×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

pfSense 1.0 Firewall Released

kdawson posted more than 7 years ago | from the protected-by-daemons dept.

104

Chris Daniel writes, "pfSense, a FreeBSD-based firewall LiveCD distribution, has reached its official 1.0 release. Based on m0n0wall, pfSense offers firewalling, traffic shaping, VPNs, load balancing, and a nice package-management system for adding extra functionality, among many other useful built-in features. The project has been ongoing for two years, and pfSense has already been in production use in a number of locations well before the 1.0 release." Find a download mirror here.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

104 comments

CURRENT? (4, Interesting)

scott_karana (841914) | more than 7 years ago | (#16434543)

Why Freebsd 6.1-CURRENT, I wonder? STABLE is bleeding edge enough for most, and I quite imagine that they could just use base 6.1.

Re:CURRENT? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16434791)

There are other issues at play here which still exist in -STABLE. The lead developer has a good sense of what is right, that and he is a FreeBSD committer himself.

In short, -CURRENT works better for us.

One question?? (0)

Anonymous Coward | more than 7 years ago | (#16434559)

What's the best copper-gig network card to use with this?

Re:One question?? (0)

Anonymous Coward | more than 7 years ago | (#16434599)

Here [sun.com]. A tad pricy though. The IBM Gigabit Ethernet-SX PCI-X Adapter is also nice.

Re:One question?? (2, Funny)

Abasher (778648) | more than 7 years ago | (#16434625)

That card is neither Gigabit (it 10Gbps) nor Copper (it's fiber). Hardly what he asked for. But true, the question wasn't very specific.

Re:One question?? (0)

Anonymous Coward | more than 7 years ago | (#16434851)

The intel Gigabit cards, dual port, quad port or the fiber versions.
It's what I use succesfully. The PCI-E or PCI-X cards work fine.

Cards to avoid are the realtek cards. Most other cards work well. for 100Mbit 3com 905s or Intel EEpro100 cards.

For low-end gigabit 32bit syskonnekt cards or intel desktop adapters work well too.

A pe850 with Intel Dual port Pro 1000 PT cards does ~ 800mbps

Based on mOnOwall? (1)

Abasher (778648) | more than 7 years ago | (#16434639)

So why do they release a new distro, instead of contribing to mWall?

Re:Based on mOnOwall? (3, Informative)

Anonymous Coward | more than 7 years ago | (#16434645)

monowall is just a firewall, this does traffic shaping/QoS, lots more services.

Re:Based on mOnOwall? (2, Insightful)

M1FCJ (586251) | more than 7 years ago | (#16435005)

So does firewall, it has even have a traffic shape wizard... I'm a big fan of Monowall bt I'm going to give this a go, if it has more support for hardware compared to Monowall, I might consider switching to it and use my useless wireless PCI card.

Re:Based on mOnOwall? (2, Insightful)

Homology (639438) | more than 7 years ago | (#16434681)

> So why do they release a new distro, instead of contribing to mWall?

Because they have "radically different goals" than monowall. This is in the second sentence in http://www.pfsense.com/ [pfsense.com]

Re:Based on mOnOwall? (3, Interesting)

Anonymous Coward | more than 7 years ago | (#16434771)

m0n0wall is based on FreeBSD 4.x, it has little wireless support, it can not do load balancing for multiwan , neither can it do machine failover with carp.

There are currently over $2000 bounties posted on the m0n0wall list for the first person that makes it work with FreeBSD 6. Unfortunately for m0n0wall, we see people switching to pfsense instead.

Yes, pfSense _is_ based on m0n0wall
No, pfSense _is not_ m0n0wall

Re:Based on mOnOwall? (1)

nacturation (646836) | more than 7 years ago | (#16438957)

So why do they release a new distro, instead of contribing to mWall?

By your argument, there should only be one distro for every open source operating system because people should just contribute back and never fork?
 

SmoothWall (4, Informative)

mahesh_gharat (633793) | more than 7 years ago | (#16434659)

Have a look at SmoothWall at http://www.smoothwall.org/ [smoothwall.org]
It's based on GNU/Linux and provides at par or better features and it is there for almost 4-5 years now.

SmoothWall?? IPCop! (5, Informative)

PurPaBOO (604533) | more than 7 years ago | (#16434741)

You only get the better features in Smoothwall if you pay for the corporate version.

You could try IPCop instead, a fork of smoothwall.

