pfSense

From Wikipedia, the free encyclopedia
Developer: Electric Sheep Fencing, LLC
OS family: FreeBSD (10.3-RELEASE)
Working state: Current
Source model: Open source
Latest release: 2.3.2[1] (July 25, 2016)
Platforms: IA-32, x86-64
Kernel type: Monolithic kernel
License: Apache License 2.0[2]
Official website: www.pfsense.org

pfSense is an open source firewall/router computer software distribution based on FreeBSD.[3][4][5] It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network, and is noted for its reliability[6] and for offering features often only found in expensive commercial firewalls.[7][8] It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[7][9] pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. pfSense supports installation of third-party packages like Snort or Squid through its Package Manager.

Name

The name derives from the fact that the software helps the stateful packet-filtering tool PF (which acts as a firewall, packet filter, and routing service on many BSD and Unix platforms) make more sense to non-technical users.[10]

History

The pfSense project started in 2004 as a fork of the m0n0wall project by Chris Buechler and Scott Ullrich.[11] From the beginning, it focused on full PC installations, as opposed to m0n0wall's focus on embedded hardware. However, pfSense is also available as an embedded image for CompactFlash-based installations. Version 1.0 of the software was released on October 4, 2006.[12] Version 2.0 was released on September 17, 2011.[13] Version 2.1 was released on September 15, 2013,[14] and version 2.2 was released on January 23, 2015.[15][16] Version 2.3 was released on April 12, 2016.[17]

Version history

Version Release date Significant changes
1.0[12] October 4, 2006
  • The first official release.
1.0.1[18] October 29, 2006
  • Bug fixes
1.2[19][20] February 25, 2008
  • FreeBSD updated to 6.2
  • Reworked load balancing pools which allow for round robin or failover
  • Miniupnpd added to the base install
  • Much enhanced RRD graphs
  • Numerous Squid Package fixes
  • dnsmasq updated to 2.36
  • olsrd updated to 0.4.10
  • BandwidthD package added
  • PHP upgraded to 4.4.6
  • Lighttpd upgraded to 1.4.15
  • Numerous Bug fixes
1.2.1[21] December 26, 2008
  • FreeBSD updated to 7.0
  • Bug fixes
1.2.2[22] January 9, 2009
  • Setup wizard fix
  • SVG graphs fixed
  • IPsec reload fix specific to large (100+ site) deployments
  • Bridge creation code changes
  • FreeBSD updates for two security advisories
1.2.3[23] December 10, 2009
  • Upgrade to FreeBSD 7.2
  • Embedded switched to nanobsd
  • Dynamic interface bridging bug fix
  • IPsec connection reloading improvements
  • Dynamic site to site IPsec
  • Sticky connections enable/disable
  • Ability to delete DHCP leases
  • Polling fixed
  • ipfw state table size
  • Server load balancing
  • UDP state timeout increases
  • Disable auto-added VPN rules option
  • Multiple servers per-domain in DNS forwarder overrides
  • No XMLRPC Sync rules fixed
  • Captive portal locking replaced
  • DNS Forwarder
  • Outbound load balancer replaced
2.0[13] September 17, 2011
2.0.1[24] December 20, 2011
  • Improved accuracy of automated state killing in various cases (#1421)
  • Various fixes and improvements to relayd
  • Fixed path to FreeBSD packages repo for 8.1
  • Various fixes to syslog
  • Removed/silenced some irrelevant log entries
  • Fixed various typos
  • Fixes for RRD upgrade/migration and backup (#1758)
  • Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
  • Fixed policy route negation for VPN networks (#1950)
  • Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
  • Fixed VoIP rules produced by the traffic shaper wizard (#1948)
  • Fixed uname display in System Info widget (#1960)
  • Fixed LDAP custom port handling
  • Fixed Status > Gateways to show RTT and loss like the widget
  • Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
  • Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
  • Clarified text of serial field when importing a CA (#2031)
  • Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
  • Fixed Captive Portal MAC passthrough rules (#1976)
  • Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
  • Fixed CARP status widget to properly show “disabled” status.
  • Fixed end time of custom timespan RRD graphs (#1990)
  • Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
  • Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
  • Fixed handling of OpenVPN client bandwidth limit option
  • Fixed handling of LDAP certificates (#2018, #1052, #1927)
  • Enforce validity of RRD graph style
  • Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
  • Fixed handling of hostnames in DHCP that start with a number (#2020)
  • Fixed saving of multiple dynamic gateways (#1993)
  • Fixed handling of routing with unmonitored gateways
  • Fixed Firewall > Shaper, By Queues view
  • Fixed handling of spd.conf with no phase 2’s defined
  • Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc.)
  • Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
  • Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
  • Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
  • Lowered size of CF images to again fix on newer and ever-shrinking CF cards.
  • Clarified text for media selection (#1910)
2.0.2[25] December 21, 2012
  • Bug fixes
  • Security fixes
2.0.3[26] April 15, 2013
  • Bug fixes
  • Security fixes
2.1[14] September 15, 2013
  • IPv6 Support
  • Upgrade to FreeBSD 8.3
  • Updated Atheros drivers
  • OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc.
  • PHP to 5.3.x
  • OpenVPN to 2.3.x
  • Added mps kernel module
  • Added ahci kernel module
  • Updated ixgbe driver
  • Numerous Bug fixes
  • Security fixes
2.1.1[27] April 4, 2014
  • Security fixes
2.1.2[28] April 10, 2014
  • Heartbleed OpenSSL Security fixes
  • Bug fixes
2.1.3[29] May 2, 2014
  • Security fixes
  • Bug fixes
2.1.4[30] June 25, 2014
  • Security fixes
  • Bug fixes
2.1.5[31] August 27, 2014
  • Security fixes
  • Bug fixes
2.2[15][16] January 23, 2015
  • Upgrade to FreeBSD 10.1
  • Update the IPsec stack to include AES-GCM, and IKEv2
  • Update PHP backend from FastCGI to PHP-FPM
  • Update PHP to 5.5
  • Change from dnsmasq to the Unbound DNS Resolver
  • Numerous Bug Fixes
2.2.1[32] March 17, 2015
  • Security fixes
  • Bug fixes
2.2.2[33] April 15, 2015
  • Security fixes
  • Bug fixes
2.2.3[34] June 25, 2015
  • Security fixes
  • Bug fixes
2.2.4[35] July 27, 2015
  • Security fixes
  • Bug fixes
2.2.5[36] November 5, 2015
  • Security fixes
  • Bug fixes
2.2.6[37] December 21, 2015
  • Security fixes
  • Bug fixes
2.3[17] April 12, 2016
  • Upgrade to FreeBSD 10.3
  • Rewrite of the webGUI utilizing Bootstrap
  • Numerous Bug Fixes
2.3.1[38] May 18, 2016
  • Security fixes
  • Bug fixes
2.3.2[39] July 25, 2016
  • Security fixes
  • Bug fixes

