Welcome to The Homelab Show, number 111, and yes, we're back. No, we're not gone. How you doing, Jay? I'm doing fine. How are you? You may have noticed Jay is not where Jay was; Jay is in a different location. So we're gonna give you a quick update on, you know, basically, too long didn't watch: Jay moved. But we'll talk a little more about that. We have some firewall history I want to cover today, as I think it's gonna be a fun topic. It seems to be a hot topic, all the different firewalls out there, and because I've been using these since 2000, that's when I started getting, well, maybe even '99 or 2000. The oldest photo I can find of me standing next to an open source firewall is all the way from 2021. So I've got a long history and I want to share some of that history with all of you, and me and, you've, maybe 2011, or, oh, 2001. I'm sorry. Yeah, I did say that wrong. You're right. It feels weird to say that. I think that was like 22 years ago. All right, now everyone knows how old, that I'm old. Is it the gray hair? Didn't you watch my videos? Oh, the gray hair. It lets people know you're old. But before we get into all that fun stuff and some updates, let's thank a sponsor, and that is gonna be our friends at Akamai. They've been sponsoring this podcast for quite a while. It is a great place to host a lot of things that you may not want to host internally, or if you're just looking for a cloud playground. They have a lot of offerings in terms of pre-built systems that get you deployed quick and fast. We've actually been hosting this podcast, the website for it and everything else, all in the Akamai cloud, even back when it used to be called Linode, for those of you wondering if it's a new sponsor. No, that's the same sponsor. They just went through a little bit of a name change, got some more features, and we thank them for being a sponsor of the show. You'll find an offer code to get started with them in the description below, along with all the show notes.
There's a lot of show notes today, for I like to send people on reading adventures. Not everyone will go on reading adventures, but for people who want to know how me and Jay came to be, we spend a lot of time on what I'll call a reading adventure, a rabbit hole of books and learning and knowledge. So I always like to cite our sources for everywhere we're getting this information. So this history of firewalls and discussing them, when we get to that later, is two parts: one, Tom doing it in real time, as I have for the last 20 years, as we established in the beginning, 2001, when I've, or 2000, whenever I started doing that, all the way till present day. But there's a lot of good intro entries in Wikipedia, but I realized I may have to read through and try to dig up old emails. I haven't seen what more context I can add to some of these Wikipedia entries for long forgotten firewalls. Absolutely. So the first thing is, as you know, Jay moved. That's, Jay can expand on that if you want, but, yeah, he's building a new studio, which, that's always exciting, but also it takes, you, way, you don't realize how long we put into building these studios until you try to build it again. You're like, yeah, this takes a long time. It really has been pushing a month, I mean not necessarily exactly a month, but I have hands on, it's been like two to three weeks, and fine-tuning everything. The lighting is not installed right now, so if anyone tells me the camera is washed out, you are right, it is, if you're watching the live version, but that'll be fixed.
It's like a little bit of this, a little bit of that. It's fine-tuning everything. So, yeah, I moved and I've been in a new location. The move ended up being very long. You know, it never, you always think it's gonna take a certain amount of time, when it takes longer. So it's like I haven't been on social media, like, during the move. My FreshRSS server was broke, so I had to fix that, but before I fixed that, up to set up the studio, so I was actually out of touch with the news for a bit there, too. So now I'm actually rejoining society, or is this society I'm in at home, or whatever, online. That's how we work in the tech role. That's how I put it. So it's a work in progress and I think it's gonna change, from, you know, bits and pieces from here on out. I have, I don't even know how many videos recorded at the last studio that I haven't updated yet, or uploaded yet. So I'm gonna start recording new content from this studio, but then you'll see some older footage I recorded from the older studio. It's gonna look like I'm just switching between two different places, but it's just a time warp.
That's all it is, nothing major. Yeah, so the live streams are from the new studio, but until the backlog of editing is done, yeah, there's, Jay puts a lot of effort into his editing and that takes a lot of time. And there's always this: when I recorded it versus when it's released. I think the Vim series, it might have been a couple of months ago that I recorded it, or more, two, three months ago, and I don't really know because I don't have it in front of me, the footage modification times, but sometimes it can be two to three months between when I record something and before you guys see it, unless it's something like a review for something that just came out. Then I put it out immediately. But if it's like an evergreen topic, like I'm teaching a topic and nothing has changed, then, you know, I haven't had a chance or situation yet where something has changed and I had to re-record everything. Crossing my fingers, but so far the system works, I suppose. Yeah, and I'll mention this: check out Jay's Vim series. It's just released. All of you can easily find it on Learn Linux TV. Real easy to follow along and learn Vim to get better. I'm even gonna be going through it because I have all kinds of bad habits, and I'm positive Jay will correct those through this video if I watch it. So I'll get better at Vim and I'll need to search a little less often to figure out, what is the key?
