Re: [pfSense-discussion] squid.inc gotchas

2011-06-05 Thread Bill Marquette
On Sun, Jun 5, 2011 at 6:10 AM, Odhiambo Washington odhia...@gmail.comwrote:

 Hello Everyone,

 I am new to pfsense - using it for the first time, though I've known about
 it all these years.

 Kindly bear with me on this one.

 I am running *2.0-RC2* and I've been trying to achieve a few things with
 Squid (3.1.9). It's not been well as squid refuses to start.
 I managed to spend some time on this matter and figured out that the
 problems are resident inside squid.inc.

 I still do not understand why we have this on line 903 of squid.inc,
 especially the deny all bit.

 $conf .= 'reply_body_max_size ' . ($down_limit * 1024) .  deny all\n;


 So here is my patch, which also contains a few changes required in squid-3.

 (14:02:35 ~) 0 $ less squid.inc.diff
 527c527
  }
 ---
}
 813,814c813,814
  acl all src 0.0.0.0/0.0.0.0
  acl localhost src 127.0.0.1/255.255.255.255
 ---
  acl all src all
  acl localhost src 127.0.0.1/32
 903c903
$conf .= 'reply_body_max_size ' . ($down_limit * 1024) .  deny
 all\n;
 ---
$conf .= 'reply_body_max_size ' . ($down_limit * 1024) .  KB\n;


 I stand corrected though.


Thanks for the diff Odhiambo, can you please submit this as a pull request
via github:
https://github.com/bsdperimeter/pfsense-packages (you can edit the file
directly on github and create a fork with the change).

--Bill


Re: [pfSense-discussion] article: Millions of Home Routers at Risk

2010-08-04 Thread Bill Marquette
On Tue, Aug 3, 2010 at 3:25 AM, Tortise tort...@paradise.net.nz wrote:

 - Original Message - From: John Dakos gda...@enovation.gr
 To: discussion@pfsense.com
 Sent: Tuesday, August 03, 2010 6:57 PM
 Subject: RE: [pfSense-discussion] article: Millions of Home Routers at Risk


 Re pf.jpg can someone clarify what a Yes in the right column represents
 please:

 a) Yes the router was successful in preventing the attack
 b) Yes the attack was shown to succeed
 c) Something else (just in case...)

 Obviously if it is b) then that is different to the quoted article

pfSense 1.2.3 does not protect against DNS rebind attacks.  The
vulnerability does not imply that the firewall(s)/routers themselves
are open for compromise, only that they don't help protect against the
attack (which potentially allows for external access of _any_ web
server, not just the firewall).  pfSense 2.0 uses a newer version of
dnsmasq that allows us to help protect the network (_IF_ pfSense is
the DNS server for your network, if it's not, this protection is up to
your DNS server to provide).  Further, we also detect the hostname
used to connect to the web interface and if it's not a previously
known name, you will be notified that something is amiss.

Again, to be clear.  What this attack allows is an outside attacker to
gain the ability to access an internally available web site - it does
not itself grant the ability to login to the site.  Compromise of the
web site/application would require other pre-existing vulnerabilities
(in application, browser, etc).  An attack against the web interface
of pfSense itself would have to include as of yet unknown web UI
vulnerabilities.

--Bill

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense-discussion] PHP uses 100% CPU on 1.2 and 1.2.1-RC2

2008-12-02 Thread Bill Marquette
On Tue, Dec 2, 2008 at 8:39 PM, Chris Buechler [EMAIL PROTECTED] wrote:
 On Mon, Dec 1, 2008 at 11:21 PM, Roland Giesler
 [EMAIL PROTECTED] wrote:

  I use 9488 static route entries

 m0n0wall and pfSense aren't exactly designed to work with 9500 static
 routes (is anything?  if you need 9500 routes, you need a routing
 protocol). I'm sure you're the first to even try it. I understand the
 reasoning, though BGP is certainly more suitable.

 Such a configuration does make for an interesting test case though -
 mind emailing me the XML of those static routes off list? That would
 be interesting to play with, though it will be quite a while before I
 have time to do so.

Ditto here.  Large, slow, configs would be helpful to have prior to
the next hackathon where I'll have some time dedicated to performance
profiling and tuning of the UI.

--Bill

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Commercial support available - https://portal.pfsense.org



Re: [pfSense-discussion] SLC or MLC flash for full install

2008-10-23 Thread Bill Marquette
On Thu, Oct 23, 2008 at 6:10 AM, Eugen Leitl [EMAIL PROTECTED] wrote:

 I'm thinking about trying the full instead of embedded
 install on WRAP/ALIX devices, on compact flash. With increased
 sizes and better flash it seems a year or a couple is a reasonable
 lifetime to expect in a domestic usage pattern these days.

 Have any of you made especially good/bad experiences wtith either
 SLC or MLC CF? Any vendors to recommend, or to stay away from?

According to everything I've looked at, SLC is what you want for this
use.  I'm personally a fan of Transcend media, it's less expensive
than Sandisk and seems to be every bit as good.  My last round of
purchases was 4gb 133x cards that were half the price of the similarly
spec'd Sandisk media (of note, I use most of my CF media in my camera,
so YMMV).

--Bill


Re: [pfSense-discussion] DNS resolver test

2008-07-22 Thread Bill Marquette
On Tue, Jul 22, 2008 at 1:32 PM, Eugen Leitl [EMAIL PROTECTED] wrote:

 http://www.provos.org/index.php?/pages/dnstest.html

 DNS Resolver Test

 For secure name resolution, it is important that your DNS resolver uses 
 random source ports. The box below will tell you if there is something you 
 need to worry about.

 Your DNS Resolver needs to be updated.

 If the box says that you are using random ports, there is nothing to worry 
 about. If it shows a red border, your resolver does not use completely random 
 source ports. This could imply a security problem; see the following CERT 
 advisory. However, some resolvers have implemented countermeasures that do 
 not solely rely on random source sources.

 There is a little bit more information about this security problem on Dan 
 Kaminsky's blog.

 Should be we getting worried now?

You probably should be.  I have nothing to worry about according to that page.

Your DNS Resolver uses random ports.

This is an unpatched BIND caching name server (that is certainly NOT
using random ports) sitting behind a pfSense box.  However, the
checker at doxpara.com, absolutely DOES show the issue.  From what I
understand, it's not necessarily an issue that pfSense can solve for
you as it's keeping quasi state on the UDP traffic for the queries and
they'll have the same tuple multiple times within the state timeout so
all the queries will match the first state.

--Bill


Re: [pfSense-discussion] Captive Portal on pfsense

2008-07-16 Thread Bill Marquette
On Wed, Jul 16, 2008 at 9:38 PM, muhammad panji [EMAIL PROTECTED] wrote:
 Thanks for the answer Chris. Several months ago I help my friend setup
 his WRT54GL but as I remember this AP have no option on set it up as a
 bridge. Must I do a firmware upgrade? will it void the warranty?

Considering that you are talking about the Linux variant of the
WRT54G, I think it's safe to say that Chris probably assumed you were
not running the stock Linksys firmware on it.

--Bill


Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?

2008-04-04 Thread Bill Marquette
On Fri, Apr 4, 2008 at 3:28 PM, Tortise [EMAIL PROTECTED] wrote:
 Yes I am using 192.168.0.0/24

  I have no devices from those manufacturers.

  This was not the response I wanted to hear, changing the LAN is a major(!)

H, more or less major than the incidents that prompted this dicussion? :)

  Can you clarify the nature of the pfSense ARP cache?  Is it relevant?  (I am 
 not convinced that it is - either the ARP packet is
  correct or it isn't)

Correct or not, FreeBSD is warning you that it's seeing a machine with
the wrong subnet on the wrong side of your firewall.  I don't think
FreeBSD is actually honoring it, but don't quote me on that, I haven't
tested this specific configuration.

  Should the ISP be responsible for the integrity of its network and ensuring 
 rogue ARP traffic is eliminated?

Should?  Yes.  Would I personally expect them to actually take
responsibility for it?  Nope.  Run our supported operating system is
the answer I expect them to give you.

  Should the ISP respond to requests to remove devices off the network with 
 erroneous ARP traffic, as identified by the devices MAC
  address from pfSense logs?  That could clean things up?

Should?  Yes.  But again, I expect you won't get past first level tech
support unless you are a business account (and even then *shudder*).
You're on a shared medium connection, the rest of the idiots out there
that have no idea how to configure a network (and be neighborly on a
shared network) are going to take you down whenever they feel like it.

Honestly, I know it's painful.  But this isn't any different than a
new neighbor moving in that decides to use the same wireless channel
as you, but are broadcasting a high enough signal that they're
stomping all over you.  You either figure out who it is and shoot them
(figuratively of course ;-P) or you change your stuff (and in the
human way, you massively amp your signal and hope there's no FCC goons
- or hams - in the area). :)

--Bill


Re: [pfSense-discussion] Pfsense without NAT

2008-03-28 Thread Bill Marquette
Look at the mailing list archive please.  Matthias May answered your
question on the 14th of March.

--Bill

On Fri, Mar 28, 2008 at 6:18 AM, John Dakos [ Enovation Technologies ]
[EMAIL PROTECTED] wrote:
 hello all.

  a question.

  we have 1 lan 2 wan

  and  load balance for 2 wans

  we dont want firewall and NAT from pfsense, we have another router to do
  that.

  i disable from the system tab  the firewall who disable and nat together
  but i have no internet!

  any idea ?

  ps : when i try this configuration with  1 lan and 1 wan   without load
  balance all thinks are good

  i suppose load balance make this...


  thanks all





Re: [pfSense-discussion] miniupnpd No buffer space available

2008-03-28 Thread Bill Marquette
On Thu, Mar 27, 2008 at 12:41 PM, Dennis Karlsson
[EMAIL PROTECTED] wrote:
 Hi

  I get lots of these in the System log.
  miniupnpd[96542]: sendto(udp_notify): No buffer space available

  I read this;
  http://forum.pfsense.org/index.php?topic=7058.0;prev_next=next The
  miniupnpd developer assumes some interface is down but that is not the case.

Could possibly be related to traffic shaping.

--Bill


Re: [pfSense-discussion] Traffic shaper bug ?

2008-03-24 Thread Bill Marquette
On Mon, Mar 24, 2008 at 3:18 AM, Jan Hoevers [EMAIL PROTECTED] wrote:
 Bill Marquette wrote on 23-3-2008 18:54:

  PS. It's probably worth noting that I'm also the author of the
   existing annoying wizard.

  Sorry about that qualification Bill. The fact that it cannot be bypassed
  annoyed me, not the wizard itself.

Not a problem - I'm not posting from a pfsense.org address so, I
figured it was worth noting that I have some amount of personal
interest in it :)

--Bill


Re: [pfSense-discussion] Traffic shaper bug ?

2008-03-23 Thread Bill Marquette
On Sun, Mar 23, 2008 at 3:50 AM, Jan Hoevers [EMAIL PROTECTED] wrote:
   This is 100% completely open source. The source ported to RELENG_1_2 is
   even in the public CVS server in its own branch. It's just the images
   including it are not publicly available. It was back ported as a thanks
   to those who contributed. You could figure out what it is in CVS and
   sync a 1.2 install with that code.

  I see. Guess that makes it open source strictly speaking, but it is not
  the 100% openness I would expect from an open source project.  While I
  understand that people have to earn a living, this bounty policy makes
  things difficult for people who want to evaluate before deciding.

Seeing as how the feature is targeted for 1.3 and we don't have public
1.3 test images (hello, we JUST released 1.2) yet, it will be
difficult for those that have donated to the feature to test that it's
actually been done right.  The easiest way for Ermal to get the
feedback from those that are financially interested in the feature is
to provide a special release for those users.  I've done the same for
features I've developed - _I_ support those special images, I'm only
willing to provide that supported them being created.  I imagine Ermal
feels the same way.  When we start rolling public 1.3 images (if you
can't wait, feel free to do a developers install and roll your own,
just don't expect any support on it), the larger group of developers
(and hopefully users) will be able to provide support.

As with all products, I fully recommend basing evaluations against
current released feature sets, not vapor-ware features (in the
interest of releasing a better product in a timely manner, vendors
inevitably pull incomplete features that had been promised - Apple,
wake up, I want my bloody iSCSI Initiator in Leopard thank you!).

--Bill


Re: [pfSense-discussion] Traffic shaper bug ?

2008-03-23 Thread Bill Marquette
PS. It's probably worth noting that I'm also the author of the
existing annoying wizard.


Re: [pfSense-discussion] how to change wan interface media from autoselect?

2008-03-18 Thread Bill Marquette
On Tue, Mar 18, 2008 at 3:33 PM, Fabio C Flores [EMAIL PROTECTED] wrote:
 ifconfig em1 shows me the following:

  ...
  media: Ethernet autoselect (100baseTX half-duplex)
  status: active

  On the other side the switch is full-duplex. How can I setup the
  interface to be full-duplex and not autoselect the speed?

This used to be in our docs somewhere (either the faq site or the
actual docs, not sure), but at any rate, pfSense currently still
supports all the hidden config.xml options that m0n0wall supported.
You can find them at:
http://doc.m0n0.ch/handbook/faq-hiddenopts.html

--Bill


Re: [pfSense-discussion] pfSense / Time Service

2008-03-05 Thread Bill Marquette
On Wed, Mar 5, 2008 at 5:00 PM, jason whitt [EMAIL PROTECTED] wrote:
 i may be wrong here however i thought there was a default time server sync
 setup in the config?

There is.  Look in System-General.  Bottom of the page I believe.

--Bill


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-24 Thread Bill Marquette
On Dec 24, 2007 5:41 AM, Paul M [EMAIL PROTECTED] wrote:
 Bill Marquette wrote:
  or others that could make use of mechanisms like dynamic allocation of 
  port.
  That could cause you problems potentially.  But would be no different
  in any other firewall that didn't already understand your protocol.  I
  regularly force vendors to redesign their applications to not use
  dynamic ports at work, it's a stupid design and really, there's zero
  reason to do it (other than sheer laziness on the developers side - or
  pissy legacy reasons when it comes to FTP, which is still not a good
  excuse IMO).

 java RMI being one major PITA!

