Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-22 Thread Paolo Gentili
Hi,
Thanks a lot to everybody for coming into this discussion and for sharing
their experiences, which convinced me
to translate into a production environment with no problems!

Anyway, I still have some little doubts on implementing a DMZ containing all
the servers, behind NAT.
This is because I don't know how pfSense's NAT implementation can handle the
new internet applications/protocols
like AJAX or web services
or others that could make use of mechanisms like dynamic allocation of ports.

Don't you think pfSense (actually NAT) can suffer from this?

Again thanks to everybody!
Bye

Paolo


[pfSense-discussion] Is there SMTP Forward in PFSENSE

2007-12-22 Thread ASROFI
Dear friends,

1. I use my pfSense for a hotspot.
2. As you know, every laptop has its own SMTP configuration.
3. How do I enable any SMTP address to run on our hotspot using pfSense?

Thanks a lot for your help.


ASROFI


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-22 Thread Bill Marquette
On Dec 22, 2007 2:22 AM, Paolo Gentili [EMAIL PROTECTED] wrote:
> Anyway, I still have some little doubts on implementing a DMZ containing all
> the servers, behind NAT.
> This is because I don't know how pfSense's NAT implementation can handle the
> new internet applications/protocols
> like AJAX or web services

This is simple HTTP on port 80 (or wherever your web server lives).
Nothing new other than its use of the existing TCP port for transit
here.  What might be useful is describing how your previous firewall
was going to handle this.

> or others that could make use of mechanisms like dynamic allocation of ports.

That could cause you problems potentially.  But would be no different
in any other firewall that didn't already understand your protocol.  I
regularly force vendors to redesign their applications to not use
dynamic ports at work, it's a stupid design and really, there's zero
reason to do it (other than sheer laziness on the developers side - or
pissy legacy reasons when it comes to FTP, which is still not a good
excuse IMO).

> Don't you think pfSense (actually NAT) can suffer from this?

1:1 NAT (if you have enough IP space) and then it's just rules you
have to add.  Inbound, I don't expect you'll run into many of these.
Most applications you are likely to run on your server will stick to a
single inbound port.

--Bill


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-22 Thread Ron Lockard
I'm in full agreement with Chris.  The CD burning issue is not unique to 
pfSense.  It will happen with any system if you have bad compatibility 
between your CD/DVD burner, media, and your drive reading the result.  I've 
seen it with certain media with many other OSes given the wrong combination.  
This is not an issue with the OS, pfSense or any other system that has issues 
with booting from the CD/DVD media after it is burned.

I have some media that will repeat this problem almost every time and the same 
ISO burnt to some other media is rock solid every time.  

I bet if you verify the md5sum of the media you're having trouble booting from 
it will show the burn was bad when compared to the original ISO.  It's not 
pfSense.

Ron


On Friday 21 December 2007 8:19:40 pm Chris Buechler wrote:
> Jure Pečar wrote:
>> Since everyone is just singing praises, I'll add some things to look for
>> ;)
>>
>> Besides running it at home we run it on three production locations, which
>> are two server rooms and one fast growing wireless LAN.
>>
>> First bad experience: it is really touchy about the quality of your CD
>> burner and blank CDs. This mostly shows as mysterious crashes and kernel
>> panics during boot or later during install. It took us some time to
>> figure that out.
>
> I know a very small percentage of people have issues of this nature. On
> dozens of different systems I have used, I've never personally seen it,
> and the vast majority of users have never seen it.
>
>> Second bad experience: 1.0.1 leaves hw.ata.wc enabled by default (didn't
>> check 1.2), which ended up with one toasted fs after a power failure.
>> Fortunately config.xml was backed up :)
>
> 1.2 has that disabled, and also fixed some other issues that caused file
> system and/or configuration corruption. 1.2 beta/RC has been the
> recommended version for months now for this reason and others.
> Unfortunately we can't release 1.0 bug fix updates because we didn't tag
> that release in CVS; 1.2 will receive interim bug fix updates as
> necessary to address issues of this nature.
>
>> Third bad experience: once it's up it works rock solid, but there is a
>> kernel panic every now and then during boot or during shutdown. Again,
>> this is 1.0.1, haven't looked at 1.2.
>
> 1.2 should be better in that area, but those are likely FreeBSD issues
> specific to your hardware. If it's something you can replicate with 1.2,
> it might be worthwhile to install the developer kernel with debugging
> tools (an option during the install now), and get a backtrace. Start a
> new thread if you want to investigate in the future.
>
>
> For the original poster: The only really common issue going from a test
> environment into production, when replacing an existing firewall (which
> is common to any network device, not pfSense-specific) is ARP caches -
> your perimeter router, or your ISP's router (depending on the type of
> connection you have) has an ARP cache with your existing firewall's MAC
> address. When you change the firewall, it can take several hours for
> that cache to time out and recognize the new system. On Cisco routers,
> the ARP cache is 4 hours by default. You may need cooperation from your
> ISP if you don't have access to that router. If you do have access to
> the router, you can just power cycle it. Cable and DSL modems commonly
> require a power cycle to pick up a replaced system.
>
> Aside from that, which is common to any firewall migration regardless of
> software, we haven't seen any widespread issues with going from testing
> to production.
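Ron's suggestion of checking the md5sum of the burned medium against the original ISO, written out as an added example (this is not code from the thread or from the pfSense project). It hashes only the first <ISO size> bytes read back from the drive, because a burner pads the track with extra sectors past the end of the image, so hashing the whole device would never match. The device path and the ISO filename in the usage comment are assumptions; the hashing helper falls back to BSD `md5 -q` where GNU `md5sum` is absent.

```shell
#!/bin/sh
# Added example: verify that a burned CD/DVD reads back byte-for-byte
# identical to the ISO it was written from.

# Hash stdin with whatever MD5 tool the system has (GNU md5sum or BSD md5).
hash_stdin() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# verify_burn ISO DEVICE
# Returns 0 if the medium matches the ISO, 1 if the burn is bad.
verify_burn() {
    iso="$1"
    dev="$2"
    # Size of the image, in bytes; only this much of the medium is compared.
    size=$(wc -c < "$iso" | tr -d ' ')
    iso_sum=$(hash_stdin < "$iso")
    dev_sum=$(head -c "$size" "$dev" | hash_stdin)
    echo "iso:    $iso_sum"
    echo "medium: $dev_sum"
    [ "$iso_sum" = "$dev_sum" ]
}

# Usage on a real system (assumed paths; FreeBSD usually /dev/cd0, Linux /dev/sr0):
#   verify_burn pfSense-1.2-RC.iso /dev/cd0 && echo "burn OK" || echo "bad burn"
```

A mismatch here means the disc, not pfSense, is what is crashing during boot or install; re-burn on different media or at a lower speed and run the check again before blaming the OS.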


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-22 Thread Heiko Garbe
I have followed the thread but I don't understand it, not really. I
have many pfSense 1.2rcx
firewalls up and running around the world; what is your mission-critical
needed feature?


Sorry!
Greetings
Heiko
