Welcome to another "pfSense, they changed the license" stream, but technically this is changing it back to what it was planned to be. Yeah, I'm just doing it as a live stream for a couple of reasons. One, so I don't have to take the time to wholly produce a video, put it scripted out. Two, just to get the information out there quicker. And three, so people go, well, did you clear this with Netgate, Tom? Aren't you secretly working for them? Which I don't. And I thought I'd mention that right off the bat, but there's still gonna be people leaving the comments down below because I've been realizing a lot of people seem to be upset with the fact that I am not a crazy angered getting the proverbial pitchforks and forking the project and all kinds of other discussions going on this. But, all right. Halfway through a sentence, all I said was welcome to another live stream about the pfSense licensing. And yes, this is just simple living it all live and I wanna make sure I answer questions from people. So those are all reasons I'm doing it. So you know it's sincere, you know I'm not scripting it and we're doing it live. It's just faster sometimes to get things out. Now we'll start with what happened for those of you that didn't know or are just waking up to this. And before we even get to what happened, if you are using Netgate hardware, not an issue. This isn't a problem for you. If you're using Netgate hardware, if you have one of the Netgate 6100s, 4100s or all the different Netgate boxes, they already come with pfSense Plus. There's nothing extra you have to do, end of story. This is for in the community specifically, people who are buying it for home. I always say home lab, but it's actually home plus lab. They had different licenses on there. And they have these licenses. I've done videos on this as a topic. If you wanted pfSense Plus, they had a free license, but the license always had a note that sometime in the future, they would charge $129 for it.
So that was in the note from day one. So people could have stayed and still can to this day, stay with pfSense CE, which is free. So if you want pfSense CE, also you can stop watching a video and just use pfSense CE and say, well, that's what I'm gonna use. Now, this change, of course, rightfully so, was not a great move. The reason they did it is all explained in their blog posts, you know, that you had people essentially these different knockoff manufacturers, hold on, I have one. The companies that make some of these other boxes, if you will, pre-packaging that license on there. And this is obviously a problem. You know, you can't have third-party companies violating license. Now, the arguments I've seen in Reddit is who cares about licenses and stuff like that. I'm like, this kind of matters to developers. And I've talked about this, like Netgate is a major contributor. And I have my previous video where this was discussed and I'll talk about it later in the video when we cover the topic here. But they're a major contributor to FreeBSD and then everyone benefits from the downstream from that. So I get it. There's definitely a cost to all of that. Well, developers are very expensive people, especially really good ones who can write good code for firewalls. They cost a lot of money. You gotta fund that somehow. Netgate funds that through the sale of their hardware and of course the pfSense Plus. Now, let's get over to that change they made. You know, they removed this home lab ability for people, which I get it. I don't know why they did it this way and I did have a conversation with Netgate and I waited to do the video to have to do a blog post. I just kind of said, what were you thinking? It summed up well here and they made a harsh move. I mean, I think it's nice and there's not an easy way to do this because they don't just like, they don't make videos like I do. It's not their thing. I get it. And they brought back the TAC Lite.
Now they had mentioned to me that's what they were gonna lean towards and they'd let me know that they'd probably be doing this. And I said, that's fine. They've brought it back, but they're getting rid of the free still. So there's basically the 129 charge that they said would happen sometime in the future has now happened. 129 a year, if you want pfSense Plus TAC Lite, if you want pfSense CE, still free. No charge there. So this is the blog post and you know, let me zoom in a little bit, make it a little easier to read but all of this is linked down below. I have a long forum post where I have a lot of detail that I put into it. Probably even more than I'll have in this video. My forums are free to view, free to sign up for. You do require an email address to sign up to keep the spammers from just posting in there. But you can read through all this. It's all linked and you'll find that forum post link where I've been discussing and kind of making a mega thread, if you will, is linked to in the description of this video. Now, this is where we wanna go and talk about, we did not set out to make a commercial fork of the pfSense project that would be weaponized against us and the community. Recent discoveries called us to question benefitting the work we do. pfSense Plus has been illegally copied, modified and resold to third-party hardware in clear and direct violation of our terms and licensing. So completely like within their rights. But I think their reaction was wrong and so do they. And, let me find the exact one. This is the one down side. I gotta make sure I'm reading exactly the right one. So this is, yeah, this is October 30th one. Yeah, right here. This is the word I'm looking for. This is what they said too, when I talked to them. These are their words. I didn't do a video after I had a conversation with them. I wanna wait till they had the blog post out. And then that result is we reacted too quickly; in doing so, we made mistakes.
This is just a human thing. People make mistakes and they see in the outrage of the community. And I directly talked to them and I said the same thing the community's saying here. I didn't defend. Well, you know, they should have gotten rid of it. You know, I was definitely not of that attitude. I was like, well, they should fix this. And then when I got to talk to people directly at Netgate, I was like, this could have been solved with just changing it to 129. And so they've had a lot of feedback and yes, they brought it back for 129. So now you can get the TAC Lite system in there. Now there's another note here that I think is really interesting. And it's the fact that they are going to update to OpenSSL 3.0.12 in both pfSense Plus and CE. So they're doing the work that it takes to put all that together. And that's no small task. There's another blog post they have specifically talking about that. We're gonna get on this topic here in a few minutes about why that matters so much. And it's pretty much because all your VPNs and lots of other things are based on it. Back over to here though, the going through their details here. So no impact on Netgate appliance orders. Like I say, how to get TAC Lite for new installations, a Netgate store subscription option. If you've already done pfSense CE Plus home lab with upgraded TAC Lite subscription, you can make the purchase through the Netgate store. Just ensure you have the Netgate identifier handy for a smooth transaction. Please note that existing home lab users who choose not to purchase TAC Lite subscription will not receive updates when they are released. Now this means you have until, this is a confusing point that I think some people had but you have until that next version of pfSense Plus. So if you're on pfSense Plus, but you are going to choose not to do this. You do not want to buy a license. You're not running Netgate hardware. Okay, then all you have to do is switch back to CE.
