Re: [pfSense] pfsense h/w
> I'm suffering in my efforts to install 2.1.5 onto my box, so can I change the box? A proven hardware platform, available in the UK with at least 6 physical network ports, I can probably justify buying. Suggestions anyone?

We’ve used these:
http://linitx.com/product/fx5624-intel-celeronm-600mhz-6-nic-firewallrouter-platform-2xgigalan-4x10100/12508
and these:
http://linitx.com/product/fx5625-intel-atom-18ghz-8-nic-firewallrouter-platform-8-intel-gigalan/13468
Pretty frequently with pfSense and not had any problems.

Kind regards,

Chris
--
C.M. Bagnall
This email is made from 100% recycled electrons
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfsense h/w
Hi Chris

I'm trying to use a http://www.mini-itx.com/store/~FX5624 which I think is the same box as your first link, if you can install onto here easily and frequently then it must be me doing something wrong, aaagh

Nick Upson, Telensa Ltd, Senior Operations Network Engineer
direct +44 (0) 1799 533252, support hotline +44 (0) 1799 399200
Re: [pfSense] pfsense h/w
> I'm trying to use a http://www.mini-itx.com/store/~FX5624 which I think is the same box as your first link, if you can install onto here easily and frequently then it must be me doing something wrong, aaagh

Certainly looks like the same unit. Are you trying to install onto a CF card (those units have a CF slot) or are you trying to do a full install onto an SSD or HDD?

Most of ours are done using the embedded install using a CF card, as follows:
- download 32-bit embedded image *with* VGA console
- use dd on a Linux or Mac system to write it to a suitable CF card (instructions on pfSense wiki)
- insert CF card and boot box
- configure interfaces from command line in the usual manner

In the several dozen we’ve deployed, I don’t think any of them have been more complicated than that. Of the two failures we’ve had in several years, both have been down to a dodgy CF card, not the unit itself.

Hope that helps.

Kind regards,

Chris
--
C.M. Bagnall
This email is made from 100% recycled electrons
Re: [pfSense] pfsense h/w
I'm trying to do a full install onto HDD, but I never get that far, I have been unable to get the box to boot pfsense from stick or cd so that I can install onto the HDD

I did try a CF card, that started to boot but immediately hung

I thought there was a very large restriction in packages using CF compared to HDD, is that not the case (I'm coming from 1.2.3 so this might have changed)

Nick Upson, Telensa Ltd, Senior Operations Network Engineer
direct +44 (0) 1799 533252, support hotline +44 (0) 1799 399200
Re: [pfSense] pfsense h/w
> I thought there was a very large restriction in packages using CF compared to HDD, is that not the case (I'm coming from 1.2.3 so this might have changed)

That may well be true - I must confess I’m of the school of thought that a firewall/router should do firewalling and routing, and not a lot else, so my experience with packages is at best limited :-)

> I did try a CF card, that started to boot but immediately hung

I’ve had that on occasion - nearly always down to an incorrectly (or incompletely) written CF card. I don’t know what OS environment you’re used to using day-to-day, but in my experience I could never persuade the Windows physdiskwrite utility to work reliably on Win7. If you’re not using a *nix machine to write your CF card, I’d strongly suggest doing so if you can.

Kind regards,

Chris
--
C.M. Bagnall
This email is made from 100% recycled electrons
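As an added example (not part of the thread, and not pfSense project code), the dd write step from the procedure earlier in the thread and the "incorrectly or incompletely written CF card" failure described above can be checked by reading the card back and comparing SHA-256 digests. The function names and the IMAGE/TARGET arguments are assumptions; the demo runs on constructed stand-in files rather than a real device.

```shell
#!/bin/sh
# Added example, not from the thread. IMAGE is the downloaded embedded image
# (.img or .img.gz); TARGET is the card's whole-disk device node. Both are
# supplied by the caller; no device name is assumed here.

# Stream the raw image bytes, decompressing a .gz download on the fly.
image_stream() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Print the SHA-256 hex digest of stdin with whichever tool this OS ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | awk '{print $1}'
    else sha256 -q    # FreeBSD
    fi
}

# Write the image. conv=notrunc only matters when TARGET is a regular file
# (as in demo below); on a device node it changes nothing.
write_image() {   # write_image IMAGE TARGET
    image_stream "$1" | dd of="$2" bs=16k conv=notrunc 2>/dev/null && sync
}

# Read back exactly as many bytes as the image holds (the card is larger than
# the image) and compare digests.
# Returns 0 = identical, 1 = content differs, 2 = target shorter than image.
# Re-insert the card before verifying: straight after dd, the read can be
# served from the OS cache instead of from the card itself.
verify_written() {   # verify_written IMAGE TARGET
    vw_size=$(image_stream "$1" | wc -c | tr -d ' ')
    vw_want=$(image_stream "$1" | sha256_of)
    vw_have=$(head -c "$vw_size" "$2" | wc -c | tr -d ' ')
    if [ "$vw_have" -lt "$vw_size" ]; then
        echo "INCOMPLETE: read $vw_have of $vw_size bytes from $2" >&2
        return 2
    fi
    vw_got=$(head -c "$vw_size" "$2" | sha256_of)
    if [ "$vw_got" != "$vw_want" ]; then
        echo "MISMATCH: image $vw_want, card $vw_got" >&2
        return 1
    fi
    echo "OK: $vw_size bytes match ($vw_want)" >&2
}

# Demo on constructed stand-in files: a good write, a one-byte corruption and
# a truncated write. Prints the three verify_written return codes.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed image block %s\n' 1 2 3 4 5 6 7 8 > "$d/image.img"
    head -c 4096 /dev/zero > "$d/card"            # "card" larger than the image
    write_image "$d/image.img" "$d/card"
    r_ok=0;    verify_written "$d/image.img" "$d/card"  || r_ok=$?
    printf 'X' | dd of="$d/card" bs=1 seek=3 conv=notrunc 2>/dev/null
    r_bad=0;   verify_written "$d/image.img" "$d/card"  || r_bad=$?
    head -c 20 "$d/image.img" > "$d/short"        # simulates an aborted write
    r_short=0; verify_written "$d/image.img" "$d/short" || r_short=$?
    rm -rf "$d"
    echo "$r_ok $r_bad $r_short"
}

# Command-line use: script IMAGE TARGET
if [ "$#" -eq 2 ]; then
    write_image "$1" "$2" && verify_written "$1" "$2"
fi
```

A return code of 1 or 2 on a freshly written card points at the card or the writer rather than the firewall unit, which matches the failures reported in the thread.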
Re: [pfSense] pfsense h/w
Lots of suggestions on the hardware, but I see nobody mention anything based around the new and much more powerful Avoton platform. The platform is officially supported, and the pfSense store has hardware based on it (looks to be the Supermicro 5018A-FTN4, The Supermicro 5018A-FTN4 server (http://www.supermicro.com/products/system/1U/5018/SYS-5018A-FTN4.cfm) is a mostly prebuilt box with 4 gigabit ports. It sells for 504.99 USD on amazon (http://www.amazon.com/Supermicro-Rackmount-Barebone-Components-SYS-5018A-FTN4/dp/B00G3ED7D4/) and ships to Australia, so I assume it ships to the UK as well.

It only has 4 ports by default, but you can add an Intel i350-T4 NIC (I got one for ~150 USD a while ago off ebay myself) to add another 4 gigabit ports. All up that should still be under 1000 USD which is very competitive considering the C2758 is a much more powerful CPU than anything posted so far excluding that one Xeon box from osnet.

Personally, I'd also run pfSense virtualized and pass the ports through the use of virtual switches, solely to make the entire thing nice and portable across machines (the Avoton is very nice for that, since it has the virtualization extensions to run decently fast).

--
Zia Nayamuth
Re: [pfSense] pfsense h/w
my aim in using the CF card was to see if there was any functionality I need missing

I run a mixed environment but I don't have a unix machine with a CF drive

Nick Upson, Telensa Ltd, Senior Operations Network Engineer
direct +44 (0) 1799 533252, support hotline +44 (0) 1799 399200
Re: [pfSense] pfsense h/w
On Oct 23, 2014, at 5:18 AM, Zia Nayamuth zedestruc...@gmail.com wrote:

> Lots of suggestions on the hardware, but I see nobody mention anything based around the new and much more powerful Avoton platform. The platform is officially supported, and the pfSense store has hardware based on it (looks to be the Supermicro 5018A-FTN4,

It is. The FW-7551 runs a two core version of the same SoC. The SoC in both is based on Rangeley, which is like Avoton, but more Ethernets and a crypto core named QuickAssist.

We have a line of similar hardware coming out early next year. You can see the beginnings of same on the Netgate site. Don't stress about the dev board pricing, it's far higher than production boards / systems will be.

This will be the hardware that pfSense is tested on, and released for. Other platforms will continue to work, but if you want to run the solution that the pfSense team uses, develops for, and tests on, look in the store.

Before someone accuses (because this always comes up), we don't cripple other solutions (witness the AES-NI acceleration available to all in pfSense version 2.2), but we do polish things we sell.

When we decided to sell the C2758 (5018A-FTN4), we made sure all the Ethernets worked (this was released in 2.1.1) and did some tuning such that the platform worked well using pfSense 2.1.x. We don't release the tuning info, and, incredibly, a couple people a month write in demanding it.

Anyway, the point is, the community is still free to run pfSense software on a given platform, but, as was always true, YMMV with platforms we don't support.

Someone asked in the blog if we would be enabling the crypto part on the Watchguard he had purchased on eBay. The answer is no. Not only because the hardware is slower than a software-only solution on a modern cpu, but also because SafeNet (the company that made that part) no longer supports them, nor is the technical documentation available.

And then there is the main reason: We don't have infinite time and other resources.

Also, while the end user can change things to enable or even optimize a given platform choice, load additional packages, etc., nobody can distribute the result and call it pfSense. Simple trademark law demands same.

Anyway, the point is, things we don't sell aren't on developers' desks, and are not in the test rack, and thus, not exercised by the test harness.

Jim
Re: [pfSense] pfsense h/w
One nit: yes, I can sell something called pfSense, as that's the freely-downloadable software under a (IIRC) BSD license. I can't sell something called NetGate. I can't produce a derivative work and call it pfSense. (This is a gray area, admittedly.) But, at least here, I'm quite sure I can install pfSense on some random hardware and still call it pfSense.

Having said that, if there's a high-throughput hardware option that's fully supported and tested and optimized, I don't know why I would *sell* anything else. I'll continue to install pfSense in VMs and on existing repurposed hardware, but that's an entirely different market segment anyway, and all I'm selling is my time.

-Adam
Re: [pfSense] pfsense h/w
Adam,

(Three people rushed to my office, saying, “Here we go again!”)

There is a metaphor I like to use to explain the situation, it is roughly this:

Can you buy a bottle of Coca-Cola, and then sell or give it to someone else? Yes you can. Without getting too deep into the legalities, you have certain rights in the first sale.

Can you buy a bottle of Coca-Cola, open it, change the contents (anything here from adding salt, or distilled water, to adding battery acid), recap the bottle and offer someone the result as “a bottle of Coke”? No you can not, and nearly everyone understands “Why not”.

Similarity:

Can you distribute the pfSense software that you received from us, *as you received it from us*? Yes you can.

Can you put the pfSense software you received from us, and, without altering it, put it on the hardware platform of your choosing, and sell the result? Yes, but here trademark comes into play. You can sell the result as, e.g. “My firewall with pfSense software.” You can’t sell it as a “pfSense firewall”. The first (“with pfSense software”) states a fact. The second uses the mark without a license.

We ask that people using the mark in a fact adhere to several ‘rules’ in order to help us preserve the mark.

First, that the mark is only ever used with genuine pfSense software. Any change to the software means that the “genuine” requirement is violated.

Second, that “pfSense” should always be used as an adjective, never as a noun.
Example of allowed use as adjective: “… with pfSense software”
Examples of disallowed use as noun: “… with pfSense”, “powered by pfSense”.

Third, we ask that in any country where the pfSense mark is registered, that the “circle R” mark be appended to the first use in any view (web page, marketing collateral, etc.)
“my firewall with pfSense® software”

A *current* list of countries where the mark is registered follows: United States of America, its territories and possessions, Australia, Brazil, Canada, China, (every country in the) European Community, India, Israel, Japan, Mexico, New Zealand, Norway, Philippines, Singapore, South Korea, Switzerland, Turkey, Ukraine, and Vietnam

Others are pending, but not yet issued.

Fourth, we ask that attribution occur at the bottom of the ‘page’ in any use of the registered mark. Our suggested language is: “pfSense® is a registered trademark of Electrical Sheep Fencing LLC.”

My purpose in all of the above is to engage the community in helping preserve the trademarks.

(The registration in IC9 protects the use of the mark on hardware, software and similar. The registration in IC42 protects the use of the mark when used with services including support. Looking at the above, “pfSense support” isn’t allowed (other than for ESF and its licensees), but “support for pfSense® software” is.)

To address your point, “But, at least here, I'm quite sure I can install pfSense on some random hardware and still call it pfSense.”

True, but you can’t call the solution “pfSense”, see above.

I’m with you in the opinion that fully-supported high-throughput (or even “high-value”) solutions are best for the market.

Jim
Re: [pfSense] pfsense h/w
On Oct 23, 2014, at 9:06 AM, Jim Thompson j...@netgate.com wrote:

> We don't release the tuning info, and, incredibly, a couple people a month write in demanding it.

Does this mean there’s a special, hardware-specific version of pfSense (or a package or ?) or is the tuning in the hardware itself?
Re: [pfSense] pfsense h/w
On 14-10-23 03:06 PM, Chris L wrote:

>> We don't release the tuning info, and, incredibly, a couple people a month write in demanding it.
>
> Does this mean there’s a special, hardware-specific version of pfSense (or a package or ?) or is the tuning in the hardware itself?

AFAIK it's the same software (plus or minus some logo and CSS changes? not 100% sure...), but with different sysctl values precisely (in theory) matched to the hardware it's running on. I would imagine they also ensure all the BIOS settings are set appropriately, IRQs are distributed appropriately, etc.

If you spent a few weeks testing the crap out of your own system, you'd be able to figure out the precise values that maximized throughput for your hardware, too. Note that the precise values that work for any particular piece of hardware are unlikely to be precisely ideal for any other particular piece of hardware... so even copying exactly what Netgate provides on *their* system onto yours doesn't guarantee optimal performance.

Besides, given what Jim just said, do you really think he's going to answer your question? ;-)

The value-add is technically in the labour, but the secret sauce is knowing precisely where to direct that labour to maximize the value to his paying customers. The rest of us get enough value from the software as it is.

--
-Adam Thompson
athom...@athompso.net
[pfSense] Bro package for pfSense
Has there been any discussion or work on creating a Bro package for pfSense? I did a bit of searching and came up with one forum post from 2010 discussing it, but can’t find anything since then.

Bro seems to run well on FreeBSD and is able to be installed via pkg. I have never attempted to make a pfSense package, but am tempted to look into it. Just wondering if anyone has tried and run into issues with it.

Jeff
Re: [pfSense] pfsense h/w
On Oct 23, 2014, at 1:13 PM, Adam Thompson athom...@athompso.net wrote:

> On 14-10-23 03:06 PM, Chris L wrote:
>>> We don't release the tuning info, and, incredibly, a couple people a month write in demanding it.
>>
>> Does this mean there’s a special, hardware-specific version of pfSense (or a package or ?) or is the tuning in the hardware itself?
>
> AFAIK it's the same software (plus or minus some logo and CSS changes? not 100% sure...), but with different sysctl values precisely (in theory) matched to the hardware it's running on. I would imagine they also ensure all the BIOS settings are set appropriately, IRQs are distributed appropriately, etc.
>
> If you spent a few weeks testing the crap out of your own system, you'd be able to figure out the precise values that maximized throughput for your hardware, too. Note that the precise values that work for any particular piece of hardware are unlikely to be precisely ideal for any other particular piece of hardware... so even copying exactly what Netgate provides on *their* system onto yours doesn't guarantee optimal performance.
>
> Besides, given what Jim just said, do you really think he's going to answer your question? ;-)
>
> The value-add is technically in the labour, but the secret sauce is knowing precisely where to direct that labour to maximize the value to his paying customers. The rest of us get enough value from the software as it is.

I’m not asking what the changes are - I’m asking if these boxes require a special version of pfSense for maximum performance. I am considering some C2758s and I’m curious. I have another APU4 on its way to me as we speak.

If it’s just sysctl values then it’s not possible to keep it secret.

sysctl -a, sysctl -a, diff

If it’s a custom kernel, etc, then I have to take waiting for netgate to issue patches into consideration. Now and in the future.
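The "sysctl -a, sysctl -a, diff" comparison mentioned above, as an added example (not from the thread and not pfSense or Netgate code): a plain `diff` of two dumps is noisy because counters change on their own, so this compares by sysctl name and goes one step further by accepting an optional second dump of the baseline box to filter out values that drift by themselves. The function names, output labels and sample values are assumptions; the dumps are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the thread. Input files are saved `sysctl -a`
# output in FreeBSD's "name: value" form.

# sysctl_diff BASE OTHER [BASE_LATER]
# Prints tab-separated lines: changed / only-base / only-other, name, value(s).
# With BASE_LATER (the baseline box dumped again a little later), any name
# whose value moved between BASE and BASE_LATER is treated as volatile
# (counters, PIDs, timestamps) and left out of the report.
sysctl_diff() {
    awk '
    function store() {
        if (key != "") { val[fileno, key] = cur; seen[key] = 1 }
        key = ""
    }
    function flat(s) { gsub(/\n/, " | ", s); return s }
    FNR == 1 { store(); fileno++ }                 # next input file starts
    # A new entry starts with a dotted name; anything else (for example
    # kernel message text containing "em0: ...") continues the previous value.
    match($0, /^[A-Za-z0-9_%-]+(\.[A-Za-z0-9_%-]+)+: ?/) {
        store()
        key = substr($0, 1, RLENGTH); sub(/: ?$/, "", key)
        cur = substr($0, RLENGTH + 1)
        next
    }
    key != "" { cur = cur "\n" $0 }
    END {
        store()
        for (k in seen) {
            in_base  = ((1, k) in val)             # test presence before any
            in_other = ((2, k) in val)             # lookup creates the entry
            if (fileno >= 3 && val[1, k] != val[3, k]) continue
            if (!in_base)        printf "only-other\t%s\t%s\n", k, flat(val[2, k])
            else if (!in_other)  printf "only-base\t%s\t%s\n", k, flat(val[1, k])
            else if (val[1, k] != val[2, k])
                printf "changed\t%s\t%s -> %s\n", k, flat(val[1, k]), flat(val[2, k])
        }
    }' "$@" | LC_ALL=C sort
}

# Write three constructed dumps into directory $1 (values are made up).
make_samples() {
    cat > "$1/base.txt" <<'EOF'
kern.ipc.nmbclusters: 25600
kern.lastpid: 4711
kern.msgbuf: constructed boot line
em0: link state changed to UP
net.inet.ip.forwarding: 1
net.inet.tcp.recvspace: 65536
net.inet.tcp.sendspace: 32768
EOF
    sed 's/^kern\.lastpid: .*/kern.lastpid: 4720/' "$1/base.txt" > "$1/base_later.txt"
    cat > "$1/other.txt" <<'EOF'
kern.ipc.nmbclusters: 262144
kern.lastpid: 901
kern.msgbuf: constructed boot line
em0: link state changed to UP
net.inet.ip.forwarding: 1
net.inet.tcp.sendspace: 65536
net.inet.tcp.tso: 0
EOF
}

# Demo: three-dump comparison on the constructed samples.
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    sysctl_diff "$d/base.txt" "$d/other.txt" "$d/base_later.txt"
    rm -rf "$d"
}

# Command-line use: script BASE OTHER [BASE_LATER]
if [ "$#" -ge 2 ]; then sysctl_diff "$@"; fi
```

The same comparison works as a drift check on a single firewall: keep a dump taken after commissioning and compare later dumps against it.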
Re: [pfSense] pfsense h/w
On 14-10-23 04:29 PM, Chris L wrote:

> I’m not asking what the changes are - I’m asking if these boxes require a special version of pfSense for maximum performance.

I can't answer that with 100% certainty, but I believe the packaging is tweaked slightly. Whether you call that a special version or not is up to you... AFAIK the kernel is the same, and the pfSense layered code is the same. Netgate may add *more* stuff on top of that, I'm not sure - I don't even own one right now.

> If it’s just sysctl values then it’s not possible to keep it secret.
>
> sysctl -a, sysctl -a, diff

Granted... my point stands, it's not the secrecy, it's the time taken to match the values to the hardware. No two systems (models) are identical.

> If it’s a custom kernel, etc, then I have to take waiting for netgate to issue patches into consideration. Now and in the future.

Perhaps you've forgotten that Netgate/ESF is the pfSense project *sponsor* and that all/most (?) of the core developers work for Netgate/ESF? I don't think you'll be waiting very long. I wouldn't be at all surprised if the Netgate build gets updated first, in fact. And I do *not* mean that they deliberately wait before releasing patches for the generic pfSense build, I just mean that I would expect the Netgate update to be available +/- 15 minutes compared to the generic pfSense update.

I get that Jim rubs a lot of people the wrong way (myself included), but I don't understand the vitriol and/or suspicion directed at Netgate, which, after all, is who's paying to keep pfSense free.

Jim: maybe the Netgate/ESF branding needs to get splashed all over pfSense, to drive home the point? It may be unclear to newbies what the relationship between Netgate, ESF, and pfSense is. Even I'm a little bit vague on the finer points.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] pfsense h/w
On Oct 23, 2014, at 4:42 PM, Adam Thompson athom...@athompso.net wrote:

> On 14-10-23 04:29 PM, Chris L wrote:
>> I’m not asking what the changes are - I’m asking if these boxes require a special version of pfSense for maximum performance.
>
> I can't answer that with 100% certainty, but I believe the packaging is tweaked slightly. Whether you call that a special version or not is up to you... AFAIK the kernel is the same, and the pfSense layered code is the same. Netgate may add *more* stuff on top of that, I'm not sure - I don't even own one right now.

The kernel is the same. All the patches are in the tree, and all the code except for what is described next is also in the tree.

We currently add the ‘tuning’ (or on other platforms such as the APU, the bits necessary to be able to successfully load and reboot the system), and, as of version 2.1.5, the Amazon VPC wizard is in the “Netgate” build, which is loaded on everything sold via both store.pfsense.com and store.netgate.com. We can do this because we’re the trademark holder (technically we’re licensed by the holder, but the point is minutia.)

That’s it.

>> If it’s just sysctl values then it’s not possible to keep it secret.
>>
>> sysctl -a, sysctl -a, diff
>
> Granted... my point stands, it's not the secrecy, it's the time taken to match the values to the hardware. No two systems (models) are identical.

It’s sysctl values. It’s not “secret” if you dig it out, and no steps were taken to prevent same.

If you buy the tools and have the knowledge, you ‘tune’ the ECU in a car or truck for more power and/or better mileage, too. Some enterprising individuals sell pre-tuned computers, or a new ‘chip’ with the changes made to the various lookup tables (MAP vs. RPM, TPS, etc.) though the factory tends to look askance at these in the same way that we look askance at individuals who come to us with “I bought my own Supermicro, and didn’t pay your markup, give me your bits.”

>> If it’s a custom kernel, etc, then I have to take waiting for netgate to issue patches into consideration. Now and in the future.
>
> Perhaps you've forgotten that Netgate/ESF is the pfSense project *sponsor* and that all/most (?) of the core developers work for Netgate/ESF?

There are package developers outside Netgate/ESF, but everyone at the core works for Netgate (technically Rubicon Communications) or ESF. We’re likely to consolidate this in the coming weeks, too. In many ways you can think of Netgate as the “home of pfSense”.

> I don't think you'll be waiting very long. I wouldn't be at all surprised if the Netgate build gets updated first, in fact.

Point in fact, the “Netgate build” typically occurs after the (for lack of a better term) “community build” occurs.

> And I do *not* mean that they deliberately wait before releasing patches for the generic pfSense build, I just mean that I would expect the Netgate update to be available +/- 15 minutes compared to the generic pfSense update.

We try to release in parallel. There is a testing phase of both that proceeds in parallel, *after* the build is done.

> I get that Jim rubs a lot of people the wrong way (myself included),

Darn, you’d think that sharing a last name would count for something...

> but I don't understand the vitriol and/or suspicion directed at Netgate, which, after all, is who's paying to keep pfSense free.

I think some people are waiting for “the other shoe to drop”. For us to take the pfSense project in a direction similar to what happened with Vyatta.

This is not happening, but everyone seems to love chatting up conspiracy theories. Fluoride in the water and chemtrails overhead are evidence of government mind-control experiments, Paul McCartney died in 1966, 9/11 was a “false flag” operation, pfSense is going closed source, and Jim Thompson is actually a blood thirsty, extra-terrestrial, shapeshifting reptile.

(Paging Alex Jones to the white, courtesy router. Alex Jones to the white courtesy router, please.)

I also think that some people are upset that the trademark is enforced, and they can no longer build their own version of “pfSense” (software), or sell hardware branded with “pfSense”.

Finally, I think there is still a segment of the community who views me with distrust because I put a license agreement and contributor agreement in front of access to the source code for the pfSense project. We didn’t articulate the reasons for doing this very well, and the execution when we did it wasn’t … optimal.

But the source code is still open. All the contributor agreement does is cover the ‘rules’ in play if you send us a contribution to the source code (a “patch” or “pull request”), and all the license agreement really does is put the rules in-play that cover a fork. (attribution, can’t call it “pfSense”, can’t relicense, etc.)

Nobody lost anything, but I will always and forevermore be the ahole for taking the steps. I’ve learned to live
Re: [pfSense] pfsense h/w
[Hmm... half of this doesn't need to be on-list. Sorry if I'm polluting. -Adam] On 14-10-23 05:57 PM, Jim Thompson wrote: I get that Jim rubs a lot of people the wrong way (myself included), Darn, you’d think that sharing a last name would count for something... Sorry, no. ;-) Kind of in the same way Theo de Raadt rubs people the wrong way. Mostly just idiots newbies take offense. And it's mostly driven, I think, by having your lifetime supply of tolerance for people who speak first and think second be long-since exhausted. So as long as you don't start saying incorrect or technically-invalid things, your audience sticks around. See closing comments, below. I think some people are waiting for “the other shoe to drop”. For us to take the pfSense project in a direction similar to what happened with Vyatta. Yeah... it's a possibility. OTOH, I'll point out that UBNT essentially forked Vyatta (and renamed it EdgeOS, IIRC) when Brocade started to close it all up. Not that UBNT is a paragon of openness, either, but that's the benefit of the appropriate license - everyone can feel free to copy (or fork!) pfSense from any of the multitude of places it lives online right now, and feel free to burn it to archival WORM media Just In Case Something Bad Happens To The Project. As Jim pointed out, however, when you resurrect it (and somehow replace all the infrastructure and developers in one fell swoop, *ahem*), you can't call your new project pfSense. You can have an FAQ entry explaining how it used to be pfSense, you can even leave the GIT, or SVN, or even SCCS repository up as-is with the pfSense name throughout it, but as soon as you create a derivative work: new project. ... pfSense is going closed source, Technically, this could happen, but realistically, someone will probably fork it. And that project will likely die out or remove itself from public participation, as these things tend to do. 
For that matter, remember that pfSense is (sort of) a fork of m0n0wall from a decade ago in the first place. For different reasons, but nonetheless.

and Jim Thompson is actually a bloodthirsty, extra-terrestrial, shapeshifting reptile.

Well, that explains a few things! grin

Finally, I think there is still a segment of the community who views me with distrust because I put a license agreement and contributor agreement in front of access to the source code for the pfSense project. We didn’t articulate the reasons for doing this very well, and the execution when we did it wasn’t … optimal.

I wasn't affected by that, and - AFAIK - neither were most of the people who whine and cadge about a commercial entity being involved. I don't recall what the license used to be, but clearly the current one is a custom license that doesn't even attempt to follow the UCB/BSD license. As long as ESF covered all their legal bases properly, they can do whatever the f*** they want with the license. I can see how old contributors might not like the new CLA, though. And I don't know of any project that has ever pivoted on a license change this way ... optimally.

Ugh… were you around for the 2.1.5 release with the “Gold” menu front-and-center (and the resultant shitstorm)?

Long before that, yes, but I think I managed to skip the affected versions by accident, so I forgot all about it / never saw it myself. Since I've already renewed my gold subscription once by now, clearly I wasn't one of the shit-flingers in the shitstorm. I like getting paid for my work, too!

(Or wonder in silence what it must be like to work in the same place as Jim Thompson.)

Can't be any worse than my last corporate job. In fact, would probably be *much* better... I don't have to like you to respect you or work with/for you.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] pfsense h/w
On Oct 23, 2014, at 7:48 PM, Adam Thompson athom...@athompso.net wrote:

[Hmm... half of this doesn't need to be on-list. Sorry if I'm polluting. -Adam]

On 14-10-23 05:57 PM, Jim Thompson wrote:

I get that Jim rubs a lot of people the wrong way (myself included),

Darn, you’d think that sharing a last name would count for something...

Sorry, no. ;-) Kind of in the same way Theo de Raadt rubs people the wrong way.

Wow. You just compared me to Theo. I’m done. Anyone want to buy a firewall company? It’s either that, or I invoke Godwin’s law. (Or its corollary, “Thompson’s Law”: That the thread is over once someone compares one of the participants to Mr. de Raadt.) (It’s left to you to decide who gets the eponymous glory.)

Mostly just idiots newbies take offense. And it's mostly driven, I think, by having your lifetime supply of tolerance for people who speak first and think second be long-since exhausted. So as long as you don't start saying incorrect or technically-invalid things, your audience sticks around. See closing comments, below.

I think some people are waiting for “the other shoe to drop”. For us to take the pfSense project in a direction similar to what happened with Vyatta.

Yeah... it's a possibility. OTOH, I'll point out that UBNT essentially forked Vyatta (and renamed it EdgeOS, IIRC) when Brocade started to close it all up. Not that UBNT is a paragon of openness, either,

“either”? Wow. Strike 2. You probably don’t want to know that Jamie and I nearly bought Ubiquiti from Mr. Pera, or that we let the company live when he owed us a pile of cash. I’m not going into details, but Ubiquiti did violate Vyatta’s license, got called on it, and had to reverse direction for a bit.

but that's the benefit of the appropriate license - everyone can feel free to copy (or fork!) pfSense from any of the multitude of places it lives online right now, and feel free to burn it to archival WORM media Just In Case Something Bad Happens To The Project.
As Jim pointed out, however, when you resurrect it (and somehow replace all the infrastructure and developers in one fell swoop, *ahem*), you can't call your new project pfSense. You can have an FAQ entry explaining how it used to be pfSense, you can even leave the GIT, or SVN, or even SCCS repository up as-is with the pfSense name throughout it, but as soon as you create a derivative work: new project.

... pfSense is going closed source,

Technically, this could happen, but realistically, someone will probably fork it. And that project will likely die out or remove itself from public participation, as these things tend to do. For that matter, remember that pfSense is (sort of) a fork of m0n0wall from a decade ago in the first place. For different reasons, but nonetheless.

As if I didn’t know, had forgotten, or wish people would forget. Just in case you have forgotten, Netgate originally shipped m0n0wall on WRAP boards, then cut-over to pfSense quite early after the fork.

and Jim Thompson is actually a bloodthirsty, extra-terrestrial, shapeshifting reptile.

Well, that explains a few things! grin

It explains everything, actually.

Finally, I think there is still a segment of the community who views me with distrust because I put a license agreement and contributor agreement in front of access to the source code for the pfSense project. We didn’t articulate the reasons for doing this very well, and the execution when we did it wasn’t … optimal.

I wasn't affected by that, and - AFAIK - neither were most of the people who whine and cadge about a commercial entity being involved. I don't recall what the license used to be, but clearly the current one is a custom license that doesn't even attempt to follow the UCB/BSD license. As long as ESF covered all their legal bases properly, they can do whatever the f*** they want with the license. I can see how old contributors might not like the new CLA, though.
And I don't know of any project that has ever pivoted on a license change this way ... optimally.

There is an agreement that allows access to the pfsense-tools repo. As pre-requisite to that agreement, a contributor agreement must be in-place. Once you have the code, you’ll find the license in the individual files to be the same as it always was (mostly BSD 3 clause, but there are a smattering of other files.) Doesn’t matter, you already agreed to the other license, that’s the hack. The license is non-transferable, but if you build and release a version otherwise in compliance with the license, you must license your version under substantially similar terms.

Ugh… were you around for the 2.1.5 release with the “Gold” menu front-and-center (and the resultant shitstorm)?

Long before that, yes, but I think I managed to skip the affected versions by accident, so I forgot all about it / never saw it myself. Since I've