I use IPCop instead of pfsense for some installations as it has support for the Bewan PCI ADSL modem.

Re:SmoothWall?? IPCop! (3, Interesting)

Drasil (580067) | more than 7 years ago | (#16435091)

I've used both Smoothwall and then IPCop for extended periods on my own home router box (an old P200/128MB). I have now been using M0n0wall for a couple of years and I am very happy with it. It doesn't have the silly coloured NIC idea, I can just add new subnets as I require and name them myself. I find it more powerful and intuitive than IPCop in other ways too. IPCop served me well for a long time but I don't think it's quite on the same level as M0n0wall, I can't comment on the non-free versions of Smoothwall.

As for pfSense, it looks interesting, I may well give it a try

Re:SmoothWall?? IPCop! (1)

Anonymous Psychopath (18031) | more than 7 years ago | (#16437579)

I've also used Smoothwall for about a year, then IPCop for another year or so, and now m0n0wall for the past couple of years. I definitely plan on trying pfSense to see how it compares. Out of the three I have used, m0n0wall is my preference. The traffic shaping actually works, the interface makes sense, and the features provided match my needs.

Re:SmoothWall?? IPCop! (1)

digidave (259925) | more than 7 years ago | (#16439053)

Show me how to do incoming load balancing for web servers in IPCop and you'll make me a happy man. As it is, I'm planning to migrate to pfsense to get this feature.

Re:SmoothWall?? IPCop! (0)

Anonymous Coward | more than 7 years ago | (#16439761)

Simple, use CARP (from OpenBSD) + an httpd of your choice. I believe it's been ported to other BSD's and even Linux too, I don't know about Windows though but it still can be done 'for' IIS, etc.

Re:SmoothWall?? IPCop! (1)

j_pernfuss (980459) | more than 7 years ago | (#16467121)

Even simpler: read the whole question before answering. He asks how to achieve this with IPCop (explicitly, implicating "use something else" should not be considered a valid answer). Furthermore he implicates that he does not know a method to achieve this and most likely regards it as impossible. Because of that, he plans to switch to pfSense because pfSense is able to accomplish this - and pfSense has CARP support.

Re:SmoothWall (-1, Troll)

Antique Geekmeister (740220) | more than 7 years ago | (#16434881)

True. Trying to do live CD's on FreeBSD is like trying to put a transmission on a horse: with the effort of adding all the necessary bits and wedging them into the out of date bits of FreeBSD, you could have worn out the transmission twice on another, better supported OS.

Re:SmoothWall (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16435611)

How does bullshit like this get modded up? Some of us prefer to work with FreeBSD, don't even dare to tell people how they should spend their free time.

Re:SmoothWall (0)

Anonymous Coward | more than 7 years ago | (#16435723)

He wasn't saying the FreeBSD was an inferior OS, or even that he didn't prefer it - he said that it was HARD TO MAKE A FREEBSD BASED LIVECD. Oh noes!

Re:SmoothWall (1)

toadlife (301863) | more than 7 years ago | (#16438179)

"he said that it was HARD TO MAKE A FREEBSD BASED LIVECD."

Which is incorrect.

(meanngless text here to get around the lameness filter triggered by quoting your all caps post)

Re:SmoothWall (0)

Anonymous Coward | more than 7 years ago | (#16435027)

Your argument is just like saying:
"Why do we need GNU/Linux? Windows exists already..."

Diversity is _good_!

And actually pf is the best firewall you can get. Iptables doesn't even get anywhere near it. And smoothwall is nothing more than a wrapper around iptables, which you need because iptables is very non-userfriendly out-of-the-box.

Re:SmoothWall (4, Informative)

MattBurke (58682) | more than 7 years ago | (#16435115)

Only if you discount firewalling as a feature.

The code behind iptables is disgusting. It doesn't even do a proper job of stateful tracking. Read and compare the source code if you don't believe me - There are many things which linux does in about 10 lines of code but run into hundreds or thousands of lines in the pf source because pf does the job properly

Re:SmoothWall (1)

Saint Aardvark (159009) | more than 7 years ago | (#16436249)

Can you give some examples? I'm not trying to be snotty; I'm genuinely curious. I love pf's syntax waaaay better than iptables, esp. for firewalls w/more than two NICs, but I'd be interested to know how the underlying code compares. (Not a prograammer, though I can read C w/effort, so other opinions are valuable to me.)

