pfSense

pfSense
Developer Rubicon Communications, LLC (Netgate)
OS family FreeBSD (10.3-RELEASE)
Working state Current
Source model Open source
Latest release 2.3.2-p1[1] / October 6, 2016 (2016-10-06)
Platforms IA-32, x86-64
Kernel type Monolithic kernel
License Apache License 2.0[2]
Official website www.pfsense.org

pfSense is an open source firewall/router computer software distribution based on FreeBSD.[3][4][5] It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network and has been noted for its reliability[6] and offering a range of features .[7][8] It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.[7][9] pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and as a VPN endpoint. pfSense supports installation of third-party packages like Snort or Squid through its Package Manager. As of 2016 pfSense is described by servethehome.com as the "gold standard" for open source network appliances in its buyer guides.[10]

Name

The name was derived from the fact that it helps make the stateful packet-filtering tool PF (which acts as a firewall, packet filter, and routing service on many BSD and Unix platforms) make more sense to non-technical users.[11]

History

The pfSense project started in 2004 as a fork of the m0n0wall project by Chris Buechler and Scott Ullrich.[12] From the beginning, it focused on full PC installations, as opposed to m0n0wall's focus on embedded hardware. However, pfSense is also available as an embedded image for CompactFlash-based installations. Version 1.0 of the software was released on October 4, 2006.[13] Version 2.0 was released on September 17, 2011.[14] Version 2.1 was released on September 15, 2013.[15] pfSense version 2.2 was released January 23, 2015.[16][17] Version 2.3 was released on April 12, 2016.[18] Since July 2016, pfSense is licensed under the Apache License 2.0 and is copyright by Rubicon Communications, LLC (Netgate).[19]

Version history

Version history
Version Release date Significant changes
1.0[13] October 4, 2006
  • The first official release.
1.0.1[20] October 29, 2006
  • Bug fixes
1.2[21][22] February 25, 2008
  • FreeBSD updated to 6.2
  • Reworked load balancing pools which allow for round robin or failover
  • Miniupnpd added to the base install
  • Much enhanced RRD graphs
  • Numerous Squid Package fixes
  • dnsmasq updated to 2.36
  • olsrd updated to 0.4.10
  • BandwidthD package added
  • PHP upgraded to 4.4.6
  • Lighttpd upgraded to 1.4.15
  • Numerous Bug fixes
1.2.1[23] December 26, 2008
  • FreeBSD updated to 7.0
  • Bug fixes
1.2.2[24] January 9, 2009
  • Setup wizard fix
  • SVG graphs fixed
  • (IPsec reload fix specific to large (100+ site) deployments
  • Bridge creation code changes
  • FreeBSD updates for two security advisories
1.2.3[25] December 10, 2009
  • Upgrade to FreeBSD 7.2
  • Embedded switched to nanobsd
  • Dynamic interface bridging bug fix
  • IPsec connection reloading improvements
  • Dynamic site to site IPsec
  • Sticky connections enable/disable
  • Ability to delete DHCP leases
  • Polling fixed
  • ipfw state table size
  • Server load balancing
  • UDP state timeout increases
  • Disable auto-added VPN rules option
  • Multiple servers per-domain in DNS forwarder overrides
  • No XMLRPC Sync rules fixed
  • Captive portal locking replaced
  • DNS Forwarder
  • Outbound load balancer replaced
2.0[14] September 17, 2011
2.0.1[26] December 20, 2011
  • Improved accuracy of automated state killing in various cases (#1421)
  • Various fixes and improvements to relayd
  • Fixed path to FreeBSD packages repo for 8.1
  • Various fixes to syslog
  • Removed/silenced some irrelevant log entries
  • Fixed various typos
  • Fixes for RRD upgrade/migration and backup (#1758)
  • Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
  • Fixed policy route negation for VPN networks (#1950)
  • Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
  • Fixed VoIP rules produced by the traffic shaper wizard (#1948)
  • Fixed uname display in System Info widget (#1960)
  • Fixed LDAP custom port handling
  • Fixed Status > Gateways to show RTT and loss like the widget
  • Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
  • Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
  • Clarified text of serial field when importing a CA (#2031)
  • Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
  • Fixed Captive Portal MAC passthrough rules (#1976)
  • Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
  • Fixed CARP status widget to properly show “disabled” status.
  • Fixed end time of custom timespan RRD graphs (#1990)
  • Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
  • Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
  • Fixed handling of OpenVPN client bandwidth limit option
  • Fixed handling of LDAP certificates (#2018, #1052, #1927)
  • Enforce validity of RRD graph style
  • Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
  • Fixed handling of hostnames in DHCP that start with a number (#2020)
  • Fixed saving of multiple dynamic gateways (#1993)
  • Fixed handling of routing with unmonitored gateways
  • Fixed Firewall > Shaper, By Queues view
  • Fixed handling of spd.conf with no phase 2’s defined
  • Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc.)
  • Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
  • Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
  • Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
  • Lowered size of CF images to again fix on newer and ever-shrinking CF cards.
  • Clarified text for media selection (#1910)
2.0.2[27] December 21, 2012
  • Bug fixes
  • Security fixes
2.0.3[28] April 15, 2013
  • Bug fixes
  • Security fixes
2.1[15] September 15, 2013
  • IPv6 Support
  • Upgrade to FreeBSD 8.3
  • Updated Atheros drivers
  • OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc.
  • PHP to 5.3.x
  • OpenVPN to 2.3.x
  • Added mps kernel module
  • Added ahci kernel module
  • Updated ixgbe driver
  • Numerous Bug fixes
  • Security fixes
2.1.1[29] April 4, 2014
  • Security fixes
2.1.2[30] April 10, 2014
  • Heartbleed OpenSSL Security fixes
  • Bug fixes
2.1.3[31] May 2, 2014
  • Security fixes
  • Bug fixes
2.1.4[32] June 25, 2014
  • Security fixes
  • Bug fixes
2.1.5[33] August 27, 2014
  • Security fixes
  • Bug fixes
2.2[16][17] January 23, 2015
  • Upgrade to FreeBSD 10.1
  • Update the IPsec stack to include AES-GCM, and IKEv2
  • Update PHP backend from FastCGI to PHP-FPM
  • Update PHP to 5.5
  • Change from dnsmasq to the Unbound DNS Resolver
  • Numerous Bug Fixes
2.2.1[34] March 17, 2015
  • Security fixes
  • Bug fixes
2.2.2[35] April 15, 2015
  • Security fixes
  • Bug fixes
2.2.3[36] June 25, 2015
  • Security fixes
  • Bug fixes
2.2.4[37] July 27, 2015
  • Security fixes
  • Bug fixes
2.2.5[38] November 5, 2015
  • Security fixes
  • Bug fixes
2.2.6[39] December 21, 2015
  • Security fixes
  • Bug fixes
2.3 [18] April 12, 2016
  • Upgrade to FreeBSD 10.3
  • Rewrite of the webGUI utilizing Bootstrap
  • Numerous Bug Fixes
2.3.1 [40] May 18, 2016
  • Security fixes
  • Bug fixes
2.3.2 [41] July 25, 2016
  • Security fixes
  • Bug fixes
Version Release date Significant changes

