
Tuesday, 23 September 2014

[Tool] pfsense, the all-in-one firewall

Whatever else we learn from the big players in network infrastructure, one lesson is that FreeBSD is a proven base for a network appliance: Juniper's Junos, for instance, is built on it.

pfSense is another firewall system built the same way. The project describes itself as follows:

The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. The pfSense project has become a fairly popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a single computer to large corporations, universities and other organizations protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. We also offer an embedded image for Compact Flash based installations. The two projects have since diverged significantly.
We've steadily grown to become one of the most widely used network firewalls in the world, with in excess of 200,000 known live installs as of December 2013.

In the usual case you simply download the live installer image from the project website; both i386 and amd64 architectures are supported. The basic installation is straightforward.
After the reboot you need to assign two interfaces:

  • WAN interface: The Wide Area Network interface, your external connection
  • LAN Interface: The Local Area Network interface, your internal connection
In the common design the firewall sits between the external and the internal network, so every packet from outside has to pass through the firewall first, and the WAN/LAN assignment above is what decides which rule set a packet is checked against.

pfSense has a large package repository: many features are already included, and the rest are easy to install and are integrated into the web configuration interface. The following list gives an overview of some of these components.
  • Suricata, a high-performance network IDS, IPS and security monitoring engine by OISF.
  • HAProxy, the reliable, high-performance TCP/HTTP load balancer.
  • MailScanner, an e-mail security and anti-spam package for e-mail gateway systems.
  • A proxy server including ModSecurity. ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows HTTP traffic monitoring, logging and real-time analysis. In addition, this package allows URL forwarding, which is convenient for hosting multiple websites behind pfSense on a single IP address.
  • Squid including SquidGuard, a high-performance web proxy cache. It combines Squid as a proxy server with its capability of acting as an HTTP/HTTPS reverse proxy, and includes an Outlook Web Access (OWA) assistant.
and many more.

pfSense is fully manageable via its web interface. Once LAN and WAN are assigned, keep in mind that all inbound access on WAN is blocked by default, so you will not be able to reach the GUI or SSH from outside. Do the initial configuration from the LAN side (the default anti-lockout rule keeps the GUI reachable there), and if you really need management access over WAN, add an explicit rule limited to trusted source addresses rather than opening the GUI port to the world. So you may want to sort out your internal IP addressing first.
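To make the "blocked by default on WAN, reachable from LAN" behaviour concrete, here is an added example (my own code, not pfSense's or the pf project's) that models how pf evaluates a rule set: rules are walked top to bottom, a matching rule marked `quick` decides immediately, otherwise the last matching rule wins, and a packet that matches nothing is passed. pfSense relies on exactly this by installing a non-quick default deny first and marking every GUI-created rule `quick`. The addresses, interface names and the rule set below are constructed for the example and only approximate what a fresh install generates; the exact generated pf.conf differs in detail.

```python
"""Minimal model of pf rule evaluation as pfSense uses it (example code).

Addresses and the rule set are constructed for this example; they are
an approximation of pfSense defaults, not a copy of its generated pf.conf.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed example addressing (assumption, not taken from the post).
WAN_ADDR = "198.51.100.1/32"
LAN_NET = "192.168.1.0/24"
LAN_ADDR = "192.168.1.1/32"


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "wan" or "lan"
    proto: str      # "tcp", "udp", "icmp", ...
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int = 0  # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    iface: Optional[str] = None       # None: any interface
    proto: Optional[str] = None       # None: any protocol
    src: Optional[str] = None         # CIDR; None: any source
    dst: Optional[str] = None         # CIDR; None: any destination
    dports: frozenset = frozenset()   # empty: any destination port
    quick: bool = False               # stop evaluating on match
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides pkt under pf semantics:
    last match wins unless a matching rule is quick; no match means pass."""
    decision = ("pass", "no rule matched (pf default)")
    for rule in rules:
        if rule.matches(pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision


# Approximation of a fresh pfSense rule set: non-quick default deny first,
# then the quick LAN anti-lockout rule and the "LAN to any" rule.
DEFAULT_RULES: List[Rule] = [
    Rule("block", label="default deny (all interfaces, not quick)"),
    Rule("pass", "lan", "tcp", src=LAN_NET, dst=LAN_ADDR,
         dports=frozenset({80, 443, 22}), quick=True, label="anti-lockout"),
    Rule("pass", "lan", src=LAN_NET, quick=True, label="default allow LAN to any"),
]


def with_wan_admin_rule(rules: List[Rule], admin_net: str) -> List[Rule]:
    """Add the rule an admin would create to reach the GUI over HTTPS from one
    trusted external network. Appending is sufficient: the new rule is quick,
    the default deny above it is not, so the pass rule wins for matching packets."""
    return rules + [Rule("pass", "wan", "tcp", src=admin_net, dst=WAN_ADDR,
                         dports=frozenset({443}), quick=True,
                         label=f"GUI from {admin_net}")]


if __name__ == "__main__":
    from_outside = Packet("wan", "tcp", "203.0.113.10", "198.51.100.1", 443)
    from_lan = Packet("lan", "tcp", "192.168.1.50", "192.168.1.1", 443)
    print(evaluate(DEFAULT_RULES, from_outside))  # blocked by the default deny
    print(evaluate(DEFAULT_RULES, from_lan))      # passed by the anti-lockout rule
    opened = with_wan_admin_rule(DEFAULT_RULES, "203.0.113.0/24")
    print(evaluate(opened, from_outside))         # now passed by the admin rule
    print(evaluate(opened, Packet("wan", "tcp", "192.0.2.7", "198.51.100.1", 443)))  # still blocked
```

The last two calls show the point of restricting a WAN management rule by source network: a GUI connection from the trusted range passes, while the same connection from any other address still hits the default deny.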