Re:SmoothWall (2, Interesting)

MattBurke (58682) | more than 7 years ago | (#16442637)

Here's the OpenBSD link [openbsd.org] Search for pf_test_state_tcp - it's abotu 2/3 the was down the page

After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here [kernel.org] or maybe here [kernel.org]. Maybe. OK I'm showing my ignorance somewhat here but I don't understand why there's a whole heap of stuff all over the place. Anyhow, netfilter's state matching basically about 4 lines which just checks a packet against a list of ip,srcport,dstport. Sorry I'd have been able to find it if I had a linux box to hand to grep on, but I don't at the moment

One thing should be stated in comparason - Linux is a *LOT* faster at throwing packets through its firewall, mind you it's a direct result of it not really checking them much...

Re:SmoothWall (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16449651)

Here's the OpenBSD link Search for pf_test_state_tcp - it's abotu 2/3 the was down the page

You mean that 500 line function which attempts to match a whole slew of various packet characteristics?
You call that clean code? Heh heh heh, OK.

After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here or maybe here. Maybe. OK I'm showing my ignorance somewhat here but I don't understand why there's a whole heap of stuff all over the place.

There is the protocol independent netfilter code in your second link, and the ipv4 specific match modules in the first.
This is a good example of a well designed architecture (ignoring the actual low level implementation issues, because
I'm not familiar with the code).

Anyhow, netfilter's state matching basically about 4 lines which just checks a packet against a list of ip,srcport,dstport. Sorry I'd have been able to find it if I had a linux box to hand to grep on, but I don't at the moment

No. See all those files in your first link? Each of those provides support to match a specific packet characteristic
(not counting things like the general ipv4 stateful connection tracking support). All nicely seperated and modularised.

One thing should be stated in comparason - Linux is a *LOT* faster at throwing packets through its firewall, mind you it's a direct result of it not really checking them

Why do you say "not really checking them", and why did you claim that Linux does not do a proper job of stateful
connection tracking? State what exact functionality you require that PF supports but netfilter does not -- trying
to go through the code in 30 minutes looking for feature parity is not going to achieve anything especially if you
are not familiar with the code in the first place.

Re:SmoothWall (1)

Orlando (12257) | more than 7 years ago | (#16437559)

Last time I tried Smoothwall (18 months ago) the UI was so bad I gave up on it and chose pfsense instead. I hope it has improved since.

Relies on a full-size computer (1, Troll)

wesmills (18791) | more than 7 years ago | (#16434677)

Sorry, I'll take my Linksys WRT54GS (v3) running OpenWRT [openwrt.org] or dd-wrt [dd-wrt.com]. Small, quiet, and wireless!

Re:Relies on a full-size computer (2, Interesting)

Merovign (557032) | more than 7 years ago | (#16434699)

Sure.

Mind you, the "target market" leans a little more toward small/mid-size office than home office.

Though I'm sure the hobby-minded with lots of spare older PCs will give it a shot.

Myself, for hy home network, I'm stickin' with mah Linksys.

One major concern (1)

Propaganda13 (312548) | more than 7 years ago | (#16434733)

How many simultaneous connections can this handle? I suppose it might be really dependant on the NICs instead of the software.

I know routers like the WRT54GL v1.1 choke after 64 or so connections.

Re:One major concern (0)

Anonymous Coward | more than 7 years ago | (#16435645)

Ahahaha 64 connections, seriously? I gotta imagine more, else nobody would use it. With that said, pfSense defaults to 10,000 states which is 5000 connections (one each for filter and nat). Each state takes approx. 1K of RAM and the limit is configurable, if you've got the RAM, add more, I know of people running 500K states.

Re:One major concern (1)

TCM (130219) | more than 7 years ago | (#16441567)

I don't really understand the business of "supporting so and so many connections". A connection when tracked with a stateful packet filter is nothing more than an entry in a state table. IIRC, state tables are binary trees. The number of entries doubles, the effort increases by one additional check.

I know routers like the WRT54GL v1.1 choke after 64 or so connections.
I find this hard to believe. Their software must suck really bad then.

With pf here, I see state tables with thousands of entries at peak times. pfctl -si currently shows an average of 500 state lookups per second. And the best part: the box shows almost no system load. The fractions of a percent that I see are probably file system operations when invoking top or cron jobs. All CPU time is mostly spent processing interrupts of the NICs. And all this is on a 586-class Geode processor with 266MHz and no L2 cache. http://www.pcengines.ch/wrap.htm [pcengines.ch] BTW. Even if those WRTs have measly 100MHz ARM processors (I don't know), they should do better than 64 connections.

