I've been looking for an open source firewall.  I found m0n0wall, IPCop,
and a few others.  I thought m0n0wall was great, but then I came across
pfSense, and it was even better, picking up where m0n0wall left off.
 
However, this fork of m0n0wall is a bit unnerving.  Yes, I know you have
"radically different goals," but you also have similar goals and will
face similar issues.  This fork detracts from BOTH projects because
you've effectively cut the manpower for each project roughly in half
(since everyone could be working on one project instead of two) while
doubling the work (since each project will be duplicating work).  And
let's not forget the user base is split, too, so each project has half
the support and testers.
 
Even if you're sharing some code so you're not both reinventing the
wheel, you still have to merge disjoint code as m0n0wall tries to add
pfSense enhancements into their code and vice versa.  As a programmer, I
know what all this patching is going to do to the code.  As you exchange
code back and forth, m0n0wall is going to have some pfSense-specific
code that they'll patch to retrofit into m0n0wall and then give it back
to pfSense who will add some patches to the m0n0wall
patches...Eventually, this bloated mess of patches is so convoluted that
no one knows how it works and you're on your way to security holes and
compromised networks.
 
Thus, either you've doubled the work with half the developers/testers or
you've doomed the code to buggy patches on top of patches.  This makes
me question the founders of pfSense...Did they not foresee this when
they decided to fork?  And these short-sighted individuals are who I am
counting on to protect my valuable network?  Or is this some sort of ego
thing?  Did the other m0n0wall programmers hurt their feelings so they
ran off and made their own little project?  Or maybe the m0n0wall
developers are unreasonable jerks and so pfSense politely forked rather
than bash heads.  But those unreasonable developers are the ones who
wrote the original m0n0wall code that you're using...
 
It seems a wiser course of action would be to NOT FORK and instead focus
on incorporating an enhanced packaging system within m0n0wall that would
allow users to install/uninstall features on-demand.  Thus,
m0n0wall/pfSense could still be installed on embedded systems with a
streamlined core, and then expanded with additional functionality as
needed.  (You could have your cake and eat it, too, but without the
fork).  ;)  In addition, removing unused features will help minimize
exposure to security holes.
 
So, having said all that, why should I consider pfSense for my firewall
when it's written by a bunch of unreasonable jerks and short-sighted
egoists who are churning out an insecure, bloated spaghetti?  (Please
don't get me wrong--I plan on using pfSense to secure my network and
most likely at least two of my clients' networks, too.  I'm just looking
for answers to quell my concerns.)

--Bennett
