pfSense firewalls
If you are worried about attackers breaking into your network and stealing your information, you need to look at pfSense. It filters traffic by address, protocol and port, and it can block entire countries by address range. For example, do you really want someone in Syria, Afghanistan, Ukraine, Russia and other countries known as sources of attacks trying to log into your systems? Probably not.
pfSense is an open source, enterprise-class firewall and VPN product. It competes with $5,000 enterprise hardware products from major vendors and has the key advantage of being free to use while offering features comparable to those proprietary products.
Read the InfoWorld article about it here. InfoWorld is a leading industry trade journal. Also, see the pfSense presentation at the bottom of this page.
This information is provided courtesy of the pfSense documentation –
Firewall
- Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
- Able to limit simultaneous connections on a per-rule basis
- pfSense uses p0f, a passive OS/network fingerprinting utility, to let you filter by the operating system that initiates a connection. Want to allow FreeBSD and Linux machines out to the Internet but block Windows machines? pfSense can do so (among many other possibilities) by passively detecting the operating system in use. Note that fingerprints can be spoofed, so treat OS-based rules as a convenience rather than a security boundary.
- Option to log or not log traffic matching each rule.
- Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
- Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
- Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
- Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
- Enabled in pfSense by default
- Can be disabled if necessary. Scrubbing causes problems for some NFS implementations, but it is safe and should be left enabled on most installations.
- Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
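The features listed above, expressed in raw pf syntax, as an added illustration that is not from this page or from the pfSense project (pfSense generates equivalent rules from its GUI and writes them to /tmp/rules.debug). Interface names (em0 as WAN, em1 as LAN, em2 as guest, em3 as second WAN), the RFC 5737 documentation addresses and the table names are assumptions:

```pf
# Aliases: pfSense aliases become pf tables, which keeps the ruleset readable
table <webservers> { 203.0.113.10, 203.0.113.11 }
table <admins>     { 192.0.2.0/24 }
table <bruteforce> persist

# Packet normalization ("scrub"): reassemble fragments and drop packets with
# invalid TCP flag combinations before any filter rule sees them
scrub in all fragment reassemble

# Default deny, logged, so anything not explicitly passed shows up in the log
block log all

# Sources that exceeded the connection limits below are dropped outright
block in quick on em0 from <bruteforce>

# Filtering by address, protocol and port, with a per-rule cap on simultaneous
# connections per source and on new-connection rate (15 new connections in 5 s);
# a source that exceeds either is added to <bruteforce> and its states flushed
pass in log on em0 proto tcp from any to <webservers> port { 80, 443 } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Administrative access only from the admin network; this rule is not logged
pass in on em0 proto tcp from <admins> to <webservers> port 22 flags S/SA keep state

# Passive OS fingerprinting (p0f): keep Windows hosts on the LAN off the Internet
# while everything else passes; remember that fingerprints can be spoofed
block in quick on em1 proto tcp from any os "Windows" to any
pass  in       on em1 proto tcp from any to any flags S/SA keep state

# Policy routing: send guest-network traffic out the second WAN gateway
pass in on em2 route-to (em3 198.51.100.1) from 10.10.0.0/16 to any keep state
```

pf evaluates every rule and the last match wins unless a rule says quick, which is why the two block rules carry it: a packet from an overloaded source still matches the pass rule, but the quick block rule decides first. Load this with pfctl -nf to syntax-check before applying it with pfctl -f.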
VPN
pfSense offers three options for VPN connectivity: IPsec, OpenVPN, and PPTP.
IPsec
IPsec allows connectivity with any device supporting standard IPsec. This is most commonly used for site-to-site connectivity to other pfSense installations, other open source firewalls (m0n0wall, etc.), and nearly all commercial firewall solutions such as Cisco, Juniper and so on. It can also be used for mobile client connectivity.
OpenVPN
OpenVPN is a flexible, powerful SSL/TLS VPN solution supporting a wide range of client operating systems.
PPTP Server
PPTP is a popular VPN option because nearly every operating system has a built-in PPTP client, including every Windows release since Windows 95 OSR2. Note, however, that PPTP with MS-CHAPv2 authentication is considered cryptographically broken and should not be relied on for confidentiality; prefer IPsec or OpenVPN wherever the clients support them.
The pfSense PPTP Server can use a local user database, or a RADIUS server for authentication. RADIUS accounting is also supported. Firewall rules on the PPTP interface control traffic initiated by PPTP clients.
Limitations
- Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP clients cannot use the same public IP for outbound PPTP connections. This means that if you have only one public IP and use the PPTP Server, PPTP clients inside your network will not work. The workaround is to use a second public IP with Advanced Outbound NAT for your internal clients. See also the PPTP limitation under NAT in the pfSense documentation.
PPPoE Server
pfSense offers a PPPoE server. A local user database can be used for authentication, and RADIUS authentication with optional accounting is also supported.
Redundancy
CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
pfsync ensures the firewall’s state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
Call us at 678.269.8111 or reach us by email.
Here’s a presentation to show just how sophisticated this software is. We can install it for you at your company –
Copyright, Network Consultants, Inc. 2014
678.269.8111
info@networkconsultantsinc.com
4290 Bells Ferry Road, #134, Kennesaw, GA 30144
fax| 678.819.2795