Chapter 9. Extending pfSense with Packages

We have already demonstrated how packages can be used to extend the functionality of pfSense in previous chapters. For example, we used the OpenVPN Client Export Utility to make OpenVPN client configuration easier. We also showed how routed packages can be used to make dynamic routing available with pfSense. These packages, however, only represent a fraction of what is available.

We can divide the packages available for pfSense into several categories:

  • Utilities: These are packages that often do little more than provide the same functionality available with many stock Linux installations, but are nonetheless useful because they help provide solutions to unusual problems. For example, in the previous chapter we outlined a solution for eliminating loops in a CARP configuration with bridges that required the use of the cron utility. Not all of them are just Linux command-line utilities, but most perform simple functions. For example, Service_Watchdog monitors pfSense for stopped services and restarts them. Packages such as arping, cron, and sudo fall into this category.
  • Network monitoring: There are several utilities whose main purpose is simply to gather information on network usage. For example, you can use these utilities to find out who is on Facebook all day or who is using up 90% of your bandwidth downloading torrents. darkstat, RRD_Summary, and softflowd are among the packages that fall into this category.
  • Intrusion detection and prevention: These are network security utilities that monitor network activities and detect malicious (or potentially malicious) activities. Some of them merely notify the network admins of such activity, while some are capable of taking steps to prevent the malicious party from carrying out their attacks – for example, by blocking their IP address(es). Packages such as nmap, snort, and suricata fall into this category.
  • Proxies: These are packages that provide the ability to cache web pages as well as block certain sites. Some of them have spam-filtering capabilities as well. pfBlocker, squid, and SquidGuard fall into this category.
  • Miscellaneous: This category covers everything that does not fall into one of these categories, such as freeradius2 (an implementation of the RADIUS protocol), HAproxy (which provides additional load-balancing capabilities), and LADVD (for sending and receiving link layer advertisements).

It is impossible to do justice to all the packages available for pfSense within a single chapter, but we will cover the most important packages. The outline of this chapter is as follows:

  • Basic considerations
  • Installing packages
  • Popular packages
  • Other packages

Basic considerations

For the most part, you can begin installing and configuring pfSense packages without worrying too much about the effects they will have on your pfSense system. Nonetheless, some caution is called for when installing packages on mission-critical systems. First, having some basic knowledge of the technologies underlying the packages you want to install is helpful. For example, it would be ill-advised to install routed (the Routing Information Protocol daemon) without having some basic knowledge of how dynamic routing protocols work in general and how RIPv1 and RIPv2 work in particular.

Beyond that, you should be mindful of the fact that installing additional packages may consume additional resources. Simple packages such as arping and cron can be installed on virtually any pfSense system without much consideration, but they are the exception to the rule. Installing and configuring a proxy server requires additional disk space to store cached web pages. Many packages require additional CPU resources. Any dynamic routing protocol requires CPU resources to calculate routes, as do many intrusion detection systems. If you had not foreseen installing such packages when you initially came up with the specifications for your pfSense box, you may have to adjust these specifications accordingly.

Installing and using packages without consideration of resource utilization can result in the following:

  • CPU resources being taxed heavily, bringing pfSense to a crawl
  • Disk space being completely used up, so that the DHCP server stops functioning, and no more DHCP leases are assigned
  • pfSense being unable to update because there is insufficient disk space
  • In some cases, insufficient disk space or CPU resources rendering pfSense unusable, requiring a complete reinstallation of pfSense

All of these are outcomes we want to avoid in a production environment, so obviously some caution is justified when installing and configuring packages.
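
A preflight check along these lines can be run before installing a resource-hungry package. This is an added example, not code from the book or from the pfSense project; the threshold values and the function names check_disk and check_load are assumptions, and the df samples are constructed.

```shell
#!/bin/sh
# Added example: preflight resource check before installing a package.
# Thresholds are assumptions, not pfSense defaults; tune them to the box.
MIN_FREE_KB=1048576      # want at least 1 GiB free on each filesystem
MAX_USED_PCT=80          # and no filesystem more than 80% full
MAX_LOAD_PER_CPU=0.70    # 1-minute load average per CPU core

# Reads `df -kP` output on stdin, prints one line per filesystem that is
# short on space, and returns non-zero if any filesystem failed.
check_disk() {
    awk -v min="$MIN_FREE_KB" -v max="$MAX_USED_PCT" '
        NR == 1 { next }                      # skip the df header line
        {
            pct = $5; sub(/%/, "", pct)       # "99%" -> "99"
            if ($4 + 0 < min || pct + 0 > max) {
                printf "LOW %s: %d KB free, %d%% used\n", $6, $4, pct
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# check_load LOAD1 NCPU: non-zero if the per-core load is above the limit.
check_load() {
    awk -v l="$1" -v n="$2" -v max="$MAX_LOAD_PER_CPU" 'BEGIN {
        if (n < 1) n = 1
        exit ((l / n > max) ? 1 : 0)
    }'
}

# Constructed df output: a healthy box, and one whose /var is nearly full.
SAMPLE_OK='Filesystem    1024-blocks    Used Available Capacity Mounted on
/dev/gpt/root    14540000 3100000  10276800      23% /
/dev/gpt/var      4000000 1200000   2480000      33% /var'
SAMPLE_FULL='Filesystem    1024-blocks    Used Available Capacity Mounted on
/dev/gpt/root    14540000 3100000  10276800      23% /
/dev/gpt/var      4000000 3650000     30000      99% /var'

printf '%s\n' "$SAMPLE_OK"   | check_disk && echo "disk: ok to install"
printf '%s\n' "$SAMPLE_FULL" | check_disk || echo "disk: free space first"
check_load 0.40 2 && echo "cpu: headroom available"

# On the firewall itself, feed in live values instead:
#   df -kP / /var | check_disk
#   check_load "$(sysctl -n vm.loadavg | awk '{print $2}')" "$(sysctl -n hw.ncpu)"
```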

Furthermore, you should take into consideration the way packages interact with existing pfSense functionality and other packages. For example, some packages are installed in the same location as other packages and thus cannot co-exist with each other (OpenBGPD and Quagga OSPF come to mind). If you already have firewall rules in place upon which you rely, be aware that installing a proxy can affect outcomes, and traffic that was assumed to be blocked may no longer be blocked, as we will see when we cover squid later in this chapter.