Yup, that's one of them there bad protocols ;)

 we've developers working from home and trying to get their openvpn
 connections working was a massive PITA.

 rant
 developers being developers seem to think that security considerations
 can be swept aside to let them do whatever they need to do.
 /rant

That's users in general.  Developers just tend to be in a rush more
than most users due to working on projects that are often over
promised and under manned.

--Bill


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-22 Thread Bill Marquette
On Dec 22, 2007 2:22 AM, Paolo Gentili [EMAIL PROTECTED] wrote:
 Anyway i still have some little doubts on implementing a DMZ containing all
 the servers, behind NAT.
 This because i don't know how pfsense's NAT implementation can handle the
 new internet applications/protocols
 like AJAX or WEB-SERVICES

This is simple HTTP on port 80 (or wherever your web server lives).
Nothing new other than it's use of the existing TCP port for transit
here.  What might be useful is describing how your previous firewall
was going to handle this.

 or others that could make use of mechanisms like dynamic allocation of port.

That could cause you problems potentially.  But would be no different
in any other firewall that didn't already understand your protocol.  I
regularly force vendors to redesign their applications to not use
dynamic ports at work, it's a stupid design and really, there's zero
reason to do it (other than sheer laziness on the developers side - or
pissy legacy reasons when it comes to FTP, which is still not a good
excuse IMO).

 Don't you think pfsense (actually NAT) can suffer this?

1:1 NAT (if you have enough IP space) and then it's just rules you
have to add.  Inbound, I don't expect you'll run into many of these.
Most applications you are likely to run on your server will stick to a
single inbound port.

--Bill


Re: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Bill Marquette
I'm not sure, based on your email, if the pfSense box is in front of
the PPTP server or not.  If t is, then go to the VPN menu, select
PPTP, on Configuration tab, select Redirect incoming PPTP
connections to: radio button and fill in the text box (PPTP
redirection) with the IP address of your internal PPTP server.
Remove the rules you created too, btw :)

--Bill

On Nov 19, 2007 7:07 AM, Luciano Areal [EMAIL PROTECTED] wrote:

 Good morning, folks!

 Here in my company, we have this network scenario:

 Our network has one internal VPN server, based on a Windows 2003 Enterprise,
 using PPTP and GRE protocol. We have several workers who eventually need to
 connect in our network, to get some data and disconnect. Sometimes, they
 need to work in our network from home, airport, etc., just like in a
 roadwarrior way. Following:

 --   --   -
 |PPTP SERVER|  --- |GATEWAY| --- |INTERNET| --- |ROADWARRIOR|
 --   --   -
 192.168.0.0 /24  200.*.*.* /28(ISP IP) *.*.*.* (any IP)

 I did a basic installation of pfSense firewall solution on a machine here,
 and set up all needed ports for our basic NAT (webserver, e-mail, etc.).
 Here follows the part mentioned for PPTP:

 Firewall: NAT: Port Forward Options

 If  Proto   Ext. port range NAT IP  Int. port range
 Description
 WAN TCP 1723192.168.0.141723
 Allow PPTP (TCP 1723)
 WAN GRE 192.168.0.14
 Allow GRE (Protocol 47)

 These rules were also inserted on Firewall: Rules (WAN section)

 Proto   Source  PortDestination PortGateway
 Description
 TCP WAN address 1723192.168.0.141723*
 Allow PPTP (TCP 1723)
 GRE WAN address *   192.168.0.14*   *
 Allow GRE (Protocol 47)

 Then, I tried to connect from home to my server, putting its WAN IP on my
 VPN connection, but when I try to connect, nothing happens.

 Am I doing anything wrong here? Did I forget any point here? I tried to get
 some info on pfSense mail discussion archives, but didn't find anything
 similar to my problem. :-(

 Is there anything that I still need to do in order to free up traffic of
 PPTP and GRE protocols, from my box to the internal server? If anyone here
 have passed through this issue, please light up my path. ;-)

 Best regards,

 Luciano Pereira Areal
 Network Administrator
 E-mail: [EMAIL PROTECTED]
 Mobile #1: +55 21 8176-7376
 Mobile #2: +55 21 8169-3362
 Nextel ID: 55*8*64731
 Skype: luciano_areal

 Bizvox Voice Services
 Avenida Nilo Peçanha, 50 Grupo 1516 - Centro
 CEP: 20020-906
 Rio de Janeiro - RJ - Brasil
 Phone: +55 21 2212-1650
 Fax: +55 21 2212-1675
 Website: http://www.bizvox.com.br/




   _

 avast! Antivirus http://www.avast.com : Outbound message clean.


 Virus Database (VPS): 071119-0, 19/11/2007
 Tested on: 19/11/2007 10:07:26
 avast! - copyright (c) 1988-2007 ALWIL Software.






Re: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Bill Marquette
That's a standalone setting.  You don't want the frickin' package
(which as Chris mentioned, may be broken anyway) if you use this
setting.

--Bill

On Nov 19, 2007 12:06 PM, Luciano Areal [EMAIL PROTECTED] wrote:
 Hi Bill!

 The pfSense box is in front of the PPTP server. In other ways, it will act
 as the main gateway, and the PPTP server will be on the LAN. Clients will
 access it from WAN, passing through the pfSense box.

 I just did what you said. Removed all rules from NAT and firewall using
 PPTP/GRE, and activated that option (Redirect incoming PPTP connections
 to:). I also installed Frickin PPTP proxy package on system, and did a bind
 of this software on WAN port.

 I'll test it as soon as I arrive at home, and hope it will work correctly.

 Regards,

 Luciano Areal


  I'm not sure, based on your email, if the pfSense box is in front of
  the PPTP server or not.  If t is, then go to the VPN menu, select
  PPTP, on Configuration tab, select Redirect incoming PPTP
  connections to: radio button and fill in the text box (PPTP
  redirection) with the IP address of your internal PPTP server.
  Remove the rules you created too, btw :)
 
  --Bill
 




   _

 avast! Antivirus http://www.avast.com : Outbound message clean.


 Virus Database (VPS): 071119-0, 19/11/2007
 Tested on: 19/11/2007 15:06:20

 avast! - copyright (c) 1988-2007 ALWIL Software.






Re: [pfSense-discussion] multiwan ftp proxy

2007-11-19 Thread Bill Marquette
Assuming I ftp at home (don't recall the last time I intentionally did
that!) then ftp works just fine via the primary wan as Chris mentions.
 I think I did have to create a rule for traffic destined to 127.0.0.1
to use the default gateway instead of a load balance pool.  Don't
recall if that's still needed or not but it's still in my ruleset:
 *   LAN net *   127.0.0.1   *   *   Use 
routing table
for loopback traffic

--Bill

On Nov 19, 2007 11:53 AM, Chris Buechler [EMAIL PROTECTED] wrote:
 Robert Schwartz wrote:
  On 19 Nov 2007 13:25:31 -, Scott Ullrich [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
 
   What is the current status ?
 
  No work has been done on this as of since.   Unfortunately it is not
  high on my list so if someone else wants to pick it up and finish up
  from where Bill and I left off, please do so.
 
 
 
  Hi - Is there /any /kind of work around for getting FTP working
  through a multiwan PFSense setup? Even if it means forcing all FTP
  traffic out 1 Wan interface with no fail over or load balancing?

 FTP works fine out the primary WAN, just not out any OPT WANs.




Re: [pfSense-discussion] noob question

2007-09-19 Thread Bill Marquette
On 9/19/07, Paul M [EMAIL PROTECTED] wrote:
 Zied Fakhfakh wrote:
  Hello everybody,
 
  I'm just starting with pfSense, nd I have a couple of questions
 
  - is there any logout button from the web interface ?

 it uses basic authentication, so you have to close browser (FYI, it's a
 long running bug/issue with firefox/mozilla to be able to forget the
 password and thus logout). I guess somebody might like to rewrite it to
 use cookies and thus have a logout function if they really cared?

This functionality has already been written and will be in a future
release after 1.2.

--Bill


Re: [pfSense-discussion] did something change in 1.2rc1?

2007-08-31 Thread Bill Marquette
On 8/31/07, Eugen Leitl [EMAIL PROTECTED] wrote:
 On Fri, Aug 31, 2007 at 11:48:07AM +0200, Eugen Leitl wrote:
 
  I'm defining firewall rules according to
http://pfsense.trendchiller.com/transparent_firewall.pdf
  but they seem to get ignored. There's a comment which says
  the logic is now reversed -- before I lock myself out, can
  someone confirm or deny this (that I need to define things on
  WAN tab instead of LAN tab in Firewal-Rules)?

 Strange, whatever I do I get no change:

 # pfctl -s rules
 pass quick proto carp all keep state
 pass quick proto pfsync all
 pass out proto tcp from any to any port = domain keep state
 pass out proto udp from any to any port = domain keep state

 Any ideas?

If those are all the rules you have, we must have loaded the fallback
(bootup) ruleset.  Try a pfctl -nf /tmp/rules.debug and post the
output and the rule file here (or send me the rule file - billm at
pfsense.org - if you don't want it in a public forum).  Sounds like we
have a rule creation problem.  Thanks

--Bill


Re: [pfSense-discussion] did something change in 1.2rc1?

2007-08-31 Thread Bill Marquette
Not sure how you got into this state - it appears that the boot
stopped at some point (maybe console would have or did have more
information on this).  In the meantime, you can try running
/etc/rc.filter_configure_sync from the shell - that should force your
box to regen the /tmp/rules.debug file and attempt to load it.

--Bill

On 8/31/07, Eugen Leitl [EMAIL PROTECTED] wrote:
 On Fri, Aug 31, 2007 at 08:31:37AM -0500, Bill Marquette wrote:

  If those are all the rules you have, we must have loaded the fallback
  (bootup) ruleset.  Try a pfctl -nf /tmp/rules.debug and post the

 Dang. I was already wondering why I didn't have those -- thought I
 needed to enable debug mode.

 I don't have those. That's all my /tmp has:

 # ls -la /tmp
 total 787
 drwxr-xr-x   4 root  wheel  1536 Aug 31 15:13 .
 drwxr-xr-x  21 root  wheel  1024 Aug 31 11:28 ..
 drwxrwxr-x   2 root  operator512 Aug 31 11:28 .snap
 -rw-r--r--   1 root  wheel89 Aug 31 11:29 bootup_messages
 -rw-r--r--   1 root  wheel   168 Aug 31 11:29 bridge_config_vr0
 -rw-r--r--   1 root  wheel 0 Aug 31 11:29 carp.sh
 -rw-r--r--   1 root  wheel 9 Aug 31 16:00 check_reload_status
 -rw-r--r--   1 root  wheel  4918 Aug 31 15:14 config.cache
 -rw-r--r--   1 root  wheel   365 Aug 31 11:29 dhcpd.sh
 -rw-r--r--   1 root  wheel11 Aug 31 14:41 last_term_seen
 -rw---   1 root  wheel 0 Aug 31 11:29 nohup.out
 srwxr-xr-x   1 root  wheel 0 Aug 31 11:29 php-fastcgi.socket-0
 srwxr-xr-x   1 root  wheel 0 Aug 31 11:29 php-fastcgi.socket-1
 srwxr-xr-x   1 root  wheel 0 Aug 31 11:29 php-fastcgi.socket-2
 srwxr-xr-x   1 root  wheel 0 Aug 31 11:29 php-fastcgi.socket-3
 -rw-r--r--   1 root  wheel   128 Aug 31 11:29 rules.boot
 -rw-r--r--   1 root  wheel 59372 Aug 31 16:00 system-processor.rrd-16h.png
 -rw-r--r--   1 root  wheel 38471 Aug 31 16:00 system-processor.rrd-16m.png
 -rw-r--r--   1 root  wheel 47291 Aug 31 16:00 system-processor.rrd-32d.png
 -rw-r--r--   1 root  wheel 63118 Aug 31 16:00 system-processor.rrd-48h.png
 -rw-r--r--   1 root  wheel 50512 Aug 31 16:00 system-processor.rrd-4h.png
 -rw-r--r--   1 root  wheel 49014 Aug 31 16:00 system-processor.rrd-6m.png
 -rw-r--r--   1 root  wheel 33873 Aug 31 16:00 system-states.rrd-16h.png
 -rw-r--r--   1 root  wheel 32982 Aug 31 16:00 system-states.rrd-16m.png
 -rw-r--r--   1 root  wheel 33608 Aug 31 16:00 system-states.rrd-32d.png
 -rw-r--r--   1 root  wheel 32267 Aug 31 16:00 system-states.rrd-48h.png
 -rw-r--r--   1 root  wheel 28716 Aug 31 16:00 system-states.rrd-4h.png
 -rw-r--r--   1 root  wheel 39146 Aug 31 16:00 system-states.rrd-6m.png
 -rw-r--r--   1 root  wheel 48408 Aug 31 16:00 
 system-throughput.rrd-16h.png
 -rw-r--r--   1 root  wheel 32916 Aug 31 16:00 
 system-throughput.rrd-16m.png
 -rw-r--r--   1 root  wheel 39258 Aug 31 16:00 
 system-throughput.rrd-32d.png
 -rw-r--r--   1 root  wheel 49743 Aug 31 16:00 
 system-throughput.rrd-48h.png
 -rw-r--r--   1 root  wheel 40834 Aug 31 16:00 system-throughput.rrd-4h.png
 -rw-r--r--   1 root  wheel 41193 Aug 31 16:00 system-throughput.rrd-6m.png
 lrwxr-xr-x   1 root  wheel 1 Aug 31 11:28 tmp - /
 -rw-r--r--   1 root  wheel 0 Aug 31 15:57 tmpHOSTS
 drwxrwxrwx   2 root  wheel   512 Aug 31 11:28 uploadbar

 Any ideas how I can recover from this?

  output and the rule file here (or send me the rule file - billm at
  pfsense.org - if you don't want it in a public forum).  Sounds like we
  have a rule creation problem.  Thanks

 --
 Eugen* Leitl a href=http://leitl.org;leitl/a http://leitl.org
 __
 ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



Re: [pfSense-discussion] did something change in 1.2rc1?

2007-08-31 Thread Bill Marquette
On 8/31/07, Eugen Leitl [EMAIL PROTECTED] wrote:
 On Fri, Aug 31, 2007 at 09:56:27AM -0500, Bill Marquette wrote:

  Not sure how you got into this state - it appears that the boot
  stopped at some point (maybe console would have or did have more

 I rebooted the machine -- unfortunately the system with the serial
 console is now behind the firewall.

