<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>LinuxNiche &#187; firewall</title>
	<atom:link href="http://blog.linuxniche.net/tag/firewall/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.linuxniche.net</link>
	<description>The ramblings of a linux geek..</description>
	<lastBuildDate>Wed, 29 Dec 2010 14:14:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Need a Firewall?  Part 2.</title>
		<link>http://blog.linuxniche.net/2009/09/need-a-firewall-part-2/</link>
		<comments>http://blog.linuxniche.net/2009/09/need-a-firewall-part-2/#comments</comments>
		<pubDate>Thu, 24 Sep 2009 03:55:08 +0000</pubDate>
		<dc:creator>FatalSaint</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[endian]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[ipcop]]></category>
		<category><![CDATA[pfsense]]></category>

		<guid isPermaLink="false">http://blog.linuxniche.net/?p=485</guid>
		<description><![CDATA[Welcome Back!! In the last article regarding firewalls I gave you the links and some basic information regarding three different firewall options.  I had intended to try all three and let you know how it went but I was enjoying messing with the Endian firewall too much to lose it!  Well, I recently got bored [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Welcome Back!!</strong></p>
<p>In the <a href="http://blog.linuxniche.net/?p=235" target="_blank">last article</a> regarding firewalls I gave you the links and some basic information regarding three different firewall options.  I had intended to try all three and let you know how it went but I was enjoying messing with the Endian firewall too much to lose it!  Well, I recently got bored and decided what the hell &#8211; time to try something new.  So I went to the next in the list:  <a href="http://www.pfsense.com/" target="_blank"><strong>pfSense</strong></a>.</p>
<p><span id="more-485"></span>So in this article I&#8217;ll give you a brief overview of what pfSense can do.  This article is going to be a lot more technical than the last article because to be honest &#8211; pfSense required me to be more technical than either Endian or IPCOP for what I needed.  If you do not run a DMZ at your house and are just looking for a quick, cheap firewall to turn your old computer into something useful &#8211; pfSense can do that with not a lot of work on your part, and the majority of this article will not be for you.  If you do run a DMZ &#8211; you&#8217;ll need to read this :).</p>
<p>So I downloaded the LiveCD installer option, printed out my port configuration page from my Endian setup, and rebooted the firewall.  It booted directly into a fully working system in just a few minutes &#8211; which is expected when using a &#8220;LiveCD&#8221;.</p>
<p>In the pfSense documentation it recommended to configure the firewall before installing to the hard drive so I did just that.  I logged into the website, which in my opinion is a fairly professional and clean interface, and started configuring my network cards and subnets.</p>
<p>Everything went pretty smoothly at the beginning and eventually I got to the point of installing to the hard drive.  This was again totally uneventful and worked perfectly.  The installation was a little more difficult, or seemed to be, than the others I have tried (Smoothwall, IPCop, Endian) because the installer wouldn&#8217;t really do anything for you (like partition the hard drive).  I&#8217;m not <strong>too</strong> surprised by this, as this firewall is based on a BSD kernel and not Linux &#8211; and in my experience the BSD distributions tend not to be as user-friendly as their Linux counterparts.  BSD derivatives make up for it, however (again in my experience), by being a little more stable and secure out of the box than Linux is.</p>
<p>To be fair, that&#8217;s usually because out of the box a BSD system has less 3rd party software, which leads again to the non-user friendliness :).  Anyway, back on point, after selecting my options for the installation I ejected the CD and rebooted into pfSense.</p>
<p>As advertised, it saved all my configuration details and most of my LAN worked as is.  Now I got to the point of the more difficult things like checking the firewall port forwarding and setting up my DMZ.  This is where pfSense got to be a little more difficult..</p>
<p>In IPCOP, it automatically asks you if you have/want an Orange interface, and then automatically configures you a nice default set of rules that allow pretty much anything out to the internet but not to your Green or Blue networks.  This works well, is point/click easy, and takes all of 10 minutes to start forwarding your ports to your DMZ and off you go.</p>
<p>In Endian, it also wants to know if you want an Orange network, and it also automatically configures a nice default set of firewall rules that are much more restrictive than the IPCOP defaults.  This is good for security, and requires the admin to open up only what he or she wants.</p>
