Re: [pfSense] ZFS on 2.4.2

[Walter Parker]

On Thu, Mar 8, 2018 at 10:12 AM, Vick Khera  wrote:

> On Thu, Mar 8, 2018 at 11:10 AM, Zandr Milewski 
> wrote:
>
> > As someone who has spent easily 100 hours troubleshooting, rebuilding,
> and
> > restoring UFS based Netgate boxes that have to function in environments
> > with less-that-datacenter grade power availability, I'll take "potential
> > corruption in corner cases" over "1 in 4 chance it won't come back from a
> > power cycle"
> >
> > *Any* journaled filesystem is an improvement.
> >
>
> Journaling on UFS is just one setting away. Boot single user from USB, then
> run "tunefs -j enable /dev/da0" for your boot device da0. Done. I don't
> know why FreeBSD does not recommend this for the boot volume, but I think
> as long as you never fill up the disk you're ok. I've no had issues with
> it.
> __
>

That is an interesting idea. As I bought mine directly from the hardware
store, I don't install pfSense myself. I've never booted it from USB. As
this system doesn't have VGA, I may not be able to use a standard FreeBSD
image out of the box.

Are the FreeBSD 10.2 instructions (
https://www.netgate.com/docs/platforms/rcc-dff-2220/freebsd.html) still
valid for 11.1?


   - Connect the console cable (I have that setup)
   - Boot from from a memstick image plugged into the USB port
   - From the Menu select 3, Escape to the loader prompt
   - Enter the following commands
  - set comconsole_port=0x2F8
  - set comconsole_speed=38400
  - set hint.uart.0.flags=0x0
  - set hint.uart.1.flags=0x10
  - set console=comconsole
  - boot
   - Select shell or LiveCD from the FreeBSD installer menu
   - Run tunefs

Or does the 2.4 memstick installer give one an escape to shell option?


Walter



> _
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] ZFS on 2.4.2

[Walter Parker]

On Wed, Mar 7, 2018 at 2:31 PM, Peder Rovelstad 
wrote:

> > That is an urban legend. One of original developers of ZFS was
> > interviewed
>
> OK, then.  Not my data.  Best of luck.
>
> I've had other ZFS servers without ECC that have run successfully for
several years. I know the risks and issues. While, yes, servers should run
with ECC, the idea that that that ZFS requires ECC appears to a scare story
to get people to buy ECC hardware. From my research over the last 10 years,
I would say that 98% of the people sharing this information are passing on
a scary story that someone else told them. This is a like the urban legends
that we used to tell around the camp fire. Note, urban legends still get
told and believed. You heard the one about flashing headlights, some people
still tell and believe that story today.

The closest I've seen to a reason for why it matters to ZFS is that it is
one of the few file systems that can actually tell you when your data is
corrupt before as well as after the fact. It solves many data issues and
people seem to have taken that and require that the rest of the system be
as robust as ZFS. When asked to present actual/real data as to why someone
should use UFS instead of ZFS on a non-ECC system, I notice that the
conversation changes from file systems to don't store data on systems that
don't use ECC. Can anyone show why my solution should switch file systems
(given that I'm keeping my existing hardware) without changing the subject?
I've read many of the scare stories from FreeNAS and they all seem to end
up as a call to authority or a "fine, risk your data" without actually
answering the question.

Does any make a standalone pfSense compatible router that is low power and
not expensive [<$300] with enough ECC [or any ECC] memory?

What would you do on a home budget to get multiple local backups of a
multi-TB file server if you didn't have deep corporate pockets?

I have the Netgate router, it is a real nice box. I don't see why using ZFS
on it in addition to the other systems I have should be an issue, but there
seem to be lots of cooks in the kitchen giving advice without sampling the
product or explaining how they know there is a problem.


Walter




> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] ZFS on 2.4.2

[Walter Parker]

On Wed, Mar 7, 2018 at 7:36 AM, Peder Rovelstad 
wrote:

> OH, and w/o ECC memory, it's a time bomb.
>
> That is an urban legend. One of original developers of ZFS was interviewed
and asked about the "Scrub of Death", he said that ZFS doesn't fail in that
way. ZFS is no worse than any other file system when running on a system
without ECC. If there is a time bomb, then it exists for all file systems
running on computers without ECC. As this one of multiple backups for the
system, the risks are acceptable.

If you have an actual failure method that makes ZFS worse, I'd love to see
the details. Then I could publish a paper and be "Internet famous."


Walter



> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Peder
> Rovelstad
> Sent: Wednesday, March 7, 2018 9:33 AM
> To: 'pfSense Support and Discussion Mailing List' 
> Subject: Re: [pfSense] ZFS on 2.4.2
>
> Oh, for certain.  Lz4 compression is certainly stressful enough (too much
> actually) for as low power a device as a SG-2220.
>
> Only posting to fan the flames!  :)
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> Sent: Wednesday, March 7, 2018 8:57 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] ZFS on 2.4.2
>
> On Tue, Mar 6, 2018 at 6:51 PM, Peder Rovelstad 
> wrote:
>
> > Here's a ZFS tuning guide if you have not seen.
> > https://wiki.freebsd.org/ZFSTuningGuide
> >
> > But only goes to v9.
> >
>
> You 100% do not want nor need to turn on de-dupe. Especially on a boot
> volume of pfSense.
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] ZFS on 2.4.2

[Walter Parker]

On Mon, Mar 5, 2018 at 6:38 PM, Curtis Maurand <cmaur...@xyonet.com> wrote:

> ZFS is a memory hog.   you need 1 GB of RAM for each TB of disk.


Curtis, can you provide some more details? I have been testing this for the
last couple of weeks and ZFS doesn't require 1G for each TB to function
(which is the standard meaning of need).
>From my direct testing and experience 1G per TB is a rule of thumb for
suggested memory sizing on general purpose servers. Do you have specific
information that violating this rule of thumb will cause functional issues?

To be more blunt, was this a case of drive by nerd sniping or do you know
something that will cause my specific use case to fail at some point in the
future?


Walter



> On 3/1/2018 1:49 AM, Walter Parker wrote:
>
>> Forgot to CC the list.
>>
>> On Wed, Feb 28, 2018 at 10:13 PM, Walter Parker <walt...@gmail.com>
>> wrote:
>>
>> Thank you for the backup script.
>>>
>>> By my calculations, 2G should be enough. If I limit the ARC cache to 1G,
>>> that leaves 1G for applications & kernel memory. As I'm not serving the
>>> 6TB
>>> drive up as a file server, but using it for one specific task (to receive
>>> the backups from one host) I figure that I don't need lots of memory. ZFS
>>> as a quick file server or busy server needs lots of memory to be quick.
>>> I've seen testing showing ZFS doing fast file copies on as little as 768M
>>> total system after proper memory tuning.
>>>
>>> I need ZFS because it is the only file system that can receive
>>> incremental
>>> ZFS snapshots and apply them. I have not setup the ZFS backup software
>>> yes,
>>> so I'm just using rsnapshot. First time it ran, it filled all 1G of the
>>> cache. I rebooted the firewall afterwards and now ZFS with 60-100M of
>>> usage
>>> (the amount of data that rsync updates on a daily basis is pretty small).
>>> Right now, the data from the other server is ~8.8G, compressed to 1.7G
>>> with
>>> lz4.
>>>
>>> When I get the full backup running, I will be ~1.5TB in size. ZFS
>>> snapshots should be pretty small and quick (as it can send just the data
>>> that was updated without having to walk the entire filesystem). An rsync
>>> backup would have to walk the whole system to find all of the changes.
>>> Most
>>> of the data on the system doesn't change (as it is a media library).
>>>
>>> I'll post back more results if people are interested, after I get the
>>> backup software working (I'm thinking about using ZapZend).
>>>
>>>
>>> Walter
>>>
>>>
>>>
>>> On Wed, Feb 28, 2018 at 8:54 PM, ED Fochler <soek...@liquidbinary.com>
>>> wrote:
>>>
>>> I feel like I'm late in responding to this, but I have to say that 2GB of
>>>> RAM doesn't seem like nearly enough for a 6TB zfs volume.  ZFS is great
>>>> in
>>>> a lot of ways, but is a RAM consuming monster.  For something RAM
>>>> limited
>>>> like the 2220 I'd use a different, simpler file format.  Then I'd use
>>>> rsync
>>>> based snapshots.
>>>>
>>>> Here's my personal backup script.  :-)  I haven't tried it FROM pfsense,
>>>> but I've used it to back up pfsense.
>>>>
>>>>  ED.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 2018, Feb 21, at 12:23 PM, Walter Parker <walt...@gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just
>>>>>
>>>> bought
>>>>
>>>>> a 6TB powered USB drive from Costco and it works great (the drive has
>>>>>
>>>> its
>>>>
>>>>> own power supply and a USB hub). I want to use it take ZFS backups from
>>>>>
>>>> my
>>>>
>>>>> home server.
>>>>>
>>>>> I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on
>>>>>
>>>> boot
>>>>
>>>>> and created a pool and a file system. That worked, but the memory ran
>>>>>
>>>> low
>>>>
>>>>> so I restricted the ARC cache to 1G to keep a bit more memory free and
>>>>> rebooted. When the system rebooted it did not remount the pool (and
>>>>> therefore the file system) because the pool what ma

Re: [pfSense] ZFS on 2.4.2

[Walter Parker]

Forgot to CC the list.

On Wed, Feb 28, 2018 at 10:13 PM, Walter Parker <walt...@gmail.com> wrote:

> Thank you for the backup script.
>
> By my calculations, 2G should be enough. If I limit the ARC cache to 1G,
> that leaves 1G for applications & kernel memory. As I'm not serving the 6TB
> drive up as a file server, but using it for one specific task (to receive
> the backups from one host) I figure that I don't need lots of memory. ZFS
> as a quick file server or busy server needs lots of memory to be quick.
> I've seen testing showing ZFS doing fast file copies on as little as 768M
> total system after proper memory tuning.
>
> I need ZFS because it is the only file system that can receive incremental
> ZFS snapshots and apply them. I have not setup the ZFS backup software yes,
> so I'm just using rsnapshot. First time it ran, it filled all 1G of the
> cache. I rebooted the firewall afterwards and now ZFS with 60-100M of usage
> (the amount of data that rsync updates on a daily basis is pretty small).
> Right now, the data from the other server is ~8.8G, compressed to 1.7G with
> lz4.
>
> When I get the full backup running, I will be ~1.5TB in size. ZFS
> snapshots should be pretty small and quick (as it can send just the data
> that was updated without having to walk the entire filesystem). An rsync
> backup would have to walk the whole system to find all of the changes. Most
> of the data on the system doesn't change (as it is a media library).
>
> I'll post back more results if people are interested, after I get the
> backup software working (I'm thinking about using ZapZend).
>
>
> Walter
>
>
>
> On Wed, Feb 28, 2018 at 8:54 PM, ED Fochler <soek...@liquidbinary.com>
> wrote:
>
>> I feel like I'm late in responding to this, but I have to say that 2GB of
>> RAM doesn't seem like nearly enough for a 6TB zfs volume.  ZFS is great in
>> a lot of ways, but is a RAM consuming monster.  For something RAM limited
>> like the 2220 I'd use a different, simpler file format.  Then I'd use rsync
>> based snapshots.
>>
>> Here's my personal backup script.  :-)  I haven't tried it FROM pfsense,
>> but I've used it to back up pfsense.
>>
>> ED.
>>
>>
>>
>>
>>
>> > On 2018, Feb 21, at 12:23 PM, Walter Parker <walt...@gmail.com> wrote:
>> >
>> > Hi,
>> >
>> > I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just
>> bought
>> > a 6TB powered USB drive from Costco and it works great (the drive has
>> its
>> > own power supply and a USB hub). I want to use it take ZFS backups from
>> my
>> > home server.
>> >
>> > I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on
>> boot
>> > and created a pool and a file system. That worked, but the memory ran
>> low
>> > so I restricted the ARC cache to 1G to keep a bit more memory free and
>> > rebooted. When the system rebooted it did not remount the pool (and
>> > therefore the file system) because the pool what marked as in use by
>> > another system (itself). That means that the pool was not properly
>> > exported/umounted at shutdown.
>> >
>> > Taking a quick look a rc.shutdown, I notice that it calls a customized
>> > pfsense shutdown script at the beginning and then exits. Is there a good
>> > place in the configuration where I can put/call the proper zfs shutdown
>> > script so that the pool is properly stopped/exported so that it imports
>> > correctly on boot?
>> >
>> >
>> > Walter
>> >
>> > --
>> > The greatest dangers to liberty lurk in insidious encroachment by men of
>> > zeal, well-meaning but without understanding.   -- Justice Louis D.
>> Brandeis
>> > ___
>> > pfSense mailing list
>> > https://lists.pfsense.org/mailman/listinfo/list
>> > Support the project with Gold! https://pfsense.org/gold
>>
>>
>>
>
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] ZFS on 2.4.2

[Walter Parker]

Hi,

I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just bought
a 6TB powered USB drive from Costco and it works great (the drive has its
own power supply and a USB hub). I want to use it take ZFS backups from my
home server.

I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on boot
and created a pool and a file system. That worked, but the memory ran low
so I restricted the ARC cache to 1G to keep a bit more memory free and
rebooted. When the system rebooted it did not remount the pool (and
therefore the file system) because the pool what marked as in use by
another system (itself). That means that the pool was not properly
exported/umounted at shutdown.

Taking a quick look a rc.shutdown, I notice that it calls a customized
pfsense shutdown script at the beginning and then exits. Is there a good
place in the configuration where I can put/call the proper zfs shutdown
script so that the pool is properly stopped/exported so that it imports
correctly on boot?


Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Configs or hardware?

[Walter Parker]

iperf3 on a 5 Gbps link is 4.63 gbps
> for AES-CBC-128 HMAC-SHA1 and 4.65 gbps for AES-GCM-128 ICV16.
>
> Net-net, it’s probably faster than that, since we’re obviously hitting the
> Amazon-imposed bandwidth limit.  Between a pair of i7-6950s (so Broadwell
> cores) we see 13.7 gbps (single-stream) AES-GCM-128 and 7.42 gbps
> AES-GCM-128 + HMAC-SHA1 (again, single-stream).  Adding our CPIC QAT card
> gets us to 32.68/32.73 gbps respectively.
>
> > I cannot counter the attack possibility, but I would like to ask: is
> this unsolvable without hardware acceleration?
>
> It has a lot to do with what one might consider “acceptable” performance
> of the web gui.
>
> >
> >> I side with Mr. Parker here.  How long does a project have to wait
> before demanding certain features for future revisions, assuming it gives
> adequate warning to the existing and future users of that project?  I’ll
> note that you didn’t answer his question.
> >
> > I never answered the question because I did not think the answer or the
> > question was relevant. Until today, it was my understanding that AES-NI
> > was simply to improve throughput of applications utilizing AES. I had
> > previously not been presented with anything to indicate that it helps
> > with any security issues such as the timing attacks discussed here.
>
> OK, but I did point these out in the blog posts of last May.  Quoting:
>
> "With AES you either design, test, and verify a bitslice software
> implementation, (giving up a lot of performance in the process), leverage
> hardware offloads, or leave the resulting system open to several known
> attacks. We have selected the “leverage hardware offloads” path. The other
> two options are either unthinkable, or involve a lot of effort for
> diminishing returns.”
>
> I’ve listed the performance of the various implementations in OpenSSL
> above.
>
> > However, to address the question in some way, I do agree that features
> > like this should be taken advantage of as much as possible. However,
> > unlike other advances such as x86 to x86_64, AES-NI does not create any
> > new functionality that did not already exist. Until the security
> > benefits have been presented, I did not see any use case where AES-NI
> > would be necessary over the software implementation.
> >
> > I would like to point out that AES-NI is not "in everything" since 2008
> > as previously indicated. While I understand these may not fall under the
> > "all major x64 processors" category, Intel has launched CPUs without
> > AES-NI within the past couple of years.
>
> It’s true that not everything Intel and AMD have released in the last
> decade has AES-NI.
>
> >
> > See:
> > https://ark.intel.com/Search/FeatureFilter?productType=
> processors=false=Q4%2716
> >
> >> And, finally, Mr. Volotinen called it exactly.   We announced this in
> May last year, so that those buying hardware in the now would know about
> the future requirements.  Anyone buying hardware now can make an informed
> decision as to if they want to buy or otherwise obtain a platform for
> pfSense that supports AES-NI, or not.  Either will work as long as they are
> running a 2.4.x release of pfSense, and, as above, 2.4 has a plan that
> includes support until, at least, 2020.
> >
> > This is acceptable. It just also just sucks, and I understand it must be
> > faced.
> >
> > This is, however, beyond just replacing some networking equipment, as I
> > have to replace my primary VM host due to CPU replacements supporting
> > AES-NI not existing. Before knowing that the AES-NI requirement was to
> > address the timing attack, I felt as if I have to pay for new hardware
> > due to Netgate not "wanting" non-AES-NI AES implementations being
> > utilized. Until this, I have not exactly had software support issues
> > with even this aging hardware.
>
> Nor do you now.  It’s only (at least) a year after the release of 2.5 that
> we’ll stop supporting 2.4, and then it’s a matter of when a security issue
> or other bug that is important enough to you switch gets addressed in 2.5
> but not in 2.4 might occur (gosh that’s an awful sentence, Jim).
>
> > I understand that a lot of people are effectively threatening to switch
> > to OpnSense due to this, but I fear that I will *have to* if I can't
> > replace my hardware by the time support for software AES ends entirely.
>
> People should run what suits their purpose best.  Perhaps someone else
> will fork pfSense and continue the 2.4 train on a different track.  That’s
> the beauty of open source software.
>
>
> > See:
> &g

Re: [pfSense] Configs or hardware?

