pfSense: Open Source Firewall Distribution
Ok guys, a firewall can be software or a piece of hardware, but what does it do and why do we need one?
Ok, you got a brain, right? Use it! Firewall is a word which can be split into two other words (fire + wall). I think you understand. Not yet? Hmm, let's say that the firewall acts as a wall that protects your computer. Attackers will try to get access to your server by brute-forcing your SSH login. But if you use a firewall you can set rules to block them. You can block specific IPs from connecting to your machine, or you can block all IPs except your own. Keep in mind that a firewall only decides who can reach the SSH port; it does not make a weak password strong, so combine it with key-based authentication.
Now, let me introduce you to the pfSense project.
What is pfSense project?
pfSense is a powerful, flexible platform that can be used as a firewall, a router, or both. It is a free, open source, customized distribution of FreeBSD that includes a long list of related features and a package system that allows further expansion without adding bloat and potential security vulnerabilities to the base distribution.
Why do you need pfSense?
You can use pfSense to protect anything from a small home network to large corporations, universities and other organizations with thousands of network devices.
pfSense has had more than 1 million downloads since its inception and is one of the most widely used network firewalls in the world, with over 167,000 known live installs as of April 2013. The project started in 2004 and is now very popular. You can read more details on the pfSense project site. Its main firewall features are:
- Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
- Able to limit simultaneous connections on a per-rule basis
- pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility, to let you filter by the operating system initiating the connection. Want to allow FreeBSD and Linux machines onto the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the operating system in use. Note that passive fingerprinting only inspects the characteristics of the TCP SYN and can be fooled by a host that alters its TCP stack, so treat it as a convenience rather than a security boundary.
- Option to log or not log traffic matching each rule.
- Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
- Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
- Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
- Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
  - Enabled in pfSense by default.
  - Can be disabled if necessary. Scrubbing causes problems for some NFS implementations, but it is safe and should be left enabled on most installations.
- Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
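Everything described above, from blocking an SSH brute-forcer while allowing only your own IP (the intro) to aliases, per-rule connection limits, per-rule logging, OS fingerprinting, policy routing and scrub (the feature list), maps directly onto the pf ruleset that pfSense generates underneath its web interface. The following pf.conf fragment is an added example and is not part of the original post or the pfSense project's own configuration; the interface names, addresses (RFC 5737 documentation ranges), ports and limits are assumptions chosen for illustration.

```pf
# Macros and tables play the role of pfSense "aliases": names instead of bare
# addresses keep the ruleset readable. All interface names and addresses here
# are assumptions for the example (RFC 5737 documentation ranges).
wan_if   = "em0"
lan_if   = "em1"
wan2_if  = "em2"
wan2_gw  = "198.51.100.1"
lan_net  = "192.168.1.0/24"
admin_ip = "203.0.113.10"
table <web_servers> { 192.0.2.10, 192.0.2.11 }
table <bruteforce> persist     # filled at run time by the overload option below

# Packet normalization ("scrub"): reassemble fragments and drop TCP packets
# with invalid flag combinations. pfSense enables this by default.
scrub in all fragment reassemble

# Default deny in both directions, and log what gets dropped.
# pf uses last-match-wins, so the pass rules below override this one
# for the traffic they describe; "quick" rules stop evaluation immediately.
block log all

# Hosts that tripped the SSH rate limit are dropped (and logged) before
# anything else; "quick" means the later pass rule cannot override this.
block in log quick on $wan_if from <bruteforce>

# SSH to the firewall itself only from the admin address ("block all IPs
# except your own"), with per-rule connection limits: at most 10 open
# connections per source and no more than 5 new connections per 30 seconds.
# A source exceeding that is added to <bruteforce> and its states are flushed.
pass in quick on $wan_if proto tcp from $admin_ip to ($wan_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Filter by source/destination address, protocol and port: anyone may reach
# the web servers on 80/443. No "log" keyword, so matches are not logged.
pass in on $wan_if proto tcp from any to <web_servers> port { 80, 443 } keep state

# Passive OS fingerprinting (pf.os, p0f-style fingerprints, TCP SYN only):
# refuse outbound web traffic from Windows hosts on the LAN, allow FreeBSD
# and Linux hosts.
block in log quick on $lan_if proto tcp from any os "Windows" to any port { 80, 443 }
pass in on $lan_if proto tcp from any os { "FreeBSD", "Linux" } to any port { 80, 443 } keep state

# Policy routing: choose the gateway per rule. LAN SIP traffic leaves via the
# second WAN instead of the default route (pfSense's per-rule gateway option).
pass in on $lan_if route-to ($wan2_if $wan2_gw) proto udp from $lan_net to any port 5060 keep state

# Let the firewall's own outbound traffic and replies out.
pass out keep state
```

Syntax-check a ruleset without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect which sources the SSH rate limit has caught with `pfctl -t bruteforce -T show`. On pfSense you normally build these rules in the web interface rather than by hand; the generated ruleset can be read in /tmp/rules.debug, which is a good way to learn how each GUI option maps to pf syntax.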