<p>In pfSense.. it wants to know why you want to use a third interface and tells you to go stick it.  Well ok, not really.  It is however much less intuitive.  During installation it will ask you for a LAN interface, fair enough, then it asks for an internet interface, good good, and then it just goes on to ask for &#8220;Optional Interfaces&#8221; that it duly names &#8220;OPT1, OPT2, OPT3.. etc&#8221; until you decide you&#8217;re done adding interfaces.  Once the interface is added, you have to go into the web interface and actually enable it (because.. you may have just been adding random nonexistent interfaces for fun) and then you go to the firewall rules area and find&#8230; nothing.  This is great for just being annoying :).</p>
<p>Under the pfSense firewall rules you have different tabs per interface and you do have of course a tab for the new interface but NO default rules are added.  No DNS, no web, nada.  So you get to add everything you need, including basic &#8220;make this subnet work&#8221; rules by hand.</p>
<p>On the other hand.. pfSense does have a rule that Endian opted to skip: the Any-&gt;Any Allow rule for your LAN network.  You know, that&#8217;s the easy rule I described in my last article that makes IPCOP a great firewall setup for new or inexperienced users.  You don&#8217;t have to mess with anything to get all of the internet at your fingertips, while blocking the malicious traffic from the outside. Again this is a complete trade-off on how you want to set up your network: access control for employees or children, or easy configuration with minimal fuss.</p>
<p>Now, Endian and pfSense each take a different road by default, but can each be made like the other due to support for bi-directional (incoming and outgoing traffic) firewalling&#8230; IPCOP on the other hand takes the easy road, with no default options to change it.  With IPCOP you have to install an addon that allows you to block outgoing traffic &#8211; again solidifying IPCOP&#8217;s role as the user-friendly easy firewall with limited advanced options (without addons).</p>
<p>Like IPCOP, however, pfSense comes with nearly no additional software beyond your default firewall/router/NAT configuration.  It does have some advanced things: load balancing with another pfSense firewall, a PPPoE server, etc.. but no proxies, anti-virus, content filters, etc.  Endian came with these by default.  Unlike IPCOP, however, the pfSense package/addon interface seems <strong>much</strong> simpler.  It&#8217;s already there in your menu, ready to go; just click &#8220;install&#8221; on any particular addon and it automatically fetches, installs and configures it.  Using these you can add all the missing functionality you need.  In IPCOP, this requires you to install the basic addon interface first (via a command line in SSH), and then you can browse to &#8220;Addons&#8221; in the web interface, pick an addon, go download the package to your computer, then go back to the web interface and &#8220;upload&#8221; the package to IPCOP.  This whole procedure breaks the &#8220;easy&#8221; that IPCOP&#8217;s entire foundation lives on.</p>
<p>Going back to the port forwarding in the DMZ, I was presented with a different problem.  First, what was obvious to me but may not be to some (or most?), was that because the firewall interface is broken up by interface (LAN, WAN, DMZ) you can&#8217;t just create one bi-directional rule for port forward, but instead have to go create one rule on the WAN to allow it coming in, and one rule on the DMZ to allow it going out.</p>
<p>Normally this would create double the work, if it weren&#8217;t for a hidden specialty that pfSense has and I will get to in a minute.  Second, after spending an hour banging my head against the wall and searching through pages of forum posts online trying to figure out why my port forwards still weren&#8217;t working for my DMZ.. I found a post that explained you needed to actually add specific NAT rules for each port as well.</p>
<p>Holy Hell pfSense, so let&#8217;s get this right: what you can do in one rule in Endian and IPCOP, takes 3 rules in 3 different pages for pfSense?!? One in Firewall-&gt;NAT, one in Firewall-&gt;Rules-&gt;WAN, and one in Firewall-&gt;Rules-&gt;DMZ &#8211; AND they are all different.  So basically, if I have 20 rules in Endian for 20 ports I need to forward &#8211; then doing it this way would have taken <strong>60 bloody rules</strong>!  To be fair, if you do the NAT one first it has a checkbox that will automatically create a rule for the WAN &#8211; but still, that&#8217;s just nonsense!</p>
<p>Now, not all servers need this: Web servers for example don&#8217;t need to get &#8220;out&#8221; port 80 due to the nature of the stateful firewall &#8211; it allows &#8220;responses&#8221; from your webserver to the client; however mail servers on the other hand obviously need to get &#8220;out&#8221; port 25 to talk to other mail servers &#8211; my example of 60 represents a &#8220;worst case scenario&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.linuxniche.net/2009/09/need-a-firewall-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Need a Firewall?</title>
