[BlueOnyx:24874] Re: FreeBSD 13 and pfSense drama (Off-Topic)

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Mon Mar 29 09:12:42 -05 2021


This hits a little bit close to home.   I have used and recommended 
pfSense for many years and overall it has been an extremely stable and 
relatively feature-rich option.

But to say that the move to 2.5 was botched would be kind.    We rolled 
out a new pfSense device on a non-profit's network we help to manage to 
turn up a new site and the system acted flat-out broken when trying to 
connect IPSEC VPN to the main system back at the HQ.    The 
recommendation, of course, was to update all the systems so we scheduled 
the outages necessary to load the new updates and reboot.   After the 
updates, the entire VPN network was down and would not re-connect.

I fiddled with it for some time before opening a paid support case with 
Netgate.    They had it fixed within literal minutes of opening the case 
(yay!) but the report on what they did to fix it was a bit vague, to say 
the least.   Although the case was resolved, we noted that no 
configuration change had been made within the GUI.    Odd.

Nobody here knew anything about what had been happening behind the 
scenes with the Wireguard mess, but something about the response we got 
on our case just didn't feel right.  Looking around online, what we 
experienced with the VPN doesn't seem to have been an isolated 
incident.   The lack of transparency from Netgate was disappointing.    
I find that I have much better tolerance for a problem when the vendor 
will own it and explain the way forward.   Hushed conversations and 
finger pointing tend to lead to distrust.   I hope that Netgate will do 
better in the future.

I'm directly responsible for the management of a couple dozen pfSense 
devices and we support dozens more.   It's been a great product.   I'd 
like to continue to be able to confidently rely upon and recommend pfSense.

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ

On 3/27/2021 11:42 PM, Michael Stauber wrote:
> Hi all,
>
> This is not BlueOnyx related at all, but if you want a giggle at the
> expense of others, say no more:
>
> https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/
>
> TL;DR: Netgate paid a convicted felon to port WireGuard into the FreeBSD
> kernel to make it easier for them to use pfSense on FreeBSD for their
> stuff. That guy eventually delivered and the code submission was merged
> into the code tree for the upcoming release of FreeBSD 13.
>
> Until the FreeBSD core maintainers found out what an unmitigated and
> exploitable disaster that code was. "Bad" just doesn't cut it. It was a
> hell of a lot worse.
>
> So in a two week bender they rewrote it from scratch on their own. Which
> gave Netgate the fits and put them into a rage-fit of accusations and
> easily refutable denials. The reason for that unwise move was: They
> already had merged the shitty pre-beta FreeBSD-code into pfSense 2.5.0
> (released a month before FreeBSD 13 was to come out) and FreeBSD's fixes
> now clearly showed what an exploitable buggy mess pfSense 2.5.0 actually
> had become.
>
> End result: FreeBSD and Netgate no longer seem to be "friends" and
> WireGuard has been stripped from the upcoming FreeBSD 13 release entirely.
>
> That went well. /facepalm
>
> I actually liked pfSense a little. Now I'm wondering what other
> "surprises" they have under the hood. :-/
>