I think you need to read thru the code.
What is pfSense/m0n0wall? In simple terms it's FreeBSD 6.x and FreeBSD 4.x
with a web gui and some minor patches. Each creates a bunch of firewall
rules for either ipfilter (m0n0) or pf (pfsense).
The OS is more or less a stock FreeBSD with a bunch of stuff removed, plus
a different installer and some minor patches.
So the only security flaws you will find will in most cases be rules that
are created wrong and thus expose the firewall in some unfortunate way (I
would say that this will be very rare). Or it will be exposed services like
ssh or the minihttpd or whatever package(s) you install. There is a reason a
lot of addons are packages and not in the base.
So basically you have an OS and some addons, and on top you have a GUI so
that the end user will not have to play with a bunch of config files.
Everything pfSense does can be done with FreeBSD 6 and programs available for
it.
If you read thru the code you would know this by now.
And merging m0n0 that creates an ipfilter config with pfSense that creates a
pf config would not be smart at all.

-lsf

> -----Original Message-----
> From: Bennett [mailto:[EMAIL PROTECTED]
> Sent: 27. november 2005 08:58
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Unfork m0n0wall
> 
> I've been looking for an open source firewall.  I found m0n0wall, IPCop,
> and a few others.  I thought m0n0wall was great, but then I came across
> pfSense, and it was even better, picking up where m0n0wall left off.
> 
> However, this fork of m0n0wall is a bit unnerving.  Yes, I know you have
> "radically different goals," but you also have similar goals and will
> face similar issues.  This fork detracts from BOTH projects because
> you've effectively cut the manpower for each project roughly in half
> (since everyone could be working on one project instead of two) while
> doubling the work (since each project will be duplicating work).  And
> let's not forget the user base is split, too, so each project has half
> the support and testers.
> 
> Even if you're sharing some code so you're not both reinventing the
> wheel, you still have to merge disjoint code as m0n0wall tries to add
> pfSense enhancements into their code and vice versa.  As a programmer, I
> know what all this patching is going to do to the code.  As you exchange
> code back and forth, m0n0wall is going to have some pfSense-specific
> code that they'll patch to retrofit into m0n0wall and then give it back
> to pfSense who will add some patches to the m0n0wall
> patches...Eventually, this bloated mess of patches is so convoluted that
> no one knows how it works and you're on your way to security holes and
> compromised networks.
> 
> Thus, either you've doubled the work with half the developers/testers or
> you've doomed the code to buggy patches on top of patches.  This makes
> me question the founders of pfSense...Did they not foresee this when
> they decided to fork?  And these short-sighted individuals are who I am
> counting on to protect my valuable network?  Or is this some sort of ego
> thing?  Did the other m0n0wall programmers hurt their feelings so they
> ran off and made their own little project?  Or maybe the m0n0wall
> developers are unreasonable jerks and so pfSense politely forked rather
> than bash heads.  But those unreasonable developers are the ones who
> wrote the original m0n0wall code that you're using...
> 
> It seems a wiser course of action would be to NOT FORK and instead focus
> on incorporating an enhanced packaging system within m0n0wall that would
> allow users to install/uninstall features on-demand.  Thus,
> m0n0wall/pfSense could still be installed on embedded systems with a
> streamlined core, and then expanded with additional functionality as
> needed.  (You could have your cake and eat it, too, but without the
> fork).  ;)  In addition, removing unused features will help minimize
> exposure to security holes.
> 
> So, having said all that, why should I consider pfSense for my firewall
> when it's written by a bunch of unreasonable jerks and short-sighted
> egoists who are churning out an insecure, bloated spaghetti?  (Please
> don't get me wrong--I plan on using pfSense to secure my network and
> most likely at least two of my clients' networks, too.  I'm just looking
> for answers to quell my concerns.)
> 
> --Bennett

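The reply above puts the realistic risk on two things: rules that are generated wrong and expose the firewall itself, and services such as ssh or the web GUI reachable where they should not be. A practitioner's check for the first is to audit the generated pf ruleset for "pass in" rules on the WAN interface that let any source reach the firewall's own management ports. The script below is an added example written for this thread, not pfSense or m0n0wall code: the ruleset is constructed for the example, the interface names and the `MGMT_PORTS` table are assumptions, and the parser only understands the plain `pass in ... on <if> proto tcp from <src> to <dst> port <port>` form with simple macros and `{ }` port lists, which is enough to show the idea.

```python
"""
Audit a pf ruleset (the kind pfSense generates) for rules that expose the
firewall's own management services on the WAN side.

Added example for this discussion thread; not pfSense or m0n0wall code.
Handles only a subset of pf syntax: string macros, 'pass/block in' rules
with 'on <if> proto tcp|udp from <src> to <dst> port <port|{ list }>'.
"""
import re
from dataclasses import dataclass

# Assumed: services the firewall itself listens on (ssh, webConfigurator).
MGMT_PORTS = {22: "ssh", 80: "webConfigurator (http)", 443: "webConfigurator (https)"}
SERVICE_NAMES = {"ssh": 22, "http": 80, "https": 443}

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+in\s+(?:log\s+)?(?:quick\s+)?on\s+(?P<iface>\S+)\s+"
    r"(?:inet\s+)?proto\s+(?P<proto>tcp|udp)\s+from\s+(?P<src>\S+)\s+"
    r"to\s+(?P<dst>\S+)\s+port\s+(?P<port>\{[^}]*\}|\S+)"
)


@dataclass
class Finding:
    lineno: int
    port: int
    service: str
    rule: str


def _ports(spec):
    """Turn '22', 'ssh' or '{ 22 443 }' into a set of port numbers."""
    out = set()
    for tok in spec.strip("{}").split():
        if tok.isdigit():
            out.add(int(tok))
        elif tok in SERVICE_NAMES:
            out.add(SERVICE_NAMES[tok])
    return out


def audit(ruleset, wan_if):
    """Return Findings for pass-in rules on wan_if that let any source reach
    a management port on the firewall itself ('(wan_if)', 'self' or 'any')."""
    macros = {}
    findings = []
    for lineno, raw in enumerate(ruleset.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Expand $macro references before matching the rule.
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        r = RULE_RE.match(line)
        if not r or r.group("action") != "pass" or r.group("iface") != wan_if:
            continue
        if r.group("src") not in ("any", "0.0.0.0/0"):
            continue  # restricted source: not world-exposed
        if r.group("dst") not in ("any", "self", f"({wan_if})"):
            continue  # e.g. a port forward to an inside host, not the firewall
        for port in sorted(_ports(r.group("port")) & set(MGMT_PORTS)):
            findings.append(Finding(lineno, port, MGMT_PORTS[port], line))
    return findings


# Constructed sample ruleset (interface names em0/em1 are assumptions).
SAMPLE = """\
wan_if = "em0"
lan_if = "em1"
mgmt_net = "192.168.1.0/24"
block in log all
# management reachable from the LAN only: fine
pass in quick on $lan_if proto tcp from $mgmt_net to ($lan_if) port { 22 443 }
# port forward to an internal host, not the firewall itself: fine
pass in quick on $wan_if proto tcp from any to 192.168.1.10 port 80
# ssh on the WAN address open to the world
pass in quick on $wan_if proto tcp from any to ($wan_if) port 22
# 'any' as destination also covers the firewall's own WAN address
pass in quick on $wan_if proto tcp from any to any port 443
"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "em0"):
        print(f"line {f.lineno}: {f.service} (port {f.port}) exposed on WAN: {f.rule}")
```

Run against a real box, feed it the generated `/tmp/rules.debug` (pfSense) instead of `SAMPLE` and pass the actual WAN interface name; the two flagged lines in the sample are the "rules created wrong" case the reply describes, while the LAN-only rule and the port forward are left alone.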