I started looking for server side applications that I could install and just have the admin pull the data from there, however, the costs I was finding were a bit too much.  I setup a pfSense in a quick lab to demo this up.  After installing pfSense on some old hardware, did a basic configuration of the box, and then installed the Squid proxy package.  I configured this to be a traditional proxy where I had to send traffic on a specific port, and the user was required to login.  That was really the trick to get the terminal server users broken apart.  I know it could probably use a little masaging with NTLM authentication or some other clean mechanism but for the lab and the purposes of this client, this hit the mark for a great price.

I did mention that they did not want to install new hardware during this process, but the knew they needed to upgrade their Linksys “router” that was currently firewalling their network.  I am once again impressed with the flexibility and ease of use that pfSense gives you.  I truly only have 1 complaint about the system at all but it has nothing to do with this and as I understand it, that feature has been added in pfSense 2.0.  The management of OpenVPN clients/certificates is somewhat of a nightmare for large installs unless you use a single certificate for all users (not recommended).

This weekend I’ll be doing two more that are quite important and I will need to make sure I backup the configs before hand…..yeah, I didn’t on the other ones I’m hoping the next year flies by for the BSD7 version of pfSense. It’s supposed to have a large number of improvements as well. FreeBSD’s website has a large number of them listed here. It amazes me that an already good product can go from release after release and the product just gets better and better.

I’m hoping my company will start using more of these instead of the Cisco ASA for our smaller clients, but we just started down the reseller path for Cisco so I don’t have to high of expectations for doing so. Oh well, I’ll use it where I can.

For more information on pfSense, it’s little brother m0n0wall or FreeBSD check out the hotlinks.

pfSense 1.2 Final will be out here sometime soon so I’ll be updating numerous firewalls to that code base when it does hit FINAL.

This next weekend I will be installing a pfSense box for my Dad to start using/managing.

I have been working with my Dad on a web hosting reseller configuration at http://www.builthosting.com. Hopefully we will be able to get that up and running so I can migrate the rest of my websites over to there. He is doing the reseller setup through HostGator.

I’ve been working on some other website / blogging ideas to help pass the time, however, I don’t have time to think about them…strange situation.

This week at work, the TechTalk for the second time will be hosted by someone else. Kenny Kant, my counterpart at work has offered up his services to do a TechTalk on Microsoft Small Business Server 2003. I’ll try to talk to him about adding some content on here as well.

At work one of my upcoming projects will be testing the embedded hardware from ALIX to build a firewall that is as capable as a Cisco PIX 506E and then some for under $300. The hardware I am speaking of actually needs to be assembled which is kinda cool and all in all is the size of a Cisco PIX 501 which is in the neighborhood of 6″x6″. Not too shabby huh.

Here’s the parts list stolen from the pfSense blog:

ALIX Board
Black Case
2GB CF Card
Power Supply
Wireless Card
Pigtail
Antenna

The CF card, wireless card, pigtail and antenna might be sourced elsewhere if I can find good deals however for the power supply, ALIX board and case I will be using Netgate. Total cost for the item’s mentioned at time of this writing is $235.50 plus tax and shipping.

As you can see the embedded hardware will have 3 10/100 NIC’s and an 802.11a/b/g wireless card which when pared with pfSense would make an excellent branch office or home router/firewall/IDS/wireless device.

I’ll let you know my progress as it begins to unfold, it shouldn’t take me long after I receive all the parts.

At work, as a project, I am (with one of my colleagues) building two firewalls that act as one just like an active/passive failover cluster. Currently I am running release 1.2 RC3 that was released just a few days ago. So far the solution has been stellar to say the least. The developers and the community behind pfSense are really awesome, the capabilities that the “FREE” firewall solution has in it’s back pocket beat the crap out of a Cisco PIX 515 or ASA 5510. Sure, you can do most all of the things that pfSense does with a PIX or ASA from Cisco but It’ll cost you extra. Now with the Snort Package available from pfSense as well as Squid and a BGP package, pfSense is starting to grow some muscles. I will say that Cisco has the VPN department OWNED but hopefully the features that they offer will be developed for OpenVPN in the near future. Now on to the build.

Here is a simplified diagram of the design that I have built successfully:

The design is a no brainer, managed switches inside and outside, two firewalls with a CARP sync connection between and 3 VLAN’s internal to the network that are in noway, shape or form able to talk to each other, unless of course, someone does a little VLAN hopping. I’m not going to worry about that at this point however.

The true beauty behind using pfSense for this solution is the simplicity of the installation and configuration to get it up to a production level. Once you figure out how the different facets of NAT can help you achieve your goal, the configuration is very straight forward. If you want your entire segment to send out traffic as a single IP (NAT Overload) you put it in the Outbound NAT table, if you want to provide services on specific ports, you add them to the Port Forward Table, and if you want your single IP address on the inside to have it’s own dedicated outside IP, add it to the 1:1 NAT Table. Very simple stuff. When you add things to the Port Forward NAT table, it has the ability to auto add a firewall entry for you as well, I usually let it do this and then adjust it’s configuration accordingly.

