
pfSense 1.0 Firewall Released

Chris Daniel writes, "pfSense, a FreeBSD-based firewall LiveCD distribution, has reached its official 1.0 release. Based on m0n0wall, pfSense offers firewalling, traffic shaping, VPNs, load balancing, and a nice package-management system for adding extra functionality, among many other useful built-in features. The project has been ongoing for two years, and pfSense has already been in production use in a number of locations well before the 1.0 release." Find a download mirror here.
This discussion has been archived. No new comments can be posted.

  • by Homology ( 639438 ) on Saturday October 14, 2006 @05:28AM (#16434681)
    > So why do they release a new distro, instead of contributing to mWall?

    Because they have "radically different goals" than monowall. This is in the second sentence in http://www.pfsense.com/ [pfsense.com]
  • Re:CURRENT? (Score:2, Insightful)

    by Anonymous Coward on Saturday October 14, 2006 @06:01AM (#16434791)
    There are other issues at play here which still exist in -STABLE. The lead developer has a good sense of what is right, that and he is a FreeBSD committer himself.

    In short, -CURRENT works better for us.
  • by M1FCJ ( 586251 ) on Saturday October 14, 2006 @07:11AM (#16435005) Homepage
    So does firewall, it even has a traffic shape wizard... I'm a big fan of Monowall but I'm going to give this a go, if it has more support for hardware compared to Monowall, I might consider switching to it and use my useless wireless PCI card.
  • VM? (Score:3, Insightful)

    by kafka47 ( 801886 ) on Saturday October 14, 2006 @09:23AM (#16435465) Homepage

    Would love to see this on a downloadable VM. Any takers?

    /K

  • Re:SmoothWall (Score:1, Insightful)

    by Anonymous Coward on Saturday October 14, 2006 @09:44AM (#16435611)
    How does bullshit like this get modded up? Some of us prefer to work with FreeBSD, don't even dare to tell people how they should spend their free time.
  • Re:SmoothWall (Score:1, Insightful)

    by Anonymous Coward on Monday October 16, 2006 @01:55AM (#16449651)
    > Here's the OpenBSD link. Search for pf_test_state_tcp - it's about 2/3 the way down the page

    You mean that 500 line function which attempts to match a whole slew of various packet characteristics?
    You call that clean code? Heh heh heh, OK.

    > After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here or maybe here. Maybe. OK I'm showing my ignorance somewhat here but I don't understand why there's a whole heap of stuff all over the place.

    There is the protocol independent netfilter code in your second link, and the ipv4 specific match modules in the first.
    This is a good example of a well designed architecture (ignoring the actual low level implementation issues, because
    I'm not familiar with the code).

    > Anyhow, netfilter's state matching is basically about 4 lines which just check a packet against a list of ip,srcport,dstport. Sorry I'd have been able to find it if I had a linux box to hand to grep on, but I don't at the moment

    No. See all those files in your first link? Each of those provides support to match a specific packet characteristic
    (not counting things like the general ipv4 stateful connection tracking support). All nicely separated and modularised.

    > One thing should be stated in comparison - Linux is a *LOT* faster at throwing packets through its firewall, mind you it's a direct result of it not really checking them

    Why do you say "not really checking them", and why did you claim that Linux does not do a proper job of stateful
    connection tracking? State what exact functionality you require that PF supports but netfilter does not -- trying
    to go through the code in 30 minutes looking for feature parity is not going to achieve anything especially if you
    are not familiar with the code in the first place.
