Doesn’t seem to be unreasonable TBH. It's a case of horses for courses.
Some use cases take separation of duties really seriously.
Can completely understand where he is coming from.
The commentary on Chokepoint is particularly apt.
Greg
From: BSDwiz [mailto:bsd...@gmail.com]
Sent: 26 May 2011
their own IDS or paying customers would be
> behind another router/firewall?
>
> Thanks for all this great info!
>
> Tony
>
> On Thu, Feb 10, 2011 at 9:30 AM, Greg Hennessy
> wrote:
> > For hosted sites, I would suggest enablement on a site by site basis.
, 2011 at 2:38 AM, Greg Hennessy
mailto:greg.henne...@nviz.net>> wrote:
>
>>
>> Any thoughts on whether IDS is appropriate at the perimeter or not?
>>
>
> If you take a look at any serious commercial firewall offering on the market,
> integrated IDS/IPS is th
>
> Any thoughts on whether IDS is appropriate at the perimeter or not?
>
If you take a look at any serious commercial firewall offering on the market,
integrated IDS/IPS is the order of the day.
More sophisticated solutions offer application control.
-
>
> We have a 5mb line, is a quad core processor with 4gb of ram overkill?
Just ever so slightly.
I've used dual core Opteron with 2GB in multi gig/sec (large packet)
applications with PF.
-
Depends on what you mean by Gbit ?
Gigabit @ imix packet distribution ? possibly.
Gigabit @ high rate, small packet size, very doubtful.
Greg
> -Original Message-
> From: Eugen Leitl [mailto:eu...@leitl.org]
> Sent: 26 October 2010 5:35 PM
> To: discussion@pfsense.com
> Subject: [p
If I may add one thought to this,
Chokepoint have recently announced a virtual version of their 'blade' product
which uses the VMSafe API to enable more efficient inspection of traffic
travelling between virtual machines and the outside world.
http://www.networkworld.com/news/2010/090110-chec
ar 11, 2010 at 04:20:32PM +0000, Greg Hennessy wrote:
> tor natted behind an address pool should do the trick.
Hmm, Tor typically binds to one address though. How can
I make it spread traffic across a network? I could 1:1
NAT a /24 to an internal /24 network, check. But I still
would have to ru
tor natted behind an address pool should do the trick.
Greg
From: Eugen Leitl [eu...@leitl.org]
Sent: 11 March 2010 16:17
To: discussion@pfsense.com
Subject: [pfSense-discussion] filling network with meaningful traffic
I've just got a bit of an ultimatu
Possibly an issue with TCP window scaling or PMTU-D.
Are the logs generating any drops for the flow ?
-Original Message-
From: Angus Jordan [mailto:angus.jor...@gmail.com]
Sent: 15 July 2009 22:08
To: discussion@pfsense.com
Subject: [pfSense-discussion] Very odd issue - Transparent Fi
Take a look at JFFNMS.
Greg
From: jason whitt [mailto:jason.wh...@gmail.com]
Sent: 08 April 2009 19:57
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] Tool to monitor pfSense
Using Ground Work Community Edition
On Wed, Apr 8, 2009 at 12:48 PM, Adam Van Ornum
mailto:greatb...@hotma
Vlan 1 is usually the default and management VLAN.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39009
explains it in a Cisco context.
-Original Message-
From: David Rees [mailto:dree...@gmail.com]
Sent: 03 April 2009 20:34
To: disc
What he said :-).
Using a /16 is guaranteed to come back and bite you in the posterior at some
later stage. Go to a /22 if you're worried about running out.
Greg
From: Aarno Aukia [aarnoau...@gmail.com]
Sent: 03 April 2009 13:33
To: discussion@pfsense.com; eu
> I think he understood,
He did :-).
> but was suggesting other virtualization ideas that he felt would be a more
> rewarding use of developer resources.
Indeed and stay within the scope of what Scott et al have delivered with bells
on over the past several years.
Greg
---
http://rationalsecurity.typepad.com/blog/2008/04/the-four-horsem.html
is a good intro to the issues of trying to make that scale.
From: Adam Van Ornum [greatb...@hotmail.com]
Sent: 29 January 2009 00:30
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion]
As the others have said, it depends on what you mean by 'integrate'
Ignoring the lack of Xen dom0 support in FreeBSD for a moment.