[Walter Parker]

ns utilizing AES. I had
> previously not been presented with anything to indicate that it helps
> with any security issues such as the timing attacks discussed here.
>
> However, to address the question in some way, I do agree that features
> like this should be taken advantage of as much as possible. However,
> unlike other advances such as x86 to x86_64, AES-NI does not create any
> new functionality that did not already exist. Until the security
> benefits have been presented, I did not see any use case where AES-NI
> would be necessary over the software implementation.
>
> I would like to point out that AES-NI is not "in everything" since 2008
> as previously indicated. While I understand these may not fall under the
> "all major x64 processors" category, Intel has launched CPUs without
> AES-NI within the past couple of years.
>
> See:
> https://ark.intel.com/Search/FeatureFilter?productType=
> processors=false=Q4%2716
>
> > And, finally, Mr. Volotinen called it exactly.   We announced this in
> May last year, so that those buying hardware in the now would know about
> the future requirements.  Anyone buying hardware now can make an informed
> decision as to if they want to buy or otherwise obtain a platform for
> pfSense that supports AES-NI, or not.  Either will work as long as they are
> running a 2.4.x release of pfSense, and, as above, 2.4 has a plan that
> includes support until, at least, 2020.
>
> This is acceptable. It just also just sucks, and I understand it must be
> faced.
>
> This is, however, beyond just replacing some networking equipment, as I
> have to replace my primary VM host due to CPU replacements supporting
> AES-NI not existing. Before knowing that the AES-NI requirement was to
> address the timing attack, I felt as if I have to pay for new hardware
> due to Netgate not "wanting" non-AES-NI AES implementations being
> utilized. Until this, I have not exactly had software support issues
> with even this aging hardware.
>
> I understand that a lot of people are effectively threatening to switch
> to OpnSense due to this, but I fear that I will *have to* if I can't
> replace my hardware by the time support for software AES ends entirely.
>
> See:
> https://ark.intel.com/Search/FeatureFilter?productType=
> processors=LGA771=true
>
>
> I thank you for addressing this with me. I appreciate your conduct with
> me despite my comment.
>
> > Jim
> >
> >> On Feb 15, 2018, at 2:11 PM, Kyle Marek <pspps...@gmail.com> wrote:
> >>
> >> I think you're missing the point that software support exists; pfSense
> >> supports software AES *now*, and this is being removed. New technology
> >> is cool; things not working anymore is not.
> >>
> >> Anyway, what are are other projects such as the TLS libraries doing
> >> about this? Is hardware acceleration really the only solution?
> >>
> >> On 02/15/2018 01:39 PM, Walter Parker wrote:
> >>> Well, both Intel and AMD starting shipping the AES-NI instructions 8
> years
> >>> ago...
> >>>
> >>> How long does a project need to wait before it can require a feature
> found
> >>> on all major x64 processors? Waiting 8-9 years seems reasonable to me.
> >>>
> >>> Given the fact that the project is only supporting 64-bit and suggests
> >>> using a modern processor this requirement should be a non issue for
> most
> >>> users.
> >>>
> >>> The only place where the AES-NI instructions are not found is in a
> small
> >>> number of embedded/dev boards using older Celeron processors.
> >>>
> >>>
> >>> Walter
> >>>
> >>> On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek <pspps...@gmail.com>
> wrote:
> >>>
> >>>> This is silly. I shouldn't have to replace my hardware to support a
> >>>> feature I will not use...
> >>>>
> >>>> I shame Netgate for such an artificial limitation...
> >>>>
> >>>> Thank you for the information.
> >>>>
> >>>> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> >>>>> Well:
> >>>>>
> >>>>> https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
> >>>> talking
> >>>>> about 2.5 not 3.x ?
> >>>>>
> >>>>> "While we’re not revealing the extent of our plans, we do want to
> give
> >>>>> early notice that, in order to support the increased cryptographic
> loads
&

Re: [pfSense] Configs or hardware?

[Walter Parker]

Well, both Intel and AMD starting shipping the AES-NI instructions 8 years
ago...

How long does a project need to wait before it can require a feature found
on all major x64 processors? Waiting 8-9 years seems reasonable to me.

Given the fact that the project is only supporting 64-bit and suggests
using a modern processor this requirement should be a non issue for most
users.

The only place where the AES-NI instructions are not found is in a small
number of embedded/dev boards using older Celeron processors.


Walter

On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek  wrote:

> This is silly. I shouldn't have to replace my hardware to support a
> feature I will not use...
>
> I shame Netgate for such an artificial limitation...
>
> Thank you for the information.
>
> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> > Well:
> >
> > https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
> talking
> > about 2.5 not 3.x ?
> >
> > "While we’re not revealing the extent of our plans, we do want to give
> > early notice that, in order to support the increased cryptographic loads
> > that we see as part of pfSense verison 2.5, pfSense Community Edition
> > version 2.5 will include a requirement that the CPU supports AES-NI. On
> > ARM-based systems, the additional load from AES operations will be
> > offloaded to on-die cryptographic accelerators, such as the one found on
> > our SG-1000 . ARM v8 CPUs
> > include instructions like AES-NI
> >  that can be
> > used to increase performance of the AES algorithm on these platforms."
> >
> >
> > Eero
> >
> > On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers  wrote:
> >
> >> I believe I read somewhere that the new version that requires aes-ni
> will
> >> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
> will be
> >> a major rewrite
> >>
> >>
> >> -Ed
> >>
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Thursday, February 15, 2018 12:14 PM
> >> To: Kyle Marek 
> >> Cc: pfSense Support and Discussion Mailing List  >
> >> Subject: Re: [pfSense] Configs or hardware?
> >>
> >> Well. Next version of pfsense (2.5) will not install into hardware that
> >> does not support AES-NI, so buying such hardware is not wise ?
> >>
> >> Eero
> >>
> >>
> >> ___
> >> pfSense mailing list
> >> https://lists.pfsense.org/mailman/listinfo/list
> >> Support the project with Gold! https://pfsense.org/gold
> >>
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

[Walter Parker]

On Wed, Jan 3, 2018 at 2:25 PM, Steve Yates  wrote:

> I'm not a developer but I would think it's dependent on FreeBSD releasing
> the update, plus testing by pfSense/Netgate.  However, I would think
> there's not much concern with PCs running pfSense, since raw code would not
> normally be running on the pfSense box...?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Wednesday, January 3, 2018 10:47 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: [pfSense] 'Kernel memory leaking' Intel processor design flaw
> forces Linux, Windows redesign • The Register - patch to pfsense?
>
> https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>
> is there patch soon available on pfsense kernel?
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>

From the FreeBSD mailing list:

With respect to
https://newsroom.intel.com/news/intel-responds-to-
security-research-findings/

The FreeBSD Security Team recently learned of the details of these
issues that affect certain CPUs. Details could not be discussed
publicly, but mitigation work is in progress.

Work is ongoing to develop and commit these mitigations to the FreeBSD
repository as soon as possible, with updates for releases to follow.



Walter
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Moving traffic between LAN & OPT1

[Walter Parker]

On Fri, Dec 22, 2017 at 8:25 PM, Antonio  wrote:

> Hi,
>
> I'm not sure how you move traffic between the above interfaces. I was
> under the impression that all you needed was a "Default allow LAN to any
> rule" and job done. Yet i'm struggling to get devices of different
> interfaces to communicate. What am I missing?
>
> That rule allows the LAN to move traffic. Traffic on OPT1 is a different
network. You will have addition rules to allow it talk to LAN. You will
need to add two sets of rules (or floating rules) depending on how you wish
to design your network.


Walter



>
> Thanks
>
>
>
> --
>
>
> Respect your privacy and that of others, don't give your data to big
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your
> messaging or
> Diaspora* (https://joindiaspora.com/) for your social networking.
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] acme package: DNS-nsupdate configurable update zone

[Walter Parker]

On Thu, Nov 16, 2017 at 4:22 AM, Brian Candler  wrote:

> On 16/11/2017 10:30, Brian Candler wrote:
>
>> Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure
>> this.
>>
>> I would like either:
>>
>> - an extra setting for "dynamic update zone", which is appended to the
>> nsupdate name
>> - an override for the whole name (i.e. can replace _
>> acme-challenge.www.foo.com with an arbitrary nsupdate target)
>>
>> Does this sound reasonable?
>>
>
> FYI, I was able to make it work by manually hacking
> /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
>
> +NSUPDATE_SUFFIX=acme.example.net.
>
> -  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
> +  _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt
> \"${txtvalue}\""
>
> -update add ${fulldomain}. 60 in txt "${txtvalue}"
> +update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"
>
> -  _info "removing ${fulldomain}. txt"
> +  _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"
>
> -update delete ${fulldomain}. txt
> +update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt
>
> Of course, this will probably be overwritten by some future update :-(
>
> In addition, I had to change the generation of the key name in
> acme_inc.sh, to match the key name on the DNS server, otherwise I got TSIG
> error "NOTAUTH(BADKEY)".
>
> In my case, the key name on the server is "acme-update", so I changed this
> line:
>
> file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key",
> "*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");
>
> Being able to override the key name via the GUI would also be helpful.
>
> Cheers,
>
>
> Brian.
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>


IIRC, when I setup the dynamic DNS for the challenage, I setup just the
hostname itself for dynamic DNS.
You can configure just www.foo.com as zone for dynamic DNS, you don't need
the whole of foo.com to be dynamic DNS. This can make the logistics
simpler.


Walter
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

[Walter Parker]

Thank you,

To document how I did it for others:

Create your key using dnssec-keygen (use a keysize of 256 to prevent
wrapping/spacing issues)
Note, you most define you key with the exact name that pfSense will use. If
the firewall is named fw.sample.com, the named.conf must look like
something below. Note that one of leads for BIND's named was also a lead
for sendmail. so this has many of the same issues (I think they were doing
lots of dope in Berkeley when they designed it and have not changed for
compatibility reasons). The names of the keys must match the names of the
zones for this to work. After creating the you will need to create NS
records in the fw.sample.com zone so that _acme-challenge.fw.sample.com can
be found. Use rndc freeze fw.sample.com or nsupdate to add these records.



key _acme-challenge.fw.sample.com. {

algorithm HMAC-MD5;

secret "<>";

};
zone "_acme-challenge.fw.sample.com" {

type master;

file "dynamic/_acme-challenge.fw.sample.com";

allow-update { key _acme-challenge.fw.sample.com.; };

notify yes;

};

key fw.sample.com. {

algorithm HMAC-MD5;

secret "<>";

};

zone "fw.sample.com" {

type master;

file "dynamic/fw.sample.com";

allow_update { key fw.sample.com; };

notify yes;

};

key sample.com. {

algorithm HMAC-MD5;

secret "<>";

};

zone "sample.com" {


type master;
file "dynamic/sample.com";
allow_update { key sample.com; };
notify yes;

};











On Sun, Aug 6, 2017 at 7:05 PM, Jim Pingle <li...@pingle.org> wrote:

>
> On 8/6/2017 9:47 PM, Walter Parker wrote:
> > How do I  get the Acme package to let me update the sample.com
> > <http://sample.com> zone, to add the host for
> > _acme-challenge.fw.sample.com <http://acme-challenge.fw.sample.com>? I
> > think I missed a step. This is for a firewall that I don't want to setup
> > external web access on.
>
> At the moment it only supports host keys, not zone keys. It will need to
> have a key made for that host specifically.
>
> Also, make sure the update-policy for the dynamic zone grants the
> ability to update TXT records specifically, or ANY.
>
> Jim P.
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

[Walter Parker]

I replaced the secret with the one that didn't have a space in it. It
continues to fail.

[Sun Aug 6 18:13:10 PDT 2017] adding _acme-challenge.fw.sample.com. 60 in
txt "Ovv8F-OwpeprtA2ZhICx9ct3pWlcGViHvPpTtgFkR8A"
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

I have found another issue. When I ran nsupdate by hand, I was using  'zone
sample.com' and then  'update add _acme-challenge.fw.sample.com <>' as the new RR. That works fine. If I run nsupdate and set the zone to
fw.sample.com, it fails with an auth error. This is because named is
configured to allow updates for the zone sample.com, and not a zone named
fw.sample.com (but will save RRs in the fw.sample.com domain).

So I tried to change the Domainname in pfSense to sample.com (that is the
domain that I want to update) and it would not take sample.com (I don't
have an A record for sample.com, just for hosts in sample.com).

How do I  get the Acme package to let me update the sample.com zone, to add
the host for _acme-challenge.fw.sample.com? I think I missed a step. This
is for a firewall that I don't want to setup external web access on.


Walter

On Sun, Aug 6, 2017 at 5:48 PM, Jim Pingle <li...@pingle.org> wrote:

> On 8/6/2017 8:03 PM, Walter Parker wrote:
> > I think I'm missing something simple with my Acme Client setup in
> pfsense.
> > I followed the following steps and I'm get a TSIG error (note NSUPDATE
> > worked when run by hand).
> >
> >
> >- dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
> >- Copy secret from Kfw.sample.com.*.key (note this secret has a space
> in
> >the middle)
>
> Use the copy of the key from the .private file. It shouldn't have a
> space in it.
>
> Jim P.
>
>


-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Acme client - DNS server setup/dns client secret issue.

[Walter Parker]

I think I'm missing something simple with my Acme Client setup in pfsense.
I followed the following steps and I'm get a TSIG error (note NSUPDATE
worked when run by hand).


   - dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
   - Copy secret from Kfw.sample.com.*.key (note this secret has a space in
   the middle)
   - Added the following to named.conf and then restarted name
  - key "fw.sample.com." {
 - algorithm HMAC-MD5;
 - secret "<>";
  - };
  - zone "sample.com" {
 - type master;
 - file "dynamic/sample.com";
 - allow-update key fw.sample.com; };
  - };
   - I then setup a Acme account
   - I configured the Domain SAN List like this:
  - Domainname = fw.landsraad.org
  - Method = DNS-NSUpdate
  - Server = DNSServer hostname
  - Key Type = HOST
  - Key Algorith = HMAC-MS5
  - Key = "<>"
   - I click on issue/renew
   - I get the follow error in the DNS server logs:
  - client x.y.z.t#11498: request has invalid signature: TSIG _
  acme-challenge.fw.sample.com: tsig verify failure (BADKEY)

What piece did I miss, do wrong? If I copy both of the Kfw.sample.com
records to a different server, I can run nsupdate by hand and it works.


Walter


-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] How to ...

[Walter Parker]

One thing to consider with a DNS query to mapping system is the effect of
DNS caching. Many systems now have local caches, so you will only see the
DNS lookup once. For the traffic flows. you might want to look at netflow.
It can be setup to send the data to a collector system and you will be able
to see addresses, bandwidth, protocol types.


Walter

On Wed, Feb 22, 2017 at 6:44 PM, Richard A. Relph 
wrote:

> Hi,
> I have to believe this doable on an SG-2440. But I don’t have the
> expertise to implement it.
> I have configured the software to force all DNS connections through
> the SG-2440 (except for 1 or 2 IoT devices that seem to insist on talking
> to their manufacturer’s DNS servers - bad form, in my opinion.)
> What I’d like to do now is monitor all outgoing traffic and pair the
> IP address it is destined for against the DNS requests.
> I’d further like at least a report - and possibly block - outbound
> traffic that is destined for a “hard-coded” IP address.
> And, naturally, I’d like a report of all DNS requests and how much
> traffic is exchanged with each and when.
> The effort is an attempt to discover software running inside my
> network that might be “undesirable”.
> Any pointers, suggested reading, etc. would be greatly appreciated.
> I’m not incompetent, just uneducated.
> Thanks,
> Richard
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] pfsense default firewall configuration

[Walter Parker]

I moved from IPCop to pfSense years ago. It was good enough then. It is
better now. Without an idea of what you customization are, we can't tell
you how many rules you might need to add to get the same functionality from
a pfSense setup.

On Tue, Nov 15, 2016 at 8:19 AM, Ryan Coleman  wrote:

> I would add that it is “good enough” to start from and do what you need
> after that.
>
>
> > On Nov 15, 2016, at 7:46 AM, Vick Khera  wrote:
> >
> > On Tue, Nov 15, 2016 at 3:17 AM, user49b  wrote:
> >> I have heavily modified my IPcop configuration and just wanted to know
> if
> >> pfSesnse's default firewall configuration is good enough.
> >
> > The default is deny everything inbound, and allow everything outbound.
> > Nobody can say what's "good enough" for you without knowing your
> > requirements.
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 3 hard locks this week... any ideas?

[Walter Parker]

On Thu, Sep 1, 2016 at 3:06 PM, compdoc  wrote:

> >>Coming back tonight to do memtest, SpinRite on the SSD, etc...,
>
> Spinrite on an ssd is a terrible idea. It's an ancient program thats even a
> bad idea to use on hard drives.
>
> It doesn't even work on drives larger than 1TB, because it was written in a
> time when drives were not that big. And there was no such thing as an SSD
> back then. Toss spinrite in the trash.
>
> If you want to know if a drive is failing, you just have to ask it. Just
> read the SMART info recorded in the drive.
>
> Memtest86+ on the other hand is a great idea, but you should let it run as
> many passes as possible. One or two passes is fine for new equipment, but
> with old ram that might be flakey, its best to run overnight or at least 4
> or 5 passes.
>
> If the motherboard is 4 or 5 years old, you might check for swollen
> capacitors, and many of the low cost power supplies go bad in a year or
> two.
>
>
I suggest you update your knowledge base on SpinRite. It has found a new
life in helping SSD drives to fix themselves. FYI, the SMART info is often
different depend on if the drive is under load. SpinRite puts the drive
under load, so you may not errors on the drive unless are running your own
seek application. The size limit is 2TB and the program will have a free
update in the near future to support drives >2TB. Most recommendations are
to use SpinRite in Level 2 mode (read only), but given that modern drives
have wear leveling, even running it read-write will not kill a drive that
does caching and basic wear leveling.

I'd suggest that before you slag programs, you not rely on old, outdated,
biased information. But that is just me...


Walter




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] pfSense store router positioning

[Walter Parker]

Hi,

I've be doing a bit of remodeling in the household and I noticed an
interesting issue with the temperature of the the router (an SG-2220). If I
put the router flat, it heated up to 53 Celsius (9AM mid 70's Fahrenheit
room temp). WHen I turned the router in the side, it dropped from 53 to 46
in 20 minutes and if the last experiment holds it should level out at 41).

Have other people send the temp on the router higher when it is flat then
when it is on the side?


Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] enabling authenticated ntp ?

[Walter Parker]

Not that I have seen.

I had an idea for authenticated NTP awhile back, but was waiting until I
had upgraded to 2.3 before I looked at what it would take to add. This
weekend I had the time to build a test environment, so I might try doing it
over the next few months.


Walter

On Mon, May 30, 2016 at 3:46 AM, Valerio Bellizzomi 
wrote:

> Hello, there is a ntp authenticated with public key feature in ntp, does
> pfsense support that?
>
> thanks
>
>
> On Thu, 2016-05-26 at 20:18 +0200, Valerio Bellizzomi wrote:
> > Is it possible to do from the web interface?
> >
> > thanks
> >
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
>
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Restoring DHCP table from 2.2.x into 2.3.x

[Walter Parker]

When I moved from 2.2 to 2.3, I had a list of 20+ static leases (all the
phones, tables, printers, laptops and desktops in the household), so I
didn't really want to recreate them.

I uninstalled the packages that don't exist in 2.3 and then backed up the
the config. On the new 2.3 box, I restored from that config and things
worked just fine.


Walter

On Sun, May 29, 2016 at 4:44 PM, Dave Warren <da...@hireahit.com> wrote:

> On 2016-05-29 17:35, Walter Parker wrote:
>
>> You could try copying the the entries from the old XML and paste it in the
>> new XML file.
>>
>
> Is the backup/restore mechanism similar and compatible? This would at
> least bring static assignments and configuration across, without restoring
> anything else, which would probably be Good Enough for my purposes, in
> general any machine that is powered on when it's lease expires will tend to
> request the same IP from the new server, although it's a bit of an
> imperfect solution.
>
> I'm more nervous about copying entire sections into the XML right now,
> although if the data appears similar, it may be worth considering.
>
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Restoring DHCP table from 2.2.x into 2.3.x

[Walter Parker]

You could try copying the the entries from the old XML and paste it in the
new XML file.


Walter

On Sun, May 29, 2016 at 3:32 PM, Dave Warren  wrote:

> Howdy!
>
> I am looking at replacing my 2.2.something pfSense box with a fresh
> install of 2.3. Is it possible to restore just the DHCP configuration
> (leases, statics, and custom DHCP options)?
>
> Enough of the other stuff is being tossed that a fresh install would seem
> to make sense, but it would be convenient if IP assignments didn't need to
> change as this makes it easier to bring the new firewall up side by side
> with the old one and transfer over relatively seamlessly.
>
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Strange fe80::1:1 link-local address on LAN interface

[Walter Parker]

In IPv6, Link Local fe80::1:1  is like what IPv4 does when there isn't a
DHCP server (it auto assigns an address from 169.254.0.0/16 ). The IPv6 RFC
documents two ways to generate these link local address. The second method
generates addresses that are not dependent on the MAC address. Unlike the
IPv4 standard, the IPv6 standard requires that this address always exists,
even when a "real" (read globally routable)  IPv6 address exists.



