Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where the GUI and console tools are reaching their limits. We will suggest a possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • Hi there,

    So industry best practices apply to unsupported home users? A fully licensed admin can bork their appliance and support will fix it, and industry best practices seem moot?

    Here are my use cases that I use the shell for all the time.

    1. Run top, just to check what's happening on my machine, including hung daemons etc., which can happen with any software.

    2. Run iftop to get a quick snapshot of what's happening on my network.

    3. Change different kernel parameters like swappiness and change my IO scheduler to noop, since I run under ESXi.

    4. Look at logs, since it's much easier to grep them in the shell.

    5. People have mentioned WAF, but luckily UTM is not EOL yet.

    There may be other reasons, but other than industry best practices, can you guys give a solid reason for restricting the home license only? Unless theft of software is a big issue and you guys can't fix it by using better methods. This one is a total head scratcher.

    Regards,

    Bill

  • I don't understand your confusion: Sophos needs to make money, and they give more support and more features to folks who pay them. Home users get free firewall software that is commercial-quality with few restrictions, which I'm not aware any other major vendor (Fortinet, Cisco, PAN, etc) provides.

    There is no "theft of software" issue: Home is free. There may be issues with non-home users using the free version -- which is quite capable and can run on fairly powerful hardware -- instead of paying. But "better methods" to prevent or discourage this would involve intrusive mechanisms. Would you want your home version to shut down or throttle throughput because it thinks it detects corporate use by you? This approach is a train wreck in the making that would generate a lot of issues and complaints. Better to remove some features that commercial users would need and home users don't need (though they may want/appreciate them).

    Also, free folks who bork their system are not actually free. They come here and poorly explain what's going on and take a lot of time and effort from volunteers and Sophos staff as well.

    Your points are valid desires -- which I share -- but they aren't really required-to-haves for a free home system. For a hobby, pfSense or OPNsense make a lot of sense -- particularly if you already have capable hardware sitting around, and you can customize them to your heart's content.

  • Please stay on topic. The title clearly asks about challenges faced by home users if the CLI is not available. So no, my points are not desires; that is what they were asking for.

    You can open a new thread and I will be more than happy to argue free community support and what is free and how Sophos needs to make money.

    Also, nobody is stopping Sophos from making changes to their free license and saying no CLI at all for home users, or no GUI for the home version, etc. That is all understandable. This CLI removal is not being presented as such and was nowhere in the release notes. After people started questioning, this thread was created, so please be kind and start your own thread.

  • Actually that is not correct.

    The first version of the document has this statement on it: https://community.sophos.com/sophos-xg-firewall/sfos-v19-early-access-program/b/announcements/posts/sophos-firewall-v19-xstream-sd-wan

    Linked: https://community.sophos.com/sophos-xg-firewall/sfos-v19-early-access-program/m/files/9519

    Advanced Shell – With the addition of many comprehensive logging enhancements in the GUI, and in-line with industry best-practices, access to the Advance Shell will be restricted to licensed commercial versions of the product only.

  • Just to talk about those points:

    top vs the present "GUI" system graphs: What are you missing? I am assuming the processes? "Hung daemons" is a theoretical case, but likely the software will restart the system if a process is in an invalid state. So just to be sure: did this ever occur to you in the past with SFOS?

    iftop vs GUI: What about the live connection window? It can also show you filters etc. What is the advantage of using iftop vs the present GUI option? Just so we collect more information.

    Your kernel parameters seem to be something that is actually missing now, but they could theoretically be controlled via VMware Tools, which are on the appliance itself. Sophos can take this feedback.

  • System graphs are a snapshot of the system. Let's say your memory is sitting at 100 percent; how do you know what is causing this? I am not arguing against what is provided in the GUI. I am stating what I use the CLI for.

    The Live Connections window is the same way. You really can't compare a GUI window that refreshes every few seconds to the instant snapshot of iftop.

    This is my genuine feedback. If you guys make a change to the license and take the CLI away, please mention it in the release notes and be done with it. Most home users probably would never miss it. Otherwise, I am just an end user; I have many choices, and if I don't like what you provide, nobody is forcing me to use the software. I have appreciated Astaro's and now Sophos's continued commitment to provide fully functioning software to home users at no cost. If that commitment has changed for any reason, Sophos doesn't need to justify it to me or anyone else.

    Regards

  • Agree with Billybob on `iftop`. I hadn't thought of using Live Connections, so I've been trying them. Three issues: 1) Five seconds is a long time, 2) not as easy to stop refreshing when you want to look at something that just popped up that's odd, and 3) it's not clear what the Kbps time period is and not clear that it means Kbps and not KBps. The `iftop` command is snappy, you can freeze it immediately, and it gives you rates over multiple time periods so you can watch for more of an instantaneous and more of a continuous average at the same time.

    Fast refresh in a GUI is probably a mistake, since it's pulling horsepower from the actual firewall job. So maybe allowing access via the CLI would be a good compromise?

    As an example, I'm looking for a machine that's streaming a multi-Mbps video stream. Using Live Connections sorted by download and viewing by IP, the machine bounces in and out of the top. Evidently there's some interaction of sorts between the 5 second refresh, what period of time Sophos is actually calculating over, and perhaps bursty streaming (as streaming programs overfill buffers and throttle themselves, I guess); it's frustrating trying to see the streamer in the top. Multiple refreshes can show apparently no download.