[talk] m0n0wall project ending

Charles Sprickman spork at bway.net
Sun Feb 15 14:54:29 EST 2015


On Feb 15, 2015, at 2:44 PM, Okan Demirmen <okan at demirmen.com> wrote:

> On Sun, Feb 15, 2015 at 2:26 PM, Charles Sprickman <spork at bway.net> wrote:
>> On Feb 15, 2015, at 2:19 PM, Brian Callahan <bcallah at devio.us> wrote:
>> 
>>> 
>>> On 02/15/15 14:16, Charles Sprickman wrote:
>>>> On Feb 15, 2015, at 11:13 AM, George Rosamond <george at ceetonetechnology.com> wrote:
>>>> 
>>>>> Mark S. noted this:
>>>>> 
>>>>> http://m0n0.ch/wall/end_announcement.php
>>>>> 
>>>>> The end of m0n0wall…
>>>> The most interesting thing I found there was this:
>>>> 
>>>> https://opnsense.org
>>>> 
>>>> Never heard of it until today. It is a pfsense fork…
>>>> 
>>>> I’ve had good luck with Dutch software so far (hi, PowerDNS, OpenVPN-NL), this should be interesting to watch.
>>>> 
>>> 
>>> BSD Now has had some coverage of OPNsense recently. I think they
>>> interviewed one of the project members. Worth checking out if you have
>>> some time.
>> 
>> I also should have included this:
>> 
>> https://wiki.opnsense.org/index.php/OPNsense:So_why_did_we_fork%3F
>> 
>> Seems like a bunch of valid points.  Ethically, I’d say if the company sponsoring this fork did contribute time and money to the pfsense project as they claim, then this is quite fair.
>> 
>> I do wonder why they would go to the trouble of rewriting the front end to not require php running as root yet continue to use php. :)
> 
> Well, one of the biggest criticisms is the fact that one is
> controlling a security device via a web interface, running an
> application directly as root; basically webmin on the security device.
> Web accessibility tends to be more important; odd for security device
> management, but meh, ymmv.
> 
> Sure, use something other than php; that doesn't address the issue.
> There's a reason why privilege separation has existed for umpteen
> years - it's time to start using such a thing, no??

Well, the scary part is that pretty much every home router that runs
Linux is running everything as root.  And meaningful security
updates for $40 hardware?  Yeah, not going to happen too often.
And it seems like some of the newer botnets are now leveraging home
routers rather than PCs.  Such a pool of exploitable hardware that's
rarely touched by its owners…

As for opnsense, to be clear, they are no longer running the web admin as root.

Also I was poking around, and the daemon that waits for commands from the web UI is python and not php.  Not sure how much better this is, but it’s likely not worse than pfsense:

https://github.com/opnsense/core/blob/master/src/opnsense/service/modules/processhandler.py

Charles