Configure advanced features with pfSense 2.0 (Packt Pub’s new book)

Packt Publishing, the publishers of Learning FreeNAS, are now in the process of publishing pfSense 2 Cookbook.

This book helps users discover the power of pfSense’s core functionality. It is written by Matt Williamson and is filled with examples of interfaces, firewall rules, NAT port-forwarding, VPN services, etc.

pfSense 2 Cookbook helps readers determine their deployment scenario, their hardware, throughput, and interface requirements, and to select the right platform version of pfSense. They will be able to configure essential networking services such as DHCP, DNS, Dynamic DNS, and will be able to provide external Remote Desktop Access to an internal machine.

Through this book readers will learn to create multiple WAN interfaces, virtual IPs, a virtual LAN, gateways, and bridged interfaces. They will be able to configure traffic-shaping and Quality of Service (QoS), firewall redundancy with a CARP firewall failover, and external logging with syslog.

Talking about CARP, I came across a very interesting site explaining how to set up a CARP cluster, step-by-step: http://pfsense.basis06.com/download/tutorials/carp/carp-cluster-new.htm. There’s enough material and howtos available explaining how to set this up, but this little demo is super clear.

When I have read the book, I’ll let you know more about the contents.

More information can be found here: pfSense 2 Cookbook, and a free chapter, dealing with DHCP and DNS, can be downloaded here: pfSense 2 Cookbook – sample chapter.

pfSense: Build an UTM, and 2.0-RC1 available

smallnetbuilder.com has an article (Build your own UTM with pfSense) showing what you can do with pfSense as a Unified Threat Management appliance, especially with regard to Intrusion Detection and Prevention, Anti-Virus, Content Filtering, Anti-Spam and Traffic Control.

The concept of Unified Threat Management is straightforward: on the outer reaches of your network perimeter, you install an appliance that stops all possible threats to your network, an über firewall, as it were. The fact of the matter is that UTM hardware is expected to completely overtake separate network protection hardware.

[...]

pfSense can perform all these functions to some extent. To judge how well pfSense meets these UTM requirements, I’ve given a subjective grade to each set of UTM function groups. Once we’ve defined how these functions thwart threats, and how pfSense meets those challenges, we’ll upgrade Cerberus, and see how it performs as a UTM.

The article concludes with:

With pfSense, this content is largely free – making pfSense, with all of its patchwork flaws, very compelling. The value proposition of pfSense is significant. It is free, open, and no expensive subscriptions are needed to protect your network. Free something is better than nothing.

Chris Buechler has also announced the availability of pfSense 2.0-RC1 (pfSense 2.0-RC1 now available):

Years and many thousands of hours in the making, pfSense 2.0 Release Candidate 1 is now available!

Check it out, test it, and leave feedback on the pfSense forums.

Miscellaneous (Free)BSD news and links (Week 2)

I End of Life Announcement for PC-BSD 7.x

With the release of version 8.2 just around the corner, and PC-BSD 9.0 slated for later this year, we will be stopping the production of new packages / PBIs for the PC-BSD 7.x series in the near future: End of Life Announcement for PC-BSD 7.x

II Required: Senior FreeBSD/UNIX/Linux Administrator

You might be our next Sr. Systems Engineer: Senior FreeBSD/UNIX/Linux Administrator

III FreeBSD: Virtual Network Switch

In the previous post, I mentioned that I’m going to cover the Open vSwitch and Vde implementations. However, I think it is also interesting to cover how you can set up a virtual switch with the FreeBSD native system. As we all know, bridging is actually software switching, therefore we can make use of the bridge interface to achieve this. I will explain the 6-port virtual network switch setup that is illustrated in the diagram below: FreeBSD: Virtual Network Switch

IV Installing pfSense on an Alix.6e1

The ALIX.6e1 hardware platform:

2 10/100 LAN / 1 miniPCI / 1 miniPCI Express / AMD LX800 / 256 MB / 2 USB / DB9 serial port / CF Card slot / Board size: 6 x 6 : Installing pfSense on an Alix.6e1

pfSense development in 2011

Recently I contacted lead developers of different FreeBSD based projects and asked them about their development plans and ideas for 2011. Yesterday we looked at PC-BSD, let’s now see what the pfSense developers have in store.

As most of you will be aware, pfSense is a free, open source customised version of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

The project started in 2004 as a fork of the m0n0wall project, but focused on full PC installations rather than the embedded hardware focus of m0n0wall (m0n0wall vs pfSense).

Chris Buechler emailed the following update for 2011:

“2011 looks to be the best year yet for the project. We’ll have 2.0 release candidate 1 out this month. Final release soon after though it’s hard to put a timeline on that.

