pfSense Firewall


pfSense is a free, open-source FreeBSD distribution specialized as a firewall and router. Beyond a powerful and flexible firewall and routing platform, it has a long feature list and a package system. The package system makes it easy to extend the operating system while keeping optional software out of the base distribution, so add-on features do not introduce vulnerabilities into the core system. Since its release pfSense has been downloaded more than a million times, and it has proven itself in countless installations ranging from small networks of a single PC to large enterprises with thousands of network devices, universities and other organizations.
Minimum hardware requirements:
Processor : 100 MHz Pentium
Memory    : 128 MB
Disk      : 1 GB
Installation media : CD-ROM
    Firewall
  • Filtering by source or destination IP address, protocol, and source or destination port (for TCP/UDP traffic)
  • Per-rule connection limits
  • Passing or blocking packets based on the sending host's operating system (passive OS fingerprinting)
  • Logging can be enabled or disabled for every rule
  • Policy-based routing per rule (in particular load balancing, failover and multi-WAN management)
  • Grouping IP addresses, networks or ports with the Alias system
  • Transparent (layer 2, bridged) firewalling
  • Packet normalization (scrub)
    State Table
  • Adjustable state table size. The default is 10,000 states, but this can be changed as required.
      - Per rule
    • The number of simultaneous connections from a single client can be limited
    • The number of connections to the destination server can be limited
    • The number of new connections that may be opened per second can be limited
    • State timeout values can be adjusted
    • The state type can be selected (keep state, modulate state, synproxy)
      - State table optimization
    • Normal : the default algorithm
    • High Latency : for links with high latency such as satellite links; states are kept longer than normal
    • Aggressive : expires idle connections sooner, freeing memory and CPU at the risk of dropping legitimate idle connections
    • Conservative : tries to keep legitimate connections in memory longer, at the cost of more memory and CPU
    Address Translation (NAT)
  • Port forwarding using multiple ports, port ranges and multiple public IP addresses
  • One-to-one (1:1, binat) translation for single IP addresses and whole networks
  • NAT reflection : lets devices on the local network reach internal servers through the external (public) IP address
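As an added example (not a ruleset generated by pfSense, which writes its own from the GUI settings), the following hand-written pf.conf shows how the firewall, state table and NAT features listed above map onto the underlying pf syntax: scrub for normalization, per-rule logging, per-rule state limits and state types, OS fingerprint matching, aliases as tables, policy-based routing, port forwarding, 1:1 NAT and NAT reflection. Interface names, addresses and ports are assumptions chosen for illustration.

```pf
# Added illustration, not pfSense's generated ruleset. Interface names,
# addresses and ports below are assumptions chosen for the example.
ext_if   = "em0"                   # primary WAN interface
ext2_if  = "em2"                   # second WAN interface (multi-WAN)
int_if   = "em1"                   # LAN interface
lan_net  = "192.168.1.0/24"
wan_ip   = "203.0.113.10"          # public address (RFC 5737 documentation range)
web_srv  = "192.168.1.80"          # internal web server
web_ports = "{ 80, 443 }"

# Aliases: a table groups hosts the way pfSense's Alias system does
table <admins> { 192.168.1.10, 192.168.1.11 }
table <bad_hosts> persist          # filled automatically by the overload rule below

# State table size and optimization profile (defaults: 10000 states, normal)
set limit states 10000
set optimization normal            # alternatives: high-latency, aggressive, conservative
set timeout tcp.established 86400  # adjusted state timeout, in seconds

# Packet normalization: reassemble fragments, clear the don't-fragment bit
scrub in all fragment reassemble no-df

# Translation section: outbound masquerading, port forward, 1:1 and reflection
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $wan_ip port $web_ports -> $web_srv
binat on $ext_if from 192.168.1.5 to any -> 203.0.113.5
# NAT reflection: LAN clients hitting the public IP are redirected to the
# internal server, and their source is rewritten so replies come back via pf
rdr on $int_if proto tcp from $lan_net to $wan_ip port $web_ports -> $web_srv
nat on $int_if proto tcp from $lan_net to $web_srv port $web_ports -> ($int_if)

# Filter section
block log all                      # default deny, logged ("log" is chosen per rule)
block in quick from <bad_hosts>    # sources that tripped a connection limit below

# OS fingerprint filtering: drop TCP SYNs whose fingerprint matches nmap probes
block in log quick on $ext_if proto tcp from any os "NMAP"

# Per-rule state limits: proxy the handshake (synproxy), at most 100 states
# per source address, at most 20 new connections per 5 seconds; offenders
# are added to <bad_hosts> and all their existing states are flushed
pass in on $ext_if proto tcp from any to $web_srv port $web_ports \
    synproxy state (max-src-conn 100, max-src-conn-rate 20/5, \
    overload <bad_hosts> flush global)

# Limit the total number of states this rule may hold toward the server
pass in on $int_if proto tcp from <admins> to $web_srv port 22 keep state (max 50)

# Policy-based routing: send admins' web browsing out the second WAN
pass in on $int_if route-to ($ext2_if 198.51.100.1) proto tcp \
    from <admins> to any port $web_ports keep state

# modulate state: replace weak initial sequence numbers on outbound TCP
pass out on $ext_if proto tcp from $lan_net to any modulate state
pass out on $ext_if proto { udp, icmp } from $lan_net to any keep state
```

Check the syntax with pfctl -nf pf.conf before loading it with pfctl -f. On pfSense itself these options are set in the web GUI, and the ruleset it generates from them can be inspected in /tmp/rules.debug.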
    Load Balancing
  • Outbound load balancing : distributes local network traffic across multiple WAN links, with health checks that take failing links out of rotation
  • Inbound load balancing : lets several servers provide the same service as if they were a single server. Servers that stop replying to ping are removed from the pool automatically.
    VPN : pfSense offers three VPN options: IPsec, OpenVPN and PPTP. Note that PPTP's MS-CHAPv2 authentication is cryptographically broken and should not be relied on for confidentiality; the PPTP server was removed from pfSense in version 2.3.
    Reporting and Monitoring
      RRD Graphs : RRD graphs record the following information historically.
    • CPU usage
    • Total throughput
    • Firewall state table size
    • Throughput for each interface separately
    • Packets per second for each interface separately
    • Ping round-trip times from the WAN interfaces to the gateway
    • Queue graphs on systems where traffic shaping is configured
      Real-time Information
    • SVG graphs display the real-time traffic passing over the interfaces
    Dynamic DNS : the Dynamic DNS client keeps a DNS name pointed at a dynamically assigned IP address by sending updates to one of the providers listed below.
  • DynDNS
  • DHS
  • DyNS
  • easyDNS
  • No-IP
  • ODS.org
  • ZoneEdit
    Captive Portal
    The Captive Portal service requires users to authenticate before they can use the network, or simply to click through a page. It is commonly used in public wireless hotspots, but it can also add an extra security layer to wireless networks in corporate environments. The Captive Portal service offers the following settings.

  • Maximum concurrent connections : the number of simultaneous connections from a single client IP address can be limited.
  • Idle timeout : clients that are inactive for a set period are disconnected.
  • Hard timeout : all clients are disconnected after a defined time, regardless of activity.
  • Logout pop-up window : after a client is connected, a pop-up window with a logout button can be shown.
  • URL redirection : after authentication, users can be redirected to a specific, predefined URL.
  • Authentication options : there are three.
    • No authentication : the user only clicks through the portal page (filling in any required information)
    • Local user manager : a local user database on pfSense is used
    • RADIUS authentication : the option generally preferred in corporate networks and by service providers. Users can be verified against Microsoft Active Directory or other RADIUS servers.
  • HTTP or HTTPS : users can be authenticated over an HTTP or HTTPS portal page.
  • File Manager : additional pages and/or images can be uploaded for use on the portal page.
    Bandwidthd
    Bandwidthd tracks network traffic and produces HTML graphs. Graphs are per IP address and are presented in predefined views covering 2-day, 8-day, 40-day and 400-day periods. In addition, each IP address's usage can be kept in CDF files at 3.3-minute, 10-minute, 1-hour and 12-hour resolutions, or in a database.
    SquidGuard
  • SquidGuard is a blacklist-based URL redirector used together with Squid.
  • Access to sites on the blacklist is blocked and the request is redirected to a configured URL.
  • Historical logging is available.
  • Because the blacklist is ready-made and updated automatically from the Internet, only the categories to be blocked (porn, gambling, etc.) need to be selected; sites in those categories are blocked automatically.
  • Accessing sites directly by IP address, to bypass name-based filtering, can also be blocked.
    Siproxd : Siproxd is a proxy/masquerading server for the SIP protocol. It handles the registration of SIP clients located on private IP networks and rewrites SIP message headers appropriately so that connections can be established from behind NAT.
    DNS Server : pfSense can run its own DNS server (forwarder) and provide DNS service to the local network.
    IMSpector : monitors and can block instant messaging protocols such as MSN, Jabber/XMPP, AIM, ICQ and Yahoo (conversations can be viewed and/or logged) and applies content filtering to them.
    DHCP Server and DHCP Relay : pfSense can act as a DHCP server, or be configured as a DHCP relay so that client requests are forwarded to another DHCP server.
    Lightsquid : Lightsquid presents the access logs produced by Squid as HTML pages, broken down by IP address, host and URL.
    FreeRADIUS : FreeRADIUS is free, open-source RADIUS software; the package provides a RADIUS server on pfSense.