Utilising VT technology to deliver physical as well as logical isolation of
multiple concurrent PFSense instances in a manner analogous to
Fortinet VDOM : http://kc.
Just as an FYI and to give the creative juices something to consider :-).
Other firewall solutions terminate IPSEC on a Layer two firewall, by
configuring the tunnel endpoint address on the device as a Cisco style
'loopback' interface. As you can imagine, this has a lot of advantages.
> -
[EMAIL PROTECTED] wrote:
There are! But only the default 0.pfsense.pool.ntp.org server is
specified.
What I see is that my pfSense talks to a number of different time
servers and many of those looks like ordinary ADSL subscribers which
scares me a little.
That's the whole point
http://www.p
Luciano Areal wrote:
Then, I tried to connect from home to my server, putting its WAN IP on my
VPN connection, but when I try to connect, nothing happens.
Am I doing anything wrong here? Did I forget any point here? I tried to get
some info on pfSense mail discussion archives, but didn't find an
>
> I've just switched to jumbo frames on the home network (enabled
> jumbo frames (mtu 9014) on NIC and one switch). I'm running a recentish
> (1.2-BETA-1-TESTING-SNAPSHOT-05-11-2007) pfsense on WRAP, with
> mtu 1500 there (I don't think WRAP NICs can do jumbo frames).
>
> Should I run into pro
> Managed switches are highly useful with pfsense.
> The cheapest managed switch (and fanless to boot)
> I've been able to find was Netgear GS108T (around $100).
Dell 2716 powerconnect is fanless, 16 gig-e ports, jumbo frames & vlans
managed through a web interface for around the same money.
It
>
> I have received a somewhat strange setup from our new provider.
>
> There's the following I've had to put on WAN:
>
> IP 10.0.2.6
This is the address of your firewall ?
> mask 255.255.255.252
> gateway 10.0.2.5
This is the ISP router ?
>
> There's 192.168.0.1/24 on LAN, and it works wel
> Hi ...
>
> I've just got the "duty" to find possible solutions for a kollegium
> network (where a lot of young people use p2p programs)
How many users ?
> with a new router/firewall ... considering pfsense in a soekris box or
> maybe even a computer.
If you're talking about a typical college c
> Ahh, see there's your first problem. You trust your users :) I don't
> even trust myself, I'm certainly not about to trust my users :) At
> any rate, sounds like you don't have a solid need for the physical
> separation, it's best practice, but not always the right answer to the
> problem at
> > Who do you propose to bribe @ RIPE to get a /24 ? Can you pass me
> > their details via pm :-)
>
> Well, it's just 256 addresses, which is not excessive.
I remember those days :-). It was 1994 (cue the flashback LOL).
> I have a /24
> myself (thinly populated so far, but vservers can
>
> Quick question, assuming I can get a /24 public network,
Who do you propose to bribe @ RIPE to get a /24 ? Can you pass me their
details via pm :-)
> and have
> a private /24 address (quite densely occupied), does it have any
> advantages,
> from the firewall simplicity point of view, or sh
> One of the 10% patches have already been ported and in our tree. We
> are seeing up to a 33% improvement in performance on some machines
> such as Soekris 266. Stay tuned, Chris plans on blogging about the
> improvements soon.
>
Looking forward to reading all about it.
Greg
> It also allows 802.1q VLAN's across the bonded NIC's (as long
> the NIC's support VLANs).
That would be useful indeed.
Greg
> Nope. Such a tool might be able to be written, but I'm not
> even sure where I'd start if I was to do it. Dynamic
> bandwidth detection and modification would be significantly
> harder than detecting it to do the initial bandwidth
> allocation. And of course detecting that you have more
>
> interface itself? Perhaps that's the wrong approach.
> Do I need WAN/LAN bridging? Something else?
Start subnetting, create a /29 for the external untrusted interface(s) +
vips.
Take the remainder and salt and pepper amongst dmz interfaces as required.
If you're going to use vlans, do not
> I used to run just one NIC in my pfsense box, so I had LAN,
> WAN, and DMZ all on the same physical interface using a
> separate VLAN for each logical interface.
Mixing zones of trust on a single switch/interface is a fundamental design
flaw.
It works, but not something I would ever put
> i was wondering, what exactly is the purpose of the VLAN
> support on the LAN interface? can someone give me a quick
> example of how, why or where this might be used?
