Hi Reinier,

I know and I think I tried to submit a bug fix report. We discovered that issue already 2 years ago. I guess my English was too weak at this time ;-) Furthermore, the only way to fix it without altering the basic usage of pfSense is to shift the rules, which allow the transparent proxy traffic (port 80), to be loaded after the user rule-set. As far as I understood the programming framework all the package scripts are loaded before the custom user rule-sets. If you would set a rule to generally block private IP traffic from one LAN to the other LAN you won't be able to intentionally allow traffic via the user rules. So it seems that it is not an easy fix and pfSense is not meant for enterprise usage, hence most people won't mind (I guess).

Best regards,
Rocco


Reinier Battenberg wrote:
Hi Rocco,

Well, if you found a bug in a FOSS project, the best thing to do is to make sure it gets in the next release. That way, you won't have to patch all the servers you are maintaining in the future. And so will all other pfSense users worldwide.

I guess pfSense has a bugtracker where you can post your fix.


rgds,

Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net

Do you have a businessplan? Make your idea work: www.startyourbusiness.ug

On Tuesday 01 December 2009 08:25:42 IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Reinier,

Multi-LAN is when you maintain several local area networks all connected
to the same firewall.

"Can you substantiate that statement with some URL's?"
No, I can look if someone else discovered the same issue in the Forums.

"It turns out"
We discovered this in-house.

Code of squid.inc:
// emitted once per interface, ahead of the user rule-set
foreach ($ifaces as $iface) {
    $rules .= "# Setup squid pass rules for proxy\n";
    $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
    $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
    $rules .= "\n";
}

The rules are loaded before the custom configured rule-set. Meaning it
will allow access to http servers from one LAN to the other LAN.

Best regards,
Rocco

Reinier Battenberg wrote:
"it turns out"
Can you substantiate that statement with some URLs?

Else, I don't consider it a true statement.

And for non-networkies: what is Multi-LAN?

rgds,

Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net

Do you have a businessplan? Make your idea work: www.startyourbusiness.ug

On Monday 30 November 2009 17:12:46 IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Joseph,

pfSense has modules to work either way, as normal web proxy or as a
reverse proxy. If you need help we have done a couple of custom pfSense
installations as well as custom re-programming of front and back-end.
Furthermore, it turns out that the standard pf rules used in conjunction
with a transparent web-proxy installation will open security flaws if
used in a multi-wan & multi-lan set-up.

Best regards,
Rocco

Reinier Battenberg wrote:
Hi Joseph,

This seems more targeted at the other end of proxying.

You can put this proxy in front of your website, which will take the
load off your apache server.



rgds,

Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net

Do you have a businessplan? Make your idea work: www.startyourbusiness.ug

On Monday 30 November 2009 14:50:04 joseph mpora wrote:
Pfsense has been pretty good for us, haven't seen need to change :)

Joseph

On 11/30/09, Emmanuel Mulo <[email protected]> wrote:
Hi all,

I am not sure whether this information has been previously posted on
this mailing list, however I saw something about Yahoo Traffic Server
being released as open source.  Since I have seen previously a number
of requests concerning proxy servers for load balancing, content
filtering etc., it would be interesting to hear from any sysadmins
experimenting with this.  It is used by Yahoo so it has to be good
for something no? :)


http://cwiki.apache.org/confluence/display/TS/Traffic+Server
http://ostatic.com/blog/guest-post-yahoos-cloud-team-open-sources-traffic-server

Anybody who does something with it please update us.. at least I
would be interested to hear..  Joseph? Reinier?

cheers
Mulo
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them
(including attachments if any). The List's Host is not responsible
for them in any way. ---------------------------------------
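The ordering problem Rocco describes, modelled as an added example (this is not pfSense's or squid.inc's own code): a small pf evaluator with "quick" semantics, the two pass rules per interface that the squid.inc loop emits, and an admin's block rule between the two LANs. Interface names and addresses, the web server address, the user rule, and 3128 as a stand-in for $port are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IFACES = {"lan": "192.168.1.1", "opt1": "192.168.2.1"}  # constructed interface addresses
PROXY_PORT = 3128  # constructed stand-in for squid.inc's $port

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    iface: str                     # "on $iface"
    dport: Optional[int] = None    # None = any port
    src: Optional[str] = None      # CIDR, None = any
    dst: Optional[str] = None      # CIDR, None = any
    not_iface_addr: bool = False   # "to !($iface)": anything but the iface's own IP
    quick: bool = True             # pfSense emits package and user rules with "quick"
@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.src is None or ip_address(pkt.src) in ip_network(rule.src))
            and (rule.dst is None or ip_address(pkt.dst) in ip_network(rule.dst))
            and not (rule.not_iface_addr and pkt.dst == IFACES[rule.iface]))

def evaluate(rules: list, pkt: Packet) -> str:
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    verdict = "block"  # default deny, as on pfSense
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break  # 'quick' stops evaluation: later rules are never consulted
    return verdict

def squid_rules() -> list:
    # Same shape as the squid.inc loop: two pass-quick rules per interface.
    return [Rule("pass", i, p, not_iface_addr=True) for i in IFACES for p in (80, PROXY_PORT)]

# The admin's intended policy (constructed): nothing from LAN into the OPT1 network.
USER_RULES = [Rule("block", "lan", src="192.168.1.0/24", dst="192.168.2.0/24")]

def verdict_with_order(package_first: bool) -> str:
    # A LAN host reaching a web server on OPT1, with package rules before or after user rules.
    pkt = Packet("lan", "192.168.1.10", "192.168.2.20", 80)
    rules = squid_rules() + USER_RULES if package_first else USER_RULES + squid_rules()
    return evaluate(rules, pkt)
```

With the package rules loaded first the LAN-to-LAN web request passes and the block rule is never reached; with the user rules loaded first, as Rocco proposes, it is blocked.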
