pfSense
pfSense is an open source firewall/router computer software distribution based on FreeBSD.[3][4][5] It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network and is noted for its reliability[6] and offering features often only found in expensive commercial firewalls.[7][8] It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[7][9] pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and as a VPN endpoint. pfSense supports installation of third-party packages like Snort or Squid through its Package Manager.
Name
The name was derived from the fact that it helps make the stateful packet-filtering tool PF (which acts as a firewall, packet filter, and routing service on many BSD and Unix platforms) make more sense to non-technical users.[10]
History
The pfSense project started in 2004 as a fork of the m0n0wall project by Chris Buechler and Scott Ullrich.[11] From the beginning, it focused on full PC installations, as opposed to m0n0wall's focus on embedded hardware. However, pfSense is also available as an embedded image for CompactFlash-based installations. Version 1.0 of the software was released on October 4, 2006.[12] Version 2.0 was released on September 17, 2011.[13] Version 2.1 was released on September 15, 2013[14] and version 2.2 was released January 23, 2015.[15][16]Version 2.3 was released on April 12, 2016.[17]
Version history
Version history |
Version |
Release date |
Significant changes |
1.0[12] |
October 4, 2006 |
- The first official release.
|
1.0.1[18] |
October 29, 2006 |
|
1.2[19][20] |
February 25, 2008 |
- FreeBSD updated to 6.2
- Reworked load balancing pools which allow for round robin or failover
- Miniupnpd added to the base install
- Much enhanced RRD graphs
- Numerous Squid Package fixes
- dnsmasq updated to 2.36
- olsrd updated to 0.4.10
- BandwidthD package added
- PHP upgraded to 4.4.6
- Lighttpd upgraded to 1.4.15
- Numerous Bug fixes
|
1.2.1[21] |
December 26, 2008 |
- FreeBSD updated to 7.0
- Bug fixes
|
1.2.2[22] |
January 9, 2009 |
- Setup wizard fix
- SVG graphs fixed
- (IPsec reload fix specific to large (100+ site) deployments
- Bridge creation code changes
- FreeBSD updates for two security advisories
|
1.2.3[23] |
December 10, 2009 |
- Upgrade to FreeBSD 7.2
- Embedded switched to nanobsd
- Dynamic interface bridging bug fix
- IPsec connection reloading improvements
- Dynamic site to site IPsec
- Sticky connections enable/disable
- Ability to delete DHCP leases
- Polling fixed
- ipfw state table size
- Server load balancing
- UDP state timeout increases
- Disable auto-added VPN rules option
- Multiple servers per-domain in DNS forwarder overrides
- No XMLRPC Sync rules fixed
- Captive portal locking replaced
- DNS Forwarder
- Outbound load balancer replaced
|
2.0[13] |
September 17, 2011 |
|
2.0.1[24] |
December 20, 2011 |
- Improved accuracy of automated state killing in various cases (#1421)
- Various fixes and improvements to relayd
- Fixed path to FreeBSD packages repo for 8.1
- Various fixes to syslog
- Removed/silenced some irrelevant log entries
- Fixed various typos
- Fixes for RRD upgrade/migration and backup (#1758)
- Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
- Fixed policy route negation for VPN networks (#1950)
- Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
- Fixed VoIP rules produced by the traffic shaper wizard (#1948)
- Fixed uname display in System Info widget (#1960)
- Fixed LDAP custom port handling
- Fixed Status > Gateways to show RTT and loss like the widget
- Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
- Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
- Clarified text of serial field when importing a CA (#2031)
- Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
- Fixed Captive Portal MAC passthrough rules (#1976)
- Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
- Fixed CARP status widget to properly show “disabled” status.
- Fixed end time of custom timespan RRD graphs (#1990)
- Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
- Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
- Fixed handling of OpenVPN client bandwidth limit option
- Fixed handling of LDAP certificates (#2018, #1052, #1927)
- Enforce validity of RRD graph style
- Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
- Fixed handling of hostnames in DHCP that start with a number (#2020)
- Fixed saving of multiple dynamic gateways (#1993)
- Fixed handling of routing with unmonitored gateways
- Fixed Firewall > Shaper, By Queues view
- Fixed handling of spd.conf with no phase 2’s defined
- Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc.)
- Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
- Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
- Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
- Lowered size of CF images to again fix on newer and ever-shrinking CF cards.
- Clarified text for media selection (#1910)
|
2.0.2[25] |
December 21, 2012 |
|
2.0.3[26] |
April 15, 2013 |
|
2.1[14] |
September 15, 2013 |
- IPv6 Support
- Upgrade to FreeBSD 8.3
- Updated Atheros drivers
- OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc.