		<link>http://blog.linuxniche.net/2009/07/need-a-firewall/</link>
		<comments>http://blog.linuxniche.net/2009/07/need-a-firewall/#comments</comments>
		<pubDate>Fri, 10 Jul 2009 18:14:03 +0000</pubDate>
		<dc:creator>FatalSaint</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.linuxniche.net/?p=235</guid>
		<description><![CDATA[Do you have an old PC you don&#8217;t use? I have now reviewed the pfSense firewall here. Hello again!  Up until a few days ago I secured my home DSL broadband network with the IPCOP 1.4 firewall.  I do like IPCOP and it was fun and easy to use.. especially when you add all the addons [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Do you have an old PC you don&#8217;t use?<br />
</strong><span style="color: #ff0000;">I have now reviewed the pfSense firewall <a href="http://blog.linuxniche.net/?p=485" target="_self">here</a>.</span></p>
<p>Hello again!  Up until a few days ago I secured my home DSL broadband network with the IPCOP 1.4 firewall.  I do like IPCOP and it was fun and easy to use.. especially when you add all the addons (which are of course unsupported) that you may want.  Keep in mind that, while Linux based, everything is managed through a web interface, just like any Netgear/Linksys router.  Now, I do believe in the KISS principle on security.  A server/box should be what it is and nothing more.  A firewall should be a firewall, a proxy a proxy, a mail server a mail server, etc.  The more you combine into one machine, the more chance multiple applications/systems can become compromised.<span id="more-235"></span></p>
<p>However, some of us are just securing our home network here, not some corporate secrets that will cause a global radioactive explosion if they happen to leak beyond the boundaries of the intrawebz.  Granted, your own life could potentially be ruined if someone gets ahold of your bank information, but to expect the average user to be running 30 different systems for each piece of security is just unrealistic.</p>
<p>So, the addons on IPCOP almost become a necessity because out of the box it&#8217;s a firewall, an IDS, and a proxy.  But the proxy doesn&#8217;t include much of any content filtering by default; it&#8217;s simply a proxy.  The other thing about IPCOP is that by default the interface doesn&#8217;t really support bi-directional rule creation.  It pretty much assumes all outgoing traffic is good and all incoming traffic is bad.  Which is nice and simple, if a bit limited.  So, a few addons later you have a full content-filtering, bi-directional firewall and router solution to secure your home.</p>
<p>What all this means for you is that (especially if you have kids) you can easily block most porn, viruses, spam, advertisements, hacker/illegal/piracy/gambling/etc. websites, and a whole bunch of other things considered &#8220;bad&#8221; on the internet, simply by clicking a checkbox.  Try getting your Linksys to do that :).</p>
<p>The downside to these firewalls is that they require hardware.   Unlike the Linksys or Netgear router that you buy from the store, take home and just plug into your DSL/cable/satellite modem to give you the assumption of security (these don&#8217;t provide much protection, especially if you leave them at the defaults, including passwords), IPCOP and the others I discuss here require a separate computer.  The nice thing however is that this computer can be the biggest piece of junk you can find at a yard sale and it&#8217;ll likely still work.  We&#8217;re talking Pentium IIs here; 5GB of hard drive space and probably 256MB of memory is more than enough to run these.</p>
<p>As I said, it was IPCOP for me until recently.  Several months ago Snort started failing with a Helper Code on the page.  It appears that the version of Snort (the Intrusion Detection System, IDS) on IPCOP 1.4 is 2.6 and the new Snort rulesets only support 2.8 and up.  So I checked out IPCOP&#8217;s forums and other sources of information and basically gathered that not only is it known that Snort is broken, but the people at IPCOP seem to have gotten the idea that Snort is useless anyway, so they just <a href="http://www.ipcops.com/phpbb3/viewtopic.php?f=16&amp;t=12612" target="_blank">won&#8217;t include it in the next release</a>, 2.0.</p>
<p>Well, this blog isn&#8217;t to argue the usefulness or lack thereof of Snort.  Suffice to say, I like Snort, I do find it useful in detecting various things (sure, I get a lot of fluff, but it&#8217;s easier to look through Snort alerts than the billions of lines of firewall logs that get generated) and I think an IDS is an integral part of security.  I&#8217;m sure IPCOP has good reasons for ditching Snort, but I want it, so I ditched IPCOP.  While on the search for a new &#8220;turn-key&#8221; based firewall solution I came across these:</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.linuxniche.net/2009/07/need-a-firewall/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