I forgot. So my most recent video is about Neovim, so not that one, although you could watch that one too. It's awesome. Before that, so I would say actually, you're right, it is Neovim, but I think the Neovim stuff is really good. Yep. That's the most recent one, but the Vim series, if you use Neovim, obviously you could use the same Vim series either way, whichever one you use. If you go on Learn Linux TV, there's the courses tab, click on that and it'll be right there in the list, and they'll have all six episodes right there for you to watch. Yep, I started going down there because there's someone who, I can't, I wish I could find the video. I would have shared it. I actually searched for it. We couldn't find it. So all those late night Tom watching videos. It was a person who went through and they did some real, it was like a 30 minute video, I think. I'd watch it, but it was engaging, of all the different things they tried before, just going why they started with Neovim, and in the end they end up with Neovim, and in between there was Emacs and every other imaginable, like Notion AI and all kinds of things. But they said in the end Neovim was just the best, like, it just has all the things they want. Emacs was too heavy. Was the Emacs, the person really took the time to dive in the Emacs, but they also said, yeah, yeah, this is heavy. I will be switching to Neovim at some point, because right now my Ansible just pulls in normal Vim, but I think I'll be switching to Neovim as soon as I get a chance. So that's on my list. Other noteworthy updates is the new version of Cobia, which is the TrueNAS Cobia version. They're going by fish names. So Cobia is a fish, so Bluefin. The alpha was Angelfish, and I thought that was cool. Then they went to Bluefin. Now TrueNAS SCALE is at Cobia.
I'm still waiting to finish a review of it. I would say, though, from a storage standpoint, provided, and I did a live stream covering the caveat, it's basically if you have some encrypted pools and you want to have unencrypted nested under there, you're gonna have problems. Outside of that, the systems I upgraded to it that are fully encrypted pools do work perfectly fine, but check that out. It's the next layer, and, by the way, they're not offering, they did a point release to Bluefin, so you can stay on it a little longer, because there were some security patches that needed to be done. So do the point, if you're gonna stay on Bluefin longer, do the point release. Maybe you're waiting for the point release to Cobia, because there are a few bugs. One of them is syslog is broken. I found that bug, and there's a curly bracket in the syslog conf that doesn't belong there. I think it was a curly bracket. Whatever. I did a bug report and I was happy, I was excited to help squash a bug that they have targeted for the next release. There's a manual fix for it: just delete the curly bracket in the config file. But hey, oh yeah, it's always a great feeling when something you put in a pull request for ends up being part of the project. Like CrunchBang++ was one that I contributed to, like early on, and it was just a spelling error in one of the comments in one of the bash files, but I'm like, it's a spelling error, it's a valid problem, so I submitted it. It was accepted immediately, which is pretty cool, and then I knew right then and there everyone else wouldn't see that spelling error. But it could go from documentation all the way up to hardcore coding. Whenever you can do it, it's always helpful. Yep. So it definitely, I thought it was weird, someone actually commented, they thought it was odd and I was unprofessional by jumping on whenever there's a new release. I'm like, what do you mean, unprofessional? I'm a bug reporter.
And yes, I did take my production systems, and that's what someone said, it was unprofessional for me to take my production systems, my video editing. Not, I didn't shut down a client to do this. Like, and I always like to test everything in my own world, like I'm dogfooding here. I'm going to give you the latest release and everything else. I want to see if all my systems run on it. That's why I do that, and I encourage any of you. I mean, this is how the point releases get better. If it is within your ability to load the latest version and deal with the troubleshooting, one, you get better at troubleshooting because you jumped in first, and second, those things get fixed. Yeah, that's eventually how they get fixed, is when people like me and people like you that also have the time to participate in it. You know, this is a community give back. I mean, I may not be able to write code, but I'll find a bug. Yeah, it's like, for me, I'll tell people, for example, when it comes to Ubuntu, use the LTS releases and skip everything else because it just changes too fast, but I can't use LTS myself because I have to stay current on what's coming, and the only way to do it is, like you said, eat it, you know, eating the dog food, so to speak. I have to use the latest and greatest, which also means I have a lot of things to fix, but then that's an opportunity to make sure my automation system can get me back up and running quickly. So that strengthens my automation system, which then strengthens everything.
So obviously I don't have a company with thousands of employees or something that are going to scream at me. I just, you know, if the Wi-Fi is down the kids might come down and yell at me or something, but other than that, it's, you know, it's kind of different when you are the sysadmin and the owner of the company at the same time. It's a lot of work, but you also have full control, which is kind of fun. Absolutely. Now this is gonna be a topic that I'm gonna try to keep relatively brief, but as I said, lots of reading down there, including, I found, I was happy I found this because I couldn't remember the title of the video, but I was happy I found it to put it in the notes: The Untold Story, How PIX Firewall and NAT Saved the Internet. Now please note I didn't say the word Cisco, I said PIX firewall, but some of you go, isn't that a Cisco thing? That's an interesting topic, and it's great. This is a YouTube video by The Serial Port. They cover some computer history stuff. I think it was great, so that is down in the list and definitely worth a watch outside of this, to kind of understand some of the history of how we got there with NAT and firewalls, because that's how NAT came to be, and it's a fun, I love the deep dives in the history. That's, so, my favorite things to watch on YouTube is people who articulate some of this old history stuff. So I actually, I'm thinking about maybe I'll make a really long video on all the firewalls I've done, more in depth than I'll do in this podcast, but it's still kind of an audio thing because I'm not gonna load every one of these. I, well, I can't say I, I would actually try, but it's just so much effort. I was trying to get some of these old firewalls, because you can find the old ISOs for them. I tried getting some of them to work.
