Re: [pfSense-discussion] VLANs on dumb switches

2009-06-27 Thread Paul M
Eugen Leitl wrote:
 Thanks. It's a Netgear, so I might be in luck.

if you REALLY must do it, consider reducing MTU?

To unsubscribe, e-mail:
For additional commands, e-mail:

Commercial support available -

Re: [pfSense-discussion] clog size

2008-04-14 Thread Paul M
RB wrote:
 I've had a request to increase logging duration on systems that have
 no access to an external syslog server, so am making the necessary
 changes to maintain much larger ring-log files.  Incredibly larger -

what we've done is to make a few tweaks and install syslog-ng

1/ change the system include file so that it starts syslog with -b so that it doesn't bind to an external IP.

2/ add some lines to /etc/rc.conf.local to make a restart of syslog also
bind only to localhost:
syslogd_flags= -s -f /var/etc/syslog.conf -b

3/ install syslog-ng and write config so that it does full logging to
local file system as well as copying to a main log server

3a/ pkg_add -r syslog-ng
3b/ config file is /usr/local/etc/syslog-ng/syslog-ng.conf
(if interested, I can provide ours after sanitisation)
3c/ make syslog-ng listen on, say, the sync interface or lan.

4/ add some lines to /etc/rc.conf.local to make sure that syslog-ng
starts up

5/ use the pfsense gui to tell it to log to the syslog-ng IP address

this works for us, and the key thing is that apart from having to fix
the /etc/inc/ file when upgrading pfsense (I offered the
diffs/patch, I think it might have been accepted), you don't have to
bend the system too far as you don't have to hack any other part of pfsense.


Re: [pfSense-discussion] clog size

2008-04-14 Thread Paul M
Scott Ullrich wrote:
 On 4/14/08, Scott Ullrich [EMAIL PROTECTED] wrote:
 I have commited some code to help with this:;content-type=text%2Fx-cvsweb-markup
 Woops, wrong URL:;content-type=text%2Fx-cvsweb-markup

if clog is turned off, does it then use tail -N and look at a normal
log file instead of using clog to view?

Re: [pfSense-discussion] ARP traffic causing routers to hang - ingle ARP cache with both LAN and WAN ARP entries?

2008-04-03 Thread Paul M
Tortise wrote:
 kernel: arp: unknown hardware address format (0x)
 kernel: arp: unknown hardware address format (0xdd1f)
 kernel: arp: is on em1 but got reply from 00:00:cd:1c:14:1a on em0
 kernel: arp: is on em1 but got reply from 00:09:bf:55:71:b0 on em0

could it be you have two machines accidentally set up with the same IP -
perhaps broken DHCP? if you've got managed switches, can you check their
arp tables to see where those mac addresses live?

are you using vlans, and if so could you have accidentally joined them?

[pfSense-discussion] freebsd 6.2 ports archive

2008-03-13 Thread Paul M
I was looking for the syslog-ng package to install on my pfsense boxes,
and discovered that the main freebsd site no longer has the ports for
that release - only 6.3.

I found the site still had it, so I did an evil hack
to the hosts file thus:

and I was able to pkg_add -r syslog-ng.

anyway, my point is that anyone wanting to play with pfsense1.2 release
and needs access to the ports might want to consider maintaining their
own archive of the freebsd downloads otherwise they'll lose out!

or, perhaps, should website keep a mirror for this purpose?


Re: [pfSense-discussion] freebsd 6.2 ports archive

2008-03-13 Thread Paul M
Scott Ullrich wrote:

  or, perhaps, should website keep a mirror for this purpose?
 We are working on it:

freebsd is nice in that the paths to the files are the same on each
mirror, so hacking the hosts file made it work with no changes; the
equivalent path was this:

a bit of wget -r should suffice?

Re: [pfSense-discussion] pfSense / Time Service

2008-03-06 Thread Paul M
RB wrote:
 No, really - I asked you once in private, now I ask you again in

I too have asked him privately. I suspect he's using Lotus Notes or
something equally horrible which cannot be configured sanely!

