pfSense

Firewalls provide the “crunchy-on-the-outside” layer in a good defense-in-depth policy and are the network security keystone for most organizations. However, the cost of a full-featured, enterprise-class firewall might be out of reach for a small office/home office (SOHO) or even for a branch office of a large company. I'd like to show you a possible solution: an open-source router and firewall called pfSense, which offers more features than many of the big guys.

Loading pfSense

PfSense is a stateful firewall and a descendent of the m0n0wall firewall project, which was designed for installation on a PC. At its core, pfSense utilizes BSD's stateful packet filter, PF, which integrates packet-filtering firewall software with network address translation (NAT) and Quality of Service (QoS) mechanisms. Its hardware requirements are light, and the actual firewall installation package is less than 60MB.

To get started, go to http://www.pfsense.org and download the LiveCD titled pfSense-1.2-LiveCD-Installer.iso. Because a LiveCD is an OS that executes from a CD-ROM upon boot, pfSense is quick to try. If you like it, you can then install the software on the host computer, which lets your changes persist across reboots. However you don’t need to install it to use and configure an actual instance of pfSense. For example, if you wanted a bare-bones redundant firewall configuration, you could configure your firewall from the LiveCD, then in the UI go to Diagnostics, select Backup/Restore, and back up the configuration via a web browser to another computer where you could store it on a USB drive or other media. If your hardware on that first firewall fails, building a spare is really easy: just boot a second computer with the pfSense LiveCD and restore the configuration. (Your hardware can be somewhat different but you’ll want to have the same number of network interfaces for your pfSense configuration to match.) The backup file is saved in an XML format and is easy to inspect.

Configuring pfSense

After you load pfSense, set the interface IP address information from the text menu in the console of the firewall host, which Figure 1 shows. Then open the GUI by accessing the firewall's internal IP address in a browser, where you can then view the firewall status, which Figure 2 shows, and make additional configuration changes. Don’t rule out the console entirely, though. You can use it to access a FreeBSD command line to run programs on your firewall such as the packet sniffer tcpdump or other programs that generate performance data. The pfSense website tells how to extend pfSense by installing other packages such as the intrusion detection system (IDS) program Snort and the web-caching server Squid.

If you've configured a firewall before, you should feel at ease with the pfSense interface. Tutorials from the pfSense website can assist with basic configuration as well as offer help with the more sophisticated features. It’s easy to get started and configure a basic port address translation (PAT) and Access Control List (ACL) policy. An ACL is your traditional firewall ruleset that defines which ports, protocols, and addresses are allowed and denied. Setting up more sophisticated address routing and ACLs (via static NATs) is a bit more involved, but the pfSense UI is intuitive to use and the website examples easy to follow.

Cool Features

Beyond typical firewall features such as ACL and NAT management, pfSense offers many more features right out of the box. You can configure point-to-point and mobile IPsec VPN connections and set up an inbound PPTP or OpenVPN server for remote clients, authenticate your VPN users by using a built-in database or use Remote Authentication Dial-In User Service (RADIUS), which you’ve configured on another server. PfSense also includes a captive portal, which is useful for authenticating a guest connecting to an interface for a set of basic services that you define. (Captive portals are used frequently with guest wireless LANs.)

One of the coolest advantages of pfSense over many other firewalls is its support of sophisticated routing based on various packet attributes such as source, destination IP address, port type, or even OS. It also supports multiple routing tables for robust inbound and outbound load balancing on a per-rule basis, which really distinguishes it from many other firewalls. Let’s say your SOHO has two WAN connections—a cable and a DSL Internet connection. You could terminate both of these Internet circuits on your pfSense firewall, then create granular rules that route network traffic to one circuit or the other based on a number of factors. For example, your users could go out over the cable but your servers transit only the DSL line. (Because my DSL line fails now and then, I’ve created a rule which I simply enable to re-route traffic to the cable circuit.) PfSense also incorporates passive fingerprinting via its support for p0f, an OS fingerprinting and masquerade detection utility (http://lcamtuf.coredump.cx/p0f.shtml), which you could use, for example, to enforce policies such as allowing your Windows systems to access the Internet but not your Linux systems. These types of granular rules really extend the firewall ACLs beyond simple IP address and port combinations.

You can view basic pfSense logs via the web UI or configure pfSense to forward its logs to a syslog server of your choice. PfSense includes several useful built-in status reports and supports SNMP traps. Its Traffic Graph report shows a real-time view of network traffic across any of the pfSense interfaces. The Round Robin Database (RRD) graphs show system, traffic, and packet information over a variety of time intervals and are generated using the open-source data logging and graphing program RRDtool.

Besides being able to restore a pfSense firewall from a saved configuration, pfSense supports hardware-level failover via Common Address Redundancy Protocol (CARP), a protocol which lets multiple hosts on the same local network share IP addresses, so you can build two firewalls and automatically fail over to one or the other. PfSense lets you configure how much synchronization information to send between failover members; for example, you can synchronize configuration information or state tables. This means that existing connections made by your users should persist even if the primary firewall fails.

Robust and Easy to Use

PfSense provides very robust and powerful firewall features and wraps them up in an attractive and easy-to-navigate UI. Using pfSense packages, you can add other popular open-source programs. And if you want to be “green” and run pfSense on a smaller hardware platform that uses less energy, you can find hardware appliances that are purpose-built to support running pfSense and store the software on a flash drive. All of these features make pfSense one of my favorite choices for independently deployed firewalls.