Walter

On Thu, May 26, 2016 at 5:39 AM, Olivier Mascia  wrote:

> By the way, this is on a pfSense/Netgate device and I still have at least
> 2 support incidents available. I'd happily burn at least one of them to
> have someone remotely check this.
>
> I'll be back on site within 2 hours from this post, I'll check the web by
> then for the proper procedure to open a case.
>
> --
> Meilleures salutations, Met vriendelijke groeten,  Best Regards,
> Olivier Mascia (from mobile device), integral.be/om
>
>
> > Le 26 mai 2016 à 13:03, Olivier Mascia  a écrit :
> >
> > LAN Interface (lan, igb0)
> > Statusup
> > MAC Address00:08:a2:09:58:96
> > IPv4 Address10.32.0.1
> > Subnet mask IPv4255.255.0.0
> > IPv6 Link Localfe80::1:1%igb0  (???)
> > IPv6 Address2a02:578:4d07::1
> > Subnet mask IPv664
> > MTU1500
> > Media1000baseT 
> >
> > I do not understand where this fe80:1:1 comes from, it clearly isn't
> derived from the MAC.
> >
> > Indeed workstations on the LAN capture fe80::1:1 for their default
> gateway and even pinging that IP from a workstation doesn't work:
> >
> > ping6 fe80::1:1
> > PING6(56=40+8+8 bytes) fe80::aa20:66ff:fe21:7c8e%en2 --> fe80::1:1
> > ping6: sendmsg: No route to host
> > ping6: wrote fe80::1:1 16 chars, ret=-1
> > ping6: sendmsg: No route to host
> > ping6: wrote fe80::1:1 16 chars, ret=-1
> >
> > Not surprised.
> > The question is where could this fe80::1:1 come from?
> > So I could get rid of it and get there a proper link-local address?
> >
> > Reboot does not help.
> > Downloaded config file, there is no fe80::1:1 anywhere in there.
> >
> > --
> > Meilleures salutations, Met vriendelijke groeten, Best Regards,
> > Olivier Mascia, integral.be/om
> >
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] USB hard drive on SG-2220

[Walter Parker]

Hi,

I just plugged a small WDC USB 2.0 hard drive into my pfSense firewall as
an external, second drive and everything booted:
da1 at umass-sim1 bus 1 scbus7 target 0 lun 0
da1:  Fixed Direct Access SCSI device
da1: 40.000MB/s transfers
da1: 238475MB (488397168 512 byte sectors)
da1: quirks=0x2

But when I tried to plug in a Seagate 2TB or 4TB drive (USB 3.0), the
system crashes with a power outage and doesn't restart (even after a power
cycle). It appears as if it doesn't post because the network indicators
never start flashing and the console never shows any output.

When plugged into a full sized desktop/server running FreeBSD 10.3, it
shows:

da0 at umass-sim0 bus 0 scbus8 target 0 lun 0
da0:  Fixed Direct Access SPC-4 SCSI device
da0: Serial Number XXX
da0: 400.000MB/s transfers
da0: 3815447MB (7814037167 512 byte sectors)
da0: quirks=0x2

My first guess would be that the first drive takes less power than the
second. My second guess would be that there is some incompatibility between
the USB2.0 on the the Atom board and the USB3.0 on the drive (on the full
FreeBSD machine, the drive is plugged into a USB3.0 outlet).

If I got USB drive with an external power supply, could I use a 4TB drive
on the firewall?


Walter


-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Upgraded to new pfSense Router, can't find RRD graphs after restore

[Walter Parker]

Hi,

I just upgraded from my old ALIX router that I brought from Netgate several
years ago (which has worked great for the past several years).

The new box is nice, it is much faster. I restored my old 2.2.5 config on
the new system and I have a few questions:

Where are the RRD graphs (I don't see a menu option for the graphs)
How do I remove the vnstat2 menu item (the package was removed during
upgrade because it is not supported in 2.3).


Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

[Walter Parker]

For a list of Packages in 2.3, see
https://doc.pfsense.org/index.php/Package_Port_List

For a list of packages removed from 2.3, see
https://doc.pfsense.org/index.php/2.3_Removed_Packages


Walter

On Wed, Apr 13, 2016 at 3:17 PM, Steve Yates  wrote:

> I should restate/clarify that I was looking at the
> https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes page which
> mentions the package system changed but doesn't specifically mention the
> below, which is on the
> https://doc.pfsense.org/index.php/Upgrade_Guide#Package_System page that
> I mentioned in another message.
>
> The New Features and Changes page is what is linked from
> https://doc.pfsense.org/index.php/Category:Releases (on the doc Main
> Page: "pfSense Release Versions - Change logs and other information for
> past and present releases")
>
> Also by "specific" I meant, say, the bind package the OP asked about,
> which was covered in other messages also.
>
> Steve
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris
> Buechler
> Sent: Wednesday, April 13, 2016 5:02 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] 2.3 show stopper - bind package missing -- don't
> install if you need bind!
>
> On Wed, Apr 13, 2016 at 1:48 PM, Steve Yates  wrote:
> > The release notes don't mention specific package compatibility
>
> Yes it does.
>
> "Packages
>
> The list of available packages in pfSense 2.3 has been significantly
> trimmed.  We have removed packages that have been deprecated upstream, no
> longer have an active maintainer, or were never stable. A few have yet to
> be converted for Bootstrap and may return if converted. See the
> 2.3 Removed Packages list for details."
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] PFSense for high-bandwith environments

[Walter Parker]

On Tue, Feb 23, 2016 at 3:19 PM, Giles Davis  wrote:

> On 19/02/2016 17:12, David Burgess wrote:
> > I'm a little surprised at your experience. A few years ago I built a
> > PFSense unit with an Intel motherboard, 1st gen Core i3 CPU, and a
> > single onboard Intel (em) GBE NIC. All routing was done through vlans
> > and it had no trouble reaching wire speed with around 50% CPU usage.
> >
> > I do recommend using the net.inet.ip.fastforwarding=1 tweak if you
> > can. Note that it breaks IPSEC and captive portal.
> >
> > As far as 10G NICs, I was sure I read recently that the FreeNAS people
> > were recommending Chelsio, but I can't find the reference now.
> I imagine it's probably going to be our ridiculous PPS figures that
> start to bottleneck things. There's 2-3 thousand hardcore gamers behind
> these boxes when we run our events all generating shedloads of tiny UDP
> packets, as well as a big demand for normal web browsing, downloading,
> streaming on top of all that. What we used to see was the ix (and before
> the 10G NICs the bge) driver heavily pushing single CPU cores - but at
> about ~1.2Gbit we just start seeing small amounts of packet loss - even
> when there's no obvious single cause. I'm guessing its a combination of
> a few factors, but to be honest we just move traffic off to another box
> - PL for gamers is the end of the world. :(
>
> I don't think we had set fastforwarding yet - so i'll definitely look
> into that. Don't care about IPSec or captive portal at all!
>
> We're also getting pricing for Chelsio NICs now too - so perhaps that'll
> help as well.
>
> Thanks again (and thanks Ed for those stats too).
>
> Cheers,
> Giles.
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>


Fun fact, Netflix is using FreeBSD and is pushing >30 Gbps from systems
using Chelsio NICs. See
http://www.slideshare.net/facepalmtarbz2/slides-41343025 for details.


Walter
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] PFSense for high-bandwith environments

[Walter Parker]

There is an optimization coming for pfsense. There is a new user space
routing daemon. netmap I think, that can reach line rate on 10G NICs (14.88
Mpps). There was a BSDCon that talked about a future version of pfsense
using this system. It uses ipfw, so there a bit a work to adapt it to
pfsense.


Walter

On Thu, Feb 18, 2016 at 9:26 AM, Giles Davis  wrote:

> Hello PFSense Collective,
>
> At the risk of sounding slightly 'cheap', does anyone (else) on this
> list have experience of 'good combinations' of hardware for PFSense
> appliances that will handle high-traffic levels and comments on
> reasonable max-levels of throughput to expect from it?
>
> We've been using PFSense for quite some time for large events and these
> days are pushing up to 4Gbit/sec to the internet via our PFSense boxes,
> to 2-3k clients - with expectation of bigger events in the reasonably
> near future.
>
> Using Intel E3-1270s and Intel 10G NICs (forget the exact model, but
> they use the BSD ix driver) we start seeing packet loss and a general
> maximum throughput at around 1-1.2Gbit. Our 'solution' so far of just
> adding more appliances and splitting the load really won't scale
> forever, so if anyone has any suggestions of 'better hardware' or BSD
> optimizations that would let us push more through a single appliances,
> i'd love to hear it. We've got a reasonable set of BSD networking tweaks
> and optimizations that certainly help, but we still can't manage to push
> more than our little-over-a-gigabit maximum before things start wobbling.
>
> We're not asking a huge amount of traffic inspection from our
> envrironment (used to do a fair bit of traffic shaping, but have managed
> to provide sufficient bandwidth to meet natural demand for a while now)
> - but historically PFSense has been a great appliance to have in the
> network for firewalling and monitoring.
>
> Thanks in advance for any suggestions and thanks to the maintainers for
> such a great firewall implementation. :)
>
> Cheers,
> Giles.
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Bandwidth graph

[Walter Parker]

It was vnstat2. In the package list, it said it was a console app. However,
the app does have a web page that shows the graphs that I was remembering.


Walter

On Fri, Oct 16, 2015 at 8:30 AM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:

> Typically packages are removed because they are no longer supported by the
> developer.
>
>
> > On Oct 16, 2015, at 1:11 AM, Walter Parker <walt...@gmail.com> wrote:
> >
> > Years ago, there was a package for pfSense that graphed total bandwidth
> for
> > the Day, Month, Year using bar charts. It would show the top days with
> > bandwidth and total usage for the month.
> >
> > It was not bandwidthD or the RRD graphs. I can't find it anymore. What
> was
> > it called and why was it removed?
> >
> >
> > Walter
> >
> > --
> > The greatest dangers to liberty lurk in insidious encroachment by men of
> > zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Bandwidth graph

[Walter Parker]

Years ago, there was a package for pfSense that graphed total bandwidth for
the Day, Month, Year using bar charts. It would show the top days with
bandwidth and total usage for the month.

It was not bandwidthD or the RRD graphs. I can't find it anymore. What was
it called and why was it removed?


Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Notification about soon-to-expire certificates

[Walter Parker]

The application on the nagios server would make a web request to the
https port and would check the exp date when it connected. I suppose
you could use the openssl client to connect to the VPN service if it
uses a different cert with a different date.


Walter

On Fri, Jun 19, 2015 at 1:17 AM, Philipp Tölke pt+pfse...@fos4x.de wrote:
 Hi Walter,

 thanks for your answer!

 On 19.06.2015 01:24, Walter Parker wrote:

 If your network is large enough to have a monitoring package (like
 Nagios), some of them support certificate checking.


 Can nagios access the certificates on the pfSense or would I have to upload
 all interesting certificates?

 Regards,

 --
 Philipp Tölke
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold



-- 
The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding.   -- Justice Louis D.
Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Using on Fiber

[Walter Parker]

There is a serverfault question about this:
http://serverfault.com/questions/380778/vmware-seems-to-throttle-scp-copies-what-can-be-the-reason?rq=1

SCP does (did) have performance problems. They fall into two groups.
First, over a WAN the internal buffer was a bit too small for high
speed (100 meg) connections with a round trip time of greater than 30
milliseconds. When connections pushed toward 1 gig, it was way too
slow. I think recent copies of OpenSSH have a bigger buffer that
reduces the speed limiting. Second, as described in the above link,
the CPU requirements for the encryption in SCP can hit the host CPU
limiter in ESX and that can limit bandwidth. Check that as well.

I've got an ESX 5 machine and the limiting factor on copies is the 100
meg ethernet switch that I'm plugged into (big ISO copies top out at
12.5MB/sec, which is limit for a 100 meg TCP/IP connection).


Walter






On Fri, Jun 5, 2015 at 8:54 AM, Ryan Coleman ryan.cole...@cwis.biz wrote:
 I’m not running this data through the firewalls - this is across the LAN 
 right now. :-\

 On Jun 5, 2015, at 10:46 AM, Espen Johansen pfse...@gmail.com wrote:

 Any chance you have set something in the shaper that causes it?

 fre. 5. juni 2015, 17:43 skrev Ryan Coleman ryan.cole...@cwis.biz:


 On Jun 5, 2015, at 10:12 AM, Brennan H. McNenly 
 bmcne...@singularisit.com wrote:


 And those of you with VMware experience… if I run the virtual firewall
 I would need to have at least a VMware Essentials license to come close to
 the throughput, right? Since the IOps are capped at something like 10MB/sec
 in the free version.

 There are no IOP or throughput limits on the free version of the ESXi
 hypervisor.  The VMWare Essentials license gets you vSphere which can be
 used to manage up to three ESXi hosts.  This also lets you setup an HA
 cluster with those hosts.

 Otherwise you can run ESXi stand alone for free without vSphere and
 without any performance limits.

 Hmm. I wonder why my file transfers never exceed 10MB/sec then… I’ve been
 trying to migrate many TB of data via SCP to the datastore but I also have
 similar caps when doing FTP over the LAN to a server.

 If there’s someone here that would be interested in giving me a hand with
 this off list I’d be most appreciative. Moving 13TB of data at 10MB/sec has
 been very challenging.
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold

 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold



-- 
The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding.   -- Justice Louis D.
Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] testing email

[Walter Parker]

After renabling my account, I saw this email (but not the earlier emails
from today).


Walter

On Wed, Apr 8, 2015 at 11:58 AM, Mike Montgomery onezero1010...@gmail.com
wrote:

 I got the same re-enable email to my gmail account.

 On Wed, Apr 8, 2015 at 2:48 PM, WebDawg webd...@gmail.com wrote:

  Same here,
 
  
   Viruses being detected by my ASSP spam filter coming in from the list
 and
   denying delivery.  Had to re-enable my account this AM.
  
   Doug
  
   --
   Ben Franklin quote:
  
   Those who would give up Essential Liberty to purchase a little
 Temporary
   Safety, deserve neither Liberty nor Safety.
  
  
  
  I am on gmail and I received an email to follow to re enable my account.
  ___
  pfSense mailing list
  https://lists.pfsense.org/mailman/listinfo/list
  Support the project with Gold! https://pfsense.org/gold
 
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] testing email

[Walter Parker]

Thank you.

On Wed, Apr 8, 2015 at 12:16 PM, Chris Buechler c...@pfsense.com wrote:

 This should be fixed. mailer-daemon@ ended up as a list member in
 mailman, AFAICT from day one of this list, but in the past few days
 ended up being spoofed to send a couple viruses to the list. Those
 messages bounced for a number of people, and mailman can't
 differentiate between what type of bounce it is.

 The bounce counter was reset for everyone, so you can disregard any
 messages you received along those lines.

 Mailman was setup to block a number of risky file attachment types
 (exe, scr, etc.), but I hadn't noticed the functionality that actually
 applies that extension block list wasn't enabled. It is now.

 Sorry for the noise, should be all good now.



 On Wed, Apr 8, 2015 at 12:42 PM, Jeremy Porter
 jpor...@electricsheepfencing.com wrote:
  We are having some problem with apparent bounces, this is a test.  No
  need to reply.
  I'll announce when everything is back to normal.
 
  Thanks
  Jeremy Porter
 
  ___
  pfSense mailing list
  https://lists.pfsense.org/mailman/listinfo/list
  Support the project with Gold! https://pfsense.org/gold
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Setup Question - Routing

[Walter Parker]

Using a chart like
http://www.engineeringradio.us/blog/wp-content/uploads/2013/01/Subnet_Chart.pdf
you
can see the different /28 and /29 subnets that exist on a /24 network.

You would bind the .248/29 network to the WAN interface (use a /29 to leave
a few extra addresses).

Then you would bind an reserved network (10.X, 192,168,X 172.16,X) to the
LAN interface.

Then on your third interface, you would bind multiple networks, .240/29,
.232/29, .224/29, etc to the OPT1/DMZ interface. Then each customer would
use put there equipment directly on that that network. If the customers
have routers themselves, you might want to setup a bunch of /30 networks
(.252/30, .248/30, .244/30, .236/30, .232/30) for your and the customer's
WAN interfaces. Then start down from .224 and assign /29 networks for the
customer's DMZ/OPT1 interfaces. Unless the customer is running without NAT,
then the addresses could be put on the customer's LAN interfaces.

The big trick here is make sure than none of your networks have overlapping
IP address ranges. The chart above is very helpful for tracking different
sizes. This means that you can't put .254 on one interface and .249/29 on a
different interface as those networks overlap.


Walter




On Tue, Mar 24, 2015 at 5:24 PM, Chris L c...@viptalk.net wrote:


  On Mar 24, 2015, at 5:12 PM, Joseph H jharde...@cirracore.com wrote:
 
  I have a buddy and he wants to use pfSense as his firewall to protect
 his devices and also provide a gateway for customers.  And he has asked me
 if I know of a good way to set this up, so I decided to ask the list
 
  He has gotten a /24 subnet, he wants to use a small section of it for
 his web site and stuff, and then split off subnets to several customers.
 For instance, he was given a gateway of x.x.x.254 by his provider, he will
 use the x.x.x.249/29 for his own use, then wants to pass subnets through to
 his customers in say several /28's or /29's.
 
  Does anyone know of an easy way to set this up?  He has a server with 3
 interfaces to use for this.
 

 To make this a LOT easier (or even possible at all without 1:1 NAT) he
 should ask the provider for a /29 or /30 for his WAN interface with the /24
 routed to an IP address on that.
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Cannot install 2.2 on Alix board (latest firmware)

[Walter Parker]

I installed it on an ALIX with a 4GB card without issues. I'd suggest
getting a serial cable so that you can see the output from the system as it
boots (make sure you a null modem cable or adapter).


Walter

On Mon, Mar 9, 2015 at 5:11 AM, Kostas Backas kos...@i-system.gr wrote:

 Hello,

 I have difficulties installing pfsense 2.2 on Alix board (with the latest
 firmware 0.99) to a 2 GB CF card. I had success install 2.1.5 and upgrade,
 but direct install of 2.2 not working (sequencial blinking lights).

 Best regards

 Kostas


 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] serial port sadness

[Walter Parker]

I had a problem like this, so I replaced the cheap converted with one
made by a California company (it was much nicer, real drivers and
instructions for $5 more). I got no output until I remembered that I might
need a null modem adapter. Once I added that to mix everything worked like
a charm (text started flowing).

Check you setup to see what kind of serial cable you have, as a regular
modem cable will not work between a PC and an ALIX box. It needs to be
the other kind (host to host).


Walter

On Mon, Feb 23, 2015 at 4:56 PM, Chris Bagnall pfse...@lists.minotaur.cc
wrote:

 On 24/2/15 12:08 am, Jeremy Bennett wrote:

 I've got a USB to serial adapter (which has worked in the past), a Windows
 7 computer and Teraterm, but whenever I connect everything up I just get
 the cursor blinking at me.


