Well, only one way to find out: post the bug (again ;-) )!
(I wouldn't downplay the use of pfSense, its use is for whomever finds it a
handy tool. I know Kyle, at IMG is using it. I think that could easily be
considered an enterprise..)
rgds,
Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net
Do you have a businessplan? Make your idea work: www.startyourbusiness.ug
On Tuesday 01 December 2009 09:25:40 IT-Doc24 Ltd. - Rocco Radisch wrote:
> Hi Reinier,
>
> I know and I think I tried to submit a bug fix report. We discovered
> that issue already 2 years ago. I guess my English was too weak at this
> time ;-)
> Furthermore, the only way to fix it without altering the basic usage of
> pfSense is to shift the rules, which allow the transparent proxy traffic
> (port 80), to be loaded after the user rule-set. As far as I understood
> the programming framework all the package scripts are loaded before the
> custom user rule-sets. If you would set a rule to generally block
> private IP traffic from one LAN to the other LAN you won't be able to
> intentionally allow traffic via the user rules. So it seems that it is
> not an easy fix and pfSense is not meant for enterprise usage, hence
> most people won't mind (I guess).
>
> Best regards,
> Rocco
>
> Reinier Battenberg wrote:
> > Hi Rocco,
> >
> > Well, if you found a bug in a FOSS project, the best thing to do is to
> > make sure it gets in the next release. That way, you won't have to patch
> > all the servers you are maintaining in the future. And so will all other
> > pfSense users worldwide.
> >
> > I guess pfSense has a bugtracker where you can post your fix.
> >
> >
> > rgds,
> >
> > Reinier Battenberg
> > Director
> > Mountbatten Ltd.
> > +256 782 801 749
> > www.mountbatten.net
> >
> > Do you have a businessplan? Make your idea work: www.startyourbusiness.ug
> >
> > On Tuesday 01 December 2009 08:25:42 IT-Doc24 Ltd. - Rocco Radisch wrote:
> >> Hi Reinier,
> >>
> >> multi lan is if you maintain several local area networks all connected
> >> to the same Firewall.
> >>
> >> "Can you substantiate that statement with some URL's?"
> >> No, I can look if someone else discovered the same issue in the Forums.
> >>
> >> "It turns out"
> >> We discovered this in-house.
> >>
> >> Code of squid.inc:
> >> foreach ($ifaces as $iface) {
> >>     $rules .= "# Setup squid pass rules for proxy\n";
> >>     $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
> >>     $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
> >>     $rules .= "\n";
> >> };
> >>
> >> The rules are loaded before the custom configured rule-set. Meaning it
> >> will allow access to http servers from one LAN to the other LAN.
> >>
> >> Best regards,
> >> Rocco
> >>
> >> Reinier Battenberg wrote:
> >>> "it turns out"
> >>> Can you substantiate that statement with some URL's?
> >>>
> >>> Else, I don't consider it a true statement.
> >>>
> >>> And for non-networkies: what is Multi-LAN?
> >>>
> >>> rgds,
> >>>
> >>> Reinier Battenberg
> >>> Director
> >>> Mountbatten Ltd.
> >>> +256 782 801 749
> >>> www.mountbatten.net
> >>>
> >>> Do you have a businessplan? Make your idea work:
> >>> www.startyourbusiness.ug
> >>>
> >>> On Monday 30 November 2009 17:12:46 IT-Doc24 Ltd. - Rocco Radisch wrote:
> >>>> Hi Joseph,
> >>>>
> >>>> pfSense has modules to work either way, as normal web proxy or as a
> >>>> reverse proxy. If you need help we have done a couple of custom
> >>>> pfSense installations as well as custom re-programming of front and
> >>>> back-end. Furthermore, it turns out that the standard pf rules used in
> >>>> conjunction with a transparent web-proxy installation will open
> >>>> security flaws if used in a multi-wan & multi-lan set-up.
> >>>>
> >>>> Best regards,
> >>>> Rocco
> >>>>
> >>>> Reinier Battenberg wrote:
> >>>>> Hi Joseph,
> >>>>>
> >>>>> This seems more targeted at the other end of proxying.
> >>>>>
> >>>>> You can put this proxy in front of your website, which will take the
> >>>>> load off your apache server.
> >>>>>
> >>>>>
> >>>>>
> >>>>> rgds,
> >>>>>
> >>>>> Reinier Battenberg
> >>>>> Director
> >>>>> Mountbatten Ltd.
> >>>>> +256 782 801 749
> >>>>> www.mountbatten.net
> >>>>>
> >>>>> Do you have a businessplan? Make your idea work:
> >>>>> www.startyourbusiness.ug
> >>>>>
> >>>>> On Monday 30 November 2009 14:50:04 joseph mpora wrote:
> >>>>>> Pfsense has been pretty good for us, haven't seen need to change :)
> >>>>>>
> >>>>>> Joseph
> >>>>>>
> >>>>>> On 11/30/09, Emmanuel Mulo <[email protected]> wrote:
> >>>>>>> Hi all,
> >>>>>>>
> >>>>>>> I am not sure whether this information has been previously posted
> >>>>>>> on this mailing list, however I saw something about Yahoo traffic
> >>>>>>> server being released as open source. Since I have seen previously
> >>>>>>> a number of requests concerning proxy servers for load balancing,
> >>>>>>> content filtering etc... would be interesting to hear from any
> >>>>>>> sysadmins experimenting with this. It is used by Yahoo so it has
> >>>>>>> to be good for something no? :)
> >>>>>>>
> >>>>>>>
> >>>>>>> http://cwiki.apache.org/confluence/display/TS/Traffic+Server
> >>>>>>> http://ostatic.com/blog/guest-post-yahoos-cloud-team-open-sources-traffic-server
> >>>>>>>
> >>>>>>> Anybody who does something with it please update us.. at least I
> >>>>>>> would be interested to hear.. Joseph? Reinier?
> >>>>>>>
> >>>>>>> cheers
> >>>>>>> Mulo
> >>>>>>> _______________________________________________
> >>>>>>> LUG mailing list
> >>>>>>> [email protected]
> >>>>>>> http://kym.net/mailman/listinfo/lug
> >>>>>>> %LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
> >>>>>>>
> >>>>>>> The above comments and data are owned by whoever posted them
> >>>>>>> (including attachments if any). The List's Host is not responsible
> >>>>>>> for them in any way. ---------------------------------------
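
Added example (not part of the original thread and not pfSense code): a simplified Python model of pf rule evaluation, showing why quick pass rules loaded ahead of the user rule-set let port-80 traffic cross from one LAN to the other, and how the reordering described in the thread changes the verdict. The addresses, the proxy port 3128 and all helper names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (not from the thread): interface -> (firewall address, attached network)
IFACES = {"lan1": ("192.168.1.1", "192.168.1.0/24"),
          "lan2": ("192.168.2.1", "192.168.2.0/24")}

@dataclass
class Rule:
    action: str              # "pass" or "block"
    iface: str               # inbound interface the rule is bound to
    quick: bool = False
    dst_net: str = ""        # if set, match only this destination network
    not_self: bool = False   # models "to !($iface)": any dst except the firewall itself
    port: int = 0            # 0 means any port
    origin: str = "user"

    def matches(self, iface, dst, port):
        return (iface == self.iface
                and self.port in (0, port)
                and not (self.not_self and dst == IFACES[iface][0])
                and (not self.dst_net or ip_address(dst) in ip_network(self.dst_net)))

def evaluate(rules, iface, dst, port):
    """pf semantics: the last matching rule wins, but a matching 'quick' rule ends evaluation."""
    verdict = ("pass", "implicit default")   # plain pf passes when nothing matches
    for r in rules:
        if r.matches(iface, dst, port):
            verdict = (r.action, r.origin)
            if r.quick:
                break
    return verdict

def package_rules(port=3128):
    # Mirrors the quoted squid.inc loop: two quick pass rules per interface (3128 is assumed).
    return [Rule("pass", i, quick=True, not_self=True, port=p, origin="squid package")
            for i in IFACES for p in (80, port)]

USER_RULES = [Rule("block", "lan1", quick=True, dst_net=IFACES["lan2"][1])]  # intent: lan1 must not reach lan2

def verdicts(dst="192.168.2.10"):
    shipped = package_rules() + USER_RULES      # package rules first, as described in the thread
    reordered = USER_RULES + package_rules()    # user rule-set first, as proposed in the thread
    return {"shipped:80": evaluate(shipped, "lan1", dst, 80),
            "shipped:22": evaluate(shipped, "lan1", dst, 22),
            "reordered:80": evaluate(reordered, "lan1", dst, 80)}

if __name__ == "__main__":
    print(verdicts())
```

In the shipped order the user's block rule is never reached for port 80, while port 22 to the same host is still blocked, which is why the gap is easy to miss when testing with other services.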