pfSense

From Wikipedia, the free encyclopedia
Developer: Rubicon Communications, LLC (Netgate)
OS family: FreeBSD (11.1-RELEASE)
Working state: Current
Source model: Open source
Latest release: 2.4.1[1] / October 19, 2017
Platforms: IA-32 (no longer supported from 2.4.0 onward)[2], x86-64, ARM
Kernel type: Monolithic kernel
License: Apache License 2.0[3]
Official website: www.pfsense.org

pfSense is an open source firewall/router computer software distribution based on FreeBSD.[4][5][6] It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network and has been noted for its reliability[7] and offering a range of features.[8][9] It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[8][10] pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and as a VPN endpoint. pfSense supports installation of third-party packages like Snort or Squid through its Package Manager.

History

The pfSense project started in 2004 as a fork of the m0n0wall project by Chris Buechler and Scott Ullrich.[11] From the beginning, it focused on full PC installations, as opposed to m0n0wall's focus on embedded hardware. However, pfSense is also available as an embedded image for CompactFlash-based installations. Version 1.0 of the software was released on October 4, 2006.[12] Version 2.0 was released on September 17, 2011.[13] Version 2.1 was released on September 15, 2013.[14]

In 2014 pfSense was acquired by Electric Sheep Fencing LLC (ESF)[15] and the pfSense project licence terms changed.[16][17] Subsequently, in order to get further access to the pfSense build repositories, an appropriate ESF Contributor License Agreement had to be signed by developers.[18]

pfSense version 2.2 was released on January 23, 2015.[19][20] Version 2.3 was released on April 12, 2016.[21] Since July 2016, pfSense has been licensed under the Apache License 2.0, with copyright held by Rubicon Communications, LLC (Netgate).[22]

As of 2016 pfSense is described by servethehome.com as the "gold standard" for open source network appliances in its buyer guides.[23]

Name

The name derives from the fact that the software helps the stateful packet-filtering tool PF (which acts as a firewall, packet filter, and routing service on many BSD and Unix platforms) make more sense to non-technical users.[24]

Hardware requirements

pfSense versions 2.1 through 2.3 have low minimum system requirements (for example 256 MB RAM and 500 MHz CPU)[25] and can be installed on hardware with x86 or x86-64 architecture. After 2.3, pfSense will require the x86-64 architecture, ending support for 32-bit installations.[26] Starting with 2.5, plans are to require cryptographic hardware acceleration, such as AES-NI.[27] It is also available for embedded system hardware using CompactFlash or SD cards. pfSense also supports virtualized installation.

Features

Install, update, packages, management
  • Live CD, update, NanoBSD/embedded, virtual machine, and USB installers available
  • Packaged support/push-button installer for extensions, including the Squid proxy server, the Snort intrusion prevention/detection system, ntop, the HAVP antivirus package, IP address blocklist
  • Multi-language
  • Console, web-based GUI, SSH (if enabled) and serial management
  • RRD graphs reporting
  • Traffic shaping and filtering
  • Real-time information using Ajax
Functionality and connectivity
Firewall and routing
  • Stateful firewall
  • Network Address Translation
  • Filtering by source/destination IP address, protocol, OS/network fingerprinting
  • Flexible routing
  • Per-rule configurable logging and per-rule limiters (IP addresses, connections, states, new connections, state types), Layer 7 protocol inspection, policy filtering (or packet marking), TCP flag state filtering, scheduling, gateway
  • Packet scrubbing
  • Layer 2/bridging capable
  • State table of "up to several hundred thousand" states (approximately 1 KB of RAM per state)
  • State table algorithms customizable including low latency and low-dropout
Packages support

Packages available as "push button installs" among others:

