This is just a general reply here, not aimed specifically at anyone;
I’m a fan of pfSense, although at home I tended to use hardware solutions with a Cisco badge on them until recently; I’m now using a pfSense box and very happy with it. What you do with it is very much up to you. The simple fact is that firewalling IS a complex subject: there is more to a good firewall than just being able to route traffic and open ports.
I fully recommend you look at the Snort plugin for pfSense. This adds some automated intelligence to your firewall; it’s not foolproof, but it’s an extra layer that can really help.
For all things security - take a layered approach, don’t rely on one line of defence for anything.
Take SSH as the first simple example:
- Make sure you use a non-standard username where possible, so not “root”, not “pi” and not “admin”
- Use a complex password
- Require SSH keys in addition to your complex password
In addition to all of the above, limit access to known IP addresses on the internet.
Now, at this point you’ve turned your SSH security up to 11, but all of that means nothing if you have another vulnerable service open… so…
If you are providing web services on the same box, front-end them with Cloudflare where possible: https://www.cloudflare.com - it’s FREE and adds a good layer of security, including adding HTTPS to your website if that’s what you want (yes, you want that if you use ANY kind of login for your page).
And on your web server - ONLY accept requests from Cloudflare - they provide their IP lists for this purpose.
One final trick: you may be the kind of person that locks down internet access already, or you may be the kind of person who leaves all the outbound traffic open - the latter isn’t a good thing. If you don’t want the hassle of locking down all of your outbound internet access, at least do the following:
Lock down outbound telnet, lock down outbound DNS over TCP (it’s used for zone transfers - I’m quite sure you won’t ever be doing that) and lock down DNS over UDP to the servers you actually use (your ISP or OpenDNS, maybe). Lock down SMTP (port 25) to your ISP’s mail servers (or turn OFF SMTP totally if you use Gmail, for example). Similarly, if you are not using SSH, turn it off.
Why do this? Because at least this stops you taking part in most of the botnets that are out there; it will stop your machines being unwilling zombies without you even knowing.
Finally, securing ANY device is never quite as straightforward as you might think. Take the layered approach, and don’t assume it won’t happen to you - there is an army (literally) of machines out there working around the clock to compromise every system they can; they will find yours and they will use any weakness to get in.
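As an added example (not from the post above or from the pfSense project), here is a small POSIX shell audit that checks an OpenSSH `sshd_config` for the three SSH points the post lists: no root login, a non-default account in `AllowUsers`, and public key required in addition to the password (`AuthenticationMethods publickey,password`). The two sample config files are constructed inline so the script runs offline; the `deploy-ops` account name and the 203.0.113.10 address in them are placeholders.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening described in the post.
# Not part of the original post. Sample configs below are constructed.

# sshd_opt FILE DIRECTIVE -> prints the first effective value of DIRECTIVE.
# OpenSSH honours the first occurrence of a directive, so we stop at the first match.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_sshd_config FILE -> prints findings; returns 0 if all checks pass, 1 otherwise.
check_sshd_config() {
    f="$1"; rc=0

    # 1. Root must not be able to log in directly.
    root_login=$(sshd_opt "$f" PermitRootLogin)
    if [ "$root_login" != "no" ]; then
        echo "FAIL: PermitRootLogin should be 'no' (got '${root_login:-unset}')"; rc=1
    fi

    # 2. Keys AND a password: publickey must be chained with a password-type method.
    methods=$(sshd_opt "$f" AuthenticationMethods)
    case "$methods" in
        *publickey,password*|*publickey,keyboard-interactive*) ;;
        *) echo "FAIL: AuthenticationMethods should be 'publickey,password' (got '${methods:-unset}')"; rc=1 ;;
    esac

    # 3. Logins restricted to named accounts, none of them the usual defaults.
    users=$(sshd_opt "$f" AllowUsers)
    if [ -z "$users" ]; then
        echo "FAIL: AllowUsers is unset; restrict logins to named accounts"; rc=1
    else
        for u in $users; do
            case "$u" in
                root|pi|admin|root@*|pi@*|admin@*)
                    echo "FAIL: AllowUsers permits well-known account '$u'"; rc=1 ;;
            esac
        done
    fi

    [ "$rc" -eq 0 ] && echo "OK: $f passes all checks"
    return "$rc"
}

# Constructed sample: a stock-looking config that fails every check.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers pi admin
EOF

# Constructed sample: the layered setup the post asks for.
# AllowUsers user@host additionally pins the account to a known source address.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
AllowUsers deploy-ops@203.0.113.10
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# Usage: audit both samples (the weak one is expected to fail).
check_sshd_config "$WEAK_CFG" || echo "(weak config rejected, as expected)"
check_sshd_config "$HARDENED_CFG"
```

Run it against your own file with `check_sshd_config /etc/ssh/sshd_config`, then `sshd -t` to confirm the file still parses before restarting the service. The script only reads the first occurrence of each directive and does not evaluate `Match` blocks, so a config that sets these options conditionally needs a manual look.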
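The remaining advice in the post (SSH only from known addresses, web traffic only from Cloudflare, and the outbound lockdown of telnet, DNS over TCP, DNS over UDP and SMTP) maps naturally onto a pf ruleset, which is what pfSense builds underneath its GUI. The fragment below is an added example written by hand, not pfSense's generated configuration or the post author's. Interface name, networks, admin addresses, resolvers and the ISP mail relay are all placeholders, and the Cloudflare table is loaded from a file you keep updated from Cloudflare's published IP list (the file path is an assumption).

```pf
# Added example: pf rules expressing the post's advice. All addresses are placeholders.
ext_if      = "em0"
lan_net     = "192.168.1.0/24"
admin_ips   = "{ 203.0.113.10, 198.51.100.0/24 }"   # known management addresses
dns_servers = "{ 192.0.2.53, 192.0.2.54 }"          # resolvers you actually use (ISP / OpenDNS)
isp_smtp    = "192.0.2.25"                          # your ISP's mail relay

# Cloudflare publishes its address ranges; keep this file current from that list.
table <cloudflare> persist file "/etc/pf/cloudflare_ips.txt"

set skip on lo0
# Default deny in both directions; everything below is an explicit exception.
block log all

# Inbound: SSH only from known admin addresses (the post's "limit access to known IPs").
pass in on $ext_if proto tcp from $admin_ips to ($ext_if) port 22

# Inbound: the web site is reachable only through Cloudflare's edge.
pass in on $ext_if proto tcp from <cloudflare> to ($ext_if) port { 80, 443 }

# Outbound: the default block already drops telnet and DNS over TCP, but logging
# them explicitly with "quick" gives you a signal: an internal host suddenly
# trying port 23 or TCP/53 is worth investigating.
block log quick on $ext_if proto tcp from $lan_net to any port 23
block log quick on $ext_if proto tcp from $lan_net to any port 53

# Outbound allow-list: DNS only to your resolvers, SMTP only to the ISP relay.
pass out on $ext_if proto udp from $lan_net to $dns_servers port 53
pass out on $ext_if proto tcp from $lan_net to $isp_smtp port 25
pass out on $ext_if proto tcp from $lan_net to any port { 80, 443 }
pass out on $ext_if proto udp from $lan_net to any port 123
```

In pfSense the same result is reached with a firewall alias for the Cloudflare ranges and per-rule logging on the outbound block rules; either way, review `pflog` for hits on the telnet and DNS/TCP blocks, since those are exactly the connections a compromised internal machine tends to make.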