With the prevalence of "black box" appliance firewalls available for $50 or less, one might wonder why you would look for a do-it-yourself solution. Linksys and D-Link, among other vendors, sell simple, easy-to-configure firewalls cheaply. And let's face it, a firewall isn't something you can choose to use anymore; a firewall is your first line of defense, and a critical one at that.
So where is the appeal of creating your own firewall system? Take a look at some of the many extra features available in a do-it-yourself firewall. While such a firewall system would be self-contained, require a fair amount of storage, run on over-powered hardware, and consume more electricity than a simple appliance, the benefits still far outweigh the drawbacks.
For one, there is a higher degree of reliability. Running on a full computer system makes it infinitely upgradeable. It can be extended to do more than just shuffle packets back and forth. You can turn a simple firewall into a full intrusion detection system. You can analyze and track bandwidth usage. It can be a VPN end point, a Web proxy, DHCP and DNS server, load balancer, handle automatic failover, and provide great diagnostic tools.
pfSense, a firewall system based on the FreeBSD kernel, can handle all of this and more. All wrapped up in a slick Web interface, it can also be controlled via the command line directly, via SSH or even over a serial port. Have some old hardware kicking around? pfSense can run on anything over a 100MHz Pentium system with 128MB of RAM. It can run without a hard drive: via an install-less Live CD with a USB or floppy drive to hold its configuration, or even run entirely on a 128MB compact flash card. This makes pfSense extremely versatile.
The filtering features pfSense provides are quite unique as well. It can filter based on OS/networking fingerprinting, so you can allow Linux systems to connect to the Internet, but deny Windows systems (if you were so inclined, of course). Filter by IP, protocol, or port — inbound and outbound. It can scrub and normalize packets and can limit simultaneous numbers of connections on a per-rule basis.
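The filtering features listed above map directly onto the rule language of pf, the FreeBSD packet filter pfSense is built on. The fragment below is an added illustration written in raw pf.conf syntax; it is not pfSense's own ruleset (pfSense generates that from the Web interface), and the interface names, addresses and table name are assumptions.

```pf
# Added example in pf.conf syntax; not pfSense's generated ruleset.
# em0/em1, the LAN network and the host addresses are assumptions.
ext_if = "em0"
lan_if = "em1"
lan_net = "192.168.1.0/24"

# Table of sources that exceeded a connection limit (filled by the
# overload clause below); persist keeps it across ruleset reloads.
table <bruteforce> persist

# Scrub: reassemble fragments and normalize packets before the rules see them.
scrub in all

# Default deny in both directions, logged so drops show up in diagnostics.
block log all

# Sources already flagged as abusive are dropped immediately.
block in quick from <bruteforce>

# OS fingerprinting (pf.os signatures): LAN hosts may go out, but hosts
# whose TCP SYN fingerprints as Windows are denied. pf uses last-match
# semantics, so the later block overrides the earlier pass for those hosts.
# Caveat: fingerprinting only applies to TCP SYNs, so non-TCP traffic from
# a Windows host still matches the pass rule.
pass in on $lan_if from $lan_net to any keep state
block in on $lan_if from $lan_net os "Windows" to any

# Inbound filter by IP, protocol and port: SSH to one host only, with a
# per-rule cap on simultaneous connections and connection rate per source.
# A source that exceeds either limit is added to <bruteforce> and its
# existing states are flushed.
pass in on $ext_if proto tcp from any to 192.168.1.10 port 22 \
    keep state (max-src-conn 5, max-src-conn-rate 3/30, \
                overload <bruteforce> flush global)

# Outbound: LAN hosts reach the Internet, stateful.
pass out on $ext_if from $lan_net to any keep state
```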
Out of the box, pfSense does nearly everything noted earlier. With extra packages that can be installed via the Web console, you can extend pfSense with other applications. It can do on-demand virus scanning, use mod_security to filter and log traffic, run spamd as a tarpit to prevent the delivery of spam, and use snort for an intrusion detection system. Essentially, almost anything you could ever want out of a firewall, pfSense will provide. And with a (by today's standards) minimal system, there is plenty of horsepower to perform these additional tasks and handle any bandwidth requirements.
Personally speaking, I've used Linksys, D-Link, and other consumer firewalls in the past. All of those devices have died within months. The pfSense box I built, however, has been running for two years without a hiccup. It is a 1.8GHz Athlon64 processor with 512MB RAM and an old 80GB HDD (which is a lot of overkill, as even with retained logs, it is using less than 300MB of space).
There is so much that pfSense can do that it's not possible to cover it all, and with the expandability of extra packages, the number of features you can put into a pfSense firewall is amazing. Software (aka firmware) upgrades aren't frequent, but they are easy to do, and with the Web interface, pfSense is simple to configure. Once it's configured, pfSense is completely reliable, regardless of the traffic you push at it.
If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider. It is a mature product with an amazing feature set, and the security it brings to a network environment is worth the extra up-front cost in hardware, compared to consumer-level firewall appliances. I cannot recommend it enough; it's that good.
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.