- PHP to 5.3.x
- OpenVPN to 2.3.x
- Added mps kernel module
- Added ahci kernel module
- Updated ixgbe driver
- Numerous Bug fixes
- Security fixes
|
2.1.1[27] |
April 4, 2014 |
|
2.1.2[28] |
April 10, 2014 |
- Heartbleed OpenSSL Security fixes
- Bug fixes
|
2.1.3[29] |
May 2, 2014 |
|
2.1.4[30] |
June 25, 2014 |
|
2.1.5[31] |
August 27, 2014 |
|
2.2[15][16] |
January 23, 2015 |
- Upgrade to FreeBSD 10.1
- Update the IPsec stack to include AES-GCM, and IKEv2
- Update PHP backend from FastCGI to PHP-FPM
- Update PHP to 5.5
- Change from dnsmasq to the Unbound DNS Resolver
- Numerous Bug Fixes
|
2.2.1[32] |
March 17, 2015 |
|
2.2.2[33] |
April 15, 2015 |
|
2.2.3[34] |
June 25, 2015 |
|
2.2.4[35] |
July 27, 2015 |
|
2.2.5[36] |
November 5, 2015 |
|
2.2.6[37] |
December 21, 2015 |
|
2.3[1] |
April 12, 2016 |
- Upgrade to FreeBSD 10.3
- Rewrite of the webGUI utilizing Bootstrap
- Numerous Bug Fixes
|
Version |
Release date |
Significant changes |
|
Features
Install, update, packages, management |
- Live CD, update, NanoBSD/embedded, virtual machine, and USB installers available
- Packaged support/push-button installer for extensions, including the Squid proxy server, the Snort intrusion prevention/detection system, ntop, the HAVP antivirus package, IP address blocklist'
- Multi-language
- Console, web-based GUI, SSH (if enabled) and serial management
- RRD graphs reporting
- Traffic shaping and filtering
- Real-time information using Ajax
|
Functionality and connectivity |
- Virtual Private Networks using IPsec, L2TP, OpenVPN, or PPTP
- PPPoE server
- High availability clustering; redundancy and failover including CARP and pfsync
- Outbound and inbound load balancing
- Quality of Service (QoS)
- Dynamic DNS
- Captive portal
- uPnP
- Multi-WAN
- VLAN (802.1q)
- DHCP server and relay
- IPv6 support
- Multiple public IP addresses/multi-NAT
- RADIUS/LDAP
- Multiple resolvers (DNS forwarder, Unbound, TinyDNS, other)
- Aliases supported for rules, IP addresses, ports, computers, and other entities
|
Firewall and routing |
- Stateful firewall
- Network Address Translation
- Filtering by source/destination IP address, protocol, OS/network fingerprinting
- Flexible routing
- Per-rule configurable logging and per-rule limiters (IP addresses, connections, states, new connections, state types), Layer 7 protocol inspection, policy filtering (or packet marking), TCP flag state filtering, scheduling, gateway
- Packet scrubbing
- Layer 2/bridging capable
- State table "up to several hundred thousand" states (1 KB RAM per state approx)
- State table algorithms customizable including low latency and low-dropout
|
Packages support |
Packages available as "push button installs" among others:
|
Hardware
pfSense 2.1 through 2.3 has low minimum system requirements (for example 256 MB RAM and 500 MHz CPU)[38] and can be installed on hardware with x86 or x86-64 architecture. After 2.3, pfSense will require the x86-64 architecture, ending support for 32-bit installations. It is also available for embedded system hardware using Compact Flash or SD cards. pfSense also supports virtualized installation.
See also
- BSD based:
- Linux based:
References
- 1 2 Buechler, Chris (2016-04-12). "pfSense 2.3-RELEASE Now Available!". pfSense Digest. Electric Sheep Fencing LLC. Retrieved 2016-04-12.
- ↑ "pfSense Overview". www.pfsense.org. Electric Sheep Fencing LLC. Retrieved 28 June 2015.
- ↑ "You should be running a pfSense firewall". InfoWorld. 22 December 2014. Retrieved 27 July 2015.
- ↑ "Enterprises cut costs with open-source routers". Network World. 9 June 2009. Retrieved 5 August 2015.
- ↑ "Multiple Vulnerabilities Patched in pfSense". Security Week. 26 March 2015. Retrieved 5 August 2015.
- ↑ Danen, Vincent (December 7, 2009). "DIY pfSense firewall system beats others for features, reliability, and security". TechRepublic.
