Introducing pfSense

From pfSense Documentation
Jump to: navigation, search

What pfSense is

pfSense is a complete firewall software package that, when used together with suitable hardware, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software). pfSense is based on a stripped-down and heavily customized version of FreeBSD, along with a web server LightTPD, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent.

pfSense is probably the second UNIX system to have its boot-time configuration done with PHP, rather than the usual shell scripts, and to have the entire system configuration stored in XML format. The pfSense project was based on m0n0wall, which was the first system of this type.

pfSense features a package system that allows the environment to be extended with new features and functions.

What pfSense is not

pfSense is a firewall, and the purpose of a firewall is to provide security. The more functionality is added, the greater the chance that a vulnerability in that additional functionality will compromise the security of the firewall. It is the opinion of the pfSense founders and core contributors that anything outside the base services of a layers 2 through 4 firewall do not belong in the pfSense base system. Services may be extended via the package manager but the operator should use caution in deciding when, where and how to deploy these services. In many cases a separate machine deployed alongside the primary firewall would serve better to maintain maximum security.


pfSense provides many of the features of expensive commercial firewalls, and some that are not found in any commercial firewalls, including:

  • Web interface (Uses SSL by default)
  • Serial console interface for recovery
    • Set interface IP addresses
    • Reset admin password
    • Restore factory defaults
    • Reboot system
  • Wireless support (access point or BSS/IBSS with depending on the card and driver)
  • Stateful packet filtering
    • Block/pass rules
    • Logging
    • Scheduled rules
  • NAT/PAT (including 1:1)
  • DHCP client, PPPoE and PPTP support on the WAN interface
  • IPsec VPN tunnels (IKE; with support for hardware crypto cards)
    • NAT+IPsec support for masking Phase 2 tunneled networks
    • Mobile IPsec support using xauth and local, RADIUS, or LDAP backed authentication
  • OpenVPN for site-to-site or remote access setup
    • Remote Acesss OpenVPN also supports local, RADIUS, or LDAP backed authentication
  • PPTP VPN (with RADIUS server support)
  • Static routes
  • DHCP server or relay
  • Caching DNS forwarder
  • DynDNS client
  • SNMP agent
  • Traffic shaper
  • Firmware upgrade through the web browser or console
  • Configuration backup/restore
  • Host, network, and port aliases
  • High-availability active/passive failover using CARP
  • Captive Portal
  • Multi-WAN Load Balancing (outbound)
  • Server Load Balancing (inbound)
  • NTP Server
  • PPPoE Server (with RADIUS server support)
  • Universal Plug-n-Play (UPnP, NAT-PMP)
  • Wake on LAN

Software Copyright and Distribution (Licenses)

See Copyright