Re: [pfSense] ICMPv6 filtering recommendations with pfSense?
On 14 May 2014 at 03:37, Chris Buechler c...@pfsense.com wrote:

IMO, I agree that it's best to let ICMP flow free on IPv6. ICMP has had a bad reputation for a long time, and it's mostly undeserved in recent times.

Jim

How should I interpret the code you pointed to? That pfSense does let ICMPv6 flow freely (at least most of it deemed to be required for IPv6 correct behavior) by default, and it then is not dropped by the default block rule?

The ICMPv6 traffic that's considered required for things to function properly is automatically allowed.

Excellent. Thanks!

__
Olivier Mascia
tipgroup.com/om

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
[pfSense] squid3
dear all,

today i fresh installed squid 3 then i rebooted my pfsense firewall then i try to access pfsense firewall its not access i have getting msg pls help ...

ERROR
The requested URL could not be retrieved
--
The following error was encountered while trying to retrieve the URL: https://172.16.100.4/

*Unable to forward this request at this time.*

This request could not be forwarded to the origin server or to any parent caches. Some possible problems are:
- An Internet connection needed to access this domains origin servers may be down.
- All configured parent caches may be currently unreachable.
- The administrator may not allow this cache to make direct connections to origin servers.

Your cache administrator is admin@localhost.
--
Generated Wed, 21 May 2014 07:11:03 GMT by localhost (squid/3.1.20)
Re: [pfSense] ICMPv6 filtering recommendations with pfSense?
On 21-5-2014 9:11, Olivier Mascia wrote:

On 14 May 2014 at 03:37, Chris Buechler c...@pfsense.com wrote:

IMO, I agree that it's best to let ICMP flow free on IPv6. ICMP has had a bad reputation for a long time, and it's mostly undeserved in recent times.

Jim

How should I interpret the code you pointed to? That pfSense does let ICMPv6 flow freely (at least most of it deemed to be required for IPv6 correct behavior) by default, and it then is not dropped by the default block rule?

The ICMPv6 traffic that's considered required for things to function properly is automatically allowed.

Excellent. Thanks!

The rules should automatically allow ICMP6 echo, packet too big and neighbor discovery on the link-local addresses so that basic functionality works. Iirc ICMP6 echo is not allowed from the internet using the GUA addresses, but ND, RA and RS is for normal operation. The rules are specifically higher in the ruleset to prevent accidentally blocking (and breaking) your IPv6 internet.

To be fair, we could make the RA and RS rules a bit more fine grained for ICMP6, but those would apply to the link-local scope and are of limited reachability (at least not from the internet). We already toggle a sysctl if we want to accept a RS for a given interface, so that would be of limited use.

Regards,
Seth
Re: [pfSense] ICMPv6 filtering recommendations with pfSense?
On 21 May 2014 at 09:23, Seth Mos seth@dds.nl wrote:

The ICMPv6 traffic that's considered required for things to function properly is automatically allowed.

Excellent. Thanks!

The rules should automatically allow ICMP6 echo, packet too big and neighbor discovery on the link-local addresses so that basic functionality works. Iirc ICMP6 echo is not allowed from the internet using the GUA addresses, but ND, RA and RS is for normal operation. The rules are specifically higher in the ruleset to prevent accidentally blocking (and breaking) your IPv6 internet.

To be fair, we could make the RA and RS rules a bit more fine grained for ICMP6, but those would apply to the link-local scope and are of limited reachability (at least not from the internet). We already toggle a sysctl if we want to accept a RS for a given interface, so that would be of limited use.

In followup of this discussion and before reading you above, I had updated my ruleset to allow ICMPv6 echoreq (with log) on the WAN from 2000::/3 only. I have no blocking rule for ICMPv6. Only that echoreq additional allow rule, which if correctly understood is not strictly required, but it fits my will until the day I would get a flooding attack on that.

On the LAN, I have no ICMP rules whatsoever and if reading you correctly, should be just right. It at least just seems so, LAN interface pingable from LAN and we see no issue with our IPv6 network, being able to reach any IPv6 target, either LAN or WAN side.

To my understanding, I'm then just fine set, with the added 'pingability' from the WAN (albeit on ICMPv6 only, not ICMPv4 which is blocked by default rules). If I'm wrong and still have understood something wrong, I'll gladly stand corrected.

Thanks!

__
Olivier Mascia
tipgroup.com/om
[pfSense] installing vmtools
Hi,

I'm trying to install the VMWare tools on my pfsense host. Specifically I'm looking at this documentation - https://doc.pfsense.org/index.php/VMware_Tools

Because I don't have a public facing interface, I'm going with this set of instructions -

    mount -t cd9660 /dev/acd0 /mnt/
    cd /tmp
    tar xvzf /mnt/vmware-freebsd-tools.tar.gz
    cd vmware-tools-distrib/
    ./vmware-install.pl -d

When doing this, it becomes apparent that perl is not installed on this pfSense host. Is there an option to install perl typically or what can I do from here? Any ideas?

Thanks!
-Chris
Re: [pfSense] installing vmtools
Oh I feel dumb, the first thing is to install perl, which I can't do given my location on the network. Ok so nevermind, sorry.

On May 21, 2014, at 2:30 PM, Florio, Christopher N flo...@email.unc.edu wrote:

Hi,

I'm trying to install the VMWare tools on my pfsense host. Specifically I'm looking at this documentation - https://doc.pfsense.org/index.php/VMware_Tools

Because I don't have a public facing interface, I'm going with this set of instructions -

    mount -t cd9660 /dev/acd0 /mnt/
    cd /tmp
    tar xvzf /mnt/vmware-freebsd-tools.tar.gz
    cd vmware-tools-distrib/
    ./vmware-install.pl -d

When doing this, it becomes apparent that perl is not installed on this pfSense host. Is there an option to install perl typically or what can I do from here? Any ideas?

Thanks!
-Chris
Re: [pfSense] installing vmtools
Hi Chris,

Have you thought about installing the vmware tools from the package list? They are 3rd party, but they work on all I have setup.

Joe

On Wed, May 21, 2014 at 2:31 PM, Florio, Christopher N flo...@email.unc.edu wrote:

Oh I feel dumb, the first thing is to install perl, which I can't do given my location on the network. Ok so nevermind, sorry.

On May 21, 2014, at 2:30 PM, Florio, Christopher N flo...@email.unc.edu wrote:

Hi,

I'm trying to install the VMWare tools on my pfsense host. Specifically I'm looking at this documentation - https://doc.pfsense.org/index.php/VMware_Tools

Because I don't have a public facing interface, I'm going with this set of instructions -

    mount -t cd9660 /dev/acd0 /mnt/
    cd /tmp
    tar xvzf /mnt/vmware-freebsd-tools.tar.gz
    cd vmware-tools-distrib/
    ./vmware-install.pl -d

When doing this, it becomes apparent that perl is not installed on this pfSense host. Is there an option to install perl typically or what can I do from here? Any ideas?

Thanks!
-Chris
Re: [pfSense] Filtering on source == gateway addresses
On 21 May 2014 at 16:09, Paul Beriswill paul.berisw...@pdfcomplete.com wrote:

On 05/19/2014 01:14 PM, Olivier Mascia wrote:

pfSense 2.1.3

Would it be possible to write rules filtering on one (or all) of the gateway addresses? For instance, using the gateway names as an ALIAS. Or creating an ALIAS whose value is resolved to this or that gateway or all gateway addresses.

That sounds like the normal way of doing it. If you define an alias that includes all GW addrs you can then use the alias in place of a IP address on your filters.

Paul

The gateway addresses are obtained by PPPOE for the IPv4 part of the link and DHCPv6 for the IPv6 part. So I can't define an ALIAS, not knowing the exact gateway IPs which can vary if there is a disconnection (VDSL technology on that specific site I'm referring to). To be honest, I have seen that these addresses do not seem to change often (more or less one short disconnection per 20 days and the gateway addresses do not change on each disconnect). But I think the interest for some ALIAS or other means to refer to the actual gateway addresses in rules might be useful. Or I might have missed something big. :)

__
Olivier Mascia
tipgroup.com/om
Re: [pfSense] installing vmtools
On 5/21/2014 2:31 PM, Florio, Christopher N wrote:

Oh I feel dumb, the first thing is to install perl, which I can't do given my location on the network. Ok so nevermind, sorry.

You can fetch the .tbz file for perl and the compat package mentioned on the page to another system and then copy it to the vm locally, and pkg_add perl.tbz from the shell (or whatever its name may be...)

For pkg_add there isn't a remote requirement, it's easier, but it's not necessary.

Jim
Re: [pfSense] installing vmtools
Any idea a URL that I could get this package from? Sounds like a good option.

On May 21, 2014, at 2:37 PM, Doug Lytle supp...@drdos.info wrote:

Joseph H wrote:

Have you thought about installing the vmware tools from the package list? They are 3rd party, but they work on all I have setup.

I use this as well.

Doug
Re: [pfSense] installing vmtools
Login to pfsense gui, go to Systems - Packages - Available Packages, do a search for Open-VM-Tools and click on the add icon to the right of the package. As long as it has Internet Access it will download and install all necessary packages.

On Wed, May 21, 2014 at 2:39 PM, Florio, Christopher N flo...@email.unc.edu wrote:

Any idea a URL that I could get this package from? Sounds like a good option.

On May 21, 2014, at 2:37 PM, Doug Lytle supp...@drdos.info wrote:

Joseph H wrote:

Have you thought about installing the vmware tools from the package list? They are 3rd party, but they work on all I have setup.

I use this as well.

Doug
Re: [pfSense] installing vmtools
On Wed, May 21, 2014 at 2:39 PM, Florio, Christopher N flo...@email.unc.edu wrote:

Any idea a URL that I could get this package from? Sounds like a good option.

One of these should do it (pick the one appropriate for your architecture)

http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/perl5-5.16.3_6.tbz
http://ftp1.freebsd.org/pub/FreeBSD/ports/i386/packages-9-current/perl5/perl5-5.16.3_6.tbz

I'm not sure if a specific version of Perl is required - there are some breaking changes between 5.8 and 5.10, for example. If 5.16 doesn't work, you can look in http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/ (or the i386 location) for other versions of 5.12, 5.14, and 5.18

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732
Re: [pfSense] apu.4c silently dies
On Tue, May 20, 2014 at 1:15 AM, mayak ma...@australsat.com wrote:

unit will run sometimes for days, or sometimes for several hours, before becoming unresponsive:

My gut says overheating.
Re: [pfSense] apu.4c silently dies
On 05/21/2014 10:14 PM, Vick Khera wrote:

On Tue, May 20, 2014 at 1:15 AM, mayak ma...@australsat.com wrote:

unit will run sometimes for days, or sometimes for several hours, before becoming unresponsive:

My gut says overheating.

hi vick,

man -- you're good -- i was waiting a bit more to post back, but yes, this appears to be thermal. clearly, this means that the heat sink/case has been incorrectly engineered. unit is flat on a shelf with nothing above it for 1.4 meters and the room is not that hot. i'd hate to see this unit in a warm space or with suppressed air flow.

i have placed it vertically on the shelf -- allowing air to circulate on both sides (bottom and top). placing the heat sink on the bottom of the board/case doesn't seem to provide sufficient heat dissipation -- indeed, the rest of the case, and the motherboard itself, become heat collectors.

i'll be curious to see pc engines proposes a new mounting/heat sink method. if the case had air flow slits on top and on the sides, i'd bet that it would be much cooler.

cheers
m
Re: [pfSense] apu.4c silently dies
On 05/21/2014 10:59 PM, Stefan Baur wrote:

On 21.05.2014 22:53, mayak wrote:

i'll be curious to see pc engines proposes a new mounting/heat sink method. if the case had air flow slits on top and on the sides, i'd bet that it would be much cooler.

Out of curiosity, did you buy a new case for your APU or recycle an old one from an ALIX board you used earlier? IIRC from other threads on here, older cases are not compatible, even though at first sight they seem to be. The problem with the old cases is indeed insufficient heat dissipation.

hi stefan,

case was purchased and was factory installed -- it's the new one (apparently) as the stand-offs are correctly sized to accommodate the heat sink.

cheers
m
Re: [pfSense] installing vmtools
Given that pfSense 2.1.3 uses FreeBSD 8.3 as the base OS, wouldn't http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/perl5/ be better location to use for packages?

Walter

On Wed, May 21, 2014 at 11:57 AM, Moshe Katz mo...@ymkatz.net wrote:

On Wed, May 21, 2014 at 2:39 PM, Florio, Christopher N flo...@email.unc.edu wrote:

Any idea a URL that I could get this package from? Sounds like a good option.

One of these should do it (pick the one appropriate for your architecture)

http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/perl5-5.16.3_6.tbz
http://ftp1.freebsd.org/pub/FreeBSD/ports/i386/packages-9-current/perl5/perl5-5.16.3_6.tbz

I'm not sure if a specific version of Perl is required - there are some breaking changes between 5.8 and 5.10, for example. If 5.16 doesn't work, you can look in http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/ (or the i386 location) for other versions of 5.12, 5.14, and 5.18

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
[pfSense] pfsense performance
Hi Everyone,

I was having a debate with a new network engineer we have and we were discussing how pfSense performs and how it would handle 10G network connections, setup as a transparent firewall, using snort and a few other packages to help monitor and graph traffic. I was saying that as long as it has plenty of CPU and Memory, plus Intel NIC's for the 10G then it would not have any problems doing transparent mode, and there would be no noticeable slowdown or sluggishness.

Does anyone have any statistics they would share or what size server to build, using Intel 10G nic cards?

Thanks in advance.

Joe
Re: [pfSense] pfsense performance
On 14-05-21 08:27 PM, Joseph H wrote:

Hi Everyone,

I was having a debate with a new network engineer we have and we were discussing how pfSense performs and how it would handle 10G network connections, setup as a transparent firewall, using snort and a few other packages to help monitor and graph traffic. I was saying that as long as it has plenty of CPU and Memory, plus Intel NIC's for the 10G then it would not have any problems doing transparent mode, and there would be no noticeable slowdown or sluggishness.

Does anyone have any statistics they would share or what size server to build, using Intel 10G nic cards?

Thanks in advance.

Joe

Jim just had this argument with Henning Brauer at BSDCan... at those speeds, bandwidth doesn't really matter, packets-per-second matters.

In most normal situations, pfSense can pass almost 10Gbit/sec of traffic. However, in a DDOS - or VoIP - scenario, its limited PPS rates (compared to stupidly expensive hardware-accelerated appliances) rapidly will become a bottleneck. Depending on your traffic patterns, you will probably max out on PPS long before you max out on bandwidth.

Transparent mode vs. routed mode probably won't make all that much difference at the scales you're talking about, but I admit I've never tried transparent mode at 1Gbps.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] pfsense performance
Hi Adam,

Thanks for the response, I wonder if I setup a pfsense and use a packet generator maybe I can find out an answer. Once I get a couple of servers freed up which has dual 10G nics, I might give this a try. I have a couple of HP servers with I think 48 cores and 128G of ram being decommed from their current role in the next month, so I might use them to test this before we reload and redeploy them.

Joe

On Wed, May 21, 2014 at 9:44 PM, Adam Thompson athom...@athompso.net wrote:

On 14-05-21 08:27 PM, Joseph H wrote:

Hi Everyone,

I was having a debate with a new network engineer we have and we were discussing how pfSense performs and how it would handle 10G network connections, setup as a transparent firewall, using snort and a few other packages to help monitor and graph traffic. I was saying that as long as it has plenty of CPU and Memory, plus Intel NIC's for the 10G then it would not have any problems doing transparent mode, and there would be no noticeable slowdown or sluggishness.

Does anyone have any statistics they would share or what size server to build, using Intel 10G nic cards?

Thanks in advance.

Joe

Jim just had this argument with Henning Brauer at BSDCan... at those speeds, bandwidth doesn't really matter, packets-per-second matters.

In most normal situations, pfSense can pass almost 10Gbit/sec of traffic. However, in a DDOS - or VoIP - scenario, its limited PPS rates (compared to stupidly expensive hardware-accelerated appliances) rapidly will become a bottleneck. Depending on your traffic patterns, you will probably max out on PPS long before you max out on bandwidth.

Transparent mode vs. routed mode probably won't make all that much difference at the scales you're talking about, but I admit I've never tried transparent mode at 1Gbps.

--
-Adam Thompson
athom...@athompso.net
[pfSense] Web GUI certs
The web GUI uses a default auto-generated cert, which (as expected) causes browser errors. An improved approach would be to generate a CA, a key, and to load the CA into the browser. That way I can be assured to not accidentally OK the wrong connection, and it tests my understanding of the cert system in pfsense.

I can't get it to work quite the way I prefer:

* accept all XXX.site host names
* accept the IP address
* accept any IP address in the subnet

When creating the certs, only the CN field seems to have some significance, and then only for the server cert. For the CA, any free text is accepted. For the server cert I select type: server, but CNs of

  *.site
  *.pfsense.site
  pfsense.site

Only the CN of pfsense.site makes the browser not complain with https://pfsense.site/, but https://10.x.x.x/ still gives an error. Entering an alternative name of 10.x.x.x when creating the server cert does nothing.

I get the same results with firefox and konqueror, however

  openssl s_client -connect .. -verify -CApath /etc/ssl ..

does not complain (I installed the CA cert into /etc/ssl/certs/).

Other websites seem to have no problems with wildcard name certificates valid for *.site. What exactly should I be putting into the pfsense cert manager to get a similar effect? And make the browser accept the IP address(es) too?

pfsense 2.1.3

Thanks muchly,

Volker

--
Volker Kuhlmann
http://volker.top.geek.nz/
Please do not CC list postings to me.
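Added example, not part of the post above and not pfSense code: a small Python model of how an HTTPS client compares the URL host with a server certificate's names under RFC 2818, run against the CN and alternative-name combinations the post describes. The three-label minimum for wildcard names is an assumption modelling browser behaviour, and the address 192.0.2.10 and host gw.pfsense.site are constructed sample values.

```python
import ipaddress

def is_ip(value):
    """True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Compare one certificate name (dNSName SAN or CN) with the URL host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # Assumption (browser-style rule): the wildcard must be the entire
    # left-most label and the pattern needs at least three labels,
    # so "*.site" is refused outright.
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    # "*" stands for exactly one non-empty label, never zero or several.
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]

def cert_matches(host, common_name, san_dns=(), san_ip=()):
    """Decide whether a certificate is acceptable for the host in the URL."""
    if is_ip(host):
        # RFC 2818: an IP in the URL must equal an iPAddress SAN entry.
        # An address stored as a DNS-type name or as the CN is not consulted,
        # and there is no way to express a whole subnet.
        want = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(a) == want for a in san_ip)
    # RFC 2818: dNSName SAN entries take precedence; the CN is a fallback.
    names = list(san_dns) if san_dns else [common_name]
    return any(dns_name_matches(n, host) for n in names)

def run_cases():
    """Constructed cases mirroring the certificates tried in the post."""
    ip = "192.0.2.10"  # constructed documentation address
    cn = "pfsense.site"
    both = ("pfsense.site", "*.pfsense.site")
    return {
        "CN=*.site, https://pfsense.site/": cert_matches(cn, "*.site"),
        "CN=*.pfsense.site, https://pfsense.site/": cert_matches(cn, "*.pfsense.site"),
        "CN=pfsense.site, https://pfsense.site/": cert_matches(cn, cn),
        "CN=pfsense.site, https://<ip>/": cert_matches(ip, cn),
        "address stored as DNS-type SAN": cert_matches(ip, cn, san_dns=(ip,)),
        "address stored as IP-type SAN": cert_matches(ip, cn, san_ip=(ip,)),
        "neighbouring address, same subnet": cert_matches("192.0.2.11", cn, san_ip=(ip,)),
        "SAN list, https://gw.pfsense.site/": cert_matches("gw.pfsense.site", cn, san_dns=both),
        "SAN list, https://pfsense.site/": cert_matches(cn, cn, san_dns=both),
    }

if __name__ == "__main__":
    for label, ok in run_cases().items():
        print(f"{'accept' if ok else 'reject':6}  {label}")
```

In this model a certificate covers both the bare name and its subdomains only when both appear as DNS-type alternative names, and each address must be listed individually as an IP-type alternative name.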
Re: [pfSense] installing vmtools
On Wed, May 21, 2014 at 5:23 PM, Walter Parker walt...@gmail.com wrote:

Given that pfSense 2.1.3 uses FreeBSD 8.3 as the base OS, wouldn't http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/perl5/ be better location to use for packages?

Walter

On Wed, May 21, 2014 at 11:57 AM, Moshe Katz mo...@ymkatz.net wrote:

On Wed, May 21, 2014 at 2:39 PM, Florio, Christopher N flo...@email.unc.edu wrote:

Any idea a URL that I could get this package from? Sounds like a good option.

One of these should do it (pick the one appropriate for your architecture)

http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/perl5-5.16.3_6.tbz
http://ftp1.freebsd.org/pub/FreeBSD/ports/i386/packages-9-current/perl5/perl5-5.16.3_6.tbz

I'm not sure if a specific version of Perl is required - there are some breaking changes between 5.8 and 5.10, for example. If 5.16 doesn't work, you can look in http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/ (or the i386 location) for other versions of 5.12, 5.14, and 5.18

Moshe

Yes, you are correct. It would be better to use the 8.3 versions of the packages. A slip of the mouse on my part - I clicked the wrong version.

Just for completeness' sake, here are the correct links:

64-bit: http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/perl5/perl-5.10.1_7.tbz
32-bit: http://ftp1.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/perl5/perl-5.10.1_7.tbz

As before, other versions of perl are also available.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732
[pfSense] syslog server IP/name
https://pfsense/diag_logs_settings.php

Has 3 fields for syslog servers. Says IP addresses must be entered. Does accept names (corresponding entry exists in DHCP server or DNS forwarder).

Either the comment is wrong, or error checking is absent (intentionally or accidentally).

Volker

--
Volker Kuhlmann
http://volker.top.geek.nz/
Please do not CC list postings to me.