pfSense

From Wikipedia, the free encyclopedia
Developer: Electric Sheep Fencing, LLC
OS family: FreeBSD (10.1-RELEASE)
Working state: Current
Source model: Open source
Latest release: 2.2.2 / April 15, 2015
Platforms: Intel x86, AMD64
Kernel type: Monolithic kernel
License: BSD License
Official website: www.pfsense.org

pfSense is an open source firewall/router software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network and is noted for its reliability[1] and for offering features often found only in expensive commercial firewalls.[2] It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[2] pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.

Name

The name derives from the fact that the software helps the stateful packet-filtering tool PF (which acts as a firewall, packet filter, and routing service on many BSD and Unix platforms) make more sense to non-technical users.[3]

History

The pfSense project started in 2004 as a fork of the m0n0wall project by Chris Buechler and Scott Ullrich.[4] From the beginning, it focused on full PC installations, as opposed to m0n0wall's focus on embedded hardware. However, pfSense is also available as an embedded image for CompactFlash-based installations. Version 1.0 of the software was released on October 4, 2006.[5] Version 2.0 was released on September 17, 2011,[6] with updates 2.0.1 to 2.0.3 between then and 2013. pfSense version 2.1 was released on September 15, 2013, and version 2.1.1 was released on April 4, 2014,[7] with a subsequent update to 2.1.2 on April 10, 2014,[8] due to the Heartbleed bug. Version 2.1.3, released on May 2, 2014,[9] contains several minor fixes and was released mainly to address two FreeBSD SAs (security advisories) that affect some packages but not the base system. pfSense 2.1.4, released on June 25, 2014,[10] contains several security and other fixes. pfSense 2.1.5, released on August 27, 2014,[11] is primarily a security release. pfSense 2.2 was released on January 23, 2015, and contains substantial changes, including an upgrade of the base system to FreeBSD 10.1.[12]

Version history

Version Release date Significant changes
1.0 [5] October 4, 2006
  • The first official release.
1.0.1 [13] October 29, 2006
  • Bug fixes
1.2 [14][15] February 25, 2008
  • FreeBSD updated to 6.2
  • Reworked load balancing pools which allow for round robin or failover
  • Miniupnpd added to the base install
  • Much enhanced RRD graphs
  • Numerous Squid Package fixes
  • dnsmasq updated to 2.36
  • olsrd updated to 0.4.10
  • BandwidthD package added
  • PHP upgraded to 4.4.6
  • Lighttpd upgraded to 1.4.15
  • Numerous Bug fixes
1.2.1 [16] December 26, 2008
  • FreeBSD updated to 7.0
  • Bug fixes
1.2.2 [17] January 9, 2009
  • Setup wizard fix
  • SVG graphs fixed
  • IPsec reload fix specific to large (100+ site) deployments
  • Bridge creation code changes
  • FreeBSD updates for two security advisories
1.2.3 [18] December 10, 2009
  • Upgrade to FreeBSD 7.2
  • Embedded switched to nanobsd
  • Dynamic interface bridging bug fix
  • IPsec connection reloading improvements
  • Dynamic site to site IPsec
  • Sticky connections enable/disable
  • Ability to delete DHCP leases
  • Polling fixed
  • ipfw state table size
  • Server load balancing
  • UDP state timeout increases
  • Disable auto-added VPN rules option
  • Multiple servers per-domain in DNS forwarder overrides
  • No XMLRPC Sync rules fixed
  • Captive portal locking replaced
  • DNS Forwarder
  • Outbound load balancer replaced
2.0 [19] September 17, 2011
2.0.1 [20] December 20, 2011
  • Improved accuracy of automated state killing in various cases (#1421)
  • Various fixes and improvements to relayd
  • Fixed path to FreeBSD packages repo for 8.1
  • Various fixes to syslog
  • Removed/silenced some irrelevant log entries
  • Fixed various typos
  • Fixes for RRD upgrade/migration and backup (#1758)
  • Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
  • Fixed policy route negation for VPN networks (#1950)
  • Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
  • Fixed VoIP rules produced by the traffic shaper wizard (#1948)
  • Fixed uname display in System Info widget (#1960)
  • Fixed LDAP custom port handling
  • Fixed Status > Gateways to show RTT and loss like the widget
  • Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
  • Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
  • Clarified text of serial field when importing a CA (#2031)
  • Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
  • Fixed Captive Portal MAC passthrough rules (#1976)
  • Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
  • Fixed CARP status widget to properly show “disabled” status.
  • Fixed end time of custom timespan RRD graphs (#1990)
  • Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
  • Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
  • Fixed handling of OpenVPN client bandwidth limit option
  • Fixed handling of LDAP certificates (#2018, #1052, #1927)
  • Enforce validity of RRD graph style
  • Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
  • Fixed handling of hostnames in DHCP that start with a number (#2020)
  • Fixed saving of multiple dynamic gateways (#1993)
  • Fixed handling of routing with unmonitored gateways
  • Fixed Firewall > Shaper, By Queues view
  • Fixed handling of spd.conf with no phase 2’s defined
  • Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc.)
  • Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
  • Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
  • Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
  • Lowered size of CF images to again fit on newer and ever-shrinking CF cards.
  • Clarified text for media selection (#1910)
2.0.2 [21] December 21, 2012
  • Bug fixes
  • Security fixes
2.0.3 [22] April 15, 2013
  • Bug fixes
  • Security fixes
2.1 [23] September 15, 2013
  • IPv6 Support
  • Upgrade to FreeBSD 8.3
  • Updated Atheros drivers
  • OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc.
  • PHP to 5.3.x
  • OpenVPN to 2.3.x
  • Added mps kernel module
  • Added ahci kernel module
  • Updated ixgbe driver
  • Numerous Bug fixes
  • Security fixes
2.1.1 [7] April 4, 2014
  • Security fixes
2.1.2 [24] April 10, 2014
  • Heartbleed OpenSSL Security fixes
  • Bug fixes
2.1.3 [25] May 2, 2014
  • Security fixes
  • Bug fixes
2.1.4 [26] June 25, 2014
  • Security fixes
  • Bug fixes
2.1.5 [27] August 27, 2014
  • Security fixes
  • Bug fixes
2.2 [12] January 23, 2015
  • Upgrade to FreeBSD 10.1
  • Update the IPsec stack to include AES-GCM, and IKEv2
  • Update PHP backend from FastCGI to PHP-FPM
  • Update PHP to 5.5
  • Change from dnsmasq to the Unbound DNS Resolver
  • Numerous Bug Fixes
2.2.1 [28] March 17, 2015
  • Security fixes
  • Bug fixes
2.2.2 [29] April 15, 2015
  • Security fixes
  • Bug fixes

