Rocco,
Thanks for the heads up.
Disclaimer: I have directly contributed to a few bug-fixes in various
pfSense packages.
I just tested what you're saying and it's true. I can bypass inter-lan
block rules by routing my traffic through the squid-cache. Example:
telnet pfsenseboxip 80 > HTTP GET otherlanip
pfSense is a nice, simple, all-in-one system for people who don't want
to be bothered with manual firewall/traffic shaping implementations. As
far as I can tell, it works very well out of the box -- even for an
"enterprise" user.
Start adding downloadable packages, however, and everything goes to hell.
I absolutely despise pfSense's lack of quality control for their
downloadable packages. For example, NRPEv2 wouldn't even load on
startup because its /usr/local/etc/rc.d/ script didn't have a .sh
extension and the /etc/rc.start_packages only runs *.sh files.
Essentially, whoever released the package NEVER EVEN TESTED IT.
Snort wouldn't run properly on boot without modifications. Squid-cache
opens up this huge, rather obvious vulnerability that Rocco pointed out.
The list goes on and on and on.
IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Reinier,
I will put it on my long long list ;-) and if I had more time I would
consider contributing. It's a great product but development is quite
slow due to lack of people.
regards,
Rocco
Reinier Battenberg wrote:
Well, only one way to find out: post the bug (again ;-) )!
(I wouldn't downplay the use of pfSense; its use is for whoever finds
it a handy tool. I know Kyle at IMG is using it. I think that could
easily be considered an enterprise.)
rgds,
Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net
Do you have a businessplan? Make your idea work:
www.startyourbusiness.ug
On Tuesday 01 December 2009 09:25:40 IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Reinier,
I know and I think I tried to submit a bug fix report. We discovered
that issue already 2 years ago. I guess my English was too weak at this
time ;-)
Furthermore, the only way to fix it without altering the basic usage of
pfSense is to shift the rules which allow the transparent proxy traffic
(port 80) to be loaded after the user rule-set. As far as I understood
the programming framework, all the package scripts are loaded before the
custom user rule-sets. If you set a rule to generally block private IP
traffic from one LAN to the other LAN, you won't be able to
intentionally allow traffic via the user rules. So it seems that it is
not an easy fix and pfSense is not meant for enterprise usage, hence
most people won't mind (I guess).
Best regards,
Rocco
Reinier Battenberg wrote:
Hi Rocco,
Well, if you found a bug in a FOSS project, the best thing to do is to
make sure it gets in the next release. That way, you won't have to patch
all the servers you are maintaining in the future. And so will all other
pfSense users worldwide.
I guess pfSense has a bugtracker where you can post your fix.
rgds,
Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net
Do you have a businessplan? Make your idea work:
www.startyourbusiness.ug
On Tuesday 01 December 2009 08:25:42 IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Reiner,
Multi-LAN is if you maintain several local area networks all connected
to the same firewall.
"Can you substantiate that statement with some URL's?"
No, I can look if someone else discovered the same issue in the Forums.
"It turns out"
We discovered this in-house.
Code of squid.inc:
    // $ifaces holds the LAN interfaces the proxy listens on and $port the
    // proxy port; both are defined elsewhere in squid.inc.
    foreach ($ifaces as $iface) {
        $rules .= "# Setup squid pass rules for proxy\n";
        // 'quick' means the first match wins, so these pass rules win
        // before any later user rule is ever looked at.
        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
        $rules .= "\n";
    }
The rules are loaded before the custom configured rule-set. Meaning it
will allow access to http servers from one LAN to the other LAN.
Best regards,
Rocco
Reinier Battenberg wrote:
"it turns out"
Can you substantiate that statement with some URLs?
Else, I don't consider it a true statement.
And for non-networkies: what is Multi-LAN?
rgds,
Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net
Do you have a businessplan? Make your idea work:
www.startyourbusiness.ug
On Monday 30 November 2009 17:12:46 IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Joseph,
pfSense has modules to work either way, as normal web proxy or as a
reverse proxy. If you need help we have done a couple of custom
pfSense installations as well as custom re-programming of front and
back-end. Furthermore, it turns out that the standard pf rules used in
conjunction with a transparent web-proxy installation will open
security flaws if used in a multi-wan & multi-lan set-up.
Best regards,
Rocco
Reinier Battenberg wrote:
Hi Joseph,
This seems more targeted at the other end of proxying.
You can put this proxy in front of your website, which will take the
load off your apache server.
rgds,
Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net
Do you have a businessplan? Make your idea work:
www.startyourbusiness.ug
On Monday 30 November 2009 14:50:04 joseph mpora wrote:
pfSense has been pretty good for us, haven't seen need to change :)
Joseph
On 11/30/09, Emmanuel Mulo <[email protected]> wrote:
Hi all,
I am not sure whether this information has been previously posted
on this mailing list, however I saw something about Yahoo traffic
server being released as open source. Since I have seen previously
a number of requests concerning proxy servers for load balancing,
content filtering etc... it would be interesting to hear from any
sysadmins experimenting with this. It is used by Yahoo so it has
to be good for something no? :)
http://cwiki.apache.org/confluence/display/TS/Traffic+Server
http://ostatic.com/blog/guest-post-yahoos-cloud-team-open-sources-traffic-server
Anybody who does something with it please update us.. at least I
would be interested to hear.. Joseph? Reinier?
cheers
Mulo
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them
(including attachments if any). The List's Host is not responsible
for them in any way. ---------------------------------------
--
Kyle Spencer,
Information Technology Manager,
International Medical Group
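To make Rocco's ordering argument concrete, here is a small model of pf's rule evaluation (last match wins, unless a matching rule is 'quick') with the squid.inc pass rules placed either before or after the administrator's block rule. This is an added example written for this thread, not code from pfSense or from anyone on the list; the interface names, addresses, proxy port and the assumption that pfSense user rules are 'quick' and end in a default block are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model: two LAN interfaces behind one pfSense box (example values).
IFACES = {"lan1": "192.168.1.1", "lan2": "192.168.2.1"}

@dataclass
class Rule:
    action: str          # "pass" or "block"
    quick: bool          # pf 'quick': stop evaluating on match
    iface: str           # "in on <iface>"
    src: str             # CIDR or "any"
    dst: str             # CIDR, "any", or "!<addr>" for pf's !(iface) negation
    port: Optional[int]  # destination TCP port; None means any port

def _net_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.iface == pkt["iface"]
            and _net_match(rule.src, pkt["src"])
            and _net_match(rule.dst, pkt["dst"])
            and rule.port in (None, pkt["dport"]))

def evaluate(rules: list, pkt: dict) -> str:
    """pf semantics: last matching rule wins unless a matching rule is quick.
    Assumed default block at the end of the ruleset (pfSense adds one)."""
    decision = "block"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision

def squid_rules(proxy_port: int = 3128) -> list:
    """Same shape as the squid.inc loop quoted above: on every LAN interface,
    pass in quick TCP to anything but the interface address, on 80 and the proxy port."""
    return [Rule("pass", True, iface, "any", "!" + addr, port)
            for iface, addr in IFACES.items() for port in (80, proxy_port)]

def user_rules() -> list:
    # Administrator's intent: nothing from lan1 may reach lan2 (user rules assumed quick).
    return [Rule("block", True, "lan1", "192.168.1.0/24", "192.168.2.0/24", None)]

def decision_for_order(package_rules_first: bool, dport: int) -> str:
    ruleset = squid_rules() + user_rules() if package_rules_first else user_rules() + squid_rules()
    pkt = {"iface": "lan1", "src": "192.168.1.10", "dst": "192.168.2.20", "dport": dport}
    return evaluate(ruleset, pkt)
```

With the package rules first, a lan1 host reaching a lan2 web server on port 80 is passed despite the block rule; with the user rule-set first, or on any port the proxy rules do not cover, it is blocked.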