And pf does more than just filtering. It can act as a proxy for the 3-way TCP handshake, protecting servers from SYN floods. It does packet normalization, reassembling fragments and thereby greatly reducing ruleset complexity. And I just don't see any effect on the load. Before you see pf choke, the rest of the box must have choked long ago.

Re:Relies on a full-size computer (0)

Anonymous Coward | more than 7 years ago | (#16434761)

you could also use a WRAP board from http://www.pcengines.ch/wrap.htm [pcengines.ch],
and no i don't work for them but i've installed mine yesterday and plan to use another one at work.

Re:Relies on a full-size computer (1)

value_added (719364) | more than 7 years ago | (#16434853)

Sorry, I'll take my Linksys WRT54GS (v3) running OpenWRT or dd-wrt. Small, quiet, and wireless!

And this [soekris.com] isn't?

Works much better, too, to say nothing of the other advantages.

It has to (0)

Anonymous Coward | more than 7 years ago | (#16435029)

Keep in mind that most light embedded systems will choke while attempting to filter much less than 50 mbit traffic. When speed matters you'll need a full PC or a high performance embedded board.

Re:Relies on a full-size computer (2, Informative)

beardz (790974) | more than 7 years ago | (#16435061)

pfSense is quite capable of running on either Soekris SBCs [soekris.com] or PC Engine WRAPs [pcengines.ch], which to use your phrase, are both "small, quiet and wireless!" ;) Granted, the WRT54s are cheaper, but both the Sokeris and WRAP boards offer more flexibility.

Re:Relies on a full-size computer (0)

Anonymous Coward | more than 7 years ago | (#16440703)

if you run it on a soekris you might as well be using m0n0wall. All those extra 'features' you were so proudly boasting about in this distro dont exist on the compact flash version. The dhcp server totally sucks shit in both distro's too btw. No additional DHCP options can be set. The dnsmasq daemon on openwrt is significantly more flexible and much smaller footprint.

Re:Relies on a full-size computer (0)

Anonymous Coward | more than 7 years ago | (#16435107)

Yes, because your wrt54 can route/firewall GigE clients to an OC12 link. Broaden your mind dude, not everybody is happy with a little $100 DSL router. Some environments require more powerful hardware/software solutions.

If I could only get port forwarding to work (1)

Poromenos1 (830658) | more than 7 years ago | (#16435139)

DD-WRT has some trouble, at least on my setup. It intermittently bugs out in certain things, for example I can't get my port forwarding to work. I have set it as a DMZ in my modem/router but some forwarded ports will work while others won't. Too bad, it really is an excellent piece of equipment (or would be, if it worked).

Re:Relies on a full-size computer (0)

Anonymous Coward | more than 7 years ago | (#16438437)

you've somehow never heard of WRAP or Soekris?

Uuh, no thanks, not convinced (4, Interesting)

udippel (562132) | more than 7 years ago | (#16434751)

I opened the links, since I was keen on finding out (even using) the thingy.

But, no. The minimal ("Do not even attempt to use it on anything less !") hardware is beyond my means (and beyond my expectation, even for traffic shaping and stuff):
All platforms: 128 megabytes of ram
Embedded: 128 megabyte compact flash card
Full installation: 2gb hard drive or larger
LiveCD: USB Keychain for configuration storage

That's simply a tiny little bit too much. I surely get the similar setting with OpenBSD on boxes with lower specs.

Okay, let's get it going. I love compact flash. Alas: "Larger flash sizes can be used but pfSense will not use the space over the 128 MB limit".
"The Snort package requires a LOT of memory, only install this when the sytem has 1 GB ram or over."

Any need to go further ? To me, at least, not. I rather move on ... .

Re:Uuh, no thanks, not convinced (1, Informative)

Anonymous Coward | more than 7 years ago | (#16435017)

You probably want m0n0wall instead which is lighter and aimed at embedded systems. Having used both (along with ipcop and others) I can say they all are excellent products.

Re:Uuh, no thanks, not convinced (1, Informative)

Anonymous Coward | more than 7 years ago | (#16435949)

I have difficulty understanding the problem. We are not aiming at the small embedded 35 euro router market here.

A cisco 851 has 64MB ram, a cisco 871 has 128MB ram. We are talking hardware that can at least do redundancy, balancing, failover and multiwan. Then you promptly enter the plus $200 market and this is the competition.

