Slashdot Mirror


pfSense 1.0 Firewall Released

Chris Daniel writes, "pfSense, a FreeBSD-based firewall LiveCD distribution, has reached its official 1.0 release. Based on m0n0wall, pfSense offers firewalling, traffic shaping, VPNs, load balancing, and a nice package-management system for adding extra functionality, among many other useful built-in features. The project has been ongoing for two years, and pfSense has already been in production use in a number of locations well before the 1.0 release." Find a download mirror here.

14 of 104 comments

  1. Re:Based on mOnOwall? by Anonymous Coward · · Score: 3, Informative

    monowall is just a firewall, this does traffic shaping/QoS, lots more services.

  2. SmoothWall by mahesh_gharat · · Score: 4, Informative

    Have a look at SmoothWall at http://www.smoothwall.org/
    It's based on GNU/Linux and provides at par or better features, and it has been around for almost 4-5 years now.

    1. Re:SmoothWall by MattBurke · · Score: 4, Informative

      Only if you discount firewalling as a feature.

      The code behind iptables is disgusting. It doesn't even do a proper job of stateful tracking. Read and compare the source code if you don't believe me. There are many things which Linux does in about 10 lines of code but run into hundreds or thousands of lines in the pf source because pf does the job properly.

  3. SmoothWall?? IPCop! by PurPaBOO · · Score: 5, Informative

    You only get the better features in Smoothwall if you pay for the corporate version.

    You could try IPCop instead, a fork of smoothwall.

    I use IPCop instead of pfsense for some installations as it has support for the Bewan PCI ADSL modem.

    --
    If it weren't for the rocks in its bed, the stream would have no songs.

  4. PPTP pass-through? by pmsr · · Score: 3, Informative

    pfSense is an amazing product that does without hiccups what firewalls costing hundreds or even thousands of dollars do. But it has a limitation: it can't handle more than one simultaneous PPTP pass-through session to the same server. Plenty of cheap routers (based on Linux) do this. But granted, that Linux PPTP masquerading kernel module is a little beauty.

    1. Re:PPTP pass-through? by Slashcrap · · Score: 1, Informative

      Of course, let's discount the fact that it can act as a PPTP endpoint (feature from m0n0wall).

      Yes I think we should, since it has no relevance to what the grandparent was talking about.

      What he is pointing out is that if you have a lot of visitors behind your pfSense-based corporate firewall and they want to make PPTP connections back to their corporate networks, it will not work. Because there is no support for multiple PPTP passthrough.

      I would love to tell you all about a perfect example of this becoming a problem at a major event because of our choice of OpenBSD for a product. But I can't. Suffice to say you would be amazed how many companies actually use PPTP for their remote connectivity.

      How would having it act as a PPTP endpoint help in this case?

  5. Re:Uuh, no thanks, not convinced by Anonymous Coward · · Score: 1, Informative

    You probably want m0n0wall instead which is lighter and aimed at embedded systems. Having used both (along with ipcop and others) I can say they all are excellent products.

  6. Re:Relies on a full-size computer by beardz · · Score: 2, Informative

    pfSense is quite capable of running on either Soekris SBCs or PC Engine WRAPs, which to use your phrase, are both "small, quiet and wireless!" ;) Granted, the WRT54s are cheaper, but both the Soekris and WRAP boards offer more flexibility.

  7. minor p2p glitch by Anonymous Coward · · Score: 3, Informative

    After months of regular use I can say pfSense is a great firewall. One minor problem (and the only one) I encountered is the inability to work with the Kademlia p2p network: the client appears as always firewalled even after days though all other ports are correctly routed and the mule client gets a high id. The problem disappears as soon as I route the same ports through a different firewall.

  8. Re:VM? by numbski · · Score: 2, Informative

    The dev version already is.

    I've installed into Qemu before without issues. This is actually a pretty common thing on the irc chans.

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  9. Re:Uuh, no thanks, not convinced by Anonymous Coward · · Score: 1, Informative

    I have difficulty understanding the problem. We are not aiming at the small embedded 35 euro router market here.

    A cisco 851 has 64MB ram, a cisco 871 has 128MB ram. We are talking hardware that can at least do redundancy, balancing, failover and multiwan. Then you promptly enter the plus $200 market and this is the competition.

    And you need memory for sufficient connection tracking, firmware upgrades, traffic shaping etc.

    We point out that Snort (which we have no control over) requires a lot of memory. That is there to prevent foot shooting. Then again the $200 routers do not do IDS/IPS.

    Seems fine to me.

  10. 1.0 and it's still broken by AmiMoJo · · Score: 2, Informative

    I don't know why they are doing a 1.0 release right now. While there are many nice things in pfSense, most of them are replicated in the much more stable m0n0wall on which it is based. The pfSense-only features tend not to work too well.

    For example, the traffic shaping is broken. I have a 10Mb/512Kb cable connection (NTL) and have been totally unable to get traffic shaping to do anything. There are many more like me on the forums. It seems to work for some people on some connections, but is far from robust and universal. The rules that the wizard creates are not right either, and always need modifying. Hardly 1.0 standard I feel.

    There are other issues too, like the fact that embedded web upgrades don't work, or that the queues display does not show accurate stats (particularly on drops).

    I'm going to decommission my 650MHz P3 that is currently running pfSense and replace it with a much lower power Netgear Rangemax router. Really, the only things that the pfSense box has over the Netgear one is traffic shaping and the ability to handle a larger number of connections. The former doesn't work and the latter is irrelevant.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  11. Re:CURRENT? by Philip K Dickhead · · Score: 3, Informative

    pfSense Rocks hard.

    I have been on the RC1, and replaced all my Linux/IPfilter machines with this.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell

  12. Re:A mish-mash of other systems? by DoXaVG · · Score: 2, Informative

    This has been gone over numerous times in both the pfSense forums and the mailing lists. The short answer is hardware support and that bsdinstaller is only available on FreeBSD and DragonFly at this time.