While our smoothwall is and has been working well for us for the past two years, I recently had the need for something a little more robust.
I came across a fork of the monowall project, pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.
Here’s a short summary of some of the eye catching features.
Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
Able to limit simultaneous connections on a per-rule basis
pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the Operating System in use.
Option to log or not log traffic matching each rule.
Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
Transparent layer 2 firewalling capable â€“ can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
Packet normalization â€“ Description from the pf scrub documentation â€“ Scrubbing is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.
Enabled in pfSense by default
Can disable if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
Disable filter â€“ you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
pfSense offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP.
There’s a ton of other great features that you can read up on at http://is.gd/iauk
The LiveCD ISO is available from http://www.pfsense.org/mirror.php?section=downloads and for VMware folks, a prebuilt VM is available at http://files.pfsense.org/vmware/pfSense-1.2.2-VM.zip