Fair enough.

  information on this).  In the meantime, you can try running
  /etc/rc.filter_configure_sync from the shell - that should force your
  box to regen the /tmp/rules.debug file and attempt to load it.

 Didn't work. I'll just assume the firmware upgrade misfired, and
 I'll have to fix two firewalls instead of one whenever I get to the
 hosting place.

Can you elaborate on the didn't work?  Did it throw an error, or
just exit?  Let us know what you find.  If there's an issue with
either the upgrade or the current code, we'd like to get it fixed
before release.  Thanks

--Bill


Re: [pfSense-discussion] Start other processes inside pfSense?

2007-07-24 Thread Bill Marquette

Just to add/restate some of the things said in this conversation.
FreeBSD 6.2 (which pfSense is based on) cannot run under Xen - while
it may be possible to run it with hardware virtualization under Xen,
I'd recommend against it at this time.  It does however run perfectly
fine on both VMWare Server and VMWare ESX Server.  MS Virtual server
has been shown to have some issues (something about the virtual
hardware it emulates...or doesn't...that FreeBSD barfs on).  Bottom
line is if you want to run pfSense as a guest in VMWare, it'll work
fine, use bridged interfaces and don't assign an IP to the host (or at
least not on the external interface) and let the virtualized pfSense
handle the traffic.  You can even have an entire virtual DMZ then
*shudder*.  Have fun.

--Bill

On 7/24/07, Roland Giesler [EMAIL PROTECTED] wrote:

Thanks for your suggestions and comment everyone.  I think I'll go
with multiple VM guests on a host OS.  My mind is much clearer about
this now.

regards

Roland



Re: [pfSense-discussion] network layout

2007-06-19 Thread Bill Marquette

On 6/19/07, Greg Hennessy [EMAIL PROTECTED] wrote:

  Mixing different trust levels on the same switch is rather frowned
 upon.

 Because of potential vulnerabilities in the switch OS, allowing an
 attacker to reassign VLANs?

Yes. The switch may be in a locked cabinet/cage, but never say never when it
comes to internet facing equipment.
Things like setting protected ports etc are essential in this scenario.


Low end switches have a tendency to not have enough ram or cpu to
handle a high volume mac spoofing attack and will usually end up
turning into a hub under this kind of attack, rendering your vlans
useless.  Plus you are relying on software to keep your network
segregated, physical separation is easier to keep the paranoia down ;)

--Bill


Re: [pfSense-discussion] network layout

2007-06-19 Thread Bill Marquette

On 6/19/07, Eugen Leitl [EMAIL PROTECTED] wrote:

On Tue, Jun 19, 2007 at 01:47:22PM -0500, Bill Marquette wrote:

 Low end switches have a tendency to not have enough ram or cpu to
 handle a high volume mac spoofing attack and will usually end up

If the switches are behind the pfsense firewall, and the users
are trusted, will this still happen? (Okay, if DMZ is compromised,
and attack is launched from within).


Ahh, see there's your first problem.  You trust your users :)  I don't
even trust myself, I'm certainly not about to trust my users :)  At
any rate, sounds like you don't have a solid need for the physical
separation, it's best practice, but not always the right answer to the
problem at hand.  Any separation is better than no separation.  And
honestly, if your DMZ gets compromised, the LAN is likely the least of
your worries - the hope would be that you have good enough logging
practices that if the DMZ is compromised that you _catch_ it before
the attacker makes it to the LAN.


 turning into a hub under this kind of attack, rendering your vlans
 useless.  Plus you are relying on software to keep your network
 segregated, physical separation is easier to keep the paranoia down ;)

My dayjob is not exactly Fort Knox, and we do occasionally have


Mine is ;)


incidents (best firewall is useless if people put default
accounts out, or the web application behind the firewall
is written by security naifs).


Those are all audited pre-deployment, nothing goes online unless it's
certified (sometimes that process is ummm challenging ;))

--Bill


Re: [pfSense-discussion] SunFire X2100 M2 gmirror

2007-06-04 Thread Bill Marquette

If it works in FreeBSD 6.2, it'll probably work with pfSense.  I do
know that HP DL145's work perfectly on FreeBSD 6.2 (including the
lights out management board which I have concerns on with the Sun
box).  We ended up buying the DL145's (100+ units) cause Sun took two
months to get a unit to us (we purchased instead of requesting an
actual eval cause we had a number of groups trying to test it out).

--Bill

On 6/4/07, Eugen Leitl [EMAIL PROTECTED] wrote:

On Mon, Jun 04, 2007 at 05:45:41PM +0200, Rainer Duffner wrote:

 Hello,

 I think I would go for the equivalent Tyan Barebone (GT 20 derivate with
 Nforce4 chipset).

Since you seem to be based in Germany, any good sources to purchase
that barebone, and a matching CPU to go with it? Oh, it's only got 2 NICs.

The point of the X2100 M2 is that's it's cheap (though no longer 620 EUR),
comes with a useful LOM, and 4 NICs.

 The status of the nve(4) is a good question - but in either case, there
 should be room for a PCIe Quad GE card.

...which would cost probably as much as the entire barebone. I dunno...

 I've got one of those GT20s as Nagios-server. I don't use the nve(4)...

Anyone else here running a X2100 M2 with pfSense, using both the Broadcom
and the nVidia NICs? It seems to be kinda, sorta supported on FreeBSD 6.2,
but can pfSense do it?

--
Eugen* Leitl a href=http://leitl.org;leitl/a http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



[pfSense-discussion] Usermanager code commited to releng_1

2007-04-12 Thread Bill Marquette

Heads up for those that are using snapshots - I just commited the
usermanager code from the HEAD branch to the RELENG_1 branch (this
won't go into 1.2).  There may be some breakage in the tree - it was
tested pre-commit, but the diff was rather ugly so I'm not 100% sure
until the next snap run that I didn't horribly break something when I
applied it.  There is some UI ugliness in this commit, please don't
report display issues at this time, I know they exist.  I would be
interested in hearing about breakage though if it's obviously related
to authentication.  Thanks

--Bill


Re: [pfSense-discussion] Allowing multiple IPs for the same hostname in the WebGUI

2007-04-05 Thread Bill Marquette

On 4/4/07, Fabian Steiner [EMAIL PROTECTED] wrote:

Thanks - this page helped me a lot getting started. My patches against HEAD. I
would be looking forward to seeing them committed.


Thanks, we're reviewing the patches now.

--Bill


Re: [pfSense-discussion] Allowing multiple IPs for the same hostname in the WebGUI

2007-04-04 Thread Bill Marquette

On 4/4/07, Fabian Steiner [EMAIL PROTECTED] wrote:

Therefore I would really be looking forward to adding this parameter to the
existing options that are passed to the dnsmasq binary. If any patches are
welcome, please let me know.


Patches are almost always welcome.  I'd suggest in this case that you
still allow for the checking of duplicate host names and and just
extend the edit screen to allow multiple hostnames in the way you
want.  Then check for it in the backend and launch dnsmasq in the
appropriate way.

--Bill


Re: [pfSense-discussion] Cisco EtherChannel support in pfSense?

2007-03-09 Thread Bill Marquette

On 3/9/07, Kyle Mott [EMAIL PROTECTED] wrote:

Is anybody interested? I've begun hacking together a package, would the
developers be interested in taking it as either a third-party package or
right into main-line pfSense? It does require some changes to the PHP
init scripts and the addition of a modified kernel module (ng_fec.ko).
It also allows 802.1q VLAN's across the bonded NIC's (as long the NIC's
support VLANs).


I think there would be some interest.  Let us know when you get closer.

--Bill


Re: [pfSense-discussion] Developer bootstrap errors

2007-02-28 Thread Bill Marquette

On 2/28/07, Paul [EMAIL PROTECTED] wrote:

Bill Marquette wrote:
 Comment out the call to update_cvs_depot?  Or update that routine to
 better handle a development model that has no CVS access?
Modifying the function to handle SKIP_CHECKOUT (which is documented in
in the wiki) is trivial, as is more trivial to comment it out all toghether.

flameWhat beats me is that there seems to be a documented method to
skip the checkout process, hence it's clearly not implemented (I
wonder...).
You can imagine my surprise when a few hours of work were wiped away
because the build scripts just delete the pfsense source directory and
then proceed to checkout the CVS version. This and other things I
encountered in the build scripts certainly raise the bar for starting
development./flame


I'm sure.


I will be very happy to provide a patch for builder_common.sh but I'm
not sure if I should just post it or submit it by other means. I am sure
Scott and other developers have fixed this in their local scripts, and
perhaps forgot to put it in CVS.


Not really - most of us modify stuff on our test systems, if it works,
we commit it.  Any builds done locally end up using the remote
repository.


The point is that CVS can already handle a local/remote repository (as
can mercurial, subversion etc) All you need is to point it to the


You can't sync two cvs tree's without using vendor branches which is
ugly and painful.


a cvsupdate_current.sh would be expected to do this: update the cvs to
the version specified in the tags of pfsense_local.sh
a build_iso.sh should just do that... build.


I thought the build scripts did just that, but I never really paid
close attention as I've only ever needed to build something that I've
had in CVS already.

--Bill


Re: [pfSense-discussion] Developer bootstrap errors

2007-02-27 Thread Bill Marquette

Comment out the call to update_cvs_depot?  Or update that routine to
better handle a development model that has no CVS access?  I know, not
optimal, but FWIW, I wouldn't mind it if someone hacked in a method to
pull down the tree via other means (such as say mercurial, or
subversion) so you could have a local cvs-other scm bridge and worked
on the local scm.

--Bill

On 2/25/07, Paul [EMAIL PROTECTED] wrote:

I will answer my own question:

the problem is that RELENG_6_1 does not (currently) compile. To fix I
changed the freebsd_branch variable in pfsense_local.sh to RELENG_6_2
that compiled cleanly.

Now I have a second problem: Each time I call build_iso.sh the builder
script will resync with the pfsense CVS hence loosing any changes that I
make.

On the wiki there's some info pointing me to define a SKIP_CHECKOUT
variable, but update_cvs_depot defined in builder_common.sh which is
responsible for taking care of this, only checks for SKIP_RSYNC and
always updates from CVS (regardles what it states):

update_cvs_depot() {
# Update cvs depot. If SKIP_RSYNC is defined, skip the RSYNC update
# and prompt if the operator would like to download cvs.tgz from
pfsense.com
.
# If also SKIP_CHECKOUT is defined, don't update the tree at all
if [ -z ${SKIP_RSYNC:-} ]; then
rm -rf $BASE_DIR/pfSense
rsync -avz [EMAIL PROTECTED]:/cvsroot /home/pfsense/
(cd $BASE_DIR  cvs -d /home/pfsense/cvsroot co -r
${PFSENSETAG} pfSense)
fixup_libmap
else
cvsup pfSense-supfile
rm -rf pfSense
rm -rf $BASE_DIR/pfSense
(cd $BASE_DIR  cvs -d /home/pfsense/cvsroot co -r
${PFSENSETAG} pfSense)
(cd $BASE_DIR/tools/  cvs update -d)
fixup_libmap
fi
}

Am I looking at the wrong code or is there a different way to not update
from CVS during build?

Paul.



Re: [pfSense-discussion] Can pfSense be ported to Intel IXP425?

2007-02-02 Thread Bill Marquette

At this time we don't support the processor - I believe there's some
work in the FreeBSD camp to support the architecture.  Whether the
rest of the hardware in that unit would be supported would remain to
be seen.  32M RAM and 16M flash are both rather light for pfSense, we
barely run in 64M today and need a tad over 64M flash.  I'm sure it
would be possible to make a pfsense-lite type distribution that would
run on a box such as this, but it'd likely be better to start from
scratch and make use of the pfsense code as a reference for how stuff
works than to try and lean out the ram and disk requirements we have.

--Bill

On 2/2/07, ryn jackson [EMAIL PROTECTED] wrote:

Having been running pfsense for a week now, i have to say i trule enjoy it, and 
i have qos that works!
I had been using the Linksys RV082 in several of our offices and the only thing 
i don't like about them is their flexibility and weak QoS.
The specs and performance on these boxes are pretty amazing for the price:
Intel IXP425 533MHz
32 Meg RAM
16 Meg Flash
Dual Wan
8 LAN ports that can supposedly be separated into VLAN's (fake, they still use 
the same subnet but traffic doesn't pass between them)
Too bad the existing firmware doesn't harness the power of the hardware. I've 
clocked a consistent 27Mbps of 3DES IPsec with these.
These linksys boxes are running Linux 2.4 with openswan and iptables i believe.

There is a Firmware project to update the Linksys RV seres to the 2.6 kernel 
and tweak some other stuff. One is called OpenWRV http://www.phj.hu/wrv54g/ 
which seems to be focused on the wireless version and the other one is OpenIXP 
which is tied to this project focusing on the IXP platform. Neither of them 
seem to have gone anywhere, maybe the members are too busy? I think pfSense 
would be much better than modifying the crappy firmware that linksys provides 
anyways.

I am under the impression that Free BSD is not only lighter, but more efficient 
with networking (network stack)  than Linux is so i was wondering if it would 
be possible to port to this platform. there's more info on its little brother 
here: http://www.linksysinfo.org/forums/showthread.php?t=34276
That thread is about the RV042 [EMAIL PROTECTED], 32Meg ram but it's 
interesting that these boxes have 2 serial ports, mini pci and even HDD 
capability built in.
I cannot, for the life of me find this but there's a project going on now to 
hack and rewrite the existing firmware but why start with crap if you could 
port over something like pfSense, even it has some features stripped out.

What do you guys think? Is it feasible/possible? I would really like to have an 
appliance using this platform and pfSense. It's got way more power than the 
Soekris/wrap the only thing i'm concerned about is the 32meg of ram, but i 
think it would be possible.

I think the best way to actually make the VLANs function on this device (i 
don't think it would support 802.1q) would be to assign subnet interfaces to 
vlans (up to 8) and then assign vlan's to lan ports. All traffic on ports with 
the same vlan assigned is bridged. That's the way routing assignments work on 
the Adtran Netvanta 1224R's i work with and it's very intuitive.

