pfSense is yet another opensource firewall which can turn your old PC into a fully functional Firewall. pfSense opensource firewall is based on the m0n0wall opensource embedded firewall with all the good features of m0n0wall and advanced addition features.

pfSense uses OpenBSD's ported packet filter, FreeBSD 6.1 ALTQ (HSFC) for excellent packet queueing and integrated package managegement system for extending with new features.

pfSense can be downloaded a Live CD which is also an installation CD or as an installation ISO for developer edition or an Embedded edition. For more info on the download packages, click here.

The software itself can be downloaded from here

A good set of install instructions are available here

More information on Hardware, minimum requirements and recommended vendor products, visit pfSense here

In additional to the existing features on m0n0wall firewall, pfSense has the special additional features. The following are some of the key additional features:

• Wireless a/b/g using wpa_supplicant with turbo, WEP, WPA-E/PSK and WPA2 (TKIP) support. Advanced support for wireless devices including HostAP-mode, hardware-encryption if supported by driver, mac-filtering, non-broadcasting SSID with FreeBSD6 supported wireless devices (atheros recommended for full functionality)
• Incoming/outgoing load balancing pools
• Multiple WAN Support
• PPPoE Server
• Setup wizard and package using xml -> web gui toolkit
• Realtime settings change to avoid reboots
• pf for openbsd's packet filter
• CARP – for failover and clustersyncing (rules, trafficshaper, nat, IPSEC SAs…)
• failovercapable DHCP-Server with advanced settings (specify gateway, DNS, WINS)
• Systemstatus with realtimegraphs including SWAP usage monitor
• ALTQ traffic shaping with integrated magic shaper wizard with Queuegraphs for Trafficshaper
• FTP-Proxy using Squid Transparent proxy
• proxy/masquerading for SIP-protocol using siproxd
• Anti-Spam-Proxy using assp
• Fake SMTP-Server as Spam-Tarpit using spamd
• Networkscanner for security auditing using nmap
• Enhanced traceroute using mtr
• enhanced configuration-system featuring a configuration history and partial config down-/uploads
• converting PF-status-massages to Cisco NetFlow-Datagrams using pfflowd
• PFStat Graphing
• Enhanced network history data using NTOP
• STunnel to wrap standard ports with SSL
• arpwatch to watch ethernet/ip-adress-pairings
• freeradius to Radiusserver
• iperf/netio for bandwidth-measuring

A Reader's Toolbox

After SY0-101, a small number of individuals are content with their N10-003 where as the rest go on to study 70-620. This group later covers 350-030 as well.

m0n0wall is a free opensource embedded firewall that runs on embedded PCs (recommended) and other generic standard PC workstations that can run FreeBSD or rather supported by FreeBSD. m0n0wall firewall provides most of the features provided by a commercial firewall.

Click here for a list of supported FreeBSD/i386 hardware.

For more information on the hardware details m0n0wall click here

M0n0wall is based on a bare-bones version of FreeBSD with mini-httpd webserver for web GUI and PHP (with CGI support) for boot time configuration. The complete configuration is stored in XML format. This is likely the only softwar where PHP does the boot time configuration instead of Shell scripts.

The image file for installation is of 6MB in size including the core freebsd and the required components and utilities that offers most if not all the features of a commercial firewall appliance. There are seperate image files for each of the different hardware platforms supported. For more information on downloads, click here

The whole software package can be run on a compact flash card (atleast 8M in size) or on a IDE hard disk. The recommended memory is atleast 64MB. The installation procedures are well documented.

For details on installation procedures click here

The Main features of m0n0wall firewall are,

• Stateful Packet Filtering
• Web Interface (SSL) and Serial Console for administration (mini-httpd)
• Wireless Support
• Captive Portal
• 802.1Q VLAN  support
• Stateful Packet Filtering using ipfilter
• NAT/PAT, Static Router, Host Aliases support
• DHCP client, PPPoE, PPTP and Telstra BigPond Cable support on the WAN interface
• IPsec IKE VPN using Racoon with support for hardware crypto cards, mobile clients and certificates
• PPTP VPN (with RADIUS server support)
• DHCP server and DHCP-Relay (ISC DHCP)
• Caching DNS forwarder using dnsmasq
• DynDNS client and RFC 2136 DNS updater using ez-ipupdate
• Traffic shaping
• SVG-based traffic grapher
• firmware upgrade through the web browser
• Wake on LAN
• Configuration backup/restore

For more detailed feature list, click here

For more information on this FreeBSD based open source firewall, please click here

A Reader's Toobox

After 70-290, a small number of professionals who wants to study 70-296 move on to the next level i.e. 70-270, where as the rest go with the 642-901.

IPCop Firewall – Bad Packets Stop here!!! 

