Re: [pfSense-discussion] VLANs on dumb switches

2009-06-27 Thread Paul M
Eugen Leitl wrote:
> Thanks. It's a Netgear, so I might be in luck.

if you REALLY must do it, consider reducing MTU?

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense-discussion] clog size

2008-04-14 Thread Paul M
Scott Ullrich wrote:
> On 4/14/08, Scott Ullrich <[EMAIL PROTECTED]> wrote:
>> I have committed some code to help with this:
>>  
>> http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/usr/local/www/guiconfig.inc?rev=1.90.2.50;content-type=text%2Fx-cvsweb-markup
> 
> Woops, wrong URL:
> http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/usr/local/www/guiconfig.inc?rev=1.90.2.49;content-type=text%2Fx-cvsweb-markup

if clog is turned off, does it then use "tail -N" and look at a normal
log file instead of using clog to view?


Re: [pfSense-discussion] clog size

2008-04-14 Thread Paul M
RB wrote:
> I've had a request to increase logging duration on systems that have
> no access to an external syslog server, so am making the necessary
> changes to maintain much larger ring-log files.  Incredibly larger -

what we've done is to make a few tweaks and install syslog-ng

1/ change the system include file so that it starts syslog with "-b
127.0.0.1" so that it doesn't bind to an external IP.

2/ add some lines to /etc/rc.conf.local to make a restart of syslog also
bind only to localhost:
syslogd_enable="YES"
syslogd_flags=" -s -f /var/etc/syslog.conf -b 127.0.0.1"

3/ install syslog-ng and write config so that it does full logging to
local file system as well as copying to a main log server

3a/ pkg_add -r syslog-ng
3b/ config file is /usr/local/etc/syslog-ng/syslog-ng.conf
(if interested, I can provide ours after sanitisation)
3c/ make syslog-ng listen on, say, the sync interface or lan.

4/ add some lines to /etc/rc.conf.local to make sure that syslog-ng
starts up

5/ use the pfsense gui to tell it to log to the syslog-ng IP address

this "works for us", and the key thing is that apart from having to fix
the /etc/inc/system.inc file when upgrading pfsense (I offered the
diffs/patch, I think it might have been accepted), you don't have to
bend the system too far as you don't have to hack any other part of pfsense.


HTH
Paul
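As a worked example of step 3 (added here as an illustration; it is not the poster's sanitised config, which never appeared on the list), the following syslog-ng.conf receives the firewall's remote syslog stream from step 5 on the sync or LAN interface, keeps a full per-host daily log on the local disk, and relays a copy to the central log server. The addresses 10.0.0.2 (the interface syslog-ng listens on) and 10.0.0.100 (the main log server) are placeholders; the syntax is the source/destination/log form used by the syslog-ng port of that era, and newer 3.x releases additionally expect a leading @version line.

```conf
# Added example syslog-ng.conf for the setup described in the post.
# Placeholders: 10.0.0.2 = sync/LAN interface IP on the firewall,
#               10.0.0.100 = central log server.

options {
    use_dns(no);            # never do reverse lookups from a firewall
    keep_hostname(yes);     # trust the hostname field the firewall sends
    create_dirs(yes);
};

# Step 5 points the pfSense GUI's remote logging at 10.0.0.2; syslogd itself is
# bound to 127.0.0.1 (steps 1 and 2), so a second listener on the interface
# address does not collide with it.
source s_firewall {
    udp(ip(10.0.0.2) port(514));
};

# Full local copy, one file per host and day, so history survives when the
# central server is unreachable.
destination d_local {
    file("/var/log/syslog-ng/$HOST/$YEAR-$MONTH-$DAY.log" create_dirs(yes));
};

# Forward everything to the main log server as well.
destination d_central {
    udp("10.0.0.100" port(514));
};

log {
    source(s_firewall);
    destination(d_local);
    destination(d_central);
};
```

For step 4 the FreeBSD port's rc script is enabled with syslog_ng_enable="YES" in /etc/rc.conf.local (the variable name is the port's convention, assumed here rather than quoted from the post). The log directory grows without bound as written, so rotate it with newsyslog or let the central server be the long-term store.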


Re: [pfSense-discussion] ARP traffic causing routers to hang - ingle ARP cache with both LAN and WAN ARP entries?

2008-04-03 Thread Paul M
Tortise wrote:
> kernel: arp: unknown hardware address format (0x)
> kernel: arp: unknown hardware address format (0xdd1f)
> kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
> kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0

could it be you have two machines accidentally set up with the same IP -
perhaps broken DHCP? if you've got managed switches, can you check their
arp tables to see where those mac addresses live?

are you using vlans, and if so could you have accidentally joined them?
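The reply above reads the quoted kernel messages as a possible duplicate IP or joined VLANs. The following added script (not from the thread) shows how to triage a batch of those FreeBSD "arp:" kernel lines automatically: it groups every MAC and interface each IP has been seen with, reports IPs claimed by more than one MAC (duplicate address or rogue DHCP) and IPs answering on an interface other than the one the kernel expects (a sign of bridged or leaked VLANs). The sample log is constructed for the example and also includes the "moved from ... to ..." form that FreeBSD logs when a MAC changes on the same interface.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the FreeBSD kernel messages quoted in the thread.
SAMPLE_LOG = """\
Apr  3 10:01:02 fw kernel: arp: unknown hardware address format (0xdd1f)
Apr  3 10:01:03 fw kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
Apr  3 10:01:04 fw kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0
Apr  3 10:01:05 fw kernel: arp: 192.168.0.20 moved from 00:11:22:33:44:55 to 66:77:88:99:aa:bb on em1
Apr  3 10:01:06 fw kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "arp: <ip> is on <expected-if> but got reply from <mac> on <seen-if>"
WRONG_IF = re.compile(rf"arp: {IP} is on (\S+) but got reply from {MAC} on (\S+)")
# "arp: <ip> moved from <old-mac> to <new-mac> on <if>"
MOVED = re.compile(rf"arp: {IP} moved from {MAC} to {MAC} on (\S+)")
# Malformed ARP frames (wrong hardware type field) are counted, not attributed.
BAD_FORMAT = re.compile(r"arp: unknown hardware address format \((0x[0-9a-f]*)\)")


def analyse(log_text):
    """Return suspected duplicate IPs and wrong-interface replies from kernel arp lines."""
    claims = defaultdict(set)   # ip -> {(mac, interface the reply arrived on)}
    expected_if = {}            # ip -> interface the kernel has the IP routed on
    bad_format = 0
    for line in log_text.splitlines():
        m = WRONG_IF.search(line)
        if m:
            ip, expected, mac, seen_on = m.groups()
            expected_if[ip] = expected
            claims[ip].add((mac, seen_on))
            continue
        m = MOVED.search(line)
        if m:
            ip, old_mac, new_mac, iface = m.groups()
            claims[ip].add((old_mac, iface))
            claims[ip].add((new_mac, iface))
            continue
        if BAD_FORMAT.search(line):
            bad_format += 1

    findings = []
    for ip, pairs in sorted(claims.items()):
        macs = {mac for mac, _ in pairs}
        ifaces = {iface for _, iface in pairs}
        if len(macs) > 1:
            # Two hardware addresses answering for one IP: duplicate address,
            # mis-configured DHCP scope, or a host answering for another.
            findings.append(("duplicate-ip", ip, sorted(macs)))
        leak = ifaces - {expected_if[ip]} if ip in expected_if else set()
        if leak:
            # Replies arriving on an interface the IP should not be reachable
            # from: check for VLANs that have been bridged or trunked together.
            findings.append(("wrong-interface", ip, sorted(leak)))
    return {"findings": findings, "bad_format_frames": bad_format}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for kind, ip, detail in report["findings"]:
        print(f"{kind:16} {ip:16} {', '.join(detail)}")
    print("malformed ARP frames:", report["bad_format_frames"])
```

Feed it the output of `grep 'kernel: arp:' /var/log/system.log` from the firewall; a duplicate-ip finding is then checked against the switches' MAC tables, as the reply suggests, to locate the two ports involved.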



Re: [pfSense-discussion] SPAM / eMail Filtering

2008-03-31 Thread Paul M
Curtis LaMasters wrote:
> will still help.  Are there any SPAM/eMail filtering devoted projects

having been down this path at a company where we had 200,000 emails a
day of which 98% were spam, we gave in and used postini. the relative
cost of server hardware and the labour to manage them simply made a
third party more cost effective.

OTOH, if you want a complete mail package which integrates anti-spam,
Zimbra is quite nice, even our non-tech marketing people like the
webmail feature for when working remotely!



Re: [pfSense-discussion] Traffic shaper bug ?

2008-03-25 Thread Paul M
Jan Hoevers wrote:
> While not unwilling to donate to projects, this bounty thing is not for
> me because of a strict open source policy.

you could always buy a support contract, which is entirely different
from buying proprietary software.

sorry, but I think your understanding of OSS is flawed. for the best
explanation...

http://www.gnu.org/

What is Free Software?
“Free software” is a matter of liberty, not price. To understand the
concept, you should think of “free” as in “free speech”, not as in “free
beer”




Re: [pfSense-discussion] SIP Problems

2008-03-25 Thread Paul M
Jiri Mlady wrote:
> I've installed this package on my 1.2pfsense, the service siproxd is
> started, but in the services is stopped. Which way have i look please? 2nd.
> Question, is this proxy transparent or do I need set on all SIPaware device
> this proxy on my pfSense (if will work ad1) :-)

just a wild guess, but did you do anything to /etc/rc.conf.local or
similar files?



Re: [pfSense-discussion] freebsd 6.2 ports archive

2008-03-13 Thread Paul M
Scott Ullrich wrote:

>>  or, perhaps, should pfsense.org website keep a mirror for this purpose?
> 
> We are working on it: http://blog.pfsense.org/?p=179

freebsd is nice in that the paths to the files are the same on each
mirror, so hacking the hosts file made it work with no changes; the
equivalent path was this:

ftp://ftp.de.freebsd.org/pub/FreeBSD/releases/i386/6.2-RELEASE/

a bit of "wget -r" should suffice?


[pfSense-discussion] freebsd 6.2 ports archive

2008-03-13 Thread Paul M
Hi,
I was looking for the syslog-ng package to install on my pfsense boxes,
and discovered that the main freebsd site no longer has the ports for
that release - only 6.3.

I found the ftp.de.freebsd.org site still had it, so I did an evil hack
to the hosts file thus:
213.83.42.56    ftp.freebsd.org

and I was able to "pkg_add -r syslog-ng".

anyway, my point is that anyone wanting to play with pfsense1.2 release
and needs access to the ports might want to consider maintaining their
own archive of the freebsd downloads otherwise they'll lose out!

or, perhaps, should pfsense.org website keep a mirror for this purpose?

Paul



Re: [pfSense-discussion] pfSense / Time Service

2008-03-06 Thread Paul M
Eugen Leitl wrote:
> On Thu, Mar 06, 2008 at 02:53:19PM +0000, Paul M wrote:
>> RB wrote:
>>> Bwa ha ha!  Delicious, delicious irony!  I knew it was inevitable
>>> since Ryan had to read the thread at least once more before fixing
>>> things, but it was worth it to see this one come in.
>> has he fixed things?
> 
> Just forward his spam to [EMAIL PROTECTED] and [EMAIL PROTECTED]
> with full headers. 
> 
> If anyone on this list would start doing it, maybe his admins
> would wise up, and LART him.

shame SLTP never made it to a proper RFC
http://buffy.sighup.org.uk/hfiles/aeds.html



Re: [pfSense-discussion] pfSense / Time Service

2008-03-06 Thread Paul M
RB wrote:
> Bwa ha ha!  Delicious, delicious irony!  I knew it was inevitable
> since Ryan had to read the thread at least once more before fixing
> things, but it was worth it to see this one come in.

has he fixed things?

> 
> On 3/6/08, Ryan Neily <[EMAIL PROTECTED]> wrote:
>> Return Receipt
>>
>> Your document: RE: [pfSense-discussion] pfSense / Time Service
>>
>> was received by: [EMAIL PROTECTED]
>>
>> at: 03/06/2008 09:22:47 EST



Re: [pfSense-discussion] pfSense / Time Service

2008-03-06 Thread Paul M
RB wrote:
> No, really - I asked you once in private, now I ask you again in

I too have asked him privately. I suspect he's using Lotus Notes or
something equally horrible which cannot be configured sanely!

Can the list admin get the mail system changed to strip the recipient
request headers out?

> public: please turn off your foolish Outlook receipts.  It is
> ridiculous that we have to wade through your mail client's automated
> spew that just tells us you received/read a given message. Most of us
> really don't care (or actively dislike it), and you clutter stuff up
> by not being a good list citizen.
> 
> On 3/5/08, Ryan Neily <[EMAIL PROTECTED]> wrote:
>> Return Receipt
>>
>> Your document: [pfSense-discussion] pfSense / Time Service
>>



Re: [pfSense-discussion] Rules Default

2008-03-06 Thread Paul M
Jose Augusto wrote:
> Hi,
>  How pfsense work, begin with all ports closed? And then i open the
> necessary ports?

by default closed.

however, whatever rule set you choose to implement it, you should
a/ understand how to test it
b/ test it regularly

any security product, no matter how good, which is badly configured is
useless!


Re: [pfSense-discussion] using CARP as openvpn client source IP

2008-03-04 Thread Paul M
Fabio C Flores wrote:
> I wonder if its possible to force OpenVPN client to use my carp IP
> address as the source address when connecting. I have a


yes, in the NAT rules turn off auto outbound, and add a specific rule
for a host to be natted outbound to the specific CARP IP.


Re: [pfSense-discussion] suggestions for a decent hardware

2008-03-04 Thread Paul M
has anyone tried installing freebsd/pfSense on an AppleTV? you'd need a
vlan-aware switch to expand the number of network ports, but it's
compact, low power, commodity hardware... in the meanwhile I've asked
http://www.appletvhacks.net/



Re: [pfSense-discussion] CD-ROM + floppy

2008-03-04 Thread Paul M
Chris Buechler wrote:
> DarkFoon wrote:
>>> Yes.  just the config is kept on the floppy.
>>> 
>>
>> This means that the RRD graphs don't save across reboots, right?
>> And packages can't be installed. (well that's sort of obvious...)
>>   
> 
> Correct on both accounts.

is there any reason why the shutdown scripts couldn't copy the RRD files
and any .pkg's across to the secondary storage and reload on boot?


[pfSense-discussion] internal load balancer doesn't return traffic to originator

2008-02-11 Thread Paul M

scenario: two machines, on (A) 10.x.x.11 and (B) 10.x.x.12 run web
servers on port 1024 which are made available to the world via public IP
on port 80 by a pfsense firewall (F) (1.2RC4) running a load balancer.
the internal IP of the firewall is 10.x.x.254.

an application which runs on the 10.x.x.11,12 and others wishes to
connect to the web server pool.

nat reflection doesn't work, so we thought we could run a load balancer
on the firewall's internal IP address. however, this doesn't work.

using tcpdump on A, we see the firewall connecting to the web and the
packets being returned normally, everything OK.

using tcpdump on F, we can see the packets arrive on the firewall
heading for 10.x.x.254:80, and go off to the web server on port 1024,
and come back to the firewall. the firewall doesn't then send the
packets back to the host which originated the connection.

firewall logs indicate the connection is being permitted from A to A, no
indication of anything being refused!


is what we are trying to do sensible, i.e. to use a load balancer on the
*inside* of our network to allow callbacks to a webapp to be made resilient?

thanks
Paul


[pfSense-discussion] 1.2RC5 or release

2008-02-11 Thread Paul M
Hi,
given the number of minor bug fixes, will we be seeing a 1.2RC5
variant sometime, or is the next step a full release?

thanks
Paul


[pfSense-discussion] prioritising ACKs

2008-02-05 Thread Paul M
I came across this, an interesting idea for improving throughput, works
on openBSD, wondering if it can be done on pfsense/freebsd?

http://www.benzedrine.cx/ackpri.html


thanks


Re: [pfSense-discussion] bogons update issue

2008-02-04 Thread Paul M
Jan Hoevers wrote:
> I'm running the embedded version of pfSense on a Soekris 4801.
> 
> 1. The script starts with sleeping a random interval. This caused it to
> abort with a 'od: command not found' message. Apparently the od command
> is missing on the embedded platform, and I worked around this by
> commenting out the random interval sleep.


hmm, yes, the non-embedded 1.2rc4 suffers this too... as a quick hack I
just created a /bin/od script which does "echo 10".. Scott's fix to the
URL allowed the rest to work.





Re: [pfSense-discussion] which VPN client?

2008-01-24 Thread Paul M
Ronald L. Rosson Jr. wrote:
>> On my linux box, I can set my resolv.conf to the office's resolver (we
>> have internal DNS which points everything to rfc1918 addresses) and it
>> all works just fine!
>> On OSX boxes, I can change resolv.conf but it doesn't seem to take
>> effect  :-(
> I have found this script and it works without any issue for OSX and
> tunnelblick.
> 
> http://openvpn.net/archive/openvpn-users/2006-10/msg00120.html

thanks for that, I shall give it a go.


Re: [pfSense-discussion] which VPN client?

2008-01-18 Thread Paul M
one last thing, has anyone made the openvpn client automatically fix the
DNS resolver settings on the client?

I can't get this to work  :-(
so people working from home have to know IP addresses


On my linux box, I can set my resolv.conf to the office's resolver (we
have internal DNS which points everything to rfc1918 addresses) and it
all works just fine!
On OSX boxes, I can change resolv.conf but it doesn't seem to take
effect  :-(


thanks again
Paul


Re: [pfSense-discussion] which VPN client?

2008-01-17 Thread Paul M
Paul M wrote:
>> I am using the OpenVPN GUI v1.0.3 from the link below and I have also


I checked my colleague's version and he was running the older "stable"
release, got him to upgrade and also got openvpn to delete and re-add
the tunnel interface, and it now works (not sure which action solved it)

thanks for taking time to discuss this with me!

Paul


Re: [pfSense-discussion] which VPN client?

2008-01-17 Thread Paul M
Curtis LaMasters wrote:
> Paul,
> 
> I am using the OpenVPN GUI v1.0.3 from the link below and I have also
> included a copy of my client side configuration file on the Vista laptop.

OK, well, I (reluctantly) booted up vista on my computer which didn't
have OV installed so that I could do it from scratch, and followed the
instructions to the letter... and basically it worked (once I remembered
that my linux box at home was using it, and killed that connection!)

So, I conclude that it's something wrong with my colleague's vista
install! And, with relief, I can shutdown my vista install again,
shudder quietly, and boot linux! :-D

Oh, one thing.. each openvpn user has a dedicated OV daemon (different
port) on the vpn server, so that I can have very tight control over what
they're doing.

> ##c:/program files/openvpn/config/vpn.domain.com.ovpn
> float
> client

I don't have either of the above two lines in the config(s), either on
the linux box or vista box, didn't stop it working though.


> dev tun
> dev-node openvpn
> proto tcp-client
> remote xx.xx.xx.xx 1194

each user has an ifconfig line thus:

ifconfig 10.xx.yy.2 10.xx.yy.1

> route-method exe

I've also got:
route-delay 2

as recommended elsewhere

> persist-tun
> persist-key

yup

> ca ca.crt
> cert client1.crt
> key client1.key
> ns-cert-type server
> tls-client

am using shared key, each user has their own key, each openvpn daemon is
thus specific to each user

> comp-lzo

yup, need same setting at both ends

> ping 10

I'm using this:
keepalive 10 60
instead of ping.

> pull

not using pull

> verb 4

have verb 3 which is sufficiently detailed

> 
> http://www.openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe

I'll double-check my colleague's install.

thanks again


Re: [pfSense-discussion] which VPN client?

2008-01-16 Thread Paul M
Curtis LaMasters wrote:
> Paul,
> 
> Sorry to keep nagging on this one, but, are you using the OpenVPN gui or

no, I'm very glad to have your help.

> the normal version?  And what version of the software are you using?

my colleague is using the openvpngui as downloaded from
http://openvpn.se/ which comes with an openvpn binary.


hmm, that's quite an old version of the openvpn binary, isn't it?



Re: [pfSense-discussion] which VPN client?

2008-01-16 Thread Paul M
Curtis LaMasters wrote:
> Paul, are you using Vista UAC? Logged in as a super user? Pushed down
> full control security permissions on the entire OpenVPN directory for
> the user you are logged in as?

er, yes, UAC was enabled so I did run-as-admin the openvpngui

when connected, the vpn gui raised no errors. "netstat -rn" indicated
the correct routes were created! Yet no traffic flowed.

Used "tcpdump -l -n -i tun0" on the vpn server and I could see the vpn
client ping the server's end of the tunnel but no other traffic came
down it!

Paul


Re: [pfSense-discussion] which VPN client?

2008-01-16 Thread Paul M
Curtis LaMasters wrote:
> Paul,  for your vista clients, on the client side, you'll need to change
> the route method to exe.  If you look at your logs more closely, you'll
> see that the route additions most likely are failing.

yes, I did try the route/exe method, sorry, I should have quoted the
section from the site below where it says to start the vpngui as
administrator and do the route stuff:
> the tunnel (despite trying the hacks at
> http://www.ctunion.com/node/226), so if anyone HAS made vista openvpn
> work, do shout!

so, it should work, so I'll try something else; this is a colleague's
computer so I don't know if he has done something weird!

thanks
Paul


Re: [pfSense-discussion] which VPN client?

2008-01-16 Thread Paul M
Eugen Leitl wrote:
> What are the current recommendations for an easy/cheap/free VPN
> client which plays well with PfSense 1.2RC3? Something that
> works both with Vista and XP? Should I at all bother with 
> IPsec, or just go OpenVPN? Should I just give my user a preconfigured

openvpn has been working pretty well for me, using linux, OSX and
WindowsXP clients;

we can't get Vista to work presently - despite all the routes being
correct the vista box doesn't send any traffic to the remote network via
the tunnel (despite trying the hacks at
http://www.ctunion.com/node/226), so if anyone HAS made vista openvpn
work, do shout!

Paul


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-24 Thread Paul M
Bill Marquette wrote:
>> or others that could make use of mechanisms like dynamic allocation of port.
> That could cause you problems potentially.  But would be no different
> in any other firewall that didn't already understand your protocol.  I
> regularly force vendors to redesign their applications to not use
> dynamic ports at work, it's a stupid design and really, there's zero
> reason to do it (other than sheer laziness on the developers side - or
> pissy legacy reasons when it comes to FTP, which is still not a good
> excuse IMO).

java RMI being one major PITA!

we've developers working from home and trying to get their openvpn
connections working was a massive PITA.


developers being developers seem to think that security considerations
can be swept aside to let them do whatever they "need" to do.




Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-20 Thread Paul M
Paolo Gentili wrote:
> > your thoughts or experiences about  how much trust can i have on pfsense


we've got seven boxes doing pfsense - three pairs of 1U servers as
firewall clusters protecting public facing web services, and one acting
as a VPN concentrator for "road warriors". we rely on carp and the load
balancer to give resilience.

when one machine "threw a disk", it took less than half an hour to
restore functionality.

all are 1.2RC3, some began as 1.2rc2.

we considered Astaro during early eval, but it would have been expensive
to have so many boxes, so we'd have had to compromise on the design of
our network, pfsense has thus made it possible to adopt a much more
flexible solution.

Paul




Re: [pfSense-discussion] Beginner's Tutorial

2007-12-17 Thread Paul M
jason whitt wrote:
> download iso burn to cd install set interfaces go to lan ip address
> login with default login admin/pfsense go from there.

I'd add, if you've got an existing network with its own DHCP server,
don't plug in the LAN port until you've fully installed pfsense and
disabled its DHCP server!



Re: [pfSense-discussion] 1.2-RC3 released!

2007-11-08 Thread Paul M
Paul M wrote:
> David Bottrill wrote:
>> Paul M wrote:
>>
>>> p.s .any chance of an upgrade image for those of us who installed it on
>>> a regular x86 server?
>>>
>> Go to the downloads page an click on updates you need:
> 
> d'oh, I was looking in the main download area. thanks.
> 
> meanwhile, I noticed many of the mirrors are not doing too well so I
> reported them

some of the update mirrors are no good either.. in fact the downloads
are pretty slow. I would volunteer to help host, but I saw in the wiki
somewhere that pfsense team say they don't need any more mirrors - you
don't, you need better ones!



Re: [pfSense-discussion] 1.2-RC3 released!

2007-11-08 Thread Paul M
David Bottrill wrote:
> Paul M wrote:
> 
>> p.s .any chance of an upgrade image for those of us who installed it on
>> a regular x86 server?
>>
> Go to the downloads page an click on updates you need:

d'oh, I was looking in the main download area. thanks.

meanwhile, I noticed many of the mirrors are not doing too well so I
reported them

> 
> pfSense-Full-Update-1.2-RC3.tgz
> 
> I installed this earlier today and it upgraded my system without any issues.

thanks for that feedback.


Re: [pfSense-discussion] 1.2-RC3 released!

2007-11-08 Thread Paul M
Paul M wrote:
> Chris Buechler wrote:
>> http://blog.pfsense.org/?p=152
>>
> 
> great work, thanks to everyone involved for making this really useful
> package.

p.s .any chance of an upgrade image for those of us who installed it on
a regular x86 server?

thanks


Re: [pfSense-discussion] 1.2-RC3 released!

2007-11-08 Thread Paul M
Chris Buechler wrote:
> http://blog.pfsense.org/?p=152
> 

great work, thanks to everyone involved for making this really useful
package.


Re: [pfSense-discussion] Via LAN drivers

2007-10-29 Thread Paul M
sai wrote:
> Realtek and Via ethernet interfaces are supported and are used by many
> on this list, but the hardware and the drivers are not as good as the
> Intel ethernet.

especially realtek's! We have a machine or two with realtek giga, and
they simply cannot achieve anything like theoretical maximum gigabit
throughput - just google for "realtek performance problem" or similar.

so why are they so popular? very cheap to embed, and most people don't
know the difference when they buy their desktop PC.


Re: [pfSense-discussion] Cacti Template

2007-10-25 Thread Paul M
Ronald L. Rosson Jr. wrote:
> Has anyone come across or developed a template for pfsense firewalls to
> be polled by a Cacti server. Any information is helpful.

dunno about cacti, but I got munin (node) to work quite happily using
freebsd ports, so if there's a cacti in the freebsd port, you might try
that.


[pfSense-discussion] mirroring pfsense

2007-10-15 Thread Paul M
Being a n00b to freebsd, I needed step by step instructions... everyone
here is probably way ahead of me, but just in case...

I found the following instructions worked perfectly for me to mirror the
disks on my firewalls:

http://www.onlamp.com/pub/a/bsd/2005/11/10/FreeBSD_Basics.html


I'm using Tyan GT20 boxes with intel core2duo processors, on-board SATA
controllers.


Paul


Re: [pfSense-discussion] any plans to implement smtp spam filter/ clam av?

2007-09-19 Thread Paul M
ryn jackson wrote:
> just wanted to know if there were any plans to implement an smtp proxy 
> package that could do spam filtering and email greylisting/blacklisting. act 
> as a tarpit etc.
> 
> also possibly clamav as well?
> 

could you not install these from freebsd ports?


Re: [pfSense-discussion] noob question

2007-09-19 Thread Paul M
Zied Fakhfakh wrote:
> Hello everybody,
> 
> I'm just starting with pfSense, and I have a couple of questions
> 
> - is there any logout button from the web interface ?

it uses basic authentication, so you have to close browser (FYI, it's a
long running bug/issue with firefox/mozilla to be able to forget the
password and thus logout). I guess somebody might like to rewrite it to
use cookies and thus have a logout function if they really cared?

> - how can I install third party softwares, like squid, on pfSense

it's freebsd based so you can use 'ports'. I installed munin from ports
and it works pretty well.


Re: [pfSense-discussion] noob question

2007-09-19 Thread Paul M
Paul M wrote:
> Zied Fakhfakh wrote:
>> Hello everybody,
>>
>> I'm just starting with pfSense, and I have a couple of questions
>>
>> - is there any logout button from the web interface ?
> 
> it uses basic authentication, so you have to close browser (FYI, it's a
> long running bug/issue with firefox/mozilla to be able to forget the
> password and thus logout). I guess somebody might like to rewrite it to
> use cookies and thus have a logout function if they really cared?
> 
>> - how can I install third party softwares, like squid, on pfSense
> 
> it's freebsd based so you can use 'ports'. I installed munin from ports
> and it works pretty well.

oops, I meant munin-node, the client, and hacked up a 'ping' plugin so I
can get an idea of latency from our firewall cluster to the outside world.

if you've not encountered munin, it's great!
http://munin.sourceforge.net/


Re: [pfSense-discussion] transient network drops

2007-08-29 Thread Paul M
Eugen Leitl wrote:
> On Wed, Aug 29, 2007 at 02:33:45PM +0100, Paul M wrote:
>> Eugen Leitl wrote:
>>
>>>  wan-pfsense-lan
>>>  |
>>>  switch1--diverse hosts
>>>
>>> what's interesting is that I have transient outages to *some* IPs
>>> (it could be just one IP, actually). I can still ping that IP locally
>> is your switch manageable? can you turn logging on it? can you look up
> 
> The gateway switch is a Netgear GS724T, the second switch is HP ProCurve.
> Logging, as in redirecting traffic to a sniffer port, and capture
> all traffic there?

logging, as in getting the managed switch to send syslog messages to a
server and seeing if it reports any errors. I don't know procurves, but
in cisco it's fairly straight forward... add this to config for example:

logging facility local5
logging 10.0.0.2

> The hoster advised doing an mtr, which I will do once the host
> drops offline again.

yeah, also check arp table on the disappearing host
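Once the switch is sending syslog to a server as described above, the useful next step is to sift those messages rather than read them by hand. The added script below (an illustration, not something from the thread) parses Cisco IOS-style syslog lines of the form %FACILITY-SEVERITY-MNEMONIC, lists everything at or above a chosen severity, counts link-down events per port so a flapping port stands out, and collects MAC-flap notices, which are the switch's own way of reporting a host seen on two ports at once. The log lines and the 10.0.0.5 switch address are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of Cisco IOS syslog lines as received by a syslog server.
SAMPLE_SWITCH_LOG = """\
Aug 29 14:31:02 10.0.0.5 12: *Aug 29 14:31:01.991: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
Aug 29 14:31:03 10.0.0.5 13: *Aug 29 14:31:02.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down
Aug 29 14:31:09 10.0.0.5 14: *Aug 29 14:31:08.512: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
Aug 29 14:31:10 10.0.0.5 15: *Aug 29 14:31:09.512: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
Aug 29 14:32:40 10.0.0.5 16: *Aug 29 14:32:39.100: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
Aug 29 14:40:00 10.0.0.5 17: *Aug 29 14:39:59.300: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.cd1c.141a in vlan 1 is flapping between port Gi0/7 and port Gi0/12
Aug 29 14:41:00 10.0.0.5 18: *Aug 29 14:40:59.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: free text (severity 0 = most serious)
MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
IFACE = re.compile(r"Interface (\S+), changed state to (up|down)")


def triage(log_text, max_severity=3):
    """Summarise switch syslog: errors at or above a severity, link-downs per port, MAC flaps."""
    errors = []
    link_downs = Counter()
    mac_flaps = []
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        sev = int(m["sev"])
        if sev <= max_severity:
            errors.append(f"{m['facility']}-{sev}-{m['mnemonic']}: {m['text']}")
        if m["facility"] == "LINK" and m["mnemonic"] == "UPDOWN":
            i = IFACE.search(m["text"])
            if i and i.group(2) == "down":
                link_downs[i.group(1)] += 1   # repeated downs on one port = flapping link
        if m["mnemonic"] == "MACFLAP_NOTIF":
            mac_flaps.append(m["text"])        # host seen on two ports: loop or duplicate MAC
    return {"errors": errors, "link_downs": dict(link_downs), "mac_flaps": mac_flaps}


if __name__ == "__main__":
    report = triage(SAMPLE_SWITCH_LOG)
    print("errors:")
    for e in report["errors"]:
        print("  ", e)
    print("link-down count per port:", report["link_downs"])
    print("MAC flap notices:", report["mac_flaps"])
```

With the "logging facility local5" line from the post, the receiving syslogd can be told to put local5 into its own file, and that file is what this script is pointed at; the severity threshold of 3 (errors and worse) is the default here and can be lowered to 5 to include the LINEPROTO notices.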


Re: [pfSense-discussion] transient network drops

2007-08-29 Thread Paul M
Eugen Leitl wrote:

>  wan-pfsense-lan
>  |
>  switch1--diverse hosts
> 
> what's interesting is that I have transient outages to *some* IPs
> (it could be just one IP, actually). I can still ping that IP locally

is your switch manageable? can you turn logging on it? can you look up
the mac of the missing host (also check arp table on pfsense)?



Re: [pfSense-discussion] full instalation on 4 GB SSD

2007-08-29 Thread Paul M
Eugen Leitl wrote:
> I was thinking a real 2.5" SSD would have a MTBF comparable to a
> real hard drive (SanDisk claims 2 Mh MTBF, can't find any such
> for Hama SSD, which is a bargain at about 100 EUR for 4 GByte,
> which probably already answers my question).


I think that "proper" ssd units designed to replace a regular magnetic
hard drive have to have very sophisticated wear-levelling algorithms,
and probably have an intermediate store for written data, e.g. some
battery-backed SRAM or non-wearable memory.


By ensuring you mount the drive "noatime" and "async"
you can reduce the number of writes; mounting everything except
/var/log as read-only would enforce no writing. Perhaps put /var/log
into a ram disk, rotate logs frequently and rsync them to flash would
help too. However, this is speculation on my part as I've never created
my own unix/linux flash based system (although I do have a zaurus, but
rely on the distro creators to solve the problem!).

BTW I've seen very few reports of people having problems with the
microdrive in their zauruses which take the 4 or 6GB drives, but people
who've replaced their microdrives with CF cards report early failures!

Paul


Re: [pfSense-discussion] acx100 and 1.2 beta

2007-08-07 Thread Paul M
Marius Schrecker wrote:
> Hi,
> 
>   I'm currently running 1.0.1 (developer) with the acx100 native driver
> from kewl.org which I compiled using the recommended patch.  Works okay,
> but I remember it being quite a bit of work.
> 
> What's the status on this driver in 1.2? Will it be built-in, or easier to
> compile, or is there a procedure for using ndiswrapper for this.


I guess the only way to find out is to try the live CD version!



[pfSense-discussion] atmel avr port of pfsense?

2007-07-31 Thread Paul M
http://www.linuxdevices.com/news/NS2837651365.html
"32MB of SDRAM and 16MB of flash, expandable via an SD-card slot."

is this a powerful enough board to run a minimal pfsense system?




[pfSense-discussion] munin and pfsense (freebsd)

2007-07-30 Thread Paul M

I have found munin (http://munin.projects.linpro.no/) to be an excellent
server monitoring tool

Is anyone using it on pfsense?

I found that the freebsd how-to worked perfectly
http://www.freebsdmadeeasy.com/tutorials/web-server/monitoring-with-munin.php

it appears to hang  after printing
 Initializing plugins..

but after a while it finished and it worked fine...

the only thing I can't get to work is the SMART disk plugin... does anyone
have this working?

thanks
Paul



Re: [pfSense-discussion] segfaulting 1.2-beta1 - was Re: [pfSense-discussion] wiki signups

2007-07-27 Thread Paul M
Andrew C Burnette wrote:
> Paul M wrote:
>> I am using tested hardware: a single core2duo with 2GB memory on Tyan
>> motherboard with pairs of 250G sata  (memo to self, discover how to do
>> mirroring).
> nice -n- peppy I bet.

it was actually one of the lowest spec machines our supplier could
provide - I think each was about GBP700 (US$1400).

> My PIII 550Mhz w/ 512Mbytes of old sdram on a lousy i810 chipset barely
> sweats at 30Mbps and 6k connections. :-)  I would rate pfsense (and of

I think ours is more than a bit overspecced - with four giga nics and a
100baseT for sync (the tyan has twin gigas and the 100baseT) it should
be enough to handle most things... all the servers are gigE, and with a
pair of Cisco 3560E to provide internal wire-speed giga switching should
allow us to pump a lot of data around!

> Good idea is to pop in Intel nic cards. (shhh, big secret, they sell
> 'server cards' with identical everything for 2x-3x the price, so buy the

I found that twin PCI-X gigE's are a bit pricey, whether IBM/broadcom or
Intel, GBP150 (US$300), but since the firewalls are 1U there's only one
card slot.

Oh yeah, I booted linux and disabled power management on the
motherboard's nics which caused us a lot of grief on similar boxes when
running linux:
http://e1000.sourceforge.net/wiki/index.php/Issues#82573.28V.2FL.2FE.29_TX_Unit_Hang_messages

> Also helps to have last year's motherboard chipset, as the newly
> released ones take a couple minor revs to be stable in some cases.

indeed!



Paul


[pfSense-discussion] segfaulting 1.2-beta1 - was Re: [pfSense-discussion] wiki signups

2007-07-26 Thread Paul M
Chris Buechler wrote:
> I'll send you an email in a minute. Anybody that wants an account is
> going to have to email me, way too few contributors and too many
> spammers to open registration back up.

cheers!

> If you're seeing kernel panics "all the time", you have hardware issues.
> Or if you were just seeing them while changing configuration, there was
> a known CARP issue a while back that caused kernel panics when you
> disabled CARP interfaces. Aside from that, which has been fixed, you now
> shouldn't ever see kernel panics on reliable hardware.

changing to 1.2-RC1 changed it to being pretty solid, only had one
reboot.  it also 99% resolved a problem with not recognising a USB
keyboard at all unless replugged.

the old 1.2-beta1 was terrible when I set up CARP, it was fine up till
that point and immediately became so bad I'd given up, then along came
RC1 and now I am pretty much sold.

I am using tested hardware: a single core2duo with 2GB memory on Tyan
motherboard with pairs of 250G sata  (memo to self, discover how to do
mirroring).


Paul


[pfSense-discussion] wiki signups

2007-07-26 Thread Paul M
is there any chance of the wiki allowing signups again, or having a
login created for me (mailme offlist pls)

whilst the documentation on pfsense is quite good there's some useful
notes on it in the wiki which could do with some small updates

BTW, I am a newcomer to pfsense, tried the 1.2 first beta and didn't get
on with it as it would crash/kernel panic all the time, but then tried
rc1 and it's pretty good, only crashed once (when I was changing virtual
IPs)

thanks

Paul


RE: [pfSense-discussion] Re: Newbie Q: security of php on perimeter firewall

2005-11-28 Thread Paul M. Impellizzeri
Is there any way we can reboot the mail server now?  It is running at 100% cpu
but they are services that should normally be running…I think we need to shake
it out.

Paul

From: Scott Ullrich [EMAIL PROTECTED]
Sent: Monday, November 28, 2005 1:27 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] Re: Newbie Q: security of php on perimeter firewall

There are still a few other small ones.   In particular with the status
queues screen + fast cgi.   When we kill pfctl somehow its signal is
being passed up and killing off the fast-cgi handler.

Woops.

On 11/28/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
> On 11/28/05, Lists <[EMAIL PROTECTED]> wrote:
> > well hell maybe i should do devel work for pfsense cause ive already
> > migrated my build to lighttpd :) then when browsing the cvs trees
> > noticed it was in there
>
> We had some problems with lighty when we first imported it - firmware
> upgrades didn't work on embedded due to a bug in their handling of
> large POSTs.  That's been fixed in a recent release, so we're moving
> back (that was the only bug that I know of, but it was kinda big ;-P)
>
> --Bill
>