pfSense 1.0 Firewall Released
Chris Daniel writes, "pfSense, a FreeBSD-based firewall LiveCD distribution, has reached its official 1.0 release. Based on m0n0wall, pfSense offers firewalling, traffic shaping, VPNs, load balancing, and a nice package-management system for adding extra functionality, among many other useful built-in features. The project has been ongoing for two years, and pfSense has already been in production use in a number of locations well before the 1.0 release." Find a download mirror here.
Re:Based on mOnOwall? (Score:3, Insightful)
Because they have "radically different goals" than monowall. This is in the second sentence on http://www.pfsense.com/
Re:CURRENT? (Score:2, Insightful)
In short, -CURRENT works better for us.
VM? (Score:3, Insightful)
Would love to see this on a downloadable VM. Any takers?
Re:SmoothWall (Score:1, Insightful)
You mean that 500 line function which attempts to match a whole slew of various packet characteristics?
You call that clean code? Heh heh heh, OK.
After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here or maybe here. Maybe. OK, I'm showing my ignorance somewhat here, but I don't understand why there's a whole heap of stuff all over the place.
There is the protocol independent netfilter code in your second link, and the ipv4 specific match modules in the first.
This is a good example of a well designed architecture (ignoring the actual low level implementation issues, because I'm not familiar with the code).
Anyhow, netfilter's state matching is basically about 4 lines which just check a packet against a list of ip, srcport, dstport. Sorry, I'd have been able to find it if I had a Linux box to hand to grep on, but I don't at the moment.
No. See all those files in your first link? Each of those provides support to match a specific packet characteristic (not counting things like the general ipv4 stateful connection tracking support). All nicely separated and modularised.
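The two posts above describe the same design from two angles: one independent match module per packet characteristic, plus a separate connection-tracking table that the "state" match consults. The following toy filter is an added illustration of that layout and is not code from netfilter, pf, pfSense or any poster; the module names, rules, addresses and packets are all constructed for the example.

```python
"""Constructed example: a stateful packet filter assembled from independent
match modules, in the style of the modular netfilter layout discussed above.
Module names, rules, addresses and packets are invented for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]


class ConnTracker:
    """Minimal connection tracking: the set of 5-tuples already accepted."""

    def __init__(self) -> None:
        self.flows: set = set()

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def state_of(self, p: Packet) -> str:
        # The "state" match is only a lookup against this table.
        return "ESTABLISHED" if self._key(p) in self.flows else "NEW"

    def note(self, p: Packet) -> None:
        # Record both directions so the reply packet is seen as ESTABLISHED.
        self.flows.add(self._key(p))
        self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))


# A match module is a factory: rule argument -> predicate(packet, tracker).
Matcher = Callable[[Packet, ConnTracker], bool]
MatchFactory = Callable[[str], Matcher]

# Each module knows about exactly one packet characteristic (hypothetical
# modules, one per criterion, in the spirit of netfilter's separate files).
MATCH_MODULES: Dict[str, MatchFactory] = {
    "proto": lambda v: lambda p, ct: p.proto == v,
    "dport": lambda v: lambda p, ct: p.dport == int(v),
    "src": lambda v: lambda p, ct: ipaddress.ip_address(p.src)
    in ipaddress.ip_network(v),
    "state": lambda v: lambda p, ct: ct.state_of(p) == v,
}


@dataclass
class Rule:
    criteria: List[Tuple[str, str]]
    action: str  # "ACCEPT" or "DROP"

    def matchers(self) -> List[Matcher]:
        # An unknown module name fails here at rule-load time, not per packet.
        return [MATCH_MODULES[name](arg) for name, arg in self.criteria]


class Filter:
    """First matching rule wins; anything unmatched gets the default verdict."""

    def __init__(self, rules: List[Rule], default: str = "DROP") -> None:
        self.compiled = [(r.matchers(), r.action) for r in rules]
        self.default = default
        self.ct = ConnTracker()

    def verdict(self, p: Packet) -> str:
        for matchers, action in self.compiled:
            if all(m(p, self.ct) for m in matchers):
                if action == "ACCEPT":
                    self.ct.note(p)  # accepted traffic becomes a tracked flow
                return action
        return self.default


def run_scenario() -> List[str]:
    """Constructed traffic: only LAN-originated SSH and its replies pass."""
    fw = Filter([
        Rule([("state", "ESTABLISHED")], "ACCEPT"),
        Rule([("proto", "tcp"), ("dport", "22"),
              ("src", "10.0.0.0/8"), ("state", "NEW")], "ACCEPT"),
    ])
    packets = [
        Packet("tcp", "10.0.0.5", 40000, "10.0.0.1", 22),   # new SSH from LAN
        Packet("tcp", "10.0.0.1", 22, "10.0.0.5", 40000),   # reply to it
        Packet("tcp", "192.0.2.9", 40001, "10.0.0.1", 22),  # SSH from outside
        Packet("tcp", "10.0.0.5", 40002, "10.0.0.1", 80),   # HTTP, no rule
        Packet("tcp", "10.0.0.1", 80, "10.0.0.5", 40002),   # unsolicited reply
    ]
    return [fw.verdict(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```

The point the posts make is visible in the structure: adding a new criterion means adding one entry to `MATCH_MODULES`, and the `state` module is nothing more than a table lookup, so the rule engine never needs to know how any individual match works. The fifth packet shows why the table matters: a "reply" that was never preceded by an accepted outbound packet is treated as NEW and falls through to the default DROP.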
One thing should be stated in comparison - Linux is a *LOT* faster at throwing packets through its firewall, mind you, it's a direct result of it not really checking them.
Why do you say "not really checking them", and why did you claim that Linux does not do a proper job of stateful connection tracking? State what exact functionality you require that PF supports but netfilter does not -- trying to go through the code in 30 minutes looking for feature parity is not going to achieve anything, especially if you are not familiar with the code in the first place.