[pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Eugen Leitl
- Forwarded message from Bjørn Mork bj...@mork.no -

From: Bjørn Mork bj...@mork.no
Date: Fri, 12 Nov 2010 13:55:27 +0100
To: na...@nanog.org
Subject: Re: Low end, cool CPE.
Organization: m
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.2 (gnu/linux)

Leo Bicknell bickn...@ufp.org writes:

 - IPv6 support, native or tunnel to tunnelbroker.net type thing.

This is far too diffuse.  You'll get a "yes, we've got IPv6".

You should at least add
 - IPv6 packet filtering and policy management (at least simple access
   lists) 
 - DHCPv6-PD client running over PPP or ethernet (possibly bridged DSL)
   WAN interface(s)
 - Ability to split the delegated prefix into a /64 for every LAN and
   loopback interface, preferably fully configurable
 - Configurable RA on LAN interfaces, using the dynamically allocated
   prefixes
 - (wishlist) configurable ifids on the LAN and loopback interfaces as
   an alternative to using EUI-64
 - WAN link addressing using whatever is available of SLAAC, DHCPv6
   IA_NA or link local.  Specifically: Using SLAAC for the WAN link
   should be possible without sacrificing any router functionality on
   the CPE.
 
and probably a lot more.  DNS resolver handling needs a chapter on its
own.

The point is: We've been asking for IPv6 for too long.  That's just
one bit in a packet header.  We need to start asking for the features we
expect, which is a lot more than that bit.



Bjørn

- End forwarded message -
-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
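The prefix-splitting, RA and interface-identifier items in Bjørn's list are easy to get wrong in CPE code, so here is an added worked example (written for this archive, not code from the thread or from pfSense) that carves one /64 per LAN/loopback interface out of a DHCPv6-PD delegation and picks the router's own address in each. The delegated /56, the interface names and the MAC are constructed; the default router ifid of ::1 is an assumption, not a requirement. The EUI-64 helper is there to show what SLAAC would have produced instead of a configured ifid, which is the wishlist item.

```python
import ipaddress


def eui64_ifid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a 48-bit MAC.

    The MAC is split in the middle, ff:fe is inserted, and the
    universal/local bit (0x02 of the first octet) is flipped.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def address_from_ifid(prefix: ipaddress.IPv6Network, ifid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError(f"{prefix} is not a /64")
    if not 0 <= ifid < 1 << 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) + ifid)


def split_delegated_prefix(delegated: str, interfaces, ifids=None):
    """Carve one /64 per interface out of a DHCPv6-PD delegation.

    ``ifids`` maps interface name -> explicit interface identifier; any
    interface not listed gets ::1 (assumed default for the router address).
    Returns interface -> {"prefix": IPv6Network, "router": IPv6Address},
    which is exactly what the RA daemon and the address config need.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than a /64 and cannot be split")
    needed, available = len(interfaces), 2 ** (64 - net.prefixlen)
    if needed > available:
        raise ValueError(f"{net} yields {available} /64s, need {needed}")
    ifids = ifids or {}
    plan = {}
    for iface, subnet in zip(interfaces, net.subnets(new_prefix=64)):
        ifid = ifids.get(iface, 1)
        plan[iface] = {"prefix": subnet, "router": address_from_ifid(subnet, ifid)}
    return plan


if __name__ == "__main__":
    # Constructed input: a /56 from the ISP, three LAN-side interfaces,
    # and a non-default ifid on the guest interface.
    plan = split_delegated_prefix(
        "2001:db8:abcd:100::/56", ["lan", "guest", "lo0"], ifids={"guest": 0x10})
    for iface, entry in plan.items():
        print(f"{iface:6} prefix={entry['prefix']} router={entry['router']}")
    # What SLAAC/EUI-64 would have used for the router on "lan" (constructed MAC):
    print("EUI-64 on lan:",
          address_from_ifid(plan["lan"]["prefix"], eui64_ifid("00:0c:29:ab:cd:ef")))
```

The EUI-64 address embeds the MAC, so the host part is identical in every prefix the box is ever renumbered into and is trivially trackable; a configurable ifid (or a random one) avoids that, which is why it is worth asking for rather than accepting EUI-64 as the only option. The size check also matters in practice: a /64 delegation (which some ISPs hand out) cannot be split at all, and a CPE should refuse loudly rather than silently reuse the WAN prefix on the LAN.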



[pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Eugen Leitl
- Forwarded message from Charles N Wyble char...@knownelement.com -

From: Charles N Wyble char...@knownelement.com
Date: Fri, 12 Nov 2010 08:07:14 -0800
To: na...@nanog.org
Subject: Re: Low end, cool CPE.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
rv:1.9.2.11) Gecko/20101006 Thunderbird/3.1.5

On 11/12/2010 01:24 AM, Eugen Leitl wrote:
 On Thu, Nov 11, 2010 at 05:41:00PM -0800, Leo Bicknell wrote:
 I've run into a number of low end CPE situations lately where I
 haven't found anything that does what I want, but I have to believe
 it is out there.  I'm hoping NANOG can help.
 An ALIX with pfSense 2.0 (BETA4 at the moment) would fit most
 of the above. IPv6 support is coming (is mostly there in the
 kernel, but interface only alpha).


PPPoE is currently broken in 2.0 BETA4. :(
 If you want to run the snort package I'd however pick a
 Supermicro Atom system with 2 onboard NICs and add a dual-port
 Intel NIC, and run pfSense from a small SSD or an USB stick.
 Albeit a rackmount, the system would be quiet enough for SOHO.

Yes. I agree. Have SNORT run as a transparent bridge and have a separate
management interface. Use vlans on that interface to handle whatever you
need to do (dedicated vlan for snort, one for your management network, one
for secure wifi, one for guest wifi etc).


 Basically think about a sophisticated home user, or a 1-5 person
 small office.  Think DSL, Cable Modem, maybe Cell Card or ISDN as
 backups.  Looking for an appliance, very much fire and forget. I
 probably won't get all the features that I want, but in no particular
 order:


 - Able to deal with backup connectivity, eg. Cell Cards which you
only want to use if the primary is down.
 - User friendly features, e.g. UPNP, NAT-PMP, etc.
 - Good manageability.  ssh to a cli would be a huge bonus, at least
the ability to backup a config.
 Very well supported. http(s) and ssh both.

Well, the SSH interface is very limited. You can login and do some basic
checks. However, everything is driven from a single XML config file that
gets parsed by PHP scripts during the init process and then writes out all
the UNIX configuration files. However, all the things I've ever done from
the CLI on a Linux box are readily available from the pfSense web interface
(arp table checks, traceroute, ping, iperf, tcpdump).

I only use the CLI when I have broken something.
 - Nice firewall features.
 - IDS features are cool.

It has a SNORT package that's pretty nice. Also has some other AV type
stuff and a proxy. I haven't gotten the proxy/av to work yet, but haven't
put much time into them.
 WiFi is not strictly required, but would be cool. Things like guest
 WiFi would be an added bonus.

It supports a lot of wifi cards. I put a USB wifi stick in my pfsense box
and configured it as an AP from the web UI.

I'm running the current stable pfSense (1.2.3 I think). Very happy with
it. It's a fully featured distribution that is incredibly well put
together.

- End forwarded message -



[pfSense-discussion] API?

2010-11-12 Thread Nathan Eisenberg
I have a customer who wants to be able to automate IP blackholing on their 
PFSense firewall from their custom IDS.  In essence, the application wants to 
go something like 

'I'm being abused by this IP 198.51.100.20'
'POST HTTPS://GATEWAY/pfapi.php?alias=blocklist&ip=198.51.100.20&comment='
'POST HTTPS://GATEWAY/pfapi.php?action=apply'

There was a post about this some time ago, and the answer at the time was 
'there's no such functionality'.  Is there anything new on this front?

Nathan Eisenberg





Re: [pfSense-discussion] API?

2010-11-12 Thread Jim Pingle
On 11/12/2010 2:01 PM, Nathan Eisenberg wrote:
 I have a customer who wants to be able to automate IP blackholing on their 
 PFSense firewall from their custom IDS.  In essence, the application wants to 
 go something like 
 
 'I'm being abused by this IP 198.51.100.20'
 'POST HTTPS://GATEWAY/pfapi.php?alias=blocklist&ip=198.51.100.20&comment='
 'POST HTTPS://GATEWAY/pfapi.php?action=apply'
 
 There was a post about this some time ago, and the answer at the time was 
 'there's no such functionality'.  Is there anything new on this front?

There isn't anything in the XMLRPC API we have for that yet.

I would suggest you could do this via easyrule.php in 2.0, but I think
the recent http_referer and/or csrf checks may mean that will no longer
work if done remotely.

Jim

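Jim's point about the referer/CSRF checks is the reason not to script the web GUI from an IDS: those checks exist precisely to stop a remote POST from driving the firewall. The route that does not fight them is the one this thread already confirms exists, the ssh CLI, with pf's own table command. pfSense aliases are backed by pf tables, so `pfctl -t <alias> -T add <ip>` adds an address to the running table without touching the GUI. The following is an added example for this archive, not pfSense code and not an API pfSense offers: it validates the alert's address against a never-block list, builds the pfctl argv, and runs it over ssh with a dedicated key. The never-block ranges, the alias-name pattern, the host `fw.example.net`, the user `admin` and the key path are all assumptions.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed policy: ranges an IDS alert may never blackhole. Blocking any
# of these would cut off the firewall itself or the management network, so a
# spoofed or mistaken alert would become a denial of service against the
# operator. 203.0.113.0/24 stands in for the customer's management network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
    "203.0.113.0/24",
)]

# Assumed alias-name rule (alphanumerics and underscore, pf's 31-char table
# name limit): the alias can then never carry shell metacharacters into the
# remote command line.
ALIAS_RE = re.compile(r"^[A-Za-z0-9_]{1,31}$")


def validate_target(ip_text: str):
    """Parse the attacker address and refuse anything inside NEVER_BLOCK."""
    ip = ipaddress.ip_address(ip_text.strip())   # ValueError on garbage input
    for net in NEVER_BLOCK:
        if ip in net:                            # False across v4/v6 families
            raise ValueError(f"refusing to blackhole {ip}: inside {net}")
    return ip


def pfctl_command(alias: str, ip_text: str, action: str = "add"):
    """argv that adds or deletes one address in the pf table behind ``alias``."""
    if not ALIAS_RE.match(alias):
        raise ValueError(f"bad alias name {alias!r}")
    if action not in ("add", "delete"):
        raise ValueError(f"bad action {action!r}")
    ip = validate_target(ip_text)
    return ["pfctl", "-t", alias, "-T", action, str(ip)]


def remote_blackhole(host, alias, ip_text, key_path, user="admin",
                     action="add", runner=subprocess.run):
    """Run the pfctl command on the firewall over ssh with a dedicated key.

    ``runner`` is injectable so the call can be exercised without a firewall.
    BatchMode stops ssh from ever prompting; strict host-key checking means
    a spoofed firewall cannot harvest the key's session.
    """
    cmd = pfctl_command(alias, ip_text, action)
    remote = " ".join(shlex.quote(a) for a in cmd)
    argv = ["ssh", "-i", key_path, "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes", f"{user}@{host}", remote]
    result = runner(argv, capture_output=True, text=True, timeout=15)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed alert: the address from the original post (RFC 5737 range).
    print(" ".join(pfctl_command("blocklist", "198.51.100.20")))
    print(remote_blackhole("fw.example.net", "blocklist", "198.51.100.20",
                           "/etc/ids/fw_key"))
```

Two caveats for anyone wiring this up. First, restrict the key on the firewall side with a forced command in `authorized_keys` (`command="..."`, plus `no-pty`, `no-port-forwarding`) so a compromised IDS can only add to that one table and cannot get a shell. Second, `pfctl -T add` changes the running table only; the table is rebuilt from the alias in config.xml when the ruleset is reloaded, so the entry does not survive a filter reload or reboot, and a permanent block still has to go into the config.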



Re: [pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Scott Ullrich
On Fri, Nov 12, 2010 at 5:51 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
[snip]
 But still - no IPv6 support (though a 3rd-party patch is now available to 
 beat it in, it's not up to par yet, and it's not in 'stable').  :(

The work Seth is doing will be in 2.1 sometime next year.  He has made
a lot of progress in a very short amount of time.

Scott




RE: [pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Nathan Eisenberg
 The work Seth is doing will be in 2.1 sometime next year.  He has made a lot
 of progress in a very short amount of time.

And please don't misunderstand - I am absolutely thrilled about it.  But it 
probably does not meet the OP's needs quite yet.

Nathan