Simple as that, or wait for the next version of CE that comes out. Because the next version of CE will be out pretty soon. 23.09 is coming out relatively soon. And I don't think 129 is an unreasonable amount of money for this for the Plus version, but you don't have to get it. You can get CE still and it's free. And they're updating this problem with the OpenSSL to version three in both CE, it's not out yet, and the upcoming pfSense Plus. So back to the topic here. If you want to switch back one more time, I have a video on it. It's really simple to do to roll backwards to the previous version. So if you, no one is locked in there. So it's not a huge deal in some instances here. I feel bad that I suggested everyone switch to it, but anyone who switched to it should have known it's gonna be 129 because I never hid that. That even, it said it on their page from day one is going to be, it's 129 sometime in the future. Well, it's now that is the future. It would have been a smoother future. And they know this, and we all know this as people who are users of pfSense. We all are aware that the future would have been better if they just would have said we're just dropping the free and going with the, going with the 129 now. People would have shrugged their shoulders and they would have said, well, they put it in writing since the day they released pfSense Plus that sometime in the future it's gonna cost 129. And now it does. The downside is there was this little hiccup for a few days where it was not available. So there's actually only a few days of not available. And this is where, well, everything is kind of upset. And I get it, cause they shouldn't have done that. And they apologize for it. And you can forgive them, you can move on, you can use something else. That's really your prerogative to do what you want to do. Oh, you can roll back and put your config of Maximilum Assault and Restory Configuration.
Yes, I want to answer some of these questions that are in here as best I can. You bought a 6100 and you can keep the pitchfork in the shed. Yes. Yes, yes, yes. Just a lot of people in comments here. I'm trying to find which ones I can answer real quick before we go a little further. But I think you guys get the idea here that, you know, Netgate is someone who has made mistakes. They fixed the mistakes. Now, one last thing I'll offer for you, and I'm gonna throw this in there. And I don't have a link for this. I'll post it in my forums now that it's gonna be public information. Cause hold on, let me give you something that you will like. I was able to get this or giving it to other people, but they said I could share this in my video and I'm gonna zoom in and TAC Lite. This is a TAC-LITE, really simple. You can use this by the way to get this for $99. They said this is good through November. So if you would like to buy it cause it's back on the website, this will get you a discount. There's not anything, this is just a discount code that lasts until the last day in November of 2023. And you get $29 off for each one of these that you buy. Pretty simple, I thought I'd mention that on there. Cause I did, their marketing people said they would offer a discount. I said, okay, what's the discount gonna be? And they didn't know at the time exactly what it was. I think they weren't sure, but they just sent this to me today. And you know, when the blog post came out today, they sent this to me and said, yes, you can use it in the video, you can share it with the crowd. So cool, you get another 30 bucks off. So $99 for your first year if you want. Just offering a discount code here folks. Now let's finish a couple more comments here. Home users don't even use all the features. $129 a year is too expensive. We'll stick with CE, this stays up to date. Well, and we're gonna talk about a few things related to OPNsense in a minute.
Cause this is gonna be where I have some things that I really wanna discuss about security. Let's see. It's for the most part, home users don't really use that one thing, a lot of the only real thing, let's just say it that way. The only real thing that I would say is a big plus, you know, play on words here for home users using pfSense is gonna be I love the boot environments feature. I know they put a lot of work into it and maybe they'll kind of backport it. But I think for a homelab people, that's a cool feature, but a lot of you virtualize it. So maybe it's not as big as a feature, but I do like to be able to do the boot environments. Outside of that for a home user environment, pfSense Plus doesn't really have a bunch of things that home users really need. So, you know, it's, I don't think 129 a year's bad at all for a firewall. I mean, you pay more for Netflix. I'm just saying. Yeah, I'm satisfied with this. They said it would be 129 and they're living up to it. That's how I feel too. I wished it would not, you know, made it difficult and they could have just done this. But in a nutshell, they took the hard road to get there. The roundabout way of wondering what would happen if they didn't do it. Or I don't think they even thought that far. Like I had a conversation. They're nice people. They contributed a ton of code back to the code base. We'll talk about that in just a second here, but it's like, I don't think they're intentionally angry, malicious people. They just are human like all of us and do things that sometimes don't make a lot of sense to the rest of us. Yeah, the boot environment helped me out a lot. For non-profit organizations, I'd reach out to them. I don't know if they have any discounts for nonprofits. I mean, if you're a non-profit, you know, buy a Netgate appliance and see if they have a discount on the appliance. And if you buy an appliance, you're kind of fine with that.
Now, here is the things that I wanna talk about that are why I'm staying with pfSense. Now, I've covered all the pfSense drama change here. So you hopefully have watched this video 13 minutes in. You can stop watching here if you wanna know why Tom's staying with it. You know that what pfSense did, what they changed that they apologized that you got a discount code, boom, we're 13, we're 14 minutes in. And that is where we're gonna put a demarcation here on now Tom's gonna answer questions and talk about a few other things. Explain pitchforks. I had said in the beginning of the video, people are getting their pitchforks out because they're angry that they made changes to the Plus license, but now they technically brought it back to what they originally said when they released Plus. And if you have a Netgate appliance, a 6100 or really any Netgate appliance that is not end of life, you can keep loading and you can keep loading the updates for free. The Netgate appliances come with pfSense Plus and you don't have to do any of this licensing. This is only for people running boxes like this that are not Netgate appliances. This is who this applies to. I mean, or virtualized people as well. But this is the one thing I wanna talk about cause I see, man, I know people keep telling me OPNsense, OPNsense. And that's not really, there's some complexities here and let's talk about it. So this is me a couple of days ago before they fixed it. And I said, I think they'll fix the issue. I'm not likely to switch for a few reasons. Let me zoom in and it's really clear. This is in my forums, these are my words. This is me, I'm LTS Tom inside of my own forums. And we have many pfSense systems in production at clients running Netgate hardware. My business use case. We have sold these to a lot of customers. I don't remember the exact number, but it's more than 50. And we have to manage all these. They're on Netgate, it works.
We have spare Netgate appliances so we can rapidly recover clients. Yes, we have spares in stock. If a client has a failure, if we have to go on site, we can grab their config file and reload it. These are all the reasons I'm staying with pfSense and not switching to OPNsense. Now, pfSense has integration with our business tools. I spelled out business tools, I meant to say hour. And we have it integrated with Auvik and Blumira. I don't think Auvik has an integration for the OPNsense, so I'm not sure and I know Blumira doesn't. There's no easy way to move all the complicated configs over. Yeah, there's not a one-to-one config change. So there's another challenge with it. My team is very familiar with pfSense and retraining people has a high cost. We have an entire team that support this, that support very complicated configurations. So we're not likely to change. This is just the way it is. Buying a license for the business stable version of OPNsense doesn't really make sense, because yes, OPNsense does have a business version that's stable with less updates. And that doesn't make sense when we already have Netgate hardware. There's a cost to that. It's like all the other things and their own licenses on top to get a stable version. And this is the last one and this is a big one here that I have a lot of comments on. I still don't have the same faith in OPNsense when it comes to security versus pfSense. And in my forums is a list of the pfSense CVEs and the OPNsense CVEs. OPNsense has a lot more vulnerabilities in it. It's just one of those things. That's gonna be a factor. Now let's go over here of why I cannot use and this is a compliance problem. I can't use software with vulnerabilities in it. You can be comfortable doing that and I am less comfortable doing that. And this is very pointed.
