pfsense, m0n0, smoothwall, ipcop

Which fw do you use?

  • pfsense: 28 votes (50.9%)
  • m0n0: 6 votes (10.9%)
  • smoothwall: 7 votes (12.7%)
  • ipcop: 14 votes (25.5%)
  • Total voters: 55

ben chi(f4) (2[H]4U, joined Mar 4, 2008, 2,339 messages)
Which one of these do you use?

Also, where do some of you all get your xbox360 or playstation Visio Stencils?
 
Been using PFSense lately....because it's strongest in QoS/packet shaping...keeping my online gaming smooth as buttah! Other web browsers and downloads don't hurt my online gaming performance, and the VoIP support produces better voice quality for my Vonage.

IPCop is also great...a lot of add-on packages...a cool UTM add-on is "CopFilter". Getting a bit long in the tooth though.

m0n0 and Smoothie I found boring.
 
I use pfSense with Squid and SquidGuard, as well as other add-ons. One because it is easy to install, configure, and manage. It is also the only version that would recognize my SATA hard drive.

Also, where do some of you all get your xbox360 or playstation Visio Stencils?

Google is your friend. :)
 
I use IPCop + Copfilter. It is the set up that gives me the most control and the most types of spam & virus filters over the others.
 
where is Untangle in that list ? :confused:
 
where is Untangle in that list ? :confused:

Not in the same league...else I'd vote for it. Untangle is more a full UTM setup.....(Unified Threat Management)....which IPCop can sorta almost barely match "some" features with the Copfilter add-on.
 
firewall


i use ipcop... and i don't even have copfilter... it's been that way for about a year and a half... been meaning to put it on there... maybe i'll do that this week
 
i have always used ipcop works great and never had a reason to try out the other firewalls

sometimes if the power goes out or you restart the machine without shutting it down the right way, the file system gets corrupted and you need to reinstall it. Has anyone ever had this problem? Other than that, no complaints.
 
i have always used ipcop works great and never had a reason to try out the other firewalls

sometimes if the power goes out or you restart the machine without shutting it down the right way, the file system gets corrupted and you need to reinstall it. Has anyone ever had this problem? Other than that, no complaints.

i haven't actually... surprisingly enough.... that is the only time the ipcop is actually turned off too... is when there is a power outage...

if i wasn't so cheap i'd just go buy a nice ups for it and my wireless router i use as an AP.... during the seasons where the power doesn't go out every couple of weeks, i usually have uptimes of 200 days or more... i remember doing updates and needing to restart after a 185 day uptime...
 
Which one of these do you use?

Also, where do some of you all get your xbox360 or playstation Visio Stencils?


pfSense all the way for me. I've used smoothwall, clarkconnect, ipcop, monowall, dedicated watchguard firewalls, a custom built freebsd firewall ... and nothing beats pfSense.

I've got it routing 5 subnets with various firewall and access control rules, doing IPSEC and PPTP vpn services, it does dhcp for all the subnets, it does dns forwarding for all my machines, I've got squid and squidguard on there for tracking my public wireless.

PF firewall is amazing to work with, you can very carefully control traffic, and it's easy to do with the web interface. I've also got several other add on packages installed doing various other network services, and all of them have been easy to configure and setup!

The ease of use and the lack of stupid problems has been what's kept me with pfSense for a couple years now.
 
No Endian? Been using it for over a year no problems. One box at home and three at work.
 
pfSense all the way for me. I've used smoothwall, clarkconnect, ipcop, monowall, dedicated watchguard firewalls, a custom built freebsd firewall ... and nothing beats pfSense.


nothing beats pfsense in unstable buggy software!

I had so many problems with pfsense, and the forums were of no use. DNS issues, NTP issues, plug-in installation problems, etc.. etc...
 
none of the above. Doing a sort of homegrown setup using flashboot to build an OpenBSD release for running off a compact flash in my Soekris net5501
 
Never heard of it. FW? I'll look into it.

More than just a FW...a full UTM appliance. You get virus scanning engines, fantastic SPAM control, pfish filters, content filters, ad-ware blockers, VPN, remote desktop portal, etc etc. TONS of features.
http://www.untangle.com/

I just installed one yesterday...prepping a network for a new office in NYC, used a Dell PowerEdge R200 1U server on a 10 meg pipe.
 
nothing beats pfsense in unstable buggy software!

I had so many problems with pfsense, and the forums were of no use. DNS issues, NTP issues, plug-in installation problems, etc.. etc...

When I tried it in the early version like 2 years ago...it was buggy for me. But they had a new release this past Feb....I tried it again..wanting the strong QoS features....it installed smooth as butter on my IBM Thinkpad t23....been running my home LAN for a few months now without a reboot. Great little distro for maintaining online gaming performance with others using your network....as well as keeping VoIP phone quality.
 
So I'm new to this monowall and pfsense stuff. Is pfsense just a version of FreeBSD that you install on a machine and use it as a "cheap" firewall as opposed to going and buying a cisco firewall for your home?
 
Is pfsense just a version of FreeBSD that you install on a machine and use it as a "cheap" firewall as opposed to going and buying a cisco firewall for your home?
Yes

pfSense is awesome. Just fully configured it with squid and squidguard. Everything is so much faster and secure :)
 
So I'm new to this monowall and pfsense stuff. Is pfsense just a version of FreeBSD that you install on a machine and use it as a "cheap" firewall as opposed to going and buying a cisco firewall for your home?

Pretty much...yeah the *nix based distros are routers..and certain ones give you different features that each distro is stronger in. Take an older computer..that has 2x network cards...and blammo..instant router to replace that home grade router you have.
 
I've been happily using pfSense for a couple years now. I have two identical machines running it, so if one fails or crashes (which it never has), the other will pick up, they serve wireless access through a plain old laptop WiFi card <-> PCI adapter, run off of compact flash cards for no moving parts, and being BSD based with PF for a firewall, it's rock solid. It was the only solution I was happy enough with to replace my aging Cisco PIX's :)
 
nothing beats pfsense in unstable buggy software!

I had so many problems with pfsense, and the forums were of no use. DNS issues, NTP issues, plug-in installation problems, etc.. etc...

when did you use pfSense? what version? if you were using one of the betas, you should definitely try it out now. Many of the "addon" packages are now out of alpha and beta status and are "stable".

I've got my pfSense machine doing tons of stuff:
  • PPTP VPN (for my own remote access to home LAN)
  • IPSEC VPN (secure tunnel to work)
  • NTP server
  • DNS forwarder.
  • dhcp server on five subnets, with various reservations and lease specifications on each.
  • Captive portal for public wireless access point.
  • Squid running on the public wireless access point interface to keep bandwidth usage down.
  • Squidguard running on public wireless interface to keep people from surfing kiddie pron.
  • Snort running on WAN interface to detect traffic anomalies.
  • NTOP running on wireless interface to let me accurately see the traffic that goes across it if someone does something bad.
  • TONS of PF rules based on time, OS, IP addresses, etc.
  • Traffic shaping for my LAN, which keeps my ping low in games, and skype works great, even while torrenting.
  • running UPNP for my LAN, so that xbox / ps3 can easily get out to the net for online play.
I've also got a multitude of the other addon software installed, like iperf, nmap, phpsysinfo, etc ... and all of them are working great!

They just recently released the 1.x version, and I'd highly suggest you take another look at it.
 
when did you use pfSense? what version? if you were using one of the betas, you should definitely try it out now. Many of the "addon" packages are now out of alpha and beta status and are "stable".

I've got my pfSense machine doing tons of stuff:
  • PPTP VPN (for my own remote access to home LAN)
  • IPSEC VPN (secure tunnel to work)
  • NTP server
  • DNS forwarder.
  • dhcp server on five subnets, with various reservations and lease specifications on each.
  • Captive portal for public wireless access point.
  • Squid running on the public wireless access point interface to keep bandwidth usage down.
  • Squidguard running on public wireless interface to keep people from surfing kiddie pron.
  • Snort running on WAN interface to detect traffic anomalies.
  • NTOP running on wireless interface to let me accurately see the traffic that goes across it if someone does something bad.
  • TONS of PF rules based on time, OS, IP addresses, etc.
  • Traffic shaping for my LAN, which keeps my ping low in games, and skype works great, even while torrenting.
  • running UPNP for my LAN, so that xbox / ps3 can easily get out to the net for online play.
I've also got a multitude of the other addon software installed, like iperf, nmap, phpsysinfo, etc ... and all of them are working great!

They just recently released the 1.x version, and I'd highly suggest you take another look at it.
IMO, this is a perfect example of what is wrong with pfsense. This is a firewall we are talking about...not an all-in-one wonder machine. The more services you put on your firewall the less secure it becomes, period, end of story. A firewall should be a firewall and that's it. I think every other service you just listed should be handled outside the firewall duties on a separate piece of hardware. This is why I liked m0n0wall over pfsense, m0n0wall is just a firewall (yes, it can do a few other things like dhcp and dns forwarding) and that's it. It doesn't try to do it all, thus giving you a much more stable and secure firewall. (I'm sure someone is going to chime in and say their pfsense box has been up for XXXX days :rolleyes: )
 
IMO, this is a perfect example of what is wrong with pfsense. This is a firewall we are talking about...not an all-in-one wonder machine. The more services you put on your firewall the less secure it becomes, period, end of story. A firewall should be a firewall and that's it. I think every other service you just listed should be handled outside the firewall duties on a separate piece of hardware. This is why I liked m0n0wall over pfsense, m0n0wall is just a firewall (yes, it can do a few other things like dhcp and dns forwarding) and that's it. It doesn't try to do it all, thus giving you a much more stable and secure firewall. (I'm sure someone is going to chime in and say their pfsense box has been up for XXXX days :rolleyes: )

PFSense came from m0n0wall. ;)

And you don't have to install and enable all those components. I use it for its superior QoS traffic shaper feature. I can play online games....while the wife surfs...while the kid is downloading, and not have my ping affected. I've sat there and downloaded 4x huge files at the same time..fully pegging out my 6 meg cable...I then fired up Battlefield 2 and played on my usual server with my normal awesome ping. The kid fired up his Battlefield 2 and also did the same. No other router would allow this smooth of an experience.

I forget when I put it in...back in Feb I think...uptime..since then! :D
 
IMO, this is a perfect example of what is wrong with pfsense. This is a firewall we are talking about...not an all-in-one wonder machine. The more services you put on your firewall the less secure it becomes, period, end of story. A firewall should be a firewall and that's it. I think every other service you just listed should be handled outside the firewall duties on a separate piece of hardware. This is why I liked m0n0wall over pfsense, m0n0wall is just a firewall (yes, it can do a few other things like dhcp and dns forwarding) and that's it. It doesn't try to do it all, thus giving you a much more stable and secure firewall. (I'm sure someone is going to chime in and say their pfsense box has been up for XXXX days :rolleyes: )

pfSense is actually based on Monowall code ;)
The fact that it does multiple duties doesn't suggest it is less secure in any way. If it was, I'm sure a warning or notice of some sort would be given to suggest that.
I've worked with a Sonicwall 3060 Pro in a school and it is running multiple VPN tunnels, DHCP, DNS, and serves as a firewall. Still secure while doing other tasks.
 
IMO, this is a perfect example of what is wrong with pfsense. This is a firewall we are talking about...not an all-in-one wonder machine. The more services you put on your firewall the less secure it becomes, period, end of story. A firewall should be a firewall and that's it. I think every other service you just listed should be handled outside the firewall duties on a separate piece of hardware. This is why I liked m0n0wall over pfsense, m0n0wall is just a firewall (yes, it can do a few other things like dhcp and dns forwarding) and that's it. It doesn't try to do it all, thus giving you a much more stable and secure firewall. (I'm sure someone is going to chime in and say their pfsense box has been up for XXXX days :rolleyes: )

While what you say is good security practice, unfortunately, most home and small business users cannot justify having 10 systems running to each do a dedicated task like firewalling, vpn access, dns, dhcp, etc. Even with virtualization (vmware, xen, jails, etc), the additional headache of maintaining those additional installations is a waste of time and resources. You'll be running the same software (with the same vulnerabilities) on those additional machines that you are running on pfsense (or m0n0 or smooth, etc...), and the only advantage you may have is a quicker response time to known vulnerabilities. (if you really want a fast response, you'd be patching and recompiling on your own anyway, rather than waiting for your distro to throw down the latest updates into its repositories. You can have your own pfsense build environment to do just that. It's no different than any BSD or Linux.)

If someone is able to exploit one of my internet facing services, it doesn't matter what my firewall is, I've got a problem. If someone is spoofing traffic coming into my firewall, it doesn't matter what my firewall is, I've got a problem.

Properly configured firewall rules, and properly secured services mitigate many of the "security risks" of running multiple apps on a gateway machine. The same can be said of checkpoint, watchguard, sonicwall, pix, and any other "dedicated" firewall solution.

And yes, my pfSense box has had uptimes of several months between power outages or upgrades. :p
 
PFSense came from m0n0wall. ;)

And you don't have to install and enable all those components. I use it for its superior QoS traffic shaper feature. I can play online games....while the wife surfs...while the kid is downloading, and not have my ping affected. I've sat there and downloaded 4x huge files at the same time..fully pegging out my 6 meg cable...I then fired up Battlefield 2 and played on my usual server with my normal awesome ping. The kid fired up his Battlefield 2 and also did the same. No other router would allow this smooth of an experience.

I forget when I put it in...back in Feb I think...uptime..since then! :D

Yes, I am fully aware that m0n0wall is what pfsense forked from, that's why I mentioned it. Pfsense adds the ability to load all those extra components. That's the exact reason I said I like m0n0wall over pfsense. I ran m0n0wall from its first release (before it was even in beta ;) ) up till about a month or two ago, when I moved my home to a Cisco ASA for my firewall, I am very familiar with the two projects. ;)

pfSense is actually based on Monowall code ;)
The fact that it does multiple duties doesn't suggest it is less secure in any way. If it was, I'm sure a warning or notice of some sort would be given to suggest that.
I've worked with a Sonicwall 3060 Pro in a school and it is running multiple VPN tunnels, DHCP, DNS, and serves as a firewall. Still secure while doing other tasks.

See my comment above about the m0n0wall vs. pfsense relationship.

This shows your lack of understanding security. The more services that run, the more things there are that can be compromised. The more ports that are open, the more "entry" points there are. Like I said, running all those off your firewall is a security risk and should be avoided at all costs. Maybe for your home that is a risk worth having, but for an office, company or (IMO) my home, it's not even an option.

While what you say is good security practice, unfortunately, most home and small business users cannot justify having 10 systems running to each do a dedicated task like firewalling, vpn access, dns, dhcp, etc. Even with virtualization (vmware, xen, jails, etc), the additional headache of maintaining those additional installations is a waste of time and resources. You'll be running the same software (with the same vulnerabilities) on those additional machines that you are running on pfsense (or m0n0 or smooth, etc...), and the only advantage you may have is a quicker response time to known vulnerabilities. (if you really want a fast response, you'd be patching and recompiling on your own anyway, rather than waiting for your distro to throw down the latest updates into its repositories. You can have your own pfsense build environment to do just that. It's no different than any BSD or Linux.)

If someone is able to exploit one of my internet facing services, it doesn't matter what my firewall is, I've got a problem. If someone is spoofing traffic coming into my firewall, it doesn't matter what my firewall is, I've got a problem.

Properly configured firewall rules, and properly secured services mitigate many of the "security risks" of running multiple apps on a gateway machine. The same can be said of checkpoint, watchguard, sonicwall, pix, and any other "dedicated" firewall solution.

And yes, my pfSense box has had uptimes of several months between power outages or upgrades. :p

You make a valid point for the multiple systems, however, I never said to have each service on its own system. This is [H] right :confused: what do you think the percentage is of guys that have more than one system? All I'm saying is let your firewall be your firewall, setup a separate machine that can handle the rest.

You're right, properly configured rules go a long way, but the problem with that is it's become quite clear how many guys here don't have a clue how to properly secure an environment. Removing those services from your firewall puts one more line of defense between your network and the outside world.

I'm not saying pfsense isn't an ok product. I think though, that making it "so easy" to add all the extra components on the same machine is a serious flaw. It's also another reason pfsense should NEVER be considered for an environment outside the home.
 
Pfsense adds the ability to load all those extra components. That's the exact reason I said I like m0n0wall over pfsense. I think though, that making it "so easy" to add all the extra components on the same machine is a serious flaw. It's also another reason pfsense should NEVER be considered for an environment outside the home.

So the criticism should go towards those who go and add those extra services..if you're against using them. Not against the product "out of the box".

I went back to PFSense because their recent version brought good stability..and I prefer its superiority over other distros in QoS....I don't want whatever the wife is doing or the kid is doing to impact my online gaming as much as other distros would allow.

I usually change routers almost monthly..in trying out another distro, or in taking home some new biz grade router that I'm learning for a client...but being so happy with Battlefield 2 running so smoothly regardless of what others are doing at the house...that makes PFSense a good product for me. The fact that I "can" install tons of other options....which some may consider a security risk...but that I don't install them..doesn't make PFSense a bad product. It's free...I had one of my many old IBM Thinkpad T21 p3 laptops sitting in a drawer collecting dust..with PFSense it keeps a smile on my face with smooth internet performance..so it's good for me. The Cisco PIX, Sonicwall SOHO3, and huge collection of other various linksys/netgear/dlink/SMC/2Wire and various other routers will continue to collect dust in a cabinet.
 
I'm not saying pfsense isn't an ok product. I think though, that making it "so easy" to add all the extra components on the same machine is a serious flaw. It's also another reason pfsense should NEVER be considered for an environment outside the home.

I would disagree with "NEVER". There are several small businesses that have products in place now that are far inferior (security and feature wise) to PFsense, even with all those features turned on. What's wrong with better security and more features that fit within a budget?
 
I would disagree with "NEVER". There are several small businesses that have products in place now that are far inferior (security and feature wise) to PFsense, even with all those features turned on. What's wrong with better security and more features that fit within a budget?
Right, there are lots of sorry setups out there but you're arguing that it's ok to replace "not up to par" with "not up to par". The worse of two evils??? I have a problem with companies that won't pay for the basics of their network. Yes, as admins sometimes you inherit these situations and you gotta do what you gotta do but I really don't think pfsense is ever the answer. I'd rather use m0n0wall or ipcop before putting in pfsense.
 
I'd rather use m0n0wall or ipcop before putting in pfsense.

I think IPCop is the king of "add-ins and options".

For businesses I've been using full UTM distros...I want the added dual engine-antivirus, antispam, and anti-spyware protection that Untangle gives.
 
Right, there are lots of sorry setups out there but you're arguing that it's ok to replace "not up to par" with "not up to par". The worse of two evils??? I have a problem with companies that won't pay for the basics of their network. Yes, as admins sometimes you inherit these situations and you gotta do what you gotta do but I really don't think pfsense is ever the answer. I'd rather use m0n0wall or ipcop before putting in pfsense.

I would suggest it's up to budget and comfort level. Par is a poor example, as everyone does not have the same needs security and feature-wise. This solution could be "up to par" for several small companies.
 
pfSense and m0n0wall are okay for home use, but I haven't been able to get them to work reliably in a corporation. Not supporting NAT-T is the biggest con. I think once 1.3 comes out, that may change.

+1 on the ASA 5505 option. :D
 
IMO, this is a perfect example of what is wrong with pfsense. This is a firewall we are talking about...not an all-in-one wonder machine. The more services you put on your firewall the less secure it becomes, period, end of story. A firewall should be a firewall and that's it. I think every other service you just listed should be handled outside the firewall duties on a separate piece of hardware. This is why I liked m0n0wall over pfsense, m0n0wall is just a firewall (yes, it can do a few other things like dhcp and dns forwarding) and that's it. It doesn't try to do it all, thus giving you a much more stable and secure firewall. (I'm sure someone is going to chime in and say their pfsense box has been up for XXXX days :rolleyes: )

IMO, this is a perfect example of what is wrong with open forums. People posting crap like this without backing it up at all.
 
...

You're right, properly configured rules go a long way, but the problem with that is it's become quite clear how many guys here don't have a clue how to properly secure an environment. Removing those services from your firewall puts one more line of defense between your network and the outside world.

I usually just disregard posts from people who don't have a clue :p

As for adding another line of defense: Not really. If you are offering publicly available services (dns, web, vpn, mail, etc) then unless you have an IDS system in place that does L3+ traffic inspection and can take action on the fly, your firewall / gateway is not adding a single layer of security to those services. If they get exploited and the servers are not properly segregated from the LAN (in a DMZ with appropriate firewall access to the LAN / WAN) then it doesn't matter what machine the services are on.

I guess that goes back to the stupid user not properly configuring their stuff though :(


I'm not saying pfsense isn't an ok product. I think though, that making it "so easy" to add all the extra components on the same machine is a serious flaw. It's also another reason pfsense should NEVER be considered for an environment outside the home.

For me and where I was working, we would inherit lots of clients with older watchguard or sonicwall firewalls in place, where their licensing had expired or they couldn't afford to upgrade from a 10 client license to a 50 client license (or were overly stubborn about it, etc..), or they were having hardware issues with the device. Watchguard's low end firewalls are such a joke - the web interface sucks, and it basically just shows you the output of the underlying linux commands that are being called.

We ended up rolling out some mini-itx hardware with pfSense installed, and it *blows away* the crappy watchguards and sonicwalls we've replaced. We end up not having to explain to a company why they have to pay hundreds of extra dollars for other "features" like vpn access or intrusion detection services.

We have easy remote access to client networks (pptp or ipsec) so we can offer remote monitoring and file backup services. By using vpn access, companies are now not having to have publicly accessible remote desktop / terminal services stuff. In fact, almost all services that employees access are done over the vpn, rather than over the plain internet.

Again, the security comes through proper configuration on these installations.

We've not had a single hardware failure yet (given, it's only been about a year), and we've had stellar uptime with these little boxes we've built.

It's hard to justify the costs of a *new* PIX, Watchguard, or Sonicwall to a small business when all they need is a firewall and some secure remote access.

We do well by being able to keep a lot of clients through good service and cheaper prices than our competitors offering watchguard or sonicwalls. pfSense keeps us happy because it's very easy to manage, and we don't have to deal with any stupid licensing like some of the other devices.
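An added example, not any poster's configuration and not the ruleset pfSense generates, of the "properly configured rules" and DMZ segregation argued for above: a hand-written pf.conf for a gateway with WAN, LAN and DMZ interfaces, where the gateway's own services (DNS forwarder, NTP, DHCP, webGUI) answer only on the LAN side, the IPsec endpoint is the one gateway service exposed to the WAN, and the public web server sits in a DMZ that cannot initiate traffic toward the LAN or the gateway itself. Interface names, networks and the web host address are assumptions.

```pf
# Added example (not any poster's config and not the ruleset pfSense
# generates). Interface names, networks and the web host are assumed.
ext_if  = "em0"               # WAN
lan_if  = "em1"               # trusted LAN
dmz_if  = "em2"               # DMZ for public-facing servers
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
dmz_web = "192.168.2.10"      # the one published server

set skip on lo0
scrub in all

# Both internal networks share the WAN address; only the web ports are
# forwarded in, and only to the DMZ host.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port { http, https } -> $dmz_web

# Default deny with logging, plus anti-spoofing on every interface.
block log all
antispoof log quick for { $ext_if, $lan_if, $dmz_if }

# Services the gateway itself runs (DNS forwarder, NTP, DHCP, webGUI)
# listen on every address, so these rules are what keeps them LAN-only.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to ($lan_if) port { domain, ntp } keep state
pass in quick on $lan_if proto udp from any port bootpc to any port bootps keep state
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port { http, https } keep state

# The IPsec endpoint is the only gateway service the WAN may talk to.
pass in quick on $ext_if proto udp from any to ($ext_if) port isakmp keep state
pass in quick on $ext_if proto esp from any to ($ext_if)

# Public web traffic reaches the DMZ host on the published ports only.
pass in quick on $ext_if proto tcp from any to $dmz_web port { http, https } flags S/SA keep state

# The DMZ may reach the Internet but never initiate toward the LAN or the
# gateway's own addresses ("self"), so a compromised server stays contained.
block in log quick on $dmz_if from $dmz_net to $lan_net
block in log quick on $dmz_if from $dmz_net to self
pass  in quick on $dmz_if from $dmz_net to any keep state

# The LAN may go anywhere, including administering the DMZ host.
pass in quick on $lan_if from $lan_net to any keep state

# Replies and the gateway's own outbound traffic.
pass out quick keep state
```

pfctl -nf on the file parses it without loading, which is the check to run before pfctl -f; on pfSense itself the equivalent rules are entered through the webGUI, which regenerates the ruleset.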
 