pfSense: M0n0wall and more20 Feb 2007
I've been a big fan of the FreeBSD-based firewall M0n0wall for some time. Yesterday I finally got around to trying out pfSense, which is based on M0n0wall but which can take advantage of bigger hardware. It's only been a day, but I think I'm hooked.
M0n0wall was developed for embedded devices, and can work with a minimum of CPU, memory and disk (or CF). That means that it doesn't have some features you might find handy in a firewall, like a login shell or a packet sniffer (they can be hacked in, but still). M0n0wall does run on x86 hardware, but it's going to remain focused on small hardware. pfSense started as a friendly fork a couple of years ago to add features and a more recent FreeBSD for those with hardware to support them. We're not talking massive hardware here... 128MB RAM and CF (as opposed to 64MB RAM and 8MB CF for M0n0wall).
pfSense released 1.0 last fall, but my M0n0walls at home and at work have been working well, so I never looked into it. We're now considering infrasructure changes at work, and it'd be nice to have OpenVPN on the firewall. pfSense has it. I run the CD-ROM version of M0n0wall on an old PC at home, with settings saved on a floppy. I inserted the pfSense CD and rebooted. It took over the M0n0wall settings and just worked. Over the console I was able to copy the running system to hard disk, so I can now add packages and install updates.
Just clicking through the interface I found a half dozen reasons to consider switching even running systems:
- SSH login with standard command-line tools (mmmm, tcpdump)
- OpenVPN on board
- Aliases for groups of hosts, networks and ports
- Add-in packages for nmap and ntop
- NAT reflector (NAT addresses available from LAN, makes routing much simpler)
- Load Balancer
The aliases should be real nice since I was raised on the object model in CheckPoint. One drawback of M0n0wall is that it's hard to keep the rules organized, the more intelligent aliases in pfSense should make the rules a bit more managable.