I wanna say at the fact that even Netgate, I'm completely aware that pfSense still is based on the current released versions of CE and Plus are still running the older version of OpenSSL which is OpenSSL 1.1.1. This is what ships in BSD. Now Netgate has been working to update this. So yes, this is absolutely a problem because OpenSSL 1.1.1 is no longer supported. Don't ask me what happened to two. They just jumped into three as the new versioning number. So now things have to move to OPNsense version three. Now this is from the October 25th of 2023. So five days ago, this is the release notes. A word of caution for third-party repository users. This is from OPNsense. The previously currently changes a number of things in our ecosystem. My first to change is to move the OpenSSL package to OpenSSL 1.1.1. Since the former is now based on version three, this can and likely would disrupt updates of third-party packages not having followed this change. While we want to use OpenSSL three eventually, being in the middle of a stable run is not the place to do it. That's kind of a problem because right here is a CVE in OpenSSL. That means there is an active, now I say active CVE, but let me clarify. I'm not saying the skies are falling or anything like that. I wanna let you know that this CVE to my knowledge is rated as moderate and I don't know any way that this breaks a VPN. But the fact that there's an unsupported OpenSSL is a real problem because if they find another bug in it and they have not moved to the new version of OpenSSL and they're still basing it on the old one, who fixes that bug? By the way, it's not being supported by OpenSSL and OPNsense waits for things to come downstream from BSD because they're not a major code contributor to BSD. They are waiting for it to come downstream. And because they're waiting for it to come downstream, it means right now you have an OPNsense being released with vulnerable libraries in it. And this is just a problem.
If we look at what pfSense is doing, Netgate migrates to OpenSSL three in pfSense Plus. Now they had commented that they're also going to do this in the pfSense CE. So they're gonna have a release of both coming out soon. So even Netgate is technically, because it was end of September. They're 30 days past and have a library within here. Now there's no major flaw at this moment. There's just that CVE that's moderate that has something to do with the key generation. I haven't found anyone's write-up to tell me exactly what could be compromised with the key generation in there. But nonetheless, Netgate is moving to OpenSSL three. This is not like just swap the library. This is rebuilding everything that depends on it and the people at OPNsense are aware of that. That's why they have delayed this because they know it would break so many things. And this is all the things that are using this. Anything that uses a CA server or CA certificate, OpenVPN instances, and other consumer certificates. Certificate manager, IPsec. Unbound does not require any adjustments because it still supports SHA-1 certificates for the time being. And the migration to OpenSSL 3 was essentially the work done by Netgate and 23.09 support was complex. The changes have been incorporated with as little impact to users as possible but some services may require reconfiguration to tell your certificate to use stronger algorithm because some things are gonna be deprecated. This, like I said, is kind of a stop right there for me to run OPNsense because I would be loading something, if I were to load this, that has an insecure library and no roadmap, no date planned to get that fixed. And if I'm wrong about that, if someone can point me to, and I've been in OPNsense forums reading through it and this is the release notes, that they're staying with the old unsupported version, this kind of bothers me that they don't have a plan to fix.
Now, like I said, I can be completely wrong about something and people can tell me I'm wrong. Please post in my forum, send me a message, a DM or whatever you need to do to say, Tom, you're completely wrong. There's nothing wrong with OpenSSL and they somehow are gonna magic it, support together. Someone's gonna update those libraries but according to everything I've read, that is a dead version and that's the reason, Netgate and other companies, this is something you can go through. The OpenSSL 1.1.1 problem is not just a FreeBSD problem, it is an open source library support problem against other packages. So it's definitely something worth discussing here. So let me see if there's any questions on this. Ah, do-do-do-do. I thought the pitchfork was a reference to the FreeBSD. We can go with that. Well, they could just require the OpenSSL 1.1.1 package when installing the OpenSSL 3.0 package, I guess. Yeah, that isn't, you have to refactor some code to make that work. I guess Netgate's hardware is just stable and paying anyways, it prefers to pay the hardware that comes with the software free tech support and it's fanless, I think is probably the word you're trying to say there. Yeah, 99 a year is a no-brainer. I feel like the 4100 might be a sweet spot for home users, maybe 6100 for going crazy, yes. I like that. I will laugh at people who call me PF Simp. I'm just saying, if I were to switch away, I've seen people calling for the end of Netgate. The reality is, Netgate is helping to prop up FreeBSD. So is iXsystems, but there's a reason some of these other companies are kind of looking at other alternatives. It's sad, but FreeBSD is not what it was before. It doesn't compare to Linux in terms of support. This is one of the things, firewall support's difficult. Having upstream support's really critical. I mean, if there's no easy solutions for that and no one's contributing code, yeah.
Besides pfSense and OPNsense, what other home open source free firewalls do you recommend to try out? That's a good question because I don't have an answer. I was going through a Wikipedia and I was doing this in another live stream, just as a discussion. I used to play with so many old firewalls and things like that. I say they were new when I was using them, but I loved all of them, like Smoothwall and IPCop. They're all defunct. There's just not anyone supporting open source firewalls anymore because of the complexity of the firewalls, there's very few of them left. And when you're trying to get someone to do code audits, code review and really poke at security for these firewalls, you can't just trust any one company for it. Especially when my task is keeping my clients secure in a commercial sense. I can't just go, well, I'm just gonna use a free open source project and hope they update things that they said they don't have a roadmap to update. That's kind of a problem. I would be a hypocrite to use something that literally doesn't have a roadmap of fixing out of date library support. There's no way around it. I can disagree with Netgate, but also realize they are the best option for security. Those things can both be true at the same time. So I laugh that someone's calling me like I'm defending Netgate, but I'm like, I didn't defend their decision, but I also have to defend my clients against security threats. The other options are, when it comes to open source ones, I don't really know because Untangle got bought by Arista and they only, I think they only have, I don't think they have anything for free anymore. They only have the Untangle home edition, but I think they remove the word, double check that they remove it from open source. I was never, like I did some Untangle videos as this never a big fan of them. They have a weird firewall interface, essentially is how I felt about it, but Untangle is another option that's out there.