If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider
- 1 2 Miller, Sloan (June 26, 2008). "Configure a professional firewall using pfSense". Free Software Magazine (22).
No experience is needed with FreeBSD or GNU/Linux to install and run pfSense
- ↑ Stahie, Silviu (April 7, 2014). "pfSense 2.1.1 Firewall Distro Can Replace Any Commercial Alternative". Softpedia.
Firewall Distro Can Replace Any Commercial Alternative
- ↑ "You should be running pfsense" - Paul Venezia, InfoWorld http://www.infoworld.com/article/2861574/network-security/you-should-be-running-pfsense-firewall.html
- ↑ Buechler, Chris (June 21, 2007). "So what does pfSense stand for/mean, anyway?". pfSense Digest.
- ↑ "pfSense Open Source Firewall Distribution - History".
- 1 2 Ullrich, Scott (October 13, 2006). "1.0-RELEASED!". pfSense Digest.
- 1 2 Buechler, Chris (September 17, 2011). "2.0-RELEASED!". pfSense Digest.
- 1 2 Buechler, Chris (September 15, 2013). "pfSense 2.1-RELEASE now available!". pfSense Digest.
- 1 2 Buechler, Chris (January 23, 2015). "2.2 Release now available!". pfSense Digest.
- 1 2 "DistroWatch.com: pfSense".
- ↑ Buechler, Chris (April 12, 2016). "2.3-RELEASE Now available!". pfSense Digest. Retrieved 12 April 2016.
- ↑ Ullrich, Scott (October 29, 2006). "1.0.1-RELEASED!". pfSense Digest.
- ↑ Ullrich, Scott (April 29, 2007). "1.2-BETA-1 released!". pfSense Digest.
- ↑ Buechler, Chris (February 25, 2008). "1.2 Release Available!". pfSense Digest.
- ↑ Buechler, Chris (December 26, 2008). "pfSense 1.2.1 released!". pfSense Digest.
- ↑ Buechler, Chris (January 9, 2009). "pfSense 1.2.2 released!". pfSense Digest.
- ↑ Buechler, Chris (December 10, 2009). "pfSense 1.2.3 released!". pfSense Digest.
- ↑ Buechler, Chris (December 20, 2011). "2.0.1 release now available!". pfSense Digest.
- ↑ Buechler, Chris (December 21, 2012). "2.0.2 release now available!". pfSense Digest.
- ↑ Buechler, Chris (April 15, 2013). "2.0.3 release now available!". pfSense Digest.
- ↑ Thompson, Jim (April 4, 2014). "2.1.1-RELEASE now available". pfSense Digest.
- ↑ Thompson, Jim (April 10, 2014). "2.1.2 Release Now available". pfSense Digest.
- ↑ Dillard, Jared (May 2, 2014). "2.1.3 RELEASE Now available". pfSense Digest.
- ↑ Dillard, Jared (June 25, 2014). "2.1.4 RELEASE Now available". pfSense Digest.
- ↑ Dillard, Jared (August 27, 2014). "2.1.5 RELEASE Now available". pfSense Digest.
- ↑ Buechler, Chris (March 17, 2015). "2.2.1 RELEASE Now available". pfSense Digest. Retrieved 13 April 2015.
- ↑ Buechler, Chris (April 15, 2015). "2.2.2 RELEASE Now available!". pfSense Digest. Retrieved 15 April 2015.
- ↑ Buechler, Chris (June 25, 2015). "2.2.3 RELEASE Now available!". pfSense Digest. Retrieved 7 July 2015.
- ↑ Buechler, Chris (July 27, 2015). "2.2.4 RELEASE Now available!". pfSense Digest. Retrieved 27 July 2015.
- ↑ Buechler, Chris (November 5, 2015). "2.2.5 RELEASE Now available!". pfSense Digest. Retrieved 1 December 2015.
- ↑ Buechler, Chris (December 21, 2015). "2.2.6-RELEASE Now available!". pfSense Digest. Retrieved 1 December 2015.
- ↑ "Hardware". Electric Sheep Fencing LLC. Retrieved 5 August 2015.
Further reading
- pfSense: The Definitive Guide to the Open Source Firewall and Router Distribution. Reed Media Services, 2009. ISBN 978-0-9790342-8-2. By Christopher M. Buechler and Jim Pingle.
- pfSense 2 Cookbook. Birmingham, UK: Packt Publishing, 2011. ISBN 978-1849514866. By Matt Williamson.
External links