They don't seem to like modern hypervisors, so I would probably have to reload them all on hardware, and they're not gonna like modern hardware. So I can probably find some old hardware, but boy, I don't know if that's a project to try, testing all these old firewalls. It's fun in concept. I started looking at how much time it would take and I don't know if I have time to do all that. Maybe I'll goof around with it some more, but that's why I'm covering it here in a podcast form. I think most people just want to, we can walk through some of the history. Yep. All right, now, as I said, this is all linked down below. This starts from Wikipedia, so this is where I get a lot of the dates from, because even though I may have used a lot of these firewalls, don't ask me to remember when I used them, because that's the harder part. So as well, we'll start with one of, some of the original ones. This is not exactly who was first, because they were all kind of working roughly around that same time. This was the 1999, 2000. I was an early adopter to jump on it, was told by lots of people, like, oh, no, no, no way, you shouldn't be using these software firewalls, or whatever one called it. I always considered the other ones hardware firewalls versus software firewalls. That was the big debate in the tech world of the early 2000s, because they were saying, like, oh, no, you're completely not understanding the firewalls, and I'm like, no, no, it's still running Linux, like, or whatever OS they have on these. It's still running software on hardware, and now today, 20 years later, everything is, well, not everything, but a huge number of firewalls are based roughly on Linux. I see people talking about Fortinet. They're not really an open-source solution, so I'm not bringing them up into this list. But yeah, the Fortinets are definitely a popular solution within the community. I'm trying to narrow it for The Homelab Show here to people talking about open-source stuff. So IPCop. I love their slogan.
It was "the bad packets stop here", and they started. I remember that. Oh, yes, I used to use that at a company I used to work for a while back. Yeah, it was cool, and it's just one of those things. It's like, it was a cool firewall. I was a big fan of it. There was, I couldn't find it, but I think it was Mandriva Linux, before I used IPCop, used to have a firewall. I could not find it in Wikipedia. It was Mandriva or Mandrake, I can't remember which one it was. That's all defunct now, but IPCop is the one that really got a lot of community support. They were big. They had this weird way of doing things at the time. It was new. It was red, I think it was red, green and orange were your firewall colors. So red was your WAN, green or blue, maybe it was green, was LAN. Sorry, the details were loading. It would be kind of fun, but then you could set your DMZ to be, like, the orange, so you can segment your network that way. It was kind of a neat concept, but that whole project fell apart by 2019. That was the last time, I think, they had any type of updates. It actually lasted quite a while. They used to have some decent documentation on it, not amazing, but you can figure it out. One of the important things about any of these is a firewall can live and die on how much community support there is and how much documentation there is, and whether or not there's enough recipes out there, if you will, write-ups on how to get something done, because if the company doesn't directly have documentation, a big community will help create the documentation, right? I kind of made that as a note to some of these, where yes, some of these things exist.
No, there's not a lot of documentation for them, so you're kind of on your own to figure it out. Now adjacent to this was Smoothwall, which started in 2000. The last download for Smoothwall Express, which would have been the open source one, seems to be 2014. Now Smoothwall itself has continued on as a company, as a commercial entity, and I think that's kind of cool. So they still exist. They still sell UTMs and things like that. And yes, I see Veronica is in the comments asking, doesn't IPFire still do the color thing? Yes, we'll talk about IPFire, because that is a fork of the IPCop. We'll get to that one in a little bit here, because I think IPFire came out a lot later, but that's still one of the active ones you can try. Yeah, it's funny, we're talking about history in computing. Veronica definitely knows a bunch of things about that, and that's so fun to learn from her. So check out her channel, shout out, if you're not already familiar with it. A quick way to get to her channel: just go to Learn Linux TV, bottom right corner has a list of friends of the, my channel, which are the same as yours. So yeah, and she's done good with SEO by having the name Veronica Explains. There's not that many Veronica Explains out there that I'm aware of, so she's easy to find. But Smoothwall's history is interesting because it's moved to kind of a split, in terms of, you know, they have a commercial offering.
So they still are existing. They don't seem to support their non-commercial offering, and this is coming back to one of the notes we're gonna bring up on and off here, which me and Jay have talked about, is open source can be hard to get support for, in terms of keeping people engaged to build the product itself. If you go to the Smoothwall Express, they have a Buy Me a Coffee, which is all the way from 2014. They have a Buy Me a Coffee page and it lists only one supporter. So like one supporter for the project still, but it hasn't had a release since 2014. So I'm gonna pretty much declare the open source version of Smoothwall, to the best of my knowledge according to Wikipedia and me reading their site, is not an available option anymore. Now this is where there's a couple distributions, and I seen someone message, I thought this was cool in concept. Starts with ClarkConnect. ClarkConnect, and I don't remember it being ClarkConnect for very long before it became ClearOS. I didn't have the dates exactly when this changed, but ClearOS was a successor to ClarkConnect and had the concept of being an all-in-one firewall, VPN, proxy, email server, web server, print server, user manager, file server, and then HP bought it, and I really feel like since HP purchased it that the updates kind of came to a halt. I think the last update was like around 2020 for it. It's a neat concept because it's not just a firewall. It was the everything box, like first they targeted.
