Netgate Discussion Forum

    General security

    pfSense Packages
    • JohnSCarter

      Firstly sorry if this has already been asked but I can't seem to find an answer as of yet.

      Although I've only had pfSense for a couple of weeks now, I'm loving it. Now I'm moving on to additional packages (currently made my way through encryption through OpenVPN, Suricata and Snort), but I was wondering what other packages are made for the security / privacy of the network. It would be handy if there was a short list that explained the additional packages, or even perhaps categories within the package manager itself. For me at least (coming from a point of relative inexperience) it's hard to tell if a package is made for hosting servers or security.

      Again, sorry if this has been asked before or is too generic. Thanks for your time, Respectfully.

      John.

      Network security & monitoring enthusiast

      • Gertjan

        Hi,

        It's ok if you want to test drive every package, but keep in mind that pfSense, as it is delivered, is already safe.
        A package like snort could very easily add insecurity to your network. Because you think it adds security, but you do not know what it does, nor how to set it up, nor how to check it. You think it does the job for you, but actually, it's the other way around: a tool will be as good for you as you understood it.
        When you reached that point, you can tell in a split second if you need package X or Y.
        By default : you need nothing.

        If a user wants to visit a site that contains files loaded with viruses, etc, well, that's up to the user, right?
        It's like our cars: they are not limited to 90 km/hours or xx miles/hours. Some cars can make more than x/hours: up to you not to do so.

        I'll present you another simple rule: it's not because packages exist that they all should be used - a very recent thread, elsewhere on the forum, already treats the same subject.
        If security is a real issue for you, start educating the end users. The sad thing is : this isn't available as a package.

        edit : found it : https://forum.pfsense.org/index.php?topic=145336.0 read it.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • Raffi_

          Hi John,

          I am not very experienced with pfSense either, but I have spent several months' time setting up the box and digging into different packages. You already mentioned most of these, but speaking from my own limited experience and setup, below is what I have and some of my knowledge on them.

          OpenVPN
          Great for secure remote access.

          pfBlockerNG
          Great for URL filtering and added security depending on the lists used. I followed this awesome tutorial on YouTube to help get that set up the way I wanted: https://www.youtube.com/watch?v=QwFpMwXEK5w. You don't have to use all the lists and examples in that video, but it's a great start. For example, the ad blocking helps prevent users from doing things they shouldn't be doing, like clicking on Google ads that say "Official Microsoft site" but the URL is clearly not right and can take them to a potentially malicious site. This saved me a few times at least. I use most of the lists in that video along with some of the easy lists included in the package.

          Suricata
          I originally used Snort, but I had a fatal issue with it when Snort ran into some updated rules which it didn't know what to do with. To me, having an IPS with a few missing rules is better than having one that chokes on those few faulty rules and does not run at all. I ended up switching to Suricata instead, which uses many of the same rules and categories anyway.

          Squid with ClamAV
          Squid is being used as a caching web proxy server which all my clients go through. The web proxy wasn't really needed, but the anti-virus on the firewall level was the main selling point to me. That is done thanks to ClamAV included in the Squid package. On my setup, ClamAV is only scanning http traffic and not https. Technically it could be set up to do both. I personally am staying away from that for reasons discussed throughout these forums.

          Good luck.
          Raffi

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.