The FreeBSD Foundation needs donations to meet their 2009 goal. They provide very important funding to the FreeBSD project, which serves as the base of the pfSense project. They are a not for profit organization, so your contribution may be tax deductible.
Our Christmas gift to the community is our 2.0 release reaching the beta milestone.
What does this mean? The release is feature complete, with no new features being added, and should stay relatively stable throughout the remainder of the development process. That’s not to say it’s production ready though, most of our developers are using it in production and have been for months, but unless you have a solid understanding of the underlying system and can manually verify the configuration, 2.0 is not yet for you.
To answer the inevitable “when will it be released?” – as always, “when it’s ready”. The release will happen sometime in 2010, but as for a more specific timeline, we can’t provide one at this time.
If you have a non-critical environment where you can try it out, you can find the latest build on the snapshot server. Please report your experiences on the 2.0 board on the forum. There is additional risk with snapshots as changes are made in the source very frequently, and you may get a snapshot from a point in time that caught part but not all of certain changes.
The most current list of known issues can be found here. Those marked as “Feedback” are either believed to be resolved but need more testing, or need further details to be able to replicate and resolve – feel free to add comments to any of those tickets if you can test the specific scenario described. Those marked as “New” are outstanding issues. We welcome contributions, if you can provide a fix for any of the open issues. Before opening a new ticket there, please post to the 2.0 board on the forum where we can help quantify the issue. Before reporting problems, ensure you’re on the latest snapshot. At least 10-20+ changes go in most every day, 7 days a week, so it’s very possible the issue you found is already fixed in our git repository. You can see all commits here.
You can upgrade from 1.2.x to 2.0 just as with any other release, BUT, you cannot downgrade from 2.0 to 1.2.x. And after you upgrade, your configuration will be converted to a format that is usable only on 2.0. If you do upgrade, get a backup first so you can reinstall 1.2.3 if needed. Several of the features in 2.0 were revamped to the extent that a change in configuration formatting was necessitated. Many of the rough edges of 2.0 are in the configuration upgrade code, there is less risk with a clean 2.0 install than one upgraded from 1.2.x at this time. Though that’s largely in more advanced configurations.
Proceed with caution! Expect things to be broken, this is absolutely not production-ready for most scenarios for non-developers, but development is moving along rapidly, and we would appreciate feedback from those in a position to test things (and break their network).
Note that kernel debugging is still enabled, which will reduce performance, though from a packet forwarding perspective it’s usually not noticeable.
Merry Christmas from the pfSense team!
Scott and I are on FLOSS 101 discussing the project, check it out. Thanks much to Randal Schwartz and Leo Laporte for having us! FLOSS Weekly is a podcast covering free and open source software.
1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.
The primary changes from 1.2.2 are listed below.
Upgrade to FreeBSD 7.2 – The FreeBSD base version has changed from 7.0 to 7.2. This also brings fixes for two FreeBSD security advisories. One patching the SSL/TLS renegotiation vulnerability, which is applicable with HTTPS web interface access and potentially with OpenVPN. Another fixes a local root vulnerability, though it isn’t really applicable with pfSense as if you have the access required to exploit this, you already have root, and hence there is nothing to elevate. Warning for those using Intel PRO/100 cards – there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System -> Advanced if you have connectivity problems.
Embedded switched to nanobsd - this is a major improvement of our embedded version, and the old embedded has been discontinued. This is explained in detail here.
Dynamic interface bridging bug fix – The bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. which has been fixed.
IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.
Dynamic site to site IPsec – because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.
Sticky connections enable/disable – sticky connections were previously only changed status at boot time for the server load balancer.
Ability to delete DHCP leases – A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.
Polling fixed – polling was not being applied properly previously, and the supported interfaces list has been updated.
ipfw state table size – for those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.
Server load balancing – ICMP monitor fixed.
UDP state timeout increases – By default, PF does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts, setting state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.
Disable auto-added VPN rules option - added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.
Multiple servers per-domain in DNS forwarder overrides - previously the GUI limited you to one server per domain override in the DNS forwarder, you can now put in multiple entries for the same domain for redundancy.
No XMLRPC Sync rules fixed - in some circumstances, rules marked to not sync would sync regardless.
Captive portal locking replaced – the locking used by the captive portal has never been great (same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.
DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.
Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.
For information on upgrading, see the Upgrade Guide.
You can get 1.2.3 pre-installed from Netgate on the ALIX and Hamakua platforms, as well as Applianceshop.eu, and our other recommended hardware vendors.
If you haven’t gotten your copy of the book yet (foreword here), it was fully written to account for all the changes in the 1.2.3 release (which were final before it went to print). Pick up your copy today!
Glad to see two book reviews on Amazon already, both with five stars!
