Slashdot Mirror


pfSense 1.0 Firewall Released

Chris Daniel writes, "pfSense, a FreeBSD-based firewall LiveCD distribution, has reached its official 1.0 release. Based on m0n0wall, pfSense offers firewalling, traffic shaping, VPNs, load balancing, and a nice package-management system for adding extra functionality, among many other useful built-in features. The project has been ongoing for two years, and pfSense has already been in production use in a number of locations well before the 1.0 release." Find a download mirror here.

8 of 104 comments

  1. CURRENT? by scott_karana (Score: 4, Interesting)

    Why FreeBSD 6.1-CURRENT, I wonder? STABLE is bleeding edge enough for most, and I quite imagine that they could just use base 6.1.

  2. Re:Relies on a full-size computer by Merovign (Score: 2, Interesting)

    Sure.

    Mind you, the "target market" leans a little more toward small/mid-size office than home office.

    Though I'm sure the hobby-minded with lots of spare older PCs will give it a shot.

    Myself, for my home network, I'm stickin' with mah Linksys.

  3. Uuh, no thanks, not convinced by udippel (Score: 4, Interesting)

    I opened the links, since I was keen on finding out (even using) the thingy.

    But, no. The minimal ("Do not even attempt to use it on anything less !") hardware is beyond my means (and beyond my expectation, even for traffic shaping and stuff):
    All platforms: 128 megabytes of ram
    Embedded: 128 megabyte compact flash card
    Full installation: 2gb hard drive or larger
    LiveCD: USB Keychain for configuration storage

    That's simply a tiny little bit too much. I surely get the similar setting with OpenBSD on boxes with lower specs.

    Okay, let's get it going. I love compact flash. Alas: "Larger flash sizes can be used but pfSense will not use the space over the 128 MB limit".
    "The Snort package requires a LOT of memory, only install this when the system has 1 GB ram or over."

    Any need to go further? To me, at least, not. I'd rather move on...

  4. Re:Based on mOnOwall? by Anonymous Coward (Score: 3, Interesting)

    m0n0wall is based on FreeBSD 4.x; it has little wireless support, it cannot do load balancing for multi-WAN, and neither can it do machine failover with CARP.

    There are currently over $2000 bounties posted on the m0n0wall list for the first person that makes it work with FreeBSD 6. Unfortunately for m0n0wall, we see people switching to pfsense instead.

    Yes, pfSense _is_ based on m0n0wall
    No, pfSense _is not_ m0n0wall

  5. Re:SmoothWall?? IPCop! by Drasil (Score: 3, Interesting)

    I've used both Smoothwall and then IPCop for extended periods on my own home router box (an old P200/128MB). I have now been using M0n0wall for a couple of years and I am very happy with it. It doesn't have the silly coloured NIC idea; I can just add new subnets as I require and name them myself. I find it more powerful and intuitive than IPCop in other ways too. IPCop served me well for a long time, but I don't think it's quite on the same level as M0n0wall. I can't comment on the non-free versions of Smoothwall.

    As for pfSense, it looks interesting; I may well give it a try.

  6. Re:PFsense NAT is symmetric, result: no SIP (VoIP) by SiliconJesus101 (Score: 2, Interesting)

    Lacking the knowledge of the internal workings of PF, I do have to say that I have never had a problem with SIP. My home phone is through Vonage behind pfsense, and I routinely connect while on the road to a friend's Asterisk box to make phone calls with a soft phone and bluetooth headset on my laptop. He has a pfsense router and all of his trunks are SIP. Several users are simultaneously connected using SIP from remote locations and properly routed out the SIP trunks. Not to doubt that you have had things that do not work; I am only relating my experiences. I must also state that the SIP traffic shaping appears to work beautifully there, as I really don't have any call issues that are not related to the bandwidth available at my remote location(s).

    --

    "The strong will do what they want, the weak will do what they must."
    -Thucydides

  7. Re:PFsense NAT is symmetric, result: no SIP (VoIP) by TCM (Score: 2, Interesting)

    The underlying pf seems to have more flexibility than the interface on top then.

    I suppose you mean something like the following?

    # XXX: hardwire SIP and RTP source ports
    nat on $ext_if inet proto udp from $asterisk port { 5060, 10000:20000 } to any -> ($ext_if) static-port
    nat on $ext_if inet from $int_net to any -> ($ext_if)
    rdr on $ext_if inet proto udp from any to ($ext_if) port { 5060, 10000:20000 } -> $asterisk

    Which means that traffic from an internal Asterisk that has source ports 5060 and 10000-20000 leaves NATed but with the source ports intact. Together with the ability to let Asterisk enter arbitrary IP addresses in SIP messages[1], this makes it look like it was directly connected and not behind NAT at all.

    All other traffic - even HTTP from the Asterisk server for example - gets the source port replaced as usual.

    [1] Who TF thought that entering layer 3 addresses in application layers was a good idea anyway?

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
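
The rules quoted in the comment above, placed into a complete pf.conf skeleton as an added example (not the commenter's or the pfSense project's configuration). Interface names, the LAN subnet, the Asterisk address and the RTP port range are assumptions; the two points the fragment alone does not show are that pf applies the first matching nat/rdr rule, so the static-port rule must come before the catch-all, and that rdr only rewrites the destination, so a filter rule still has to pass the redirected traffic.

```pf
# Added example, not from the original thread. Names/addresses are assumptions.
ext_if    = "fxp0"                 # assumption: WAN interface
int_if    = "fxp1"                 # assumption: LAN interface
int_net   = "192.168.1.0/24"       # assumption: LAN subnet
asterisk  = "192.168.1.10"         # assumption: Asterisk host on the LAN
sip_ports = "{ 5060, 10000:20000 }" # SIP signalling plus the RTP range Asterisk is configured for

# Translation rules. pf uses the FIRST matching nat/rdr rule, so the
# static-port rule for the Asterisk host has to precede the generic nat rule;
# otherwise its SIP/RTP packets would still get their source port rewritten.
nat on $ext_if inet proto udp from $asterisk port $sip_ports to any -> ($ext_if) static-port
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Inbound SIP/RTP on the WAN address is redirected to Asterisk. This only
# rewrites the destination; the filter rules below decide whether it passes.
rdr on $ext_if inet proto udp from any to ($ext_if) port $sip_ports -> $asterisk

# Filter rules see the post-translation addresses, so the pass rule for the
# redirected traffic is written against the Asterisk host. Keep it as narrow
# as the rdr: only UDP, only the SIP/RTP ports.
block in on $ext_if all
pass in on $ext_if inet proto udp from any to $asterisk port $sip_ports keep state
pass out on $ext_if inet from ($ext_if) to any keep state
pass on $int_if all
```

After loading, `pfctl -sn` shows the translation rules in the order pf will evaluate them, which is the quickest way to confirm the static-port rule ended up first.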

  8. Re:SmoothWall by MattBurke (Score: 2, Interesting)

    Here's the OpenBSD link. Search for pf_test_state_tcp; it's about 2/3 of the way down the page.

    After 30 minutes of searching I couldn't find the Linux equivalent. It's either in one of the files here or maybe here. Maybe. OK, I'm showing my ignorance somewhat here, but I don't understand why there's a whole heap of stuff all over the place. Anyhow, netfilter's state matching is basically about 4 lines which just check a packet against a list of ip,srcport,dstport. Sorry, I'd have been able to find it if I had a Linux box to hand to grep on, but I don't at the moment.

    One thing should be stated in comparison: Linux is a *LOT* faster at throwing packets through its firewall, mind you, it's a direct result of it not really checking them much...