[pfSense-discussion] OpenSSH version bump

2006-05-06 Thread Randy B

Any idea when/if we might go to version 4.3+?  I've just set up a
full-on VPN with its new TUN/TAP support on my Linux boxes, and I
must say it's got to be the easiest full-IP tunnel I've ever done -
I'd absolutely love to mess around with setting up pfSense support for
it (after, of course, fulfilling my commitment to work on getting
OpenNTPD running... ;-) )

In short, I just used a TAP device (ssh_config directive Tunnel
ethernet), bridged it with the host's LAN interface, DHCPed the
client-end TAP device, routed all client-side traffic over the TAP
device (less that to the host, of course) and away I went.  Now I'm
surfing through my network at home, from Mexico.  I think this is so
good, it's very well worth scripting up something to make it even more
accessible.  *oh yeah*.

RB
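An added example (not from the post or the pfSense project) of the OpenSSH configuration behind the setup described above: the server permits a layer-2 tunnel for one account and pins it to tap0, and the client requests the TAP tunnel and hands post-connect work (DHCP, routing) to a hook. It assumes the hostname vpn.example.net, the user rb, a server LAN bridge br0, and two assumed helper scripts, tap-bridge-up and tap-routes-up; the per-user Match block and the key-bound tunnel="0" go a little beyond the post, so that only that client can bridge into the LAN.

```sshconfig
# --- server side: /etc/ssh/sshd_config ---
# Layer-2 (tap) tunnels are off by default.  Enable them only for the VPN
# account: anyone it lets in can bridge straight into the LAN, so keep the
# grant narrow rather than a global "PermitTunnel yes".
Match User rb
    PermitTunnel ethernet

# --- server side: ~rb/.ssh/authorized_keys (single line, key elided) ---
# tunnel="0" pins the server end to tap0 so the bridge hook always knows
# which device to attach; the forced command is an assumed helper that runs
# "brctl addif br0 tap0" (bridge-utils) and then idles for the session.
#   tunnel="0",command="/usr/local/sbin/tap-bridge-up",no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...

# --- client side: ~/.ssh/config ---
Host home-vpn
    HostName vpn.example.net      # assumed hostname of the box at home
    User rb
    Tunnel ethernet               # TAP (layer 2) as in the post; point-to-point would give TUN
    TunnelDevice 0:0              # local tap0 : remote tap0 (matches tunnel="0" above)
    ExitOnForwardFailure yes      # drop the session if the tunnel cannot be set up
    PermitLocalCommand yes
    # Assumed helper, run once the session is up: dhclient tap0, add a host
    # route to vpn.example.net via the real gateway, then point the default
    # route at tap0.  The host route is what keeps the SSH session itself
    # from being routed into its own tunnel ("less that to the host").
    LocalCommand /usr/local/sbin/tap-routes-up
# Opening tap0 needs CAP_NET_ADMIN, so run "ssh home-vpn" as root or
# pre-create the device with "ip tuntap add dev tap0 mode tap user rb".
```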


Re: [pfSense-discussion] Nokia IP330

2006-04-06 Thread Randy B
  Looking at the dmesg from sifter - it looks pretty good -

Ironic - these are precisely the same specs as the box I'm running
pfSense on, but it's just an old HP.  I've cobbled on a few extra
parts (like a 20GB drive, an extra fan, and an Athlon XP HSF), but it
runs very nicely and quietly.

K62-300 +256M is


Re: [pfSense-discussion] Nokia IP330

2006-04-06 Thread Randy B
I hate GMail sometimes.

K62-300 +256M is nearly perfect - quiet, but plenty of power to handle
most network loads I can throw at it.

On 4/6/06, Randy B [EMAIL PROTECTED] wrote:
   Looking at the dmesg from sifter - it looks pretty good -

 Ironic - these are precisely the same specs as the box I'm running
 pfSense on, but it's just an old HP.  I've cobbled on a few extra
 parts (like a 20GB drive, an extra fan, and an Athlon XP HSF), but it
 runs very nicely and quietly.

 K62-300 +256M is



[pfSense-discussion] RRD graphs

2006-03-29 Thread Randy B
I like! I like!

Never knew how much I liked historical graphs on my firewall until I
saw these; it makes sense, since I stare at a 40" plasma running
ArcSight all day.  Bravo!

I know there's a thread somewhere that Scott names the author, but I'm
too lazy to go pick it out.  Kudos!


RB


Re: [pfSense-discussion] Traffic Shaper wizard thoughts

2006-03-26 Thread Randy B
Understood.  Next month I'll have some free time and will try to sit
down and chew through it myself to understand better.  Appreciate all
your work as-is!

RB

On 3/26/06, Bill Marquette [EMAIL PROTECTED] wrote:
 On 3/21/06, Josh Stompro [EMAIL PROTECTED] wrote:
  I think this would be a great idea, I am also in this boat where I would
  like to shape on more than one interface.  I realize it can be done
  manually, but it would be nice if the wizard took care of it.
 
  Is there any more documentation on pfsense's traffic shaping that what
  is listed in the monowall handbook?
  http://doc.m0n0.ch/handbook/trafficshaper.html
 
  I would like to limit the opt interface to 384kbits up/down and
  guarantee that a certain machine or machine's on the lan side get higher
  priority than anything else, for any traffic they send. Along with the
  Ack rules so that downloads don't kill latency.  Since you can only
  shape traffic what is sent on an interface, the Wan queue has to deal
  with limiting traffic coming from opt1, which I don't understand how to
  do yet.

 The code to do this got backed out 9 months ago.  It'll be put back in
 later after I get positive feedback on the current code.  I'm tired of
 tracking down shaper bugs and trying to get the simple stuff we have
 working right (it should now, but I want to work on other stuff for a
 while - I'm kinda burnt out on it).

 --Bill



[pfSense-discussion] Traffic Shaper wizard thoughts

2006-03-18 Thread Randy B
Not being very familiar with the traffic shaper, I find it hard to
fully grasp yet (all the queues and such), but something you might
consider adding eventually is an ultra-simple shape by interface
setup.

For example - I have a LAN, a DMZ, and an untrusted wireless DMZ.  I
want the LAN and DMZ to have unfettered, top-priority access to the
WAN bandwidth, and give some of what's leftover to the wireless DMZ,
with a cap of, say, 512Kb/s.

I _think_ I have most of this set up, but had to go through several
iterations of the wizard and cutting out chunks it added in to get it
where I want it.  Now I have to go test.

Anyone else smell what I'm standing in?  Is this a bad or untenable idea?


RB


[pfSense-discussion] Everything else sucks

2006-03-10 Thread Randy B
I've spent the last month making a grand tour of the firewall world -
tried everything from IPCop to Smoothwall, a fully-licensed PIX-515E
from work to m0n0wall, and I still come back to pfSense.  Not only is
this my hobby, I oversee a flock of ~70 PIXen & FWSMs at work every
day.

There's just nothing quite as feature-rich, easy to use, or quick to
set up.  GNAP comes close, and I'm working on making some custom
extensions to it that may draw me away from pfSense again, but making
it do 95% of what I want takes _so long_.  I just wish I was more
conversant with *BSD so I could really dig under the covers like I did
on the Linux-based ones, even though I was greatly disappointed when I
did.

Granted, you're going to get more horsepower, support, and scalability
with a commercial appliance, but they leave out things that should be
simple - like setting up port-forwarding.  Then there are the *really
nice* things, like 3rd-party extensions.

Like I said, I may be drawn away again some day, but for the time
being I'm back to stay.  In that light, is there anything newer than
Beta-2?

RB


Re: [pfSense-discussion] CARP leak... revisited

2006-01-30 Thread Randy B

Scott Ullrich wrote:

This was fixed right after b1.

Upgrade to http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-1-29-06/



Good enough; a step and a half in front of me.  Thanks!


[pfSense-discussion] CARP leak... revisited

2006-01-29 Thread Randy B
If some of you will recall, quite some time ago I complained that I 
found that CARP was being transmitted on my untrusted interfaces between 
a couple of test boxes in a lab instead of on their synchronization 
interface; something that the rest of the list seemed to think a 
non-issue.  It has arisen again, this time rather more disconcerting - I 
find that my single pfSense box fronting my home network is leaking 
carp messages out the external interface, regardless of the fact that 
I've turned off carp (1.0-BETA1).


I don't like it - no matter what anyone else's perception of what is 
exposed, it gives someone on my segment at least a layer-2 knob on my 
network that shouldn't exist.  It's enough to make me want to put a box 
running ebtables outside of it just to filter out spurious stuff like 
this...  Or, worse yet, just replace my pf box with the GNAP image 
I've been working on.  I'm certainly up to customizing pfSense to 
eliminate this behavior, but without upstream support it's something I'd 
have to hunt down and change every time I updated.


What has anyone else done?  Am I alone in disliking this?  I'm not a fan 
of security by obscurity, but I do believe that good security is best 
bolstered by a healthy dose of paranoia and some slick, black, 
featureless walls.  What do you guys think?  Any differently than before?


RB


Re: [pfSense-discussion] Help!!! :)

2005-12-30 Thread Randy B
Why anyone would want to expose an unencrypted management GUI to the 
outside world is completely beyond me; especially not knowing why it 
wasn't accessible.



Scott Ullrich wrote:

Add a rule to allow traffic to port 80 on the WAN.

On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


Ok, I can ping the interface, I am just not getting the web
interface to come up

K.

On Fri, Dec 30, 2005 at 03:50:35PM -0500, Scott Ullrich wrote:


Add rules allowing ICMP to WAN interface.
On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


Internally if I ping my external interface, it pings just
fine. If I go to an external network and attempt to ping the
WAN interface, it fails... The same is true of my virtual
interface. I am wondering if I should be NATing something,
or if there is a rule that I didn't add. Also this is true
of ssh, webinterface, etc.

K.



On Fri, Dec 30, 2005 at 03:35:49PM -0500, Scott Ullrich wrote:


What do you mean access the interface externally?  SSH, webConfigurator?

On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


I just installed 1.0beta... I am able to see the access and
see the WAN interface within the LAN, but I am not able to
access the interfaces externally. What rule did I forget to
add. My virtual interface is not viewable from the outside
world either...

K.



[pfSense-discussion] Beep script

2005-10-19 Thread Randy B
I like the current beep, but had written my own for a headless Linux box 
some time ago.  You guys might at least be entertained...


RB
#!/bin/bash
# Plays a short tune on the PC speaker with the Linux 'beep' utility.
# beep flags used: -f frequency (Hz), -l note length (ms), -D delay after
# the note (ms), -r repeat count, -n start a new note in the same run.

P=37        # pause between notes, ms

# note lengths in ms: sixteenth, eighth, quarter, half
sN=150
eN=300
qN=600
hN=1200

# note frequencies in Hz; the h* names are the octave above
C=261.6
Cs=277.2
D=293.7
Ds=311.1
E=329.6
F=349.2
Fs=370.0
G=392.0
Gs=415.3
A=440.0
As=466.2
B=493.9
hC=523.2
hCs=554.4
hD=587.4
hDs=622.2
hE=659.2
hF=698.4
hFs=740.0
hG=784.0
hGs=830.6

# The "-f 1" note (1 Hz) is inaudible and serves as a quarter-note rest.
beep -f $G -l $qN -D $P -r3 \
  -n -f $D -l $eN -n -f $D -l $sN -D $P \
  -n -f $As -l $sN -D $P \
  -n -f $G -l $qN -D $P \
  -n -f $D -l $eN -n -f $D -l $sN -D $P \
  -n -f $As -l $sN -D $P \
  -n -f $G -l $qN -D $P \
  -n -f 1 -l $qN -D $P \
  -n -f $hD -l $qN -D $P -r3 \
  -n -f $hDs -l $eN -n -f $hDs -l $sN -D $P \
  -n -f $As -l $sN -D $P \
  -n -f $Fs -l $qN -D $P \
  -n -f $Ds -l $eN -n -f $Ds -l $sN -D $P \
  -n -f $As -l $sN -D $P \
  -n -f $G -l $qN -D $P


Re: [pfSense-discussion] Integrating PFSense into a full system...

2005-10-02 Thread Randy B

Forrest Aldrich wrote:
I have a home-based SOHO network - so less computers are better. ;-) 

Unless I found some smaller device that I could install this on  -  a 
shuttle or something.   I'll consider that.


I would highly recommend one of the SBCs like the Soekris boxes or a 
WRAP engine.  There are some positively tiny machines this would run on, 
it's really going to be an inverse function with the size of your wallet 
- the more you're willing to spend, the smaller it'll get.


The Soekris 4801 will set you back about $240; it should provide 
sufficient power for most SOHO users.  Power and size vary from there, 
but you should still expect to spend at least $200 for a 'small' machine.


I, for one, have taken an old 400MHz AMD K6-2 PC I got for free from a 
friend, loaded it up with a bunch of leftover NICs & a 20GB HD, put 
pfSense on it, and stuck it in a closet.  No fuss, no muss.  Of course, 
that 'closet' really is a wiring closet - complete with racking, 
incoming cabling conduit, and the whole nine yards.  But it _was_ 
originally a normal house closet; my wife's just really nice about that 
stuff.  :-D


RB


[pfSense-discussion] SlickWall

2005-09-09 Thread Randy B
Yes, I made it up.  ;-)  Thinking of nefariously sneaky ways to be very 
transparent, and thought of a way to do this in IPtables, now would like 
to try it with my pfSense boxen...


To make some horrendous puns, the intent is to make a firewall so Smooth 
and Slick that all data (save what it wants) slides right off of it to 
another machine it Pix.  Okay.  Enough.  Here's the idea in a nutshell - 
I have one network & three machines - two desktops & a pfSense system. 
Desktop A is kosher on the LAN, whereas desktop B is not.  There are 
constant, active scans on the LAN that will detect desktop B and set off 
clanging gongs.  User Z understands not putting B on the network, but 
still wants to use it for SSH and other items.  Enter the firewall - in 
iptables, I'd use the MASQUERADE & TTL targets to transparently spoof 
being an alternate NIC on desktop A, all the while silently siphoning 
off port 22 inbound and forwarding it to desktop B on a private 
interface, as well as statefully handling the rest of its traffic.  :-D



             LAN
            /   \
           /     \
     +----/---+  MASQ  +----\---+
     |  PFS   | -----> |   A    |
     +--------+        +--------+
         |
         | tcp:22
         v
     +--------+
     |   B    |
     +--------+


I know a picture is worth a thousand words, but ascii-art doesn't seem 
to be sticking with me tonight.  Anyone understand what I'm trying to do 
and whether we have the tools available on pfSense?  The reason I'm 
using MASQ instead of simple forwarding is that it wouldn't do to have a 
query hit the PFS IP and be responded to from the A IP, now would it?


RB


[pfSense-discussion] L3 load balancer

2005-08-31 Thread Randy B
Just noting that the current LB package used is sldb and that it's a 
very much dead project, actively seeking a new maintainer.  I also note 
that ipvs is in ports.  Any potential (future, of course) switch?  I 
know the resource assigned might have to be me, but I was just curious...



RB


Re: [pfSense-discussion] L3 load balancer

2005-08-31 Thread Randy B

Scott Ullrich wrote:
  We have the source code to SLBD and have been making our own changes.

Any intent to add some of the nice features ipvs offers (that slbd 
doesn't seem at first glance to), like multiple scheduling algorithms, 
UDP, persistent connections, and such?


If it doesn't have those, I can imagine that some of those would be 
non-trivial to add; maybe I'll have to dig in and try to make a 
3rd-party package for pfSense.


RB


Re: [pfSense-discussion] L3 load balancer

2005-08-31 Thread Randy B

Scott Ullrich wrote:


Wait a second.  I may be looking at the wrong thing.

Can you send a link of what ipvs is?   I ended up on the linux virtual
server page but now I'm wondering if you're speaking of something else.


We are speaking of something of the same thing; I didn't do all of my 
homework either.  My introducer to *BSD mentioned Monday that ipvs 
(ported LVS code to work with the BSD API) had made it into ports.  What 
I didn't do was go check the status of the project before I made queries 
about it.  :(  Now that I look farther, I find that the package is 
marked as 'broken' on freshports.  *sigh*.  I really enjoyed working 
with the software on some RHEL machines, and was looking forward to 
using it in my newfound toy.


I'll keep an eye on it, and should it become usable, raise the flag again.

RB


Re: [pfSense-discussion] A few questions

2005-07-28 Thread Randy B

Bill Marquette wrote:

Not sure why, but this seems to be a very popular feature request
these days, I can count at least 3 different requests for this in the
last week.  No need to file a feature request for this feature unless
the code that comes out of the hackathon doesn't do what you want (not
directed at you Chris :)).


My bad - I thought I had originally subscribed to pfsense-discussion, 
but it turned out that I'd not (only support).  Otherwise, I likely 
would have seen this request roll by in the past weeks.  Thanks for the 
update, Bill!


RB


[pfSense-discussion] A few questions

2005-07-27 Thread Randy B
I really enjoy pfSense; it's an incredible project, and as I learn more 
about using/administering *BSD systems, I hope to be able to contribute 
more than my opinion.  ;-)


That said, I'd love to see a couple of bits of functionality added, but 
am really not sure how to go about it.  The first is an L3 load 
balancer, like LVS (Linux Virtual Server, that is, not Logical Volume 
System).  I know CARP does L2 balancing, but most of my needs in 
incoming balancing lie outside of my local segment.  The second would be 
apcupsd - my home system is already hooked up to a UPS, but I've no 
viable way to monitor/configure it.  It would be oh-so-nice to be able 
to tell it to shut down gracefully with 2 minutes left on the UPS.


Comments?  Rotten fruit?  Pointers to where to start BMOFP?  All 
appreciated!


RB