pfSense is an open source firewall/router computer software distribution based on FreeBSD.[2][3] It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network and is noted for its reliability [4] and for offering features often found only in expensive commercial firewalls.[5][6] It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[7][6] pfSense is commonly deployed as a perimeter firewall, router,[8] wireless access point, DHCP server, DNS server, and as a VPN endpoint. pfSense supports installation of third-party packages like Snort or Squid through its Package Manager.
The name was derived from the fact that it helps the stateful packet-filtering tool PF (which acts as a firewall, packet filter, and routing service on many BSD and Unix platforms) make more sense to non-technical users.[9]
History
The pfSense project started in 2004 as a fork of the m0n0wall project by Chris Buechler and Scott Ullrich. From the beginning, it focused on full PC installations, as opposed to m0n0wall's focus on embedded hardware. However, pfSense is also available as an embedded image for [10] CompactFlash-based installations. Version 1.0 of the software was released on October 4, 2006. Version 2.0 was released on September 17, 2011.[11] Version 2.1 was released on September 15, 2013 [12] and version 2.2 was released January 23, 2015.[13][14][15]
Version history
Version 1.0 (October 4, 2006) [11]
The first official release.
Version 1.0.1 (October 29, 2006) [16]
Version 1.2 (February 25, 2008) [17][18]
FreeBSD updated to 6.2
Reworked load balancing pools which allow for round robin or failover
Miniupnpd added to the base install
Much enhanced RRD graphs
Numerous Squid Package fixes
dnsmasq updated to 2.36
olsrd updated to 0.4.10
BandwidthD package added
PHP upgraded to 4.4.6
Lighttpd upgraded to 1.4.15
Numerous Bug fixes
Version 1.2.1 (December 26, 2008) [19]
FreeBSD updated to 7.0
Version 1.2.2 (January 9, 2009) [20]
Setup wizard fix
SVG graphs fixed
IPsec reload fix specific to large (100+ site) deployments
Bridge creation code changes
FreeBSD updates for two security advisories
Version 1.2.3 (December 10, 2009) [21]
Upgrade to FreeBSD 7.2
Embedded switched to nanobsd
Dynamic interface bridging bug fix
IPsec connection reloading improvements
Dynamic site to site IPsec
Sticky connections enable/disable
Ability to delete DHCP leases
ipfw state table size
Server load balancing
UDP state timeout increases
Disable auto-added VPN rules option
Multiple servers per-domain in DNS forwarder overrides
No XMLRPC Sync rules fixed
Captive portal locking replaced
Outbound load balancer replaced
Version 2.0 (September 17, 2011) [12]
Version 2.0.1 (December 20, 2011) [22]
Improved accuracy of automated state killing in various cases (#1421)
Various fixes and improvements to relayd
Fixed path to FreeBSD packages repo for 8.1
Various fixes to syslog
Removed/silenced some irrelevant log entries
Fixed various typos
Fixes for RRD upgrade/migration and backup (#1758)
Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
Fixed policy route negation for VPN networks (#1950)
Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
Fixed VoIP rules produced by the traffic shaper wizard (#1948)
Fixed uname display in System Info widget (#1960)
Fixed LDAP custom port handling
Fixed Status > Gateways to show RTT and loss like the widget
Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
Clarified text of serial field when importing a CA (#2031)
Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
Fixed Captive Portal MAC passthrough rules (#1976)
Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
Fixed CARP status widget to properly show “disabled” status.
Fixed end time of custom timespan RRD graphs (#1990)
Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
Fixed handling of OpenVPN client bandwidth limit option
Fixed handling of LDAP certificates (#2018, #1052, #1927)
Enforce validity of RRD graph style
Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
Fixed handling of hostnames in DHCP that start with a number (#2020)
Fixed saving of multiple dynamic gateways (#1993)
Fixed handling of routing with unmonitored gateways
Fixed Firewall > Shaper, By Queues view
Fixed handling of spd.conf with no phase 2’s defined
Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc.)
Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
Lowered size of CF images to again fit on newer and ever-shrinking CF cards.
Clarified text for media selection (#1910)
Version 2.0.2 (December 21, 2012) [23]
Version 2.0.3 (April 15, 2013) [24]
Version 2.1 (September 15, 2013) [13]
Upgrade to FreeBSD 8.3
Updated Atheros drivers
OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc.
