Re: [pfSense-discussion] squid.inc gotchas

2011-06-05 Thread Bill Marquette
On Sun, Jun 5, 2011 at 6:10 AM, Odhiambo Washington odhia...@gmail.com wrote:

 Hello Everyone,

 I am new to pfsense - using it for the first time, though I've known about
 it all these years.

 Kindly bear with me on this one.

 I am running *2.0-RC2* and I've been trying to achieve a few things with
 Squid (3.1.9). It's not been well as squid refuses to start.
 I managed to spend some time on this matter and figured out that the
 problems are resident inside squid.inc.

 I still do not understand why we have this on line 903 of squid.inc,
 especially the "deny all" bit.

 $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " deny all\n";


 So here is my patch, which also contains a few changes required in squid-3.

 (14:02:35 ~) 0 $ less squid.inc.diff
 527c527
  }
 ---
}
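Review bot: the 527 hunk changes only the indentation of a closing brace; a whitespace-only change is best left out of a functional patch (or split into its own commit) so the Squid 3 changes stand alone in review.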
 813,814c813,814
  acl all src 0.0.0.0/0.0.0.0
  acl localhost src 127.0.0.1/255.255.255.255
 ---
  acl all src all
  acl localhost src 127.0.0.1/32
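Review bot: the 813,814 hunk rewrites the `all` and `localhost` ACL definitions into the Squid 3 forms (`src all`, CIDR `/32` mask), which is what 3.1.9 wants; note that Squid 3.2 and later predefine `all` and `localhost` as built-in ACLs, so on the next version bump these two lines should be removed rather than rewritten. Before submitting, run `squid -k parse` against the generated squid.conf and confirm it loads without a duplicate-ACL warning.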
 903c903
$conf .= 'reply_body_max_size ' . ($down_limit * 1024) .  deny
 all\n;
 ---
$conf .= 'reply_body_max_size ' . ($down_limit * 1024) .  KB\n;
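Review bot: the 903 hunk changes the unit of the limit, not only its syntax: the old line emitted `$down_limit * 1024` as a bare byte count, the new line emits the same number followed by `KB`, i.e. a limit 1024 times larger. If `$down_limit` is entered in KB, drop the multiplication (`$down_limit . " KB\n"`); if it is in bytes, use the `bytes` unit instead. Also, as pasted the string literals around ` deny all\n` and ` KB\n` show no quotes, so check that the committed line reads `. " KB\n";`, and check the Squid 3.1 documentation for reply_body_max_size on whether an ACL argument must follow the size.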


 I stand corrected though.


Thanks for the diff Odhiambo, can you please submit this as a pull request
via github:
https://github.com/bsdperimeter/pfsense-packages (you can edit the file
directly on github and create a fork with the change).

--Bill


Re: [pfSense-discussion] article: Millions of Home Routers at Risk

2010-08-04 Thread Bill Marquette
On Tue, Aug 3, 2010 at 3:25 AM, Tortise tort...@paradise.net.nz wrote:

 - Original Message - From: John Dakos gda...@enovation.gr
 To: discussion@pfsense.com
 Sent: Tuesday, August 03, 2010 6:57 PM
 Subject: RE: [pfSense-discussion] article: Millions of Home Routers at Risk


 Re pf.jpg can someone clarify what a "Yes" in the right column represents
 please:

 a) Yes the router was successful in preventing the attack
 b) Yes the attack was shown to succeed
 c) Something else (just in case...)

 Obviously if it is b) then that is different to the quoted article

pfSense 1.2.3 does not protect against DNS rebind attacks.  The
vulnerability does not imply that the firewall(s)/routers themselves
are open for compromise, only that they don't help protect against the
attack (which potentially allows for external access of _any_ web
server, not just the firewall).  pfSense 2.0 uses a newer version of
dnsmasq that allows us to help protect the network (_IF_ pfSense is
the DNS server for your network, if it's not, this protection is up to
your DNS server to provide).  Further, we also detect the hostname
used to connect to the web interface and if it's not a previously
known name, you will be notified that something is amiss.

Again, to be clear.  What this attack allows is an outside attacker to
gain the ability to access an internally available web site - it does
not itself grant the ability to login to the site.  Compromise of the
web site/application would require other pre-existing vulnerabilities
(in application, browser, etc).  An attack against the web interface
of pfSense itself would have to include as of yet unknown web UI
vulnerabilities.

--Bill
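The two protections Bill describes, a resolver that refuses to hand back a LAN address for an outside name (what the newer dnsmasq does) and a web UI that rejects a Host header it does not know itself by, written out as an added example in Python. This is illustrative code, not pfSense's or dnsmasq's implementation; the sample answers, the `lan` local-domain suffix and the KNOWN_HOSTNAMES set are constructed assumptions.

```python
import ipaddress

# Constructed sample answers as a resolver would see them: (queried name, A record).
# The second and third entries model a rebinding attempt, where an attacker-controlled
# public name suddenly resolves to an address inside the network.
SAMPLE_ANSWERS = [
    ("www.example.com", "93.184.216.34"),
    ("evil.example.net", "192.168.1.1"),
    ("evil.example.net", "127.0.0.1"),
    ("printer.lan", "192.168.1.50"),
]

# Assumption: names under these suffixes may legitimately resolve to internal
# addresses (the exemptions an admin would configure on the resolver).
LOCAL_SUFFIXES = ("lan",)

# Assumption: the names/addresses the admin has told the web UI it is reachable as.
KNOWN_HOSTNAMES = {"firewall.lan", "192.168.1.1"}


def is_internal_address(addr):
    """True for addresses an outside name should never legitimately resolve to."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def is_local_name(name, suffixes=LOCAL_SUFFIXES):
    labels = name.lower().rstrip(".").split(".")
    return labels[-1] in suffixes


def filter_rebind(answers, suffixes=LOCAL_SUFFIXES):
    """Resolver-side rebind protection: drop answers that map a non-local name
    to an internal address.  Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for name, addr in answers:
        if is_internal_address(addr) and not is_local_name(name, suffixes):
            dropped.append((name, addr))
        else:
            accepted.append((name, addr))
    return accepted, dropped


def host_header_ok(host_header, known=KNOWN_HOSTNAMES):
    """Web-UI-side check: accept the request only if the Host header names
    something the firewall knows itself as.  A rebinding page reaches the UI
    through the attacker's hostname, so this catches it even when the
    resolver did not."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:443
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]         # strip an optional port
    return host in known


if __name__ == "__main__":
    ok, bad = filter_rebind(SAMPLE_ANSWERS)
    print("accepted:", ok)
    print("dropped (rebind suspects):", bad)
    for h in ("firewall.lan:443", "192.168.1.1", "evil.example.net"):
        print(h, "->", "allowed" if host_header_ok(h) else "rejected")
```

The two checks are independent on purpose: the resolver filter only helps when the firewall is the network's DNS server, exactly the caveat Bill raises, while the Host check lives in the web UI and works regardless of who resolves names.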

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense-discussion] PHP uses 100% CPU on 1.2 and 1.2.1-RC2

2008-12-02 Thread Bill Marquette
On Tue, Dec 2, 2008 at 8:39 PM, Chris Buechler [EMAIL PROTECTED] wrote:
 On Mon, Dec 1, 2008 at 11:21 PM, Roland Giesler
 [EMAIL PROTECTED] wrote:

  I use 9488 static route entries

 m0n0wall and pfSense aren't exactly designed to work with 9500 static
 routes (is anything?  if you need 9500 routes, you need a routing
 protocol). I'm sure you're the first to even try it. I understand the
 reasoning, though BGP is certainly more suitable.

 Such a configuration does make for an interesting test case though -
 mind emailing me the XML of those static routes off list? That would
 be interesting to play with, though it will be quite a while before I
 have time to do so.

Ditto here.  Large, slow, configs would be helpful to have prior to
the next hackathon where I'll have some time dedicated to performance
profiling and tuning of the UI.

--Bill




Re: [pfSense-discussion] SLC or MLC flash for full install

2008-10-23 Thread Bill Marquette
On Thu, Oct 23, 2008 at 6:10 AM, Eugen Leitl [EMAIL PROTECTED] wrote:

 I'm thinking about trying the full instead of embedded
 install on WRAP/ALIX devices, on compact flash. With increased
 sizes and better flash it seems a year or a couple is a reasonable
 lifetime to expect in a domestic usage pattern these days.

 Have any of you made especially good/bad experiences with either
 SLC or MLC CF? Any vendors to recommend, or to stay away from?

According to everything I've looked at, SLC is what you want for this
use.  I'm personally a fan of Transcend media, it's less expensive
than Sandisk and seems to be every bit as good.  My last round of
purchases was 4gb 133x cards that were half the price of the similarly
spec'd Sandisk media (of note, I use most of my CF media in my camera,
so YMMV).

--Bill


Re: [pfSense-discussion] DNS resolver test

2008-07-22 Thread Bill Marquette
On Tue, Jul 22, 2008 at 1:32 PM, Eugen Leitl [EMAIL PROTECTED] wrote:

 http://www.provos.org/index.php?/pages/dnstest.html

 DNS Resolver Test

 For secure name resolution, it is important that your DNS resolver uses 
 random source ports. The box below will tell you if there is something you 
 need to worry about.

 Your DNS Resolver needs to be updated.

 If the box says that you are using random ports, there is nothing to worry 
 about. If it shows a red border, your resolver does not use completely random 
 source ports. This could imply a security problem; see the following CERT 
 advisory. However, some resolvers have implemented countermeasures that do 
 not solely rely on random source sources.

 There is a little bit more information about this security problem on Dan 
 Kaminsky's blog.

 Should we be getting worried now?

You probably should be.  I have nothing to worry about according to that page.

Your DNS Resolver uses random ports.

This is an unpatched BIND caching name server (that is certainly NOT
using random ports) sitting behind a pfSense box.  However, the
checker at doxpara.com, absolutely DOES show the issue.  From what I
understand, it's not necessarily an issue that pfSense can solve for
you as it's keeping quasi state on the UDP traffic for the queries and
they'll have the same tuple multiple times within the state timeout so
all the queries will match the first state.

--Bill
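The kind of judgement the two checkers are making, applied to a sample of the UDP source ports a resolver used for its upstream queries, as an added example in Python (illustrative code, not the provos.org or doxpara.com checker and not pfSense code). The three resolver samples are constructed; the thresholds are assumptions. Bill's caveat applies to where the sample is taken: ports must be observed where the resolver actually emits them, because a stateful firewall in between will reuse the state it already holds for an identical tuple and so can neither add randomness nor be blamed for its absence.

```python
import random

# Constructed samples: the source ports a resolver used for 40 consecutive
# upstream queries, as seen from the far side.
FIXED_PORT_RESOLVER = [32768] * 40                      # unpatched: one port for everything
SEQUENTIAL_RESOLVER = list(range(40000, 40040))         # increments by one per query
RANDOM_RESOLVER = random.Random(7).sample(range(1024, 65536), 40)   # patched resolver


def assess_source_ports(ports, min_samples=20):
    """Judge whether observed query source ports look randomized.

    Returns a dict with the evidence and a verdict, one of
    'insufficient-sample', 'fixed-port', 'sequential', 'low-entropy',
    'randomized'.  Thresholds are assumptions chosen for illustration.
    """
    n = len(ports)
    if n < min_samples:
        # Too few queries to say anything; a single sequential pair proves nothing.
        return {"samples": n, "verdict": "insufficient-sample"}
    distinct = len(set(ports))
    # Fraction of consecutive queries whose port moved by a small positive step:
    # a counter-based allocator shows up as ~1.0 here even though every port differs.
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential_fraction = sum(1 for s in steps if 0 < s <= 4) / len(steps)
    if distinct == 1:
        verdict = "fixed-port"
    elif sequential_fraction > 0.8:
        verdict = "sequential"
    elif distinct < n // 2:
        verdict = "low-entropy"
    else:
        verdict = "randomized"
    return {"samples": n, "distinct": distinct,
            "sequential_fraction": round(sequential_fraction, 2), "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT_RESOLVER),
                          ("sequential", SEQUENTIAL_RESOLVER),
                          ("random", RANDOM_RESOLVER)):
        print(label, assess_source_ports(sample))
```

A checker that looks only at whether ports differ from one query to the next would pass the sequential resolver; the step test is what separates "different" from "unpredictable".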


Re: [pfSense-discussion] Captive Portal on pfsense

2008-07-16 Thread Bill Marquette
On Wed, Jul 16, 2008 at 9:38 PM, muhammad panji [EMAIL PROTECTED] wrote:
 Thanks for the answer Chris. Several months ago I help my friend setup
 his WRT54GL but as I remember this AP have no option on set it up as a
 bridge. Must I do a firmware upgrade? will it void the warranty?

Considering that you are talking about the Linux variant of the
WRT54G, I think it's safe to say that Chris probably assumed you were
not running the stock Linksys firmware on it.

--Bill


Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?

2008-04-04 Thread Bill Marquette
On Fri, Apr 4, 2008 at 3:28 PM, Tortise [EMAIL PROTECTED] wrote:
 Yes I am using 192.168.0.0/24

  I have no devices from those manufacturers.

  This was not the response I wanted to hear, changing the LAN is a major(!)

H, more or less major than the incidents that prompted this discussion? :)

  Can you clarify the nature of the pfSense ARP cache?  Is it relevant?  (I am 
 not convinced that it is - either the ARP packet is
  correct or it isn't)

Correct or not, FreeBSD is warning you that it's seeing a machine with
the wrong subnet on the wrong side of your firewall.  I don't think
FreeBSD is actually honoring it, but don't quote me on that, I haven't
tested this specific configuration.

  Should the ISP be responsible for the integrity of its network and ensuring 
 rogue ARP traffic is eliminated?

Should?  Yes.  Would I personally expect them to actually take
responsibility for it?  Nope.  Run our supported operating system is
the answer I expect them to give you.

  Should the ISP respond to requests to remove devices off the network with 
 erroneous ARP traffic, as identified by the device's MAC
  address from pfSense logs?  That could clean things up?

Should?  Yes.  But again, I expect you won't get past first level tech
support unless you are a business account (and even then *shudder*).
You're on a shared medium connection, the rest of the idiots out there
that have no idea how to configure a network (and be neighborly on a
shared network) are going to take you down whenever they feel like it.

Honestly, I know it's painful.  But this isn't any different than a
new neighbor moving in that decides to use the same wireless channel
as you, but are broadcasting a high enough signal that they're
stomping all over you.  You either figure out who it is and shoot them
(figuratively of course ;-P) or you change your stuff (and in the
human way, you massively amp your signal and hope there's no FCC goons
- or hams - in the area). :)

--Bill


Re: [pfSense-discussion] Pfsense without NAT

2008-03-28 Thread Bill Marquette
Look at the mailing list archive please.  Matthias May answered your
question on the 14th of March.

--Bill

On Fri, Mar 28, 2008 at 6:18 AM, John Dakos [ Enovation Technologies ]
[EMAIL PROTECTED] wrote:
 hello all.

  a question.

  we have 1 lan 2 wan

  and  load balance for 2 wans

  we don't want firewall and NAT from pfsense, we have another router to do
  that.

  I disabled the firewall from the system tab (which disables NAT together
  with it) but I have no internet!

  any idea ?

  ps : when I try this configuration with 1 lan and 1 wan without load
  balance all things are good

  I suppose load balance makes this...


  thanks all





Re: [pfSense-discussion] miniupnpd No buffer space available

2008-03-28 Thread Bill Marquette
On Thu, Mar 27, 2008 at 12:41 PM, Dennis Karlsson
[EMAIL PROTECTED] wrote:
 Hi

  I get lots of these in the System log.
  miniupnpd[96542]: sendto(udp_notify): No buffer space available

  I read this;
  http://forum.pfsense.org/index.php?topic=7058.0;prev_next=next The
  miniupnpd developer assumes some interface is down but that is not the case.

Could possibly be related to traffic shaping.

--Bill


Re: [pfSense-discussion] Traffic shaper bug ?

2008-03-24 Thread Bill Marquette
On Mon, Mar 24, 2008 at 3:18 AM, Jan Hoevers [EMAIL PROTECTED] wrote:
 Bill Marquette wrote on 23-3-2008 18:54:

  PS. It's probably worth noting that I'm also the author of the
   existing annoying wizard.

  Sorry about that qualification Bill. The fact that it cannot be bypassed
  annoyed me, not the wizard itself.

Not a problem - I'm not posting from a pfsense.org address so, I
figured it was worth noting that I have some amount of personal
interest in it :)

--Bill


Re: [pfSense-discussion] Traffic shaper bug ?

2008-03-23 Thread Bill Marquette
On Sun, Mar 23, 2008 at 3:50 AM, Jan Hoevers [EMAIL PROTECTED] wrote:
   This is 100% completely open source. The source ported to RELENG_1_2 is
   even in the public CVS server in its own branch. It's just the images
   including it are not publicly available. It was back ported as a thanks
   to those who contributed. You could figure out what it is in CVS and
   sync a 1.2 install with that code.

  I see. Guess that makes it open source strictly speaking, but it is not
  the 100% openness I would expect from an open source project.  While I
  understand that people have to earn a living, this bounty policy makes
  things difficult for people who want to evaluate before deciding.

Seeing as how the feature is targeted for 1.3 and we don't have public
1.3 test images (hello, we JUST released 1.2) yet, it will be
difficult for those that have donated to the feature to test that it's
actually been done right.  The easiest way for Ermal to get the
feedback from those that are financially interested in the feature is
to provide a special release for those users.  I've done the same for
features I've developed - _I_ support those special images, I'm only
willing to provide that supported them being created.  I imagine Ermal
feels the same way.  When we start rolling public 1.3 images (if you
can't wait, feel free to do a developers install and roll your own,
just don't expect any support on it), the larger group of developers
(and hopefully users) will be able to provide support.

As with all products, I fully recommend basing evaluations against
current released feature sets, not vapor-ware features (in the
interest of releasing a better product in a timely manner, vendors
inevitably pull incomplete features that had been promised - Apple,
wake up, I want my bloody iSCSI Initiator in Leopard thank you!).

--Bill


Re: [pfSense-discussion] Traffic shaper bug ?

2008-03-23 Thread Bill Marquette
PS. It's probably worth noting that I'm also the author of the
existing annoying wizard.


Re: [pfSense-discussion] how to change wan interface media from autoselect?

2008-03-18 Thread Bill Marquette
On Tue, Mar 18, 2008 at 3:33 PM, Fabio C Flores [EMAIL PROTECTED] wrote:
 ifconfig em1 shows me the following:

  ...
  media: Ethernet autoselect (100baseTX half-duplex)
  status: active

  On the other side the switch is full-duplex. How can I setup the
  interface to be full-duplex and not autoselect the speed?

This used to be in our docs somewhere (either the faq site or the
actual docs, not sure), but at any rate, pfSense currently still
supports all the hidden config.xml options that m0n0wall supported.
You can find them at:
http://doc.m0n0.ch/handbook/faq-hiddenopts.html

--Bill


Re: [pfSense-discussion] pfSense / Time Service

2008-03-05 Thread Bill Marquette
On Wed, Mar 5, 2008 at 5:00 PM, jason whitt [EMAIL PROTECTED] wrote:
 i may be wrong here however i thought there was a default time server sync
 setup in the config?

There is.  Look in System -> General.  Bottom of the page I believe.

--Bill


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-24 Thread Bill Marquette
On Dec 24, 2007 5:41 AM, Paul M [EMAIL PROTECTED] wrote:
 Bill Marquette wrote:
  or others that could make use of mechanisms like dynamic allocation of 
  port.
  That could cause you problems potentially.  But would be no different
  in any other firewall that didn't already understand your protocol.  I
  regularly force vendors to redesign their applications to not use
  dynamic ports at work, it's a stupid design and really, there's zero
  reason to do it (other than sheer laziness on the developers side - or
  pissy legacy reasons when it comes to FTP, which is still not a good
  excuse IMO).

 java RMI being one major PITA!

Yup, that's one of them there bad protocols ;)

 we've developers working from home and trying to get their openvpn
 connections working was a massive PITA.

 <rant>
 developers being developers seem to think that security considerations
 can be swept aside to let them do whatever they need to do.
 </rant>

That's users in general.  Developers just tend to be in a rush more
than most users due to working on projects that are often over
promised and under manned.

--Bill


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-22 Thread Bill Marquette
On Dec 22, 2007 2:22 AM, Paolo Gentili [EMAIL PROTECTED] wrote:
 Anyway i still have some little doubts on implementing a DMZ containing all
 the servers, behind NAT.
 This because i don't know how pfsense's NAT implementation can handle the
 new internet applications/protocols
 like AJAX or WEB-SERVICES

This is simple HTTP on port 80 (or wherever your web server lives).
Nothing new other than its use of the existing TCP port for transit
here.  What might be useful is describing how your previous firewall
was going to handle this.

 or others that could make use of mechanisms like dynamic allocation of port.

That could cause you problems potentially.  But would be no different
in any other firewall that didn't already understand your protocol.  I
regularly force vendors to redesign their applications to not use
dynamic ports at work, it's a stupid design and really, there's zero
reason to do it (other than sheer laziness on the developers side - or
pissy legacy reasons when it comes to FTP, which is still not a good
excuse IMO).

 Don't you think pfsense (actually NAT) can suffer this?

1:1 NAT (if you have enough IP space) and then it's just rules you
have to add.  Inbound, I don't expect you'll run into many of these.
Most applications you are likely to run on your server will stick to a
single inbound port.

--Bill


Re: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Bill Marquette
I'm not sure, based on your email, if the pfSense box is in front of
the PPTP server or not.  If it is, then go to the VPN menu, select
PPTP, on Configuration tab, select Redirect incoming PPTP
connections to: radio button and fill in the text box (PPTP
redirection) with the IP address of your internal PPTP server.
Remove the rules you created too, btw :)

--Bill

On Nov 19, 2007 7:07 AM, Luciano Areal [EMAIL PROTECTED] wrote:

 Good morning, folks!

 Here in my company, we have this network scenario:

 Our network has one internal VPN server, based on a Windows 2003 Enterprise,
 using PPTP and GRE protocol. We have several workers who eventually need to
 connect in our network, to get some data and disconnect. Sometimes, they
 need to work in our network from home, airport, etc., just like in a
 roadwarrior way. Following:

 --   --   -
 |PPTP SERVER|  --- |GATEWAY| --- |INTERNET| --- |ROADWARRIOR|
 --   --   -
 192.168.0.0 /24  200.*.*.* /28(ISP IP) *.*.*.* (any IP)

 I did a basic installation of pfSense firewall solution on a machine here,
 and set up all needed ports for our basic NAT (webserver, e-mail, etc.).
 Here follows the part mentioned for PPTP:

 Firewall: NAT: Port Forward Options

 If   Proto  Ext. port range  NAT IP        Int. port range  Description
 WAN  TCP    1723             192.168.0.14  1723             Allow PPTP (TCP 1723)
 WAN  GRE                     192.168.0.14                   Allow GRE (Protocol 47)

 These rules were also inserted on Firewall: Rules (WAN section)

 Proto  Source       Port  Destination   Port  Gateway  Description
 TCP    WAN address  1723  192.168.0.14  1723  *        Allow PPTP (TCP 1723)
 GRE    WAN address  *     192.168.0.14  *     *        Allow GRE (Protocol 47)

 Then, I tried to connect from home to my server, putting its WAN IP on my
 VPN connection, but when I try to connect, nothing happens.

 Am I doing anything wrong here? Did I forget any point here? I tried to get
 some info on pfSense mail discussion archives, but didn't find anything
 similar to my problem. :-(

 Is there anything that I still need to do in order to free up traffic of
 PPTP and GRE protocols, from my box to the internal server? If anyone here
 have passed through this issue, please light up my path. ;-)

 Best regards,

 Luciano Pereira Areal
 Network Administrator
 E-mail: [EMAIL PROTECTED]
 Mobile #1: +55 21 8176-7376
 Mobile #2: +55 21 8169-3362
 Nextel ID: 55*8*64731
 Skype: luciano_areal

 Bizvox Voice Services
 Avenida Nilo Peçanha, 50 Grupo 1516 - Centro
 CEP: 20020-906
 Rio de Janeiro - RJ - Brasil
 Phone: +55 21 2212-1650
 Fax: +55 21 2212-1675
 Website: http://www.bizvox.com.br/




   _

 avast! Antivirus http://www.avast.com : Outbound message clean.


 Virus Database (VPS): 071119-0, 19/11/2007
 Tested on: 19/11/2007 10:07:26
 avast! - copyright (c) 1988-2007 ALWIL Software.






Re: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Bill Marquette
That's a standalone setting.  You don't want the frickin' package
(which as Chris mentioned, may be broken anyway) if you use this
setting.

--Bill

On Nov 19, 2007 12:06 PM, Luciano Areal [EMAIL PROTECTED] wrote:
 Hi Bill!

 The pfSense box is in front of the PPTP server. In other ways, it will act
 as the main gateway, and the PPTP server will be on the LAN. Clients will
 access it from WAN, passing through the pfSense box.

 I just did what you said. Removed all rules from NAT and firewall using
 PPTP/GRE, and activated that option (Redirect incoming PPTP connections
 to:). I also installed Frickin PPTP proxy package on system, and did a bind
 of this software on WAN port.

 I'll test it as soon as I arrive at home, and hope it will work correctly.

 Regards,

 Luciano Areal


  I'm not sure, based on your email, if the pfSense box is in front of
  the PPTP server or not.  If it is, then go to the VPN menu, select
  PPTP, on Configuration tab, select Redirect incoming PPTP
  connections to: radio button and fill in the text box (PPTP
  redirection) with the IP address of your internal PPTP server.
  Remove the rules you created too, btw :)
 
  --Bill
 










Re: [pfSense-discussion] multiwan ftp proxy

2007-11-19 Thread Bill Marquette
Assuming I ftp at home (don't recall the last time I intentionally did
that!) then ftp works just fine via the primary wan as Chris mentions.
 I think I did have to create a rule for traffic destined to 127.0.0.1
to use the default gateway instead of a load balance pool.  Don't
recall if that's still needed or not but it's still in my ruleset:
 *   LAN net   *   127.0.0.1   *   *   Use routing table for loopback traffic

--Bill

On Nov 19, 2007 11:53 AM, Chris Buechler [EMAIL PROTECTED] wrote:
 Robert Schwartz wrote:
  On 19 Nov 2007 13:25:31 -, Scott Ullrich [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
 
   What is the current status ?
 
  No work has been done on this as of since.   Unfortunately it is not
  high on my list so if someone else wants to pick it up and finish up
  from where Bill and I left off, please do so.
 
 
 
  Hi - Is there /any /kind of work around for getting FTP working
  through a multiwan PFSense setup? Even if it means forcing all FTP
  traffic out 1 Wan interface with no fail over or load balancing?

 FTP works fine out the primary WAN, just not out any OPT WANs.




Re: [pfSense-discussion] noob question

2007-09-19 Thread Bill Marquette
On 9/19/07, Paul M [EMAIL PROTECTED] wrote:
 Zied Fakhfakh wrote:
  Hello everybody,
 
   I'm just starting with pfSense, and I have a couple of questions
 
  - is there any logout button from the web interface ?

 it uses basic authentication, so you have to close browser (FYI, it's a
 long running bug/issue with firefox/mozilla to be able to forget the
 password and thus logout). I guess somebody might like to rewrite it to
 use cookies and thus have a logout function if they really cared?

This functionality has already been written and will be in a future
release after 1.2.

--Bill


Re: [pfSense-discussion] did something change in 1.2rc1?

2007-08-31 Thread Bill Marquette
On 8/31/07, Eugen Leitl [EMAIL PROTECTED] wrote:
 On Fri, Aug 31, 2007 at 11:48:07AM +0200, Eugen Leitl wrote:
 
  I'm defining firewall rules according to
http://pfsense.trendchiller.com/transparent_firewall.pdf
  but they seem to get ignored. There's a comment which says
  the logic is now reversed -- before I lock myself out, can
  someone confirm or deny this (that I need to define things on
  WAN tab instead of LAN tab in Firewal-Rules)?

 Strange, whatever I do I get no change:

 # pfctl -s rules
 pass quick proto carp all keep state
 pass quick proto pfsync all
 pass out proto tcp from any to any port = domain keep state
 pass out proto udp from any to any port = domain keep state

 Any ideas?

If those are all the rules you have, we must have loaded the fallback
(bootup) ruleset.  Try a pfctl -nf /tmp/rules.debug and post the
output and the rule file here (or send me the rule file - billm at
pfsense.org - if you don't want it in a public forum).  Sounds like we
have a rule creation problem.  Thanks

--Bill


Re: [pfSense-discussion] did something change in 1.2rc1?

2007-08-31 Thread Bill Marquette
Not sure how you got into this state - it appears that the boot
stopped at some point (maybe console would have or did have more
information on this).  In the meantime, you can try running
/etc/rc.filter_configure_sync from the shell - that should force your
box to regen the /tmp/rules.debug file and attempt to load it.

--Bill

On 8/31/07, Eugen Leitl [EMAIL PROTECTED] wrote:
 On Fri, Aug 31, 2007 at 08:31:37AM -0500, Bill Marquette wrote:

  If those are all the rules you have, we must have loaded the fallback
  (bootup) ruleset.  Try a pfctl -nf /tmp/rules.debug and post the

 Dang. I was already wondering why I didn't have those -- thought I
 needed to enable debug mode.

 I don't have those. That's all my /tmp has:

 # ls -la /tmp
 total 787
 drwxr-xr-x   4 root  wheel  1536 Aug 31 15:13 .
 drwxr-xr-x  21 root  wheel  1024 Aug 31 11:28 ..
 drwxrwxr-x   2 root  operator512 Aug 31 11:28 .snap
 -rw-r--r--   1 root  wheel89 Aug 31 11:29 bootup_messages
 -rw-r--r--   1 root  wheel   168 Aug 31 11:29 bridge_config_vr0
 -rw-r--r--   1 root  wheel 0 Aug 31 11:29 carp.sh
 -rw-r--r--   1 root  wheel 9 Aug 31 16:00 check_reload_status
 -rw-r--r--   1 root  wheel  4918 Aug 31 15:14 config.cache
 -rw-r--r--   1 root  wheel   365 Aug 31 11:29 dhcpd.sh
 -rw-r--r--   1 root  wheel11 Aug 31 14:41 last_term_seen
 -rw---   1 root  wheel 0 Aug 31 11:29 nohup.out
 srwxr-xr-x   1 root  wheel 0 Aug 31 11:29 php-fastcgi.socket-0
 srwxr-xr-x   1 root  wheel 0 Aug 31 11:29 php-fastcgi.socket-1
 srwxr-xr-x   1 root  wheel 0 Aug 31 11:29 php-fastcgi.socket-2
 srwxr-xr-x   1 root  wheel 0 Aug 31 11:29 php-fastcgi.socket-3
 -rw-r--r--   1 root  wheel   128 Aug 31 11:29 rules.boot
 -rw-r--r--   1 root  wheel 59372 Aug 31 16:00 system-processor.rrd-16h.png
 -rw-r--r--   1 root  wheel 38471 Aug 31 16:00 system-processor.rrd-16m.png
 -rw-r--r--   1 root  wheel 47291 Aug 31 16:00 system-processor.rrd-32d.png
 -rw-r--r--   1 root  wheel 63118 Aug 31 16:00 system-processor.rrd-48h.png
 -rw-r--r--   1 root  wheel 50512 Aug 31 16:00 system-processor.rrd-4h.png
 -rw-r--r--   1 root  wheel 49014 Aug 31 16:00 system-processor.rrd-6m.png
 -rw-r--r--   1 root  wheel 33873 Aug 31 16:00 system-states.rrd-16h.png
 -rw-r--r--   1 root  wheel 32982 Aug 31 16:00 system-states.rrd-16m.png
 -rw-r--r--   1 root  wheel 33608 Aug 31 16:00 system-states.rrd-32d.png
 -rw-r--r--   1 root  wheel 32267 Aug 31 16:00 system-states.rrd-48h.png
 -rw-r--r--   1 root  wheel 28716 Aug 31 16:00 system-states.rrd-4h.png
 -rw-r--r--   1 root  wheel 39146 Aug 31 16:00 system-states.rrd-6m.png
 -rw-r--r--   1 root  wheel 48408 Aug 31 16:00 
 system-throughput.rrd-16h.png
 -rw-r--r--   1 root  wheel 32916 Aug 31 16:00 
 system-throughput.rrd-16m.png
 -rw-r--r--   1 root  wheel 39258 Aug 31 16:00 
 system-throughput.rrd-32d.png
 -rw-r--r--   1 root  wheel 49743 Aug 31 16:00 
 system-throughput.rrd-48h.png
 -rw-r--r--   1 root  wheel 40834 Aug 31 16:00 system-throughput.rrd-4h.png
 -rw-r--r--   1 root  wheel 41193 Aug 31 16:00 system-throughput.rrd-6m.png
 lrwxr-xr-x   1 root  wheel 1 Aug 31 11:28 tmp - /
 -rw-r--r--   1 root  wheel 0 Aug 31 15:57 tmpHOSTS
 drwxrwxrwx   2 root  wheel   512 Aug 31 11:28 uploadbar

 Any ideas how I can recover from this?

  output and the rule file here (or send me the rule file - billm at
  pfsense.org - if you don't want it in a public forum).  Sounds like we
  have a rule creation problem.  Thanks

 --
 Eugen* Leitl http://leitl.org
 __
 ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



Re: [pfSense-discussion] did something change in 1.2rc1?

2007-08-31 Thread Bill Marquette
On 8/31/07, Eugen Leitl [EMAIL PROTECTED] wrote:
 On Fri, Aug 31, 2007 at 09:56:27AM -0500, Bill Marquette wrote:

  Not sure how you got into this state - it appears that the boot
  stopped at some point (maybe console would have or did have more

 I rebooted the machine -- unfortunately the system with the serial
 console is now behind the firewall.

Fair enough.

  information on this).  In the meantime, you can try running
  /etc/rc.filter_configure_sync from the shell - that should force your
  box to regen the /tmp/rules.debug file and attempt to load it.

 Didn't work. I'll just assume the firmware upgrade misfired, and
 I'll have to fix two firewalls instead of one whenever I get to the
 hosting place.

Can you elaborate on the "didn't work"?  Did it throw an error, or
just exit?  Let us know what you find.  If there's an issue with
either the upgrade or the current code, we'd like to get it fixed
before release.  Thanks

--Bill


Re: [pfSense-discussion] Start other processes inside pfSense?

2007-07-24 Thread Bill Marquette

Just to add/restate some of the things said in this conversation.
FreeBSD 6.2 (which pfSense is based on) cannot run under Xen - while
it may be possible to run it with hardware virtualization under Xen,
I'd recommend against it at this time.  It does however run perfectly
fine on both VMWare Server and VMWare ESX Server.  MS Virtual server
has been shown to have some issues (something about the virtual
hardware it emulates...or doesn't...that FreeBSD barfs on).  Bottom
line is if you want to run pfSense as a guest in VMWare, it'll work
fine, use bridged interfaces and don't assign an IP to the host (or at
least not on the external interface) and let the virtualized pfSense
handle the traffic.  You can even have an entire virtual DMZ then
*shudder*.  Have fun.

--Bill

On 7/24/07, Roland Giesler [EMAIL PROTECTED] wrote:

Thanks for your suggestions and comment everyone.  I think I'll go
with multiple VM guests on a host OS.  My mind is much clearer about
this now.

regards

Roland



Re: [pfSense-discussion] network layout

2007-06-19 Thread Bill Marquette

On 6/19/07, Greg Hennessy [EMAIL PROTECTED] wrote:

  Mixing different trust levels on the same switch is rather frowned
 upon.

 Because of potential vulnerabilities in the switch OS, allowing an
 attacker to reassign VLANs?

Yes. The switch may be in a locked cabinet/cage, but never say never when it
comes to internet facing equipment.
Things like setting protected ports etc are essential in this scenario.


Low end switches have a tendency to not have enough ram or cpu to
handle a high volume mac spoofing attack and will usually end up
turning into a hub under this kind of attack, rendering your vlans
useless.  Plus you are relying on software to keep your network
segregated, physical separation is easier to keep the paranoia down ;)

--Bill
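Bill's point about low-end switches collapsing into a hub under a MAC-flooding load is also a detection opportunity: a CAM table being filled shows up as an implausible number of distinct source MACs on one port in a short window. The following added example (illustrative Python, not part of the thread or of any pfSense code) runs such a sliding-window check over constructed frame records of (timestamp, switch port, source MAC); the port names, the window of one second and the threshold of 100 distinct MACs are assumptions.

```python
from collections import Counter, defaultdict, deque


def detect_mac_flood(frames, window_s=1.0, threshold=100):
    """Sliding-window count of distinct source MACs per switch port.

    frames: iterable of (timestamp_seconds, port, src_mac), sorted by time,
    e.g. from sFlow/port-mirror records.  Returns a list of
    (port, timestamp, distinct_macs) for the moment each port first exceeds
    `threshold` distinct sources inside `window_s`; one alert per episode.
    """
    recent = defaultdict(deque)      # port -> deque of (ts, mac) inside the window
    counts = defaultdict(Counter)    # port -> mac -> frames inside the window
    alerted = set()
    alerts = []
    for ts, port, mac in frames:
        q, c = recent[port], counts[port]
        q.append((ts, mac))
        c[mac] += 1
        # expire frames that fell out of the window
        while q and ts - q[0][0] > window_s:
            old_ts, old_mac = q.popleft()
            c[old_mac] -= 1
            if c[old_mac] == 0:
                del c[old_mac]
        distinct = len(c)
        if distinct > threshold:
            if port not in alerted:
                alerted.add(port)
                alerts.append((port, ts, distinct))
        else:
            alerted.discard(port)    # port calmed down; a new flood alerts again
    return alerts


def build_sample():
    """Constructed frame records: one ordinary access port and one flooded port."""
    frames = []
    # Gi0/1: three real hosts talking normally over three seconds
    for i in range(30):
        frames.append((i * 0.1, "Gi0/1", "00:11:22:33:44:%02x" % (i % 3)))
    # Gi0/7: 500 frames, each with a different source MAC, inside half a second
    for i in range(500):
        frames.append((1.0 + i * 0.001, "Gi0/7",
                       "de:ad:%02x:%02x:00:01" % ((i >> 8) & 0xFF, i & 0xFF)))
    frames.sort()
    return frames


if __name__ == "__main__":
    for port, ts, n in detect_mac_flood(build_sample()):
        print("MAC flood suspected on %s at t=%.3fs: %d distinct sources" % (port, ts, n))
```

The threshold is the tunable: an access port with one host behind it should never show more than a handful of sources, while an uplink or a port feeding a hypervisor legitimately shows many, so thresholds belong per port role rather than global.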


Re: [pfSense-discussion] network layout

2007-06-19 Thread Bill Marquette

On 6/19/07, Eugen Leitl [EMAIL PROTECTED] wrote:

On Tue, Jun 19, 2007 at 01:47:22PM -0500, Bill Marquette wrote:

 Low end switches have a tendency to not have enough ram or cpu to
 handle a high volume mac spoofing attack and will usually end up

If the switches are behind the pfsense firewall, and the users
are trusted, will this still happen? (Okay, if DMZ is compromised,
and attack is launched from within).


Ahh, see there's your first problem.  You trust your users :)  I don't
even trust myself, I'm certainly not about to trust my users :)  At
any rate, sounds like you don't have a solid need for the physical
separation, it's best practice, but not always the right answer to the
problem at hand.  Any separation is better than no separation.  And
honestly, if your DMZ gets compromised, the LAN is likely the least of
your worries - the hope would be that you have good enough logging
practices that if the DMZ is compromised that you _catch_ it before
the attacker makes it to the LAN.


 turning into a hub under this kind of attack, rendering your vlans
 useless.  Plus you are relying on software to keep your network
 segregated, physical separation is easier to keep the paranoia down ;)

My dayjob is not exactly Fort Knox, and we do occasionally have


Mine is ;)


incidents (best firewall is useless if people put default
accounts out, or the web application behind the firewall
is written by security naifs).


Those are all audited pre-deployment, nothing goes online unless it's
certified (sometimes that process is ummm challenging ;))

--Bill


Re: [pfSense-discussion] SunFire X2100 M2 gmirror

2007-06-04 Thread Bill Marquette

If it works in FreeBSD 6.2, it'll probably work with pfSense.  I do
know that HP DL145's work perfectly on FreeBSD 6.2 (including the
lights out management board which I have concerns on with the Sun
box).  We ended up buying the DL145's (100+ units) cause Sun took two
months to get a unit to us (we purchased instead of requesting an
actual eval cause we had a number of groups trying to test it out).

--Bill

On 6/4/07, Eugen Leitl [EMAIL PROTECTED] wrote:

On Mon, Jun 04, 2007 at 05:45:41PM +0200, Rainer Duffner wrote:

 Hello,

 I think I would go for the equivalent Tyan Barebone (GT 20 derivate with
 Nforce4 chipset).

Since you seem to be based in Germany, any good sources to purchase
that barebone, and a matching CPU to go with it? Oh, it's only got 2 NICs.

The point of the X2100 M2 is that's it's cheap (though no longer 620 EUR),
comes with a useful LOM, and 4 NICs.

 The status of the nve(4) is a good question - but in either case, there
 should be room for a PCIe Quad GE card.

...which would cost probably as much as the entire barebone. I dunno...

 I've got one of those GT20s as Nagios-server. I don't use the nve(4)...

Anyone else here running a X2100 M2 with pfSense, using both the Broadcom
and the nVidia NICs? It seems to be kinda, sorta supported on FreeBSD 6.2,
but can pfSense do it?

--
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



[pfSense-discussion] Usermanager code commited to releng_1

2007-04-12 Thread Bill Marquette

Heads up for those that are using snapshots - I just committed the
usermanager code from the HEAD branch to the RELENG_1 branch (this
won't go into 1.2).  There may be some breakage in the tree - it was
tested pre-commit, but the diff was rather ugly so I'm not 100% sure
until the next snap run that I didn't horribly break something when I
applied it.  There is some UI ugliness in this commit, please don't
report display issues at this time, I know they exist.  I would be
interested in hearing about breakage though if it's obviously related
to authentication.  Thanks

--Bill


Re: [pfSense-discussion] Allowing multiple IPs for the same hostname in the WebGUI

2007-04-05 Thread Bill Marquette

On 4/4/07, Fabian Steiner [EMAIL PROTECTED] wrote:

Thanks - this page helped me a lot getting started. My patches against HEAD. I
would be looking forward to seeing them committed.


Thanks, we're reviewing the patches now.

--Bill


Re: [pfSense-discussion] Allowing multiple IPs for the same hostname in the WebGUI

2007-04-04 Thread Bill Marquette

On 4/4/07, Fabian Steiner [EMAIL PROTECTED] wrote:

Therefore I would really be looking forward to adding this parameter to the
existing options that are passed to the dnsmasq binary. If any patches are
welcome, please let me know.


Patches are almost always welcome.  I'd suggest in this case that you
still allow for the checking of duplicate host names and just
extend the edit screen to allow multiple hostnames in the way you
want.  Then check for it in the backend and launch dnsmasq in the
appropriate way.

--Bill


Re: [pfSense-discussion] Cisco EtherChannel support in pfSense?

2007-03-09 Thread Bill Marquette

On 3/9/07, Kyle Mott [EMAIL PROTECTED] wrote:

Is anybody interested? I've begun hacking together a package, would the
developers be interested in taking it as either a third-party package or
right into main-line pfSense? It does require some changes to the PHP
init scripts and the addition of a modified kernel module (ng_fec.ko).
It also allows 802.1q VLAN's across the bonded NIC's (as long the NIC's
support VLANs).


I think there would be some interest.  Let us know when you get closer.

--Bill


Re: [pfSense-discussion] Developer bootstrap errors

2007-02-27 Thread Bill Marquette

Comment out the call to update_cvs_depot?  Or update that routine to
better handle a development model that has no CVS access?  I know, not
optimal, but FWIW, I wouldn't mind it if someone hacked in a method to
pull down the tree via other means (such as say mercurial, or
subversion) so you could have a local cvs-other scm bridge and worked
on the local scm.

--Bill

On 2/25/07, Paul [EMAIL PROTECTED] wrote:

I will answer my own question:

the problem is that RELENG_6_1 does not (currently) compile. To fix it I
changed the freebsd_branch variable in pfsense_local.sh to RELENG_6_2 and
that compiled cleanly.

Now I have a second problem: Each time I call build_iso.sh the builder
script will resync with the pfsense CVS, hence losing any changes that I
make.

On the wiki there's some info pointing me to define a SKIP_CHECKOUT
variable, but update_cvs_depot defined in builder_common.sh, which is
responsible for taking care of this, only checks for SKIP_RSYNC and
always updates from CVS (regardless of what it states):

update_cvs_depot() {
	# Update cvs depot. If SKIP_RSYNC is defined, skip the RSYNC update
	# and prompt if the operator would like to download cvs.tgz from
	# pfsense.com.
	# If also SKIP_CHECKOUT is defined, don't update the tree at all
	if [ -z ${SKIP_RSYNC:-} ]; then
		rm -rf $BASE_DIR/pfSense
		rsync -avz [EMAIL PROTECTED]:/cvsroot /home/pfsense/
		(cd $BASE_DIR && cvs -d /home/pfsense/cvsroot co -r ${PFSENSETAG} pfSense)
		fixup_libmap
	else
		cvsup pfSense-supfile
		rm -rf pfSense
		rm -rf $BASE_DIR/pfSense
		(cd $BASE_DIR && cvs -d /home/pfsense/cvsroot co -r ${PFSENSETAG} pfSense)
		(cd $BASE_DIR/tools/ && cvs update -d)
		fixup_libmap
	fi
}

Am I looking at the wrong code or is there a different way to not update
from CVS during build?

Paul.
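Paul's reading of the function is right: the comment promises SKIP_CHECKOUT handling, but the only test in the body is on SKIP_RSYNC, so both branches still wipe and re-check out the tree. The following is an added example, not the pfSense builder's own code, of how the function reads once the decision is pulled into its own helper so it can be verified without rsync, cvsup or a CVS mirror present. BASE_DIR, PFSENSETAG and fixup_libmap are assumed to come from the surrounding builder scripts, and CVS_RSYNC_SOURCE is a placeholder for the repository rsync URL that the quoted code carries in redacted form.

```sh
#!/bin/sh
# Added example, not the pfSense builder's own code: update_cvs_depot() with
# SKIP_CHECKOUT honoured as its comment promises. BASE_DIR, PFSENSETAG and
# fixup_libmap are assumed to be provided by the builder environment;
# CVS_RSYNC_SOURCE is a placeholder for the repository's rsync source.

# select_update_mode: print one of "skip", "rsync" or "cvsup".
#   SKIP_CHECKOUT set -> skip   (leave the local tree exactly as it is)
#   SKIP_RSYNC set    -> cvsup  (no rsync of the cvsroot; refresh via cvsup)
#   neither           -> rsync  (mirror the cvsroot and check out fresh)
# SKIP_CHECKOUT wins over SKIP_RSYNC: a developer who asked for no checkout
# must not have local edits destroyed by either path.
select_update_mode() {
    if [ -n "${SKIP_CHECKOUT:-}" ]; then
        echo skip
    elif [ -n "${SKIP_RSYNC:-}" ]; then
        echo cvsup
    else
        echo rsync
    fi
}

# update_cvs_depot: same three branches as the original function, but the
# "skip" branch now exists, and every branch is reached through the single
# decision above rather than an inline test on one variable.
update_cvs_depot() {
    mode=$(select_update_mode)
    case "$mode" in
    skip)
        echo "SKIP_CHECKOUT is set: keeping the local tree in $BASE_DIR/pfSense"
        ;;
    rsync)
        rm -rf "$BASE_DIR/pfSense"
        rsync -avz "${CVS_RSYNC_SOURCE:?set CVS_RSYNC_SOURCE to the cvsroot rsync URL}" /home/pfsense/
        (cd "$BASE_DIR" && cvs -d /home/pfsense/cvsroot co -r "${PFSENSETAG}" pfSense)
        fixup_libmap
        ;;
    cvsup)
        cvsup pfSense-supfile
        rm -rf "$BASE_DIR/pfSense"
        (cd "$BASE_DIR" && cvs -d /home/pfsense/cvsroot co -r "${PFSENSETAG}" pfSense)
        (cd "$BASE_DIR/tools/" && cvs update -d)
        fixup_libmap
        ;;
    esac
}

# From a developer's shell the intended invocation then becomes:
#   SKIP_CHECKOUT=1 ./build_iso.sh
# and local edits under $BASE_DIR/pfSense survive the build.
```

Splitting the decision out is the only real change; the rsync and cvsup branches do what the quoted function does today. Keeping the variable test in one place also means the comment at the top of the function can no longer drift away from the code, which is exactly how the original ended up describing a SKIP_CHECKOUT path it never had.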



Re: [pfSense-discussion] Can pfSense be ported to Intel IXP425?

2007-02-02 Thread Bill Marquette

At this time we don't support the processor - I believe there's some
work in the FreeBSD camp to support the architecture.  Whether the
rest of the hardware in that unit would be supported would remain to
be seen.  32M RAM and 16M flash are both rather light for pfSense, we
barely run in 64M today and need a tad over 64M flash.  I'm sure it
would be possible to make a pfsense-lite type distribution that would
run on a box such as this, but it'd likely be better to start from
scratch and make use of the pfsense code as a reference for how stuff
works than to try and lean out the ram and disk requirements we have.

--Bill

On 2/2/07, ryn jackson [EMAIL PROTECTED] wrote:

Having been running pfsense for a week now, I have to say I truly enjoy it, and 
I have QoS that works!
I had been using the Linksys RV082 in several of our offices and the only thing 
I don't like about them is their flexibility and weak QoS.
The specs and performance on these boxes are pretty amazing for the price:
Intel IXP425 533MHz
32 Meg RAM
16 Meg Flash
Dual Wan
8 LAN ports that can supposedly be separated into VLAN's (fake, they still use 
the same subnet but traffic doesn't pass between them)
Too bad the existing firmware doesn't harness the power of the hardware. I've 
clocked a consistent 27Mbps of 3DES IPsec with these.
These linksys boxes are running Linux 2.4 with openswan and iptables i believe.

There is a Firmware project to update the Linksys RV series to the 2.6 kernel 
and tweak some other stuff. One is called OpenWRV http://www.phj.hu/wrv54g/ 
which seems to be focused on the wireless version and the other one is OpenIXP 
which is tied to this project focusing on the IXP platform. Neither of them 
seem to have gone anywhere, maybe the members are too busy? I think pfSense 
would be much better than modifying the crappy firmware that linksys provides 
anyways.

I am under the impression that Free BSD is not only lighter, but more efficient 
with networking (network stack)  than Linux is so i was wondering if it would 
be possible to port to this platform. there's more info on its little brother 
here: http://www.linksysinfo.org/forums/showthread.php?t=34276
That thread is about the RV042 [EMAIL PROTECTED], 32Meg ram but it's 
interesting that these boxes have 2 serial ports, mini pci and even HDD 
capability built in.
I cannot, for the life of me find this but there's a project going on now to 
hack and rewrite the existing firmware but why start with crap if you could 
port over something like pfSense, even it has some features stripped out.

What do you guys think? Is it feasible/possible? I would really like to have an 
appliance using this platform and pfSense. It's got way more power than the 
Soekris/wrap the only thing i'm concerned about is the 32meg of ram, but i 
think it would be possible.

I think the best way to actually make the VLANs function on this device (i 
don't think it would support 802.1q) would be to assign subnet interfaces to 
vlans (up to 8) and then assign vlan's to lan ports. All traffic on ports with 
the same vlan assigned is bridged. That's the way routing assignments work on 
the Adtran Netvanta 1224R's i work with and it's very intuitive.





Re: [pfSense-discussion] Allways someone different

2006-12-24 Thread Bill Marquette

On 12/24/06, Peter May [EMAIL PROTECTED] wrote:

Hi all.

Yep there is always someone that has to do things unlike everyone else
and I am that person.

I live remotely and have looked at Pfsense for traffic shaping as I have
a 2 way satellite feed. Here in Oz, it's all I can get out back. Problem
is, the feed isn't consistent. I am meant to have 256/64 but at the
moment, it's up to around 1.5mb/512

So if I set my incoming and outgoing limits, it can effectively cause
the traffic shaper to cut some of my bandwidth.


Some of the bandwidth you aren't paying for ;-P


Is there a way to have PFSense detect THE TOTAL BEING USED and then
alter QUEUES from that? What I am trying to achieve is a percentage for
each queue depending on how much I have available coming in?


Nope.  Such a tool might be able to be written, but I'm not even sure
where I'd start if I was to do it.  Dynamic bandwidth detection and
modification would be significantly harder than detecting it to do the
initial bandwidth allocation.  And of course detecting that you have
more bandwidth available while running at lower capacity would be
uhhh...challenging.


Trust me, at 256/64 it's slow so anything more than that is very welcome
but if I fail to check, Pfsense cuts it back. If I simply turn off the
shaper, then some things hog all the bandwidth.


--Bill


Re: [pfSense-discussion] Any active quagga development?

2006-11-30 Thread Bill Marquette

As far as I know, nobody with commit access is working on this and I
haven't seen anything regarding someone else working on it.

--Bill

On 11/30/06, Nick Buraglio [EMAIL PROTECTED] wrote:

Is there any active development being done on the quagga package?   I
noticed it's still on my local mirror but not in the packages list.  I
started messing around with making it work since I have need for simple
ospf.  Since I'm lazy by nature I don't want to replicate work being done by
someone more qualified than I, especially since it's been a while since I
worked under the hood on pfsense and I'm having to re-learn everything.


nb


Re: [pfSense-discussion] OpenVPN running on pfsense 1.0.1

2006-11-30 Thread Bill Marquette

Chris, you may want to update your address book entry for discussion@
- its name isn't Bill Marquette :)

I can't answer your question though...I don't use OpenVPN, sorry.

-Bill

On 11/30/06, Chris Noble [EMAIL PROTECTED] wrote:


Has anyone experienced problems with OpenVPN since the upgrade to v
1.0 / 1.0.1 ?

It's completely dead on all of my 1.0.1 boxes :( I also reinstalled from
fresh to try and fix it.

I use public keys, all are ok. Nothing expired.


Thanks,
ChrisN




Re: [pfSense-discussion] layer2 filtering/shaping possibility?

2006-11-16 Thread Bill Marquette

On 11/16/06, qoska kotfare [EMAIL PROTECTED] wrote:

On the freebsd-net@ list this message was posted:
http://lists.freebsd.org/pipermail/freebsd-net/2006-November/012449.html

I don't know if any of you follow this list but this code seems
properly written and can be extended to communicate with the PF/ALTQ
system to give a possible traffic filtering/shaping opportunity on
Layer2.

It can be easily modified to just forward/tag packets to/for PF if
that is needed.
Since it uses pfil(9) framework maybe an order of loading might be
needed for correct functionality.

What do you guys think of this?


Sure, the idea is sound.  Feel free to extend pfSense to allow this
functionality and we'll consider importing it.

--Bill


Re: [pfSense-discussion] PPPoE and multiple IP addresses

2006-10-30 Thread Bill Marquette

They'll likely configure the PPPoE tunnel with a /29 CIDR block (maybe
smaller, maybe larger, depending on addresses).  You are correct, the
addresses will essentially just appear on the pfSense endpoint.  All
you need to do to make use of them is create an "other" type virtual
IP (hey, for all those wondering what the hell "other" was for...this is
it!) as the traffic is already routed to you and you just need pfSense
to handle it.

FWIW, before my last move, I had exactly this type of setup from SBC.

--Bill

On 10/30/06, Sam Newnam [EMAIL PROTECTED] wrote:





I'm dealing with this small town ISP on a project and they informed the
customer that they can run multiple IP's over PPPoE. I've googled a bit and
can't tell for sure whether this is supported very widely, but has anyone
setup this configuration with a pfsense box?



Do you have to create a new alias for each IP? I seem to have read that once
you connect your first pppoe session that the other addresses seem to
appear (don't laugh, I know).



Any thoughts would be helpful as I'm supposed to set this up on Wed of this
week. Thanks!



Sam Newnam
 SystemSam Technologies, LLC
 www.systemsam.com




Re: [pfSense-discussion] pfSense Version 1.0.1 available - Upgrade recommended

2006-10-30 Thread Bill Marquette

On 10/30/06, Holger Goetz [EMAIL PROTECTED] wrote:


 Hi Bill,

 i'm running an Acrosser AR-B1662. In other words that's a VIA Eden
667 MHz processor with a VIA(R) Apollo PLE133T chipset and 4 on-board National
Semiconductor 83816 (10/100) NICs. It's got 256M memory installed.
 Why? Can you imagine a change that has any influence?


Just surprised that anyone saw any speed difference between 1.0 and
1.0.1.  We made one change that affected page caching, but it
certainly shouldn't have sped anything up, just freed up a tad bit of
ram.

--Bill


Re: [pfSense-discussion] ssl load balancing

2006-10-26 Thread Bill Marquette

On 10/26/06, Greg Hennessy [EMAIL PROTECTED] wrote:



Being familiar with both platforms, you're out by the side of it TBH.
Pfsense has a lot of meaty goodness, however does not have bigip LTM style
ssl termination in any way or form.

They are not comparable.


Right.  pfSense's load balancer code is TCP only.  We're a firewall w/
load balancing add-ons, not a load balancer with firewall add-ons.  If
you want a load balancer, buy F5 (or one of their competitors), if you
want a firewall that can also balance tcp flows to your web server and
check for port availability, then pfSense can handle it.  Guess it
really boils down to, do you want to do it for free, or $25k ? :)

--Bill


Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work

2006-10-19 Thread Bill Marquette

If IPFilter has the ability to keep state on the ipsec protocols
itself (it did last I looked) _and_ m0n0 turns that feature on, then
m0n0 might work.

--Bill

On 10/19/06, Mikael Syska [EMAIL PROTECTED] wrote:

Hi again Bill,

Don't know if they use any different implementation or anything, but will
it work with m0n0wall or are there any other products that I can use on
a Soekris 4801 ... ?

Kind regards
Mikael Syska

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: 19 October 2006 02:09
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] 2 vpn client connections from the same ip
does not work

pfsense

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:
 hey,

 so it's a problem on the client side or server side?

 not the hardcore firewall dude, I had it working on an openbsd with
isakmpd, is their implementation any different?

 kind regards
 mikael syska

 

 From: Bill Marquette [mailto:[EMAIL PROTECTED]
 Sent: Wed 18-10-2006 18:57
 To: discussion@pfsense.com
 Subject: Re: [pfSense-discussion] 2 vpn client connections from the
 same ip does not work



 pf doesn't have any method of separating out the isakmp or esp
 traffic.  There's been some talk of ipsec state code, but I don't know

 when FreeBSD will see it (certainly not before it's implemented in
 Opens pf I'm sure).  If you have multiple IP addresses, you could use
 1:1 nats to solve this (I have coworkers that use this to have
 multiple workstations connected to our IPSec devices).

 --Bill

 On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:
 
 
  Hi,
 
  Thanks for a great product,

  I am running the Racoon IPSEC server and it all works great, except
  that if
  2 clients are behind the same firewall, only one of them will be
  able to make the connection to the VPN server, am I doing anything
wrong here?

  I have problems with roadwarriors using aggressive mode.


  I'm using SafeNet SoftRemoteLT VPN clients.

  I know it works with the isakmpd IPSEC server from an earlier setup I

  have had.

  It does not work both behind another pfsense firewall, and some
  other unknown firewall that I don't know the name of.

  What are my options?

  Is this the right behavior? or is there something setup completely
  wrong in the Racoon ipsec setup?
 
  kind regards
  Mikael Syska







Re: [pfSense-discussion] pf rules for load balancing

2006-10-19 Thread Bill Marquette

On 10/19/06, Raja Subramanian [EMAIL PROTECTED] wrote:

The PF Pools FAQ:
http://www.openbsd.org/faq/pf/pools.html

section Load Balance Outgoing Traffic, mentions the
following:


To ensure that packets with a source address belonging to
$ext_if1 are always routed to $ext_gw1 (and similarly for
$ext_if2 and $ext_gw2), the following two lines should be
included in the ruleset:

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from
$ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from
$ext_if1 to any


I have a dual WAN setup with pfSense, but I don't find such
rules in /tmp/rules.debug.  How does pfSense implement this?


We don't.  This is the same issue you asked about months ago in
regards to squid and ftp-proxy.

--Bill


Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work

2006-10-18 Thread Bill Marquette

pf doesn't have any method of separating out the isakmp or esp
traffic.  There's been some talk of ipsec state code, but I don't know
when FreeBSD will see it (certainly not before it's implemented in
Opens pf I'm sure).  If you have multiple IP addresses, you could use
1:1 nats to solve this (I have coworkers that use this to have
multiple workstations connected to our IPSec devices).

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:



Hi,

Thanks for a great product,

I am running the Racoon IPSEC server and it all works great, except that if
2 clients are behind the same firewall, only one of them will be able to
make the connection to the VPN server, am I doing anything wrong here?

I have problems with roadwarriors using aggressive mode.


I'm using SafeNet SoftRemoteLT VPN clients.

I know it works with the isakmpd IPSEC server from an earlier setup I have
had.

It does not work both behind another pfsense firewall, and some other
unknown firewall that I don't know the name of.

What are my options?

Is this the right behavior? or is there something setup completely wrong in
the Racoon ipsec setup?

kind regards
Mikael Syska


Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work

2006-10-18 Thread Bill Marquette

pfsense

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:

hey,

so it's a problem on the client side or server side?

not the hardcore firewall dude, I had it working on an openbsd with isakmpd, is 
their implementation any different?

kind regards
mikael syska



From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Wed 18-10-2006 18:57
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] 2 vpn client connections from the same ip 
does not work



pf doesn't have any method of separating out the isakmp or esp
traffic.  There's been some talk of ipsec state code, but I don't know
when FreeBSD will see it (certainly not before it's implemented in
Opens pf I'm sure).  If you have multiple IP addresses, you could use
1:1 nats to solve this (I have coworkers that use this to have
multiple workstations connected to our IPSec devices).

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:


 Hi,

 Thanks for a great product,

 I am running the Racoon IPSEC server and it all works great, except that if
 2 clients are behind the same firewall, only one of them will be able to
 make the connection to the VPN server, am I doing anything wrong here?

 I have problems with roadwarriors using aggressive mode.


 I'm using SafeNet SoftRemoteLT VPN clients.

 I know it works with the isakmpd IPSEC server from an earlier setup I have
 had.

 It does not work both behind another pfsense firewall, and some other
 unknown firewall that I don't know the name of.

 What are my options?

 Is this the right behavior? or is there something setup completely wrong in
 the Racoon ipsec setup?

 kind regards
 Mikael Syska






Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Tommaso Di Donato [EMAIL PROTECTED] wrote:

On 10/4/06, Rainer Duffner [EMAIL PROTECTED] wrote:
 At least in this respect, pfSense is still a clear packet-filter only ;-)
 And ideally, it should stay this way while analyzing packet-content
 should occur elsewhere (because it also needs much more CPU-power).


Sorry, but I do not agree totally with you: the thing I love with pfSense is
that it is possible to install it everywhere, so it could be a _real_
competitor to enterprise products (like Cisco ASA). So, I think that
CPU-power should not be a limit.


We have a serious disadvantage against hardware firewalls.  Where they
can crank out ASICs tuned to specific needs (which comes with a
disadvantage we don't have...flexibility), we're stuck with general
purpose CPU's which aren't necessarily fast.  Thankfully, encryption
boards supported by FreeBSD aren't terribly difficult to come by, but
there's other code paths that could be sped up considerably by
hardware optimized for it.

Let us also not forget that CPU's aren't getting faster, they're
scaling wider (in fact, I think most gamers would confirm that dual
core procs don't necessarily speed up their games).  FreeBSD doesn't
multi-thread routing.  The fastest proc today will be no faster than
the fastest proc next year (unless AMD comes through with its inverse
SMP plans - presenting multiple cores as a single core to the OS).
Also, interrupts are a KILLER on x86 hardware - FreeBSD w/ polling is
better at this than OpenBSD (although I haven't personally benched
this yet), but it's not free and there's still a limit.

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Holger Bauer [EMAIL PROTECTED] wrote:

No, it sees everything. For example running at my WAN though nearly everything 
is blocked it detects portscans too and will block this IP (if enabled) so it 
can't start a bruteforce against my open ports. If you are lucky it will even 
block the intruder before it reaches open ports on your system for example :-)



To be fair, ONLY stateless signatures (or signatures of attacks that
only need one packet to do the damage) and the port scan engine can
make any kind of detection on traffic blocked at the firewall.  But
hey, who really cares that someone is trying some uber attack against
you if there's nothing listening?  If you want to know that, I'm
afraid you need a honeypot.

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


I tried to install the snort package but get an error. This was on my Soekris 
embedded box with the embedded version 1.0-RC1a.


Two problems here.
1. RC1 is ancient, the snort package only works on RC3 and above
2. Embedded doesn't support packages, either we still had that in RC1
(unlikely) or you've bypassed those checks somehow

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


According to my rough calculations, I can do maybe 40mbps throughput before I 
peg the cpu. Or maybe I'm just dreaming, but I plan on testing it.


With a 4801 or wrap???  Try again :)  We peg the CPU on those boards
well before 40mbit...I think the last benchmark I saw was 30+mbit.

--Bill


Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-03 Thread Bill Marquette

On 10/3/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

Am Dienstag, den 03.10.2006, 09:09 -0400 schrieb Scott Ullrich:
 I am telling you how to solve your problem now, not long term.  I
 agree that the FTP system is a mess.
Ok, fine, how? At the moment I start the ftpsesame by hand after
booting up the firewall (which gladly isn't so often).

 Sounds good.  If you want to submit patches, feel free.  I am focused
 on getting on 1.0 out the door then I plan on taking a vacation for a
 bit but will be happy to review a patch.
So I'll wish you happy holidays.

BTW: It was a question to all devs here. Anyone else? I'm especially
looking for a solution to point 3). Maybe someone might know a good way
to implement this.


FTP is a broken and insecure protocol.  If I had my way, you wouldn't
see any FTP helpers in pfSense.  If you want it working a certain way,
make it work, send in patches, rejoice when they get committed.  It
works as is for 99% of our user base, the few users who need more
are certainly technical enough to come up with a solution that works
(and doesn't break the other 99% of the users).

--Bill


Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-03 Thread Bill Marquette

On 10/3/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

No, as I told you already, the system_start_ftp_helpers() is launched
_after_ filter_configure_sync in /etc/rc.bootup. And ftpsesame is killed
by killall in system_start_ftp_helpers() after being started in
filter_configure_sync :-( So, you can see that the
afterfilterchangeshellcmd command isn't any solution for that problem.
When I'm posting lines of source code, you can believe me that I have
bravely taken a look at it ;-)


I wonder if the package system is called far enough into the boot
process to shim this in after start_ftp_helpers is called.  You might
be able to create a start script that calls /etc/rc.filter_configure.
Looks like this is what you want in /etc/rc.bootup:
mwexec("sh /usr/local/etc/rc.d/{$filename} start >>/tmp/bootup_messages 2>&1");

it's well past the ftp_helpers.



OK, I'll write my own code, since I'm experienced enough. I wanted a
clean solution for all users, but that's apparently not the goal here.
People will further cry at the forum that ftp isn't working. I do know
the reason why and now you know too.


Yeah, 1.0 is too close, we can't afford to break FTP for this somewhat
edge case.  Hopefully we can come up with a better long term solution.


BTW: I do love the way the netfilter connection tracking modules in
linux are solving that problem and don't know any reason why that code
isn't adapted by the pf devs. There must be some reason for not using
such an API. I'll have to search why. Maybe you can give me a link.


There's plenty of discussions on this, I don't have any links handy,
sorry.  But it goes along the lines of layer7 protocol analysis in
kernel is a bad idea - protocol bugs directly result in ring0
compromise (bad!).  Using divert() style sockets is moderately better,
but results in dropping the analysis and throughput to userland which
can be slow.  ftpsesame is a better compromise in that all it really
needs to do is run a bpf listener and add/remove rules as needed.
Some protocols (pptp, ipsec), etc, can only be NAT'd in kernel due to
the way the protocols work, but in those cases, it's not a rule issue,
it's a NAT issue that can't be solved outside of the kernel.  IPFilter
has various proxy modules to handle some of this.  At the end of the
day, the linux folks are more open to polluting their kernel with junk
than the OpenBSD folks.

--Bill
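The userland compromise Bill sketches (a helper that watches the FTP control channel and adds or removes rules as the data channel is negotiated, with no protocol parsing in ring0) stands or falls on two small pieces: decoding the address the peers advertise, and refusing to open a hole for an address that is not the peer's own. The following is an added example, not ftpsesame's or pfSense's code, of exactly those two pieces; the control-channel lines it reads are constructed samples, and the output format ("pass tcp to HOST port PORT") is a placeholder for whatever rule the real helper would insert.

```sh
#!/bin/sh
# Added example, not ftpsesame's or pfSense's own code: the parse-and-validate
# step of a userland FTP helper. It decodes the host/port pair carried in a
# client PORT command or a server 227 (PASV) reply and only reports a rule
# when the advertised host is the control-channel peer. Sample lines are
# constructed FTP control traffic; the rule text is a placeholder format.

# decode_hostport "h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4 PORT", or fail (status 1)
# on anything that is not six decimal octets. The port is p1*256+p2 as the
# FTP spec encodes it.
decode_hostport() {
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        case "$n" in
        ''|*[!0-9]*) return 1 ;;        # empty or non-numeric field
        esac
        [ "$n" -le 255 ] || return 1    # each field is one octet
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# parse_port_cmd "PORT h1,h2,h3,h4,p1,p2" (client -> server, active mode):
# the client asks the server to connect back to this host:port.
parse_port_cmd() {
    case "$1" in
    "PORT "*) decode_hostport "${1#PORT }" ;;
    *) return 1 ;;
    esac
}

# parse_pasv_reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# (server -> client, passive mode): the server names the data endpoint.
parse_pasv_reply() {
    case "$1" in
    "227 "*"("*")"*) ;;
    *) return 1 ;;
    esac
    inner=${1#*"("}
    inner=${inner%%")"*}
    decode_hostport "$inner"
}

# data_channel_rule PEER LINE: derive the endpoint to permit for one control
# channel line. The advertised host must be PEER, the address at the other
# end of the control connection; a mismatch is the classic FTP "bounce"
# shape, where an unchecked helper would open a rule towards a third party,
# so it is refused (status 2) instead of becoming a rule.
data_channel_rule() {
    peer=$1
    line=$2
    result=$(parse_port_cmd "$line") || result=$(parse_pasv_reply "$line") || return 1
    host=${result% *}
    port=${result#* }
    if [ "$host" != "$peer" ]; then
        echo "refused: $host is not peer $peer"
        return 2
    fi
    echo "pass tcp to $host port $port"
}

# Walkthrough on constructed traffic (run the file to see the three outcomes):
#   data_channel_rule 10.0.0.5 "PORT 10,0,0,5,4,1"
#   data_channel_rule 192.168.1.10 "227 Entering Passive Mode (192,168,1,10,195,80)"
#   data_channel_rule 10.0.0.5 "PORT 10,0,0,9,4,1"
```

Two caveats a helper author would want. First, the peer comparison has to be made against the address the helper actually tracked on the control channel: when the client sits behind NAT, its PORT command advertises a private address, which is precisely the case the helper exists to rewrite, so the comparison belongs on the pre-translation side of the NAT. Second, the advertised port should be checked against the ephemeral range the helper is willing to open (anything below 1024 deserves the same refusal as a foreign host); that policy is left out here because it depends on the site.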


Re: [pfSense-discussion] Tutorial - configuring the captive portal with the integrated user manager

2006-09-28 Thread Bill Marquette

I randomly chose one of the mirrors and the tutorial came up for me.

--Bill

On 9/28/06, Richard Davis [EMAIL PROTECTED] wrote:



I was looking at the pfSense tutorial section and tried to connect to
"configuring the captive portal with the integrated user manager".
All I got was dead links.  Does anybody know if this is a good tutorial and
if it is where can I get it?

Thanks
Richard



Re: [pfSense-discussion] IDS yet? (+IPS)

2006-09-21 Thread Bill Marquette

On 9/21/06, Sam Newnam [EMAIL PROTECTED] wrote:

I was thinking about using something like this product too...
http://www.stillsecure.org/index.php?rf=vmw

Says it integrates with IP Tables... Quick thoughts on its compatibility
with PF?


It's a dedicated linux install.

--Bill


Re: [pfSense-discussion] pfSense and TTL (time to live) = 1

2006-09-04 Thread Bill Marquette

Or if you want to fuck with the ISP and have a full blown network behind
the pfSense box.

Change the following line in /etc/inc/filter.inc
   $rules .= "scrub all {$scrubnodf} {$mssclamp} fragment reassemble\n"; // reassemble all directions
to:
   $rules .= "scrub all min-ttl 255 {$scrubnodf} {$mssclamp} fragment reassemble\n"; // reassemble all directions

That will reset the TTL to 255 (substitute whatever sufficiently high
value appeals to you) as it passes through the pfSense box.  The above
line lives on line 166 in filter.inc version 1.575.2.235.  BTW, this
will have the other added advantage of being able to mask different
OSs behind your pfSense box and the network layout as ALL packets will
have a normalized TTL after traversing the firewall.

I don't expect to ever put a gui wrapper around this, I feel it has
rather limited use.

--Bill


On 9/4/06, Scott Ullrich [EMAIL PROTECTED] wrote:

On 9/4/06, Georgi Petrov [EMAIL PROTECTED] wrote:
 Hello everybody,

 I've sent this feature request to the m0n0wall mailing list, so it's a
 copy-paste. Everything written can be applied to pfSense as well!



 Here in Bulgaria we love m0n0wall and many people use it for home
 routing purposes. Our internet is delivered by LAN cables (insane,
 isn't it?) and some of my smarter friends split the service to the
 neighbours. This is pretty cool because you have to pay 2-3 times less
 and believe me - Bulgaria isn't the cheapest place to live in ;)

 Ok, you would say - you put one m0n0wall router under your bed and pay
 2 times less for internet (as well as your neighbours). What's the
 problem? Here comes the problem: Almost all ISPs in Bulgaria modify
 the TTL (time to live) value of all incoming packets to 1, so when
 they enter the m0n0wall router, it decrements the TTL to 0 and being
 zero, the packet gets dropped (and doesn't reach any of the computers
 in the local network).

 There is a very simple way to work around that. The FreeBSD kernel
 should be compiled with IPSTEALTH option enabled. This is absolutely
 harmless and does the following:

 When the kernel is compiled with this option, later you can set one
 sysctl variable to 1 (enabled), which will turn on the IPSTEALTH
 mode. In this mode the router hides itself, becomes intraceable with
 tracert and the most important thing is that it doesn't decrement the
 TTL, so the little trick played by most ISP becomes irrelevant.

 This is completely harmless to m0n0wall - it won't be enabled by
 default, nothing will change for the default install, but this
 functionality will be present for whoever need it! May be later a
 checkbox could be added in the webGUI for easier accessibility.

 I already run m0n0wall's FreeBSD IPSTEALTH enabled kernel and enabling
 IPSTEALTH in running m0n0wall is as easy as adding

 <shellcmd>sysctl net.inet.ip.stealth=1</shellcmd>

 just before

 </system>

 The whole procedure is explained by another smart bulgarian on this
 page (bulgarian language):
 http://hardwarebg.com/forum/showthread.php?t=76480&highlight=TTL

 So - this way the whole problem is solved and the day - saved ;)

 I ask for one simple thing - could you please enable IPSTEALTH in the
 next m0n0wall release, please! It's a great router/firewall - make it
 even better!


# sysctl -a | grep stealth
net.inet.ip.stealth: 0
net.inet6.ip6.stealth: 0

It's already compiled in.

Have fun!

Scott

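The two mechanisms discussed in this thread (pf's `scrub ... min-ttl` on the inbound side, and `net.inet.ip.stealth=1` on the forwarding path) change what a packet's TTL looks like when it leaves the box, which is both why the ISP's TTL=1 trick stops working and why LAN hosts stop being fingerprintable by TTL. The following model is an added example, not pfSense or FreeBSD code: it assumes pf's min-ttl only raises TTLs that are below the configured value, that a normal router discards a packet it would have to decrement to zero, and that a stealth router forwards without decrementing. The initial-TTL table used for the passive fingerprint is the usual 64/128/255 heuristic, not an exhaustive list.

```python
"""Model of TTL handling across a pfSense box with and without
'scrub ... min-ttl N' and net.inet.ip.stealth=1.  Added example, not
pfSense code; single forwarding hop only."""

from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed common initial TTLs for passive fingerprinting (the classic
# 64 / 128 / 255 families; real stacks vary and can be tuned).
INITIAL_TTLS = {64: "unix-like", 128: "windows", 255: "solaris/network-gear"}


@dataclass
class Packet:
    src: str
    ttl: int


def forward(pkt: Packet, min_ttl: Optional[int] = None,
            stealth: bool = False) -> Optional[Packet]:
    """Return the packet as it leaves the firewall, or None if it is dropped.

    min_ttl models 'scrub all min-ttl N': on the inbound interface pf
    raises any TTL below N up to N before the packet is routed.
    stealth models net.inet.ip.stealth=1: the box forwards the packet
    without decrementing TTL (so it is also invisible to traceroute).
    """
    ttl = pkt.ttl
    if min_ttl is not None and ttl < min_ttl:
        ttl = min_ttl
    if stealth:
        return Packet(pkt.src, ttl)
    if ttl <= 1:
        # A normal router cannot decrement below 1 and discards the packet
        # (normally answering with ICMP time exceeded).
        return None
    return Packet(pkt.src, ttl - 1)


def guess_origin(observed_ttl: int) -> Tuple[str, int]:
    """Classic passive TTL fingerprint seen by the remote side: pick the
    smallest common initial TTL >= observed; the difference is the hop
    count.  Unknown if the value exceeds every known initial TTL."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return "unknown", 0


def demo() -> dict:
    results = {}
    # Constructed sample: a packet from an ISP that forces TTL to 1.
    isp = Packet("203.0.113.1", 1)
    results["isp_plain"] = forward(isp)                   # dropped
    results["isp_minttl"] = forward(isp, min_ttl=255)     # leaves with 254
    results["isp_stealth"] = forward(isp, stealth=True)   # leaves with 1
    # Constructed LAN hosts three hops behind the firewall, one 64-TTL
    # stack and one 128-TTL stack.
    lan = [Packet("10.0.0.5", 61), Packet("10.0.0.6", 125)]
    results["lan_plain"] = [guess_origin(forward(p).ttl) for p in lan]
    results["lan_minttl"] = [guess_origin(forward(p, min_ttl=255).ttl)
                             for p in lan]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Without normalization the remote side can tell the two LAN hosts apart and count hops; with min-ttl 255 every packet leaves at 254 and both hosts collapse to the same guess. Note the stealth case: the TTL=1 packet is forwarded untouched, so it is still only valid for the directly attached host that receives it.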


Re: [pfSense-discussion] source-hash and sticky-address in pf pools

2006-08-17 Thread Bill Marquette

On 8/17/06, Raja Subramanian [EMAIL PROTECTED] wrote:

Hi,

I have a pfSense box with 5 wan links, 1 wan and 1 dmz and
the load balancing and policy based routing in pfSense is
simply fantastic.

The one missing feature that I would like to see, is the ability to
specify the source-hash or sticky-address option in pf pools.
With this, I would be able to load balance troublesome websites
and protocols (eg. pptp) instead of pushing them all through the
default gateway.

I noticed that Bill M's pf sticky patches to slbd got included circa
Beta2.  Will we be able to use this feature anytime soon?


slbd isn't used for gateway balancing, just for monitoring the
gateways.  The sticky patches that Scott committed (not me) were for
server load balancing.

--Bill


Re: [pfSense-discussion] FreeBSD LSI Logic fixes for VMware

2006-08-16 Thread Bill Marquette

Which version of ESX?  Thanks

--Bill

On 8/16/06, Jason Tyler [EMAIL PROTECTED] wrote:

I was able to get it to work by building the VM in VMware workstation,
then copying the disk image to ESX and modifying the .vxd file.

Hope this helps,

Jason

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 16, 2006 10:09 AM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] FreeBSD LSI Logic fixes for VMware

Interesting.  We merged what we thought was all of the fixes from
FreeBSD current but they were not working.   I'll look into this
further as we really want ESX supported for pfSense.

On 8/16/06, Dmitry Sorokin [EMAIL PROTECTED] wrote:
 Hi All,

 First, thanks a lot for a GREAT product. pfSense rules!

 Recently I was trying to install pfSense on VMware ESX server (for
some testing
 and dev projects) but failed to do so.
 Further investigation led me to this:
 http://www.vmware.com/community/thread.jspa?threadID=40606

 So, It's the LSI Logic driver that doesn't work properly with VMware
ESX Server.
 They claim it's fixed in FreeBSD 6.1.
 Is it possible to incorporate that fix into pfSense for  the next
release (RC3
 or 1.0-RELEASE)?

 Again, thanks a lot for a great product.

 Dmitry





Re: [pfSense-discussion] unable to view revison log for filter.inc on cvstrac

2006-08-16 Thread Bill Marquette

And fixed.

--Bill

On 8/16/06, Bill Marquette [EMAIL PROTECTED] wrote:

Thanks, reported to the cvstrac authors.

--Bill

On 8/16/06, Raja Subramanian [EMAIL PROTECTED] wrote:
 Viewing cvs revision history for /etc/inc/filter.inc by accessing
http://cvstrac.pfsense.com/rlog?f=pfSense/etc/inc/filter.inc

 always throws the following error.


  error message ---
 Database Error
 db_exists: Database exists query failed

 SELECT filename FROM filechng WHERE filename='tmp/{$rule['if']}_router'

 Reason: near if: syntax error
 -

 Accessing the changesets or revisions directly is working fine.

 - Raja




[pfSense-discussion] routed package

2006-07-08 Thread Bill Marquette

Hey, there was a bounty for the routed package, but the person
sponsoring this package isn't currently in a position to test it.
He's volunteered to send the funds on if we can get some people to
test it out and comment on it.
http://forum.pfsense.org/index.php?topic=1271.msg9066#msg9066

Can I get a couple people to load it up and make sure routes show up,
make sure it stops routed on exit, works on boot, etc. ?  Even better
if it can be tested on a machine also running OLSR (I have my
suspicions that it won't work, but I don't have a way to test it).
It's a $100 bounty and will go a LONG way towards my hotel bill for
the hackathon.  Thanks

--Bill


Re: [pfSense-discussion] load balancing - fail over

2006-06-28 Thread Bill Marquette

Try a rule for your client/lan - remote IP any port any protocol (I
understand you may wish to lock it down later).  Look at the state
entries to that remote IP after a successful connection, that should
help determine the exact rules you want.

--Bill

On 6/28/06, Allen Laymon [EMAIL PROTECTED] wrote:

Ok, I have gone into one of my interfaces under rules and opened ports 500,
1 and 62515 for UDP.  I have created all three rules the same way using
'any' source, port #, Destination 'any', port #, and Gateway 'default'.
I've also attempted using a 'specific' gateway of my WAN interface that I
want to designate for the Cisco VPN Client.

I have also tried using the source as my 'internal network' and the gateway
as my 'specific' external wan interface.

I can connect but it is VERY intermittent if it allows.  I may get to
connect 1/3 of the time, if I'm lucky.  Any suggestions on what I'm doing
wrong on the rules?

Allen

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 27, 2006 10:49 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] load balancing - fail over

On 6/27/06, Allen Laymon [EMAIL PROTECTED] wrote:
 I'm having an issue using load balancing/failover and using a Cisco VPN
 client to connect to a remote machine.  It's hit and miss whether or not
the
 Cisco VPN client works.  It appears to go out one of my internet
 connections, but can return on the second internet connection?  I'm not
sure
 how to resolve this.  Anyone have a similar instance?

 Allen

You'll want to create a rule that sends this traffic out only one WAN
link (you won't get failover on that rule...sorry).  The issue here is
that most IPSec clients usually use two connections, UDP 500 (or
whatever NAT-T lives on) and proto ESP.  Unless you get lucky and both
make it out the same WAN and establish state that way, the remote
gateway is going to drop you when it sees different source addresses
from the connections.

--Bill




Re: [pfSense-discussion] load balancing - fail over

2006-06-27 Thread Bill Marquette

On 6/27/06, Allen Laymon [EMAIL PROTECTED] wrote:

I'm having an issue using load balancing/failover and using a Cisco VPN
client to connect to a remote machine.  It's hit and miss whether or not the
Cisco VPN client works.  It appears to go out one of my internet
connections, but can return on the second internet connection?  I'm not sure
how to resolve this.  Anyone have a similar instance?

Allen


You'll want to create a rule that sends this traffic out only one WAN
link (you won't get failover on that rule...sorry).  The issue here is
that most IPSec clients usually use two connections, UDP 500 (or
whatever NAT-T lives on) and proto ESP.  Unless you get lucky and both
make it out the same WAN and establish state that way, the remote
gateway is going to drop you when it sees different source addresses
from the connections.

--Bill


Re: [pfSense-discussion] PFSense and Tables

2006-06-26 Thread Bill Marquette

On 6/26/06, Forrest Aldrich [EMAIL PROTECTED] wrote:

Maybe something standardized - with XML formatted files?

It would be nice to issue a command, securely, from an internal machine
to update the PFSense firewall in either case.

Why doesn't PFSense use real Tables... ?  Just curious about the design
decision, etc.


Aliases were easier to implement (and we wanted to get 1.0 out the
door some day).  Tables won't be terribly difficult to implement and
certainly are required, but we gotta leave _some_ room for improvement
;-P

--Bill


Re: [pfSense-discussion] artwork

2006-06-21 Thread Bill Marquette

On 6/21/06, Eugen Leitl [EMAIL PROTECTED] wrote:


I suggest to move back to default m0n0wall design and artwork.
It is much superior in look and usability, imo. I would go so
far to file this as a bug.


That's kind of inflammatory, but change the theme to pfsense and you'll
have the ugly old look back.

--Bill


Re: [pfSense-discussion] artwork

2006-06-21 Thread Bill Marquette

On 6/21/06, Eugen Leitl [EMAIL PROTECTED] wrote:

On Wed, Jun 21, 2006 at 02:09:41PM -0500, Bill Marquette wrote:

 That's kind of inflamatory, but change the theme to pfsense and you'll

No trolling intended. I do really consider the current pfsense
artwork a major regression on m0n0wall look and feel.

 have the ugly old look back.

No, the icons and the color scheme are still different.
For instance, the firewall rules buttons are absurdly
overwrought. It would be a major improvement to get
the m0n0 default ones back.


pfSense != m0n0wall.  We're a fork.  We may have regressed on a
theme that is no longer our default.  We certainly welcome patches -
cascading style sheets can be a real pain to get right.  And honestly,
we spend a LOT of time writing themeable code (I'm constantly fixing
items with hard-coded paths) - it's certainly easier to write
non-themeable code which would result in the old pfSense theme
disappearing.  With that said a lot of the color scheme is still in
code I believe which will make it difficult to make a non-red theme.

--Bill


Re: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Bill Marquette

On 6/6/06, Odette [EMAIL PROTECTED] wrote:

Hi all,

 I need to substitute our production firewall, and I'd like to use PFsense
which I've already successfully used for home or small office environments.

The solution I'm going to substitute is based on Linux-iptables which requires
more than 1000 rules. I need more than 25 static routes, and 5 VPNs.

Furthermore, in the next future we are migrating 2 of 3 network branches on
Gbit.

I'd like to try with PFsense, but my boss (I'm sure) will kill me in the event
I spend half a week in setting up the new PFsense and writing down all the
rules to see that PFsense is not the right solution.


Seems like the effort falls under research and development.  At least
in my shop, that wouldn't be considered a waste of time as it can
vet the existing design (which obviously is considered inadequate),
determine what if any use pfSense has to us, and whether we need to
keep looking.  There aren't any free answers - you'll have to take the
time to try out the solution you believe will work for you.


Is there a rules number limit or a session number limit implemented in
PFsense?


Not per se.  Do you really have 1000 rules, or are there numerous
duplicates with only source/destination IPs (or ports) changed?  You
may be able to shrink that rule base down considerably with pfSense.
The only concern I'd have with the number is the speed of the webGUI -
depending on how many interfaces you have, displaying 1000 rules on a
single screen could be bad (some day I'll have to generate a test bed
that stresses out the webGUI so we can try and improve the speed).

Also, you may or may not want to increase the state table limit which
defaults to 10K state entries.  There are 2-3 (depending on NAT) state
table entries for every connection through your firewall.  More info
on state table sizes can be found in other threads on this list or the
forum (I've answered this a few times)


Does somebody have some expertise in similar situations?


Can't speak for pfSense in a large install, but the underlying packet
filter engine works like a champ in my commercial installs and those
are couple-thousand-rule machines (text files for editing...I'm not
relishing converting those machines to pfSense).

--Bill


Re: Re[2]: [pfSense-discussion] P2P Blocker

2006-06-06 Thread Bill Marquette

On 6/6/06, Chris Noble [EMAIL PROTECTED] wrote:

Ah good idea, pfsense has Traffic Shaper in it.. I could play with
that and give P2Pa silly speed like 500 byte/sec heh.


There were some threads on this in the forum also.  I believe someone
even went so far as to restrict the number of states individual
workstations could have.  Between castrating the bandwidth and
castrating the amount of connections you're allowed, it should pretty
effectively communicate the message.

--Bill


Re: [pfSense-discussion] Routing

2006-05-24 Thread Bill Marquette

On 5/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



Hi everyone,

I have 3 WAN interfaces (WAN, OPT1 and OPT2)
I want to route packets to the WAN interfaces based on the source IP.
For example, 10.0.1.X/24 packets should be forwarded to WAN, 10.0.2.X/24
packets to OPT1 and 10.0.3.X/24 packets to OPT2.
Is this possible?


Yes.  http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
read the policy based balancing section.

--Bill

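Two earlier threads on this page describe the same mechanism from opposite sides: the Cisco VPN client problem (ISAKMP on UDP/500 and ESP are separate flows, so a per-flow round-robin can send them out different WANs and the remote gateway drops the mismatched source address) and the question above about pinning 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 to WAN, OPT1 and OPT2. The simulation below is an added example, not pfSense code or its pf rule generator: it assumes a first-match rule list, a per-flow state table that keeps a flow on the gateway it was first assigned, and round-robin for flows that match no rule. Gateway names follow the thread; addresses and the VPN peer are made up.

```python
"""Per-flow gateway selection with policy rules, modelling the multi-WAN
behaviour discussed in the threads.  Added example, not pfSense code."""

import ipaddress
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterable, List, Optional

GATEWAYS = ["WAN", "OPT1", "OPT2"]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "udp", "tcp", "esp", ...
    dport: Optional[int] = None # None for protocols without ports (ESP)


@dataclass
class Rule:
    """A policy rule: any unset field matches everything."""
    gateway: str
    src_net: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if self.src_net and ipaddress.ip_address(f.src) not in \
                ipaddress.ip_network(self.src_net):
            return False
        if self.dst and f.dst != self.dst:
            return False
        if self.proto and f.proto != self.proto:
            return False
        return True


class PolicyRouter:
    def __init__(self, rules: Iterable[Rule], gateways: List[str] = GATEWAYS):
        self.rules = list(rules)
        self._round_robin = cycle(gateways)
        self.states: Dict[Flow, str] = {}   # state table: flow -> gateway

    def route(self, f: Flow) -> str:
        if f in self.states:                # existing state keeps its gateway
            return self.states[f]
        for rule in self.rules:             # first matching rule wins
            if rule.matches(f):
                gw = rule.gateway
                break
        else:
            gw = next(self._round_robin)    # load-balanced default
        self.states[f] = gw
        return gw


def ipsec_flows(peer: str = "198.51.100.7",
                client: str = "192.168.1.10") -> List[Flow]:
    """The two flows an IPsec client opens to one peer (constructed)."""
    return [Flow(client, peer, "udp", 500), Flow(client, peer, "esp")]


def exit_gateways(router: PolicyRouter, flows: Iterable[Flow]) -> List[str]:
    return [router.route(f) for f in flows]


def peer_accepts(gateways: List[str]) -> bool:
    """The remote VPN gateway only accepts the session if ISAKMP and ESP
    arrive from the same public address, i.e. leave via one WAN."""
    return len(set(gateways)) == 1


# Source-subnet policy from the routing question (constructed rule set).
SOURCE_RULES = [
    Rule("WAN", src_net="10.0.1.0/24"),
    Rule("OPT1", src_net="10.0.2.0/24"),
    Rule("OPT2", src_net="10.0.3.0/24"),
]
# Pin everything to the VPN peer on a single WAN; no failover for it.
PIN_VPN = Rule("WAN", dst="198.51.100.7")


if __name__ == "__main__":
    balanced = exit_gateways(PolicyRouter([]), ipsec_flows())
    pinned = exit_gateways(PolicyRouter([PIN_VPN]), ipsec_flows())
    print("round-robin:", balanced, "accepted:", peer_accepts(balanced))
    print("pinned:     ", pinned, "accepted:", peer_accepts(pinned))
    r = PolicyRouter(SOURCE_RULES)
    print("10.0.2.9 ->", r.route(Flow("10.0.2.9", "203.0.113.5", "tcp", 443)))
```

With an empty rule set the two IPsec flows land on WAN and OPT1 and the peer rejects the session; the pin rule puts both on WAN. The same first-match list handles the source-subnet case, with anything outside the three subnets falling back to round-robin.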

Re: [pfSense-discussion] broken http interface install..

2006-05-16 Thread Bill Marquette

Is this happening on index.php, or when trying packages?  Sounds like
there's a corrupt XML file floating around somewhere, usually this is
due to the machine getting powered off in 'odd' states.

--Bill

On 5/16/06, Gregory Machin [EMAIL PROTECTED] wrote:

Hi
Looks like I did the impossible and broke the web interface ..
here is the error i'm getting ...

Notice: Object of class PEAR_Error could not be converted to int in
/etc/inc/xmlparse.inc on line 135
 XML error: No pfsense object found!

Many Thanks
--
Gregory Machin
[EMAIL PROTECTED]
[EMAIL PROTECTED]
www.linuxpro.co.za
www.exponent.co.za
Web Hosting Solutions
Scalable Linux Solutions
www.iberry.info (support and admin)

+27 72 524 8096


Re: [pfSense-discussion] CF-IDE install help

2006-05-16 Thread Bill Marquette

On 5/16/06, Angelo Turetta [EMAIL PROTECTED] wrote:

And what about the case in original post?
He has installed the full version from CD-ROM to a CF (used as a hard
disk). I'm confident that such a setup results in a platform setting of
'pfsense'. If I later change the platform to 'embedded', can I use it on
a 'Real PC'? (for example, using an ATA-to-CF adapter). Of course I'll
lose the package manager, but will the VGA work as usual?


Correct, the two major differences between embedded and full are the
kernel (the embedded images lack VGA and keyboard) and the disk being
mounted rw/ro.

There are other minor differences.../var/* are symlinks to /tmp on
embedded and /tmp is a ramdisk - this is why most things disappear on
reboot for embedded images, we simply don't preserve them.  I don't
recall if the /var stuff is part of the build, or something that's
created on the fly if platform == embedded.

--Bill


Re: [pfSense-discussion] CF-IDE install help

2006-05-16 Thread Bill Marquette

On 5/16/06, Craig FALCONER [EMAIL PROTECTED] wrote:

Ahh cool thanks - I haven't rebooted a post beta2 machine yet :)


yeah, added for beta4 I believe :)

--Bill


Re: [pfSense-discussion] No altq support on linitx.com appliances? Also, plug for packaging on embedded version.

2006-05-08 Thread Bill Marquette

On 5/2/06, Carl Youngblood [EMAIL PROTECTED] wrote:

 So you are volunteering to get this working?   Keep in mind we do not
 have endless amounts of resources.

I'm totally willing to help with this, but if the developers aren't
open to the idea, then it can be a really uphill battle.  So I wanted
to make sure you guys were supportive of the idea, especially since I
am not nearly as skilled with BSD as you guys are.  But I am willing
to help out, and our sysadmin here also has some good linux experience
and some exposure to BSD.  As long as you guys are willing to point us
in the right direction on occasion.


We're willing and want some subset of packages on embedded platforms.
However, we don't have the resources to put it in ourselves - it's a
fair amount of work to make it stable.  Also, embedded platforms
usually have a limited amount of RAM (my two development WRAPs for
example have 64M RAM - the absolute minimum pfSense will even run on)
- I can't imagine losing any RAM on most of those platforms for
ramdisk.  So, we need a way to determine how much ram and/or ramdisk a
package will require and detect if your machine is even qualified to
run it.  Currently, it's easier to disable the functionality as it's a
very conditional item.  Anyone willing to make it work and make it
work right is welcome to try - just understand that it's not as simple
as "well I've got a 256M embedded box and it'll work here, so it must
be good".

--Bill


Re: [pfSense-discussion] Vmware Tools and pfSense

2006-04-24 Thread Bill Marquette
FWIW, while the lnc device reports as 10Mbit, it'll actually do more.
It's still slower than either the vmware tools driver or the e1000
interface, but it's definitely faster than 10Mbit.

--Bill

On 4/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hello,

 I'm planning to get pfSense running inside vmware, so to have routing and 
 firewall functions within the hosts attached to the internal virtual switches.
 However, as far as I got to know, 10 Mbps functionality only would be 
 obtainable out of the interfaces of the virtual machines, unless Vmware Tools 
 are properly installed into the guest operating system, along with the 
 benefit of 100 Mbps speed.  For such reason, I thought to add Vmware Tools to 
 the VM hosting the pfSense software but, unfortunately, the pfSense 
 installation image does not come with a suitable perl interpreter, as 
 required by the Vmware Tools installation process.


 Thank you for any hint on this subject, pfSense installation image shipped in 
 the future with a perl interpreter bundled altogether perhaps?

 Best regards

 Marco Masotti





Re: [pfSense-discussion] web interface and dependancies...

2006-04-18 Thread Bill Marquette
On 4/18/06, Gregory Machin [EMAIL PROTECTED] wrote:
 Hi.
 I'm looking for a list of dependencies for the web interface ...
 I know it requires php and an http server .. but are there any others..
 Any advice would be great..

 Many Thanks

pfSense is a firewall distribution, not a standalone package.

--Bill


Re: [pfSense-discussion] when IPv6 support?

2006-04-11 Thread Bill Marquette
On 4/11/06, Eugen Leitl [EMAIL PROTECTED] wrote:

 [Previous message didn't seem to have come through, so I'll
 try this one without signing.]

 Folks, when is IPv6 support planned?

No time frame.  Nobody is working on it at this time, feel free to
submit patches.

--Bill


[pfSense-discussion] IPSEC diff to test

2006-04-04 Thread Bill Marquette
Can I get a couple people to try out the following diff?  It (I think)
fixes the 'prefer older sa' option that actually prefers newer SA's
issue (the one where we tell you to click that option to prefer it :))
Before I commit this, I'd like some feedback from people that have
done this to fix ipsec issues as well as people that haven't used this
option (and can confirm it's not breaking anything).  If it's
absolutely required, I can post a full version of the file, but the
full install (I know embedded doesn't have it) should have diff and
patch, so this should apply.

Save to /tmp/vpn.inc.diff and run:
cd / && patch < /tmp/vpn.inc.diff
If there are no rejected entries, reboot.  If it fails - go to
Diagnostics - Edit file and update /etc/inc/vpn.inc with
http://cvstrac.pfsense.com/getfile?f=pfSense/etc/inc/vpn.inc&v=1.89.2.18

Thanks

--Bill


Index: vpn.inc
===
RCS file: /cvsroot/pfSense/etc/inc/vpn.inc,v
retrieving revision 1.112
diff -u -r1.112 vpn.inc
--- vpn.inc 11 Mar 2006 22:45:22 -  1.112
+++ vpn.inc 29 Mar 2006 14:00:23 -
@@ -118,9 +118,9 @@
   }

   if(isset($config['ipsec']['preferredoldsa'])) {
-   mwexec(/sbin/sysctl net.key.preferred_oldsa=0);
+   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=30);
   } else {
-   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=-30);
+   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=0);
   }

   $number_of_gifs = find_last_gif_device();
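Review bot: the hunk swaps the values assigned in the two branches (enabled now gets 30, disabled gets 0, where before it was 0 and -30) but leaves nothing in the code saying which value makes the kernel prefer the older SA, which is exactly the confusion this patch is correcting; add a one-line comment above the if stating what net.key.preferred_oldsa=30 and =0 mean, and consider checking mwexec's return value so a failed sysctl is logged rather than silently ignored. Making both calls use `-w` (the old first branch lacked it) is a welcome consistency fix.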
@@ -1233,4 +1233,4 @@
   return 0;
 }

-?
\ No newline at end of file
+?
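Review bot: this hunk only adds the missing newline after the closing PHP tag at the end of vpn.inc (rendered here as `?`, apparently with its `>` lost by the archive); it is harmless and unrelated to the SA change, but since vpn.inc is an include file it would be safer to drop the closing tag altogether so that stray whitespace after it can never be emitted as output before headers are sent.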


Re: [pfSense-discussion] Re: Outbound load-balancing

2006-03-30 Thread Bill Marquette
On 3/30/06, Craig Roy [EMAIL PROTECTED] wrote:
 Hi David,

 You are fortunate that your ISP supports aggregate connections. Here in
 Australia, all ISPs don't want to know about it. Their attitude is, if
 you want to go faster, then get a faster connection and pay up to 10 times
 the price.

 However, I did download a 600MB files since replying to your email and my
 PFSense did download this file across both connections at the same time. It
 took me 26minutes to get this file down.

 I could see that both DSL Routers were being hammered quite hard
 simultaneously, and when viewed in the Traffic graphs for WAN and OPT
 interfaces, the bandwidth incoming and outgoing was exactly the same.

 I have 2 1.5/256 DSL connections configured as Round Robin, but only on my
 end as I mentioned earlier all ISP's here don't support aggregating. My good
 fortune in downloading that large file was most likely something to do
 with the server that I was getting it from, recognising both IPs.

Any chance you're using a download manager?  A number of them will
open up multiple connections to the destination server and request
individual chunks of a file.  FWIW, we round robin network flows, so
this would have HAD to use multiple tcp connections to work the way
you are describing.

--Bill


Re: [pfSense-discussion] Traffic Shaper wizard thoughts

2006-03-26 Thread Bill Marquette
On 3/21/06, Josh Stompro [EMAIL PROTECTED] wrote:
 I think this would be a great idea, I am also in this boat where I would
 like to shape on more than one interface.  I realize it can be done
 manually, but it would be nice if the wizard took care of it.

 Is there any more documentation on pfsense's traffic shaping that what
 is listed in the monowall handbook?
 http://doc.m0n0.ch/handbook/trafficshaper.html

 I would like to limit the opt interface to 384kbits up/down and
 guarantee that a certain machine or machine's on the lan side get higher
 priority than anything else, for any traffic they send. Along with the
 Ack rules so that downloads don't kill latency.  Since you can only
 shape traffic what is sent on an interface, the Wan queue has to deal
 with limiting traffic coming from opt1, which I don't understand how to
 do yet.

The code to do this got backed out 9 months ago.  It'll be put back in
later after I get positive feedback on the current code.  I'm tired of
tracking down shaper bugs and trying to get the simple stuff we have
working right (it should now, but I want to work on other stuff for a
while - I'm kinda burnt out on it).

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-15 Thread Bill Marquette
On 3/15/06, Chun Wong [EMAIL PROTECTED] wrote:
 Chipset ? I'm not sure tbh, its an abit board I purchased 4-5 years ago.

 The source is on a HP Netserver LH3000 (2 x P3 866Mhz, 2.25Gb RAM) with dual
 64 bit PCI bus. 3 x Intel Pro MT1000 gig nics (64bit).  The disk subsystem
 is 2 x megaraid scsi/sata controllers, with scsi3 and sata raid 5 arrays.

 I doubt the bottleneck is there. Although it is running vmware 2.5.1 at the
 moment. The guest OS is Windows XP SP2. I guess I need to see what happens
 when I run straight linux on the box.

VMWare performance regardless of whether this is ESX or not (I'm
assuming ESX, not workstation or GSX) sucks.  Use a physical box for
this type of testing.

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-14 Thread Bill Marquette
On 3/14/06, Jim Thompson [EMAIL PROTECTED] wrote:
 Chun Wong wrote:

 Hi,
 I have two fw platforms, mono 1.21 running on a Nokia120 and pfsense1.0beta2
 running on an AMD athlon 900.
 
 I can get 2.2MBs on the 120 platform, at 96% cpu usage. On the athlon,
 32bit, 33Mhz pci, I can get 7MBs using Intel PRO 1000MT 64 bit PCI cards.
 
 My question is what speed/type cpu do I need to use to improve on this with
 a PCI-X bus? (64bit, 33Mhz or maybe 66Mhz)
 
 I would like to get 15-20MBs, but without spending too much. I am looking at
 a 2nd hand Supermicro FPGA370 dual Pentium mb, with PCI-X bus.
 
 All my NICs are Intelpro MT1000, 64bit.
 
 Thanks
 
 
 Something else is wrong.  Either of these platforms should be able to
 forward at something close to 100Mbps, if not higher.

Agreed...unless those MT1000's are plugged into 100Mbit ports (but I
guess that would fall under the something else is wrong) :)  Then
70Mbit wouldn't be entirely out of line (depending on the test
software).  500Mbit throughput is about all you'll practically get on
a 33Mhz 32bit slot and in practice, it'll be somewhat slower (closer
to 3-400Mbit).  A 64bit/66Mhz slot will make that a much higher
ceiling.

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-14 Thread Bill Marquette
On 3/14/06, Chun Wong [EMAIL PROTECTED] wrote:
 On the fw traffic graph, I see 30 megabits per second on the 120 (95% cpu)
 and 75 megabits peak on the athlon platform (45% cpu).

This certainly suggests that CPU on the athlon is not your limiting factor.

 to be honest I was expecting a lot more.

 I am using an 8 port SMC gigabit switch that supports jumbo frames - how do
 I increase the ethernet frame size on the firewall interface ?

I believe there is a hidden option to change MTU - I'll leave it to
someone else to provide that option.

 I'll see if I can rig up an extra long crossover cable to bypass the switch.

 If I am supposed to see 400 megabits, then I presume this is split between
 the incoming nic and outgoing nic, so 200 megabits per second ??

No, that's 400Mbit throughput :)  A 32bit/33Mhz bus is roughly around
1Gbit transfer rate so 500Mbit would be the absolute max.

 Any ideas where I should be checking ?

netstat -ni from the shell and see if you're taking any interface
errors on all the machines involved in the test.

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-14 Thread Bill Marquette
On 3/14/06, Rainer Duffner [EMAIL PROTECTED] wrote:

 Am 14.03.2006 um 20:52 schrieb Greg Hennessy:

 
 
  I'd love to get the chance to throw an Avalanche at a decent system
  running
  PF to see what it really can stand up to.

Quite a bit.  I ran out of Avalanche/Reflector capacity at 750Mbit,
but the OpenBSD box I pointed the firehose at, was only hitting about
30% CPU load at the time.  I expect I'd see better performance out of
FreeBSD (w/ or w/out Andre's work).  I plan on running the same tests
against pfSense 1.0 when released.

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-14 Thread Bill Marquette
On 3/14/06, Greg Hennessy [EMAIL PROTECTED] wrote:

 
  Quite a bit.  I ran out of Avalanche/Reflector capacity at
  750Mbit, but the OpenBSD box I pointed the firehose at, was
  only hitting about 30% CPU load at the time.

 Interesting, what nics were in the box ?

HP DL380G3 w/ Broadcom and Intel NICs.  I also ran an iperf test, but
ran out of physical boxes to generate and receive the load at around
900Mbit (I did determine the maximum xmit/receive rate of a Sun v120
running Solaris 8 though ;) )  During the iperf tests, the cpu load
was closer to 25%, but iperf generates larger packets, so that's no
huge surprise and why Avalanche is a much closer to real life test.

I've got some interestingly crappy test results while working on the
shaper before Beta 2 on a 1Ghz Via cpu here:
http://www.pfsense.com/~billm/spirent/1/
And I do mean crappy.  I wasn't trying too hard to get a good working
test, just tossing traffic to see what's blowing up and why.

  I expect I'd
  see better performance out of FreeBSD (w/ or w/out Andre's
  work).  I plan on running the same tests against pfSense 1.0
  when released.

 Looking forward to it.

 Putting in a DL-385 for the same client, on 6.x/PF with 4 * em to firewall
 off a large network backup environment.
 I should have some pretty symon pictures soon.

Very interested in results from a high throughput environment.  I'm
probably a good year or so away from deploying pfSense anywhere near
our high throughput (high dollar) production environment but I'm
interested in others' results in the meantime.  For now, that
environment is staying on OpenBSD (and pf's native OS).  We're a large
company and pfSense doesn't meet our internal audit requirements just
yet - that's on my todo list (multi-user, change logs, etc).

--Bill


Re: [pfSense-discussion] Everything else sucks

2006-03-11 Thread Bill Marquette
Now with better traffic shaping.  Many thanks go to our new dev.
Leon on the find (and fix).

--Bill

On 3/11/06, Scott Ullrich [EMAIL PROTECTED] wrote:
 Fresh out of the oven:

 http://www.pfsense.com/~sullrich/RELENG_1_SNAPSHOT_03-10-2006/


 On 3/11/06, Randy B [EMAIL PROTECTED] wrote:
  I've spent the last month making a grand tour of the firewall world -
  tried everything from IPCop to Smoothwall, a fully-licensed PIX-515E
  from work to m0n0wall, and I still come back to pfSense.  Not only is
  this my hobby, I oversee a flock of ~70 PIXen  FWSMs at work every
  day.
 
  There's just nothing quite as feature-rich, easy to use, or quick to
  set up.  GNAP comes close, and I'm working on making some custom
  extensions to it that may draw me away from pfSense again, but making
  it do 95% of what I want takes _so long_.  I just wish I was more
  conversant with *BSD so I could really dig under the covers like I did
  on the Linux-based ones, even though I was greatly disappointed when I
  did.
 
  Granted, you're going to get more horsepower, support, and scalability
  with a commercial appliance, but they leave out things that should be
  simple - like setting up port-forwarding.  Then there are the *really
  nice* things, like 3rd-party extensions.
 
  Like I said, I may be drawn away again some day, but for the time
  being I'm back to stay.  In that light, is there anything newer than
  Beta-2?
 
  RB
 



Re: [pfSense-discussion] Small suggestion

2006-03-05 Thread Bill Marquette
On 3/5/06, Lawrence Farr [EMAIL PROTECTED] wrote:
 How about having the ip's pop up if you hover over the
 interface name?

Where?  Care to do a mockup of what you are envisioning?  Thanks

--Bill


Re: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread Bill Marquette
So let me get this straight.

The cable that's plugged into the LAN nic if unplugged from LAN and
plugged into each of the OPT nics works?  Sounds like a switch or
cable issue.  Have you tried the reverse?  Plug the cables that are in
the non-working OPT interfaces into the known working interface (LAN)?
 And for that matter, plugging the known working cable and the known
working interface into the switch ports that you are trying to plug
the OPT interfaces in?

--Bill

On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 nope, doesn't fix it. Just upgraded. Still as broke as it was an hour ago.
 The system is a Dell Optiplex (I can't find the model number at this time). It
 has a Pentium 3 and a 10 GB harddrive, if that helps at all.


  -- Original message --
 From: Scott Ullrich [EMAIL PROTECTED]
  On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  [snip]
   I'm using Beta 1 right now, because I don't think that upgrading to Beta2
  would
   fix this.
 
  Upgrade.  There were only 91+ fixes between beta1 and beta2 and
  countless FreeBSD fixes.
 
  Scott




Re: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread Bill Marquette
So-called uplink ports are meant to plug a switch into another
switch, not a router.  Some newer switches also do cable autosense and
will cross the RX/TX pairs if needed (your Linksys probably does
this).

--Bill

On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Well, I seem to have fixed it, but the solution makes no sense to me.
 Perhaps it will make more sense to those of you with more networking 
 knowledge than I.

 All of the cables leaving the PfSense box went to switches. The one hooked up
 to the LAN had the cable plugged into a regular port on the LAN switch, all the
 others were plugged into the uplink port on those switches.

 So, when I moved all of the cables from the uplink port on the switches, to 
 a regular port on those switches, all of a sudden things worked just fine.

 Why? I thought the purpose of the uplink was to connect to a higher switch 
 (in this case, the PfSense box a.k.a router). The former router (a commercial 
 speedstream that the pfsense box replaces) worked just fine with all the 
 switches hooked up with the uplink port. Heck, even my pfsense box at home 
 worked just fine with my linksys switch using the uplink port.
 What is with this ambiguity?!

 Anyways, thanks to you all for help. I'm sorry if I may have caused any 
 problems.
 If anybody knows why what I did works (why the uplink port seems to be a 
 curse/miracle) please explain, I would love to know. And besides, if somebody 
 ever has the same problem, and they search the mailing lists, they'll find 
 the answer.
 Thanks again!
 Anthony


  -- Original message --
 From: Bill Marquette [EMAIL PROTECTED]
  So let me get this straight.
 
  The cable that's plugged into the LAN nic if unplugged from LAN and
  plugged into each of the OPT nics works?  Sounds like a switch or
  cable issue.  Have you tried the reverse?  Plug the cables that are in
  the non-working OPT interfaces into the known working interface (LAN)?
   And for that matter, plugging the known working cable and the known
  working interface into the switch ports that you are trying to plug
  the OPT interfaces in?
 
  --Bill
 
  On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   nope, doesn't fix it. Just upgraded. Still as broke as it was an hour ago.
   The system is a Dell Optiplex (I can't find the model number at this 
   time) It
  has a Pentium 3 and a 10 GB harddrive, if that helps at all.
  
  
-- Original message --
   From: Scott Ullrich [EMAIL PROTECTED]
On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
[snip]
 I'm using Beta 1 right now, because I don't think that upgrading to 
 Beta2
would
 fix this.
   
Upgrade.  There was only 91+ fixes between beta1 and beta2 and
countless FreeBSD fixes.
   
Scott
  
  




Re: [pfSense-discussion] licience of php interface ?

2006-02-28 Thread Bill Marquette
On 2/28/06, Adam Gibson [EMAIL PROTECTED] wrote:

 Just to be sure we are on the same page.  I am referring to static port
 mappings.  Not static IP NAT mappings.  I am pretty sure most
 firewalling filters can do static IP mappings through NAT (1 to 1, etc).
 Basically just making sure that the src port stays the same during the
 NAT traversal.

 Where 10.10.10.10 is LAN client behind firewall NAT
 Where 12.1.1.1 is some internet server
 Where Firewall WAN has ip 69.1.1.1

 src 10.10.10.10:1000 dst 12.1.1.1:2
|
 firewall with IP 69.1.1.1
|
 src 69.1.1.1:1000 dst 12.1.1.1:2

 The static-port feature only exists in pf from 5.x versions of freebsd.
 I am very confident you won't find that feature in ipfilter on freebsd.
 I looked for an equivalent feature and it just wasn't there.

IPFilter does this by default.  To quote the man page:

For  map rules, the destination address will be one for which the tuple
   combining the new source and destination is known to be unique.  If the
   packet  is either a TCP or UDP packet, the destination and source ports
   come into the equation too.  If the tuple  already  exists,  IP  Filter
   will increment the port number first, within the available range speci-
   fied with portmap and if there  exists  no  unique  tuple,  the  source
   address  will be incremented within the specified netmask.  If a unique
   tuple cannot be determined, then the packet  will  not  be  translated.

And the BNF syntax:
   map ::= mapit ifname ipmask -> dstipmask [ mapport ] mapoptions.
   map ::= mapit ifname fromto -> dstipmask [ mapport ] mapoptions.
.
.
.
  mapport ::= portmap tcpudp portspec .

portmap is not a required parameter.

Also, the ipf howto (dated Dec 11, 2002) on obfuscation.org also
claims this to be default IPFilter behaviour. 
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_29

pf can also do it, we could generate the rules to do it by default. 
We don't.  FWIW, in FreeBSD pf has only been in tree since 5.3, you
won't find it available on m0n0 which is IPFilter based.  I can't
speak any more towards m0n0's usage of IPFilter as I don't use m0n0,
never have, never will - nor have I ever seen m0n0's code outside of
what we've imported into our tree (which no longer includes the
IPFilter code).

   - Time rules without needing scripts or cron jobs.
 
  Yeah, that's never going to happen in PF, nor should it.  Cron was
  designed to schedule jobs to run, it can do a perfectly adequate job,
  we just need to write the code.

 opinions are just that... everyone has one.  So you would rather have a
 cron script inject and remove rules than have the filter code take care
 of it?  This just works in iptables and works well.

Yes, I would.  I don't see the need to make the kernel code more
complex.  Stateful inspection code is already complex enough without
contaminating it with time management code that doesn't belong there. 
Userland can handle this just fine and should.

   - conntrack(nat) modules for irc, amanda, netbiosns, and many other
   modules to make protocols work or work better by default without needing
   helper applications to get them working behind NAT.
  The NAT modules just aren't there yet as nobody with the skill and
  desire has written them.  I agree that it's a pain, but I personally
  find the linux filtering engines to be a pain to work with too.
 

 Hence wanting to use iptables.  It has more features that I personally
 need.  As far as being a pain, I would disagree.  Everyone has their
 opinions and so there is no right or wrong here.  As long as we are both
 happy :).  That is what choice is all about with Linux, *bsd, etc.  It's
 all free and all good.  Just have to choose what works for you.

   - Ability to pick from a bunch of extra features in patch-o-matic for
   even more nat modules and such.
 
  sounds scary
 

 Not as long as you don't grab alpha quality modules :).  Being in
 control of picking them makes the difference.

   - different logging features.  Ability to put a text description in
   syslog logging messages for firewall rules.
 
  Hrm, that may actually already be doable, we just don't expose it.
  I've got better ideas along these lines anyway.
 

 Again... this just works the way I want with iptables hence wanting to
 use it for my firewalling needs.

   - Ability to push accept/drop/reject decisions to userspace using ipq.
   Imagine a firewall that blocks everything by default and then when you
   run the firewall administration web page, any new connections will be
   displayed and allow the user to accept or deny it so that the user can
   automatically generate rules based on that information.  I mainly use
   this for creating zonealarm type functionality on Linux currently where
   a gui X windows comes up asking the user to allow or reject any
   incoming or outgoing connections.
 
  There are good reasons to not do that.  With that said, it's trivial
  to do 
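As an added illustration of the static-port point from the start of this message (example rules written for this page, not pfSense's generated rules and not from anyone in the thread): the pf nat rule that rewrites source ports by default, beside the static-port form that keeps 10.10.10.10:1000 as 69.1.1.1:1000 the way the diagram quoted above shows. The interface name and the LAN network are assumed. The IPFilter equivalent, per the man page quoted above, is a map rule with no portmap clause.

```pf
# Added example for this page; not pfSense's generated rules.
# Interface name and LAN network are assumed.
ext_if  = "fxp0"
lan_net = "10.10.10.0/24"

# Translation rules: the FIRST matching nat rule wins, so the host that
# needs its source port preserved is listed before the catch-all.
#
# static-port keeps the original source port: 10.10.10.10:1000 leaves the
# WAN as 69.1.1.1:1000, as in the diagram quoted above. pf still keys the
# state on the full (src, sport, dst, dport) tuple, so two hosts behind the
# firewall using the same source port to the same destination would
# collide; that is the price of not rewriting the port.
nat on $ext_if from 10.10.10.10 to any -> ($ext_if) static-port

# Default behaviour for everyone else: the source port is replaced by one
# pf picks from 50001-65535 (or from an explicit "port lo:hi" range), which
# is what breaks protocols that require the original source port.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Check the syntax without loading, then inspect the loaded translation rules:
#   pfctl -nf /etc/pf.conf
#   pfctl -s nat
```

The ordering matters: nat and rdr rules are first-match, unlike filter rules, so a generic catch-all placed first would silently shadow the static-port rule.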

Re: [pfSense-discussion] pfsense on VMware ESX Server

2006-02-27 Thread Bill Marquette
On 2/27/06, Chris Buechler [EMAIL PROTECTED] wrote:
 Dave C. Arthur wrote:
  The system boots and runs. However when I try to install the system to
  the virtual HD, I receive a response that no HDD can be found (using the
  LSI controller).
 
  Any ideas on how to get the controller recognized?
 

 You can't.  FreeBSD 6 (and hence pfsense) is not supported in ESX
 Server, and in fact, VMware is completely dropping FreeBSD support on
 ESX 3.0.  If you have a support contract, I urge you to submit a support
 request, requesting FreeBSD support in ESX (as suggested by a VMware
 employee here:
 http://www.vmware.com/community/thread.jspa?messageID=356876#356876)

 I just submitted a support request myself, but it'll take a lot more
 voices to make it happen.

Arrghh, they just added it back in 2.5.  We've got a sizeable contract
with VMWare and a much more sizable contract with their parent company
EMC.  I'll see if I can't get someone to send a few complaint emails
around.

--Bill


Re: [pfSense-discussion] Routing

2006-02-20 Thread Bill Marquette
On 2/20/06, Kim C. Callis [EMAIL PROTECTED] wrote:
 And what differences and benefits will one get from the
 OpenBSD deployment?

This is just a test image to see if pfsense is screwing up altq in any
way or if it's an OS issue as I suspect.  There will be many
differences and many things not working - which won't be fixed.  The
benefit, determining where the shaper bug is - if the sucky
performance follows the OS, then it's our code, if it performs
wonderfully in openbsd, then it's the OS and we've got something to
report back to the freebsd devs (I've already performed line by line
code comparisons on ALTQ between FreeBSD and OpenBSD - there are no
significant differences).  There is a known bug report for CBQ (that
I've reproduced in pfSense) on FreeBSD, so I've got reason to suspect
it's not our code (although it's not out of the question, I've
certainly created and fixed enough bugs in it ;))

With that said, we did make a timing change on the embedded platform
that may or may not affect ALTQ.  If this is the platform you are
having issues on, I'd appreciate you trying
http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-19-06/
and reporting back.

--Bill


Re: [pfSense-discussion] Routing

2006-02-20 Thread Bill Marquette
On 2/20/06, Nick Buraglio [EMAIL PROTECTED] wrote:
 This is somewhat related...
 I just ran the shaping wizard (which I had not done in quite some
 time) has it changed much?  It seemed to be a little different to me.

Not visibly - but the rules it generates have changed over time.

 Didn't there used to be an option to not use the wizard and create
 your own rules (I'm trying to remember how I did it)?

Sure, just create rules - good luck, right now that's not easy and I'm
not going to spend any time supporting user generated rules until we
can make it easy to create them.

 Is there a reason that ssh (bulk and interactive) isn't in the
 default protocol list for higher priority?  I remember this from last
 time I did it, it seemed odd to me.

Assuming OpenSSH which sets the TOS bits so we can tell, interactive
will by default end up in the ack queues and bulk will end up in the
default queue.  There's intentionally no way of changing these as
outside of OpenSSH, vendors don't tend to set the TOS bits and I don't
believe it's part of the protocol spec to enforce that.  At any rate,
I believe OpenSSH interactive would just end up in the ack queue based
on how pf works anyway.

--Bill


Re: [pfSense-discussion] Routing

2006-02-19 Thread Bill Marquette
On 2/19/06, Kim C. Callis [EMAIL PROTECTED] wrote:
 I am currently running 1.0-BETA1-TESTING-SNAPSHOT-2-2-06.
 Several days ago, I found my bandwidth greatly reduced. On
 my E-1, I would be getting about between 41-140K coming down
 and at best 20K going up. As soon as I removed the shaper,
 everything returned to normal.

Thanks, that's what I needed.  The shaper was working for a while
though I take it?  Also, after upgrading, did you re-run the wizard? 
Or was this with a beta1 config file?

--Bill


Re: [pfSense-discussion] Routing

2006-02-19 Thread Bill Marquette
On 2/20/06, Kim C. Callis [EMAIL PROTECTED] wrote:
 I started the traffic shaping on
 1.0-BETA1-TESTING-SNAPSHOT-2-2-06. I had it running for
 awhile and then I stopped. About two weeks ago, I restarted
 the shaper. It seemed to be working well, and I had
 forgotten about it. Then I started having throughput
 problems. As soon as I stopped the shaper, everything went
 back to normal. Currently, I have the shaper off and am
 monitoring service.

OK, thanks again.  I'm working on an openbsd embedded image to do some
testing with, I'll send out a general announcement asking for testers
when it's ready.

--Bill


Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option

2006-01-27 Thread Bill Marquette
On 1/27/06, Adam Gibson [EMAIL PROTECTED] wrote:
 Thanks for the direction.  I found the static-port setting.  Someone has
 probably already noticed the bug but the NAT listing does not display
 properly for the rule I just created (the fields are in the wrong spot in
 the table but editing the rule looks like it is setup correctly).  I
 won't be able to test it until later tonight.  This is the xml that was
 generated.  The UDP packets in question that originate from the OPT1
 network are src=192.168.1.140 srcport=28004 dst=192.246.40.28
 dstport=27650 .

Odd, I fixed that display issue a while ago, it should be in the
latest snapshot :-/

--Bill


Re: [pfSense-discussion] feature request: vmps

2006-01-16 Thread Bill Marquette
Looks like something someone interested in writing a package should
do.  The GPL'd nature means that it's unlikely to ever make it into
pfSense core (we're only adding BSD license-compatible software - BSD,
MIT, etc) without a complete rewrite or a license change.

--Bill

On 1/16/06, Jure Pečar [EMAIL PROTECTED] wrote:

 Once, in the not-too-distant future, when pfSense becomes THE opensource 
 firewall :), it might be nice to have this onboard: http://vmps.sf.net/

 --

 Jure Pečar
 http://jure.pecar.org




Re: [pfSense-discussion] access NATed services by the public IP address from LAN review

2006-01-06 Thread Bill Marquette
Someone hasn't done their research.  This has been answered in the ML,
the forum, the FAQ, AND the blog.

--Bill

On 1/6/06, Claudio Castro [EMAIL PROTECTED] wrote:
 Scott Ullrich escribió:
  Do you have a question?
 

 Of course, can't you read?

 So, that means that if I have my NATed services in a different
 interface (other than the LAN) e.g. a DMZ, is it possible to access
 this NATed services from the LAN Subnet??
 and if that is correct, HOW do I redirect connections from local
 clients in order to access the NATed services on DMZ?

 And let me add another question, does pfsense include a bounce utility at
 this time?


  On 1/6/06, Claudio Castro [EMAIL PROTECTED] wrote:
 
  Guys..listen to this:
 
  *Problem. *It is not possible to access NATed services using the
  public (WAN) IP address from within LAN (or an optional network).
  Example: you've got a server in your LAN behind pfSense and added a
  NAT/filter rule to allow external access to its HTTP port. While you
  can access it just fine from the Internet, you cannot access
  http://your-external-ip/ from within your LAN.
 
  *Reason. *This is due to a limitation in pf (the firewalling software
  used in pfSense). pfSense does not include a bounce utility at this
  time
 
  Ok, we all know that, but, looking at here:
  http://www.openbsd.org/faq/pf/rdr.html#reflect it proposes 3 solutions,
  the first one is the same that m0n0 FAQ's propose,
  forwarding/overriding of DNS. Now, the second one caught my attention, it
  says this:
 
 
   Moving the Server Into a Separate Local Network
 
  Adding an additional network interface to the firewall and moving the
  local server from the client's network into a dedicated network (DMZ)
  allows redirecting of connections from local clients in the same way
  as the redirection of external connections. Use of separate networks
  has several advantages, including improving security by isolating the
  server from the remaining local hosts. Should the server (which in our
  case is reachable from the Internet) ever become compromised, it can't
  access other local hosts directly as all connections have to pass
  through the firewall.
 
  So, that means that if I have my NATed services in a different
  interface (other than the LAN) e.g. a DMZ, is it possible to access
  this NATed services from the LAN Subnet??
  and if that is correct, HOW do I redirect connections from local
  clients in order to access the NATed services on DMZ?
 
  Regards,
 
  Claudio C.
 
 
 
 
 
 
 
 


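The DMZ variant from the OpenBSD FAQ quoted above, written out as pf.conf. This is an example added for this page; it is not the FAQ's own rules, not pfSense's, and not from anyone in the thread. Interface names and addresses are assumed. The web server sits on its own DMZ interface, so the LAN-side redirect works because the server's replies have to pass back through the firewall, which is exactly what does not happen when client and server share the LAN.

```pf
# Added example for this page; interface names and addresses are assumed.
ext_if  = "fxp0"          # WAN
int_if  = "fxp1"          # LAN
dmz_if  = "fxp2"          # DMZ (an OPT interface)
ext_ip  = "69.1.1.1"      # public address clients use
lan_net = "10.10.10.0/24"
www     = "192.168.2.10"  # web server, moved from the LAN into the DMZ

# External clients: redirect WAN-side port 80 to the DMZ server.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $www port 80

# LAN clients that use the public address: the same redirect, on the LAN
# interface. The server is on another interface, so its replies must come
# back through pf, which un-translates them. With the server on the LAN the
# reply would go straight to the client from the private address and the
# handshake would fail; that is the limitation the FAQ describes.
rdr on $int_if proto tcp from $lan_net to $ext_ip port 80 -> $www port 80

# Filter rules are evaluated against the translated (post-rdr) address.
pass in on $ext_if proto tcp from any to $www port 80 flags S/SA keep state
pass in on $int_if proto tcp from $lan_net to $www port 80 flags S/SA keep state
pass out on $dmz_if proto tcp from any to $www port 80 keep state

# The isolation the FAQ mentions: a compromised DMZ host cannot open
# connections toward the LAN (replies to LAN-initiated connections still
# flow, since they match existing state before this rule is consulted).
block in on $dmz_if from any to $lan_net
```

The last rule is the security argument for the DMZ layout: the server is reachable from the Internet, so it is the host most likely to be compromised, and the firewall, not the LAN switch, now sits between it and the rest of the local hosts.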


Re: [pfSense-discussion] Help!!! :)

2005-12-30 Thread Bill Marquette
You see a trend here?

--Bill

On 12/30/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 Add a rule to allow traffic to port 80 on the WAN.

 On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  Ok, I can ping the interface, I am just not getting the web
  interface to come up
 
  K.
 
  On Fri, Dec 30, 2005 at 03:50:35PM -0500, Scott Ullrich wrote:
  Add rules allowing ICMP to WAN interface.
  On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   Internally if I ping my external interface, it pings just
   fine. If I go to an external network and attempt to ping the
   WAN interface, it fails... The same is true of my virtual
   interface. I am wondering if I should be NATing something,
   or if there is a rule that I didn't add. Also this is true
   of ssh, webinterface, etc.
  
   K.
  
  
  
   On Fri, Dec 30, 2005 at 03:35:49PM -0500, Scott Ullrich wrote:
   What do you mean access the interface externally?  SSH, webConfigurator?
   
   On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I just installed 1.0beta... I am able to see the access and
see the WAN interface within the LAN, but I am not able to
access the interfaces externally. What rule did I forget to
add. My virtual interface is not viewable from the outside
world either...
   
K.
   
   
  
 



Re: [pfSense-discussion] Guidance for newbies in documentation

2005-12-25 Thread Bill Marquette
On 12/25/05, naveen [EMAIL PROTECTED] wrote:
 Hi All

 I am new to pfSense. I have two queries regarding pfSense.

 1) Does pfSense support any IP/any DNS (which is useful in hotspots, so
 wireless users need not change their IP address on their laptops)?

No, but most laptops use DHCP anyway, so this shouldn't be a big deal.

 2) Does pfSense support Bandwidth Control based on User/IP address?

Not directly (and I don't know anyone who's actually made this work
with our shaper).

--Bill


Re: [pfSense-discussion] Re: Newbie Q: security of php on perimeter firewall

2005-11-28 Thread Bill Marquette
On 11/28/05, Lists [EMAIL PROTECTED] wrote:
 system a bit better. the web server is thttpd, but i see lighttpd also
 in the cvs tree so they might be migrating to it.

Actually it's mini_httpd (although we do have thttpd in the tree - not
sure why).  And yes, we're moving to lighttpd for FastCGI support
which should (and does) speed up the webGUI interface.

--Bill


Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall

2005-11-28 Thread Bill Marquette
On 11/28/05, Chris Buechler [EMAIL PROTECTED] wrote:
 This part of the architecture has changed slightly from m0n0wall I
 believe, so if I go astray here, somebody kick me back into shape.  ;)

*kick*

 Basically, you can't get to PHP without first being authenticated.  At
 this point, if you're authenticated, you have root access to the box.

These days, the auth is completely handled in PHP.  So it's certainly possible.

--Bill


Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall

2005-11-28 Thread Bill Marquette
On 11/28/05, Sanjay Arora [EMAIL PROTECTED] wrote:
 However, I would like to make one request to the project design...users
 be given an easily configured & modular way to remove (i.e. not compile in)
 services they do not want on the pfsense box, i.e. the ones that are not
 basic to the basic firewall function & its GUI e.g. httpd, php & cgi.

Request evaluated.  W/out the webGUI, it wouldn't be pfSense, it'd be
FreeBSD.  So uhhh, just install FreeBSD and modify pf.conf by hand ;) 
You can then rewrite pfSense in shell and feel free not to include a
webGUI or use an XML config file (face it, it's not easy to parse that
in shell!).

Seriously, the whole point of pfSense is the GUI, if you don't want
it, and I mean this in the nicest way possible, you really really
don't want pfSense.

--Bill


Re: [pfSense-discussion] Unfork m0n0wall

2005-11-27 Thread Bill Marquette
On 11/27/05, Bennett [EMAIL PROTECTED] wrote:
 I've been looking for an open source firewall.  I found m0n0wall, IPCop,
 and few others.  I thought m0n0wall was great, but then I came across
 pfSense, and it was even better, picking up where m0n0wall left off.

I think you just summarized the fork right here.  Picking up where
m0n0wall left off - if this was m0n0 with a few patches here and
there, it wouldn't pick up where m0n0 left off, it'd be m0n0+patches.

 patches...Eventually, this bloated mess of patches is so convoluted that
 no one knows how it works and you're on your way to security holes and
 compromised networks.

m0n0 has a concept of a single administrator (as currently does
pfSense).  Unless the OS or web server has a remote vulnerability I
don't see any merit to your claim.  We are adding xmlrpc functionality
which will over time increase the security risk of an exposed GUI, but
until multiple administrators are added, that's not much of a risk
increase (same auth code).

 Thus, either you've doubled the work with half the developers/testers or
 you've doomed the code to buggy patches on top of patches.  This makes
 me question the founders of pfSense...Did they not foresee this when
 they decided to fork?  And these short-sighted individuals are who I am
 counting on to protect my valuable network?  Or is this some sort of ego
 thing?  Did the other m0n0wall programmers hurt their feelings so they
 ran off and made their own little project?  Or maybe the m0n0wall
 developers are unreasonable jerks and so pfSense politely forked rather
 than bash heads.  But those unreasonable developers are the ones who
 wrote the original m0n0wall code that you're using...

Never used m0n0, so I can't really speak about the original fork.  I
can however say why I started submitting patches to pfSense and not
m0n0.  pfSense uses pf, a filter software that I am comfortable with,
like, and has features far greater than ipfilter has.  I stumbled onto
pfSense after purchasing a 4801 and finding that the only embedded
firewall project ran ipfilter, which I didn't want to run, and had
started to write my own (for myself, it would have NEVER been
released).  To be frank, I work on pfSense BECAUSE it uses pf.  If
m0n0 switched today, I'd probably still stick with pfSense
development, I know the codebase pretty well, I like its openness.  I
also see a lot of issues in the codebase, stuff that I'd like to
rewrite, stuff that once rewritten will have zero chance in hell of
being backported to m0n0 or receiving further updates from m0n0. 
Again, an example of how the fork is going its own way and developing
its own code, not just patches.


 So, having said all that, why should I consider pfSense for my firewall
 when it's written by a bunch of unreasonable jerks and short-sighted
 egoists who are churning out an insecure, bloated spaghetti?  (Please
 don't get me wrong--I plan on using pfSense to secure my network and
 most likely at least two of my clients' networks, too.  I'm just looking
 for answers to quell my concerns.)

I've got a better idea.  After all you've said, why are you choosing
pfSense over m0n0?  What have we done right that's made you want to
choose pfSense over m0n0?  I assume we've done _something_ right for
you to choose an alpha project over a released product.

--Bill


Re: [pfSense-discussion] Squid and traffic shaper

2005-11-17 Thread Bill Marquette
This couldn't have been a more timely question.  Here's a post from
the author of pf that explains all you'd ever want to know about
shaping.

--Bill

From: Daniel Hartmeier [EMAIL PROTECTED]
This question pops up frequently, if this reply is too wordy, that's
just so I can reference it in the future and save typing. My apologies
to the poster if this is all obvious already. ;)

Rate-limiting network packets means dropping packets. It's not like a
water utility pipe where you can shut the faucet incrementally and slow
down the water running towards you from the water company, leaving
unused water in their tanks. There are no reservoirs like that in a
network (ignoring some very small buffers). If a sender is sending you
packets at a rate higher than you can receive them, packets are dropped
wherever there are gaps of decreasing bandwidth. And these gaps are on
routers at your ISP and further upstream. Many of them will drop random
packets. Some can be configured to drop based on criteria, but you don't
control those criteria, because they're not your routers.

Imagine you have a 1024 kbit/s downlink from your ISP to you. Assume
your ISP himself has a much larger downlink himself. You're downloading
a file from a web server on the Internet. Then some evil person starts
sending you a flood of pings. Let's say that person has an uplink of
2048 kbit/s. Now your ISP is receiving two kinds of packets destined for
you: a stream of TCP packets from the web server, and a stream of pings
at 2048 kbit/s. He can't possibly forward all these packets to you,
since only less than half of them fit onto the link to you. So he simply
forwards as many packets as he can, randomly dropping the rest.

Obviously many of the TCP packets will get dropped randomly now. TCP is
clever and adjusts to this, the sender recognizes that there is loss
between him and you, and will start to send at a lower rate. Meanwhile
the flooder continues to send you pings at a happy rate of 2048 kbit/s.

You'll notice how your download gets slower and slower, and you consider
using rate-limiting incoming packets. You identify that the http packets
are those that you prefer over the pings, and tell ALTQ to drop incoming
pings exceeding, say, a harmless rate of 64 kbit/s and reserve the rest
for the more important http packets. Fine, it could do that.

But it wouldn't change anything, because the congestion is upstream of
your ALTQ box. You can drop as many packets as you like after you
received them, that doesn't free up any bandwidth on your downlink. The
downlink will continue to carry mostly ping packets, because you
dropping packets has no influence on what happens at either sender, at
your ISP's router dropping random packets, or on your downlink. Just
like the rate of water you can draw from your water line isn't influenced
by what you do with the water that has already come out of it. Rate-limiting
is not like a faucet.

This is the reason you often get the answer "It just doesn't make sense
to rate-limit incoming packets", and I guess that's the reason why ALTQ
simply doesn't add queues for incoming packets, but only outgoing ones.

Now, if we forget about the DoS case, and assume you have only
flow-controlled TCP connections with cooperative peers, things are a little
different. If you receive two streams of TCP packets, and you start
dropping packets of one stream (after you have received them and they
have taken up bandwidth on your downlink), the corresponding peer will
detect that loss and helpfully slow down sending, freeing up bandwidth
on your downlink for the other peer. In fact, if you tell your ALTQ box
to limit one stream to, say, 128 kbit/s, and drop all excess packets,
that peer will (eventually, by trial and error) come to the conclusion
that sending you packets at a rate of about 128 kbit/s is the optimal
thing to do. But it's important to realize that you're not really
enforcing this limit, but it's the peer that kindly reacts in that
way.

If you want to do this with ALTQ, you can do so by limiting outgoing
packets on the other interface, assuming the box is forwarding all
packets between two interfaces. If a browser (on a separate local box)
is downloading a file from an external web server _through_ the ALTQ
box, you rate-limit packets going out through the internal interface.
Every packet coming in on the external interface obviously goes out
through the internal interface, hence rate-limiting outgoing packets on
the internal interface has the same effect as rate-limiting incoming
packets on the external interface.

This does not work if the client is on the ALTQ box itself, obviously
(there is no other interface to rate-limit on). In this case you're
facing a limitation of ALTQ itself. You might have to move ALTQ onto an
additional intermediate box, just so you do have a second interface. I
don't think there are any plans to introduce incoming queues in ALTQ.



On 11/17/05, Kieron Mohindra [EMAIL PROTECTED] wrote:
 Hi 

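Daniel's closing point (queue on the interface the packets leave through) and Bill's OpenSSH remark in the "Routing" thread further up (interactive ssh lands in the ack queue because of its TOS bits), as one pf.conf example added for this page rather than taken from the thread or from the pfSense shaper wizard. Interface names, queue names and the rates are assumed; the 1024 kbit/s downlink is the figure from Daniel's post.

```pf
# Added example for this page; not the pfSense shaper wizard's output.
# Interface names, queue names and rates are assumed.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "10.10.10.0/24"

# Download shaping is done on the LAN-facing interface: everything received
# on $ext_if for the LAN is sent out $int_if, and that is where pf can queue.
# The total is set a little under the real 1024 kbit/s downlink so that this
# box, and not the ISP's router, is the one deciding which packets to drop;
# the TCP peers then back off to the rate that is let through.
altq on $int_if cbq bandwidth 960Kb queue { q_ack, q_http, q_bulk }
  queue q_ack  bandwidth 20% priority 7 cbq(borrow)
  queue q_http bandwidth 50% priority 4 cbq(borrow)
  queue q_bulk bandwidth 30% priority 1 cbq(default borrow)

# The LAN host's first packet, coming in on $int_if, creates the state, and
# the queue named on that rule tags every packet of the connection. Replies
# from the Internet then wait in these queues on their way out $int_if.
# Filter rules are last-match, so the generic rule goes first.
# (Other filter rules for the box are omitted.)
pass in on $int_if proto udp from $lan_net to any keep state queue q_bulk
pass in on $int_if proto tcp from $lan_net to any flags S/SA keep state queue (q_bulk, q_ack)
pass in on $int_if proto tcp from $lan_net to any port 80 flags S/SA keep state queue (q_http, q_ack)

# queue (a, b): the second queue takes empty ACKs and packets whose TOS is
# lowdelay. OpenSSH marks interactive sessions lowdelay and bulk transfers
# (scp, sftp) throughput, so an interactive ssh session rides in q_ack and
# a bulk one in the default queue without any rule naming port 22.

# There is deliberately no altq on $ext_if for arriving traffic: pf queues
# only outgoing packets, and dropping packets after they have already
# crossed the downlink frees nothing, which is the point of the post above.
```

Note the usage limitation Daniel raises: this only works because the firewall forwards between two interfaces. If the downloading client were the ALTQ box itself there would be no second interface to queue on.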