The CARP (sync mechanism) for pfSense is quite easy to configure as well. Their is a very nice tutorial on http://www.pfsense.com that shows you how to accomplish this. Basically on the primary firewall, you put in the IP of the other firewall, tell it what interface to sync through and what to sync, and voila, you are done.

I’ve barely started putting services behind the firewall but will be pushing the project live here very soon. I will keep you posted on how it performs, the battles that I had to fight to get things to work and offer any guidance that I may have that would benefit you. Thanks for reading.

Home Computer

I have a Panasonic Toughbook laptop running Ubuntu 7.04 that I really haven’t modified too awful much because I like the look and feel of the OS as it is. Here’s a list of things that I use everyday or every so often to accomplish a task without spending any money.

Operating System – Ubuntu 7.04 – Stable, clean, easy to install, based on GNOME and very well supported by the community. I would say that the forums for Ubuntu are better than most and for some reason, the users of Ubuntu are much nicer than that of Red Hat and others.

Blogging – Blogger.com attached to my Gmail account (I do my own hosting)

Firewall - pfSense – I mentioned this a few post’s ago. I absolutely love this firewall.

Document Management – Google Doc’s and Spreadsheets – This one is really neat, you can upload your Microsoft Office Word and Excel files as well as OpenOffice equivalent documents up to Google, edit them, and even save off as PDF documents if need be.

Music – Pandora.com – This site has been around for a little while now, It allows you to basically make your own radio station, and it dynamically learns what music you want to listen to. A side spawn of this project is Squeezebox which allows you to turn your music library into a radio station with streaming music.

Chat – Gaim – It’s easy to use, installed by default on Ubuntu, and supports multiple accounts. On Linux and Windows you can use Pidgin and for Mac OS X you can use Adium.

VoIP – Twinkle – So far this is the best SIP capable client for Linux I have found. You can installed it through apt-get or Synaptic on Ubuntu or download it here. On Windows and Mac OS X I use X-Lite from CounterPath. I would say X-Lite is the best of the two but the Linux version sucks in my opinion.

PBX – trixbox – I just started using this because I’m trying to get my company or rather the company I work for into a new market so that we can make some more money as a company which personally helps me through profit sharing. Though, if I didn’t get that last bit, I would still peruse doing phone VoIP systems because I think they are interesting. I have it installed on an old PIII 500 with 256Mb of ram and it suits the needs of my wife an I just fine. A larger scale deployment would need a better server though.

Email – Gmail and Evolution – I just started using Evolution about a month ago because Outlook Web Access on Microsoft Exchange 2003 sucks when viewed from Firefox. Damn Microsoft. Kidding. Evolution seemed to be a logical choice for me because well, it was already installed on my computer and quite frankly I needed a way to check my mail. Sounds like a match made in heaven. Gmail, as you all probably know, is free and has cool features like web sharable calendars, documents and photos. You will probably see a trend here for me liking everything Google.

I think that’s enough for now. I’ll make a part 2 to this one pretty soon with quite a few more added programs and services that I use everyday for free. Compute free or die.

Please take some time to mull over all the features that the BSD based firewall offers for FREE. Unlike a Cisco or Fortigate, you don’t have to pay for the extras that actually make the thing functional. This is one of the best open source firewall solutions on the marked, the best in my opinion but well, thats my opinion. Take a look for yourself. The website has some tutorials of how to set things up and get you going however, any computer savy home user could set this up without too much fuss.

The firewall, hardware wise doesn’t require much of a system to run. I would recommend a PIII 500Mhz with 256Mb of memory and 2 NICs to get started. The server/firewall can actually boot and run from the bootable CD, then store it’s configuration on a floppy if you wish, however, some of the cool additional features can not be installed to make this thing really bad ass. Just install it to a hard disk, something small like a 6Gb drive or something. Could also be installed on a solid state disk if you have the time and money. Anywho, once you get the hardware, pop in the CD and floppy and get the thing to a basic config, you will have to tell it which interface is which NIC. So the outside interface goes to NIC fx0 and the inside interface goes to fx1 or something. You’ll figure it out. After you have an IP address on the box you can web into it and configure the rest from there. A few features that are worth mentioning would be:

Failover/Load Balancing
SNORT
Statefull Packet Filtering
QoS / Traffic Shaping
Captive Portal
Wireless LAN Support
Free Radius
IPSec Tunnel Support
OpenVPN Support
Traffic Graphing with RRD Graphs
Real Time Graphing
and many more…

Please, Please, Please take a look at this package and give it a try. I know pretty much everybody has an extra computer laying around that they could put this on. If not, let me know and I’ll try to source you one. At work, a colleague of mine and I are working to get these into the production network and possibly offer it as a line of service for out clients. More on what I do and this project later. Enjoy.