crowdsec
-
That's extremely discouraging. You should at least allow the bouncer to block offending IPs on your network. This type of stuff very much belongs on Next Generation firewalls. Cisco and Palo are incorporating their threat intelligence into their stuff. Crowdsec has basically done the work for you guys already. Opnsense has Sensei.
You're gonna make your pfsense+ users flock to Opnsense with that attitude. Just saying.
-
I understand where you're coming from, but personally, I hope they focus on maintaining and refining the packages that are already available. pfSense has built up a solid ecosystem over the years, with many well-supported and actively maintained packages that meet a wide range of needs. A lot of time, effort, and community support has gone into making those tools stable and reliable.
While it’s always tempting to ask for more features or additional packages, sometimes expanding too far can risk diluting the quality and stability of what’s already working well. That said, the beauty of pfSense being open-source is that there’s still flexibility—if something’s missing, there are often ways to integrate it yourself or run it alongside pfSense on another system.
-
@JonathanLee None of which offer good next generation features for firewalls. I've got 3 + licenses. If they're not going to adopt for future technology I'm not renewing them.
Right now they basically offer layer 3 firewalling and snort. Snort is defeated by SSL which is 90% of the traffic these days on firewalls, including almost all web and email traffic. That is not a good future posture to have for a modern firewall. That would be stuck in 2008 basically.
On top of that, in this particular case, the Crowdsec team did all the work for them. They basically just have to adopt their package into the package system and the Crowdsec team maintains it. The support argument is not an issue and completely invalid.
-
@Zermus I respectfully and fundamentally disagree with your assessment of pfSense’s current package offerings and pfSense Plus overall. Dismissing the platform as "stuck in 2008" just because a particular package isn’t included is, frankly, an oversimplification—and somewhat unfair. For example, Suricata is a powerful, multithreaded IDS/IPS with solid IPv6 support, and it’s fully available through pfSense. That’s just one of many robust packages offered.
One of the core strengths of pfSense is that it’s open source—you’re free to extend it. If a particular package isn’t officially supported, nothing stops you from running it on a separate device, integrating it yourself, or contributing to development.
Here’s a list of officially supported packages if you're open to trying something new:
https://docs.netgate.com/pfsense/en/latest/packages/list.html
You might also explore Suricata further: https://suricata.io/
Speaking from experience—don’t get too fixated on a single missing package. I went down that road with Squid, which I love, but I found myself begging developers to fix something as basic as the status page. Most of these packages are maintained by volunteers, and contributions often come slowly. That’s just the nature of community-supported software. The high degree of customizability in pfSense is exactly why people grow so attached to their setups. After years of tweaking and fine-tuning, someone coming in and demanding a particular feature can feel like a disruption. It’s not hostility—it’s the natural reaction to a deeply personalized system.
-
@JonathanLee Look, Suricata offers no functional detection improvement over Snort and falls short on the same problems of SSL detection. In fact Suricata uses the SAME SIGNATURES as snort. It's just a performance improvement. Any seasoned Security/Network admin knows this. Yes, it's essentially 2008 technology (I could technically argue 1998, but I'm being nice with 2008). Don't even get me started on Zeek. There are reasons I've never seen it running in a Fortune 100 or Government environment.
You're entitled to your opinion Johnny but your arguments are falling short. You're effectively arguing against adding next generation modern security features for using IDS technology from 2008. Most people are going to want next generation features. Your lack of wanting newer security features is noted. Most + users are going to want them.
As you say "add it yourself" Crowdsec has already packaged and given Netgate the package, so that's already been done. See here - https://docs.crowdsec.net/docs/getting_started/install_crowdsec_pfsense/ Again your arguments are falling short. You have no idea what you're talking about. Maybe you should sit this one out.
Everything is already done for Netgate on this one, they just simply have to add it and work with the Crowdsec team and for people like me, we would welcome the next generation features that Crowdsec offers. It would even compete against and offer a better solution than OPNSense Sensei.
PS Why are you even using Squid? Try HAProxy or nginx. Welcome to 2025. :)
-
Snort and falls short on the same problems of SSL detection. In fact Suricata uses the SAME SIGNATURES as snort. It's just a performance improvement. Any seasoned Security/Network admin knows this. Yes, it's essentially 2008 technology (I could technically argue 1998
You're effectively arguing against adding next generation modern security features
Crowdsec team and for people like me, we would welcome the next generation features that Crowdsec offers
https://www.crowdsec.net/pricing
Pricing of $348 to $46,800 per year is not the sort of feature I look forward to.
-
Scroll down and you'll see a community plan.
-
@Zermus Regarding SSL—I'm doing full SSL/TLS decryption on my setup, so I'm not experiencing the issues you're seeing. You’ll need to install trusted root certificates on your client devices to make that work properly. That feature you're referring to is part of enterprise-grade software, and it typically comes with a high price tag.
-
@Zermus Just to clarify—HAProxy, Squid, and NGINX are all proxies, but they serve very different purposes and are designed for different use cases.
- HAProxy is a high-performance reverse proxy and load balancer, focused on distributing incoming traffic across backend servers. It operates at both Layer 4 (TCP) and Layer 7 (HTTP), making it ideal for high availability, failover, and load balancing in server environments.
- Squid is a forward proxy primarily used for web content caching, filtering, and traffic control. It sits between internal clients and the internet, and is often used in enterprise environments for monitoring and restricting outbound traffic. A major advantage of Squid is that it can perform full SSL/TLS decryption on outbound HTTPS traffic. While complex to set up, once configured, it can inspect and log encrypted traffic by decrypting every packet, applying policies, and then re-encrypting it.
- NGINX is a versatile web server, reverse proxy, and load balancer. Like HAProxy, it's commonly used to route incoming traffic to web servers, handle SSL termination, and serve static content. It’s particularly good at handling large numbers of simultaneous connections efficiently. NGINX can also act as a basic forward proxy, but that’s not its main strength. Unlike Squid, NGINX does not natively support full SSL interception for outbound client traffic.
In summary:
- HAProxy = Reverse proxy and load balancer for incoming traffic (high-performance, TCP/HTTP-based)
- NGINX = Web server + reverse proxy, great for SSL termination and static content, limited forward proxy support
- Squid = Forward proxy for outbound traffic, with advanced caching, filtering, and full SSL/TLS decryption capabilities
Each tool has its own strengths and ideal use cases, and while there’s some overlap, they’re not interchangeable.
-
@Zermus Hold on—“sit this one out”? That seems a bit much. Let’s keep the discussion productive.
From what I can see, the CrowdSec package is already available for those who want it. The documentation is public, and if someone really wants to run it, they absolutely can install it manually. That’s the nature—and the strength—of open-source platforms like pfSense: you have the freedom to add what you need, when you need it.
Personally, I already use a paid IPS/IDS subscription, and when combined with full SSL/TLS decryption, it’s working well for my needs. I get updated blocklists from Cisco directly, refreshed daily. It may not be instant like CrowdSec’s threat intel sharing, but it’s reliable and effective in my setup.
In the end, there are multiple ways to achieve similar results. Let’s not lose sight of that just because one particular method isn't officially bundled.
-
@JonathanLee Again, your only valid argument here, so far, is essentially "it's expensive (Meaning you didn't actually read the website) and I don't want to use it (Even though you pay for other IDS signatures, which to argue that point is kind of hypocritical on your part)" They have a free version available for Community users as I've already pointed out.
Until you have a valid reason other than "I don't want to use it, so nobody should", which is quite narcissistic, I'm not going to argue any more semantics with you.
nginx can do anything squid can do. The HAProxy decryption on the front end can yield valid Snort alerts yes (Again we're talking 2008 technology that came out in 1998 here), but it's a pain in the ass method and still not as secure as running Crowdsec along with it. Defense in depth is always the best approach.
That's why I say sit this one out. You don't want to use it. Big deal. Get over yourself. A lot of people DO want to use it.
For the people who just want to gripe and look stupid who didn't RTFM:
Which plan should I choose?
From hobbyists to large-scale organizations, CrowdSec has a plan that’s just right for you.
For enthusiasts and individuals exploring the cybersecurity space, our free Community plan is an excellent starting point. Immerse yourself in advanced security practices without monetary investment.
-
So, what's the bottom line?
Any user can already install the ready-made CrowdSec package on pfSense. Yes, there are some inconveniences — for example, the package gets removed when pfSense itself is upgraded. But even Netgate themselves recommend uninstalling all packages before major upgrades and reinstalling them afterward.
Arguing that Snort and Suricata not being able to handle SSL traffic on the fly is somehow a competitive advantage sounds, to put it mildly, odd — because CrowdSec doesn’t do deep protocol inspection at all. Instead, it analyzes behavioral patterns based on system logs (such as SSH, HTTP, etc.) and blocks IP addresses accordingly.
In fact, CrowdSec can be more effective in certain scenarios — particularly due to its log-based behavioral approach. If you have public-facing services behind your firewall, CrowdSec can detect and respond to suspicious activity that traditional packet-level tools might miss.
For the average user who doesn’t host any services behind the firewall, pfBlockerNG with DNS blocking enabled is usually more than sufficient. I once compared both tools using community-maintained rule sets, and pfBlocker actually filtered out more junk traffic in practice.
At the same time, the lack of packet inspection in CrowdSec can also be seen as a limitation — not all types of attacks can be detected through log analysis alone. In that sense, all of these tools — CrowdSec, pfBlockerNG, Snort or Suricata — can complement each other when properly configured, each covering different aspects of network defense.
But again — nothing is stopping anyone from installing CrowdSec on pfSense right now.
As for official integration — I haven’t seen any response from Netgate. I don’t know what might be holding it back; possibly there are security concerns involved, but that’s just speculation.
-
@w0w Bottom line is it should be an integrated package. Instead of asking why should this be a package, my question is WHY NOT if it's already purpose built for that? The only gripes I see are people don't want to use it. Great then don't use it. A lot of people DO WANT TO USE IT. It complements a weak point for pfSense and this is a next generation feature. OPNSense has fielded this with Sensei. If pfSense refuses to integrate it, I'm sure Crowdsec will go over there as well. Many who use pfSense in a hosting type environment could benefit greatly from this, especially since the Crowdsec team is basically doing all the heavy lifting to have it incorporated. Crowdsec IMHO is a better product than Sensei.
The only reason not to incorporate it is basic gripes of people who don't want it. Hell I don't want 75% of the packages already built with pfSense that offer nothing more than BS analytics you can do outside pfSense. This is a next generation security feature that actively blocks threats that DOES plug right in with pfSense, which is much more valuable if you want your pfSense product to be a relevant Next Generation firewall in 2025+.
I'm not going to continue to dish out money for + licenses for a stagnant firewall, especially when I can go to OPNSense for free for the same features. However I'm a loyal pfsense user and remained here when the split happened, but that loyalty has its limits. A lot of + users feel the same way. We paid expecting newer technology. Netgate will be losing money by not keeping their product relevant to their paid users. Less money to Netgate means less uptake for all packages and updates, and that hits the community edition people who are not contributing monetarily.
Bottom line is it's simple economics if they want their customers to remain loyal, you have to keep your product up to date with the times to your paying customers. Layer 3 firewalls are 90s technology and that includes Snort (Which was released in 1998). Newer threats need next generation features.
-
I get your point, and I agree that pfSense needs to evolve — but a few clarifications:
CrowdSec is already usable on pfSense — it can be manually installed and works fine. Official GUI integration would definitely improve adoption, but it’s not technically blocked today.
You’re saying that integrating tools like CrowdSec is a step toward a “next-gen firewall.” I get that — but let’s be clear:
CrowdSec is not a firewall. It’s more like a collaborative, modern fail2ban — a behavioral IP reputation engine that reacts to log activity. That’s useful only when there are services behind pfSense that generate logs (e.g., SSH, web servers, exposed APIs). If you're just routing traffic or using pfSense as an edge NAT gateway, there's very little for it to act on.
It doesn’t see actual traffic, can’t analyze protocol misuse, lateral movement, or application-layer anomalies. Snort and Suricata, while older, can still inspect traffic headers and patterns in real time — things CrowdSec simply can’t do by design.
So yes, integrating CrowdSec might be a step toward a more modern firewall stack, but it only covers a narrow layer of defense. And that layer is already accessible today — even if not officially packaged.
Personally, I’d wait for an official response from Netgate before jumping to conclusions.
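To make concrete what w0w and the post above mean by "log-based behavioral" blocking (as opposed to packet inspection), here is an added illustration written for this thread; it is not CrowdSec's, fail2ban's or Netgate's code. It parses a constructed sshd auth-log excerpt (RFC 5737 documentation addresses, no real traffic), counts failed logins per source address inside a sliding window, and emits a timed ban decision once a threshold is crossed, which is the shape of decision a bouncer would then push into a firewall table. The function names, the "ssh-bf" scenario label and the thresholds are invented for the example. Note what it cannot see: the `Accepted password` line carries no signal for it, and anything that only exists on the wire (protocol misuse, encrypted payloads) never reaches a log-based engine at all.

```python
"""Added example: a log-driven IP reputation loop in the fail2ban/CrowdSec style.

Illustrative code only, not CrowdSec's or Netgate's. Function names, the
"ssh-bf" label and the thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed auth.log excerpt using RFC 5737 documentation addresses (not real traffic).
SAMPLE_AUTH_LOG = """\
Jul 14 10:00:01 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jul 14 10:00:04 gw sshd[4102]: Failed password for invalid user oracle from 203.0.113.5 port 51001 ssh2
Jul 14 10:00:07 gw sshd[4103]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jul 14 10:00:09 gw sshd[4104]: Failed password for alice from 198.51.100.7 port 40210 ssh2
Jul 14 10:00:11 gw sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Jul 14 10:00:15 gw sshd[4106]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jul 14 10:00:20 gw sshd[4107]: Accepted password for alice from 198.51.100.7 port 40211 ssh2
Jul 14 10:00:21 gw sshd[4108]: Failed password for alice from 198.51.100.7 port 40212 ssh2
Jul 14 10:03:00 gw sshd[4120]: Failed password for root from 192.0.2.9 port 33000 ssh2
Jul 14 10:05:00 gw sshd[4121]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jul 14 10:07:00 gw sshd[4122]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jul 14 10:09:00 gw sshd[4123]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jul 14 10:11:00 gw sshd[4124]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

# Only failed-authentication lines carry signal for this scenario. Successful
# logins, TLS payloads or protocol misuse on the wire never reach a log engine.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2025):
    """Return (timestamp, user, ip) tuples for each failed sshd login in the log."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps omit the year, so the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], ip_address(m["ip"])))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60),
                      ban_for=timedelta(hours=4)):
    """Sliding-window counter per source IP; emits one ban decision per burst."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned_until = {}
    decisions = []
    for ts, _user, ip in sorted(events, key=lambda e: e[0]):
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already blocked; a bouncer would have dropped this
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            until = ts + ban_for
            banned_until[ip] = until
            decisions.append({
                "ip": str(ip), "scenario": "ssh-bf", "count": len(q),
                "window_s": int(window.total_seconds()), "until": until,
            })
            q.clear()
    return decisions


def to_block_table(decisions):
    """Sorted, de-duplicated addresses a bouncer would load into a firewall table."""
    return sorted({d["ip"] for d in decisions}, key=ip_address)


if __name__ == "__main__":
    found = detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG))
    for d in found:
        print(f"ban {d['ip']} ({d['scenario']}: {d['count']} failures "
              f"in {d['window_s']}s) until {d['until']:%Y-%m-%d %H:%M}")
    print("table:", to_block_table(found))
```

Run as-is, only 203.0.113.5 is banned: five failures in fourteen seconds. 198.51.100.7 (two failures, then a successful login) and 192.0.2.9 (five failures spread two minutes apart) stay off the table, which is the point of the window: slow, low-rate probing is exactly the case a simple counter misses and where a shared reputation feed or packet-level IDS adds coverage. The address list is what a bouncer would feed into a pf table on the firewall; the actual pfSense integration is covered by the CrowdSec documentation linked earlier in the thread.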
-
https://www.crowdsec.net/pricing
Pricing of $348 to $46,800 per year is not the sort of feature I look forward to.
Scroll down and you'll see a community plan.
Correct, BUT with an organisation which views each paying customer as a very significant income stream, the "free" offering WILL become very limited in applicability so as to ensure a paying customer is not missed.
Imo Netgate is more likely to find synergy with suppliers which help them support the market they address. Not my call obviously, but losing critical mass in a tool which adds value for the majority of their paying customers is more significant than gaining enhanced support for a product aimed at a different market.
-
@Patch you literally just described Netgate’s business model. You can’t have it both ways.
I’m a paying customer about to leave for a free firewall with better features. Network Security is the business. Crowdsec adds value to that. Are you a paying customer of Netgate? My situation is exactly opposite of and disproves your entire narrative.
Your whole argument is Netgate is not in the business of network security but that's exactly what a firewall is, network security. Are you drunk or something? lol
-
@Zermus ...
From my perspective, CrowdSec relies heavily on a large user base to feed data into its system, making it fundamentally a reactive security tool. In practice, this means something harmful must happen to one user before others benefit from a preemptive defense. The more users, the more effective the system becomes. This is likely why there's a strong push to get it installed broadly—it benefits CrowdSec more than it benefits Netgate.
Netgate already provides a pathway for users to install CrowdSec voluntarily. Including it as an officially approved package would require additional oversight and transparency regarding how user data is handled. It would also mean Netgate is funneling another layer of potentially sensitive information into a cloud-based, Security-as-a-Service platform—something that introduces increased risk and undermines the principles of local firewall control.
CrowdSec's model depends on constant data collection from users to remain viable. Naturally, they want to onboard as many pfSense users as possible to build a fast, reactionary threat intelligence database. But that raises the question: what does Netgate gain from this relationship, beyond a shared ban list? In doing so, Netgate would be trading increased exposure of its user base for the benefit of CrowdSec’s threat modeling system.
“Crowd-based intelligence” is not without risks. There are significant compliance considerations around GDPR, CCPA, and HIPAA. The nature of threat modeling involves persistent log collection—tracking what IPs are communicating with whom, around the clock. For a firewall platform that exists to shield that kind of data, this represents a fundamental shift in risk posture.
Relying too heavily on a shared intelligence model can also create a false sense of security—especially in an environment where polymorphic threats and obfuscation tactics are evolving constantly. It's only a matter of time before something breaks, and when it does, the entity holding all that centralized data becomes a high-value target. That same data can also be weaponized to improve offensive attack modeling.
Personally, I believe in keeping things simple and minimizing attack surfaces. If someone wants to use CrowdSec, they can install it manually. As for me, I’ll continue relying on tried-and-true methods that have protected networks since the 1990s. Overreliance on automated tools can lead to dangerous blind spots, especially when those tools are built on shiny blacklists that often overpromise and underdeliver.
-
@JonathanLee Just from your response I can tell you've never worked in Fortune 100 or Government Network/Infosec IT.
We get it, you don't need this. Time to move on. You probably don't even pay Netgate for your use. Me as a paying customer, I'm going to be using a firewall that doesn't want to support my needs and incorporate future technology, I'm moving and taking my $$ elsewhere.
-
@Zermus
Could you provide examples and typical usage scenarios of CrowdSec on pfSense? It would help everyone here understand the context in which it would actually be used on a firewall and why it cannot be used right now.