Can the list admin get the mail system changed to strip the recipient
request headers out?

 public: please turn off your foolish Outlook receipts.  It is
 ridiculous that we have to wade through your mail client's automated
 spew that just tells us you received/read a given message. Most of us
 really don't care (or actively dislike it), and you clutter stuff up
 by not being a good list citizen.
 On 3/5/08, Ryan Neily [EMAIL PROTECTED] wrote:
 Return Receipt

 Your document: [pfSense-discussion] pfSense / Time Service

Re: [pfSense-discussion] pfSense / Time Service

2008-03-06 Thread Paul M
Eugen Leitl wrote:
 On Thu, Mar 06, 2008 at 02:53:19PM +, Paul M wrote:
 RB wrote:
 Bwa ha ha!  Delicious, delicious irony!  I knew it was inevitable
 since Ryan had to read the thread at least once more before fixing
 things, but it was worth it to see this one come in.
 has he fixed things?
 Just forward his spam to [EMAIL PROTECTED] and [EMAIL PROTECTED]
 with full headers. 
 If anyone on this list would start doing it, maybe his admins
 would wise up, and LART him.

shame SLTP never made it to a proper RFC

Re: [pfSense-discussion] suggestions for a decent hardware

2008-03-04 Thread Paul M
has anyone tried installing freebsd/pfSense on an AppleTV? you'd need a
vlan-aware switch to expand the number of network ports, but it's
compact, low power, commodity hardware... in the meanwhile I've asked

[pfSense-discussion] internal load balancer doesn't return traffic to originator

2008-02-11 Thread Paul M

scenario: two machines, on (A) 10.x.x.11 and (B) 10.x.x.12 run web
servers on port 1024 which are made available to the world via public IP
on port 80 by a pfsense firewall (F) (1.2RC4) running a load balancer.
the internal IP of the firewall is 10.x.x.254.

an application which runs on the 10.x.x.11,12 and others wishes to
connect to the web server pool.

nat reflection doesn't work, so we thought we could run a load balancer
on the firewall's internal IP address. however, this doesn't work.

using tcpdump on A, we see the firewall connecting to the web and the
packets being returned normally, everything OK.

using tcpdump on F, we can see the packets arrive on the firewall
heading for10.x.x.254:80, and go off to the web server on port 1024,
and come back to the firewall. the firewall doesn't then send the
packets back to the host which originated the connection.

firewall logs indicate the connection is being permitted from A to A, no
indication of anything being refused!

is what we are trying to do sensible, i.e. to use a load balancer on the
*inside* of our network to allow callbacks to a webapp to be made resilient?


[pfSense-discussion] prioritising ACKs

2008-02-05 Thread Paul M
I came across this, an interesting idea for improving throughput, works
on openBSD, wondering if it can be done on pfsense/freebsd?


Re: [pfSense-discussion] bogons update issue

2008-02-04 Thread Paul M
Jan Hoevers wrote:
 I'm running the embedded version of pfSense on a Soekris 4801.
 1. The script starts with sleeping a random interval. This caused it to
 abort with a 'od: command not found' message. Apparently the od command
 is missing on the embedded platform, and I worked around this by
 commenting out the random interval sleep.

hmm, yes, the non-embedded 1.2rc4 suffers this too... as a quick hack I
just created a /bin/od script which does echo 10.. Scott's fix to the
URL allowed the rest to work.

Re: [pfSense-discussion] which VPN client?

2008-01-24 Thread Paul M
Ronald L. Rosson Jr. wrote:
 On my linux box, I can set my resolv.conf to the office's resolver (we
 have internal DNS which points everything to rfc1918 addresses) and it
 all works just fine!
 On OSX boxes, I can change resolv.conf but it doesn't seem to take
 effect  :-(
 I have found this script and it works without any issue for OSX and

thanks for that, I shall give it a go.

Re: [pfSense-discussion] which VPN client?