Let's be the Windows. If anyone worked in the IT world, Windows SBS, Small Business Server 2003, was the all-in-one box that did it all. It was actually a really popular system because you didn't have to deal with the client access licenses. For small business they had some cool ways of doing it, and this was kind of an answer to that, like an open source version, where they packed in Samba, user management, firewall, VPN, and it made sense at the time, from the concept of, hey, I'd like my users to have their file shares. I want one place of truth for my users, where I've got their email set up, their file shares set up, their VPN, if they're not in the office, set up so they can get in there. Cool concept, like it was an ambitious project to put everything in one box. Now there's obviously some scary things by having everything in one box, because if they compromised the firewall they are also on your file server and your email server, because it's one physical server. I think this was probably a hard project to build and support, but, yeah, best I can tell, they haven't had an update in quite a while. HP purchased them, and HP's where some things go to die. Now when Cisco buys something, that's where things go to get monetized and licensed. When HP buys things, HP's had a history of buying some things, it just kind of got, I don't think they put the right community around it, and it just kind of flops. I was just covering the HP logo on my computer while you were talking. Mmm. Yeah. Now interestingly, it's not a fork, that I'm aware of, is the Zentyal. I think it's pronounced Zentyal, very similar to ClearOS, started in 2009. They still seem to have a commercial offering. Their last open-source release was in January 6th of 2021, kind of same thing, we want to put everything on one server. But they don't have a blog post since July of 2021, so I'm fuzzy, like, the website looks current. Someone's paying the bill to keep the website, but they haven't had any news updates or updates for Zentyal.
But they're the same thing, they're packing in firewall and all user functionality just like ClearOS. It seems to be like a competitor for it, but fuzzy that that's secure and up-to-date, especially as there's been several Samba vulnerabilities, and yeah, if you're not keeping these things up-to-date, you've got some Samba vulnerabilities in there. So a last spin of January 6th of 2021 tells me that's probably not up-to-date. Yeah, and if you want to enlighten us, if you know more than that, just send us some feedback: feedback@thehomelab.show, I believe that's the address. And since we're on that subject, I think it might just be a good idea to point everybody to that, because I want to do a Q&A episode. It's been a while. So if you could, you know, grace us with some feedback, I would really appreciate that. Yeah, I'm gonna put it on the screen, feedback@thehomelab.show. Yeah, please email us. We like hearing from you. Not to mention this is all from Wikipedia, so I know there could be some errors in there, or, you know, maybe they've got a new website and I didn't know, or the project's been forked again, and there's no fork listed in Wikipedia for these particular projects. So I think it's an interesting discussion topic here. Mm-hmm. Next one down the list is one I used a lot. So I used IPCop a lot. I definitely tested Smoothwall. I remember playing with ClarkConnect. I never tried Zentyal. ClearOS, the successor, I never really played with, but now we're down to Endian. We actually used to use this in a business environment. I thought Endian was cool. It's another fork of IPCop. It's still an active system.
One of the big things that Endian was really cool was they had the ability to import/export VPN settings from one to another. Like, you could build a simple config file that you could import in the other Endian system to get them connected. It was just simple, instead of manually building the firewalls. It was one of the things, like, I don't know, other companies just have this kind of simple thing here to do. It's kind of, I like this. Now they started building in a lot of filtering features, and as people would be asking for your next-gen firewall features for traffic filtering and things like that, that is all done in their commercial product. That is not something part of their open source one. They still have a limited edition that you can find, that is oddly downloaded via SourceForge still, and they have a comparison page, and I link those down below. So the Endian ones, it looks interesting. I'm not sure how much love their open source one gets, but at least it does seem more up-to-date than any of the ones I've previously mentioned. So there is some activity around there, but it seems like they're really trying to upsell you. There's a lot of limitations, so to speak, features that aren't included in the open source one that they try to upsell you on their commercial one. But hey, it's an option. It exists. I can't really, it's been forever. I mean, I haven't used it in over 10 years, so I did use it in the past, though. I think it was a pretty neat project. Yep. Now IPFire, also a fork of IPCop, still active, but you're gonna find no WireGuard support, very little documentation, just a lot of people asking questions in the forums, and like VLANs.
I wanted just to go through how the VLANs are set up on there. I didn't find it in the documentation. There's a lot of discussion in the forums and there seems to be a lot of limitations, so I found it kind of confusing when I looked at it. This is where even a modern firewall, so to speak, in terms of it's up to date and has the package updates, and there's an active community around it like there is for IPFire, you may find that the VLAN setup is very challenging, and the lack of documentation, and there's not like a ton of posts on this. There's not many tutorials at all that I found on YouTube. Maybe there's a couple, that if I search for the right terms I'd find. It seems pretty basic, and if I remember, I believe it was a developer from IPFire that talked about they're not going to bother supporting or putting in or building in WireGuard to the system, which is weird because it's a Linux-based firewall, so it's in the kernel already. Maybe they just don't want to write the interface for it. So, yeah, it's a neat project. I think you could probably use it. I don't know what my confidence level is in the security of it. This is, and any of these, unless they have a commercial company actually having a commercial product that has support, their adjacent one is going to be really challenging, because you're gonna have to ask the question here in 2023: how secure is it? This is what divides my, you know, my network from the outside world, where there's people who would like to, if they can find the opportunity, exploit things. So you really want to make sure your firewall is locked down and doesn't have bugs in it itself. This is one of the reasons probably many of you are here in the homelabs, because you're going, well, yeah, all the consumer ones seem to have absolutely lackluster security, and you're not wrong.
