Is PfSense Legit?

Warning, Noob question:
I was wondering - if PfSense is designed for people who wouldn’t trust proprietary software, and who are generally people who (may) have more to hide, how does one know that it’s not some sort of big brother project?

Can you understand the source code? If not I guess you just have to take people’s word for it.

4 Likes

https://github.com/pfsense/

This is the Source Code. PfSense is Open Source so you are free to go through the code - clone it and edit for yourself.

I think that makes it as secure as possible in regards to “big brother”.

1 Like

Well, the code is on github. So anyone can download it and look at it.

That doesn’t mean that there can’t be spyware, it does make it unlikely though.
That is the whole point of using open software for networking stuff. (From the users perspective at least.)

If you are more into Linux than BSD, then maybe this is something for you:

https://www.ipfire.org/

1 Like

I really like IPFire, only problem is it doesn’t support Multi-WAN load balancing - only fail-over. This has made it impossible to use in most of my use cases.

1 Like

Yes they are legit. pfSense is a BSD distro tailored for use a network firewall, dhcp server, etc.

2 Likes

If you install mwan3 on OpenWRT (which you can just download prebuilt for x86_64 as well), mwan3 can provide you with a UI that’ll do the right thing with routing tables and firewall config behind the scenes to give you policy based routing and load balancing.

There’s an entire community of eyeballs looking at the source code, I’m sure someone would have noticed something by now, but can you ever be absolutely 100% sure on anything.

Keep in mind that most hardware (routers and computers, networking chipsets etc) are complex enough and contain enough closed source hardware and firmware to make being absolutely sure a near impossibility even if you are very confident your OS is good.

Broadcom, Cisco, some Arm, Intel and AMD based systems all have included closed management systems that most have been shown to have vulnerabilities to one degree or another.

In order to be sure, you better focus on completely open source hardware solutions as well like Novena project.

Then there’s ISP’s and VPN’s that could be spying on you too…

This rabbit hole goes deep

There was a whole community looking at openSSL too and look at what happened there. Open-source is infinitely better than closed, but it’s no guarantee.

1 Like

well, unless you trust the hundreds of devs auditing and updating it, then you have to learn a bunch of low level sysadmin and programming and figure it out for yourself.

Thing is, vulnerabilities have a tendency to show themselves as people exploit them, and if there are any glaring telemetry or backdoor installations in the base system then the fact they’re still unknown is incredibly impressive

Yes. If there are backdoors, they aren’t ineptly constructed. I’ll drink to that.

to be fair, libressl forked off before all those CVEs and there had been dissenting voices for some time trying to warn people and get fixes pulled. It heavily depends on the individual project’s committers and culture. I would be way less suprised to see vulns in systemd, for example, because of how they handle outside suggestions and fixes, than say, Freebsd

3 Likes

OPNsense is worth a look (it’s a fork of pfSense). You can use LibreSSL and the GUI is much better, imho. It is not quite as feature-rich though, so not appropriate in all cases.

Or you could use a vanilla server distribution and leverage what you already know about unix and not worry about having to figure out locations of specific gui settings.

3 Likes

Pure OpenBSD is always an option.

1 Like

If you’re worried about pfsense (which is open source), i’d suggest that you need to be more concerned about the intel management engine, the amd psp, your motherboard BIOS, your WIFI/NIC firmware (Why are wifi drivers hundreds of meg, hmmm? bigger than windows 98 in its entirety), etc.

There are so many other places for the TLAs to insert malware that would be much easier to keep hidden from you.

1 Like

Sigh.

A driver ain’t a driver until it has a gamery animated splash screen on every boot and system tray icon to enable disable that sends commands to a webserver running php as administrator. :frowning:

2 Likes

Yup. Times we live in. But also in firmware blobs that size there’s plenty of room to slip in a few choice features or “mis-features” available for exploit by the relevant TLAs.

Apparently some of these firmware blobs contain a Linux kernel and userspace utils that run on the device itself.

https://youtu.be/6o_mVPwHYnk (from 33c3)

1 Like


They have a bunch of easy to follow videos on how to set it up so you can tell quickly if you get it or not.

2 Likes