pfSense experiences

Michael L Torrie torriem at
Fri Jun 15 17:07:52 MDT 2007

On Fri, 2007-06-15 at 12:00 -0600, Steven Alligood wrote:
> I guess it depends on what you term "firewall".

I'm currently defining it as a Layer 3 firewall, which seems to be
exactly what the original poster was talking about.  pfSense appears to
be a very good piece of software for implementing a Layer 3 firewall on
a piece of hardware.

> If you are running a basic packet inspection firewall (ie, iptables) and 
> all you care about is which port can get where and from which ip, but 
> you don't want to do stateful inspection or any kind of guarantee that 
> someone isn't just tunneling whatever they want on your http port, then 
> current PC hardware with open source software should do you (assuming 
> that you can push the 4 GB through the pc, hardware wise).  And yes, the 
> PIX falls into that category.

Typically commercial "hardware" packet filters run up to $10,000.  When
we went to replace our NetScreen, we found the basic model that would
handle sub-100 Mb/s would run us about $10,000.  We settled on a Cisco
Pix for about $5000-$6000, mainly for political reasons (see my comments
on this below).  A Linux firewall in fact worked far better than the

I have yet to see evidence that a Layer 7 firewall is that effective.
From my limited experience I have found it's better to implement
solutions at the application level itself.  For example, an out-going
proxy server, rather than a layer 7 firewall.  Now that Layer 7
firewalls are more popular and known, people tend to fall into a false
sense of security and forget that firewalls were never intended to
protect oneself from flaws in the very applications (HTTP for one) that
you are trying to serve.

As far as countering http tunneling goes, a transparent proxy (or
blocking port 80 entirely and requiring the use of a corporate proxy) is
a far better way of dealing with things.  BYU has a Layer 7 firewall and
it causes no end to difficulties and you can bet they've bought the most
expensive system Cisco makes.

> And yes, high end firewalls are often on the same type of hardware.  
> What you pay for is the software.

Which is not worth it, as far as I'm concerned.  IOS is really good, but
let's be honest.  IOS in the PIX is not worth the $6000 it costs.

> An example.  There are a lot of really good spam block packages out 
> there for open source.  They do a really good job of stopping spam.  But 
> they overload and become almost worthless for really large amounts of 
> spam (say, 500,000 messages a day)(and please don't everyone flame me on 
> this stat.  I know it can vary greatly depending on how aggressive you 
> want to block spam - I am attempting to compare apples to apples on what 
> the commercial products will do).  Step up to Ironport and their 
> competitors.  They can handle over 600,000 per hour.  They still stop 
> the spam, in many of the same ways that the open source ones do, and on 
> very similar hardware.

I've seen expensive commercial products choke just as easily as an open
source solution.  I've also seen commercial products blast through
amazing amounts of traffic.

However, for this specific example, I think what you say really drives
the point home.  If I can implement a cheap linux-based solution that
can handle 100,000 a day for a fraction of the price of the Ironport, I
can scale that solution up to Ironport levels at still less cost than
the Ironport.  It's PHB thinking (the culture) that drives Ironport's
sales.  The perception of the value of service (perception is reality so
one should do whatever one perceives brings the most value).

> There are many reasons people buy commercial products, and they are not 
> all just for support or to use up a budget.  Some of the commercial 
> products are really good.
> All I am trying to say is that on an enterprise or even carrier grade 
> level, often the commercial product will blow the open source ones out 
> of the water.  It's how they make money.

I disagree to a certain point. Commercial products make money primarily
based on a culture.  They also make money based on spec sheets that are
designed to impress PHB's.  In short it's about marketing.  I've rarely
seen any enterprise decision based on merit.  You can't get fired for
buying IBM, Sun, and Cisco.  Sure products should and often do compete
on their own merits.  But in the vast majority of the enterprises, it's all
about culture, brand, etc.  It's not about merit, features, or
components, really.  (Witness the wild success of Microsoft's products.)

> Having said that, if you can get the free ones to do what you need, go 
> for it.  I run a lot of open source software, with some of it being 
> hands down better than the commercial versions (dns, anyone?)

> -Steve
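Added example, not from either poster and not pfSense's own configuration: the "block port 80 entirely and require the use of a corporate proxy" approach mentioned above, written as a raw pf ruleset (pf is the packet filter pfSense is built on). Interface names, the LAN range, the proxy address and the proxy port are constructed placeholders.

```pf
# Constructed pf.conf fragment: force LAN web traffic through a proxy.
ext_if    = "em0"                # Internet-facing interface (placeholder)
lan_if    = "em1"                # LAN interface (placeholder)
lan_net   = "192.168.1.0/24"     # LAN range (placeholder)
proxy     = "192.168.1.10"       # corporate proxy host on the LAN (placeholder)
proxy_port = "3128"              # port the proxy listens on (placeholder)
web_ports = "{ 80, 443 }"

# Default deny and log, so anything unexpected shows up in pflog.
block log all

# LAN clients may talk to the proxy, and only to the proxy, for web access.
pass in quick on $lan_if proto tcp from $lan_net to $proxy port $proxy_port keep state

# The proxy host itself is the only LAN machine allowed to reach web ports
# on the Internet; its traffic enters on the LAN side and leaves on ext_if.
pass in  quick on $lan_if proto tcp from $proxy to any port $web_ports keep state
pass out quick on $ext_if proto tcp from $proxy to any port $web_ports keep state

# Any other LAN host trying to reach 80/443 directly is dropped and logged;
# those log entries are the place to look for clients bypassing the proxy.
block log quick on $lan_if proto tcp from $lan_net to any port $web_ports
```

Because `quick` rules are evaluated in order, the proxy's pass rules must appear before the LAN-wide block rule, as above.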

More information about the PLUG mailing list