Re: [pfSense] Two factor Authentication

2016-12-08 Thread RB
On Thu, Dec 8, 2016 at 2:33 AM, user49b  wrote:
> Any ideas on how to get two factor authentication to work in console and/or
> GUI?

Should be pretty simple.  Point the system to third-party
authentication (say, AD).  Configure that third-party option to use
2-factor.  Enter your username, password, a separator (usually comma)
and your token value.  Done.  No need for three fields.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] USB3 to ethernet adaptor

2016-06-06 Thread RB
On Sun, Jun 5, 2016 at 7:02 PM, Volker Kuhlmann wrote:
> This is a laughable argument!

I'm not here to argue, you are.  More specifically, you're here to
press your personal point for open switch firmware.  Your paranoia,
it's showing.


Re: [pfSense] USB3 to ethernet adaptor

2016-05-26 Thread RB
On Thu, May 26, 2016 at 10:42 AM, WebDawg  wrote:
> I posted this a while ago:
>
>
> http://seclists.org/fulldisclosure/2016/Jan/77
>
> http://seclists.org/fulldisclosure/2016/Mar/25

I see, but that has nothing to do with the security of the VLAN
implementation, rather of the switch as a whole.  That switch is
certainly awful, but it's no reason to impugn the viability of using
VLANs across the board.

> Also, just because a vulnerability has not been reported or discovered,
> does not mean it does not exist.

Nor does it mean we avoid using an entire technology because there
"might" be vulnerabilities in what has otherwise remained a stable and
useful paradigm for decades.

The question of VLAN jumping remains open, in my mind.  An
appropriate, well-configured switch fabric should have no problem
carrying vastly different security levels in different VLANs,
vulnerabilities in its management software notwithstanding.


Re: [pfSense] USB3 to ethernet adaptor

2016-05-26 Thread RB
On Wed, May 25, 2016 at 6:25 PM, Volker Kuhlmann wrote:
> I disagree. While it'll work, its security is nowhere near the same. It
> depends on the VLAN switch's firmware being bugfree (we all know about
> how likely that is), it adds complexity, and it mixes physically
> separate networks together on one cable. Perhaps it might be acceptable
> to merge networks of the same security level, merging LAN and WAN
> networks doesn't sound like a good idea to me.

Entertain me, it's been literally a decade since I last saw someone
imply that switch VLAN implementations were generally of dubious
nature.  Can you perhaps point me to a recent VLAN-crossing
vulnerability, or documented VLAN crosstalk?  We all know about the
old CAM table overflows, but that's been long fixed.


Re: [pfSense] blocking torrents and web based https proxies

2015-03-27 Thread RB
On Fri, Mar 27, 2015 at 3:36 AM, Chris Bagnall
pfse...@lists.minotaur.cc wrote:
> On 27/3/15 3:56 am, WebDawg wrote:
>> May I ask why you would like to block it all?
>
> +1. It looks like the OP is looking for a technical solution to a
> social/political problem. I can understand it if your users are primary
> school children, but surely once your users are university age, you really
> shouldn't need to be filtering them at all...

A look at the OP's address might suggest an answer to your question.
Whether one agrees with the premise is up to the individual, but
turning a simple technical question into a political one isn't very
useful in the detached forum of online discussion.


Re: [pfSense] Locked myself out by disabling LAN

2015-03-23 Thread RB
On Mon, Mar 23, 2015 at 9:05 PM, Jean-Stéfane Bergeron j...@jsbergeron.ca wrote:
> I'm on the road for another two weeks - is there any way I can re-enable my
> lan or connect to my router remotely to restore access? Or am I pooched until
> I can get back to my router physically?

Without one of shell (console, ssh) or web access, you're pretty
stuck.  Since you applied the change, a reboot won't help.  Usually
when I'm on the road I have a red light switch tied to critical
equipment that friends/family/petsitters can manage without too much
drama.

Re: [pfSense] OT: Good network switch for 10 machines?

2014-09-23 Thread RB
On Tue, Sep 23, 2014 at 11:36 AM, Moshe Katz mo...@ymkatz.net wrote:
> If you don't need to do any fancy routing or VLAN stuff, just go on Amazon
> or NewEgg and get the top-rated 16-port unmanaged gigabit switch.

I would slightly disagree - note that it's a compute cluster and that
the machines have dual NIC ports.  If the cluster's application is
network-heavy or needs each host to have a highly-available network
link, I'd suggest at least a managed switch that can do LACP.  I've
had decent results with the Linksys/Cisco SMB switches and the ZyXel
GS1900 range.

If one NIC is okay, any unmanaged 16-port will do.  If dual links are
required, I'd suggest either a trio of 16s (two access and one core
that's dual-linked to the access switches) or a single 24 if
redundancy isn't a concern.
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Fwd: [Announce] 2.1.5 Release

2014-08-28 Thread RB
On Thu, Aug 28, 2014 at 2:59 PM, Ryan Coleman ryanjc...@me.com wrote:
> FYI.

Oh, hey - sweet!  I didn't even realize I wasn't subscribed to announce@


Re: [pfSense] Recommendations for Analyzing Firewall logs

2014-05-14 Thread RB
rsyslog + elasticsearch + kibana

On Wed, May 14, 2014 at 8:22 AM, Jan Tichý ja...@me.com wrote:
> This is bugging me too.
>
> Jan
>
> 14. 5. 2014 at 21:45, Robert Guerra rgue...@privaterra.org:
>
>> I’m curious what, if any, packages or tools folks on this list might be
>> using to analyze pfSense firewall logs.
>>
>> My interest is to, if possible, have the firewall logs sent to a Remote
>> Syslog Server running on a raspberry pi on my network and from there have
>> the logs aggregated and presented in a report of some kind. Open to other
>> options, including having the logs sent to a cloud service for visualization.
>>
>> I’m not sure of the options available, and thus keen to know how others are
>> doing firewall log analysis.
>>
>> regards
>>
>> Robert

Re: [pfSense] Recommendations for Analyzing Firewall logs

2014-05-14 Thread RB
On Wed, May 14, 2014 at 12:16 PM, Travis Hansen travisghan...@yahoo.com wrote:
> Do you have some good grok patterns for indexing pfsense data?
>
> I started some a while back for this exact setup but gave up.

Unfortunately no, I had to move off of pfSense for non-pfSense reasons
and haven't been chasing its data recently.  I have, however, been
using ES + kibana in the IR world to reasonable success.


Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread RB
On Thu, Jul 26, 2012 at 1:09 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
> Still no luck. :-( Old IP shows up as red after the nightly IP change.

Crud, sorry to hear but unsurprised.

> You mentioned a cron job for updating; are you hijacking pfSense built-in
> functions for that or did you roll your own script that needs to be passed
> login credentials for the DynDNS provider?

I've switched to another package (ddclient) running on another
internal system for consistency's sake.


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread RB
On Wed, Jul 25, 2012 at 9:55 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
> */5 * * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
>
> would solve my issues. However, it does not work (any more?).
>
> When I log in to the GUI, I see the IP displayed in red, meaning it is not
> current.

I thought there was a maximum allowable frequency (e.g. 10 minutes)
for hitting checkip.dyndns.org, but can't currently find documentation
of that.  Have you tried with 10-20 minutes?


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread RB
On Wed, Jul 25, 2012 at 10:19 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
>> I thought there was a maximum allowable frequency (e.g. 10 minutes)
>> for hitting checkip.dyndns.org, but can't currently find documentation
>> of that.
>
> The limit is for hitting the update server, not for hitting
> checkip.dyndns.org (but feel free to prove me wrong).

Here you go: http://dyn.com/support/developers/checkip-tool/


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread RB
On Wed, Jul 25, 2012 at 10:32 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
> Okay, indeed it says so there (and I've updated my crontab accordingly).
> Thanks for pointing that out.

Not a problem, the problem you outline is of interest to me because I
even see DDNS update issues having a public IP on my WAN; the trigger
doesn't seem to work very well whereas a cron job does tend to.

> However, repeatedly firing off
>
> fetch -q -o - http://checkip.dyndns.org | sed 's/^.*Current IP Address: \(.*\)<\/body.*$/\1/'
>
> within the same minute doesn't error out, so it doesn't look like a limit
> that's enforced by dyndns.

My only guess is that they're enforcing by trend rather than burst.
Regardless, I'll be interested to know your outcome.


Re: [pfSense] Dynamic DNS

2012-01-09 Thread RB
On Mon, Jan 9, 2012 at 08:11, newsgroups.ma...@stefanbaur.de
newsgroups.ma...@stefanbaur.de wrote:
> Now, could anyone please tell me how the client built into pfSense 2.0.1
> handles this? Will it only trigger on a changed WAN IP, or does it dial home
> every 5 minutes, no matter what?

The behavior I've observed for DynDNS.org with pfSense is that the
client caches the WAN IP, either by direct assignment or by bouncing
off of checkip.dyndns.org (which clients are allowed to hit every X
minutes).  If it detects a change from cache or it has been more than
the configured maximum days for a change (28?), it updates DynDNS.org.
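
The client behaviour described in this message, sketched as an added example; it is not code from the post or from pfSense. The function names, the 600-second check interval, the 28-day maximum age and the sample response are assumptions taken from or constructed around the figures mentioned on the list.

```sh
#!/bin/sh
# Added example: decision logic only, no network access or provider update call.
MIN_CHECK_SECS=600            # assumption: the 10-minute checkip interval discussed on the list
MAX_AGE_SECS=$((28 * 86400))  # assumption: the "28?" day forced refresh from the post

# Pull the address out of a checkip-style body and accept it only if it is a
# well-formed dotted-quad. The body arrives over plain HTTP, so treat it as untrusted.
parse_checkip() {
    ip=$(printf '%s\n' "$1" |
        sed -n 's/^.*Current IP Address: \([0-9.]*\)<\/body.*$/\1/p')
    case $ip in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# decide CACHED_IP LAST_UPDATE LAST_CHECK NOW BODY   (times in epoch seconds)
# Prints: skip | invalid | keep | update <ip>
decide() {
    cached=$1; last_update=$2; last_check=$3; now=$4; body=$5
    if [ $((now - last_check)) -lt "$MIN_CHECK_SECS" ]; then
        echo skip; return 0
    fi
    current=$(parse_checkip "$body") || { echo invalid; return 0; }
    if [ "$current" != "$cached" ] ||
       [ $((now - last_update)) -ge "$MAX_AGE_SECS" ]; then
        echo "update $current"
    else
        echo keep
    fi
}

# Constructed sample response (203.0.113.0/24 is a documentation range).
SAMPLE='<html><head><title>Current IP Check</title></head><body>Current IP Address: 203.0.113.7</body></html>'
decide 198.51.100.2 1000 1000 2000 "$SAMPLE"
```

A cron job that runs this every few minutes only sends an update to the provider when `decide` prints `update`, which keeps it inside both the checkip interval and the provider's update limits.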


Re: [pfSense] Dynamic DNS

2012-01-09 Thread RB
On Mon, Jan 9, 2012 at 11:55, newsgroups.ma...@stefanbaur.de
newsgroups.ma...@stefanbaur.de wrote:
> And how about no-ip.com?

I don't use no-ip.com, so I don't have any experimental data to back
it up.  That said, it's the same core client on pfSense (just checked
the code), so you're going to see the same basic behavior.


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread RB
On Thu, Sep 22, 2011 at 07:49, David Brown da...@westcontrol.com wrote:
> I only joined this mailing list a couple of days ago - is it usual for
> threads to wander so off-topic?  (I believe I've got the answers I needed
> for my original questions, plus a few answers to questions I didn't ask.)

Ha, not usually.  I was about to attempt to chase everyone off to a
separate email etiquette thread, since we've obviously threadjacked
yours so thoroughly.  Some threads do go on a ways, but we're normally
pretty good about keeping threads controlled.


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread RB
On Wed, Sep 21, 2011 at 09:58, Bart Grefte b...@ravenslair.nl wrote:
> To give an idea about the interference:
> http://www.ravenslair.nl/GoT2/wifi.jpg , there are probably more networks by
> now.

Nice!  Looks like channels 1-3 are prime territory.  Two tricks I've
also learned are to disable B clients (if your AP supports that) and
disabling lower association speeds, say below 12Mb/s (OFDM rate,
fencing out B altogether).  That doesn't mean you'll magically get at
least 12Mb/s, but can help keep your network from dropping down to a
minimal speed to save power or due to interference.  YMMV.


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread RB
On Wed, Sep 21, 2011 at 14:13, Bart Grefte b...@ravenslair.nl wrote:
> It's called wisdom? Hmm...

Just checked the sources for regdb, not seeing a reference to 'wisdom'.  :-D