
pfSense 1.0 Firewall Released

Posted by kdawson on Sat Oct 14, 2006 03:42 AM
from the protected-by-daemons dept.
Chris Daniel writes, "pfSense, a FreeBSD-based firewall LiveCD distribution, has reached its official 1.0 release. Based on m0n0wall, pfSense offers firewalling, traffic shaping, VPNs, load balancing, and a nice package-management system for adding extra functionality, among many other useful built-in features. The project has been ongoing for two years, and pfSense has already been in production use in a number of locations well before the 1.0 release." Find a download mirror here.
  • CURRENT? (Score:4, Interesting)

    by scott_karana (841914) on Saturday October 14 2006, @03:47AM (#16434543)
    Why FreeBSD 6.1-CURRENT, I wonder? STABLE is bleeding edge enough for most, and I quite imagine that they could just use base 6.1.
  • Based on m0n0wall? (Score:1)

    by Abasher (778648) on Saturday October 14 2006, @04:17AM (#16434639)
    So why do they release a new distro, instead of contributing to mWall?
  • SmoothWall (Score:4, Informative)

    by mahesh_gharat (633793) on Saturday October 14 2006, @04:22AM (#16434659)
    Have a look at SmoothWall at http://www.smoothwall.org/ [smoothwall.org]
    It's based on GNU/Linux, provides on-par or better features, and it has been around for almost 4-5 years now.
    • SmoothWall?? IPCop! (Score:5, Informative)

      by PurPaBOO (604533) on Saturday October 14 2006, @04:46AM (#16434741)
      (http://www.kush-t.co.uk/)
      You only get the better features in Smoothwall if you pay for the corporate version.

      You could try IPCop instead, a fork of smoothwall.

      I use IPCop instead of pfsense for some installations as it has support for the Bewan PCI ADSL modem.
      • Re:SmoothWall?? IPCop! (Score:4, Interesting)

        by Drasil (580067) on Saturday October 14 2006, @06:46AM (#16435091)

        I've used both Smoothwall and then IPCop for extended periods on my own home router box (an old P200/128MB). I have now been using M0n0wall for a couple of years and I am very happy with it. It doesn't have the silly coloured NIC idea; I can just add new subnets as I require and name them myself. I find it more powerful and intuitive than IPCop in other ways too. IPCop served me well for a long time, but I don't think it's quite on the same level as M0n0wall. I can't comment on the non-free versions of Smoothwall.

        As for pfSense, it looks interesting. I may well give it a try.

    • Re:SmoothWall (Score:5, Informative)

      by MattBurke (58682) on Saturday October 14 2006, @06:54AM (#16435115)
      (http://slashdot.org/)
      Only if you discount firewalling as a feature.

      The code behind iptables is disgusting. It doesn't even do a proper job of stateful tracking. Read and compare the source code if you don't believe me: there are many things which Linux does in about 10 lines of code but which run into hundreds or thousands of lines in the pf source, because pf does the job properly.
  • by wesmills (18791) on Saturday October 14 2006, @04:27AM (#16434677)
    (http://www.wyvern.org/)
    Sorry, I'll take my Linksys WRT54GS (v3) running OpenWRT [openwrt.org] or dd-wrt [dd-wrt.com]. Small, quiet, and wireless!
  • Uuh, no thanks, not convinced (Score:5, Interesting)

    by udippel (562132) on Saturday October 14 2006, @04:49AM (#16434751)
    I opened the links, since I was keen on finding out (even using) the thingy.

    But, no. The minimal ("Do not even attempt to use it on anything less !") hardware is beyond my means (and beyond my expectation, even for traffic shaping and stuff):
    All platforms: 128 megabytes of RAM
    Embedded: 128 megabyte compact flash card
    Full installation: 2 GB hard drive or larger
    LiveCD: USB keychain for configuration storage

    That's simply a tiny little bit too much. I can surely get a similar setup with OpenBSD on boxes with lower specs.

    Okay, let's get it going. I love compact flash. Alas: "Larger flash sizes can be used but pfSense will not use the space over the 128 MB limit".
    "The Snort package requires a LOT of memory, only install this when the system has 1 GB RAM or over."

    Any need to go further? To me, at least, not. I'd rather move on.

  • PPTP pass-through? (Score:4, Informative)

    by pmsr (560617) on Saturday October 14 2006, @05:33AM (#16434895)
    pfSense is an amazing product that does without hiccups what firewalls costing hundreds or even thousands of dollars do. But it has a limitation: it can't handle more than one simultaneous PPTP pass-through session to the same server. Plenty of cheap routers (based on Linux) do this. But granted, that Linux PPTP masquerading kernel module is a little beauty.
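
    The limitation described in this post falls out of how PPTP is built, and the following added example (written for this page, not pfSense, pf or Linux code) shows the mechanism in a toy model. PPTP is a TCP/1723 control channel plus a GRE (IP protocol 47) tunnel; GRE has no port numbers, so a translator that keys its state on (protocol, remote address, port) cannot tell two inside clients' tunnels to the same server apart. A PPTP-aware translator, which is what the Linux helper module does, instead learns each side's 16-bit call ID from the control channel and keys on that. All addresses, the sample call IDs and the port allocator are assumptions for the demonstration.

```python
"""
Toy model of why a port-keyed NAT carries only one PPTP session per server,
and how a call-ID-aware NAT avoids the collision. Constructed example, not
pfSense, pf or Linux code.
"""
from dataclasses import dataclass

TCP, GRE = 6, 47
WAN_IP = "203.0.113.2"           # assumed firewall WAN address
VPN_SERVER = "198.51.100.7"      # assumed PPTP server on the internet
CLIENT_A, CLIENT_B = "192.168.1.10", "192.168.1.11"   # assumed inside hosts


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: int = 0      # destination port; 0 for GRE, which has none
    call_id: int = 0    # enhanced-GRE key field: the *receiver's* call ID


class PortKeyedNat:
    """Keys inbound state on (proto, remote address, WAN port) only."""

    def __init__(self):
        self.inbound = {}       # key -> inside address
        self.next_port = 50000  # source ports handed out for TCP/UDP flows

    def outbound(self, pkt):
        """Record state for a packet leaving the LAN; return the WAN port used."""
        if pkt.proto == GRE:
            wan_port = 0        # nothing to allocate: GRE has no port field
        else:
            self.next_port += 1
            wan_port = self.next_port
        # Every GRE flow to the same server folds into one key, so the later
        # client silently takes over the earlier client's entry.
        self.inbound[(pkt.proto, pkt.dst, wan_port)] = pkt.src
        return wan_port

    def deliver(self, pkt):
        """Inside host that a reply from the internet is handed to (or None)."""
        return self.inbound.get((pkt.proto, pkt.src, pkt.dport))


class PptpAwareNat:
    """Keys GRE state on (server, call ID) learned from the TCP/1723 channel."""

    def __init__(self):
        self.calls = {}         # (server, call ID) -> inside address

    def register_call(self, inside, server, call_id):
        """Handle the call ID in a client's Outgoing-Call-Request.

        If another inside host already uses that ID toward the same server,
        pick a free one. The real helper modules rewrite the ID in the control
        packet too, so the server echoes the rewritten value in its GRE key.
        """
        while (server, call_id) in self.calls:
            call_id = (call_id + 1) & 0xFFFF
        self.calls[(server, call_id)] = inside
        return call_id

    def deliver(self, pkt):
        return self.calls.get((pkt.src, pkt.call_id))


def port_keyed_demo():
    """Two clients to one server: control channels work, GRE collapses onto B."""
    nat = PortKeyedNat()
    p_a = nat.outbound(Packet(TCP, CLIENT_A, VPN_SERVER, dport=1723))
    p_b = nat.outbound(Packet(TCP, CLIENT_B, VPN_SERVER, dport=1723))
    nat.outbound(Packet(GRE, CLIENT_A, VPN_SERVER))
    nat.outbound(Packet(GRE, CLIENT_B, VPN_SERVER))
    control = (nat.deliver(Packet(TCP, VPN_SERVER, WAN_IP, dport=p_a)),
               nat.deliver(Packet(TCP, VPN_SERVER, WAN_IP, dport=p_b)))
    tunnel = (nat.deliver(Packet(GRE, VPN_SERVER, WAN_IP, call_id=7)),
              nat.deliver(Packet(GRE, VPN_SERVER, WAN_IP, call_id=9)))
    return control, tunnel


def pptp_aware_demo():
    """Same two clients, both picking call ID 7; B is renumbered and both work."""
    nat = PptpAwareNat()
    id_a = nat.register_call(CLIENT_A, VPN_SERVER, 7)
    id_b = nat.register_call(CLIENT_B, VPN_SERVER, 7)
    tunnel = (nat.deliver(Packet(GRE, VPN_SERVER, WAN_IP, call_id=id_a)),
              nat.deliver(Packet(GRE, VPN_SERVER, WAN_IP, call_id=id_b)))
    return (id_a, id_b), tunnel


if __name__ == "__main__":
    print("port-keyed NAT:", port_keyed_demo())
    print("PPTP-aware NAT:", pptp_aware_demo())
```

    In the port-keyed model both TCP control connections come back to the right host, but every inbound GRE packet is handed to whichever client started its tunnel last, which is exactly the "second session hangs" symptom. The call-ID-aware model renumbers the second client's call and can then route each GRE packet correctly.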

  • by rs232 (849320) <emacsuser@NoSPam.linuxmail.org> on Saturday October 14 2006, @06:54AM (#16435121)
    "No firewall can keep all hackers [techtarget.com] out." With these words, security consultant Bob Toxen began his sermon, or workshop, on the "seven deadly sins" of Linux security. Any IT manager who commits one of these sins will "get nailed sooner or later,"

    "Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall [ranum.com] transparent to hackers"

    '"Enumerating Badness" is the idea behind a huge number of security products and systems, from anti-virus to intrusion detection, intrusion prevention, application security, and "deep packet inspection" firewalls'
  • by Arethan (223197) on Saturday October 14 2006, @06:55AM (#16435125)
    (Last Journal: Thursday August 23 2001, @09:23PM)
    I'd actually like to see more systems like this provide plugins exposing options for setting up configurations to simulate unreliable network connections. I used monowall quite extensively a few years ago, and it exposed a traffic shaper option to delay packets a defined amount of time, but that alone isn't sufficient for a proper simulation. And why anyone would set that to anything other than 0 when using it for firewall purposes is beyond me.

    If you're going to try to shape traffic in manners like that, it would have been useful to have other options as well such as random packet dropping, packet corruption, packet reordering, and random packet delay.

    I recall a few years ago that some company came up with a hardware device specifically for simulating unreliable networks with the intent of selling them primarily to game developers. I don't recall the product name though. In any event, it would be nice to see either pfSense or monowall support an official plugin to provide access to that sort of functionality. I'm not sure if *BSD has the network hooks to support all of the necessary features though.
  • minor p2p glitch (Score:3, Informative)

    by Anonymous Coward on Saturday October 14 2006, @07:05AM (#16435181)
    After months of regular use I can say pfSense is a great firewall. One minor problem (and the only one) I encountered is the inability to work with the Kademlia p2p network: the client appears as always firewalled even after days though all other ports are correctly routed and the mule client gets a high id. The problem disappears as soon as I route the same ports through a different firewall.
  • Console, anyone? (Score:3)

    by paulius_g (808556) on Saturday October 14 2006, @07:08AM (#16435195)
    (http://www.hlds101.com/)
    Is it only me, but... I always like to have a console (otherwise called a terminal) accessible on the boxes that I own. I want to be able to SSH into them and change configs, hack it up, or just play around. The reason why I'm still with IPCop is that it has a full Linux console accessible locally and also via SSH. M0n0wall doesn't. So how about pfSense, does it or doesn't it?

    Any comments on it? I know that I'm not _supposed_ to install stuff on a firewall, but gosh, it's a full-blown computer that's just sitting there.

    I'm currently using IPCop, but I've heard great things about BSD. The recent IPCop updates have been breaking things. But it's working out great in my environment. And, I guess I'll need to plug, but I even have a webcam which shows all my networking equipment and computers in my basement: http://thelab.servegame.com:8080/view/index.shtml [servegame.com]
    (The IPCop box is the lower-right one, the one to the left of it is a Windows box that's never up (Hey, guess why ;-) and the upper right one is my storage server.)
  • VM? (Score:3, Insightful)

    by kafka47 (801886) on Saturday October 14 2006, @08:23AM (#16435465)
    (http://covertcreations.com/)

    Would love to see this on a downloadable VM. Any takers?

    /K

  • 1.0 and it's still broken (Score:3, Informative)

    by AmiMoJo (196126) <mojo@@@world3...net> on Saturday October 14 2006, @12:31PM (#16437389)
    (http://world3.net/)
    I don't know why they are doing a 1.0 release right now. While there are many nice things in pfSense, most of them are replicated in the much more stable m0n0wall on which it is based. The pfSense only features tend not to work too well.

    For example, the traffic shaping is broken. I have a 10Mb/512Kb cable connection (NTL) and have been totally unable to get traffic shaping to do anything. There are many more like me on the forums. It seems to work for some people on some connections, but is far from robust and universal. The rules that the wizard creates are not right either, and always need modifying. Hardly 1.0 standard I feel.

    There are other issues too, like the fact that embedded web upgrades don't work, or that the queues display does not show accurate stats (particularly on drops).

    I'm going to decommission my 650MHz P3 that is currently running pfSense and replace it with a much lower power Netgear Rangemax router. Really, the only things that the pfSense box has over the Netgear one are traffic shaping and the ability to handle a larger number of connections. The former doesn't work and the latter is irrelevant.
  • by nurb432 (527695) on Saturday October 14 2006, @03:05PM (#16438555)
    (http://slashdot.org/~nurb432/ | Last Journal: Friday August 27 2004, @03:24PM)
    That was the main piece missing in monowall.. ( that and a nice installer for PC hardware users ).

  • Re:One question?? (Score:2, Funny)

    by Abasher (778648) on Saturday October 14 2006, @04:11AM (#16434625)
    That card is neither Gigabit (it's 10Gbps) nor copper (it's fiber). Hardly what he asked for. But true, the question wasn't very specific.
  • curses interface? Are you sure you are looking at pfSense?
  • Lacking the knowledge of the internal workings of PF, I do have to say that I have never had a problem with SIP. My home phone is through Vonage behind pfSense, and I routinely connect while on the road to a friend's Asterisk box to make phone calls with a soft phone and Bluetooth headset on my laptop. He has a pfSense router and all of his trunks are SIP. Several users are simultaneously connected using SIP from remote locations and properly routed out the SIP trunks. Not to doubt that you have had things that do not work; I am only relating my experiences. I must also state that the SIP traffic shaping appears to work beautifully there, as I really don't have any call issues that are not related to the bandwidth available at my remote location(s).
  • by eneville (745111) on Saturday October 14 2006, @05:19PM (#16439421)
    (http://www.s5h.net/)
    openbsd is becoming a better network os than the others. depends what you mean by dying. stats can show whatever, but most people use bsd's at the firewall level and put services on the hosts behind it. other people use bsd all over the place, but with recent desktop improvements on gnome/kde etc people are moving towards the linux desktop. there are other features too, such as brilliant package management, which make distros like debian and rh far less work to maintain.

    fwiw, openbsd is growing, bgp/ospf are now part of the default install and it's very attractive for network ops, oh and chroot apache is a good move also.

    if bsd kernels had a strong drive behind them like ltorvalds then perhaps they would have better device support.
  • As best as I can make out, this is a general purpose unix with the packet filter from OpenBSD grafted onto FreeBSD and an interface adapted from a linux firewall;

    Please excuse my ignorance, but why don't they use OpenBSD instead of FreeBSD? Surely if you're building a (open|free) firewall, you start with the most secure (open|free) Unix you can find?
  • Re:x86? (Score:1)

    Great, we thank you for donating our sparc64 build systems.
  • Re:One question?? (Score:2)

    by TCM (130219) on Sunday October 15 2006, @12:39AM (#16441647)
    One answer: Get Intel cards.
  • by TCM (130219) on Sunday October 15 2006, @12:50AM (#16441717)
    The underlying pf seems to have more flexibility than the interface on top then.

    I suppose you mean something like the following?

    # XXX: hardwire SIP and RTP source ports
    # macro values assumed for illustration (not in the original post); first matching nat rule wins
    ext_if = "em0"
    int_net = "192.168.1.0/24"
    asterisk = "192.168.1.10"
    nat on $ext_if inet proto udp from $asterisk port { 5060, 10000:20000 } to any -> ($ext_if) static-port
    nat on $ext_if inet from $int_net to any -> ($ext_if)
    rdr on $ext_if inet proto udp from any to ($ext_if) port { 5060, 10000:20000 } -> $asterisk


    Which means that traffic from an internal Asterisk that has source ports 5060 and 10000-20000 leaves NATed but with the source ports intact. Together with the ability to let Asterisk enter arbitrary IP addresses in SIP messages[1], this makes it look like it was directly connected and not behind NAT at all.

    All other traffic - even HTTP from the Asterisk server for example - gets the source port replaced as usual.

    [1] Who TF thought that entering layer 3 addresses in application layers was a good idea anyway?
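
    The post above explains in prose why static-port matters; the following added example (written for this page, not pfSense, pf or Asterisk code) makes the failure visible. SIP writes the sender's own address and port into the message (the Via and Contact headers and the SDP c= and m= lines), and the far end sends replies and RTP media to what it reads there rather than to where the packet actually came from. Once Asterisk is told to write the firewall's WAN address, the addresses match; the ports match only if the translator leaves source ports alone, as the static-port rule does. The INVITE, the WAN address and the translator's port range (pf's default 50001-65535 for rewritten source ports) are assumptions for the demonstration.

```python
"""
Check a SIP INVITE's advertised endpoints against where its packets would
really come from after two kinds of source NAT. Constructed example, not
pfSense, pf or Asterisk code.
"""
import random
import re

WAN_IP = "203.0.113.2"      # assumed WAN address, also what Asterisk is told to advertise

# Constructed INVITE as the inside Asterisk would emit it: signalling from
# UDP 5060, media offered on UDP 12000 (inside the 10000-20000 RTP range).
INVITE = (
    "INVITE sip:alice@example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {WAN_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    f"Contact: <sip:asterisk@{WAN_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    f"o=- 1 1 IN IP4 {WAN_IP}\r\n"
    "s=call\r\n"
    f"c=IN IP4 {WAN_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 12000 RTP/AVP 0 8\r\n"
)


def advertised_endpoints(msg):
    """Extract the (address, port) pairs the far end will send to."""
    via = re.search(r"^Via:\s*SIP/2\.0/UDP\s+([\d.]+):(\d+)", msg, re.M)
    contact = re.search(r"^Contact:\s*<sip:[^@>]*@([\d.]+):(\d+)>", msg, re.M)
    conn = re.search(r"^c=IN IP4 ([\d.]+)", msg, re.M)
    media = re.search(r"^m=audio (\d+) ", msg, re.M)
    return {
        "via": (via.group(1), int(via.group(2))),
        "contact": (contact.group(1), int(contact.group(2))),
        "media": (conn.group(1), int(media.group(1))),
    }


def nat_source_port(inside_port, static_port, rng):
    """Outbound source-port translation: keep the port under static-port,
    otherwise pick a fresh one the way a default pf nat rule would."""
    return inside_port if static_port else rng.randrange(50001, 65536)


def check_call(msg, static_port, seed=0):
    """List every advertised field the peer would answer at the wrong place.

    Each entry is (field, "address" | "port", advertised, actual). An empty
    list means replies and media will reach the firewall where it expects them.
    """
    rng = random.Random(seed)
    adv = advertised_endpoints(msg)
    # Via and Contact come from the same signalling socket; RTP from the m= port.
    actual = {"via": nat_source_port(adv["via"][1], static_port, rng)}
    actual["contact"] = actual["via"]
    actual["media"] = nat_source_port(adv["media"][1], static_port, rng)
    problems = []
    for field in ("via", "contact", "media"):
        host, port = adv[field]
        if host != WAN_IP:
            problems.append((field, "address", host, WAN_IP))
        if port != actual[field]:
            problems.append((field, "port", port, actual[field]))
    return problems


if __name__ == "__main__":
    print("static-port:", check_call(INVITE, static_port=True))
    print("default nat:", check_call(INVITE, static_port=False))
    print("LAN address in SIP:", check_call(INVITE.replace(WAN_IP, "192.168.1.10"), True))
```

    With static-port the list is empty. With default port rewriting, Via, Contact and the RTP port all disagree with the real source ports, so the far end answers on ports the firewall has no state for. Replacing the WAN address with the LAN address in the message reproduces the other half of the problem (the one Asterisk's externip setting fixes), which is why the post needs both pieces.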