Version history

Version Release date Significant changes
1.0[12] October 4, 2006
  • The first official release.
1.0.1[28] October 29, 2006
  • Bug fixes
1.2[29][30] February 25, 2008
  • FreeBSD updated to 6.2
  • Reworked load balancing pools which allow for round robin or failover
  • Miniupnpd added to the base install
  • Much enhanced RRD graphs
  • Numerous Squid Package fixes
  • dnsmasq updated to 2.36
  • olsrd updated to 0.4.10
  • BandwidthD package added
  • PHP upgraded to 4.4.6
  • Lighttpd upgraded to 1.4.15
  • Numerous Bug fixes
1.2.1[31] December 26, 2008
  • FreeBSD updated to 7.0
  • Bug fixes
1.2.2[32] January 9, 2009
  • Setup wizard fix
  • SVG graphs fixed
  • IPsec reload fix specific to large (100+ site) deployments
  • Bridge creation code changes
  • FreeBSD updates for two security advisories
1.2.3[33] December 10, 2009
  • Upgrade to FreeBSD 7.2
  • Embedded switched to nanobsd
  • Dynamic interface bridging bug fix
  • IPsec connection reloading improvements
  • Dynamic site to site IPsec
  • Sticky connections enable/disable
  • Ability to delete DHCP leases
  • Polling fixed
  • ipfw state table size
  • Server load balancing
  • UDP state timeout increases
  • Disable auto-added VPN rules option
  • Multiple servers per-domain in DNS forwarder overrides
  • No XMLRPC Sync rules fixed
  • Captive portal locking replaced
  • DNS Forwarder
  • Outbound load balancer replaced
2.0[13] September 17, 2011
2.0.1[34] December 20, 2011
  • Improved accuracy of automated state killing in various cases (#1421)
  • Various fixes and improvements to relayd
  • Fixed path to FreeBSD packages repo for 8.1
  • Various fixes to syslog
  • Removed/silenced some irrelevant log entries
  • Fixed various typos
  • Fixes for RRD upgrade/migration and backup (#1758)
  • Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
  • Fixed policy route negation for VPN networks (#1950)
  • Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
  • Fixed VoIP rules produced by the traffic shaper wizard (#1948)
  • Fixed uname display in System Info widget (#1960)
  • Fixed LDAP custom port handling
  • Fixed Status > Gateways to show RTT and loss like the widget
  • Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
  • Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
  • Clarified text of serial field when importing a CA (#2031)
  • Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
  • Fixed Captive Portal MAC passthrough rules (#1976)
  • Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
  • Fixed CARP status widget to properly show “disabled” status.
  • Fixed end time of custom timespan RRD graphs (#1990)
  • Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
  • Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
  • Fixed handling of OpenVPN client bandwidth limit option
  • Fixed handling of LDAP certificates (#2018, #1052, #1927)
  • Enforce validity of RRD graph style
  • Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
  • Fixed handling of hostnames in DHCP that start with a number (#2020)
  • Fixed saving of multiple dynamic gateways (#1993)
  • Fixed handling of routing with unmonitored gateways
  • Fixed Firewall > Shaper, By Queues view
  • Fixed handling of spd.conf with no phase 2’s defined
  • Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc.)
  • Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
  • Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
  • Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
  • Lowered size of CF images to again fix on newer and ever-shrinking CF cards.
  • Clarified text for media selection (#1910)
2.0.2[35] December 21, 2012
  • Bug fixes
  • Security fixes
2.0.3[36] April 15, 2013
  • Bug fixes
  • Security fixes
2.1[14] September 15, 2013
  • IPv6 Support
  • Upgrade to FreeBSD 8.3
  • Updated Atheros drivers
  • OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc.
  • PHP to 5.3.x
  • OpenVPN to 2.3.x
  • Added mps kernel module
  • Added ahci kernel module
  • Updated ixgbe driver
  • Numerous Bug fixes
  • Security fixes
2.1.1[37] April 4, 2014
  • Security fixes
2.1.2[38] April 10, 2014
  • Heartbleed OpenSSL Security fixes
  • Bug fixes
2.1.3[39] May 2, 2014
  • Security fixes
  • Bug fixes
2.1.4[40] June 25, 2014
  • Security fixes
  • Bug fixes
2.1.5[41] August 27, 2014
  • Security fixes
  • Bug fixes
2.2[19][20] January 23, 2015
  • Upgrade to FreeBSD 10.1
  • Update the IPsec stack to include AES-GCM, and IKEv2
  • Update PHP backend from FastCGI to PHP-FPM
  • Update PHP to 5.5
  • Change from dnsmasq to the Unbound DNS Resolver
  • Numerous Bug Fixes
2.2.1[42] March 17, 2015
  • Security fixes
  • Bug fixes
2.2.2[43] April 15, 2015
  • Security fixes
  • Bug fixes
2.2.3[44] June 25, 2015
  • Security fixes
  • Bug fixes
2.2.4[45] July 27, 2015
  • Security fixes
  • Bug fixes
2.2.5[46] November 5, 2015
  • Security fixes
  • Bug fixes
2.2.6[47] December 21, 2015
  • Security fixes
  • Bug fixes
2.3[21] April 12, 2016
  • Upgrade to FreeBSD 10.3
  • Rewrite of the webGUI utilizing Bootstrap
  • Numerous Bug Fixes
2.3.1[48] May 18, 2016
  • Security fixes
  • Bug fixes
2.3.2[49] July 25, 2016
  • Security fixes
  • Bug fixes
2.3.3[50] February 20, 2017
  • Stability and Bug fixes
  • Fixes for a handful of security issues in the GUI
  • A handful of new features
2.3.4[51] May 4, 2017
  • Stability and Bug fixes
  • Fixes for a handful of security issues in the GUI
  • A handful of new features
2.4.0[52] Oct 12, 2017
  • FreeBSD updated to 11.1
  • New pfSense installer with support for ZFS, UEFI, and other partition layouts
  • OpenVPN 2.4.x support
  • GUI offers 13 different languages
  • Web GUI improvements
  • Certificate management improvements
  • Captive portal rewritten to include CSR signing and international character support