There is definitely a lack of security, lack of validation testing that goes into the average generic ones that you find off the shelf, and with the problems that have been found, including things like, I remember it was some of the Linksys ones where, even though you could toggle off things, it wouldn't actually turn them off. This was a few years ago, maybe quite a few years ago now, but that was a big, that was all the reasons people started pushing for updated firmwares on their Linksys devices, because there was just no security on these. That allowed people to pivot into your network without you doing anything. Like, you didn't have to open it up to the world. It was open up to the world by default, which is, it's not doing what a firewall, that's the worst that could happen. Yeah. And that'll lead into OpenWrt. Now this was that firmware replacement. This started in 2004. It's still active. I get mixed signals from people on how easy it is to use. That's kind of a back and forth. I get some people say they like it. I don't know how good it is for complicated configs. Some people mentioned you just got to go to the command line, because it's running Linux, and start configuring it, which may be fine for people, but they do have quite a bit packed into it. It's one of the things I might want to poke at myself, because I've seen it's popular with the ZimaBoard, because you can pop in a four port network card in some of these smaller compute devices with a few network interfaces. OpenWrt also supports Wi-Fi. So this is where you may not, you may kind of have Wi-Fi support in the other ones, but I think OpenWrt, my understanding is it does it better, but I haven't loaded this project in a long time. But it's definitely something out there for people who want to play with it in a homelab. There is a lot of community engagement around it, so that's definitely, you know, good. Now back to that security thing I mentioned: is there a security validation that goes into it?
I don't know how good they are at that, because I don't think there's anything that I've seen commercial behind it, which will then lead to one that does have commercial support, and I think this is an odd recommendation for the homelab, unless, and this was a big discussion in my forums, unless you are going to have a discussion on, I'm building my homelab, I would like to run VyOS, because my goal is to understand how a cloud-level, data-center-level firewall works that's mostly driven from the command line for the majority of the features, even though they're building a web interface. VyOS is definitely a powerful system. Now they have a free version, if you will. This is how they work. So VyOS is a fork of Vyatta. Vyatta has been around for a while. It used to be developed by Broadcom. Broadcom dropped it, so now we're at VyOS, and they have their latest snapshot builds. They are compiled. The stable builds require a subscription, but you can compile from source the stable builds yourself. So if you want a stable build compiled, and this is, you know, I don't know exactly how much work it is to compile Vyatta, but hey, that is a lot more effort to have to compile. I don't know if there's some automation script that just has an easy build version. I don't know how hard it is to upgrade when you're doing the stable builds. That's something I really explored. The subscription price, what do you take, a stab, if you haven't looked already, Jay? Have you cheated and looked, you know, how much the subscription price is for Vyatta, or for VyOS? Literally just looking at it, I'm gonna guess. I mean, I'm just gonna throw a completely random number: $500.
Yeah, $8,000 a year is where it starts. Okay, I would not have guessed that at all. Don't get me wrong, it's kind of a niche system. You can definitely run it at home, but it's really targeting that enterprise market. The fact that it's as popular as it is, and my understanding from talking to a few people, and there was actually someone in one of my other live streams really mentioned it's used quite a bit, but, like, in the data center, which there's not that many large, I mean there's actually a lot of large data centers, but it's not as big as, let's say, the homelab market. So while you could use it, but, yeah, so it's one of those things that I don't think is necessarily bad. I don't think it's going to be targeted at the majority of people running things in the homelab. Right. Yep. Yeah, that's, the chat room mentioned, you know, I'm basically not talking as much. Well, for anyone that's new, Tom and I, we take turns being the teacher and student. His channel is more focused on the firewalls than mine, so he's going to definitely own this topic quite a bit. So, but then we'll circle back around to a Linux topic and then I usually, well, not always, take over. I think we both know Linux very well, but, well, we both have specialties, I guess. Yeah, and I'll even mention, because someone called Jay the Ansible guy, this is actually, we'll dovetail this together here. You can, and someone even mentioned it down here, building VyOS rolling release to an ISO, deploying with Terraform and configuring with Ansible. Yes, you can. This is definitely, if that was the topic today, this is where Jay would shine, because he's quite the Ansible expert, and check out any of our videos on Ansible push and pull and Jay's debate on that. I've learned a lot from Jay.
