pfSense / opnsense

pfSense & opnsense are opensource security appliance, the page is more focused on pfSense but the same features should be available on opnsense

The aim of this page is to provide links and information about pfSense

pfSEnse official page :https://www.pfsense.org/

opnsense official page: https://opnsense.org/

pfSense as a phyisical appliance

pfSense is openSource but some vendor are selling physical device optimised to run pfSense, physical appliances don't have the flexibility of the virtual one but they there are more efficient, they might be the right solution if your service is facing an high traffic load

here an example from the company that maintain pfsense: https://www.netgate.com/products/appliances/

pfSense as a virtual appliance

Today datacenter are often based on bare metal host running virtual machine, this setup is possible with pfSense, here an example on how to set up pfsense with vSphere: https://medium.com/@glmdev/how-to-set-up-virtualized-pfsense-on-vmware-esxi-6-x-2c2861b25931

The key aspect is to setup pFsense as a gateway for the other virtual machine so all the traffic is controlled. if this is not wished or possible the pfSense appliance can be placed in a DMZ where only the traffic from the pfSense appliance is allowed toward the servers

Multiple pfSense located in different place can setup a IPsecVPN in order to ease communication between remote servers pools

pfSense Modules

this list is not exhaustive, it shows only few modules but those are useful to setup a security layer for web servers

• snort - Snort is an intrusion detection and prevention system. It can be configured to simply log detected network events to both log and block them

  • doc: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html

• haproxy - HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP, HTTP and HTTPS-based applications, Ha proxy enable the administrator to perform SSL offloading and to configure the binding between subdomaine.domaine and IP pools

  • doc : https://docs.netgate.com/pfsense/en/latest/packages/haproxy-package.html

• ACME - ACME let the administrator to create trusted SSL certificates via Let’s Encrypt API (green lock next to the URL) that can be used by all services running behind pfSense. Let’s Encrypt is an open, free, and completely automated Certificate Authority from the non-profit Internet Security Research Group (ISRG)

  •  doc: https://docs.netgate.com/pfsense/en/latest/certificates/acme-package.html

• Pfblocker -  Enable advanced blocked IP list or/and country block

  • doc: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html