Archive for June, 2007

Explanation of snapshot file name dates

Thursday, June 28th, 2007

This has come up a few times, and I explained it on the support list earlier, but want to put it out here as well.

Our snapshot server builds images automatically every two hours from the source code in CVS at the time of the build. The update files have dates in the file name, which come from /etc/version in CVS. So this date in the file name does not change unless someone commits a change to /etc/version. Earlier this week, that file had not been changed for several weeks, so the snapshots were still showing something like 06-06-2007 (as the majority of the developers are US-based, we use MM-DD-YYYY format, rather than the DD-MM-YYYY that some of you are accustomed to). Scott committed a change in the last couple of days, so the snapshots are showing the actual build dates for the past two days, but this won’t necessarily always be the case.

In short: trust the time stamp shown on the file, not the date in the file name.

Hopefully post-1.2 release we can change the build scripts to eliminate this confusion.
For now, we’re focusing on getting out the 1.2 release.

Web site stats

Monday, June 25th, 2007

It’s always interesting to see the web stats from our sites. Only counting www.pfsense.(com|net|org), not the forum, wikis, blog, cvstrac, FAQ, or anything else, we’ve had 33,000-39,000 unique visitors per month for 2007 through the end of May. More than 70,000 visits, and about a million hits per month. So we see a good deal of traffic, and it’s growing every month with May our second highest month ever with close to 39,000 unique visitors.

Our highest month to date was October 2006, when we were on the front page of Slashdot, OS News, popular on digg, and on numerous other sites for the 1.0 release. That month we had nearly 54,000 unique visitors, and over 15,000 on the busiest day.

Browser Stats

Firefox – 41.3%
IE – 29.6%
Unknown – 20.4% (note: mostly pfSense installs downloading packages)
Opera – 3.3%
Mozilla – 1.5%
Safari – 1.5%

OS Stats

Windows (all versions) – 64.9%
Unknown – 22% (note: mostly pfSense installs downloading packages)
Linux – 8.4%
Macintosh – 3.7%
BSD – 0.7%

Windows versions used include NT 4, 2000, XP, 2003, Vista, 95, 98, ME and CE. What, nobody with Windows 3.11 out there anymore?

BSDs include FreeBSD, OpenBSD, and NetBSD. FreeBSD has about 90% of the total BSD share.

The most popular Linux distro of our web site visitors is Ubuntu, with more than 5 times the number of users as the next closest, Suse. Red Hat, Mandriva/Mandrake, Fedora, Debian, and CentOS follow in that order of popularity, though Ubuntu has more users on our site than all those named distros combined!

Other OSes include Solaris, Symbian OS, OS/2, CPM, Irix, BeOS, OSF Unix, AmigaOS, VMS, and WebTV (are you kidding me?).

Quite a diverse group!

Of course these things can be changed to look like something they aren’t, but I’m sure the number of people who go to that trouble is statistically insignificant.

1.2 status update

Sunday, June 24th, 2007

I’ve been going through all the open bug tickets, cleaning up things that have been fixed and reviewing everything else to help Scott and the other developers fix the remaining issues. We’re down to about a half dozen known issues in the current RELENG_1_2 snapshots, which will hopefully all be fixed in a week or less. At that point, assuming we don’t find any other issues in the meantime, 1.2b2 will be released.

As always, I can’t speculate on a release date for 1.2. That largely depends on what issues people find once 1.2b2 is out, and how much the developers’ real lives and paid work get in the way of open source work. Probably somewhere between 1-4 months from now. We’re shooting for sooner rather than later, as this release is already drastically more reliable and bug free than 1.0.1, but we also want to make sure there are no known issues in the 1.2 release.

Typo Squatters on "pfsence"

Saturday, June 23rd, 2007

Looking at some reports on our web logs, I noted the second most common Google search that lands people on www.pfsense.(com|net|org) is “pfsence” (the first being, of course, “pfsense”). Somebody obviously figured out that’s a common misspelling long before I did. “” was registered by a typo squatter on 1/1/2006. I guess that’s how you know you’re popular. :) We had the foresight to register the .com, .net and .org domains at least, but didn’t consider any common typos.
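The log review described above can be automated so that common misspellings of a project name surface before someone else registers them. This is an added example, not part of the original post; the referrer lines are constructed, and the `q=` query parameter and the distance threshold of 2 are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

BRAND = "pfsense"

# Constructed sample: referrer fields as they might appear in access logs.
SAMPLE_REFERRERS = [
    "http://www.google.com/search?q=pfsense",
    "http://www.google.com/search?q=pfsense&hl=en",
    "http://www.google.com/search?q=pfsence",
    "http://www.google.com/search?q=pfsence+download",
    "http://www.google.com/search?q=pfsens",
    "http://www.google.com/search?q=freebsd+firewall",
    "http://www.google.com/search?q=PFSense+1.2",
]

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def near_miss_terms(referrers, brand=BRAND, max_distance=2):
    """Count search words that are close to, but not equal to, the brand."""
    counts = Counter()
    for ref in referrers:
        # parse_qs decodes '+' and %XX escapes in the search query.
        query = parse_qs(urlparse(ref).query).get("q", [""])[0]
        for word in re.findall(r"[a-z0-9]+", query.lower()):
            if word != brand and edit_distance(word, brand) <= max_distance:
                counts[word] += 1
    return counts.most_common()

if __name__ == "__main__":
    for word, hits in near_miss_terms(SAMPLE_REFERRERS):
        print(f"{word}: {hits} search(es); candidate for defensive registration")
```

The most frequent near-miss terms are the ones worth registering defensively or watching in registration monitoring.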

Polling and FreeBSD

Saturday, June 23rd, 2007

In a default pfSense configuration, any time a NIC needs attention, it generates an interrupt. In some instances, rather than having to deal with heavy interrupt load, alternative methods improve performance. An alternative to interrupt-driven operation in FreeBSD is using device polling. This stops interrupts from being generated and polls the devices a set number of times per second. This value is kern.hz, which is 1000 by default on pfSense full installations, with 100 as the default on embedded and any hardware automatically detected as VMware.

The general consensus in the FreeBSD community used to be that polling is faster, and performance testing proved this. This comes from back in the FreeBSD 4.x days. It’s still ingrained in a lot of BSD people’s heads as being faster, but that’s just not true anymore for firewall scenarios. Polling in FreeBSD 5.x through -CURRENT has some serious issues in firewall deployments. It always drastically lowers network throughput on pfSense and all other FreeBSD 5.x, 6.x, and -CURRENT systems.

The only reason I would suggest using polling at this time is if your hardware runs at its maximum capacity frequently, because an overloaded pfSense install is completely unresponsive on all management interfaces – the console, SSH, and webGUI. The better solution is to size your hardware adequately for the amount of throughput you require, and don’t push your hardware past its capacity.

So what does pfSense stand for/mean, anyway?

Thursday, June 21st, 2007

This question came up on the forum, so I thought I would answer it here for a wider audience.

This project ran for a couple months with no name. In fact, the FreeBSD jail that runs our CVS is still called “projectx”.

Scott and I were the only two members of the project at the time, as the founders. We ran through numerous possibilities, with the main difficulty being finding something with domains available. Scott came up with pfSense, pf being the packet filtering software used, as in making sense of pf. My response was less than enthusiastic. But, after a couple weeks and still having nothing better, we went with it. It was even said “eh, we can always change it.”

Others have suggested it stands for things including Plain F…. Sense, but I won’t go there. :)

I started a thread on the private developers list sometime last year proposing changing the name of the project. Most people didn’t care one way or the other. A couple said they thought pfSense was fine. There wasn’t any serious interest in changing. We had some extensive lists of options put together, but never really came up with anything compelling enough to change.

Got an idea for a replacement name with domains available? Email me. Think the name is fine as it is? Think we should change? Feel free to leave comments or email me. I don’t think a name change is very likely, but thought I would mention it.

Update: From numerous emails and the comments here, the opinion of the vast majority seems to be “keep the name!” I’m glad our user base thinks it’s good, I’m certainly satisfied with it then.

Network performance update

Monday, June 11th, 2007

I deleted the last two posts on network performance because they contained some incorrect and misleading information, owing to some problems we discovered.

We’ve eliminated the performance issues discovered in 1.2b1 in current snapshots starting several days ago. We kept some kernel patches that show measurable performance gains, and removed others that showed no gains. We’re now about 15% faster in 1.2 than in 1.0, and about 10% faster than m0n0wall 1.3 (pf patches now make it faster than ipfilter in m0n0wall).