And you need memory for sufficient connection tracking, firmware upgrades, traffic shaping etc.

We point out that Snort (which we have no control over) requires a lot memory. That is there to prevent foot shooting. Then again the $200 routers do not do IDS/IPS.

Seems fine to me.

Re:Uuh, no thanks, not convinced (1)

Natales (182136) | more than 7 years ago | (#16436229)

Well, it really depends a lot on what are you doing.

Lots of folks have their own small server running at home 24x7 already any way, so why not just adding this as one more service layer running on a VM with its own dedicated NIC to protect your network. It behaves just like a separate machine for all practical purposes.

Re:Uuh, no thanks, not convinced (1)

udippel (562132) | more than 7 years ago | (#16436613)

Lots of folks have their own small server running at home 24x7 already any way

I do. What is 'small' ? To me, it is P75 / P300 and 128 MB of RAM. Your turn to run a VM on it and said pfSense.
Have you read http://wiki.pfsense.com/wikka.php?wakka=ReleaseCav eats [pfsense.com] ? I am running a P233 with 64 MB RAM and get around 40 Mbits. Not as VM, of course, but plain OpenBSD.
On my Soekris 4801 I get a good 24 Mbits with http://www.zelow.no/floppyfw/ [zelow.no] inclusive TC; from a floppy (if I so wanted).

And when I start looking at my production stuff, I don't want GUI; I don't want Live-CD and I don't want USB. And - of course - I don't want any off-the-shelf PC. And production seems what these guys are going for. Call me a wet blanket, but I seriously don't see what this whole thing is supposed to deliver. Seriously.

Re:Uuh, no thanks, not convinced (1)

Agripa (139780) | more than 7 years ago | (#16437443)

Most though not all current embedded hardware used for m0n0wall that can be had for about $200 meets the pfsense embedded requirements.

Re:Uuh, no thanks, not convinced (1)

Anonymous Psychopath (18031) | more than 7 years ago | (#16437619)

Just to be clear, those requirements are for several different flavors of the product.

128MB of RAM, plus

128MB CF card

OR

2GB hard drive

OR

A CD-ROM and a USB stick

Personally I have no trouble coming up with a system with 128MB of RAM, a CD-ROM drive, and 32MB USB flash sticks are practically a throw-away item.

No hard drive is required in this configuration.

PPTP pass-through? (3, Informative)

pmsr (560617) | more than 7 years ago | (#16434895)

pfSense is an amazing product that does without hiccups what firewalls costing hundreds or even thousands of dollars do. But it has a limitation: it can't handle more than one simultaneous PPTP pass-through session to the same server. Plenty of cheap routers (based in Linux) do this. But granted, that Linux PPTP masquerading kernel module is a little beauty.

Re:PPTP pass-through? (1)

Chris Daniel (807289) | more than 7 years ago | (#16438537)

Of course, let's discount the fact that it can act as a PPTP endpoint (feature from m0n0wall).

Re:PPTP pass-through? (2, Informative)

Slashcrap (869349) | more than 7 years ago | (#16450475)

Of course, let's discount the fact that it can act as a PPTP endpoint (feature from m0n0wall).

Yes I think we should, since it has no relevance to what the grandparent was talking about.

What he is pointing out is that if you have a lot of visitors behind your pfSense based corporate firewall and they want to make PPTP connections back to their corporate networks, it will not work. Because there is no support for multiple PPTP passthrough.

I would love to tell you all about a perfect example of this becoming a problem at a major event because of our choice of OpenBSD for a product. But I can't. Suffice to say you would be amazed how many companies actually use PPTP for their remote connectivity.

How would having it act as a PPTP endpoint help in this case?

A mish-mash of other systems? (0)

Anonymous Coward | more than 7 years ago | (#16435069)

As best as I can make out, this is a general purpose unix with the packet filter from OpenBSD grafted onto FreeBSD and an interface adapted from a linux firewall; An interesting combo. pf is a superb firewall but OpenBSD is not exactly optimised for speed and I'd personally never dream of using a web GUI to configure a firewall. Rather I'd remove the httpd and possibly any CGI script host, however the curses interface looks like it could simplify admin duties.

This is definately on my "to try" list, it may make a good base system for server deployment.

