Posts Tagged ‘pfsense’
For years I was using miniature PowerPC and ARM machines as a gateway for my SoHo network. A normal Linux install using openSUSE or Debian, with iptables, proxies, sometimes an IDS or even a torrent server to seed openSUSE alpha/beta/release CDs. While it was fun, these machines were never intended to do this job: additional Ethernet interfaces were on USB, they could not keep up with today’s broadband speed increase, and they did not like the near 7/24 operation. Now I got a chance to try a machine designed to be run 7/24, with passive cooling and multiple Ethernet ports, so a real gateway machine, an eBox 3310mx, instead of some nice hacks.
As a FreeBSD maniac, the first firewall distribution I tested on the machine was pfSense. In addition to being a flexible and powerful firewall and routing platform, it can be extended with many add-on packages for IDS (Snort), VoIP, caching proxy (squid), etc. All these arrive with convenient and uniform web interface extensions to the base web GUI.
Using pfSense I had some mixed results. The machine is based on the Vortex86 SoC, which also includes an Ethernet port. In theory FreeBSD is supported, but in practice it did not work; only the additional two Ethernet ports did. On the other hand, this was the fastest networking stack on the machine: I often measured faster downloads than the theoretical maximum on my ADSL line.
As I also wanted to test a three-Ethernet setup, I also downloaded a Linux-based firewall distribution. I was recommended to try ZeroShell, but after a few hours I gave up on installation. Then I tried IPCop, a simple, easy-to-use firewall distribution. Still, it had many more features and yet was easier to use than my SoHo router box. It has some nice graphs, traffic shaping, VPN connections, a lot more flexible firewall and logs about network activity. On the other hand, while there was support for the on-chip Ethernet, its speed was less than optimal.
The best Linux experience I had on the machine was using it with Debian. Installation was quick and easy. Network speed was close to the theoretical maximum on each interface. And as it’s a general-purpose distribution, I could easily add NAS functionality using USB hard drives and the necessary software.
Talking about Debian, I have some good news for you: Zorp GPL packages are available for Debian, as was announced on the Zorp mailing list recently. This makes installation of Zorp GPL a lot easier on many different versions of Debian and Ubuntu. Still not as easy as the web GUI based firewall distributions I tested, but thanks to its proxy-based architecture, it can provide a lot stricter and more fine-tuned protection than any others I tested. For details on how to get started, read the announcement or the maintainer’s blog.
One of the main strengths of syslog-ng is that it runs on many different architectures. Not just on Linux, but on most BSD variants, AIX, HP-UX and Solaris, and the Premium Edition also has clients for Windows and IBM System i. The platform I want to talk about now is FreeBSD. First of all, because it’s my favorite server platform, and also because FreeBSD users seem to like syslog-ng.
How do I know this? From some download statistics, some personal e-mails and also forum messages:
- When we released the first alpha version of syslog-ng 3.4 and updated the sysutils/syslog-ng-devel port for it, I checked the source download statistics, and most of the downloads were initiated from FreeBSD systems.
- One of the major organizations supporting FreeBSD’s development asked us in private e-mail to enable SSL support by default in the syslog-ng port. Thanks to Cy, who maintains the package in FreeBSD ports, it’s enabled now, so the next time FreeBSD packages are built from ports, syslog-ng will have SSL support compiled in.
- Somebody asked for syslog-ng support in pfSense, a very nice FreeBSD-based firewall distribution.
I used pfSense in the last couple of days, and I like it very much, as my Internet connection feels a lot faster now even without upgrading the line. Once I have a little more time, I’ll check how difficult it would be to integrate syslog-ng into this nice firewall distribution.