IPCop Firewall is a well known Opensource Linux distribution built to protect Home and SOHO networks from hackers and potential intruders on the Internet. IPCop can run a old PC and can be installed and be operational within minutes.

Please click here for more information on the Hardware compatibility list. Installation is fairly straight forward. Involves downloading the ISO image and burn it to a CD and start the hardware with the installation media and follow the onscreen instructions. A detailed installation instruction is here.

The IPCop firewall runs on Linux Kernel 2.4 and is a stateful firewall (1.3 and later) based on Linux IPTables. The IPCop firewall has a nice web interface from where almost all the configurations can be done.

While IPCop firewall is primarily a router and Stateful firewall, it has most of the common features found on commercial hardware firewall appliances. Some of the key features are

• Stateful Firewall using IPTables
• Intrusion Detection System using Snort
• IP, Web and FTP proxy using Squid Proxy
• Dynamic DNS Support
• DNS Forwarding and DHCP using dnsmasq
• IPSec VPN supporting both roadwarrior and Site to Site using OpenSwan
• Wireless supported a DMZ on the firewall using the Wireless_Tools (opensource Wireless tools sponsored and supported by HP)
• Traffic Shaping on the External Internet facing interface (RED)
• SSH using OpenSSH
• Local and remote logging support
• NTP Server/Client support
• NAT Helper and port forwarding support

The IPCop Firewall has a very good documentation and FAQ on its website actively supported by the Opensource community. Smoothwall Express is a opensource firewall based on th IPCop firewall

For more information and download, please click here

Anytime you use an internet connection in a public place like a public wireless hotspot or a hotel room internet acces, you put your data at risk. All data you send can be intercepted easily and quickly by those hackers out there looking for a victim, without your knowledge. Your data could be anything from email address, passwords, emails, Instant Messages or even credit card details.

Using powerful 256-bit AES encryption technology, the iOpus Private Internet Gateway (iPIG) creates a secure "tunnel" that protects your inbound and outbound communications (Email, Web, IM, VOIP, calls, FTP, etc.) at any Wi-Fi hotspot or wired network.

iPIG shields your data from even the most sophisticated methods of online spying and snooping like the "Evil twin attacks". In addition, your sensitive information is not only protected between your computer and the wireless access point you're using, but all the way to iOpus' secure connection servers deep in the Internet. This ensures that your data can't be easily hijacked through the air and at the point it transitions to a "wired" Ethernet connection.

Unlike other technologies, iPig works with any kind of Internet connection (Wifi, WLAN, 802.11 a/b/g, wired ethernet) and requires NO configuration of any kind. You just start your favorite web browser, email client or chat software and switch the iPig encryption on: iPig grabs all Internet traffic before it leaves your PC and encrypts it securely! iPig also works with all major firewall software like Zonealarm or Norton Internet Security. The software runs on Windows 2000, XP and 2003.

iPIG client is free to download and requires you to register with iOpus for a free account. Once account is created, use the username and password in the iPIG client. Basically, once the iPIG client goes active, it connects to iOPUS public server. The free software gives you upto 10MB of data transfer for free after which you need to buy additional bandwidth.

If you want to setup your own iPIG server then the iPIG server edition is available for download this can support upto 5 users for free for unlimited number users, the PRO edition is available for a price.

For more information, please visit iOpus website here.

CoovaChilli is an open-source software access controller, based on the popular ChilliSpot project. CoovaChilli is the continuation of the great work of the ChilliSpot project. It is a feature rich software access controller that provides a captive portal / walled-garden environment and uses RADIUS for access provisioning.

CoovaChilli is an integral part of the CoovaAP OpenWRT-based firmware which is specialized for hotspots.

For more information and download, please click here

CoovaAP is an OpenWRT-based firmware designed especially for HotSpots. It comes with the CoovaChilli access controller built-in and makes it easily configurable. CoovaAP is perfect for just about any HotSpot application – from WPA Enterprise (with RADIUS accounting) to Free WiFi with Terms of Service acknowledgment to commercial HotSpot captive portal applications. Use the embedded captive portal for a simple self contained HotSpot or use your own captive portal and RADIUS back-end.

Key features of CoovaAp are 

• Open-source, based on OpenWrt
• Advanced Web-based Configuration
• Easy HotSpot Configuration & Status
• Embedded Captive Portal
• Enhanced ChilliSpot Access Controller
• Integrated ChilliSpot with WPA
• OpenID Authentication
• Centralized ChilliSpot Config (RADIUS)
• WiFiDog Access Controller
• PPTP VPN Client and Server
• OpenVPN Client
• Traffic Shaping

For more download and detailed installation instruction, please click here

For details on advanced configuration, click here

PacketProtector is a Linux distribution for wireless routers, built on top of OpenWrt. The goal of this project is to transform the router into a unified threat management (UTM) device.