Re:A mish-mash of other systems? (1)

BiggerIsBetter (682164) | more than 7 years ago | (#16439673)

As best as I can make out, this is a general purpose unix with the packet filter from OpenBSD grafted onto FreeBSD and an interface adapted from a linux firewall;

Please excuse my ignorance, but why don't they use OpenBSD instead of FreeBSD? Surely if you're building a (open|free) firewall, you start with the most secure (open|free) Unix you can find?

Re:A mish-mash of other systems? (2, Informative)

DoXaVG (65405) | more than 7 years ago | (#16440381)

This has been gone over numerous times in both the pfsense forums and the mailing lists. The short answer is hardware support and that bsdinstaller is only available on freebsd and dragonfly at this time.

no firewall can keep all hackers out (0, Offtopic)

rs232 (849320) | more than 7 years ago | (#16435121)

"No firewall can keep all hackers [techtarget.com] out." With these words, security consultant Bob Toxen began his sermon, or workshop, on the "seven deadly sins" of Linux security. Any IT manager who commits one of these sins will "get nailed sooner or later,"

"Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall [ranum.com] transparent to hackers"

'"Enumerating Badness" is the idea behind a huge number of security products and systems, from anti-virus to intrusion detection, intrusion prevention, application security, and "deep packet inspection" firewalls'

Unreliable Network Simulation (1)

Arethan (223197) | more than 7 years ago | (#16435125)

I'd actually like to see more systems like this provide plugins exposing options for setting up configurations to simulate unreliable network connections. I used monowall quite extensively a few years ago, and it exposed a traffic shaper option to delay packets a defined amount of time, but that alone isn't sufficient for a proper simulation. And why anyone would set that to anything other than 0 when using it for firewall purposes is beyond me.

If you're going to try to shape traffic in manners like that, it would have been useful to have other options as well such as random packet dropping, packet corruption, packet reordering, and random packet delay.

I recall a few years ago that some company came up with a hardware device specifically for simulating unreliable networks with the intent of selling them primarily to game developers. I don't recall the product name though. In any event, it would be nice to see either pfSense or monowall support an official plugin to provide access to that sort of functionality. I'm not sure if *BSD has the network hooks to support all of the necessary features though.

Re:Unreliable Network Simulation (0)

Anonymous Coward | more than 7 years ago | (#16436175)

If your main interest is the simulation of unreliable networks, maybe nistnet [nist.gov] may help you. It supports packet delays, max. bandwidth and package dropping and duplication (no firewall though, although setting up a minimal debian installation with iptables is not hard). It can be configured using the GUI or the CLI.

Re:Unreliable Network Simulation (1)

Fweeky (41046) | more than 7 years ago | (#16436219)

That's what ipfw and dummynet(4) are for; while it's more typically used for rate limiting, it can also be used for randomly delaying (and thus reordering)/dropping packets. You can also filter packets through userspace daemons using divert sockets, which is how natd works; you can munge a packet pretty much however you want from there.

There's also netgraph(4) which is quite flexible aiui.

Re:Unreliable Network Simulation (1)

j_pernfuss (980459) | more than 7 years ago | (#16467553)

You should have looked under the fancy GUI. m0n0wall uses dummynet(4) for traffic shaping - and simulating various network conditions and delays was actually the initial target of it. It can do everything you ask for, m0n0wall simply didn't export its complete funtionality to the gui.

minor p2p glitch (3, Informative)

Anonymous Coward | more than 7 years ago | (#16435181)

After months of regular use I can say pfSense is a great firewall. One minor problem (and the only one) I encountered is the inability to work with the Kademlia p2p network: the client appears as always firewalled even after days though all other ports are correctly routed and the mule client gets a high id. The problem disappears as soon as I route the same ports through a different firewall.

Re:minor p2p glitch (1)

TCM (130219) | more than 7 years ago | (#16441635)

This deserves investigating, I think. I'm seeing the same with pf on a custom-built NetBSD. I always blamed Kademlia because this is the only thing that doesn't work right and I have no other filter to transparently replace the current one.

If pf really had serious issues with certain types of UDP traffic, it should get fixed.

Re:minor p2p glitch (0)

Anonymous Coward | more than 6 years ago | (#16522679)

Try using the static-port option on your nat rule(s), at least for UDP traffic.

Console, anyone? (2)

paulius_g (808556) | more than 7 years ago | (#16435195)

Is it only me, but... I always like to have a console (or otherwise called a terminal) accessible on the boxes that I own. I want to be able to SSH them and change configs, hack it up, or just play around. The reason why I'm still with IPcops is that it has a full Linux console accessible locally and also via SSH. M0n0wall doesn't. So how about pfSense, does it or doesn't it?

