Author Archive

The Road to QoS

Monday, November 17th, 2008

Check out a new blog that goes over the improvements of the pfSense traffic shaper in 2.0.  Basically we are on the road to protocol inspection / classification.

This will be very exciting once the work is completed!!

LinkedIn pfSense software users group

Tuesday, November 11th, 2008

Use LinkedIn? Join our pfSense software users group!!

WPA no longer considered reliable?

Thursday, November 6th, 2008

There are a number of stories making the rounds today about how WPA has been cracked, though “it’s not as bad as you think…yet”.

WPA2 when using TKIP is also affected.

Running a VPN on top of your wireless encryption can offer additional protection, and you may want to consider such a deployment regardless of the wireless encryption deployed in your network. Whether pfSense is your AP, or your APs connect to it, it can provide VPN services to internal users on your wireless network, and you can restrict all traffic coming in from your wireless network to only access the VPN. Then after successfully authenticating to the VPN, users can access your internal network and/or the Internet.

Edit:  SANS has a good webcast on this topic for those interested in details.

Appliance building with pfSense – Introducing pfDNS!

Sunday, October 26th, 2008

While reworking the builder system for a commercial client that is basing their appliance on pfSense, we needed a builder target that could be public and show how to build an appliance from scratch.

Therefore, pfDNS is born!  http://snipurl.com/4q1xe

pfDNS is a customized pfSense installation featuring the TinyDNS server package. Host DNS using this appliance. XMLRPC sync support to secondary name servers means you only need to enter the information on the primary name server, making administration a breeze for your primary and secondary name servers. Depending on how popular this gets we might add a website and start making regular releases :)

To see how pfDNS was created, check out tools/builder_scripts/builder_profiles/pfDNS.

Building this appliance could not be easier! Simply copy tools/builder_scripts/builder_profiles/pfDNS/pfsense_local.sh to /home/pfsense/tools/builder_scripts/ and run build_iso.sh and presto!

I hope this example appliance will help others on their quest when
building a custom appliance based on the pfSense framework.

Edit: updated version available based on FreeBSD 8 and a newer DNS package with a number of bug fixes. 

What do you all think?  Leave comments in the blog.

Also, Holger is working on some artwork that I will get in there soon..  I’ll
post an updated ISO at that point (just look for a newer mtime).

EDIT: artwork added. It is a work in progress but gives a better idea of how the builder system can customize an appliance.

Calling all themers – improving theme support in 1.3

Monday, October 13th, 2008

Work is underway to remove any hard coded theme items!!

If you would like to work on a theme or have worked on a theme in the past and you find something that is hard coded that you cannot change, please e-mail coreteam@pfsense.org with the hard coded details and we will get that corrected.

1.2.1 Snapshots are shaping up rapidly!

Thursday, July 24th, 2008

The 1.2.1 snapshots are shaping up much quicker than we thought they would.  Please see the previous blog entry for more information and jump in and help us test!

If all goes well we will be releasing a 1.2.1-RC1 this weekend!

Don’t use FTP!

Tuesday, July 15th, 2008

Recently came across a number of great reasons why you should not be using FTP.

Take a look and let me know what you think: http://stevenf.com/archive/dont-use-ftp.php

Hurry up and wait … for that image to build.

Thursday, May 29th, 2008

It seems more and more that I spend 90% of my time waiting for pfSense builds to validate code changes, kernel changes, etc. I am curious if anyone has a connection to one of the major computer vendors that could persuade them to donate a “fast” box to the project. In return we will put your logo on our webpage and let the world know we use XYZ hardware for building pfSense. If you know someone that is in a position to make these types of decisions, please email me at sullrich@gmail.com …

Life is too short to spend waiting for building images! :)

UPDATED: See comments for some samples of what we are looking for. We have access to Sanford and Son machines all day long but we need some real hardware for this chore.

PCEngines ALIX boards and pfSense

Tuesday, March 4th, 2008

We have been receiving a lot of requests for help in getting pfSense working on the ALIX board.  The good news is that it does work if you have the latest BIOS version.

Anyone looking to install pfSense on an ALIX, please see this link.

IPsec Stability fixes and 1.2-RC4

Friday, January 18th, 2008

Some of you might have noticed that a lot of work went into getting IPsec running a bit smoother for large numbers of connections. We would like to take a moment and thank a number of folks for their hard work and for their generous monetary contributions that made these efforts possible.

1. Heiko Gabe w/ neos-ag.de donated significant monetary resources to sponsor these fixes. Heiko has sponsored many projects in pfSense and we are exceptionally grateful for his continued support.

2. Timo Teräs is a racoon developer and helped correct a few very minor bugs in racoon and worked on improving setkey code in FreeBSD. Timo is a genius and we are absolutely grateful to him for helping us out.

3. Seth Mos is a pfSense developer and uses IPsec at his work. Seth has been extremely patient and has worked with Timo and Heiko to coordinate, test and get these patches into pfSense.

Now pfSense can handle far more connections than it could when we began. We could barely handle 75 connections at a time; then racoon would go into the “sbwait” state and wedge. Now we have noticed that 250+ active tunnels can be running simultaneously and everything seems to work great. I would not be surprised to see us being able to handle thousands of tunnels, but we still need to test this.

Thanks to everyone involved, our IPsec is far more scalable than what is in FreeBSD itself! Next step is to try and convince the FreeBSD developers to adopt our changes so everyone can win.

Please give everyone above a great round of applause, we really appreciate you guys!!