Re: [pfSense] 10GBASE-T hardware

2018-03-27 Thread Yehuda Katz
I agree with everything my brother said except recommending the Ubiquiti
EdgeSwitch.
We have seen a few instances of the EdgeSwitch locking up without any
apparent reason (once we traced it to a thermal issue, but we couldn't find
a cause for the others).
The EdgeSwitch also only has a 1 year warranty while the Netgear you
mentioned has a Lifetime Warranty (for whatever that is worth).
At (insert university name here) we were happily standardizing on Brocade
ICX switches until we hit major OSPF firmware bugs. Dell N and S series are
good, but also more expensive than that Netgear.

- Y

On Tue, Mar 27, 2018 at 8:10 PM, Moshe Katz wrote:

> According to the specs that I found on HP's website, your HP switch does
> not support 10Gb, only 1Gb on its mini-GBIC ports. You will definitely need
> a new switch to take advantage of 10Gb.
>
> If you do get a switch that supports 10GBase-T, you should definitely
> consider the Intel X540. The vast majority of reports that I have seen say
> that it works great. (There was one report I found on a forum claiming
> performance issues, but others on the same thread said it worked fine for
> them.)
>
> There are also many dual-port SFP+ cards out there (such as the Intel X520)
> that are not too expensive and support lots of different types of SFP+
> connectors. Although Intel does not make a 10GBase-T SFP+ itself, there are
> third parties that make it. You would use one of those to connect to the
> 10GbE feed into the rack and then a regular fiber SFP (or the option listed
> below) to connect to the switch.
>
> To connect the pfSense to the switch, I would probably use a Direct-Attach
> cable (DAC) instead of fiber or Ethernet. Approved Optics is a company that
> makes many OEM network connectors under contract and they also make their
> own versions of them at significantly reduced prices. Their DAC Finder tool
> lets you order a cable that
> has SFP+ ends for different manufacturers (for example, an Intel end for
> your pfSense and an HP end for your switch). There's no need to worry about
> fiber or CAT7A Ethernet cables; just plug the cable in (taking care to make
> sure it is oriented correctly) and that's it.
>
> Since you have a limited budget, I really recommend going the
> direct-attached route. They are so much cheaper and more resilient than
> fiber, and switches with SFP+ slots are often much cheaper than switches
> with 10GbE. For example, you can get a Ubiquiti EdgeSwitch with 48 Gb ports
> and 2 SFP+ ports for just around $400. These are the switches I have used
> in many of our limited-budget installations in the past (including in a
> University setting like yours seems to be from your email address) and they
> perform well. (Note that Approved Optics does not have official Ubiquiti
> cables, but many on the Ubiquiti forums report that it works with Cisco and
> other brand cables as long as they are 2 meters or shorter. In a single
> rack, that should not be an issue.)
>
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Tue, Mar 27, 2018 at 6:41 PM, Paul Mather wrote:
>
> > A 10GBASE-T port became available to us in our server rack.  The rack
> > currently has a 20-node Hadoop cluster, each node having dual Intel i350
> > 1000BASE-T NICs.  The Hadoop nodes connect to an old HP 2910al-48G 48-port
> > GbE switch that, in turn, connects to an old Dell R310 server running
> > pfSense that serves as the WAN gateway for the cluster.
> >
> > It appears that the choice (not ours) of RJ45 for the 10 GbE provided for
> > us in the rack will necessitate some equipment changes if we are to utilise
> > the 10 GbE connection.  Having done some investigation, I've decided the
> > following changes are likely needed, and I would like to solicit from the
> > list comment regarding any obvious blunders in the plan below:
> >
> > 1) I need a 10 GbE uplink capability from my switch to the pfSense gateway
> > and also 10GBASE-T WAN connectivity from my pfSense gateway to the
> > 10GBASE-T port in the rack.
> >
> > 2) The 10 GbE expansion options for the HP 2910al-48G are limited and I
> > couldn't actually find any 10GBASE-T solutions (IIRC).  If I went for 10
> > GbE SFP+ in the HP 2910al-48G that would mean I would also need 10 GbE SFP+
> > capability in my pfSense gateway---likely meaning I would need two 10 GbE
> > NICs (one SFP+ and one 10GBASE-T), which means...
> >
> > 3) It is probably cheaper (alas, we are on a budget) to buy a new switch
> > to replace the HP 2910al-48G that includes 10GBASE-T uplink capability.
> > That would let me just have a single 10 GbE card for the pfSense gateway.
> > I think the Netgear GS752TX 52-port switch would be a good candidate as it
> > includes two 10GBASE-T ports in addition to the 48 1000BASE-T ports.
> >
> > 4) I am considering a Chelsio NIC for the 10GBASE-T WAN/LAN

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Yehuda Katz
If you are forwarding the ports to other machines, it is those machines
which need an update, not pfSense.
This is the test: get out your ssh client of choice and connect to the port
from outside. If you get something that is not pfSense, then upgrading ssh
on your firewall isn't going to help.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
On Jul 24, 2015 6:20 PM, Ted Byers r.ted.by...@gmail.com wrote:

 This is an external scan.  We forward ports such as 443 and 22 to specific
 Ubuntu machines.  But both sshd and apache have been configured to accept
 only TLS1.2

 Port 443 must be open to support the web server in our DMZ, and we need ssh
 to connect to each machine for administration purposes.  (if there is a
 better way, I do not know what it is or how to do it --I am a programmer
 tasked with setting this up, so network and system administration is new to
 me - I am out of my area of expertise here).

 Thanks

 Ted


 On Fri, Jul 24, 2015 at 5:25 PM, Steve Yates st...@teamits.com wrote:

  Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:
 
   First, the scanner complains that TLS1 is supported and we need to
   restrict it to TLS1.2.
 
   Second, it appears that ssh-server on pfsense is version 6.6
 
  Is this an internal scan or external?  Hopefully those aren't
  exposed externally.  If internal, can access be limited to certain IPs?
 
  This probably isn't the forum to discuss, but the TLS 1.0 one is a
  fun one...that will catch Remote Desktop Services, and Vista and below
  don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't
  have TLS 1.1+ enabled by default.
 
  --
 
  Steve Yates
  ITS, Inc.
 
 
  ___
  pfSense mailing list
  https://lists.pfsense.org/mailman/listinfo/list
  Support the project with Gold! https://pfsense.org/gold
 



 --
 R.E.(Ted) Byers, Ph.D.,Ed.D.
 t...@merchantservicecorp.com
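A way to run the test Yehuda describes at the top of this message, as an
added example (this is not code from the thread or from pfSense): it reads
the SSH identification string from outside and tells a FreeBSD banner
(pfSense itself answered) apart from an Ubuntu one (the port forward to the
DMZ box answered), and separately offers TLS 1.0, 1.1 and 1.2 one at a time
on 443 to confirm what the scanner saw. The sample banners, the host name
fw.example.net, and the assumption that pfSense's sshd reports a
"FreeBSD-YYYYMMDD" comment are constructed for the example.

```python
import socket
import ssl
import sys

# Constructed sample banners (not captured from any real host). FreeBSD's
# OpenSSH appends a "FreeBSD-YYYYMMDD" comment and Ubuntu's an "Ubuntu-..."
# one, which is what lets us tell the two apart (assumption for pfSense).
SAMPLE_BANNERS = {
    "freebsd": b"SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420\r\n",
    "ubuntu": b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13\r\n",
}


def parse_ssh_banner(raw):
    """Split an RFC 4253 identification string into protocol, software, comment.

    Format: SSH-protoversion-softwareversion [SP comments] CR LF. A server
    may send other lines first, so the first line starting "SSH-" is used.
    """
    for line in raw.decode("ascii", "replace").splitlines():
        if line.startswith("SSH-"):
            break
    else:
        raise ValueError("no SSH identification string in %r" % raw)
    ident, _, comment = line.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3:
        raise ValueError("malformed identification string: %r" % line)
    return {"proto": parts[1], "software": parts[2], "comment": comment}


def guess_platform(raw):
    """'freebsd' means pfSense itself answered; 'debian-family' a forwarded host."""
    comment = parse_ssh_banner(raw)["comment"]
    if comment.startswith("FreeBSD"):
        return "freebsd"
    if comment.startswith(("Ubuntu", "Debian")):
        return "debian-family"
    return "unknown"


def grab_ssh_banner(host, port=22, timeout=5.0):
    """Connect from outside; sshd sends its identification string first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256)


def tls_versions_accepted(host, port=443, timeout=5.0):
    """Offer one TLS version at a time; True = the server completed a handshake.

    None means our own OpenSSL refused to offer that version, so the result
    is unknown rather than a pass.
    """
    results = {}
    for name, ver in (("TLSv1", ssl.TLSVersion.TLSv1),
                      ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                      ("TLSv1.2", ssl.TLSVersion.TLSv1_2)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # probing versions, not identity
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let a modern client offer TLS 1.0
            ctx.minimum_version = ver
            ctx.maximum_version = ver
        except (ssl.SSLError, ValueError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "fw.example.net"  # assumed
    banner = grab_ssh_banner(target)
    print("ssh:", banner.strip().decode("ascii", "replace"), "->", guess_platform(banner))
    print("tls:", tls_versions_accepted(target))
```

Run it from a host outside the firewall (python3 probe.py your.wan.address).
If the banner comment says FreeBSD, the firewall's own sshd is what the
scanner found; if it says Ubuntu, the forwarded DMZ host is, and that is the
machine to patch. The TLS probe reports None rather than False when the
client's own OpenSSL build will not offer an old version, so a None is not
evidence that the server refused it.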


Re: [pfSense] polling pfsense status for a combined dashboard

2015-01-27 Thread Yehuda Katz
I am also using NRPE (with Icinga). I have Icinga creating the reports
which I include elsewhere. The information you get is limited to what
Icinga or other NRPE client can pull.

- Y

On Tue, Jan 27, 2015 at 12:15 PM, James Records james.reco...@gmail.com
wrote:

 Not sure if this is exactly what your asking but I have a dashboard setup
 for pf logs, I made a reddit post about it a while back:

 http://www.reddit.com/r/PFSENSE/comments/2rlm8h/pfsense_docker_elk/

 I also use nagios (which i was going to try to package in docker as well
 when I get around to it) which essentially uses the NRPE plugin to get some
 metrics out of pfsense, it does provide some graphing of cpu/memory
 utilization.

 Also I've been looking into monit lately, someone should make a monit
 package for pfSense :)

 Thanks,

 On Tue, Jan 27, 2015 at 8:55 AM, Wolf Noble w...@wolfspyre.com wrote:

 I'm sure this has been asked, but I've not found anything in the few
 minutes I poked around on the forums/google.

 I'm looking to pull some metrics from my pfSense firewall to display on a
 dashboard. I was wondering what my options are for API-esque access, or
 curl-able graph images with authentication handled by a token conveyed via
 a header.

 What are others doing?

Re: [pfSense] DNS-based inbound NAT?

2014-12-14 Thread Yehuda Katz
HTTP Host headers are not even seen by the firewall unless some type of
Deep Packet Inspection is running or the firewall is the destination and
runs a proxy to the other servers.

The alias method suggested will not work in this case (as you found)
because pfSense does not check the host headers.

Squid might be able to do the job, but I don't think the pfSense package of
squid supports multiple FQDNs (Fully Qualified Domain Names).
A quick look at the settings page shows only options for proxy by path, not
by full URL.
Once you install the plugin, look under Services - Reverse Proxy for the
settings.

- Y


On Sun, Dec 14, 2014 at 1:29 PM, Mike Bobkiewicz sec...@commobil.de wrote:

 Hello,
 we have a problem: we're running a pfSense 2.1.5 firewall with a single
 WAN address in front of a DMZ zone with two web servers. What we now want
 to do is that pfSense redirects a http call to server1.example.com to
 webserver 1 and a http call to server2.example.com to webserver 2.
 We have found two threads on the pfSense board but we couldn't make them
 run.
 First thread mentioned to add aliases for the dns names and create
 redirect nat rules. That doesn't work because pfSense seems to replace the
 dns entries from the aliases at run time so the first matching rule is the
 winner: when server1.example.com is the first rule webserver 1 answers
 for both server1.example.com and server2.example.com. After moving the
 rule for server2.example.com before the server1 rule webserver 2 answers
 all calls.
 The second thread mentions to install the squid3 3.1.20 package and to use
 its reverse proxy function but we can't figure out where to find it in the
 settings.
 Any help or advice is highly welcome.

 Best regards,

 Mike Bobkiewicz
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list

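The point in this thread is that pf matches on addresses and ports and never
sees the Host header, so sending server1.example.com and server2.example.com
from one WAN address to two web servers needs something that speaks HTTP.
As an added example (not pfSense's or the squid package's code), here is a
minimal Host-header reverse proxy in Python that could sit in the DMZ behind
the single port forward; the backend addresses and the listen port are
assumptions. A Host value that is not in the table gets a 421 rather than
falling through to whichever server is listed first, which is the failure
mode the alias approach ran into.

```python
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed DMZ backends (constructed addresses for this example).
ROUTES = {
    "server1.example.com": ("192.0.2.11", 80),
    "server2.example.com": ("192.0.2.12", 80),
}

# Headers that describe this hop only and must not be copied through.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers",
              "transfer-encoding", "upgrade"}


def backend_for(host_header):
    """Pick a backend from the Host header; None if it is absent or unknown.

    Comparison is case-insensitive with any :port stripped, and only names
    present in ROUTES match: there is no default backend, so an unexpected
    Host value cannot be steered to whichever server happens to be first.
    """
    if not host_header:
        return None
    name = host_header.strip().lower()
    if name.startswith("["):                 # IPv6 literal, e.g. [2001:db8::1]:80
        name = name.split("]", 1)[0] + "]"
    else:
        name = name.split(":", 1)[0]
    return ROUTES.get(name)


class HostRouter(BaseHTTPRequestHandler):
    """Forward each request to the backend chosen by its Host header."""

    protocol_version = "HTTP/1.1"

    def _forward(self):
        target = backend_for(self.headers.get("Host"))
        if target is None:
            self.send_error(421, "Misdirected Request")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        # Pass the original Host through so the backend's own vhosts work.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in HOP_BY_HOP}
        headers["X-Forwarded-For"] = self.client_address[0]
        conn = http.client.HTTPConnection(*target, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
        except OSError:
            self.send_error(502, "Bad Gateway")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(data)

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _forward


if __name__ == "__main__":
    # Listen where the WAN port forward for 80 points (assumed address/port).
    ThreadingHTTPServer(("0.0.0.0", 8080), HostRouter).serve_forever()
```

With this in place the pfSense NAT rule forwards WAN port 80 to the proxy
only, and the two web servers need no public address at all. The same
dispatch is what the squid reverse proxy does when it supports multiple
names; the table lookup here is the part that matters, and it deliberately
has no wildcard entry.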

Re: [pfSense] Heartbleed and OpenVPN

2014-04-11 Thread Yehuda Katz
This project: https://github.com/FiloSottile/Heartbleed (which I have
contributed to) allows you to check any STARTTLS-based service
(POP/IMAP/SMTP/etc).
I am not sure what would need to be changed for OpenVPN.

- Y


On Fri, Apr 11, 2014 at 9:57 AM, Tim Nelson tnel...@rockbochs.com wrote:

 Greetings-

 Hot on the heels of the OpenSSL debacle, and a fresh new release of
 pfSense (THANK YOU), I'm curious about the Heartbleed vulnerability's
 actual surface attack area. All of the relevant information, reports, and
 PoCs are pointing at exploit only via an affected HTTPS webserver.
 However, I have not yet seen any PoC for exploiting other SSL based
 services, specifically OpenVPN.

 At this time, are there PoCs for Heartbleed and OpenVPN? I understand
 regardless the upgrade/patch is needed, but curious to know if an exploit
 is yet in the wild for OpenVPN (TCP or UDP, using PKI or even static keys).

 Thanks!

 --Tim


Re: [pfSense] website and upgrade procedure

2013-11-05 Thread Yehuda Katz
I can get to it with no problem.
http://www.downforeveryoneorjustme.com/http://www.pfsense.org/

I will let someone else chime in on the upgrade question, since I have not
done that type of upgrade, but it has come up on the list.

- Y


On Tue, Nov 5, 2013 at 9:39 AM, Curtis Maurand cmaur...@xyonet.com wrote:

 www.pfsense.org is not answering this morning.  Just thought you all
 should know.  I was about to go look for instructions.

 Trying to do two things at once.  Change hardware (the old one
 is...well...old.)  How long it will continue to run is anyone's guess.  It
 already doesn't recover from power failures gracefully. I have a very nice
 little supermicro box to replace it with. However, the current one has been
 in place for 5+ years and has been rock solid.  It's on borrowed time.
  It's a personal PC that has just been getting it done with a pair of
 realtek network cards.

 I'm sure there are going to be gotchas.  Is there a procedure in the docs
 to moving a configuration  to a new hardware platform?  I'm assuming that I
 should install the current version on the new hardware, get the
 configuration onto it then upgrade or should I just install new and go
 through the configuration by hand?

 Thanks,
 Curtis


Re: [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0

2013-10-30 Thread Yehuda Katz
I know some Cisco switches have the option to block DHCP replies on ports
not marked as trusted (DHCP Snooping). I have never seen one where I had
access to the configuration and the setting was on, so I am not sure what
to expect, but it might explain why you don't see the reply in a mirror.

- Y

On Saturday, October 26, 2013, Wade Blackwell wrote:

 Good afternoon all,
 I have 2.1-RELEASE (amd64) running on esxi 5.0 with a Cisco
 managed L2 switch (SG200-26) in between esxi and the charter cable modem.
 I see my dhcp discovers go out (broadcast) I never see any dhcp traffic
 come back. Charter's been out a few times, they did determine that they see
 my discover and they respond though I don't see the reply. With a dedicated
 interface they can get an address off the modem. ASCII art below;

 charter cable modem--g24 cisco vlan 5---esxi vlan5--pf em0.

 I've tried this dedicating a vnic to a standalone vswitch with no 802.1q
 and I've tried 802.1q on the esxi side. The cable modem port is always an
 access port in vlan 5. STP has been disabled on the charter modem port.
 Every port has portfast enabled and the mac timers have been cranked down
 to the minimum, 10 seconds I believe. I've captured traffic from vlan 5 and
 g24 (cable modem port) and seen the same thing, dhcp discovers go out,
 nothing comes back. I'm thinking there has to be a handful of folks on this
 list who have dealt with this and succeeded. Any advice would be fabulous,
 I'd like to keep my L3 in software if I can. Thanks so much.

   -W

 --
 Wade Blackwell
 Solutions Architect
 (D) 805.457.8825 X998
 (C) 805.400.8485
 (S) coc.wadeblackwell



-- 
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.


Re: [pfSense] Feature Request: DHCP Option 60

2013-10-27 Thread Yehuda Katz
This looks like it was added in f4dd8b4c6663c172371b7b1317eb911d4e1e5db8
(https://github.com/pfsense/pfsense/commit/f4dd8b4c6663c172371b7b1317eb911d4e1e5db8)
but was not backported from master to 2.1.

- Y


On Sat, Oct 19, 2013 at 3:29 PM, İhsan Doğan ih...@dogan.ch wrote:

 Hi,

 My FTTH ISP here in Switzerland, Swisscom, requires that the DHCP option
 60 is sent with the DHCP request. As a workaround, I've added this line
 to /etc/inc/interfaces.inc, so while booting, the option is written to
 the dhclient.conf file.

 send dhcp-class-identifier "18,0001,,pfSense dhclient 2.1";

 It would be really great, if this option could be set through the web
 interface.



 Ihsan

 --
 ih...@dogan.ch  http://blog.dogan.ch/


Re: [pfSense] issue a STARTTLS command

2013-10-16 Thread Yehuda Katz
As of about a month ago (
https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0)
StartTLS is an independent setting and should work no matter what port you
are using.
I do not know whether that code has made it to a release (can log in to
check from where I am now) and I don't know how much that changed the
behavior from before, but it is probably worth a look.

- Y


On Wed, Oct 16, 2013 at 5:53 PM, Andreas Meyer anme...@anup.de wrote:

 Hello!

 Moshe Katz mo...@ymkatz.net wrote:

  On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer anme...@anup.de wrote:
 
   Hello all!
  
   php: /system_advanced_notifications.php: Could not send
the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
   command first
  
   Is starttls possible with pfsense?

  There is a checkbox on the System - Advanced - Notifications page
  that says Enable SSL/TLS Authentication.  Make sure that box is
 checked,
  and it should work.

 Isn't that checkbox for port 465 only?
 php: /system_advanced_notifications.php: Could not send the message to
  i...@anup.de -- Error: could not connect to the host mail.anup.de: ??

 
  Moshe

   Andreas


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Yehuda Katz
Probably would not work (or would get whoever did that thrown in jail).
This is similar to a Warrant Canary, but the USDoJ has indicated that
Warrant Canaries would probably be grounds for prosecution of violation of
the non-disclosure order.

- Y

On Friday, October 11, 2013, Adrian Zaugg wrote:


 Dear all

 After having read the whole NSA thread on this list, it came up to my
 mind that pfsense web GUI could declare itself conform to US laws upon
 the point when there are known backdoors included or otherwise the code
 was compromised on pressure of govermental authorities. It would be the
 sign for the users to review the code and maybe to fork an earlier
 version and host it in a free country, where the protection of personal
 data is a common sense and national security is not so much an issue.

 Regards, Adrian.



-- 
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Yehuda Katz
On Fri, Oct 11, 2013 at 1:41 PM, Thinker Rix thinke...@rocketmail.com wrote:

  Probably would not work (or would get whoever did that thrown in jail).
 This is similar to a Warrant Canary, but the USDoJ has indicated that
 Warrant Canaries would probably be grounds for prosecution of violation of
 the non-disclosure order.

 inspired by the keyword you dropped, I researched a little bit and found:
 https://en.wikipedia.org/wiki/Warrant_canary
 It seems that you are correct: What Adrian suggests, is called a Warrant
 canary.
 In the wikipedia article it says that: The intention is to allow the
 provider to inform customers of the existence of a subpoena passively,
 without violating any laws. The legality of this method has not been tested
 in any court. Is that wrong or in conflict with what you wrote?


I do not know of any prosecution for using a Warrant Canary, but that does
not change whether the government would intend to prosecute it (and I have
discussed it with lawyers in the DoJ and other areas). It just means that
the situation has not come up: either because no place that uses a Warrant
Canary has received a secret order or because no place that has received
one has been willing to really use it as designed. This is what it boils
down to: Do you want to go in front of a federal judge and say "I did not
say we received a subpoena, I just stopped saying we did not receive one"?
I know I would not want to.

If anyone wants to talk more about Warrant Canaries, email me off the list.

- Y


Re: [pfSense] fail2ban

2013-10-10 Thread Yehuda Katz
We use Fail2Ban with pfSense with a custom php script (on the firewall)
that adds the appropriate firewall rules.
We have fail2ban set up with multiple levels - so the action to ban in
pfSense only happens after several attempts at other services on one
machine. That way we can assume the ban should be permanent.

Talk about a real API has come up before, but last time I looked into it,
the current authentication system would make it very difficult.

- Y


On Thu, Oct 10, 2013 at 3:01 AM, Aristedes Maniatis a...@ish.com.au wrote:

 We get a lot of attempts to guess weak ftp passwords on our servers. A
 tool which we've used before (and is really nice) is fail2ban. In response
 to a certain type or number of failed attempts, it can run a script (for
 example, to load a firewall rule blocking that user).

 However, we'd ideally like to add those rules at the firewall rather than
 the individual ftp servers. Has anyone attempted something similar.
 Ideally, an API in pfSense which allowed us to send through ip addresses to
 add to a list. They would be added to a deny table and purged after some
 period of time.

 Does this sound useful? Has anyone managed a similar problem?

 Ari



 --
 --
 Aristedes Maniatis
 ish
 http://www.ish.com.au
 Level 1, 30 Wilson Street Newtown 2042 Australia
 phone +61 2 9550 5001   fax +61 2 9550 4001
 GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
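As an added example of the kind of action Yehuda describes (his was a PHP
script on the firewall; this Python script is not from the thread or from
pfSense), here is something fail2ban can call as "ban <ip>" / "unban <ip>"
that validates the address and adds it to a pf table on the firewall over
SSH. The escalation he mentions, banning at the firewall only after repeat
offences across services, is what fail2ban's recidive jail does when this
script is that jail's action. The table name, the SSH target, and the sample
address are assumptions. One caveat for pfSense: a table filled with pfctl
is emptied whenever the ruleset is reloaded unless the table is backed by an
alias, so keep an alias of the same name for anything that should survive a
reload.

```python
import ipaddress
import shlex
import subprocess
import sys

TABLE = "fail2ban"                    # assumed pf table name on the firewall
FIREWALL = "fail2ban@fw.example.net"  # assumed SSH target, key-only auth

# Constructed sample input, as fail2ban would pass it: the offending address.
SAMPLE_OFFENDER = "1.2.3.4"


def validate_ban_target(ip_text):
    """Turn fail2ban's <ip> into an address that is safe to hand to pfctl.

    Anything that does not parse is rejected outright (so a crafted log
    line can never smuggle shell text to the firewall), and non-global
    addresses are refused so the firewall can never be told to block its
    own LAN, loopback, or the admin's jump host.
    """
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError as exc:
        raise ValueError("not an IP address: %r" % ip_text) from exc
    if not addr.is_global:
        raise ValueError("refusing to ban non-global address %s" % addr)
    return addr


def pfctl_command(action, ip_text, table=TABLE):
    """Build the argv that adds or removes one address from a pf table."""
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    addr = validate_ban_target(ip_text)
    return ["pfctl", "-t", table, "-T", action, str(addr)]


def run_on_firewall(argv, firewall=FIREWALL):
    """Execute argv on the firewall over SSH; returns the exit status."""
    remote = " ".join(shlex.quote(a) for a in argv)   # argv is already validated
    proc = subprocess.run(["ssh", "-o", "BatchMode=yes", firewall, remote],
                          check=False)
    return proc.returncode


def main(args):
    """fail2ban calls this as: script.py ban <ip>  or  script.py unban <ip>"""
    if len(args) != 2 or args[0] not in ("ban", "unban"):
        print("usage: %s ban|unban <ip>" % sys.argv[0], file=sys.stderr)
        return 2
    verb = "add" if args[0] == "ban" else "delete"
    return run_on_firewall(pfctl_command(verb, args[1]))


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In a fail2ban action file the two calls would be
"actionban = /usr/local/bin/pf-ban.py ban <ip>" and
"actionunban = /usr/local/bin/pf-ban.py unban <ip>" (the <ip> tag is
fail2ban's own). The pf rule that consumes the table is the usual
"block in quick from <fail2ban>"; restrict the SSH key on the firewall to
running pfctl on that one table, since this account is reachable from every
server that runs fail2ban.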


Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

2013-10-10 Thread Yehuda Katz
Since we keep coming back to FreeBSD as it pertains to security:

 3) FreeBSD is very mature, and very well reviewed.  I've looked into
 FreeBSD to my personal satisfaction.  OpenBSD may be abrasive as a
 community at times, but their work product is pretty impressive in terms of
 being clean and functional.  I was very happy with how they handled that
 whole IPSec fiasco in 2011.  I've been following pfSense for a while now,
 and I've used it off and on for years.  I'm very satisfied by the quality
 and oversight of the coding.   But by all means dig as long as your
 curiosity holds out.  you can never be 100% sure of the security of any
 software, but sufficiently sure is absolutely worth looking into.


FreeBSD is not the distribution in the BSD family
(http://www.freebsdworld.gr/freebsd/bsd-family-tree.html) that is best
known for security
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/introduction.html#idp7515).
Indeed OpenBSD has a specific focus on security, which has been studied
(http://www.openbsd.net/papers/crypt-paper.pdf,
http://www.benzedrine.cx/pf-paper.html,
http://openbsd.md5.com.ar/papers/eurobsdcon2009/otto-malloc.pdf,
http://research.microsoft.com/pubs/79177/milkorwine.pdf), as has the
relationship between the BSDs
(http://www.cs.gmu.edu/~offutt/rsrch/papers/srs-bsd.pdf), but FreeBSD
focuses on being more inclusive of a variety of hardware at a cost of not
being 100% open source.
That is a tradeoff, but it does not mean that FreeBSD is not secure, it
just means ... well I have not found a study about that yet.

- Y


[pfSense] [MOTION TO END THREAD] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Yehuda Katz
On Wed, Oct 9, 2013 at 5:16 PM, Thinker Rix thinke...@rocketmail.com wrote:

 Can this flame be put to an end or continued via private mail?

 But: Interpreting your message, I guess you are participating at this
 mailing list with a mail reader that just pours all incoming mail into one
 folder - which is not the proper way to read mailing lists.
 Please let me inform you that it is highly advisable to participate at
 mailing lists only with a mail reader that allows you to view incoming mail
 in threaded mode. This way you only get to read messages that interest
 you, instead of being flooded by all messages of all users with all
 subjects.


I think I speak for everyone who was a member of this list before 10:20 AM
EST today when I say that this discussion does not belong here and we would
all like it to stop.

Use pfSense or don't. Inspect the code yourself, trust that it is OK, or
not.
Either way, this list is for helping the users, not for discussing
politics, personal attacks, or anything else.

This list is NOT a place where anyone is welcome to barge in and tell
people the proper way of using it.

Again, I think I speak for everyone that we, the list members, do not want
to let [you] inform [us] that it is highly advisable to do anything.
(Maybe if you have significant relevant experience in pf-based firewalls or
other project components and you are providing a solution to a question
that was specifically asked, but otherwise this is not the place.)

Unless there is something significant to add to this (or any members more
than ~7 hours old who disagree), do not reply to it.

- Y


Re: [pfSense] Bouncing DNS access between different VLAN's on their public addresses?

2013-04-29 Thread Yehuda Katz
Short reply since I am on a mobile device: NAT Reflection

On Monday, April 29, 2013, Bryant Zimmerman wrote:

 I have several vlans on a pfsense deployment. VLAN 100 has one of our
 public DNS servers on it. I have a customer VLAN 2000 that needs to be able
 to relay through the DNS server. The customers vlan is routed out one block
 of address and our vlan is on another.

 The issue is we do not allow routing of private addresses between the
 vlans so I need the customer vlan to be able to bounce out on it's public
 address and back in on the public address of our DNS server. I can pin
 correctly but port 53 DNS traffic is not working. I am really stumped as to
 what is going on. If I open up a pinhole to the private address it works
 but this against our security protocol.   Is there somthing special I might
 need to add to the outbound NAT rules to get this to work?

 Thank
 Bryant





Re: [pfSense] Setup Questions

2012-09-29 Thread Yehuda Katz
Lets start by defining the terms to make sure we are all talking about the
same things:
http://www.ipcop.org/2.0.0/en/install/html/preparation-network-interfaces.html

On Sat, Sep 29, 2012 at 4:36 PM, Johnny mill...@cinci.rr.com wrote:

  1 nic is on green

 GREEN - This network only connects to the computer(s) that IPCop is
 protecting. It is presumed to be local. Traffic to it is routed through an
 Ethernet NIC.

This is equivalent to the pfSense LAN.

 1 nic is on red

 RED - This network is the Internet or other untrusted network. IPCop's
 primary purpose is to protect the GREEN, BLUE and ORANGE networks and their
 computers from traffic originating on the RED network. Your current
 connection method and hardware are used to connect to this network.

This is equivalent to the pfSense WAN

Those are the only default interfaces in pfSense, However you can add more
(as I do at my office).



  1 nic is on blue – Wi-Fi, I have a router on this nic. DHCP is turned off
  and users get ip assigned by ipcop. I have also approved people by their mac
  address to access my blue network.

  This optional network allows you to place wireless and/or wired devices on
  a separate network. Computers on this network cannot get to the GREEN
  network except via tightly controlled “pinholes”, or via a VPN. Traffic to
  this network is routed through an Ethernet NIC.

 This requires configuration in pfSense, but many people are doing it, so
you should be able to get help on this list.



  1 nic is on orange for DMZ – Never able to get DMZ working correctly.

  This optional network allows you to place publicly accessible servers on a
  separate network. Computers on this network cannot get to the GREEN or BLUE
  networks, except through tightly controlled “pinholes”. Traffic to this
  network is routed through an Ethernet NIC.

This is programmatically the same as BLUE, and, yes, lots of people do it.


 

  I was wondering if this same setup is possible with pfSense? Any help
  would be appreciated


To sum it up, yes. If you set it up and have more specific questions, just
ask here and someone should be able to help you.


[pfSense] Forwarding Protocol 41 for 1:1 IP Addresses

2012-06-27 Thread Yehuda Katz
I would like add a HE IPv6 tunnel to two of my servers without adding a
tunnel for the whole network.
I was looking at adding an option for each 1:1 to forward protocol 41 just
for that public IP. (maybe a checkbox on the 1:1 create/edit page)
Is there any reason this would not work?

If I understand the code correctly, a rule would look something like:
rdr on {$natif} proto ipv6 from any to {$dstaddr} -> {$target}

- Y


Re: [pfSense] whitelist of mac address

2012-06-11 Thread Yehuda Katz
I think you got your answer already about a week ago from Ermal and Chris.
http://lists.pfsense.org/pipermail/list/2012-June/002312.html
http://lists.pfsense.org/pipermail/list/2012-June/002318.html
pfSense has significant customization in the kernel.

If you really need this feature that much, you should use pfSense or
you should pay someone who knows how to make the changes you need in stock
BSD.
I can't speak for them, but maybe one of the pfSense developers would be
willing to do that.
(pfSense Commercial Support:
https://portal.pfsense.org/index.php/support-subscription )



On Mon, Jun 11, 2012 at 9:25 AM, Bill Yuan byc...@gmail.com wrote:

 come on, developer come on

 i really need help on this, how come it works on pfsense!!



 On Mon, Jun 11, 2012 at 9:13 PM, Bill Yuan byc...@gmail.com wrote:

 Yes ,it works on pfsense,

 I have cleaned the pf rules and only left the ipfw rules, it works !!!

 come and find the reason together !

  On Mon, Jun 11, 2012 at 9:03 PM, Ryan Rodrigue radiote...@aaremail.com
  wrote:

   This works on PFsense?

  From: list-boun...@lists.pfsense.org [mailto:
  list-boun...@lists.pfsense.org] On Behalf Of Bill Yuan
  Sent: Monday, June 11, 2012 7:59 AM
  To: pfSense support and discussion
  Subject: [pfSense] whitelist of mac address

  hi,

  i want to create a whitelist of mac address on my own freebsd gateway, i
  want to use the rule like this below,

  1 allow ip from any to any MAC any mac address
  2 allow ip from any to any MAC mac address any
  3 deny ip from any to any

  i found it works on pfsense, but it doesn't work on my freebsd,

  can someone please tell me how to activate the mac filtering on freebsd,
  what kind of device need to be activated ?

  i have rebuilt my kernel multiple times already, but still not working!

  thanks,









Re: [pfSense] Programatically add IP to Alias

2012-03-15 Thread Yehuda Katz
On Thu, Mar 15, 2012 at 5:00 AM, Chris Buechler c...@pfsense.org wrote:

 On Thu, Mar 15, 2012 at 5:01 AM, Raimund Sacherer r...@logitravel.com
 wrote:
  I would wish that pfSense integrates a simple REST API for functionality
 like that:

 Me too. Patches welcome.


I would be interested in working on this (it is a feature I would also
like), but I think it might require a complete rewrite of the permissions
system for the web interface.
Is this something you are open to? (I don't want to do all the work and
submit a patch and have it rejected because of the scope of the changes.)
Maybe we should take this discussion to the dev list.

- Y


Re: [pfSense] DNS Rebind

2012-02-29 Thread Yehuda Katz
On Wed, Feb 29, 2012 at 6:14 PM, Jason T. Slack-Moehrle 
slackmoeh...@gmail.com wrote:

 When I plug my laptop into the LAN and try and hit one of the websites I
 host I get forwarded to the pfsense admin URL but get an error that states:

 Potential DNS Rebind attack detected, see
 http://en.wikipedia.org/wiki/DNS_rebinding
 Try accessing the router by IP address instead of by hostname.

 This happens to a few of the sites, but it doesn't seem to happen to all
 of them that are hosted on that box.

 Can anyone help me to understand what is happening and how to fix it?

When you are somewhere else, do the websites work properly?

Usually pfSense does not support accessing a public IP that is on the
pfSense WAN. In order for that to work you need to have NAT-reflection
enabled.
We have never been able to get NAT reflection working on our network, so we
just set up split-DNS (so that you have different DNS for those sites on your
LAN), so the clients on the LAN do not know about the 1-1 NAT on the
pfSense.

- Y


Re: [pfSense] DNS Rebind

2012-02-29 Thread Yehuda Katz
On Wed, Feb 29, 2012 at 7:26 PM, Jason T. Slack-Moehrle 
slackmoeh...@gmail.com wrote:

 am I blind in seeing where I would create DNS entries on the pfSense box
 to run it as a DNS Server?


http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F#Method_2:_Split_DNS


Re: [pfSense] Dynamic DNS force update?

2012-02-22 Thread Yehuda Katz
On Wed, Feb 22, 2012 at 6:03 PM, Karl Fife karlf...@gmail.com wrote:

 The file:
 /cf/conf/dyndns_wanzoneedit'my.domain.net'.cache

 Indeed contains the cached IP address, but the file system is mounted
 read-only.  I assume this is due to the fact that I am running the embedded
 version.

 I'm starting to think that the answer is an unqualified NO.


Just saw your message. The answer is (as I wrote in my other recent post to
this thread) that it is supposed to work (there is a secret way to mount
the config in write-mode), but it is a minor bug. I plan to submit a patch
tonight.

- Y


Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense

2011-11-23 Thread Yehuda Katz
On Wed, Nov 23, 2011 at 1:34 PM, Ugo Bellavance u...@lubik.ca wrote:

 We're thinking about replacing our CheckPoint Firewall-1 by pfSense.  We
 are using only those features on Firewall-1 (R65):



Concerns:
 3- Backups.  Are automated backups (of the config, at least) possible even
 w/o a service contract?

We wrote a very simple config backup script based on the ones that are
already included.
We call it from a shell script that runs on a schedule on another server.
I will try to clean it up and send it to you if you are interested.

Alternatively, you can try this:
http://forum.pfsense.org/index.php/topic,11356.msg62849.html
I have not tried it, so I don't know how outdated it is.
Note: A modification for how to install rsync:
http://doc.pfsense.org/index.php/Installing_FreeBSD_Packages

- Yehuda