 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Monowall User List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] alternatives to m0n0
 Date:  Fri, 27 Feb 2015 01:58:03 -0600
Greetings folks,

A little late adding in here, but I wanted to have a private exchange
with Manuel first, and get our road map for pfSense up before
replying. I tried to keep this as short as possible, but it turned
into a novel and there isn't anything I can easily snip out without
omitting important parts of the story.

All of you who have been around here a while know me. For those who
haven’t, other than Manuel himself, none have dedicated as much of
their time to advancing m0n0wall as I have. I have by far the highest
all-time post count to the list here, I wrote the bulk of what’s on
doc.m0n0.ch.  We host that site on the pfSense infrastructure to this
day and have since its inception in 2005. I had a source commit bit
and did some development, though not much in that area. While my
involvement is largely 8-12 years ago, most of m0n0wall is also
largely 8-12 years ago. Manuel and I had a good working relationship
at the time, and I thought a good relationship to this day. Private
conversation after the announcement indicated that this is still true.

I was pretty floored by the announcement recommending OPNsense. There
is one descendant project that has stood the test of time, while
continually increasing the level of development over that time: pfSense.
I feel like I got stabbed in the back by the project I put so much
time into recommending a shady offshoot that has yet to put out a
truly stable release, has existed for only a few weeks, is unlikely to
be sustained, and whose entire marketing campaign is FUD and lies
against the project from which they forked. I’m giving Manuel the
benefit of the doubt assuming he was fed the lies OPNsense is using as
marketing points, and that it was difficult to track down any
background (though he didn’t ask.)  Part of his private response to me
was “hating the politics”, and boy do I agree there. I’d much rather
be spending time doing productive things than having to defend myself
and my company against completely false accusations.

So why the recommendation of OPNsense? I didn’t get a clear answer,
but I suspect it’s money.  Deciso/Applianceshop.eu were advertising on
m0n0.ch, and I suspect they basically acquired m0n0wall by paying
Manuel (they’re going to be taking over the m0n0.ch domain, we offered
to keep it up as is indefinitely and were declined). This is fine, and
I hope they paid Manuel adequately for his efforts and the domain. But
if this is the case, it should have been stated as such: “m0n0wall has
been acquired by OPNsense”, or something along those lines, rather
than regurgitating their marketing FUD. One old timer I met here on
this list and in the #m0n0wall IRC channel back in 2003 got in touch
with me when the announcement came out and called it “complete
bullshit” that pfSense didn’t even get a mention, given my involvement
in m0n0wall.

Manuel said he’d put out a post at the end of this month that pfSense
and OPNsense are both viable alternatives. I hope we’ll see that, as I
think I’ve earned that much.

If you don’t care for the background and details, I’ll TLDR it as
this: OPNsense is extraordinarily shady, proceed with caution.

There’s a good deal of background here that’s necessary to understand
how we’ve gotten to this point.

In 2004, Scott Ullrich and I forked m0n0wall and started pfSense, to
focus on machines where resources weren’t so limited. At the time,
people wanted to keep m0n0wall fitting on an 8 MB CF card, when nearly
all systems had significantly more resources than that, and the limit
of expandability prevented a wide range of functionality that people
wanted to see. Where you have significantly different goals, forks are
a good thing.

Eventually, as with any successful open source project of this nature,
demand for commercial support and development services grew. We
started BSD Perimeter in 2006 as the company behind the project, and
started offering support and development services shortly after. It
eventually grew to the point where I could take the leap of leaving my
day job and doing this full time. A commitment from Netgate, one of
our recommended hardware vendors at the time, meant I at least had the
majority of my mortgage payment covered each month.  I just
crossed my fingers and hoped for the best on the remainder. Making a
living off open source isn’t easy. Things have been pretty tight
financially since for me personally, as we’ve always been investing
back into open source development.

