Eugen Leitl wrote:
> Thanks. It's a Netgear, so I might be in luck.

if you REALLY must do it, consider reducing MTU?
RB wrote:
> I've had a request to increase logging duration on systems that have no access to an external syslog server, so am making the necessary changes to maintain much larger ring-log files.

Incredibly larger - what we've done is to make a few tweaks and install syslog-ng:

1/ change the system include file so that it starts syslog with -b 127.0.0.1 so that it doesn't bind to an external IP.
2/ add some lines to /etc/rc.conf.local to make a restart of syslog also bind only to localhost:
    syslogd_enable="YES"
    syslogd_flags="-s -f /var/etc/syslog.conf -b 127.0.0.1"
3/ install syslog-ng and write config so that it does full logging to local file system as well as copying to a main log server
3a/ pkg_add -r syslog-ng
3b/ config file is /usr/local/etc/syslog-ng/syslog-ng.conf (if interested, I can provide ours after sanitisation)
3c/ make syslog-ng listen on, say, the sync interface or lan.
4/ add some lines to /etc/rc.conf.local to make sure that syslog-ng starts up
5/ use the pfsense gui to tell it to log to the syslog-ng IP address

this works for us, and the key thing is that apart from having to fix the /etc/inc/system.inc file when upgrading pfsense (I offered the diffs/patch, I think it might have been accepted), you don't have to bend the system too far as you don't have to hack any other part of pfsense.

HTH
Paul
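As an added example (not Paul's own configuration, which he only offered off-list), a script that produces the /etc/rc.conf.local lines from steps 2 and 4 and a syslog-ng.conf for step 3; the LAN address 10.0.0.1 and the central log server 10.0.0.2 are assumed placeholders, as is the syslog-ng rc variable name from the FreeBSD port.

```shell
#!/bin/sh
# Added example, not the poster's own (sanitised) configuration: produces the
# /etc/rc.conf.local lines for steps 2 and 4 and a syslog-ng.conf for step 3.
# Assumed addresses (change for your site): syslog-ng listens on the LAN IP
# 10.0.0.1, and 10.0.0.2 is the central log server the copies go to.
LISTEN_IP="${LISTEN_IP:-10.0.0.1}"
CENTRAL_IP="${CENTRAL_IP:-10.0.0.2}"

# rc_conf_lines: the stock syslogd keeps running for pfSense's own ring logs
# but binds to loopback only; syslog-ng is started by the port's rc script
# (assumed variable name syslog_ng_enable).
rc_conf_lines() {
    cat <<EOF
syslogd_enable="YES"
syslogd_flags="-s -f /var/etc/syslog.conf -b 127.0.0.1"
syslog_ng_enable="YES"
EOF
}

# syslog_ng_conf LISTEN CENTRAL: listen on the LAN/sync IP that the pfSense GUI
# is pointed at (step 5), keep a full per-host, per-day copy on disk and relay
# every message to the central server.
syslog_ng_conf() {
    cat <<EOF
options { use_dns(no); keep_hostname(yes); create_dirs(yes); };

# what pfSense sends to the remote syslog address chosen in the GUI,
# plus syslog-ng's own diagnostics
source s_net { udp(ip("$1") port(514)); internal(); };

# one file per host and day: prune with cron rather than relying on the ring log
destination d_disk { file("/var/log/syslog-ng/\$HOST/\$YEAR-\$MONTH-\$DAY.log"); };
destination d_central { udp("$2" port(514)); };

log { source(s_net); destination(d_disk); destination(d_central); };
EOF
}

# Only write the real files when run as root with INSTALL=yes; otherwise preview.
if [ "${INSTALL:-no}" = "yes" ] && [ "$(id -u)" -eq 0 ]; then
    rc_conf_lines >> /etc/rc.conf.local
    syslog_ng_conf "$LISTEN_IP" "$CENTRAL_IP" > /usr/local/etc/syslog-ng/syslog-ng.conf
else
    rc_conf_lines
    syslog_ng_conf "$LISTEN_IP" "$CENTRAL_IP"
fi
```

Run it without INSTALL=yes first to review the generated files; with the stock syslogd bound to 127.0.0.1 only, syslog-ng is what answers on the LAN address.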
Scott Ullrich wrote:
> On 4/14/08, Scott Ullrich [EMAIL PROTECTED] wrote:
>> I have committed some code to help with this:
>> http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/usr/local/www/guiconfig.inc?rev=184.108.40.206;content-type=text%2Fx-cvsweb-markup
> Woops, wrong URL:
> http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/usr/local/www/guiconfig.inc?rev=220.127.116.11;content-type=text%2Fx-cvsweb-markup

if clog is turned off, does it then use tail -N and look at a normal log file instead of using clog to view?
Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?
Tortise wrote:
> kernel: arp: unknown hardware address format (0x)
> kernel: arp: unknown hardware address format (0xdd1f)
> kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
> kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0

could it be you have two machines accidentally set up with the same IP - perhaps broken DHCP?
if you've got managed switches, can you check their arp tables to see where those mac addresses live?
are you using vlans, and if so could you have accidentally joined them?
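An added example, not from the thread: a shell/awk check that pulls the "is on X but got reply from" messages out of a FreeBSD syslog and reports any IP answered by more than one MAC or from an interface other than the one the kernel expects, which is what the duplicate-IP and joined-VLAN cases above look like in the log. The sample lines are constructed from the messages quoted above with an assumed timestamp and hostname prefix.

```shell
#!/bin/sh
# Added example, not part of the thread: pick out of a pfSense/FreeBSD syslog
# the IPs that the kernel saw answered by more than one MAC, or on the wrong
# interface, which is what duplicate addresses or a bridged/joined VLAN
# produce. Sample lines are constructed from the messages quoted above.
ARP_SAMPLE='Apr 14 10:01:02 fw kernel: arp: unknown hardware address format (0xdd1f)
Apr 14 10:01:03 fw kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
Apr 14 10:01:09 fw kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0
Apr 14 10:02:30 fw kernel: arp: 192.168.0.9 is on em1 but got reply from 00:0c:29:aa:bb:cc on em1'

# arp_conflicts: read syslog lines on stdin; print "IP macs=a,b iface=X->Y"
# for each IP answered by several MACs or from an interface other than the
# one the kernel expects. Parsing keys on "arp: " so the length of the
# timestamp/hostname prefix does not matter.
arp_conflicts() {
    awk '
    {
        n = index($0, "arp: ")
        if (n == 0) next
        split(substr($0, n + 5), f, " ")
        # f[1]=IP f[4]=expected iface f[9]=MAC f[11]=iface the reply came on;
        # "unknown hardware address format" lines do not have this shape
        if (f[2] != "is" || f[8] != "from") next
        ip = f[1]; mac = f[9]
        if (index("," macs[ip] ",", "," mac ",") == 0) {
            macs[ip] = (macs[ip] == "") ? mac : macs[ip] "," mac
            nmac[ip]++
        }
        if (f[4] != f[11]) wrong[ip] = f[4] "->" f[11]
    }
    END {
        for (ip in macs) {
            status = (ip in wrong) ? wrong[ip] : "ok"
            if (nmac[ip] > 1 || status != "ok")
                print ip, "macs=" macs[ip], "iface=" status
        }
    }'
}

# Stand-alone run: report on the constructed sample (or pipe in /var/log/system.log).
printf '%s\n' "$ARP_SAMPLE" | arp_conflicts
```

On the sample this reports only 192.168.0.7, seen from two MACs on em0 while the kernel expects it on em1; the single-MAC host on the expected interface is not listed.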
Hi,

I was looking for the syslog-ng package to install on my pfsense boxes, and discovered that the main freebsd site no longer has the ports for that release - only 6.3. I found the ftp.de.freebsd.org site still had it, so I did an evil hack to the hosts file thus:

18.104.22.168 ftp.freebsd.org

and I was able to pkg_add -r syslog-ng.

anyway, my point is that anyone wanting to play with pfsense 1.2 release and needs access to the ports might want to consider maintaining their own archive of the freebsd downloads otherwise they'll lose out! or, perhaps, should pfsense.org website keep a mirror for this purpose?

Paul
Scott Ullrich wrote:
>> or, perhaps, should pfsense.org website keep a mirror for this purpose?
> We are working on it: http://blog.pfsense.org/?p=179

freebsd is nice in that the paths to the files are the same on each mirror, so hacking the hosts file made it work with no changes; the equivalent path was this:

ftp://ftp.de.freebsd.org/pub/FreeBSD/releases/i386/6.2-RELEASE/

a bit of wget -r should suffice?
RB wrote:
> No, really - I asked you once in private, now I ask you again in
> public: please turn off your foolish Outlook receipts. It is ridiculous that we have to wade through your mail client's automated spew that just tells us you received/read a given message. Most of us really don't care (or actively dislike it), and you clutter stuff up by not being a good list citizen.
>
> On 3/5/08, Ryan Neily [EMAIL PROTECTED] wrote:
>> Return Receipt
>> Your document: [pfSense-discussion] pfSense / Time Service

I too have asked him privately. I suspect he's using Lotus Notes or something equally horrible which cannot be configured sanely!

Can the list admin get the mail system changed to strip the recipient request headers out?
Eugen Leitl wrote:
> On Thu, Mar 06, 2008 at 02:53:19PM +, Paul M wrote:
>> RB wrote:
>>> Bwa ha ha! Delicious, delicious irony! I knew it was inevitable since Ryan had to read the thread at least once more before fixing things, but it was worth it to see this one come in.
>> has he fixed things?
> Just forward his spam to [EMAIL PROTECTED] and [EMAIL PROTECTED] with full headers. If anyone on this list would start doing it, maybe his admins would wise up, and LART him.

shame SLTP never made it to a proper RFC
http://buffy.sighup.org.uk/hfiles/aeds.html
has anyone tried installing freebsd/pfSense on an AppleTV?

you'd need a vlan-aware switch to expand the number of network ports, but it's compact, low power, commodity hardware...

in the meanwhile I've asked http://www.appletvhacks.net/
scenario: two machines, (A) 10.x.x.11 and (B) 10.x.x.12, run web servers on port 1024 which are made available to the world via public IP on port 80 by a pfsense firewall (F) (1.2RC4) running a load balancer. the internal IP of the firewall is 10.x.x.254.

an application which runs on 10.x.x.11, 12 and others wishes to connect to the web server pool. nat reflection doesn't work, so we thought we could run a load balancer on the firewall's internal IP address. however, this doesn't work.

using tcpdump on A, we see the firewall connecting to the web and the packets being returned normally, everything OK.

using tcpdump on F, we can see the packets arrive on the firewall heading for 10.x.x.254:80, and go off to the web server on port 1024, and come back to the firewall. the firewall doesn't then send the packets back to the host which originated the connection.

firewall logs indicate the connection is being permitted from A to A, no indication of anything being refused!

is what we are trying to do sensible, i.e. to use a load balancer on the *inside* of our network to allow callbacks to a webapp to be made resilient?

thanks
Paul
I came across this, an interesting idea for improving throughput, works on openBSD, wondering if it can be done on pfsense/freebsd?

http://www.benzedrine.cx/ackpri.html

thanks
Jan Hoevers wrote:
> I'm running the embedded version of pfSense on a Soekris 4801.
> 1. The script starts with sleeping a random interval. This caused it to abort with a 'od: command not found' message. Apparently the od command is missing on the embedded platform, and I worked around this by commenting out the random interval sleep.

hmm, yes, the non-embedded 1.2rc4 suffers this too... as a quick hack I just created a /bin/od script which does echo 10..

Scott's fix to the URL allowed the rest to work.
Ronald L. Rosson Jr. wrote:
>> On my linux box, I can set my resolv.conf to the office's resolver (we have internal DNS which points everything to rfc1918 addresses) and it all works just fine! On OSX boxes, I can change resolv.conf but it doesn't seem to take effect :-(
> I have found this script and it works without any issue for OSX and tunnelblick.
> http://openvpn.net/archive/openvpn-users/2006-10/msg00120.html

thanks for that, I shall give it a go.
one last thing, has anyone made the openvpn client automatically fix the DNS resolver settings on the client? I can't get this to work :-( so people working from home have to know IP addresses

On my linux box, I can set my resolv.conf to the office's resolver (we have internal DNS which points everything to rfc1918 addresses) and it all works just fine! On OSX boxes, I can change resolv.conf but it doesn't seem to take effect :-(

thanks again
Paul
Curtis LaMasters wrote:
> Paul,
> I am using the OpenVPN GUI v1.0.3 from the link below and I have also included a copy of my client side configuration file on the Vista laptop.

OK, well, I (reluctantly) booted up vista on my computer which didn't have OV installed so that I could do it from scratch, and followed the instructions to the letter... and basically it worked (once I remembered that my linux box at home was using it, and killed that connection!)

So, I conclude that it's something wrong with my colleague's vista install! And, with relief, I can shutdown my vista install again, shudder quietly, and boot linux! :-D

Oh, one thing.. each openvpn user has a dedicated OV daemon (different port) on the vpn server, so that I can have very tight control over what they're doing.

> ##c:/program files/openvpn/config/vpn.domain.com.ovpn
> float
> client

I don't have either of the above two lines in the config(s), either on the linux box or vista box, didn't stop it working though.

> dev tun
> dev-node openvpn
> proto tcp-client
> remote xx.xx.xx.xx 1194

each user has an ifconfig line thus:
ifconfig 10.xx.yy.2 10.xx.yy.1

> route-method exe

I've also got:
route-delay 2
as recommended elsewhere

> persist-tun
> persist-key

yup

> ca ca.crt
> cert client1.crt
> key client1.key
> ns-cert-type server
> tls-client

am using shared key, each user has their own key, each openvpn daemon is thus specific to each user

> comp-lzo

yup, need same setting at both ends

> ping 10

I'm using this:
keepalive 10 60
instead of ping.

> pull

not using pull

> verb 4

have verb 3 which is sufficiently detailed

> http://www.openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe

I'll double-check my colleague's install.

thanks again
Paul M wrote:
>> I am using the OpenVPN GUI v1.0.3 from the link below and I have also

I checked my colleague's version and he was running the older stable release, got him to upgrade and also got openvpn to delete and re-add the tunnel interface, and it now works (not sure which action solved it)

thanks for taking time to discuss this with me!
Paul
Curtis LaMasters wrote:
> Paul,
> Sorry to keep nagging on this one, but, are you using the OpenVPN gui or

no, I'm very glad to have your help.

> the normal version? And what version of the software are you using?

my colleague is using the openvpngui as downloaded from http://openvpn.se/ which comes with an openvpn binary. hmm, that's quite an old version of the openvpn binary, isn't it?
Bill Marquette wrote:
>> or others that could make use of mechanisms like dynamic allocation of port.
> That could cause you problems potentially. But would be no different in any other firewall that didn't already understand your protocol. I regularly force vendors to redesign their applications to not use dynamic ports at work, it's a stupid design and really, there's zero reason to do it (other than sheer laziness on the developers side - or pissy legacy reasons when it comes to FTP, which is still not a good excuse IMO).

java RMI being one major PITA! we've developers working from home and trying to get their openvpn connections working was a massive PITA.

<rant> developers being developers seem to think that security considerations can be swept aside to let them do whatever they need to do. </rant>
Paolo Gentili wrote:
> your thoughts or experiences about how much trust can i have on pfsense

we've got seven boxes doing pfsense - three pairs of 1U servers as firewall clusters protecting public facing web services, and one acting as a VPN concentrator for road warriors. we rely on carp and the load balancer to give resilience. when one machine threw a disk, it took less than half an hour to restore functionality.

all are 1.2RC3, some began as 1.2rc2.

we considered Astaro during early eval, but it would have been expensive to have so many boxes, so we'd have had to compromise on the design of our network, pfsense has thus made it possible to adopt a much more flexible solution.

Paul
jason whitt wrote:
> download iso
> burn to cd
> install
> set interfaces
> go to lan ip address
> login with default login admin/pfsense
> go from there.

I'd add, if you've got an existing network with its own DHCP server, don't plug in the LAN port until you've fully installed pfsense and disabled its DHCP server!
David Bottrill wrote:
> Paul M wrote:
>> p.s. any chance of an upgrade image for those of us who installed it on a regular x86 server?
> Go to the downloads page and click on updates you need:

d'oh, I was looking in the main download area. thanks.

meanwhile, I noticed many of the mirrors are not doing too well so I reported them

> pfSense-Full-Update-1.2-RC3.tgz
> I installed this earlier today and it upgraded my system without any issues.

thanks for that feedback.
sai wrote:
> Realtek and Via ethernet interfaces are supported and are used by many on this list, but the hardware and the drivers are not as good as the Intel ethernet.

especially realtek's! We have a machine or two with realtek giga, and they simply cannot achieve anything like theoretical maximum gigabit throughput - just google for realtek performance problem or similar.

so why are they so popular? very cheap to embed, and most people don't know the difference when they buy their desktop PC.
Ronald L. Rosson Jr. wrote:
> Has anyone come across or developed a template for pfsense firewalls to be polled by a Cacti server. Any information is helpful.

dunno about cacti, but I got munin (node) to work quite happily using freebsd ports, so if there's a cacti in the freebsd port, you might try that.
ryn jackson wrote:
> just wanted to know if there were any plans to implement an smtp proxy package that could do spam filtering and email greylisting/blacklisting. act as a tarpit etc. also possibly clamav as well?

could you not install these from freebsd ports?
Eugen Leitl wrote:
> I was thinking a real 2.5 SSD would have a MTBF comparable to a real hard drive (SanDisk claims 2 Mh MTBF, can't find any such for Hama SSD, which is a bargain at about 100 EUR for 4 GByte, which probably already answers my question).

I think that proper ssd units designed to replace a regular magnetic hard drive have to have very sophisticated wear-levelling algorithms, and probably have an intermediate store for written data, e.g. some battery-backed SRAM or non-wearable memory.

By ensuring you mount the drive noatime and async you can reduce the number of writes; mounting everything except /var/log as read-only would enforce no writing. Perhaps put /var/log into a ram disk, rotate logs frequently and rsync them to flash would help too.

However, this is speculation on my part as I've never created my own unix/linux flash based system (although I do have a zaurus, but rely on the distro creators to solve the problem!).

BTW I've seen very few reports of people having problems with the microdrive in their zauruses which take the 4 or 6GB drives, but people who've replaced their microdrives with CF cards report early failures!

Paul
Eugen Leitl wrote:
> wan-pfsense-lan | switch1--diverse hosts
> what's interesting is that I have transient outages to *some* IPs (it could be just one IP, actually). I can still ping that IP locally

is your switch manageable? can you turn logging on it? can you look up the mac of the missing host (also check arp table on pfsense)?
Eugen Leitl wrote:
> On Wed, Aug 29, 2007 at 02:33:45PM +0100, Paul M wrote:
>> Eugen Leitl wrote:
>>> wan-pfsense-lan | switch1--diverse hosts
>>> what's interesting is that I have transient outages to *some* IPs (it could be just one IP, actually). I can still ping that IP locally
>> is your switch manageable? can you turn logging on it? can you look up
> The gateway switch is a Netgear GS724T, the second switch is HP ProCurve.
> Logging, as in redirecting traffic to a sniffer port, and capture all traffic there?

logging, as in getting the managed switch to send syslog messages to a server and seeing if it reports any errors. I don't know procurves, but in cisco it's fairly straight forward... add this to config for example:

logging facility local5
logging 10.0.0.2

> The hoster advised doing an mtr, which I will do once the host drops offline again.

yeah, also check arp table on the disappearing host
Marius Schrecker wrote:
> Hi, I'm currently running 1.0.1 (developer) with the acx100 native driver from kewl.org which I compiled using the recommended patch. Works okay, but I remember it being quite a bit of work. What's the status on this driver in 1.2? Will it be built-in, or easier to compile, or is there a procedure for using ndiswrapper for this.

I guess the only way to find out is to try the live CD version!
is there any chance of the wiki allowing signups again, or having a login created for me (mail me offlist pls)

whilst the documentation on pfsense is quite good there's some useful notes on it in the wiki which could do with some small updates

BTW, I am a newcomer to pfsense, tried the 1.2 first beta and didn't get on with it as it would crash/kernel panic all the time, but then tried rc1 and it's pretty good, only crashed once (when I was changing virtual IPs)

thanks
Paul
Re: [pfSense-discussion] Re: Newbie Q: security of php on perimeter firewall

Is there any way we can reboot the mail server now? It is running at 100% cpu but they are services that should normally be running. I think we need to shake it out.

Paul

From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Monday, November 28, 2005 1:27 PM
To: firstname.lastname@example.org
Subject: Re: [pfSense-discussion] Re: Newbie Q: security of php on perimeter firewall

> There are still a few other small ones. In particular with the status queues screen + fast cgi. When we kill pfctl somehow its signal is being passed up and killing off the fast-cgi handler. Woops.
>
> On 11/28/05, Bill Marquette [EMAIL PROTECTED] wrote:
>> On 11/28/05, Lists [EMAIL PROTECTED] wrote:
>>> well hell maybe i should do devel work for pfsense cause ive already migrated my build to lighttpd :) then when browsing the cvs trees noticed it was in there
>> We had some problems with lighty when we first imported it - firmware upgrades didn't work on embedded due to a bug in their handling of large POSTs. That's been fixed in a recent release, so we're moving back (that was the only bug that I know of, but it was kinda big ;-P)
>> --Bill