 Agree with others that the most likely culprit here is the USB to serial
 adapter itself. Having said that, I've never had a Prolific one fail, and
 I've a chain of a dozen shops using them extensively (their point of sale
 supplier uses serial connections to open the cash drawers).

  Set the port to 9600, N, 1 as instructions indicate (usb to serial usually
 is showing up on COM7).


 It's worth adding that the ALIX boards use - IIRC - 38400 on their BIOS
 and only bounce to 9600 when pfSense takes over from the BIOS. Though even
 with a speed mismatch, you'd still expect to see junk characters appearing,
 not just a cursor.

  What else can I try?


 The ones that come to mind, given you've already tried a different adapter
 are (not in any particular order):

 a) different terminal program: on Windows I use PuTTY (which will talk
 serial quite happily); on a Mac I use ZTerm; on Linux I use screen
 (someone's already posted the syntax for that I see)

 b) different drivers for the adapter - IIRC there's a Prolific open driver
 project that might be worth a look.

 c) different (i.e. non-Windows) OS.

 d) try the USB/serial adapter and cable on another serial device and see
 if it works with that - many managed switches have serial ports, for
 example.

 Kind regards,

 Chris
 --
 This email is made from 100% recycled electrons

 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Squid not logging traffic

[Walter Parker]

I'd recommend doing it on a second box (Or turn it into a pfSense package).


On Mon, Feb 16, 2015 at 3:48 PM, Brian Caouette bri...@dlois.com wrote:

 I looked at cacti a few days ago. It looks real nice but I have no clue
 how to set this up on the pfSense box.

 Sent from my iPad

 On Feb 16, 2015, at 6:27 PM, Walter Parker walt...@gmail.com wrote:

 For the real time monitor, if you switch from WAN to LAN, you can see who
 is doing spikes. For the other items, you can see how much bandwidth each
 internal IP addresses has used in one of those packages. Unless you have
 servers in a DMZ outside of the firewall or are doing some sort of traffic
 reflection to internal hosts, all traffic to/from a desktop to the firewall
 is traffic to the internet.

 I might do some screenshots to show what I mean (if I can find the time).

 For netflow, I setup a Windows application in a VM (from ManageEngine I
 think). It had simple instructions to tell the netflow generator (the
 firewall) to send the stats traffic to the Windows box. Then I used the the
 reporting features in the application to view how much data each host was
 sending/receiving. I was able to tell that one web server had way to much
 traffic and that a music streaming server was running 800% of normal. I
 understand that there are open source versions of this program that run on
 Linux/FreeBSD. Setting one of these up is on my todo list. With a bit of
 programming, I'm sure you do this with Cacti/RRD, but then again, I've been
 a perl programmer for 20 years, so my idea of a bit of programming might
 radically differ from yours :)

 If I can find the time, I'll see if I can find any notes.


 Walter

 On Mon, Feb 16, 2015 at 2:58 PM, Volker Kuhlmann list0...@paradise.net.nz
  wrote:

 On Tue 17 Feb 2015 10:33:21 NZDT +1300, Walter Parker wrote:

  In Realtime, you can use the dashboard app.

 The pfsense dashboard? I don't think so. traffic going through a
 particular interface is not so interesting.

  For plugins, BandwidthD and Darkstat have some information.

 Unfortuntely the info is of no value. I am not interested in any traffic
 volume between LAN, DMZ, WIFI, LAN2, etc. I am only interested in the
 traffic going through WAN, and with which *internal* host. The above
 packages can only tell me which *Internet* sites had how much traffic
 through WAN, but that side of the connection is of no interest to me. I
 want to know which of my clients have created the traffic for which I
 have to pay my ISP, so I can work out which flatmate has to pay for it,
 or fix the computer with a problem that wastes my money.

 I realise those in the USA and a few other countries don't have this
 problem, but it sure exists where I live and I'm sure it's not the only
 country. In any case it's good to know what gobbles up resources, even
 if they're free.

  I've used netflow on other systems to get this sort of information, but
 for
  pfSense you would have to setup a second box that ran the netflow
  visualizer to see the traffic information from one of the netflow
 plugins.

 Copying a file onto another computer to look at its content isn't too
 much of a problem. Do you know of a good tutorial that lists the
 software needed, and basic config for each part?

 Thanks,

 Volker

 --
 Volker Kuhlmann
 http://volker.top.geek.nz/  Please do not CC list postings to me.
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




 --
 The greatest dangers to liberty lurk in insidious encroachment by men of
 zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold


 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Squid not logging traffic

[Walter Parker]

For the real time monitor, if you switch from WAN to LAN, you can see who
is doing spikes. For the other items, you can see how much bandwidth each
internal IP addresses has used in one of those packages. Unless you have
servers in a DMZ outside of the firewall or are doing some sort of traffic
reflection to internal hosts, all traffic to/from a desktop to the firewall
is traffic to the internet.

I might do some screenshots to show what I mean (if I can find the time).

For netflow, I setup a Windows application in a VM (from ManageEngine I
think). It had simple instructions to tell the netflow generator (the
firewall) to send the stats traffic to the Windows box. Then I used the the
reporting features in the application to view how much data each host was
sending/receiving. I was able to tell that one web server had way to much
traffic and that a music streaming server was running 800% of normal. I
understand that there are open source versions of this program that run on
Linux/FreeBSD. Setting one of these up is on my todo list. With a bit of
programming, I'm sure you do this with Cacti/RRD, but then again, I've been
a perl programmer for 20 years, so my idea of a bit of programming might
radically differ from yours :)

If I can find the time, I'll see if I can find any notes.


Walter

On Mon, Feb 16, 2015 at 2:58 PM, Volker Kuhlmann list0...@paradise.net.nz
wrote:

 On Tue 17 Feb 2015 10:33:21 NZDT +1300, Walter Parker wrote:

  In Realtime, you can use the dashboard app.

 The pfsense dashboard? I don't think so. traffic going through a
 particular interface is not so interesting.

  For plugins, BandwidthD and Darkstat have some information.

 Unfortuntely the info is of no value. I am not interested in any traffic
 volume between LAN, DMZ, WIFI, LAN2, etc. I am only interested in the
 traffic going through WAN, and with which *internal* host. The above
 packages can only tell me which *Internet* sites had how much traffic
 through WAN, but that side of the connection is of no interest to me. I
 want to know which of my clients have created the traffic for which I
 have to pay my ISP, so I can work out which flatmate has to pay for it,
 or fix the computer with a problem that wastes my money.

 I realise those in the USA and a few other countries don't have this
 problem, but it sure exists where I live and I'm sure it's not the only
 country. In any case it's good to know what gobbles up resources, even
 if they're free.

  I've used netflow on other systems to get this sort of information, but
 for
  pfSense you would have to setup a second box that ran the netflow
  visualizer to see the traffic information from one of the netflow
 plugins.

 Copying a file onto another computer to look at its content isn't too
 much of a problem. Do you know of a good tutorial that lists the
 software needed, and basic config for each part?

 Thanks,

 Volker

 --
 Volker Kuhlmann
 http://volker.top.geek.nz/  Please do not CC list postings to me.
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Squid not logging traffic

[Walter Parker]

In Realtime, you can use the dashboard app.

For plugins, BandwidthD and Darkstat have some information.

I've used netflow on other systems to get this sort of information, but for
pfSense you would have to setup a second box that ran the netflow
visualizer to see the traffic information from one of the netflow plugins.

On Mon, Feb 16, 2015 at 1:13 PM, Volker Kuhlmann list0...@paradise.net.nz
wrote:

 On Tue 17 Feb 2015 06:15:46 NZDT +1300, Brian Caouette wrote:

  I also notice it doesn't log torrents. Is there a way to tell it to
  log everything

 I don't know about lightsquid. Squid is a web cache and I'm not sure it
 is even able to deal with anything but http. If you look at its config
 file you see that it only deals with a short list of ports in the first
 place, and is not involved in the rest at all. You are looking for an
 application filter (like squid is for http). pfsense is mainly a packet
 filter, those packages are already add-ons.

  so I can get an accurate picture of what each device on
  the network is using?

 With pfsense, short answer: no. This is my longest standing problem with
 pfsense. It is not able to tell me which LAN device caused how much WAN
 traffic. There may be half a dozen different add-on packages but all are
 of no use here (for different reasons). I'd really like to hear that I
 missed something...

 Volker

 --
 Volker Kuhlmann is list0570 with the domain in header.
 http://volker.top.geek.nz/  Please do not CC list postings to me.
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Firewall Hardware/Setup for Datacenter...

[Walter Parker]

If you really want to setup two copies of pfSense, both running on ESXi
hosts, using VMWare replication is a very expensive solution. pfSense
supports router replication using CARP, so you don't need VM level
replication only the data replication in CARP.

If VMWare costs are your big issue, you might think about loading one
system bare (just a simple SSD). If you want mirroring of the drive, use
FreeBSD GEOM mirroring or even BIOS mirroring. Given modern SSDs, the
chance of failure would be very low. Compared to most Windows Servers,
pfSense is tiny and almost stateless (every can be restored using one tiny
XML file). How you setup up the second host depends on what you trust most.
But, then i guess it gets into a case of CYA if solutions other than VMWare
replication are frowned upon.


Walter

On Thu, Feb 5, 2015 at 7:22 PM, Chuck Mariotti cmario...@xunity.com wrote:

  Thanks… I am leaning that way I think… just trying to wrap my head
 around if it is worth trying to buy more ram + more storage (HW RAID) to
 make them ESXI worthy to run VMs, or if I should just keep it basic… the
 ESXI is tempting since I can at least make the secondary server do other
 stuff instead of just waiting for a failure on primary. Trying to think of
 a useful virtual machines to run that are not mission critical if a machine
 dies (since not raid), don’t have license to real-time replicate it on the
 VMWare side, but that might be useful for datacenter...







 *From:* List [mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Jason
 Whitt
 *Sent:* February-05-15 3:23 PM
 *To:* pfSense Support and Discussion Mailing List
 *Subject:* Re: [pfSense] Firewall Hardware/Setup for Datacenter...



 I would add that for data center workloads the apu's may not be the best
 choice ... Those 8 core atoms are plenty for multi 1gig feeds and the nic's
 are solid.




 Sent from my iPhone


 On Feb 5, 2015, at 12:38 PM, Jeremy Bennett jbenn...@hikitechnology.com
 wrote:

  Jason is correct. Those Supermicro boxes are awesome. Be careful when
 ordering though... they want ECC memory.



 The APUs from Netgate are nice too–the year of bundled support has already
 saved my bacon a number of times. Well worth the cost.



 On Thu, Feb 5, 2015 at 9:19 AM, Jason Whitt jason.wh...@gmail.com wrote:

  Ive ran as vm's using vmxnet3's as well as physical on these
 http://m.newegg.com/Product/index?itemnumber=16-101-837



 Both are viable options.



 Jason

 Sent from my iPhone


 On Feb 5, 2015, at 11:11 AM, Walter Parker walt...@gmail.com wrote:

  I've used pfSense in a VM on my ESXi application server. This is mostly
 to firewall the Windows VMs from the Internet.



 If you want fail-over, I'd suggest getting one of the new Netgate (
 http://store.netgate.com/NetgateAPU2.aspx or
 http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense (
 https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an
 SSD. Then you can run a full install that supports package installs with a
 power budget of ~10-15 Watts for the APU units. Then you have a choice of
 getting a second HW unit for an additional $400 to $1000, or setting up
 pfSense in a VM (not on a separate VMware server, on an existing VM server).



 The higher end HW systems on those pages are 8 core Atom systems built for
 run pfSense (of course, the power requirements will be in the 100W range).
 With an SSD, these systems should last for a long time with no issues.



 How much firewall horsepower do you need? What are your constrains (time,
 money, space)?



 P.S. You can run packages on embedded in 2.2, you just want to be careful
 not to run packages that would trash the SD card with too many writes.





 Walter



 On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti cmario...@xunity.com
 wrote:

  Have been using pfSense for years at our datacenter, very happy with it
 running on old dedicate hardware with failover. The hardware is overdue to
 be retired and I’m wondering what people are doing/recommending for a
 datacenter setup. We want to use OpenVPN Server, IDS, dBandwidth, etc… so
 need to keep out option open for the ability to run packages... behind it
 we are running multiple servers and vCenter/ESXI servers.



 What’s the go-to setup for a datacenter these days?



 Do we stick with two dedicated boxes?
 Since we pay for power, nice to have lower power… So do we go as low as
 using embedded hardware? It used to not be recommended for packages… still
 the case I assume?

 So I’m leaning towards some of the newer SuperMicro Atom boxes (quad core,
 or 8 core!!??! etc…).



 But then I see so many people running pfSense in VMWare and I wonder if we
 should consider this. Then I think about the hardware needs and VMWare
 Licensing (would like to avoid)… and what else can I run on the hardware
 along side without hurting pfSense from running properly, etc…



 If pfSense is setup to failover, that means the hardware can be cheap…. No
 RAID needed

Re: [pfSense] Firewall Hardware/Setup for Datacenter...

[Walter Parker]

I've used pfSense in a VM on my ESXi application server. This is mostly to
firewall the Windows VMs from the Internet.

If you want fail-over, I'd suggest getting one of the new Netgate (
http://store.netgate.com/NetgateAPU2.aspx or
http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense (
https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an
SSD. Then you can run a full install that supports package installs with a
power budget of ~10-15 Watts for the APU units. Then you have a choice of
getting a second HW unit for an additional $400 to $1000, or setting up
pfSense in a VM (not on a separate VMware server, on an existing VM server).

The higher end HW systems on those pages are 8 core Atom systems built for
run pfSense (of course, the power requirements will be in the 100W range).
With an SSD, these systems should last for a long time with no issues.

How much firewall horsepower do you need? What are your constrains (time,
money, space)?

P.S. You can run packages on embedded in 2.2, you just want to be careful
not to run packages that would trash the SD card with too many writes.


Walter

On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti cmario...@xunity.com wrote:

  Have been using pfSense for years at our datacenter, very happy with it
 running on old dedicate hardware with failover. The hardware is overdue to
 be retired and I’m wondering what people are doing/recommending for a
 datacenter setup. We want to use OpenVPN Server, IDS, dBandwidth, etc… so
 need to keep out option open for the ability to run packages... behind it
 we are running multiple servers and vCenter/ESXI servers.



 What’s the go-to setup for a datacenter these days?



 Do we stick with two dedicated boxes?
 Since we pay for power, nice to have lower power… So do we go as low as
 using embedded hardware? It used to not be recommended for packages… still
 the case I assume?

 So I’m leaning towards some of the newer SuperMicro Atom boxes (quad core,
 or 8 core!!??! etc…).



 But then I see so many people running pfSense in VMWare and I wonder if we
 should consider this. Then I think about the hardware needs and VMWare
 Licensing (would like to avoid)… and what else can I run on the hardware
 along side without hurting pfSense from running properly, etc…



 If pfSense is setup to failover, that means the hardware can be cheap…. No
 RAID needed.

 If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages…
 can I run it off of USB stick then or do I still need HDD/SSD?



 If setting up new hardware so can run pfSense as Virtual Machines… I would
 need two VM Hosts running pfSense as VM’s so would have the failover...
 What should we consider for the hardware in this case… should I go with
 RAID w/HDD/SSD on ESXI? If pfSense is setup for failover, do I really need
 RAID? But I assume I would need something reliable if I’m going to run
 other non-pfsense VMs on the same hardware… so I would need RAID w/HDD/SSD
 and it would need to be larger… what are other people running in datacenter
 setups along side the pfSense? I don’t want to put it onto our existing
 vCenter infrastructure, licensing/costs and isolation needed. Do I setup
 one hardware as basic, no RAID running ESXI and pfSense, and the other more
 robust setup (RAID, more memory).



 I’m really interested in what people are using in production
 environments/datacenters.



 Regards,

 Chuck




 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] CVE-2015-0235 - Uncertain if pfSense/OpenBSD is vulnerable?

[Walter Parker]

First, pfSense is from FreeBSD, not OpenBSD. Second xBSD uses libc by
default, not glibc. glibc is a GNU/Linux port of the libc from UNIX
systems. I wouldn't expect to see recent glibc errors in xBSD, as there are
separate code bases at the system level.


Walter

On Tue, Jan 27, 2015 at 10:45 AM, Wolf Noble w...@wolfspyre.com wrote:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
 http://www.openwall.com/lists/oss-security/2015/01/27/9

 a glibc bug in gethostbyname allows for a remote execution exploit...

 I don't see a mention of exposure, or lack thereof, for openbsd (and thus
 pfSense). Hoping someone on the list might be slightly more knowledgable
 than I?
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] pfSense 2.2RC resolv.conf settings

[Walter Parker]

Hi,

I just put pfSense 2.2RC on my filewall and I noticed that the PHP code
that generates the resolv.conf file will add the line options edns0 to
resolv.conf if the the unbound config has the edns option set.

I didn't see any way in the GUI to set this option. I'm I missing
something, or has this not been impletemented yet? How/when will this
option be available?


Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Today's Infoworld Deep End column

[Walter Parker]

Just thought I'd note that Paul Venezia, who does the Deep End column for
Infoworld, just gave a positive heads up to pfSense and the APU1 DIY kit
from Netgate.

http://www.infoworld.com/article/2861574/network-security/you-should-be-running-pfsense-firewall.html


Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Recomend

[Walter Parker]

What I mean is that there is project under development that has an SSD
style device with a lifespan of 100 years for writes to the drive. The
lifespan of the SSD in your new firewall will last 5-10 years (assuming
lots of writes). Therefore, the new super long life SSD should hit the
market long before your new SSD will have any end of life issues. I didn't
mean to imply that the SSD had any specific issues other than the base
issue that all SSD drives have (the electron tunneling that allows an SSD
to work results in limited life span as compared to DRAM or spinning rust
drive writes).

If/when I upgrade my firewall, the APU is what I want.


Walter

On Tue, Dec 16, 2014 at 6:41 AM, Brian Caouette bri...@dlois.com wrote:

  Just tracked my order and its suppose to arrive today. Can't wait! I
 went with the SSD they offer.

 What drive project are you referring too? I don't understand your comment
 about get it now before it has any issues.

 Brian


 On 11/30/2014 3:07 PM, Walter Parker wrote:

 If you are getting the Netgate kit, I'd suggest just getting the Intel
 m525 SSD that they offer. This is a modern SSD with wear leveling that
 keeps software like a squid cache from burning out the drive early. It will
 fit and work without having to build a custom cable and have to tape a
 drive to the case. IIRC, your setup is for a home network, so the amount of
 data that is likely to flow will be quite a bit below the SSD's limits.
 Also, I think the guys at Netgate picked that specific SSD from Intel
 because tested different SSD drives and found that the Intel drive worked
 well and has a good reputation for quality and longevity.

  Why are you moving to the kit? If it because you want a small, low
 energy box that you can put in a corner and then forget about the hardware
 because it just works, then get the SSD and buy a backup device (SD card or
 SSD). Then in 5-10 years, if the SSD fails, you will have a replacement
 device on hand to replace the SSD that went out.

  I suggest you get the SSD now. Before the SSD has any issues, Jim's new
 drive project will be complete and that one should last for life of the
 router.