Sophos bought, someone can remember in the comments because Sophos, I think it's called Sophos XG. They took a commercial firewall or an open source firewall and just got rid of the open source and rolled it into their own thing. I can't remember which one they bought. Was it Endian firewall or was it Smoothwall that eventually worked its way into being that? I mean, there's just not a lot of options out there. I appreciate your coverage, Tom. I was very mad at first, found out, but after hearing your insight and coverage, I'll miss VCE for my house because I don't use the features. Yeah, OpenSSL one was dead in the water the December two CVEs. You've been thinking about migrating open source through time, but ultimately you didn't because stable API, yes, concerns by customers. Okay, OpenSSL two was consumed by OpenSSL for FIPS so they advised to move there. Yep, without Netgate, pfSense, OPNsense. You know, and this is something I, people don't really realize. VyOS is great for data centers. They have a license. If you want a stable version of VyOS, get ready for this, 8,000 a year. That's on the VyOS page. So when people talk about VyOS being an alternative, I'm like, to what? Yeah, Smoothwall and Endian were two really cool and Smoothwall, Endian, IPCop. I mean, there were some good ones out there, but yeah, it's just a lot. Oh, let's see. Yeah, Sophos has a homelab version of their firewall. Their homelab I think is free, but it has limitations on there. I don't know what the limitations are because I don't use it, but yeah. I see people, I've seen people say this, I don't use it. I don't really have an interest in using the Sophos one. I don't know. Some people like it, some people hate it. Yeah, IPFire still exists, but boy, feature lacking is for sure. They don't have a lot of features. Yeah. It's interesting that pfSense went for FreeBSD so early, but has such a problem with OpenSSL. No, they went to, they have a whole thing of why they went to 14.
It was because they knew these things were coming because 13 is still on the old version. 14 is on the new version of OpenSSL. So, and by the way, Netgate is contributing a lot of the code to that. So that's a whole other thing that Netgate is contributing so much to the code. Matter of fact, one of the things I thought was interesting, and let me highlight something for people. One, this right here, you can dig through all of these. This is some of the pfSense developers. I was going through and some of them have unique enough names. It's super easy to find some of their code contributions. But one of the things I wanted to point out, for example, is like this right here. If you're wondering, how did FreeBSD get two and a half gigs support on those network cards? I've seen people go, but OPNsense supports it. Yeah, OPNsense wouldn't support the network cards if it was not sponsored by Rubicon Communications LLC, also known as Netgate. There's actually a ton. If you start going through all the code contributions that they've done, you'll find that there's all these drivers, all these things. Matter of fact, Christian McDonald, you may have seen him do some posts before. I've recommended his video on WireGuard, Christian McDonald. It's been submitting code patches. This is by Christian McDonald. This is the Unbound Python support and all the updated Python things that got fixed in there. Yeah, without Netgate, how does OPNsense benefit if someone doesn't write the drivers and do the updates? I'm just pointing out, that's one of the things with it here. It's not like, people are like, oh, you're rooting for Netgate. No, I'm just living in the real world where I want my free thing, but someone had to write all the code for my free thing. This is, I just was debating someone in my forum because they were complaining about Xen Orchestra locking things behind a paywall. I'm like, oh, no, you just got to compile it yourself. Oh, no, I shouldn't have to compile it myself.
They should just give me all the features for free and not charge. I'm like, no, they charge for service delivery, but you can compile it. I have a video on how to compile it yourself. I don't know. But in FreeBSD, OpenSSL can use for a base system, but the ports can opt to use either base OpenSSL or the port version. I guess the problem is they don't want to use different versions. Yeah. Konegate, Translate, Christian, BSD Linux, BSD to Linux at some point where that'd be too challenging. Yeah, that's not happening. Yep. They went the 129 route. Ping me if you want to join, Jason, and join in the debate of all this fun stuff. But yeah, they went the 129 route, essentially, and they gave us a discount code of TAC Lite so we can get $99 for the trouble, I guess. Yeah, this is, yeah, there's no way for them to simply move it over. You can't just take and swap the system to be Linux on the back end. There's way, way too much dependency for both OPNsense and pfSense on things that are only features of FreeBSD. They're very intertwined. And the reality is these are the projects that are helping to prop up, you know, well, putting all the code. Let's pull up, where did I have this? Right here. I shared this. This is posted in my forums, all the details. This is all the code contributions. This is from, not Netgate. This is from the FreeBSD Foundation. Netgate accounts for like 8% of the sponsored commits. Netflix is 15% of them. Juniper Networks is only 6%, but Juniper Networks actually went through some of the things like they're committing firewall things to it as well. So you have these companies doing it. So without all these large scale code commits, they're doing it. Now, someone, I don't know if I can pull this up. So I have it. Yes, let's pull it over here. You know, I even, I'm not in any way telling people just not to use OPNsense, because I know that'll come up. I did, there is a thread right here you can find where I had a discussion with Franco.
I think he said, head of the project at there. And we were talking about OPNsense. He has a link here, and you can see what code commits they're doing. They're not doing none, but they're doing very little code commits compared to the other people. For those of you wondering, so I addressed some issues and you can see me posting as Lawrence Systems in the forum. So if you're looking for me in the OPNsense forums, I'm not gonna spend a lot of time in there, but if someone wants to call me out or tell me I'm wrong, I do have an account in the OPNsense forums. I use the same name on all my forums, Lawrence Systems. So just so people know. Yeah, Jason's right about this. The UDM is manned from an extra firewall standpoint. Also, the UDMs are not very customizable. The firewall rules are atrociously bad to write. And yeah, as a fellow MSP, I really appreciate you following up on this and putting out the videos so quickly that things happen. Adam, hopefully you're using Netgate hardware and I will tell you a little bit. If you dig around and know where to look, you will find that they are working on from the people at Netgate because this was posted in Reddit somewhere. I'd have to dig around to it. If you dig around, you will find that the... This is actually funny. Are you taking your son to scouts or are you joining the live stream? But I do know that you can find on Reddit, there's a very rough draft that was posted. It may have been taken down. This is by Netgate. There was a comment they made. They're working on a central management system that is going to be for pfSense Plus. So there's gonna be something that's for us IT people who manage it. They realize we're a big category and they're looking at developing that. So you didn't know OPNsense had no roadmap for SSL, changes your immediate recommendations. Yeah, yeah. It's, like I said, this is a big concern because if they have to rely on things to happen, I just don't think they have the staff.