=
Buy Your Aromatic Vaporizer For Less
All major brands in stock. Find Volcano, Vapir, VaporWarez, and Aromed 
vaporizers at great prices. Same-day free shipping and cool freebies with all 
orders. 75,000 positive feedbacks.
http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=5a645f954582396c441f2a7301d3ac8a




Re: [pfSense-discussion] Allways someone different

2006-12-24 Thread Bill Marquette

On 12/24/06, Peter May [EMAIL PROTECTED] wrote:

Hi all.

Yep there is always someone that has to do things unlike everyone else
and I am that person.

I live remotely and have looked at Pfsense for traffic shaping as I have
a 2 way satellite feed. Here in Oz, its all I can get out back. Problem
is, the feed isn't consistant. I am meant to have 256/64 but at the
moment, its up to around 1.5mb/512

So if I set my incoming and outgoing limits, it can effectively cause
the traffic shaper to cut some of my bandwidth.


Some of the bandwidth you aren't paying for ;-P


Is there a way to have PFSense detect THE TOTAL BEING USED and then
alter QUEUES from that? What I am trying to achieve is a percentage for
each queue depending on how much I have available coming in?


Nope.  Such a tool might be able to be written, but I'm not even sure
where I'd start if I was to do it.  Dynamic bandwidth detection and
modification would be significantly harder than detecting it to do the
initial bandwidth allocation.  And of course detecting that you have
more bandwidth available while running at lower capacity would be
uhhh...challenging.


Trust me, at 256/64 its slow so anything more than that is very welcome
but if I fail to check, Pfsense cuts it back. If I simply turn off the
shaper, then some things hog all the bandwidth.


--Bill


Re: [pfSense-discussion] Any active quagga development?

2006-11-30 Thread Bill Marquette

As far as I know, nobody with commit access is working on this and I
haven't seen anything regarding someone else working on it.

--Bill

On 11/30/06, Nick Buraglio [EMAIL PROTECTED] wrote:

Is there any active development being done on the quagga package?   I
noticed it's still on my local mirror but not in the packages list.  I
started messing around with making it work since I have need for simple
ospf.  Since I'm lazy by nature I don't want to replicate work being done by
someone more qualified than I, especially since it's been a while since I
worked under the hood on pfsense and I'm having to re-learn everything.


nb


Re: [pfSense-discussion] OpenVPN running on pfsense 1.0.1

2006-11-30 Thread Bill Marquette

Chris, you may want to update your address book entry for discussion@
- it's name isn't Bill Marquette :)

I can't answer your question though...I don't use OpenVPN, sorry.

-Bill

On 11/30/06, Chris Noble [EMAIL PROTECTED] wrote:


Has anyone experienced problems with OpenVPN since the upgrade to v
1.0 / 1.0.1 ?

Its completly dead on all of my 1.0.1 boxes :( I also reinstalled from
fresh to try and fix it.

I use public keys, all are ok. Nothing expired.


Thanks,
ChrisN




Re: [pfSense-discussion] layer2 filtering/shaping possibility?

2006-11-16 Thread Bill Marquette

On 11/16/06, qoska kotfare [EMAIL PROTECTED] wrote:

On freebsd-net@ list was posted this maessage:
http://lists.freebsd.org/pipermail/freebsd-net/2006-November/012449.html

I don't know if any of you does follow this list but this code seems
properly written and can be extended to communicate with PF/ALTQ
system to give a possible traffic filtering/shaping opportuinity on
Layer2.

It can be easily modified to just forward/tag packets to/for PF if
that is needed.
Since it uses pfil(9) framework maybe an order of loading might be
needed for correct functionality.

What do you guys think of this?


Sure, the idea is sound.  Feel free to extend pfSense to allow this
functionality and we'll consider importing it.

--Bill


Re: [pfSense-discussion] PPPoE and multiple IP addresses

2006-10-30 Thread Bill Marquette

They'll likely configure the PPPoE tunnel with a /29 CIDR block (maybe
smaller, maybe larger, depending on addresses).  You are correct, the
addresses will essentially just appear on the pfSense endpoint.  All
you need to do to make use of them is create an other type virtual
IP (hey, for all those wondering what the hell other was for...this is
it!) as the traffic is already routed to you and you just need pfSense
to handle it.

FWIW, before my last move, I had exactly this type of setup from SBC.

--Bill

On 10/30/06, Sam Newnam [EMAIL PROTECTED] wrote:





I'm dealing with this small town ISP on a project and they informed the
customer that they can run multiple IP's over PPPoE. I've googled a bit
can't tell for sure whether this is supported vary widely, but has anyone
setup this configuration with a pfsense box?



Do you have to create a new alias for each IP? I've seem to read that once
you connect your first pppoe session that the other addresses seem to
appear (don't laugh, I know).



Any thoughts would be helpful as I'm suppose to set this up on Wed of this
week. Thanks!



Sam Newnam
 SystemSam Technologies, LLC
 www.systemsam.com




Re: [pfSense-discussion] pfSense Version 1.0.1 available - Upgrade recommended

2006-10-30 Thread Bill Marquette

On 10/30/06, Holger Goetz [EMAIL PROTECTED] wrote:


 Hi Bill,

 i'm running a Acrosser AR-B1662. In other words that's a VIA Processor Eden
667 MHz Process with a VIA (r) Apollo PLE133T chipset and on-board 4 National
Semiconductor 83816, (10/100) NICs. It's got 256MMemory installed.
 Why? Can you imagine a change that has any influence?


Just surprised that anyone saw any speed difference between 1.0 and
1.0.1.  We made one change that affected page caching, but it
certainly shouldn't have sped anything up, just freed up a tad bit of
ram.

--Bill


Re: [pfSense-discussion] ssl load balancing

2006-10-26 Thread Bill Marquette

On 10/26/06, Greg Hennessy [EMAIL PROTECTED] wrote:



Being familiar with both platforms, you're out by the side of it TBH.
Pfsense has a lot of meaty goodness, however does not have bigip LTM style
ssl termination in any way or form.

They are not comparable.


Right.  pfSense's load balancer code is TCP only.  We're a firewall w/
load balancing add-ons, not a load balancer with firewall add-ons.  If
you want a load balancer, buy F5 (or one of their competitors), if you
want a firewall that can also balance tcp flows to your web server and
check for port availability, then pfSense can handle it.  Guess it
really boils down to, do you want to do it for free, or $25k ? :)

--Bill


Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work

2006-10-19 Thread Bill Marquette

If IPFilter has the ability to keep state on the ipsec protocols
itself (it did last I looked) _and_ m0n0 turns that feature on, then
m0n0 might work.

--Bill

On 10/19/06, Mikael Syska [EMAIL PROTECTED] wrote:

Hi again Bill,

Dont know they use any different implementation or any thing, but will
it work with m0n0wall or are there any other products that I can use on
a Soekris 4801 ... ?

Kind regards
Mikael Syska

-Oprindelig meddelelse-
Fra: Bill Marquette [mailto:[EMAIL PROTECTED]
Sendt: 19. oktober 2006 02:09
Til: discussion@pfsense.com
Emne: Re: [pfSense-discussion] 2 vpn client connections from the same ip
does not work

pfsense

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:
 hey,

 so its a problem on the client side or server side?

 not the hardcore firewall dude, I had it working on a openbsd with
isakmpd, is there implementation any different?

 kind regards
 mikael syska

 

 From: Bill Marquette [mailto:[EMAIL PROTECTED]
 Sent: Wed 18-10-2006 18:57
 To: discussion@pfsense.com
 Subject: Re: [pfSense-discussion] 2 vpn client connections from the
 same ip does not work



 pf doesn't have any method of seperating out the isakmp or esp
 traffic.  There's been some talk of ipsec state code, but I don't know

 when FreeBSD will see it (certainly not before it's implemented in
 Opens pf I'm sure).  If you have multiple IP addresses, you could use
 1:1 nats to solve this (I have coworkers that use this to have
 multiple workstations connected to our IPSec devices).

 --Bill

 On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:
 
 
  Hi,
 
  Thank for a great product,
 
  I am running the Racoon IPSEC server and it all works great, except
  that if
  2 clients are behind the same firewall, only one of them will be
  able to make the connection to the VPN server, am I doing any thing
wrong here?
 
  I have problems with roadwarriors using agressive mode.
 
 
  I'm using SafeNet SoftRemoteLT VPN clients.
 
  I know it works with the isakmpd IPSEC server from an erlier setup I

  have had.
 
  its does not work both behind a other pfsense firewall, and some
  other unknown firewall that I dont know the name of .
 
  What are my options?
 
  Is this the right behavior? or are there something setup completely
  wrong in the Racoon ipset setup?
 
  kind regards
  Mikael Syska







Re: [pfSense-discussion] pf rules for load balancing

2006-10-19 Thread Bill Marquette

On 10/19/06, Raja Subramanian [EMAIL PROTECTED] wrote:

The PF Pools FAQ:
http://www.openbsd.org/faq/pf/pools.html

section Load Balance Outgoing Traffic, mentions the
following:


To ensure that packets with a source address belonging to
$ext_if1 are always routed to $ext_gw1 (and similarly for
$ext_if2 and $ext_gw2), the following two lines should be
included in the ruleset:

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from
$ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from
$ext_if1 to any


I have a dual WAN setup with pfSense, but I don't find such
rules in /tmp/rules.debug.  How does pfSense implement this?


We don't.  This is the same issue you asked about months ago in
regards to squid and ftp-proxy.

--Bill


Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work

2006-10-18 Thread Bill Marquette

pf doesn't have any method of seperating out the isakmp or esp
traffic.  There's been some talk of ipsec state code, but I don't know
when FreeBSD will see it (certainly not before it's implemented in
Opens pf I'm sure).  If you have multiple IP addresses, you could use
1:1 nats to solve this (I have coworkers that use this to have
multiple workstations connected to our IPSec devices).

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:



Hi,

Thank for a great product,

I am running the Racoon IPSEC server and it all works great, except that if
2 clients are behind the same firewall, only one of them will be able to
make the connection to the VPN server, am I doing any thing wrong here?

I have problems with roadwarriors using agressive mode.


I'm using SafeNet SoftRemoteLT VPN clients.

I know it works with the isakmpd IPSEC server from an erlier setup I have
had.

its does not work both behind a other pfsense firewall, and some other
unknown firewall that I dont know the name of .

What are my options?

Is this the right behavior? or are there something setup completely wrong in
the Racoon ipset setup?

kind regards
Mikael Syska


Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work

2006-10-18 Thread Bill Marquette

pfsense

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:

hey,

so its a problem on the client side or server side?

not the hardcore firewall dude, I had it working on a openbsd with isakmpd, is 
there implementation any different?

kind regards
mikael syska



From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Wed 18-10-2006 18:57
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] 2 vpn client connections from the same ip 
does not work



pf doesn't have any method of seperating out the isakmp or esp
traffic.  There's been some talk of ipsec state code, but I don't know
when FreeBSD will see it (certainly not before it's implemented in
Opens pf I'm sure).  If you have multiple IP addresses, you could use
1:1 nats to solve this (I have coworkers that use this to have
multiple workstations connected to our IPSec devices).

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:


 Hi,

 Thank for a great product,

 I am running the Racoon IPSEC server and it all works great, except that if
 2 clients are behind the same firewall, only one of them will be able to
 make the connection to the VPN server, am I doing any thing wrong here?

 I have problems with roadwarriors using agressive mode.


 I'm using SafeNet SoftRemoteLT VPN clients.

 I know it works with the isakmpd IPSEC server from an erlier setup I have
 had.

 its does not work both behind a other pfsense firewall, and some other
 unknown firewall that I dont know the name of .

 What are my options?

 Is this the right behavior? or are there something setup completely wrong in
 the Racoon ipset setup?

 kind regards
 Mikael Syska






Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Tommaso Di Donato [EMAIL PROTECTED] wrote:

On 10/4/06, Rainer Duffner [EMAIL PROTECTED] wrote:
 At least in this respect, pfSense is still a clear packet-filter only ;-)
 And ideally, it should stay this way while analyzing packet-content
 should occur elsewhere (because it also needs much more CPU-power).


Sorry, but I do not agree totally with you: the thing I love with pfSense is
that it is possible to install it everywhere, so it could be a _real_
competitor to enterprise products (like Cisco ASA). So, I think that
CPU-power should not be a limit.


We have a serious disadvantage against hardware firewalls.  Where they
can crank out ASICs tuned to specific needs (which comes with a
disadvantage we don't have...flexibility), we're stuck with general
purpose CPU's which aren't necessarily fast.  Thankfully, encryption
boards supported by FreeBSD aren't terribly difficult to come by, but
there's other code paths that could be sped up considerably by
hardware optimized for it.

Let us also not forget that CPU's aren't getting faster, they're
scaling wider (in fact, I think most gamers would confirm that dual
core procs don't necessarily speed up their games).  FreeBSD doesn't
multi-thread routing.  The fastest proc today will be no faster than
the fastest proc next year (unless AMD comes through with it's inverse
SMP plans - presenting multiple cores as a single core to the OS).
Also, interrupts are a KILLER on x86 hardware - FreeBSD w/ polling is
better at this than OpenBSD (although I haven't personally benched
this yet), but it's not free and theres still a limit.

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Holger Bauer [EMAIL PROTECTED] wrote:

No, it sees everything. For example running at my WAN though nearly everything 
is blocked it detects portscans too and will block this IP (if enabled) so it 
can't start a bruteforce against my open ports. If you are lucky it will even 
block the intruder before it reaches open ports on your system for example :-)



To be fair, ONLY stateless signatures (or signatures of attacks that
only need one packet to do the damage) and the port scan engine can
make any kind of detection on traffic blocked at the firewall.  But
hey, who really cares that someone is trying some uber attack against
you if there's nothing listening?  If you want to know that, I'm
afraid you need a honeypot.

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


I tried to install the snort package but get an error. This was on my Soekris 
embedded box with the embedded version 1.0-RC1a.


Two problems here.
1. RC1 is ancient, the snort package only works on RC3 and above
2. Embedded doesn't support packages, either we still had that in RC1
(unlikely) or you've bypassed those checks somehow

--Bill


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Bill Marquette

On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


According to my rough calculations, I can do maybe 40mbps throughput before I 
peg the cpu. Or maybe I'm just dreaming, but I plan on testing it.


With a 4801 or wrap???  Try again :)  We peg the CPU on those boards
well before 40mbit...I think the last benchmark I saw was 30+mbit.