All you need is a Linksys WRTSL54GS or ASUS WL-500g (Deluxe or Premium) router, and a USB 2.0 drive with atleast 100MB free space.

The UTM features in PacketProtector are,

• Stateful firewall (iptables)
• WPA/WPA2 Enterprise wireless (802.1X and PEAP with FreeRADIUS)
• Intrusion Detection & Intrusion Prevention (Snort & Snort-inline)
• Remote Access VPN (OpenVPN)
• Content Filtering/Parental Controls (DansGuardian)
• Web Antivirus (DG + ClamAV)
• Local Certificate Authority (OpenSSL)
• Secure Management (SSH and HTTPS)
• Advanced Firewall scripts for blocking IM and P2P apps
• IP Spoofing Prevention (Linux rp_filter)
• Basic Protocol Anomaly Detection (ipt_unclean)

The PacketProtector has two components,

1. a replacement firmware for the router built on the Openwrt framework
2. packetprotector software itself which sits on the USB flash drive

Both the components can be downloaded here

For install instructions, please click here

The PathPing tool is a route tracing tool that combines features of Ping and Tracert with additional information that neither of those tools provides. PathPing sends packets to each router on the way to a final destination over a period of time, and then computes results based on the packets returned from each hop. Since PathPing shows the degree of packet loss at any given router or link, you can pinpoint which routers or links might be causing network problems. Pathping can be a very effective tool when troubleshooting a network connectivity or a performance issue in Windows. Pathping first traces the route to the final destination as done by the Tracert command and then send packets to each individual nodes in the path over a period of time (25sec per nod) and upto 100 packets. It then calculates the node/link performance at the end of it To use, simply type pathping from the command prompt:

C:\>pathping http://www.google.com/

Tracing route to http://www.l.google.com/ [64.233.183.103]

over a maximum of 30 hops:

0 mypc.test.local [192.168.0.2]

1 192.168.0.1

2 cr1.lwfel.uk.easynet.net [87.87.250.213]

3 80.238.38.161

4 * ip-89-200-134-117.ov.easynet.net [89.200.134.117]

5 ge2-1-0.er3.tclon.uk.easynet.net [89.200.130.0]

6 195.66.226.125 7 209.85.252.42 8 64.233.174.27

9 209.85.248.80

10 72.14.233.79

11 216.239.43.34

12 nf-in-f103.google.com [64.233.183.103]

Computing statistics for 300 seconds…

Source to Here This Node/Link Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address

0 mypc.test.local [192.168.0.2] 0/ 100 = 0% |

1 10ms 0/ 100 = 0% 0/ 100 = 0% 192.168.0.1 0/ 100 = 0% |

2 76ms 0/ 100 = 0% 0/ 100 = 0% cr1.lwfel.uk.easynet.net [87.87.250.213] 0/ 100 = 0% |

3 67ms 0/ 100 = 0% 0/ 100 = 0% 80.238.38.161 0/ 100 = 0% |

4 — 100/ 100 =100% 100/ 100 =100% ip-89-200-134-117.ov.easynet.net [89.200.134.117] 0/ 100 = 0% |

5 — 100/ 100 =100% 100/ 100 =100% ge2-1-0.er3.tclon.uk.easynet.net [89.200.130.0] 0/ 100 = 0% |

6 75ms 0/ 100 = 0% 0/ 100 = 0% 195.66.226.125 0/ 100 = 0% |

7 71ms 0/ 100 = 0% 0/ 100 = 0% 209.85.252.42 0/ 100 = 0% |

8 72ms 0/ 100 = 0% 0/ 100 = 0% 64.233.174.27 0/ 100 = 0% |

9 79ms 1/ 100 = 1% 1/ 100 = 1% 209.85.248.80 0/ 100 = 0% |

10 84ms 0/ 100 = 0% 0/ 100 = 0% 72.14.233.79 24/ 100 = 24% |

11 88ms 24/ 100 = 24% 0/ 100 = 0% 216.239.43.34 2/ 100 = 2% |

12 85ms 26/ 100 = 26% 0/ 100 = 0% nf-in-f103.google.com [64.233.183.103]

Trace complete.

A best option would be to use "-n" to avoid the DNS lookups which makes the trace run a bit faster. There are other additional switches that one can use to tune the trace.

Some of them are,

-n : No DNS Lookup

-h: Number of hops (Default: 30)

-g: Specifiy route list

-p: Milliseconds between pings

-q: Number of queries per hop

-R: Check RSVP Support

-T: Attach a L2 tag

-w: Time-out period for Ping reply (Default: 3000ms)

A detailed Microsoft page for pathping