「pfSense」- Firewall | Operating System | Study Notes

Introduction

pfSense is an open-source network firewall and router operating system. It began in 2004 as a fork of m0n0wall and is developed under the lead of Netgate. The Community Edition is free; the enterprise edition offers paid support (such as TAC support, cloud features, and so on). It is known for its stability and enterprise-grade features and has a large user base.

pfSense software was forked from the m0n0wall open source project in 2004. m0n0wall was focused specifically on providing a firewall/router for embedded devices and was sized for limited hardware resources. Initially pfSense software aimed at providing a firewall/router solution with an expanded set of capabilities on larger PC and server style hardware.

The early tag line for the pfSense open source project was “making sense of pf”, referring to the packet filter technology at the core of the project.

Official Site

https://www.pfsense.org/

Documentation

https://docs.netgate.com/pfsense/en/latest/

Finding Information and Getting Help | https://docs.netgate.com/pfsense/en/latest/general/help.html

Acknowledgements | https://docs.netgate.com/pfsense/en/latest/preface/acknowledgements.html

Repository

https://github.com/pfsense/pfsense

Components

—— "Components" here means the internal parts (the architecture) that make up pfSense, which we do not interact with directly in day-to-day use: for example, the operating system, the configuration file, service management, and so on.

License: Apache 2.0 open source license (Learn About the pfSense Project)

FreeBSD

Operating system: pfSense is based on the FreeBSD operating system;

Why FreeBSD? | https://docs.netgate.com/pfsense/en/latest/general/why-freebsd.html
Wireless Support, Network Performance, Familiarity and ease of fork, Alternative Operating System Support, ...

Web GUI

Managing Lists in the GUI | https://docs.netgate.com/pfsense/en/latest/config/manage-item-lists.html
Quickly Navigate the GUI with Shortcuts | https://docs.netgate.com/pfsense/en/latest/config/shortcut-bar.html
Menu Guide | https://docs.netgate.com/pfsense/en/latest/menuguide/index.html

User interface: a traditional Web UI (comprehensive in features but somewhat dated)

PF in FreeBSD

PF in FreeBSD can perform many of the basic packet filtering and QoS firewall tasks that pfSense software provides, however, pfSense software makes it easier to manage, monitor, and maintain.

Interface Naming Terminology

WAN

LAN

OPT or Optional interfaces refer to any additional interfaces other than WAN and LAN. OPT interfaces can be additional LAN segments, WAN connections, DMZ segments, interconnections to other private networks, and so on.

Networking Concepts

https://docs.netgate.com/pfsense/en/latest/network/index.html

Console Types

https://docs.netgate.com/pfsense/en/latest/hardware/console-types.html

XML Configuration File

https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html

Editions

pfSense® Plus

The existence of pfSense Plus software would allow Netgate to add advanced features required by business customers.

More Frequent Software Updates
Multiple Releases per Year
Cryptography and VPN Acceleration

  • OpenVPN Data Channel Offload (DCO) support
  • Intel IPsec Multi-Buffer (IIMB) support
  • Intel QuickAssist Technology (QAT) support
  • SafeXcel cryptographic accelerator support
  • CESA support
  • AWS VPC VPN Connection Wizard add-on package
  • IPsec Profile Wizard add-on package | This add-on package creates IPsec configuration profiles for Apple devices (iOS and macOS), and IPsec import script bundles for Windows devices. ⇒ a feature we may be particularly interested in;
  • OpenVPN Client Import add-on package

ZFS Boot Environment (BE) Management in webConfigurator

ZFS dashboard widget (to track status of disks using ZFS)

CARP mode (multicast or unicast) ⇒ related to high availability

Ethernet (Layer 2) Filtering Rules support ⇒ a feature we may need;

LDAP Client Certificate support | This feature supports a certificate sent to the LDAP server to identify this client when using an encrypted transport mode.

GUI Options for WAN 802.1X Authentication Bridging and VLAN 0 PCP Tagging

Native Packet Flow Data Export for NetFlow/IPFIX

Capabilities For Netgate Hardware | features specific to Netgate hardware

  • ARM64 support (for Netgate’s ARM-based appliances)
  • The Firmware Update add-on package
  • MMC Utilities package
  • Support for specialized hardware such as status LEDs, reset buttons, switches, and hardware watchdog devices
  • Default optimized configurations for Netgate hardware appliances

pfSense CE

Netgate announced the creation of pfSense Plus software, and the renaming of the open-source project to pfSense Community Edition (CE), in January 2021.

Hardware | https://docs.netgate.com/pfsense/en/latest/hardware/index.html

Releases | https://docs.netgate.com/pfsense/en/latest/releases/index.html

Download | https://pfsense.org/download/

Installing and Upgrading | https://docs.netgate.com/pfsense/en/latest/install/index.html
on Virtualization | https://docs.netgate.com/pfsense/en/latest/virtualization/index.html

High Availability | https://docs.netgate.com/pfsense/en/latest/highavailability/index.html

Observing

Backup and Recovery | https://docs.netgate.com/pfsense/en/latest/backup/index.html

Certificate Management | https://docs.netgate.com/pfsense/en/latest/certificates/index.html

Tuning

Troubleshooting

Features

—— This section covers the functional features of pfSense. "Functional features" focuses on the problems pfSense can solve; the supporting functions (users, certificates, backup, ...) are not discussed here.