  Walter


 On Sun, Nov 30, 2014 at 11:16 AM, Volker Kuhlmann hid...@paradise.net.nz
 wrote:

 On Fri 28 Nov 2014 13:56:32 NZDT +1300, Ryan Coleman wrote:

  Have you considered a small 2.5 SATA HD for the machine? If
  you're talking APU, of course. You can run it off 5V from the board
  (I THINK?) I know there are SATA headers there.

 There is one SATA header on the board, and you get 5V power from a 2-pin
 header close-by. Butcher a SATA power cable and solder something up
 yourself, or better buy the specially-made short SATA/power cable from
 PC Engines.

 A tip from PC Engines was to tape the disk under the lid, so all fits
 into the box. Might pay to check disk temperature afterwards. I noticed
 the latest revision of the APU board has a 2x3 test header missing to
 make more space for a 2.5 disk.

 I am about to try an SSD for pfsense and a 2.5 for the squid cache.
 Currently it all runs fine off a 2.5.

 I can't comment on the other hardware mentioned by the OP because of
 lack of experience.

 Volker

 --
 Volker Kuhlmann is list0570 with the domain in header.
 http://volker.top.geek.nz/  Please do not CC list postings to me.
  ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




  --
 The greatest dangers to liberty lurk in insidious encroachment by men of
 zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


 ___
 List mailing 
 listList@lists.pfsense.orghttps://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Recomend

[Walter Parker]

If you are getting the Netgate kit, I'd suggest just getting the Intel m525
SSD that they offer. This is a modern SSD with wear leveling that keeps
software like a squid cache from burning out the drive early. It will fit
and work without having to build a custom cable and have to tape a drive to
the case. IIRC, your setup is for a home network, so the amount of data
that is likely to flow will be quite a bit below the SSD's limits. Also, I
think the guys at Netgate picked that specific SSD from Intel because
tested different SSD drives and found that the Intel drive worked well and
has a good reputation for quality and longevity.

Why are you moving to the kit? If it because you want a small, low energy
box that you can put in a corner and then forget about the hardware because
it just works, then get the SSD and buy a backup device (SD card or SSD).
Then in 5-10 years, if the SSD fails, you will have a replacement device on
hand to replace the SSD that went out.

I suggest you get the SSD now. Before the SSD has any issues, Jim's new
drive project will be complete and that one should last for life of the
router.


Walter


On Sun, Nov 30, 2014 at 11:16 AM, Volker Kuhlmann hid...@paradise.net.nz
wrote:

 On Fri 28 Nov 2014 13:56:32 NZDT +1300, Ryan Coleman wrote:

  Have you considered a small 2.5 SATA HD for the machine? If
  you're talking APU, of course. You can run it off 5V from the board
  (I THINK?) I know there are SATA headers there.

 There is one SATA header on the board, and you get 5V power from a 2-pin
 header close-by. Butcher a SATA power cable and solder something up
 yourself, or better buy the specially-made short SATA/power cable from
 PC Engines.

 A tip from PC Engines was to tape the disk under the lid, so all fits
 into the box. Might pay to check disk temperature afterwards. I noticed
 the latest revision of the APU board has a 2x3 test header missing to
 make more space for a 2.5 disk.

 I am about to try an SSD for pfsense and a 2.5 for the squid cache.
 Currently it all runs fine off a 2.5.

 I can't comment on the other hardware mentioned by the OP because of
 lack of experience.

 Volker

 --
 Volker Kuhlmann is list0570 with the domain in header.
 http://volker.top.geek.nz/  Please do not CC list postings to me.
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Recomend

[Walter Parker]

I'd be a little worried about the SD card and squid, but not the current
ADD solution from Netgate.
On Nov 27, 2014 2:05 PM, Brian Caouette bri...@dlois.com wrote:

 I've been looking at the kit at Netgate for $199 to replace my poweredge
 2850 for pfSense. My concern is the sd/flash memory and the use of squid
 primarily for content filtering but also limited caching. My understanding
 is the SSD or SD card will have its life limited by the extensive r/w. Can
 anyone with experience with the 2850 and this device comment as to how it
 will compare beyond the obviously smaller sizer and lower power
 consumption. Is there anything I should know consider?

 Sent from my iPad
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Install CD - I don't know where to go with this

[Walter Parker]

I use imgburn to burn all of my pfSense CDs (and Windows, Linux and FreeBSD
DVDs). I second the recommendation. If you have picked the correct image,
it should boot unless there is something strange with the HP hardware. The
fact that a Windows disk boots doesn't prove that hardware isn't strange
or have some sort of other issue. I'd double check that everything is
correct.


Walter

On Thu, Oct 30, 2014 at 4:19 PM, Harlan Stenn har...@pfcs.com wrote:

 I use imgburn to put a .iso on a CD.

 I use imgburn to burn all of my windows optical media.

 H

 On 10/30/14 4:01 PM, Mark Hisel wrote:
 
  I'm trying to make an install CD but no joy.  Upfront, this is not a
  pfSense issue but maybe someone can help.  Thanks to those who have
  already responded.
 
  I used WinISO, which lets me fiddle with the boot record, so I burned a
  CD and then made an ISO from it and the ISO has a boot record.
 
  But it won't boot.  I went through the same exercise with Oracle Linux
  and got the same results.  The same machine boots up a Windows OS just
  fine.  I'm trying to boot onto a DL380 G3
 
 
  ___
  List mailing list
  List@lists.pfsense.org
  https://lists.pfsense.org/mailman/listinfo/list
 


 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Reports

[Walter Parker]

First time I would do is make sure that you have added static IP address
reservations for those the MAC addresses using the DHCP server page for
each piece of IP gear that your children have. If you click on All Leases,
it will show you every device that has tried to get an address. You can
take the MAC addresses from this page to make static leases. That way each
device will always have the same IP address and then you can use the
existing IP reports in pfSense to get sense for the traffic flows.

If you can't get the reporting you need, you might look at exporting the
logs and then processing them on separate box using other packages. If you
know a scripting language (perl, python, ruby, etc..) you might whip a
script of your own to generate basic reports of the style that you need.


Walter

On Fri, Sep 26, 2014 at 12:23 PM, Brian Caouette bri...@dlois.com wrote:

 Is there a way to do a weekly report based on MAC address showing times
 used, total time and date for the period? Trying to prove a point how much
 the kids use and that they are still online after bedtime.

 Sent from my iPad
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Pftop confusion.

[Walter Parker]

To see which client is eating your bandwidth, when using Traffic Graph,
switch from WAN to LAN. Then the dynamic list of hosts will show client IP
addresses and not your link address.

On Wed, Sep 24, 2014 at 7:55 AM, Muhammad Yousuf Khan sir...@gmail.com
wrote:

 Exactly this is how i learn that my whole link is eaten by someone. now i
 want to check which client is eating all the bandwidth.
 Traffic graph is showing whole link activity. what i want to find is which
 client IP is using most of it.

 Thanks,
 MYK


 On Wed, Sep 24, 2014 at 7:33 PM, Oliver Hansen oliver.han...@gmail.com
 wrote:

 Status -  Traffic Graph is where I usually look in the GUI.
 On Sep 24, 2014 7:25 AM, Muhammad Yousuf Khan sir...@gmail.com wrote:

 hi guys actually i want to check which IP is using most of the internet
 traffic. i see pftop a bit confusing i tried changing sorting via o  but
 it is still confusing me . can you guys please guide me how can i viiew
 live monitoring. what i want to check is which one host is eating up the
 whole bandwidth.

 Thanks,
 MYK

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Https blocking

[Walter Parker]

A suggestion: Null route all facebook addresses. That usually kills any
traffic. Be aware that it kills all traffic to those addresses (HTTP,
HTTPS, SMTP, POP3, DNS).


FYI, getting snotty to people that are asking for help usually turns them
off of wanting to help you...


Walter

On Wed, Sep 24, 2014 at 10:21 AM, A Mohan Rao mohanra...@gmail.com wrote:

 Hello
 If u really a expert so then pls resolve bmy problem. I have do all the
 things but still people can access blocked website in pfsense.
  On Sep 24, 2014 9:50 PM, Ryan Coleman ryanjc...@me.com wrote:

  You've asked this question many times and we've given many options for
 resolving it but you keep coming back.

 https://duckduckgo.com/?q=blocking+torrents+in+pfsense
 https://duckduckgo.com/?q=blocking+facebook+in+pfsense
 https://doc.pfsense.org/index.php/Blocking_websites
 https://forum.pfsense.org/index.php?topic=36274.0

 A little web searching will go a long way.


 On 9/24/2014 11:10 AM, A Mohan Rao wrote:

 Actually due to wasting of time employees... management need to block
 these sites if have any solutions pls give..
 I really very appritiate ..
 On Sep 24, 2014 9:00 PM, Ryan Coleman ryanjc...@me.com wrote:

  Block port 443 in the Firewall rules outbound - no need for a
 transparent proxy.

 That said - why do you need to block them? Because you're snooping 100%
 of the traffic to see what people are reading/sending?


 On 9/24/2014 10:16 AM, A Mohan Rao wrote:

 How can i completely and properly block https facebook, torrentz, exe
 download and proxy sites through transparent proxy.

 Thanks
 Mohan


 ___
 List mailing 
 listList@lists.pfsense.orghttps://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing 
 listList@lists.pfsense.orghttps://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Cannot go to HTTPS sites using WAN interface

[Walter Parker]

Yes, check to make sure that the WebConsole interface (on 443) is not
conflicting with with your other rules.


Check for allow/deny rules in both Squid and pfSense to make sure that you
don't have a conflict.

On Tue, Sep 9, 2014 at 1:34 PM, Satvinder Singh 
satvinder.si...@nc4worldwide.com wrote:

  Hi,

  In my setup I am using WAN interface as a DMZ. I have Squid3 and
 SquidGuard3 installed for proxy. When I try to access a https site using
 LAN interface IP as proxy address it works. But if I try to access a HTTPS
 site using DMZ IP (WAN IP) I am not able to access HTTPS sites. The same
 site responds fine in http but not in https. I have Squid servicing the DMZ
 interface, the Rule is in place in the firewall. Anything I am overlooking?

  Thanks
Satvinder Singh
 Security Systems Engineer
 satvinder.si...@nc4worldwide.com
 804.744.9630 x273 direct
 703.989.8030 cell
 www.NC4worldwide.com

  http://www.linkedin.com/company/nc4
 Disclaimer: This message is intended only for the use of the individual or
 entity to which it is addressed and may contain information which is
 privileged, confidential, proprietary, or exempt from disclosure under
 applicable law. If you are not the intended recipient or the person
 responsible for delivering the message to the intended recipient, you are
 strictly prohibited from disclosing, distributing, copying, or in any way
 using this message. If you have received this communication in error,
 please notify the sender and destroy and delete any copies you may have
 received.

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

[Walter Parker]

Then you stuck with setting up reverse proxies for those services.


Walter


On Sat, Jul 12, 2014 at 6:56 PM, Blake Cornell 
bcorn...@integrissecurity.com wrote:

  Its a TCP traceroute, not UDP nor ICMP. I need to provide TCP based
 services.

 I would prefer staying within the framework of the interface or nominal
 BSD magic.

 --
 Blake Cornell
 CTO, Integris Security LLC
 501 Franklin Ave, Suite 200
 Garden City, NY 11530 USAhttp://www.integrissecurity.com/
 O: +1(516)750-0478
 M: +1(516)900-2193
 PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
 Free Tools: https://www.integrissecurity.com/SecurityTools
 Follow us on Twitter: @integrissec

 On 07/12/2014 09:54 PM, Chris Buechler wrote:

  I don't see the point. If you don't want people to see the path, don't
 allow traceroute in (or stop it after the first NAT). If you do, what do
 you care if the layers of NAT can be enumerated. If anything even remotely
 useful to an attacker can be done to your network because someone knows how
 many layers of NAT you have, you have a lot bigger problems than showing
 that in a traceroute.

  pf scrub does have a min-ttl option but it's not one that's exposed
 anywhere in the GUI and would require changing the source to use. Not
 something I've ever seen a real need to use.


 On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell 
 bcorn...@integrissecurity.com wrote:

  I would put it on a report as an issue.. further more...  no
 comment

 --
 Blake Cornell
 CTO, Integris Security LLC
 501 Franklin Ave, Suite 200
 Garden City, NY 11530 USAhttp://www.integrissecurity.com/
 O: +1(516)750-0478
 M: +1(516)900-2193
 PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
 Free Tools: https://www.integrissecurity.com/SecurityTools
 Follow us on Twitter: @integrissec

   On 07/10/2014 05:29 PM, Walter Parker wrote:

 I disagree that this is a vulnerability/weakness. If this is truly your
 only issue with the network, I'd call it good and done if you are not the
 DOD/NSA.

  If you are, then you need to start again with an even more secure
 foundation.


  Walter


  On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell 
 bcorn...@integrissecurity.com wrote:

 There is a reason for it. It works well except for this ONE issue.

 I like setting up 0 vulnerability/weakness networks. This is the only
 one minus presentation/application issues.

 Thank you both for your input. I'll touch base when I determine a
 resolution strategy.

 --
 Blake Cornell
 CTO, Integris Security LLC
 501 Franklin Ave, Suite 200
 Garden City, NY 11530 USA
 http://www.integrissecurity.com/
 O: +1(516)750-0478
 M: +1(516)900-2193
 PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
 Free Tools: https://www.integrissecurity.com/SecurityTools
 Follow us on Twitter: @integrissec

  On 07/10/2014 01:49 PM, James Bensley wrote:
  Further to what Walter has said - Double NATB!
  ___
  List mailing list
  List@lists.pfsense.org
  https://lists.pfsense.org/mailman/listinfo/list

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




  --
 The greatest dangers to liberty lurk in insidious encroachment by men of
 zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


 ___
 List mailing 
 listList@lists.pfsense.orghttps://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




 ___
 List mailing 
 listList@lists.pfsense.orghttps://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

[Walter Parker]

I think you might have a misconception in your request. Whe you say:

To resolve this issue I need to mangle forwarded IP packets by
incrementing their TTL by 1.  This would effectively hide the above
included results.  If anyone knows how to do this either through the web
interface or through custom configurations then please let me know.

That is how IP normally works. Traceroute uses this feature by sending a
packet with the TTL set to 1, then the TTL set to 2, then the TTL set to 3,
etc. Each router on the chain reduces the value by one. Each time the
packet expires, an ICMP TTL message packet is sent to sender saying that
packet exipred in transit. Those are the messages that traceroute uses to
map the network. The problem with filtering those messages is if you hit a
loop on the Internet (often due to a network with static routes being
down), your packets will loop forever.

My best guess, a custom rule that drops all packets with a TTL  5 and live
with the fact that some people on the Internet might have issues talking to
you if they are the far perimeter of the Internet. This assumes that there
is a advanced feature in pfSense (and pf) that allows for filtering based
on TTL values.

Personally, I don't see why you need to keep the inside topology secret,
but if do, use a reverse proxy on the outside and not 1 to 1 NAT.  Then the
packets will terminate at the proxy and not internally. If you are worried
about security and secrecy at this level, then you should not be using 1 to
1 NAT, as it exposes to much information and has too high of a risk. You
need to use proxies and other items that intercept and rewrite traffic to
hide the inside equipment, or decide that maybe you don't actually need to
be quite so much of a back box.


Walter


On Thu, Jul 10, 2014 at 7:36 AM, Blake Cornell 
bcorn...@integrissecurity.com wrote:

 Any thoughts anyone?

 --
 Blake Cornell
 CTO, Integris Security LLC
 501 Franklin Ave, Suite 200
 Garden City, NY 11530 USA
 http://www.integrissecurity.com/
 O: +1(516)750-0478
 M: +1(516)900-2193
 PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
 Free Tools: https://www.integrissecurity.com/SecurityTools
 Follow us on Twitter: @integrissec

 On 07/03/2014 06:15 PM, Blake Cornell wrote:
  Hello,
 
  I have a pfSense network that uses multiple layers of NAT translation.
  Public IP's are mapped to specific NAT addresses using a 1 to 1 mapping
  on the edge device.  The packets are then forwarded to another pfSense
  device using another layer of NAT translation.
 
  Ex: public ip - NAT network 1 - NAT network 2 - target machine.
 
  The issue lies when using the example IP of 1.1.1.1, on an example open
  port 80.
 
  # tcptraceroute 1.1.1.1 80
  [removed for brevity]
   3  1.1.1.1  29.247 ms  17.670 ms  14.007 ms
   4  1.1.1.1  20.142 ms  16.119 ms  16.609 ms
   5  1.1.1.1 [open]  21.387 ms  17.176 ms  70.283 ms
 
  As you can see, the results show three instances of 1.1.1.1.  This
  allows an attacker the ability to enumerate the depth of NAT
  translation.  This is a low risk issue.
 
  To resolve this issue I need to mangle forwarded IP packets by
  incrementing their TTL by 1.  This would effectively hide the above
  included results.  If anyone knows how to do this either through the web
  interface or through custom configurations then please let me know.
 
  EMail me directly for a real world example for your analysis.
 
  Thanks in Advance,
 

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

[Walter Parker]

I disagree that this is a vulnerability/weakness. If this is truly your
only issue with the network, I'd call it good and done if you are not the
DOD/NSA.

If you are, then you need to start again with an even more secure
foundation.


Walter


On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell 
bcorn...@integrissecurity.com wrote:

 There is a reason for it. It works well except for this ONE issue.

 I like setting up 0 vulnerability/weakness networks. This is the only
 one minus presentation/application issues.

 Thank you both for your input. I'll touch base when I determine a
 resolution strategy.

 --
 Blake Cornell
 CTO, Integris Security LLC
 501 Franklin Ave, Suite 200
 Garden City, NY 11530 USA
 http://www.integrissecurity.com/
 O: +1(516)750-0478
 M: +1(516)900-2193
 PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
 Free Tools: https://www.integrissecurity.com/SecurityTools
 Follow us on Twitter: @integrissec

 On 07/10/2014 01:49 PM, James Bensley wrote:
  Further to what Walter has said - Double NATB!
  ___
  List mailing list
  List@lists.pfsense.org
  https://lists.pfsense.org/mailman/listinfo/list

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] https transparent proxy project failed...

[Walter Parker]

HTTPS was designed to cause a transparent proxy to fail (that was one of
the major design goals, no third party [such as squid] could read to the
traffic). As mentioned before, to make this work, you must either drop the
requirement that the proxy be transparent (Note, explicit proxies can be
auto configured, and this is default state of IE and Chrome on Windows.),
or you will need to drop the requirement for a caching proxy (squid) and
just block on IP or DNS name.


Walter


On Thu, Jun 26, 2014 at 7:19 AM, Martin Fuchs mar...@fuchs-kiel.de wrote:

 It is also not legal everywhere ;-)

 -Ursprüngliche Nachricht-
 Von: List [mailto:list-boun...@lists.pfsense.org] Im Auftrag von Ryan
 Coleman
 Gesendet: Donnerstag, 26. Juni 2014 14:00
 An: pfSense Support and Discussion Mailing List
 Betreff: Re: [pfSense] https transparent proxy project failed...

 Typically that would because no one here has experience with it and you
 should try to find another resource.


  On Jun 26, 2014, at 2:45, A Mohan Rao mohanra...@gmail.com wrote:
 
  i think squid3-dev https transparent proxy project failed...
  still no body gave positive feedback.
 