>
Ideal for firewalling off multiple services which all live at the same trust
level.
E.g in the bad old days, if one ne
Being familiar with both platforms, you're out by the side
of it TBH.
Pfsense has a lot of meaty goodness, however does not
have bigip LTM style ssl termination in any way or form.
They are not comparable.
greg
From: the taloner [mailto:[EMAIL PROTECTED]
Sent: Thursday,
Snort hooks into bpf, bpf gets 1st look at all traffic.
Greg
> -Original Message-
> From: Jason J. Ellingson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 2:58 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] IDS yet?
>
> So far, I like the new Snor
> I've recently upgraded my pfSense box from a pentium-MMX 233Mhz to a
> Celeron-MMX 333MHZ
> and I am curious how the developers (or anybody on the list) would go
> about benchmarking
> the system (max throughput is what I'm mostly curious about)
Max throughput is easily benched using I
> So maybe sponsoring some of the devs would speed up the process :)
>
> WAI is another story. For example I would like to know
> whether the Ajax technology hinders the implementation of the
> WAI principles...
>
Given pfsense's target market & being realistic and politically incorrect,
the
.
>
> The solution I'm going to substitute is based on
> Linux-iptables which requires more than 1000 rules.
You have my deepest sympathies, it must be a nightmare to manage.
> Is there a rules number limit or a session number limit
> implemented in PFsense?
Nothing which isn't documented a
>
> I hate GMail sometimes.
>
> K62-300 +256M is nearly perfect - quiet,
LOL, quiet is something which doesn't apply to Nokias.
Greg
> guys,
> 2.2MBs, 2.2 megabytes per second (120)
> 7MBs, 7 megabytes per second (athlon)
Are the Athlon figures on a Via chipset motherboard ?
Some of the early Via athlon chipsets had pretty lousy PCI performance.
You could try tweaking the PCI latency timers in the bios to give the em
ca
> HP DL380G3 w/ Broadcom and Intel NICs. I also ran an iperf
> test, but ran out of physical boxes to generate and receive
> the load at around 900Mbit
That's around the same figure I managed to generate with iperf here while
testing 12 months ago.
>(I did determine the maximum
> xmit/rec
HPAQ do a gig-e 4 port switched card called the NC150T which does a similar
job.
> Sorry, the link is in german but you should get the facts:
> http://www.level-one.de/products3.php?sklop=14&id=520056
> it's a NIC with integrated 5 port switch. If you use a
> soekris 4801 you could add such a c
>
> Quite a bit. I ran out of Avalanche/Reflector capacity at
> 750Mbit, but the OpenBSD box I pointed the firehose at, was
> only hitting about 30% CPU load at the time.
Interesting, what nics were in the box ?
> I expect I'd
> see better performance out of FreeBSD (w/ or w/out Andre's
> Hi,
> I have two fw platforms, mono 1.21 running on a Nokia120 and
> pfsense1.0beta2 running on an AMD athlon 900.
>
> I can get 2.2MBs on the 120 platform, at >96% cpu usage.
That's ~20 megabits/sec, not bad for an IP-120 given its horsepower. What
sort of traffic ?
>On
> the athlon, 32b
>
> The interface is on a cross-over which is 10M.
>
I would definitely hardset a non gig-e connection running off of a
crossover, have had one too many issues running autoneg in such a topology.
Greg
> Of course, the ISP that I am consulting with is blaming
> pfsense. What can I do to prove that pfSense it working
> optimally and the problem is with the telco?
>
> Any pointer would be greatly appreciated!
Take PFsense out of the equation, hang a PC directly off of the router and
do your n
Set 'stty erase' as appropriate.
greg
Hi .. Please could you advise .. when I use the
backspace or delete keys I get chars printed and it does not delete anything
.. how do I fix this? My keyboard works fine with Fedora Core and
Windows .. many thanks -- Gregory Machin [EMA
Damn, I want a 'free' one, relicense that under the GPL right now or I'll
let /. loose on you LOL.
> Can't licence my proprietary cap to you ;-)
> From my small amount of testing and the experiences of
> others, it seems as if the more "proper" way to do things
> where dhcp will work is to assign your LAN IP and bind dhcpd
> to bridge0 rather than to one of the interfaces in the
> bridge. I used the shell to do this myself and it wo
IIRC one can tag with the recently imported if_bridge code and then refer to
these tags in /etc/pf.conf.