--Bill


Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-03 Thread Bill Marquette

On 10/3/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

Am Dienstag, den 03.10.2006, 09:09 -0400 schrieb Scott Ullrich:
 I am telling you how to solve your problem now, not long term.  I
 agree that the FTP system is a mess.
Ok, fine, how? At the moment I start the ftpsesame per hand after
booting up the firewall (which gladly isn't so often).

 Sounds good.  If you want to submit patches, feel free.  I am focused
 on getting on 1.0 out the door then I plan on taking a vacation for a
 bit but will be happy to review a patch.
So I'll wish you happy holidays.

BTW: It was a question to all devs here. Anyone else? I'm especially
looking for a solution to point 3). Maybe someone might know a good way
to implement this.


FTP is a broken and insecure protocol.  If I had my way, you wouldn't
see any FTP helpers in pfSense.  If you want it working a certain way,
make it work, send in patches, rejoice when they get commited.  It
works as is for 99% of our user base, the few users who need more
are certainly technical enough to come up with a solution that works
(and doesn't break the other 99% of the users).

--Bill


Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-03 Thread Bill Marquette

On 10/3/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

No, as I told you already, the system_start_ftp_helpers() is launched
_after_ filter_configure_sync in /etc/rc.bootup. And ftpsesame is killed
by killall in system_start_ftp_helpers() after been started in
filter_configure_sync :-( So, you can see, that the
afterfilterchangeshellcmd command isn't any solution for that problem.
When I'm posting lines of source code, you can believe me that I have
bravely taken a look at it ;-)


I wonder if the package system is called far enough into the boot
process to shim this in after start_ftp_helpers is called.  You might
be able to create a start script that calls /etc/rc.filter_configure.
Looks like this is what you want in /etc/rc.bootup
mwexec(sh /usr/local/etc/rc.d/{$filename} start /tmp/bootup_messages 21);

it's well past the ftp_helpers.



OK, I'll write my own code, since I'm experienced enough. I wanted a
clean solution for all users, but that's apparently not the goal here.
People will further cry at the forum that ftp isn't working. I do know
the reason why and now you know too.


Yeah, 1.0 is too close, we can't afford to break FTP for this somewhat
edge case.  Hopefully we can come up with a better long term solution.


BTW: I do love the way the netfilter connection tracking modules in
linux are solving that problem and don't know any reason why that code
isn't adapted by the pf devs. There must be any reason for not using
such an API. I'll have to search why. Maybe you can give me a link.


There's plenty of discussions on this, I don't have any links handy,
sorry.  But it goes along the lines of layer7 protocol analysis in
kernel is a bad idea - protocol bugs directly result in ring0
compromise (bad!).  Using divert() style sockets is moderately better,
but results in dropping the analysis and throughput to userland which
can be slow.  ftpsesame is a better compromise in that all it really
needs to do is run a bpf listener and add/remove rules as needed.
Some protocols (pptp, ipsec), etc, can only be NAT'd in kernel due to
the way the protocols work, but in those cases, it's not a rule issue,
it's a NAT issue that can't be solved outside of the kernel.  IPFilter
has various proxy modules to handle some of this.  At the end of the
day, the linux folks are more open to polluting their kernel with junk
than the OpenBSD folks.

--Bill


Re: [pfSense-discussion] Tutorial - configuring the captive portal with the integrated user manager

2006-09-28 Thread Bill Marquette

I randomly chose one of the mirrors and the tutorial came up for me.

--Bill

On 9/28/06, Richard Davis [EMAIL PROTECTED] wrote:



I was looking at the pfSense tutorial section and tried to connect to
configuring the captive portal with the integrated user manager .
All I got was dead links.  Does anybody know if this is a good tutorial and
if it is where can I get it?

Thanks
Richard



Re: [pfSense-discussion] IDS yet? (+IPS)

2006-09-21 Thread Bill Marquette

On 9/21/06, Sam Newnam [EMAIL PROTECTED] wrote:

I was thinking about using something like this product too...
http://www.stillsecure.org/index.php?rf=vmw

Says it integrates with IP Tables... Quick thoughts on its compatibility
with PF?


It's a dedicated linux install.

--Bill


Re: [pfSense-discussion] pfSense and TTL (time to live) = 1

2006-09-04 Thread Bill Marquette

Or if you want fuck with the ISP and have a full blown network behind
the pfSense box.

Change the following line in /etc/inc/filter.inc
   $rules .= scrub all {$scrubnodf} {$mssclamp} fragment
reassemble\n; // reassemble all directions
to:
   $rules .= scrub all min-ttl 255 {$scrubnodf} {$mssclamp}
fragment reassemble\n; // reassemble all directions

That will reset the TTL to 255 (substitute whatever sufficiently high
value appeals to you) as it passes through the pfSense box.  The above
line lives on line 166 in filter.inc version 1.575.2.235.  BTW, this
will have the other added advantage of being able to mask different
OSs behind your pfSense box and the network layout as ALL packets will
have a normalized TTL after traversing the firewall.

I don't expect to ever put a gui wrapper around this, I feel it has
rather limited use.

--Bill


On 9/4/06, Scott Ullrich [EMAIL PROTECTED] wrote:

On 9/4/06, Georgi Petrov [EMAIL PROTECTED] wrote:
 Hello everybody,

 I've sent this feature request to the m0n0wall mailing list, so it's a
 copy-paste. Everything written can be applied to pfSense as well!



 Here in Bulgaria we love m0n0wall and many people use it for home
 routing purposes. Our internet is delivered by LAN cables (insane,
 isn't it?) and some of my smarter friends split the service to the
 neighbours. This is pretty cool because you have to pay 2-3 times less
 and believe me - Bulgaria isn't the cheapest place to live in ;)

 Ok, you would say - you put one m0n0wall router under your bed and pay
 2 times less for internet (as well as your neighbours). What's the
 problem? Here comes the problem: Almost all ISPs in Bulgaria modify
 the TTL (time to live) value of all incoming packets to 1, so when
 they enter the m0n0wall router, it decrements the TTL to 0 and being
 zero, the packet gets dropped (and doesn't reach any of the computers
 in the local network).

 There is a very simple way to work around that. The FreeBSD kernel
 should be compiled with IPSTEALTH option enabled. This is absolutely
 harmless and does the following:

 When the kernel is compiled with this option, later you can set one
 sysctl variable to 1 (enabled), which will turn on the IPSTEALTH
 mode. In this mode the router hides itself, becomes intraceable with
 tracert and the most important thing is that it doesn't decrement the
 TTL, so the little trick played by most ISP becomes irrelevant.

 This is completely harmless to m0n0wall - it won't be enabled by
 default, nothing will change for the default install, but this
 functionality will be present for whoever need it! May be later a
 checkbox could be added in the webGUI for easier accessibility.

 I already run m0n0wall's FreeBSD IPSTEALTH enabled kernel and enabling
 IPSTEALTH in running m0n0wall is as easy as adding

 shellcmdsysctl net.inet.ip.stealth=1/shellcmd

 just before

 /system

 The whole procedure is explained by another smart bulgarian on this
 page (bulgarian language):
 http://hardwarebg.com/forum/showthread.php?t=76480highlight=TTL

 So - this way the whole problem is solved and the day - saved ;)

 I ask for one simple thing - could you please enable IPSTEALTH in the
 next m0n0wall release, please! It's a great router/firewall - make it
 even better!


# sysctl -a | grep stealth
net.inet.ip.stealth: 0
net.inet6.ip6.stealth: 0

It's already compiled in.

Have fun!

Scott



Re: [pfSense-discussion] source-hash and sticky-address in pf pools

2006-08-17 Thread Bill Marquette

On 8/17/06, Raja Subramanian [EMAIL PROTECTED] wrote:

Hi,

I have a pfSense box with 5 wan links, 1 wan and 1 dmz and
the load balancing and policy based routing in pfSense is
simply fantastic.

The one missing feature that I would like to see, is the ability to
specify the source-hash or sticky-address option in pf pools.
With this, I would be able to load balance troublesome websites
and protocols (eg. pptp) instead of pushing them all through the
default gateway.

I noticed that Bill M's pf sticky patches to slbd got included circa
Beta2.  Will we be able to use this feature anytime soon?


slbd isn't used for gateway balancing, just for monitoring the
gateways.  The sticky patches that Scott committed (not me) were for
server load balancing.

--Bill


Re: [pfSense-discussion] unable to view revison log for filter.inc on cvstrac

2006-08-16 Thread Bill Marquette

Thanks, reported to the cvstrac authors.

--Bill

On 8/16/06, Raja Subramanian [EMAIL PROTECTED] wrote:

Viewing cvs revision history for /etc/inc/filter.inc by accessing
   http://cvstrac.pfsense.com/rlog?f=pfSense/etc/inc/filter.inc

always throws the following error.


 error message ---
Database Error
db_exists: Database exists query failed

SELECT filename FROM filechng WHERE filename='tmp/{$rule['if']}_router'

Reason: near if: syntax error
-

Accessing the changesets or revisions directly is working fine.

- Raja



Re: [pfSense-discussion] FreeBSD LSI Logic fixes for VMware

2006-08-16 Thread Bill Marquette

Which version of ESX?  Thanks

--Bill

On 8/16/06, Jason Tyler [EMAIL PROTECTED] wrote:

I was able to get it to work by building the VM in VMware workstation,
then copying the disk image to ESX and modifying the .vxd file.

Hope this helps,

Jason

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 16, 2006 10:09 AM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] FreeBSD LSI Logic fixes for VMware

Interesting.  We merged what we thought was all of the fixes from
FreeBSD current but they where not working.   I'll look into this
further as w really want ESX supported for pfSense.

On 8/16/06, Dmitry Sorokin [EMAIL PROTECTED] wrote:
 Hi All,

 First, thanks a lot for a GREAT product. pfSense rules!

 Recently I was trying to install pfSense on VMware ESX server (for
some testing
 and dev projects) but failed to do so.
 Further inverstigation led me to this:
 http://www.vmware.com/community/thread.jspa?threadID=40606

 So, It's the LSI Logic driver that doesn't work properly with VMware
ESX Server.
 They claim it's fixed in FreeBSD 6.1.
 Is it possible to incorporate that fix into pfSense for  the next
release (RC3
 or 1.0-RELEASE)?

 Again, thanks a lot for a great product.

 Dmitry





Re: [pfSense-discussion] unable to view revison log for filter.inc on cvstrac

2006-08-16 Thread Bill Marquette

And fixed.

--Bill

On 8/16/06, Bill Marquette [EMAIL PROTECTED] wrote:

Thanks, reported to the cvstrac authors.

--Bill

On 8/16/06, Raja Subramanian [EMAIL PROTECTED] wrote:
 Viewing cvs revision history for /etc/inc/filter.inc by accessing
http://cvstrac.pfsense.com/rlog?f=pfSense/etc/inc/filter.inc

 always throws the following error.


  error message ---
 Database Error
 db_exists: Database exists query failed

 SELECT filename FROM filechng WHERE filename='tmp/{$rule['if']}_router'

 Reason: near if: syntax error
 -

 Accessing the changesets or revisions directly is working fine.

 - Raja




[pfSense-discussion] routed package

2006-07-08 Thread Bill Marquette

Hey, there was a bounty for the routed package, but the person
sponsoring this package isn't currently in a position to test it.
He's volunteered to send the funds on if we can get some people to
test it out and comment on it.
http://forum.pfsense.org/index.php?topic=1271.msg9066#msg9066

Can I get a couple people to load it up and make sure routes show up,
make sure it stops routed on exit, works on boot, etc. ?  Even better
if it can be tested on a machine also running OLSR (I have my
suspicions that it won't work, but I don't have a way to test it).
It's a $100 bounty and will go a LONG way towards my hotel bill for
the hackathon.  Thanks

--Bill


Re: [pfSense-discussion] load balancing - fail over

2006-06-28 Thread Bill Marquette

Try a rule for your client/lan - remote IP any port any protocol (I
understand you may wish to lock it down later).  Look at the state
entries to that remote IP after a successful connection, that should
help determine the exact rules you want.

--Bill

On 6/28/06, Allen Laymon [EMAIL PROTECTED] wrote:

Ok, I have gone into one of my interfaces under rules and opened ports 500,
1 and 62515 for UDP.  I have created all three rules the same way using
'any' source, port #, Destination 'any', port #, and Gateway 'default'.
I've also attempted using a 'specific' gateway of my WAN interface that I
want to designate for the Cisco VPN Client.

I have also tried using the source as my 'internal network' and the gateway
as my 'specific' external wan interface.

I can connect but it is VERY intermittent if it allows.  I may get to
connect 1/3 of the time, if I'm lucky.  Any suggestions on what I'm doing
wrong on the rules?

Allen

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 27, 2006 10:49 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] load balancing - fail over

On 6/27/06, Allen Laymon [EMAIL PROTECTED] wrote:
 I'm having an issue using load balancing/failover and using a Cisco VPN
 client to connect to a remote machine.  It's hit and miss whether or not
the
 Cisco VPN client works.  It appears to go out one of my internet
 connections, but can return on the second internet connection?  I'm not
sure
 how to resolve this.  Anyone have a similar instance?

 Allen

You'll want to create a rule that sends this traffic out only one WAN
link (you won't get failover on that rule...sorry).  The issue here is
that most IPSec clients usually use two connections, UDP 500 (or
whatever NAT-T lives on) and proto ESP.  Unless you get lucky and both
make it out the same WAN and establish state that way, the remote
gateway is going to drop you when it see's different source addresses
from the connections.

--Bill




Re: [pfSense-discussion] load balancing - fail over

2006-06-27 Thread Bill Marquette

On 6/27/06, Allen Laymon [EMAIL PROTECTED] wrote:

I'm having an issue using load balancing/failover and using a Cisco VPN
client to connect to a remote machine.  It's hit and miss whether or not the
Cisco VPN client works.  It appears to go out one of my internet
connections, but can return on the second internet connection?  I'm not sure
how to resolve this.  Anyone have a similar instance?

Allen


You'll want to create a rule that sends this traffic out only one WAN
link (you won't get failover on that rule...sorry).  The issue here is
that most IPSec clients usually use two connections, UDP 500 (or
whatever NAT-T lives on) and proto ESP.  Unless you get lucky and both
make it out the same WAN and establish state that way, the remote
gateway is going to drop you when it see's different source addresses
from the connections.