I sat silent on that one. I almost wonder if we should just bring up Ansible again at some point in the future, because I think it's been a while and there's probably a little bit to talk about. Yep. Now, all the things I mentioned from top to bottom here, not by accident, were all Linux firewalls and open source firewalls. Now we're down to, we'll focus on the ones that are really popular here today, because all these, as you notice, there's a lot of caveats with them that make them kind of challenging, whether it's an eight-thousand-dollar-a-year license for the stable version or it's just the fact that I don't really have a clear picture on documentation or validation testing for security on these, for how big the projects are, with, you know, some exceptions that have commercial backing. Now we get down to m0n0wall, and m0n0wall was based on BSD. This is kind of what made them different. So while everyone's running around building firewalls in the Linux world, m0n0wall was saying, no, no, BSD is the way to go. So this is some BSD people building it, and the m0n0wall project would actually be discontinued around 2004, but there was a lot of popularity on it, which is what led pfSense to pick it up. pfSense picked it up, essentially, but renamed it pfSense. It's a fork, and then that starts in 2006; I believe that was the first release of pfSense. I didn't start using pfSense till probably around 2008, I think, or nine. I'm trying to remember exactly; sometime around there.
So I've been using it a long time myself. Now pfSense, all the way till present, is still developing, and I've covered that. I've got two recent videos just on some of the changes: they changed the license, they changed it back for their Plus version, not for their CE version. Now, the benefits of pfSense: one, Netgate's a big commercial company that does a ton of validation testing. Netgate, I've talked about this before, they are a massive code contributor to the FreeBSD project, because they write a lot of the code that ends up in the firewalls. They sponsor a lot of code projects and commits that go in there. And this is the open source challenge of any of these companies: when you're relying on things downstream, you're at the mercy of the project above and what those people would like to get done. When you sponsor the code and you're a firewall company, you obviously are going to sponsor very specific code to be written that is needed for a firewall. So pfSense, and Juniper, by the way, because Juniper, I believe, and someone commented they aren't as based on it as much as they used to be, was also a FreeBSD firewall. I believe they've kind of written some of their own stuff. Juniper is a huge commercial company with a large product line, but they actually still do a lot of commits back to FreeBSD, because some of their product lines still require FreeBSD support. So those are your two contributors. I believe Netgate is like the third or fourth top contributor overall to FreeBSD. This is like, you can be mad at them for the license changes and all that, and I've talked about that; I'm not going to get off topic on it, because those are in other videos. But you have to look at how an ecosystem works. And for example, we all love our Intel I226 drivers, because those two-and-a-half-gig cards are becoming rather popular in these small firewalls. That was actually something written by Netgate, and without Netgate writing it in BSD...
I don't know that it would have gotten written. I mean, would someone have written it? I don't know who "someone" is that would have understood how to write drivers. That's not your average person that writes kernel-level code. Matter of fact, that's probably worth noting: take a Google search and type in "how much does a kernel developer make?" You'll find that these are not your average jobs. These are jobs that pay 150k plus a year, especially when you have a specialty or expertise. So it's not a small feat to just sponsor some code commits. It's actually a lot of development. I just want to make sure that's clear. This is not in defense of anything Netgate did. This is a fact as to what keeps the ecosystem going and why all those firewalls are kind of wishy-washy, with the exception of VyOS, which has clearly got a good support plan option. But when it comes to the BSD ones, there's so little. If something happens to these companies, then it's kind of like the cards tumbling down: when no one's committing a bunch of firewall updates to the open source BSD project, we don't get a lot of things downstream. Now, of course, this leads me to OPNsense, and this is interesting, because OPNsense forked from pfSense in 2015. There were a lot of arguments, but essentially, I'm not going to get into the drama, but they started doing their own appliances. OPNsense also sells a business license if you want a more stable version versus the latest release. I've commented before that OPNsense has more releases than pfSense, but more releases means more breakage. You can read that in their forums. But that's part of the feedback: if you would like a stable version...
They do have a subscription you can buy. They also fund it with selling hardware, and so you have both of these offerings of services, so it's not like pfSense is the only one having a version that you can get paid on subscription. But pfSense still has their CE, or Community Edition, which is open source; the Plus version has a few extra features in there. I'm not really clear on the business license other than the fact that it keeps you on a stable release, and support is not with that. You buy support separately, per their page. You can see that at OPNsense. Now, some of the challenges are, and there's a discussion in the OPNsense forums you can find, I have commented that they do the most minimal of code contributions back. I've never said zero, but I have said they minimally contribute back to code. This is kind of a challenge, and you can follow Franco, the project lead at OPNsense, and see them asking for community help on kernel things. There's even a recent, some type of kernel panic related to, I don't know exactly what it's related to, but it's in the recent forums, where there's some back-and-forth discussion. OPNsense relies on everything coming downstream. Where this is a problem is, of course, when you look at FreeBSD and the problem with OpenSSL. This is just an easy example. OpenSSL 1.1.1 has been deprecated; the OpenSSL people are saying, yep, 1.1.1 is gone. This is not a FreeBSD-specific problem. This is OpenSSL 1.1.1 across Linux and FreeBSD: it is no longer supported. We have moved to OpenSSL 3. If you're wondering what happened to OpenSSL 2, that was reserved for, I believe, FIPS. Someone can correct me on that if I'm wrong, but I believe the two series was stuff for FIPS and the three series is the current. Now, you can't just swap the library. People asking that question is a common one, and that means you've not had to actually look at how that's coded. It's not a one-to-one swap.
