pfSense tutorial: Configure pfSense as an SMB-caliber firewall

“Imagine this scenario: Another business group in your midsize company needs some new network connectivity, but they also require a number of network security features, including an integrated access point, user authentication, VPN capabilities, and a firewall to separate a certain group from the rest of the network. Oh, and they also want access to Snort and Nmap. Luckily, pfSense offers all of these features along with a number of customization options.”

Keith Barker explains in this video tutorial how to configure an SMB-caliber firewall.

pfSense – Squid + Squidguard / Traffic Shaping Tutorial

Ever wanted to set up a pfSense firewall/router with content filtering? Howtoforge has one of the easiest tutorials to help you set this up. If you have a spare box, there’s no reason to wait any longer: pfSense – Squid + Squidguard / Traffic Shaping Tutorial

In this tutorial I will show you how to set up pfSense 2.0.1 as an Internet gateway with Squid proxy / Squidguard filtering. I will also show how to configure some extra features of pfSense, like traffic shaping with Squid.

Installing and configuring Squid and DansGuardian under FreeBSD

Installing and configuring FreeBSD as a router is something most of us won’t do daily. It’s one of those jobs you do once, and when it’s up and running, you let your server / router do its work and you don’t touch it – unless there’s a problem.

Squid and DansGuardian are excellent tools for caching and content filtering. Squid is a caching proxy supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth use and improves response times by caching and reusing frequently requested web pages. DansGuardian is a web content filter: it filters the actual content of pages using many methods, including phrase matching, PICS filtering and URL filtering.

Since configuring Squid and DansGuardian is not something we do daily, the following tutorial may be useful: Installing and configuring Squid and DansGuardian under FreeBSD.

If you run pfSense, you can install Squid and DansGuardian too.

Another interesting tutorial is the one on creating plugins for FreeBSD’s new pkgng package manager: Writing plugins for pkgng.


Traffic Shaping with pfSense and HFSC (video)

This screencast demonstrates the use of a pfSense device for traffic shaping on a typical home network, with the goals of minimizing latency and maximizing throughput. In particular, we use a three-tier queue configuration where a parent speedboost queue on each interface contains leaf queues that catch all the traffic. The speedboost queues use HFSC’s non-linear service curve to match the behavior of Comcast SpeedBoost. The leaf queues are configured to partition the available bandwidth, and automatically allow ‘borrowing’ when there is no contention.

Section links:

  • Installation / Setup: 3min:01sec
  • Monitoring: 6min:30sec
  • Traffic Shaping: 15min:34sec

HOWTO: Run pfSense nanobsd in VirtualBox

There’s a very useful howto on the pfSense forums showing step by step how to run pfSense in VirtualBox:

  1. Get Oracle VirtualBox from https://www.virtualbox.org/ or from the repo of your distribution. It works on Windows and Linux too.
  2. Download a VGA-enabled nanobsd version of pfSense from here. For example pfSense-2.0.1-RELEASE-4g-i386-nanobsd_vga.img.gz.
  3. Decompress the .gz to get a plain disk image .img file (you need pfSense-2.0.1-RELEASE-4g-i386-nanobsd_vga.img).
  4. Convert the disk image to a virtual hard disk using this command:
    1. VBoxManage convertfromraw pfSense-2.0.1-RELEASE-4g-i386-nanobsd_vga.img pfSense-2.0.1-RELEASE-4g-i386-nanobsd_vga.vdi
    2. Don’t worry if the .vdi file is much smaller. It is a dynamic virtual disk, which physically occupies only the blocks that actually contain data.
  5. Create a new virtual machine in VirtualBox, using these settings:
    1. Enable IO APIC
    2. 512MB of RAM (or more, I guess)
    3. no audio, no USB
    4. 2 network adapters, the first bridged to your physical NIC, the second a “Host-Only Adapter”, both Intel PRO/1000 T Server. Untick “Cable connected”.
    5. a serial port, just to be sure
    6. use the .vdi image you created in step 4 as the hard disk
  6. Boot up the virtual machine and let pfSense start up.
  7. Assign network interfaces as usual; to simulate a cable connection, open the “Network Adapters” window and tick “Cable connected” again when appropriate. Make the first adapter (em0) the WAN and the second (em1) the LAN.
  8. Manually set the LAN IP address to 192.168.56.10 (or any IP within your “Host-Only Adapter” network).
  9. Type your LAN address in your browser and you’re in!
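The same steps scripted with VBoxManage, as an added example that is not part of the forum howto. It assumes the decompressed nanobsd .img from step 3, and the host NIC to bridge (eth0) and host-only interface (vboxnet0) are placeholders for your own host; VirtualBox’s name for the “Intel PRO/1000 T Server” adapter is the 82543GC type.

```shell
#!/bin/sh
# Added example, not from the forum howto: drive the VirtualBox steps with VBoxManage.
# Assumptions: eth0 (bridge NIC) and vboxnet0 (host-only interface) are placeholders
# for your host; "Intel PRO/1000 T Server" is VirtualBox's 82543GC adapter type.
set -eu

# Execute a command, or just print it when DRY_RUN=1 so the calls can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 4: derive the .vdi name and convert the raw nanobsd image to a dynamic VDI.
vdi_name() { printf '%s\n' "${1%.img}.vdi"; }
convert_image() {
  run VBoxManage convertfromraw "$1" "$(vdi_name "$1")"
}

# Step 5: create the VM with the settings listed in the howto.
create_vm() {
  vm="$1"; vdi="$2"; bridge_nic="$3"; hostonly_nic="$4"
  run VBoxManage createvm --name "$vm" --ostype FreeBSD --register
  # 5.1-5.3: IO APIC on, 512 MB RAM, no audio, no USB
  run VBoxManage modifyvm "$vm" --ioapic on --memory 512 --audio none --usb off
  # 5.4: em0 bridged (WAN), em1 host-only (LAN), both 82543GC, cables unplugged for now
  run VBoxManage modifyvm "$vm" \
    --nic1 bridged --bridgeadapter1 "$bridge_nic" --nictype1 82543GC --cableconnected1 off \
    --nic2 hostonly --hostonlyadapter2 "$hostonly_nic" --nictype2 82543GC --cableconnected2 off
  # 5.5: a serial port (COM1), not wired to anything
  run VBoxManage modifyvm "$vm" --uart1 0x3F8 4 --uartmode1 disconnected
  # 5.6: attach the converted .vdi as the boot disk
  run VBoxManage storagectl "$vm" --name IDE --add ide
  run VBoxManage storageattach "$vm" --storagectl IDE --port 0 --device 0 \
    --type hdd --medium "$vdi"
}

# Step 7: after pfSense has assigned em0/em1, plug the virtual cables back in.
connect_cables() {
  run VBoxManage controlvm "$1" setlinkstate1 on
  run VBoxManage controlvm "$1" setlinkstate2 on
}

# Usage: ./pfsense-vbox.sh <image.img> <vm-name> <bridge-nic> <hostonly-nic>
if [ "$#" -eq 4 ]; then
  convert_image "$1"
  create_vm "$2" "$(vdi_name "$1")" "$3" "$4"
  run VBoxManage startvm "$2"
fi
```

Run it with DRY_RUN=1 first to see the exact VBoxManage calls, then call connect_cables once the interface assignment in step 7 is done.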

pfSense 2.0.1, load balancing and pfSense Cookbook


pfSense is a powerful, open source, free and FreeBSD-based firewall and security solution. The following are three links you may be interested in if you use or would like to use pfSense.

pfSense 2.0.1 announcement

Chris Buechler has announced the release of pfSense 2.0.1. This is a maintenance release with some bug and security fixes since the 2.0 release. It is the recommended release for all installations.

How To Use pfSense to load balance your Web Servers

This howto shows you how to configure pfSense 2.0 as a load balancer for your web servers. It is assumed that you already have a pfSense box and at least two Apache servers installed and running on your network, and that you have some pfSense knowledge.

How To Use pfSense To Load Balance Your Web Server

pfSense Cookbook

There’s a great pfSense reference book published earlier this year, pfSense 2 Cookbook. It’s great for network admins, but also for the casual pfSense user. It’s a practical, example-driven guide to configuring both the simple and the most advanced features of pfSense.

The chapters in the book are:

  • Initial Configuration
  • Essential Services
  • General Configuration
  • Virtual Private Networking
  • Advanced Configuration
  • Redundancy, load balancing and failover
  • Services and maintenance
  • Appendix 1 – Monitoring and logging
  • Appendix 2 – Determining hardware requirements

The book is full of screenshots explaining all the different settings.

You can “look inside” the book: pfSense Cookbook

FreeBSD quick news and links (GhostBSD, Centreon, FreeBSD Dev, iXsystems)

GhostBSD 2.5: A GNOME-ified FreeBSD 9.0

If you want to try out FreeBSD 9.0 this holiday but are not keen on the actual FreeBSD 9.0 install and setup process, and don’t find the KDE desktop of PC-BSD 9.0 enjoyable, you may want to try out GhostBSD 2.5.

GhostBSD 2.5: A GNOME-ified FreeBSD 9.0


Centreon 2.3.3 on FreeBSD 9

This tutorial guides the user through the installation of Centreon on FreeBSD. We will be using an installation on a FreeBSD 9.0-PRERELEASE kernel; the kernel version does not affect the tutorial.

What is Centreon? Centreon is a powerful tool for monitoring hosts and services. It is a frontend that works on top of Nagios, adding many features for viewing alert history, status, and so on.

Centreon 2.3.3 on FreeBSD 9


Debian GNU/kFreeBSD Gets Ready For FreeBSD 9.0

It’s not only the FreeBSD and PC-BSD camps gearing up for the imminent release of FreeBSD 9.0, but Debian developers have already been gearing up for the major update of this leading BSD distribution as they prepare to pull in its new kernel.

Debian GNU/kFreeBSD Gets Ready For FreeBSD 9.0


Top 6 Linux and BSD graphical installation programs

PC-BSD’s installation setup is one of them: Top 6 Linux and BSD graphical installation programs.


FreeBSD Development over 13 Years

This video visualizes 13 years of FreeBSD development by its committers.

iXsystems Haiku Contest

Do you have the creativity/humor/love for FreeBSD and PC-BSD? Then submit an original haiku poem.

Here at iXsystems we always love hearing what you have to say, and what better way to celebrate the upcoming PC-BSD 9.0 release than indulging in some creative writing? We’ll gladly give away a PC-BSD shirt to the winner, and immortalize his/her haiku up on our Facebook and Google+ sites. (via)

bsdtalk210 – James Nixon from iXsystems

Interview with James Nixon from iXsystems at the LISA 2011 conference in Boston.

bsdtalk210 – James Nixon from iXsystems


BSDs ‘lost’ just because of this phone number 1-800-ITS-UNIX

BSD ‘lost’ because of a phone number? Nonsense.

Four of the BSD guys had just formed a company to sell BSD commercially. They even had a nice phone number: 1-800-ITS-UNIX. That phone number did them and me in. AT&T sued them over the phone number and the lawsuit took 3 years to settle. That was precisely the period Linux was launched and BSD was frozen due to the lawsuit.

Interview with Andrew Tanenbaum


FreeBSD Security Advisories

PAM, PAM_ssh, telnetd, chroot, and bind.