--Bill


Re: [pfSense-discussion] PFSense and Tables

2006-06-26 Thread Bill Marquette

On 6/26/06, Nick Buraglio [EMAIL PROTECTED] wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I've been thinking about adding pftabled to pfsense but have not had
the time to really do it yet since I'm slow at writing the gui
parts.  It's certainly possible to use pftabled to remotely
manipulate a pf table, even via scripts.  If I get some time maybe
I'll play with adding it without a gui and see how it works.


FWIW, aliases don't yet use tables.  That's something I'm interested
in fixing post 1.0 sometime (maybe I'll get bored at the hackathon and
fix it then :))

--Bill


Re: [pfSense-discussion] PFSense and Tables

2006-06-26 Thread Bill Marquette

On 6/26/06, Forrest Aldrich [EMAIL PROTECTED] wrote:

Maybe something standarized - with XML formatted files?

It would be nice to issue a command, securely, from an internal machine
to update the PFSense firewall in either case.

Why doesn't PFSense use real Tables... ?  Just curious about the design
decision, etc.


Aliases were easier to implement (and we wanted to get 1.0 out the
door some day).  Tables won't be terribly difficult to implement and
certainly are required, but we gotta leave _some_ room for improvement
;-P

--Bill


Re: [pfSense-discussion] artwork

2006-06-21 Thread Bill Marquette

On 6/21/06, Eugen Leitl [EMAIL PROTECTED] wrote:


I suggest to move back to default m0n0wall design and artwork.
It is much superior in look and usability, imo. I would go so
far to file this as a bug.


That's kind of inflamatory, but change the theme to pfsense and you'll
have the ugly old look back.

--Bill


Re: [pfSense-discussion] artwork

2006-06-21 Thread Bill Marquette

On 6/21/06, Eugen Leitl [EMAIL PROTECTED] wrote:

On Wed, Jun 21, 2006 at 02:09:41PM -0500, Bill Marquette wrote:

 That's kind of inflamatory, but change the theme to pfsense and you'll

No trolling intended. I do really consider the current pfsense
artwork a major regression on m0n0wall look and feel.

 have the ugly old look back.

No, the icons and the color scheme are still different.
For instance, the firewall rules buttons are absurdly
overwrought. It would be a major improvement to get
the m0n0 default ones back.


pfSense != m0n0wall.  We're a fork.  We may have regressed on a
theme that is no longer our default.  We certainly welcome patches -
cascading style sheets can be a real pain to get right.  And honestly,
we spend a LOT of time writing themeable code (I'm constantly fixing
items with hard-coded paths) - it's certainly easier to write
non-themeable code which would result in the old pfSense theme
disappearing.  With that said alot of the color scheme is still in
code I believe which will make it difficult to make a non-red theme.

--Bill


Re: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Bill Marquette

On 6/6/06, Odette [EMAIL PROTECTED] wrote:

Hi all,

 I need to substitute our production firewall, and I'd like to use PFsense
which I've already successfully used for home or small office environments.

The solution I'm going to substitute is based on Linux-iptables which requires
more than 1000 rules. I need more than 25 static routes, and 5 VPNs.

Furthermore, in the next future we are migrating 2 of 3 network branches on
Gbit.

I'd like to try with PFsense, but my boss (I'm sure) will kill me in the event
I spend half a week in setting up the new PFsense and writing down all the
rules to see that PFsense is not the right solution.


Seems like the effort falls under research and development.  At least
in my shop, that wouldn't be considered a waste of time as it can
vette the existing design (which obviously is considered inadequate),
determine what if any use pfSense has to us, and whether we need to
keep looking.  There aren't any free answers - you'll have to take the
time to try out the solution you believe will work for you.


Is there a rules number limit or a session number limit implemented in
PFsense?


Not per se.  Do you really have 1000 rules, or are there numerous
duplicates with only source/destination IPs (or ports) changed?  You
may be able to shrink that rule base down considerably with pfSense.
The only concern I'd have with the number is the speed of the webGUI -
depending on how many interfaces you have, displaying 1000 rules on a
single screen could be bad (some day I'll have to generate a test bed
that stresses out the webGUI so we can try and improve the speed).

Also, you may or may not want to increase the state table limit which
defaults to 10K state entries.  There are 2-3 (depending on NAT) state
table entries for every connection through your firewall.  More info
on state table sizes can be found in other threads on this list or the
forum (I've answered this a few times)


Does somebody have some expertize in similar situations?


Can't speak for pfSense in a large install, but the underlying packet
filter engine works like a champ in my commercial installs and those
are couple thousand rule machines (text files for editing...I'm not
relishing converting those machines to pfSense).

--Bill


Re: Re[2]: [pfSense-discussion] P2P Blocker

2006-06-06 Thread Bill Marquette

On 6/6/06, Chris Noble [EMAIL PROTECTED] wrote:

Ah good idea, pfsense has Traffic Shaper in it.. I could play with
that and give P2Pa silly speed like 500 byte/sec heh.


There were some threads on this in the forum also.  I believe someone
even went so far as to restrict the number of states individual
workstations could have.  Between castrating the bandwidth and
castrating the amount of connections you're allowed, it should pretty
effectively communicate the message.

--Bill


Re: [pfSense-discussion] Routing

2006-05-24 Thread Bill Marquette

On 5/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



Hi everyone,

I have 3 WAN interfaces (WAN, OPT1 and OPT2)
I want to route packets to the WAN interfaces based on the source IP.
For example, 10.0.1.X/24 packets should be forwarded to WAN, 10.0.2.X/24
packets to OPT1 and 10.0.3.X/24 packets to OPT2.
Is this possible?


Yes.  http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
read the policy based balancing section.

--Bill

--Bill


Re: [pfSense-discussion] broken http interface install..

2006-05-16 Thread Bill Marquette

This happening on index.php, or when trying packages?  Sounds like
there's a corrupt XML file floating around somewhere, usually this is
due to the machine getting powered off in 'odd' states.

--Bill

On 5/16/06, Gregory Machin [EMAIL PROTECTED] wrote:

Hi
Lookis like I did the imposible and broke the web interface ..
here is the error i'm getting ...

Notice: Object of class PEAR_Error could not be converted to int in
/etc/inc/xmlparse.inc on line 135
 XML error: No pfsense object found!

Many Thanks
--
Gregory Machin
[EMAIL PROTECTED]
[EMAIL PROTECTED]
www.linuxpro.co.za
www.exponent.co.za
Web Hosting Solutions
Scalable Linux Solutions
www.iberry.info (support and admin)

+27 72 524 8096


Re: [pfSense-discussion] CF-IDE install help

2006-05-16 Thread Bill Marquette

On 5/16/06, Angelo Turetta [EMAIL PROTECTED] wrote:

And what about the case in original post?
He has installed the full version from CD-ROM to a CF (used as a hard
disk). I'm confident that such a setup results in a platform setting of
'pfsense'. If I later change the platform to 'embedded', can I use it on
a 'Real PC'? (for example, using an ATA-to-CF adapter). Of course I'll
lose the package manager, but will the VGA work as usual?


Correct, the two major differences between embedded and full are the
kernel (the embedded images lack VGA and keyboard) and the disk being
mounted rw/ro.

There are other minor differences.../var/* are symlinks to /tmp on
embedded and /tmp is a ramdisk - this is why most things disappear on
reboot for embedded images, we simply don't preserve them.  I don't
recall if the /var stuff is part of the build, or something that's
created on the fly if platform == embedded.

--Bill


Re: [pfSense-discussion] CF-IDE install help

2006-05-16 Thread Bill Marquette

On 5/16/06, Craig FALCONER [EMAIL PROTECTED] wrote:

Ahh cool thanks - I haven't rebooted a post beta2 machine yet :)


yeah, added for beta4 I believe :)

--Bill


Re: [pfSense-discussion] No altq support on linitx.com appliances? Also, plug for packaging on embedded version.

2006-05-08 Thread Bill Marquette

On 5/2/06, Carl Youngblood [EMAIL PROTECTED] wrote:

 So you are volunteerig to get this working?   Keep in mind we do not
 have endless amounts of resources.

I'm totally willing to help with this, but if the developers aren't
open to the idea, then it can be a really uphill battle.  So I wanted
to make sure you guys were supportive of the idea, especially since I
am not nearly as skilled with BSD as you guys are.  But I am willing
to help out, and our sysadmin here also has some good linux experience
and some exposure to BSD.  As long as you guys are willing to point us
in the right direction on occasion.


We're willing and want some subset of packages on embedded platforms. 
However, we don't have the resources to put it in ourselves - it's a

fair amount of work to make it stable.  Also, embedded platforms
usually have a limited amount of RAM (my two development WRAPs for
example have 64M RAM - the absolute minimum pfSense will even run on)
- I can't imagine losing any RAM on most of those platforms for
ramdisk.  So, we need a way to determine how much ram and/or ramdisk a
package will require and detect if your machine is even qualified to
run it.  Currently, it's easier to disable the functionality as it's a
very conditional item.  Anyone willing to make it work and make it
work right is welcome to try - just understand that it's not as simple
as well I've got a 256M embedded box and it'll work here, so it must
be good.

--Bill


Re: [pfSense-discussion] Vmware Tools and pfSense

2006-04-24 Thread Bill Marquette
FWIW, while the lnc device reports as 10Mbit, it'll actually do more. 
It's still slower than either the vmware tools driver or the e1000
interface, but it's definitely faster than 10Mbit.

--Bill

On 4/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hello,

 I'm planning to get pfSense running inside vmware, so to have routing and 
 firewall functions within the hosts attached to the internal virtual switches.
 However, as far as I got to know, 10 Mbps functionality only would be 
 obtainable out of the interfaces of the virtual machines, unless Vmware Tools 
 are properly installed into the guest operating system, along with the 
 benefit of 100 Mbps speed.  For such reason, I thought to add Vmware Tools to 
 the VM hosting the pfSense software but, unfortunately, the pfSense 
 installation image does not come with a suitable perl interpreter, as 
 required by the Vmware Tools installation process.


 Thank you for any hint on this subject, pfSense installation image shipped in 
 the future with a perl interpreter bundled altogether perhaps?

 Best regards

 Marco Masotti





Re: [pfSense-discussion] web interface and dependancies...

2006-04-18 Thread Bill Marquette
On 4/18/06, Gregory Machin [EMAIL PROTECTED] wrote:
 Hi.
 I'm looking for a list of dependancies for the web interface ...
 I know it require php and and http server .. but are there any others..
 Any advise would be grate..

 Many Thanks

pfSense is a firewall distribution, not a standalone package.

--Bill


Re: [pfSense-discussion] when IPv6 support?

2006-04-11 Thread Bill Marquette
On 4/11/06, Eugen Leitl [EMAIL PROTECTED] wrote:

 [Previous message didn't seem to have come through, so I'll
 try this one without signing.]

 Folks, when is IPv6 support planned?

No time frame.  Nobody is working on it at this time, feel free to
submit patches.

--Bill


[pfSense-discussion] IPSEC diff to test

2006-04-04 Thread Bill Marquette
Can I get a couple people to try out the following diff?  It (I think)
fixes the 'prefer older sa' option that actually prefers newer SA's
issue (the one where we tell you to click that option to prefer it :))
 Before I commit this, I'd like some feedback from people that have
done this to fix ipsec issues as well as people that haven't used this
option (and can confirm it's not breaking anything).  If it's
absolutely required, I can post a full version of the file, but the
full install (I know embedded doesn't have it) should have diff and
patch, so this should apply.

Save to /tmp/vpn.inc.diff and run:
cd /  patch  /tmp/vpn.inc.diff
If there are no rejected entries, reboot.  If it fails - go to
Diagnostics - Edit file and update /etc/inc/vpn.inc with
http://cvstrac.pfsense.com/getfile?f=pfSense/etc/inc/vpn.incv=1.89.2.18

Thanks

--Bill


Index: vpn.inc
===
RCS file: /cvsroot/pfSense/etc/inc/vpn.inc,v
retrieving revision 1.112
diff -u -r1.112 vpn.inc
--- vpn.inc 11 Mar 2006 22:45:22 -  1.112
+++ vpn.inc 29 Mar 2006 14:00:23 -
@@ -118,9 +118,9 @@
   }

   if(isset($config['ipsec']['preferredoldsa'])) {
-   mwexec(/sbin/sysctl net.key.preferred_oldsa=0);
+   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=30);
   } else {
-   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=-30);
+   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=0);
   }

   $number_of_gifs = find_last_gif_device();
@@ -1233,4 +1233,4 @@
   return 0;
 }

-?
\ No newline at end of file
+?


Re: [pfSense-discussion] Re: Outbound load-balancing

2006-03-30 Thread Bill Marquette
On 3/30/06, Craig Roy [EMAIL PROTECTED] wrote:
 Hi David,

 You are fortunate that your ISP supports aggregate connections. Here in
 Australia, all ISP's don't want to know about it. There attitudes are, if
 you want to go faster, then get a faster connection and pay up to 10 times
 the price.

 However, I did download a 600MB files since replying to your email and my
 PFSense did download this file across both connections at the same time. It
 took me 26minutes to get this file down.

 I could see that doth DSL Routers were being hammered quite hard
 simultaneously, and when viewed in the Traffic graphs for WAN and OPT
 interfaces, the bandwidth incoming and outgoing was exactly the same.

 I have 2 1.5/256 DSL connections configured as Round Robin, but only on my
 end as I mentioned earlier all ISP's here don't support aggregating. My good
 fortunate on downloading that large file was most likely something to do
 with the server that I was getting it from, recognising both IP's.

Any chance you're using a download manager?  A number of them will
open up multiple connections to the destination server and request
individual chunks of a file.  FWIW, we round robin network flows, so
this would have HAD to use multiple tcp connections to work the way
you are describing.

--Bill


Re: [pfSense-discussion] Traffic Shaper wizard thoughts

2006-03-26 Thread Bill Marquette
On 3/21/06, Josh Stompro [EMAIL PROTECTED] wrote:
 I think this would be a great idea, I am also in this boat where I would
 like to shape on more than one interface.  I realize it can be done
 manually, but it would be nice if the wizard took care of it.