 
 
  Thanks
 
   Mohan
  ___
  List mailing list
  List@lists.pfsense.org
  https://lists.pfsense.org/mailman/listinfo/list
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Squid3 with https filtering

[Walter Parker]

There is a way to auto configure the proxy settings on modern browsers, so
that you don't have to manually configure them individually

WPAD and Proxy auto-config
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
http://en.wikipedia.org/wiki/Proxy_auto-config


Walter


On Wed, Jun 18, 2014 at 8:14 AM, A Mohan Rao mohanra...@gmail.com wrote:

 I m using squid3-dev and squardguard-squid3 with transparent proxy with
 https proxy.
 All works fine but gmail or goole not open. Other sites working good.
 When i try to access google or gmail its given certificate error. i
 checked my level best also many times create or delete certificates then
 also import that certificate on browser but still m having same problem...
 Really very appritiate and lots of thanks in advance if give any positive
 IDEA.

 Thanks
 Mohan
 +91 98260 61122
 On Jun 18, 2014 1:02 PM, Jan j...@agetty.de wrote:

 On 06/17/2014 05:32 PM A Mohan Rao wrote:
  actually i need to block https sites like https facebook or https
 youtube
  etc with transparent proxy.
 
  now pls give any idea...!

 You may want to try using the CONNECT method in order to filter HTTPS
 requests. Those happen before a secure connection is being established.
 This way you can filter

 I usually run dansguardian which has a quite complex but very effective
 way
 of filtering SSL related traffic.

 From its documentation:

 Blanket SSL blocking so you can block SSL anonymous proxies and allow
 access to legitimate SSL sites such as banking by whitelisting

 = http://dansguardian.org/

 But be aware using CONNECT method based filtering requires the proxy to be
 explicitly configured on respective devices and therefore won't work with
 a
 transparent proxy.

 Additional information on the CONNECT method:

 http://wiki.squid-cache.org/Features/HTTPS

 Cheers


 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] installing vmtools

[Walter Parker]

Given than pfSense 2.1.3 uses FreeBSD 8.3 as the base OS, wouldn't
http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/perl5/ be
better location to use for packages?


Walter


On Wed, May 21, 2014 at 11:57 AM, Moshe Katz mo...@ymkatz.net wrote:

 On Wed, May 21, 2014 at 2:39 PM, Florio, Christopher N 
 flo...@email.unc.edu wrote:

 Any idea a URL that I could get this package from?  Sounds like a good
 option.


 One of these should do it (pick the one appropriate for your architecture)

 http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/perl5-5.16.3_6.tbz

 http://ftp1.freebsd.org/pub/FreeBSD/ports/i386/packages-9-current/perl5/perl5-5.16.3_6.tbz

 I'm not sure if a specific version of Perl is required - there are some
 breaking changes between 5.8 and 5.10, for example.  If 5.16 doesn't work,
 you can look in
 http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/(or 
 the i386 location) for other versions of 5.12, 5.14, and 5.18

 Moshe

 --
 Moshe Katz
 -- mo...@ymkatz.net
 -- +1(301)867-3732

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Poweredge 2850

[Walter Parker]

The amd64 is for all 64 bit machines (amd64 and Intel EMT64)
The x86 is for all 32 bit machines (Intel and AMD)

According the spec sheet,
http://www.dell.com/downloads/global/products/pedge/en/2850_specs.pdf, that
is a 64 bit machine.

Note, because AMD developed 64 for the x86 first, the BSDs call 64 bit mode
amd64. When Intel licensed it from AMD, they called by a different name
(something without the competitor's name in it). Another common name for
amd64 is x86_64.

The only place where AMD vs. Intel 64 really makes a difference is in VM
servers (such as ESXi and XenServer), where methods for visualizing IO are
different. Most other places, 64 bit is 64 bit and really doesn't matter.


Walter



On Mon, May 19, 2014 at 3:37 PM, Brian Caouette bri...@dlois.com wrote:

 Just ordered a Poweredge 2850. It has the xeno processor. Do I install the
 Intell version or amd64?
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Poweredge 2850

[Walter Parker]

Yea, I forgot about Itanium. For Itanium the initials are IA-64.

There is a Tier-2 supported version of FreeBSD for that processor, but
pfSense does not ship an IA-64 version.


Walter


On Mon, May 19, 2014 at 4:18 PM, Ryan Coleman ryanjc...@me.com wrote:

 Itanium is the only one that’s different from AMD64. I’ve never touched an
 Itanium-driven machine.


 On May 19, 2014, at 18:06, Walter Parker walt...@gmail.com wrote:

 The amd64 is for all 64 bit machines (amd64 and Intel EMT64)
 The x86 is for all 32 bit machines (Intel and AMD)

 According the spec sheet,
 http://www.dell.com/downloads/global/products/pedge/en/2850_specs.pdf,
 that is a 64 bit machine.

 Note, because AMD developed 64 for the x86 first, the BSDs call 64 bit
 mode amd64. When Intel licensed it from AMD, they called by a different
 name (something without the competitor's name in it). Another common name
 for amd64 is x86_64.

 The only place where AMD vs. Intel 64 really makes a difference is in VM
 servers (such as ESXi and XenServer), where methods for visualizing IO are
 different. Most other places, 64 bit is 64 bit and really doesn't matter.


 Walter



 On Mon, May 19, 2014 at 3:37 PM, Brian Caouette bri...@dlois.com wrote:

 Just ordered a Poweredge 2850. It has the xeno processor. Do I install
 the Intell version or amd64?
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




 --
 The greatest dangers to liberty lurk in insidious encroachment by men of
 zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] High iostat

[Walter Parker]

pfSense has menu options that allow to move/create /tmp and /var in RAM.
These can be found in SystemAdvancedMiscellaneous.

Then logging would be written to the RAM disk.

Note that the logs will be lost when the power goes out. You will need to
setup a scheduled job that does backups if you wish to persist the logs
across reboots.

Also note that all file systems slow down as the get full. As flash runs
out of empty write blocks, its performance also suffers. Something you
might try is the replace the existing flash card with something 2x-4x times
larger.

You might try getting the lsof package/tool from a FreeBSD 8.3 machine
(assuming you are running the current version of pfSense) and
installing/copying it to your system.

FreeBSD has two commands that provide many of the features in lsof:

  fstat
  sockstat

pfSense has both of these commands installed.



On Mon, May 12, 2014 at 8:09 PM, Wajih Ahmed wajih.ah...@gmail.com wrote:

 My pfsense laptop with a PATA CF card is disk bound these days.  The disk
 is always busy above 60% and mostly in the 90's.  Futhermore the service
 times are abysmal.  It takes more than a minute just to refresh the
 dashboard.  Initially the system was very quick but then i later i
 intruduced Captive Portal and then Radius (with accounting).  I think all
 of these are writing constantly to the filesystem.

 I do have plenty of RAM so i was thinking to place the captive portal and
 other logs on a ram disk.  Is this possible in pfsense?

 BTW it would be very nice to have a tool like lsof to see what files a pid
 has open and writing too.  But pfsense does not have lsof package.

 Thanks

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How to allow only incoming HTTP/HTTPs traffic from WAN interface?

[Walter Parker]

Yes but, if the website is using css and js from other domains, the web
servers don't pull the css and js from the Internet and resend it the
client.  The client pulls the web page from your server using HTTP,
processes the HTML, sees the CSS and JS links to other domains and then
loads the CSS and JS from those domains (servers). Even that is actually
irrelevant, because CSS and JS are severed up just like HTML, as normal
HTTP requests, so if you host those locally, they are just more files.

If you are building reverse proxy for a public website, then you only need
two access rules (HTTP allow all, HTTPS allow all). Then you setup pass
though rules to pass HTTP and HTTPS to the reverse proxy server.

I'd suggest that you see if the Proxy plugin works for your situation. It
does reverse proxy and has mod_security, which has built-in
filtering/security checks for web traffic. If you are trying to do DDOS
protection, then you need to put the router and reverse proxy servers at
data center with lots of bandwidth. Putting the Reverse Proxy server on the
same network feed as the web server will not migrate the bandwidth denial
features of a DDOS attack.

Also, I would suggest that you might think about conceptualizing the
project in term of what you want rather than how would you re-implement a
system using open source to replace one for one the expensive proprietary
tools that exist on the market (Cisco, Juniper, watchguard, F5, Barrcuda).

How you protect a network of web servers is quite different that how you
would protect a network of desktop computers.


Walter



On Mon, Apr 14, 2014 at 12:17 PM, Oğuz Yarımtepe oguzyarimt...@gmail.comwrote:


 The problem with this setup is, what will happen if the website is using
 some css, js files from other domains? Adding a rule for each of these
 domains will be painfull after a while i assume. But on the other hand, i
 will be using this reverse proxy node as the first entry point to my DDoS
 protection network, so not sure whether DPI is a good thing here or not.


 On Sat, Apr 12, 2014 at 11:40 PM, Walter Parker walt...@gmail.com wrote:

 How about configuring the firewall to block everything and then then
 create a rule that forwards/allows only port 80 and 443 to the reverse
 proxy server. Configure the reverse proxy server to only support HTTP
 traffic (on port 80 and using SSL on 443). Then you don't need to do DPI.
 I'd say you don't actually need to filter the traffic to the reverse proxy
 server if you pick one that that can be configured to only support HTTP
 traffic.



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How to allow only incoming HTTP/HTTPs traffic from WAN interface?

[Walter Parker]

How about configuring the firewall to block everything and then then create
a rule that forwards/allows only port 80 and 443 to the reverse proxy
server. Configure the reverse proxy server to only support HTTP traffic (on
port 80 and using SSL on 443). Then you don't need to do DPI. I'd say you
don't actually need to filter the traffic to the reverse proxy server if
you pick one that that can be configured to only support HTTP traffic.


Walter


On Sat, Apr 12, 2014 at 4:39 AM, Oğuz Yarımtepe oguzyarimt...@gmail.comwrote:

 I am trying to design a reverse proxy structure that will direct traffic
 to some web servers behind. At the entry point, i want to allow just HTTP
 or HTTPs traffic. I want to do this by using DPI. I couldn't figured out
 how to do it via PfSense. L7 filtering only lets blocking, firewall rules
 depends ports. I need to define  L7 filtering rule that will only allow
 HTTP traffic but for the traffic coming to WAN interface.

 How can i do it?

 Thank you.

 --
 Oğuz Yarımtepe
 http://about.me/oguzy

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Network Traffic Monitoring w/o Webgui

[Walter Parker]

I've installed in the past. We had 2-3 years of data before we switched
providers (and therefore need to start over). I will be installing on
FreeBSD 10 in the near future and I plan on using the port at
/usr/ports/net-mgmt/cacti.

As I recall the docs are not too bad, and there is now a book out on it.
The big thing you will need to do is enable SNMP on the pfSense routers
(change the community string). Then on Cacti, add those systems as data
sources. After 15 minutes, there will be enough data for the first graphs
to show up. I'd use Cacti's grouping features to organize the routers into
groups. If system running Cacti will talk to the pfSense routers from the
WAN port, then you need to allow that on psSense.

Once you get this working with the routers, you can get it working with
your systems (FreeBSD, Linux, Windows). On Unix like systems, the SNMP
daemon supports all sorts of features (CPU, Disk space, Processes running,
even kicking off scripts). Cacti supports the basic modes and you can use
the command snmpwalk to figure out what options you wosh to monitor, but
note that there is a lot of information. Try not to get overwhelmed and
stick to the simple stuff until you have a handle and then try adding
pieces at time.


On Tue, Apr 8, 2014 at 9:27 AM, James Caldwell 
jamescaldw...@hurricanecs.com wrote:

 I tried hunting this package down in the webgui this morning and I wasn't
 able to find it.  I ended up going to shell and changing the environment
 variable 'PACKAGESITE' using the following command 'setenv PACKAGESITE
 http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`unamehttp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/uname-m`/packages-8.1-release/Latest/.
   Once done, I was able to install iftop
 no problem.  (Credit for the command goes to nooblet.org)



 On to the Cacti comment; that's a really good idea Walter.  Having a way
 to manage historical data would be great.  I'm fairly new to the BSD world
 still, how difficult is it to piece together one of these solutions.  I
 understand that the webgui helps quite a bit but initially I've heard
 monitoring solutions can be a bit of a nightmare to get working properly
 initially.  Is this something that could or should be combined with a
 syslog type solution so that we're not only gathering network data but also
 logs/health from the routers themselves?  Any tips here before I dive
 headlong into this?



 Thanks,
 James



 *From:* List [mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Chuck
 Mariotti
 *Sent:* April-07-14 1:04 PM

 *To:* pfSense Support and Discussion Mailing List
 *Subject:* Re: [pfSense] Network Traffic Monitoring w/o Webgui



 It's been a few years, but a simple windows version...



 http://oss.oetiker.ch/mrtg/





 *From:* List 
 [mailto:list-boun...@lists.pfsense.orglist-boun...@lists.pfsense.org]
 *On Behalf Of *Walter Parker
 *Sent:* April-07-14 2:06 PM
 *To:* pfSense Support and Discussion Mailing List
 *Subject:* Re: [pfSense] Network Traffic Monitoring w/o Webgui



 Sorry,



 FOSS = Free/Open Source Software (what MRTG, Linux, FreeBSD, pfSense are,
 as different from what Microsoft or HP sell)



 Cacti is a web based system, from http://www.cacti.net/, that uses the
 technology that powers MRTG to build a nice web based system that monitors
 network equipment. Unlike MRTG, which has to be configured by hand, Cacti
 allows you to add hosts through the web interface (like how pfSense does
 all the pf stuff through the web rather than requiring you to edit config
 files). It is pretty simple to setup, assuming you have a FreeBSD or Linux
 systems and can install the package or port.



 I've used it on networks to monitor all of the traffic on the routers, on
 the servers and even on the switch ports (that requires a switch with SNMP
 counters, usually known as a managed switch).



 There are also commercial systems that do the same thing, but they quickly
 become expensive (1000's to 10,000's dollars) as the size of your network
 grows.





 Walter







 On Mon, Apr 7, 2014 at 10:47 AM, Brian Caouette bri...@dlois.com wrote:

 What is Cacti? FOSS?



 On 4/7/2014 1:42 PM, Walter Parker wrote:

 I'd expect that you should be able to enable SNMP, set a non default
 password (please don't use public) and add a firewall rule to allow UDP on
 port 161 to/from your mrtg server. I'd recommend using Cacti as your mrtg
 server (if you want a FOSS solution).





 Walter



 On Mon, Apr 7, 2014 at 10:23 AM, Brian Caouette bri...@dlois.com wrote:

 What about using mrtg to graph the various interfaces? Does PF support
 this?



 On 4/7/2014 12:54 PM, Jim Pingle wrote:

 On 4/7/2014 12:29 PM, James Caldwell wrote:

 Happy Monday list...

 Does anyone have a preferred way of monitoring over all traffic throughput
 for various interfaces via shell/putty instead of having to remain logged
 in to the webgui?  I have several alix based appliances that have had their
 ISP connections upgraded and I am

[pfSense] Packages didn't install after upgrade from 2.0 to 2.1.1

[Walter Parker]

I upgraded my ALIX system running 2.0 to 2.1.1. The base upgrade appeared
to go fine, I got the screen that said the system was upgrading all of the
packages, but after the system restarted, none of the pacakges on the old
system were listed as installed on the new system.

But the service screen shows the old packages and the menus still have menu
items for the old packages (clicking on one causes a php error). Installing
the package from the package manager menu does work and the package then
starts working (but in the case of vnstat2, it now appears in the menu
twice).

What do you recommend I do to fix the problem between what package used to
be installed and what is currently installed.




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] RDP port forward based on destination name.

[Walter Parker]

The big problem that I see people have that that want to do networking
based on hostnames rather than IP addresses. Such as how named virtual
hosting works on Apache. But the problem is that the hostname is translated
to an IP address on the client side and the only thing the server sees is
the IP address that the client used to connect. Apache knows what hostname
was used because the browser sets a HTTP header that has the hostname. This
was an after the fact addition to the HTTP standard to allow for lots of
websites on one IP address. A few years ago TLS was extended to allow for
the same thing to happen w.r.t. HTTPS web sites. To allow this this on
other internet protocols will require that both the clients and server both
be upgraded to pass the hostname as a parameter (worse, not all protocols
were designed to allow for this to be done in a backwards compatible
fashion), which is now much more of a issue with a billion users than it
was in the mid 90's with only a few million users.

I'd love it if there was simple solution, but I don't see one that would
compatible with today's internet. Much of the original design of the
internet was for a 1 to 1 mapping of IP addresses, rather than a 1 to many
mapping (which is why there is usually a lack of a disambiguation field in
the protocol).


Walter




On Fri, Mar 28, 2014 at 7:54 AM, greg whynott greg.whyn...@gmail.comwrote:

 thanks for all the suggestions folks!   While very nitchy and sure not to
 be a wildly popular function,  it would be nice to see,
 policy-routing/nating based on matching an ACL which can make decisions
 based on data from the higher layers.

 his set up is one comprised solely of virtual hosts and networks
 (excluding the router/firewall which run on its own hardware) under an ESX
 environment.  They have about 12 customers and each has VMs and their own
 L2 network and hosts.

 For now it looks as if the jump host will be the best go.   Have one set
 up where all the clients connect to and based upon who they log in as, will
 determined what they see/have access to.

 The VPN idea is a good one but they would rather not add more gears to the
 machine which may generate support issues.


 thanks again and have a great weekend,
 greg




 On Thu, Mar 27, 2014 at 6:37 PM, Jonathan Bainbridge jbainbri...@avmi.org
  wrote:

 Remote Desktop Gateway, built into Windows 2008 and 2012. Put it behind
 the pfSense, port forward the rdp port to the RDG. It authenticates the
 user and the user can connect to any internal machine.
 In the Remote Desktop Connection you can enter the information for the
 RDG. Protect using an SSL on the RDG.
 Bonus, you can also setup Remote Desktop Web Services so you can have
 programs on Terminal Services available... Note, that part DOES require IE.
 On Mar 27, 2014 2:37 PM, greg whynott greg.whyn...@gmail.com wrote:

 Hello,

 I'm not very familiar with TMG from Microsoft but a client I am helping
 migrate to pfsense from TMG has asked me if they'll be able to use the RDP
 port forward in the same way as TMG handles it.


 Apparently there is a function within TMG which acts similar to named
 based virtual web hosts,  where it parses the DNS name from the request and
 makes a forwarding decision based on that bit of information.

 For example,  the firewall only has 1 public IP facing the internet.

 if you RDP to: you'll land on the internal server:

 host1.foo.com  10.101.1.2
 host2.foo.com  10.101.3.4
 host3.foo.com  10.101.1.8


 host1,2 and 3 all resolve to the same public IP.  And we are not
 specifying ports.

 That is the behaviour he is hoping to achieve,  where he can RDP to
 various internal machines without referencing ports.


 Sound do-able?If pfsense can not do this,  are you aware of anything
 out there that can aside from TMG?

 -g







 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Sending logs to external server

[Walter Parker]

From the status menu, select System Logs
From the system logs page, click on Settings
Scroll down to Remote logging Options

Enable Remote logging
For the remote Syslog Servers, enter the address of your syslog server (any
Linux or FreeBSD server running a copy of syslog that will take outside
logging).
It will send all of the system logs to the syslog host.

Note, squid is an application/package and its log files will not be
included. Either the squid config will have to be changed, or you could try
using rsync to copy the logs.