Any comments on it? I know that I'm not _supposed_ to install stuff on a firewall, but gosh, it's a full-blown computer that just there.

I'm currently using IPcops, but I've heard great things about BSD. The recent IPcops updates have been breaking things. But it's working out great in my environment. And, I guess I'll need to plug, but I even have a webcam which shows all my networking equipments and computers in my basement: http://thelab.servegame.com:8080/view/index.shtml [servegame.com]
(The IPCop box is the lower-right one, the one to the left of it is a Windows box that's never up (Hey, guess why ;-) and the upper right one is my storage server.

Re:Console, anyone? (0)

Anonymous Coward | more than 7 years ago | (#16435487)

I went and found the answer to your question in under 30 seconds. Now you can too.

Re:Console, anyone? (1)

Agripa (139780) | more than 7 years ago | (#16437399)

I currently only use the PC version but as far as I know you can SSH into any of the pfsense variations assuming you enable it and have the appropriate firewall rule allowing access. The console only quote for the embedded version probably refers to a lack of display and keyboard support.

VM? (2, Insightful)

kafka47 (801886) | more than 7 years ago | (#16435465)

Would love to see this on a downloadable VM. Any takers?

/K

Re:VM? (2, Informative)

numbski (515011) | more than 7 years ago | (#16435685)

The dev version already is.

I've installed into Qemu before without issues. This is actually a pretty common thing on the irc chans.

Re:VM? (1)

Natales (182136) | more than 7 years ago | (#16436133)

You don't even need a preinstalled VM image for this. It's easier to create your own VM with NO virtual hard drive, boot it from the ISO file and store the configuration on a virtual floppy image. I've done it with Monowall for years and it works like a charm.

With this config you can tweak the amount of real memory you allocate to the VM based on you real utilization patterns (i.e, not everybody will run the Snort module).

Disclaimer: I work for VMware.

Re:VM? (1)

nurb432 (527695) | more than 7 years ago | (#16438541)

While it might be good for testing and such, what is the true value of running it in a VM when you are using your hardware network interfaces anyway ? To me that sort of defeats the purpose ..

PFsense NAT is symmetric, result: no SIP (VoIP) (0)

Anonymous Coward | more than 7 years ago | (#16436535)

I have played quite extensively with PFSense because I wanted some of the traffic-shaping features but I had to come to the conclusion that PFSense NAT does not work with SIP (VoIP).

The symmetric NAT of PF is simply a pain - most SIP VoIP things do not work. Anyone who considers to use SIP should not use symmetric NAT and should go for fully coned NAT.

IPCop does fully coned NAT. Traffic shaping features are also available as add-ons.

In short: PFsense is a nice idea but unfortunately useless for SIP users.

Cheers

GeeJay

Re:PFsense NAT is symmetric, result: no SIP (VoIP) (2, Interesting)

SiliconJesus101 (622291) | more than 7 years ago | (#16436907)

Lacking the knowledge of the internal workings of PF, I do have to say that I have never had a problem with SIP. My home phone is through Vonage behind pfsense and I routinely connect while on the road to a friends Asterisk box to make phone calls with a soft phone and bluetooth headset on my laptop. He has a pfsense router and all of his trunks are SIP. Several users are simultaneously connected using SIP from remote locations and properly routed out the SIP trunks. Not to doubt that you have had things that do not work; I am only relating my experiences. I must also state that the SIP traffic shaping appears to work beautifully there as I really don't have any call issues that are not related to the bandwidth available at my remote location(s).

Re:PFsense NAT is symmetric, result: no SIP (VoIP) (2, Interesting)

TCM (130219) | more than 7 years ago | (#16441717)

The underlying pf seems to have more flexibility than the interface on top then.

I suppose you mean something like the following?

# XXX: hardwire SIP and RTP source ports
nat on $ext_if inet proto udp from $asterisk port { 5060, 10000:20000 } to any -> ($ext_if) static-port
nat on $ext_if inet from $int_net to any -> ($ext_if)
rdr on $ext_if inet proto udp from any to ($ext_if) port { 5060, 10000:20000 } -> $asterisk


Which means that traffic from an internal Asterisk that has source ports 5060 and 10000-20000 leaves NATed but with the source ports intact. Together with the ability to let Asterisk enter arbitrary IP addresses in SIP messages[1], this makes it look like it was directly connected and not behind NAT at all.

