Using Software from FreeBSD’s Ports System (Packages)

Because pfSense is based on FreeBSD, many familiar FreeBSD packages are available for use by veteran FreeBSD system administrators.

Warning

Installing software this way is not for the inexperienced, as it could have unintended side-effects, and is not recommended nor supported.

Many parts of FreeBSD are not included, so library and other issues can occur when attempting to use software installed in this manner. pfSense does not include a compiler in the base system for many reasons, and as such software cannot be built locally. However, packages can be installed from FreeBSD’s pre- built package repository.

Concerns/Warnings

Several important concerns must be considered by any administrator before deciding to install additional software to a pfSense firewall, especially software that is not a sanctioned package.

Security Concerns

Any extra software added to a firewall is a security problem, and must be evaluated fully before installation. If the need outweighs the risk, it may be worth taking. Official pfSense packages are not immune to this problem either. Any additional service is another potential attack vector.

Performance Concerns

Most hardware running pfSense can handle the traffic load with which they are tasked. If the firewall hardware has horsepower to spare, it may not hurt the system to add additional software. That said, be mindful of the resources consumed by the added software.

Conflicting Software

If an installed package duplicates functionality found in the base system, or replaces a base system package with a newer version, it could cause unpredictable system instability. Ensure that the software does not already exist in pfSense before trying to install anything.

Lack of Integration

Any extra software installed will not have GUI integration. For some, this is not a problem, but there have been people who expected to install a package and have a GUI magically appear for its configuration. These packages will need to be configured by hand. If this is a service, that means also making sure that any startup scripts accommodate the methods used by pfSense.

Software can also install additional web pages that are not protected by the authentication process on pfSense. Test any installed software to ensure that access is protected or filtered in some manner.

Lack of Backups

Packages installed in this manner must have any configuration or other needed files backed up manually.

These files will not be backed up during a normal pfSense backup and could be lost or changed during a firmware update. The add-on package described in Backup Files and Directories with the Backup Package is capable of backing up files such as these.

Installing Packages

To install a package, the proper package site must be used. pfSense is compiled against a specific FreeBSD RELEASE branch, and has only a specific set of packages hosted on the project servers.

Packages located in the pfSense package repository, including some FreeBSD software packages that are not a part of pfSense, can be installed using pkg install directly:

# pkg install iftop

Or use a full URL to a pkg add to add them from the FreeBSD package servers:

# pkg add http://pkg.freebsd.org/freebsd:10:x86:64/quarterly/All/iftop-1.0.p4.txz

The package will be downloaded and installed, along with any needed dependencies.

Additionally, the full set of FreeBSD packages can be made available by editing /usr/local/etc/pkg/repos/pfSense.conf and changing the first line to:

FreeBSD: { enabled: yes }

Warning

Adding software from FreeBSD package repositories can introduce problems with package dependencies, especially if a package depends on another piece of software that already exists on pfSense which may have been built with conflicting options. Take extreme caution when adding packages in this way.

Custom packages can also be built on another computer running FreeBSD and then the package file can be copied and installed on a pfSense firewall. Due to the complexity of this topic, it won’t be covered here.

Maintaining Packages

The following command prints a list of all currently installed packages, including pfSense packages and parts of the pfSense base system:

# pkg info

To delete an installed package, pass its full name or use a wildcard:

# pkg_delete iftop-1.0.p4
# pkg_delete pstree-\*