There are things that are deprecated, functions that don't work, calls that may not be the same. Therefore, when you move to OpenSSL 3, breakage happens. You can't just drop this in. So this is in the forums over at, in the latest version, I think it's a late October release of OPNsense, they have pinned to the 1.1.1 version, which is no longer supported and gets no more security updates, because they don't have a roadmap for exactly when it will be updated via FreeBSD 13 to fully support all their packages. That's kind of a big security problem I have right now with OPNsense. And if you have packages that can't be updated and then we find a vulnerability, where does that leave you? Scrambling to get it done now? If you can't get it done now, not under duress, what happens under duress, when there's a vulnerability in a VPN that's related to OpenSSL, because OpenSSL libraries are generally heavily used throughout the VPN systems? What do you do, turn off your VPN until someone refactors all the code? Because you're not going to get an update for the 1.1.1 version; you'll only get updates for the 3.0 version. This is actually why Netgate, and they have a whole blog post on this, has put substantial effort into refactoring all the code for both pfSense Community Edition and pfSense Plus to support OpenSSL 3.0. That's right now a big status, but this leads me to the bigger topic of who supports all these. People are really angry. They're like, "I'm never going to download the free version of pfSense again. I'm going to download the free version of another one." Okay, but how are we going to support the projects? That's the big question I'm asking, because exactly, to get these, if we don't have a mechanism to sponsor the developers to keep them working. Because someone asks, well, what if the developer, what if we forked pfSense, for example?
I'm like, well, you've got to hire all the developers and the people with the expertise. It's not like you can just hire a kernel developer. You can take Linus Torvalds, who is a great, wonderfully smart person in terms of the kernel, but you can't drop him over in BSD. I'm sure he'd do well, but he's going to have a learning curve. So you can't just hire a kernel developer; you need a BSD kernel developer, and they all happen to be working for or sponsored by Netgate. How do you put them all on your payroll and support the project? Because, if you said, I think they have like seven or eight kernel developers on there, and if each one of them, let's just say, makes $200,000 a year, because it's an easy number, and we multiply that times eight, I think that's 1.6 million. Did I do the math right, if you have eight people making $200,000 a year? My math brain is not working today. Check my math. Yeah. But that's just, that's not validation testing. That's like payroll to get them to do updates, not the actual build process and then the validation testing. So it's just a thought process. So when people talk about things like, hey, it's one of those things, if you want to build a fork of a firewall, that's fine. In the modern-day ecosystem, this is actually the history of why they failed, which leads me to what I'm saying now. All these companies, if they don't have some type of model to keep it going... The level of testing you have to do to build a secure firewall is harder today than it was before. We have plenty of tooling, but that validation testing, because of the security threats, because of the very complex things. If you look at the debrief on the Cisco one now, this was the latest Cisco vulnerability that was released only a week ago.
I posted about it; I can't remember the CVE number exactly. Even Cisco, and this is one of their supported products, had some challenges getting this fixed because of how complex the attack was. You have to validate against these things, and Cisco made a mistake. Someone found the mistake Cisco made and exploited it. You hope all these companies are doing the same. Netgate's at least well used enough; I know there's a ton of poking at it. They've had very few CVEs, and that is a good thing, because that kind of goes to the testing. They also take a minimalist approach to the build, and once again, this is not a defense of Netgate; this is just how they build things, and it's important. They only build into the firewall what's needed and not extra. That's one of the ways they're able to avoid having long release cycles but still not have a CVE in between, because some of the CVEs that were posted, even though they were FreeBSD ones, were not things compiled in at the time. And this is a bigger problem. As Jay knows, how does framework programming work in the modern age? We throw everything in but the kitchen sink, even though we're not using it, right? Yeah, that's how it is, and even Linux distributions have a bunch of things by default that we don't want. So, yeah, prune, basically. Yeah, no one does the pruning anymore. So this is how the WebP vulnerability became such a big deal, where you have, everyone, like for example, we found the WebP vulnerability because that library was in one of our tools. It's a tool that doesn't view images, but they baked it in because they built it with the same framework.
It always includes WebP. But there's what they refer to as, yes, you have a vulnerable library within this build; by the way, there's no path to execution, because there's nothing about this tool that calls that particular vulnerable version. But they baked it in because they grabbed the framework and said yes. So the product that they build is actually that much bigger. This is where, taking a firewall approach, you don't want those extras in there, and this is important for some of the minimal builds. And yeah, this is kind of the end of my discussion here on the firewalls, and one of the reasons, and I have my forum post, which you'll find linked in there as well, I'll add that to the notes, but it's not hard to find my forum post on pfSense license changes. I've referred to it in those several other videos on there. But there's a reason I stay with pfSense, and it's that security. I can completely, and do, disagree with the way they handled their Plus change. But for those of you running pfSense CE, nothing happened to you. You're still running CE; before the license change, after the license change, the license change doesn't affect your Community Edition. This was all them being, I don't know, short-sighted and poor communicators and not smart about how they handled the license changes when it came to pfSense Plus. And that's life. It's commercial companies doing commercial company things. And I use pfSense as well, but, you know, using something on my end, and I'm sure yours, doesn't mean it's perfect. It means it might have, you know, edged ahead of something else; it doesn't have to be ahead by much, or whatnot. I agree with you. There's a lot of controversy there.
