pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network and is noted for its reliability and for offering features often found only in expensive commercial firewalls.[1] It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[2] pfSense is commonly deployed as a perimeter firewall, router,[2] wireless access point, DHCP server, DNS server, and as a VPN endpoint.
The name was derived from the fact that it helps the stateful packet-filtering tool PF (which acts as a firewall, packet filter, and routing service on many BSD and Unix platforms) make more sense to non-technical users.[3]
History
The pfSense project started in 2004 as a fork of the m0n0wall project by Chris Buechler and Scott Ullrich. From the beginning, it focused on full PC installations, as opposed to m0n0wall's focus on embedded hardware. However, pfSense is also available as an embedded image for CompactFlash-based installations.[4] Version 1.0 of the software was released on October 4, 2006. Version 2.0 was released on September 17, 2011,[5] with updates 2.0.1 to 2.0.3 between then and 2013. pfSense version 2.1 was released on September 15, 2013, and version 2.1.1 was released on April 4, 2014,[6] with a subsequent update to 2.1.2 on April 10, 2014,[7] due to the Heartbleed bug.[8] Version 2.1.3, released on May 2, 2014, contains several minor fixes and was released mainly to address two FreeBSD security advisories that affect some packages but not the base system. pfSense 2.1.4, released on June 25, 2014,[9] contains several security and other fixes. pfSense 2.1.5, released on August 27, 2014,[10] is primarily a security release. pfSense 2.2 was released on January 23, 2015, and contains substantial changes, including an upgrade of the base system to FreeBSD 10.1.[11][12]
Version history
[5] October 4, 2006
The first official release.
[13] October 29, 2006
[14][15] February 25, 2008
FreeBSD updated to 6.2
Reworked load balancing pools which allow for round robin or failover
Miniupnpd added to the base install
Much enhanced RRD graphs
Numerous Squid Package fixes
dnsmasq updated to 2.36
olsrd updated to 0.4.10
BandwidthD package added
PHP upgraded to 4.4.6
Lighttpd upgraded to 1.4.15
Numerous Bug fixes
[16] December 26, 2008
FreeBSD updated to 7.0
[17] January 9, 2009
Setup wizard fix
SVG graphs fixed
IPsec reload fix specific to large (100+ site) deployments
Bridge creation code changes
FreeBSD updates for two security advisories
[18] December 10, 2009
Upgrade to FreeBSD 7.2
Embedded switched to nanobsd
Dynamic interface bridging bug fix
IPsec connection reloading improvements
Dynamic site to site IPsec
Sticky connections enable/disable
Ability to delete DHCP leases
ipfw state table size
Server load balancing
UDP state timeout increases
Disable auto-added VPN rules option
Multiple servers per-domain in DNS forwarder overrides
No XMLRPC Sync rules fixed
Captive portal locking replaced
Outbound load balancer replaced
[19] September 17, 2011
[20] December 20, 2011
Improved accuracy of automated state killing in various cases (#1421)
Various fixes and improvements to relayd
Fixed path to FreeBSD packages repo for 8.1
Various fixes to syslog
Removed/silenced some irrelevant log entries
Fixed various typos
Fixes for RRD upgrade/migration and backup (#1758)
Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
Fixed policy route negation for VPN networks (#1950)
Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
Fixed VoIP rules produced by the traffic shaper wizard (#1948)
Fixed uname display in System Info widget (#1960)
Fixed LDAP custom port handling
Fixed Status > Gateways to show RTT and loss like the widget
Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
Clarified text of serial field when importing a CA (#2031)
Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
Fixed Captive Portal MAC passthrough rules (#1976)
Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
Fixed CARP status widget to properly show “disabled” status.
Fixed end time of custom timespan RRD graphs (#1990)
Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
Fixed handling of OpenVPN client bandwidth limit option
Fixed handling of LDAP certificates (#2018, #1052, #1927)
Enforce validity of RRD graph style
Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
Fixed handling of hostnames in DHCP that start with a number (#2020)
Fixed saving of multiple dynamic gateways (#1993)
Fixed handling of routing with unmonitored gateways
Fixed Firewall > Shaper, By Queues view
Fixed handling of spd.conf with no phase 2’s defined
Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc.)
Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
Lowered size of CF images to again fix on newer and ever-shrinking CF cards.
Clarified text for media selection (#1910)
[21] December 21, 2012
[22] April 15, 2013
[23] September 15, 2013
Upgrade to FreeBSD 8.3
Updated Atheros drivers
OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc.
