Packages wishlist?



  • Snort would be able to do this, also a layer7 filter of some sort would also be able to do this.
    P2P is in general hard to filter out as it tends to use whatever port it can get its hands on (like www port 80).
    You need either a raw packet filter, or a layer7 filter.
    At this point there is no way to effectively block P2P in pfsense.



  • I'd like to see complete packages (tftpd, nfs, etc…) to allow diskless/pxe client boot into something like thinstation or puppy or others...

    like these ones:
    thinstation.sf.net
    http://forums.freesco.org/support/index.php?showtopic=13170&st=45&#entry74098



  • Nagios would be a good package



  • I wonder, is it possible to add to the RRD graph some new options such as wireless clients' statistics… ::)
    I mean statistics about connections in a time period.



  • @agismaniax:

    I've found www.ipp2p.org for iptables/netfilter.
    Are there any packages that can block p2p filesharing traffic in FreeBSD/pfSense?

    Yes my vote also goes to a Layer 7 filter.. Also Snort is quite good to block P2P, at least we know how to use it. ;)
    But an embedded option for blocking P2P in pfSense itself is the most desirable.



  • Hello ppl.! I would like to see HAVP+ClamAV+Dansguardian as content filter, Snort as IDS, OpenVPN as VPN default app., AdvancedProxy+Calamaris+URLFilter. Smoothwall, IPCop and EndianFirewall already have these.



  • @Aderium:

    Nagios would be a good package

    What about something like NRPE (nagios remote plugin executor) and the plugins?  Useful for checking stuff behind the NAT and/or firewall from an external nagios install.



  • I find it difficult to determine what else should be running on the firewall machine. If squid is on, I'd suggest the following should be as well:

    Privoxy: web proxy with advanced filtering capabilities for protecting privacy, modifying web page content, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes. Privoxy has application for both stand-alone systems and multi-user networks.

    Tor: toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.



  • Oh, forgot one thing which may be quite important:

    APCUPSD: You definitely also want your firewall machine hanging on your UPS, if you performed a full installation on a hard drive.



  • a dshield package, and a fixed freeradius package with webgui integration



  • @buraglio:

    @Aderium:

    Nagios would be a good package

    What about something like NRPE (nagios remote plugin executor) and the plugins?  Useful for checking stuff behind the NAT and/or firewall from an external nagios install.

    Would people find these useful?  NRPE and some plugins?  What plugins would be most useful (other than check_ping)?



  • I'd like to see more package maintainers.  This pie in the sky discussion is great but there is nobody to implement these ideas.



  • Any idea for SARG (Squid Analysis Report Generator)!



  • POUND - REVERSE-PROXY AND LOAD-BALANCER
    http://www.apsis.ch/pound/

    The Pound program is a reverse proxy, load balancer and HTTPS front-end for Web server(s). Pound was developed to enable distributing the load among several Web-servers and to allow for a convenient SSL wrapper for those Web servers that do not offer it natively. Pound is distributed under the GPL - no warranty, it's free to use, copy and give away.

    This would be good for running multiple web servers with limited IPs or just plain old load balancing for applications.  Can route HTTP requests to backend web servers based on domain/host name.



  • My wishlist would be improvements to:

    * Web Proxy Content Filtering
    * Web & Email Anti-Virus Scanning Proxies

    Proxy filtering has been tossed around quite a bit, notably with SquidGuard, but looking for a solution that checks based on actual content scanning (as opposed to just list checking).  Something similar to DansGuardian (but with a more open licence) would be great.  And if we're scanning the content anyway, it would be great if virus signature scanning could be done at the same time.

    It would also be nice to have a lightweight (relative to sendmail/postfix anyway) SMTP reverse proxy capable of scanning email for junk and virus signatures.  This would be a transparent reverse proxy for SMTP (& SMTPS?), preventing junk mail and virus emails from ever making it to the mail servers inside.  (Check out ASSP and DspamPD if you're looking to get a better idea of the concept.)

    Both of these wishlist ideas are not exactly 'lightweight' and may not belong on a box that's strictly a firewall, but they do both protect the inside from the outside, and would be a good fit for many smaller orgs without dedicated resources for these.



  • I'd like an interface to allow creation of firewall rules based on GEOIP data.  Many organizations provide services within a limited geographical area, and could live without all the traffic from regions outside those service areas.  I've seen examples of pf implementations, but I'm not sure what would be required to integrate this functionality into pfsense.

    Kirk



  • @kferguson:

    I'd like an interface to allow creation of firewall rules based on GEOIP data.  Many organizations provide services within a limited geographical area, and could live without all the traffic from regions outside those service areas.  I've seen examples of pf implementations, but I'm not sure what would be required to integrate this functionality into pfsense.

    Kirk

    That might be quite easy with the upcoming alias features of pfSense (already implemented in the HEAD tree), where you can update your aliases frequently by downloading an external file (see http://pfsense.com/~sullrich/pics/SampleAlias.PNG for a screenshot of that already implemented feature).
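    A URL-fed alias is only as trustworthy as the file behind the URL, so the step a defender wants between "download the list" and "pf blocks from it" is validation. The script below is an added example, not pfSense code: it parses a downloaded CIDR list, rejects unparseable entries, prefixes short enough to cover most of the internet (a stray 0.0.0.0/0 would block everything), reserved/bogon space, anything overlapping the firewall's own networks, and duplicates, then emits the one-prefix-per-line file pf's `table ... persist file` expects. The sample feed, the reserved-range table and the protected network 203.0.113.128/25 are constructed values; RFC 5737/3849 documentation ranges stand in for public prefixes, which is why they are deliberately absent from the reserved list.

```python
"""Validate an externally fetched CIDR list before pf loads it as a table.

Added example, not pfSense's own code. Every line of the feed is checked
before it can become a block rule; rejected entries are reported rather
than silently dropped or silently loaded.
"""
import ipaddress
import sys
from typing import List, Tuple

# Constructed sample feed. RFC 5737/3849 documentation ranges stand in for
# the public prefixes a real country list would contain.
SAMPLE_FEED = """\
# country block list (constructed sample)
203.0.113.0/24
198.51.100.0/25
192.0.2.0/24
192.168.0.0/16      # RFC 1918 space: must never come from a GeoIP feed
0.0.0.0/0           # default route: would block everything
2001:db8::/32
not-an-address
198.51.100.0/25     # duplicate
"""

# Bogon/reserved space that must never be blocked wholesale. The documentation
# ranges are intentionally absent so the sample above can use them as "public".
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Hypothetical: the firewall's own public block, which the feed must not cover.
PROTECTED = [ipaddress.ip_network("203.0.113.128/25")]

MIN_PREFIX = {4: 8, 6: 16}   # anything shorter is treated as a feed error


def overlaps_any(net, nets) -> bool:
    """True if `net` overlaps any network of the same IP version in `nets`."""
    return any(net.version == other.version and net.overlaps(other) for other in nets)


def validate_cidr_list(text: str, protected=PROTECTED) -> Tuple[List, List[Tuple[str, str]]]:
    """Return (accepted networks, [(entry, reason), ...] for rejected entries)."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()     # strip comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((entry, "prefix too short"))
        elif overlaps_any(net, RESERVED):
            rejected.append((entry, "reserved range"))
        elif overlaps_any(net, protected):
            rejected.append((entry, "overlaps protected network"))
        elif net in seen:
            rejected.append((entry, "duplicate"))
        else:
            seen.add(net)
            accepted.append(net)
    return accepted, rejected


def render_pf_table(nets) -> str:
    """One prefix per line, the format pf's `table <x> persist file` expects."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    # Usage: validate_feed.py downloaded.txt > /var/db/geoblock.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEED
    ok, bad = validate_cidr_list(text)
    for entry, why in bad:
        print(f"rejected {entry}: {why}", file=sys.stderr)
    sys.stdout.write(render_pf_table(ok))
```

    On the pf side the validated file is consumed as `table <geoblock> persist file "/var/db/geoblock.txt"` with a rule such as `block in quick on $wan_if from <geoblock> to any`, and refreshed after each download with `pfctl -t geoblock -T replace -f /var/db/geoblock.txt`; the table name, interface macro and file path are assumptions for the example. Checking the protected ranges before loading matters because a table entry covering your own WAN or LAN block locks you out of the box, which is exactly the failure a periodically refreshed external list makes easy.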



  • Nylon (socks proxy) would be nice to see.



  • An interesting (though probably very difficult to add) package would be TorrentFlux:

    http://www.torrentflux.com/

    Basically, it's a web-based torrent manager.  Ever since I ran across this, I've thought the concept was pretty neat.  You can even configure it to automatically remove the torrent once you've shared it a number of times.  It looks like it even has its own user system. With this as a package you may be able to block torrent downloads behind the firewall and only allow them through this interface, where traffic shaping is in control of the bandwidth utilization rules you've set up…   Each user on the network could have a login so that they could download torrents in a controlled manner, so each workstation isn't competing for the bandwidth.


  • Would people find these useful?  NRPE and some plugins?  What plugins would be most useful (other than check_ping)?

    Yep. Horribly useful! We currently use (and I would be glad to use on pfSense):

    check_nrpe!check_total_procs (processes)
    check_nrpe!check_disk1 (disk space - you never know what hits your logfile)
    check_nrpe!check_load (load)
    check_nrpe!check_ping (ping - different hosts)
    a check for the firewall / packet filter itself
    check_ntp
    check_ssh
    (and perhaps for pfsenses GUI check_http(s))

    These would sure be nice additions. *dreams* Full integration into Nagios… *blinks*
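    For anyone weighing the NRPE request, this is what one of the listed checks looks like as code. It is an added example written for this thread, not a stock Nagios plugin or anything shipped with pfSense: a percent-used disk check that follows the Nagios plugin contract NRPE relies on (one line of status text on stdout, optional performance data after `|`, and the exit code 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN). It differs from the real check_disk in expressing -w/-c as percent in use rather than free space, and the path /var/log is only a default chosen to match the "what hits your logfile" concern above.

```python
#!/usr/bin/env python3
"""Minimal Nagios/NRPE-style disk check (added example, not a stock plugin).

Nagios plugins talk to NRPE through two channels: a single line on stdout
(optionally followed by '|' and perfdata) and the process exit code, where
0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN. Anything else on stdout or a
silent exit 0 on error would make a broken check look healthy.
"""
import argparse
import shutil
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def classify(percent_used, warn, crit):
    """Map a percent-used value to a Nagios state code.

    Thresholds are 'percent in use' (unlike the stock check_disk, whose -w/-c
    describe free space). Misconfigured thresholds yield UNKNOWN, never OK.
    """
    if not (0 <= warn <= crit):
        return UNKNOWN
    if percent_used >= crit:
        return CRITICAL
    if percent_used >= warn:
        return WARNING
    return OK


def check_disk(path, warn, crit):
    """Return (state, output_line) for the filesystem holding `path`."""
    try:
        usage = shutil.disk_usage(path)
    except OSError as exc:
        # A path that cannot be measured is an UNKNOWN, not an OK.
        return UNKNOWN, f"DISK UNKNOWN - cannot stat {path}: {exc}"
    if usage.total == 0:
        return UNKNOWN, f"DISK UNKNOWN - {path} reports zero size"
    pct = usage.used * 100.0 / usage.total
    state = classify(pct, warn, crit)
    free_mb = usage.free // (1024 * 1024)
    # Nagios perfdata format: 'label'=value[UOM];warn;crit;min;max
    perf = f"'{path}_used'={pct:.1f}%;{warn};{crit};0;100"
    line = f"DISK {LABELS[state]} - {path} {pct:.1f}% used ({free_mb} MB free) | {perf}"
    return state, line


def main(argv=None):
    parser = argparse.ArgumentParser(description="percent-used disk check for NRPE")
    parser.add_argument("-w", "--warning", type=float, default=80.0, help="warn at %% used")
    parser.add_argument("-c", "--critical", type=float, default=90.0, help="critical at %% used")
    parser.add_argument("-p", "--path", default="/var/log", help="any path on the filesystem")
    args = parser.parse_args(argv)
    state, line = check_disk(args.path, args.warning, args.critical)
    print(line)
    return state


if __name__ == "__main__":
    sys.exit(main())
```

    Wired into nrpe.cfg as something like `command[check_disk1]=/usr/local/libexec/nagios/check_disk_pct.py -w 80 -c 90 -p /var/log` (script name and path are assumptions), it is invoked from the Nagios side exactly as the `check_nrpe!check_disk1` entry in the list above. The two defensive details worth copying into any custom check are that a path it cannot measure and a threshold pair that makes no sense both come back as UNKNOWN, so a mis-typed command definition is visible in the console instead of quietly reporting OK forever.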



  • I would like to see one package to SARG (Squid Analysis Report Generator).

    I started using pfsense 1.0-RC2 4 days ago. Great work! How can I build a SARG package?

    Thanks,

    fricardo



  • There is not much documentation on how to create a package, however some pointers on where to start can be found on the forum. Please search.



  • I would like to see ipfm + scr_ipfm integrated

    Keep up the good work.

    Greetings Darek



  • A good service to add on to pfsense… apcupsd for APC UPS...



  • @mdepot:

    It would also be nice to have a lightweight (relative to sendmail/postfix anyway) SMTP reverse proxy capable of scanning email for junk and virus signatures.  This would be a transparent reverse proxy for SMTP (& SMTPS?), preventing junk mail and virus emails from ever making it to the mail servers inside.  (Check out ASSP and DspamPD if you're looking to get a better idea of the concept.)

    ASSP doesn't support AV scanning and DspamPD hasn't been actively developed for over a year.



  • I liked the idea of a 'voting system' for package suggestions. I would really like to see something out there to enforce corporate content-filtering policies. Right now, the squid package somewhat addresses the web side. The SMTP part is a bit less interesting unless you are putting the firewall in your production environment (as opposed to office) where it can behave as a server-side proxy. I have successfully used transparent POP3 proxying in the past. However, I don't think it's a very clean way of doing email filtering.

    The one still missing from most distros is instant messaging proxying/filtering for the main clients (MSN/Yahoo/AOL/Google). This would allow for a complete content-filtering solution. (Web + IM, while mail is imparted). Note that some suggested antivirus support for the web proxy, this is fairly difficult to implement, and very inefficient. (Because the proxy can't really know if it's a virus until the download is .. well.. done).

    As for SMTP filtering (SpamAssassin and such) - I do think that spam filtering without a proper quarantine solution is a bit reckless. As such, I would be tempted to leave the spam filtering to a dedicated solution. However, blocking malicious code and extensions as well as defanging potentially dangerous dynamic content are all very feasible tasks. I myself would tend to focus on these features.

    Someone proposed bind as a package. I find the mention of bind running on a firewall a little disturbing =P I frankly don't really see the point of running DNS off a firewall. It seems somewhat off-focus.

    Just my 2 cents -



  • Congrats on the gold release! I've been impressed with pfsense from the beginning when I discovered it from a m0n0wall source.

    My 2 cents on the packages wishlist:

    -FakeAP(http://www.blackalchemy.to/project/fakeap/)
    -Linblock (http://www.dessent.net/linblock/) this is really just a script but I have no clue how to implement it on BSD
    -A package allowing you to provide a one-time (expiring) link to a file download from the local freeNAS raid volumes (scawf if you want…)

    These were already talked about but I 2nd the request for these:
    snort
    nagios
    asterisk
    tftp/pxe capabilities
    dansguardian
    cups

    I saw these in the list pre 1.0 so I'm hoping they'll get re-added:
    freeradius
    freeNAS

    Thanks for listening!



  • Snort is already included.  The TFTP/PXE proxy is in HEAD and should make its way to a future version.



  • I would like to see a content filter package using Dansguardian.



  • I'd like to see a no-ip.com client as a package for pfsense so I don't have to remember my ip address all the time, which isn't static anyway.



  • @bluekkis:

    I'd like to see a no-ip.com client as a package for pfsense so I don't have to remember my ip address all the time, which isn't static anyway.

    It's already there: services>Dynamic DNS.



  • @hoba:

    @bluekkis:

    I'd like to see a no-ip.com client as a package for pfsense so I don't have to remember my ip address all the time, which isn't static anyway.

    It's already there: services>Dynamic DNS.

    Duh… and I thought I had already gone through all features, thx anyway =)



  • I would like to see spam filtering ie:spamassassin
    Content filtering ie: squidguard, dansguardian

    Thanks



  • This :

    http://www.imspector.org/

    Would be a very valuable addition. It's basically an Instant Messaging proxy, which means that it can be used to provide logging facilities that are mandatory for most security certifications.

    It could also be used to block IM file transfers and eventually provide antivirus/extension-based blocking. It's a great addition to pfSense because this way it could provide application-layer filtering for the three main points of entry for viruses/malware: web, email and im.



  • I would love to have a monitoring/net management package that is suitable even for an embedded edition and yet capable of monitoring via SMTP, IMAP, POP3, HTTP, TCP, UDP, NNTP, and PING tests and posting results in html or terminal.

    http://www.sysmon.org/config.html

    Realtime accounting and monitoring would be nice to have as well:
    pktstat (FreeBSD port exists)
    ->listens to the network and shows the bandwidth being consumed by packets of various kinds in realtime. It understands some protocols (including FTP, HTTP, and X11) and adds a descriptive name next to the entry (e.g., 'RETR cd8.iso', 'GET http://slashdot.org/' or 'xclock -fg blue').

    iftop (FreeBSD port exists)
    ->listens to network traffic on a named interface, or on the first interface it can find which looks like an external interface if none is specified, and displays a table of current bandwidth usage by pairs of hosts.

    monit (compiles under FreeBSD); http://www.tildeslash.com/monit/
    ->monit is a utility for managing and monitoring processes, files, directories and devices on a UNIX system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.

    my 2c…

    regards,
    mr-s



  • A LPR/LPD package to support using pfSense as a print (printer) server would be nice. Preferably with SAMBA support.



  • FreeRADIUS additions/modifications…

    I've configured FreeRADIUS to add eap_tls and eap_ttls to authenticate my access point for WPA2-CCM on my pfsense box. What would be nifty is the ability to integrate the CA similarly to how it is done for IPSEC VPN's to manage certificates for both the CA and users. This would give users the option to utilize either eap_tls or eap_ttls (for the more lazy). If you think about it, possibly just a centralized CA that was separated per duty might be sufficient (e.g., one for IPSEC another for OpenVPN, another for WPA, however utilizing the same openssl.cnf, etc and just splitting off different directories per usage type). Sorry for rambling... but I think this might provide a nice feature and pull together any loose ends that utilize certs for an auth method.



  • OSPF and  RIP I + II would be on the top of the list.
    Newer nVidia chipsets.. 4+
    64 bit support would be nice too.



  • @ellisgl:

    OSPF and  RIP I + II would be on the top of the list.

    routed: RIP v1 and v2 daemon
    Already available as package.



  • I'd like to second the request for TorrentFlux. This couldn't be too hard to implement, TorrentFlux itself is just a PHP controlled implementation of BitTornado as far as I understand.