 Is there any more documentation on pfsense's traffic shaping that what
 is listed in the monowall handbook?
 http://doc.m0n0.ch/handbook/trafficshaper.html

 I would like to limit the opt interface to 384kbits up/down and
 guarantee that a certain machine or machine's on the lan side get higher
 priority than anything else, for any traffic they send. Along with the
 Ack rules so that downloads don't kill latency.  Since you can only
 shape traffic what is sent on an interface, the Wan queue has to deal
 with limiting traffic coming from opt1, which I don't understand how to
 do yet.

The code to do this got backed out 9 months ago.  It'll be put back in
later after I get positive feedback on the current code.  I'm tired of
tracking down shaper bugs and trying to get the simple stuff we have
working right (it should now, but I want to work on other stuff for a
while - I'm kinda burnt out on it).

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-15 Thread Bill Marquette
On 3/15/06, Chun Wong [EMAIL PROTECTED] wrote:
 Chipset ? I'm not sure tbh, its an abit board I purchased 4-5 years ago.

 The source is on a HP Netserver LH3000 (2 x P3 866Mhz, 2.25Gb RAM) with dual
 64 bit PCI bus. 3 x Intel Pro MT1000 gig nics (64bit).  The disk subsystem
 is 2 x megaraid scsi/sata controllers, with scsi3 and sata raid 5 arrays.

 I doubt the bottle neck is there. Although it is running vmware 2.5.1 at the
 moment. The guest OS is Windows XP SP2. I guess I need to see what happens
 when I run straight linux on the box.

VMWare performance regardless of whether this is ESX or not (I'm
assuming ESX, not workstation or GSX) sucks.  Use a physical box for
this type of testing.

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-14 Thread Bill Marquette
On 3/14/06, Jim Thompson [EMAIL PROTECTED] wrote:
 Chun Wong wrote:

 Hi,
 I have two fw platforms, mono 1.21 running on a Nokia120 and pfsense1.0beta2
 running on an AMD athlon 900.
 
 I can get 2.2MBs on the 120 platform, at 96% cpu usage. On the athlon,
 32bit, 33Mhz pci, I can get 7MBs using Intel PRO 1000MT 64 bit PCI cards.
 
 My question is what speed/type cpu do I need to use to improve on this with
 a PCI-X bus? (64bit, 33Mhz or maybe 66Mhz)
 
 I would like to get 15-20MBs, but without spending too much. I am looking at
 a 2nd hand Supermicro FPGA370 dual Pentium mb, with PCI-X bus.
 
 All my NICs are Intelpro MT1000, 64bit.
 
 Thanks
 
 
 Something else is wrong.  Either of these platforms should be able to
 forward at something close to 100Mbps, if not higher.

Agreed...unless those MT1000's are plugged into 100Mbit ports (but I
guess that would fall under the something else is wrong) :)  Then
70Mbit wouldn't be entirely out of line (depending on the test
software).  500Mbit throughput is about all you'll practically get on
a 33Mhz 32bit slot and in practice, it'll be somewhat slower (closer
to 3-400Mbit).  A 64bit/66Mhz slot will make that a much higher
ceiling.

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-14 Thread Bill Marquette
On 3/14/06, Chun Wong [EMAIL PROTECTED] wrote:
 On the fw traffic graph, I see 30 megabits per second on the 120 (95% cpu)
 and 75 megabits peak on the athlon platform (45% cpu).

This certainly suggests that CPU on the athlon is not your limiting factor.

 to be honest I was expecting a lot more.

 I am using an 8 port SMC gigabit switch that supports jumbo frames - how do
 I increase the ethernet frame size on the firewall interface ?

I believe there is a hidden option to change MTU - I'll leave it to
someone else to provide that option.

 I'll see if I can rig up an extra long crossover cable to bypass the switch.

 If I am supposed to see 400 megabits, then I presume this is split between
 the incoming nic and outgoing nic, so 200 megabits per second ??

No, that's 400Mbit throughput :)  A [EMAIL PROTECTED] bus is roughly around
1Gbit transfer rate so 500Mbit would be the absolute max.

 Any ideas where I should be checking ?

netstat -ni from the shell and see if you're taking any interface
errors on all the machines involved in the test.

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-14 Thread Bill Marquette
On 3/14/06, Rainer Duffner [EMAIL PROTECTED] wrote:

 Am 14.03.2006 um 20:52 schrieb Greg Hennessy:

 
 
  I'd love to get the chance to throw an Avalanche at a decent system
  running
  PF to see what it really can stand upto.

Quite a bit.  I ran out of Avalanche/Reflector capacity at 750Mbit,
but the OpenBSD box I pointed the firehose at, was only hitting about
30% CPU load at the time.  I expect I'd see better performance out of
FreeBSD (w/ or w/out Andre's work).  I plan on running the same tests
against pfSense 1.0 when released.

--Bill


Re: [pfSense-discussion] throughput - cpu, bus

2006-03-14 Thread Bill Marquette
On 3/14/06, Greg Hennessy [EMAIL PROTECTED] wrote:

 
  Quite a bit.  I ran out of Avalanche/Reflector capacity at
  750Mbit, but the OpenBSD box I pointed the firehose at, was
  only hitting about 30% CPU load at the time.

 Interesting, what nics were in the box ?

HP DL380G3 w/ Broadcom and Intel NICs.  I also ran an iperf test, but
ran out of physical boxes to generate and receive the load at around
900Mbit (I did determine the maximum xmit/receive rate of a Sun v120
running Solaris 8 though ;) )  During the iperf tests, the cpu load
was closer to 25%, but iperf generates larger packets, so that's no
huge surprise and why Avalanche is a much closer to real life test.

I've got some interestingly crappy test results while working on the
shaper before Beta 2 on a 1Ghz Via cpu here:
http://www.pfsense.com/~billm/spirent/1/
And I do mean crappy.  I wasn't trying too hard to get a good working
test, just tossing traffic to see what's blowing up and why.

  I expect I'd
  see better performance out of FreeBSD (w/ or w/out Andre's
  work).  I plan on running the same tests against pfSense 1.0
  when released.

 Looking forward to it.

 Putting in a DL-385 for the same client, on 6.x/PF with 4 * em to firewall
 off a large network backup environment.
 I should have some pretty symon pictures soon.

Very interested in results from a high throughput environment.  I'm
probably a good year or so away from deploying pfSense anywhere near
our high throughput (high dollar) production environment but I'm
interested in others results in the meantime.  For now, that
environment is staying on OpenBSD (and pf's native OS).  We're a large
company and pfSense doesn't meet our internal audit requirements just
yet - that's on my todo list (multi-user, change logs, etc).

--Bill


Re: [pfSense-discussion] Everything else sucks

2006-03-11 Thread Bill Marquette
Now with better traffic shaping.  Many thanks go to our new dev.
Leon on the find (and fix).

--Bill

On 3/11/06, Scott Ullrich [EMAIL PROTECTED] wrote:
 Fresh out of the oven:

 http://www.pfsense.com/~sullrich/RELENG_1_SNAPSHOT_03-10-2006/


 On 3/11/06, Randy B [EMAIL PROTECTED] wrote:
  I've spent the last month making a grand tour of the firewall world -
  tried everything from IPCop to Smoothwall, a fully-licensed PIX-515E
  from work to m0n0wall, and I still come back to pfSense.  Not only is
  this my hobby, I oversee a flock of ~70 PIXen  FWSMs at work every
  day.
 
  There's just nothing quite as feature-rich, easy to use, or quick to
  set up.  GNAP comes close, and I'm working on making some custom
  extensions to it that may draw me away from pfSense again, but making
  it do 95% of what I want takes _so long_.  I just wish I was more
  conversant with *BSD so I could really dig under the covers like I did
  on the Linux-based ones, even though I was greatly disappointed when I
  did.
 
  Granted, you're going to get more horsepower, support, and scalability
  with a commercial appliance, but they leave out things that should be
  simple - like setting up port-forwarding.  Then there are the *really
  nice* things, like 3rd-party extensions.
 
  Like I said, I may be drawn away again some day, but for the time
  being I'm back to stay.  In that light, is there anything newer than
  Beta-2?
 
  RB
 



Re: [pfSense-discussion] Small suggestion

2006-03-05 Thread Bill Marquette
On 3/5/06, Lawrence Farr [EMAIL PROTECTED] wrote:
 How about having the ip's pop up if you hover over the
 interface name?

Where?  Care to do a mockup of what you are envisioning?  Thanks

--Bill


Re: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread Bill Marquette
So let me get this straight.

The cable that's plugged into the LAN nic if unplugged from LAN and
plugged into each of the OPT nics works?  Sounds like a switch or
cable issue.  Have you tried the reverse?  Plug the cables that are in
the non-working OPT interfaces into the known working interface (LAN)?
 And for that matter, plugging the known working cable and the known
working interface into the switch ports that you are trying to plug
the OPT interfaces in?

--Bill

On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 nope, doesn't fix it. Just upgraded. Still as broke as it was an hour ago.
 The system is a Dell Optiplex (I can't find the model number at this time) It 
 has a Pentium 3 and a 10 GB harddrive, if that helps at all.


  -- Original message --
 From: Scott Ullrich [EMAIL PROTECTED]
  On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  [snip]
   I'm using Beta 1 right now, because I don't think that upgrading to Beta2
  would
   fix this.
 
  Upgrade.  There was only 91+ fixes between beta1 and beta2 and
  countless FreeBSD fixes.
 
  Scott




Re: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread Bill Marquette
So called uplink ports are meant to plug a switch into another
switch, not a router.  Some newer switches also do cable autosense and
will cross the RX/TX pairs if needed (your Linksys probably does
this).

--Bill

On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Well, I have seemed to have fixed it, but the solution makes no sense to me. 
 Perhaps it will make more sense to those of you with more networking 
 knowledge than I.

 All of the cables leaving the PfSense box went to switches. The one hooked up 
 to the LAN had the cable plug into a regular port on the LAN switch, all the 
 others were plugged into the uplink port on those switches.

 So, when I moved all of the cables from the uplink port on the switches, to 
 a regular port on those switches, all of a sudden things worked just fine.

 Why? I thought the purpose of the uplink was to connect to a higher switch 
 (in this case, the PfSense box a.k.a router). The former router (a commercial 
 speedstream that the pfsense box replaces) worked just fine with all the 
 switches hooked up with the uplink port. Heck, even my pfsense box at home 
 worked just fine with my linksys switch using the uplink port.
 what is with this ambiguity?!

 Anyways, thanks to you all for help. I'm sorry if I may have caused any 
 problems.
 If anybody knows why what I did works (why the uplink port seems to be a 
 curse/miracle) please explain, I would love to know. And besides, if somebody 
 ever has the same problem, and they search the mailing lists, they'll find 
 the answer.
 Thanks again!
 Anthony


  -- Original message --
 From: Bill Marquette [EMAIL PROTECTED]
  So let me get this straight.
 
  The cable that's plugged into the LAN nic if unplugged from LAN and
  plugged into each of the OPT nics works?  Sounds like a switch or
  cable issue.  Have you tried the reverse?  Plug the cables that are in
  the non-working OPT interfaces into the known working interface (LAN)?
   And for that matter, plugging the known working cable and the known
  working interface into the switch ports that you are trying to plug
  the OPT interfaces in?
 
  --Bill
 
  On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   nope, doesn't fix it. Just upgraded. Still as broke as it was an hour ago.
   The system is a Dell Optiplex (I can't find the model number at this 
   time) It
  has a Pentium 3 and a 10 GB harddrive, if that helps at all.
  
  
-- Original message --
   From: Scott Ullrich [EMAIL PROTECTED]
On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
[snip]
 I'm using Beta 1 right now, because I don't think that upgrading to 
 Beta2
would
 fix this.
   
Upgrade.  There was only 91+ fixes between beta1 and beta2 and
countless FreeBSD fixes.
   
Scott
  
  




Re: [pfSense-discussion] licience of php interface ?

2006-02-28 Thread Bill Marquette
On 2/28/06, Adam Gibson [EMAIL PROTECTED] wrote:

 Just to be sure we are on the same page.  I am referring to static port
 mappings.  Not static IP NAT mappings.  I am pretty sure most
 firewalling filters can do static IP mappings through NAT (1 to 1, etc).
 Basically just making sure that the src port stays the same during the
 NAT traversal.

 Where 10.10.10.10 is LAN client behind firewall NAT
 Where 12.1.1.1 is some internet server
 Where Firewall WAN has ip 69.1.1.1

 src 10.10.10.10:1000 dst 12.1.1.1:2
|
 firewall with IP 69.1.1.1
|
 src 69.1.1.1:1000 dst 12.1.1.1:2

 The static-port feature only exists in pf from 5.x versions of freebsd.
 I am very confident you wont find that feature in ipfilter on freebsd.
 I looked for an equivalent feature and it just wasn't there.

IPFilter does this by default.  To quote the man page:

For  map rules, the destination address will be one for which the tuple
   combining the new source and destination is known to be unique.  If the
   packet  is either a TCP or UDP packet, the destination and source ports
   come into the equation too.  If the tuple  already  exists,  IP  Filter
   will increment the port number first, within the available range speci-
   fied with portmap and if there  exists  no  unique  tuple,  the  source
   address  will be incremented within the specified netmask.  If a unique
   tuple cannot be determined, then the packet  will  not  be  translated.

And the BNF syntax:
   map ::= mapit ifname ipmask - dstipmask [ mapport ] mapoptions.
   map ::= mapit ifname fromto - dstipmask [ mapport ] mapoptions.
.
.
.
  mapport ::= portmap tcpudp portspec .

portmap is not a require parameter.

Also, the ipf howto (dated Dec 11, 2002) on obfuscation.org also
claims this to be default IPFilter behaviour. 
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_29

pf can also do it, we could generate the rules to do it by default. 
We don't.  FWIW, in FreeBSD pf has only been in tree since 5.3, you
won't find it available on m0n0 which is IPFilter based.  I can't
speak any more towards m0n0's usage of IPFilter as I don't use m0n0,
never have, never will - nor have I ever seen m0n0's code outside of
what we've imported into our tree (which no longer includes the
IPFilter code).

   - Time rules without needing scripts or cron jobs.
 
