Re: pfsense equivalent of shield in bridge mode
Posted by Wisiwyg on Aug 01, 2016; 7:29pm
URL: https://itus.accessinnov.com/pfsense-equivalent-of-shield-in-bridge-mode-tp1117p1128.html
I'm playing with this right now, too.
Firstly, on our Shield, Snort is running in 'in-line' mode, meaning it's looking at the live stream. This is due to some magic in the way Shield was designed with Snort running as a softswitch. That's why internet will go down if Snort restarts. The Shield doesn't restart, just Snort.
To do the same thing on a pfSense box, you have to run the latest version of Suricata with the 2.3.X Development version of pfSense. In the 2.3.X version, Released or Development, in-line packet filtering with Suricata is dependent on the latest version of netmap that enables this. This version of netmap doesn't work with older versions of pfSense and doesn't work with Snort - yet. But, this latest version of netmap has its own issues. There is a released version Suricata (3.1.1) that is supposed to aid in resolving the issue for FreeBSD, which is what pfSense is based on, but that is awaiting release by the package maintainer for pfSense.
Long and short of it... pfSense can't quite equal what the Shield is providing, yet. But it isn't too far off. Plus, it could provide other features, like geographic blocking. Care to block the entire country of Russia, China and Pakistan? Check out pfBlocker-NG for pfSense. You can also add on a VPN service to run this all through. Want to have channel bonding/link aggregation to double/triple throughput? OK.
But all of these features come at a price - it isn't simple to set up or easy to maintain like the Shield.
edit: Suricata 3.1.1 just released today!
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
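As an added illustration of the Suricata-over-netmap inline setup the post describes (this is not from the original post, the pfSense package or the Suricata project), here is the shape of the `netmap` section in `suricata.yaml` that puts Suricata between two interfaces in IPS mode, the way the Shield's softswitch sits inline; the interface names em0/em1 are assumed for the example.

```yaml
# Added example, not from the original post: suricata.yaml fragment for
# netmap inline (IPS) mode. Suricata is placed between two interfaces so
# every frame must pass through it (a bridge), and a rule with the "drop"
# action stops the frame instead of only logging it.
# Interface names em0/em1 are assumed; substitute the real LAN/WAN pair.
netmap:
  - interface: em0
    copy-mode: ips        # "ips": forward only if no rule drops the packet
    copy-iface: em1       # peer side of the bridge
    threads: auto
  - interface: em1
    copy-mode: ips
    copy-iface: em0       # mirror of the entry above, for the return path
    threads: auto
```

In this mode only rules written with the `drop` action actually block; an `alert` rule still lets the packet through, so check the rule action when expecting Shield-like blocking. Suricata is started with `--netmap` to select this capture method.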