References

  1. Pingle, Jim (2017-10-12). "pfSense 2.4.1-RELEASE Now Available". pfSense Digest. Rubicon Communications, LLC (Netgate). Retrieved 2017-10-19.
  2. Pingle, Jim (2017-10-19). "pfSense 2.4.1-RELEASE Now Available". pfSense Digest. Rubicon Communications, LLC (Netgate). Retrieved 2017-10-19.
  3. "pfSense moves to Apache License". Retrieved 15 June 2016.
  4. "You should be running a pfSense firewall". InfoWorld. 22 December 2014. Retrieved 27 July 2015.
  5. "Enterprises cut costs with open-source routers". Network World. 9 June 2009. Retrieved 5 August 2015.
  6. "Multiple Vulnerabilities Patched in pfSense". Security Week. 26 March 2015. Retrieved 5 August 2015.
  7. Danen, Vincent (December 7, 2009). "DIY pfSense firewall system beats others for features, reliability, and security". TechRepublic. If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider
  8. Miller, Sloan (June 26, 2008). "Configure a professional firewall using pfSense". Free Software Magazine (22). No experience is needed with FreeBSD or GNU/Linux to install and run pfSense
  9. Stahie, Silviu (April 7, 2014). "pfSense 2.1.1 Firewall Distro Can Replace Any Commercial Alternative". Softpedia. Firewall Distro Can Replace Any Commercial Alternative
  10. "You should be running pfsense" - Paul Venezia, InfoWorld http://www.infoworld.com/article/2861574/network-security/you-should-be-running-pfsense-firewall.html
  11. "pfSense Open Source Firewall Distribution - History".
  12. Ullrich, Scott (October 13, 2006). "1.0-RELEASED!". pfSense Digest.
  13. Buechler, Chris (September 17, 2011). "2.0-RELEASED!". pfSense Digest.
  14. Buechler, Chris (September 15, 2013). "pfSense 2.1-RELEASE now available!". pfSense Digest.
  15. "Electric Sheep Fencing". Electric Sheep Fencing. Archived from the original on 5 July 2014. Retrieved 21 November 2016.
  16. "The pfSense® software usage terms have changed". Yawarra Tiny Computers. Retrieved 21 November 2016.
  17. "About pfSense -". Electric Sheep Fencing LLC. Archived from the original on 3 July 2014. Retrieved 21 November 2016.
  18. "License Agreement Form". Electric Sheep Fencing LLC. Archived from the original on 5 September 2015. Retrieved 21 November 2016.
  19. Buechler, Chris (January 23, 2015). "2.2 Release now available!". pfSense Digest.
  20. "DistroWatch.com: pfSense".
  21. Buechler, Chris (April 12, 2016). "2.3-RELEASE Now available!". pfSense Digest. Retrieved 12 April 2016.
  22. "Take A Tour of pfSense - Legal, License". Rubicon Communications, LLC (Netgate). Retrieved 21 November 2016.
  23. Servethehome.com Buyers' Guides: "pfSense is the gold standard for open source network appliances"
  24. Buechler, Chris (June 21, 2007). "So what does pfSense stand for/mean, anyway?". pfSense Digest.
  25. "Hardware". Electric Sheep Fencing LLC. Retrieved 5 August 2015.
