[pfSense-discussion] OpenSSH version bump
Any idea when/if we might go to version 4.3+? I've just set up a full-on VPN with its new TUN/TAP support on my Linux boxes, and I must say it's got to be the easiest full-IP tunnel I've ever done - I'd absolutely love to mess around with setting up pfSense support for it (after, of course, fulfilling my commitment to work on getting OpenNTPD running... ;-) )

In short, I just used a TAP device (ssh_config directive Tunnel ethernet), bridged it with the host's LAN interface, DHCPed the client-end TAP device, routed all client-side traffic over the TAP device (less that to the host, of course) and away I went. Now I'm surfing through my network at home, from Mexico.

I think this is so good, it's very well worth scripting up something to make it even more accessible. *oh yeah*.

RB
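The client-side steps the post describes, scripted as an added example (not code from the original post or from pfSense). It assumes Linux with iproute2, bridge-utils and dhclient, root on both ends, an sshd with "PermitTunnel ethernet", and a server whose LAN NIC already sits in bridge br0; host and gateway addresses are placeholders passed as arguments, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post): the client-side steps the
# post describes for an OpenSSH 4.3+ layer-2 (tap) tunnel on Linux.
# Assumptions (placeholders, not from the post): the server's sshd has
# "PermitTunnel ethernet", root logins on both ends, the server's LAN NIC
# is already in bridge br0, and iproute2/bridge-utils/dhclient are present.
# DRY_RUN=1 only prints the commands, which is how the test exercises it.

run() {
    echo "+ $*"
    [ -n "$DRY_RUN" ] || "$@"
}

# Bring the tunnel up: ssh -w 0:0 makes sshd create tap0 on both ends, and the
# remote command bridges the server-side tap0 into the LAN, then idles.
start_tunnel() {
    ssh_host=$1
    run ssh -f -w 0:0 -o Tunnel=ethernet "root@$ssh_host" \
        'ip link set tap0 up && brctl addif br0 tap0 && sleep 2147483647'
}

# Send everything except the SSH session itself over the tap: pin a /32 route
# to the SSH host via the current gateway first (so the tunnel survives the
# default-route change), DHCP the tap from the remote LAN, then point the
# default route at the remote LAN's gateway.
client_routes() {
    ssh_host=$1; local_gw=$2; remote_gw=$3
    run ip route add "$ssh_host/32" via "$local_gw"
    run ip link set tap0 up
    run dhclient tap0
    run ip route replace default via "$remote_gw" dev tap0
}

# Usage: [DRY_RUN=1] sh tap-tunnel.sh <ssh-host-ip> <local-gateway> <remote-gateway>
if [ $# -eq 3 ]; then
    start_tunnel "$1" && client_routes "$1" "$2" "$3"
fi
```

The /32 pin must come before the default route changes, or the SSH session carrying the tunnel loses its path and the tap goes down with it.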
Re: [pfSense-discussion] Nokia IP330
Looking at the dmesg from sifter - it looks pretty good - Ironic - these are precisely the same specs as the box I'm running pfSense on, but it's just an old HP. I've cobbled on a few extra parts (like a 20GB drive, an extra fan, and an Athlon XP HSF), but it runs very nicely and quietly. K62-300 +256M is
Re: [pfSense-discussion] Nokia IP330
I hate GMail sometimes. K62-300 +256M is nearly perfect - quiet, but plenty of power to handle most network loads I can throw at it.

On 4/6/06, Randy B [EMAIL PROTECTED] wrote:
> Looking at the dmesg from sifter - it looks pretty good - Ironic - these are precisely the same specs as the box I'm running pfSense on, but it's just an old HP. I've cobbled on a few extra parts (like a 20GB drive, an extra fan, and an Athlon XP HSF), but it runs very nicely and quietly. K62-300 +256M is
[pfSense-discussion] RRD graphs
I like! I like! Never knew how much I liked historical graphs on my firewall until I saw these; it makes sense, since I stare at a 40 plasma running ArcSight all day. Bravo! I know there's a thread somewhere that Scott names the author, but I'm too lazy to go pick it out. Kudos! RB
Re: [pfSense-discussion] Traffic Shaper wizard thoughts
Understood. Next month I'll have some free time and will try to sit down and chew through it myself to understand better. Appreciate all your work as-is!

RB

On 3/26/06, Bill Marquette [EMAIL PROTECTED] wrote:
> On 3/21/06, Josh Stompro [EMAIL PROTECTED] wrote:
>> I think this would be a great idea, I am also in this boat where I would like to shape on more than one interface. I realize it can be done manually, but it would be nice if the wizard took care of it.
>>
>> Is there any more documentation on pfsense's traffic shaping than what is listed in the monowall handbook? http://doc.m0n0.ch/handbook/trafficshaper.html
>>
>> I would like to limit the opt interface to 384kbits up/down and guarantee that a certain machine or machines on the lan side get higher priority than anything else, for any traffic they send. Along with the Ack rules so that downloads don't kill latency. Since you can only shape traffic that is sent on an interface, the Wan queue has to deal with limiting traffic coming from opt1, which I don't understand how to do yet.
>
> The code to do this got backed out 9 months ago. It'll be put back in later after I get positive feedback on the current code. I'm tired of tracking down shaper bugs and trying to get the simple stuff we have working right (it should now, but I want to work on other stuff for a while - I'm kinda burnt out on it).
>
> --Bill
[pfSense-discussion] Traffic Shaper wizard thoughts
Not being very familiar with the traffic shaper, I find it hard to fully grasp yet (all the queues and such), but something you might consider adding eventually is an ultra-simple shape by interface setup. For example - I have a LAN, a DMZ, and an untrusted wireless DMZ. I want the LAN and DMZ to have unfettered, top-priority access to the WAN bandwidth, and give some of what's leftover to the wireless DMZ, with a cap of, say, 512Kb/s. I _think_ I have most of this set up, but had to go through several iterations of the wizard and cutting out chunks it added in to get it where I want it. Now I have to go test. Anyone else smell what I'm standing in? Is this a bad or untenable idea? RB
[pfSense-discussion] Everything else sucks
I've spent the last month making a grand tour of the firewall world - tried everything from IPCop to Smoothwall, a fully-licensed PIX-515E from work to m0n0wall, and I still come back to pfSense. Not only is this my hobby, I oversee a flock of ~70 PIXen and FWSMs at work every day. There's just nothing quite as feature-rich, easy to use, or quick to set up. GNAP comes close, and I'm working on making some custom extensions to it that may draw me away from pfSense again, but making it do 95% of what I want takes _so long_. I just wish I was more conversant with *BSD so I could really dig under the covers like I did on the Linux-based ones, even though I was greatly disappointed when I did.

Granted, you're going to get more horsepower, support, and scalability with a commercial appliance, but they leave out things that should be simple - like setting up port-forwarding. Then there are the *really nice* things, like 3rd-party extensions. Like I said, I may be drawn away again some day, but for the time being I'm back to stay.

In that light, is there anything newer than Beta-2?

RB
Re: [pfSense-discussion] CARP leak... revisited
Scott Ullrich wrote:
> This was fixed right after b1. Upgrade to http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-1-29-06/

Good enough; a step and a half in front of me. Thanks!
[pfSense-discussion] CARP leak... revisited
If some of you will recall, quite some time ago I complained that I found that CARP was being transmitted on my untrusted interfaces between a couple of test boxes in a lab instead of on their synchronization interface; something that the rest of the list seemed to think a non-issue. It has arisen again, this time rather more disconcerting - I find that my single pfSense box fronting my home network is leaking carp messages out the external interface, regardless of the fact that I've turned off carp (1.0-BETA1).

I don't like it - no matter what anyone else's perception of what is exposed, it gives someone on my segment at least a layer-2 knob on my network that shouldn't exist. It's enough to make me want to put a box running ebtables outside of it just to filter out spurious stuff like this... Or, worse yet, just replace my pf box with the GNAP image I've been working on. I'm certainly up to customizing pfSense to eliminate this behavior, but without upstream support it's something I'd have to hunt down and change every time I updated.

What has anyone else done? Am I alone in disliking this? I'm not a fan of security by obscurity, but I do believe that good security is best bolstered by a healthy dose of paranoia and some slick, black, featureless walls. What do you guys think? Any differently than before?

RB
Re: [pfSense-discussion] Help!!! :)
Why anyone would want to expose an unencrypted management GUI to the outside world is completely beyond me; especially not knowing why it wasn't accessible.

Scott Ullrich wrote:
> Add a rule to allow traffic to port 80 on the WAN.
>
> On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Ok, I can ping the interface, I am just not getting the web interface to come up
>> K.
>>
>> On Fri, Dec 30, 2005 at 03:50:35PM -0500, Scott Ullrich wrote:
>>> Add rules allowing ICMP to WAN interface.
>>>
>>> On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>>> Internally if I ping my external interface, it pings just fine. If I go to an external network and attempt to ping the WAN interface, it fails... The same is true of my virtual interface. I am wondering if I should be NATing something, or if there is a rule that I didn't add. Also this is true of ssh, webinterface, etc.
>>>> K.
>>>>
>>>> On Fri, Dec 30, 2005 at 03:35:49PM -0500, Scott Ullrich wrote:
>>>>> What do you mean access the interface externally? SSH, webConfigurator?
>>>>>
>>>>> On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>>>>> I just installed 1.0beta... I am able to see the access and see the WAN interface within the LAN, but I am not able to access the interfaces externally. What rule did I forget to add. My virtual interface is not viewable from the outside world either...
>>>>>> K.
[pfSense-discussion] Beep script
I like the current beep, but had written my own for a headless Linux box some time ago. You guys might at least be entertained...

RB

#!/bin/bash
# Timing in milliseconds: P is the gap between notes,
# sN/eN/qN/hN are sixteenth/eighth/quarter/half notes
P=37
sN=150
eN=300
qN=600
hN=1200
# Note frequencies in Hz; the h* names are the octave above
C=261.6
Cs=277.2
D=293.7
Ds=311.1
E=329.6
F=349.2
Fs=370.0
G=392.0
Gs=415.3
A=440.0
As=466.2
B=493.9
hC=523.2
hCs=554.4
hD=587.4
hDs=622.2
hE=659.2
hF=698.4
hFs=740.0
hG=784.0
hGs=830.6
# beep(1): -f frequency, -l length, -D delay after the note, -r repeats,
# -n starts the next note; "-f 1" is an inaudible rest
beep -f $G -l $qN -D $P -r3 \
  -n -f $D -l $eN -n -f $D -l $sN -D $P \
  -n -f $As -l $sN -D $P \
  -n -f $G -l $qN -D $P \
  -n -f $D -l $eN -n -f $D -l $sN -D $P \
  -n -f $As -l $sN -D $P \
  -n -f $G -l $qN -D $P \
  -n -f 1 -l $qN -D $P \
  -n -f $hD -l $qN -D $P -r3 \
  -n -f $hDs -l $eN -n -f $hDs -l $sN -D $P \
  -n -f $As -l $sN -D $P \
  -n -f $Fs -l $qN -D $P \
  -n -f $Ds -l $eN -n -f $Ds -l $sN -D $P \
  -n -f $As -l $sN -D $P \
  -n -f $G -l $qN -D $P
Re: [pfSense-discussion] Integrating PFSense into a full system...
Forrest Aldrich wrote:
> I have a home-based SOHO network - so less computers are better. ;-) Unless I found some smaller device that I could install this on - a shuttle or something. I'll consider that.

I would highly recommend one of the SBCs like the Soekris boxes or a WRAP engine. There are some positively tiny machines this would run on, it's really going to be an inverse function with the size of your wallet - the more you're willing to spend, the smaller it'll get. The Soekris 4801 will set you back about $240; it should provide sufficient power for most SOHO users. Power and size vary from there, but you should still expect to spend at least $200 for a 'small' machine.

I, for one, have taken an old 400MHz AMD K6-2 PC I got for free from a friend, loaded it up with a bunch of leftover NICs and a 20GB HD, put pfSense on it, and stuck it in a closet. No fuss, no muss. Of course, that 'closet' really is a wiring closet - complete with racking, incoming cabling conduit, and the whole nine yards. But it _was_ originally a normal house closet; my wife's just really nice about that stuff. :-D

RB
[pfSense-discussion] SlickWall
Yes, I made it up. ;-) Thinking of nefariously sneaky ways to be very transparent, and thought of a way to do this in IPtables, now would like to try it with my pfSense boxen... To make some horrendous puns, the intent is to make a firewall so Smooth and Slick that all data (save what it wants) slides right off of it to another machine it Pix. Okay. Enough.

Here's the idea in a nutshell - I have one network and three machines - two desktops and a pfSense system. Desktop A is kosher on the LAN, whereas desktop B is not. There are constant, active scans on the LAN that will detect desktop B and set off clanging gongs. User Z understands not putting B on the network, but still wants to use it for SSH and other items. Enter the firewall - in iptables, I'd use the MASQUERADE and TTL targets to transparently spoof being an alternate NIC on desktop A, all the while silently siphoning off port 22 inbound and forwarding it to desktop B on a private interface, as well as statefully handling the rest of its traffic. :-D

[ASCII diagram lost in archiving; it showed the LAN, the PFS box (MASQ) beside desktop A, and tcp:22 forwarded on to desktop B]

I know a picture is worth a thousand words, but ascii-art doesn't seem to be sticking with me tonight. Anyone understand what I'm trying to do and whether we have the tools available on pfSense? The reason I'm using MASQ instead of simple forwarding is that it wouldn't do to have a query hit the PFS IP and be responded to from the A IP, now would it?

RB
[pfSense-discussion] L3 load balancer
Just noting that the current LB package used is sldb and that it's a very much dead project, actively seeking a new maintainer. I also note that ipvs is in ports. Any potential (future, of course) switch? I know the resource assigned might have to be me, but I was just curious... RB
Re: [pfSense-discussion] L3 load balancer
Scott Ullrich wrote:
> We have the source code to SLBD and have been making our own changes.

Any intent to add some of the nice features ipvs offers (that slbd doesn't seem at first glance to), like multiple scheduling algorithms, UDP, persistent connections, and such? If it doesn't have those, I can imagine that some of those would be non-trivial to add; maybe I'll have to dig in and try to make a 3rd-party package for pfSense.

RB
Re: [pfSense-discussion] L3 load balancer
Scott Ullrich wrote:
> Wait a second. I may be looking at the wrong thing. Can you send a link of what ipvs is? I ended up on the linux virtual server page but now I'm wondering if you're speaking of something else.

We are speaking of something of the same thing; I didn't do all of my homework either. My introducer to *BSD mentioned Monday that ipvs (ported LVS code to work with the BSD API) had made it into ports. What I didn't do was go check the status of the project before I made queries about it. :( Now that I look farther, I find that the package is marked as 'broken' on freshports. *sigh*. I really enjoyed working with the software on some RHEL machines, and was looking forward to using it in my newfound toy. I'll keep an eye on it, and should it become usable, raise the flag again.

RB
Re: [pfSense-discussion] A few questions
Bill Marquette wrote:
> Not sure why, but this seems to be a very popular feature request these days, I can count at least 3 different requests for this in the last week. No need to file a feature request for this feature unless the code that comes out of the hackathon doesn't do what you want (not directed at you Chris :)).

My bad - I thought I had originally subscribed to pfsense-discussion, but it turned out that I'd not (only support). Otherwise, I likely would have seen this request roll by in the past weeks. Thanks for the update, Bill!

RB
[pfSense-discussion] A few questions
I really enjoy pfSense; it's an incredible project, and as I learn more about using/administering *BSD systems, I hope to be able to contribute more than my opinion. ;-) That said, I'd love to see a couple of bits of functionality added, but am really not sure how to go about it. The first is an L3 load balancer, like LVS (Linux Virtual Server, that is, not Logical Volume System). I know CARP does L2 balancing, but most of my needs in incoming balancing lie outside of my local segment. The second would be apcupsd - my home system is already hooked up to a UPS, but I've no viable way to monitor/configure it. It would be oh-so-nice to be able to tell it to shut down gracefully with 2 minutes left on the UPS. Comments? Rotten fruit? Pointers to where to start BMOFP? All appreciated! RB