Re: Re: [pfSense Support] Filtering streaming - peer to peer - instant messaging
Not to take anything away from pfSense, because pfSense rocks at layer 2/3. But you might look at IPcop w/ L7-filter.
http://l7-filter.sourceforge.net/
http://www.ipcop.org/index.php?module=pnWikkatag=IPCopAddons
In fact we use pfSense with this very same add-on(s) (IPcop L7-Filter) at several clients to address this exact scenario.
HTH
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
SUBJECT: Re: [pfSense Support] Filtering streaming - peer to peer - instant messaging
FROM: ...@pfsense.org
TO: supp...@pfsense.com
DATE: 07-15-2009 2:44 pm

On Wed, Jul 15, 2009 at 8:48 AM, bsd wrote:
> Hello, I am about to answer a public tender and am looking for a reliable open-source filtering solution. I need to filter layers 3 and 4 of the TCP/IP stack (TCP and Application layer), especially for streams such as Peer to Peer - IM - Streaming - Virus.

You have your layers wrong. L3 (IPs) and L4 (protocol, TCP, UDP, GRE, ESP, etc.) are fully supported. I presume you mean higher layers, identifying what traffic is based on the actual payload rather than the L3/4 header. 2.0 does have some application intelligence but that's not an option for immediate use. There aren't any similar open source options that do have that kind of functionality unless you build it yourself.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
I did as you'd said below and found no difference, but one thing I did notice is that the upgrade that (I thought) broke reflective routing appears to have unchecked the option under the advanced section about bypassing rules for networks that share the same interface. I have always had this checked before, but in reviewing the complete configuration I found this option unchecked. I know that it was checked before on pre-RC2 1.2.1 test rigs ... sorry for all the chatter here, and the claim of a broken release. I am doing some testing to see if I can do route reflection without this option checked and by crafting some rules. If anyone cares I will share my findings. Thanks!!

Please backup /tmp/rules.debug on a working and a non-working machine. Then run
diff -rub working.config notworking.config
Scott
Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
So let's see if I am getting this ... If the intermediate router sees the destination address as part of its connected network then it passes the packet to the destination directly. Then the destination host sees its default gateway as the pfSense box and passes the return traffic to it and lets it route accordingly ... I'm assuming that's what you mean by asymmetric routing. So if I dedicate interfaces on the pfSense boxes to the intermediate router then that takes all the reflective routing capabilities away, right? I understand that asymmetric routing is NOT a best practice - nor the preferred method, but in some cases I'd think it is appropriate, but I do see what you mean.

What you have is asymmetric routing. You can't statefully filter traffic with any firewall if it's only seeing part of the connection.
[pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
I just updated our 1.2.1-RC2 to the newest SNAP:
1.2.1-RC2 built on Thu Nov 27 13:35:44 EST 2008
I had been having issues w/ reflective routing in past 1.2.1 SNAPs but it got resolved back a couple weeks ago with a new SNAP. After this morning's update I see that it is broken again. I perform the same battery of testing on all 1.2.1-RC? and 2.0AA versions. This SNAP is only giving one line in the FW deny:
The rule that triggered this action is: @63 block drop in log quick all label Default deny rule
(see this forum post, FMI - http://forum.pfsense.org/index.php/topic,12647.0.html)
-- David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
As a follow up to this post ... here is the ticket that fixed this issue earlier in the 1.2.1 testing SNAP:
http://cvstrac.pfsense.org/chngview?cn=26056
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 11-27-2008 10:55 am

I just updated our 1.2.1-RC2 to the newest SNAP:
1.2.1-RC2 built on Thu Nov 27 13:35:44 EST 2008
I had been having issues w/ reflective routing in past 1.2.1 SNAPs but it got resolved back a couple weeks ago with a new SNAP. After this morning's update I see that it is broken again. I perform the same battery of testing on all 1.2.1-RC? and 2.0AA versions. This SNAP is only giving one line in the FW deny:
The rule that triggered this action is: @63 block drop in log quick all label Default deny rule
(see this forum post, FMI - http://forum.pfsense.org/index.php/topic,12647.0.html)
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
PROXY: Allow traffic to localhost
pass in quick on le0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on le1 inet proto tcp from port 20 to (le1) port 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
# enable ftp-proxy

# IMSpector
anchor imspector

# uPnPd
anchor miniupnpd

#---
# default deny rules
#---
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"

-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
SUBJECT: Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
FROM: [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
DATE: 11-27-2008 11:22 am

On Thu, Nov 27, 2008 at 10:55 AM, DLStrout wrote:
> I just updated our 1.2.1-RC2 to the newest SNAP:
> 1.2.1-RC2 built on Thu Nov 27 13:35:44 EST 2008
> I had been having issues w/ reflective routing in past 1.2.1 SNAPs but it got resolved back a couple weeks ago with a new SNAP. After this morning's update I see that it is broken again. I perform the same battery of testing on all 1.2.1-RC?

It's not the same cause then, the rules are generated correctly in RC2. Post your entire ruleset.
Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
If I back down (using the console UG method - 13) to the image below (from mirror) and restore the backed-up configuration (interfaces portion only) ... all seems to work as before.
pfSense-Full-Update-1.2.1-RC2.tgz 19-Nov-2008 21:54 39M
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
pfctl -sr
scrub all random-id fragment reassemble
anchor "ftpsesame/*" all
anchor "firewallrules" all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
anchor "loopback" all
pass in quick on lo0 all flags S/SA keep state label "pass loopback"
pass out quick on lo0 all flags S/SA keep state label "pass loopback"
anchor "packageearly" all
anchor "carp" all
pass quick inet proto icmp from x.x.x.132 to any keep state
anchor "dhcpserverlan" all
pass in quick on le0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
pass in quick on le0 inet proto udp from any port = bootpc to 192.168.22.2 port = bootps keep state label "allow access to DHCP server on LAN"
pass out quick on le0 inet proto udp from 192.168.22.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
block drop in log quick on le1 inet proto udp from any port = bootps to 192.168.22.0/24 port = bootpc label "block dhcp client out wan"
block drop in on ! le0 inet from 192.168.22.0/24 to any
block drop in inet from 192.168.22.2 to any
block drop in on le0 inet6 from fe80::20c:29ff:fef0:c9d4 to any
anchor "spoofing" all
anchor "spoofing" all
block drop in on ! le1 inet from x.x.x.128/29 to any
block drop in inet from x.x.x.132 to any
block drop in on le1 inet6 from fe80::20c:29ff:fef0:c9de to any
block drop in log quick on le1 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on le1 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on le1 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on le1 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
anchor "limitingesr" all
block drop in quick from <virusprot> to any label "virusprot overload table"
anchor "wanbogons" all
block drop in log quick on le1 from <bogons> to any label "block bogon networks from wan"
pass out quick on le0 proto icmp all keep state label "let out anything from firewall host itself"
pass out quick on le1 proto icmp all keep state label "let out anything from firewall host itself"
pass out quick on le1 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
anchor "firewallout" all
pass out quick on le1 all flags S/SA keep state label "let out anything from firewall host itself"
pass out quick on le0 all flags S/SA keep state label "let out anything from firewall host itself"
pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host"
anchor "anti-lockout" all
pass in quick on le0 inet from any to 192.168.22.2 flags S/SA keep state label "anti-lockout web rule"
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
anchor "ftpproxy" all
anchor "pftpx/*" all
pass in quick on le0 inet from 192.168.22.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN - any"
pass in quick on le0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on le0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on le1 inet proto tcp from any port = ftp-data to (le1) port 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
anchor "imspector" all
anchor "miniupnpd" all
block drop in log quick all label "Default deny rule"
block drop out log quick all label "Default deny rule"

-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 11-27-2008 7:34 pm

On Thu, Nov 27, 2008 at 6:16 PM, DLStrout [EMAIL PROTECTED] wrote:
> Let me know if I can provide anything else.

I want to see the working rule(s).
Scott
Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
It looks like it is getting hung up on the way back out of the virtual (test) environment:
Nov 27 21:41:55 LAN 192.168.22.22:5900 192.168.1.2:33150 TCP
The rule that triggered this action is: @62 block drop in log quick all label Default deny rule
And I have the default allow LAN net to ANY rule in play:
pass in quick on le0 inet from 192.168.22.0/24 to any flags S/SA keep state label USER_RULE: Default LAN - any
-- David L. Strout
Engineering Systems Plus, LLC
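To make the blocked reply above and Scott's "asymmetric routing" explanation earlier in the thread concrete, here is an added toy model of pf's state table and first-match quick rule evaluation. It is not code from the thread or from pfSense/pf: the LAN rule and default deny rule are taken from the posted ruleset, while the packets, the matching engine and the "bypass" rule (an assumption about what the bypass-same-interface option amounts to) are constructed.

```python
"""Toy model of pf stateful filtering, constructed to illustrate why the
SYN-ACK from 192.168.22.22:5900 to 192.168.1.2:33150 hits the default deny
rule when pfSense never saw the SYN. Not pf or pfSense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on ("le0" is LAN in the thread)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags that are set, e.g. "S" (SYN) or "SA" (SYN-ACK)


@dataclass
class Rule:
    action: str            # "pass" or "block"; every rule here is "quick"
    label: str
    iface: str = None      # None: any interface
    src_net: str = None    # None: any source
    dst_net: str = None    # None: any destination
    flags: str = None      # pf syntax "S/SA": of S and A, only S may be set
    keep_state: bool = True

    def matches(self, pkt: Packet) -> bool:
        if self.iface and pkt.iface != self.iface:
            return False
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.flags:
            want, mask = self.flags.split("/")
            seen = {c for c in pkt.flags if c in mask}
            if seen != set(want):
                return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # 4-tuples, stored for both directions

    def filter(self, pkt: Packet):
        """Return (action, reason) for one packet, updating the state table."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # pf consults the state table before evaluating any rule
        if key in self.states:
            return "pass", "state"
        # the first matching 'quick' rule ends evaluation
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.states.add(key)
                    self.states.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return rule.action, rule.label
        return "block", "no rule matched"


# Two rules quoted from the ruleset posted in this thread.
LAN_ALLOW = Rule("pass", "USER_RULE: Default LAN - any",
                 iface="le0", src_net="192.168.22.0/24", flags="S/SA")
DEFAULT_DENY = Rule("block", "Default deny rule")

# Assumption: the "bypass firewall rules for traffic on the same interface"
# option is approximated as a pass rule for the statically routed network
# with no SYN-only flag check and no state requirement.
BYPASS = Rule("pass", "bypass same-interface", iface="le0",
              dst_net="192.168.1.0/24", keep_state=False)


def symmetric_case():
    """A LAN host opens a connection out through pfSense: the SYN matches the
    LAN rule and creates state, so the later ACK is passed by the state table."""
    fw = Firewall([LAN_ALLOW, DEFAULT_DENY])
    syn = Packet("le0", "192.168.22.22", 40000, "10.1.1.1", 80, "S")
    ack = Packet("le0", "192.168.22.22", 40000, "10.1.1.1", 80, "A")
    return fw.filter(syn), fw.filter(ack)


def asymmetric_case(bypass=False):
    """The thread's situation: 192.168.1.2 reached 192.168.22.22:5900 through an
    intermediate router on the LAN, so pfSense never saw the SYN. The server's
    SYN-ACK goes to its default gateway (pfSense) and is evaluated with no
    matching state; flags S/SA rejects a SYN-ACK, so default deny fires."""
    rules = ([BYPASS] if bypass else []) + [LAN_ALLOW, DEFAULT_DENY]
    fw = Firewall(rules)
    syn_ack = Packet("le0", "192.168.22.22", 5900, "192.168.1.2", 33150, "SA")
    return fw.filter(syn_ack)


if __name__ == "__main__":
    print("symmetric:", symmetric_case())
    print("asymmetric:", asymmetric_case())
    print("asymmetric, bypass option:", asymmetric_case(bypass=True))
```

The model deliberately ignores pf's other rules, timeouts and sloppy state; it only shows that a firewall seeing one half of a connection cannot match the reply to a state it never built.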
Re: [pfSense Support] Routed Subnet
Turn off automatic NAT and check your NAT rules w/ the status.php page.
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: [pfSense Support] Routed Subnet
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 11-23-2008 11:46 am

Hi All,
I'm trying to configure a pfsense embedded system to route a public subnet through to OPT1. My ISP has provided me with a /27 routed subnet through my /30 static IP.
/30: x.y.z.238 - gateway x.y.z.237 - WAN on pfsense
/27: a.b.c.1 - OPT1 on pfsense
     a.b.c.[2-30] - assigned to various servers (using a.b.c.1 as gateway)
I can't get this to work. The pfsense router can ping any host on the internet and any host on the OPT1 subnet. All of the hosts in the OPT1 subnet can ping the OPT1 address; but nothing beyond that. Not even x.y.z.238.
I've:
- Checked Disable Firewall in the Advanced Options
- Have also added any any any rules to both the WAN and OPT1 tabs under firewall rules.
Can someone tell me what I've missed? Please
Thanks,
Andrew
Re: Re: [pfSense Support] Reflective routing ?
Absolutely NOT disappointed at all, just pointing out an issue ... quite the contrary in fact, and I am as anxious as any to see some of the fantastic new features of 2.0 in a STABLE release. Really just trying to provide some input into 2.0 from our perspective. So just so I have this straight .. (and hopefully it will enlighten others as well) ... any questions relating to 1.3/2.0 belong on the forum? Because I was told early on to post them to the list ... kind of mixed messages about where to post for what ... but no harm no foul. So, is the forum the desired endpoint for ALL 1.3/2.0 questions, bugs, etc.?
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
2.0 bug reports belong on the forum, not on the mailing list. I should remind you that it is a moving target and NOT ready for public testing where you will be disappointed.
Scott
Re: [pfSense Support] Reflective routing ?
All seems well on 1.2.1, but when testing 2.0Ax2 I noticed one of the start up scripts hangs and produces the below output. Not real sure how to debug it and had to CTRL-C to get it to finally finish booting up. It appears to be something w/ the apinger function/piece of the startup process. The reflective routing piece works mint on 1.2.1 but it still seems borked on 2.0.

-- output from system log after boot rc script hangs and CTRL-C issued to release it. --
Nov 12 06:41:54 kernel: pflog0: promiscuous mode disabled
Nov 12 06:41:54 sshlockout[42775]: sshlockout starting up
Nov 12 06:41:54 sshlockout[42775]: sshlockout starting up
Nov 12 06:41:54 init: /bin/sh on /etc/rc terminated abnormally, going to single user mode
Nov 12 06:41:54 init: /bin/sh on /etc/rc terminated abnormally, going to single user mode
Nov 12 06:41:42 apinger: command (touch /tmp/filter_dirty) exited with status: 1
Nov 12 06:41:42 apinger: Error while starting command.
Nov 12 06:41:38 php: : Creating rrd update script
Nov 12 06:41:32 apinger: ALARM: wan(127.0.0.2) *** down ***
Nov 12 06:41:29 kernel: ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding enabled, default to accept, logging disabled
--

On Tue, Nov 11, 2008 at 8:31 PM, DLStrout [EMAIL PROTECTED] wrote:
> Excellent .. is this change committed to both 1.2.1 and 2.0 versions?

Yes.

-- David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] Reflective routing ?
I've noticed in recent releases that reflective routing is broken. Most notably all releases 1.2 STABLE. The most notable is having multiple routers on one network and being able to default gateway the hosts of that network to the gateway (pfSense), place static routes on it, and have it reflect the route to the appropriate exit router for the destination network. Has anyone else experienced this or is this a known issue already? I've done some searches and come up with nothing on either pfSense itself or FreeBSD 6/7.
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] Reflective routing ?
Excellent .. is this change committed to both 1.2.1 and 2.0 versions?
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
SUBJECT: Re: [pfSense Support] Reflective routing ?
FROM: [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
DATE: 11-11-2008 8:20 pm

On Tue, Nov 11, 2008 at 7:48 PM, DLStrout wrote:
> I've noticed in recent releases that reflective routing is broken. Most notably all releases 1.2 STABLE.

Fixed.
http://cvstrac.pfsense.org/chngview?cn=26056
[pfSense Support] Captive portal questions
I've been running CP on a 1.2 install for about 6 months now and we are now noticing that there is no authentication happening. Things we've tried:
- Moving the CP to another interface (i.e. WLAN (WAP connected ethernet)).
- Starting and restarting the CP service (fails the webConfigurator when we restart the CP service).
- tail the /var/log/lighttpd.error.log (here is what we are seeing when a client hits the CP ...
2008-11-06 21:44:02: (connections.c.279) SSL: 1 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2008-11-06 21:44:02: (connections.c.279) SSL: 1 error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Any ideas on how to revive the CP functionality are greatly appreciated.
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: Re: [pfSense Support] Force Speed/Duplex on NIC
Agreed! All switches/FWs/routers have the ability/feature in either CLI or GUI, so I guess that I was just wondering why it wasn't part of pfS. I agree on most points you make and there are those out there that have and will continue to bungle connectivity by setting S/D incorrectly, but why not make it available (wo/ editing the XML) for those of us that know how and when to use it? Every single Cisco, Juniper, Foundry engineer I know (or I've taken advanced seminars from) has stringently recommended the use of static S/D settings on edge routers and core switching. Given that, I did some asking around and googling and it seems that Cisco at least has changed their view in recent years on their S/D philosophy:

==SNIP==
Recommended Port Configuration (Autonegotiation or Manual Configuration)
There are many opinions on the subject of autonegotiation. Previously, many engineers advised customers not to use autonegotiation with any switch-connected device. However, improvements in the interoperation of autonegotiation and the maturity of the technology has recently changed the view of autonegotiation and its use. In addition, performance issues due to duplex mismatches, caused by the manual setting of speed and duplex on only one link partner, are more common. Because of these recent issues, the use of autonegotiation is regarded as a valid practice.
==SNIP==
Source - http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800a7af0.shtml

I totally understand that it presents many, many threads of list chatter when it comes to bite someone who doesn't understand the ramifications of the settings, but nonetheless, I feel it is a valuable configuration setting for the great enterprise-ready product you've all put forth, and for those among us that use this setup and know it. IMHO .. as always!

- Original Message -
Subject: Re: Re: [pfSense Support] Force Speed/Duplex on NIC
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 11-06-2008 9:53 pm

On Thu, Nov 6, 2008 at 6:21 AM, DLStrout [EMAIL PROTECTED] wrote:
> After all this is pretty industry standard/best practice (hard coding speed/duplex on edge devices/routers/firewalls).

No, no, no it's *not*. That's the common misperception. Autonegotiation is the single most misunderstood and abused thing in networking in my experience. What ends up happening is it's done inconsistently and creates duplex mismatches all over the place. Virtually all network equipment made in this decade will autonegotiate without any trouble. Every networking vendor recommends using autonegotiate and has for years. The only scenario where you should force is when autonegotiate fails when both ends are set to auto. This will happen occasionally, but is the exception to the rule, not the rule. Autonegotiation got a bad name because it didn't work well in the early days (mid 90s), with the standard being implemented in different incompatible ways by different vendors. Some of that sentiment has carried over, which is why you find some networks where everything is forced. It's hidden because it was that way in m0n0wall, and we keep it that way because otherwise people will see it there and think it should be set, which in reality will just cause serious problems 99.999% of the time because people don't understand it and rarely deploy it properly. In the rare scenarios where it's needed, the config can be manually edited.

/rant induced by fixing way too many networks where people screw this up

Recommended reading:
http://www.sun.com/blueprints/0704/817-7526.pdf
http://en.wikipedia.org/wiki/Autonegotiation
[pfSense Support] config.xml decrytp ???
Is there a default password to decrypt the config.xml file in the latest 1.3AA? I recently updated 1.3Ax2 and now get prompted for a password to decrypt the config.xml, and if I CTRL-C out the box will only come up in single user mode. Any insight is greatly appreciated.
Re: Re: [pfSense Support] config.xml decrytp ???
Ok ... thanks for the update. I luckily save the config every time I make a change in the dev environment and was able to re-install via the latest ISO and restore the config ... all is well now. Thanks again!!!
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] config.xml decrytp ???
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 10-26-2008 10:54 am

On Sun, Oct 26, 2008 at 9:54 AM, DLStrout [EMAIL PROTECTED] wrote:
> Is there a default password to decrypt the config.xml file in the latest 1.3AA? I recently updated 1.3Ax2 and now get prompted for a password to decrypt the config.xml, and if I CTRL-C out the box will only come up in single user mode.

No, what you're seeing is a bug that made it into a few builds, you'll have to reinstall to get past this. Note these are the risks of running actively developed versions intended for developers only.
[pfSense Support] 1.3Ax2 question
Is there a special list/forum for 1.3 Alpha/Alpha questions ... just don't want to muddy the water here with alpha testing questions. Thanks!
[pfSense Support] Newest pfS 1.3AX2 error on VM1.0.5
Just a small this time through on ... pfSense-20080803-1138.iso.gz
/libexec/ld-elf.so.1: /usr/local/lib/php/20060613/xml.so: Undefined symbol XML_ParseCreate_MM
Just wanted to keep up with testing.
-- David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] 1.3 alpha2X on VMware server 1.0.5
Bill, Anyone, Would it be possible to get notified when you all feel this issue is resolved and ready for -re-testing?? I'd welcome the opportunity to dive into 1.3 A2X, but unfortunately we are short on standalone server hardware ... so VM is my only option now. -- David L. Strout Engineering Systems Plus, LLC
Re: [pfSense Support] Snort Install Missing
I was just wondering if there was something drastically broken in the latest release? Why the removal (just too far out of date?) I uninstalled on a test box and I can't even get it back in its old version/state ... is there a reason that the older version wasn't left available? Seems that older is better than nothing (unless of course drastically broken/flawed). Just wondering.
-- David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] 1.3 alpha2X on VMware server 1.0.5
Thanks for the update, will keep an eye out for them.
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
SUBJECT: Re: [pfSense Support] 1.3 alpha2X on VMware server 1.0.5
FROM: [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
DATE: 07-30-2008 7:00 pm

On Wed, Jul 30, 2008 at 6:26 PM, DLStrout wrote:
> Bill, Anyone,
> Would it be possible to get notified when you all feel this issue is resolved and ready for -re-testing?? I'd welcome the opportunity to dive into 1.3 A2X, but unfortunately we are short on standalone server hardware ... so VM is my only option now.

It's not specific to VMware, something is broken in 1.3 at the moment. The snapshots have been taken offline (well, covered with an index.html), check back on the snapshot server periodically to see when they're available again.
Re: Re: [pfSense Support] 1.3 alpha2X on VMware server 1.0.5
I see loads of errors when trying to configure interfaces/addresses. I can fire it up here in a bit and give you more details unless you've pinpointed the issue and need nothing from me. Just recalling ... seems they were references to foreach() calls in several *.inc files. Let me know if you want more particulars.

- Original Message -
SUBJECT: Re: [pfSense Support] 1.3 alpha2X on VMware server 1.0.5
FROM: [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
DATE: 07-29-2008 8:52 pm

I think you ran into something we just noticed ourselves yesterday.
--Bill

On Mon, Jul 28, 2008 at 5:40 PM, DLStrout wrote:
> et al,
> So I was inspired to dig into the newest Alpha2X 1.3 today and fired up the VM and was pleasantly greeted w/ an XML error:
> XML error: no pfSense object found!
> Any thoughts anyone???
> -- David L. Strout
> Engineering Systems Plus, LLC
[pfSense Support] IPsec VPN (Shrew) ?
I have been tinkering w/ the Shrew Soft VPN client and was wondering if there is any way (maybe I'm missing it) to set up IPsec clients to be DHCP over IPsec or IKE config pull/push clients? I see in the Shrew docs that this method is supported by the client, but I don't see any options for this setup in IPsec Mobile Clients in pfSense. From my experience w/ IPsec-Tools this is something that can be done, but (I'm guessing) it isn't part of pfSense yet. Is this a correct assumption? Are there any plans for these features (true IPsec roadwarrior gateway mode) in upcoming pfSense releases???
P.S. I am aware that OVPN will do this, but for this thread I am focusing on IPsec roadwarrior access.
Thanks in advance everyone!
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] IPsec VPN (Shrew) ?
Though this is a great idea (to test on 1.3) I/we aren't ready to put a 1.3 alpha2x box into production at this site, and have had several scathing emails this morning at the suggestion from me to do so (ah ha ha, -- go figure). I have had some issues getting 1.3 to run in a VMware environment and haven't allocated resources (stand-alone server) to this platform yet. For the immediate need I really need to stay focused on the 1.2 train, but certainly appreciate your suggestion and see some of the benefits of 1.3 just by the little work w/ it and following the threads so far. That all said, I am more than anxious to see 1.3 and all its many new features. It looks to be the best of the best so far and I can't wait for it to get a little further down the stability path, but thus far I can't justify to the powers that be to deploy 1.3 given its state of development (i.e. alpha-alpha).
SIDE NOTE: Anyone having issues running 1.3 on VMware w/ Ubuntu 6.06LTS as the host? I can start a separate thread if there is cause to.
Thanks again ALL !!!
DLStrout

- Original Message -
SUBJECT: Re: [pfSense Support] IPsec VPN (Shrew) ?
FROM: [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
DATE: 07-28-2008 9:53 am

This may be handled in the 1.3 codebase, but I'll let Matthew talk in detail as to the changes he's made to IPsec for 1.3. You might want to pull down a 1.3 snapshot and test, with the code having been more or less rewritten, it would be real nice to get some feedback on it.
--Bill
[pfSense Support] 1.3 alpha2X on VMware server 1.0.5
et al,
So I was inspired to dig into the newest Alpha2X 1.3 today and fired up the VM and was pleasantly greeted w/ an XML error:
XML error: no pfSense object found!
Any thoughts anyone???
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] SSL VPN
I've watched the stream all afternoon and just wanted to offer my .02 worth on the matter, as we have a rather large multi-VPN deployment with a mix of solutioning to fit the appropriate needs.

Point I: I agree whole-heartedly that if you are in control of the workstations/laptops abroad and the users have NO administrative rights to install or augment its OS/apps, then OpenVPN is a great RWA (road warrior access) method and works flawlessly on pfSense. We have a couple of dedicated VPN servers (RWA and S2S) sitting in a DMZ off from another heavy edge pfSense box; that way we have the granularity of policy (rules) to pare down what is accessed and what is not when the RWA client is auth'd and has connectivity. We also have it tailored to S2S (site to site) VPN connectivity (both IPsec and OVPN) so that all traffic and routing are choked via policy rules within the edge pfSense and a backend (behind the edge pfSense) router w/ simple ACLs. All of this can be accomplished quite easily w/ pfSense and some time spent on the mail lists to see how to set up multiple OVPN and IPsec connectivity.

Point II: For the untrusted client or the ones you don't manage and admin, you might consider a RDP solution ... i.e., have them auth and establish to a very restrictive pfSense OVPN server {in a controlled DMZ} and then ONLY allow RDP to a trusted and hardened term-server for the apps they need inside your network.

Point III: Ah yes, the SSL-VPN misconception ... well, browser-based VPN is all the rage and is certainly making justification of client-based IPsec VPN a toughER sell. It has its perks and it is without question an easy deploy, thus begging the question (like has been stated earlier in this stream): is the end-point to be trusted (and if not ... how do we mitigate)?

Another deployment we have here for those VERY few I couldn't sell on either of the two previous solutions was to grab a fairly cheap Netgear SSL312 off the net and put it in yet another dedicated VLAN/DMZ/security-zone, allow those few that had to have it connect, and then pare the access down with tried and true pfSense. You can also very easily, with some older hardware, ramp up an SSL-Explorer community edition (again ... as has been stated) and it should provide relatively the same feel for the end-user experience.

Conclusion: I would invest in a decent and fairly robust edge pfSense (hardware) and then make that your point of CONTROL (not termination) for VPN access. IMHO, it is a safe bet that if you lose a VPN server someday (and you probably will, due to hack, mis-config, client compromise, etc.) then you'll still have your main firewall intact and helping in control and mitigation.

Follow-on: All of the above is assuming you are doing this VPN design for a business. If we are talking SOHO then you can (and I have several such clients outside that are perfectly comfortable running the whole RWA and edge firewall on one box) ... pfSense is without question capable and ready for this task as well. As is the mantra out of the devs at pfSense ... home, SOHO, ROBO or enterprise ... pfSense can fit in all of these spaces very well and is riveted with features and accessories to meet just about any ACCESS task .. head-on! Again ... just my .02 worth. Regards, -- David L. Strout Engineering Systems Plus, LLC

- Original Message - SUBJECT: Re: [pfSense Support] SSL VPN FROM: [EMAIL PROTECTED] TO: [EMAIL PROTECTED] DATE: 07-08-2008 8:34 pm

On Tue, Jul 8, 2008 at 6:06 PM, Chris Buechler wrote: On 7/8/08, Bill Marquette wrote: With OpenVPN, you only have control of the client at time of install.
With the clientless solutions from Juniper, F5, et al, they usually have the ability to check the security of the environment they're running in, in some manner (antivirus running, up to date patches, firewall, etc). They can then grant or deny access based on that security - with OpenVPN, if the credentials are good, you get in. I won't argue the points as to which is better, or whether you should even have remote access to your network, just wanted to point out some missing information in your argument. Yeah none of the VPN options in pfSense currently offer any client side policy enforcement (patches accepted). Whether or not that's a concern depends on your environment. Personally, almost all the VPN deployments I've seen that have this capability do not use it for various reasons. It usually becomes a support nightmare when you allow personal workstations on your network. But it can easily be argued (to RB's points) that you shouldn't allow that in the first place. These solutions have a place, but it's usually mis-deployed to pretend to mitigate a security issue that is better solved with policy, education, and dollars spent giving your employees the tools they need to do their jobs instead of forcing them to use their own money to perform your work. --Bill
[pfSense Support] CP broken ??
I upgraded a pfS box over vacation to SNAP: 1.2-RC3 built on Sat Dec 29 09:06:06 EST 2007 and I have several users that are complaining (well, not complaining .. cheering actually) that they never get challenged for UN/PW. I just confirmed this with my WiFi laptop and sure enough ... no UN/PW prompt. I ran through the settings on the FW and nothing seems to have changed. I also stopped and restarted the lighttpd (CP) service and nothing! I wonder if anyone else has seen this CP issue? -- David L. Strout Engineering Systems Plus, LLC - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] CP broken ??
Another complexity seems to be that when I restart or stop/start the lighttpd service it chokes the webConfigurator (i.e., no web management service) and I have to restart the webConfigurator with shell option 11. Just an added FYI. -- David L. Strout Engineering Systems Plus, LLC - Original Message - Subject: [pfSense Support] CP broken ?? From: [EMAIL PROTECTED] To: support@pfsense.com Date: 01-04-2008 6:15 pm I upgraded a pfS box over vacation to SNAP: 1.2-RC3 built on Sat Dec 29 09:06:06 EST 2007 and I have several users that are complaining (well, not complaining .. cheering actually) that they never get challenged for UN/PW. I just confirmed this with my WiFi laptop and sure enough ... no UN/PW prompt. I ran through the settings on the FW and nothing seems to have changed. I also stopped and restarted the lighttpd (CP) service and nothing! I wonder if anyone else has seen this CP issue? -- David L. Strout Engineering Systems Plus, LLC
Re: Re: [pfSense Support] CP broken ??
I have tried everything I can think of to get CP to auth, but to no avail. It (lighttpd) seems to be running ...

# ps -ax | grep lighttpd
  643  ??  S      0:00.90 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
 5560  ??  S      0:00.13 /usr/local/sbin/lighttpd -f /var/etc/lighty-CaptivePortal.conf

I am hesitant to post the ipfw output as there are many global addresses I wouldn't imagine the client would want published publicly. Is there something I can look for and relay to you? I suppose I could do a global find and replace too, but that seems to defeat the purpose, I suspect. -- David L. Strout Engineering Systems Plus, LLC - Original Message - Subject: Re: [pfSense Support] CP broken ?? From: [EMAIL PROTECTED] To: support@pfsense.com Date: 01-04-2008 6:33 pm DLStrout wrote: I upgraded a pfS box over vacation to SNAP: 1.2-RC3 built on Sat Dec 29 09:06:06 EST 2007 and I have several users that are complaining (well, not complaining .. cheering actually) that they never get challenged for UN/PW. I just confirmed this with my WiFi laptop and sure enough ... no UN/PW prompt. I ran through the settings on the FW and nothing seems to have changed. I also stopped and restarted the lighttpd (CP) service and nothing! I wonder if anyone else has seen this CP issue? The only thing that's changed in CP in ages is the locking change to fix rule removal in high load environments. We put significant testing effort into that change, so I very much doubt it broke anything. Plus it's been in there for a while now and nobody has screamed, and there are some large production environments running the current code. Can you paste the output of ipfw show?
[pfSense Support] URL Aliases ?
Good evening all. Just wondering if there are any plans for URL aliases? I see that it was planned or has been introduced into the HEAD build but I am running 1.2 RC3. I have several users that I would like to restrict to several web sites ONLY and also apply a schedule (using the GREAT scheduler feature) to restrict their online time. P.S. I looked at/installed the SquidGuard package and tinkered w/ it for a couple of weeks, but didn't have very much luck getting it to work (stably/reliably). Any thoughts/updates are greatly welcomed. -- David L. Strout Engineering Systems Plus, LLC
[pfSense Support] RE: VIP/NAT Issues
Just wondering if this is a known issue, or is there anyone who might lend some advice? Should I submit a ticket on this issue? Has anyone been able to reproduce? Should I upgrade again to a more current build? Thoughts, suggestions, feedback?

- Original Message -

Has anyone experienced VIP/NAT issues w/ the current rel? 1.2-RC3 built on Wed Oct 10 05:44:26 EDT 2007

=== HERE'S THE SETUP ===

OPT1-[host=10.0.0.100]
  |
LAN--[net=192.168.1.0/24][pfSense=192.168.1.1/VIP=192.168.1.200]
  |
WAN--[net=x.x.x.x]

=== HERE'S THE VIP SETUP ===

<virtualip>
  <vip>
    <mode>other</mode>
    <interface>lan</interface>
    <descr>NAT VIP Address</descr>
    <type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>192.168.1.200</subnet>
  </vip>
</virtualip>

=== HERE'S THE NAT SETUP {EDITED} ===

<nat>
  <ipsecpassthru/>
  <advancedoutbound>
    <rule>
      <source>
        <network>10.0.0.100/32</network>
      </source>
      <sourceport/>
      <descr>TESTNET2LAN NAT</descr>
      <target>192.168.1.200</target>
      <interface>lan</interface>
      <destination>
        <address>192.168.1.0/24</address>
      </destination>
      <natport />
      <dstport />
    </rule>
    {LINES OMITTED}
  nat {LINES OMITTED}
  <rule>
    <external-address>192.168.1.200</external-address>
    <protocol>tcp</protocol>
    <external-port>5900</external-port>
    <target>10.0.0.100</target>
    <local-port>5900</local-port>
    <interface>lan</interface>
    <descr>Admin VNC2</descr>
    <nosync />
  </rule>

So, here is the issue: this setup has been working fine with the RC2 release, thereby allowing me to masq the 10.0.0.100 address as 192.168.1.200 for any work I had to do from the OPT1 network into the LAN network, and also allowing me to VNC into the 10.0.0.100 box with an address of 192.168.1.200.

Points for clarification:
- AON (auto NATting) is disabled, all NATting is manual.
- Policies/rules have not changed.
- Only change was upgrade to RC3 (see build date above)
- I know I can perform the same level of access through routing/policies, but that is NOT an option in this case (see below).

I know that is a little skewed, but the reason is beyond the scope of this email to describe; suffice it to say that it is an audit issue and HAS to remain this way so that access from the 10.0.0.100 host looks like 192.168.1.200 and vice-versa. Any thoughts? Need more info? Just ask. Thanks in advance.
[pfSense Support] VIP/NAT Issues
Has anyone experienced VIP/NAT issues w/ the current rel? 1.2-RC3 built on Wed Oct 10 05:44:26 EDT 2007

=== HERE'S THE SETUP ===

OPT1-[host=10.0.0.100]
  |
LAN--[net=192.168.1.0/24][pfSense=192.168.1.1/VIP=192.168.1.200]
  |
WAN--[net=x.x.x.x]

=== HERE'S THE VIP SETUP ===

<virtualip>
  <vip>
    <mode>other</mode>
    <interface>lan</interface>
    <descr>NAT VIP Address</descr>
    <type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>192.168.1.200</subnet>
  </vip>
</virtualip>

=== HERE'S THE NAT SETUP {EDITED} ===

<nat>
  <ipsecpassthru/>
  <advancedoutbound>
    <rule>
      <source>
        <network>10.0.0.100/32</network>
      </source>
      <sourceport/>
      <descr>TESTNET2LAN NAT</descr>
      <target>192.168.1.200</target>
      <interface>lan</interface>
      <destination>
        <address>192.168.1.0/24</address>
      </destination>
      <natport />
      <dstport />
    </rule>
    {LINES OMITTED}
  nat {LINES OMITTED}
  <rule>
    <external-address>192.168.1.200</external-address>
    <protocol>tcp</protocol>
    <external-port>5900</external-port>
    <target>10.0.0.100</target>
    <local-port>5900</local-port>
    <interface>lan</interface>
    <descr>Admin VNC2</descr>
    <nosync />
  </rule>

So, here is the issue: this setup has been working fine with the RC2 release, thereby allowing me to masq the 10.0.0.100 address as 192.168.1.200 for any work I had to do from the OPT1 network into the LAN network, and also allowing me to VNC into the 10.0.0.100 box with an address of 192.168.1.200.

Points for clarification:
- AON (auto NATting) is disabled, all NATting is manual.
- Policies/rules have not changed.
- Only change was upgrade to RC3 (see build date above)
- I know I can perform the same level of access through routing/policies, but that is NOT an option in this case (see below).

I know that is a little skewed, but the reason is beyond the scope of this email to describe; suffice it to say that it is an audit issue and HAS to remain this way so that access from the 10.0.0.100 host looks like 192.168.1.200 and vice-versa. Any thoughts? Need more info? Just ask. Thanks in advance. -- David L. Strout Engineering Systems Plus, LLC
RE: [pfSense Support] Squid package ?
Nice .. THANKS -- -- David L. Strout -- ENGINEERING SYSTEMS PLUS, LLC -- [EMAIL PROTECTED] -- -Original Message- From: Fuchs, Martin [mailto:[EMAIL PROTECTED] Sent: Thursday, July 19, 2007 12:23 PM To: support@pfsense.com Subject: Re: [pfSense Support] Squid package ? Use the squid logviewer lightsquid available as a package. From: David L. Strout [mailto:[EMAIL PROTECTED] Sent: Thursday, July 19, 2007 16:53 To: pfSense Support Subject: [pfSense Support] Squid package ? Is there a way to rotate logs within the squid package or in the underlying FBSD OS? I have a specific need to capture all internet web traffic for auditing purposes and I can't seem to find anything on this. Any thoughts?
RE: [pfSense Support] spoke and hub ipsec vpn?
This and other mail-list issues related to this NAT/routing/IPSec question beg the question: are there any plans to integrate NAT-T into pfSense? I see there has been some brief chatter on this in the past, but I was more looking for an update (if any) on what has been, or is being, done to integrate this great NAT/IPSec feature. Maybe this belongs on the feature request forum - sorry if so.
RE: [pfSense Support] spoke and hub ipsec vpn?
As an added note (for anyone interested in what I mentioned in the past mail), a couple of good articles on the FreeBSD NAT-T integration ... hope to see it in a future pfSense.

http://lists.freebsd.org/pipermail/freebsd-net/2005-August/007985.html
http://osdir.com/ml/network.ipsec.tools.devel/2007-01/msg00035.html

-Original Message- From: DLStrout [mailto:[EMAIL PROTECTED] Sent: Monday, July 16, 2007 4:41 PM To: support@pfsense.com Subject: RE: [pfSense Support] spoke and hub ipsec vpn? This and other mail-list issues related to this NAT/routing/IPSec question beg the question: are there any plans to integrate NAT-T into pfSense? I see there has been some brief chatter on this in the past, but I was more looking for an update (if any) on what has been, or is being, done to integrate this great NAT/IPSec feature. Maybe this belongs on the feature request forum - sorry if so. -- -- David L. Strout -- ENGINEERING SYSTEMS PLUS, LLC -- [EMAIL PROTECTED] --
RE: [pfSense Support] routing over IPsec tunnel
Interesting. I have tried opening up the IPsec policy to ANY ANY on both the pfS1/2 boxes. I still see the traceroute (ICMP) packets heading to INET from NET1 when tracing to a NET4 address. Maybe a combo of IPsec policies and static routes??? Not quite sure, not having any luck in trying different combinations of configs. -- -- David L. Strout -- ENGINEERING SYSTEMS PLUS, LLC -- [EMAIL PROTECTED] --

-Original Message- From: Matthew Grooms [mailto:[EMAIL PROTECTED] Sent: Saturday, July 07, 2007 2:30 AM To: support@pfsense.com Subject: Re: [pfSense Support] routing over IPsec tunnel

David Strout wrote: I have a need to set up the following topology at several locations connected via VPN tunnels.

NET1--RTR1--NET2--pfS1--{INET}--pfS2--NET3--RTR2--NET4
                        --IPsec TUNNEL--

NET1=10.10.10.0/24
NET2=192.168.100.0/24
NET3=192.168.200.0/24
NET4=10.10.20.0/24

I have a VPN tunnel nailed up between the two pfS boxes w/ NET2 and NET3 on the LAN side. The pfS1 box has a static route to NET1 via RTR1 and pfS2 has a static route to NET4 via RTR2. The default route on NET1 and NET4 is RTR1 and RTR2 respectively, and RTR1 has a next hop of pfS1 and RTR2's next hop is pfS2. So now that you have your mind wrapped around that, here's the problem. In order for NET1 hosts to reach NET3/4 hosts OR NET4 hosts to reach NET1/2 hosts, I am assuming there has to be some static routes on the pfS boxes. I added the following static route on pfS1:

10.10.20.0/24 {NET4} via 192.168.200.254 {RTR2's NET3 IP}

I added the following static route on pfS2:

10.10.10.0/24 {NET1} via 192.168.100.254 {RTR1's NET2 IP}

My assumption is that pfS1 knows about NET3 and pfS2 knows about NET2 via the tunnel. The problem is that when I traceroute from a host on NET1 to a host on NET4, pfS1 forwards the packets to the internet instead of sending them through the tunnel (and vice-versa from NET4 to NET1: pfS2 forwards the packets to the internet instead of through the tunnel).

I even added routes to RTR1/2 for the respective networks as well, just to test with, and still no go. I must be missing something simple here as I know that this can be done, as this is just packet routing. Maybe I haven't had enough coffee yet. Any thoughts are greatly appreciated!!!

Static routes won't get you there. Think of IPSEC policies as an alternate end-to-end routing table that is used to determine what traffic will be tunneled to a distant peer. You will need to define separate policies to process traffic between multiple local and distant private networks. In other words, the following policies would be required for your setup ...

NET1 - NET3
NET3 - NET1
NET1 - NET4
NET4 - NET1
NET2 - NET3
NET3 - NET2
NET2 - NET4
NET4 - NET2

-Matthew
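An added Python model of Matthew's point above (example code, not from the thread or from pfSense): the phase-2 selectors in the SPD, not the routing table, decide whether a packet is tunneled, so a static route pointing across the tunnel sends NET1-to-NET4 traffic out the WAN in the clear. Network names and router addresses follow the post; the host addresses, the CONNECTED/STATIC_ROUTES tables and the forward/route_lookup functions are constructed for illustration, and it goes beyond the thread by also showing the post-decapsulation hop where the static route to NET1 via RTR1 is still used.

```python
from ipaddress import ip_address, ip_network

# Addressing from the thread (pfS1 is the left-hand pfSense box); the
# host addresses used below are constructed for the demonstration.
NET1 = ip_network("10.10.10.0/24")     # behind RTR1, off pfS1's LAN
NET2 = ip_network("192.168.100.0/24")  # pfS1 LAN
NET3 = ip_network("192.168.200.0/24")  # pfS2 LAN
NET4 = ip_network("10.10.20.0/24")     # behind RTR2, off pfS2's LAN
RTR1_IP = ip_address("192.168.100.254")  # RTR1's NET2 address
RTR2_IP = ip_address("192.168.200.254")  # RTR2's NET3 address

# pfS1's view (constructed): directly connected segments and the static
# routes from the post. Anything else follows the default route out WAN.
CONNECTED = {"LAN": NET2}
STATIC_ROUTES = [
    (NET1, RTR1_IP),  # pre-existing: NET1 via RTR1
    (NET4, RTR2_IP),  # the route David added for NET4, pointing across the tunnel
]


def outbound_spd(local_nets, remote_nets):
    """Phase-2 selectors one peer needs: one policy per local/remote pair."""
    return [(loc, rem) for loc in local_nets for rem in remote_nets]


def required_policies(local_nets, remote_nets):
    """Both peers' selectors (each direction), i.e. Matthew's eight-entry list."""
    return outbound_spd(local_nets, remote_nets) + outbound_spd(remote_nets, local_nets)


def spd_match(spd, src, dst):
    """First policy whose selectors cover both src and dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in spd:
        if s in local and d in remote:
            return (local, remote)
    return None


def route_lookup(dst):
    """Longest-prefix match over STATIC_ROUTES; None means the default route."""
    d = ip_address(dst)
    best = None
    for net, gw in STATIC_ROUTES:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def forward(spd, src, dst):
    """Simplified pfS1 forwarding decision, returning (egress, encapsulation).

    The SPD is consulted on the packet's own src/dst before routing: a match
    means ESP to the peer. Otherwise the routing table decides, and a gateway
    that is not on a connected segment can only be reached via the default
    route, so the packet leaves WAN in the clear (what the traceroute showed).
    """
    if spd_match(spd, src, dst):
        return ("WAN", "esp")
    gw = route_lookup(dst)
    if gw is not None:
        for iface, net in CONNECTED.items():
            if gw in net:
                return (iface, "clear")
    return ("WAN", "clear")


if __name__ == "__main__":
    sparse = [(NET2, NET3)]                          # the original tunnel only
    full = outbound_spd([NET1, NET2], [NET3, NET4])  # pfS1 side of Matthew's list
    for spd, label in ((sparse, "NET2-NET3 only"), (full, "all local/remote pairs")):
        print(label, "NET1->NET4:", forward(spd, "10.10.10.5", "10.10.20.5"))
    # Return traffic that pfS2 tunnels to pfS1 is decapsulated and then routed,
    # which is where the static route to NET1 via RTR1 is still needed.
    print("decapsulated NET4->NET1:", forward(full, "10.10.20.5", "10.10.10.5"))
    for loc, rem in required_policies([NET1, NET2], [NET3, NET4]):
        print(f"policy {loc} - {rem}")
```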
Re: [pfSense Support] file modify request ...
NOTE: I wouldn't recommend trying to edit either of these 2 files through the [webConfigurator: Diagnostics: Edit File] screen. I ssh'd to the pfSense box, entered the shell and made the edits the old-fashioned way w/ 'vi'. Would it be possible to fix the following two files in the next update? /usr/local/www/diag_ipsec_sad.php /usr/local/www/diag_ipsec_spd.php
[pfSense Support] file modify request ...
Would it be possible to fix the following two files in the next update?

/usr/local/www/diag_ipsec_sad.php
/usr/local/www/diag_ipsec_spd.php

Here is what I came up with ... let me know if I am wrong.

== TYPE: File Modification
FILE: /usr/local/www/diag_ipsec_spd.php

LINE: 122
Original line:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/images/icon_<?=$sp['dir'];?>.gif [CLIP]
Should read:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/images/icons/icon_<?=$sp['dir'];?>.gif [CLIP]

LINE: 132
Original line:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/images/icon_x.gif [CLIP]
Should read:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif [CLIP]

LINE: 141
Original line:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/icons/icon_in.gif [CLIP]
Should read:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/images/icons/icon_in.gif [CLIP]

LINE: 148
Original line:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/icons/icon_out.gif [CLIP]
Should read:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/images/icons/icon_out.gif [CLIP]

== TYPE: File Modification
FILE: /usr/local/www/diag_ipsec_sad.php

LINE: 130
Original line:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/images/icon_x.gif [CLIP]
Should read:
[CLIP] <img src=/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif [CLIP]
Re: [pfSense Support] Attention users with ISO installation problems
Scott Ullrich wrote: Please try 0.79.4 and report back if you have had problems with previous LiveCD's. I have just done the update (0.79.2 to 0.79.4), and the first thing I noticed is that you lose all states in the table after the update reboot (i.e., all connections broken - http, IPSec, etc.). To get it running, I simply disabled IPSec and re-enabled it again ... voila, all was well (tunnels, shaping, etc.). P.S. This is a many-times-updated 0.68.x install. I have not tried the 0.79.2.iso as of yet.
Re: [pfSense Support] Avoid 0.70+ if you're using IPSEC
I am running 0.74.8 - had a little issue w/ the rules in porting the config backup, but all-in-all everything is stable. alan walters wrote: Have no probs with ipsec on 0.74.6 -Original Message- From: David Strout [mailto:[EMAIL PROTECTED] Sent: 15 August 2005 18:55 To: [EMAIL PROTECTED]; support@pfsense.com Subject: Re: [pfSense Support] Avoid 0.70+ if you're using IPSEC Does this also apply to versions? Say 0.71, 2, 3, 4 branches? -- David L. Strout Engineering Systems Plus, LLC - Original Message - Subject: [pfSense Support] Avoid 0.70+ if you're using IPSEC From: [EMAIL PROTECTED] To: support@pfsense.com Date: 08-15-2005 12:36 pm We've got a small bug in IPSEC since the introduction of Padlock. An update will correct this soon. So don't use these versions if you do IPSEC! Scott
[pfSense Support] 0.75.1 ISO .. Problems - lua results
/usr/local/bin/lua50c51 /usr/local/share/dfuibe_lua/main.lua dir.root=/FreeSBIE/ option.booted_from_install_media=true
[Fri Aug 12 15:50:31 2005] Loading configuration file '/usr/local/share/dfuibe_lua/conf/uinavctl.lua'...
BSD Installer started
Loading configuration file '/usr/local/share/dfuibe_lua/conf/cmdnames.lua'...
DFUI connection on tcp: successfully established
[Fri Aug 12 15:50:32 2005] `/FreeSBIE/sbin/sysctl -n hw.physmem` returned: 511139840
`/FreeSBIE/sbin/sysctl -n kern.disks` returned: ad0
Surveying Disk: ad0, 9.31G: 19386/16/63
Surveying Partition: 1: 63,19541025:165/true
[Fri Aug 12 15:50:33 2005] Surveying Subpartition on ad0s1: a: 0,13249569: 4.2BSD F=1024, B=8192
Surveying Subpartition on ad0s1: b: 13249569,2097152: swap F=0, B=0
Surveying Subpartition on ad0s1: c: 0,19541025: unused F=0, B=0
Surveying Subpartition on ad0s1: d: 15346721,4194304: 4.2BSD F=2048, B=16384
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
WARNING: couldn't open '/FreeSBIE/var/log/dmesg.boot'
/usr/local/bin/lua50: /usr/local/share/dfuibe_lua/lib/package.lua:415: bad argument #1 to `ipairs' (table expected, got nil)
stack traceback:
        [C]: in function `ipairs'
        /usr/local/share/dfuibe_lua/lib/package.lua:415: in function `enumerate_installed_on'
        /usr/local/share/dfuibe_lua/main.lua:143: in main chunk
        [C]: ?
^C
#

Scott Ullrich wrote: On 8/12/05, David Strout [EMAIL PROTECTED] wrote: Send me the messages. Scott
Re: [pfSense Support] Traffic Graphs
Is there a fix or a plan for a fix? ... and has anyone considered an RRDTools replacement such as ifGraph as an alternative to SVG? Bill Marquette wrote: Yup. IE 6 apparently doesn't love us. --Bill On 8/12/05, David Strout [EMAIL PROTECTED] wrote: Yes, I am running the WebGUI in https mode ... is this a known problem? -- David L. Strout Engineering Systems Plus, LLC - Original Message - Subject: Re: [pfSense Support] Traffic Graphs From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: 08-12-2005 12:10 am https? --Bill On 8/11/05, David Strout [EMAIL PROTECTED] wrote: Did I miss a post or are the traffic graphs still not working w/ 0.74.8? I have the current SVG 3.0.3 plug-in running w/ IE 6 -- David L. Strout Engineering Systems Plus, LLC
[pfSense Support] Noted bug in GUI .....
As per the BLOG, you want to know about any bugs uncovered in testing the current ALPHA version (0.73.0). I reported this in an earlier post but the issue remains: on the IPSec SPD page the delete and arrows still do not show up in either IE6 or Firefox 1.0.6. Just thought you should know, as per the request on the BLOG to flush out the bugs.
[pfSense Support] Multiple WAN IP addresses .....
Are there any plans for assigning multiple IP addresses to the WAN interface?
Re: [pfSense Support] pfsense shell accounts ???
Are these accounts allowed SSH remote access from a host on either the local LAN segment or an OPT segment (of course there is a rule in place to allow this)? I assumed that these were the passwords but I get failed authentication on both accounts and an error in the logs ..

sshd[791]: error: PAM: authentication error for root from 192.168.1.xxx (OPT/WLAN segment)
sshd[791]: error: PAM: authentication error for root from 192.168.100.xxx (LAN segment)

Scott Ullrich wrote: SSH: root / pfsense WEB: admin / pfsense On 7/29/05, DLStrout [EMAIL PROTECTED] wrote: Everyone, I am sure this question has been asked before, but I can't seem to find any reference in the mail-archive or the discussion-archive. What are the fresh-install passwords for the root and toor accounts?