  26. "64-bit support". Electric Sheep Fencing LLC. Retrieved 7 May 2017.
  27. "pfSense 2.5 and AES-NI". Electric Sheep Fencing LLC. Retrieved 25 September 2017.
  28. Ullrich, Scott (October 29, 2006). "1.0.1-RELEASED!". pfSense Digest.
  29. Ullrich, Scott (April 29, 2007). "1.2-BETA-1 released!". pfSense Digest.
  30. Buechler, Chris (February 25, 2008). "1.2 Release Available!". pfSense Digest.
  31. Buechler, Chris (December 26, 2008). "pfSense 1.2.1 released!". pfSense Digest.
  32. Buechler, Chris (January 9, 2009). "pfSense 1.2.2 released!". pfSense Digest.
  33. Buechler, Chris (December 10, 2009). "pfSense 1.2.3 released!". pfSense Digest.
  34. Buechler, Chris (December 20, 2011). "2.0.1 release now available!". pfSense Digest.
  35. Buechler, Chris (December 21, 2012). "2.0.2 release now available!". pfSense Digest.
  36. Buechler, Chris (April 15, 2013). "2.0.3 release now available!". pfSense Digest.
  37. Thompson, Jim (April 4, 2014). "2.1.1-RELEASE now available". pfSense Digest.
  38. Thompson, Jim (April 10, 2014). "2.1.2 Release Now available". pfSense Digest.
  39. Dillard, Jared (May 2, 2014). "2.1.3 RELEASE Now available". pfSense Digest.
  40. Dillard, Jared (June 25, 2014). "2.1.4 RELEASE Now available". pfSense Digest.
  41. Dillard, Jared (August 27, 2014). "2.1.5 RELEASE Now available". pfSense Digest.
  42. Buechler, Chris (March 17, 2015). "2.2.1 RELEASE Now available". pfSense Digest. Retrieved 13 April 2015.
  43. Buechler, Chris (April 15, 2015). "2.2.2 RELEASE Now available!". pfSense Digest. Retrieved 15 April 2015.
  44. Buechler, Chris (June 25, 2015). "2.2.3 RELEASE Now available!". pfSense Digest. Retrieved 7 July 2015.
  45. Buechler, Chris (July 27, 2015). "2.2.4 RELEASE Now available!". pfSense Digest. Retrieved 27 July 2015.
  46. Buechler, Chris (November 5, 2015). "2.2.5 RELEASE Now available!". pfSense Digest. Retrieved 1 December 2015.
  47. Buechler, Chris (December 21, 2015). "2.2.6-RELEASE Now available!". pfSense Digest. Retrieved 1 December 2015.
  48. Buechler, Chris (May 18, 2016). "2.3.1-RELEASE Now available!". pfSense Digest. Retrieved 18 May 2016.
  49. Buechler, Chris (July 25, 2016). "2.3.2-RELEASE Now available!". pfSense Digest. Retrieved 25 July 2016.
  50. Pingle, Jim (February 20, 2017). "pfSense 2.3.3 RELEASE Now Available!". pfSense Digest. Retrieved 20 February 2017.
  51. Pingle, Jim (May 4, 2017). "pfSense 2.3.4 RELEASE Now Available!". Netgate Blog. Retrieved 4 May 2017.
  52. Pingle, Jim (Oct 12, 2017). "pfSense 2.4.0-RELEASE Now Available!". pfSense Digest. Retrieved 12 Oct 2017.

Further reading

  • pfSense: The Definitive Guide to the Open Source Firewall and Router Distribution. Reed Media Services, 2009. ISBN 978-0-9790342-8-2. By Christopher M. Buechler and Jim Pingle.
  • pfSense 2 Cookbook. Birmingham, UK: Packt Publishing, 2011. ISBN 978-1849514866. By Matt Williamson.