2008-01-18 Thread Paul M
one last thing, has anyone made the openvpn client automatically fix the
DNS resolver settings on the client?

I can't get this to work  :-(
so people working from home have to know IP addresses

On my linux box, I can set my resolv.conf to the office's resolver (we
have internal DNS which points everything to rfc1918 addresses) and it
all works just fine!
On OSX boxes, I can change resolv.conf but it doesn't seem to take
effect  :-(

thanks again

Re: [pfSense-discussion] which VPN client?

2008-01-17 Thread Paul M
Curtis LaMasters wrote:
 I am using the OpenVPN GUI v1.0.3 from the link below and I have also
 included a copy of my client side configuration file on the Vista laptop.

OK, well, I (reluctantly) booted up vista on my computer which didn't
have OV installed so that I could do it from scratch, and followed the
instructions to the letter... and basically it worked (once I remembered
that my linux box at home was using it, and killed that connection!)

So, I conclude that it's something wrong with my colleague's vista
install! And, with relief, I can shutdown my vista install again,
shudder quietly, and boot linux! :-D

Oh, one thing.. each openvpn user has a dedicated OV daemon (different
port) on the vpn server, so that I can have very tight control over what
they're doing.

 ##c:/program files/openvpn/config/

I don't have either of the above two lines in the config(s), either on
the linux box or vista box, didn't stop it working though.

 dev tun
 dev-node openvpn
 proto tcp-client
 remote xx.xx.xx.xx 1194

each user has an ifconfig line thus:

ifconfig 10.xx.yy.2 10.xx.yy.1

 route-method exe

I've also got:
route-delay 2

as recommended elsewhere



 ca ca.crt
 cert client1.crt
 key client1.key
 ns-cert-type server

am using shared key, each user has their own key, each openvpn daemon is
thus specific to each user


yup, need same setting at both ends

 ping 10

I'm using this:
keepalive 10 60
instead of ping.


not using pull

 verb 4

have verb 3 which is sufficiently detailed

I'll double-check my colleague's install.

thanks again

Re: [pfSense-discussion] which VPN client?

2008-01-17 Thread Paul M
Paul M wrote:
 I am using the OpenVPN GUI v1.0.3 from the link below and I have also

I checked my colleague's version and he was running the older stable
release, got him to upgrade and also got openvpn to delete and re-add
the tunnel interface, and it now works (not sure which action solved it)

thanks for taking time to discuss this with me!


Re: [pfSense-discussion] which VPN client?

2008-01-16 Thread Paul M
Curtis LaMasters wrote:
 Sorry to keep nagging on this one, but, are you using the OpenVPN gui or

no, I'm very glad to have your help.

 the normal version?  And what version of the software are you using?

my colleague is using the openvpngui as downloaded from which comes with an openvpn binary.

hmm, that's quite an old version of the openvpn binary, isn't it?

Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-24 Thread Paul M
Bill Marquette wrote:
 or others that could make use of mechanisms like dynamic allocation of port.
 That could cause you problems potentially.  But would be no different
 in any other firewall that didn't already understand your protocol.  I
 regularly force vendors to redesign their applications to not use
 dynamic ports at work, it's a stupid design and really, there's zero
 reason to do it (other than sheer laziness on the developers side - or
 pissy legacy reasons when it comes to FTP, which is still not a good
 excuse IMO).

java RMI being one major PITA!

we've developers working from home and trying to get their openvpn
connections working was a massive PITA.

developers being developers seem to think that security considerations
can be swept aside to let them do whatever they need to do.


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-20 Thread Paul M
Paolo Gentili wrote:
  your thoughts or experiences about  how much trust can i have on pfsense

we've got seven boxes doing pfsense - three pairs of 1U servers as
firewall clusters protecting public facing web services, and one acting
as a VPN concentrator for road warriors. we rely on carp and the load
balancer to give resilience.

when one machine threw a disk, it took less than half an hour to
restore functionality.

all are 1.2RC3, some began as 1.2rc2.

we considered Astaro during early eval, but it would have been expensive
to have so many boxes, so we'd have had to compromise on the design of
our network, pfsense has thus made it possible to adopt a much more
flexible solution.


