PfSense up and running, initial thoughts...

I have been wanting to implement a pf [Packet Filter] based firewall and routing solution since I started playing with OpenBSD so much. Considering I have a half-dozen machines running here, saving a bit of power might be a good idea :D. For now I'm running one of my old 4U rackmount servers with pfSense; soon, though, I will have a nice small form factor solution to copy my current configuration over to. I basically wanted to ensure this would suit all of my needs before I went in with both feet and bought dedicated hardware for this project, and I can happily say I am nothing but pleased so far.


Although pfSense is actually a FreeBSD solution, it uses the port of pf that has been available in FreeBSD for many years. I am currently using the latest STABLE release, which offers many new features since I first tried this several years ago. Packages can now be installed via the web GUI, and many other things have become much clearer to an inexperienced user thanks to tons of great "hint" snippets. I would highly recommend doing a bit of investigation on the supported network cards and the quality of their drivers, etc. Many network cards will work, but nowhere near the caliber of the firewall you are about to set up on them. Invest in a good set of NICs, or a couple of single Intel quad-port NICs. Some of them retail for over $2k each, but don't be worried: plenty of places offer [guaranteed working] refurbished units for under fifty bucks; you can't buy four low-quality NICs for that much!

Essentially there were only a handful of things that I was dead set on getting up and going, one of which is still out of my reach.
First and foremost I wanted the 'scrub' feature, which normalizes every packet entering and leaving the network (reassembling fragments and sanitizing header fields) so that nothing ambiguous reaches the hosts behind the firewall. I also wanted strict control over my bandwidth using traffic shaping and the load balancer: prioritizing traffic by protocol and port, such as SSH, game ports, HTTP, POP3, p2p, and a few others. Doing this correctly ensures that even if you or several others on the network have all kinds of pfSense, Linux, and BSD .iso's downloading, for example, web traffic never gets bogged down.


The filtering and IDS functions are priceless. With pf you can of course block traffic by network, protocol, port, or even by the operating system from which the packets originated (pf's passive OS fingerprinting), while content-based blocking is the IDS side's job. Almost all of these features can be configured with the excellent web GUI, although some stricter operations that are not supported in the web GUI can easily be set up over an SSH connection.

One of my main goals is to import blocklists into pfSense and cut off any unwanted visitors and/or companies from accessing my network. There are several requests and documented wishes for this feature. Currently there isn't really a working way to import, for example, the Bluetack list URLs for automated updating every so often. You can currently copy/paste individual hosts etc., but there are over 800 million IPs in my current scheme and that might take a bit longer than I was hoping :D. I'm working hard to find a solution, but there just doesn't seem to be one that fits at the moment, so I'm crossing my fingers and hoping!

One of our users was hit up by a run-of-the-mill company like Media Sentry, etc., and had his connection shut down. An effective blocklist deployment could most likely have stopped this in its tracks, so as I said, I'm eager to get this working. Blocking hosts and networks at the edge is much more effective than having individual host-based clients all doing the same thing, and so my hunt continues.
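The underlying mechanism pf offers for exactly this job is a table: a set of addresses and CIDR networks that a single `block` rule can match against and that can be swapped out in place without touching the rest of the ruleset. The catch is that Bluetack-style "p2p" lists are written as address ranges, which a pf table will not accept, so each range has to be collapsed into CIDR blocks first. The script below is an added example (mine, not the post's and not part of pfSense) that does that conversion; it assumes the p2p text format of one `description:first_ip-last_ip` entry per line with `#` comments, and the list it works on is a constructed sample, not a real Bluetack download.

```python
"""Convert a PeerGuardian/Bluetack-style "p2p" blocklist into CIDR blocks that a
pf table can load.  Added example; not code from the original post or from pfSense.

Assumed input format (an assumption, not stated on the page): one entry per line as
"description:first_ip-last_ip", with '#' introducing a comment line.
"""
import ipaddress

# Constructed sample for the demo, using documentation address ranges.
SAMPLE_P2P = """\
# constructed sample, not a real Bluetack list
Example Monitoring Co:192.0.2.0-192.0.2.255
Example Monitoring Co:198.51.100.5-198.51.100.20
this line has no range and must be skipped
Example Hosting:203.0.113.0-203.0.113.127
"""


def parse_p2p(text):
    """Yield (first, last) IPv4Address pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The description may itself contain ':', so split on the last one.
        _desc, sep, rng = line.rpartition(":")
        if not sep or "-" not in rng:
            continue
        lo, _, hi = rng.partition("-")
        try:
            first = ipaddress.IPv4Address(lo.strip())
            last = ipaddress.IPv4Address(hi.strip())
        except ipaddress.AddressValueError:
            continue  # garbage in the list must not abort the whole update
        if last < first:
            first, last = last, first
        yield first, last


def p2p_to_cidrs(text):
    """Collapse all ranges into the minimal sorted set of CIDR networks (as strings)."""
    nets = []
    for first, last in parse_p2p(text):
        # summarize_address_range turns an arbitrary range into the fewest CIDR blocks
        nets.extend(ipaddress.summarize_address_range(first, last))
    # collapse_addresses merges overlapping/adjacent networks from different entries
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def pf_table_file(cidrs):
    """Render the file that `pfctl -t blocklist -T replace -f FILE` loads."""
    return "\n".join(cidrs) + "\n"


if __name__ == "__main__":
    # Typical use: write the output to the file named in pf.conf, then run
    #   pfctl -t blocklist -T replace -f /etc/blocklist.txt
    # to swap the table contents atomically without reloading the ruleset.
    print(pf_table_file(p2p_to_cidrs(SAMPLE_P2P)), end="")
```

On a hand-written pf.conf the table is declared as `table <blocklist> persist file "/etc/blocklist.txt"` and used by a rule such as `block in quick on $ext_if from <blocklist> to any`; `pfctl -T replace` then refreshes it from a cron job without interrupting existing state. Keep in mind that pfSense generates its ruleset from the web GUI, so rules added by hand over SSH will be overwritten the next time the GUI reloads the filter; the table replacement itself, however, is independent of the ruleset reload.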