Setup Wizard & General Configuration Options

Setup Wizard | https://docs.netgate.com/pfsense/en/latest/config/setup-wizard.html

General Configuration Options | https://docs.netgate.com/pfsense/en/latest/config/general.html

Connecting to the GUI | https://docs.netgate.com/pfsense/en/latest/config/index.html#connecting-to-the-gui
Console Menu Basics | https://docs.netgate.com/pfsense/en/latest/config/console-menu.html

Admin Access | https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html | These settings do not concern network functions; they govern the behavior of pfSense itself.

Notifications | https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html

Resetting to Factory Defaults | https://docs.netgate.com/pfsense/en/latest/config/factory-defaults.html

Firewall & NAT

Firewall | https://docs.netgate.com/pfsense/en/latest/firewall/index.html

NAT | https://docs.netgate.com/pfsense/en/latest/nat/index.html

Firewall & NAT | advanced options and feature controls | https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html

Routing | Static and Dynamic

https://docs.netgate.com/pfsense/en/latest/routing/index.html

Routing Protocol | WIP

Bridging

https://docs.netgate.com/pfsense/en/latest/bridges/index.html

VLAN

https://docs.netgate.com/pfsense/en/latest/vlan/index.html

Multiple WAN

Multiple WAN Connections | https://docs.netgate.com/pfsense/en/latest/multiwan/index.html

VPN Support

It supports a variety of VPN technologies (IPsec, OpenVPN, ...) for establishing secure remote-access connections, site-to-site connections, and so on.

IPsec

L2TP VPN | https://docs.netgate.com/pfsense/en/latest/vpn/l2tp/index.html
OpenVPN | https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/index.html
WireGuard | https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html

Configuration examples:

Troubleshooting methods:

QoS and Traffic Shaper

https://docs.netgate.com/pfsense/en/latest/trafficshaper/index.html

Captive Portal

https://docs.netgate.com/pfsense/en/latest/captiveportal/index.html

Networking | DHCP, DNS, SNMP, UPnP, NTPD, …

https://docs.netgate.com/pfsense/en/latest/services/index.html

DHCP

NTPD

DNS

IPv6 Support

Interface Configuration

Wireless

https://docs.netgate.com/pfsense/en/latest/cellular/index.html

Cellular Wireless

https://docs.netgate.com/pfsense/en/latest/cellular/index.html

Package System

https://docs.netgate.com/pfsense/en/latest/packages/index.html

Package Manager | https://docs.netgate.com/pfsense/en/latest/packages/manager.html

Package List | https://docs.netgate.com/pfsense/en/latest/packages/list.html

Applications

pfSense® software Configuration Recipes | https://docs.netgate.com/pfsense/en/latest/recipes/index.html

pfSense® software can meet the needs of nearly any type and size of network environment, from a SOHO to datacenter environments.

  • Perimeter Firewall | The most common deployment of pfSense software is a perimeter firewall. pfSense software accommodates networks requiring multiple Internet connections, multiple LAN networks, and multiple DMZ networks. BGP (Border Gateway Protocol), connection redundancy, and load balancing capabilities are configurable as well.
  • LAN or WAN Router | pfSense software configured as a LAN or WAN router and perimeter firewall is a common deployment in small networks. LAN and WAN routing are separate roles in larger networks.
  • VPN Appliance | pfSense software installed as a separate Virtual Private Network appliance adds VPN capabilities without disrupting the existing firewall infrastructure, and includes multiple VPN protocols.
  • Sniffer Appliance | pfSense software offers a web interface for the tcpdump packet analyzer. The captured .cap files are downloaded and analyzed in Wireshark.
  • DHCP Server Appliance | pfSense software can be deployed strictly as a Dynamic Host Configuration Protocol server, however, there are limitations of the pfSense software GUI for advanced configuration of the ISC DHCP daemon.

Thanks to its rich feature set and flexibility, pfSense is widely used by enterprises, educational institutions, and individual users, providing a reliable and secure network solution;

Suitable for users familiar with traditional firewall configuration, especially in enterprise environments. The documentation is extensive and community resources are abundant.

For those who need a mature enterprise-grade solution, depend on specific packages (such as pfBlockerNG), or prefer a conservative update policy.

Enterprise users who favor "stability first"

pfSense is more mature in traditional scenarios (such as ISP-grade routing).

Improvements

Troubleshooting | https://docs.netgate.com/pfsense/en/latest/troubleshooting/index.html

Feedback | https://docs.netgate.com/pfsense/en/latest/preface/feedback.html
Comparison to Commercial Alternatives | https://docs.netgate.com/pfsense/en/latest/general/commercial-alternative-comparison.html
Can pfSense software meet regulatory requirements | https://docs.netgate.com/pfsense/en/latest/general/regulatory-requirements.html

Netgate® Nexus | https://docs.netgate.com/pfsense/en/latest/nexus/index.html | Netgate Nexus is the multi-instance management (MIM) system for pfSense Plus software. ⇒ it is used to manage multiple pfSense Plus instances.

Development | https://docs.netgate.com/pfsense/en/latest/development/index.html

pfSense 2.7: unable to log in via Firefox

When logging in to pfSense 2.7 via Firefox, after submitting the login credentials the page automatically refreshes and returns to the login screen.
Logging in via Google Chrome works normally;

Solution: we resolved the issue by clearing Firefox's browser cache and cookie data;