Matter of fact, I thought I had a discussion I could pull up on that. It's in their forum. If you dig around, they were talking about this as early as May in the OPNsense forums going, we'll wait to see what FreeBSD does was kind of comments I've seen people making. And I'm like, okay, but that's not really a plan for security to say I'll wait for when FreeBSD gets around to fixing it. VyOS LTS can be built from source someone XP and G, but that's not the same as actually supporting it. Like they want you to use their rolling release if you have to build it from source each time. That doesn't make it easy to update. Oh, Jason's going to join me. Here, let me send him the link. Jason's actually spent a lot of time in the BSD world. OPNsense 24.1 have a roadmap for OS version. No, I don't think this will be, see the UDM can't hold a candle to what you can do with pfSense free. And this is kind of the problem. Hey, Jason. The, so this is people will use a UDM over a pfSense. In reality is you can't hold a candle to the abilities of pfSense compared to like a UDM. You've got so much more flexibility, so many more features that people use it. And I think for the free version of CE or even paying 129 bucks a year, I don't, you got to go to like Juniper to get those level of features in a firewall. You got to go to something that's a lot higher in the more. The management piece of it, it's all just open source stuff, right? If you're willing to go to the command line, you can do all of that stuff without any licensing. Yeah, yeah. For, see someone says, who's the person on the screen? This is Jason Slagle, president of CNWR. For people that don't know when I split merged my company, Lawrence Systems does the media stuff. Jason handles all the IT stuff. And I make media and then do consulting at CNWR. All that fun stuff. There's a video on it, you can find that's. Yeah, I'm a long time, I'm a BSD guy. 
Yeah, Jason's a BSD guy and he also has the same task that I do because people are asking, why can't you just switch to OPNsense? And I said, you know, we have a lot of clients with pfSense. That means we can't just drop and swap because we got to train everybody, we got people that know. But also OPNsense doesn't have a security roadmap right now. Yeah. I mean, I think we could probably port the config over. I started looking at it and it looks like it's probably not that bad to do, but why? I mean, just go back to CE if you're worried about it. That's kind of my attitude, just like roll. I showed how easy it was to roll back. It's like a, it takes so little time. It's like a 15 minutes to reload one of these firewalls. And someone pointed out, I should have said in my video, if you copy the config on a USB at the same time, you can do it in one step instead of booting it up. So yeah, you can do it in one step versus Tom's two steps of booting it, loading the config and telling it to reboot one more time. Yeah, the thing we're missing though, as you know, is going to be the central management piece. That's, they're working on it. I mean, they told me they're working on it. I seen some preview stuff. I think that's pretty cool. And being a BSD guy, how do you feel? This is the bigger picture stuff. How does BSD look compared to the way it used to look? I mean, it has a different goal than a lot of the Linux distros do, right? I'm still on, even though I haven't contributed a long time, I'm still on puppet@FreeBSD.org. If you email that, I get it. I'm one of the members of it. I helped Puppet, the newer versions of Puppet and Leatherman and some of the other dependencies over FreeBSD. It's not great compared to where it was, I don't know, 15 years ago. But I mean, then again, F5 used to be NetBSD, right? Like you used to have a bunch of these BSD derivatives used places and now there just aren't that many left, honestly. Yeah. So is, am I wrong? 
Someone's telling me Juniper's no longer FreeBSD. I don't think that's true. I don't know. Not all Juniper is FreeBSD, right? So that is a very, very big distinction, but are the newer Junos, is the newer Junos Linux? What other firewalls are based on FreeBSD right now? So they're running Linux on the bare metal and then they're running FreeBSD in a QEMU virtual machine on the Linux host. Got it. Yeah. Yeah, because they're still listed as one of the, big co-contributors is still them. They still, Juniper Networks. I figure that means they have at least a pretty strong reliance on it of some sort, so. Yeah, Junos Evolution or something is Linux, that is correct. So I think some of the newer hardware has moved to direct Linux, but that's a lot, right? Like, so Juniper was basically, it started out as all FreeBSD, which is commodity hardware, and then they started making ASICs, right? As you want to go faster, you make ASICs. Well, if the drivers that run those ASICs are written in FreeBSD, then you have to basically port them all to Linux, which has a considerably different low level API than FreeBSD does. Yeah, and I think that's what people just don't understand when they were talking about, they can't just swap the kernel of the Linux, no. The PHP interface is not the hardest part of writing a firewall. It's all those integrations to get everything to work the way you think it should work. There's a lot of details, everything from IPsec VPNs and OpenVPN, which I'm actually kind of, OpenVPN DCO is coming, which is pretty cool, and Netgate is the one who brought that over to FreeBSD. It's in the 14 version of FreeBSD, so that's another good feature. It's a way to stop swapping things back and forth over to user space, which slows down OpenVPN, so it puts it all, the data channel, the data channel gets offloaded in kernel space so you can have a much faster connection over OpenVPN. 
Actually, rivals WireGuard, it's kind of slick, and of course, it's OpenVPN, so it has all the other facilities within it that you're used to. Interesting, somebody has ported IPFW to Linux, it looks like, so you actually could get IPFW on Linux. That's interesting. I didn't think anyone would take the time to port that. Oh, I see someone asking about MikroTik. Man, such a good idea with such a bad software implementation. It's like, it's... The only thing they get going from is they're really inexpensive. Yeah, 100%, right, RouterOS or WinBox, like, let's, yeah, WinBox is a turd. Oh my God. I have no other nice, I have no nice words to say about WinBox, it's terrible. SonicWalls are actually, what was that software they used to use, because it got, it had a lot of bad vulnerabilities in it. What's that? Was it VXOS? Something like that. I think VXOS is all Linux-based these days too. Yeah, a lot of it switched. Someone said SonicWalls moved over to Linux, but don't use SonicWall. I'm sorry, they're just not. Maybe Dell will buy them and then unbuy them three or four more times. Yeah. Yeah, it's, Netflix is obviously a big supporter of the BSD project, because that's how Netflix has all their streaming stuff. They're the, they contribute 15% of the commits now, which I think is pretty wild. Yeah, I actually started Thunderbird just to like, take a look at the previous emailing list, because I'm still on a bunch of them. Yeah, it's, that's the thing. There used to be so many open source firewalls out there. And I think with the increased complexity of what it takes to build and manage a firewall, they've all just gone defunct. Not enough people have enough time to keep up with what it takes to run a firewall here in 2023. It's a, Steve Gibson over at GRC had a really good commentary of why there's no one writing a browser. They did some like, how hard it is to write the engine inside our browser. 