Greg
> -Original Message-
> From: Marc-Henri Boisis-Delavaud
> [mailto:[EMAIL PROTECTED]
> Sent: 15 October 2005 08:44
> To: discussion@pfsense.com
> Subject: Re: [pfSense-disc
If you use WPA enterprise with Radius, you could try sending back the
FRAMED_IP_ADDRESS radius attribute to assign users an address based on their
login credentials.
Much easier.
greg
> Hi,
>
> This might seem a bit far fetched, but I am looking for a way
> to setup PFsense as TWO wireles
> At 12:24 PM 9/26/2005, you wrote:
> >Something I have noticed, is that playing ball on the internet
> >interface has reduced the amount of scanning traffic significantly.
>
> Greg, that's interesting. Do you have any theories as to why?
I've given that some thought and had one or two discus
> so its safe to assume that internet -> WAN stuff should be
> blocked. but for internal access between my LAN/OPT
> interfaces and outbound WAN i can use reject and it wouldn't
> be considered bad form?
Not at all. It's something I insist on when managing production firewalls of
whatever hu
> Nice thread here:
> http://thread.gmane.org/gmane.os.freebsd.devel.pf4freebsd/952
>
The OP in that thread wasn't the sharpest knife in the tray, he asked the
same question repeatedly elsewhere.
> I would like to see it more protocol aware than it is now,
> though how much we can accompli
Apologies for the late reply, just back from a weeks vacation in Italy.
I've Iperf'd pf on FreeBSD with a 3.4 ghz Xeon with em at > 850
megabits/sec.
scrub chopped that down by about 150 megabits/sec.
Greg
> -Original Message-
> From: Matthew Lenz [mailto:[EMAIL PROTECTED]
> S
Adding something such as
~ # grep -i pflog /etc/rc.local
echo -n "pflog -> syslog"
ifconfig pflog0 up
tcpdump -s 96 -l -e -t -i pflog0 | logger -p local0.info -t pf &
~ #
~ #
~ # grep local0.info /etc/syslog.conf
local0.info /var/log/pflog.txt
local0.info
> more specifically, more than one simultaneous connection to
> the *same* PPTP server from multiple clients. That's a
> limitation of any NAT implementation without a PPTP fix up of
> some sort. You can connect out to a million *different* PPTP
> servers, only once to the same server.
That
> I believe that it would be a successful method of advocating
> PFsense among Cisco admins?
>
LOL! Not a hope. Didn't you know that the PIX will solve world hunger and bring
about global peace ?
> I am pretty sure I am using the right values because I ran
> the cfgmaker utility for mrtg and it came back with 3
> interfaces for my 3 nics on the nokia.
The indexmaker output doesn't look right. Can't say I've seen a 330 with
realteks on the motherboard, i.e. mrtg appears to think it's bei
me
I looked; the embedded NICs on the 330 were Intel 82xxx.
cheers
Greg
> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: 16 July 2005 19:21
> To: Greg Hennessy
> Cc: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] pfsense + ip330
> BTW, I haven't looked at the code but if we're generating
> truly random MACs we do run a risk of hitting multicast MAC
> addresses and other "special" MACs. Changing the MAC once
> the box is up is highly recommended.
>
I wouldn't suggest generating the entire MAC randomly, follow the ex
> Where would the real mac's be located? On the cards?
>
On Nokias, they are held centrally on the system board, so that one can hot
swap CPCI NICs without having the MACs change as a consequence.
Greg
> correct MAC addresses into the screens. I debated with Chris
> Buechler a bit on generating these random macs and that I was
> somewhat concerned with MAC address collisions and cmb
> pointed out that the
> chances are slim that it would happen. I agree but to play it safe,
> always use t
> |
> My LAN
>
>
> - Original Message -
> From: "Greg Hennessy" <[EMAIL PROTECTED]>
> Cc: "'pfSense Discussion List'"
> Sent: Friday, July 15, 2005 12:09 PM
> Subject: RE: [pfSense-discussion] 2 x ISP to Lan
>
If you control both routers, get them to advertise their routes internally,
enabling dynamic routing on the firewall will take care of the rest.
Greg
> -Original Message-
> From: Peter Parnican [mailto:[EMAIL PROTECTED]
> Sent: 15 July 2005 10:41
> To: Scott Ullrich
> Cc: pfSense Disc