[pfSense] Bandwidth quota on pfsense.

2014-09-18 Thread Muhammad Yousuf Khan
I have been working with pfSense for a few years; it's the best firewall tool
that I have worked with.
Now I want to assign a quota to every IP behind the firewall.
Let's say I have a static quota of 10 GB. Now I want to assign 10 GB to each
client IP.

for example.

192.168.1.10 = 10GB limit
192.168.1.11 = 10GB limit
192.168.1.12 = 10GB limit
and so on

I see the Limiter option in QoS; it can be used for shaping the bandwidth,
but what I want is to limit the total download for the month. A user
cannot go beyond that limit.

Can anyone please help.

Thanks,
MYK
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Added ntopng.pbi via command line, how do I add to webui?

2014-09-18 Thread Renato Botelho
On Sep 17, 2014, at 20:48, Wade Blackwell wa...@bablam.com wrote:
>
> Good afternoon all,
>   I added ntopng to my platform via command line and restarted the
> webconfigurator. I was expecting to see the package show up under
> diagnostics, as it did on my other platform that I installed the package via
> webui package installer, but it doesn't. Is there a way to add that? Searches
> on this topic have been inconclusive. Thanks, install looked like this;
>
> [2.1.5-RELEASE][r...@firewall.domain.com]/usr/local/pkg(21): pbi_add
> --no-checksig ntopng-1.1_1-amd64.pbi
> Verifying Checksum...OK
> Extracting to: /usr/pbi/ntopng-amd64
> Adding group: redis
> Adding user: redis
> Installed: ntopng-1.1_1

Web interface components are not distributed inside PBI. You should install it 
using System - Packages menu.

--
Renato Botelho



[pfSense] CVE-2004-0230

2014-09-18 Thread Martin Fuchs
Hi!
Does CVE-2004-0230 affect pfSense 2.1.5?

regards,
Martin

Re: [pfSense] CVE-2004-0230

2014-09-18 Thread Vick Khera
According to 
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:19.tcp.asc
the workaround is to turn on pf.

Therefore, the answer to your question is technically yes but in
practice no.


On Thu, Sep 18, 2014 at 8:55 AM, Martin Fuchs mar...@fuchs-kiel.de wrote:
> Hi!
> Does CVE-2004-0230 affect pfSense 2.1.5?
>
> regards,
> Martin



Re: [pfSense] CVE-2004-0230

2014-09-18 Thread Martin Fuchs
sounds reasonable ;-)
thanks a lot,
 
martin
 

[pfSense] Routing issue

2014-09-18 Thread Nenhum_de_Nos
Hail,

I have a strange issue. I get the default route by OSPF, and that is fine. But I
then need to not have default routes and gateways configured. So far, so good.
Now I need to set a route to another network, with no default route then.

I create the gateway, and as I have no other one the WebUI sets it as default:

GW_OI (default) OSPF_1  172.16.1.1  172.16.1.1

no matter how many times I untick the default box. When I create it, it is
not ticked either.

Although this shows, my routes won't show that router as default:

netstat -rn -f inet

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.199.2      UG1         0     1267 em0_vl
127.0.0.1          link#5             UH          0     6723    lo0
172.16.1.0/24      link#10            U           0      392 em0_vl
172.16.1.2         link#10            UHS         0        0    lo0
172.18.1.2         192.168.199.2      UGH1        0        0 em0_vl
192.168.1.0/24     link#7             U           0 2409242779    ue0
192.168.1.1        link#7             UHS         0        0    lo0
192.168.197.0/24   192.168.199.2      UG1         0        0 em0_vl
192.168.198.0/32   172.16.1.1         UGS         0        0 em0_vl =
192.168.198.0/24   192.168.199.2      UG1         0        5 em0_vl
192.168.199.0/24   link#9             U           0       24 em0_vl
192.168.199.3      link#9             UHS         0        0    lo0

My main concern is that this is fine now, but later something changes, as
in a reboot. This is a test environment but will soon go into production.

Has anyone seen this? Is it really harmless?

thanks,

matheus


-- 
We will call you Cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style
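To see what the kernel actually uses as its default route, rather than what the gateway page claims, here is an added Python check that is not from the list or from pfSense: it parses `netstat -rn -f inet` output, reports the default gateway, and compares it with the gateway the GUI marks as default (172.16.1.1 in the post). The '1' flag is assumed here to be RTF_PROTO1 on routes installed by a routing daemon.

```python
import re

# Constructed sample: the poster's `netstat -rn -f inet` table with its
# column whitespace restored (values as shown in the post).
SAMPLE = """Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.199.2      UG1         0     1267 em0_vl
127.0.0.1          link#5             UH          0     6723    lo0
172.16.1.0/24      link#10            U           0      392 em0_vl
172.16.1.2         link#10            UHS         0        0    lo0
172.18.1.2         192.168.199.2      UGH1        0        0 em0_vl
192.168.1.0/24     link#7             U           0 2409242779    ue0
192.168.1.1        link#7             UHS         0        0    lo0
192.168.197.0/24   192.168.199.2      UG1         0        0 em0_vl
192.168.198.0/32   172.16.1.1         UGS         0        0 em0_vl =
192.168.198.0/24   192.168.199.2      UG1         0        5 em0_vl
192.168.199.0/24   link#9             U           0       24 em0_vl
192.168.199.3      link#9             UHS         0        0    lo0
"""

# dest, gateway, flag letters, refs, use, netif; trailing "=" (multipath) ignored
ROUTE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z0-9]+)\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_routes(text):
    """Return one dict per route line; banner and header lines do not match."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m is None:
            continue
        dest, gw, flags, refs, use, netif = m.groups()
        routes.append({"dest": dest, "gateway": gw, "flags": set(flags),
                       "refs": int(refs), "use": int(use), "netif": netif})
    return routes

def routes_via(routes, gateway):
    """Destinations whose next hop is `gateway` (e.g. the GUI's 'default' GW)."""
    return [r["dest"] for r in routes if r["gateway"] == gateway]

def check_default(text, gui_default_gw):
    """(kernel default GW, carries flag '1', GUI default matches kernel).
    Flag '1' (RTF_PROTO1) is assumed to mark daemon-installed routes."""
    dflt = [r for r in parse_routes(text) if r["dest"] == "default"]
    if not dflt:
        return (None, False, False)
    gw, flags = dflt[0]["gateway"], dflt[0]["flags"]
    return (gw, "1" in flags, gw == gui_default_gw)
```

Run it against a live `netstat -rn -f inet` dump before and after a reboot; if the kernel default moves to the GUI's gateway, the GUI's "default" flag stopped being harmless.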


Re: [pfSense] CVE-2004-0230

2014-09-18 Thread Jim Pingle
On 9/18/2014 8:55 AM, Martin Fuchs wrote:
 Does CVE-2004-0230 affect pfSense 2.1.5 ?

As Vick mentions, practically the answer is 'no'.

There are some rare cases when it might, however. It would require:

1. Disabled pf (System > Advanced, Firewall/NAT tab, check Disable all
packet filtering)
1a. Or the default rules were replaced by interface and floating rules
in every direction set to 'no state'

2. The firewall is still reachable by the attacker

3. Connections are being made _to_ pfSense (not _through_ pfSense), e.g.
local services such as the GUI, packages such as haproxy or squid, etc,
*NOT* WAN-to-LAN or LAN-to-DMZ type connections.

If all of the above are true then it may be susceptible to the attack
described in the FreeBSD SA.

I don't think I have ever witnessed a setup that met all of those
criteria, and even those that could meet the criteria wouldn't
necessarily have long-lived connections for which such a TCP session
reset would have any meaningful impact.

We will have the fix in 2.2 but I'm not sure if there will be another
2.1.x release at this time, but we'll see what happens.

Jim


Re: [pfSense] CVE-2004-0230

2014-09-18 Thread Jim Thompson
Maybe a blog post about this?

-- Jim



[pfSense] VIP,MAC Arp

2014-09-18 Thread Nick Upson
Hi

I'll try to make this as short as possible without leaving out important
information.

I've been running a pfsense 1.2 box for several years, all is fine. I now
need to have an additional WAN connection which will be made up of 3 adsl
lines bonded by a firebrick. From the POV of the pfsense its just a very
good adsl connection.

We have a new /27 range to go with this new installation and here is the
problem: external ping/connectivity to the new IPs doesn't work except one,
the .225 address; it seems the firebrick requires ARP in order to route
them. I have set up several different Virtual IPs (tried different types,
individually and as a range) and they don't work; the firebrick ARP table
only contains the .255 with a MAC address, the rest don't have one and so
are not used (I'm told).

How can I configure the VIPs so that they will all have a pseudo-MAC and
hence work?



Nick Upson, Telensa Ltd, Senior Operations Network Engineer
direct +44 (0) 1799 533252, support hotline +44 (0) 1799 399200

Re: [pfSense] VIP,MAC Arp

2014-09-18 Thread Chris Bagnall

On 18/9/14 8:13 pm, Nick Upson wrote:
> We have a new /27 range to go with this new installation and here is the
> problem: external ping/connectivity to the new IPs doesn't work except one,
> the .225 address; it seems the firebrick requires ARP in order to route
> them. I have set up several different Virtual IPs (tried different types,
> individually and as a range) and they don't work; the firebrick ARP table
> only contains the .255 with a MAC address, the rest don't have one and so
> are not used (I'm told).


In my experience (and one of our clients had a similar setup a couple of 
years back before they got FTTC), you want a Proxy ARP entry on your 
pfSense VIP page for the whole IP range, so assuming the subnet you've 
been given is a.b.c.224/27, just create a corresponding VIP rule.


Here's one of mine for a much smaller range:
a.b.c.176/29    ADSL2    proxy arp

(note the choice of interface - make sure you choose the interface to 
which you've connected the Firebrick)


As an idle curiosity - is this an AAISP connection you're using? If so, 
their IRC channel is usually populated with some pretty clueful folks, 
some of whom run pfSense, so it might also be worth asking on there.


Kind regards,

Chris
--
This email is made from 100% recycled electrons