Features

Install, update, packages, management
  • Live CD, update, NanoBSD/embedded, virtual machine, and USB installers available
  • Packaged support/push-button installer for extensions, including the Squid proxy server, the Snort intrusion prevention/detection system, ntop, the HAVP antivirus package, IP address blocklist
  • Multi-language
  • Console, web-based GUI, SSH (if enabled) and serial management
  • RRD graphs reporting
  • Traffic shaping and filtering
  • Real-time information using Ajax
Functionality and connectivity
Firewall and routing
  • Stateful firewall
  • Network Address Translation
  • Filtering by source/destination IP address, protocol, OS/network fingerprinting
  • Flexible routing
  • Per-rule configurable logging and per-rule limiters (IP addresses, connections, states, new connections, state types), Layer 7 protocol inspection, policy filtering (or packet marking), TCP flag state filtering, scheduling, gateway
  • Packet scrubbing
  • Layer 2/bridging capable
  • State table of "up to several hundred thousand" states (approximately 1 KB of RAM per state)
  • State table algorithms customizable including low latency and low-dropout
Packages support

Packages available as "push button installs" among others:

Hardware

pfSense 2.1 through 2.3 have low minimum system requirements (for example 256 MB RAM and 500 MHz CPU)[40] and can be installed on hardware with x86 or x86-64 architecture. After 2.3, pfSense will require the x86-64 architecture, ending support for 32-bit installations.[citation needed] It is also available for embedded system hardware using CompactFlash or SD cards. pfSense also supports virtualized installation.


