Archive for December, 2008

pfSense in 2009

Wednesday, December 31st, 2008

As 2008 comes to a close, we have many plans for 2009. This post outlines some of the big things coming up in 2009.

  • CVS conversion to git – this has been partially in progress for 6 months now, and now that 1.2.1 is out, Bill Marquette is working on getting us converted. This should be done within the next week, and brings a number of development-related benefits which will be detailed later.
  • pfSense as an appliance building framework – one of the things Scott and I envisioned in founding this project is to make it into an appliance building framework, in combination with the package system. With 2.0, this has come to fruition. The firewall project will remain as it is today, but we have also set things up in a way that allows us to build appliances such as pfDNS, pfPBX, and more to come. This also makes it easier to build the rebranded versions of pfSense that several companies sell. If your company is interested in selling a rebranded version, we encourage you to check out our reseller subscription.
  • Release of pfSense: The Definitive Guide book – this has been a work in progress for more than a year, and should be in print and available for purchase in the first quarter of 2009.
  • Conferences – pfSense will be presented at multiple conferences this year. DCBSDCon in February is confirmed, and we will likely also be at BSDCan and NYCBSDCon in 2009.
  • Developer summit/hackathon – we’ll be having our fourth annual developer conference in March. This is a full week get together, with 6-8 developers expected to attend from across the US and Europe.
  • 1.2.x maintenance releases – We will put out maintenance releases with bug and security fixes as needed, probably into 2010. None will see changes as significant as those from 1.2 to 1.2.1, with its switch from FreeBSD 6.2 to 7.0, to avoid the lengthy release engineering process that significant change necessitated.
  • 2.0 release – we hope to see the 2.0 final release late in 2009, or at a minimum, be at release candidate status by this time next year. There is a significant amount up in the air with this release, and a lot of work remaining to be completed, so this is a very rough estimate. After getting converted to git, we will be moving 2.0 from its current FreeBSD 7.1 base to what will become FreeBSD 8.0. We expect the 2.0 final release will be on FreeBSD 8.0, though that depends on FreeBSD’s release schedule which is entirely outside our control.

2008 was the most successful year to date for this project, and we look forward to making 2009 top that. Thanks to all of you who support the project, especially our commercial support and reseller subscribers!

Here’s to a great 2009. Happy New Year!

pfSense 1.2.1 released!

Friday, December 26th, 2008

The pfSense team has a Christmas present for you all – the 1.2.1 final release.

The only changes since RC4:

  • Fixed problem preventing RIP from starting
  • Fixed broken link in VLAN reboot notification
  • Fixed problem with SSL certificate generation

Changes since 1.2 release

Network Perimeter Redundancy with pfSense session at DCBSDCon

Thursday, December 18th, 2008

It’s official. As I alluded to yesterday, I will be presenting at DCBSDCon 2009.

Got to love the intro they added.

What do you get when you cross an enterprise-class packet filtering subsystem with a graphical front-end for easy configuration and maintenance?  A throbbing headache for commercial vendors like SonicWALL, that’s what.

Information on the session is available on the DCBSDCon blog.

The BSD conferences are always very informative and a great time, and I’m sure DCBSDCon will be no different. I look forward to meeting many of you there.

DCBSDCon registration opening soon

Tuesday, December 16th, 2008

DCBSDCon is a BSD conference being held in Washington DC on February 5 and 6, 2009. Registration will be opening soon.

The accepted speakers have been notified, and the official announcements will be coming soon on the DCBSDCon blog.  Hint: the readers of this blog will find a session of interest, but I will let them officially announce the lineup before discussing any further.

This conference coincides with Shmoocon, a security conference in Washington DC. I haven’t been to Shmoocon, but have watched most of the presentations given there in the past from videos on their website, and it’s top notch stuff. Past presentations and videos:  2008  2007  2006  2005

1.2.1-RC4 now available

Tuesday, December 16th, 2008

RC3 was short lived because of a regression in the FTP proxy for those who use it to host FTP servers behind NAT. Unforeseen consequences of a bug fix in RC2 broke this.

The only change from RC3 to RC4 is this bug fix resolving problems with the FTP proxy.

1.2.1-RC4 VMware Appliance is also available.

1.2.1-RC3 is on its way to the mirrors

Sunday, December 14th, 2008

1.2.1-RC3 is here!

This release has been replaced by RC4 because of a regression for the FTP helper with FTP servers hosted on your network behind NAT.

Changes since 1.2.1-RC2 include:

  • Do not accept \ in alias fieldnames
  • Fix setup wizard WAN configuration page since removal of BIGPond
  • Replaced route get default with netstat -rn equivalent

VoIP coming to pfSense

Thursday, December 11th, 2008

Some of you might have noticed already that there is a new package listed in your pfSense’s package manager: FreeSWITCH. Mark Crane is working hard to bring VoIP PBX features to pfSense. More information on FreeSWITCH can be found here.

Check out this screenshot for a sneak peek:

The package is not yet completely done, but feel free to check it out. Feedback is appreciated; however, if you want to discuss a bug that you have found or a special configuration, please take this to the forum or mailing list.

1.2.1 release schedule

Thursday, December 11th, 2008

If you follow Scott’s twitter, you’ve seen our plans for the 1.2.1 release. This weekend will see the last RC, and the final release will come as a Christmas gift to the community.

New malware spotted that answers DHCP requests to send clients to malicious DNS servers

Tuesday, December 9th, 2008

There’s a new threat in the wild where a single infected machine in your network can harm all other DHCP clients on the same network: a trojan that answers DHCP requests.

If that trojan answers faster than your real DHCP server, it will assign malicious DNS servers to the client that sent out the request. This makes phishing pretty easy, but could also lead to the installation of faked updates.

You can find some more information about that trojan at the Symantec page.

A way to prevent this using pfSense is to add a firewall rule on your internal network interface that blocks all outbound TCP/UDP port 53 (DNS) connections to any destination. Make sure your internal DNS server, which is manually configured and not affected by this DHCP attack, has a pass rule on top of this block rule, or, if you use pfSense as a DNS forwarder, create a rule that grants access to the pfSense IP on port 53 TCP/UDP. This way a client with a faked DNS server will no longer be able to resolve DNS, which will be noticed pretty soon, instead of the client possibly using the malicious DNS servers without anyone noticing.
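The rule ordering described above, modeled as an added example (not pfSense code or its configuration format): a first-match evaluator run over constructed DNS queries. It assumes pfSense is the DNS forwarder at 192.168.1.1 and uses 203.0.113.53 as a placeholder for a resolver handed out by a forged DHCP reply.

```python
"""Added example: first-match model of the two LAN rules (pass trusted DNS, block the rest)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Tuple


class Rule(NamedTuple):
    action: str                            # "pass" or "block"
    dst: str                               # destination network in CIDR form
    port: int = 53
    protos: Tuple[str, ...] = ("tcp", "udp")


class Query(NamedTuple):
    client: str                            # LAN client sending the DNS query
    resolver: str                          # DNS server the client was configured with
    proto: str                             # "udp" or "tcp"


# Assumed addressing: the pfSense LAN IP 192.168.1.1 acts as DNS forwarder.
LAN_RULES = [
    Rule("pass", "192.168.1.1/32"),        # trusted resolver, must sit on top
    Rule("block", "0.0.0.0/0"),            # every other DNS destination
]


def evaluate(rules, query, port=53):
    """Return the action of the first rule that matches the query."""
    for rule in rules:
        if (query.proto in rule.protos and rule.port == port
                and ip_address(query.resolver) in ip_network(rule.dst)):
            return rule.action
    return "block"                         # nothing matched: deny


def clients_with_foreign_resolver(rules, queries):
    """Clients whose DNS traffic hits the block rule: candidates for a forged lease."""
    return sorted({q.client for q in queries if evaluate(rules, q) == "block"})


# Constructed sample traffic, not captured data.
SAMPLE = [
    Query("192.168.1.20", "192.168.1.1", "udp"),
    Query("192.168.1.21", "203.0.113.53", "udp"),
    Query("192.168.1.21", "203.0.113.53", "tcp"),
    Query("192.168.1.22", "192.168.1.1", "tcp"),
]

if __name__ == "__main__":
    print(clients_with_foreign_resolver(LAN_RULES, SAMPLE))
    # Reversed order: the block rule matches first and cuts off the trusted resolver too.
    print(clients_with_foreign_resolver(list(reversed(LAN_RULES)), SAMPLE))
```

Clients that show up against the block rule are the ones to check for a lease from an unauthorized DHCP server.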

NTOP is back!!

Thursday, December 4th, 2008

I just reinstated the NTOP package for 1.2.1 and 2.0!!

If you were waiting on this package before deploying 1.2.1 your wait is now over.  Enjoy!  :)