In 2012, Scott had moved on to other interests and I couldn’t find a
way to move things forward to the level we’re at today, much less the
level we expect to be at in the near future. I explored a variety of
options for moving forward. Ultimately, I went with Jim and Jamie
Thompson of Netgate, who acquired Scott’s share of BSD Perimeter. They
had always done right by us, they were always good to work with, and
our discussions leading up to that showed we had the same vision for
moving things forward. I moved to Austin, Texas in the process. We
shut down that Kentucky company and transferred assets over to the
Texas company Electric Sheep Fencing. In 2012, Netgate had 3 full time
people, BSDP had 3 full time people plus a variety of contractors that
added up to somewhere around 2 full time equivalent depending on the
month. Today we hired employee number 23 between the two companies
combined. We’ve been able to grow revenue considerably via gold
subscriptions, support, and sales of hardware and merchandise on
store.pfsense.org. And that’s allowed us to significantly grow our
investment in developing open source code, both in pfSense itself, and
its underlying components.

One of the things Jim undertook post-acquisition is cleaning up
various legal matters, which out of my own ignorance in that area
weren’t necessarily handled properly. Proper handling of trademarks is
one such area. Having a Contributor License Agreement (CLA) is
another, as this ensures the proper open source legal standing of the
project as a whole. Every project needs a CLA to ensure its open
source legal standing. Pretty much every major project has one. Ours
is comparable to any of them, and less stringent than many, in that
the contributors retain their copyright where some such as the Free
Software Foundation require copyright assignment.

When you’re cleaning up a legal mess, you’re not going to make many
friends, and that’s the situation Jim ended up in. We approached the
trademark fixes with our partner vendors as best we could, with Jim
first getting in touch personally and listing the problems with their
usage of the mark, and how they can address those problems. Those who
didn’t address the problems on their site within several weeks got a
letter from our law firm.

Deciso, the company behind OPNsense, was one of our partner hardware
vendors at the time. They’re the *only one* that refused to make the
changes on their website. This was nothing more than appropriately
using the mark on their site, we weren’t trying to get them to stop
selling pfSense at all, weren’t trying to extort more money out of
them, nothing more than wording changes. We tried to work with them
for months to get these changes made, and after their refusal to do so
for several months, we removed them from our recommended hardware
vendors list until they fixed the issues with the usage of our
trademarks. Their response to that was to threaten to challenge our EU
trademark registration (pending at the time, now issued), as if they
had some right to our brand. We *still* tried to work things out with
them even after being threatened, as all along we wanted to continue
to build a mutually-beneficial relationship. They refused.

The other part of OPNsense is Franco, who works for VC-funded company
Packetwerk whose product was originally based on pfSense, and is
probably moving to OPNsense. Franco submitted some huge pull requests
to pfSense at a time we were trying to get a release out and didn’t
immediately have the time to review and merge. A number of pull
requests piled up for a bit. When we later got around to catching up
on that backlog, we required a signed CLA to accept patches. Franco
refused to accept the CLA, though it’s ultimately equal to or less
restrictive than the CLAs those who contribute to Apache Software
Foundation projects, Ubuntu, anything under the Free Software
Foundation, the list could go on and on and on.

Part of the trademark clean-up at hand was addressing the risk of
“naked licensing”, which is how Google almost lost the trademark on
Chromium. That entailed removing the pfsense-tools repo from Github,
and making it a requirement to execute a license agreement to obtain
access. The code is still under an open source license, and
immediately available to anyone who completes the license agreement.
Specifics are here:

But in a nutshell, you just have to agree you won’t build a product
called “pfSense” (which is nothing more than agreeing you won’t
violate trademark law), and if you use the code in something else, you
must attribute the source of the code (which is the BSD license).

That’s really it - agree you’ll abide by the BSD license and won’t
violate our trademarks, and you have access to the tools repo.

We tried to continue to work with Franco and Deciso. They both refused.

I don’t care in the least about forks. A number of others have forked
before, and more will do so in the future. It’s the nature of open
source. But when the marketing plan for your fork is to blatantly lie
about the project you forked and try to scare people into moving, I
have a serious problem.  The people behind OPNsense imply we’re not
“open” though *all* our code is available under an open source
license. They’ve put out “creative fiction” (lies) such as this:

We’ve literally not spent even a single second discussing going closed
source internally - it’s NEVER been up for discussion. I’ve most
certainly never talked to any mystery “hardware vendor” about going
closed source, and I’ve not spent a second of time discussing the same
plan with my business partners. Who favorited that tweet? @opnsense.
Obviously Deciso is the hardware vendor making that up out of thin

Then there’s this thread, where if I get the gist of it from Google
Translate, they’re claiming our road map doesn’t help them because
they can’t use the code, trying to perpetuate the lie that our license
isn’t open source.