References

  1. Buechler, Chris (July 25, 2016). "pfSense 2.3.2 Available". pfSense Digest. Electric Sheep Fencing LLC. Retrieved 25 July 2016.
  2. "pfSense moves to Apache License". Retrieved 15 June 2016.
  3. "You should be running a pfSense firewall". InfoWorld. 22 December 2014. Retrieved 27 July 2015.
  4. "Enterprises cut costs with open-source routers". Network World. 9 June 2009. Retrieved 5 August 2015.
  5. "Multiple Vulnerabilities Patched in pfSense". Security Week. 26 March 2015. Retrieved 5 August 2015.
  6. Danen, Vincent (December 7, 2009). "DIY pfSense firewall system beats others for features, reliability, and security". TechRepublic. "If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider"
  7. Miller, Sloan (June 26, 2008). "Configure a professional firewall using pfSense". Free Software Magazine (22). "No experience is needed with FreeBSD or GNU/Linux to install and run pfSense"
  8. Stahie, Silviu (April 7, 2014). "pfSense 2.1.1 Firewall Distro Can Replace Any Commercial Alternative". Softpedia.
  9. Venezia, Paul. "You should be running pfsense". InfoWorld. http://www.infoworld.com/article/2861574/network-security/you-should-be-running-pfsense-firewall.html
  10. Buechler, Chris (June 21, 2007). "So what does pfSense stand for/mean, anyway?". pfSense Digest.
  11. "pfSense Open Source Firewall Distribution - History".
  12. Ullrich, Scott (October 13, 2006). "1.0-RELEASED!". pfSense Digest.
  13. Buechler, Chris (September 17, 2011). "2.0-RELEASED!". pfSense Digest.
  14. Buechler, Chris (September 15, 2013). "pfSense 2.1-RELEASE now available!". pfSense Digest.
  15. Buechler, Chris (January 23, 2015). "2.2 Release now available!". pfSense Digest.
  16. "DistroWatch.com: pfSense".
  17. Buechler, Chris (April 12, 2016). "2.3-RELEASE Now available!". pfSense Digest. Retrieved 12 April 2016.
  18. Ullrich, Scott (October 29, 2006). "1.0.1-RELEASED!". pfSense Digest.
  19. Ullrich, Scott (April 29, 2007). "1.2-BETA-1 released!". pfSense Digest.
  20. Buechler, Chris (February 25, 2008). "1.2 Release Available!". pfSense Digest.
  21. Buechler, Chris (December 26, 2008). "pfSense 1.2.1 released!". pfSense Digest.
  22. Buechler, Chris (January 9, 2009). "pfSense 1.2.2 released!". pfSense Digest.
  23. Buechler, Chris (December 10, 2009). "pfSense 1.2.3 released!". pfSense Digest.
  24. Buechler, Chris (December 20, 2011). "2.0.1 release now available!". pfSense Digest.
  25. Buechler, Chris (December 21, 2012). "2.0.2 release now available!". pfSense Digest.
  26. Buechler, Chris (April 15, 2013). "2.0.3 release now available!". pfSense Digest.
  27. Thompson, Jim (April 4, 2014). "2.1.1-RELEASE now available". pfSense Digest.
  28. Thompson, Jim (April 10, 2014). "2.1.2 Release Now available". pfSense Digest.
  29. Dillard, Jared (May 2, 2014). "2.1.3 RELEASE Now available". pfSense Digest.
  30. Dillard, Jared (June 25, 2014). "2.1.4 RELEASE Now available". pfSense Digest.
  31. Dillard, Jared (August 27, 2014). "2.1.5 RELEASE Now available". pfSense Digest.
  32. Buechler, Chris (March 17, 2015). "2.2.1 RELEASE Now available". pfSense Digest. Retrieved 13 April 2015.
  33. Buechler, Chris (April 15, 2015). "2.2.2 RELEASE Now available!". pfSense Digest. Retrieved 15 April 2015.
  34. Buechler, Chris (June 25, 2015). "2.2.3 RELEASE Now available!". pfSense Digest. Retrieved 7 July 2015.
  35. Buechler, Chris (July 27, 2015). "2.2.4 RELEASE Now available!". pfSense Digest. Retrieved 27 July 2015.
  36. Buechler, Chris (November 5, 2015). "2.2.5 RELEASE Now available!". pfSense Digest. Retrieved 1 December 2015.
  37. Buechler, Chris (December 21, 2015). "2.2.6-RELEASE Now available!". pfSense Digest. Retrieved 1 December 2015.
  38. Buechler, Chris (May 18, 2016). "2.3.1-RELEASE Now available!". pfSense Digest. Retrieved 18 May 2016.
  39. Buechler, Chris (July 25, 2016). "2.3.2-RELEASE Now available!". pfSense Digest. Retrieved 25 July 2016.
  40. "Hardware". Electric Sheep Fencing LLC. Retrieved 5 August 2015.
