94 pfsense 2 0 and beyond bsdcan 09
TRANSCRIPT
-
8/8/2019 94 PfSense 2 0 and Beyond BSDCan 09
1/36
pfSense - 2.0 and beyond
Chris Buechler - [email protected]
Scott Ullrich - [email protected]
History of pfSense
- Started as a work project 13 years ago when we needed an internal firewall
- Originally Linux, switched to FreeBSD 2.2
- Evolution of this path shrunk the firewall down to a Soekris size
- Moatware was started
- Met Chris Buechler during this time
- Sell a number of products
- Sales guy moves to Florida
- Moatware fails
- Chris and myself debate starting over fresh
- pfSense is forked from m0n0wall roughly 4 years ago
- Still going strong today - momentum is snowballing

pfSense Overview
- Customized FreeBSD distribution tailored for use as a firewall and router.
- pfSense has many base features and can be extended with the package system, including one touch installations of popular 3rd party packages such as SpamD (spam filter) and Squid (web caching).
- Includes many features found in commercial products such as Cisco PIX, Sonicwall, Watchguard, etc.
- Many support avenues available: mailing lists, forum and commercial support.
- Has the best price on the planet.... Free!

pfSense Platforms
- Live CD
- Full Install
- Embedded
- Developers

Project statistics
- Millions of downloads served
- 11,400 forum members
- ~1200 mailing list users (support and discussion)
- 21 developers
- 12 active developers (committed in the last year)
- Consistent Google growth

New features (base)
- Layer 7 QoS
- New traffic shaper
- User Manager
- OpenVPN improvements
- PHP 5
- Certificate Manager
- Routing / Gateways improvements
- Dashboard
- Load balancer changes
- Web based pftop, top
- IGMP proxy

New features (continued)
- Complete new interface system
- Multiple DynDNS interface support
- DHCP Server improvements
- PPTP improvements
- New LIBALIAS based in-kernel FTP helper
- Improved load balancing (incoming and outgoing)

Layer 7 QoS improvements
- Based on a regex matching system
- Detects BitTorrent very nicely
- Can detect between bulk and interactive traffic ?
- About X% overhead for L7
- PF peels off the first X bytes of the header for inspection via divert

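The following shell script is an added example, not code from pfSense or from the layer-7 pattern project it builds on. It shows what "regex matching over the first X bytes" means in practice: each flow's payload is truncated to a window of L7_BYTES and a list of extended regular expressions is tried against that window only. The three signatures, the sample captures written by make_samples and the 64-byte default window are all constructed for this example (the BitTorrent handshake really does begin with a 0x13 length byte followed by the string "BitTorrent protocol"; the other two patterns are deliberately loose).

```shell
#!/bin/sh
# Added example (not pfSense code): layer-7 classification by running regular
# expressions over only the first L7_BYTES of a flow's payload, mirroring the
# "peel off the first X bytes for inspection" design described on the slide.

L7_BYTES=${L7_BYTES:-64}   # the "X bytes" window; tune it to see the trade-off

# classify_payload <file>: prints the first signature name that matches the
# window, or "unclassified". Each signature line is "<name> <extended regex>";
# read(1) puts the remainder of the line, spaces included, into $pattern.
# Note that ^ anchors at the start of every line inside the window, not only
# at byte 0, which is a deliberate simplification.
classify_payload() {
  file=$1
  while read -r proto pattern; do
    # grep -a treats the payload as text; LC_ALL=C makes '.' match any byte,
    # so the BitTorrent handshake's length byte (0x13) is covered by '.'.
    if head -c "$L7_BYTES" "$file" | LC_ALL=C grep -aqE "$pattern"; then
      echo "$proto"
      return 0
    fi
  done <<'EOF'
bittorrent ^.BitTorrent protocol
http ^(GET|POST|HEAD|PUT|DELETE|OPTIONS) [^ ]+ HTTP/1\.[01]
ssh ^SSH-[12]\.[0-9]+-
EOF
  echo unclassified
}

# make_samples <dir>: writes constructed payload captures to classify.
make_samples() {
  dir=$1
  # BitTorrent handshake: 0x13, "BitTorrent protocol", 8 reserved bytes, then
  # the info hash and peer id (placeholders here).
  printf '\023BitTorrent protocol\0\0\0\0\0\0\0\0<infohash><peerid>' > "$dir/bt"
  printf 'GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n' > "$dir/http"
  printf 'SSH-2.0-OpenSSH_9.3\r\n' > "$dir/ssh"
  printf 'hello world\n' > "$dir/other"
  # Banner that starts after 80 bytes of padding: a classifier that only sees
  # the first 64 bytes never matches it. That is the cost of a small X.
  printf '%080d\nSSH-2.0-OpenSSH_9.3\r\n' 0 > "$dir/late_ssh"
}

# Walk-through on the constructed captures.
samples=$(mktemp -d)
make_samples "$samples"
for f in bt http ssh other late_ssh; do
  echo "$f: $(classify_payload "$samples/$f")"
done
```

Running it prints bittorrent, http, ssh, unclassified and unclassified; raising L7_BYTES to 128 before the last call turns late_ssh into ssh. A larger window catches more, at the price of the per-packet overhead the slide puts at "X%", so the window is the knob to tune against the protocols you actually need to shape.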
New traffic shaper
- Rewritten from scratch by Ermal Luci
- Supports HFSC, CBQ, FairQ, PriQ
- Uses ALTQ
- Now works on more than 2 interfaces
- Supports bridging
- Pretty much all limitations are now gone!

User Manager
- Full user manager with user and group support
- Can allow an account access to specific areas
- Consolidates all accounts from various areas (VPN users, etc)
- LDAP authentication support
- Per user certificate support

IPsec
- Major overhaul by Matthew Grooms, ipsec-tools committer and author of the Shrew Soft IPsec client - http://shrew.net
- Multiple Phase 2 per Phase 1
- Transport mode support added

IPsec
- Xauth - user and group authentication
  - pfSense local user database
  - LDAP
    - Microsoft Active Directory
    - Novell eDirectory
    - and others...
  - RADIUS
    - Microsoft Active Directory
    - many others
- Now a drop-in replacement for Cisco VPN concentrators, PIX firewalls, and routers

OpenVPN
- Major overhaul by Matthew Grooms
- Can now export a Windows installer bundled with certificates
- Now considered a first class VPN topology in pfSense

New interfaces
- GRE
- gif
- PPP (dial up POTS modems, 3G cellular wireless)
- Many 3G wireless additions
- lagg(4) interface bonding
  - failover
  - load balance
  - round robin
  - Etherchannel
  - LACP

Bridging enhancements
- All of if_bridge's capabilities supported
- 18 advanced configuration options available
- STP and RSTP - fully configurable
- SPAN port capable

Certificate Manager
- Certificate authority support
- Generate OpenVPN certificates
- Generate user certificates
- Generate HTTPS certificate
- Generate IPsec certificates
- Revocation support
- Import existing certificates

Routing / Gateway Additions
- New gateway group feature
- Failover threshold supports RTT or packet loss triggers
- Groups now employ a "Tier" type system
- Supports balancing
- Supports interface failover ordering
- Can fail on packet loss % or 100% down situations

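As an added example (not pfSense's own gateway-group code), the script below shows how the tier system and the two failover triggers on this slide fit together: every member of the lowest-numbered tier that still has a healthy gateway carries traffic (balancing), and a higher-numbered tier only takes over once the whole tier above it has failed on RTT, on packet loss, or on being 100% down. The monitor table, the column layout and the default thresholds are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not pfSense code): select the active gateways of a tiered
# gateway group from monitor results, using RTT and packet-loss triggers.

RTT_MAX=${RTT_MAX:-500}   # ms; a gateway at or above this is treated as failed
LOSS_MAX=${LOSS_MAX:-20}  # percent; a gateway at or above this is failed
                          # (100% loss is the "completely down" case)

# Constructed stand-in for what the gateway monitor would report:
#   <gateway> <tier> <rtt_ms> <loss_pct>
sample_monitor() {
  cat <<'EOF'
WAN1_GW 1 45 3
WAN2_GW 1 120 25
WAN3_GW 2 80 0
WAN4_GW 3 600 0
EOF
}

# select_gateways: reads monitor rows on stdin and prints, space separated,
# the healthy members of the lowest-numbered tier that has any. Members of
# that tier share the load; lower-priority tiers stay idle until every member
# above them has failed. Prints NONE when no gateway is usable.
select_gateways() {
  awk -v rtt_max="$RTT_MAX" -v loss_max="$LOSS_MAX" '
    NF == 4 {
      name = $1; tier = $2 + 0; rtt = $3 + 0; loss = $4 + 0
      # Either trigger (or being fully down) removes the gateway from service.
      if (loss >= 100 || loss >= loss_max || rtt >= rtt_max) next
      if (best == 0 || tier < best) { best = tier; members = name }
      else if (tier == best)        { members = members " " name }
    }
    END { if (best == 0) print "NONE"; else print members }'
}

# Walk-through: with the defaults only WAN1_GW is healthy in tier 1.
sample_monitor | select_gateways
```

With the sample table the defaults give WAN1_GW alone (WAN2_GW trips the loss trigger); LOSS_MAX=30 admits WAN2_GW so tier 1 balances across both; LOSS_MAX=2 fails all of tier 1 and traffic falls over to WAN3_GW in tier 2; adding RTT_MAX=50 fails that too and the group reports NONE. Reading the thresholds as environment variables is only a convenience for the walk-through; the point is that loss and RTT are evaluated per gateway and tiers are evaluated in order.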
Dashboard
- Allows quick access to system information
- Added RSS widget
- Added picture widget
- Added gateways widget with RTT and loss reporting
- New AJAX CPU utilization widget

Load Balancer changes (relayd)
- Layer 3 balancing
- Layer 7 balancing
- New monitoring features
  - Send/expect
  - DNS
  - HTTP
  - HTTPS

Web based pftop
Web based top
IGMP Proxy
- Useful for video in some cases
- Some phone systems use IGMP for overhead speakers
- IP TV
- Gaming

New interface system
- All interfaces treated equally - no special status for LAN/WAN.
- Multi interface PPPoE support (WAN)
- Multi interface PPTP support (WAN)
- Allows just one interface to be assigned (appliance mode)
- QinQ VLAN support
- Interface groups

DHCP Server improvements
- Dynamic DNS client name registration support
- Definable NTP servers
- LDAP URI integration
- Now allows duplicate IP address registration for multiple MAC addresses
- Network booting related additions
  - Next-server
  - Filename
  - root-path-string

New features (packages)
- Jails
- FreeSWITCH
- Squid 3
- Avahi
- Open-VM Tools
- PHP Service
- OpenVPN Client Export Utility (Windows)
- TFTP Server (useful for upgrading Cisco/HP switches, etc)

Appliance building
- The pfSense builder system can now automatically generate custom "Appliances" from an overlay file.
- Simply add the files that you want to include into a directory and define that directory in the pfsense_local.sh custom_overlay directive
- We will go over a quick appliance build later in this presentation

FreeSWITCH Appliance
- Can be run on pfSense directly or as a dedicated appliance.
- Features:
  - Voice Mail
  - Voice Mail to e-mail (one or more email addresses; can also be sent to special email addresses for SMS text messages)
  - Auto Attendant
  - Music on Hold (.wav)
  - Recordings
  - Follow Me
  - Text to Speech (flite)

FreeSWITCH Appliance
- Features continued:
  - Call Park
  - Call Forward
  - DISA (Direct Inward/Outward System Access)
  - Call Queues
  - SIP (TLS) and SRTP and more.
  - Simple to call between multiple systems using the Internet.
  - Call Eavesdrop (aka barge)
  - Call Recording
  - Call Intercept by Group, Global, Extension

FreeSWITCH Appliance
- Features continued:
  - Call Park
  - Google 411
- Email: [email protected]
- Wiki: http://doc.pfsense.org/index.php/FreeSWITCH
- IRC: #pfsense-freeswitch

DNS Server Appliance
- Many features removed such as DHCP Server, VPN, etc
- Two versions released so far, newest based on FreeBSD 8
- Based on TinyDNS from DJ Bernstein
- Automatically synchronizes changes to 5 other hosts
- Automatically fails over to backup records on host failure, detected using ICMP
- Automatically fails over to the backup record if WAN RTT > X
- Automatically fails over to the backup record if RTT to host Y.Y.Y.Y > X
- Zone transfer support for the BIND folks
- Configuration data stored in the master config.xml file

Creating an appliance (overview)
- Install FreeBSD 7
- Follow http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso
- Execute these shell commands:
  cd /home/pfsense/tools/builder_scripts
  cp builder_profiles/pfDNS/pfsense_local.sh .
  ./build_iso.sh

Creating your own appliance (overview)
  cd /home/pfsense/tools/builder_scripts/builder_profiles/
  cp -R pfDNS MyAppliance && cd MyAppliance
  grep -R "pfDNS" * | cut -d":" -f1 | sort -u
- The grep lists every file in the copied profile that still refers to pfDNS:
  README
  config/config.xml
  copy_overlay/boot/beastie.4th
  copy_overlay/etc/inc/globals.inc
  copy_overlay/usr/local/share/dfuibe_lua/conf/pfSense.lua
  pfsense_local.sh
- Edit the above files to your liking

Building your appliance (overview)
  cd /home/pfsense/tools/builder_scripts
  cp builder_profiles/MyAppliance/pfsense_local.sh .
  ./build_iso.sh
- See http://devwiki.pfsense.org/CreatingAnAppliance

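The script below is an added example, not the pfSense builder's own tooling; it turns the three appliance slides (clone the pfDNS profile, grep for every file still naming it, fix them, activate the profile and build) into functions you can run against a profile tree. The directory layout comes from the slides; the file contents written by make_sample_profiles are constructed so the clone-and-rename part runs offline without a builder checkout, and the final build step is only a wrapper around the cp and ./build_iso.sh commands shown above.

```shell
#!/bin/sh
# Added example (not the pfSense builder's scripts): clone a builder profile,
# find every file that still references the old profile name, rewrite them,
# and (on a real builder tree) activate the profile and build the ISO.

# make_sample_profiles <dir>: constructed stand-in for
# /home/pfsense/tools/builder_scripts/builder_profiles holding a pfDNS profile.
make_sample_profiles() {
  p=$1/pfDNS
  mkdir -p "$p/config" "$p/copy_overlay/boot" "$p/copy_overlay/etc/inc"
  printf 'pfDNS builder profile\n' > "$p/README"
  printf '<pfsense><system><hostname>pfDNS</hostname></system></pfsense>\n' > "$p/config/config.xml"
  printf 'set pfdns_brand="pfDNS"\n' > "$p/copy_overlay/boot/beastie.4th"
  printf '<?php\n$g["product_name"] = "pfDNS";\n' > "$p/copy_overlay/etc/inc/globals.inc"
  printf 'export PRODUCT_NAME="pfDNS"\nexport custom_overlay="copy_overlay"\n' > "$p/pfsense_local.sh"
}

# clone_profile <profiles_dir> <src> <dst>: the slide's "cp -R pfDNS MyAppliance".
clone_profile() {
  cp -R "$1/$2" "$1/$3"
}

# list_references <profile_dir> <name>: the slide's grep | cut | sort -u
# pipeline, run inside the profile. -H forces the file name prefix even for a
# single file; LC_ALL=C keeps the sort order stable across locales.
list_references() {
  ( cd "$1" && grep -RH "$2" * | cut -d: -f1 | LC_ALL=C sort -u )
}

# rename_references <profile_dir> <old> <new>: rewrite the name in each file
# that list_references reports. Plain sed substitution, so escape <old> and
# <new> first if they contain slashes or sed metacharacters.
rename_references() {
  list_references "$1" "$2" | while IFS= read -r f; do
    sed "s/$2/$3/g" "$1/$f" > "$1/$f.tmp" && mv "$1/$f.tmp" "$1/$f"
  done
}

# build_appliance <builder_scripts_dir> <profile>: the final slide's step.
# Not exercised here because it needs the real builder tree and build_iso.sh.
build_appliance() {
  cd "$1" && cp "builder_profiles/$2/pfsense_local.sh" . && ./build_iso.sh
}

# Walk-through on the constructed tree.
work=$(mktemp -d)
make_sample_profiles "$work"
clone_profile "$work" pfDNS MyAppliance
echo "files still naming pfDNS:"
list_references "$work/MyAppliance" pfDNS
rename_references "$work/MyAppliance" pfDNS MyAppliance
echo "after rename: $(list_references "$work/MyAppliance" pfDNS | wc -l) references left"
```

On the sample tree the first listing names all five files, and after rename_references the same grep finds nothing, which is the check worth running before build_iso.sh: a profile that still carries the old name in config.xml or pfsense_local.sh builds an appliance that identifies itself as pfDNS.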
BSD Perimeter milestones
- Chris is now working full time
- BSD Perimeter coordinating MIPS port for RouterStation
- pfSense book will be released in the next couple months
- Commercial support is growing with satisfied customers
- Sponsored IPsec improvements
- Sponsoring various misc projects on behalf of customers, IGMP package for 1.2.*, etc

Questions?
Comments?
Thanks for attending!