Discover the features of DynFi Firewall

A firewall that protects your networks

Stateful Firewall

DynFi Firewall is a stateful firewall. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets that match a known active connection will be allowed by the firewall, others will be rejected.

Stateful inspection, also known as stateful filtering, is an essential feature of enterprise network cybersecurity.

DynFi Firewall has the following advanced filtering features:

  • TCP and UDP filtering

  • Filtering of 130 IPv4 protocols

  • Source and destination filtering at the IP address level

  • Ability to limit the number of connections per rule

  • Advanced filtering:

    • Filtering by Operating System with p0f
    • Filtering with dynamic routing: when a flow is hooked by a firewall rule, it will be routed by the gateway of your choice
    • Filtering with time slot definition
    • Marking and identification of 802.1Q frames
    • Possibility of advanced state control rule by rule

Multiple VPN Technologies

DynFi implements various VPN technologies such as IPsec, OpenVPN and ZeroTier, with WireGuard to follow soon.

IPsec

This is the flagship VPN technology and is implemented in most firewalls regardless of brand.

DynFi Firewall supports:

  • Site-to-site IPsec VPNs with support for Tunnel Mode or Routed Mode via Virtual Tunnel Interfaces (VTI)
  • IPsec VPNs for mobile clients
  • IPsec VPNs to clouds such as Azure or OVH

DynFi Firewall is compatible with standard VPN clients (iOS, Android, Mac OS X, Windows or Linux) and with the certified VPN Client from the French company The Green Bow.

OpenVPN

OpenVPN is available on DynFi Firewall, both as a VPN client and as a server.

OpenVPN uses OpenSSL authentication technologies to allow clients sharing encryption keys to establish a tunnel. Numerous refinements provide advanced authentication and routing functions.

ZeroTier

ZeroTier is a technology that enables secure networks to be created site-to-site, in the cloud, or via remote mobile connections.

ZeroTier is an SD-WAN technology that allows you to unify your VPNs and VLANs with a single solution. ZeroTier offers Layer 2 Ethernet access with multipath, multicast and bridge capabilities. ZeroTier offers zero-trust security with end-to-end 256-bit encryption.

ZeroTier is free for up to 50 nodes and uses a BSL license.

WireGuard

In a future release DynFi Firewall will implement WireGuard.

WireGuard® is an extremely simple, fast and modern VPN system that uses state of the art encryption methods.

WireGuard aims to be faster, simpler and lighter than IPsec. It aims to be considerably more powerful than OpenVPN. WireGuard is designed as a multi-functional VPN that meets most use cases.

The current performance of the FreeBSD module is average because the module is not implemented at kernel level. As soon as the module for the FreeBSD kernel is available, it will be implemented in DynFi Firewall.

Intrusion Prevention and Detection

DynFi Firewall uses Suricata as its network threat detection and prevention engine (IDS / IPS).

Suricata is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS) and network security monitoring (NSM).

DynFi Firewall will offer new advanced filtering features using Suricata, including advanced filtering of HTTPS flows, later in 2021.

Proxy function

DynFi Firewall uses the Squid proxy, which is the most widely used proxy in the world.

Squid is a web cache proxy that supports the HTTP, HTTPS and FTP protocols. It reduces bandwidth usage and improves response times by caching and reusing frequently requested web pages.

To enable more comprehensive filtering, DynFi Firewall uses the c-icap library, which provides an implementation of an ICAP server. When used with Squid, this allows the implementation of content adaptation and filtering services, including anti-virus filtering via ClamAV-Clamd.

Squid also has extensive access controls.

The software is licensed under the GNU GPL.

Anti-Virus Functionality

DynFi Firewall features the open source anti-virus ClamAV®.

ClamAV can be used for email scanning, webstream scanning and endpoint security. It provides a number of utilities, including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatically updating its virus signature databases.

Captive Portal with integrated coupon management

The captive portal implemented in DynFi Firewall is easy to deploy and can be combined with authentication and coupon management.

Real-Time Traffic Analysis System

DynFi Firewall has several different mechanisms for real-time analysis, filtering and viewing of logs.

Firewall Log Analysis

The default system is based on packet filter (pf) log analysis and allows real-time filtering and viewing of all or part of the logs. This is an essential tool to ensure the proper debugging of your rules on a production firewall.

Log analysis via NetFlow

NetFlow is a powerful network flow analysis protocol that has become a standard over the years. It provides a high level of flow detail, allowing you to understand what is happening on your network in real time.

