pfSense 1.0 Firewall Released

Posted by kdawson
from the protected-by-daemons dept.
Chris Daniel writes, "pfSense, a FreeBSD-based firewall LiveCD distribution, has reached its official 1.0 release. Based on m0n0wall, pfSense offers firewalling, traffic shaping, VPNs, load balancing, and a nice package-management system for adding extra functionality, among many other useful built-in features. The project has been ongoing for two years, and pfSense has already been in production use in a number of locations well before the 1.0 release." Find a download mirror here.

  • CURRENT? (Score:4, Interesting)

    by scott_karana (841914) on Saturday October 14, 2006 @04:47AM (#16434543)
    Why FreeBSD 6.1-CURRENT, I wonder? STABLE is bleeding edge enough for most, and I quite imagine that they could just use base 6.1.
  • So why do they release a new distro, instead of contributing to mWall?
    • Re: (Score:3, Informative)

      by Anonymous Coward
      monowall is just a firewall, this does traffic shaping/QoS, lots more services.
      • Re: (Score:2, Insightful)

        by M1FCJ (586251)
        So does Monowall, it even has a traffic shaper wizard... I'm a big fan of Monowall but I'm going to give this a go; if it has more support for hardware compared to Monowall, I might consider switching to it and use my useless wireless PCI card.
    • Re: (Score:3, Insightful)

      by Homology (639438)
      > So why do they release a new distro, instead of contributing to mWall?

      Because they have "radically different goals" than monowall. This is in the second sentence in http://www.pfsense.com/ [pfsense.com]
    • Re: (Score:3, Interesting)

      by Anonymous Coward
      m0n0wall is based on FreeBSD 4.x, it has little wireless support, it cannot do load balancing for multi-WAN, nor can it do machine failover with CARP.

      There are currently over $2000 in bounties posted on the m0n0wall list for the first person who makes it work with FreeBSD 6. Unfortunately for m0n0wall, we see people switching to pfSense instead.

      Yes, pfSense _is_ based on m0n0wall
      No, pfSense _is not_ m0n0wall
    • So why do they release a new distro, instead of contributing to mWall?

      By your argument, there should only be one distro for every open source operating system because people should just contribute back and never fork?
  • SmoothWall (Score:4, Informative)

    by mahesh_gharat (633793) on Saturday October 14, 2006 @05:22AM (#16434659)
    Have a look at SmoothWall at http://www.smoothwall.org/ [smoothwall.org]
    It's based on GNU/Linux, provides features on par or better, and it has been around for almost 4-5 years now.
    • SmoothWall?? IPCop! (Score:5, Informative)

      by PurPaBOO (604533) on Saturday October 14, 2006 @05:46AM (#16434741) Homepage
      You only get the better features in Smoothwall if you pay for the corporate version.

      You could try IPCop instead, a fork of smoothwall.

      I use IPCop instead of pfsense for some installations as it has support for the Bewan PCI ADSL modem.
      • by Drasil (580067) on Saturday October 14, 2006 @07:46AM (#16435091)

        I've used both Smoothwall and then IPCop for extended periods on my own home router box (an old P200/128MB). I have now been using M0n0wall for a couple of years and I am very happy with it. It doesn't have the silly coloured NIC idea, I can just add new subnets as I require and name them myself. I find it more powerful and intuitive than IPCop in other ways too. IPCop served me well for a long time but I don't think it's quite on the same level as M0n0wall, I can't comment on the non-free versions of Smoothwall.

        As for pfSense, it looks interesting, I may well give it a try

        • I've also used Smoothwall for about a year, then IPCop for another year or so, and now m0n0wall for the past couple of years. I definitely plan on trying pfSense to see how it compares. Out of the three I have used, m0n0wall is my preference. The traffic shaping actually works, the interface makes sense, and the features provided match my needs.
      • by digidave (259925)
        Show me how to do incoming load balancing for web servers in IPCop and you'll make me a happy man. As it is, I'm planning to migrate to pfsense to get this feature.
    • Re:SmoothWall (Score:5, Informative)

      by MattBurke (58682) on Saturday October 14, 2006 @07:54AM (#16435115)
      Only if you discount firewalling as a feature.

      The code behind iptables is disgusting. It doesn't even do a proper job of stateful tracking. Read and compare the source code if you don't believe me: there are many things which Linux does in about 10 lines of code but run into hundreds or thousands of lines in the pf source because pf does the job properly.
      • Can you give some examples? I'm not trying to be snotty; I'm genuinely curious. I love pf's syntax waaaay better than iptables, esp. for firewalls w/more than two NICs, but I'd be interested to know how the underlying code compares. (Not a programmer, though I can read C w/effort, so other opinions are valuable to me.)
        • Re: (Score:3, Interesting)

          by MattBurke (58682)
          Here's the OpenBSD link [openbsd.org]. Search for pf_test_state_tcp - it's about 2/3 of the way down the page.

          After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here [kernel.org] or maybe here [kernel.org]. Maybe. OK, I'm showing my ignorance somewhat here, but I don't understand why there's a whole heap of stuff all over the place. Anyhow, netfilter's state matching is basically about 4 lines which just check a packet against a list of ip,srcport,dstport. Sorry I'd have been able to find it if I had a lin
          • Re: (Score:1, Insightful)

            by Anonymous Coward
            > Here's the OpenBSD link. Search for pf_test_state_tcp - it's about 2/3 of the way down the page.

            You mean that 500 line function which attempts to match a whole slew of various packet characteristics?
            You call that clean code? Heh heh heh, OK.

            > After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here or maybe here. Maybe. OK, I'm showing my ignorance somewhat here, but I don't understand why there's a whole heap of stuff all over the place.

            There is the protocol independe
    • by Orlando (12257)
      Last time I tried Smoothwall (18 months ago) the UI was so bad I gave up on it and chose pfsense instead. I hope it has improved since.
    • by aliquis (678370)
      Yeah right ;/

      Need to be said: Hate the license :D
  • Sorry, I'll take my Linksys WRT54GS (v3) running OpenWRT [openwrt.org] or dd-wrt [dd-wrt.com]. Small, quiet, and wireless!
    • Re: (Score:3, Interesting)

      by Merovign (557032)
      Sure.

      Mind you, the "target market" leans a little more toward small/mid-size office than home office.

      Though I'm sure the hobby-minded with lots of spare older PCs will give it a shot.

      Myself, for my home network, I'm stickin' with mah Linksys.
    • How many simultaneous connections can this handle? I suppose it might be really dependent on the NICs instead of the software.

      I know routers like the WRT54GL v1.1 choke after 64 or so connections.
      • 4096
      • by TCM (130219)
        I don't really understand the business of "supporting so and so many connections". A connection when tracked with a stateful packet filter is nothing more than an entry in a state table. IIRC, state tables are binary trees. The number of entries doubles, the effort increases by one additional check.

        > I know routers like the WRT54GL v1.1 choke after 64 or so connections.

        I find this hard to believe. Their software must suck really bad then.

        With pf here, I see state tables with thousands of entries at peak time
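The two points argued in this subthread and in the pf-versus-netfilter exchange above (that a state table lookup stays cheap as the table grows, and that a proper stateful filter checks more than the ip/srcport/dstport tuple), as an added example that is not pfSense, pf or netfilter code: a toy stateful TCP filter in Python. All hosts, ports, window sizes and names in it (`Segment`, `StateTable`, `Conn`, `StatefulFilter`, `run_scenario`, `probes_for`, the retransmission slack) are constructed for illustration. States live in a sorted list searched by binary search, and the search counts its comparisons so the "double the entries, add one check" claim can be observed; the filter can be run either as a plain 4-tuple match or with a simplified per-direction sequence-window check in the spirit of what pf's pf_test_state_tcp does, and the scenario shows the one segment the two treat differently: a segment with the right 4-tuple but a sequence number nowhere near the window.

```python
"""Toy stateful TCP filter: plain 4-tuple match versus a pf-style sequence check.
Added example; hosts, ports, windows and all names below are constructed."""
from collections import namedtuple

# iface: "lan" (inside) or "wan" (outside); flags: subset of "SAFR"; window: what this
# sender will accept from its peer; seq/length in bytes. Real code compares modulo 2**32.
Segment = namedtuple("Segment", "iface src sport dst dport flags seq window length", defaults=[0])
SLACK = 1_000  # retransmits a little below the expected sequence number are tolerated

def key_of(seg):
    return ("tcp", seg.src, seg.sport, seg.dst, seg.dport)

def reverse(key):
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)

class StateTable:
    """States in a sorted list found by binary search (pf uses red-black trees; either
    way, doubling the table adds one comparison to a lookup)."""
    def __init__(self):
        self._entries = []  # sorted (key, state) pairs
        self.probes = 0     # comparisons made by the most recent lookup

    def _search(self, key, count=False):
        lo, hi = 0, len(self._entries)
        while lo < hi:
            self.probes += count
            mid = (lo + hi) // 2
            k = self._entries[mid][0]
            if k == key:
                return mid
            lo, hi = (mid + 1, hi) if k < key else (lo, mid)
        return lo

    def insert(self, key, state):
        i = self._search(key)
        if i < len(self._entries) and self._entries[i][0] == key:
            self._entries[i] = (key, state)
        else:
            self._entries.insert(i, (key, state))

    def lookup(self, key):
        self.probes = 0
        i = self._search(key, count=True)
        found = i < len(self._entries) and self._entries[i][0] == key
        return self._entries[i][1] if found else None

class Conn:
    """Per direction: next sequence number the sender should use, and the window its
    peer advertised (unknown values are filled in when that side first speaks)."""
    def __init__(self, syn):
        self.side = {"out": {"nxt": syn.seq + 1, "win": 65535},
                     "in": {"nxt": None, "win": syn.window}}

    def seq_ok(self, seg, d):
        s = self.side[d]
        return s["nxt"] is None or s["nxt"] - SLACK <= seg.seq <= s["nxt"] + s["win"]

    def update(self, seg, d):
        s, other = self.side[d], self.side["in" if d == "out" else "out"]
        end = seg.seq + seg.length + ("S" in seg.flags) + ("F" in seg.flags)
        s["nxt"] = end if s["nxt"] is None else max(s["nxt"], end)
        other["win"] = seg.window  # how much this sender will accept from its peer

class StatefulFilter:
    """Policy: LAN hosts may open TCP connections anywhere; everything else must match
    a state. With seq_check=False only the 4-tuple is consulted."""
    def __init__(self, seq_check=True):
        self.table, self.seq_check = StateTable(), seq_check

    def handle(self, seg):
        key = key_of(seg)
        entry = self.table.lookup(key)
        if entry is None:
            if seg.iface != "lan" or seg.flags != "S":
                return "block"
            conn = Conn(seg)
            self.table.insert(key, (conn, "out"))
            self.table.insert(reverse(key), (conn, "in"))
            return "pass"
        conn, direction = entry
        if self.seq_check and not conn.seq_ok(seg, direction):
            return "block"  # right 4-tuple, wrong place in the stream
        conn.update(seg, direction)
        return "pass"

def run_scenario(seq_check):
    """Handshake, in-window data, a segment whose sequence number is far outside the
    window, then a segment with no state at all; returns the verdicts in order."""
    fw = StatefulFilter(seq_check)
    c, s = ("10.0.0.5", 50123), ("192.0.2.10", 443)
    traffic = [Segment("lan", *c, *s, "S", 1000, 8192),
               Segment("wan", *s, *c, "SA", 5000, 16384),
               Segment("lan", *c, *s, "A", 1001, 8192),
               Segment("wan", *s, *c, "A", 5001, 16384, 512),
               Segment("wan", *s, *c, "R", 90_000_000, 0),
               Segment("wan", "198.51.100.7", 6667, *c, "A", 1, 0)]
    return [fw.handle(seg) for seg in traffic]

def probes_for(n):
    """Fill a table with n constructed states, then look up a key that is absent so
    the search runs to the end; return how many comparisons it took."""
    table = StateTable()
    for i in range(n):
        table.insert(("tcp", f"10.0.{i >> 8}.{i & 255}", 40000 + i, "192.0.2.10", 443), None)
    table.lookup(("udp", "10.0.0.1", 53, "192.0.2.10", 53))
    return table.probes
```

`run_scenario(False)` passes the out-of-window RST because the 4-tuple is in the table; `run_scenario(True)` blocks it and still passes the legitimate handshake and data. `probes_for(2048)`, `probes_for(4096)` and `probes_for(8192)` come back as 11, 12 and 13 comparisons, which is the whole of the cost argument: thousands of entries at peak are a handful of comparisons per packet, so the interesting cost in a real filter is memory for the entries and the per-state checks, not the lookup. A real filter also binds each state to the interface it was created on and handles 32-bit sequence wrap; both are left out here.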

      > Sorry, I'll take my Linksys WRT54GS (v3) running OpenWRT or dd-wrt. Small, quiet, and wireless!

      And this [soekris.com] isn't?

      Works much better, too, to say nothing of the other advantages.
    • Re: (Score:2, Informative)

      by beardz (790974)

      pfSense is quite capable of running on either Soekris SBCs [soekris.com] or PC Engines WRAPs [pcengines.ch], which to use your phrase, are both "small, quiet and wireless!" ;) Granted, the WRT54s are cheaper, but both the Soekris and WRAP boards offer more flexibility.

    • DD-WRT has some trouble, at least on my setup. It intermittently bugs out in certain things, for example I can't get my port forwarding to work. I have set it as a DMZ in my modem/router but some forwarded ports will work while others won't. Too bad, it really is an excellent piece of equipment (or would be, if it worked).
  • by udippel (562132) on Saturday October 14, 2006 @05:49AM (#16434751)
    I opened the links, since I was keen on finding out (even using) the thingy.

    But, no. The minimal ("Do not even attempt to use it on anything less !") hardware is beyond my means (and beyond my expectation, even for traffic shaping and stuff):
    All platforms: 128 megabytes of ram
    Embedded: 128 megabyte compact flash card
    Full installation: 2gb hard drive or larger
    LiveCD: USB Keychain for configuration storage

    That's simply a tiny little bit too much. I surely get a similar setup with OpenBSD on boxes with lower specs.

    Okay, let's get it going. I love compact flash. Alas: "Larger flash sizes can be used but pfSense will not use the space over the 128 MB limit".
    "The Snort package requires a LOT of memory, only install this when the system has 1 GB ram or over."

    Any need to go further? To me, at least, not. I'd rather move on...

    • Re: (Score:1, Informative)

      by Anonymous Coward
      You probably want m0n0wall instead which is lighter and aimed at embedded systems. Having used both (along with ipcop and others) I can say they all are excellent products.
    • Re: (Score:1, Informative)

      by Anonymous Coward
      I have difficulty understanding the problem. We are not aiming at the small embedded 35 euro router market here.

      A Cisco 851 has 64MB RAM, a Cisco 871 has 128MB RAM. We are talking hardware that can at least do redundancy, balancing, failover and multi-WAN. Then you promptly enter the $200-plus market, and this is the competition.

      And you need memory for sufficient connection tracking, firmware upgrades, traffic shaping etc.

      We point out that Snort (which we have no control over) requires a lot of memory. That is t
    • by Natales (182136)
      Well, it really depends a lot on what you are doing.

      Lots of folks have their own small server running at home 24x7 already anyway, so why not just add this as one more service layer running on a VM with its own dedicated NIC to protect your network. It behaves just like a separate machine for all practical purposes.
      • by udippel (562132)
        > Lots of folks have their own small server running at home 24x7 already anyway

        I do. What is 'small'? To me, it is P75 / P300 and 128 MB of RAM. Your turn to run a VM on it and said pfSense.
        Have you read http://wiki.pfsense.com/wikka.php?wakka=ReleaseCaveats [pfsense.com]? I am running a P233 with 64 MB RAM and get around 40 Mbits. Not as a VM, of course, but plain OpenBSD.
        On my Soekris 4801 I get a good 24 Mbits with http://www.zelow.no/floppyfw/ [zelow.no] including TC; from a floppy (if I so wanted).

        And when I start looki

    • by Agripa (139780)
      Most though not all current embedded hardware used for m0n0wall that can be had for about $200 meets the pfsense embedded requirements.
    • Just to be clear, those requirements are for several different flavors of the product.

      128MB of RAM, plus

      128MB CF card

      OR

      2GB hard drive

      OR

      A CD-ROM and a USB stick

      Personally I have no trouble coming up with a system with 128MB of RAM, a CD-ROM drive, and 32MB USB flash sticks are practically a throw-away item.

      No hard drive is required in this configuration.
  • PPTP pass-through? (Score:4, Informative)

    by pmsr (560617) on Saturday October 14, 2006 @06:33AM (#16434895)
    pfSense is an amazing product that does without hiccups what firewalls costing hundreds or even thousands of dollars do. But it has a limitation: it can't handle more than one simultaneous PPTP pass-through session to the same server. Plenty of cheap routers (based on Linux) do this. But granted, that Linux PPTP masquerading kernel module is a little beauty.

    • Of course, let's discount the fact that it can act as a PPTP endpoint (feature from m0n0wall).
      • Re: (Score:1, Informative)

        by Slashcrap (869349)
        > Of course, let's discount the fact that it can act as a PPTP endpoint (feature from m0n0wall).

        Yes I think we should, since it has no relevance to what the grandparent was talking about.

        What he is pointing out is that if you have a lot of visitors behind your pfSense based corporate firewall and they want to make PPTP connections back to their corporate networks, it will not work, because there is no support for multiple PPTP passthrough.

        I would love to tell you all about a perfect example of this becoming a
  • "No firewall can keep all hackers [techtarget.com] out." With these words, security consultant Bob Toxen began his sermon, or workshop, on the "seven deadly sins" of Linux security. Any IT manager who commits one of these sins will "get nailed sooner or later,"

    "Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall [ranum.com] transparent to hackers"

    '"Enumerating Badness" i
  • I'd actually like to see more systems like this provide plugins exposing options for setting up configurations to simulate unreliable network connections. I used monowall quite extensively a few years ago, and it exposed a traffic shaper option to delay packets a defined amount of time, but that alone isn't sufficient for a proper simulation. And why anyone would set that to anything other than 0 when using it for firewall purposes is beyond me.

    If you're going to try to shape traffic in manners like that, i
    • by slashnik (181800)
      For traffic shaping there is always netem http://linux-net.osdl.org/index.php/Netem [osdl.org]
      If not, have a look at NIST Net http://www-x.antd.nist.gov/nistnet/
      and dummynet.
    • by Fweeky (41046)
      That's what ipfw and dummynet(4) are for; while it's more typically used for rate limiting, it can also be used for randomly delaying (and thus reordering)/dropping packets. You can also filter packets through userspace daemons using divert sockets, which is how natd works; you can munge a packet pretty much however you want from there.

      There's also netgraph(4) which is quite flexible aiui.
    • You should have looked under the fancy GUI. m0n0wall uses dummynet(4) for traffic shaping - and simulating various network conditions and delays was actually the initial target of it. It can do everything you ask for, m0n0wall simply didn't export its complete functionality to the GUI.
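What a dummynet-style pipe does to a packet stream, as an added example that is neither m0n0wall's nor FreeBSD's code: a small Python model of the knobs the two comments above refer to. It combines a bandwidth cap (serialization time plus FIFO queueing), a fixed one-way delay with uniform random jitter, and random loss; the bandwidth, delay and loss knobs correspond to the bw, delay and plr parameters of an ipfw pipe, while the jitter knob, the `Pipe`, `run_pipe` and `reorder_count` names, and all packet sizes and timings are constructed for the example. It makes Fweeky's point concrete: random per-packet delay alone already reorders packets, and a rate cap spreads a burst out in time, which is exactly the sort of unreliable-link behaviour the parent wanted to simulate.

```python
"""Model of a dummynet-style pipe: bandwidth cap, delay plus jitter, random loss.
Added example with constructed parameters; not m0n0wall or FreeBSD code."""
import random
from dataclasses import dataclass

@dataclass
class Pipe:
    delay_ms: float = 0.0   # fixed one-way delay (the 'delay' knob of an ipfw pipe)
    jitter_ms: float = 0.0  # extra delay, uniform in [0, jitter_ms] (constructed knob)
    plr: float = 0.0        # probability each packet is dropped (the 'plr' knob)
    bw_kbit: float = 0.0    # link rate in kbit/s, 0 = unlimited (the 'bw' knob)
    seed: int = 1           # fixed seed so a run is reproducible

def run_pipe(pipe, sizes, interval_ms=1.0):
    """Push packets of the given sizes (bytes) into the pipe one every interval_ms.
    Returns (seq, arrival_ms) pairs in the order they leave the far end."""
    rng = random.Random(pipe.seed)
    link_free_at = 0.0
    out = []
    for seq, size in enumerate(sizes):
        sent_at = seq * interval_ms
        if rng.random() < pipe.plr:
            continue                                   # dropped, never queued
        serialize_ms = size * 8 / pipe.bw_kbit if pipe.bw_kbit else 0.0
        start = max(sent_at, link_free_at)             # FIFO: wait for the link
        link_free_at = start + serialize_ms
        arrival = link_free_at + pipe.delay_ms + rng.uniform(0.0, pipe.jitter_ms)
        out.append((arrival, seq))
    out.sort()                                         # far end sees them by arrival time
    return [(seq, t) for t, seq in out]

def reorder_count(delivered):
    """Number of packets that arrived after a packet with a higher sequence number."""
    high, n = -1, 0
    for seq, _ in delivered:
        if seq < high:
            n += 1
        high = max(high, seq)
    return n

if __name__ == "__main__":
    burst = [1000] * 3
    print("50 ms, unlimited:", run_pipe(Pipe(delay_ms=50), burst))
    print("50 ms, 1 Mbit/s: ", run_pipe(Pipe(delay_ms=50, bw_kbit=1000), burst))
    jittery = run_pipe(Pipe(delay_ms=50, jitter_ms=40), [64] * 200)
    print("reordered by jitter:", reorder_count(jittery), "of", len(jittery))
```

Three 1000-byte packets one millisecond apart leave an unlimited 50 ms pipe at 50, 51 and 52 ms; through a 1 Mbit/s cap each takes 8 ms to serialize, so they leave at 58, 66 and 74 ms. With 40 ms of jitter on a 1 ms packet spacing, a large fraction of a 200-packet stream arrives out of order, which is the case a protocol implementation under test has to cope with.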
  • minor p2p glitch (Score:3, Informative)

    by Anonymous Coward on Saturday October 14, 2006 @08:05AM (#16435181)
    After months of regular use I can say pfSense is a great firewall. One minor problem (and the only one) I encountered is the inability to work with the Kademlia p2p network: the client appears as always firewalled even after days though all other ports are correctly routed and the mule client gets a high id. The problem disappears as soon as I route the same ports through a different firewall.
    • by TCM (130219)
      This deserves investigating, I think. I'm seeing the same with pf on a custom-built NetBSD. I always blamed Kademlia because this is the only thing that doesn't work right and I have no other filter to transparently replace the current one.

      If pf really had serious issues with certain types of UDP traffic, it should get fixed.
  • by paulius_g (808556) on Saturday October 14, 2006 @08:08AM (#16435195) Homepage
    Is it only me, but... I always like to have a console (or otherwise called a terminal) accessible on the boxes that I own. I want to be able to SSH into them and change configs, hack it up, or just play around. The reason why I'm still with IPCop is that it has a full Linux console accessible locally and also via SSH. M0n0wall doesn't. So how about pfSense, does it or doesn't it?

    Any comments on it? I know that I'm not _supposed_ to install stuff on a firewall, but gosh, it's a full-blown computer that's just there.

    I'm currently using IPCop, but I've heard great things about BSD. The recent IPCop updates have been breaking things. But it's working out great in my environment. And, I guess I'll need to plug, but I even have a webcam which shows all my networking equipment and computers in my basement: http://thelab.servegame.com:8080/view/index.shtml [servegame.com]
    (The IPCop box is the lower-right one, the one to the left of it is a Windows box that's never up (Hey, guess why ;-) and the upper right one is my storage server.)
    • by Agripa (139780)
      I currently only use the PC version but as far as I know you can SSH into any of the pfSense variations assuming you enable it and have the appropriate firewall rule allowing access. The console-only quote for the embedded version probably refers to a lack of display and keyboard support.
    • pfSense does allow console access via SSH; I have dnetc running on mine without a problem.
  • VM? (Score:3, Insightful)

    by kafka47 (801886) on Saturday October 14, 2006 @09:23AM (#16435465) Homepage

    Would love to see this on a downloadable VM. Any takers?

    /K

    • Re: (Score:3, Informative)

      by numbski (515011)
      The dev version already is.

      I've installed into Qemu before without issues. This is actually a pretty common thing on the irc chans.
    • by DoXaVG (65405)
      Maybe you could convince the author of this:
      http://www.vmware.com/vmtn/appliances/directory/361 [vmware.com]
      to update it to release.
    • by Natales (182136)
      You don't even need a preinstalled VM image for this. It's easier to create your own VM with NO virtual hard drive, boot it from the ISO file and store the configuration on a virtual floppy image. I've done it with Monowall for years and it works like a charm.

      With this config you can tweak the amount of real memory you allocate to the VM based on your real utilization patterns (i.e., not everybody will run the Snort module).

      Disclaimer: I work for VMware.
      • by nurb432 (527695)
        While it might be good for testing and such, what is the true value of running it in a VM when you are using your hardware network interfaces anyway? To me that sort of defeats the purpose.
  • by AmiMoJo (196126) <mojoNO@SPAMworld3.net> on Saturday October 14, 2006 @01:31PM (#16437389) Homepage
    I don't know why they are doing a 1.0 release right now. While there are many nice things in pfSense, most of them are replicated in the much more stable m0n0wall on which it is based. The pfSense only features tend not to work too well.

    For example, the traffic shaping is broken. I have a 10Mb/512Kb cable connection (NTL) and have been totally unable to get traffic shaping to do anything. There are many more like me on the forums. It seems to work for some people on some connections, but is far from robust and universal. The rules that the wizard creates are not right either, and always need modifying. Hardly 1.0 standard I feel.

    There are other issues too, like the fact that embedded web upgrades don't work, or that the queues display does not show accurate stats (particularly on drops).

    I'm going to decommission my 650MHz P3 that is currently running pfSense and replace it with a much lower power Netgear Rangemax router. Really, the only things that the pfSense box has over the Netgear one are traffic shaping and the ability to handle a larger number of connections. The former doesn't work and the latter is irrelevant.
  • That was the main piece missing in monowall (that and a nice installer for PC hardware users).