Using Software from FreeBSD¶
pfSense® software is based on FreeBSD, thus many familiar FreeBSD packages are available for use by veteran FreeBSD system administrators.
Warning
Installing software this way will have unintended side effects.
This action is not recommended or supported by Netgate.
Many parts of FreeBSD are not included in the base installation of pfSense software, so library and other issues can occur when attempting to use software installed in this manner. The pfSense software base installation does not include a compiler in the base system for many reasons, and as such software cannot be built locally. However, packages can be installed from FreeBSD the package repository.
Concerns/Warnings¶
Several important concerns must be considered by any administrator before deciding to install additional software, especially software that is not obtained from Netgate package repositories.
Security Concerns¶
Any extra software added to a firewall is a security problem, and must be evaluated fully before installation. If the need outweighs the risk, it may be worth taking. Official packages for pfSense software are not immune to this problem either. Any additional service is another potential attack vector.
Performance Concerns¶
Most hardware running pfSense software can handle the traffic load with which it is tasked. If the firewall hardware has horsepower to spare, it may not hurt performance to add additional software. That said, be mindful of the resources consumed by the added software.
Conflicting Software¶
If an installed package duplicates functionality found in the base system, or replaces a base system package with a newer version, it could cause unpredictable system instability. Ensure that the software does not already exist in pfSense.
Lack of Integration¶
Any extra software installed will not have GUI integration. For some, this is not a problem, but there have been people who expected to install a package and have a GUI magically appear for its configuration. These packages must be configured by hand. If this is a service, that means also making sure that any startup scripts accommodate the methods used by pfSense software.
Software can also install additional web pages that are not protected by the pfSense software authentication process. Test any installed software to ensure that it protects and filters access appropriately.
Lack of Backups¶
Packages installed in this manner must have any configuration or other needed files backed up manually.
These files will not be backed up during a normal backup and could be lost or changed during a firmware update. The add-on package described in Backup Files and Directories with the Backup Package is capable of backing up arbitrary files such as these.
Installing Packages¶
To install a package, the proper package site must be used. pfSense software is compiled against a specific FreeBSD branch, and has only a specific set of packages hosted on Netgate servers.
Packages located in the Netgate package repository, including some FreeBSD
software packages that are not a part of the pfSense software distribution, can
be installed using pkg install
directly:
# pkg install screen
Or use a full URL to a pkg add
to add them from the FreeBSD package
servers:
# pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tshark-3.2.6.txz
The pkg
utility will download and install the package, along with its
required dependencies.
Additionally, the full set of FreeBSD packages can be made available by editing
/usr/local/etc/pkg/repos/pfSense.conf
and changing the first line to:
FreeBSD: { enabled: yes }
Next, edit /usr/local/etc/pkg/repos/FreeBSD.conf
and make the same change
there:
FreeBSD: { enabled: yes }
It must be enabled in both places to function.
Warning
Adding software from FreeBSD package repositories will introduce problems with package dependencies, especially if a package depends on another piece of software that already exists on the firewall which may have been built with conflicting options. Take extreme caution when adding packages in this way.
Custom packages can also be built on another computer running FreeBSD and then the package file can be copied and installed on a firewall running pfSense software. Due to the complexity of this topic, it will not be covered here.
Maintaining Packages¶
The following command prints a list of all currently installed packages, including packages and components of the base system of pfSense software:
# pkg info
To delete an installed package, pass its full name or use a wildcard:
# pkg_delete iftop-1.0.p4
# pkg_delete pstree-\*