PHP to 5.3.x
OpenVPN to 2.3.x
Added mps kernel module
Added ahci kernel module
Updated ixgbe driver
Numerous Bug fixes
Version 2.1.1 (April 4, 2014) [25]
Version 2.1.2 (April 10, 2014) [26]
Heartbleed OpenSSL Security fixes
Version 2.1.3 (May 2, 2014) [27]
Version 2.1.4 (June 25, 2014) [28]
Version 2.1.5 (August 27, 2014) [29]
Version 2.2 (January 23, 2015) [14][15]
Upgrade to FreeBSD 10.1
Update the IPsec stack to include AES-GCM, and IKEv2
Update PHP backend from FastCGI to PHP-FPM
Update PHP to 5.5
Change from dnsmasq to the Unbound DNS Resolver
Numerous Bug Fixes
Version 2.2.1 (March 17, 2015) [30]
Version 2.2.2 (April 15, 2015) [31]
Version 2.2.3 (June 25, 2015) [32]
Version 2.2.4 (July 27, 2015) [33]
Features
Install, update, packages, management
Live CD, update, NanoBSD/embedded, virtual machine, and USB installers available
Packaged support/push-button installer for extensions, including the Squid proxy server, the Snort intrusion prevention/detection system, ntop, the HAVP antivirus package, IP address blocklist
Multi-language
GUI, SSH (if enabled) and serial management
RRD graphs reporting
Traffic shaping and filtering
Real-time information using
Functionality and connectivity
Virtual Private Networks using IPsec, L2TP, OpenVPN, or PPTP
PPPoE server
High availability clustering; redundancy and failover including CARP and pfsync
Outbound and inbound
Quality of Service (QoS)
DHCP server and relay
IPv6 support
Multiple public IP addresses/multi-NAT
RADIUS/LDAP
Multiple resolvers (DNS forwarder, Unbound, TinyDNS, other)
Aliases supported for rules, IP addresses, ports, computers, and other entities
Firewall and routing
Network Address Translation
Filtering by source/destination IP address, protocol, OS/network fingerprinting
Per-rule configurable logging and per-rule limiters (IP addresses, connections, states, new connections, state types), Layer 7 protocol inspection, policy filtering (or packet marking), TCP flag state filtering, scheduling, gateway
Layer 2/bridging capable
State table "up to several hundred thousand" states (approximately 1 KB RAM per state)
State table algorithms customizable including low latency and low-dropout
Packages available as "push button installs" among others:
Hardware
pfSense 2.x has low minimum system requirements (for example 256 MB RAM and 500 MHz CPU) and can be installed on hardware with [34] x86 or x86-64 architecture. It is also available for embedded system hardware using Compact Flash or SD cards. pfSense also supports virtualized installation.
References
[1] "pfSense Overview". www.pfsense.org. Electric Sheep Fencing LLC. Retrieved 28 June 2015.
[2] "You should be running a pfSense firewall". InfoWorld. 22 December 2014. Retrieved 27 July 2015.
[3] "Enterprises cut costs with open-source routers". Network World. 9 June 2009. Retrieved 5 August 2015.
[4] "Multiple Vulnerabilities Patched in pfSense". Security Week. 26 March 2015. Retrieved 5 August 2015.
[5] Danen, Vincent (December 7, 2009). "DIY pfSense firewall system beats others for features, reliability, and security". TechRepublic. "If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider"
[6] Miller, Sloan (June 26, 2008). "Configure a professional firewall using pfSense". Free Software Magazine (22). "No experience is needed with FreeBSD or GNU/Linux to install and run pfSense"
[7] Stahie, Silviu (April 7, 2014). "pfSense 2.1.1 Firewall Distro Can Replace Any Commercial Alternative". Softpedia.
[8] Venezia, Paul. "You should be running pfsense". InfoWorld. http://www.infoworld.com/article/2861574/network-security/you-should-be-running-pfsense-firewall.html
[9] Buechler, Chris (June 21, 2007). "So what does pfSense stand for/mean, anyway?". pfSense Digest.
[10] "pfSense Open Source Firewall Distribution - History".
[11] Ullrich, Scott (October 13, 2006). "1.0-RELEASED!". pfSense Digest.
[12] Buechler, Chris (September 17, 2011). "2.0-RELEASED!". pfSense Digest.
[13] Buechler, Chris (September 15, 2013). "pfSense 2.1-RELEASE now available!". pfSense Digest.
[14] Buechler, Chris (January 23, 2015). "2.2 Release now available!". pfSense Digest.
[15] http://distrowatch.com/table.php?distribution=pfsense
[16] Ullrich, Scott (October 29, 2006). "1.0.1-RELEASED!". pfSense Digest.
[17] Ullrich, Scott (April 29, 2007). "1.2-BETA-1 released!". pfSense Digest.
[18] Buechler, Chris (February 25, 2008). "1.2 Release Available!". pfSense Digest.
[19] Buechler, Chris (December 26, 2008). "pfSense 1.2.1 released!". pfSense Digest.
[20] Buechler, Chris (January 9, 2009). "pfSense 1.2.2 released!". pfSense Digest.
[21] Buechler, Chris (December 10, 2009). "pfSense 1.2.3 released!". pfSense Digest.
[22] Buechler, Chris (December 20, 2011). "2.0.1 release now available!". pfSense Digest.
[23] Buechler, Chris (December 21, 2012). "2.0.2 release now available!". pfSense Digest.
[24] Buechler, Chris (April 15, 2013). "2.0.3 release now available!". pfSense Digest.
[25] Thompson, Jim (April 4, 2014). "2.1.1-RELEASE now available". pfSense Digest.
[26] Thompson, Jim (April 10, 2014). "2.1.2 Release Now available". pfSense Digest.
[27] Dillard, Jared (May 2, 2014). "2.1.3 RELEASE Now available". pfSense Digest.
[28] Dillard, Jared (June 25, 2014). "2.1.4 RELEASE Now available". pfSense Digest.
[29] Dillard, Jared (August 27, 2014). "2.1.5 RELEASE Now available". pfSense Digest.
[30] Buechler, Chris (March 17, 2015). "2.2.1 RELEASE Now available". pfSense Digest. Retrieved 13 April 2015.
[31] Buechler, Chris (April 15, 2015). "2.2.2 RELEASE Now available!". pfSense Digest. Retrieved 15 April 2015.
[32] Buechler, Chris (June 25, 2015). "2.2.3 RELEASE Now available!". pfSense Digest. Retrieved 7 July 2015.
[33] Buechler, Chris (July 27, 2015). "2.2.4 RELEASE Now available!". pfSense Digest. Retrieved 27 July 2015.
[34] "Hardware". Electric Sheep Fencing LLC. Retrieved 5 August 2015.