Features

Install, update, packages, management
  • Live CD, update, NanoBSD/embedded, virtual machine, and USB installers available
  • Packaged support/push-button installer for extensions, including the Squid proxy server, the Snort intrusion prevention/detection system, ntop, the HAVP antivirus package, IP address blocklist'
  • Multi-language
  • Console, web-based GUI, SSH (if enabled) and serial management
  • RRD graphs reporting
  • Traffic shaping and filtering
  • Real-time information using Ajax
Functionality and connectivity
Firewall and routing
  • Stateful firewall
  • Network Address Translation
  • Filtering by source/destination IP address, protocol, OS/network fingerprinting
  • Flexible routing
  • Per-rule configurable logging and per-rule limiters (IP addresses, connections, states, new connections, state types), Layer 7 protocol inspection, policy filtering (or packet marking), TCP flag state filtering, scheduling, gateway
  • Packet scrubbing
  • Layer 2/bridging capable
  • State table "up to several hundred thousand" states (1 KB RAM per state approx)
  • State table algorithms customizable including low latency and low-dropout
Packages support

Packages available as "push button installs" among others:

Hardware

pfSense 2.1 through 2.3 has low minimum system requirements (for example 256 MB RAM and 500 MHz CPU)[42] and can be installed on hardware with x86 or x86-64 architecture. After 2.3, pfSense will require the x86-64 architecture, ending support for 32-bit installations. It is also available for embedded system hardware using Compact Flash or SD cards. pfSense also supports virtualized installation.

