Re: [pfSense] pfSense 2.1.2 is released

2014-04-14 Thread Seth Mos
On 15-4-2014 7:41, Chris Buechler wrote:
> On Sun, Apr 13, 2014 at 7:33 AM, Doug Lytle  wrote:
>> Jim Thompson wrote:
>>> pfSense release 2.1.2 is now available.  pfSense release 2.1.2 follows less 
>>> than a week after pfSense release 2.1.1, and is primarily a security 
>>> release.
>>
>> Okay,
>>
>> I've just upgraded from 2.1.1 to 2.1.2, now I notice that my firewall
>> logs are being spammed with IPV6 ICMP notifications.
>>
> 
> The "now I notice" being the key part there. Nothing related to that's
> changed. If you don't check "Allow IPv6" under System>Advanced, you
> have a block all rule on IPv6 with logging. Things on your LAN will
> have link local addresses and spew multicast stuff. Probably want to
> configure some block rules for v6 with no logging.
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
> 

To be extra clear here, if you check "Allow IPv6", it won't
automatically allow IPv6 traffic, it just means you can now create rules
for IPv6 traffic instead of the default IPv6 deny all.

Also, iirc, when the "Allow IPv6" is checked the default deny rule will
log IPv6 as it will IPv4. And if you don't check "Allow IPv6" it will
silently drop IPv6 traffic as it did previously.

Also, if you've been using the 2.1 snapshots in 2012 and 2013 the config
will have had that setting enabled, which corresponds with your firewall
logs. Maybe you have an upgraded config.

2.1-RELEASE and later do *not* set that on upgrade though, it was
primarily for people tracking the snapshots at the time.

Kind regards,

Seth


Re: [pfSense] pfSense 2.1.2 is released

2014-04-14 Thread Chris Buechler
On Sun, Apr 13, 2014 at 7:33 AM, Doug Lytle  wrote:
> Jim Thompson wrote:
>> pfSense release 2.1.2 is now available.  pfSense release 2.1.2 follows less 
>> than a week after pfSense release 2.1.1, and is primarily a security release.
>
> Okay,
>
> I've just upgraded from 2.1.1 to 2.1.2, now I notice that my firewall
> logs are being spammed with IPV6 ICMP notifications.
>

The "now I notice" being the key part there. Nothing related to that's
changed. If you don't check "Allow IPv6" under System>Advanced, you
have a block all rule on IPv6 with logging. Things on your LAN will
have link local addresses and spew multicast stuff. Probably want to
configure some block rules for v6 with no logging.


[pfSense] no clamav with new dansguardian package

2014-04-14 Thread Wolfgang Riegler
Hi,

the new dansguardian package (2.12.0.3_2 pkg v.0.1.8) doesn’t install clamav 
anymore. Do I have to install clamav manually or is this a bug? Can I install 
the old package, which worked fine for me?

My pfsense version: 2.1.2-RELEASE (amd64)

thanks in advance

Wolfgang


Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Levelof Support

2014-04-14 Thread Brian Caouette
I'm still not able to surf the net even with the 2.1.2 update if Captive 
Portal is active. The minute I disable it everything works fine. Not 
sure what is going on. Can anyone else confirm?


On 4/12/2014 11:04 PM, Roberto Tufik wrote:

+1 here


"Ryan Coleman"  wrote in message
news:33110045-3714-4e0c-af18-8c24cbba8...@me.com...

+1

--
Ryan Coleman
ryanjc...@me.com
m. 651.373.5015
o. 612.568.2749


On Apr 10, 2014, at 20:18, Mehma Sarja
 wrote:

Thanks go out to Chris, Jim and the whole pfSense team for what must be
back breaking work coming on the heels of the 2.1.1 release! This kind of
commitment speaks volumes for the quality of products coming out of
Netgate.

Yudhvir

Re: [pfSense] How to allow only incoming HTTP/HTTPs traffic from WAN interface?

2014-04-14 Thread Walter Parker
Yes but, if the website is using css and js from other domains, the web
servers don't pull the css and js from the Internet and resend it to the
client.  The client pulls the web page from your server using HTTP,
processes the HTML, sees the CSS and JS links to other domains and then
loads the CSS and JS from those domains (servers). Even that is actually
irrelevant, because CSS and JS are served up just like HTML, as normal
HTTP requests, so if you host those locally, they are just more files.

If you are building a reverse proxy for a public website, then you only need
two access rules (HTTP allow all, HTTPS allow all). Then you set up
pass-through rules to pass HTTP and HTTPS to the reverse proxy server.

I'd suggest that you see if the Proxy plugin works for your situation. It
does reverse proxy and has mod_security, which has built-in
filtering/security checks for web traffic. If you are trying to do DDOS
protection, then you need to put the router and reverse proxy servers at a
data center with lots of bandwidth. Putting the Reverse Proxy server on the
same network feed as the web server will not mitigate the bandwidth denial
features of a DDOS attack.

Also, I would suggest that you might think about conceptualizing the
project in terms of what you want rather than how you would re-implement a
system using open source to replace one for one the expensive proprietary
tools that exist on the market (Cisco, Juniper, WatchGuard, F5, Barracuda).

How you protect a network of web servers is quite different from how you
would protect a network of desktop computers.


Walter



On Mon, Apr 14, 2014 at 12:17 PM, Oğuz Yarımtepe wrote:

>
> The problem with this setup is, what will happen if the website is using
> some css, js files from other domains? Adding a rule for each of these
> domains will be painful after a while I assume. But on the other hand, I
> will be using this reverse proxy node as the first entry point to my DDoS
> protection network, so not sure whether DPI is a good thing here or not.
>
>
> On Sat, Apr 12, 2014 at 11:40 PM, Walter Parker  wrote:
>
>> How about configuring the firewall to block everything and then
>> create a rule that forwards/allows only port 80 and 443 to the reverse
>> proxy server. Configure the reverse proxy server to only support HTTP
>> traffic (on port 80 and using SSL on 443). Then you don't need to do DPI.
>> I'd say you don't actually need to filter the traffic to the reverse proxy
>> server if you pick one that can be configured to only support HTTP
>> traffic.
>>
>>
>>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] How to allow only incoming HTTP/HTTPs traffic from WAN interface?

2014-04-14 Thread Oğuz Yarımtepe
The problem with this setup is, what will happen if the website is using
some css, js files from other domains? Adding a rule for each of these
domains will be painful after a while I assume. But on the other hand, I
will be using this reverse proxy node as the first entry point to my DDoS
protection network, so not sure whether DPI is a good thing here or not.


On Sat, Apr 12, 2014 at 11:40 PM, Walter Parker  wrote:

> How about configuring the firewall to block everything and then
> create a rule that forwards/allows only port 80 and 443 to the reverse
> proxy server. Configure the reverse proxy server to only support HTTP
> traffic (on port 80 and using SSL on 443). Then you don't need to do DPI.
> I'd say you don't actually need to filter the traffic to the reverse proxy
> server if you pick one that can be configured to only support HTTP
> traffic.
>
>
>

Re: [pfSense] LoadBalancing traffic FROM the pfSense

2014-04-14 Thread Justin Edmands
On Mon, Apr 14, 2014 at 12:47 PM, Lucas Mocellin wrote:

> Hello,
>
> I googled and tried to search in this list but didn't find anything very
> useful.
>
> my loadbalance/fail over is working out amazingly, the only thing is that
> the traffic FROM the pfSense by itself is not passing through these rules.
>
> I tried to force in the WAN interface to get this traffic from WAN address
> and put it to the gateway group but it didn't work out.
>
> does someone have a generic answer for this? I checked individual answers
> for any of the specific services. in my case I wanna OpenVPN client to use
> the loadbalance, with one preferred link.
>
> thanks in advance,
>
> Lucas.
>
>
I think you may need a NAT rule (someone please correct me if this is
incorrect).

An example NAT rule would be to set your source to be your OpenVPN
interface. Set the destination to be your loadbalancer virtual server. You
may need to clone the existing virtual server that uses the WAN IP, but I
find that "cloning" doesn't work. Just open a new one and manually copy
over the new settings. Set the destination as the internal loadbalanced
IP (may or may not need a Virtual IP setup for this).

Let me know how this goes. I will most likely be doing this kind of thing
in the future.

Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread Paul Mather
On Apr 14, 2014, at 1:33 PM, compdoc  wrote:

>> I found that I had problems with FreeBSD using pf + virtio under KVM
> 
> Virtio in KVM works fine with pfSense, but you have to modify
> the /boot/loader.conf.local file to enable the drivers. And if you load the
> storage drivers, you have to modify /etc/fstab.
> 
> https://doc.pfsense.org/index.php/VirtIO_Driver_Support

Just to clarify on my original post, the problem I experienced was at 
the KVM host end, not the FreeBSD guest end.  The combination of pf + 
virtio would trigger lots of "[abrt] full crash report" e-mails from 
the KVM host whereas pf + e1000 wouldn't.  It seemed that pf + virtio 
interacted badly with the bridging setup on the KVM host; pf + e1000 
had no issues.  All this happened over a year ago, under CentOS 6.4 and 
FreeBSD 9-STABLE (different from the "Works-For-Me" list at the above 
URL), and I'm hazy on the details now.  I should try again to see if 
the problem still persists now.

Cheers,

Paul.



Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread compdoc
> I found that I had problems with FreeBSD using pf + virtio under KVM

Virtio in KVM works fine with pfSense, but you have to modify
the /boot/loader.conf.local file to enable the drivers. And if you load the
storage drivers, you have to modify /etc/fstab.

https://doc.pfsense.org/index.php/VirtIO_Driver_Support





Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread Paul Mather
On Apr 14, 2014, at 10:36 AM, Tim Nelson  wrote:

> - Original Message - 
>> I'll put here the amount of info that I can before my server's
>> security may be compromised.
> 
>> I want to install pfsense to a server that's hosted by ProfitBrick
>> and using KVM as virtualization environment which may become a
>> problem.
> 
>> It has two nics. One for WAN and one for LAN.
> 
>> The need for it is just simple as providing firewall and NAT(If
>> needed.) to the local network which has some servers that are not
>> and will not be on the public network directly.
> 
>> The install goes fine, but the problems start becoming visible when
>> I'm trying to configure it.
> 
> 
> What type of NIC emulation is the KVM VM providing? e1000 would be best, 
> followed by virtio, then possibly rtl8139. Of course, that is coming from my 
> experience with using KVM via Proxmox VE, not KVM in a manual or 'cloud' 
> environment such as Profitbrick.

I found that I had problems with FreeBSD using pf + virtio under KVM 
but not when using pf + e1000 under KVM (under CentOS 6).  That was 
under RELENG_9.  I haven't tried RELENG_8_* or RELENG_10.  I should try 
again, to see if I still get problems.

Cheers,

Paul.



[pfSense] LoadBalancing traffic FROM the pfSense

2014-04-14 Thread Lucas Mocellin
Hello,

I googled and tried to search in this list but didn't find anything very
useful.

my loadbalance/fail over is working out amazingly, the only thing is that
the traffic FROM the pfSense by itself is not passing through these rules.

I tried to force in the WAN interface to get this traffic from WAN address
and put it to the gateway group but it didn't work out.

does someone have a generic answer for this? I checked individual answers for
any of the specific services. in my case I wanna OpenVPN client to use the
loadbalance, with one preferred link.

thanks in advance,

Lucas.

Re: [pfSense] pfSense 2.1.2 is released

2014-04-14 Thread cbr
Hey Jim,

The addresses in your message are all link-local IPv6 addresses - 
http://en.wikipedia.org/wiki/Link-local_address#IPv6
Any interface with an IPv6-enabled stack on any device on the network will have a 
link-local address (it does not need to have a routable address assigned!).
Check the interfaces on your fw and other devices on the LAN - the ending bits of 
the link-local address usually are specific to the MAC address of the device 
that's using the address, i.e. fe80::20c:29ff:feca:a0be belongs to a device with a 
MAC ending in ca:a0:be.

These are being caught/logged by the default deny rule, so you may want to just 
add another rule specifically not-logging blocks to/from fe80::/10

I don't believe you can completely disable IPv6 via webUI of pfSense - I know 
you can do this via /etc/rc.conf on FreeBSD, unsure for pfSense.


On Apr 13, 2014, at 6:33 AM, Doug Lytle  wrote:

> Jim Thompson wrote:
>> pfSense release 2.1.2 is now available.  pfSense release 2.1.2 follows less 
>> than a week after pfSense release 2.1.1, and is primarily a security release.
> 
> Okay,
> 
> I've just upgraded from 2.1.1 to 2.1.2, now I notice that my firewall
> logs are being spammed with IPV6 ICMP notifications.
> 
> I'm not on an IPV6 network and have all IPV6 options disabled.  Snippet
> of the logs below:
> 
> 
>   Apr 13 08:26:46  lo0  Block all IPv6 (@3)  [fe80::20c:29ff:feca:a0be]  [ff02::1]  ICMPv6
>   Apr 13 08:26:46  LAN  Block all IPv6 (@4)  [fe80::20c:29ff:feca:a0be]  [ff02::1]  ICMPv6
>   Apr 13 08:26:38  lo0  Block all IPv6 (@3)  [fe80::20c:29ff:feca:a0be]  [ff02::1]  ICMPv6
> 
> I've found nothing under the logging options that I can check to disable
> these log entries.
> 
> Suggestions?
> 
> As a side note:
> 
> The system is a VM under EXSi 5.10
> The system is connected to 3 interfaces (LAN, WAN, DMZ)
> The system is connected to my home cable modem
> 
> Thanks,
> 
> Doug
> 
> -- 
> Ben Franklin quote:
> 
> "Those who would give up Essential Liberty to purchase a little Temporary 
> Safety, deserve neither Liberty nor Safety."
> 



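As an added example (not code from the thread or from pfSense itself), the following Python parses filter-log lines shaped like the excerpt Doug quoted, separates the link-local-to-multicast chatter that the default "Block all IPv6" rule logs from other blocked IPv6 traffic, and recovers each noisy source's MAC from its EUI-64 interface identifier the way cbr describes. The log lines are constructed for the example; only the fe80::20c:29ff:feca:a0be source comes from the post.

```python
import ipaddress
import re

# Constructed sample, modelled on the pfSense 2.1 firewall log excerpt in the thread.
# Only the fe80::20c:29ff:feca:a0be source is from the post; the other lines are invented.
SAMPLE_LOG = """\
Apr 13 08:26:46 lo0 Block all IPv6 (@3) [fe80::20c:29ff:feca:a0be] [ff02::1] ICMPv6
Apr 13 08:26:46 LAN Block all IPv6 (@4) [fe80::20c:29ff:feca:a0be] [ff02::1] ICMPv6
Apr 13 08:26:38 lo0 Block all IPv6 (@3) [fe80::20c:29ff:feca:a0be] [ff02::1] ICMPv6
Apr 13 08:27:02 LAN Block all IPv6 (@4) [fe80::1a2b:3cff:fe4d:5e6f] [ff02::2] ICMPv6
Apr 13 08:27:10 WAN Block all IPv6 (@4) [2001:db8::10] [2001:db8::1] TCP
"""

# Field layout assumed from the quoted excerpt: time, interface, rule label (@rule number),
# [source], [destination], protocol.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) (?P<rule>.+?) \(@(?P<ruleno>\d+)\) "
    r"\[(?P<src>[^\]]+)\] \[(?P<dst>[^\]]+)\] (?P<proto>\S+)$"
)

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
MULTICAST = ipaddress.IPv6Network("ff00::/8")


def eui64_to_mac(addr):
    """Recover the 48-bit MAC from an EUI-64 derived interface identifier.

    Returns None when the low 64 bits lack the ff:fe marker, which is the case
    for privacy (RFC 4941) or manually assigned identifiers."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip EUI-64 applies
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    src = ipaddress.IPv6Address(rec["src"])
    dst = ipaddress.IPv6Address(rec["dst"])
    # Link-local source talking to a multicast group is the neighbour discovery /
    # router solicitation background noise the thread is about.
    rec["link_local_noise"] = src in LINK_LOCAL and dst in MULTICAST
    rec["src_mac"] = eui64_to_mac(rec["src"]) if src in LINK_LOCAL else None
    return rec


def summarize(log_text):
    """Count blocked link-local/multicast chatter per (interface, source MAC or address)
    and separately count every other blocked IPv6 entry, which is worth keeping logged."""
    noise = {}
    other = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["link_local_noise"]:
            key = (rec["iface"], rec["src_mac"] or rec["src"])
            noise[key] = noise.get(key, 0) + 1
        else:
            other += 1
    return noise, other


if __name__ == "__main__":
    noise, other = summarize(SAMPLE_LOG)
    for (iface, who), n in sorted(noise.items()):
        print(f"{iface}: {n} blocked link-local multicast packets from {who}")
    print(f"{other} other blocked IPv6 entries")
```

The recovered MAC for the quoted source is 00:0c:29:ca:a0:be; 00:0c:29 is a VMware OUI, which fits the poster's note that the firewall runs as an ESXi VM, and the per-interface counts show where a no-log block rule for fe80::/10 would quiet the log without hiding the rest.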

Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread anonymous12



On 14 April 2014 17:36:45, Tim Nelson wrote:

- Original Message -

I'll put here the amount of info that I can before my server's
security may be compromised.



I want to install pfsense to a server that's hosted by ProfitBrick
and using KVM as virtualization environment which may become a
problem.



It has two nics. One for WAN and one for LAN.



The need for it is just simple as providing firewall and NAT(If
needed.) to the local network which has some servers that are not
and will not be on the public network directly.



The install goes fine, but the problems start becoming visible when
I'm trying to configure it.



What type of NIC emulation is the KVM VM providing? e1000 would be best, 
followed by virtio, then possibly rtl8139. Of course, that is coming from my 
experience with using KVM via Proxmox VE, not KVM in a manual or 'cloud' 
environment such as Profitbrick.

--Tim


I don't know which one it is...


Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread Tim Nelson
- Original Message - 
> I'll put here the amount of info that I can before my server's
> security may be compromised.

> I want to install pfsense to a server that's hosted by ProfitBrick
> and using KVM as virtualization environment which may become a
> problem.

> It has two nics. One for WAN and one for LAN.

> The need for it is just simple as providing firewall and NAT(If
> needed.) to the local network which has some servers that are not
> and will not be on the public network directly.

> The install goes fine, but the problems start becoming visible when
> I'm trying to configure it.


What type of NIC emulation is the KVM VM providing? e1000 would be best, 
followed by virtio, then possibly rtl8139. Of course, that is coming from my 
experience with using KVM via Proxmox VE, not KVM in a manual or 'cloud' 
environment such as Profitbrick.

--Tim


Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread anonymous12
I'll put here the amount of info that I can before my server's security 
may be compromised.



I want to install pfsense to a server that's hosted by ProfitBrick and 
using KVM as virtualization environment which may become a problem.


It has two nics. One for WAN and one for LAN.

The need for it is just simple as providing firewall and NAT(If needed.) 
to the local network which has some servers that are not and will not be 
on the public network directly.


The install goes fine, but the problems start becoming visible when I'm 
trying to configure it.



On 14.4.2014 16:32, Mehma Sarja wrote:
If your intent is to get help from this group, you may want to supply 
more information. Unless security concerns prevent you from doing so. 
In which case, I can guess there is a device you are trying to install 
on. I can also imagine the device having, or needing one or more 
Ethernet ports - depending upon what you want to do with it. I can 
also guess the install goes fine because you have at least reached the 
place where you configure the interfaces.





On Mon, Apr 14, 2014 at 3:25 AM, anonymous12 > wrote:


Hi all,


I have a problem with pfsense as it won't let me get it
installed and configured.


There's one valid network device which it says as: usbus00, but it
won't accept it if I type it.

Version: 2.1.2-RELEASE.



Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread Mehma Sarja
If your intent is to get help from this group, you may want to supply more
information. Unless security concerns prevent you from doing so. In which
case, I can guess there is a device you are trying to install on. I can
also imagine the device having, or needing one or more Ethernet ports -
depending upon what you want to do with it. I can also guess the install
goes fine because you have at least reached the place where you configure
the interfaces.




On Mon, Apr 14, 2014 at 3:25 AM, anonymous12 wrote:

> Hi all,
>
>
> I have a problem with pfsense as it won't let me get it installed and
> configured.
>
>
> There's one valid network device which it says as: usbus00, but it won't
> accept it if I type it.
>
> Version: 2.1.2-RELEASE.
>
>

[pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread anonymous12

Hi all,


I have a problem with pfsense as it won't let me get it installed and 
configured.



There's one valid network device which it says as: usbus00, but it won't 
accept it if I type it.


Version: 2.1.2-RELEASE.




Re: [pfSense] after upgrade to 2.1.1: never ending "Carp cluster member has resumed the state "BACKUP"" mails

2014-04-14 Thread Martin Fuchs
Hi, Chris !
I'll try this with a new install on 2 new systems that should arrive
today...

We'd switch then from x86 to x64.

Are there caveats when restoring the config (as stated in the docs)?
(https://doc.pfsense.org/index.php/Upgrade_Guide#Changing_architecture_.2832_bit_to_64_bit_or_vice_versa.29_during_upgrade)

Regards,
martin

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris
Buechler
Sent: Saturday, 12 April 2014 21:47
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] after upgrade to 2.1.1: never ending "Carp cluster
member has resumed the state "BACKUP"" mails

On Sat, Apr 12, 2014 at 9:58 AM, Martin Fuchs  wrote:
> Hi !
>
> It's very often that our CARP flaps.
>
> We have 5 Interfaces and it's about 10 times a day, but it's since the 
> update, before it was ok.
>
> I have configured each CARP master with base 1, 2, 3 and so on, skew 0 
> and each CARP slave with base 1, 2, 3 and so on, skew 100.

Base should be 1 on everything, or set to the same value on everything if
you don't want to advertise as frequently.


Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Levelof Support

2014-04-14 Thread Fons Hof
+1 here as well



Fons Hof 

system administrator, stichting De Balie 

think of the environment before you print this email!! 

Scan the QR code for full contact details 



- Original Message -
From: "Roberto Tufik" 
To: list@lists.pfsense.org
Sent: Sunday 13 April 2014 05:04:07
Subject: Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED   Levelof 
Support

+1 here


"Ryan Coleman"  wrote in message 
news:33110045-3714-4e0c-af18-8c24cbba8...@me.com...
> +1
>
> --
> Ryan Coleman
> ryanjc...@me.com
> m. 651.373.5015
> o. 612.568.2749
>
>> On Apr 10, 2014, at 20:18, Mehma Sarja 
>>  wrote:
>>
>> Thanks go out to Chris, Jim and the whole pfSense team for what must be 
>> back breaking work coming on the heels of the 2.1.1 release! This kind of 
>> commitment speaks volumes for the quality of products coming out of 
>> Netgate.
>>
>> Yudhvir