Re: [pfSense-discussion] Beginner's Tutorial

2007-12-17 Thread Paul M
jason whitt wrote:
 download iso burn to cd install set interfaces go to lan ip address
 login with default login admin/pfsense go from there.

I'd add, if you've got an existing network with its own DHCP server,
don't plug in the LAN port until you've fully installed pfsense and
disabled its DHCP server!

Re: [pfSense-discussion] 1.2-RC3 released!

2007-11-08 Thread Paul M
David Bottrill wrote:
 Paul M wrote:
 p.s .any chance of an upgrade image for those of us who installed it on
 a regular x86 server?

 Go to the downloads page an click on updates you need:

d'oh, I was looking in the main download area. thanks.

meanwhile, I noticed many of the mirrors are not doing too well so I
reported them

 I installed this earlier today and it upgraded my system without any issues.

thanks for that feedback.

Re: [pfSense-discussion] Via LAN drivers

2007-10-29 Thread Paul M
sai wrote:
 Realtek and Via ethernet interfaces are supported and are used by many
 on this list, but the hadware and the drivers are not as good as the
 Intel ethernet.

especially realtek's! We have a machine or two with realtek giga, and
they simply cannot achieve anything like theoretical maximum gigabit
throughput - just google for realtek performance problem or similar.

so why are they so popular? very cheap to embed, and most people don't
know the difference when they buy their desktop PC.

Re: [pfSense-discussion] Cacti Template

2007-10-25 Thread Paul M
Ronald L. Rosson Jr. wrote:
 Has anyone come across or developed a template for pfsense firewalls to
 be polled by a Cacti server. Any information is helpful.

dunno about cacti, but I got munin (node) to work quite happily using
freebsd ports, so if there's a cacti in the freebsd port, you might try

Re: [pfSense-discussion] noob question

2007-09-19 Thread Paul M
Zied Fakhfakh wrote:
 Hello everybody,
 I'm just starting with pfSense, nd I have a couple of questions
 - is there any logout button from the web interface ?

it uses basic authentication, so you have to close browser (FYI, it's a
long running bug/issue with firefox/mozilla to be able to forget the
password and thus logout). I guess somebody might like to rewrite it to
use cookies and thus have a logout function if they really cared?

 - how canI install third party softwares, like squid, on pfSense

it's freebsd based so you can use 'ports'. I installed munin from ports
and it works pretty well.

Re: [pfSense-discussion] any plans to implement smtp spam filter/ clam av?

2007-09-19 Thread Paul M
ryn jackson wrote:
 just wanted to know if there were any plans to implement an smtp proxy 
 package that could do spam filtering and email greylisting/blacklisting. act 
 as a tarpit etc.
 also possibly clamav as well?

could you not install these from freebsd ports?

Re: [pfSense-discussion] full instalation on 4 GB SSD

2007-08-29 Thread Paul M
Eugen Leitl wrote:
 I was thinking a real 2.5 SSD would have a MTBF comparable to a
 real hard drive (SanDisk claims 2 Mh MTBF, can't find any such
 for Hama SSD, which is a bargain at about 100 EUR for 4 GByte,
 which probably already answers my question).

I think that proper ssd units designed to replace a regular magnetic
hard drive have to have very sophisticated wear-levelling algorithms,
and probably have an intermediate store for written data, e.g. some
battery-backed SRAM or non-wearable memory.

By ensuring you mount the drive noatime and async
 you can reduce the number or writes; mounting everything except
/var/log as read-only would enforce no writing. Perhaps put /var/log
into a ram disk, rotate logs frequently and rsync them to flash would
help too. However, this is speculation on my part as I've never created
my own unix/linux flash based system (although I do have a zaurus, but
rely on the distro creaters to solve the problem!).

BTW I've seen very few reports of people having problems with the
microdrive in their zauruses which take the 4 or 6GB drives, but people
who've replaced their microdrives with CF cards report early failures!