After that, we’ll be adding IPv6 support this year for the 2.1 release. That may be the only major new feature or change in the 2.1 release, which we expect by the end of 2011 at latest and probably sooner. We’re speeding up our release cycles and adding far fewer things on each release, so we’ll have major releases out much more frequently going forward (in addition to any needed maintenance releases). The 2.0 release brings major enhancements to virtually every single piece of the system, and hence has taken a while to get through the release cycle. It’s looking very good now though.”

Thanks, Chris, for the update. Wishing you, Scott and the team a successful 2011. pfSense 2.0 is set to rock the routing/firewalling world and we’re all looking forward to its release.

If you, blog readers, have any requests, ideas or general views on pfSense, let us know via the comments below.

pfSense website | pfSense blog

Quick news and links: ghostbsd, pfsense, doing business with BSD

Some links to recent project updates and howtos.

pfSense

GhostBSD

Setting up FreeBSD Wireless

Successful businesses do it with BSD!

The hidden underbelly of Mac OS X is, yep, you guessed it, BSD. Originally based on OpenBSD, however since 10.2 or shortly thereafter, FreeBSD. So this begs the question: why do so many manufacturers rally behind Linux when Apple has clearly demonstrated beyond a shadow of any doubt that if you wish to be truly commercially successful building on the back of Open Source, you’ve got to do it with a BSD. Consider all of those netbook producers out there deploying Windows XP in most cases or some flavorless Linux distribution. … Continues

kFreeBSD with ZFS, Bordeaux on PC-BSD, benchmarks and pfSense

Debian’s GNU/kFreeBSD Installer will support ZFS

“While Debian GNU/kFreeBSD has supported the ZFS file-system with its FreeBSD-8 kernel, support for installing the Debian GNU/kFreeBSD distribution to a root ZFS file-system will now be possible with the Debian 6.0 “Squeeze” release.

For those unfamiliar with Debian GNU/kFreeBSD, it takes the GNU user-land but runs it atop the FreeBSD kernel rather than Debian GNU/Linux with the Linux kernel. You can still use apt-get and do most anything you would with the Linux-based Debian distribution (aside from different hardware compatibility and other support differences), but instead you’re running the FreeBSD kernel.

While the upstream FreeBSD project doesn’t have an easy root ZFS file-system installation option within FreeBSD 8.0/8.1, this isn’t particularly ground-breaking, as the FreeBSD-based PC-BSD already has ZFS installation support that is quite easy to work.”

Full post on Phoronix: Debian’s GNU/kFreeBSD Installer Will Support ZFS

Review of Running Bordeaux on PC-BSD

Jesse Smith of Distrowatch has used Bordeaux for a week and written up his (mostly positive) experience (feature story):

“The Bordeaux Technology Group is a company specializing in compatibility software. Specifically, they work at making it as easy as possible to run Windows programs on the UNIX family of operating systems. Their Bordeaux tool is built to run on Linux, FreeBSD, Solaris, OpenIndiana and Mac OS X. Bordeaux is, at its heart, a customized build of Wine. They take a recent version of Wine, add some special tools and test their build for compatibility against a group of popular Windows software. They then sell this bundle (along with support) for about US$20 – 25, much less than the typical cost of a Windows license. A few weeks ago I had a chance to chat with Tom, a member of the Bordeaux Technology Group, and he was kind enough to give me a copy of Bordeaux (PC-BSD edition) to test-drive.

The provided PBI package was about 44 MB and it installed without any problems. With the install completed, two icons were added to my desktop and application menu. These new icons were labelled “Bordeaux” and “Cellar Manager”. I launched Bordeaux first and was presented with a new window featuring three tabs along the top. These three tabs are called “Install Applications”, “Manage Wine” and “Unsupported Packages”. At the bottom of the window, regardless of which tab is selected, are two buttons called “Help” and “Install”. Clicking the Help button always opens a browser window to the Bordeaux documentation website. The Install button actually performs different functions depending on which tab is selected.”

Read on for the remainder of the story, and the conclusion: Test-driving Bordeaux 2.0.8

NB, Bordeaux Group has a 50% offer going: Bordeaux 50% off recession busting sale

New benchmarks of OpenSolaris, BSD & Linux

Phoronix has benchmarked the latest OpenSolaris-based distributions (OpenSolaris, OpenIndiana, and Augustiner-Schweinshaxe), compared to PC-BSD, Fedora, and Ubuntu. The Phoronix review concludes:

There you have it, the performance of the latest OpenSolaris distributions against PC-BSD/FreeBSD and two of the most popular Linux distributions. The Fedora and Ubuntu operating systems won most of the tests, but there were a few leads for PC-BSD, while the OpenSolaris operating systems won just one test (Local Adaptive Thresholding via GraphicsMagick), at least for our benchmarking selection and workload. If you are using an OpenSolaris-based operating system, hopefully you are not using it for a performance-critical environment but rather to take advantage of its technical features like DTrace, ZFS (though that is becoming moot with its availability on PC-BSD/FreeBSD and even Linux), etc.

