Re: [pfSense-discussion] FreeNAS
On 24.01.2009 at 11:13, Eugen Leitl wrote:
> A customer/friend of mine needs a large (some 10 TByte) online storage.

Ten TB?
OpenSolaris 2008.11
That is, if you don't actually want to go with one of SUN's new appliances.
What financial value do these 10TB represent?

Rainer
-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] Website filtering with pfSense on alix
Gary Buckmaster wrote:
> Mark Dueck wrote:
>> Hi everyone,
>> Is it possible to do website filtering on an Alix board? I set up some businesses with gateways using squid and dansguardian to blanket-block the internet, and then allow access on a per-IP basis or allow certain websites for the rest of the users. Is this possible on an Alix board using a CF by turning off caching, but using dansguardian? I have seen others asking the same, but not seen any replies. Or can this be set up using rules?
>> Thanks.
>
> Mark,
> No, the embedded platform does not work with packages. Further, squid is an extreme resource hog and would kill most Alix board resources even under fairly light load. Lastly, Dansguardian isn't licensed to be free for commercial use, so you may well be violating their license by installing it for businesses.
> -Gary

Well, with rules only, I guess it would work if you only have a handful of websites (B2B scenario) that are OK to visit.

Rainer
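The "rules only" approach from the reply above, written out as an added example in pf.conf syntax (pfSense generates pf rules like these from its GUI; this block is not from the thread or from the pfSense project). The interface name, LAN network, host addresses and site names are assumptions chosen for illustration.

```pf
# Added example, not from the original thread or from pfSense.
# Interface name, network, addresses and hostnames are assumptions.
lan_if  = "vr1"
lan_net = "192.168.1.0/24"

# Hosts that may reach any website (the per-IP allow from the post)
table <unrestricted> { 192.168.1.10, 192.168.1.11 }

# The handful of sites everyone else may visit. pf resolves these
# names only when the ruleset is loaded, so the table is reliable
# only for sites with stable addresses; reload it (pfctl -f) when
# they change.
table <allowed_sites> { www.example.com, partner.example.net }

set skip on lo0

# Default deny for everything arriving from the LAN
block in log on $lan_if from $lan_net to any

# Clients still need DNS, otherwise the permitted names never resolve
pass in quick on $lan_if proto udp from $lan_net to any port domain

# Unrestricted hosts: any web destination
pass in quick on $lan_if proto tcp from <unrestricted> to any port { http, https }

# Everyone else: only the allowlisted destinations
pass in quick on $lan_if proto tcp from $lan_net to <allowed_sites> port { http, https }
```

The check a practitioner should do before relying on this: `pfctl -t allowed_sites -T show` lists the addresses the names actually resolved to. The filter matches destination IP, not hostname, so a permitted site on shared hosting or a CDN silently allows every other site behind the same addresses (or breaks when the addresses rotate). That is exactly why this only scales to a handful of B2B destinations, as the post says; a name-aware proxy is needed beyond that.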
Re: [pfSense-discussion] Captive Portal on pfsense
Chris Buechler wrote:
> On Tue, Jul 15, 2008 at 8:38 AM, muhammad panji [EMAIL PROTECTED] wrote:
>> Dear All,
>> Hi, I started searching for options to implement a captive portal on my campus hotspot and I think the pfSense captive portal will make it easier. I'm not really familiar with wireless technology. If I'm not mistaken, my campus bought some Linksys WRT54G Wireless Routers. I want to ask:
>> - What is the difference between the Linksys WRT54G and the Linksys WAP54G in terms of how they basically operate? Up to now what I know is that the WAP does bridging to the wired network and the WRT does routing.
>
> You would likely deploy WRTs in bridged mode anyway since you're using them as just APs, so for your purposes the two should be functionally equivalent.
>
>> - If I have four Access Points, does that mean that I have to have four different networks which are routed to the pfSense LAN network?
>
> No, you can bridge all four to the same network.

If you have more than one AP, don't you need ones that can do mesh-networking, so you can hand over a connection to another AP in case the user moves?
I'm not very familiar with building large-scale WLANs, but AFAIK it's a little more than just buying enough APs and placing them in the right spots...

cheers,
Rainer
Re: [pfSense-discussion] Captive Portal on pfsense
RB wrote:
>> I'm not very familiar with building large-scale WLANs, but AFAIK it's a little more than just buying enough APs and placing them in the right spots...
>
> I am, and it actually is just that. If you already have UTP ports within 300' of the AP locations, it's by far the most effective route - then you only have to worry about channelization and overlap.

That's what I was thinking: isn't it a problem to have two APs with the same SSID (and maybe the same channel) in reach of each other? Don't the clients get confused? Or are the drivers usually smart enough not to flap between the two?
Sorry, I'm just curious...

Regards,
Rainer
[pfSense-discussion] [Fwd: Re: Linux SMP network performance measurements]
Hi,
this may be of interest to people here.
Via the FreeBSD-current mailing-list - apologies if you read that, too.

cheers,
Rainer

---BeginMessage---
Stefan Lambrev wrote:
> Thierry Herbelot wrote:
>> gives some measurements on various tweakings of an SMP machine with 4 Xeon processors (it *shows* a nice improvement when using more CPUs and more bonded Ethernet interfaces). Has someone the machine (and the time, obviously) to make some of the same measurements with the latest FreeBSD versions?
>
> I'm planning to test network performance on FreeBSD + bridged interfaces very soon, but my test servers are not as powerful as the server from this page :) The best that I'll have is 1x quad core processor, a 4 port gigabit Intel network card and 2GB RAM.

I did some testing about a year or two ago and with a recent current of about 2 months ago. I found that generally SMP was a performance regression for the workload I tested - forwarding and filtering. The single most significant contributor to network performance is level 1 cache size. I believe that the extreme cost of mutex acquisition on Intel CPUs is the main culprit for the SMP network performance regression. Coupled with the minuscule L1 cache size on the entire Intel CPU product line, this gives pretty poor network performance.

Forwarding (routing between multiple interfaces) and filtering (ipfw), IIRC with a quad Intel e1000 NIC:

Dual Intel Xeon 2.8GHz:    240Kpps   12k L1 cache
Single Intel Xeon 2.8GHz:  380Kpps   12k L1 cache
Core 2 Duo 1.8GHz:         420Kpps   12k L1 cache
Single Pentium-M 1.8GHz:   550Kpps   32k L1 cache
Dual AMD Opteron 2GHz:     890Kpps   64k L1 cache
Single AMD Opteron 2GHz:   970Kpps   64k L1 cache

All these hosts had 255 vlan interfaces with about 3000 routes and about 3 firewall rules, with a good spread of packets between the interfaces, with polling and fastforwarding. I struggled to generate enough packets to load the AMD routers.

I was interested in SMP due to additional processing for netflow accounting and packet rate monitoring for DDoS detection and mitigation. I recommend to anyone using FreeBSD as a router or for any serious workload to just plain forget about using Intel CPUs.

Ian
--
Ian Freislich
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to [EMAIL PROTECTED]
---End Message---
Re: [pfSense-discussion] full instalation on 4 GB SSD
Paul M wrote:
> Eugen Leitl wrote:
>> I was thinking a real 2.5" SSD would have an MTBF comparable to a real hard drive (SanDisk claims 2 Mh MTBF, can't find any such for the Hama SSD, which is a bargain at about 100 EUR for 4 GByte, which probably already answers my question).
>
> I think that proper SSD units designed to replace a regular magnetic hard drive have to have very sophisticated wear-levelling algorithms, and probably have an intermediate store for written data, e.g. some battery-backed SRAM or non-wearable memory.

Yeah, like this one:
http://www.superssd.com
Of course, unless you're prepared to spend a six-figure sum, you don't need to think about buying one of those kits.
For a busy mail scratch-dir, this should do wonders.
For a firewall: probably overkill...

Rainer
Re: [pfSense-discussion] full instalation on 4 GB SSD
Curtis LaMasters wrote:
> Honestly I don't know the answer to your questions, but keep this in mind: pfSense loads from disk/flash/cd and then runs completely from RAM.

I think this is true only for the embedded version.
The full version (with packages et al.) will quite probably use disk I/O.
I've thought about using a 4 GB Microdrive, but never got around to doing it.

cheers,
Rainer
Re: [pfSense-discussion] Dynamic DNS
Stefan Tunsch wrote:
> I'm talking about the integrated dyndns client. Luckily I installed the ADSL with the dynamic IP address on the WAN interface... How can I report an IP other than the WAN IP?

I think he said next version. Or did I misread that?
Bear with them - they're probably going to have to take a vacation, now that the release is actually out ;-)

cheers,
Rainer
Re: [pfSense-discussion] IDS yet?
Daniel S. Haischt wrote:
> Besides that, I always thought Snort is first and foremost an IDS and not an IPS...

It can do both, IIRC.
But commercial IDS/IPS products have been blurring the line between these two purposes for years - up to a point where I think there is no real distinction possible anymore. Just like various intelligence-techniques have blurred the line between packet filter and application firewall in the commercial-firewall world.
At least in this respect, pfSense is still a clear packet-filter only ;-)
And ideally, it should stay this way, while analyzing packet-content should occur elsewhere (because it also needs much more CPU-power).

cheers,
Rainer
Re: [pfSense-discussion] artwork
On 21.06.2006 at 21:18, Scott Ullrich wrote:
> On 6/21/06, Bill Marquette [EMAIL PROTECTED] wrote:
>> That's kind of inflammatory, but change the theme to pfsense and you'll have the ugly old look back.
>
> It is indeed inflammatory and I would go as far as to say it is rude and a slap in the face to Holger, one of the people that have helped this project more than anyone else (even me). An apology is in order, otherwise I will be deleting any ticket that I ever see with your email address attached.

I wouldn't go so far - this is really a question of taste. It's his opinion.
OTOH, I can't imagine making the above (=thread-opening) statement myself - but I never used m0n0wall myself, either.
This is an OSS-project, for which 95% of all conflicts (and 100% of the "this looks... it should look like"-conflicts) should be endable with a simple "Either put up or shut up".

cheers,
Rainer
Re: [pfSense-discussion] No altq support on linitx.com appliances? Also, plug for packaging on embedded version.
Christoph Hanle wrote:
> Carl Youngblood wrote:
>> On 5/2/06, Scott Ullrich [EMAIL PROTECTED] wrote:
>>> On 5/2/06, Carl Youngblood [EMAIL PROTECTED] wrote:
>>>> I am new to pfsense and have a question and a suggestion. I just installed pfsense on a brand new appliance that we bought from linitx.com, found here:
>>>> http://linitx.com/product_info.php?cPath=4products_id=909osCsid=9be4eef80f6c2fa682ad294a2e92d3dc
>>>> It seems to work well, except that when I go to the traffic shaping menu item, it says that my interface doesn't support altq. This is critical to us, as we use voip for our phone system. Any suggestions? I would be surprised to hear that there isn't some way to do QoS on this brand new device.
>>>
>>> Which device? If it says that ALTQ is not supported then it's not, unfortunately.
>>
>> Realtek 8169 for the 5 100 Mbit ports
>> Realtek 8139 for the 1 Gigabit port
>
> IMHO these chipsets are a joke and not usable in a firewall or router. You will get a lot of trouble with this scrap. I had similar boxes running with pfSense and m0n0wall and trouble with the stability and performance of some connections. After replacing the boxes with smaller PCs with real NICs the problems vanished.

I think the latest-generation RealTeks are not that bad - I may be wrong, because I avoid them like the plague myself, but ISTR having read somewhere that the latest generation is somehow better than the 1st generation (on which the comment in the source is really targeted).

cheers,
Rainer
Re: [pfSense-discussion] No altq support on linitx.com appliances? Also, plug for packaging on embedded version.
Chris Buechler wrote:
> Rainer Duffner wrote:
>> I think the latest-generation RealTeks are not that bad - I may be wrong, because I avoid them like the plague myself, but ISTR having read somewhere that the latest generation is somehow better than the 1st generation (on which the comment in the source is really targeted).
>
> I've heard the same thing.

Just stumbled upon it:
Theo mentioned it in the latest interview with kerneltrap.
http://kerneltrap.org/node/6550
;-)

cheers,
Rainer
Re: [pfSense-discussion] Setup advice wanted, devices for public library
On 29.03.2006 at 00:25, Josh Stompro wrote:
> Anyone have recommendations for 2.5 inch hard drives for this sort of application?

Hitachi.
http://www.hitachigst.com/tech/techlib.nsf/techdocs/79EC6FC280F57A2A86256D630067D507/$file/Travelstar_E7K60_100504.pdf

> Has anyone thought of how a pfSense manager would work, something that would control a large deployment of pfSense firewalls?

I guess this is on the road-map (or in the heads of the developers) - why else go with the overhead of XML-RPC for the communication between front-end and backend?
At least, that's what I make of it. I hope it will be available at some point. - I haven't thought about what it should look like - perhaps one of the developers would like to comment on how much of the groundwork is already done and what is missing?
I'm more concerned about how on earth I'm going to collect and correlate the logs. Does the prelude pflog-lml for OpenBSD also work on FreeBSD (I didn't have a chance yet to try it out)?

cheers,
Rainer
Re: [pfSense-discussion] throughput - cpu, bus
On 14.03.2006 at 20:52, Greg Hennessy wrote:
> I'd love to get the chance to throw an Avalanche at a decent system running PF to see what it really can stand up to.

Andre Oppermann is working on that.
http://people.freebsd.org/~andre/
But the results won't show up until 7.0 is released, which looks to be sometime in 2007.
http://www.freebsd.org/releng/index.html

Rainer
Re: [pfSense-discussion] pfSense merge with freebsd?
DarkFoon wrote:
> So the question is, if I jumper the drive to limit it to 32GB so the darn computer will actually boot (the BIOS freezes detecting the drive), can I get FreeBSD to recognize all 300GB? I probably should check the FreeBSD man pages, but being as ill as I am right now, I feel like asking you guys first (y'all seem nice enough ;) )

You can try "dangerously dedicated" mode - now under the wizard mode in the fdisk editor, where you create the partitions.
But I guess any 75$ PC from ebay will correctly detect and work with a 300 GB disk nowadays. Is your time worth so little? :-)

Rainer
Re: [pfSense-discussion] Clients... ugh
DarkFoon wrote:
> APPLIANCE! That's the word I was looking for! Thank you! Yes, my client means what you said: an appliance, which is plug in, go to the web interface, click, click, click and it works. He has one of those (appliance) already, but like I said, it's some piece of crap. It can't do hardly anything. I mean, I use m0n0wall (because I like using a CD-ROM instead of a harddisk) and it's got so many functions that I don't use. And pfSense has more, but my client could use some of them. I didn't know that I could do pfSense on a WRAP. I thought pfSense needs a harddisk (for swap and such), and I thought WRAP uses CF (which swap will wear out quickly). But the idea of a 1U rackmount unit is nice. I'll still look around for some commercial appliances that have the same features, but I'll try to push for pfSense with this renewed information.

IMO, the only thing that can match and exceed pfSense is a Juniper-Netscreen appliance. (I think they can do Active-Active clustering for bridging, too.)
But the bigger ones can be 10x as expensive as a similar machine built with pfSense. Multiply by 2 for a HA-solution...
If you can afford it, go Netscreen. If not, pfSense or raw OpenBSD ;-)

> My question still stands, though: does anybody know of a commercial (linksys, d-link, and such) firewall/router appliance (that's so much faster to type) with the features my client wants?
> thanks

http://www.juniper.net/products/integrated/

I see that Tyan now also makes appliance-barebones:
http://www.tyan.com/products/html/network.html
I'm not sure if the onboard crypto-accelerator really supports FreeBSD - Cavium do mention FreeBSD on their website and it seems that some boards of the series are actually supported.
Those would really make killer-appliances, but I haven't seen them sold anywhere and the price tag is probably high.

cheers,
Rainer
Re: [pfSense-discussion] block port 25
dny wrote:
> On 12/24/05, Rainer Duffner [EMAIL PROTECTED] wrote:
>
> exactly what I need. Can you please give more detail? Perhaps a step-by-step guide will be greatly appreciated.

This reading-list might be useful:
http://www.oreilly.com/catalog/fire2
http://www.oreilly.com/catalog/mfreeopenbsd
http://www.oreilly.com/catalog/postfix
[insert various other mailserver-oriented books/links here, personally I'd use qmail, but others hate it, so use whichever you find easiest]

Maybe a category for these types of questions could be added to the wiki.

cheers,
Rainer
Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
Chris Buechler wrote:
> Sanjay Arora wrote:
>> Hi all
>> Just joined the list. Am mostly using IPcop and other Linux flavours for perimeter firewalling. Needed ISP WAN-link balancing and failover, hence my search for a new option. Also have started experimenting with FreeBSD, so the choice was limited to either FreeBSD or Linux. Have downloaded the iso... will install on a Pentium III 550 MHz and revert with feedback within the week.
>> My thought is that any perimeter firewall should be a minimal design. Would not having php on pfSense make it vulnerable to php vulnerabilities, as well as those of apache? Haven't exactly tried it, so really haven't the right to comment on it, but would the community please comment on this and other similar issues inherent in this architecture design?
>
> This part of the architecture has changed slightly from m0n0wall I believe, so if I go astray here, somebody kick me back into shape. ;)
> Basically, you can't get to PHP without first being authenticated. At this point, if you're authenticated, you have root access to the box. So who cares about any PHP vulnerabilities when you already have root access? And, as others said, most PHP problems are from sloppy PHP code, not issues within PHP itself.
> Besides, the ability to even attempt to login is restricted to LAN only by default, and if you're in a situation where you have to worry about what your internal users can attempt on the firewall, you can and should restrict that further. It's not like PHP is doing the actual firewalling.

As an addition to this:
If somebody doesn't like PHP on his firewall, he can just go back, install OpenBSD 3.8 and use vi to edit the rulesets and all the other configuration-options (VLANs, NAT, VPN etc. pp.).
Until there's a multi-user, multi-customer capable interface that allows several virtual firewalls to be administered by different clients/customers, I'm not going to worry about PHP-security one single second.
Firewalls which are managed by a fat-client GUI also had their share of vulnerabilities, precisely because the communication between the GUI and the firewall was badly designed or implemented.

cheers,
Rainer
Re: [pfSense-discussion] Restricted viewing...
Scott Ullrich wrote:
> Sure it's possible. Are we planning to do this soon? Not on the list.

I'd also vote for pushing this far behind.
Perhaps somebody has got an idea how to get a per-customer user-interface implemented so that the individual customers can view AND edit their own rules. I.e. to designate vlan20, vlan21 and vlan22 to customer Mr X and let him work out the rules.
Everything else can be dealt with by other means (I plan to syslog to another server and try to collect the data in Prelude (http://www.prelude-ids.org)) and IMO no developer-minute should be wasted on this matter otherwise.

cheers,
Rainer
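The per-customer delegation the post asks for (Mr X owns vlan20-22 and edits only their rules) is something pf itself supports with anchors, independent of any GUI. The following is an added example in pf.conf syntax, not from the thread or from pfSense; the interface names, the customer name, file paths and the sample rules are assumptions.

```pf
# Added example, not from the original thread or from pfSense.
# Interface names, customer name, paths and rules are assumptions.
#
# Main ruleset (/etc/pf.conf): the operator keeps control here.
set skip on lo0
block in log all

# Everything arriving on Mr X's VLANs is handed to his anchor. The
# "in on { ... }" filter on the anchor rule means rules loaded into
# the anchor are only ever evaluated for inbound packets on these
# three interfaces, so whatever he puts there cannot touch other
# customers' traffic or the operator's own rules below.
anchor "customers/mrx" in on { vlan20, vlan21, vlan22 }

# Operator rules that must win regardless of the customer's anchor
# go after it with "quick" (last match wins otherwise).
block in quick on { vlan20, vlan21, vlan22 } proto tcp to port 3389

# ---------------------------------------------------------------
# Per-customer file (/etc/pf.customers/mrx.conf), loaded and
# inspected separately from the main ruleset:
#   pfctl -a customers/mrx -f /etc/pf.customers/mrx.conf
#   pfctl -a customers/mrx -s rules
# Granting Mr X just these two commands (e.g. via sudo) gives him
# "view AND edit" on his own rules and nothing else.
#
# pass in quick on vlan20 proto tcp to port { http, https }
# pass in quick on vlan21 proto tcp to port 22
# block in quick on vlan22 all
```

The caveat to verify before handing out that sudo rule: `pfctl -a customers/mrx -s rules` shows only the customer's anchor, but `pfctl -a customers/mrx -f` accepts any pf syntax, including `nat`/`rdr` on older releases and rules naming other interfaces. The anchor rule's `in on { ... }` filter is what keeps those from matching anything outside his VLANs, so the delegation is only as good as that one line in the main ruleset.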
Re: [pfSense-discussion] FFS bad disklabel
Rajkumar S wrote:
> Scott Ullrich wrote:
>> Try out http://www.pfsense.com/~sullrich/FreeSBIE.iso which has a few installer tweaks. We're still actively hunting this bug down.
>
> Still the same error. I have accepted all default options. No separate partitions, full 40GB in a single slice and in that a single / and swap.

I think you must use a disk that is (much) smaller. 9 GB SCSI worked for me, finally.
Of course, pfSense needs to be fixed, too, but in the meantime that's the best solution.
Or is it motherboard-dependent? This is on rather old P3-motherboards, does it work on modern Socket 458 or 604 (or 754 or 939?) motherboards? Because if not, I will have serious trouble finding such disks for our production-server... new disks especially. Who wants to build a critical firewall from ebay-parts? ;-)

cheers,
Rainer