Re: [pfSense-discussion] Dynamic DNS

2006-10-16 Thread Bill Marquette

Some dyndns providers require us to supply an IP, some don't.  I think
DynDNS isn't one of those, but it does allow us to enter an IP, which
we do - the only one we know.  FWIW, traffic sourced from pfSense will
always (for now) go out your primary WAN interface (the one with the
default route), regardless of what policy routing says.

--Bill

On 10/16/06, Stefan Tunsch <[EMAIL PROTECTED]> wrote:

I'm talking about the integrated dyndns client.

Luckily I installed the ADSL with the dynamic ip address on the WAN
interface...

How can I report an IP other than the WAN IP? I understand that in many
situations my configuration is the one most people will use, where there is
a router between pfSense and the Internet. In this scenario, reporting the
WAN interface IP makes absolutely no sense. I should be reporting the
router's public IP.

Of course, a solution might be to install the client software provided by
DynDNS on some other machine and route this traffic via an appropriate
firewall rule through my WAN interface. But doing it with pfSense would be
much cleaner.


Regards, Stefan



-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Monday, October 16, 2006 16:58
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] Dynamic DNS

The dyndns client only works at WAN interface and is always reporting the
WAN interface IP. We have code in the next version to do dyndns per interface.

Are you talking about the integrated dyndns client or a client that is
running inside your LAN on a workstation or server?

Holger
-Original Message-
From: Stefan Tunsch [mailto:[EMAIL PROTECTED]
Sent: Monday, October 16, 2006 4:26 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Dynamic DNS


Hi there!

I recently set up my first pfSense firewall into production.

I am using the load balancing feature. One of the two ADSL connections I'm
using has a dynamic IP address. The loadbalancing itself is working fine,
but I'm having trouble with the Dynamic DNS client set up.

I have created an account with DynDNS and set up pfSense accordingly.

The problem is that pfSense reports the IP address of the WAN interface
instead of providing the public IP of my router.

The second issue is that I don't want to "balance" this url from one
interface to the other. I want to use just one of the WAN interfaces I've
set up. Curiously, pfSense always checks the same interface, which is the
one where I have dhcp set up between WAN and the router.


Any comments on this would be appreciated.

regards.




--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.408 / Virus Database: 268.13.4/476 - Release Date: 14/10/2006






RE: [pfSense-discussion] Dynamic DNS

2006-10-16 Thread Holger Bauer
It only supports reporting its interface IP (which is in your setup already a 
natted IP behind another device). Either connect the pfSense directly to WAN or 
use dyndns at the host in front of you that is connected to the real wan or use 
a dyndns update client on LAN that frequently checks for the changed IP and 
sends its request out the appropriate wan by utilizing policy-based routing.

Holger

> -Original Message-
> From: Rainer Duffner [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 16, 2006 5:41 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Dynamic DNS
> 
> 
> Stefan Tunsch wrote:
> > I'm talking about the integrated dyndns client.
> >
> > Luckily I installed the ADSL with the dynamic ip address on the WAN
> > interface...
> >
> > How can I report an IP other than the WAN IP? 
> >   
> 
> 
> I think he said "next version".
> Or did I misread that?
> 
> Bear with them - they're probably going to have to take a 
> vacation, now 
> that the release is actually out
> ;-)
> 
> 
> 
> 
> cheers,
> Rainer
> 
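An added example, not part of the original thread and not pfSense's own code: the check an update client can make before reporting an interface address, covering both the NATed-interface problem and the "supply an IP or not" choice discussed above. It assumes a dyndns2-style endpoint and a provider that accepts an update without `myip`; the hostname and addresses are constructed samples.

```python
import ipaddress
from urllib.parse import urlencode

# dyndns2-style update endpoint (assumed here); hostnames and addresses used
# with this code are constructed samples.
UPDATE_ENDPOINT = "https://members.dyndns.org/nic/update"

# IPv4 ranges that are never reachable from the Internet as-is.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",   # RFC 6598 carrier-grade NAT
    "169.254.0.0/16",  # link-local
    "127.0.0.0/8",     # loopback
)]


def behind_nat(interface_ip):
    """True if the interface address cannot be the host's public address."""
    addr = ipaddress.ip_address(interface_ip)
    return any(addr in net for net in NON_ROUTABLE)


def plan_update(hostname, interface_ip, last_reported=None):
    """Return the update request to send, or None if nothing has to be sent."""
    if behind_nat(interface_ip):
        # Publishing this address would create a record nobody outside can
        # reach. Leave myip out so the provider records the source address it
        # sees, i.e. the public IP of whichever uplink carried the request.
        return {"url": UPDATE_ENDPOINT + "?" + urlencode({"hostname": hostname}),
                "myip": None}
    if interface_ip == last_reported:
        return None  # address unchanged, skip the request
    query = urlencode({"hostname": hostname, "myip": interface_ip})
    return {"url": UPDATE_ENDPOINT + "?" + query, "myip": interface_ip}


if __name__ == "__main__":
    # Constructed samples: a NATed WAN address and a directly connected one.
    for ip, last in (("192.168.1.2", None), ("203.0.113.10", "203.0.113.9"),
                     ("203.0.113.10", "203.0.113.10")):
        print(ip, "->", plan_update("home.example.org", ip, last))
```

Behind NAT the client cannot see when the public address changes, so the caller decides how often to send the `myip`-less request.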


Re: [pfSense-discussion] Policy Enforcement: Can pfSense beat it?

2006-10-16 Thread David W . Hess
I did a quick search on Cisco policy enforcement and apparently they have user
agents available for Windows and Linux systems.  You say Linux is exempt which
could be for any number of reasons and if so, I would expect BSD to also be
exempt but I would never count on consistency in policy from a college
information services department.

The more recent of these systems have been designed to deal with firewalls and
NAT with various degrees of success (hence the switch to user agents instead of
network scans) but whether your friend could use a BSD firewall to protect his
Windows system from detection depends on the details of what the college is
implementing.

I would think twice before attempting to disguise my Windows machine without
more information.  The use of external firewall devices is common enough however
that trying it as a matter of course should be safe and unremarkable.  pfsense
or m0n0wall should at the minimum just look like any other external NAT/firewall
device.

On Mon, 16 Oct 2006 01:02:20 -0700, you wrote:

>Hi everybody.
>A friend of mine recently informed me that his college is going to be adding 
>some "policy enforcement" devices (Cisco brand) to their network that will 
>push Symantec Security software onto all computers on the campus network. If 
>your computer doesn't meet the policy, it is denied internet access. 
>Linux computers are exempt from this for some reason (yeah *BSD != linux, I 
>know). 
>He doesn't want this Norton garbage pushed onto his PC, so he asked me if a 
>firewall like pfSense would stop this nonsense. However he says that the 
>machine must "look" like a Linux box to the campus "policy enforcement" device.
>
>My questions are: is pfSense immune to fingerprinting? Or can I alter the 
>values it reports back? 
>Also, do you think this would even work? (Would it trick the policy 
>enforcement and allow him access through it?)
>
>I ask because you are the experts. I no longer have the free time I once had 
>to research this myself (being a student also), so I am asking for the 
>knowledge that comes with experience in the field.
>
>I understand that this question is a little "out there" and highly off-topic; 
>my apologies if it belongs elsewhere.
>
>Thank you very much in advance.
>-a Rossi



Re: [pfSense-discussion] Dynamic DNS

2006-10-16 Thread Rainer Duffner

Stefan Tunsch wrote:

> I'm talking about the integrated dyndns client.
>
> Luckily I installed the ADSL with the dynamic ip address on the WAN
> interface...
>
> How can I report an IP other than the WAN IP?
  



I think he said "next version".
Or did I misread that?

Bear with them - they're probably going to have to take a vacation, now 
that the release is actually out

;-)




cheers,
Rainer


RE: [pfSense-discussion] Dynamic DNS

2006-10-16 Thread Stefan Tunsch
I'm talking about the integrated dyndns client.

Luckily I installed the ADSL with the dynamic ip address on the WAN
interface...

How can I report an IP other than the WAN IP? I understand that in many
situations my configuration is the one most people will use, where there is
a router between pfSense and the Internet. In this scenario, reporting the
WAN interface IP makes absolutely no sense. I should be reporting the
router's public IP.

Of course, a solution might be to install the client software provided by
DynDNS on some other machine and route this traffic via an appropriate
firewall rule through my WAN interface. But doing it with pfSense would be
much cleaner.


Regards, Stefan



-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 16, 2006 16:58
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] Dynamic DNS

The dyndns client only works at WAN interface and is always reporting the
WAN interface IP. We have code in the next version to do dyndns per interface.

Are you talking about the integrated dyndns client or a client that is
running inside your LAN on a workstation or server?

Holger
-Original Message-
From: Stefan Tunsch [mailto:[EMAIL PROTECTED]
Sent: Monday, October 16, 2006 4:26 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Dynamic DNS


Hi there!

I recently set up my first pfSense firewall into production.

I am using the load balancing feature. One of the two ADSL connections I'm
using has a dynamic IP address. The loadbalancing itself is working fine,
but I'm having trouble with the Dynamic DNS client set up.

I have created an account with DynDNS and set up pfSense accordingly.

The problem is that pfSense reports the IP address of the WAN interface
instead of providing the public IP of my router.

The second issue is that I don't want to "balance" this url from one
interface to the other. I want to use just one of the WAN interfaces I've
set up. Curiously, pfSense always checks the same interface, which is the
one where I have dhcp set up between WAN and the router.


Any comments on this would be appreciated.

regards.




 



RE: [pfSense-discussion] Dynamic DNS

2006-10-16 Thread Holger Bauer
The dyndns client only works at WAN interface and is always reporting the WAN 
interface IP. We have code in the next version to do dyndns per interface.

Are you talking about the integrated dyndns client or a client that is running 
inside your LAN on a workstation or server?

Holger
-Original Message-
From: Stefan Tunsch [mailto:[EMAIL PROTECTED]
Sent: Monday, October 16, 2006 4:26 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Dynamic DNS


Hi there!

I recently set up my first pfSense firewall into production.

I am using the load balancing feature. One of the two ADSL connections I'm 
using has a dynamic IP address. The loadbalancing itself is working fine, but 
I'm having trouble with the Dynamic DNS client set up.

I have created an account with DynDNS and set up pfSense accordingly.

The problem is that pfSense reports the IP address of the WAN interface instead 
of providing the public IP of my router.

The second issue is that I don't want to "balance" this url from one interface 
to the other. I want to use just one of the WAN interfaces I've set up. 
Curiously, pfSense always checks the same interface, which is the one where I 
have dhcp set up between WAN and the router.


Any comments on this would be appreciated.

regards.






[pfSense-discussion] Dynamic DNS

2006-10-16 Thread Stefan Tunsch



Hi there!

I recently set up my first pfSense firewall into production.

I am using the load balancing feature. One of the two ADSL connections I'm
using has a dynamic IP address. The loadbalancing itself is working fine,
but I'm having trouble with the Dynamic DNS client set up.

I have created an account with DynDNS and set up pfSense accordingly.

The problem is that pfSense reports the IP address of the WAN interface
instead of providing the public IP of my router.

The second issue is that I don't want to "balance" this url from one
interface to the other. I want to use just one of the WAN interfaces I've
set up. Curiously, pfSense always checks the same interface, which is the
one where I have dhcp set up between WAN and the router.

Any comments on this would be appreciated.

regards.


 


Re: [pfSense-discussion] Policy Enforcement: Can pfSense beat it?

2006-10-16 Thread Rainer Duffner

DarkFoon wrote:

> Hi everybody.
> A friend of mine recently informed me that his college is going to be 
> adding some "policy enforcement" devices (Cisco brand) to their 
> network that will push Symantec Security software onto all computers 
> on the campus network. If your computer doesn't meet the policy, it is 
> denied internet access.
> Linux computers are exempt from this for some reason (yeah *BSD != 
> linux, I know). 
> He doesn't want this Norton garbage pushed onto his PC, so he asked me 
> if a firewall like pfSense would stop this nonsense. However he says 
> that the machine must "look" like a Linux box to the campus "policy 
> enforcement" device.
>
> My questions are: is pfSense immune to fingerprinting? Or can I alter 
> the values it reports back?
> Also, do you think this would even work? (Would it trick the policy 
> enforcement and allow him access through it?)

The policy-enforcement probably only works with either some kind of 
agent already installed on the PC or via Windows Group Policies forcing 
the installation of such an agent.

It's impossible to fool such a system, IMO.

Maybe also some kind of captive portal that checks for the existence of 
the above.

Then, with a bridged pfSense, you might be able to do it.

> I ask because you are the experts. I no longer have the free time I 
> once had to research this myself (being a student also), so I am 
> asking for the knowledge that comes with experience in the field.

Trying to circumvent the policy is not a good idea. He should be 
positively sure that he can get away with it (e.g. because he "can't" be 
fired).




cheers,
Rainer



Re: [pfSense-discussion] Policy Enforcement: Can pfSense beat it?

2006-10-16 Thread sai

Nothing is immune to fingerprinting, but the Cisco device is probably
just looking for Windows boxes. If it isn't a Windows box then it
should ignore it. It might even recognise a BSD box and skip it.  If
all else fails he can just claim that it is Linux.

What is the Cisco device that is doing the checking?

sai

On 10/16/06, DarkFoon <[EMAIL PROTECTED]> wrote:



Hi everybody.
A friend of mine recently informed me that his college is going to be adding
some "policy enforcement" devices (Cisco brand) to their network that will
push Symantec Security software onto all computers on the campus network. If
your computer doesn't meet the policy, it is denied internet access.
Linux computers are exempt from this for some reason (yeah *BSD != linux, I
know).
He doesn't want this Norton garbage pushed onto his PC, so he asked me if a
firewall like pfSense would stop this nonsense. However he says that the
machine must "look" like a Linux box to the campus "policy enforcement"
device.

My questions are: is pfSense immune to fingerprinting? Or can I alter the
values it reports back?
Also, do you think this would even work? (Would it trick the policy
enforcement and allow him access through it?)

I ask because you are the experts. I no longer have the free time I once had
to research this myself (being a student also), so I am asking for the
knowledge that comes with experience in the field.

I understand that this question is a little "out there" and highly
off-topic; my apologies if it belongs elsewhere.

Thank you very much in advance.
-a Rossi


[pfSense-discussion] Policy Enforcement: Can pfSense beat it?

2006-10-16 Thread DarkFoon



Hi everybody.
A friend of mine recently informed me that his college is going to be adding
some "policy enforcement" devices (Cisco brand) to their network that will
push Symantec Security software onto all computers on the campus network. If
your computer doesn't meet the policy, it is denied internet access.
Linux computers are exempt from this for some reason (yeah *BSD != linux, I
know).
He doesn't want this Norton garbage pushed onto his PC, so he asked me if a
firewall like pfSense would stop this nonsense. However he says that the
machine must "look" like a Linux box to the campus "policy enforcement"
device.

My questions are: is pfSense immune to fingerprinting? Or can I alter the
values it reports back?
Also, do you think this would even work? (Would it trick the policy
enforcement and allow him access through it?)

I ask because you are the experts. I no longer have the free time I once had
to research this myself (being a student also), so I am asking for the
knowledge that comes with experience in the field.

I understand that this question is a little "out there" and highly
off-topic; my apologies if it belongs elsewhere.

Thank you very much in advance.
-a Rossi