pfSense 1.0 Firewall Released
Chris Daniel writes, "pfSense, a FreeBSD-based firewall LiveCD distribution, has reached its official 1.0 release. Based on m0n0wall, pfSense offers firewalling, traffic shaping, VPNs, load balancing, and a nice package-management system for adding extra functionality, among many other useful built-in features. The project has been ongoing for two years, and pfSense has already been in production use in a number of locations well before the 1.0 release." Find a download mirror here.
CURRENT? (Score:4, Interesting)
Re: (Score:2, Insightful)
In short, -CURRENT works better for us.
Re: (Score:1)
Re:CURRENT? (Score:4, Informative)
I have been on the RC1, and replaced all my Linux/IPfilter machines with this.
Re: (Score:2, Funny)
Re: (Score:2)
Based on mOnOwall? (Score:1)
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
Because they have "radically different goals" than monowall. This is in the second sentence in http://www.pfsense.com/ [pfsense.com]
Re: (Score:3, Interesting)
There are currently over $2000 in bounties posted on the m0n0wall list for the first person that makes it work with FreeBSD 6. Unfortunately for m0n0wall, we see people switching to pfsense instead.
Yes, pfSense _is_ based on m0n0wall
No, pfSense _is not_ m0n0wall
Re: (Score:2)
By your argument, there should only be one distro for every open source operating system because people should just contribute back and never fork?
SmoothWall (Score:4, Informative)
It's based on GNU/Linux and provides on-par or better features, and it has been there for almost 4-5 years now.
SmoothWall?? IPCop! (Score:5, Informative)
You could try IPCop instead, a fork of smoothwall.
I use IPCop instead of pfsense for some installations as it has support for the Bewan PCI ADSL modem.
Re:SmoothWall?? IPCop! (Score:4, Interesting)
I've used both Smoothwall and then IPCop for extended periods on my own home router box (an old P200/128MB). I have now been using M0n0wall for a couple of years and I am very happy with it. It doesn't have the silly coloured NIC idea; I can just add new subnets as I require and name them myself. I find it more powerful and intuitive than IPCop in other ways too. IPCop served me well for a long time but I don't think it's quite on the same level as M0n0wall. I can't comment on the non-free versions of Smoothwall.
As for pfSense, it looks interesting, I may well give it a try
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re:SmoothWall (Score:5, Informative)
The code behind iptables is disgusting. It doesn't even do a proper job of stateful tracking. Read and compare the source code if you don't believe me - There are many things which linux does in about 10 lines of code but run into hundreds or thousands of lines in the pf source because pf does the job properly
Re: (Score:2)
Re: (Score:3, Interesting)
After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here [kernel.org] or maybe here [kernel.org]. Maybe. OK I'm showing my ignorance somewhat here but I don't understand why there's a whole heap of stuff all over the place. Anyhow, netfilter's state matching is basically about 4 lines which just check a packet against a list of ip,srcport,dstport. Sorry I'd have been able to find it if I had a lin
Re: (Score:1, Insightful)
You mean that 500 line function which attempts to match a whole slew of various packet characteristics?
You call that clean code? Heh heh heh, OK.
After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here or maybe here. Maybe. OK I'm showing my ignorance somewhat here but I don't understand why there's a whole heap of stuff all over the place.
There is the protocol independe
Re: (Score:2)
Re: (Score:2)
Need to be said: Hate the license
Re: (Score:1, Insightful)
Re: (Score:1)
Relies on a full-size computer (Score:2, Troll)
Re: (Score:3, Interesting)
Mind you, the "target market" leans a little more toward small/mid-size office than home office.
Though I'm sure the hobby-minded with lots of spare older PCs will give it a shot.
Myself, for my home network, I'm stickin' with mah Linksys.
One major concern (Score:2)
I know routers like the WRT54GL v1.1 choke after 64 or so connections.
Re: (Score:2)
Re: (Score:2)
P2P can choke low end routers.
Re: (Score:2)
I find this hard to believe. Their software must suck really bad then.
With pf here, I see state tables with thousands of entries at peak time
Re: (Score:2)
And this [soekris.com] isn't?
Works much better, too, to say nothing of the other advantages.
Re: (Score:2, Informative)
pfSense is quite capable of running on either Soekris SBCs [soekris.com] or PC Engines WRAPs [pcengines.ch], which to use your phrase, are both "small, quiet and wireless!" ;) Granted, the WRT54s are cheaper, but both the Soekris and WRAP boards offer more flexibility.
If I could only get port forwarding to work (Score:2)
Uuh, no thanks, not convinced (Score:5, Interesting)
But, no. The minimal ("Do not even attempt to use it on anything less !") hardware is beyond my means (and beyond my expectation, even for traffic shaping and stuff):
All platforms: 128 megabytes of ram
Embedded: 128 megabyte compact flash card
Full installation: 2gb hard drive or larger
LiveCD: USB Keychain for configuration storage
That's simply a tiny little bit too much. I can surely get a similar setup with OpenBSD on boxes with lower specs.
Okay, let's get it going. I love compact flash. Alas: "Larger flash sizes can be used but pfSense will not use the space over the 128 MB limit".
... .
"The Snort package requires a LOT of memory, only install this when the system has 1 GB ram or over."
Any need to go further? To me, at least, not. I'd rather move on
Re: (Score:1, Informative)
Re: (Score:1, Informative)
A Cisco 851 has 64MB ram, a Cisco 871 has 128MB ram. We are talking hardware that can at least do redundancy, balancing, failover and multiwan. Then you promptly enter the $200-plus market and this is the competition.
