Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Using Software from FreeBSD

pfSense® software is based on FreeBSD, thus many familiar FreeBSD packages are available for use by veteran FreeBSD system administrators.

Warning

Installing software this way will have unintended side effects. This action is not recommended or supported by Netgate.

Many parts of FreeBSD are not included in the base installation of pfSense software, so library and other issues can occur when attempting to use software installed in this manner. The pfSense software base installation does not include a compiler in the base system for many reasons, and as such software cannot be built locally. However, packages can be installed from FreeBSD the package repository.

Concerns/Warnings

Several important concerns must be considered by any administrator before deciding to install additional software, especially software that is not obtained from Netgate package repositories.

Security Concerns

Any extra software added to a firewall is a security problem, and must be evaluated fully before installation. If the need outweighs the risk, it may be worth taking. Official packages for pfSense software are not immune to this problem either. Any additional service is another potential attack vector.

Performance Concerns

Most hardware running pfSense software can handle the traffic load with which it is tasked. If the firewall hardware has horsepower to spare, it may not hurt performance to add additional software. That said, be mindful of the resources consumed by the added software.

Conflicting Software

If an installed package duplicates functionality found in the base system, or replaces a base system package with a newer version, it could cause unpredictable system instability. Ensure that the software does not already exist in pfSense.

Lack of Integration

Any extra software installed will not have GUI integration. For some, this is not a problem, but there have been people who expected to install a package and have a GUI magically appear for its configuration. These packages must be configured by hand. If this is a service, that means also making sure that any startup scripts accommodate the methods used by pfSense software.

Software can also install additional web pages that are not protected by the pfSense software authentication process. Test any installed software to ensure that it protects and filters access appropriately.

Lack of Backups

Packages installed in this manner must have any configuration or other needed files backed up manually.

These files will not be backed up during a normal backup and could be lost or changed during a firmware update. The add-on package described in Backup Files and Directories with the Backup Package is capable of backing up arbitrary files such as these.

Installing Packages

To install a package, the proper package site must be used. pfSense software is compiled against a specific FreeBSD branch, and has only a specific set of packages hosted on Netgate servers.

Packages located in the Netgate package repository, including some FreeBSD software packages that are not a part of the pfSense software distribution, can be installed using pkg install directly:

# pkg install screen

Or use a full URL to a pkg add to add them from the FreeBSD package servers:

# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tshark-3.2.6.txz

The pkg utility will download and install the package, along with its required dependencies.

Additionally, the full set of FreeBSD packages can be made available by editing /usr/local/etc/pkg/repos/pfSense.conf and changing the first line to:

FreeBSD: { enabled: yes }

Warning

Adding software from FreeBSD package repositories will introduce problems with package dependencies, especially if a package depends on another piece of software that already exists on the firewall which may have been built with conflicting options. Take extreme caution when adding packages in this way.

Custom packages can also be built on another computer running FreeBSD and then the package file can be copied and installed on a firewall running pfSense software. Due to the complexity of this topic, it will not be covered here.

Maintaining Packages

The following command prints a list of all currently installed packages, including packages and components of the base system of pfSense software:

# pkg info

To delete an installed package, pass its full name or use a wildcard:

# pkg_delete iftop-1.0.p4
# pkg_delete pstree-\*