PHP to 5.3.x
OpenVPN to 2.3.x
Added mps kernel module
Added ahci kernel module
Updated ixgbe driver
Numerous Bug fixes
[7] April 4, 2014
[24] April 10, 2014
Heartbleed OpenSSL Security fixes
[25] May 2, 2014
[26] June 25, 2014
[27] August 27, 2014
[12] January 23, 2015
Upgrade to FreeBSD 10.1
Update the IPsec stack to include AES-GCM, and IKEv2
Update PHP backend from FastCGI to PHP-FPM
Update PHP to 5.5
Change from dnsmasq to the Unbound DNS Resolver
Numerous Bug Fixes
[28] March 17, 2015
[29] April 15, 2015
Features
Install, update, packages, management
Live CD, update, NanoBSD/embedded, virtual machine, and USB installers available
Packaged support/push-button installer for extensions, including the Squid proxy server, the Snort intrusion prevention/detection system, ntop, the HAVP antivirus package, IP address blocklists
Multi-language
GUI, SSH (if enabled) and serial management
RRD graphs reporting
Traffic shaping and filtering
Real-time information using
Functionality and connectivity
Virtual Private Networks using IPsec, L2TP, OpenVPN, or PPTP
PPPoE server
High availability clustering; redundancy and failover including CARP and pfsync
Outbound and inbound
Quality of Service (QoS)
DHCP server and relay
IPv6 support
Multiple public IP addresses/multi-NAT
RADIUS/LDAP
Multiple resolvers (DNS forwarder, Unbound, TinyDNS, other)
Aliases supported for rules, IP addresses, ports, computers, and other entities
Firewall and routing
Network Address Translation
Filtering by source/destination IP address, protocol, OS/network fingerprinting
Per-rule configurable logging and per-rule limiters (IP addresses, connections, states, new connections, state types), Layer 7 protocol inspection, policy filtering (or packet marking), TCP flag state filtering, scheduling, gateway
Layer 2/bridging capable
State table "up to several hundred thousand" states (1 KB RAM per state approx)
State table algorithms customizable including low latency and low-dropout
Packages available as "push button installs" (as of March 2013) include but are not limited to:
Asterisk, Squid (file caching), ClamWin download scanner, Apache HTTP Server with mod-security, FreeSWITCH (Voice over IP), jail, LCD panel support, spamd email tarpit, nmap, stunnel, Varnish accelerator, multiple monitoring and statistics packages, file managers.
Hardware
Although the focus of pfSense is on full-PC installation, it is also available in versions for embedded use on hardware using media similar to Compact Flash.
Derivatives
References
[1] Danen, Vincent (December 7, 2009). "DIY pfSense firewall system beats others for features, reliability, and security". TechRepublic. "If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider".
[2] Miller, Sloan (June 26, 2008). "Configure a professional firewall using pfSense". Free Software Magazine (22). "No experience is needed with FreeBSD or GNU/Linux to install and run pfSense".
[3] Buechler, Chris (June 21, 2007). "So what does pfSense stand for/mean, anyway?". pfSense Digest.
[4] "pfSense Open Source Firewall Distribution - History".
[5] Ullrich, Scott (October 13, 2006). "1.0-RELEASED!". pfSense Digest.
[6] Buechler, Chris (September 17, 2011). "2.0-RELEASED!". pfSense Digest.
[7] Thompson, Jim (April 4, 2014). "2.1.1-RELEASE now available". pfSense Digest.
[8] Thompson, Jim (April 10, 2014). "2.1.2-RELEASE Now available". pfSense Digest.
[9] Dillard, Jared (May 2, 2014). "2.1.3-RELEASE now available". pfSense Digest.
[10] Dillard, Jared (June 25, 2014). "2.1.4-RELEASE now available". pfSense Digest.
[11] Dillard, Jared (August 27, 2014). "2.1.5-RELEASE now available". pfSense Digest.
[12] Buechler, Chris (January 23, 2015). "2.2 Release now available!". pfSense Digest.
[13] Ullrich, Scott (October 29, 2006). "1.0.1-RELEASED!". pfSense Digest.
[14] Ullrich, Scott (April 29, 2007). "1.2-BETA-1 released!". pfSense Digest.
[15] Buechler, Chris (February 25, 2008). "1.2 Release Available!". pfSense Digest.
[16] Buechler, Chris (December 26, 2008). "pfSense 1.2.1 released!". pfSense Digest.
[17] Buechler, Chris (January 9, 2009). "pfSense 1.2.2 released!". pfSense Digest.
[18] Buechler, Chris (December 10, 2009). "pfSense 1.2.3 released!". pfSense Digest.
[19] Buechler, Chris (September 17, 2011). "2.0 Release Now Available!". pfSense Digest.
[20] Buechler, Chris (December 20, 2011). "2.0.1 release now available!". pfSense Digest.
[21] Buechler, Chris (December 21, 2012). "2.0.2 release now available!". pfSense Digest.
[22] Buechler, Chris (April 15, 2013). "2.0.3 release now available!". pfSense Digest.
[23] Buechler, Chris (September 15, 2013). "pfSense 2.1-RELEASE now available!". pfSense Digest.
[24] Thompson, Jim (April 10, 2014). "2.1.2 Release Now available". pfSense Digest.
[25] Dillard, Jared (May 2, 2014). "2.1.3 RELEASE Now available". pfSense Digest.
[26] Dillard, Jared (June 25, 2014). "2.1.4 RELEASE Now available". pfSense Digest.
[27] Dillard, Jared (August 27, 2014). "2.1.5 RELEASE Now available". pfSense Digest.
[28] Buechler, Chris (March 17, 2015). "2.2.1 RELEASE Now available". pfSense Digest. Retrieved 13 April 2015.
[29] Buechler, Chris (April 15, 2015). "2.2.2 RELEASE Now available!". pfSense Digest. Retrieved 15 April 2015.
[30] Schellevis, Jos (January 2, 2015). "OPNsense 15.1-RELEASED". OPNsense website.