
pfSense: Open source network firewall distribution - lobo_tuerto
https://pfsense.org/
======
lima
Last time I checked, pfSense was good at firewalling but bad at everything
else security-wise.

- Web panel allows root code execution on the device (every XSS is full RCE!)
- Everything runs as root
- No ASLR or other hardening flags because FreeBSD
- Lots of XSS and CSRF opportunities (probably got better with the new UI)
- Did not replace SSL certificate after Heartbleed (on packages.pfsense.org!)
- No package signing, either (not sure if this is still true with pkgng)
- Did not even _have_ SSL on packages.pfsense.org until one or two years ago

I'm also missing the fq_codel queueing discipline on my home network (prevents
bufferbloat).

I still use it since it's awesome, but I hope their security posture has
improved since.

Most of the commercial vendors are even worse, but still.

~~~
Kurtz79
Are there other valid open-source alternatives, possibly Linux-based?

~~~
milcron
Just use OpenBSD. They are the upstream developer of pf anyway.

pfsense uses FreeBSD's fork of pf, which is _years_ out of date. They forked
in order to add multithreading, ostensibly for performance. But the diff is
too complicated to keep rebasing on top of upstream, so they're stuck with a
pf from 2009.

Here are a few resources to get you started. You'll learn plenty about
routing!

[https://www.openbsd.org/faq/pf/example1.html](https://www.openbsd.org/faq/pf/example1.html)

[https://www.22decembre.eu/2016/05/27/openbsd-router-en/](https://www.22decembre.eu/2016/05/27/openbsd-router-en/)

Compared to Linux, OpenBSD is starkly minimal. It can be a little bewildering
when common programs seem to be missing, but the man pages are outstanding.
And the system is very simple and reliable. Config files are almost comically
short. My /etc/hostname.re0 config is just five bytes: `dhcp\n`.

~~~
sverige
I appreciate pfSense offering something that's better than the average
firewall, but I really wish they would just build it on top of the latest
release of OpenBSD.

OpenBSD and pf really is the best. As noted above, FreeBSD has wandered off
into the weeds with pf for no good reason. There have been so many
improvements to pf since 2009 that I wouldn't even consider using something
that old.

I used pfSense years ago when I was first learning firewalls. These days the
best GUI for me is no GUI but a CLI, but some people don't want to take the
time to build a firewall. Granted, once you know how to do it, it doesn't take
that much time to build a firewall, but it does take time to understand what
you're doing and why. But really, not that much time, considering the
aggravation it can save you down the road.

~~~
vocatus_gate
Why does pfSense use FreeBSD vs. OpenBSD?

~~~
gonzo
Mostly because m0n0wall was written on top of FreeBSD.

~~~
pyvpx
You also dislike many OpenBSD policies, and developers.

~~~
gonzo
There are exactly two things I dislike about openbsd.

One is the past behavior of one developer who claimed to reverse engineer code
that obviously wasn't.

The other is a mistake made in 2003, to which they've still not owned up.

You don't silently patch security issues, especially when they are discovered
and fixed by someone outside the project.

Other than these, I have nothing but admiration for the project and its
developers.

------
jstewartmobile
I liked pfSense until it got too beefy for my ALIX board. That forced me to
move to OpenBSD, and boy am I glad I did.

Once you grok the syntax, it is so much easier to directly update settings in
pf.conf than the pfSense web GUI--especially traffic shaping rules.

That, and OpenBSD has great documentation, decent IPv6 support, and almost
everything you need already baked-in.

Here's a basic set of config files for a home setup:
[https://github.com/BourgeoisBear/OpenBSDFirewall](https://github.com/BourgeoisBear/OpenBSDFirewall)

If you need IPv6 or anything fancy, PM me.

~~~
SSLy
Ugh, I wish we could use that syntax on the Linux side of the computing world.

~~~
tasn
I recently switched to nftables on Linux and the syntax is great, you should
give it a go. I wrote a blog post demonstrating my server configuration.
Shameless plug: [https://stosb.com/blog/explaining-my-configs-nftables/](https://stosb.com/blog/explaining-my-configs-nftables/)

~~~
dhess
Does nftables support packet tagging/policy filtering ala pf's "tag" keyword
[1]? It's so nice to tag a packet as "trusted" once it has passed an input
filter, and then just pass trusted packets on outbound interfaces based solely
on the tag.

For example, on my OpenBSD firewall I can write the following simple rules to
restrict outbound Internet access to a specific set of IP addresses or
networks:

    # internal_if is the LAN-facing interface; isp_if is the ISP-facing interface, i.e., the Internet.
    match in log on internal_if from <internet_allowed_networks> tag OUTBOUND
    pass in  log quick on internal_if tagged OUTBOUND
    ...
    pass out log on isp_if inet tagged OUTBOUND nat-to (isp_if) static-port

The tags are sticky, so that you can apply multiple tags to packets and sort
through the tags later in the pipeline.

If nftables supports something like this, I'll probably make the switch, as I
prefer Linux in every other way to OpenBSD.

[1]
[https://www.openbsd.org/faq/pf/tagging.html](https://www.openbsd.org/faq/pf/tagging.html)
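As an added illustration (not from this thread or the nftables project), the pf rules above rewritten with nftables packet marks, the closest analogue to pf's tag; the mark is also saved in conntrack so it stays with the flow the way a pf tag held in state does. Interface names (lan0, wan0), the set contents and the mark value 0x1 are assumptions.

```nftables
# Added example, not from the thread: pf "tag"/"tagged" expressed with nftables
# packet marks. lan0/wan0, the set elements and the mark value 0x1 are assumed.
table inet policy {
    # Counterpart of the pf table <internet_allowed_networks>.
    set internet_allowed_networks {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.10 }   # constructed sample addresses
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Keep the mark "sticky" per flow, like a pf tag stored in state:
        # restore a mark saved earlier in the connection entry.
        ct mark != 0 meta mark set ct mark

        # "match in on internal_if from <internet_allowed_networks> tag OUTBOUND":
        # stamp the mark on ingress from the LAN and save it to conntrack.
        iifname "lan0" ip saddr @internet_allowed_networks meta mark set 0x1 ct mark set meta mark

        # "pass out on isp_if tagged OUTBOUND": the decision depends only on the
        # mark, so later rules never repeat the address criteria.
        oifname "wan0" meta mark 0x1 accept

        # Return packets of flows already allowed above.
        ct state established,related accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # "nat-to (isp_if)" for marked packets (pf's static-port flag is not translated).
        oifname "wan0" meta mark 0x1 masquerade
    }
}
```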

~~~
tasn
I'm not familiar with the pf "tag", and I gtg so I don't have time to read
more, but it seems very similar to "mark"[1]. It essentially lets you mark a
packet with a tag (if memory serves it's a 32 bitmap you can do whatever
bitwise/assignment operations to). I used it in the beginning, but then I
managed to find cleaner ways to do what I was doing.

For me nftables changed the game for linux firewalls. From the almost
incomprehensible mess that was iptables we now have a clean language that lets
me be quite DRY, and is easy to work with.

1: [https://wiki.nftables.org/wiki-nftables/index.php/Setting_pa...](https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#mark_and_conntrack_mark)

~~~
dhess
nftables "mark" would behave like pf "tag" _if_ you can filter a packet
further downstream based on the value of the mark. (It looks like the mark
functionality is also present in iptables.)

If people are using marks for policy-based firewalls a la tag in pf, it
doesn't look like a particularly common practice, based on a quick Google
search. Anyway, it's a start. Thanks for the pointer.

~~~
tasn
There's a page somewhere on the nftables wiki that shows all the operations
you can do, but you essentially can bitmask and compare, or just compare and
do something based on the result of that conditional, so I guess exactly what
you want.

------
notaplumber
Netgate/pfSense has been notoriously anti-community, with their own co-founder
attacking other projects, including a recent fork called OPNSense.

They've also been very hostile towards the OpenBSD developers, and project.
Despite the fact they've effectively built a business on OpenBSD innovations,
like pf and CARP, even incorporating the name 'pf' into their trademark having
not contributed a bit of code.. n̶o̶r̶ ̶a̶ ̶d̶i̶m̶e̶ (but perhaps some hw).

But feel free to keep using it.. no need to take my word for it.

[https://www.openbsd.org/donations.html](https://www.openbsd.org/donations.html)

[http://www.openbsdfoundation.org/contributors.html](http://www.openbsdfoundation.org/contributors.html)

~~~
stsp
I won't defend their demeaning public behaviour towards OpenBSD. I find it
revolting.

But they did make one donation to this OpenBSD developer. They sent me 3 rcc-ve
boards which I am still using for development:
[http://cvsweb.openbsd.org/cgi-bin/cvsweb/www/want.html#rev1....](http://cvsweb.openbsd.org/cgi-bin/cvsweb/www/want.html#rev1.945)

They took much more than they have given (which the source code licence allows
them to do, even if it's morally wrong). Claiming they never gave anything at
all is incorrect.

~~~
cr0sh
> They took much more than they have given (which the source code licence
> allows them to do, even if it's morally wrong).

I don't want to start a flame war, but if the BSD license allows for them to
do this, why is it morally wrong?

That is - how can you complain when the license explicitly allows for this? If
you (not you personally, of course - but the OpenBSD project) didn't want this
to happen, then the license would need to be changed to prevent it.

Of course then, companies wouldn't be as willing to use the code, as we tend
to see with the GPL.

But if companies are just going to take the code, modify it, and not
contribute the changes back (or contribute little back), where's the loss by
using another license?

If the loss is "but the code then won't be used in the greater ecosystem", why
complain when it is?

Again - I'm not trying to cause a flame war; everybody has their license and
needs. I'm just trying to understand why there are complaints when code isn't
contributed back under the BSD license, when it explicitly allows for this.

Furthermore, I am wondering if there is anything we can do about it, that
doesn't cause the kind of ire to rise when the GPL is invoked instead. Perhaps
there isn't a solution, but I'd love to hear ideas on the subject.

~~~
throwaway2048
There is a difference between forcing what you believe to be right onto others
via legal means, and wanting people to do the right thing because it is moral
to do so.

~~~
AsyncAwait
The GPL exists because Stallman knew that corporations seldom do the right
thing if not required so by law.

~~~
stephenr
And like the DRM he detests so much, he hurts the "good guys" more than the
"bad guys".

Plenty of companies simply avoid the gpl because it complicates things, and
stick to more permissive licenses for their open source efforts.

Plenty more just do what the fuck they want regardless of what the gpl says.

~~~
trome
And yet there are many thriving GPL projects, running on billions of devices
worldwide, from routers to servers. GPL has created an environment where
Netgear and Linksys collaborate on developing the same pieces of software, not
due to morals, but due to it being the best option for themselves. Same with
IBM and many other companies working on GPL software.

~~~
emaste
> not due to morals, but due to it being the best option for themselves

Indeed, and this is why the same thing happens in the BSD world. There are
many examples of large and small companies, competitors, working on the same
parts of FreeBSD.

Enlightened companies contribute to Free and Open Source software because it's
in their best interest, not directly because of the license. Conversely, there
are countless examples of companies who don't think it's in their interest,
and willfully violate the GPL.

------
notaplumber
If you want a pf firewall, you should probably get it from OpenBSD.. they
created pf.

[https://www.openbsd.org/faq/pf/index.html](https://www.openbsd.org/faq/pf/index.html)

------
stevefeinstein
I used pfSense for a long time and ultimately the conclusion was it was a 75%
solution. It made those 75% things pretty easy to set up and configure. But
once you needed something from the 25% you had to dig into the BSD
configuration and now had to deal with how that interoperated with the pfSense
stuff. Better to just bite the bullet and configure BSD (or linux for some
things it does even better) from scratch and get exactly what you want and
need.

------
F00Fbug
I can't say enough good things about pfSense. I'm running three of 'em and
would gladly trash my Checkpoint firewalls to use pfSense, if our parent
company didn't mandate them.

I've run it on everything from tiny, Atom-based machines to kitted-out HP
DL385s, and even on ESXi virtual machines. It works great in all scenarios.

------
dstroot
Happy user here. I have used this exclusively for the past eight years. It's
gotten better as it's got more commercial – better UI, more polished plugins,
better features, etc.

------
sschueller
PfSense is awesome! It runs very well for very little money on your own
hardware [1].

You can do so many things easily. For example force all local chromecasts via
a VPN for netflix.

[1] [https://pcengines.ch/apu2.htm](https://pcengines.ch/apu2.htm)

~~~
sashk
Agree. I've been running pfSense on HP thin client (T5740[1] with expansion
module + gigabit dual port ethernet NIC) and was pretty happy. Cost to me was
about $60 for fully working firewall/router.

[1]:
[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_...](http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c01926335)

------
jenkstom
We've had a lot of success with pfSense. BGP works, IPSEC works, most things
work quite well with no headaches. My previous employer used a Watchguard
firewall and to be honest pfSense was a much better experience all around.

Except for cloud VOIP. Neither 8x8 nor Shoretel worked worth a darn through
this firewall. We even paid for the gold support and opened more than one
support case with no luck. It appeared to be a RTSP issue, SIP didn't have any
trouble. And it was intermittent. Most of the time it would work, occasionally
it would not. Eventually we replaced pfSense with a Cisco router for our
phones and it worked fine.

------
sandGorgon
I always had this question - can something like pfsense be built on linux
_with comparable performance_ or is there something inherent to the whole
stack that makes this effective?

I have always wondered if building pfsense on a modern linux kernel + selinux
+ BPF with something like nginx/lua scripting (for addon packages) would make
more sense.

[http://www.brendangregg.com/blog/2016-10-27/dtrace-for-linux...](http://www.brendangregg.com/blog/2016-10-27/dtrace-for-linux-2016.html)

~~~
edcastro
[https://vyos.io/](https://vyos.io/) might be what you're looking for.

~~~
Dangeranger
So is VyOS the successor to Vyatta?

It looks like maybe this project forked after the purchase by Brocade.

As a side note, Vyatta is the base OS in many of the Ubiquiti Networks routers.
It's quite nice for small office/home office.

~~~
slau
I would say it's nice enough for more than just "small" stuff. Depending on
your definition of "small", I guess.

I'm running a VyOS machine (old desktop with a couple of NICs) which handles
the traffic for our Copenhagen office. That's ~15 CI boxes, and 30 people.
This is on a 100/100 connection.

For Ubiquiti, I'm a fan. I helped our co-working space setup a network on
another floor, and we used an EdgeRouter Lite to handle the 200/200
connection. The ERL handles it without breaking a sweat. That's for 60 people
on a daily basis.

For another building, I just finished setting up an ERPro (the 8-port rack-
mounted version). It's again on a 200/200 connection, and for roughly 150
people on average, with a maximum around 300-500.

At home, I have an ERPoE, which handles my home lab just perfectly. I'm only
on a 100/100 uplink at the moment, but will be upgraded to 1000/500 soon, and
I know the ERPoE will handle that just fine as well (thank you hardware
offloading ;)). 5 VLANs with full firewalling and routing between them, native
IPv6 with prefix delegation, mDNS proxying between VLANs, OpenVPN handled by
the router. I could do a lot of this with OpenWRT on an Archer C7, but the
ERPoE is simply miles ahead.

The UI is nice for newcomers, and the CLI is amazing. I fell in love with the
CLI on VyOS, and am very happy to see the same in the UBNT products. For $100,
they are amazing devices. VyOS is my go-to choice when I need to have a
virtual router.

~~~
sandGorgon
Are you talking about VyOS or Ubiquiti? I'm not sure what the relationship is
between them - could you talk about what's so amazing for a complete first
timer?

I currently have pfSense running on a mini quad NIC box
([https://m.aliexpress.com/s/item/32670582442.html](https://m.aliexpress.com/s/item/32670582442.html)).

Do you think VyOS will run on this stuff? In your opinion, are pfSense and VyOS
generally at par?

~~~
slau
VyOS is just software. So nothing to purchase there. It's what I use when I
need either a virtual router, or want to use commodity hardware to act as a
router. It's great to throw in ESXi or another hypervisor, or even EC2. It
comes with all features you might need (probably), and because it's fairly
standard Linux (Debian based), making it do extra things isn't very hard.

The ERL is $100, and comes with Ubiquiti's EdgeOS, which is largely based on
VyOS (or something like that), and simply adds a (decent) web UI, and hardware
offloading. This means that the ERL, which runs on a dual core 700 MHz MIPS CPU,
can route 1 Gbit/s and not even break 30% CPU utilisation.

Where VyOS shines is when you need to cobble together a bunch of things. If
you just need a pure firewall, I would probably stick with pfsense, as that
is, after all, what it is good at. VyOS only offers iptables with some
lipstick (which is well enough for a Swiss-army knife setting)

I guess VyOS would run on that box. I can't see specs, nor know what network
chipset it is rocking, but I don't see why not.

------
kiallmacinnes
It's been a few years since I used pfSense (maybe 7 or 8 years?) - when did
they become so "commercial"?

(I'm not saying that's a bad thing, I really have no opinion on that, I'm just
curious!)

~~~
feld
There are over 500,000 pfSense installations in the wild. The creation of a
company around pfSense has allowed them to offer real support and hire
developers to improve everything from the UI to massive improvements to
network stack/firewall and even IPSEC performance. These changes get pushed
upstream to FreeBSD, everyone wins.

~~~
pyvpx
what developers have they hired? besides Neville as a consultant for FreeBSD
netstack performance improvements.

~~~
gonzo
There are two FreeBSD committers on staff (one second, the other ports), the
author of the O'Reilly book on git, the guy who rewrote the GUI, and three
others.

Several have really deep telecommunications equipment / router vendor
experience.

Plus gnn, who, as you say, is a consultant. If we're going to include him, we
should include Patrick Kennedy, who has done work on libuinet for us.

------
hobarrera
You know what's open source and works great as a firewall (also based on pf)?

OpenBSD.

No, seriously. Don't bother picking a third-party repackage of pf, when you
can actually get a secure OS built by people who actually put security
above everything else. If you care about security, there's no reason to go
elsewhere.

------
hpcjoe
A fan of pfSense, I've used/deployed it a number of times to customers, and
for some previous employer bits. Current version doesn't have an API, but is
fine for what I do with it.

I did see people hating on it here, and while I cannot/will not speak to their
specific issues, I look at it as a much better tool than the integrated
hardware units you can buy online for ~$100 USD, with also integrated
backdoors, courtesy of the development effort.

I know perfectly well that I could build what I need using IPtables ... but
have you used IPtables? I'm a CLI guy, and heck ... I want a GUI for IP tables
...

I've not yet played with the nftables, and frankly, I am looking for a
generally simpler model of putting some of these things together. pfSense does
a pretty good job of this.

One note on the PHP on the stack ... yeah, this is a concern for me as well.
So I don't generally expose the admin access to the interwebs. And I lock that
aspect down pretty hard (only specific addresses are allowed to even connect
to the admin port). This isn't perfect, but it's far better than setting up a
web port, and suddenly presenting the pfSense GUI out (yeah, this sorta
happens by default if you don't move the GUI to a different port, and do some
other config).

This all said, it is pretty good for what it does, and a few of my previous
customers have bought the support for it directly from the team.

------
vxxzy
I use pfSense as a virtual machine to firewall/NAT off my virtual environment.
It works great. I am running it on KVM/QEMU and handing off the PCI device to
the pfSense VM. Great for managing my environment through VPN.

I've also used this in a retail chain in DC/MD/VA. Each location used pfSense
for site-site VPN (OpenVPN). We also used the asterisk package to handle VoIP.

Overall, pfSense is a robust UTM.

------
nailer
Is this 'pf' like the BSD firewall? Anyone more familiar with the space want
to provide some detail?

Edit: yeah it is:

> The pfSense project is a free network firewall distribution, based on the
> FreeBSD operating system with a custom kernel and including third party free
> software packages for additional functionality.

From [https://pfsense.org/getting-started/](https://pfsense.org/getting-started/) see also
[https://doc.pfsense.org/index.php/Installing_pfSense](https://doc.pfsense.org/index.php/Installing_pfSense)

~~~
hueving
Yep, basically a really nice web interface and management system for
configuring a pf-driven firewall.

You can click your way to high availability with sub 5-second failovers (even
including NAT state synchronization) in a morning starting from no pfsense or
bsd knowledge.

------
kek918
We use pfSense at a client of mine and it's great. I didn't have any prior
experience with it but I only spent a couple of nights setting everything up.
We use it to manage firewall rules and as DHCP server for 2 VLANs.

We've used it for about a year now. Had several power outages. The pfSense box
is still running like a champ, no problems whatsoever.

Turns out my client actually wanted an email spamfilter though, but our mail
is hosted in another country so I had a little trouble explaining why our
internal pfSense couldn't help us there. Oh well.

------
mrmondo
I've been using PFSense both at various workplaces and at home for many years
now, it's seriously fantastic. Feature rich, rock solid and good 3rd party
packages.

------
widea
Yet I use Smallwall, the successor of M0n0wall, on an old Soekris 5501-70. It
is just a firewall, no bells and whistles, and therefore very stable.

------
throw2016
Unless your needs are extreme, in which case you will have networking experts
making choices, the Linux networking subsystem is actually quite good both in
terms of tooling and performance.

I experimented with Vyatta, which was based on Debian - an open source fork is now
used by Ubiquiti Networks in their devices - and pfSense a couple of years ago,
and I found plain Linux on its own delivers better performance. The recent
series of Ars articles on building your own router confirm this with some
benchmarks [1].

[1] [https://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its...](https://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/)

------
kylegordon
Been using pfsense for a while now, and with CARP and system redundancy,
firewalling, and twin ipsec tunnels to AWS, it's been great and hugely
reliable.

------
storrgie
Does there exist an analog to this for switching (particularly an organization
that sells hardware)?

------
amadeuspzs
Having used pfsense for a good few years, we recently switched to Meraki.

Global infrastructure and Meraki APs just made it easier to go with their
ecosystem, despite the licensing costs.

~~~
ShakataGaNai
Ironic. I just did the reverse. Moved from years of Meraki to pfSense (or Palo
Alto Networks at another company). The Meraki WAPs are mostly great, their
switches are fine, but their "gateway" devices are terrible. The performance
is horrible and their internal tests have proven as much. If you need more
than 150 Mbps consistently, Meraki is going to bite you in the ass.

------
wslh
I don't have such experience. I tried to configure IPSec and IKEv2 in pfSense
following the instructions and it never worked with a Windows client. There
are a lot of questions related to this on the forums without a
concrete/canonical answer.

I like pfSense but I chose it to easily configure usually complex networking
stuff, not a DHCP or DNS. We are trying now to configure IKEv2 on an Ubiquiti
device using UniFi with a load balancer and doesn't seem to be trivial.

~~~
curtipus
When did you try the IPSec/IKEv2 in pfsense? Prior to, I think, 2.4 you had to
go into the registry and do some hack to get around certificate limitations.
It's no longer necessary and setup was a breeze for me (and the registry hack
worked for me as well). I loosely followed:
[https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2](https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2)

~~~
gonzo
> Prior to, I think, 2.4

2.3 (which got Strongswan), but yeah.

2.4 isn't released yet.

------
xer
I reviewed pfSense around Nov 2016; it failed on many basic security best
practices, and was rejected for our purpose.

~~~
gonzo
Yet in the same timeframe US Army Cyber Command selected it to stand in front
of their infrastructure.

~~~
xer
Lol

------
MPSimmons
Do they have an API yet? Because I hated using it without an API.

~~~
bpineau
Same here.

No API means no automation, no Chef/Puppet/Ansible/Salt or other kind of
scripts. Everything in the head of the person who clicked through the web
interface.

Are there automation friendly alternatives?

------
Bombthecat
I want something like that in docker :)

------
rdslw
Guys, they started in 2004. It's 2017 today. hackersNEWS?

------
dcow
Usually when people mention they run pfSense it means, "I heard pfSense is
good for security so I use it". If I get that impression in an interview, GG.
IMO it's an easy litmus test for netsec/secops roles. If you can't write a pf
rule, there are probably bigger issues. OpenBSD is the way to go.

I also think the pfSense CEO has a massively inflated ego and pays little
homage to the roots of his software. Does pf _really_ need a GUI?

 _edit:_ clarity.

~~~
chrisper
Are you saying that people who use pfSense don't know what they are doing?

~~~
dcow
Not quite. But I am saying I've always found better candidates.