And I said, to start one from scratch today would take a massive team. Yeah. Well, I mean, unless you use somebody's JavaScript implementation. Right, but that's why everyone's like, that's why everyone just says, we're either gonna go Chrome or what's the engine in Firefox called? Oh, I forget. Yeah, because that's only engines we have left. We have the engine that comes out of Chrome or the Chromium engine. Even Microsoft went that way. Even Microsoft gave up on doing it. I mean, it wasn't worth the resources in trying to do it. And I feel firewalls are getting that same way because, you know, look at how hard it is for even a company like Fortinet with all the CVEs they've had. Oh, horses go recently with their CVEs. Yeah. So somebody commented that like moving the FreeBSD stack at Netflix to Linux would be a monumental task. It actually probably wouldn't be. But if you hire a bunch of people that understand FreeBSD and can do kernel code and can roll your own and building world is super easy and the dev chain is simpler than a lot of the Linux distributions, you'd have to hire a whole new team that understood Linux. That's the actual monumental task. The porting the code is probably trivial. Yeah, and they've done a bunch of, my understanding is I talked to someone who was one of their devs a long time ago. It's just all kinds of neat things for packet streaming they had to do, which the dumbest part about what they actually have to do has more to do with licenses because they can't do any type of multicasting there. There's like a license rule. So they have to know what IP address and what household is actually getting each one. There's a ton of like accounting things they have to do. I was talking to him, I'm like, that's so absurd. 
He's like, yeah, he goes, if a bunch of people started watching the same thing we could do the packets differently but it would violate licenses that we have with the movie companies that don't care that we're trying to save bandwidth. That's why they have all those edge devices that they do to make that work. I mean, a lot of these things are also not forked RHEL, right, like they're, so I see somebody saying here, you have to fork RHEL. I mean, a ton of these OSs are also Debian based and you also see a lot of the, a lot of the ones that are in use in the enterprise software stacks, they're not based on any of the commercial change, right? They have their own tool chains that develop their very own basically distribution, right? They're not RPM based in many cases. They basically just untar a working operating system more like atomic. Yeah, I mean, let me bring this up real quick. So you probably heard of VyOS, right? Yeah. That's the one people keep talking about. I'm trying to find their price page because they've really made a nice job on the, on redoing the website and everything else. Where is the download rolling release? Or do you gotta find your subscription page? Because they only give you a rolling release now unless you buy their subscription. Oh, there we go. Now I can pull it up. I mean, I guess it's possible they're RHEL based, but man, that's a lot of overhead. Yeah, I mean, I can see Facebook probably forked RHEL, probably forked CentOS, not RHEL or Fedora, but yeah. Yeah, but if you want a stable version of VyOS that you don't have to compile yourself and grab all those codes, it's only 8,000 a year. I mean, clearly this is what the home user should all be, he keeps suggesting. I mean, they do give discounts. If you buy a five-year subscription, it's only $6,400 a year. People keep asking me to do videos and it's like suggesting like it's a homelab thing. 
I'm like, I don't think VyOS is really, it's a good, if you have a job that you want to get in the enterprise networking space, take the time to learn VyOS, play with the rolling release, learn it. I don't see it as the home user replacement for pfSense. So I've done work for a lot of enterprises and I've never come across any of them that would touch any of that shit with a million-foot pole. Like where you're gonna come across that stuff is data centers and other places like that that are rolling their own, right? It's not gonna be like we presently do work with a couple of Fortune 100s and they would never touch something like VyOS. They're Cisco or FortiGate or Palo Alto or there's some sort of commercial vendor. They're not open sourcing it. Yeah, exactly what Jason's saying right here. They really, is the large companies generally gonna go for that and bringing us back to what this whole topic is about. Is there an alternative to pfSense that's viable for home lab users? Nothing jumps out at me. I didn't know if anything jumped out at you for other open source firewalls. All of them are defunct. I think comp was awesome. You learn to configure firewall-cmd or whatever your tool of choice is in Ansible and just push Ansible playbooks for all your firewall stuff and there you go. You don't need a pretty GUI. Yeah, you can just do it that way. Just do it all by hand. I was trying to find, so. There's another one, Cumulus Networks is another one of those very popular cloud-based one. And then Tinser is the other one that you've obviously turned on to. But Cumulus is used by a lot of the companies that just use the Broadcom reference platform and then they throw Cumulus on it and have like an IOS-like interface. I like that this one still exists. This is, I think this is probably a long derivative, like what do you call it from IPCop and things like that. But when you start looking, they have IPsec and OpenVPN and it's really basic if you look at it. 
Even the documentation is really, really weak. So I think in the end, what has made both pfSense and MikroTik live forever are wireless ISPs. Yeah. Like that is the use case for both of these devices for many, many, many years, right? Because even the same thing, right? Like when you get to the enterprise level, no one's run a pfSense, right? They're all, they can, like that $10,000 a year like licensing fee, that's like a rounding error. Yeah, it's niche. So there's enterprises running it but there are specific use cases. They have some good blog posts on Netgate because it's used extensively in the military. They've got some posts on that, which is weird but I guess the Navy likes it. Yeah. The wizzy guy is right that NVIDIA did buy Cumulus. Oh, did they? Yep. Yeah. There's not much under. Is Endian Firewall still alive? It looks like it hasn't had an update in three years. I used to use this one forever ago. All these fun firewalls and they're all just gone now. This looks like this is a Firewall. Endian OS, that's great. It's a bigger little. Yeah, bigger little endian. UTM hardware appliance. Looks like they got rid of the, I don't see like a free, I see free trials, they went commercial. That's all these companies, man. Firewall is another one, right? They went commercial. They were open source for what? But I thought. Firewalla? Yeah. They're weird, they've got, they actually commit a lot of stuff to open source but their management control plane is web based. So it's a cloud firewall. So you put things in the cloud. A lot of people like it. And from a home user standpoint, I think they're neat, but they're super basic. But they actually have decent layer seven filtering support and they're all controlled from a phone app. Yep. Well, they also have an MSP platform for what it's worth. Yeah. Someone reached out to me about that. I said, no, I'm not, not really. 
But ultimately, you know, I had, I actually had a conversation, I don't know if you were in a beginning live stream with the people at Netgate. They just, oops. Yeah. I mean, I think that they gut check reacted too quick. I mean, because the reality of it is unless, I haven't actually dug under the hood of pfSense Plus to know, does the license key authenticate you against the update servers in some meaningful way? No, it's not hard to bypass. You can simply clone the server and have a great day. Yeah, okay. So all of those people that are shipping the routers that are using pfSense Plus illegally, they're just gonna do that. Like this isn't actually gonna solve the problem they're trying to solve. Yeah. That's my exact words to them. I said, and they were mad because they're using a free licenses. And they actually commented on Reddit that people were, you know, they have the emails where they were using like the people that I guess Protectli were using the Protectli email address to register it. Yeah. I'm just like, I mean, they have a way to stop it because they have to email you the license key. But then I don't know, it doesn't, people are gonna do this. I don't know, I guess it was a problem because people probably were calling their support with the same license key and stuff like that. That's probably clued them onto it. But at some point, if it's, even if you made it $500 if these other companies making all these little cheap boxes, they're gonna pay one time. Yeah. So Brick guy's right. If he uses the NDI to authenticate, they're not gonna be able to get updates directly from the Netgate servers. But again, this is essentially a CentOS versus RHEL thing here, right? Like you get, you buy one legit license, you clone the update server and then you just modify the code. You have a build step that modifies it to call your update server instead and you profit. Like it's so easy. I mean, that's so trivially easy to defeat that. 
