Saturday, January 9, 2010

Goodbye Smoothwall, Hello pfSense!

I have been a faithful Smoothwall user for many years. After the first time I got hacked I started to look into firewalls and was pointed to Smoothwall by my co-blogger Dre Day.

Now, years later, I have decided to leave Smoothwall in 2009 and start the year afresh with pfSense. Why, you might ask? I will attempt to answer this question by putting the facts in front of you, and hopefully you can see why.

I have taken information from both projects' websites and narrowed it down to a few features of interest to me.


Smoothwall Express features of interest to me

Firewalling:

* Supports LAN, DMZ, and Wireless networks, plus External.
* External connectivity via: Static Ethernet, DHCP Ethernet, PPPoE, PPPoA using various USB and PCI DSL modems.
* Portforwards, DMZ pin-holes
* Outbound filtering
* Timed access
* Simple to use Quality-of-Service (QoS)
* Traffic stats, including per interface and per IP totals for weeks and months
* IDS via automatically updated Snort rules
* UPnP support
* List of bad IP addresses to block

Proxies:

* Web proxy for accelerated browsing
* POP3 email proxy with Anti-Virus
* IM proxy with realtime log viewing

Maintenance:

* Backup config
* Easy single-click application of all pending updates
* Shutdown and Reboot from UI

pfSense features of interest to me

Firewall

  • Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
  • Able to limit simultaneous connections on a per-rule basis
  • pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the Operating System in use.
  • Option to log or not log traffic matching each rule.
  • Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
  • Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
  • Transparent layer 2 firewalling capable - can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
  • Packet normalization - Description from the pf scrub documentation - "'Scrubbing' is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations."
    • Enabled in pfSense by default
    • Can disable if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
  • Disable filter - you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
  • VPN
  • IPSec
  • Reporting and Monitoring RRD Graphs
  • Dynamic DNS support
  • Network Address Translation (NAT)
  • Real Time Information
  • State Table

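The pfSense features listed above are configured through its web GUI, which generates a pf ruleset underneath. As an added example (not code from this post or from the pfSense project), the following hand-written pf.conf shows the native pf syntax behind aliases, scrub, per-rule logging, per-rule connection limits, p0f operating-system matching and policy routing. Interface names, addresses, the table file path and the second-WAN gateway are assumed placeholders.

```pf
# Added example: native pf syntax for the pfSense features listed above.
# Interface names, addresses and file paths are assumed placeholders.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Aliases: pf tables and macros group hosts and ports so the ruleset stays readable.
table <web_servers> { 192.168.1.10, 192.168.1.11 }
table <bad_hosts> persist file "/etc/pf.badhosts"   # the "list of bad IP addresses to block"
web_ports = "{ 80, 443 }"

# Packet normalization (scrub): reassemble fragments and drop TCP packets with
# invalid flag combinations. pfSense enables this by default; removing the line
# is the "disable if necessary" option for a broken NFS implementation.
scrub in all fragment reassemble

# Default deny, logged, then drop anything from the blocklist early.
block log all
block in quick on $ext_if from <bad_hosts>

# Per-rule logging ("log") and per-rule connection limits: at most 50 open
# connections per source, and sources opening more than 15 connections in 5
# seconds are added to <bad_hosts> and their existing states flushed.
pass in log on $ext_if proto tcp to <web_servers> port $web_ports \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 15/5, overload <bad_hosts> flush global)

# Passive OS fingerprinting: the "os" keyword matches p0f-style signatures,
# implementing the post's "allow Linux, block Windows" policy.
pass in on $lan_if from $lan_net os "Linux" to any keep state
block in log on $lan_if from $lan_net os "Windows" to any

# Policy routing: traffic matching this rule leaves via a second WAN gateway
# (multi-WAN / failover use case). em2 and 203.0.113.1 are placeholders.
pass in on $lan_if route-to (em2 203.0.113.1) proto tcp from $lan_net to any port 22 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then without `-n` to apply; `pfctl -s states` and `pfctl -t bad_hosts -T show` give the real-time state table and the current blocklist that the pfSense GUI displays.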
Redundancy

CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.

Captive Portal

Captive portal allows you to force authentication, or redirection to a click through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access. For more information on captive portal technology in general, see the Wikipedia article on the topic. The following is a list of features in the pfSense Captive Portal.
 
In the end pfSense was the best fit for what I was looking for in a Firewall.