Features

Install, update, packages, management
Functionality and connectivity
Firewall and routing
  • Stateful firewall
  • Network Address Translation
  • Filtering by source/destination IP address, protocol, OS/network fingerprinting
  • Flexible routing
  • Per-rule configurable logging and per-rule limiters (IP addresses, connections, states, new connections, state types), Layer 7 protocol inspection, policy filtering (or packet marking), TCP flag state filtering, scheduling, gateway
  • Packet scrubbing
  • Layer 2/bridging capable
  • State table "up to several hundred thousand" states (1 KB RAM per state approx)
  • State table algorithms customizable including low latency and low-dropout

Packages available as "push button installs" (as of March 2013) include, but are not limited to: Asterisk, Squid (file caching), ClamWin download scanner, Apache HTTP Server with mod-security, FreeSWITCH (Voice over IP), jail, LCD panel support, spamd email tarpit, nmap, stunnel, Varnish accelerator, multiple monitoring and statistics packages, and file managers.

Hardware

Although the focus of pfSense is on full-PC installation, it is also available in versions for embedded use on hardware using media similar to Compact Flash.

Derivatives


References

  1. Danen, Vincent (December 7, 2009). "DIY pfSense firewall system beats others for features, reliability, and security". TechRepublic. "If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider"
  2. Miller, Sloan (June 26, 2008). "Configure a professional firewall using pfSense". Free Software Magazine (22). "No experience is needed with FreeBSD or GNU/Linux to install and run pfSense"
  3. Buechler, Chris (June 21, 2007). "So what does pfSense stand for/mean, anyway?". pfSense Digest.
  4. "pfSense Open Source Firewall Distribution - History".
  5. Ullrich, Scott (October 13, 2006). "1.0-RELEASED!". pfSense Digest.
  6. Buechler, Chris (September 17, 2011). "2.0-RELEASED!". pfSense Digest.
  7. Thompson, Jim (April 4, 2014). "2.1.1-RELEASE now available". pfSense Digest.
  8. Thompson, Jim (April 10, 2014). "2.1.2-RELEASE Now available". pfSense Digest.
  9. Dillard, Jared (May 2, 2014). "2.1.3-RELEASE now available". pfSense Digest.
  10. Dillard, Jared (June 25, 2014). "2.1.4-RELEASE now available". pfSense Digest.
  11. Dillard, Jared (August 27, 2014). "2.1.5-RELEASE now available". pfSense Digest.
  12. Buechler, Chris (January 23, 2015). "2.2 Release now available!". pfSense Digest.
  13. Ullrich, Scott (October 29, 2006). "1.0.1-RELEASED!". pfSense Digest.
  14. Ullrich, Scott (April 29, 2007). "1.2-BETA-1 released!". pfSense Digest.
  15. Buechler, Chris (February 25, 2008). "1.2 Release Available!". pfSense Digest.
  16. Buechler, Chris (December 26, 2008). "pfSense 1.2.1 released!". pfSense Digest.
  17. Buechler, Chris (January 9, 2009). "pfSense 1.2.2 released!". pfSense Digest.
  18. Buechler, Chris (December 10, 2009). "pfSense 1.2.3 released!". pfSense Digest.
  19. Buechler, Chris (September 17, 2011). "2.0 Release Now Available!". pfSense Digest.
  20. Buechler, Chris (December 20, 2011). "2.0.1 release now available!". pfSense Digest.
  21. Buechler, Chris (December 21, 2012). "2.0.2 release now available!". pfSense Digest.
  22. Buechler, Chris (April 15, 2013). "2.0.3 release now available!". pfSense Digest.
  23. Buechler, Chris (September 15, 2013). "pfSense 2.1-RELEASE now available!". pfSense Digest.
  24. Thompson, Jim (April 10, 2014). "2.1.2 Release Now available". pfSense Digest.
  25. Dillard, Jared (May 2, 2014). "2.1.3 RELEASE Now available". pfSense Digest.
  26. Dillard, Jared (June 25, 2014). "2.1.4 RELEASE Now available". pfSense Digest.
  27. Dillard, Jared (August 27, 2014). "2.1.5 RELEASE Now available". pfSense Digest.
  28. Buechler, Chris (March 17, 2015). "2.2.1 RELEASE Now available". pfSense Digest. Retrieved 13 April 2015.
  29. Buechler, Chris (April 15, 2015). "2.2.2 RELEASE Now available!". pfSense Digest. Retrieved 15 April 2015.
  30. Schellevis, Jos (January 2, 2015). "OPNsense 15.1-RELEASED". OPNsense website.
