pfSense experiences

Steven Alligood steve at bluehost.com
Fri Jun 15 12:00:07 MDT 2007


I guess it depends on what you term "firewall".

If you are running a basic packet inspection firewall (i.e., iptables) and 
all you care about is which port can get where and from which ip, but 
you don't want to do stateful inspection or any kind of guarantee that 
someone isn't just tunneling whatever they want on your http port, then 
current PC hardware with open source software should do you (assuming 
that you can push the 4 GB through the pc, hardware wise).  And yes, the 
PIX falls into that category.

And yes, high end firewalls are often on the same type of hardware.  
What you pay for is the software.

An example.  There are a lot of really good spam block packages out 
there for open source.  They do a really good job of stopping spam.  But 
they overload and become almost worthless for really large amounts of 
spam (say, 500,000 messages a day) (and please don't everyone flame me on 
this stat.  I know it can vary greatly depending on how aggressive you 
want to block spam - I am attempting to compare apples to apples on what 
the commercial products will do).  Step up to Ironport and their 
competitors.  They can handle over 600,000 per hour.  They still stop 
the spam, in many of the same ways that the open source ones do, and on 
very similar hardware.

There are many reasons people buy commercial products, and they are not 
all just for support or to use up a budget.  Some of the commercial 
products are really good.

All I am trying to say is that on an enterprise or even carrier grade 
level, often the commercial product will blow the open source ones out 
of the water.  It's how they make money.

Having said that, if you can get the free ones to do what you need, go 
for it.  I run a lot of open source software, with some of it being 
hands down better than the commercial versions (dns, anyone?)

-Steve

Michael L Torrie wrote:
> On Fri, 2007-06-15 at 09:39 -0600, Steven Alligood wrote:
>> "unlimited funds" and "1-4GB of traffic" being the key words here, I 
>> would strongly suggest a commercial product.
>>
>> You can do very well on the lower end traffic scale (a couple hundred 
>> MB/sec) with open source and PC hardware, but once you start throwing 
>> around some serious traffic, you will find that the commercial products 
>> just handle it better, often with very nice reporting tools.
>>
>> I am not saying that you cannot do it with non-commercial stuff, but you 
>> will have a lot more headaches dealing with that amount of traffic.
>
> Yeah, I used to believe that too.  Until we opened up our so-called
> professional product.  This was a medium-end Cisco PIX.  Turned out it
> had a Celeron processor in it and 3 ordinary, 100 Mb/s on-board nics.
> And it's no different (except for a more powerful processor and gigabit
> nics) on the higher end PIX's.
>
> A PCI bus is a PCI bus.  Very few firewalls are anything but ordinary pc
> hardware.  Slap a couple of gigabit, 64-bit cards (or PCI express) in a
> beefy machine and you'll more than match the commercial solution.  No
> really.
>
> While it is true a router with ASIC hardware to do fabric switching is a
> far cry from sticking a bunch of nics in a box, installing linux, and
> calling it a router, I have not found the same idea to be true in the
> realm of over-priced, so-called hardware firewalls.  I built a linux
> firewall out of a dell 1U server that handily matched if not beat a
> $10,000 solution in terms of throughput.
>
>> -Steve
>>
>> Daniel wrote:
>>> It sounds like pfSense is the way to go for the schools, given the
>>> responses.  Thank you.
>>>
>>> Now let's say you had to secure about 1-4GBs of traffic and you had
>>> unlimited funds would you still go with pfSense or would you go with a
>>> commercial solution like Juniper, or Cisco?  Does anyone have
>>> experience with a Juniper or any other commercial solution and
>>> pfSense?
>>>
>>> -Daniel
>>>
>>> On 6/15/07, Lars Rasmussen <lars.rasmussen at gmail.com> wrote:
>>>> Look no further than pfSense for your firewall.
>>>>
>>>> I've been using pfSense since the alpha releases - I previously used
>>>> m0n0wall.  Before m0n0wall I was using a floppy disk to boot a Linux
>>>> based firewall.  I've used pfSense at work and at home.
>>>>
>>>> pfSense will let you enforce QoS (even has a wizard for prioritization
>>>> of VoIP & common applications/traffic types).  pfSense allows for
>>>> failover & multiple WAN connections, and has multiple VPN types as
>>>> part of the standard feature set.
>>>>
>>>> You can add features (packages) if you so desire.  One of my Windows
>>>> buddies still marvels at how he doesn't even think about his pfSense
>>>> box - it just sits in the closet and runs.
>>>>
>>>> I am currently using pfSense at home with Comcast & Vonage; it allows
>>>> me to coexist with BitTorrent nicely, and the pfSense project seems to
>>>> have more active development than any of the Linux-based firewall
>>>> projects.
>>>>
>>>> It is straightforward to install pfSense yourself, but you could
>>>> alternately buy an appliance that contains no moving parts & likely
>>>> increase your uptimes to years.  Here's what the console portion of
>>>> the pfSense installation looks like:
>>>>
>>>> http://www.metacafe.com/watch/584867/install_pfsense_1_2beta1/
>>>>
>>>> Configuration after this point is handled via the web interface.
>>>> -- 
>>>> Lars
>>>>
>>>> /*
>>>> PLUG: http://plug.org, #utah on irc.freenode.net
>>>> Unsubscribe: http://plug.org/mailman/options/plug
>>>> Don't fear the penguin.
>>>> */
>>>>