So they can fork our code and include that, which is under the exact
same license as these future developments will be. But now our future
code, under the *exact same license* as what they forked, can’t be?
Obviously, he’s lying.

Then Franco’s making claims that our code can’t be contributed into
FreeBSD, including trying to poison FreeBSD developers against us.
Bullshit. OPNsense has never done anything for FreeBSD that I’ve seen.
We’ve contributed financially and in code for many years, and are
contributing more every year than in any previous year. Here is a
quote from Jim to the FreeBSD devs who Franco was attempting to turn
against us:


“We don’t force *anyone* to buy Gold, and we direct anyone who wants
to “donate” to pfSense to, instead, donate to the FreeBSD Foundation.

We support several BSD-focused conferences.

We sponsored MeetBSD (and have for many years).  Last year with cash
and a give-away


We sponsored a Cyber Defense Competition Team last year.  They won
their nationals.



In addition to sponsoring BSDCan, for many years now:

https://www.bsdcan.org/2015/sponsors.php (Netgate)

https://www.bsdcan.org/2014/sponsors.php (Netgate)

https://www.bsdcan.org/2013/sponsors.php (Netgate)

https://www.bsdcan.org/2012/sponsors.php (BSD Perimeter)

We made two custom-etched APUs for the Foundation to give-away at
BSDcan last year.  Note that neither of these had any pfSense or
Netgate markings on them. Pictures here:


We are the largest advertiser in FreeBSD Journal (and have been from
the start).  I actually called for doubling the ad rates and giving
the magazine away at MeetBSD.

We’ve donated to the FreeBSD Foundation every year for many years now.

And Renato already pointed out the co-development we did with the Foundation.

We have a ports committer and a src committer on-staff.  Renato and I,
and another person here (Matt Smith) are on the start of the path
toward getting a src commit bit (George is our mentor).

Intel is supporting our efforts to bring QuickAssist Crypto to FreeBSD
(yes, in the FreeBSD tree).  Something Linux got last Summer.

So we advertise in FreeBSD Journal, sponsor conferences, sponsor the
Foundation, sponsor technical work, do technical work ourselves and
offer it back, ask people to donate to the Foundation instead of us,
and employ committers.”


end quote from Jim. I don’t think any of the people involved in
OPNsense can even name the first thing they’ve ever done for FreeBSD,
but for sure any list they could assemble would be far shorter. Yet
Franco is out telling FreeBSD developers that we’re hostile to
FreeBSD. That’s since been cleared up with those developers, and we’ve
gotten apologies from those who originally believed him and were
perpetuating his lies, but Franco doubtless continues his campaign of
hate and deception.

On Mon, Feb 16, 2015 at 11:01 AM, Thomas Sprinzing <thomas at sprinzing dot org> wrote:
> - pfsense forums: i was shocked by the attitude and the tone of some of the core wizards on
> the

Outside of threads where we're having to FUD bust and respond to
people who were spewing garbage, I disagree that there is an attitude
and tone problem. Some of our regulars can certainly be abrasive.
Doktornotor on the forum comes to mind. He’s helpful, but sometimes
that help comes with snark or abrasiveness. Frankly, no community of
any type on the Internet is free from such things. But largely, we
have a great, friendly, helpful community. If you come in attacking
us, the gloves might come off.

> - pfsense business vs. community:  truly versus. see before. Pfsense seems to be stuck in a rut
> there, the opnsense fork was already on the horizon
> last summer.

There is a huge gap between some people's impression there, and the
reality of the matter. That’s pretty well covered above. We’ve done
nothing that’s anti-community. Nothing is any different than it’s ever
been for the community, and in fact things are better than ever since
our growing business is leading more open source development.

> - Let me make an uneducated guess: the need for developer hangouts will be limited with
> this audience. Thus, pfsense gold support contracts will most probably not skyrocket now.

That’s fine, we don’t force anyone to buy anything. We encourage
people to support our work, but if you don’t have a need to buy
anything from us, the software is freely available for all - knock
yourself out.

> - those of you catering for businesses: Maybe it’s the best reason to talk to your customers.
> Talk about business continuity and such…. I’d say for the
> moment, you won’t do wrong going pfsense

This is the correct answer if you want something that’s proven to be
sustainable. Sustaining a project along these lines over the long term
is hard. You can’t trust a project in the honeymoon period of their
fork to be sustained for any length of time. Especially one that’s
undertaking the tactics OPNsense has thus far.