Walter



On Mon, Mar 24, 2014 at 12:13 PM, A Mohan Rao mohanra...@gmail.com wrote:

 Please guide me how u do this on pfsense firewall

 . We've already managed to block one user who lives in close proximity for
 stealing internet (500MB of Youtube videos in less than 3 hours during a
 very busy time of day*)

 Thnx
 Mohan
 On Mar 25, 2014 12:14 AM, Ryan Coleman ryanjc...@me.com wrote:

 Now that I have the network stable (thank you so much!) I have another
 task I need/want to accomplish:

 Does anyone have recommendations or suggestions for off-loading log files
 at the end of the day to another server? Specifically I'm wanting the
 system log and the squid logs sent out and rotated afterwards. We've
 already managed to block one user who lives in close proximity for stealing
 internet (500MB of Youtube videos in less than 3 hours during a very busy
 time of day*) but I would like to set up something that crawls through the
 raw files automatically every night and report back via email.

 I can write the script to crawl the data - that's not a problem - it's
 just that the ALIX board is not powerful enough to handle the needs I have.

 Thanks again,
 Ryan

 * I still have a few stages to hit on the deployment but that user will
 eventually be unblocked. We had to rollback the throttling configuration
 while we were having stability issues. Right now we're at 60 hours and
 counting and I plan to re-implement that limiter tomorrow morning.

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] WAN not accepting traffic

[Walter Parker]

By default, PFSense blocks WAN to LAN traffic. If you want WAN to LAN
traffic, you will need to allow it (add rules on both the WAN and LAN
sides). But you might want to notice something else. If PFSense is
operating as a straight up router where you don't want NATing of the LAN
packets, then you will need to disable NAT. By default, it is auto-enabled
for the LAN side. This is what often prevents the LAN side from being
seen by the WAN side. If you don't want any firewall style rules, just
routing, you can turn off all the firewall rules from one of the advanced
options.

You need to decide how you want to use PFSense inside the network. I'd make
sure that there is only one NAT router on the network, use the router that
has the actual real-world IP connection. Don't NAT on the other routers
and live will be much easier.


Walter


On Tue, Jan 14, 2014 at 9:40 AM, Brian Caouette bri...@dlois.com wrote:

 Confirmed but as I said its the WAN blocking external traffic from what I
 see.

 Brian


 On 1/14/2014 12:04 PM, Robert Pickett wrote:

 I would start off by checking the firewall section of pfSense to make
 sure that the LAN has a default allow statement. It should say something
 like LAN - any or something like that.

 -Robert

 On 1/14/2014 8:53 AM, Brian Caouette wrote:

  I've downloaded Pfsense Live 2.1 and installed it on an old machine
 with two nics. The pf machine can ping internally and externally with no
 issues. I was able to jump to shell and telnet out to a bbs I'm part of.
 Now on the LAN nothing works except the pf web management screen. I have
 looked at the logs and it shows all blocked packets for incoming on the
 WAN. I went a step further and create a rule to all all traffic on the WAN
 to no avail. My network is as follows:

 Cable Modem - Linksys AP - PF.

 Yes I know its a little backwards but it should still work as I also
 have another ap feeding off the Linksys for a different zone in our house
 with no issues.

 Any idea why the PF lan does not work? Yes I did disable the option to
 disable private addresses since pf is behind another router with a private
 ip.
 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] WAN not accepting traffic

[Walter Parker]

From the PFSense UI, select Firewall-NAT. Then click on the Outbound tab.
Then select the Manual Outbound NAT rule generation radio button (this
turns off Automatic outbound NAT rule generation). Then delete/deactive the
mapping that has your LAN network as a source. This is what is messing up
your routing of packets from the linksys to the LAN side of the PFSense
router. The option you turned off stops spoofing attacks on a router and
turning it off is required when routing private networks, but does do the
whole job (you also need to disable NATing to complete the job).




Walter



On Tue, Jan 14, 2014 at 10:01 AM, Brian Caouette bri...@dlois.com wrote:

  The pf wan port is plugged into my Linksys ap so it is already behind
 nat hence the reason I unchecked the option under the interface tab to
 block reserved ips. I see no reason to use nat again. I'm open to
 recommendations as to the easiest solution. Pretty sure I did create a rule
 to allow all traffic on both lan and wan. I will confirm as soon as I have
 access to the machine again. I do see sever options for nat. I think I did
 uncheck the option to disable it but nothing changed. If you can give me a
 step by step what to check / uncheck, etc... To recap my setup is:

 Cable Modem (public ip with a 192.168.100.1 management port - Linksys AP
 dhcp to modem 192.168.100.1 lan ip with all connected pc's in this range
 including - PF 192.168.100.20 and pf lan of 192.168.1.1 of which is dhcp
 assigns my laptop .101 when plugged in.

 Brian


 On 1/14/2014 12:50 PM, Walter Parker wrote:

 By default, PFSense blocks WAN to LAN traffic. If you want WAN to LAN
 traffic, you will need to allow it (add rules on both the WAN and LAN
 sides). But you might want to notice something else. If PFSense is
 operating as a straight up router where you don't want NATing of the LAN
 packets, then you will need to disable NAT. By default, it is auto-enabled
 for the LAN side. This is what often prevents the LAN side from being
 seen by the WAN side. If you don't want any firewall style rules, just
 routing, you can turn off all the firewall rules from one of the advanced
 options.

  You need to decide how you want to use PFSense inside the network. I'd
 make sure that there is only one NAT router on the network, use the router
 that has the actual real-world IP connection. Don't NAT on the other
 routers and live will be much easier.


  Walter


 On Tue, Jan 14, 2014 at 9:40 AM, Brian Caouette bri...@dlois.com wrote:

 Confirmed but as I said its the WAN blocking external traffic from what I
 see.

 Brian


 On 1/14/2014 12:04 PM, Robert Pickett wrote:

 I would start off by checking the firewall section of pfSense to make
 sure that the LAN has a default allow statement. It should say something
 like LAN - any or something like that.

 -Robert

 On 1/14/2014 8:53 AM, Brian Caouette wrote:

  I've downloaded Pfsense Live 2.1 and installed it on an old machine
 with two nics. The pf machine can ping internally and externally with no
 issues. I was able to jump to shell and telnet out to a bbs I'm part of.
 Now on the LAN nothing works except the pf web management screen. I have
 looked at the logs and it shows all blocked packets for incoming on the
 WAN. I went a step further and create a rule to all all traffic on the WAN
 to no avail. My network is as follows:

 Cable Modem - Linksys AP - PF.

 Yes I know its a little backwards but it should still work as I also
 have another ap feeding off the Linksys for a different zone in our house
 with no issues.

 Any idea why the PF lan does not work? Yes I did disable the option to
 disable private addresses since pf is behind another router with a private
 ip.
 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




  --
 The greatest dangers to liberty lurk in insidious encroachment by men of
 zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


 ___
 List mailing 
 listList@lists.pfsense.orghttp://lists.pfsense.org/mailman/listinfo/list



 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] WAN not accepting traffic

[Walter Parker]

You might check the DNS settings on the PFSense router itself to make sure
that it has valid IP addresses for DNS servers. Also check on the override
flags (and maybe add a rule for 53 DNS traffic).


Walter


On Tue, Jan 14, 2014 at 4:47 PM, Brian Caouette bri...@dlois.com wrote:

  I think we've made progress. Things in management that didn't work are
 now working. Before it was not able to do a ping or tracert and now they
 do. I think the issue is dns related now because Windows 8 laptop reports a
 dns error. Also the dns lookup in management doesn't give me any results.
 So for whatever reason its not being passed to the lan.


 On 1/14/2014 1:13 PM, Walter Parker wrote:

 From the PFSense UI, select Firewall-NAT. Then click on the Outbound tab.
 Then select the Manual Outbound NAT rule generation radio button (this
 turns off Automatic outbound NAT rule generation). Then delete/deactive the
 mapping that has your LAN network as a source. This is what is messing up
 your routing of packets from the linksys to the LAN side of the PFSense
 router. The option you turned off stops spoofing attacks on a router and
 turning it off is required when routing private networks, but does do the
 whole job (you also need to disable NATing to complete the job).




  Walter



 On Tue, Jan 14, 2014 at 10:01 AM, Brian Caouette bri...@dlois.com wrote:

  The pf wan port is plugged into my Linksys ap so it is already behind
 nat hence the reason I unchecked the option under the interface tab to
 block reserved ips. I see no reason to use nat again. I'm open to
 recommendations as to the easiest solution. Pretty sure I did create a rule
 to allow all traffic on both lan and wan. I will confirm as soon as I have
 access to the machine again. I do see sever options for nat. I think I did
 uncheck the option to disable it but nothing changed. If you can give me a
 step by step what to check / uncheck, etc... To recap my setup is:

 Cable Modem (public ip with a 192.168.100.1 management port - Linksys AP
 dhcp to modem 192.168.100.1 lan ip with all connected pc's in this range
 including - PF 192.168.100.20 and pf lan of 192.168.1.1 of which is dhcp
 assigns my laptop .101 when plugged in.

 Brian


 On 1/14/2014 12:50 PM, Walter Parker wrote:

 By default, PFSense blocks WAN to LAN traffic. If you want WAN to LAN
 traffic, you will need to allow it (add rules on both the WAN and LAN
 sides). But you might want to notice something else. If PFSense is
 operating as a straight up router where you don't want NATing of the LAN
 packets, then you will need to disable NAT. By default, it is auto-enabled
 for the LAN side. This is what often prevents the LAN side from being
 seen by the WAN side. If you don't want any firewall style rules, just
 routing, you can turn off all the firewall rules from one of the advanced
 options.

  You need to decide how you want to use PFSense inside the network. I'd
 make sure that there is only one NAT router on the network, use the router
 that has the actual real-world IP connection. Don't NAT on the other
 routers and live will be much easier.


  Walter


 On Tue, Jan 14, 2014 at 9:40 AM, Brian Caouette bri...@dlois.com wrote:

 Confirmed but as I said its the WAN blocking external traffic from what
 I see.

 Brian


 On 1/14/2014 12:04 PM, Robert Pickett wrote:

 I would start off by checking the firewall section of pfSense to make
 sure that the LAN has a default allow statement. It should say something
 like LAN - any or something like that.

 -Robert

 On 1/14/2014 8:53 AM, Brian Caouette wrote:

  I've downloaded Pfsense Live 2.1 and installed it on an old machine
 with two nics. The pf machine can ping internally and externally with no
 issues. I was able to jump to shell and telnet out to a bbs I'm part of.
 Now on the LAN nothing works except the pf web management screen. I have
 looked at the logs and it shows all blocked packets for incoming on the
 WAN. I went a step further and create a rule to all all traffic on the WAN
 to no avail. My network is as follows:

 Cable Modem - Linksys AP - PF.

 Yes I know its a little backwards but it should still work as I also
 have another ap feeding off the Linksys for a different zone in our house
 with no issues.

 Any idea why the PF lan does not work? Yes I did disable the option to
 disable private addresses since pf is behind another router with a private
 ip.
 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list


 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




  --
 The greatest dangers to liberty lurk in insidious encroachment by men of
 zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] is it possible to rename gateways in 2.1 release AMD64?

[Walter Parker]

Once you create a gateway, you can not rename it from the GUI. I had to
delete and re-create my gateway in order to rename it.


On Tue, Jan 7, 2014 at 12:02 PM, Matthias May matth...@may.nu wrote:

 Am 07.01.2014 20:52, schrieb Joe Landman:

  Hi folks:

   I am trying to match a spec we've been given as precisely as possible.
  I can't rename the gateways from the web interface.  Is it possible to
 rename them from hand editing the config.xml file? or some other method?

   Thanks!

 Joe

  Not sure i follow.
 What is not working with:
 Click on the System -- Routing -- Gateways on the e button next to
 the gateway you want to change the name of.
 Set the name you want in the Name field.

 Regards
 Matthias May

 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] MultiWAN with SSH

[Walter Parker]

Hi,

I have a pfSense box with multiple WAN connections (on on TW and one on
Comcast)
I appear to got MultiWAN working for outbound traffic, in that:
I can ping/traceroute from either interface and the traffic routes out and
comes back.

But inbound traffic only appears to work if it comes into the TW interface
and not the Comcast interface.
I have a rule on the TW interface that allows all traffic
I have a rule on the Comcast interface the allows all traffic , with the
destination of Comcast net and the the Gateway set to COMCASTGW.

I can ping the Comcast interface address.
But any attempts to connect to Comcast interface address fail.
However I did see a few log file entries of the form

IF  Source   DestProto
COMCAST ExternalIP  ComcastIP:13  TCP:S

Where ExternalIP is a outside host running SSH, ComcastIP is the IP of the
Comcast Interface (and 13 is where SSHD is bound to). I got no response
back to the client.

I then tried telnet ComcastIP 111 and got the same result.

What do I need to do to get the firewall to use the COMCASTGW for responses
to packets sent to the COMCAST interface?


Walter


-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] Multiple routing tables

[Walter Parker]

I've been asked if pfSense has multiple routing tables. Specifically, there
is kernel option in FreeBSD:

  options ROUTETABLES=2

Which enables you to setup a second routing table for a second interface.

Does pfSense use multiple ROUTETABLES? If not, why not and does the
existing policy based routing support the same features (the ability to
pick which routing table/interface is used for sending outbound traffic).


Walter


-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] Multi-WAN network access

[Walter Parker]

Hi,

I've got a pfSense router with a WAN connection that has 4 interfaces:

WAN - A 200 mbs connection. This is on a /20 subnet and the other side is
the default route.
LAN - This is a static routed /24 network from the company providing the
200 mbs WAN connection
COMCAST - This is a static routed /28 network from Comcast.

I set the WAN interface with a route back to Provider A, and the COMCAST
interface with a route back to the Comcast gateway address. I created two
gateway groups, one that the WAN network as Tier1 and COMCAST as Tier2, and
another that COMCAST as Tier2 and the WAN network as Tier2. The
instructions on the wiki say firewall rules must be add changed to use
these groups rather than the system routing. I tried changed the allow all
route to use the gateway group (rather than the default of *), but this
didn't seem to route packets out the COMCAST link when the WAN link was
down.

I did a little bit of testing: I used the ping test and was able to ping
the outside world when using WAN as the interface, but when I changed the
interface to COMCAST, I could only ping the Comcast gateway (as if the
packets would not route). From an external host, I was able to do an ICMP
ping to the COMCAST interface, but was not able to do a UDP ping or make a
TCP connection.

Questions:

I think I missed a step in the whole add a firewall rule for the gateway
group process, which seem more like a solution left as exercise for the
reader, what do I need to do to get gateway groups working on the firewall?

When using ping, when I pick the interface, does it work like a Cisco,
where the source IP is the interface address and the next hop router would
be interface's router, in this case the Comcast gateway?

When I have squid running a bound to the LAN interface, I'd like the system
use which ever WAN/COMCAST interface is currently up and working. I want
that to be the WAN interface unless it is down.

When the WAN interface is down, I'd like to be able to ssh/https to the
COMCAST interface address to see what is gong wrong. Can I set up the
system to work like this?


Thank you for any ideas as to what I might has done wrong,


Walter






-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] Interface stops working

[Walter Parker]

I have a pfSense 2.0.3 box with 5 interfaces, two of which are on
motherboard ethernet controllers using the NVIDIA nForce4 CK804 MCP9
Networking Adapter chipset.

These two connections connect to the upstream IP (WAN) and to the old IP
space for the local network (LAN).

I've been seeing the the connection between the upstream ISP and the WAN go
down (can reach it from the outside world, can't reach the outside world
from it). When this happens, I can get to box by connecting to a box on the
LAN network and then making a local connection to the LAN interface. If
ifconfig down the WAN interface and then ifconfig up the WAN interface from
the CLI, it comes back and works just find.

The first time this happened, a Google search suggested that I was running
out of mbufs (because the error message said no buffers). So I increased
the number of buffers to 128K.  The page that I ready said that problem
with the mbuf could be do to bad wiring causing excessive packet loss on
the interface

This time, I did not get a no buffers error message and according to
netstat -m, there where plenty of mbufs.

Any ideas as to why traffic stops on my WAN interface until it is reset? Is
cabling still a got idea or is it likely to be something else?

The system in question is a two proc system with dual core Opteron 280
running on a Supermicro Server Class Motherboard with 4GB of ECC RAM.

Walter
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] naive suggestion: conform to US laws

[Walter Parker]

As I see it, there are are two things that can happen here

1) NSA breaks into pfSense without knowledge of the staff = The only
solution is source code and binary review. This is not an option for people
like Thinker Rix or other non coders. The mostly spot for this to happen is
upstream from the project (in FreeBSD itself, in the libraries that FreeBSD
uses). This will require resources outside of the pfSense project to
validate.

2) NSA forces pfSense to put a backdoor in the software. Tells pfSense to
be quite about it.

The results of 2) are that either pfSense stays quite or they tell.
i) If they stay quite, then the only solution is the same answer as for 1),
independent evaluation.
ii) If they tell, then the project is over as they will be busy fighting
the government. They can be arrested for telling. Depending on the Judge,
any said or done that tips off someone that the project has a NSL, can be
taken as a violation.

What do you expect from the project? That they promise that they have not
been subverted and further promise to tell you when/if there are subverted,
regardless of the personal and financial costs to them?

This is a free project...  What is reasonable to expect from any project
like this?

Once we question trust in the project, the only reasonable course of action
is independent evaluation. Guess what, that is what the Government does
when it evaluates software. In fact, that is one of the NSA's other jobs.
This does, however, make software much more expensive. How to we get a
trusted evaluation of the software?



On Fri, Oct 11, 2013 at 10:46 AM, Thinker Rix thinke...@rocketmail.comwrote:

 On 2013-10-11 12:57, Adrian Zaugg wrote:

 After having read the whole NSA thread on this list, it came up to my
 mind that pfsense web GUI could declare itself conform to US laws upon
 the point when there are known backdoors included or otherwise the code
 was compromised on pressure of govermental authorities. It would be the
 sign for the users to review the code and maybe to fork an earlier
 version and host it in a free country, where the protection of personal
 data is a common sense and national security is not so much an issue.


 I think that your idea is worth further consideration.

 As I just answered to other postings of this thread, by my comprehension
 infiltrating firewall software such as pfSense should be highly interesting
 for NSA, etc. because they would get a grip onto your internal and VPN
 traffic.
 So it should be only a matter of time, that they knock the door at ESF and
 force them to do things they don't like. We all - as a community - should
 think and act pro-actively to that and take appropriate measures to protect
 pfSense, ESF and the key people such as Chris Buechler and his partners
 from this realistic thread in time.

 Best regards
 Thinker Rix

 __**_
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/**mailman/listinfo/listhttp://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] naive suggestion: conform to US laws

[Walter Parker]

Who would you trust more that ESF? Why,specifically, would you trust
another group of people to be more trustworthy? I admit to have a USA bias,
but for the issue in question, I don't there being a much better choice.
The UK has less freedoms in this matter. But then this is turning into a
case of I'm worried about things, here lets have you [The project] spend
time and money to fix the problem?

Unless, of course, you are willing to contribute time and money to fixing
this issue. Otherwise this just an armchair general telling other people
how to run the project.