  Yeah, that's never going to happen in PF, nor should it.  Cron was
  designed to schedule jobs to run, it can do a perfectly adequate job,
  we just need to write the code.

 opinions are just that... everyone has one.  So you would rather have a
 cron script inject and remove rules than have the filter code take care
 of it?  This just works in iptables and works well.

Yes, I would.  I don't see the need to make the kernel code more
complex.  Stateful inspection code is already complex enough without
contaminating it with time management code that doesn't belong there. 
Userland can handle this just fine and should.

   - conntrack(nat) modules for irc, amanda, netbiosns, and many other
   modules to make protocols work or work better by default without needing
   helper applications to get them working behind NAT.
  The NAT modules just aren't there yet as nobody with the skill and
  desire has written them.  I agree that it's a pain, but I personally
  find the linux filtering engines to be a pain to work with too.
 

 Hince wanting to use iptables.  It has more features that I personal
 need.  As far as being a pain, I would disagree.  Everyone has their
 opinions and so there is no right or wrong here.  As long as we are both
 happy :).  That is what choice is all about with Linux, *bsd, etc.  It's
 all free and all good.  Just have to choose what works for you.

   - Ability to pick from a bunch of extra features in patch-o-matic for
   even more nat modules and such.
 
  sounds scary
 

 Not as long as you don't grab alpha quality modules :).  Being in
 control of picking them makes the difference.

   - different logging features.  Ability to put a text description in
   syslog logging messages for firewall rules.
 
  Hrm, that may actually already be doable, we just don't expose it.
  I've got better ideas along these lines anyway.
 

 Again... this just works the way I want with iptables hince wanting to
 use it for my firewalling needs.

   - Ability to push accept/drop/reject decisions to userspace using ipq.
   Imagine a firewall that blocks everything by default and then when you
   run the firewall administration web page, any new connections will be
   displayed and allow the user to accept or deny it so that the user can
   automatically generate rules based on that information.  I mainly use
   this for creating zonealarm type functionality on Linux currently where
   a gui X windows comes up asking the user to allow are reject any
   incoming or outgoing connections.
 
  There are good reasons to not do that.  With that said, it's trivial
  to do 

Re: [pfSense-discussion] pfsense on VMware ESX Server

2006-02-27 Thread Bill Marquette
On 2/27/06, Chris Buechler [EMAIL PROTECTED] wrote:
 Dave C. Arthur wrote:
  The system boots and runs. However when I try to install the system to
  the virtual HD, I receive a response that no HDD can be found (using the
  LSI controller).
 
  Any ideas on how to get the controller recognized?
 

 You can't.  FreeBSD 6 (and hence pfsense) is not supported in ESX
 Server, and in fact, VMware is completely dropping FreeBSD support on
 ESX 3.0.  If you have a support contract, I urge you to submit a support
 request, requesting FreeBSD support in ESX (as suggested by a VMware
 employee here:
 http://www.vmware.com/community/thread.jspa?messageID=356876#356876)

 I just submitted a support request myself, but it'll take a lot more
 voices to make it happen.

Arrghh, they just added it back in 2.5.  We've got a sizeable contract
with VMWare and a much more sizable contract with their parent company
EMC.  I'll see if I can't get someone to send a few complaint emails
around.

--Bill


Re: [pfSense-discussion] Routing

2006-02-20 Thread Bill Marquette
On 2/20/06, Kim C. Callis [EMAIL PROTECTED] wrote:
 And what differnces and benefits will one get from the
 OpenBSD deployment?

This is just a test image to see if pfsense is screwing up altq in any
way or if it's an OS issue as I suspect.  There will be many
differences and many things not working - which won't be fixed.  The
benefit, determining where the shaper bug is - if the sucky
performance follows the OS, then it's our code, if it performs
wonderfully in openbsd, then it's the OS and we've got something to
report back to the freebsd devs (I've already performed line by line
code comparisons on ALTQ between FreeBSD and OpenBSD - there are no
significant differences).  There is a known bug report for CBQ (that
I've reproduced in pfSense) on FreeBSD, so I've got reason to suspect
it's not our code (although it's not out of the question, I've
certainly created and fixed enough bugs in it ;))

With that said, we did make a timing change on the embedded platform
that may or may not affect ALTQ.  If this is the platform you are
having issues on, I'd appreciate you trying
http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-19-06/
and reporting back.

--Bill


Re: [pfSense-discussion] Routing

2006-02-20 Thread Bill Marquette
On 2/20/06, Nick Buraglio [EMAIL PROTECTED] wrote:
 This is somewhat related...
 I just ran the shaping wizard (which I had not done in quite some
 time) has it changed much?  It seemed to be a little different to me.

Not visibly - but the rules it generates has changed over time.

 Didn't there used to be an option to not use the wizard and create
 your own rules (I'm trying to remember how I did it)?

Sure, just create rules - good luck, right now that's not easy and I'm
not going to spend any time supporting user generated rules until we
can make it easy to create them.

 Is there a reason that ssh (bulk and interactive) isn't in the
 default protocol list for higher priority?  I remember this from last
 time I did it, it seemed odd to me.

Assuming OpenSSH which sets the TOS bits so we can tell, interactive
will be default end up in the ack queues and bulk will end up in the
default queue.  There's intentionally no way of changing these as
outside of OpenSSH, vendors don't tend to set the TOS bits and I don't
believe it's part of the protocol spec to enforce that.  At any rate,
I believe OpenSSH interactive would just end up in the ack queue based
on how pf works anyway.

--Bill


Re: [pfSense-discussion] Routing

2006-02-19 Thread Bill Marquette
On 2/19/06, Kim C. Callis [EMAIL PROTECTED] wrote:
 Nick,

 You are right... Before I started fooling around, I removed
 traffic shaping and suddenly my download was good to go. I
 think I still need to do something useful with the Cisco,
 but I think I need to really do some homework on the traffic
 shaper.

 Does anyone have a pointer to where I can read up on
 optimizing the traffic shaper? It would seem that the wizard
 caused mucho problems.

What release are you running?  I'm very interested in shaper issues on
anything post beta1.  Before that, it sucked, there were some bugs we
recently fixed.  But, it's looking like there may be an OS level bug,
we're not sure - the issues can sometimes be difficult to replicate.

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/92949

--Bill


Re: [pfSense-discussion] Routing

2006-02-19 Thread Bill Marquette
On 2/19/06, Kim C. Callis [EMAIL PROTECTED] wrote:
 I am currently running 1.0-BETA1-TESTING-SNAPSHOT-2-2-06.
 Several days ago, I found my bandwidth greatly reduced. On
 my E-1, I would getting about between 41-140K coming down
 and at best 20K going up. As soon as I removed the shapper,
 everything returned to normal.

Thanks, that's what I needed.  The shaper was working for a while
though I take it?  Also, after upgrading, did you re-run the wizard? 
Or was this with a beta1 config file?

--Bill


Re: [pfSense-discussion] Routing

2006-02-19 Thread Bill Marquette
On 2/20/06, Kim C. Callis [EMAIL PROTECTED] wrote:
 I started the traffic shapping on
 1.0-BETA1-TESTING-SNAPSHOT-2-2-06. I had it running for
 awhile and then I stopped. About two weeks ago, I restarted
 the shaper. It seemed to be working well, and I had
 forgotten about it. Then I started having throughput
 problems. As soon as I stopped the shaper, everything went
 back to normal. Currently, I have the shaper of and am
 monitoring service.

OK, thanks again.  I'm working on an openbsd embedded image to do some
testing with, I'll send out a general announcement asking for testers
when it's ready.

--Bill


Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option

2006-01-27 Thread Bill Marquette
On 1/27/06, Adam Gibson [EMAIL PROTECTED] wrote:
 I need quake4 UDP master server updates to try and keep the real source
 port when going through NAT.  The master servers use the src port that
 they receive when listing your server.  I noticed that pf does support
 that capability through the static-port option but I do not see a way of
 adding that to the pfsense rules.

 I read somewhere in the pfsense discussions that this might be a 1.0
 Beta2 feature addition.  I am currently testing the 20060125 snapshot
 and do not see an obvious feature addition for that.  Anyone know if
 this will be added sometime in the future?

It's in outbound nat.  You'll have to create an advanced rule for this.

 This is one feature that I believe pfsense can have that m0n0wall can't.
   They use ipfilter which does not seem to have a NAT static-port
 equivalent.

Actually, I believe ipfilter can do this (at least I know I used to
use that feature for IPSec way back when).

--Bill


Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option

2006-01-27 Thread Bill Marquette
On 1/27/06, Adam Gibson [EMAIL PROTECTED] wrote:
 Thanks for the direction.  I found the static-port setting.  Someone has
 probably already noticed the bug but the NAT listing does not display
 properly for the rule I just created(the fields are in the wrong spot in
 the table but editing the rule looks like it is setup correctly).  I
 wont be able to test it until later tonight.  This is the xml that was
 generated.  The UDP packets in question that originate from the OPT1
 network are src=192.168.1.140 srcport=28004 dst=192.246.40.28
 dstport=27650 .

Odd, I fixed that display issue a while ago, it should be in the
latest snapshot :-/

--Bill


Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option

2006-01-27 Thread Bill Marquette
On 1/27/06, Adam Gibson [EMAIL PROTECTED] wrote:
 Bill Marquette wrote:
  On 1/27/06, Adam Gibson [EMAIL PROTECTED] wrote:
  Thanks for the direction.  I found the static-port setting.  Someone has
  probably already noticed the bug but the NAT listing does not display
  properly for the rule I just created(the fields are in the wrong spot in
  the table but editing the rule looks like it is setup correctly).  I
  wont be able to test it until later tonight.  This is the xml that was
  generated.  The UDP packets in question that originate from the OPT1
  network are src=192.168.1.140 srcport=28004 dst=192.246.40.28
  dstport=27650 .
 
  Odd, I fixed that display issue a while ago, it should be in the
  latest snapshot :-/
 
  --Bill

 Below is a link that shows the problem in case you want to see it.  The
 previous email shows the real Outbound NAT settings for it.

 http://www.xstatica.com/pfsense-snapshot20060125-outbound-nat-table-problem.png

Bleh, ok, so I didn't fix this right.  Thanks for reporting it.  As
you mention, it's just a display issue.

--Bill


Re: [pfSense-discussion] feature request: vmps

2006-01-16 Thread Bill Marquette
Looks like something someone interested in writing a package should
do.  The GPL'd nature means that it's unlikely to ever make it into
pfSense core (we're only adding BSD license-compatible software - BSD,
MIT, etc) without a complete rewrite or a license change.

--Bill

On 1/16/06, Jure Pečar [EMAIL PROTECTED] wrote:

 Once, in the not-too-distant future, when pfSense becomes THE opensource 
 firewall :), it might be nice to have this onboard: http://vmps.sf.net/

 --

 Jure Pečar
 http://jure.pecar.org




Re: [pfSense-discussion] access NATed services by the public IP address from LAN review

2006-01-06 Thread Bill Marquette
Someone hasn't done their research.  This has been answered in the ML,
the forum, the FAQ, AND the blog.

--Bill

On 1/6/06, Claudio Castro [EMAIL PROTECTED] wrote:
 Scott Ullrich escribió:
  Do you have a question?
 

 Of course, cant you read?

 So, that means that if I have my NATed services in a different
 interface (other than the LAN) e.g. a DMZ, is it possible to access
 this NATed services from the LAN Subnet??
 and is that is correct, HOW do I redirect connections from local
 clients in order to access the NATed services on DMZ?

 And let me add another question, does pfsense include a bopunce utility at 
 this time?


  On 1/6/06, Claudio Castro [EMAIL PROTECTED] wrote:
 
  Guys..listen to this:
 
  *Problem. *It is not possible to access NATed services using the
  public (WAN) IP address from within LAN (or an optional network).
  Example: you've got a server in your LAN behind pfSense and added a
  NAT/filter rule to allow external access to its HTTP port. While you
  can access it just fine from the Internet, you cannot access
  http://your-external-ip/ from within your LAN.
 
  *Reason. *This is due to a limitation in pf (the firewalling software
  used in pfSense). pfSense does not include a bounce utility at this
  time
 
  Ok, we all know that, but, looking at here:
  http://www.openbsd.org/faq/pf/rdr.html#reflect it propose 3 solutions,
  the first one is the same that m0n0 FAQ's propose,
  fordwarding/overriding of DNS. Now, the second..catch my attention, it
  says this:
 
 
   Moving the Server Into a Separate Local Network
 
  Adding an additional network interface to the firewall and moving the
  local server from the client's network into a dedicated network (DMZ)
  allows redirecting of connections from local clients in the same way
  as the redirection of external connections. Use of separate networks
  has several advantages, including improving security by isolating the
  server from the remaining local hosts. Should the server (which in our
  case is reachable from the Internet) ever become compromised, it can't
  access other local hosts directly as all connections have to pass
  through the firewall.
 
  So, that means that if I have my NATed services in a different
  interface (other than the LAN) e.g. a DMZ, is it possible to access
  this NATed services from the LAN Subnet??
  and is that is correct, HOW do I redirect connections from local
  clients in order to access the NATed services on DMZ?
 
  Regards,
 
  Claudio C.
 
 
 
 
 
 
 
 




Re: [pfSense-discussion] Help!!! :)

2005-12-30 Thread Bill Marquette
You see a trend here?

--Bill

On 12/30/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 Add a rule to allow traffic to port 80 on the WAN.

 On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  Ok, I can ping the interface, I am just not getting the web
  interface to come up
 
  K.
 
  On Fri, Dec 30, 2005 at 03:50:35PM -0500, Scott Ullrich wrote:
  Add rules allowing ICMP to WAN interface.
  On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   Internally if I ping my external interface, it pings just
   fine. If I go to an external network and attempt to ping the
   WAN interface, it fails... The same is true of my virtual
   interface. I am wondering if I should be NATing something,
   or if there is a rule that I didn't add. Also this is true
   of ssh, webinterface, etc.
  
   K.
  
  
  
   On Fri, Dec 30, 2005 at 03:35:49PM -0500, Scott Ullrich wrote:
   What do you mean access the interface externally?  SSH, webConfigurator?
   
   On 12/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I just installed 1.0beta... I am able to see the access and
see the WAN interface within the LAN, but I am not able to
access the interfaces externally. What rule did I forget to
add. My virtual interface is not viewable from the outside
world either...
   
K.
   
   
  
 



  1   2   >