It makes me a little nervous. But then, as you were talking last night, looking at the alternatives, I don't like what pfSense did, but right now it's better to stick with them on my end. You just make that decision for yourself based on what you see, but we've kind of gone the direction, right, for now, of staying with pfSense. But that doesn't mean forever, and it doesn't mean it's perfect, but right now, I mean, it's working pretty well. So it's one of those things where the challenge is, it's one of the best options out there. Just, you know, you set aside the controversy, and for people using, as I said, CE, they could have ignored the controversy. It literally did not affect them. But the OpenSSL thing is kind of, this is where things are ramping up. There's a reason OpenSSL 1 is being deprecated. There's a lot of spaghetti code in there. It's hard to maintain, I get it. That's why they wanted to move. But these types of complexities, because we want firewalls with lots of features, the only firewalls out there that, you know, have these large-scale features, unless you go fully commercial, don't get me wrong, Juniper supports these, Palo Altos have got some great support, supporting that, you're going to find all kinds of commercial vendors that have firewalls that have matching features. You're not going to be able to download the screen. They're not open source. And yeah, I already see someone out there saying "just get a Palo Alto." You see, Tom, the challenge would be, so you're looking at the same thing, more expensive firewalls. It's not something you're going to open source and download for free and run in your homelab. Not saying Palo Alto is bad or anything like that, but for a lot of the homelab community, the budget doesn't necessarily lend itself to Palo Alto. Yeah, and you look at something like, pfSense has BGP in there. So you're going, cool.
I want to play with some BGP, multiple VLANs, WireGuard, IPsec, lots of crazy routing configs, and I want documentation to do all of this. Netgate's documentation is top-notch, along with, besides myself, there's a lot of people who have done videos on it. It's kind of hard to move away from it. And much of the experience I'm bringing to those videos is the fact that we have this deployed at lots of our businesses. Like, this is something we use in a commercial environment as well ourselves. So it's a challenge. And someone says Palo Alto has a homelab version; it starts at like 400 dollars. That's interesting. Mm-hmm. Yeah, I see people not liking Palo Alto support. So I can't speak to it, because I'm not a Palo Alto person. We have clients, because we do like co-managed IT, so I've run into them. They seem happy. It's not the part they're complaining about; it's not what I'm consulting on, usually. Yeah, and someone pointed out, and I'll specifically, because I have a video on it, if you want to dive into it, if you want to know how egregiously bad the CVE vulnerabilities were for Fortinet, I mean Fortinet and Zyxel, there's another one out there. Zyxel's built, once again, on open source, but is not an open source firewall. Both of them had some pretty serious back doors, and they were bad. One of them was a coding accident on Fortinet's part, where they accidentally put a back door in at a customer request that wasn't supposed to make it into the main code base, and it did. So Fortinet's, just like, if you read the history of it, it's so dumb, it's face-palming. You're like, how are you a commercial company? How do you not have code sanitization? How did you have a customer request a back door be put in a VPN to reset passwords, and it accidentally ended up in the main code base? You really can't make these things up. No. And Zyxel's the same thing.
They've accidentally hard-coded passwords too many times for it to be an accident. I don't trust them. And it's a whole thing. It's just, there's a lot of challenges in there. So, mm-hmm. Yeah, it's a challenging thing. That's kind of the history of firewalls, some of the options. But when it comes to security, documentation, everything else, it's one of the reasons, and like I said, call me out, because I know people have differing opinions, but if there's some wrongness, if you will, in the way I stated it with pfSense, not from an emotional standpoint of them mishandling the CE stuff, but from a firewall that has a lot of features, is available for the homelabbers, has a ton of documentation, and works, I still think that's probably one of the best bets out there for it. OpenWrt, I do want to play with that; that's at least one of them. There are some videos on using it with the little ZimaBoards. I think it'd be fun, so that might be a fun project. It's definitely novel. I don't know that I'd run it as my main firewall, but hey, definitely something else to look at, because I'd like to see a good version of OpenWrt combined with some good hardware to build for the basic people going, you know, "I want it all in one box with some Wi-Fi." You know, they don't need multiple access points, like one little Wi-Fi for an apartment on an OpenWrt box. That makes sense. I think that's, if I can make that work and build something rational with it with my ZimaBoard, I will definitely do a video on it. Mm-hmm, that'd be fun. Yeah, so, all right. That was a lot. That was a lot. All right, I got it done as fast as possible and it still took 47... we're 47 minutes in, and we started it at, like, I don't know, the nine-minute mark. Yeah, so this has been your lesson on the state of firewalls today in 2023. Yeah, feedback at thehomelab.show, what you love, what you hate, because I'm sure this is going to cause some controversy. But hit us up there.
We love hearing from all of you. We are back. We are, well, we'll have to work on next week's show schedule, because I'll be out of town, but we're working on our regular cadence again. Jay's building a studio back up; I still have a little bit of a travel schedule, but yeah, absolutely. Mm-hmm. So, on time. All right, thanks everyone for joining, and see you next time. See you next time.