I mean, you made basically, you took the really, really lazy guys out of it, but now the people, you just upped the level of difficulty essentially. Yeah. If you don't revert the license, you won't, if you have the free license and you're running like whatever the current version is, when the next version 23.09 comes out, you won't get that version. That's all. And I have a video on how to convert back to CE. I don't think the plus versions we're doing it to get, we're only doing it to get two and a half gig support. Yeah, but two and a half gig support's in 2.7 CE right now. So I don't know, 2.7 has the, granted plus came out before, but this happened, all these incidents sound like they happened after. So I don't really get it. Oh, cool. You can post comments from side of Streamier and now if you connect it, you don't have to, I don't have to independently pull the YouTube comments. Oh, nice. Yeah. Yeah, so, but this X-pack guy's point, like no one in enterprise is using pfSense. Like this is not... Yeah, it's niche. They have a market big, but it's, yeah. It's all the shitty wireless ISPs again, right? Like they're buying like bootleg pfSense boxes from some other third party for 20% less than the Netgate appliances and that's what they're trying to stop. Yep. And it's not, you know, I actually gave them the example. I said, I have a, there's a couple of companies that have just been cloning my videos and dumping them to their site. I'm not going to stop making videos. I don't know what to do about it. Like it's just, they're stealing my intellectual property. I'll send them a takedown notice, which I have a fun plan. I'll talk to you about later on that because it's going to be something funny. One of them that's doing it. What's the story on Untangle? I'm not a huge fan of Untangle. I don't know. I don't hate it. Arista bought it. They have a home lab version, which is nice. It's like 150 bucks a year. It's got some decent features. 
I just, I'm not a huge fan of the interface. I've never gotten, like there's just things in the interface I think are kind of quirky with it. So, oh, I guess this is a fair point. We have a hardware support for Netgate devices. I have trouble with it. Well, the trouble in Europe, if I'm not mistaken is really just the fact that it's hard to get things over in some areas. Like getting them brought over. That can be really challenging. There we go. CLI, all the things. I mean, that's the best way to learn. It is the best way to learn. Unless that CLI command is firewall-cmd, in which case you should just kill it with fire. Just learn iptables. Yep. I will go probably another 10 minutes here to see if we can answer any more questions that people have about firewalls and things like that. Reposting Tom's videos is gonna be my business plan. Sorry. I do know a school was using them. I don't know what to say about that. My videos are being played in a class and I got this crazy DM from someone that they asked to remain anonymous because they spent money to an IT training class. And he goes, I'm so angry that I'm watching your videos that I already watched in this class. And I said, are you at least watching on YouTube? He goes, yeah, they didn't cut out your part where you said that, jumping around in a video and using you as an explainer. He goes, I didn't pay all this money to go to this class to watch you. I thought that was so good. Lazy professors exist everywhere. Yes. You know what's funny? I don't even think I have a copy of my own puppet book here. Oh, you look at your bookshelf. Yeah, that's funny. Yeah. By the way, I'll mention it one more time if I can find the link. Here we go. The discount code, good to November, just so people know, is going to be TACLITE, T-A-C-L-I-T-E. That'll get you that 30 bucks off. I threw it in here. I thought it was nice that they're offering a discount. 
I mean, it'd be better if they didn't make mistakes, but hindsight's 20-20. We all wish we didn't make mistakes. That's how I feel. In the end of the day, they're human. Who OEMs their appliances? Are they SuperMicro? No, there's two companies that they use. They do the design. They have an industrial designer for all those white box ones, the ones that we have a lot of, like the 6100s and 8200s. SuperMicro is all the big ones, like the 7100s. Yeah, that's clearly the 1537. It's clearly a SuperMicro. Yeah, and they don't hide that at all. Matter of fact, if you notice when the boxes get shipped to us, they all have Netgate written or SuperMicro on the box. They don't even like rebrand the boxing. They are custom because they have a special backplane and not that custom, but it's a one-off. But I mean, that's really easy to do. Like even our ProMedica, our big health system down here, they have a Lenovo tiny bomb that like literally they only sell their ProMedica. You just have to buy enough of them. I started seeing repost-launched videos in my feed and I handle it like the react videos. That's how YouTube recommended me, prefer the original. If you let me know, if they're on YouTube, I can issue takedown notices. It's the third parties that are copying my content that I can't issue takedown notices. Well, I can, they just don't go anywhere because the people putting them up don't care. Those sites usually don't last long so they don't get a lot of engagement. There's always like, I'm gonna create a YouTube competitor. I'm gonna go grab the popular videos from YouTubers to create it and yeah. But for people, you can get Dell OEM op shows and not, yeah, not Dell. And Ditto uses Dell Micro PCs and servers for their appliances now. Huh, a bunch of old Cisco appliances for OEM Dell. How is the base Netgate model compared to the next step up? It really depends on what you need. 
I did that video recently because Jason had brought this up, calculating just how much processor performance you need to run something like Snort or Suricata. I actually showed on a relatively low end system in that video, you can get away with quite a bit. And yeah, I was shocked at how much I was able to, I was running torrents through it. I was really taxing it. And the processor score is so slow it still wasn't able to handle it without chugging. I was still able to, it was peaking. I mean, the CPU was hitting 90% but it still worked. Yeah, but Snort, it will basically the setup packets, like once the stream is established, Snort is usually out of the middle, right? It's not necessarily examining every packet. No, it's the initial ones trying to do a pattern match on it. I did talk about the efficacy of Snort and Suricata as well in the home user situation where it's not, and there's a reason we use a lot more tools than that. It's like the most basic 101 protection makes insurance companies happy that you're doing something. That's a nice checkbox, but you'd really need for security a lot more than just something at the firewall. How was the endurance of the eMMC in the Netgate boxes? It always concerns me. Probably not great. Yeah, they don't do a ton of writing to it. So it's not been much of an issue. I presume they don't write logs there. They keep really minimal logs. So if you want, what they actually suggest, this is why they have like ones with eMMC and ones with SSDs. Like, do you plan to keep a lot of logs? Do you plan to write everything out and not ship it off to a log server? And by the way, keeping the logs on pfSense sucks. They didn't give you great tools unless you're going to the command line, which this is not what home user to do it. Like export it to a log server, your life will be better. 
