
pfSense Firewall


The Mendax pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.
 
Common deployments
Perimeter Firewall
The most common deployment of pfSense is as a perimeter firewall, with an Internet connection plugged into the WAN side, and the internal network on the LAN side. It supports multiple Internet connections as well as multiple internal interfaces. pfSense accommodates networks with more complex needs, such as multiple Internet connections, multiple LAN networks, multiple DMZ networks, etc. Unlike many similar solutions, you can deploy systems with dozens of interfaces if needed.
Perimeter Router
The second most common deployment of pfSense is as a LAN or WAN router. This is a separate role from the perimeter firewall in midsized to large networks, and can be integrated into the perimeter firewall in smaller environments. pfSense can also be deployed strictly as a wireless access point, and wireless capabilities can be added to any of the other types of deployments.
VPN Appliance
Many deploy pfSense as a special-purpose appliance. Some users drop in pfSense as a VPN (Virtual Private Network) appliance behind an existing firewall, adding VPN capabilities without disrupting the existing firewall infrastructure. Most pfSense VPN deployments also act as the perimeter firewall, but the separate-appliance approach is a better fit in some circumstances.
Sniffer Appliance
One user was looking for a sniffer appliance to deploy to a number of branch office locations. Commercial sniffer appliances are available with numerous bells and whistles, but at a very significant cost, especially when multiplied by a number of branch locations. pfSense offers a web interface for tcpdump that allows the resulting pcap file to be downloaded when the capture is finished. This lets the company capture packets on a branch network, download the resulting capture file, and open it in Wireshark for analysis.
Screenshots

[pfSense Firewall screenshots not reproduced here]

PART NUMBER / PRICE USD
pfSense PFS1035-30-SPW-1
We are proud to present the pfSense Firewall based on a 1U rackmount with a Pentium 4 3.2 GHz, 1 GB ECC DDR2 667 MHz, 160 GB of storage (up to 2 TB SATA), 2 x Gigabit Ethernet...
pfSense PFS1035-30-SPW-2
We are proud to present the pfSense Firewall based on a 1U rackmount with a Pentium 4 3.2 GHz, 2 GB ECC DDR2 667 MHz, 320 GB of storage (up to 2 TB SATA), 2 x Gigabit Ethernet...
pfSense PFS1035-30-SPW-3
We are proud to present the pfSense Firewall based on a 1U rackmount with a Pentium 4 3.2 GHz, 4 GB ECC DDR2 667 MHz, 320 GB of storage (up to 2 TB SATA), 2 x Gigabit Ethernet...
pfSense (Configure yourself)
Configure your own pfSense firewall server...
 
 
Note: Mendax will donate $25 from any server sold with pfSense installed to the pfSense project.
 pfSense features

Firewall
  • Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
  • Able to limit simultaneous connections on a per-rule basis.
  • pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility, to allow you to filter by the operating system initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the operating system in use.
 
State Table
  • Adjustable state table size - there are multiple production pfSense installations using several hundred thousand states.
  • The default state table size is 10,000, but it can be increased on the fly to the desired size. Do not set it arbitrarily high, since every state entry consumes kernel memory.
  • On a per-rule basis:
    • Limit simultaneous client connections
    • Limit states per host
    • Limit new connections per second
    • Define state timeout
    • Define state type
 
Redundancy
  • CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
  • pfsync ensures the firewall's state table is replicated to all failover-configured firewalls. This means existing connections are maintained in the case of failure, which is important to prevent network disruptions.
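The Firewall, State Table and Redundancy features above, written out as an added example in raw pf.conf syntax (pf is the packet filter pfSense is built on). This is not a ruleset from the page, and not what the pfSense web interface generates; the interface names, addresses, the <smtp_abusers> table and every numeric limit are assumed values chosen for illustration.

```pf
# Added example in raw pf.conf syntax; not the page's or pfSense's own file.
# Interface names, addresses and limits are assumed values for illustration.

# Macros
wan_if   = "em0"
lan_if   = "em1"
sync_if  = "em2"              # dedicated link between the two CARP firewalls
lan_net  = "192.168.1.0/24"
mail_srv = "192.168.1.10"

# Table that collects sources exceeding the per-rule limits further down
table <smtp_abusers> persist

# Global state table size: the default is 10,000. Raise it to a figure sized
# for the hardware rather than an arbitrary one; each state uses kernel memory.
set limit states 50000

# Default deny, logged
block log all

# Let the firewall itself talk out
pass out quick on { $wan_if $lan_if } keep state

# Redundancy: CARP heartbeats on the production interfaces, pfsync state
# replication on the sync link. no-sync keeps these states out of pfsync.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $wan_if $lan_if } proto carp keep state (no-sync)

# Sources already flagged as abusers are dropped before anything else
block in quick on $wan_if from <smtp_abusers>

# Filtering by source/destination address, protocol and port (TCP and UDP)
pass in on $lan_if proto tcp from $lan_net to any port { 80 443 } keep state
pass in on $lan_if proto udp from $lan_net to any port 53 keep state

# Per-rule state limits on an inbound mail rule:
#   max               - states this rule may create (its share of the table)
#   max-src-states    - states per source host
#   max-src-conn      - simultaneous TCP connections per source host
#   max-src-conn-rate - new connections per source per time window (5 in 10 s)
#   overload/flush    - offenders go into the table and lose their states
#   tcp.established   - custom timeout (seconds) for established connections
pass in on $wan_if proto tcp from any to $mail_srv port 25 \
    flags S/SA modulate state \
    ( max 2000, max-src-states 100, max-src-conn 10, \
      max-src-conn-rate 5/10, overload <smtp_abusers> flush global, \
      tcp.established 1800 )

# Passive OS fingerprinting (pf matches p0f-style signatures on TCP SYNs).
# Last matching rule wins, so Windows hosts lose the TCP access granted
# above, while FreeBSD and Linux hosts get full TCP egress.
pass in on $lan_if proto tcp from $lan_net os { "FreeBSD" "Linux" } to any keep state
block in log on $lan_if proto tcp from $lan_net os "Windows" to any
```

The OS match only applies to TCP, because the fingerprint is read from the SYN; UDP traffic from a Windows host is unaffected by the last rule. Loading a ruleset like this on pfSense by hand would be overwritten by the web interface, so the equivalent settings belong in the rule's advanced options there.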
Network Address Translation (NAT)
  • Port forwards including ranges and the use of multiple public IPs
  • 1:1 NAT for individual IPs or entire subnets.
  • Outbound NAT
    • Default settings NAT all outbound traffic to the WAN IP. In multiple WAN scenarios, the default settings NAT outbound traffic to the IP of the WAN interface being used.
    • Advanced Outbound NAT allows this default behavior to be disabled, and enables the creation of very flexible NAT (or no NAT) rules.
  • NAT Reflection - in some configurations, NAT reflection is possible so services can be accessed by public IP from internal networks.
 
NAT Limitations
  • PPTP and GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet.
  • A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one at a time to a single server. The only available workaround is to use multiple public IPs on your firewall, one per client, or multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. A solution for this is currently under development.
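The NAT features (default and advanced outbound NAT, 1:1 NAT, port forwards with ranges and multiple public IPs, NAT reflection) and the per-client public IP workaround for the PPTP/GRE limitation, as an added example in raw pf.conf syntax. It is not configuration from the page or from pfSense itself; interface names, internal hosts and the public addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are assumed values.

```pf
# Added example in raw pf.conf syntax; not the page's or pfSense's own file.
# Interface names and addresses are assumed values. The extra public IPs are
# assumed to already be configured as aliases on the WAN interface.

wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
web_srv = "172.16.0.20"       # DMZ host
app_srv = "172.16.0.21"       # DMZ host

# Translation rules are first-match, so the specific PPTP rules must come
# before the catch-all outbound NAT rule.

# NAT limitation workaround: pf tracks one GRE session per public IP per remote
# server, so each internal PPTP client gets its own public IP for both the
# TCP/1723 control channel and the GRE tunnel (servers expect both from one IP).
nat on $wan_if proto tcp from 192.168.1.50 to any port 1723 -> 203.0.113.4
nat on $wan_if proto gre from 192.168.1.50 to any           -> 203.0.113.4
nat on $wan_if proto tcp from 192.168.1.51 to any port 1723 -> 203.0.113.5
nat on $wan_if proto gre from 192.168.1.51 to any           -> 203.0.113.5

# Default outbound NAT: everything else from the LAN leaves as the WAN address.
# Parentheses mean "use the interface's current address", which suits DHCP WANs.
nat on $wan_if from $lan_net to any -> ($wan_if)

# 1:1 NAT for a single host and for an entire subnet (binat is bidirectional)
binat on $wan_if from 172.16.0.10 to any -> 203.0.113.10
binat on $wan_if from 172.16.1.0/24 to any -> 198.51.100.0/24

# Port forwards: a single port on one public IP and a range on another.
# A range maps onto consecutive ports starting at the target port given.
rdr on $wan_if proto tcp from any to 203.0.113.2 port 80 -> $web_srv port 80
rdr on $wan_if proto tcp from any to 203.0.113.3 port 5000:5010 -> $app_srv port 5000

# NAT reflection: LAN clients using the public address still reach the DMZ
# server. The server is on a different segment, so replies already return
# through the firewall and a redirect on the LAN interface is enough.
rdr on $lan_if proto tcp from $lan_net to 203.0.113.2 port 80 -> $web_srv port 80

# Filter rules see the translated (internal) addresses, so pass those
pass in on $wan_if proto tcp from any to $web_srv port 80 keep state
pass in on $wan_if proto tcp from any to $app_srv port 5000:5010 keep state
pass in on $lan_if proto tcp from $lan_net to $web_srv port 80 keep state
```

Disabling the catch-all `nat on $wan_if` rule and keeping only the explicit ones is the raw-pf equivalent of the Advanced Outbound NAT mode described above, which is what lets a selected subnet leave untranslated.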
 
Captive Portal
  • Maximum concurrent connections - Limit the number of connections to the portal itself per client IP. This prevents a denial of service from client PCs that send network traffic repeatedly without authenticating or clicking through the splash page.
  • Idle timeout - Disconnect clients who are idle for more than the defined number of minutes.
  • Hard timeout - Force a disconnect of all clients after the defined number of minutes.
  • Logon pop-up window - Option to pop up a window with a log-off button.
  • MAC filtering - by default, pfSense filters using MAC addresses.
  • Authentication options - There are three authentication options available.





Copyright Mendax Microsystems Inc. 1996-2007 all rights reserved