On Mon, Feb 16, 2015 at 11:20 AM, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> I used to play a bit with pfSense, and recommend it in some cases, but...
> Chris partnered with a new guy, and the new guy is the cause of all of the
> woes you have mentioned.

See above re: cleaning up legal issues not being a recipe for making friends.

> He is combative, and unprofessional,

Jim’s caught flak from the licensing changes, but that’s really not
true at all. Quoting him in an email to Manuel: “And yes, things went
too far in the debacle about the licensing, but I had a job to do.”

> and is constantly looking to maximize revenue at the expense of everything else.

This is a frequent accusation, but give me one thing that was done to
“maximize revenue at the expense of everything else”. There were
plenty of people with tin foil hats on who insisted this was some huge
shift and that things would change. We wasted inordinate amounts of
time fighting FUD after that. A year later, I thought that was all
past us. Among our community, it is. Those who were active
contributors at that point and had objections and/or concerns about
the changes have since come to recognize that *nothing has changed*.

> I had worked with Chris a few times over the years, so when his partner
> blasted me on LinkedIn, I tried to contact Chris privately to find out what
> was going on.  I heard nothing, so I suspect he is contractually enjoined
> from saying anything.

I contacted Lee off-list to find out what I dropped the ball on here.
I’m not under any sort of contractual obligation to not say anything.
Until more recently I got an absurd amount of email and things could
fall through the cracks. As we’ve grown the business side, we’ve been
able to offload a lot of what I was doing so that’s not an issue
anymore. It just so happened that Lee’s email came in a matter of
hours before a family emergency that kept me tied up for much of a
couple weeks, with everything that wasn’t an immediate customer need
getting pushed aside. His email ended up archived along with others I
gave up on catching up on.

> This means that I can not trust Chris (who I still
> consider a very good guy)

Thank you for the benefit of the doubt.

> to keep pfSense trustworthy.  So pfSense is off
> the table.

I hope you’ll reconsider that, from our discussion off-list, and the
above points.

On Mon, Feb 16, 2015 at 11:33 AM, Bao Ha <bao at hacom dot net> wrote:
> Jim roughed me up too early last year! I still like Chris and he was very
> helpful before Jim arrived.

Thanks, Bao. I don’t think Jim roughed you up too badly. :) You were
willing to make the changes Deciso wasn’t, and are still on our vendor

On Wed, Feb 18, 2015 at 11:06 AM,  <leesharp at hal dash pc dot org> wrote:
> Funny that you should bring this up...  When Heartbleed came out, pfSense
> needed a new build.  When Shellshocked came out, pfSense and nas4free both
> needed new builds.  m0n0wall did not.  Lean systems have less attack
> vectors.

m0n0wall only didn't need an update for Heartbleed because its openssl
was so outdated it predated the introduction of the Heartbleed bug. In
that case, being really outdated was a benefit. The openssl in
m0n0wall is vulnerable to a wide range of other, less significant
vulnerabilities though. pfSense does not include bash in the base
system and did *not* require an update for Shellshock. We did update a
couple add-on packages that included bash as a dependency, but the
vast majority of systems don’t use said packages. The PHP 4.x in
m0n0wall has a slew of vulnerabilities. Updating it to a current PHP
version is a massive undertaking because of the number of things that
have been deprecated from PHP 4.x to the 5.5x/5.6x currently-supported

I’ll jump into the discussion over at SmallWall when I get some time,
to add some advice on moving forward.

> While I dislike the idea
> that it has become harder to build pfSense yourself, I understand that
> there were reasons for that step. As I saw it, some of the guys behind the
> pfSense project perceived a legal threat against them and they had to
> take actions.

Correct, detailed above. It’s actually easier now to build than it was
before. Sure, you have to take 5 minutes to create an account and
accept the license agreement, but we’ve done so much clean up in the
build tools recently that make things significantly easier to deal
with, faster, and more reliable. The entire build tools is getting
rewritten for v3.0 to address the remaining issues.

Here is our upcoming road map.

We welcome everyone to join us at pfSense. Hopefully the drama stops
now, and we can get back to doing productive work.

I wish Manuel the best in his new endeavor, and hope to see some of
you who haven't moved over already around pfSense.