I was thrilled to have the foreword for the book written by one of my favorite authors, Michael W Lucas, the author of Absolute FreeBSD, Absolute OpenBSD, Cisco Routers for the Desperate, PGP & GPG, among other things. Thought I would share it here.
My friends and co-workers know that I build firewalls. At least once a month someone says “My company needs a firewall with X and Y, and the price quotes I’ve gotten are tens of thousands of dollars. Can you help us out?”
Anyone who builds firewalls knows this question could be more realistically phrased as “Could you please come over one evening and slap together some equipment for me, then let me randomly interrupt you for the next three to five years to have you install new features, debug problems, set up features I didn’t know enough to request, attend meetings to resolve problems that can’t possibly be firewall issues but someone thinks might be the firewall, and identify solutions for my innumerable unknown requirements? Oh, and be sure to test every possible use case before deploying anything.”
Refusing these requests makes me seem churlish. Accepting these requests ruins my cheerful demeanor. For a long time, I wouldn’t build firewalls except for my employer. pfSense lets me be a nicer person without having to actually work at it. With pfSense I can deploy a firewall in just a few hours — and most of that is running cables and explaining the difference between “inside” and “outside.” pfSense’s extensive documentation and user community offers me an easy answer to questions — “did you look that up?” If pfSense doesn’t support a feature, chances are I couldn’t support it either. But pfSense supports everything I could ask for, and with a friendly interface to boot. The wide userbase means that features are tested in many different environments and generally “just work,” even when interacting with the CEO’s kids’ Windows ME PC connected to the Internet by Ethernet over ATM over carrier pigeon. Best of all, pfSense is built on much of the same software I’d use myself. I trust the underlying FreeBSD operating system to be secure, stable, and efficient.
Security updates? Just click a button and reboot. You need new features? Just turn them on. pfSense handles clustering, traffic shaping, load balancing, integration with your existing equipment through RADIUS, IPsec, PPTP, monitoring, dynamic DNS, and more. Big-name industry suppliers charge outrageous fees to support what pfSense freely provides. If your employer insists on paying for support contracts, or if you just feel more secure knowing you can pick up the phone and scream for help, you can get pfSense support agreements very reasonably. If you don’t need a support contract, I happen to know that Chris, Jim, or anyone else with a pfSense commit bit will let grateful pfSense users buy them a beer or six.
Personally, I don’t build firewalls from scratch any more. When I need a firewall, I use pfSense.
– Michael W. Lucas
Five years ago today, the pfsense.* domains were first registered. The project actually hit 5 years since its inception about 2-3 months ago, living the first part of its life as projectx (some history here) with no website.We’ve come a long way!
Thanks to everyone who has supported the project in any fashion over the past five years. Here’s to even better things in the next 5 years!
And what better way to celebrate than picking up a fresh off the press copy of the pfSense book?
Finally, comprehensive documentation for pfSense is available in print!
Table of contents is available here.
Authored by pfSense co-founder Chris Buechler and pfSense developer Jim Pingle, The Definitive Guide to pfSense covers installation and basic configuration through advanced networking and firewalling of the popular open source firewall and router distribution.
This book is designed to be a friendly step-by-step guide to common networking and security tasks, plus a thorough reference of pfSense’s capabilities. The Definitive Guide to pfSense covers the following topics:
At the end of this book, you’ll find a menu guide with the standard menu choices available in pfSense and a detailed index.
Thanks for your support!
A new package that provides a full terminal via webpage has been added. This little gem of a package uses AJAX and provides full terminal emulation allowing for full screen terminal applications like vi, nano, top and so such to run perfectly!
The package also provides support for STUnnel. However there is a known bug with STUnnel on the Certificates tab that we are working on but the default SSL Certificate works OK.
Check out a few screen shots
What started originally as a base system option written by Remco Hoef was rescued from the dead, brought up to the latest HAProxy standard and then turned into a full blown package so that it can run on 1.2.3 and 2.0!
Check out these screen shots:
http://twitpic.com/lgtba
http://twitpic.com/lgldl
http://twitpic.com/lgl3o
http://twitpic.com/lgkj3
http://twitpic.com/lgkid
http://twitpic.com/lgfea
http://twitpic.com/lgkjn
Install the package and let us know what you think!
After several months since the last official 1.2.3-RC release, because of some tough issues in the underlying software that are now resolved, 1.2.3-RC3 is now available.
The final release will be coming very soon, please help test.
The major changes since 1.2.3-RC1:
Those are the major changes in this version that impact many users. A number of other minor edge case bugs were fixed, things that nearly all of you have never seen and won’t ever run into. If you’d like the full details on all the changes on the 1.2.x branch, see the git commit logs.
Downloads