4 open source firewall/router projects, incl pfSense and m0n0wall

LinuxPlanet has a post with some background information on 4 great open source firewall/router projects. Two are Linux-based (Endian and SmoothWall) and the other two are based on FreeBSD (m0n0wall and pfSense):

“pfSense

pfSense is a customized distribution of FreeBSD. It actually started in 2004 as a fork of the m0n0wall project. However, it concentrates more towards full PC installations, where m0n0wall is more towards embedded hardware.

pfSense can be considered a popular package, as it has more than 1 million downloads. It can be used in homes or in large corporations and organizations. It’s available as a Live CD, hard drive installation, or embedded.

pfSense has low system requirements; 100 MHz Pentium CPU and 128 MBs of RAM. The Live CD requires a CD-ROM drive and a USB flash drive or floppy drive for storing the configuration file. The hard drive installation requires a CD-ROM for the initial installation and at least 1 GB hard drive. The embedded version requires a serial port for console and at least a 128 MB Compact Flash card.

pfSense, of course, includes a powerful firewall, including the ability to filter based upon the passively detected operating system. Its state table can be finely customized. It can do Network Address Translation (NAT) and load balancing of multiple WAN connections. It has a DHCP server and relay functionality.

Other important features include redundancy and synchronization, captive portal, and the support of three VPN solutions: IPsec, OpenVPN, and PPTP.

pfSense includes great reporting and monitoring features. RRD graphs show historical values of CPU utilization, firewall states, throughput, and more. There are also SVG graphs showing the real-time throughput of interfaces.

m0n0wall

m0n0wall is also based on FreeBSD. This firewall project is designed for use with embedded x86-based PCs. However, it is possible to run m0n0wall on most standard desktop PCs.

m0n0wall officially supports the embedded net48xx/net55xx systems from Soekris Engineering and the ALIX platform from PC Engines. It requires at least a 16 MB Compact Flash (CF) card and they recommend using at least 64 MBs of RAM.

Getting m0n0wall running on an embedded system just takes downloading an image and writing it to a CF card. For desktop PCs, you can write a disk image to a small IDE hard drive or CF card, or use the CD-ROM and floppy disk version. A VMware image is also available.

The entire system configuration is conveniently stored in one single XML text file, eliminating multiple text files parsed in a shell script. m0n0wall can completely boot up in less than 25 seconds after hitting the power button. On embedded platforms it provides a WAN to LAN TCP throughput of more than 50 Mbps (including NAT), and with newer PCs you can see 100+ Mbps.
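One practical consequence of keeping the whole configuration in a single XML file is that it can be audited offline with a few lines of code. The following is an added example, not m0n0wall's own code: it parses a constructed config.xml whose `<interfaces>` and `<filter><rule>` layout only approximates the real m0n0wall schema (treat the element names as assumptions and check them against a real file), then flags pass rules that allow any source to any destination on any protocol, and notes interfaces that have no pass rule at all, since a packet filter that blocks by default drops everything on such an interface.

```python
"""Audit a m0n0wall-style config.xml for overly permissive firewall rules.

Added example; not code from the m0n0wall project. The element layout below
is an approximation of the real config.xml schema, constructed for this
demonstration. Absence of <protocol> is assumed to mean "any protocol".
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <system><hostname>fw</hostname><domain>example.test</domain></system>
  <interfaces>
    <lan><if>sis0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <wan><if>sis1</if><ipaddr>dhcp</ipaddr></wan>
    <opt1><if>sis2</if><descr>DMZ</descr></opt1>
  </interfaces>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default LAN to any</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.10</address><port>443</port></destination>
      <descr>Inbound HTTPS to web server</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface>
      <source><any/></source><destination><any/></destination>
      <descr>TEMP: allow everything</descr>
    </rule>
    <rule>
      <type>block</type><interface>opt1</interface>
      <source><any/></source><destination><any/></destination>
    </rule>
  </filter>
</m0n0wall>
"""


def parse_rules(xml_text):
    """Return one dict per <filter><rule> with the fields the audit needs."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("./filter/rule"):
        src = rule.find("source")
        dst = rule.find("destination")
        rules.append({
            "type": rule.findtext("type", "pass"),
            "interface": rule.findtext("interface", ""),
            # Assumption: a missing <protocol> element means any protocol.
            "protocol": rule.findtext("protocol", "any"),
            "src_any": src is not None and src.find("any") is not None,
            "dst_any": dst is not None and dst.find("any") is not None,
            "dst_port": dst.findtext("port") if dst is not None else None,
            "descr": rule.findtext("descr", ""),
        })
    return rules


def interfaces(xml_text):
    """Interface names are the child tags of <interfaces> (lan, wan, opt1, ...)."""
    root = ET.fromstring(xml_text)
    return [child.tag for child in root.find("interfaces")]


def audit(xml_text):
    """Return a list of (severity, message) findings for the configuration."""
    rules = parse_rules(xml_text)
    findings = []
    for r in rules:
        label = r["descr"] or "no description"
        if r["type"] == "pass" and r["src_any"] and r["dst_any"] and r["protocol"] == "any":
            # Wide-open pass rule: everything on this interface is allowed.
            findings.append(("high", f"{r['interface']}: pass any to any on any protocol ({label})"))
        elif r["type"] == "pass" and r["interface"] == "wan" and r["src_any"] and r["dst_port"] is None:
            # Inbound from the Internet without restricting the destination port.
            findings.append(("medium", f"wan: pass from any source without a destination port ({label})"))
    # Interfaces with no pass rule at all: with a default-deny filter no traffic
    # gets through there, which is worth knowing before a bridge upgrade.
    passed = {r["interface"] for r in rules if r["type"] == "pass"}
    for name in interfaces(xml_text):
        if name not in passed:
            findings.append(("info", f"{name}: no pass rule, all traffic on this interface is dropped"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a real backup of config.xml by replacing `SAMPLE_CONFIG` with the file contents; the element names used here must first be confirmed against that file.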

The firewall provides stateful packet filtering and supports Network Address Translation (NAT). It also features a DHCP server and relay support. It supports VLANs and IPsec and PPTP VPNs. It even features wireless support for certain chipsets to create an access point (AP).

Other important features include a captive portal, SVG-based traffic graphing, SNMP agent, DynDNS client, and Wake on LAN client.” (full article)

Great to see the attention given by LinuxPlanet to FreeBSD based router/firewall projects. It would be nice if this was followed up by an in-depth review, comparison and benchmarking to help users decide which of the four is the best for their particular need.

M0n0wall vs pfSense vs NanoBSD

This shows how secure and rock-solid FreeBSD is. Makura no Soshi was running FreeBSD 4.11 as a filtering network bridge, and, thinking of upgrading, he has compared the pros and cons of m0n0wall, pfSense and NanoBSD. In the end he decided to go with NanoBSD.

Thus I chose NanoBSD. YMMV, and I would not recommend it for anyone not familiar with BSD. But with four other BSD servers the additional maintenance effort is really small; possibly even easier than with any non-standard or web-based configuration.

Read the full post here: M0n0wall vs pfSense vs NanoBSD

m0n0wall 1.31 Released

Manuel Kasper has announced the release of m0n0wall 1.31. This is a quick summary of the changes since 1.3:

  • various IPv6 improvements (in DNS forwarder, DHCPv6, AYIYA, etc.)
  • bridge “disable spoof check” option (for non-m0n0wall DHCP and multicast)
  • fans/temperature monitoring on status page for supported platforms (unfortunately Soekris/PC Engines not included)
  • fix for OpenSSL session renegotiation vulnerability (-> HTTPS webGUI)
  • patch to DHCP server daemon to reduce lease file growth

Downloads and Changelog | m0n0wall website

Released: m0n0wall 1.3

Manuel Kasper has announced m0n0wall 1.3.

“After almost three years in beta, I have decided that m0n0wall 1.3 is now good enough for production. It’s basically a re-release of 1.3b18, with two fixes thrown in. No major bugs have been reported anymore, but as always, upgrade at your own risk.

Major changes in this release (since 1.23):

  • switched base operating system to FreeBSD 6.4
  • consolidated net45xx, net48xx and wrap images into a single “embedded” image
  • switched bridge implementation to if_bridge: bridge member interfaces will now always be filtered (the filtering bridge option has been removed)
  • IPv6 support (enable on advanced setup page)
  • firewall support for IPsec traffic
  • IPsec NAT-T, DPD and dynamic tunnels
  • countless bugfixes and other improvements

If you’re upgrading a 1.2 generic-pc installation, you need to install 1.3b7 before you install 1.3 (because the image is too big to fit in the MFS that 1.2 allocates for the firmware upgrade).

If you’re upgrading a 1.2 net45xx/net48xx/wrap installation, you need to rename the embedded image to reflect your platform before you upload it (this is a one time thing only).”

Released: m0n0wall 1.236

m0n0wall version 1.236 was released last week in order to address a security issue in the ISC DHCP client. If you don’t use the DHCP client on WAN or if you trust the DHCP server(s), there’s no need to upgrade.

1.236 also includes a few captive portal fixes imported from the 1.3b branch, so if you use the captive portal, that would be another reason to upgrade.

Links:

Website | Downloads | Changelog

m0n0wall Beta 1.3b17 released

Manuel Kasper has released another m0n0wall beta, bringing the project closer to the final release of m0n0wall 1.3. According to the announcement:

The move to FreeBSD 6.4 has been completed, and legacy BRIDGE has been replaced by if_bridge (thanks to Chris Buechler), so if you’re using the bridging features, you may want to test especially carefully whether everything works as desired after the upgrade.

Also, the filtering bridge is now always on (this is by design), so you may have to add firewall rules to permit traffic on your bridged interfaces if you have not already done so.

Various bugs have of course also been fixed (for the SIP inbound NAT problem, advanced outbound NAT slowness when using destination matching, DHCPv6 range check, etc.).

For more info, the changelog and downloads, visit the beta page.

ANNOUNCEMENT: BSD Router Project (bsdrp)

Olivier Cochard-Labbé, an IP routing expert and founder of FreeNAS (a FreeBSD based Network-Attached-Storage system), has released the first alpha (0.1) image of his new project: BSD Router Project - http://bsdrp.net

bsdrp is an open source customised distribution of FreeBSD dedicated to offering IP routing services for small ISPs.

Release 0.1 of BSDRP is a fully working prototype, to be used on real or virtual machines that boot from an ATA device only (not USB).

This first release includes:

  • Base FreeBSD 8.0-CURRENT system (NanoBSD) for i386
  • Customized script (config, upgrade, help, command completion, etc…)
  • Quagga ready to use (OSPFv2, OSPFv3, RIP, RIPng and BGP)

You may ask what the difference is between BSDRP and m0n0wall or pfSense.

  • The main goal of BSDRP is not firewalling but routing. If you need a firewall don’t use BSDRP: Use m0n0wall or pfSense.
  • BSDRP is not for home use, but for company use (small ISPs, for example).
  • BSDRP doesn’t have a Web GUI: it is configured from a CLI only (like Cisco or Juniper).
  • pfSense can be used for routing, but Olivier wanted to set up a Cisco or Juniper like project just for routing.

Thanks, Olivier, for contacting me to announce this project. If you have any (new) FreeBSD related products or services that you want to announce, submit it here.