Stateful Packet Inspection (SPI)
A stateful firewall is a network-based firewall that individually tracks the sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, records the state of each connection (for TCP, the handshake and sequence numbers) so that return traffic for a permitted session is allowed automatically, while unsolicited packets that match no existing state are evaluated against the ruleset and, by default, dropped. pfSense software does this by default, and its per-interface rules pass or block traffic based on policy matches. To inspect without blocking, add pass rules from any to any on each interface as desired; the firewall still creates and tracks state for every connection it passes.
IP/DNS-based filtering
IP/DNS-based filtering can block traffic to or from entire countries, one mechanism for reducing the exposure of a business to attackers operating from regions it has no reason to talk to. Network connections are blocked based on geographic location (inferred from the source or destination IP address using a GeoIP database), for both outgoing and incoming connections. Note that GeoIP data is an approximation: addresses are reassigned, and traffic routed through a VPN, proxy or cloud provider appears to originate wherever the exit node is, so country blocking is a coarse filter rather than a reliable identity check.
Anti-Spoofing
Anti-spoofing drops packets whose source address could not legitimately have arrived on the interface they entered, for example a packet arriving on WAN that claims a LAN source address. Because stateful rules and many access controls key on the source address, rejecting forged sources at the edge closes off attacks that rely on impersonating an internal host.
Captive portal guest network
A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources.
Time-based rules
Time based rules allow firewall rules to activate during specified days and/or time ranges. Time based rules function the same as any other rule, except they are effectively not present in the ruleset outside of their scheduled times.
Connection Limits
A firewall connection limit policy allows or denies traffic based on a matching tuple (source address, destination address and service) combined with a connection count. In pfSense software these limits are set per rule under Advanced Options: the maximum total states the rule may create, the maximum number of distinct source hosts, the maximum established connections per host, the maximum states per source host, and the maximum number of new connections a source may open within a time interval. A source that exceeds the rate limit is added to a block table automatically, which makes these limits a lightweight defence against connection floods and brute-force attempts and a way to surface anomalous connection behaviour.
NAT mapping (inbound / outbound)
Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.
Router
Policy-based routing
Policy-based routing forwards and routes data packets based on specified policies or filters using parameters such as source and destination IP address, source or destination port, traffic type, protocols, access list, packet size, etc. to then route packets on user-defined routes.
Concurrent IPv4 and IPv6 Support
IPv4 address space is effectively exhausted. IPv6 is the future, but the two protocols will need to coexist for years to come. pfSense software therefore runs dual stack: interfaces, firewall rules, NAT and routing can all be configured for IPv4 and IPv6 at the same time, so a site can add IPv6 without disturbing its existing IPv4 policy.
Configurable static routing
Static routing occurs when a router uses a manually-configured routing entry, rather than information from dynamic routing traffic.
IPv6 network prefix translation
IPv6-to-IPv6 Network Prefix Translation (NPTv6, RFC 6296, sometimes loosely called NAT66) is a specification for IPv6 that achieves address independence at the network edge, similar in purpose to network address translation (NAT) in IPv4. Unlike IPv4 NAT it is stateless and one-to-one: only the prefix is rewritten, and the translation is checksum-neutral so transport checksums do not need to be recomputed. It also provides no protection by itself, since every internal host remains reachable through its translated address; firewall rules still control what is allowed in.
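The checksum-neutral mapping is the non-obvious part of NPTv6, so here is the /48 case from RFC 6296 section 3.1 carried through in code. This is an added example, not code from pfSense or the RFC; the internal prefix fd01:203:405::/48, the external prefix 2001:db8:1::/48 (documentation range) and the host addresses are constructed for illustration, and the function handles /48 prefixes only.

```python
import ipaddress

# Added example (not pfSense code): checksum-neutral /48 NPTv6 translation
# as described in RFC 6296 section 3.1. Prefixes and hosts are constructed.

INTERNAL = "fd01:203:405::/48"   # constructed ULA prefix used inside the site
EXTERNAL = "2001:db8:1::/48"     # constructed external prefix (documentation range)


def _fold(total):
    """Fold an integer sum into a 16-bit one's complement value."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _ones_sum(words):
    return _fold(sum(words))


def address_checksum(addr):
    """One's complement sum of the address words, with 0xFFFF normalised to 0
    (both are zero in one's complement). Two addresses with the same value
    leave any TCP/UDP/ICMPv6 pseudo-header checksum unchanged."""
    s = _ones_sum(_words(addr))
    return 0 if s == 0xFFFF else s


def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite the /48 prefix of addr and adjust word 3 so that the address
    stays checksum-neutral. Call with (INTERNAL, EXTERNAL) for outbound
    packets and (EXTERNAL, INTERNAL) for inbound ones."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    w = _words(ip)
    # adjustment = checksum(old prefix) - checksum(new prefix) in one's complement;
    # it is constant for a given prefix pair, so a translator precomputes it.
    old_sum = _ones_sum(_words(src.network_address)[:3])
    new_sum = _ones_sum(_words(dst.network_address)[:3])
    adjustment = _fold(old_sum + (~new_sum & 0xFFFF))
    w[0:3] = _words(dst.network_address)[:3]
    w[3] = _fold(w[3] + adjustment)
    if w[3] == 0xFFFF:   # RFC 6296: a result of 0xFFFF is written as 0x0000
        w[3] = 0x0000
    # Caveat from the RFC: an internal address whose word 3 is already 0xFFFF
    # cannot survive a round trip, so such subnet IDs must not be used.
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))


if __name__ == "__main__":
    inside = "fd01:203:405:1::1234"
    outside = nptv6_translate(inside, INTERNAL, EXTERNAL)
    back = nptv6_translate(outside, EXTERNAL, INTERNAL)
    print(inside, "->", outside, "->", back)
    print("checksum neutral:", address_checksum(inside) == address_checksum(outside))
```

Running it shows that the subnet-ID word changes (here 1 becomes d550) rather than being copied through, which is why NPTv6 subnet numbering inside and outside the translator differ, and why the checksum of a translated packet needs no fix-up.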
IPv6 router advertisements
IPv6 router advertisement is used for IPv6 auto-configuration and routing. When enabled, messages are sent by the router periodically and in response to solicitations. A host uses the information to learn the prefixes and parameters for the local network.
Multiple IP addresses per interface
Several IP addresses can be bound to a single network interface, so one firewall can answer for many addresses (for example one per published service or NAT mapping) even though it has only one physical interface. pfSense software configures these as Virtual IPs of type IP Alias, CARP, Proxy ARP or Other, each suited to different uses such as failover clustering or plain one-to-one NAT.
PPPoE Server
Point-to-Point Protocol over Ethernet (PPPoE) carries PPP sessions over an Ethernet network, so that many clients on a shared segment each get an authenticated, individually addressed link to one server. pfSense software can act as the PPPoE server, authenticating clients against its local user database or a RADIUS server and assigning each session an address from a configured pool.
Attack Prevention
IDS/IPS
Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known attacks and raise alerts. Intrusion Prevention Systems (IPS) analyze the same packets but sit inline, so they can also drop a matching packet before it is delivered and halt the attack.
Snort-based packet analyzer
Snort is an open-source network IDS/IPS that inspects traffic in real time, decoding each packet and matching it against rules to detect dangerous payloads or suspicious anomalies.
Layer 7 application detection
Layer 7, the OSI (Open System Interconnection) Model application layer, supports application and end-user processes, such as HTTP and SMTP. Attacks at this layer present a security challenge as malicious code can masquerade as valid client requests and normal application data.
Multiple rules, sources, and categories
Depending on choices around performance, security risk tolerance, and the business applications actually in use, there are many ways to configure an IDS/IPS. pfSense Plus software supports the use of multiple sources of rules for both Snort and Suricata. Additionally, each of those packages has multiple categories of rules, including floating rules, interface group rules, and interface rules.
Emerging threats database
An IDS/IPS solution can be configured to simply log detected network events, or both log and block them. This is performed through the use of detection signatures, called rules. Rules can be custom created by the user, or any of several pre-packaged rule sets can be enabled and downloaded. Pre-packaged rulesets offer added detection / protection against emerging threats in the wild.
IP blacklist database
IP blacklisting prevents known-malicious or otherwise unwanted IP addresses from reaching your networks. pfBlockerNG is a pfSense software package that lets you add IP block lists and country block lists, which it loads into firewall aliases and keeps updated on a schedule.
Pre-set rule profiles
pfSense Plus software is equipped with a number of automatically added firewall rules. Examples include anti-lockout, anti-spoofing, block private networks, block Bogon networks, IPsec protocol use and port access, default deny rule, etc.
Per-interface configuration
pfSense software allows each LAN or WAN interface to be independently configured with firewall rules and other per-interface functionality.
False positive alert suppression
Each IDS/IPS security admin must ultimately decide their own alert volume tolerance, as only you know the type of traffic that is normal on your network. pfSense software enables you to select specific ruleset and alerting policies on a per interface basis, as well as offering detailed guidance about how to eliminate noisy false positives.
Deep Packet Inspection (DPI)
Deep Packet Inspection (DPI) enables security analysts to capture and evaluate full packet header and payload information to identify protocol compliance, spam, virus, intrusion, and other anomalous or malicious traffic. Snort, Suricata, and NTOPNG packages each support DPI capabilities.
Application blocking
pfSense software leverages Snort and OpenAppID to detect, monitor and manage application usage on your network.
VPN
IPsec
IPsec is a group of protocols used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, where it both encrypts IP packets and authenticates the source from where the packets originated.
OpenVPN
OpenVPN is a VPN solution that implements secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.
Wireguard
WireGuard is an open-source VPN software solution designed with the intent of providing ease of use, high speed performance, and a low attack surface.
Site-to-site and remote access VPN
Site-to-site VPNs allow multiple users’ traffic to flow through each VPN tunnel. Remote-access VPNs only allow one user’s traffic to travel through each VPN tunnel. pfSense Plus software supports both site-to-site and remote-access VPN capabilities via IPsec or OpenVPN.
SSL encryption
Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), is an encryption-based Internet security protocol used to ensure privacy, authentication and data integrity in Internet communications. OpenVPN is an SSL/TLS based VPN: it uses TLS to authenticate peers and negotiate keys, and those keys then protect the tunnelled traffic.
VPN client for multiple operating systems
OpenVPN supports clients on a wide range of operating systems including all the BSDs, Linux, Android, Mac OS X, iOS, Solaris, Windows 2000 and newer, and even some VoIP handsets.
L2TP/IPsec for mobile devices
pfSense Plus software supports remote access VPN for a variety of Android and iOS devices. Other clients may work as well.
IPv6 support
OpenVPN can connect a site-to-site tunnel to either an IPv4 address or an IPv6 address, and both IPv4 and IPv6 traffic may be passed inside of an OpenVPN tunnel at the same time. IPv6 is supported both in site-to-site and mobile clients, and it can be used to deliver IPv6 to a site that only has IPv4 connectivity.
IPsec is capable of connecting to a tunnel over IPv4 or IPv6 phase 1 peer addresses, but with some traffic limitations.
Split tunneling
Split tunneling allows a user to access dissimilar security domains, e.g. a public network and a corporate LAN, at the same time, sending only traffic for the remote networks through the VPN and the rest directly. It saves bandwidth on the VPN server but means the client is simultaneously reachable from the public network and connected to the private one, so the endpoint's own security becomes part of the corporate perimeter.
Multiple tunnels
pfSense software supports the ability to establish multiple VPN tunnels over a single physical interface – useful, for example when securely connecting a number of office locations to one another.
VPN tunnel failover
pfSense software supports both OpenVPN and IPsec tunnel failover.
NAT support
pfSense software can apply NAT to VPN traffic. Outbound NAT rules can be placed on OpenVPN and IPsec interfaces, and an IPsec phase 2 entry can translate the local subnet (NAT/BINAT) so that sites with overlapping address ranges can still be connected.
Proxy and Content Filtering
HTTP and HTTPS proxy
pfSense software enables web (HTTP and HTTPS) proxy functions via Squid (for caching web pages and related tasks), SquidGuard (for filtering and controlling access to web content) and Lightsquid (for reporting user activity based on the Squid access logs) packages.
Non Transparent or Transparent caching proxy
pfSense software supports both non-transparent and transparent caching proxy via Squid.
Website access reporting
pfSense software leverages LightSquid, a Squid log analyzer, to parse through proxy access logs and produce web-based reports that detail the URLs accessed by each user on the network.
Domain Name blacklisting (DNSBL)
pfSense Plus software has several options for blocking websites, including DNS, firewall rules, use of a proxy, and category blocking. With the pfBlockerNG package, DNSBL feeds of unwanted domains are loaded into the DNS Resolver, which answers queries for listed names with a sinkhole address instead of the real one, so the block applies to every client using the firewall for DNS.
Usage reporting
pfSense Plus software uses LightSquid to monitor internet usage on your network. By parsing the proxy access logs it produces web-based reports of the URLs accessed by each user, by date and time, along with bandwidth usage and top-site summaries, without any agent on the client machines.
Network Services
Dynamic DNS
Dynamic DNS automatically updates a name server in the Domain Name System, often in real time, with the current address of a configured hostname. The Dynamic DNS client built into pfSense Plus software registers the IP address of a WAN interface with a variety of dynamic DNS service providers. This allows services on hosts behind a WAN with a dynamic IP address, most commonly VPNs and web servers, to be reached remotely by name.
DHCP Server
A DHCP Server is a network server that automatically provides and assigns IP addresses, default gateways and other network parameters to client devices. It relies on the standard protocol known as Dynamic Host Configuration Protocol (DHCP) to respond to broadcast queries by clients. The DHCP Server in pfSense Plus software provides addresses to DHCP clients, and automatically configures them for network access.
DNS forwarding
DNS forwarding determines how particular sets of DNS queries are handled by a designated server, rather than by the server the client initially contacted. pfSense Plus software is equipped with a DNS Forwarder (dnsmasq), and a DNS Resolver (Unbound), both of which answer for hostnames learned from DHCP leases, static DHCP mappings, or manually entered host overrides, and forward or resolve everything else.
Configuration Management
Web-based configuration
Most pfSense software configuration is performed using its built-in web-based GUI. Some tasks may also be performed from the console, whether via a monitor and keyboard, over a serial port, or via SSH.
Setup wizard for initial configuration
The first time a user logs into the pfSense Plus software GUI, the firewall automatically presents a setup wizard, facilitating new users with a guided setup tour.
Remote web-based administration
pfSense software supports several ways to remotely administer a firewall running pfSense Plus software, with varying levels of recommendation based on client restrictions, corporate policies, etc. The safest is to reach the GUI over a VPN into the firewall rather than opening the management port to the Internet; if WAN access is unavoidable, restrict it to specific source addresses with a firewall rule.
Customizable dashboard
The main GUI page of the pfSense software is the dashboard. The dashboard page provides a wealth of information that can be seen at a glance, contained in configurable widgets.
Easy configuration backup/restore
pfSense software has a complete Backup and Restore capability accessible via the GUI Diagnostics menu. To restore, select your pfSense software configuration backup XML file, click the Restore Configuration button, and the browser uploads the file and restores the configuration. Because the XML contains credentials, certificates and VPN keys, backups should be encrypted with the password option offered on the backup page and stored accordingly.
Configuration export/import
pfSense software supports export and import of the complete system configuration as XML through the GUI Backup function, where the web browser prompts the user to save the file on their own machine.
Simple updates
By default, update settings look for officially released versions of pfSense software, but can also be set to track development snapshots.
Forward-compatible configuration
Many configurations are forward-compatible, depending on the software version and its corresponding configuration revision numbers and whether the configuration backup is complete or partial.
Wake-on-LAN
Wake-on-LAN is an Ethernet networking standard that allows a powered-down computer to be turned on by a special network message (a magic packet) containing its MAC address, sent by another device on the same local area network. pfSense software can send the magic packet to a chosen MAC address on a chosen interface, and can store a list of machines to wake.
User Authentication Management
Local user and group database
pfSense software keeps a local database of users and groups, and additionally allows a RADIUS or LDAP server to authenticate GUI users. Even with an external authentication server, users and/or group memberships must be defined in the firewall in order to allocate permissions, as there is no method to obtain permissions dynamically from the authentication server.
User and group-based privileges
GUI user privileges can be set and administered on an individual or group basis. Privileges including page access, password management, remote connection/authentication, firewall configuration changes, and root-level access are controllable.
Optional automatic account expiration
pfSense software supports the ability to set a date by which the firewall will automatically deactivate a user account.
Automatic lockout after repeated attempts
Attempting to log in to the GUI or SSH and failing repeatedly causes the connecting IP address to be added to a lockout table in the packet filter, which blocks further attempts from that address for a period. Entries can be inspected and cleared under Diagnostics > Tables if an administrator locks themselves out.
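The decision behind such a lockout is a sliding-window count of failures per source address. Below is an added example of that logic, not pfSense's own implementation (pfSense uses sshguard), run over constructed log lines written in the style of webConfigurator and sshd failure messages; the exact message formats, thresholds and the timestamp layout are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not pfSense code): "N failures within W seconds -> block the
# source for L seconds", evaluated over constructed log lines. Message formats
# below imitate pfSense's GUI and sshd failure lines but are not copied from it.

LOG = """\
2024-05-01T10:00:01 fw php-fpm: webConfigurator authentication error for user 'admin' from: 203.0.113.7
2024-05-01T10:00:03 fw php-fpm: webConfigurator authentication error for user 'admin' from: 203.0.113.7
2024-05-01T10:00:04 fw sshd: Failed password for root from 203.0.113.7 port 50122 ssh2
2024-05-01T10:00:06 fw sshd: Failed password for admin from 203.0.113.7 port 50123 ssh2
2024-05-01T10:00:08 fw sshd: Failed password for admin from 203.0.113.7 port 50124 ssh2
2024-05-01T10:00:09 fw sshd: Failed password for admin from 203.0.113.7 port 50125 ssh2
2024-05-01T10:00:20 fw php-fpm: webConfigurator authentication error for user 'bob' from: 192.0.2.10
2024-05-01T10:03:00 fw php-fpm: webConfigurator authentication error for user 'bob' from: 192.0.2.10
2024-05-01T10:03:30 fw php-fpm: successful login for user 'bob' from: 192.0.2.10
"""

FAIL_PATTERNS = [
    re.compile(r"webConfigurator authentication error .* from: (?P<ip>[0-9a-fA-F.:]+)"),
    re.compile(r"sshd: Failed password for .* from (?P<ip>[0-9a-fA-F.:]+) port"),
]


def parse_failures(text):
    """Yield (timestamp, source_ip) for every failed-login line; ignore the rest."""
    for line in text.splitlines():
        ts_str, _, msg = line.partition(" ")
        for pat in FAIL_PATTERNS:
            m = pat.search(msg)
            if m:
                yield datetime.fromisoformat(ts_str), m.group("ip")
                break


def _to_dt(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


class Lockout:
    def __init__(self, threshold=5, window=60, duration=300):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.duration = timedelta(seconds=duration)
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> expiry of its lockout

    def record(self, ts, ip):
        """Count one failure; return True if this failure triggers a lockout."""
        q = self.attempts[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold and not self.is_locked(ip, ts):
            self.locked_until[ip] = ts + self.duration
            q.clear()
            return True
        return False

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and _to_dt(now) < until


def run(text, **kwargs):
    """Replay the log; return the Lockout state and the (time, ip) lockout events."""
    lo = Lockout(**kwargs)
    events = [(ts.isoformat(), ip) for ts, ip in parse_failures(text) if lo.record(ts, ip)]
    return lo, events


if __name__ == "__main__":
    state, events = run(LOG)
    for when, ip in events:
        print(f"{when} lock out {ip} until {state.locked_until[ip].isoformat()}")
```

Note that GUI and SSH failures from the same source are counted together, and that bob's two mistakes three minutes apart never reach the threshold because the first has aged out of the window; tuning the window too wide turns ordinary typos into lockouts.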
System Security Management
Web interface security protection
The protocol used by the GUI to accept web browser connections may be either HTTP (plain, unencrypted HTTP, which is insecure but widely compatible and less likely to have client issues) or HTTPS (SSL/TLS), encrypted HTTP which protects communication between the client browser and the firewall GUI. Best practice is to use HTTPS so that only encrypted traffic, including the administrator's credentials and session cookie, is exchanged between the GUI and clients.
CSRF protection
Cross-site request forgery (CSRF, and sometimes represented as XSRF) is a malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. The pfSense Plus software WebGUI uses the csrf-magic library to protect against Cross-Site Request Forgery (CSRF) attacks.
HTTP Referer enforcement
The Referer header (the misspelling is part of the HTTP standard) carries the address of the page from which a request originated, e.g. the previous web page whose link was followed, or the page loading an image or other resource. While there are many legitimate uses, including analytics, logging and optimised caching, there are also problematic ones such as tracking or inadvertently leaking sensitive information. The pfSense Plus software GUI checks the referring URL sent by the client browser to ensure that a form was submitted from this firewall. This check prevents a form on another site from submitting a request to the firewall and changing an option the administrator did not intend to change. Browsers configured with a strict referrer policy may omit the header, which is why the check can be disabled under System > Advanced > Admin Access; doing so leaves the CSRF token as the remaining defence.
DNS Rebinding protection
DNS rebinding is a method of manipulating the resolution of domain names to mount an attack. A malicious web page causes the visitor's browser to run a script, and after the page has loaded the attacker's domain is re-pointed at an internal address such as the firewall's, so the script can reach a machine inside the network while the browser still considers it the same origin. The same-origin policy normally prevents this, and DNS rebinding circumvents it by abusing the Domain Name System. pfSense Plus software contains built-in protection on both sides: the DNS Resolver and Forwarder reject upstream answers that point into private address space, and the GUI refuses requests whose Host header is not one of the firewall's own hostnames or addresses.
HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) helps defend websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. pfSense Plus software supports HSTS, which forces the browser to use only HTTPS for future requests to the firewall's fully qualified domain name (FQDN), ensuring it does not accidentally or intentionally downgrade to an unencrypted connection. Because browsers will not let the user click through a certificate error on an HSTS host, the GUI should carry a certificate the administrators' browsers trust before the header is enabled.
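The four GUI protections described above (Host header validation against DNS rebinding, Referer enforcement, a CSRF token, and HSTS) are all checks on a single request and response, so this added example shows them together in one small request validator, with the resolver-side half of the rebinding defence alongside. It is illustrative code, not pfSense's or csrf-magic's implementation; the firewall names, secret, token layout, header names and sample requests are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from urllib.parse import urlsplit

# Added example (not pfSense code): request-side checks a firewall GUI makes
# before acting on a request, plus the resolver-side private-answer filter.
# Names and requests are constructed for illustration.

FIREWALL_NAMES = {"fw.example.net", "192.168.1.1", "[fd00::1]"}  # assumed GUI names
CSRF_SECRET = secrets.token_bytes(32)   # per-install random secret, never shared
TOKEN_LIFETIME = 3600                   # seconds a token stays valid


def host_is_own(host_header):
    """DNS rebinding defence: the request must name this firewall, not some
    attacker-controlled domain that now happens to resolve to it."""
    host = host_header.strip().lower()
    if host.startswith("["):                  # IPv6 literal, keep the brackets
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]             # drop a trailing :port
    return host in FIREWALL_NAMES


def referer_is_own(referer):
    """Referer enforcement: a state-changing POST must come from our own pages."""
    return bool(referer) and host_is_own(urlsplit(referer).netloc)


def csrf_token(session_id, now=None):
    """Token in the spirit of csrf-magic: HMAC over session id and expiry,
    with the expiry appended in clear so the server can re-derive the MAC."""
    expiry = int(now if now is not None else time.time()) + TOKEN_LIFETIME
    mac = hmac.new(CSRF_SECRET, f"{session_id}:{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{mac},{expiry}"


def csrf_token_valid(token, session_id, now=None):
    try:
        mac, expiry = token.split(",")
        expiry = int(expiry)
    except (ValueError, AttributeError):
        return False
    now = now if now is not None else time.time()
    if now > expiry:
        return False
    expected = hmac.new(CSRF_SECRET, f"{session_id}:{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def check_request(method, headers, form, session_id, now=None):
    """Return (allowed, reason). Every request needs a valid Host; a POST also
    needs a Referer from this firewall and a valid CSRF token bound to the session."""
    if not host_is_own(headers.get("Host", "")):
        return False, "host header does not name this firewall (possible DNS rebinding)"
    if method.upper() == "POST":
        if not referer_is_own(headers.get("Referer")):
            return False, "referer not from this firewall"
        if not csrf_token_valid(form.get("__csrf_magic", ""), session_id, now):
            return False, "missing, expired or forged CSRF token"
    return True, "ok"


def response_headers(tls=True):
    """HSTS is only meaningful (and only honoured) on an HTTPS response."""
    h = {"Content-Type": "text/html"}
    if tls:
        h["Strict-Transport-Security"] = "max-age=31536000"
    return h


def drop_private_answers(addresses):
    """Resolver side of rebinding protection: discard upstream A/AAAA answers
    that point into private, loopback or link-local space."""
    return [a for a in addresses if not ipaddress.ip_address(a).is_private]


if __name__ == "__main__":
    tok = csrf_token("sess1")
    ok_headers = {"Host": "fw.example.net", "Referer": "https://fw.example.net/firewall_rules.php"}
    print(check_request("POST", ok_headers, {"__csrf_magic": tok}, "sess1"))
    print(check_request("POST", {"Host": "attacker.example"}, {"__csrf_magic": tok}, "sess1"))
    print(drop_private_answers(["8.8.8.8", "192.168.1.1", "fd00::1"]))
```

The Host check runs first because a rebinding attack would pass the other two: the attacker's page is the referer of its own requests, and a script on it can read the token out of a page it is now allowed to fetch. Only the Host comparison notices that the browser thinks it is talking to attacker.example.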
Optional key-based SSH access
Secure Shell (SSH) access to a firewall is typically used for debugging and troubleshooting, but has many other useful purposes. An SSH key is an access credential in the SSH protocol which functions similarly to that of usernames and passwords. Keys, however, are primarily used for automated processes and for implementing single sign-on by system administrators and power users. pfSense Plus software supports the use of SSH access using only public key authentication, which is more secure than allowing access by password alone.
Resilience / Reliability Management
Optional multi-node High Availability Clustering
High-availability clusters are groups of firewalls or routers that can step in for one another in the event of a failure, to minimise downtime. pfSense software leverages the Common Address Redundancy Protocol (CARP) to share virtual IP addresses between firewalls on the same local area network, with pfsync replicating the firewall state table and XML-RPC synchronising configuration from the primary to the secondary, so that a failover keeps existing connections alive.
Multi-WAN for load balancing and failover
The multiple WAN (multi-WAN) capabilities in pfSense software allow a firewall to utilize multiple Internet connections to achieve more reliable connectivity and greater throughput capacity.
Reverse Proxy
A reverse proxy typically sits between remote clients and local servers, and allows for load balancing, failover, or other intelligent connection routing for public services such as web servers. pfSense Plus software uses HAProxy to address many types of proxy tasks, and has the benefit of scaling well for large deployments.
Automatic connection failover
Multiple remote servers can be configured on OpenVPN clients. If the first server cannot be reached, the second will be used. This can be used in combination with a multi-WAN OpenVPN server deployment to provide automatic failover for clients.
Bandwidth throttling
Bandwidth throttling is the deliberate limiting of the rate at which traffic may flow. It is used to regulate network traffic and minimise congestion. pfSense Plus software supports bandwidth throttling through traffic shaper queues. Each queue has settings specific to the chosen scheduler and can be created through the traffic shaping wizard.
Traffic Shaping Wizard
The easiest way to get started with traffic shaping is the pfSense Plus shaper wizard, which guides administrators through the shaper configuration process. Each step of the wizard sets up queues and the rules that control which traffic is assigned to those queues.
Reserve or restrict bandwidth based on traffic priority
Limiters are an alternate method of traffic shaping that do not rely on alternate queuing (ALTQ). Limiters are currently the only way to achieve per-IP address or per-network bandwidth rate limiting using pfSense Plus software, and are also used by Captive Portal for per-user bandwidth limits.
Fair sharing bandwidth
pfSense software uses limiters to enforce a total cap on user traffic and to share it dynamically according to real network conditions, allocating more bandwidth per device when the network is quiet and less per device when many clients are active at the same time.
System Reporting and Monitoring
Dashboard with configurable widgets
pfSense software dashboard widgets provide an excellent bird’s eye view of system-level status, log and graph-based information. Over 20 widgets are available, each containing a specific set of data, type of information, graph, etc.
Local logging
pfSense software logs – useful for both troubleshooting and long-term monitoring – may be stored locally either in memory or written to disk.
Remote logging
pfSense software can also send its logs to one or more remote syslog servers, selected per log category, so that events survive a reboot or a compromise of the firewall itself and can be correlated centrally.
Local monitoring graphs
pfSense software supports a host of local monitoring graphs covering system performance, traffic, WAN interface quality, VPN usage and more.
Real-time interface traffic graphs
pfSense software is equipped with real-time traffic graphs which show interface traffic as it happens. Real-time graphs focus on what is happening “now”, as opposed to averaged data from RRD graphs – which are better suited for long-term traffic analysis.
SNMP monitoring
Simple Network Management Protocol (SNMP) enables remote monitoring of numerous pfSense Plus software parameters including network traffic, network flows, pf queues, and general system information such as CPU, memory, and disk usage. Additionally, traps can be sent to an SNMP server for certain events.
Notifications via web interface, SMTP, or Growl
pfSense software can notify administrators of important events and errors via several mechanisms including GUI menu bar alerts, SMTP E-mail, Telegram API, Pushover API and Growl.
Hardware monitoring
pfSense software supports hardware monitoring of several popular chipsets. Specifically, the Thermal Sensors dashboard widget, or the CLI sysctl command allows Intel or AMD processor temperature to be monitored.
Networking diagnostic tools
pfSense software is equipped with a rich set of diagnostics for easily managing network administration tasks.