Wow, that second to last comment there about SATA DOMs, he must have an entirely different experience with SATA DOMs than I have, because man, I've had so many of those fail over the years. Running VMware on them. Yeah. pfSense runs perfectly fine at AMD EPYC. No, I mean, I imagine EPYC would run it fine. Yeah, this right here, don't focus your firewall and layer seven protection, especially me and you were discussing all the problems found in Squid. Yeah. Just don't try to run all that traffic inspection through your firewall. Use an endpoint protection, it's just easier. Yeah, so there is a lot of information you can gather, well, until Cloudflare gets their way. So you can look at SNI and you can stop a lot of command and control traffic just by looking at SNI, just see where people are going. There's still benefit in running Snort or Suricata or something like Dart cubed, if you're not going to do that, just to block the emerging threat stuff, because so many of these ransomware things, if you stop them from phoning home to command and control, they can't get an encryption key and they won't actually encrypt you. Or just block outbound except known things. You will stop 80 to 90% of ransomware if you only allow known things to reach out. If everything has to go out via proxy and you expect you to get that proxy or hosts that aren't allowed to communicate with the internet just can't, other than updates and known things, you will stop 80 to 90% of ransomware. Matter of fact, that's one of the things I pointed out that if you use even the open threat model ones, they have a ton of IPs in the block list there and they're all the ones. DynFi is a fork of OPNsense. That's true, which invalidates the whole question considering DynFi as an alternative. Yes, because DynFi is just pulling from, they pull, then they do, I don't really know what details they change. It really, I don't think they change anything other than call it DynFi. 
I don't really know any major contributions that they do. Ran sed. They just like, yeah, ran sed, because it says DynFi everywhere it said OPNsense. It has a different logo but it doesn't seem to be greatly different. If I'm wrong about that, please let me know in the comments, but yeah, now this is what DynFi does have. Single pane of glass for all the senses. DynFi supports their own OPNsense and pfSense from central management. I haven't looked at their implementation but a few of these companies, what they do is they want to hold all your SSH keys, logging all your firewalls and they're really small companies. I'm not ready to, oh, let me just give some company access that is some small company access to all my firewalls because what could possibly go wrong with their security taking over and sending commands to all my firewalls at once. Ask finality how that worked out. Yeah, that's true. Yeah. Is there a way around the Pi-hole with pfSense? I mean, you- Not properly configured. You can, the pfSense has a write-up on how to block outbound DNS so you can use Pi-hole and focus everything on that. We used, I used to run a service that I had a driver on my laptop and we would do TCP/IP over DNS because a lot of the captive portals that make you log in or pay for internet access, you could still do DNS queries. So we would just tunnel TCP/IP over DNS. And I mean, it's so slow to be unusable these days and there's so much free wifi and hotspots. It's not worth it. But yeah, there's all sorts of fun things you can do like that. Yeah. I think the last thing I'll answer is cause I've seen people asking about ClearOS. If I'm not mistaken, this is, yeah, it was all bought by Hewlett Packard now. Yeah, it's good. HP has just bought all kinds of things. HP's bought a ton of storage things and shelved them. And killed 90% of them. Yeah, I don't understand HP's business model. If Cisco buys something, all you know is license fees are going up. 
If Cisco, the product may not get any more innovation and it's definitely gonna get a lot of license fees, but HP buys it, it just dies. Well, so I mean, but if you're HP, do you really need seven different network vendors, right? So some of these things, I think they're preemptively buying them just so they don't become competitors later cause they can get them cheap. Yeah. It's kind of weird. And the same thing, like 3PAR, that thing. Yeah, I think 3PAR still exists, maybe. My understanding is it's dead. I think they're on violin now. It's, I mean, I know HP bought it, that's what killed it, or it was on its way out, I'm not sure. It's gonna be a mess. And one more comment on the filtering thing, if you're not familiar, look up Encrypted Hello by Cloudflare, cause they've been pushing that. And there's more breakage. That will kill SNI, yeah, that'll kill SNI inspection for sure. Would you prefer HP or Broadcom to buy your favorite product? They can buy all the things we hate. Yeah. They're both good at, Broadcom's good at monetizing things. They have like their notes on buying VMware were great. Like they, there's no holds barred. You're like, eh, we'll raise prices, people will whine, the enterprise companies are too intertwined with VMware to switch. They'll pay it, end of story and the shareholders went wild. Well, but I mean, that works until it doesn't, right? Then you get somebody like as you're coming out supporting multi-cloud stuff, right? So like you basically create yourself a migration path away from VMware using something like that. Look, what's the product death count for HP, Google, or Intel? Google graveyard hands down. I mean, Google can kill a product better than anyone. They've got it down to a science. Like, I love the Google graveyard. It's just so great. All right, we're getting way off topic here, but thanks for everyone for joining us. This was fun. Hopefully I answered your questions. 
I made sure in the first few minutes to answer the high level questions of what, what changed, what's back. Here's your discount code. And then we spent the next 45 minutes talking about firewalls and all the headaches. We're all just going to move over to XCP-ng from VMware. Jury's still out on that one. Going back to VMware from XCP-ng apparently is difficult. No, no. What's difficult is when you don't remove the drivers properly. I actually, I went and loaded Citrix over the weekend and then removed it and it broke. Citrix still hasn't fixed it. Citrix has deleted, someone had a write-up. Citrix is deleting a bunch of files and modifies a bunch of crap in the bootloader that they shouldn't when you uninstall. I don't know why they do that. Like it's a Citrix problem. Citrix drivers like on their way out when you remove them. They're like, let me just go hammer this for ya. Peace out. Good luck. Good luck, sir. I'm gonna mess out, I'm out. Yeah, it's actually kind of a known issue that yeah, Citrix, when you uninstall the Citrix drivers, peace out, man, it's gonna destroy your bootloader. I don't know why it does that. Thanks, Citrix. They're working, they're actually rewriting all the, I believe even the ones for Windows are getting a full rewrite by the XCP-ng team to avoid silliness. Like they've let Citrix, the Citrix has a signing key for Microsoft. They're like, you guys can keep doing it. Well, now you're doing it wrong. $349, that's a really lame excuse. Signing keys are not expensive. Signing key and the fact that they've already got it like in the Windows update thing. That's the more specific. It's built into Windows update, the Citrix one is. It's not just a key, but like the whole, it's in the ecosystem for Windows. But I love Debian, who doesn't love Debian? This person doesn't love Debian. All right, we're wandering off way off topic. We'll do this again sometime. Me and Jason wanted to start doing some tech support stuff and answering Q and A. 
So back to that. All right, thanks everyone for joining. Use that offer code, TACLITE, get your discount or switch back to CE later.