On Fri, Oct 11, 2013 at 10:41 AM, Thinker Rix thinke...@rocketmail.comwrote:

  On 2013-10-11 16:20, Yehuda Katz wrote:

 Probably would not work (or would get whoever did that thrown in jail).
 This is similar to a Warrant Canary, but the USDoJ has indicated that
 Warrant Canaries would probably be grounds for prosecution of violation of
 the non-disclosure order.

  - Y

 On Friday, October 11, 2013, Adrian Zaugg wrote:


 Dear all

 After having read the whole NSA thread on this list, it came up to my
 mind that pfsense web GUI could declare itself conform to US laws upon
 the point when there are known backdoors included or otherwise the code
 was compromised on pressure of govermental authorities. It would be the
 sign for the users to review the code and maybe to fork an earlier
 version and host it in a free country, where the protection of personal
 data is a common sense and national security is not so much an issue.

 Regards, Adrian.



 Hi Yehuda,

 inspired by the keyword you dropped, I researched a little bit and found:
 https://en.wikipedia.org/wiki/Warrant_canary
 It seems that you are correct: What Adrian suggests, is called a Warrant
 canary.
 In the wikipedia article it says that: The intention is to allow the
 provider to inform customers of the existence of a subpoena passively,
 without violating any laws. The legality of this method has not been tested
 in any court. Is that wrong or in conflict with what you wrote?

 In the case that it would indeed be prosecuted in the USA, we could
 consider to host the project in another country.
 In this case it would be interesting to investigate what needs to be
 hosted elsewhere: The source code versioning control system? The company
 behind pfSense (ESF)?

 I guess that the best solution would be to incorporate pfSense itself and
 untie it from ESF. Many other free software projects have done so recently.
 The most prominent example is Libre Office which is now owned by the
 Document Foundation (https://en.wikipedia.org/wiki/Document_Foundation).
 The owned refers to e.g. the brand name, since the software itself is
 free software, it is not owned by anybody.

 So summarizing:
 If pfSense would be incorporated as a foundation at some place (many
 countries would be possible) outside the USA, it could be a solution to
 this I guess.

 Regards
 Thinker Rix

 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] naive suggestion: conform to US laws

[Walter Parker]

Yes, you have been informed correctly. There are more than 2. According the
World Atlas (http://www.worldatlas.com/nations.htm#.UlhOHVFDsnY) the number
is someone between 189 and 196.

But you did not answer the question asked: Name the country that you would
move the project to and why you believe that country would do a better job?

Then because the USA can't be trusted, who is going to replace the
Americans on the project? The name and logo are owned by an American
company. I doubt they want to give them up to a foreign company owned by
non-Americans just to make it harder for the American government to
pressure the project. If the rest of world wants to fork the project
because of concerns about the US government, fine, but I don't think you
will get buy in from ESF [the American company that owns the rights to the
name pfSense].

Once again, name some names. Who do you consider more trustworthy? Follow
the link, which of the 188-195 countries on that list do you propose to
trust more and why? I'd suggest you pick once that is not already in bed
with the NSA (which includes most of major western governments, plus some
of the Middle East and Far East governments). But that is me, maybe you
prefer to decide to move first and then figure out where you are going
after you have left (rather than planning where you are going before you
leave).



Walter


On Fri, Oct 11, 2013 at 12:11 PM, Thinker Rix thinke...@rocketmail.comwrote:

 On 2013-10-11 21:20, Walter Parker wrote:

 Who would you trust more that ESF? Why,specifically, would you trust
 another group of people to be more trustworthy?


 The point is not untrusting ESF or anybody else. The point is that ESF is
 based in the USA, a country where the current government can force you to
 do things against your community without having any chance to escape from
 it; they just force you to do so.
 So the point of the whole idea that we evaluate here is: How can we secure
 pfSense from this nasty government so that they can not just force ESF or
 anybody else to comply with them.


  I admit to have a USA bias, but for the issue in question, I don't there
 being a much better choice. The UK has less freedoms in this matter.


 As far as I am informed there are some more countries on the globe than
 the USA and the UK...


  But then this is turning into a case of I'm worried about things, here
 lets have you [The project] spend time and money to fix the problem?

 Unless, of course, you are willing to contribute time and money to fixing
 this issue. Otherwise this just an armchair general telling other people
 how to run the project.


 Seems like a killer argument to me, which is kind of couterproductive in
 such an early stage of an idea/proposition, as this is.

 __**_
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/**mailman/listinfo/listhttp://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] naive suggestion: conform to US laws

[Walter Parker]

Don't be too sure about Switzerland...
https://www.schneier.com/blog/archives/2008/01/nsa_backdoors_i.html

Which talks about a story that was in the German papers in the late 90's..

For half a century, Crypto AG, a Swiss company located in Zug, has sold to
more than 100 countries the encryption machines their officials rely upon
to exchange their most sensitive economic, diplomatic and military
messages. Crypto AG was founded in 1952 by the legendary (Russian born)
Swedish cryptographer Boris Hagelin. During World War II, Hagelin sold
140,000 of his machine to the US Army.

In the meantime, the Crypto AG has built up long standing cooperative
relations with customers in 130 countries, states a prospectus of the
company. The home page of the company Web site says, Crypto AG is the
preferred top-security partner for civilian and military authorities
worldwide. Security is our business and will always remain our business.

And for all those years, US eavesdroppers could read these messages without
the least difficulty. A decade after the end of WWII, the NSA, also known
as No Such Agency, had rigged the Crypto AG machines in various ways
according to the targeted countries. It is probably no exaggeration to
state that this 20th century version of the Trojan horse is quite likely
the greatest sting in modern history.



On Fri, Oct 11, 2013 at 12:49 PM, Adrian Zaugg a...@ente.limmat.ch wrote:



 On 10/11/13 8:20 PM, Walter Parker wrote:
  Unless, of course, you are willing to contribute time and money to
  fixing this issue. Otherwise this just an armchair general telling other
  people how to run the project.
 I don't think it is a problem to find a sponsered hosting here in
 Switzerland for example. Our law protects citizens from govermental
 despotism quite well. National security is not an issue here.

 But this is not the question. The question is wether software projects
 hosted in the US are still trustworthy because of the legal situation
 there. If the pfsense community has the opinion, that it is too risky,
 then it is time to start acting. Once this point is reached, me and
 others would certainly try to contribute. Most of the people here are
 network specialists and do have their connections to hosting
 possibilities, I think.

 Regards, Adrian.
 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Alix Update 2.0.3 to 2.1 fails with 11 interfaces (/var full)

[Walter Parker]

So, if I have an ALIX that I would like to upgrade, how much would I have
to increase /tmp and /var by to have the upgrade run to completion without
filling the partitions?


Walter


On Fri, Oct 11, 2013 at 2:25 PM, Jim Pingle li...@pingle.org wrote:

 On 10/11/2013 4:58 PM, Jens Kühnel wrote:
  I'm not a FreeBSD expert, but /dev/md's are MemDiscs right?
  Is there a reason why only 60MB (/var) and 40MB(/tmp/) are used?
  and are where are possibilities to change that? It's not in the fstab!

 They are that small because ALIX is the usual NanoBSD target and it only
 has 256MB of RAM so it's a safe low default. NanoBSD wasn't originally
 intended to run on device with gobs of RAM, but times are a-changin' and
 before long all of the viable new hardware will have 1GB of RAM.

 On 2.1 you can adjust the /var and /tmp sizes under System  Advanced on
 the Miscellaneous tab.

 It might be possible to auto-scale the sizes with a bit of extra logic
 in rc.embedded if someone wants to take a crack at it.

 Jim
 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

[Walter Parker]

The big problem with asking the question Has the NSA required you to add a
back door? is that no small company that wants to say in business can or
will say yes (If they do, no one will trust/use the product unless forced
themselves). The company will agree/be forced to say no. How does one tell
that no from an authentic no?

Therefore, once trust is question, the only way to be sure is to do the
self review suggested earlier...

However, from my perspective, the code in pfSense is more like to be secure
than any commercial, closed source solution. See prior threads about
FreeBSD security.


Walter


On Wed, Oct 9, 2013 at 9:10 AM, Thinker Rix thinke...@rocketmail.comwrote:

 On 2013-10-09 19:03, Jim Thompson wrote:

 (TIC mode: on)

 Sorry, but I guess the whole matter - not only concerning pfSense, but the
 current threat to our civilization by our criminal governments as a whole -
 is much too serious for any TIC-modes..

 __**_
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/**mailman/listinfo/listhttp://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

[Walter Parker]

About that made in the USA thing, the NSA has deals with overseas companies
as well...

Plus, the GCHQ and several other foreign spy agency's have done similar
things, so if you starting asking, you discover that the major governments
are trying to do this and have succeed more often than we would like.

Also, the whole We have to ask to ask the question to get the denial on
record only matters for the government or people with lots of money. The
Government can sue you/arrest you for a lie, but do you have enough money
to pay for lawsuits against a company? Most lawyers want money upfront
unless you have clear suit against a company with lots of money.

 When was the last (or even first time) that a company was sued and lost to
a private party for something like this, outside of class action lawsuits?


Walter


On Wed, Oct 9, 2013 at 9:51 AM, Eugen Leitl eu...@leitl.org wrote:

 On Wed, Oct 09, 2013 at 11:42:31AM -0500, Adam Thompson wrote:

  Argh.  Anyone who answered Yes to your question (correctly, mind you)
 would immediately be committing a federal crime.

 All assuming the company in question resides in the US, or has
 significant presence in the US. There is, of course, considerable
 strong-arming and informal co-operation going on behind the
 scenes, so geography is not exactly a good protection.

 I've personally given up on any commercial software, and
 moved to purely community-built tools, and will take considerable
 protection now that we know that Ft. Meade is in the business
 of hacking end users and companies.

  Considering the consequences, no-one in their right mind would ever
 confirm that they had been approached or received a NSL.
  Which makes asking the question quite irrelevant.

 The question is useful, since it produced this thread.
 As I suggested, if you're not trusting pfSense, you can
 always manually verify the rules generated by it, and
 load it into a pf-speaking device you consider trustable.
 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

[Walter Parker]

To answer your question about throwing the first stone. Your question reads
a bit like the Are you a criminal/commie? questions. Many people would
object to the question at the start because it implies that the people
being asked the question has done something wrong. Watching the reactions
to political debates shows that asking the question can be enough to get a
sizable amount of the audience to think the answer is yes, even when no
proof is ever given that something happened.

Then when the question was deleted, you demanded that pfSense take a stand
on it.

Let me show you what it looks like from the other side:

Have you planned to overthrow the government? When will you show that you
are not plotting to kill your fellow country men?

It is a simple question, when will we here something from you? I just ask
because I want to be sure that you are not trying to kill me.


For the tool in question, pfSense, once you start questioning it, there is
no way to get the bottom without eithering trusting the pfSense people
(which means that the question is pointless because if you trust them,
asking them if they have violated your trust means that you don't trust
them) or getting an external validation (trusting another group of people
or doing the work yourself).

FYI, there is a long history on the Internet of people asking simple
innocent  question, not to get actually answers, but to cause trouble by
causing the effect described at the beginning of my email (these are called
trolls).



Walter



On Wed, Oct 9, 2013 at 11:31 AM, Thinker Rix thinke...@rocketmail.comwrote:

 On 2013-10-09 20:22, Jim Thompson wrote:

 On Oct 9, 2013, at 7:13 PM, Thinker Rix thinke...@rocketmail.com wrote:

  Hello Jim!

 On 2013-10-09 19:50, Jim Thompson wrote:

 IMO, this bullshit thread only serves to assist those asking the
 question in stroking their own ego.

 This is already the second time that you insult me indirectly.

 It’s amusing that you don’t understand that you threw the first stone
 here.


 This is correct. I do not understand where I am supposed to have thrown
 any stones or insult anybody, indeed. If you would like to show me, I would
 really be thankful.


  May I ask again if you are an staff member of Electric Sheep Fencing LLC?

 Staff members get paid.

 I’m a co-owner, and have never taken a dime from ESF (or BSDP).

 jim


 Thank you for the info.

 Regards
 Thinker Rix

 __**_
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/**mailman/listinfo/listhttp://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

[Walter Parker]

But, your initial question was not What level of security and integrity is
provided by pfSense? or How do judge the safety and security of pfSense?

Your question was Has pfSense been compromised by Big Brother?

In the context of your Bank  question it reads more like Have you been
robbed yet? or Are you working with crooks? and not How safe is my
money?
For Microsoft it reads How broken is Word, not How good is Word? Or
closer to the question Are you in bed with the NSA, not How safe are are
Word documents from others?

Most people are happy to engage in questions of the form Tell about what
your product does to solve/fix the problem? and consider questions of the
form Have you sold out to the NSA? or How broken is your product? to be
insulting.

I ask you How broken are you? It is a simple question, what is your
response? Do you feel at all insulted by that question.

You seem to be missing the idea that the context of the question matters.
Do some research on the parse Have you stopped beating your wife yet? and
tell me if you would be upset if someone asked you that question.



Walter





On Wed, Oct 9, 2013 at 1:26 PM, Thinker Rix thinke...@rocketmail.comwrote:

 Hi Walter,


 On 2013-10-09 21:53, Walter Parker wrote:

 To answer your question about throwing the first stone. Your question
 reads a bit like the Are you a criminal/commie? questions. Many people
 would object to the question at the start because it implies that the
 people being asked the question has done something wrong. Watching the
 reactions to political debates shows that asking the question can be enough
 to get a sizable amount of the audience to think the answer is yes, even
 when no proof is ever given that something happened.


 Interesting what all kinds of different things you do interpret into my
 question.
 By my comprehension I just asked simple but important question and did
 this quite straight-forwardly.



 Then when the question was deleted, you demanded that pfSense take a
 stand on it.


 Yes. Censorship always raises questions.


  Let me show you what it looks like from the other side:

 Have you planned to overthrow the government? When will you show that you
 are not plotting to kill your fellow country men?
 It is a simple question, when will we here something from you? I just ask
 because I want to be sure that you are not trying to kill me.


 Well, your example neglects one important aspect: pfSense is a kind of
 security software project. Asking it about it's level of security and
 integrity is a question that such a project must stand, IMHO. It is like
 asking a bank how safe my money is. Or asking Microsoft how good Word is
 for writing letters; while asking me about if I plan to overthrow some
 government or kill other people refers to nothing.


  For the tool in question, pfSense, once you start questioning it, there
 is no way to get the bottom without eithering trusting the pfSense people
 (which means that the question is pointless because if you trust them,
 asking them if they have violated your trust means that you don't trust
 them) or getting an external validation (trusting another group of people
 or doing the work yourself).


 I guess for anybody related to computer security it is a must to question
 anything anytime and take nothing for granted. You should question
 everything any time and any player in this domain should accept any
 questions any time, IMHO.


  FYI, there is a long history on the Internet of people asking simple
 innocent  question, not to get actually answers, but to cause trouble by
 causing the effect described at the beginning of my email (these are called
 trolls).


 What trouble do you refer to? I only read some aggressive/ snappy answers
 which - frankly - I find pretty awkward reactions to my simple question.


 Regards
 Thinker Rix
 __**_
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/**mailman/listinfo/listhttp://lists.pfsense.org/mailman/listinfo/list




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches

[Walter Parker]

I'd suggest installing pfSense at a home location for benefits that pfSense
provides. The ability for you to see what is going on on your network is
much greater than with any of the consumer routers.

If you get a little Netgate SBC, you can have a ofSense router with the
same size and power specs. as a Netgear, Linksys, Buffalo, etc HW router.
Also, there is a chance that your pfSense will be more secure as it is a
active project that takes security seriously. I've seen too many problems
with cheapo HW routers to trust them...


Walter


On Wed, Sep 4, 2013 at 5:33 PM, Robert Guerra rgue...@privaterra.orgwrote:


 Curious on people's comments on  types of routers, firewalls and other
 appliances that might be affected as well as mitigation strategies. Would
 installing a pfsense and/or other open source firewall be helpful in anyway
 at a home net location?






 --
 R. Guerra
 Phone/Cell: +1 202-905-2081
 Twitter: twitter.com/netfreedom
 Email: rgue...@privaterra.org

 On 2013-09-04, at 4:12 PM, Eugen Leitl wrote:

 
  http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
 
  NSA Laughs at PCs, Prefers Hacking Routers and Switches
 
  BY KIM ZETTER09.04.136:30 AM
 
  Photo: Santiago Cabezas/Flickr
 
  The NSA runs a massive, full-time hacking operation targeting foreign
  systems, the latest leaks from Edward Snowden show. But unlike
 conventional
  cybercriminals, the agency is less interested in hacking PCs and Macs.
  Instead, America’s spooks have their eyes on the internet routers and
  switches that form the basic infrastructure of the net, and are largely
  overlooked as security vulnerabilities.
 
  Under a $652-million program codenamed “Genie,” U.S. intel agencies have
  hacked into foreign computers and networks to monitor communications
 crossing
  them and to establish control over them, according to a secret black
 budget
  document leaked to the Washington Post. U.S. intelligence agencies
 conducted
  231 offensive cyber operations in 2011 to penetrate the computer
 networks of
  targets abroad.
 
  This included not only installing covert “implants” in foreign desktop
  computers but also on routers and firewalls — tens of thousands of
 machines
  every year in all. According to the Post, the government planned to
 expand
  the program to cover millions of additional foreign machines in the
 future
  and preferred hacking routers to individual PCs because it gave agencies
  access to data from entire networks of computers instead of just
 individual
  machines.
 
  Most of the hacks targeted the systems and communications of top
 adversaries
  like China, Russia, Iran and North Korea and included activities around
  nuclear proliferation.
 
  The NSA’s focus on routers highlights an often-overlooked attack vector
 with
  huge advantages for the intruder, says Marc Maiffret, chief technology
  officer at security firm Beyond Trust. Hacking routers is an ideal way
 for an
  intelligence or military agency to maintain a persistent hold on network
  traffic because the systems aren’t updated with new software very often
 or
  patched in the way that Windows and Linux systems are.
 
  “No one updates their routers,” he says. “If you think people are bad
 about
  patching Windows and Linux (which they are) then they are … horrible
 about
  updating their networking gear because it is too critical, and usually
 they
  don’t have redundancy to be able to do it properly.”
 
  He also notes that routers don’t have security software that can help
 detect
  a breach.
 
  “The challenge [with desktop systems] is that while antivirus don’t work
 well
  on your desktop, they at least do something [to detect attacks],” he
 says.
  “But you don’t even have an integrity check for the most part on routers
 and
  other such devices like IP cameras.”
 
  Hijacking routers and switches could allow the NSA to do more than just
  eavesdrop on all the communications crossing that equipment. It would
 also
  let them bring down networks or prevent certain communication, such as
  military orders, from getting through, though the Post story doesn’t
 report
  any such activities. With control of routers, the NSA could re-route
 traffic
  to a different location, or intelligence agencies could alter it for
  disinformation campaigns, such as planting information that would have a
  detrimental political effect or altering orders to re-route troops or
  supplies in a military operation.
 
  According to the budget document, the CIA’s Tailored Access Programs and
  NSA’s software engineers possess “templates” for breaking into common
 brands
  and models of routers, switches and firewalls.
 
  The article doesn’t say it, but this would likely involve pre-written
 scripts
  or backdoor tools and root kits for attacking known but unpatched
  vulnerabilities in these systems, as well as for attacking zero-day
  vulnerabilities that are yet unknown to the vendor and customers.
 
  “[Router software is] just an