DynFi Firewall implements this protocol natively and allows protocol visualization from the firewall.
It is also possible to send flows to software such as Ntop for in-depth flow analysis.

Bandwidth management function

Bandwidth management in DynFi Firewall has been redesigned and simplified to make it easy to understand and quick to deploy.

The firewall therefore makes it possible to:

  • Simply prioritize certain flows within your firewall
  • Allocate a fixed bandwidth to a subnet
  • Limit the bandwidth allocated to one or more users
  • Set a priority per application

Central network functions: DNS, DHCP, NTP

These functions are implemented to a high standard within the firewall, allowing services to be deployed with a unique level of control and granularity.

DNS via Dnsmasq

Dnsmasq is a lightweight server designed to provide DNS services to small and medium sized networks. The software is simple to integrate and administer.

DNS with Unbound

Unbound is a validating, caching, recursive DNS resolver that is more powerful than Dnsmasq. It allows for more advanced DNS operations and is a good alternative to Dnsmasq.


Monitoring Services

DynFi Firewall has chosen to keep only a limited number of monitoring services within the firewall. Indeed, it seems to us that a firewall should not (for obvious security reasons) be transformed into a monitoring and supervision tool.

This is why we wanted to favour supervision tools integrated into the firewall or those that are extremely light and do not pose any particular security problems.

DynFi Manager integration

DynFi Manager is our centralized firewall management tool, compatible with pfSense® and OPNsense® firewalls.

This software is free of charge for up to three monitored firewalls and can be deployed in a few clicks.
It has a complete monitoring interface and allows you to centralise information on all your firewalls in a rich and highly functional interface.

For an overview of DynFi Manager features, follow this link.

Monit

Monit is a small open source utility for managing and monitoring BSD and Linux systems. It is used within DynFi Firewall as a system alerting tool. Coupled with any email account, it allows you to receive essential system alerts by email.

SMART

The SMART tool provides an automatic monitoring system for your appliance’s hard drive. It allows you to diagnose several reliability indicators in order to anticipate hard disk errors.

Support for many types of interfaces

The main purpose of a firewall is to become a comprehensive tool for controlling and managing your network. With DynFi Firewall, you will have a complete firewall that provides access to many standard interfaces.

VLAN / 802.1Q

VLANs are supported on DynFi Firewall.

Bridge

Bridge interfaces are supported on DynFi Firewall.

VXLAN

VXLAN interfaces

VXLAN (Virtual Extensible LAN) is a network virtualisation technology that aims to address scalability issues associated with cloud computing deployments. It uses a VLAN-like encapsulation technique to encapsulate OSI Layer 2 Ethernet frames into Layer 4 UDP datagrams.

VXLAN will allow your DynFi Firewall to structure a network to a hypervisor or switch located in a Cloud, Data-Center or remote network, while preserving a Layer 2 link between the two parts of the network.

LAGG

Link Aggregation 802.3ad is supported in DynFi Firewall.

GIF and GRE

DynFi Firewall supports both GIF and GRE interfaces.

Both of these protocols are intended to encapsulate traffic between two hosts without encryption. In addition to encapsulating IPv4 or IPv6 directly, GIF can be used to encapsulate IPv6 over IPv4 networks and vice versa. GIF tunnels are commonly used to obtain IPv6 connectivity with an IPv6 broker such as Hurricane Electric in locations where IPv6 connectivity is not available.

PPP

DynFi Firewall allows you to use the Point-to-Point Protocol (PPP) to deploy a modem or other equipment that requires this type of protocol.

PPP is a transmission protocol for the Internet, described in RFC 1661, which is heavily based on HDLC and allows a connection to be established between two hosts over a point-to-point link. It is part of the data link layer (layer 2) of the OSI model.

802.11 WiFi interface

It is finally possible to implement WiFi networks with DynFi Firewall, based on the WiFi protocols supported by FreeBSD.

The 802.11 B, G, A and N standards, and soon AC, are supported on our firewalls.


DynFi Firewall & Manager: fast integration

A revamped interface

DynFi Firewall’s interface offers quick access to many of the firewall’s functions. Access to logs has been completely redesigned to provide a consistent and systematized logic throughout the firewall menus and submenus.

The menus are now clearer with a better iconography and better adapted to the needs of system administrators.

DynFi Manager: Three clicks away!

Integrating your DynFi Firewall with our centralized firewall manager DynFi Manager has never been easier.

With the Connection Manager, all your DynFi Firewalls will be interconnected to the Manager for fast and efficient centralized management.