And you need memory for sufficient connection tracking, firmware upgrades, traffic shaping etc.
We point out that Snort (which we have no control over) requires a lot of memory. That is t
Re: (Score:1)
Lots of folks have their own small server running at home 24x7 already anyway, so why not just add this as one more service layer running on a VM with its own dedicated NIC to protect your network. It behaves just like a separate machine for all practical purposes.
Re: (Score:2)
I do. What is 'small'? To me, it is P75 / P300 and 128 MB of RAM. Your turn to run a VM on it and said pfSense.
Have you read http://wiki.pfsense.com/wikka.php?wakka=ReleaseCaveats [pfsense.com] ? I am running a P233 with 64 MB RAM and get around 40 Mbits. Not as VM, of course, but plain OpenBSD.
On my Soekris 4801 I get a good 24 Mbits with http://www.zelow.no/floppyfw/ [zelow.no] inclusive TC; from a floppy (if I so wanted).
And when I start looki
Re: (Score:2)
Re: (Score:1)
128MB of RAM, plus
128MB CF card
OR
2GB hard drive
OR
A CD-ROM and a USB stick
Personally I have no trouble coming up with a system with 128MB of RAM, a CD-ROM drive, and 32MB USB flash sticks are practically a throw-away item.
No hard drive is required in this configuration.
PPTP pass-through? (Score:4, Informative)
Re: (Score:1)
Re: (Score:1, Informative)
Yes I think we should, since it has no relevance to what the grandparent was talking about.
What he is pointing out is that if you have a lot of visitors behind your pfSense based corporate firewall and they want to make PPTP connections back to their corporate networks, it will not work, because there is no support for multiple PPTP passthrough.
I would love to tell you all about a perfect example of this becoming a
Re: (Score:1)
Re: (Score:2)
Please excuse my ignorance, but why don't they use OpenBSD instead of FreeBSD? Surely if you're building a (open|free) firewall, you start with the most secure (open|free) Unix you can find?
Re: (Score:2, Informative)
no firewall can keep all hackers out (Score:1, Offtopic)
"Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall [ranum.com] transparent to hackers"
'"Enumerating Badness" i
Unreliable Network Simulation (Score:2)
If you're going to try to shape traffic in manners like that, i
Re: (Score:2)
If not for you, have a look at nistnet <http://www-x.antd.nist.gov/nistnet/>
and dummynet.
Re: (Score:2)
There's also netgraph(4) which is quite flexible aiui.
Re: (Score:1)
minor p2p glitch (Score:3, Informative)
Re: (Score:2)
If pf really had serious issues with certain types of UDP traffic, it should get fixed.
Console, anyone? (Score:3)
Any comments on it? I know that I'm not _supposed_ to install stuff on a firewall, but gosh, it's a full-blown computer that's just there.
I'm currently using IPCop, but I've heard great things about BSD. The recent IPCop updates have been breaking things. But it's working out great in my environment. And, I guess I'll need to plug, but I even have a webcam which shows all my networking equipment and computers in my basement: http://thelab.servegame.com:8080/view/index.shtml [servegame.com]
(The IPCop box is the lower-right one, the one to the left of it is a Windows box that's never up (Hey, guess why
Re: (Score:2)
Re: (Score:1)
VM? (Score:3, Insightful)
Would love to see this on a downloadable VM. Any takers?
Re: (Score:3, Informative)
I've installed into Qemu before without issues. This is actually a pretty common thing on the irc chans.
Re: (Score:1)
http://www.vmware.com/vmtn/appliances/directory/3
to update it to release.
Re: (Score:1)
With this config you can tweak the amount of real memory you allocate to the VM based on your real utilization patterns (i.e., not everybody will run the Snort module).
Disclaimer: I work for VMware.
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
I suppose you mean something like the following?
# XXX: hardwire SIP and RTP source ports
nat on $ext_if inet proto udp from $asterisk port { 5060, 10000:20000 } to any -> ($ext_if) static-port
nat on $ext_if inet from $int_net to any -> ($ext_if)
rdr on $ext_if inet proto udp from any to ($ext_if) port { 5060, 10000:20000 } -> $asterisk
Which means that traffic from an internal Asterisk that has source ports 5060 and 10000-
Re: (Score:1)
1.0 and it's still broken (Score:3, Informative)
For example, the traffic shaping is broken. I have a 10Mb/512Kb cable connection (NTL) and have been totally unable to get traffic shaping to do anything. There are many more like me on the forums. It seems to work for some people on some connections, but is far from robust and universal. The rules that the wizard creates are not right either, and always need modifying. Hardly 1.0 standard I feel.
There are other issues too, like the fact that embedded web upgrades don't work, or that the queues display does not show accurate stats (particularly on drops).
I'm going to decommission my 650MHz P3 that is currently running pfSense and replace it with a much lower power Netgear Rangemax router. Really, the only things that the pfSense box has over the Netgear one are traffic shaping and the ability to handle a larger number of connections. The former doesn't work and the latter is irrelevant.
Re: (Score:2)
Re: (Score:1)
The documentation is rubbish, I agree. Part of the documentation issue is that it's excruciatingly difficult to document a changing system. A large amount of the documentation that was created during the alpha and beta phases of development were ren
Re: (Score:1)
Great. So instead of helping out when the developers can't replicate an issue, he moves on to another project and then complains about it. Fine by me, open source only works when there's a community behind it. Those who complain about features that don't work quite right or don't work the way they want them to need to remember exactly how much they paid for it and exactly what the developers owe th
Current Wifi support (Score:2)
Re: (Score:2)
fwiw, openbsd is growing, bgp/osp