All other traffic - even HTTP from the Asterisk server for example - gets the source port replaced as usual.

[1] Who TF thought that entering layer 3 addresses in application layers was a good idea anyway?

x86? (0)

Anonymous Coward | more than 7 years ago | (#16437223)

Some of us got rid of the proprietary and obsolete x86 platform years ago. FreeBSD runs on SPARC64 which is the perfect platform for this kind of application. x86 is a joke at best.

1.0 and it's still broken (2, Informative)

AmiMoJo (196126) | more than 7 years ago | (#16437389)

I don't know why they are doing a 1.0 release right now. While there are many nice things in pfSense, most of them are replicated in the much more stable m0n0wall on which it is based. The pfSense only features tend not to work too well.

For example, the traffic shaping is broken. I have a 10Mb/512Kb cable connecction (NTL) and have been totally unable to get traffic shaping to do anything. There are many more like me on the forums. It seems to work for some people on some connections, but is far from robust and universal. The rules that the wizard creates are not right either, and always need modifying. Hardly 1.0 standard I feel.

There are other issues too, like the fact that embedded web upgrades don't work, or that the queues display does not show accurate stats (particularly on drops).

I'm going to decomission my 650MHz P3 that is currently running pfSense and replace it with a much lower power Netgear Rangemax router. Really, the only things that the pfSense box has over the Netgear one is traffic shaping and the ability to handle a larger number of connections. The former doesn't work and the latter is irrelevent.

Re:1.0 and it's still broken (0)

Anonymous Coward | more than 7 years ago | (#16438401)

Instead of trolling, why don't you submit patches? This is an open source project. It's also a one dot oh release.

Re:1.0 and it's still broken (0)

Anonymous Coward | more than 7 years ago | (#16444017)

"Instead of trolling"

He is not trolling; he is stating a fact.

"why don't you submit patches?"

Because he found a more cost-effective solution from his point of view.

"This is an open source project"

So what? That only means that he *can* submit patches, not that he *must*.

"It's also a one dot oh release."

Which usually means "the first functionally complete, bug-free as-far-as-we-know release". You know, they themselves publish this release as "The pfSense team is excited to bring you our first ever real release!" . Which is quite far to be the current situation.

I feel the main developers suffer from quite a strong "featurittis" that focuses them so much towards their new "HEAD" than to polish their current 1.0. Oh! and a bit of reality-negating attitude. Usually an "I can replicate that on my environment" (or even an "I don't want to take the time to test it now") tends to become "You must be wrong: it surely works properly" which in turn tends to mean that not so easy to catch bugs (like those on NAT and balancing, for instance) just go through untouched since months ago.

Re:1.0 and it's still broken (1)

AmiMoJo (196126) | more than 7 years ago | (#16499039)

I have to agree with the parent. The pfSense team's attitude seems to be that it must be the users fault for mis-configuring it. They tell you to go read the documentaion (which is frankly rubbish, especially on traffic shaping) or some useless forum posts.

Current Wifi support (1)

nurb432 (527695) | more than 7 years ago | (#16438555)

That was the main piece missing in monowall.. ( that and a nice installer for PC hardware users ).

Born dead: *BSD is dying (0)

Anonymous Coward | more than 7 years ago | (#16438931)

It is now official. Netcraft confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

You don't need to be the Amazing Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

Re:Born dead: *BSD is dying (1)

eneville (745111) | more than 7 years ago | (#16439421)

openbsd is becomming a better network os than the others. depends what you mean by dying. stats can show whatever, but for most people they use bsd's at the firewall level and put services on the hosts behind it. other people use bsd all over the place, but with recent desktop improvements on gnome/kde etc people are moving towards the linux desktop. there are other features too such as brilliant package management which makes distros like debian and rh far less maintenance.

fwiw, openbsd is growing, bgp/ospf are now part of the default install and it's very attractive for network ops, oh and chroot apache is a good move also.

if bsd kernels had a strong drive behind them like ltorvalds then perhaps they would have better device support.

Re:Born dead: *BSD is dying (0, Troll)

WindowsIsForArseWipe (990338) | more than 7 years ago | (#16440149)

if bsd kernels had a strong drive behind them like ltorvalds then perhaps they would have better device support.

But they don't so BSD is dying.

pfSense 1.0 Firewall Deceased (0)

Anonymous Coward | more than 7 years ago | (#16492719)

Fact: *BSD is dying
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...