Domain: pfsense.org
Stories and comments across the archive that link to pfsense.org.
Comments · 108
-
Re:It would not be hard
Like pfSense?
I wouldn't say it's "bulkier"... you can run it on pretty tiny hardware, like I do (mine is a tiny Jetway box, smaller than most peoples' routers, chassis is metal and functions as the heatsink). Definitely "more complex to administer" but it's right up my alley.
-
My recommendations
My recommendations for the most secure options for home or small office use:
Dedicated hardware: Asuswrt-Merlin ( https://asuswrt.lostrealm.ca/ ) combined with one of the compatible ASUS router models. It's being actively supported; new versions appear every one to two months, and would likely appear more quickly if there were a major zero-day exploit. Not as feature-rich as DD-WRT or the like but more frequently updated.
Build your own PC or pre-configured PC: pfSense ( https://www.pfsense.org/ ) or OPNsense ( https://opnsense.org/ ). OPNsense is a fork of pfSense, which in turn is a fork of the now unsupported m0n0wall. They're based on FreeBSD. The companies sell pre-configured systems and support contracts as a source of income, but the software is free and open source and you can roll your own system. A PC has more memory and computing power than a dedicated router box, so these are more feature-rich than anything that runs on one of those boxes.
-
Re:Roll your own
I use a cheap Pentium motherboard (also low power), and a quad Intel Ethernet card (a used PRO/1000 for ~$50). It has all the bells and whistles of commercial units (captive portal, easy web UI, etc.), but has the advantage of being based on FreeBSD.
If you were to prefer Linux, it would be possible to use OpenWrt instead.
You are an idiot for flushing money and electricity down the toilet by leaving an old Pentium turned on 24/7.
Did you even think about electricity costs, or are you just a fucking moron? Never mind, we know the answer.
-
Roll your own
I use a cheap Pentium motherboard (also low power), and a quad Intel Ethernet card (a used PRO/1000 for ~$50). It has all the bells and whistles of commercial units (captive portal, easy web UI, etc.), but has the advantage of being based on FreeBSD.
If you were to prefer Linux, it would be possible to use OpenWrt instead.
-
Re:then can create a single wifi network?
I want to second the above post. I have the exact same experience at my home. I went with two (so far) "UniFi AC Lite AP" https://www.ubnt.com/unifi/uni... for my rather elongated apartment. They just work. Highly recommended.
They sit behind a SG-2220 pfSense appliance https://store.pfsense.org/SG-2... which also just works.
This combo costs a bit more than typical consumer grade would, but as a reward it is absolutely rock solid, with great coverage and equally great performance.
-
Kodi + MythTV + Sickbeard + Sabnzbd + Sonarr
Front-end is Kodi on OpenElec running on a CuBox-i. Back-ends are several VMs. One VM is running a MythTV back-end server recording from a roof antenna connected to a couple of HDHomeRun boxes, saving to a mounted NFS QNAP 12 TB array. Other VMs run Sonarr, Sabnzbd and Sickbeard. Sonarr is also using a Transmission back-end, while Sabnzbd is using a Usenet subscription. Occasionally I also use Netflix and Vudu on a Roku stick which I turn on only when I need it. I whitelist every device and every port individually, and all things that could be considered borderline legal go through a permanent VPN link on my pfSense VM. Rock solid setup.
-
Re:Not Sure What to Do
https://www.oo-software.com/en...
That, plus telemetry blocking at the firewall level have placated my concerns, personally.
-
Re:Great! Now if only they would make upgrades eas
The pfSense C2758 appliance supports 2 x 10GigE interfaces:
https://www.pfsense.org/hardwa...
Model: C2758
Max Active Connections: 8,000,000
Network Interfaces: 4x Intel 1GbE
Network Expansion: 2x Chelsio 10GbE
Supporting 10 gig interfaces is not the same as being able to filter 10 gig -- the specs on that box top out around 960 Mbit (150 Mbit VPN), while the standard ASA 5500 line tops out around 4 Gbit/second (700 Mbit VPN).
The 5585-X model line with the dedicated security processor will do up to 80 Gbit of inspection and 5 Gbit of VPN. But that performance doesn't come cheap; you'll pay around $150K for each one.
-
Re:Great! Now if only they would make upgrades eas
In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
I have been trying, literally for days, to get a quote for a SW upgrade license, to no avail. You cannot buy it online.
You cannot buy it from Cisco; you have to go through a reseller.
Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time... I am at the point where I'm ready to buy new boxes, just because they come with the latest SW version. The price point is not astronomical.
How on earth are customers supposed to be secure if they make it so hard to keep up with patches???
Replace your ASAs with pfSense boxes (buy them pre-made or make your own). Lifetime updates for free, no support contract needed, and no hidden backdoors; the code is open for inspection. You can buy support if you want it.
-
Re:Now this. This is news!
None at all using what does the job for you http://it.slashdot.org/comment...
I couldn't see where the app you referenced sources its block list, but I believe what I use (pfBlockerNG) is probably better.
I maintain that scalability is a big issue you aren't addressing. It's probably fine and certainly better than nothing for one or two Windows desktops, but what about even a small SOHO network that could contain any combination of desktop, mobile, and server operating systems, not to mention embedded devices that may include ffmpeg, like smart TVs and NAS boxes?
-
Yep
Bought a dual-NIC fanless MITXPC, never looked back. I love the machine; it's quiet, reliable and small.
You can get them with more than 2 NICs as well (I suggest you do, for versatility reasons). There are a few builds you can run on these things: pfSense, Smoothwall, etc.
http://www.mitxpc.com/
http://www.smoothwall.org/
https://www.pfsense.org/
http://suricata-ids.org/downlo...
-
Re:Openwrt Has A Show Stopper Design Flaw
So the Router firmware that everyone here coos about actually uses a sucky firewall? Netfilter != pf. Typical F/OSS Fail.
So pick another one like http://www.smallwall.org/ or http://www.pfsense.org/ or whatever. The nice thing about FOSS is choice.
But that's like saying you really only have one choice: both smallwall and pfSense are simply derivatives of the now-abandoned (like so many other F/OSS projects) m0n0wall.
And since smallwall's main focus is "Small and Lean", rather than "Robust and Complete", I would think that using it wouldn't be a step "up" in the world of firewall-dom.
As far as pfSense goes, I can't figure out where it lives, since it is considered a derivative of m0n0wall, but yet it lists pf as a dependency. So??? Heck, even iOS runs pf (which I actually found amazing). What is OpenWrt's problem?
-
Re:Openwrt Has A Show Stopper Design Flaw
So the Router firmware that everyone here coos about actually uses a sucky firewall?
Netfilter != pf.
Typical F/OSS Fail.
So pick another one like http://www.smallwall.org/ or http://www.pfsense.org/ or whatever. The nice thing about FOSS is choice.
-
Re:Yes, please!
Particularly with the FCC racing to lock down router firmware,
Which is a damn good reason to separate the router and the WiFi. The FCC cannot do shit about http://www.smallwall.org/ or http://www.pfsense.org/ or any other router that works better than most commercial offerings on old, cheap, retired desktops.
-
Re:Any good router suggestions?
Maybe. But since I have to pay $100 just to read the manual for this "free" software, I really don't feel that I can evaluate it properly.
What the ever-loving fuck are you talking about? Unless you're saying you need to become a Gold member subscriber to get access to the manual (meaning the pfSense: The Definitive Guide book, which, along with a pile of other stuff, comes with that Gold membership). In that case, you're a complete idiot, and probably aren't capable of setting up said firewall in the first place.
Getting started guide: https://www.pfsense.org/getting-started/
Hardware selection guide: https://www.pfsense.org/hardware/
Install guide: https://doc.pfsense.org/index.php/Installing_pfSense
Tutorials: https://doc.pfsense.org/index.php/Tutorials
Full Documentation Wiki: https://doc.pfsense.org/index.php/Main_Page
Forum: https://forum.pfsense.org/index.php
All of these are free. The forums are some of the best of any open source product as far as activity and usefulness.
Incidentally, the book is also available in paperback form from Amazon.ca for $48 CAD (about $40 US), so even if you did insist on having that book as your pfSense "manual," you still don't have to pay $100 for it. The Kindle version is even cheaper, at $36 CAD. http://www.amazon.ca/Pfsense-Definitive-Christopher-M-Buechler/dp/0979034280
-
Re:Any good router suggestions?
http://pfsense.org/ is one such option.
-
pfSense
I normally have AC filtered so I can't even see them, but I saw the responses and had to come here to tell you about pfSense:
https://pfsense.org/
Seriously, this would take care of almost all of the items on your list, and you can get the hardware new for $200-$300, or just re-purpose an old PC for free.
Have fun!
-
Site to Site VPN ?
Easily achieved with Cisco hardware (read that: enterprise class), but can't swear to it via pfSense. Talking a beefy and/or $$$ router, though, for the speeds you quoted in the Cisco world.
pfSense will do a few flavors of VPN, but I've never tried to get it working with any sort of logic to flag which traffic should bring the tunnel up and which should go out unencrypted.
However this link is informational:
https://doc.pfsense.org/index....
Since it's a mixed environment, it would probably be best to do it at the router level.
-
pfSense could do all of what you want
Using pfSense with multiple NICs you could set up numerous networks and control routing between the networks at that point. Also, pfSense can fully integrate OpenVPN into the scheme and has a firewall and filtering to be able to tell where everyone in the network is going. It also allows for port forwarding for your Linux box. Did I mention all of this is done through a GUI interface? Software can be downloaded at: https://www.pfsense.org/
-
Re:How about a NUC based on this?
This thread has some great ones, dual lan NUC for $100
-
pfSense
Keep it simple: https://www.pfsense.org/
-
Re:pfsense
runs from very small disk (I use a 4 GB mSATA SSD) and has a great UI, is a superb firewall and is BSD based. used to be the old openwall code.
pfSense runs from a very small disk (I use a 4 GB mSATA SSD) and has a great UI, is a superb firewall and is BSD based. It used to be the old openwall code.
FTFY.
(I hate subject commenting. You put the most important information in the least accessible place.)
-
Re:geek or not ~ pfSense
Or you can get a used Watchguard Firebox XCore or XCore-e series for around $50-100 on eBay. Drop in a 2 or 4 GB CompactFlash card and you're in business. Looks professional, with a working LCD display after a few modifications. I'm not sure about throughput over VPN, so that could be a dealbreaker for some. The XCore-e series has gigabit NICs if you need the extra bandwidth. https://doc.pfsense.org/index....
-
Options
Oh man, this is totally my area of expertise.
Hardware:
Software:
- Voyage Linux: This is a Debian-based Linux distribution that's tweaked to run on x86-based embedded systems (like one of the APU systems above). This is a good option if you're a Linux power user and prefer to set things up yourself manually.
- pfSense: You can flash this onto an SD or mSATA card and boot straight into it. This is good for those that want a more turn-key solution. pfSense is based on m0n0wall.
-
Linux or not (Re:geek or not)
My OpenVPN/Raspberry Pi proxy was a miserable failure...
Dare I raise the suspicion that the underlying Linux is to blame? pfSense, in contrast, is based on FreeBSD and is — as mentioned by numerous people here — quite usable even on old Celerons...
-
The summary of my research
I just went through this and here's the short summary of my research.
DIY - go with a PC Engines ALIX board or a Soekris board if Intel NICs matter to you. You can buy them here (links below). Install pfSense. Done. Easy. Or if you want a more command-line approach, install VyOS.
https://soekris.com/
http://www.mini-box.com/ALIX-b...
https://www.pfsense.org/
http://vyos.net/wiki/Main_Page
If you want an off-the-shelf solution, the best product I've found for the money is by Ubiquiti Networks, called EdgeRouter Lite. http://www.ubnt.com/edgemax/ed...
As far as VPN acceleration: with the ALIX or the Soekris you can have a dedicated crypto accelerator. I haven't gotten to the VPN portion of my build yet. It only really matters if you need fast sustained throughput on a point-to-point IPsec tunnel. If you are just connecting from remote, software decoding will probably be fine. pfSense has OpenVPN included and makes this easy. VyOS or another route will require more hands-on work.
-
pfSense
I really like pfSense. It is FreeBSD based and very easy to set up. See http://www.pfsense.org/
-
PFSense and OpenVPN
-
Re:geek or not ~ pfSense
I love me some pfSense. We use it at the office and it handles everything we can throw at it (including VPN/IPsec between offices to backfeed high-bandwidth security video). It is also lightweight enough to work in a home environment on minimal hardware.
Their hardware is both overpriced and well-made. For our small branch offices their embedded devices (such as https://store.pfsense.org/VK-T...) are better than what we could create on our own in low volume, and a lot less work. For larger branch offices we will stick pfSense in a virtual machine with whatever else they have running. It does well as a VM, too.
Cheers,
Matt
-
Re:Derp
Firewall. Whitelist. Limit access to SSH to systems on the whitelist.
No need to block entire countries - just allow SSH access to those systems that need it.
Now, if you want to talk about blocking access to your web or mail server from anyone in East Elbonia, then you can implement a package like Country Block, or use a service like this one, depending on your firewall.
The lesson from this? Restrict access to important services via a whitelist, and block access to public services with a deny list.
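The allow-list/deny-list split the comment above describes, written out in native pf syntax as used on FreeBSD or OpenBSD. This is an added example, not the commenter's configuration and not rules generated by pfSense; the interface name, the admin addresses and the feed file path are assumptions.

```pf
# Added example: pf.conf fragment for "allow-list the admin service,
# deny-list the public ones". Interface, admin hosts and feed file are assumed.
ext_if = "em0"

# Allow-list for management: only these sources may reach SSH at all.
table <ssh_admins> persist { 203.0.113.10, 198.51.100.0/28 }

# Deny-list for public services, fed from a country/reputation list kept in a
# file so it can be refreshed with pfctl without reloading the whole ruleset.
table <blocked_src> persist file "/etc/pf/blocked_src.txt"

set skip on lo0
block in log on $ext_if            # default deny inbound

# Management: allow-list only. 'quick' means the deny list below can never
# lock an admin host out of SSH.
pass in quick on $ext_if proto tcp from <ssh_admins> to ($ext_if) port 22 \
    flags S/SA keep state

# Public services: open to everyone except the deny list.
block in log quick on $ext_if from <blocked_src>
pass in on $ext_if proto tcp to ($ext_if) port { 25, 80, 443 } \
    flags S/SA keep state

pass out on $ext_if keep state
```

Swap the order of the admin pass rule and the `<blocked_src>` block if the deny list should override the allow-list instead. The deny list can be refreshed without touching the ruleset with `pfctl -t blocked_src -T replace -f /etc/pf/blocked_src.txt`. On pfSense itself the ruleset is generated from the GUI, so the equivalent is an alias of admin hosts as the source of the SSH rule plus a package such as pfBlockerNG feeding the deny-list alias; do not hand-edit the pf.conf it writes.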
-
pfSense
I know you're new to the Linux world, but while you're at it, dive into the BSD realm.
You can do firewalling with Packet Filter (pf) instead of iptables (better session tracking). BSD is generally better as a network appliance than Linux for a number of reasons, and for firewalling especially: better session tracking, better dynamic protocol handling, better error and flow control, and generally more robust. iptables is powerful, but it has its downsides that can be felt these days with higher network speeds, IPv6, and dynamic network protocols, which is why the Linux kernel is moving away from it to nftables. But nftables is not yet complete, hence we circle back to BSD with its pf package.
pfSense offers exactly what you're looking for and probably more. It provides a GUI and CLI to manage the device and a robust user/support community. Beyond firewalling you can do proxy, captive portal, VPN, DNS, DHCP, NAT, IPS/IDS, and a whole lot more. It has a web GUI and sets up in all of about 10 minutes.
It packs all of the features you would see on "enterprise class" firewalls, just open source.
https://www.pfsense.org/
-
pfSense
You may want to have a look at: https://www.pfsense.org/ Very good option...
-
pfSense
I have pfSense running on a virtual server, which I recommend to anyone. Perhaps not on the virtual server... it kind of adds a layer of complication that most people probably wouldn't care for, but it works well enough.
Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing.
-
Re:Cost?
Why would you count the cost of labor? Most people don't work for an employer that will allow them to work unlimited hours -- most people hit 40 hrs and that's it. Some people get overtime, but more than about 20 hours of OT is pretty rare. Some people get paid salary so there's no way for them to get more for some of their time. Some people get second jobs, but for the most part, moonlighting jobs pay less than one's regular gig, and most moonlighting jobs are low skill low pay.
Yes -- somebody out there will be the __rare__ exception to all that. You are an outlier.
In other words, the time a person has after work is not worth what their employer pays them -- it may be worth more or less depending on whether one is severely under or over compensated but ultimately, your time is worth zero dollars if you can't work extra hours. Stated otherwise, your time is priceless, and what matters is the joy you derive from it. That joy might come from assembling legos, growing carrots, DIY routers (and hey, pfSense http://www.pfsense.org/ is a great option for that), or whatever, but because your free uncompensatable time isn't worth anything monetary, don't count that in the cost of a DIY system -- it is perfectly valid however to count the joy value and for you, that is apparently a negative number, and you should probably spend $300 on a router. For others, a DIY system could prove cheaper in a monetary sense, and provide substantial joy, which in essence lowers the cost further (because that person did not have to spend money on hookers or books or ski trips -- that's a monetary savings).
-
Re:Home solution
Also SmoothWall but of the three I'm happiest with pfSense.
http://www.pfsense.org/ (BSD)
http://www.smoothwall.org/ (Linux)
http://m0n0.ch/wall/ (BSD)
-
Re:pfsense
I'm using an Atom CPU with several onboard Intel GigE ports.
Fanless, and has been pretty reliable so far. My 50 Mbps cable connection stays up and the 'router' has not needed rebooting in the month or two that I've been using it so far.
I've been very happy with pfSense running on a PC Engines alix2d13 board. The board has 3 100 Mbit Ethernet ports and 1 miniPCI slot for Wi-Fi expansion, but I think there's limited driver support for 802.11n-capable cards. I already had an Asus 802.11abgn Wi-Fi router, so I'm using that router for Wi-Fi, and the pfSense box just as a firewall, VPN server, and a home webserver. I have dual WAN connections and use pfSense to fail over from the primary connection (Comcast 50 Mbit) to the backup 3 Mbit DSL connection. Works great, and I can set up policy routes to route certain traffic across either WAN connection.
The ALIX is not super powerful and is somewhat memory constrained (256 MB), but I can get a Speedtest peak of 60 Mbit down from my Comcast connection. They are supposed to be working on a more powerful ALIX successor that will have 1 or 2 GB of RAM and a faster, dual-core CPU. The cost is supposed to be in line with the current boards, ~$200.
I've only had this setup for a few months, but it seems pretty stable; I last rebooted over 70 days ago and haven't had any problems with it.
-
pfSense
pfSense and a computer with two network cards is all you need. Pick up a used Cisco access point and add a 3rd NIC for wireless.
Rock solid, guaranteed no back doors. Installs in less than 15 minutes from CD. Dependability based on BSD and the parts you put in it. Get a cheap Core 2 Duo era Xeon 1U server for 100 bucks, and make it look even slicker.
-
Re:How
Here's one way: http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker
Since pfSense runs on the FreeBSD stable point releases, it tends to be behind the current, which means pfSense was a little slow to the IPv6 party, but is getting lots of support now.
-
Re:Wouldn't mind seeing what options exist
Any suggestions?
You can't bond two different ISPs, unless you own the end of a tunnel somewhere else (maybe a VPS), but you can pretty easily load balance and do failover with pfSense v2. The quick version: you set up both interfaces, both gateways, then you set up a gateway group with your fast ISP as Tier 1 and your slower ISP as Tier 2, and then in your LAN firewall rules, you put in an 'allow to all' rule at the end, with the gateway set to the gateway group. There's also a tick box to make the use of a gateway sticky for session affinity purposes, and other variables that can be tuned (e.g. drop a member of the group on packet loss or latency thresholds).
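A small model of the gateway-group behaviour the answer above describes, added here as an illustration; it is not pfSense code, only a reproduction of the selection logic (lowest healthy tier wins, members sharing a tier are load-balanced, a member is dropped when its monitored loss or latency crosses its threshold, and sticky connections keep a source pinned to the gateway it first used). Gateway names, thresholds and probe readings are constructed values.

```python
"""Added example: model of tiered gateway-group selection (not pfSense code).

Names, thresholds and the probe readings below are constructed values.
"""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Gateway:
    name: str
    tier: int
    loss_pct: float           # packet loss reported by the monitor probe
    latency_ms: float         # RTT reported by the monitor probe
    max_loss_pct: float = 20.0
    max_latency_ms: float = 500.0

    def healthy(self) -> bool:
        """A member leaves the group as soon as either threshold is exceeded."""
        return (self.loss_pct <= self.max_loss_pct
                and self.latency_ms <= self.max_latency_ms)


class GatewayGroup:
    def __init__(self, members, sticky=False):
        self.members = list(members)
        self.sticky = sticky
        self._affinity = {}    # source IP -> gateway name (sticky connections)
        self._rr = None        # round-robin iterator over the active tier
        self._rr_key = None    # member names the iterator was built for

    def active_tier(self):
        """Healthy members of the lowest tier number that still has one."""
        healthy = [g for g in self.members if g.healthy()]
        if not healthy:
            return []
        best = min(g.tier for g in healthy)
        return [g for g in healthy if g.tier == best]

    def select(self, src_ip: str) -> str:
        """Gateway a new connection from src_ip is policy-routed through."""
        tier = self.active_tier()
        if not tier:
            raise RuntimeError("all gateways down")
        names = tuple(g.name for g in tier)
        # Sticky: reuse the previous gateway while it is still in the active tier.
        if self.sticky and self._affinity.get(src_ip) in names:
            return self._affinity[src_ip]
        # Same-tier members are load-balanced; rebuild the rotation only when
        # the set of active members changes (failover or recovery).
        if names != self._rr_key:
            self._rr, self._rr_key = cycle(names), names
        chosen = next(self._rr)
        if self.sticky:
            self._affinity[src_ip] = chosen
        return chosen


def demo():
    """Tier 1 cable, Tier 2 DSL: failover on loss, fail back on recovery."""
    fast = Gateway("WAN_CABLE", tier=1, loss_pct=0.0, latency_ms=12.0)
    slow = Gateway("WAN_DSL", tier=2, loss_pct=0.0, latency_ms=35.0)
    group = GatewayGroup([fast, slow], sticky=True)
    first = group.select("192.168.1.50")          # healthy Tier 1 wins
    fast.loss_pct = 45.0                          # probe now reports heavy loss
    failed_over = group.select("192.168.1.50")    # Tier 2 takes over
    fast.loss_pct = 0.0                           # Tier 1 recovers
    recovered = group.select("192.168.1.50")      # sticky entry is dropped
    return first, failed_over, recovered


if __name__ == "__main__":
    print(demo())
```

Two gateways on the same tier give load balancing rather than failover, which is the usual point of confusion when people set up their first gateway group.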
-
Re:Never met anyone who uses it.
I use it *without* knowing on my router http://www.pfsense.org/ and my NAS http://www.freenas.org/
Pedantic mode - how do you know you use it without knowing? Besides, the boot messages are a dead giveaway.
I used to use pfSense. It worked fine, but it did seem annoyingly limited in some respects, and every time I asked how to do a thing I was told I should pay for a bounty to add some feature in the next release. It annoyed me so much I changed to OpenBSD and now write pf rules in vi. Now I know exactly what my firewall is doing, it runs a more recent version of pf, I have way more flexibility to do other things on my firewall if I choose, and pfSense can't compete with OpenBSD's security history.
-
I just did this, but for a business.
Get you a computer, just about anything modern will do, and a couple of supported NICs. I used the TEG-PCITXRL because I have to use older-model low-profile OptiPlexes.
http://www.pfsense.org/
Firewall port 80 and port 443
Set up squid
Set up squidblock
Create a wpad.dat file and put it on the web server, so browsers will automatically configure to use the proxy as long as they are set to automatically configure
Then download some freely available pre-categorized sites. I used these, but you can also use Shalla's if you are a non-profit.
1. http://dsi.ut-capitole.fr/documentations/cache/squidguard_en.html#contrib
2. http://squidguard.mesd.k12.or.us/blacklists.tgz
3. http://www.shallalist.de/
I also downloaded the list of websites that adblock uses from easylist, and put it in the right format with a quick macro in my text editor:
https://easylist-downloads.adblockplus.org/easylist.txt
You can get really fancy if you want, and if you have a domain you can do a man-in-the-middle proxy by creating a certificate, then installing it on your pfSense box and each desktop. This would allow you to just route all 80 and 443 traffic through squid, and then you could use DansGuardian to do keyword filtering. For your application I would probably steer clear of this for now, because you need to have a good way of making sure that EVERYONE knows that you can see their passwords to banks, emails, etc., and it's in a policy they sign, or you could get in deep doo doo.
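The two hand-made pieces of the setup above, the EasyList conversion the commenter did with an editor macro and the wpad.dat file, written out as an added example (not the commenter's own script). It only converts the domain-anchored `||example.com^` rules, which are the ones that map cleanly onto a squidGuard `domains` file, and skips exception (`@@`), element-hiding (`##`), path and referrer-conditional rules rather than guessing. The sample rule lines, proxy host and port are constructed.

```python
"""Added example: EasyList rules -> squidGuard domain list, plus a wpad.dat PAC.

The sample rules, proxy host/port and LAN range below are constructed values.
"""
import re

# Constructed excerpt in EasyList syntax; not the real list.
SAMPLE_EASYLIST = """\
[Adblock Plus 2.0]
! Title: EasyList (constructed excerpt)
||ads.example.com^
||tracker.example.net^$third-party
||cdn.example.org/banner.js
@@||allowed.example.com^
example.com##.ad-banner
/adserver/*
||bad.example.com^$script,domain=~news.example.com
||Mixed.Case.Example.com^
"""

# ||domain^ optionally followed by $options; anything else is not a whole-domain rule.
_DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^(\$.*)?$", re.IGNORECASE)


def easylist_to_domains(text: str) -> list:
    """Return the sorted, de-duplicated domains for a squidGuard 'domains' file
    (one domain per line; squidGuard matches the domain and its subdomains)."""
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[!" or line.startswith("@@") or "##" in line:
            continue                  # header, comment, exception or cosmetic rule
        m = _DOMAIN_RULE.match(line)
        if not m:
            continue                  # path or wildcard rule: not a whole domain
        options = m.group(2) or ""
        if "domain=" in options:
            continue                  # only blocked on some referrers: skip
        found.add(m.group(1).lower())
    return sorted(found)


def wpad_dat(proxy_host: str, proxy_port: int,
             lan_net: str = "10.0.0.0", lan_mask: str = "255.0.0.0") -> str:
    """PAC script served as http://wpad/wpad.dat: LAN and bare hostnames go
    direct, everything else goes through the filtering proxy."""
    return (
        "function FindProxyForURL(url, host) {\n"
        '  if (isPlainHostName(host) || dnsDomainIs(host, ".local")) return "DIRECT";\n'
        f'  if (isInNet(dnsResolve(host), "{lan_net}", "{lan_mask}")) return "DIRECT";\n'
        # Deliberately no "; DIRECT" fallback: the firewall blocks direct 80/443
        # anyway, and a fallback would let browsers bypass the filter whenever
        # the proxy is unreachable.
        f'  return "PROXY {proxy_host}:{proxy_port}";\n'
        "}\n"
    )


if __name__ == "__main__":
    print("\n".join(easylist_to_domains(SAMPLE_EASYLIST)))
    print(wpad_dat("proxy.corp.example", 3128))
```

Feed the real easylist.txt through `easylist_to_domains` and write the result as the `domains` file of a new squidGuard destination category; serve the PAC output with `Content-Type: application/x-ns-proxy-autoconfig`, since some browsers ignore wpad.dat delivered with the wrong type.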
-
Don't Do Anything Private On Your Work Computer!
If I ever get filthy rich, I'm doing a large scale PSA on this because people are dumb and just don't get it.
Anything done on company property, that includes their computers and networks, is not private and should be considered like one is broadcasting their private information loudly for everyone to hear. Just because it's personal and/or done on non-company time doesn't mean it's private when on company property.
Never have your web browser save any information, especially passwords and sensitive information! I know it makes life easier, but just don't. If one is having a hard time remembering that stuff, use KeePass and make sure to use a password, not a windows account, and make a few backups.
If one absolutely must do private stuff while at work, use a smartphone, tablet, or a laptop. If that's not an option, there's plenty of ways to remote into one's computer at home. I personally use RDP over an SSH tunnel since it doesn't require installing any software; PuTTY is easily downloadable, and the RDP client is installed by Windows by default. I know I could just do RDP straight, but I like the added security SSH adds. I know there are some routers that will do the SSH tunneling natively (most SOHO on stock firmware can't), or you can just build your own with something like pfSense.
-
Re:pfSense support for IPv6?
[Disclaimer: I am a pfSense developer, employee, and book author, so I'm a bit biased] :-)
pfSense is based on FreeBSD 8.3 with quite a few things patched in the kernel and base system. We've been doing quite a lot of work lately on getting the last few bits of IPv6 going along with some other features we have in the chamber for 2.1. IPv6 support is the main focus of pfSense 2.1, so changes in other areas have happened but they have been minimal in comparison.
Here is a spreadsheet covering the current status of IPv6 in various areas of pfSense. Some of those will have to wait for pfSense 2.2.
We just got one key feature holding back 2.1 from being released solved, and there are a few more bugs left but progressing rapidly.
-
pfSense support for IPv6?
I'm glad to see you mention that. While under the FreeBSDs, m0n0wall has supported BSDs for a while, the same hadn't been true about pfSense. I wanted to know whether pfSense 2.1 supports IPv6 or not. Checking out their site, it stated:
Today is World IPv6 Launch day, when many major websites have permanently added AAAA records to make their sites accessible via IPv6. All our sites have been IPv6-enabled (on native connectivity thanks to bluegrass.net) since last year, running behind pfSense 2.1. Many others are using the current snapshots in production networks.
We’d hoped to have 2.1 released in time for today, but getting to the point we consider full IPv6 support has taken far more work than anticipated. As has become the norm for us over the last several years, we do much more than put a GUI on things, having to implement and/or fix things in the underlying software to meet the needs of our users. There was far more to implement and fix in the underlying software than we anticipated. We have the last major piece addressed this week with CARP IPv6 support now functional. We’re just validating things at this point and fixing some last issues, with the official release coming roughly in the next 1-2 months.
IPv6 isn’t yet a critical need for most every network, but it will be getting to that point quickly. I know many IT professionals have been ignoring it, but it’s time to get up to speed for those who haven’t yet. I encourage everyone to at least start experimenting with it at home if you haven’t yet. For the bulk of us who don’t have an option for native IPv6 at home, our Using IPv6 on 2.1 with a Tunnel Broker document will get you going.
Incidentally, which version of FreeBSD does pfSense 2.1 correspond to?