Re: [pfSense-discussion] article: Millions of Home Routers at Risk

2010-08-03 Thread Tortise


- Original Message - 
From: John Dakos gda...@enovation.gr

To: discussion@pfsense.com
Sent: Tuesday, August 03, 2010 6:57 PM
Subject: RE: [pfSense-discussion] article: Millions of Home Routers at Risk


Re pf.jpg can someone clarify what a Yes in the right column represents please:

a) Yes the router was successful in preventing the attack
b) Yes the attack was shown to succeed
c) Something else (just in case...)

Obviously if it is b) then that is different to the quoted article

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense-discussion] WAN, LAN1, LAN2 and LAN3

2009-05-06 Thread Tortise
Hi

I need to give public SSH access to a box for a remote chap who does not have a
static IP.  I may be able to give him a PPTP user account connecting to the
specified box's IP.  Boxes' IPs are assigned using the DHCP server.

I wish to maintain my security(!)  The box he is getting access to is a test
nix box, so if it gets trashed we can live with that.  LAN1 is for my critical
boxes.  LAN2 is for printers, less critical PCs that could still harbour
viruses, and local guests.  LAN3 is newly created for the above SSH access as
the only way I can see to ring-fence that box.

LAN1 = 10.x.y.a /24
LAN2 = 10.x+1.y.b /24
LAN3 = 10.x+2.y.c /24

NAT access is provided to boxes on all LANx and that seems fine so not detailed 
further.

Goals:
1) All LANx should have Internet access:

Firewall: NAT: Outbound

Interface WAN
Source LANx  (Rule repeated for each x)
Source Port *
Destination, Destination Port, NAT Address, NAT Port *
Static Port No


2) LAN1 can access all of LAN2 (and can access LAN2 and LAN3 via any public NAT
ports opened) including printers on LAN2.  Windows PCs are on LAN1 and LAN2.
It is preferable to have Win Net access from LAN1 to 2 but not the reverse.
(Does not work)

Firewall: Rules  For LAN1:
ALLOW
Proto *
Source LAN net
Port *
Destination *
Port *
Gateway *
Schedule *
Description LAN to any

3) LAN2 cannot access any other LAN except the network printers on LAN1.  I
understand the first rule is processed first; subsequent rules pick up the
pieces that are left over and not already covered.

Firewall: Rules For LAN2:
BLOCK
Proto *
Source LAN2 net
Port *
Destination LAN1 address
Port *
Gateway *
Schedule *
Description Block All LAN2 to LAN1

ALLOW
Proto *
Source *
Port *
Destination *
Port *
Gateway *
Schedule *
Description LAN2 to Internet

4) LAN3 cannot access any other LAN


Firewall: Rules For LAN3:
BLOCK
Proto *
Source LAN3 net
Port *
Destination LAN1 address
Port *
Gateway *
Schedule *
Description Block All LAN3 to LAN1   (Could repeat for LAN2 also?)

ALLOW
Proto *
Source *
Port *
Destination *
Port *
Gateway *
Schedule *
Description LAN3 to Internet


I thought I'd configured the rules to allow this, however from LAN3 I can view
webpages on LAN1 and ping LAN1 addresses, which suggests to me my rules are not
working and it would be premature to expose the box to the net!

Can anyone tell me where my logic is failing?

Kind regards
David 
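The rulesets above can be checked outside the firewall with a small first-match evaluator. What follows is an added example, not code from this post or from pfSense, and it assumes illustrative addressing: LAN1 10.0.1.0/24 with the firewall at 10.0.1.1, LAN2 10.0.2.0/24, LAN3 10.0.3.0/24. It models the two pfSense behaviours that decide this case: rules on an interface are tried top to bottom and the first match wins, and the destination choice "LAN1 address" means the firewall's own IP on LAN1 (one host), whereas "LAN1 net" means the whole LAN1 subnet. The first ruleset is the LAN3 set as posted; the second expresses the same intent with "net" destinations.

```python
import ipaddress

# Illustrative addressing (the post only gives 10.x.y.a/24 etc.); assumed here.
LAN1_NET = ipaddress.ip_network("10.0.1.0/24")
LAN2_NET = ipaddress.ip_network("10.0.2.0/24")
LAN3_NET = ipaddress.ip_network("10.0.3.0/24")
LAN1_ADDRESS = ipaddress.ip_network("10.0.1.1/32")  # the firewall's own LAN1 IP
ANY = ipaddress.ip_network("0.0.0.0/0")

DEFAULT_DENY = ("block", "implicit default deny")


def first_match(rules, src, dst):
    """Evaluate an interface ruleset the way pfSense does: rules are tried top to
    bottom and the first one whose source and destination both match decides.
    If nothing matches, the interface's implicit default deny applies.
    Each rule is (action, source_network, destination_network, description)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, rule_src, rule_dst, description in rules:
        if src_ip in rule_src and dst_ip in rule_dst:
            return action, description
    return DEFAULT_DENY


# The LAN3 ruleset as posted: the block rule's destination is "LAN1 address",
# i.e. only the firewall's own interface IP, so hosts on LAN1 never match it
# and fall through to the pass-anything rule.
lan3_as_posted = [
    ("block", LAN3_NET, LAN1_ADDRESS, "Block All LAN3 to LAN1"),
    ("pass", ANY, ANY, "LAN3 to Internet"),
]

# The same intent with "LAN1 net" / "LAN2 net" destinations, and the pass rule
# narrowed to traffic that actually originates on LAN3.
lan3_fixed = [
    ("block", LAN3_NET, LAN1_NET, "Block LAN3 to LAN1 net"),
    ("block", LAN3_NET, LAN2_NET, "Block LAN3 to LAN2 net"),
    ("pass", LAN3_NET, ANY, "LAN3 to Internet"),
]


def audit(rules, probes):
    """Run (src, dst) probes through a ruleset; returns (src, dst, action, rule)
    per probe so each outcome can be inspected."""
    return [(src, dst) + first_match(rules, src, dst) for src, dst in probes]


if __name__ == "__main__":
    probes = [
        ("10.0.3.10", "10.0.1.50"),    # LAN3 host -> web server on LAN1
        ("10.0.3.10", "10.0.1.1"),     # LAN3 host -> firewall's LAN1 address
        ("10.0.3.10", "10.0.2.20"),    # LAN3 host -> printer on LAN2
        ("10.0.3.10", "203.0.113.5"),  # LAN3 host -> Internet
    ]
    for name, rules in (("as posted", lan3_as_posted), ("fixed", lan3_fixed)):
        print(f"LAN3 rules {name}:")
        for src, dst, action, why in audit(rules, probes):
            print(f"  {src} -> {dst}: {action} ({why})")
```

The LAN2 ruleset in the post uses "LAN1 address" the same way and gets the same result. One block rule with destination 10.0.0.0/8 (or an alias holding every local subnet) placed above the pass rule avoids adding a rule per LAN as interfaces are added. Because pf is stateful, connections that LAN1 opens into LAN3 still get their replies back through the state table; nothing in the LAN3 rules needs to pass them.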





[pfSense-discussion] pfSense / Free BSD CPU kern.cp_time Jams in some environments

2009-04-04 Thread Tortise
Hi

Is anyone else getting this?

It is occurring if you get a either a

1) divide by zero error on the index page for CPU Usage or
2) an indication the CPU is always on 0% use, which it shouldn't be for long!

It seems to occur 1.2.2 onwards and on some motherboards and not others.

It is particularly relevant because if it is occurring it slows down the whole
system; for example I have a Pentium 266 that it does not occur on and a
Pentium 400 that it does occur on.  When it occurs the Pentium 400 slows down
to perform more like a 486 might, in comparative terms, for serving up the web
pages.  I assume it similarly affects traffic.

There is also a report of a Pentium III 650 doing the same at 
http://cvstrac.pfsense.org/tktview?tn=1884

The only (temporary) fix I know is reboot.

It can also be demonstrated by executing the command sysctl -n kern.cp_time and 
getting the same values back.  On the susceptible 
system this happens within about an hour of running.

Given it typically takes an hour for the condition to develop, tracking it down
may be more difficult.

It would be good to know how many others are affected on what systems it occurs.

Kind regards
David 





Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-03-01 Thread Tortise
No Worries Adrian,

I am confident I won't be the only one to benefit, thank you.

Kind regards
David


- Original Message - 
From: Adrian Wenzel adr...@lostland.net
To: discussion@pfsense.com
Sent: Sunday, March 01, 2009 6:22 AM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)



My apologies, I meant Network layer, not Transport.  Sheesh.  Serves me right 
for spamming the list with general info (as I spam it 
again with my correction ;)


snip

So there 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in the 
4th octet that are valid for use as IPs on the local 
subnet (the +'s represent bits that, if changed, would tell the Transport layer 
that the IP is not local... the -'s are bits you can 
change to give yourself IPs local to your subnet.  Note that they correspond to 
the 1's and 0's of the netmask).

/snip




Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-02-28 Thread Tortise
Hi Adrian

Thank you so much for your response.

I think those numbers do have something to do with it, as when I enable OPT1 I
lose the webserver's access and have to reset to a default and start over
(I hate that!)

I have since tried configuring as:
LAN1: 10.aaa.bbb.ccc/8
LAN2: 10.(aaa+1).bbb.ccc/9

I presume I have still got it wrong.

I want to keep LAN1's IP numbers as they are, as there are a number of static
DHCP assignments all set; for LAN2 I don't really care what this is, and I
can't imagine needing more than 20 addresses on LAN2, which may be relevant.
Can you suggest further?  (Of course they can be changed if necessary)

Also I assume I will need to do some LAN2 rules to 1) give access to the 
Internet
and LAN1 rules to gain access to LAN2 however the devil may be lying in the 
detail to do that...

Still as you say we need to get LAN2 working for a start.

Kind regards
David


- Original Message - 
From: Adrian Wenzel adr...@lostland.net
To: discussion@pfsense.com
Sent: Saturday, February 28, 2009 7:05 PM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)



Hello,

   So, it seems you are configuring as such:

LAN1: 10.aaa.bbb.ccc/8

LAN2: 10.xxx.yyy.zzz/8

This is not right, since /8 means a netmask of 255.0.0.0, making the network
portion of each subnet only the first octet... thus the same subnet.  Two
devices configured with the same subnet, and on two different physical
networks, will not work.

You should try a netmask of 255.128.0.0, or /9 (assuming you really need all
those IPs on each network).  That will correctly differentiate the subnets and
allow routing to occur ;)

We can get into separating your LANs to disallow your desired access after this 
is working.

Thanks,
Adrian


- Original Message -
From: Tortise tort...@paradise.net.nz
To: discussion@pfsense.com
Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern
Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

Hi

I have been trying to setup a WAN and two LAN.  (3 NIC's)

I want LAN1 to be able to access LAN2 but not the other way around.  The idea 
is that LAN1 is less public than LAN2.

i.e. visitors can connect to the Public LAN2 and browse the Internet etc 
while not having any access to LAN1

LAN 2 will have a LAN printer on it, as an example, which can receive print 
jobs from both LAN1 and LAN2.

WAN is a static IP to Cable.

LAN1 is using 10.xxx.yyy.zzz/8 and OPT was intended to use 10.aaa.bbb.ccc/8,
however enabling this seems to make it all fall over, ie I lose Internet
connection from LAN and things become unresponsive.

As an aside I tried editing /conf/config.xml however it would not save from the 
terminal window, does one have rights to edit the
config there?  I was using the ee editor.

Has anyone done this sort of thing and what am I missing to get it working?

In anticipation many thanks indeed.

Kind regards
David





Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-02-28 Thread Tortise
Apologies for the repeat post, ISP email problem seemed to have lost it, then 
later on spat it out
(Not sure if you guys want yet another email to explain!?)
Kind regards
David




Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-02-28 Thread Tortise
I think I've moved this on some.
What I did was avoid the subnet issues which I was clearly running into (and
not fully understanding): I opted to use a 172.10.x.x/16 private range for the
2nd LAN.
I entered the rules as per DarkFoon (Thank you).
Using the rules as suggested is preventing LAN2 access to LAN while allowing
Internet access.
LAN does not yet seem to have LAN2 access though, in terms of no pings and no
WINS access, which I was hoping for one way (LAN to LAN2 only), but perhaps
that is just not going to happen in this dual LAN setup?
Any further guidance would be appreciated please.
Kind regards
David
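Adrian's netmask explanation in this thread can be tested mechanically rather than by trial and error. The following is an added example, not code from the thread or from pfSense. It takes interface addresses as they are typed into pfSense (address/prefix), works out the subnet each one implies, reports whether any two of them overlap, and reports whether each prefix lies inside one of the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), a check worth running on any candidate LAN prefix. The addresses in the code are illustrative, not the poster's.

```python
import ipaddress

# The three private ranges from RFC 1918.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def as_network(cidr):
    """Take an interface address as typed into pfSense (e.g. 10.20.30.1/8) and
    return the subnet it implies, host bits cleared: that subnet, not the host
    address, is what the router installs a connected route for."""
    return ipaddress.ip_interface(cidr).network


def overlaps(a, b):
    """True when two interface addresses imply subnets sharing any address.
    Two interfaces on different wires with overlapping subnets cannot be routed
    between, which is what breaks the OPT1 setup in the thread."""
    return as_network(a).overlaps(as_network(b))


def is_rfc1918(cidr):
    """True when the whole implied subnet lies inside one RFC 1918 range."""
    net = as_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def plan_check(lans):
    """lans maps an interface name to its address/prefix. Returns a list of
    human-readable problems: non-private prefixes and every overlapping pair."""
    problems = []
    names = list(lans)
    for i, first in enumerate(names):
        if not is_rfc1918(lans[first]):
            problems.append(f"{first} {as_network(lans[first])} is not an RFC 1918 subnet")
        for second in names[i + 1:]:
            if overlaps(lans[first], lans[second]):
                problems.append(f"{first} {as_network(lans[first])} overlaps "
                                f"{second} {as_network(lans[second])}")
    return problems


if __name__ == "__main__":
    # Illustrative plans; the addresses are assumed, not the poster's real ones.
    for plan in (
        {"LAN1": "10.1.2.1/8", "LAN2": "10.2.2.1/8"},     # both /8: one subnet
        {"LAN1": "10.1.2.1/8", "LAN2": "10.2.2.1/9"},     # the /8 still swallows the /9
        {"LAN1": "10.1.2.1/9", "LAN2": "10.129.2.1/9"},   # two disjoint /9s
        {"LAN1": "10.1.2.1/24", "LAN2": "10.1.3.1/24", "LAN3": "10.1.4.1/24"},
    ):
        print(plan, "->", plan_check(plan) or "ok")
```

Carving small /24s out of 10.0.0.0/8, as the later LAN1/LAN2/LAN3 post on this page does, keeps the existing LAN1 host numbers and leaves room for as many further segments as needed; the /9 split Adrian describes also works, but is only needed if each LAN genuinely needs millions of addresses.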




[pfSense-discussion] 1.2.2 CPU Division by zero error in index.php

2009-02-28 Thread Tortise
Hi 

In the index.php page CPU usage value I am getting:

Warning: Division by zero in /usr/local/www/includes/functions.inc.php on line 
66 0%

This is with the embedded image on a CF, Pentium 400, 756M RAM.

If I can assist further please let me know.

Kind regards
David




Re: [pfSense-discussion] 1.2.2 CPU Division by zero error in index.php

2009-02-28 Thread Tortise
Hi Chris

I get:

$ sysctl -n kern.cp_time
8564 1243 9535 4621 326700

I rebooted and initially it seemed fine, however it has recurred now as:

Warning: Division by zero in /usr/local/www/includes/functions.inc.php on line 67 0%

I have been changing the DHCP server static assignments if that helps at all.

Kind regards
David
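The warning in this thread and the "kern.cp_time Jams" post further up the page are the same condition seen from two places: the dashboard's CPU figure is the busy share of the tick delta between two kern.cp_time samples, so once the counters stop advancing the delta is zero and the page divides by zero. The following is an added example, not pfSense's own code. It parses the sysctl output, reports whether the counters moved between two samples (the stuck state described above), and computes the busy ratio with a zero guard. The first embedded sample is the output posted above; the second is constructed to stand for a healthy box one second later. The names and the live-sampling helper are this example's own.

```python
import subprocess
import time

# Column order of `sysctl -n kern.cp_time` on FreeBSD.
FIELDS = ("user", "nice", "system", "interrupt", "idle")

# First sample: the output posted in this thread.  Second sample: constructed
# to represent the counters one second later on a healthy box.
SAMPLE_FIRST = "8564 1243 9535 4621 326700"
SAMPLE_SECOND = "8664 1243 9585 4631 327540"


def parse_cp_time(text):
    """Parse the five tick counters into a dict keyed by FIELDS."""
    values = [int(v) for v in text.split()]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} counters, got {text!r}")
    return dict(zip(FIELDS, values))


def counters_stuck(first, second):
    """True when no counter advanced between the samples: the jammed state the
    cp_time post describes, for which a reboot is the only known cure."""
    return all(second[k] == first[k] for k in FIELDS)


def cpu_busy_percent(first, second):
    """Share of ticks spent outside idle over the interval, the ratio behind the
    dashboard's CPU figure.  Returns None instead of dividing by zero when the
    tick total did not move, which is the case behind the
    'Division by zero in functions.inc.php' warning."""
    deltas = {k: second[k] - first[k] for k in FIELDS}
    total = sum(deltas.values())
    if total <= 0:
        return None
    return 100.0 * (total - deltas["idle"]) / total


def read_cp_time():
    """Take a live sample; only works where the FreeBSD sysctl exists."""
    out = subprocess.run(["sysctl", "-n", "kern.cp_time"],
                         capture_output=True, text=True, check=True).stdout
    return parse_cp_time(out)


def check_live(interval=1.0):
    """Two live samples `interval` seconds apart -> (stuck, busy_percent_or_None)."""
    first = read_cp_time()
    time.sleep(interval)
    second = read_cp_time()
    return counters_stuck(first, second), cpu_busy_percent(first, second)


if __name__ == "__main__":
    try:
        stuck, busy = check_live()
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError):
        # Not on FreeBSD: fall back to the embedded samples.
        first, second = parse_cp_time(SAMPLE_FIRST), parse_cp_time(SAMPLE_SECOND)
        stuck, busy = counters_stuck(first, second), cpu_busy_percent(first, second)
    if stuck:
        print("kern.cp_time did not advance: the system is in the jammed state")
    else:
        print(f"CPU busy over the interval: {busy:.1f}%")
```

Run from Diagnostics: Command or a shell on the firewall, the script gives a yes/no answer for the stuck state without waiting for the dashboard to throw the warning; a cron entry that runs it and logs the result is one way to collect the per-motherboard data the cp_time post asks for.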

- Original Message - 
From: Chris Buechler c...@pfsense.org
To: discussion@pfsense.com
Sent: Sunday, March 01, 2009 1:51 PM
Subject: Re: [pfSense-discussion] 1.2.2 CPU Division by zero error in index.php


On Sat, Feb 28, 2009 at 4:02 PM, Tortise tort...@paradise.net.nz wrote:
 Hi

 In the index.php page CPU usage value I am getting:

 Warning: Division by zero in /usr/local/www/includes/functions.inc.php on 
 line 66 0%

 This is with the embedded image on a CF, Pentium 400, 756M RAM.


Run this from Diagnostics - Command and post the output:

sysctl -n kern.cp_time




Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?

2008-04-04 Thread Tortise
Yes I am using 192.168.0.0/24

I have no devices from those manufacturers.

This was not the response I wanted to hear, changing the LAN is a major(!)

Can you clarify the nature of the pfSense ARP cache?  Is it relevant?  (I am 
not convinced that it is - either the ARP packet is 
correct or it isn't)

Should the ISP be responsible for the integrity of its network and ensuring 
rogue ARP traffic is eliminated?

Should the ISP respond to requests to remove devices off the network with
erroneous ARP traffic, as identified by the device's MAC address from pfSense
logs?  That could clean things up?

Thank you Bill for assisting me.

Kind regards
David Hingston



Is 192.168.0.0/24 your LAN segment?  If so, I'd suggest moving off it.
 It sounds to me like something on your WAN is using the
192.168.0.0/24 segment (or there's a couple asshat's out there
spamming bogus gratuitous ARPs on that wire).

Your first mac listed is probably a switch or other network device:
http://www.coffer.com/mac_find/?string=00%3A00%3Acd%3A1c%3A14%3A1a
Allied Telesyn Researh (was: Centrecom Systems) (was: Teltrend (nz) Limited)

The second mac listed is probably a Wii:
http://www.coffer.com/mac_find/?string=00%3A09%3Abf%3A55%3A71%3Ab0
Nintendo Co.,Ltd.


--Bill 



Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?

2008-04-04 Thread Tortise
Thanks Bill I appreciate your frank advice, together with your humour(!)  
Certainly it brought more than one smile to my face!

The pain you refer to is close to the same, however at this point it remains 
greater to change the whole LAN addressing system. 
(Experience proves some devices will not smoothly change their IP addresses 
(TiVos) and require whole reinstallation, backup of 
data  There are 3 of these.  Yes I know they should change easily and I 
have previously proceeded as if they did  These are 
the worst ones, think in terms of days of work, although I'd be good at it by 
the time I got to the third one! The rest vary and 
some clearly are a simple matter to change.)

In terms of the ISP even though a small customer I can get pretty persuasive.  
We can escalate to the CEO's office if necessary, I 
understand that gets taken seriously.  The Internet also provides avenues if 
needed!  Other avenues also exist.  Clearly these 
options one prefers to avoid!

It seems that a precondition for the conflict to occur is a common IP on the 
LAN and the WAN.  Would that be true?

Thank you again.

Kind regards
David Hingston

- Original Message - 
From: Bill Marquette [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Saturday, April 05, 2008 9:50 AM
Subject: Re: [pfSense-discussion] ARP traffic causing routers to hang - single 
ARP cache with both LAN and WAN ARP entries?


On Fri, Apr 4, 2008 at 3:28 PM, Tortise [EMAIL PROTECTED] wrote:
 Yes I am using 192.168.0.0/24

  I have no devices from those manufacturers.

  This was not the response I wanted to hear, changing the LAN is a major(!)

H, more or less major than the incidents that prompted this discussion? :)

  Can you clarify the nature of the pfSense ARP cache?  Is it relevant?  (I am 
 not convinced that it is - either the ARP packet is
  correct or it isn't)

Correct or not, FreeBSD is warning you that it's seeing a machine with
the wrong subnet on the wrong side of your firewall.  I don't think
FreeBSD is actually honoring it, but don't quote me on that, I haven't
tested this specific configuration.

  Should the ISP be responsible for the integrity of its network and ensuring 
 rogue ARP traffic is eliminated?

Should?  Yes.  Would I personally expect them to actually take
responsibility for it?  Nope.  Run our supported operating system is
the answer I expect them to give you.

  Should the ISP respond to requests to remove devices off the network with 
 erroneous ARP traffic, as identified by the devices MAC
  address from pfSense logs?  That could clean things up?

Should?  Yes.  But again, I expect you won't get past first level tech
support unless you are a business account (and even then *shudder*).
You're on a shared medium connection, the rest of the idiots out there
that have no idea how to configure a network (and be neighborly on a
shared network) are going to take you down whenever they feel like it.

Honestly, I know it's painful.  But this isn't any different than a
new neighbor moving in that decides to use the same wireless channel
as you, but are broadcasting a high enough signal that they're
stomping all over you.  You either figure out who it is and shoot them
(figuratively of course ;-P) or you change your stuff (and in the
human way, you massively amp your signal and hope there's no FCC goons
- or hams - in the area). :)

--Bill 



Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?

2008-04-04 Thread Tortise
Bill

The TiVos in question are necessarily a highly hacked local variation, with
the usual nix support.  They are good examples of the old adage if it ain't
broke(!!)  I am sure most will easily port across.

I imagine I would not have the skills to do a fair problem swap, tempting as it 
is.

I've appended the original post for your ease of access, if you need a brief 
diversion from current task in hand, at some point!

I did wonder about such an approach, that is much easier to do (!)  I have some 
spare kit to run an intermediary up with.  As a 
bonus I guess my network would get even more secure!  I'll let you know the 
result when this is tested.  (Think in terms of many 
weeks from now likely required for a good amount of test data!)

Kind regards
David Hingston

- Original Message - 
From: Bill Marquette [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Saturday, April 05, 2008 12:13 PM
Subject: Re: [pfSense-discussion] ARP traffic causing routers to hang - single 
ARP cache with both LAN and WAN ARP entries?


On Fri, Apr 4, 2008 at 5:55 PM, Tortise [EMAIL PROTECTED] wrote:
  The pain you refer to is close to the same, however at this point it remains 
 greater to change the whole LAN addressing  system.
  (Experience proves some devices will not smoothly change their IP addresses 
 (TiVos) and require whole reinstallation,
 backup of
  data  There are 3 of these.  Yes I know they should change easily and I 
 have previously proceeded as if they did

Certainly not to underscore your experience, but I've never had any
issues moving my Tivo's.  What you might try doing if you have the
opportunity to test a little more.  If you have another spare box with
a couple nics, do another pfsense install with a different LAN
network, put it in front of your existing pfsense install.  See if
your issues go away...choose a bizarre subnet like 10.49.253.0 or
something just so you know nothing is likely to be stomping on it.

  It seems that a precondition for the conflict to occur is a common IP on the 
 LAN and the WAN.  Would that be true?

I think so.  I admit, I somewhat forget what the original problem was
and don't feel up to trolling through the archives to find it, sorry
:) I'll trade ya problems, yours sounds MUCH more interesting than
mine right now :-/

--Bill


- Original Message - 
From: Tortise [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Thursday, April 03, 2008 11:10 PM
Subject: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?


Hi

I am still tracking down issues on our cable network here.  (See previous old 
posts - its getting better!)

We seem to be getting an issue with rogue ARP data, for example LAN addresses 
getting replies from the WAN side, as logged, for
example:

kernel: arp: unknown hardware address format (0x)
kernel: arp: unknown hardware address format (0xdd1f)
kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0

I cannot identify these ARPs on the LAN so they seem to be WAN side.

It may be possible that some sort of erroneous ARP traffic is the problem here 
that causes the Motorola Cable modem to occasionally
reboot and also to occasionally lose the connection with pfSense, which has 
been re-established with ifconfig code as has been
detailed on the list before.

With reference to http://www.geekzone.co.nz/forums.asp?ForumId=44TopicId=19840 
what sort of ARP caching does pfSense do?

This is on 1.2 RC2 embedded, have there been any changes since that might be 
relevant to this issue here since?  (I have not
upgraded as an upgrade I expect needs to be customised with the ifconfig rescue 
code we did!)

Can anyone make anything of what I have described here?

Kind regards
David Hingston 



Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?

2008-04-03 Thread Tortise
could it be you have two machines accidentally set up with the same IP - 
perhaps broken DHCP?
= I very much doubt this is the case.  Some are static, rest pfSense is doing 
the DHCP.  All devices on the LAN are functioning as 
expected.

if you've got managed switches, can you check their arp tables to see where 
those mac addresses live?
= unmanaged switches.  I have checked all the MAC addresses I can find on the 
LAN and local WAN, (pfSense makes this easy with the 
ARP and DHCP lease pages) put into spreadsheet and searched the errant ones 
for, none are found.  I suppose one could find the ARP 
range assigned to what manufacturer, but that sounds hard and non specific.

are you using vlans, and if so could you have accidentally joined them?
= Not sure, have got PPTP setup, but most of time it is unused.  Problem occurs 
when PPTP not operational.  Does that answer?

It was only implied, to be clear em0 is WAN, em1 is LAN.

I know others on the same cable network who are having similar problems.

Kind regards
David Hingston


- Original Message - 
From: Paul M [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Friday, April 04, 2008 12:00 AM
Subject: Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?


Tortise wrote:
 kernel: arp: unknown hardware address format (0x)
 kernel: arp: unknown hardware address format (0xdd1f)
 kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
 kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0
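The log lines quoted in this thread are enough to build a small detector. The following is an added example, not code from the thread or from pfSense. It parses the FreeBSD "arp: X is on em1 but got reply from MAC on em0" messages and the "unknown hardware address format" messages, then tallies, per MAC, how often something on the WAN side (em0) answered for an address that belongs to the LAN (em1). That tally is the list of MACs David proposes handing to the ISP. The sample log is the four lines from the post plus two constructed lines (a repeat and an unrelated dhcpd line, to show that other lines are ignored); the MAC-to-vendor lookup is left out because it needs the online OUI database.

```python
import re
from collections import Counter

# FreeBSD kernel message emitted when an ARP reply for an address inside one
# interface's subnet arrives on a different interface.
WRONG_IFACE = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<expected>\w+) "
    r"but got reply from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<seen>\w+)",
    re.IGNORECASE)
# Emitted when the hardware-address type in an ARP packet is not one the kernel handles.
BAD_FORMAT = re.compile(r"arp: unknown hardware address format \((?P<code>0x[0-9a-f]*)\)",
                        re.IGNORECASE)

# Sample log: the four lines from the post, plus one constructed repeat and one
# constructed unrelated dhcpd line.
SAMPLE_LOG = [
    "kernel: arp: unknown hardware address format (0x)",
    "kernel: arp: unknown hardware address format (0xdd1f)",
    "kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0",
    "kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0",
    "kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0",
    "dhcpd: DHCPACK on 192.168.0.20 to 00:11:22:33:44:55 via em1",
]


def parse_arp_log(lines):
    """Turn raw log lines into event dicts; lines that match neither pattern are dropped."""
    events = []
    for line in lines:
        m = WRONG_IFACE.search(line)
        if m:
            events.append({"kind": "wrong_iface", **m.groupdict()})
            continue
        m = BAD_FORMAT.search(line)
        if m:
            events.append({"kind": "bad_format", "code": m.group("code")})
    return events


def wan_side_claimants(events, wan="em0", lan="em1"):
    """Count, per MAC, the replies seen on the WAN interface for addresses the
    firewall believes are on the LAN.  Each such MAC is a device on the shared
    cable segment using the same private range as this LAN."""
    hits = Counter()
    for e in events:
        if e["kind"] == "wrong_iface" and e["expected"] == lan and e["seen"] == wan:
            hits[e["mac"].lower()] += 1
    return hits


def claimed_lan_addresses(events, wan="em0", lan="em1"):
    """The LAN addresses that something on the WAN side has answered for."""
    return sorted({e["ip"] for e in events
                   if e["kind"] == "wrong_iface" and e["expected"] == lan and e["seen"] == wan})


if __name__ == "__main__":
    events = parse_arp_log(SAMPLE_LOG)
    for mac, count in wan_side_claimants(events).most_common():
        print(f"{mac}: {count} reply/replies on em0 for LAN addresses")
    print("LAN addresses claimed from the WAN side:", claimed_lan_addresses(events))
    print("malformed ARP packets seen:",
          [e["code"] for e in events if e["kind"] == "bad_format"])
```

Feeding the system log through this at intervals gives the evidence Bill's reply points at: a non-empty tally means another customer on the cable segment is using 192.168.0.0/24, and the address list shows which LAN hosts are being answered for. Whether the kernel actually honours those replies is a separate question, which the thread leaves open; the detector only reports that they arrived.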




Re: [pfSense-discussion] php: : Not installing nat reflection rules for a port range > 500 (1.2-RC2)

2007-11-11 Thread Tortise

Scott

I have looked into this some more; yes I do have one range > 500, for
Asterisk VOIP, which seems standard practice: WAN UDP 10001 - 16383
192.168.x.x (ext.: a.b.c.d) 10001 - 16383.


The funny thing is they have been there for ages and did not exhibit this, 
it was only when I added the 4th RDP singleton that the message started 
coming up.


On rebooting it came up twice in the log in the initial bootup cycle.

Here is the section, it does not appear again.

Nov 11 22:39:29 dhcpd: All rights reserved.
Nov 11 22:39:29 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Nov 11 22:39:29 dhcpd: Internet Systems Consortium DHCP Server V3.0.5
Nov 11 22:39:17 pftpx[403]: listening on 127.0.0.1 port 8021
Nov 11 22:39:17 pftpx[403]: listening on 127.0.0.1 port 8021
Nov 11 22:39:10 php: : Not installing nat reflection rules for a port range > 500
Nov 11 22:39:09 php: : Not installing nat reflection rules for a port range > 500

Nov 11 22:39:03 kernel: pflog0: promiscuous mode enabled
Nov 11 22:38:38 sshlockout[327]: sshlockout starting up
Nov 11 22:38:38 sshlockout[327]: sshlockout starting up
Nov 11 22:38:38 sshd[325]: Server listening on 0.0.0.0 port 22.
Nov 11 22:38:38 sshd[325]: Server listening on :: port 22.

Is this correct behaviour, or should port ranges be limited to < 500?  (Or
perhaps entered as two sequential ranges?)


David

- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]

To: discussion@pfsense.com
Sent: Saturday, November 10, 2007 5:22 AM
Subject: Re: [pfSense-discussion] php: : Not installing nat reflection rules for a port range > 500 (1.2-RC2)




You most likely have a port range defined.

Scott


On Nov 9, 2007 2:26 AM, Tortise [EMAIL PROTECTED] wrote:

Hi Team

I added a rule for MS TS access to 3389, I get logged php: : Not installing
nat reflection rules for a port range > 500 and the connection does not
seem to be created.

I cannot however find a port range > 500 and the port added is a single
port.

Can anyone advise me on this please?

Kind regards

David

PS on reviewing all my rules it seems that UDP NAT entries may have been
erroneously automatically entered in rules as TCP rules?






[pfSense-discussion] php: : Not installing nat reflection rules for a port range > 500 (1.2-RC2)

2007-11-09 Thread Tortise

Hi Team

I added a rule for MS TS access to 3389, I get logged php: : Not installing
nat reflection rules for a port range > 500 and the connection does not
seem to be created.


I cannot however find a port range > 500 and the port added is a single
port.


Can anyone advise me on this please?

Kind regards

David

PS on reviewing all my rules it seems that UDP NAT entries may have been 
erroneously automatically entered in rules as TCP rules? 



[pfSense-discussion] What is /etc/ping_hosts.sh for exactly?

2007-08-29 Thread Tortise
Hi

In writing a program to run a 5 minute ping / ifconfig rescue (which I think I 
may have achieved - appended) I note the cron job 
running every 5 minutes

*/5 * * * * root /etc/ping_hosts.sh

/etc/ping_hosts.sh contains:

#!/bin/sh

# pfSense ping helper
# written by Scott Ullrich
# (C)2006 Scott Ullrich
# All rights reserved.

# Format of file should be delimited by |
#  Field 1:  Source ip
#  Field 2:  Destination ip
#  Field 3:  Ping count
#  Field 4:  Script to run when service is down
#  Field 5:  Script to run once service is restored
#  Field 6:  Ping time threshold
#  Field 7:  Wan ping time threshold

# Read in ipsec ping hosts
if [ -f /var/db/ipsecpinghosts ]; then
 IPSECHOSTS=/var/db/ipsecpinghosts
fi

# General file meant for user consumption
if [ -f /var/db/hosts ]; then
 HOSTS=/var/db/hosts
fi

# Package specific ping requests
if [ -f /var/db/pkgpinghosts ]; then
 PKGHOSTS=/var/db/pkgpinghosts
fi

# Merge whichever of the three lists exist into one working file
cat $PKGHOSTS $HOSTS $IPSECHOSTS > /tmp/tmpHOSTS

if [ ! -d /var/db/pingstatus ]; then
 /bin/mkdir -p /var/db/pingstatus
fi

if [ ! -d /var/db/pingmsstatus ]; then
 /bin/mkdir -p /var/db/pingmsstatus
fi

PINGHOSTS=`cat /tmp/tmpHOSTS`
for TOPING in $PINGHOSTS ; do
 echo "PROCESSING $TOPING"
 SRCIP=`echo "$TOPING" | cut -d"|" -f1`
 DSTIP=`echo "$TOPING" | cut -d"|" -f2`
 COUNT=`echo "$TOPING" | cut -d"|" -f3`
 FAILURESCRIPT=`echo "$TOPING" | cut -d"|" -f4`
 SERVICERESTOREDSCRIPT=`echo "$TOPING" | cut -d"|" -f5`
 THRESHOLD=`echo "$TOPING" | cut -d"|" -f6`
 WANTHRESHOLD=`echo "$TOPING" | cut -d"|" -f7`
 echo "Processing $DSTIP"
 # Look for a service being down (-S sets the source address on FreeBSD ping)
 ping -c "$COUNT" -S "$SRCIP" "$DSTIP"
 if [ $? -eq 0 ]; then
  # Host is up
  # Read in previous status (empty on the first run for this host)
  PREVIOUSSTATUS=`cat /var/db/pingstatus/$DSTIP 2>/dev/null`
  if [ "$PREVIOUSSTATUS" = "DOWN" ]; then
   # Service restored
   if [ "$SERVICERESTOREDSCRIPT" != "" ]; then
    echo UP > /var/db/pingstatus/$DSTIP
    echo "$DSTIP is UP, previous state was DOWN .. Running $SERVICERESTOREDSCRIPT"
    echo "$DSTIP is UP, previous state was DOWN .. Running $SERVICERESTOREDSCRIPT" | logger -p daemon.info -i -t PingMonitor
    sh -c "$SERVICERESTOREDSCRIPT"
   fi
  fi
  echo UP > /var/db/pingstatus/$DSTIP
 else
  # Host is down
  PREVIOUSSTATUS=`cat /var/db/pingstatus/$DSTIP 2>/dev/null`
  if [ "$PREVIOUSSTATUS" = "UP" ]; then
   # Service is down
   if [ "$FAILURESCRIPT" != "" ]; then
    echo DOWN > /var/db/pingstatus/$DSTIP
    echo "$DSTIP is DOWN, previous state was UP ..  Running $FAILURESCRIPT"
    echo "$DSTIP is DOWN, previous state was UP ..  Running $FAILURESCRIPT" | logger -p daemon.info -i -t PingMonitor
    sh -c "$FAILURESCRIPT"
   fi
  fi
  echo DOWN > /var/db/pingstatus/$DSTIP
 fi
 echo "Checking ping time $DSTIP"
 # Look at the round-trip time itself: field 7 of the reply line is "time=NN.NNN",
 # so this leaves the millisecond value (empty if the ping got no reply)
 PINGTIME=`ping -c 1 -S "$SRCIP" "$DSTIP" | awk '{ print $7 }' | grep time | cut -d"=" -f2`
 echo "Ping returned $?"
 echo "$PINGTIME" > /var/db/pingmsstatus/$DSTIP
 if [ "$THRESHOLD" != "" ] && [ "$PINGTIME" != "" ]; then
  # test(1) -gt only compares integers, so drop the fractional milliseconds
  if [ "${PINGTIME%.*}" -gt "$THRESHOLD" ]; then
   echo "$DSTIP has exceeded ping threshold $PINGTIME / $THRESHOLD .. Running $FAILURESCRIPT"
   echo "$DSTIP has exceeded ping threshold $PINGTIME / $THRESHOLD .. Running $FAILURESCRIPT" | logger -p daemon.info -i -t PingMonitor
   sh -c "$FAILURESCRIPT"
  fi
 fi
 # Wan ping time threshold: the last minute's average from the WAN quality RRD
 WANTIME=`rrdtool fetch /var/db/rrd/wan-quality.rrd AVERAGE -r 120 -s -1min -e -1min | grep : | cut -f3 -d" " | cut -d"e" -f1`
 echo "Checking wan ping time $WANTIME"
 echo "$WANTIME" > /var/db/wanaverage
 if [ "$WANTHRESHOLD" != "" ] && [ "$WANTIME" != "" ]; then
  if [ "${WANTIME%.*}" -gt "$WANTHRESHOLD" ]; then
   echo "$DSTIP has exceeded wan ping threshold $WANTIME / $WANTHRESHOLD .. Running $FAILURESCRIPT"
   echo "$DSTIP has exceeded wan ping threshold $WANTIME / $WANTHRESHOLD .. Running $FAILURESCRIPT" | logger -p daemon.info -i -t PingMonitor
   sh -c "$FAILURESCRIPT"
  fi
 fi
done

exit 0

What is this supposed to do?   (And is it supposed to do what I was wanting to 
do, but not quite?)

With thanks

David Hingston


/etc/pinger.sh is called from crontab and is now:

#!/bin/sh
# Ping the first hop once; if it does not answer, bounce the WAN NIC (em0) to
# recover the link.  Static_ip_Gateway is a placeholder for the real gateway IP.
if ping -c1 Static_ip_Gateway > /dev/null 2>&1
then
 echo First_Hop_OK
else
 ifconfig em0 down && ifconfig em0 up
 echo Restored
fi