
pfSense

I am looking for a new firewall solution for my home and an open source system to offer to current or prospective customers. Whenever I ask tech-minded people which open source solution they favor, I get the same answer again and again. So I started digging into the pfSense documentation, and here are some of the features.

pfSense runs on FreeBSD and is descended from m0n0wall.

Firewall

pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility, to let you filter by the operating system initiating the connection. Want to allow FreeBSD and Linux machines onto the Internet but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the operating system in use.

State Table

State table optimization options: pf offers four options for state table optimization. The most interesting is the "Conservative" setting. It works to avoid dropping legitimate connections at the expense of increased memory usage and CPU utilization, a price worth paying on a high-traffic network.
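To show what the OS fingerprinting and state table settings above look like in pf's own rule language, here is an added pf.conf fragment (not from the post and not pfSense's generated ruleset; the pfSense GUI writes equivalent rules for you). The interface names, the LAN network, and the state limit are assumptions chosen for illustration.

```pf
# Added example, not from the original post. Interface names, LAN network
# and the state limit below are assumptions for illustration only.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# State table tuning. "conservative" keeps idle states around longer so quiet
# but legitimate connections are not dropped, at the cost of memory and CPU.
# The other options are normal, high-latency and aggressive. The state limit
# caps table size so a flood cannot exhaust kernel memory.
set optimization conservative
set limit states 100000

# Default deny; everything allowed below is stateful.
block all
pass out on $ext_if from $lan_net to any keep state

# Passive OS fingerprinting applies to incoming TCP SYN packets only: the "os"
# qualifier never matches UDP or ICMP, and a tuned TCP stack can imitate
# another OS, so this is a coarse policy knob rather than authentication.
# The class names come from pf.os; list them with: pfctl -s osfp
pass in on $lan_if proto tcp from $lan_net os "Linux" to any keep state
pass in on $lan_if proto tcp from $lan_net os "FreeBSD" to any keep state
block in log on $lan_if proto tcp from $lan_net os "Windows"
block in log on $lan_if proto tcp from $lan_net os unknown
```

The two block rules are already covered by the default deny; they are there to log which LAN hosts are being refused, which is what you want when a mis-fingerprinted machine shows up in the support queue. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.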

Almost all firewalls allow for some sort of Network Address Translation (NAT). pfSense also does NAT reflection: in some configurations, services can be accessed by public IP from internal networks. The limitation is that NAT reflection can only be used with port ranges of fewer than 500 ports and cannot be used with 1:1 NAT hosts.
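As an added example of what NAT reflection means at the pf level (this is the classic pf technique, not the post's own text and not necessarily the exact rules pfSense generates), the fragment below forwards a public port to an internal web server and then makes the same forward work for LAN clients that use the public address. All addresses and interface names are constructed for illustration.

```pf
# Added example, not from the original post. Addresses and interface names
# are constructed (TEST-NET public address) for illustration only.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
ext_ip  = "203.0.113.10"
web_srv = "192.168.1.50"

# Outbound NAT: hide the LAN behind the WAN address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forward from the Internet to the internal web server.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web_srv port 80

# NAT reflection. Without the rdr on the LAN side, a LAN client connecting to
# the public address reaches the firewall's own LAN interface, not the server.
rdr on $lan_if proto tcp from $lan_net to $ext_ip port 80 -> $web_srv port 80

# The redirected packet leaves on the same interface it arrived on, so the
# server would otherwise reply directly to the client with a source address
# the client never connected to, and the handshake would fail. Source-NAT
# the reflected connection to the firewall's LAN address so replies come back
# through the firewall and are un-translated there.
nat on $lan_if proto tcp from $lan_net to $web_srv port 80 -> ($lan_if)

# Filtering happens after translation, so rules see the real server address.
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state
pass in on $lan_if proto tcp from $lan_net to $web_srv port 80 keep state
```

Note the trade-off: after the second nat rule the web server logs every reflected connection as coming from the firewall's LAN address, not from the real client. That is the usual reason people prefer split DNS (resolve the service name to the internal address for LAN clients) over reflection where they can.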

Redundancy: your firewall can be clustered, synced and used in a failover configuration.

pfSense does both inbound and outbound Load Balancing.
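Both directions of load balancing can be expressed directly in pf, and the added fragment below (not from the post; pfSense's GUI generates its own equivalents) shows an inbound server pool and an outbound dual-WAN round-robin. Interface names, gateways and addresses are assumptions.

```pf
# Added example, not from the original post. All interface names, gateway
# addresses and the server pool are assumptions for illustration only.
ext_if1  = "em0"
ext_if2  = "em2"
gw1      = "203.0.113.1"
gw2      = "198.51.100.1"
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
ext_ip   = "203.0.113.10"
web_pool = "{ 192.168.1.50, 192.168.1.51, 192.168.1.52 }"

# Inbound load balancing: new connections to the public web address are handed
# to the pool in turn. sticky-address pins a given client to the backend it
# was first sent to for as long as it has states, which matters for servers
# that keep session data locally.
rdr on $ext_if1 proto tcp from any to $ext_ip port 80 -> $web_pool round-robin sticky-address
pass in on $ext_if1 proto tcp from any to $web_pool port 80 keep state

# Outbound load balancing: each uplink gets its own outbound NAT, and new LAN
# connections are alternated between the two gateways with route-to.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
pass in on $lan_if route-to { ($ext_if1 $gw1), ($ext_if2 $gw2) } round-robin \
    from $lan_net to any keep state
```

Two caveats a practitioner will hit: pf has no health checking in these rules, so a dead backend or a dead uplink still receives its share of new connections until something external (pfSense's own monitoring, in its case) rewrites the ruleset; and per-connection round-robin across two public addresses breaks sites that tie a session to the client's source address, which is why the outbound rule is usually given `sticky-address` or limited to specific destinations in practice.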

VPN: OpenVPN, PPTP server, PPPoE server, and IPsec, which can be used for mobile client connectivity.

Real-time information uses Ajax to display CPU, memory, swap and disk usage, and state table size. pfSense also has graphs showing real-time throughput for each interface.

Dynamic DNS

Captive Portal allows you to force authentication, or redirection to a click-through page, for network access.

There are also a number of pf GUIs available through SourceForge that make management less bash-like and more Windows-like for anyone who wishes to simplify it.