Re: [pfSense-discussion] pfSense comment packetpushers.net

2011-05-25 Thread Tim Dressel
This sort of points the finger then at a commercial need for a hardened
pfsense product running on a specialized ASIC of some sort.

So when can Chris sort that out? :)

On Wed, May 25, 2011 at 9:32 AM, Ian Bowers iggd...@gmail.com wrote:

 I think the gist of what he's saying is that because it's running on a
 *nix, anyone can log in and install any software they want on it.
 Ultimately this is a gaping security hole from certain perspectives.
 I don't mean that the firewall software or the OS contains gaping
 security holes.  Don't get me wrong, I love OpenBSD, pf, FreeBSD, and
 pfSense when I tried it.  What Greg is saying is that because, in this
 case, it's FreeBSD underneath, anyone with root access can go in and
 install stuff.  So the only way you can certify the performance and
 security is as it exists when it's still in the box.  Then take an ASA
 for example.  You get it in state X.  It's capable of almost limitless
 config variations, but the underlying functions the platform can
 perform are static.  You can never SSH from the ASA to another device.
 You can never run MySQL on it.  And all I mean by this is that some
 asshole or rogue IT guy can come along and install whatever they want
 on a pfSense firewall.  In a proper environment there would be
 controls against this, but that's dependent on the environment the
 device is installed in, so you can't really roll that up into a
 security specification/certification.  I think he's also getting at
 that it's just software, and it depends on the hardware you run it on.
 Take Soekris for example...  Love Soekris, love their hardware, but I
 hate VIA chipsets.  Less now than before, but over time they've proven a
 headache and a burden.  You can't certify pfSense to perform and
 operate a certain way unless you wrap up the software with specific
 tested hardware.  And having the ability to install arbitrary software
 on it makes it open to more than just config errors.

 I'm digressing a little bit, but it's mostly related.  Basically his
 point is you can't trust IT staff to not muck something up.  So having
 a platform where arbitrary stuff can be installed isn't something that
 can be afforded in many cases.

 Again I'm a huge proponent of open source, BSD, and pf.  And
 personally believe they're a great solution in many cases.  I'm
 just responding based on what I think Greg's thinking.  He's very
 knowledgeable and he's been in the networking game a while.  I've
 rarely seen him hate on products simply because they're niche.

 -Ian

 On Wed, May 25, 2011 at 11:59 AM, BSDwiz bsd...@gmail.com wrote:
 
  Guys,
  I was listening to a packetpushers.net podcast regarding the topic of
  firewalls and decided to chime in. I thought you may have some thoughts or
  opinions to add. Basically, I mentioned pfSense and was not very happy with
  his (Greg Ferro) response.  If you get a minute, check out this guy's
  reasoning behind not using pfSense.
 
 http://packetpushers.net/show-42-hating-firewalls-wrong-checkpoint/#comment-425
 
  Best,
  Phil (phospher)
 
 

 -
 To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
 For additional commands, e-mail: discussion-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org
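Ian's point above (anyone with root can install arbitrary software on a FreeBSD-based firewall, and the controls against that depend on the environment) suggests one concrete control: snapshot the installed package inventory when the box is commissioned and alert on any drift from it. The script below is an added example, not code from this thread or from the pfSense project; it assumes an inventory of one name-version per line (as `pkg_info | awk '{print $1}'` would give on the FreeBSD of that era), and both inventories here are constructed sample data.

```shell
#!/bin/sh
# Added example: detect package drift on a FreeBSD-based firewall by comparing
# the installed package set against a baseline taken at commissioning time.
# In real use the baseline would be captured from the known-good box with
# something like `pkg_info | awk '{print $1}'` (assumed; not from the thread)
# and kept off-box. Both inventories below are constructed sample data.

BASELINE='pfSense-2.0
openssl-1.0.0
php5-5.3.6
lighttpd-1.4.28'

# Constructed "current" inventory: someone has installed a MySQL server.
CURRENT='pfSense-2.0
openssl-1.0.0
php5-5.3.6
lighttpd-1.4.28
mysql-server-5.1.56'

# pkg_drift BASELINE CURRENT: prints "+pkg" for packages not in the baseline
# and "-pkg" for baseline packages that have disappeared, sorted; prints
# nothing when the two sets match exactly. An upgraded package shows up as
# one "+" and one "-" line, which is also worth knowing about.
pkg_drift() {
    {
        printf '%s\n' "$1" | sed 's/^/B /'
        printf '%s\n' "$2" | sed 's/^/C /'
    } | awk '
        $2 == ""  { next }                  # ignore blank inventory lines
        $1 == "B" { base[$2] = 1; next }
        $1 == "C" { cur[$2] = 1 }
        END {
            for (p in cur)  if (!(p in base)) print "+" p
            for (p in base) if (!(p in cur))  print "-" p
        }' | sort
}

# check_baseline BASELINE CURRENT: returns 0 when the inventories match and
# 1 on any drift, so it can feed a cron job or a monitoring check.
check_baseline() {
    drift=$(pkg_drift "$1" "$2")
    if [ -n "$drift" ]; then
        printf 'package drift detected:\n%s\n' "$drift"
        return 1
    fi
    echo "installed packages match baseline"
    return 0
}

# Demo on the constructed data; the nonzero status is the alert signal.
check_baseline "$BASELINE" "$CURRENT" || echo "(status $? would trip a monitor)"
```

The check only sees what the package database records, so it complements rather than replaces file-level integrity checking and a read-only or image-based deployment.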




Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-10 Thread Tim Dressel
The Snort plugin has this functionality built in. Just enter your Oinkcode
and set how often you want it to update.

On Thu, Feb 10, 2011 at 7:16 AM, Tony Zakula tonyzak...@gmail.com wrote:

 Yes, but I was just wondering if this is routing for say several
 hundred hosted sites, if it would be appropriate to do that on the
 main router or not.  I guess you could start with that, but then turn
 it off right?

 How then do people update their rules if they are using say snort?
 Purchase a contract direct?  Any other solutions out there for
 Pfsense?

 Tony Z

 On Thu, Feb 10, 2011 at 2:38 AM, Greg Hennessy greg.henne...@nviz.net wrote:
 
   Any thoughts on whether IDS is appropriate at the perimeter or not?
 
  If you take a look at any serious commercial firewall offering on the
  market, integrated IDS/IPS is the order of the day.
 
  More sophisticated solutions offer application control.




Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-09 Thread Tim Dressel
Hi Tony,

I have a /24 public subnet for a school district running behind an old pail
of ProLiant dual-CPU (single-core) Opteron box, 2GB RAM each. It is
ridiculous overkill with my 100Mbit pipe and ~10,000 simultaneous sessions.
I used to run Squid on it, but moved that elsewhere as it made it just that
much simpler.

I moved from IPCop and have never looked back. pfSense is a way better
platform for this kind of task compared to any Linux solution.

It is a bit hardware picky IMHO, so make sure to check the BSD HCL before
you jump.

Cheers,


On Wed, Feb 9, 2011 at 2:41 PM, Tony Zakula tonyzak...@gmail.com wrote:

 Hi,

 I have been using a Linux distribution router/firewall for a number of
 years for a small company.  I have been aware of Pfsense for a few
 years, but have never switched.  I am now in the position that we are
 going beyond a few servers and will be running web and email servers
 for third parties.  I am going to do a hardware upgrade and so I have
 a chance to switch.  A couple of questions to try to get a sense of
 the differences.

 Our layout, I would plan to install pfsense as the main router at the
 end of the ISP line.  We have lots of public ip addresses which will
 be mapped to VPS servers behind this machine.  I currently NAT all
 traffic, but was considering assigning the public ips to the VPSs
 themselves to simplify things.  Ranges of ip addresses have different
 subnets and gateways.

 IDS and updates are provided for a fee for us right now.  In a setup
 like this, is IDS a good idea?  Or will it probably cause headaches
 locking some clients out accidentally?  I would assume PFS is hardened
 to withstand attacks against it.  We have multiple wans, but we run
 all traffic on one pipe and lan traffic on the other which has another
 firewall to separate it from the servers.

 Would running a firewall on PFS in this situation be a good idea?  Or
 just run it as a router?

 The fail over sounds great, especially for a production environment.
 If I start with one machine now, can I add a second one later while
 things are running?

 We have a 5Mb line; is a quad-core processor with 4GB of RAM overkill?
 I will want to do IP accounting.

 Thanks for any info from the experts!

 TonyZ





Re: [pfSense-discussion] anyone using Netgear GSM7352S-200 ?

2011-01-13 Thread Tim Dressel
I've been a huge fan of Procurve for at least 8 years when I replaced some
Cisco and Bay Networks kit for the first gen Procurve gigabit kit in the
form of a 5304 chassis.

In the last couple of years I've been picking up the 2510G-48s which, if you
shop around, you can find for around $1000, especially if you buy more than 5 as
there is a lot of margin on them.

But the big win that I just tried was picking one up off ebay which was
claimed to be dead for $200 (by the time it got to me it was $300 with
shipping, brokerage, etc). The CLI was still talking, so I flashed it with
the latest greatest and it ran about 1/4 of the ports and 10/100 but had
serious problems. I opened a ticket with Procurve, had to pay for the
shipping to send it to them, but they sent me a brand new one back
(different serial number and had that new switch smell).

Theoretically all Procurve stuff has a lifetime warranty, so it's worth the
gamble I think. And the performance is much better than anything you are
ever going to see from a Netgear or the consumer-level SMB junk.

I even know a couple of folks using Procurve switches as their iSCSI
switches for SANs, getting close to 120meg throughput on them across the
fabric!

Cheers,



On Thu, Jan 13, 2011 at 8:19 AM, Eugen Leitl eu...@leitl.org wrote:

 On Thu, Jan 13, 2011 at 09:52:56AM -0600, Adam Thompson wrote:
  I'm not using that exact model, but I have two GS724Tv3 units in
  production.
 
 I have two GS748TS (with a few 1G GBICs) in production, but for a
 couple of dead fans no hardware problems yet. I'm not using the more
 advanced features, and I'm not driving them with a lot of traffic,
 so I can't really say how buggy they are.
 
  Hardware is decent - no dead ports so far (~10 months).  Mine
  are the web smart type without a serial port or CLI, so configuring
  VLANs is a royal pain in the ass.  Other than that, the software is
  acceptable without being great in any way.
  I have a good friend who resells that model (and the GS748 also) and he's
  got about 12 of them in production at various customer sites.  In ~3
  years, I think he's had to return 2 of them so far due to dead ports.  One
  dead port is a (lifetime) warranty problem.
 
 Yeah, I figured even as a couple of L2 switches with 10G optical uplink
 over about ~50 m of MMF they should be acceptable. If they die, I'll RMA them.
 The problem is that I can't find any reviews or even useful user experiences
 with that model. That concerns me a bit.
 
  If you need to save money, Netgear seems to be OK.  But I'd still rather
  have a ProCurve.
 
 I'd rather have a Juniper. If I couldn't get that, a ProCurve. But it
 seems I'm cursed with the Netgears. I'm loath to spend 5.5 kEUR on
 what might turn out to be lemons, particularly with the security
 and IPv6 feature set.

  -Adam Thompson
   athom...@athompso.net
 
 
   -Original Message-
   From: Eugen Leitl [mailto:eu...@leitl.org]
   Sent: Wednesday, January 12, 2011 15:11
   To: discussion@pfsense.com
   Subject: [pfSense-discussion] anyone using Netgear GSM7352S-200 ?
  
  
   This is offtopic, but I figured this would be a good place to
   ask. Anyone using Netgear GSM7352S-200 in production?
  
   http://www.netgear.com/images/GSM7328Sv2_GSM7352Sv2_23Sept1018-10817.pdf
  
   I know, it's Netgear, but how badly does it blow chunks?
   Inquiring minds, etc.
  
   (Disclaimer: I am currently using Netgear and HP ProCurve, and
   thought to upgrade to Juniper, or at least ProCurve, but have
   severe budget issues: 6 kEUR for 2 48-port switches).
  
   --
   Eugen* Leitl leitl http://leitl.org
  




Re: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests

2010-10-02 Thread Tim Dressel
Hi folks,

I did this for about 6 months to do evaluations of Exchange 2010 and Zimbra.

My cluster had two VM hosts, each with 6 NICs (2 onboard used for heartbeat,
and an Intel PCIe quad port). I defined a LAN (vSwitch) internal to
the cluster only, for traffic between all the VMs and the LAN side of the
pfSense box. I also added one port from each of the VM hosts and connected
it to an external switch VLAN which was then directly connected to the
internet. DRS and HA worked flawlessly.

This worked exceptionally well for the pfSense box. The VM hosts were dual
processor, dual core P4 Xeons at 3.0GHz. The internet connection was 100Mbit
and I was easily able to get 80+Mbit across it. CPU use on the VM was never
more than 20% of the single vCPU I assigned to it. In the 6 months we had it
running it never burped once. It performed exactly like a hardware box. I
did not install the VMware Tools on pfSense.

I would not recommend this for a production scenario though; there are too
many unknowns about the footprint that VMware might expose. Especially
seeing as any old computer will run pfSense very well if all you need is basic
routing and NATing.

This was on VMware ESXi 4.0 hosts, with a single vSphere manager.

We are currently playing with Vyatta to do some really neat routing
simulations for our larger network, which is all Cisco at the routing layer.
We have several VRFs defined in our Ciscos and have been playing with the
open source patches to add this to the Vyatta project that have not yet been
integrated. For us, if we can prove this is stable in VMware, we will
consider moving to hardware Vyatta boxen.

Good luck!

Tim


Re: [pfSense-discussion] filling network with meaningful traffic

2010-03-11 Thread Tim Dressel
You could throw up a bunch of virtual FTP sites and leave them wide open
(bind multiple IPs or virtual IPs all pointing to one volume). Put a post
on Usenet and watch the traffic flow in. Suddenly you are a 0-day hoster,
ha! Be prepared to be t...@gged though.

I wish I had a problem with bandwidth to spare. :)

Cheers,