Re: [pfSense-discussion] transient network drops

2007-08-29 Thread Paul M
Eugen Leitl wrote:

  switch1--diverse hosts
 what's interesting is that I have transient outages to *some* IPs
 (it could be just one IP, actually). I can still ping that IP locally

is your switch manageable? can you turn logging on it? can you look up
the mac of the missing host (also check arp table on pfsense)?

Re: [pfSense-discussion] transient network drops

2007-08-29 Thread Paul M
Eugen Leitl wrote:
 On Wed, Aug 29, 2007 at 02:33:45PM +0100, Paul M wrote:
 Eugen Leitl wrote:

  switch1--diverse hosts

 what's interesting is that I have transient outages to *some* IPs
 (it could be just one IP, actually). I can still ping that IP locally
 is your switch manageable? can you turn logging on it? can you look up
 The gateway switch is a Netgear GS724T, the second switch is HP ProCurve.
 Logging, as in redirecting traffic to a sniffer port, and capture
 all traffic there?

logging, as in getting the managed switch to send syslog messages to a
server and seeing if it reports any errors. I don't know procurves, but
in cisco it's fairly straight forward... add this to config for example:

logging facility local5

 The hoster advised doing an mtr, which I will do once the host
 drops offline again.

yeah, also check arp table on the disappearing host

Re: [pfSense-discussion] acx100 and 1.2 beta

2007-08-07 Thread Paul M
Marius Schrecker wrote:
   I'm currently running 1.0.1 (developer) with the acx100 native driver
 from which I compiled using the recommended patch.  Works okay,
 but I remember it being quite a bit of work.
 What's the status on this driver in 1.2? Will it be built-in, or easier to
 compile, or is there a procedure for using ndiswrapper for this.

I guess the only way to find out is to try the live CD version!

[pfSense-discussion] wiki signups

2007-07-26 Thread Paul M
is there any chance of the wiki allowing signups again, or having a
login created for me (mailme offlist pls)

whilst the documentation on pfsense is quite good there's some useful
notes on it in the wiki which could do with some small updates

BTW, I am a newcomer to pfsense, tried the 1.2 first beta and didn't get
on with it as it would crash/kernel panic all the time, but then tried
rc1 and it's pretty good, only crashed once (when I was changing virtual



RE: [pfSense-discussion] Re: Newbie Q: security of php on perimeter firewall

2005-11-28 Thread Paul M. Impellizzeri
Title: Re: [pfSense-discussion] Re: Newbie Q: security of php on perimeter

Is there any way we can reboot the mail
server now? It is running at 100% cpu but they are services that should
normally be runningI think we need to shake it out.


From: Scott Ullrich
Sent: Monday, November 28, 2005
1:27 PM
Subject: Re: [pfSense-discussion]
Re: Newbie Q: security of php on perimeter firewall

There are
still a few other small ones. In paticular with the status
queues screen + fast cgi. When we kill pfctl somehow its signal is
being passed up and killing off the fast-cgi handler.


On 11/28/05, Bill Marquette [EMAIL PROTECTED] wrote:
 On 11/28/05, Lists [EMAIL PROTECTED] wrote:
  well hell maybe i should do devel work for pfsense cause ive already
  migrated my build to lighttpd :) then when browsing the cvs trees
  noticed it was in there

 We had some problems with lighty when we first imported it - firmware
 upgrades didn't work on embedded due to a bug in their handling of
 large POSTs. That's been fixed in a recent release, so we're moving
 back (that was the only bug that I know of, but it was kinda big ;-P)


avast! Antivirus: Inbound message clean.
Virus Database (VPS): 0547-5, 11/26/2005Tested on: 11/28/2005 1:27:38 PMavast! - copyright (c) 1988-2005 ALWIL Software.

avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0547-5, 11/26/2005Tested on: 11/28/2005 1:52:52 PMavast! - copyright (c) 1988-2005 ALWIL Software.