See also

BSD based:
Linux based:

References

  1. Thompson, Jim (2016-10-06). "pfSense 2.3.2-p1 Available". pfSense Digest. Electric Sheep Fencing LLC. Retrieved 2016-10-06.
  2. "pfSense moves to Apache License". Retrieved 15 June 2016.
  3. "You should be running a pfSense firewall". InfoWorld. 22 December 2014. Retrieved 27 July 2015.
  4. "Enterprises cut costs with open-source routers". Network World. 9 June 2009. Retrieved 5 August 2015.
  5. "Multiple Vulnerabilities Patched in pfSense". Security Week. 26 March 2015. Retrieved 5 August 2015.
  6. Danen, Vincent (December 7, 2009). "DIY pfSense firewall system beats others for features, reliability, and security". TechRepublic. If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider
  7. 1 2 Miller, Sloan (June 26, 2008). "Configure a professional firewall using pfSense". Free Software Magazine (22). No experience is needed with FreeBSD or GNU/Linux to install and run pfSense
  8. Stahie, Silviu (April 7, 2014). "pfSense 2.1.1 Firewall Distro Can Replace Any Commercial Alternative". Softpedia. Firewall Distro Can Replace Any Commercial Alternative
  9. "You should be running pfsense" - Paul Venezia, InfoWorld http://www.infoworld.com/article/2861574/network-security/you-should-be-running-pfsense-firewall.html
  10. Servethehome.com Buyers' Guides: "pfSense is the gold standard for open source network appliances"
  11. Buechler, Chris (June 21, 2007). "So what does pfSense stand for/mean, anyway?". pfSense Digest.
  12. "pfSense Open Source Firewall Distribution - History".
  13. 1 2 Ullrich, Scott (October 13, 2006). "1.0-RELEASED!". pfSense Digest.
  14. 1 2 Buechler, Chris (September 17, 2011). "2.0-RELEASED!". pfSense Digest.
  15. 1 2 Buechler, Chris (September 15, 2013). "pfSense 2.1-RELEASE now available!". pfSense Digest.
  16. 1 2 Buechler, Chris (January 23, 2015). "2.2 Release now available!". pfSense Digest.
  17. 1 2 "DistroWatch.com: pfSense".
  18. 1 2 Buechler, Chris (April 12, 2016). "2.3-RELEASE Now available!". pfSense Digest. Retrieved 12 April 2016.
  19. "Take A Tour of pfSense - Legal, License". Rubicon Communications, LLC (Netgate). Retrieved 21 November 2016.
  20. Ullrich, Scott (October 29, 2006). "1.0.1-RELEASED!". pfSense Digest.
  21. Ullrich, Scott (April 29, 2007). "1.2-BETA-1 released!". pfSense Digest.
  22. Buechler, Chris (February 25, 2008). "1.2 Release Available!". pfSense Digest.
  23. Buechler, Chris (December 26, 2008). "pfSense 1.2.1 released!". pfSense Digest.
  24. Buechler, Chris (January 9, 2009). "pfSense 1.2.2 released!". pfSense Digest.
  25. Buechler, Chris (December 10, 2009). "pfSense 1.2.3 released!". pfSense Digest.
  26. Buechler, Chris (December 20, 2011). "2.0.1 release now available!". pfSense Digest.
  27. Buechler, Chris (December 21, 2012). "2.0.2 release now available!". pfSense Digest.
  28. Buechler, Chris (April 15, 2013). "2.0.3 release now available!". pfSense Digest.
  29. Thompson, Jim (April 4, 2014). "2.1.1-RELEASE now available". pfSense Digest.
  30. Thompson, Jim (April 10, 2014). "2.1.2 Release Now available". pfSense Digest.
  31. Dillard, Jared (May 2, 2014). "2.1.3 RELEASE Now available". pfSense Digest.
  32. Dillard, Jared (June 25, 2014). "2.1.4 RELEASE Now available". pfSense Digest.
  33. Dillard, Jared (August 27, 2014). "2.1.5 RELEASE Now available". pfSense Digest.
  34. Buechler, Chris (March 17, 2015). "2.2.1 RELEASE Now available". pfSense Digest. Retrieved 13 April 2015.
  35. Buechler, Chris (April 15, 2015). "2.2.2 RELEASE Now available!". pfSense Digest. Retrieved 15 April 2015.
  36. Buechler, Chris (June 25, 2015). "2.2.3 RELEASE Now available!". pfSense Digest. Retrieved 7 July 2015.
  37. Buechler, Chris (July 27, 2015). "2.2.4 RELEASE Now available!". pfSense Digest. Retrieved 27 July 2015.
  38. Buechler, Chris (November 5, 2015). "2.2.5 RELEASE Now available!". pfSense Digest. Retrieved 1 December 2015.
  39. Buechler, Chris (December 21, 2015). "2.2.6-RELEASE Now available!". pfSense Digest. Retrieved 1 December 2015.
  40. Buechler, Chris (May 18, 2016). "2.3.1-RELEASE Now available!". pfSense Digest. Retrieved 18 May 2016.
  41. Buechler, Chris (July 25, 2016). "2.3.2-RELEASE Now available!". pfSense Digest. Retrieved 25 July 2016.
  42. "Hardware". Electric Sheep Fencing LLC. Retrieved 5 August 2015.

Further reading

This article is issued from Wikipedia - version of the 11/26/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.