Check out the article for the graphs, benchmark details and hardware used: New benchmarks of Opensolaris, BSD and Linux

Build your own Router (pfSense)

Martin Diers set up pfSense for a new warehouse.

My company is expanding into a warehouse, and so for the first time, I have to set up a WAN. That’s a Wide Area Network, which basically means joining together two or more LANs so everyone can see each other, even if you are across the country.

At my company, I have our local internet router running pfSense on a traditional PC with two network cards. It works just like your home Linksys or Netgear router. It’s just faster and can handle a lot more traffic. It is also extremely stable. I never have to reboot the thing. You configure it just like your home router: through a web interface.

He finishes the article by saying how easy (and cheap) setting up a WAN with pfSense is, compared to the ’90s:

pfSense has been the best router software I have ever used. It is as capable as anything put out by Cisco or HP, and it is open source. For the cost of the bare hardware, you can have a world-class router that supports many other services such as local DNS resolution, content filtering, bandwidth monitoring, Quality of Service controls, the list goes on, and you can even have it in a little fanless package.

Read the whole post: Build your own router (trojanbadger.com)

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

4 open source firewall/router projects, incl pfSense and m0n0wall

LinuxPlanet has a post with some background information of 4 great open source firewall/router projects. Two are Linux-based (endian and smoothwall) and the other two are based on FreeBSD (m0n0wall and pfSense):

pfSense

“pfSense is a customized distribution of FreeBSD. It actually started in 2004 as a fork of the m0n0wall project. However, it concentrates more on full PC installations, where m0n0wall is more towards embedded hardware.

pfSense can be considered as a popular package, as it has more than 1 million downloads. It can be used in homes or in large corporations and organizations. It’s available as a Live CD, hard drive installation, or embedded.

pfSense has low system requirements: a 100 MHz Pentium CPU and 128 MB of RAM. The Live CD requires a CD-ROM drive and a USB flash drive or floppy drive for storing the configuration file. The hard drive installation requires a CD-ROM for the initial installation and at least a 1 GB hard drive. The embedded version requires a serial port for the console and at least a 128 MB Compact Flash card.

pfSense, of course, includes a powerful firewall, including the ability to filter based upon the passively detected operating system. Its state table can be finely customized. It can do Network Address Translation (NAT) and load balancing of multiple WAN connections. It has a DHCP server and relay functionality.

Other important features include redundancy and synchronization, captive portal, and the support of three VPN solutions: IPsec, OpenVPN, and PPTP.

pfSense includes great reporting and monitoring features. RRD graphs show historical values of CPU utilization, firewall states, throughput, and more. There are also SVG graphs showing the real-time throughput of interfaces.

m0n0wall

m0n0wall is also based on FreeBSD. This firewall project is designed for use with embedded x86-based PCs. However, it is possible to run m0n0wall on most standard desktop PCs.

m0n0wall officially supports the embedded net48xx/net55xx systems from Soekris Engineering and the ALIX platform from PC Engines. It requires at least a 16 MB Compact Flash (CF) card and they recommend using at least 64 MB of RAM.

Getting m0n0wall running on an embedded system just takes downloading an image and writing it to a CF card. For desktop PCs, you can write a disk image to a small IDE hard drive or CF card, or use the CD-ROM and floppy disk version. A VMware image is also available.

The entire system configuration is conveniently stored in one single XML text file, eliminating multiple text files parsed in a shell script. m0n0wall can completely boot up in less than 25 seconds after hitting the power button. On embedded platforms it provides a WAN to LAN TCP throughput of more than 50 Mbps (including NAT), and with newer PCs you can see 100+ Mbps.

The firewall provides stateful packet filtering and supports Network Address Translation (NAT). It also features a DHCP server and relay support. It supports VLANs and IPsec and PPTP VPNs. It even features wireless support for certain chipsets to create an access point (AP).

Other important features include a captive portal, SVG-based traffic graphing, SNMP agent, DynDNS client, and Wake on LAN client.” (full article)

Great to see the attention given by LinuxPlanet to FreeBSD based router/firewall projects. It would be nice if this was followed up by an in-depth review, comparison and benchmarking to help users decide which of the four is the best for their particular need.