Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-03-01 Thread DarkFoon
Actually, this is the first time I've heard subnetting explained in a way
that actually made sense.
Kudos!
And thank you!


- Original Message - 
From: "Adrian Wenzel" 
To: 
Sent: Saturday, February 28, 2009 9:22 AM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)


>
> My apologies, I meant Network layer, not Transport.  Sheesh.  Serves me
right for spamming the list with general info (as I spam it again with my
correction ;)
>
>
> 
>
> So there are 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in
the 4th octet that are valid for use as IPs on the "local" subnet (the +'s
represent bits that, if changed, would tell the Transport layer that the IP
is not local... the -'s are bits you can change to give yourself IPs local
to your subnet.  Note that they correspond to the 1's and 0's of the
netmask).
>
> 
>
> -
> To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
> For additional commands, e-mail: discussion-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>





Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-02-28 Thread DarkFoon
The rules are the easy part. I had to do a similar thing for a pfSense box
that had 4 interfaces.
I'm just going to share my advice now, but you'll need to get the subnetting
figured out before you can add these rules.

On the LAN2 interface, create a block rule that goes at the very top of the
rules list that prevents any connection originating in LAN2 from connecting
to LAN1. Then after that you can have the standard "LAN2 -> any" rule and
everything should work as expected.

On the LAN1 interface, you shouldn't have to add any rules except the
default "LAN -> any" rule.

I understand I may have misunderstood your needs, but as I understand them,
that is the rule set-up you will want. It should still allow LAN1 to print
to a printer on LAN2, but not allow LAN2 to access LAN1.



- Original Message - 
From: "Tortise" 
To: 
Sent: Saturday, February 28, 2009 12:53 AM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)


> Hi Adrian
>
> Thank you so much for your response.
>
> I think those numbers do have something to do with it, as when I enable
OPT1 I lose the webserver's access and have to reset to a
> default and start over  (I hate that!)
>
> I have since tried configuring as:
> LAN1: 10.aaa.bbb.ccc/8
> LAN2: 10.(aaa+1).bbb.ccc/9
>
> I presume I have still got it wrong.
>
> I want to keep LAN1's IP numbers as it is, as there are a number of Static
DHCP assignments all set, for LAN2 I don't really care what
> this is, and I can't imagine needing more than 20 addresses on LAN2, which
may be relevant.  Can you suggest further?  (Of course
> they can be changed if necessary)
>
> Also I assume I will need to do some LAN2 rules to 1) give access to the
Internet
> and LAN1 rules to gain access to LAN2 however the devil may be lying in
the detail to do that...
>
> Still as you say we need to get LAN2 working for a start.
>
> Kind regards
> David
>
>
> - Original Message - 
> From: "Adrian Wenzel" 
> To: 
> Sent: Saturday, February 28, 2009 7:05 PM
> Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
>
>
>
> Hello,
>
>So, it seems you are configuring as such:
>
> LAN1: 10.aaa.bbb.ccc/8
>
> LAN2: 10.xxx.yyy.zzz/8
>
> This is not right, since /8 means a netmask of 255.0.0.0, making the
network portion of each subnet only the first octet... thus the
> same subnet.  Two devices configured with the same subnet, and on two
different physical networks will not work.
>
> You should try a netmask of 255.128.0.0, or /9 (assuming you really need
all those IPs on each network).  That will correctly
> differentiate the subnets and allow routing to occur ;)
>
> We can get into separating your LANs to disallow your desired access after
this is working.
>
> Thanks,
> Adrian
>
>
> - Original Message -
> From: "Tortise" 
> To: discussion@pfsense.com
> Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern
> Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
>
> Hi
>
> I have been trying to setup a WAN and two LAN.  (3 NIC's)
>
> I want LAN1 to be able to access LAN2 but not the other way around.  The
idea is that LAN1 is less public than LAN2.
>
> i.e. visitors can connect to the "Public" LAN2 and browse the Internet etc
while not having any access to LAN1
>
> LAN 2 will have a LAN printer on it, as an example, which can receive
print jobs from both LAN1 and LAN2.
>
> WAN is a static IP to Cable.
>
> LAN1 is using 10.xxx.yyy.zzz/8 and OPT was intended to use 10.aaa.bbb.ccc/8
however enabling this seems to make it all fall over, i.e.
> I lose Internet connection from LAN, things become unresponsive.
>
> As an aside I tried editing /conf/config.xml however it would not save
from the terminal window, does one have rights to edit the
> config there?  I was using the ee editor.
>
> Has anyone done this sort of thing and what am I missing to get it
working?
>
> In anticipation many thanks indeed.
>
> Kind regards
> David
>
>
>


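As an added example (not from the list, and not pfSense code), here is a small Python check for the subnetting question in this thread: it tests whether two interface addresses land on overlapping networks, which is what breaks routing when both LANs are configured as /8, and it renders a netmask as the "+/-" bit picture described above ("+" for network bits, "-" for host bits). The addresses 10.1.2.3, 10.2.2.3 and 10.129.2.3 are constructed stand-ins for the aaa.bbb.ccc / xxx.yyy.zzz placeholders in the mails. One caveat for readers: the "4 bits in the 2nd octet" description corresponds to a /12 mask, whereas the /9 suggested earlier leaves 7 host bits in that octet; the picture function shows both.

```python
# Added example (not list or pfSense code): subnet overlap check and the
# "+/-" netmask picture from the thread. All addresses below are constructed
# stand-ins for the aaa.bbb.ccc / xxx.yyy.zzz placeholders in the mails.
import ipaddress


def network_of(interface):
    """Network an interface address such as '10.1.2.3/9' belongs to."""
    return ipaddress.ip_interface(interface).network


def overlap(a, b):
    """True when the two interface addresses sit on overlapping networks.
    Overlapping subnets on two physical interfaces is the failure mode in
    the thread: the router cannot tell which interface a 10.x host is on."""
    return network_of(a).overlaps(network_of(b))


def bit_picture(interface):
    """32-character picture of the netmask, dotted per octet:
    '+' = network bit (change it and the address is no longer local),
    '-' = host bit (free to vary for addresses on the same subnet)."""
    prefix = network_of(interface).prefixlen
    bits = "+" * prefix + "-" * (32 - prefix)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def host_bits_per_octet(interface):
    """How many host bits each octet contributes, e.g. [0, 7, 8, 8] for /9."""
    return [octet.count("-") for octet in bit_picture(interface).split(".")]


# The three layouts discussed in the thread, with constructed addresses.
ATTEMPT_1 = ("10.1.2.3/8", "10.2.2.3/8")    # both /8: one network, two NICs
ATTEMPT_2 = ("10.1.2.3/8", "10.2.2.3/9")    # LAN1's /8 still contains LAN2
SUGGESTED = ("10.1.2.3/9", "10.129.2.3/9")  # /9 each, bit 9 differs: disjoint


def report():
    """Overlap verdict for each layout, keyed by name."""
    layouts = [("attempt_1", ATTEMPT_1), ("attempt_2", ATTEMPT_2),
               ("suggested", SUGGESTED)]
    return {name: overlap(*pair) for name, pair in layouts}


if __name__ == "__main__":
    for name, clash in report().items():
        print(f"{name:10s} overlap={clash}")
    for mask in ("10.1.2.3/8", "10.1.2.3/9", "10.1.2.3/12"):
        print(f"{mask:12s} {bit_picture(mask)}  host bits {host_bits_per_octet(mask)}")
```

The second attempt from the thread (LAN1 on /8, LAN2 on /9) still overlaps, because a /8 on LAN1 claims the whole of 10.0.0.0/8; both interfaces need a mask narrow enough that their network portions differ.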



Re: [pfSense-discussion] SLC or MLC flash for full install

2008-10-23 Thread DarkFoon
SLC, since storage isn't the most important factor. It gives better
performance (a nice bonus, since it's also not primary) and more importantly
it gives a longer lifetime, since fewer cells are overwritten with each
write.

FYI,
Although not specifically about CF, I found this article enlightening
regarding other manufacturers.
http://www.anandtech.com/cpuchipsets/intel/showdoc.aspx?i=3403

The lesson learned is to stay away from bargain-basement makers. (And
JMicron controllers, apparently...)



- Original Message - 
From: "Eugen Leitl" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, October 23, 2008 4:10 AM
Subject: [pfSense-discussion] SLC or MLC flash for full install


>
> I'm thinking about trying the full instead of embedded
> install on WRAP/ALIX devices, on compact flash. With increased
> sizes and better flash it seems a year or a couple is a reasonable
> lifetime to expect in a domestic usage pattern these days.
>
> Have any of you made especially good/bad experiences with either
> SLC or MLC CF? Any vendors to recommend, or to stay away from?
>
> Thanks.
>



Re: [pfSense-discussion] W.O.L. Security Question

2008-10-02 Thread DarkFoon
Thank you for your answer.


- Original Message - 
From: "Chris Buechler" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, September 30, 2008 5:43 PM
Subject: Re: [pfSense-discussion] W.O.L. Security Question


> On Tue, Sep 30, 2008 at 2:39 AM, DarkFoon <[EMAIL PROTECTED]> wrote:
> > Greetings all,
> >
> > I recently upgraded my pfsense platform to a new(er) motherboard with an
> > integrated NIC with Wake On LAN.
> > If I use this as my WAN interface, does it pose any security
vulnerability?
> > I do not see a way in the BIOS or as a jumper to turn off WOL.
> >
> > I would normally assume that it would get ignored by pfSense, as all
> > unsolicited traffic is, but I want to be sure.
> >
>
> The most anyone could do (barring some sort of future exploit in WoL,
> which is unlikely) is turn on the machine if it's off. The default
> firewall rules will block the WoL traffic when the machine is on,
> though even if it didn't you can't wake a machine that's on already.
>



[pfSense-discussion] W.O.L. Security Question

2008-09-29 Thread DarkFoon
Greetings all,

I recently upgraded my pfsense platform to a new(er) motherboard with an
integrated NIC with Wake On LAN.
If I use this as my WAN interface, does it pose any security vulnerability?
I do not see a way in the BIOS or as a jumper to turn off WOL.

I would normally assume that it would get ignored by pfSense, as all
unsolicited traffic is, but I want to be sure.

Thank you for your time.



Re: [pfSense-discussion] CD-ROM + floppy

2008-03-04 Thread DarkFoon
To be honest, I was wondering a similar thing.


- Original Message - 
From: "Paul M" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, March 04, 2008 2:01 AM
Subject: Re: [pfSense-discussion] CD-ROM + floppy


> Chris Buechler wrote:
> > DarkFoon wrote:
> >>> Yes.  just the config is kept on the floppy.
> >>> 
> >>
> >> This means that the RRD graphs don't save across reboots, right?
> >> And packages can't be installed. (well that's sort of obvious...)
> >>   
> > 
> > Correct on both accounts.
> 
> is there any reason why the shutdown scripts couldn't copy the RRD files
>  and any .pkg's across to the secondary storage and reload on boot?
> 


Re: [pfSense-discussion] CD-ROM + floppy

2008-03-01 Thread DarkFoon
> Yes.  just the config is kept on the floppy.

This means that the RRD graphs don't save across reboots, right?
And packages can't be installed. (well that's sort of obvious...)

- Original Message - 
From: "Chris Buechler" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, March 01, 2008 5:44 PM
Subject: Re: [pfSense-discussion] CD-ROM + floppy


> DarkFoon wrote:
> > Does pfSense 1.2 still support booting from CD-rom and storing the 
> > config (and possibly other data) on a floppy disk?
> Yes.  just the config is kept on the floppy. USB flash drives are also 
> supported, and recommended over floppies.
> 
> 


[pfSense-discussion] CD-ROM + floppy

2008-03-01 Thread DarkFoon
Does pfSense 1.2 still support booting from CD-rom and storing the config (and 
possibly other data) on a floppy disk?

[pfSense-discussion] ntpd irregular behavior

2007-11-07 Thread DarkFoon
I've had my pfsense box up and running for 124 days straight (woo hoo) but
back in July, the NTPD log page reported this:

>Jul 26 06:29:02 ntpd[588]: Terminating
>Jul 26 06:29:02 ntpd[588]: dispatch_imsg in main: pipe closed

There was nothing new since those reports. I assumed that the whole time
since then that it had been keeping my clock up to date. Much to my surprise
I discovered on November 4th that the clock on my pfsense box had fallen
behind by over 20 minutes. So I checked the running processes by running "ps
auxc", and I noticed that NTPD was no longer running.
So I went to System -> General removed all the time servers (CTRL+X) and
then added them again (CTRL+V), hit "save" and then checked the NTPD log
page again.
I was happy to find this:

>Nov 4 15:24:09 ntpd[51443]: set local clock to Sun Nov 4 15:24:09 PST 2007
(offset 1229.461968s)

So is this a bug? Or does NTPD exit when it has tried long enough to set the
time? (IIRC, the chipset in this machine has a well-documented bug where the
clock always loses time)



Re: [pfSense-discussion] noob question

2007-09-19 Thread DarkFoon
There is no logout (AFAIK)
You can't install plain old 3rd party apps, you have to install a pfSense
package. Only some software is available as pfSense packages, and many of
them are beta or alpha. But you can make your own packages, something I
haven't personally tried yet.
To browse the packages available, log in and go to System -> Packages.
To install the package you want, click the + button to the right of the
package listing.

I hope that helps.


- Original Message - 
From: "Zied Fakhfakh" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, September 18, 2007 3:33 PM
Subject: [pfSense-discussion] noob question


> Hello everybody,
>
> I'm just starting with pfSense, and I have a couple of questions
>
> - is there any logout button from the web interface ?
> - how can I install third party software, like squid, on pfSense
>
> thank you very much.
>
> -- 
> Zied Fakhfakh
> dot TN - CTO
> Centre Molka, Esc E, Bur 17 | Tel : +216 71 886112
> El Manar II | Fax : +216 71 885499
> 2092 - Tunis | mob : +216 22 535604
> Tunisia | web : http://www.dottn.com
> GPG Key : gpg --keyserver pgp.mit.edu  --recv-keys D2F4EE8C
>
>



[pfSense-discussion] location of dnsmasq.conf

2007-09-02 Thread DarkFoon
I was able to find the dhcpd.conf file under /var/dhcpd/etc
and I feel like I've scoured every nook and cranny, but I cannot find 
dnsmasq.conf.

I require these two files because I'm attempting (for my own improvement) to 
set up a linux box to do pretty much the same thing as my pfSense box.

Where is dnsmasq.conf hidden? Or is it even used?

Re: [pfSense-discussion] Start other processes inside pfSense?

2007-07-24 Thread DarkFoon
I, too, would like to thank you all for your comments and suggestions.
This is a solution that I had not even considered for a problem that I have
been having, and I like this solution much better than the other one I had
considered.

The problem I've been having, in short, is that I get invited to a lot of
LAN parties as the "network guy", because I bring my nice pfSense router
along. ;)
But, there are some particular services, such as a dedicated game server,
that I have had to bring a second box along to host. But since most of the
network traffic is on the LAN, running a game server AND pfSense on the same
(more powerful) box would save on weight, stuff to carry, etc.

Thanks again!

- Original Message - 
From: "Roland Giesler" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, July 24, 2007 8:57 AM
Subject: Re: [pfSense-discussion] Start other processes inside pfSense?


> Thanks for your suggestions and comment everyone.  I think I'll go
> with multiple VM guests on a host OS.  My mind is much clearer about
> this now.
>
> regards
>
> Roland
>



[pfSense-discussion] MiniUPnPd security risks

2007-04-25 Thread DarkFoon
I'm considering installing the UPnP daemon on some home/home office boxes, and 
I'm curious what the security issues are.
From my own (simple) analysis, the worst that could happen is a malicious 
application could ask for many, many (almost all?) of the ports above 1024 to 
be routed to a machine, and that an external attacker might be able to use all 
the port forwards to control said malicious program from the internet and 
perhaps wreak havoc on the LAN net and maybe even the pfSense box (with a 
keylogger and sniff the pw for the pfSense admin).

This is assuming I don't use the custom rules that I can specify. (which I 
could use to mitigate some of the damage)

Did I miss anything?
Thank you for your comments.

Re: [pfSense-discussion] Windows shares across the firewall

2007-01-04 Thread DarkFoon
I was hired to do the same thing for a small business a year ago.

I learned about a month and a half into the project that windows shares,
while they work across subnets, the hostname can't be used because of WINS,
only the IP address. Workgroups especially do not work across subnets. I
would like to know if DNS will work for your workgroup. I can't remember if
I tried that, or even had the proper settings to get it to work.

My employer's entire network was set up with a workgroup that had been
tweaked to act sorta like a domain. I set up a FreeBSD domain server, but he
wanted a "god box" that was his domain server, web server, firewall-which I
wouldn't build due to security reasons-and he had some custom server
software that would only work under windows, so I was let go; his son can do
windows stuff for free.
Sorry, I got off topic there.

WebDAV over https sounds like an interesting idea.
I hope I have been of some help.

- Original Message - 
From: "David Brown" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, January 04, 2007 12:09 AM
Subject: [pfSense-discussion] Windows shares across the firewall


> I'm planning to set up a new firewall/router at our company, and am
> leaning towards using pfSense because I want several green networks
> (either using multiple ports on the firewall machine, or using a managed
> switch and VLANs - as far as I understand it, they can work the same way).
>
> There are going to be a couple of server machines on different branches
> of the LANs, but I need access to them from the other branches.  The
> setup I've planned looks like this:
>
>
> /---\
> |   |-red1internet
> |  pfSense  |-red2(second internet connection, optional)
> |   |
> |   |-orange--DMZ---web server, mail server, squid, etc.
> |   |
> |   |-blue---(wireless for laptops, including visitors)
> |   |   |   ||
> |   |   LinkSys WRT54GLLinkSys  LinkSys
> |   |/   \  /   \/   \
> |   | laptops, etc.
> |   |
> |   |-green1---LAN (192.168.1.x)---server1.1, pc1.1, pc1.2, etc.
> |   |
> |   |-green2---LAN (192.168.2.x)---server2.1, pc2.1, pc2.2, etc.
> |   |
> |   |-green3---LAN (192.168.3.x)---server3.1, pc3.1, pc3.2, etc.
> |   |
> \---/
>
>
> Making appropriate firewall and routing rules for access to the DMZ
> servers from the green LANs is easy enough, as are things like allowing
> ssh access on different LANs for administrative purposes.  But it is
> also important that I can get windows share access in some way across
> the LANs.  For example, pc1.2 (say, 192.168.1.102) should be able to
> mount a share on server2.1 (192.168.2.1), while the reverse is not true
> (i.e., no machine on LAN2 should see the pc's on LAN1).  Is it
> sufficient, and safe, to simply open a pinhole for traffic on port 139
> towards 192.168.2.1 from 192.168.1.x ?  I suppose I could set up VPNs
> somewhere to tunnel traffic around, but I can't see that this would
> actually improve matters (I have no need to encrypt traffic passing
> between greens) - I would need similar rules to limit the VPN traffic.
> In fact, I'm assuming that once I've got things figured for cross-green
> routing, I can use the same sorts of rules for VPN's from laptops on the
> blue zone or attaching via the internet.
>
> As far as I can tell, it is only the share access that I need from the
> SMB/CIFS protocols.  pfSense's DNS server should be able to handle
> naming, and I am not running a windows domain (it's all set up as a
> workgroup).
>
> If I can't get a stable and secure arrangement for SMB sharing, what are
> my other options?  At the moment, we have a couple of linux file servers
> and one old windows one, which can be replaced if it is not flexible
> enough.  I've heard of using WebDAV as a protocol - W2K and XP (and
> linux, and presumably FreeBSD :-) can mount WebDAV paths, and use them
> directly.  If the WebDAV access is over https, then it could be used
> directly from outside the LANs without needing a VPN.  Another idea I
> have read about is using a SFTP server along with WebDrive software.
>
> Any hints, tips, website pointers, or comments about how only an idiot
> would arrange things like that, would be much appreciated.
>
> mvh.,
>
> David
>
>
>
>
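One way to model the rule sets from both LAN-separation threads on this page (DarkFoon's "block LAN2 -> LAN1 at the top, then LAN2 -> any" advice for the shared printer, and the tcp/139 pinhole from 192.168.1.x to 192.168.2.1 asked about above), as an added Python example that is not pfSense code: a first-match walk over per-interface rules with a minimal state table, so that replies to a connection that was passed come back without needing a rule of their own. That is why LAN1 can print to LAN2, and pc1.2 can mount the share on server2.1, while LAN2 -> LAN1 stays blocked. pfSense evaluates interface rules top-down with the first match winning and denies traffic no rule passes, which the model mirrors; the networks, hosts and ports below are constructed.

```python
# Added example (not pfSense code): first-match, stateful rule walk for the
# LAN1/LAN2 printer question and the green1/green2 port-139 pinhole.
# Networks, hosts and ports are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                      # "pass" or "block"
    proto: str = "any"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None      # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        # Reply to a connection already passed: the state entry wins, no rule needed.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass (state)"
        for r in self.rules:                  # top-down, first match decides
            if r.matches(p):
                if r.action == "pass":
                    self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "block (default)"              # nothing matched: default deny


def net(s):
    return ipaddress.ip_network(s)


# Thread 1: LAN1 (trusted) and LAN2 (public, printer lives here); constructed /9s.
LAN1, LAN2 = net("10.0.0.0/9"), net("10.128.0.0/9")
lan_rules = [
    Rule("LAN2", "block", src=LAN2, dst=LAN1),   # very top of the LAN2 list
    Rule("LAN2", "pass",  src=LAN2),             # then the usual "LAN2 -> any"
    Rule("LAN1", "pass",  src=LAN1),             # default "LAN -> any" is enough
]

# Thread 2: green1 may reach server2.1 on tcp/139 only; green2 sees nothing of green1.
G1, G2, SERVER21 = net("192.168.1.0/24"), net("192.168.2.0/24"), net("192.168.2.1/32")
green_rules = [
    Rule("GREEN2", "block", src=G2, dst=G1),
    Rule("GREEN2", "pass",  src=G2),
    Rule("GREEN1", "pass",  proto="tcp", src=G1, dst=SERVER21, dport=139),
    Rule("GREEN1", "block", src=G1, dst=G2),     # the rest of green2 stays hidden
    Rule("GREEN1", "pass",  src=G1),
]


def lan_scenario():
    """Verdicts for the printer setup; each call uses a fresh state table."""
    fw = Firewall(lan_rules)
    return {
        "lan1_to_printer":  fw.decide(Packet("LAN1", "tcp", "10.1.2.3", "10.129.0.10", 40000, 9100)),
        "printer_reply":    fw.decide(Packet("LAN2", "tcp", "10.129.0.10", "10.1.2.3", 9100, 40000)),
        "lan2_to_lan1":     fw.decide(Packet("LAN2", "tcp", "10.129.0.20", "10.1.2.3", 40001, 22)),
        "lan2_to_internet": fw.decide(Packet("LAN2", "tcp", "10.129.0.20", "203.0.113.5", 40002, 443)),
    }


def green_scenario():
    """Verdicts for the port-139 pinhole between green1 and green2."""
    fw = Firewall(green_rules)
    return {
        "pc12_share":       fw.decide(Packet("GREEN1", "tcp", "192.168.1.102", "192.168.2.1", 50000, 139)),
        "share_reply":      fw.decide(Packet("GREEN2", "tcp", "192.168.2.1", "192.168.1.102", 139, 50000)),
        "pc12_other_port":  fw.decide(Packet("GREEN1", "tcp", "192.168.1.102", "192.168.2.1", 50001, 445)),
        "green2_to_green1": fw.decide(Packet("GREEN2", "tcp", "192.168.2.50", "192.168.1.102", 50002, 139)),
    }


if __name__ == "__main__":
    for name, verdict in {**lan_scenario(), **green_scenario()}.items():
        print(f"{name:18s} {verdict}")
```

The order of the two LAN2 rules is the whole point: swap them and the "LAN2 -> any" rule matches first and the block never fires. The green1 list shows the same idea in the other direction, a narrow pass for the one share followed by a block for the rest of green2 so that opening the pinhole does not expose the whole segment.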



Re: [pfSense-discussion] PPTP VPN on OPT1/WAN2

2006-10-17 Thread DarkFoon
Seems to me that with PPTP (and other protocols) if the source IP address of
packets sent to the client differs from the IP the client sends packets to,
the PPTP software discards (as it should) the packets because they could be
coming from an untrusted third-party.

- Original Message - 
From: "Heath Henderson" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, October 17, 2006 7:51 PM
Subject: [pfSense-discussion] PPTP VPN on OPT1/WAN2


> Does anyone know if there is a limitation to the PPTP VPN connection to
only
> connect via WAN connection and not via OPT1 or WAN2?
>
> I have a successful server running and can connect via WAN but times out
> whenever I try and hit the WAN2/OPT1 connection with the same setup.  I
> checked all of my rules and they are identical.
>
> Thanks
>
> -- 
> Heath Henderson
> [EMAIL PROTECTED]
> 1800 288 7750
> --
>
>
>



[pfSense-discussion] Policy Enforcement: Can pfSense beat it?

2006-10-16 Thread DarkFoon



Hi everybody.
A friend of mine recently informed me that 
his college is going to be adding some "policy enforcement" devices (Cisco 
brand) to their network that will push Symantec Security software onto all 
computers on the campus network. If your computer doesn't meet the policy, it is 
denied internet access. 
Linux computers are exempt from this for some reason 
(yeah *BSD != linux, I know). 
He doesn't want this Norton garbage pushed onto his 
PC, so he asked me if a firewall like pfSense would stop this nonsense. However 
he says that the machine must "look" like a Linux box to the campus "policy 
enforcement" device.
 
My questions are: is pfSense immune to 
fingerprinting? Or can I alter the values it reports back? 
Also, do you think this would even work? (Would it 
trick the policy enforcement and allow him access through it?)
 
I ask because you are the experts. I no longer have 
the free time I once had to research this myself (being a student also), so I am 
asking for the knowledge that comes with experience in the field.
 
I understand that this question is a little "out 
there" and highly off-topic; my apologies if it belongs elsewhere.
 
Thank you very much in advance.
-a Rossi


Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-08-29 Thread DarkFoon
I see,
thank you for the clarification.


- Original Message - 
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, August 29, 2006 7:59 AM
Subject: Re: [pfSense-discussion] Dynamic DNS - no password encryption


> On 8/29/06, DarkFoon <[EMAIL PROTECTED]> wrote:
> > I was looking through my XML configuration recently, and I noticed that
my
> > Dynamic DNS password is not encrypted like the PFsense password is.
> > It seems to me that this is a rather important password and should be
> > encrypted (if possible).
>
>
http://faq.pfsense.com/index.php?action=artikel&cat=1&id=37&artlang=en&highlight=encrypted
>
> Refer to mailing list history for juicy flame wars.  We are not going
> there again.
>
>
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.405 / Virus Database: 268.11.6/430 - Release Date: 8/28/2006
>
>



[pfSense-discussion] Dynamic DNS - no password encryption

2006-08-29 Thread DarkFoon



I was looking through my XML configuration 
recently, and I noticed that my Dynamic DNS password is not encrypted like the 
PFsense password is. 
It seems to me that this is a rather important 
password and should be encrypted (if possible).
 


Re: [pfSense-discussion] VPN with ipsec setup question

2006-08-23 Thread DarkFoon
Seconded. 
I too, have a similar situation with mobile IPSec 
VPN clients, and this information would be quite helpful.

- Original Message - 
From: "Heath Henderson" 
To: discussion@pfsense.com
Sent: Wednesday, August 23, 2006 7:55 AM
Subject: [pfSense-discussion] VPN with ipsec setup question


> We just opened a new building and I have been tasked with setting up a Load
> Balanced Firewall/Router. OK, Pfsense fit the ticket there.  Works like a
> charm.  Haven't been able to try the LB and Failover stuff just yet, because
> our DSL line isn't hooked up yet.  Only Cable at this point.  Kudos on this
> package.  Now for the question.
>
> I have a few remote office users who need to have access to our internal
> Network and our Phone System. They travel, so Mobile VPN clients on their
> Laptops is what I am going to have to setup.
>
> My Question.  What is involved in setting up an IPSEC vpn server (I saw the
> steps which I am going to work on going through). But, can I get a Client on
> both Windows and Mac OSX (maybe use the built in) to authenticate?  How is
> this setup?
>
> Any pointers would be great.
>
> -- 
> Heath Henderson
> [EMAIL PROTECTED]
> 1800 288 7750
> --



Re: [pfSense-discussion] Benchmarking

2006-07-28 Thread DarkFoon
Thank you very much, Holger.

>No, aliases are not broken.
I must be using them wrong, because I had some NAT and firewall rules that
used aliases, and the NAT didn't work until I used the actual IP address,
not the alias.


- Original Message - 
From: "Holger Bauer" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, July 27, 2006 7:34 PM
Subject: AW: [pfSense-discussion] Benchmarking


> I'm usually using netio to benchmark the factory defaults with a
netio server sitting at wan and a netio client at lan connecting to it. A
wrap 266MHz 128MB benches at up to 32 mbit/s with latest release fyi.
>
> Holger
>
> -Ursprüngliche Nachricht- 
> Von: DarkFoon [mailto:[EMAIL PROTECTED]
> Gesendet: Fr 28.07.2006 00:42
> An: discussion@pfsense.com
> Cc:
> Betreff: [pfSense-discussion] Benchmarking
>
>
>
>
>
>









[pfSense-discussion] Benchmarking

2006-07-27 Thread DarkFoon



I've recently upgraded my pfSense box from a 
pentium-MMX 233MHz to a Celeron-MMX 333MHz and I am curious how the developers 
(or anybody on the list) would go about benchmarking the system (max throughput 
is what I'm mostly curious about)
 
One quick question: aliases are broken in 1.0 RC-1, 
right? Just checking.
 
Thanks in advance


[pfSense-discussion] Thank you

2006-06-30 Thread DarkFoon



I just upgraded to RC-1 from Beta2, and I must say 
that I am impressed.
I like the new features, such as the RRD graphs 
(well, they're new to me)
and the filter status page.
The product is very polished.
So I am thanking the pfSense team for the excellent 
job they have done!
 


Re: [pfSense-discussion] artwork

2006-06-21 Thread DarkFoon
Mr. Leitl,
I don't quite understand your problem here.
You claim that the m0n0 interface has better usability, and is superior in
look, however, you do not support these claims with any useful examples that
would allow the pfSense team to improve their interface.

pfSense is not m0n0; it has more features, packages, and the like, and
therefore needs a different interface to accommodate these differences.
I've done web design before, and as far as I can see, I cannot think of a
way to improve the pfSense interface. Perhaps your browser sucks and cannot
display the menus properly? (I've had that problem before)

Your statement that your claims are a "bug report" is a lie. Any useful bug
report contains information that would be helpful to the developers; yours
contains only incendiary comments.

Learn how to code and port the m0n0 interface over to pfSense, or better
yet, learn how to be respectful over the internet. The people who develop
pfSense have other things to do than develop pfSense. We'd all be S.O.L. if
it weren't for them. (Care to learn OpenBSD and write your own pf filter
rules at console? Neither do I.)

Good day sir
A.C. R.



Re: [pfSense-discussion] packet A/V?

2006-06-07 Thread DarkFoon
I would never venture to assume that any approach is 100% effective.
But all the 99% solutions together approach 100% effectiveness (note, I say
approach)

I do appreciate your work very much, and I look forward to the great
benefits that your hard work will provide.

- Original Message - 
From: "Rajkumar S" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, June 06, 2006 11:04 PM
Subject: Re: [pfSense-discussion] packet A/V?


> DarkFoon wrote:
> > Is there anybody working on a package that does anti-vir scanning on
> > incoming internet packets?
>
> Well, I am trying to get it done. My approach is to get snort and snortsam
working with pf
>   first. Snortsam is a package that can add rules dynamically to variety
of firewalls,
> including pf, based on alerts from snort. Right now there is a bug in pf2
plugin for
> snortsam that is stopping the show, I am trying to get it fixed. Next step
would be to get
> the clamav plugin for snort working. All these 3 working together will
scan all packets
> for virus and will terminate any connection that has virus.
>
> But one thing you have to keep in mind is that such approaches are never
going to be 100%
> perfect.
>
> raj
>
>
>
>



Re: Re[2]: [pfSense-discussion] P2P Blocker

2006-06-06 Thread DarkFoon
Thank you very much

- Original Message - 
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, June 06, 2006 1:48 PM
Subject: Re: Re[2]: [pfSense-discussion] P2P Blocker


> On 6/6/06, DarkFoon <[EMAIL PROTECTED]> wrote:
> > I may have over looked it, but where in pfSense can you set the maximum
> > number of states a workstation can have? I like that idea for P2P
blocking.
>
> Firewall -> Rules -> Edit -> Advanced
>
>
>
>



[pfSense-discussion] packet A/V?

2006-06-06 Thread DarkFoon



Is there anybody working on a package that does 
anti-vir scanning on incoming internet packets? I get the impression that 
SonicWalls do it, and it'd be killer if PfSense (because sonicWalls do not look 
cheap) www.sonicwall.com
 
I remember some time ago somebody was working on 
this with squid and squidclam, but I haven't heard anything about it 
since. Any progress? Or was it given up upon? (it does sound very difficult, 
indeed)
 


Re: Re[2]: [pfSense-discussion] P2P Blocker

2006-06-06 Thread DarkFoon
I may have overlooked it, but where in pfSense can you set the maximum
number of states a workstation can have? I like that idea for P2P blocking.

- Original Message - 
From: "Bill Marquette" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, June 06, 2006 1:07 PM
Subject: Re: Re[2]: [pfSense-discussion] P2P Blocker


> On 6/6/06, Chris Noble <[EMAIL PROTECTED]> wrote:
> > Ah good idea, pfsense has Traffic Shaper in it.. I could play with
> > that and give P2Pa silly speed like 500 byte/sec heh.
>
> There were some threads on this in the forum also.  I believe someone
> even went so far as to restrict the number of states individual
> workstations could have.  Between castrating the bandwidth and
> castrating the amount of connections you're allowed, it should pretty
> effectively communicate the message.
>
> --Bill
>
>
>
>



Re: [pfSense-discussion] Setup advice wanted, devices for public library

2006-03-29 Thread DarkFoon
> In most of the other locations I would rather
> go with CF so there are no moving parts.  I am looking at Kingston Elite
> Pro CF cards, 512mb for $30 dollars, I saw them mentioned on the list.
> Does anyone have any recommendations of other brands.

http://anandtech.com/storage/showdoc.aspx?i=2654

I know this article is a little dated, and the sizes are much more than
you need, but it came to mind and I thought it might be of use.




[pfSense-discussion] VPN questions

2006-03-26 Thread DarkFoon



Hello all,
my client wants himself and his franchisees to be 
able to securely access a fileserver (actually it's his workgroup-soon to be 
domain-server) behind the pfSense box and upload important data files to it. 
These clients are using laptops with wireless connections (3G access, not wi-fi, 
but possibly wi-fi too), or desktops at home behind little home firewall/routers 
with broadband internet. All are running windows XP Pro.
pfSense offers me three kinds of VPN, as you all 
know: PPTP (about which I've read numerous articles citing security flaws in its 
authentications using MS-CHAP), IPSec is for site-to-site (and impossible to set 
up under windows, because all methods I've researched require a static IP on 
the windows computer, and 3G doesn't offer static IPs), and finally OpenVPN 
which is experimental and messes up the OPTx interfaces (of which this pfSense 
box has 4).
I would like to give Stunnel a try, but the package 
doesn't install on pfSense (despite saying that it's stable).
So as you can see, I've got a bit of a problem. If 
there is an easier way to set up IPSec on a mobile windows client, I'd love to 
hear it. If there's a way to secure PPTP (other than upgrading the PPTP server 
in pfSense which, I have been told, will not be done) I'm all ears. If OpenVPN 
is more stable than the warning on its config pages makes it sound, let me know. 
I'm out of ideas.
Thank you all
A Rossi
 


Re: [pfSense-discussion] PPTP

2006-03-16 Thread DarkFoon
I did some research into m0n0's PPTP implementation, mpd, and I found
that it does not use the more secure EAP-TLS authentication method
(MSCHAP-v2 leaks the password during authentication).
The newer version of mpd does use EAP-TLS however. I was curious about
the amount of work it would take to upgrade mpd. If it is a triviality,
and a developer felt like doing it, I would submit myself as a guinea
pig for the testing snapshot of the new mpd (which does more than just
the PPTP server)
I would do it myself if I had the platform for development, and the time
(finals week). That is not to say I assume the devs have more free time
than me, just more efficient knowledge.

thanks.
A

- Original Message - 
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, March 16, 2006 10:53 AM
Subject: Re: [pfSense-discussion] PPTP


Not sure which one it is.  Whatever m0n0wall uses, we use.

Scott


On 3/16/06, DarkFoon <[EMAIL PROTECTED]> wrote:
>
> I was wondering what authentication method is used by the PPTP server
> in pfsense: MSCHAP-v2 or EAP-TLS?
>
> Where can I find more information about the PPTP implementation used by
> pfSense?
>
> Thanks
> Anthony






[pfSense-discussion] PPTP

2006-03-16 Thread DarkFoon



I was wondering what authentication method is used 
by the PPTP server in pfsense: MSCHAP-v2 or EAP-TLS?
 
Where can I find more information about the PPTP 
implementation used by pfSense?
 
Thanks
Anthony


[pfSense-discussion] First bug of beta 2?

2006-03-11 Thread DarkFoon
I'm experiencing some strange behavior with my beta2 box.
I have to keep manually renewing the WAN dhcp. I'll connect to a website
from a client on the LAN, and then maybe five minutes later, when I go
to another page, it "can't find the page" (none of my internet based
things work, actually), so I open up the webGUI and go to the interfaces
page, and there the WAN DHCP is down, and I have to click renew.
This problem happens intermittently (like it started last night, and
now it's not doing it).
I don't quite understand even why this should be happening. I thought,
though, in the past that it automatically renewed DHCP leases on the
WAN. More than likely, however, it's a hardware or ISP problem, and has
nothing to do with the pfSense box. I thought I should post this here in
case this is a pfsense issue.

My hardware:
pentium-MMX 200mhz
64MB sd100 ram
2x 3com 905* nics (one's a 905b-tx, the other a 905-tx)
CD-ROM platform (I don't like the noise added by harddrives)
floppy-drive (with my config)


The webGUI is a little sluggish in comparison to m0n0. But of course it
should be: m0n0 was designed for this kind of hardware, and pfsense,
well, wasn't. But, I like the features of pfsense more than m0n0, so I
use it now.

$ dmesg
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
 The Regents of the University of California. All rights reserved.
FreeBSD 6.1-PRERELEASE #0: Thu Mar  2 04:13:56 UTC 2006
[EMAIL PROTECTED]:/usr/obj.pfSense/usr/src/sys/pfSense.6
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium/P55C (200.46-MHz 586-class CPU)
  Origin = "GenuineIntel"  Id = 0x544  Stepping = 4
  Features=0x8001bf
real memory  = 62914560 (60 MB)
avail memory = 51826688 (49 MB)
Intel Pentium detected, installing workaround for F00F bug
wlan: mac acl policy registered
kbd1 at kbdmux0
ath_hal: 0.9.16.16 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413,
RF5413)
npx0: [FAST]
npx0:  on motherboard
npx0: INT 16 interface
cpu0 on motherboard
pcib0:  pcibus 0 on motherboard
pci0:  on pcib0
isab0:  at device 1.0 on pci0
isa0:  on isab0
atapci0:  port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x4000-0x400f at device 1.1 on pci0
ata0:  on atapci0
ata1:  on atapci0
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0xf000-0xf07f mem
0xffadff80-0xffad irq 3 at device 13.0 on pci0
miibus0:  on xl0
xlphy0: <3Com internal media interface> on miibus0
xlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl0: Ethernet address: 00:10:4b:62:a1:f4
xl1: <3Com 3c905-TX Fast Etherlink XL> port 0xec80-0xecbf irq 4 at
device 15.0 on pci0
miibus1:  on xl1
nsphy0:  on miibus1
nsphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl1: Ethernet address: 00:60:08:1f:39:69
pci0:  at device 20.0 (no driver attached)
pmtimer0 on isa0
orm0:  at iomem 0xc-0xc7fff on isa0
atkbdc0:  at port 0x60,0x64 on isa0
atkbd0:  irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
fdc0:  at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2
on isa0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: parallel port not found.
sc0:  at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0: configured irq 4 not in bitmap of probed irqs 0
sio0: port may not be enabled
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 8250 or not responding
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0:  at port 0x3c0-0x3df iomem 0xa-0xb on
isa0
unknown:  can't assign resources (port)
speaker0:  at port 0x61 on isa0
unknown:  can't assign resources (port)
unknown:  can't assign resources (port)
Timecounter "TSC" frequency 200456760 Hz quality 800
Timecounters tick every 1.000 msec
Fast IPsec: Initialized Security Association Processing.
acd0: CDRW  at ata0-master PIO4
GEOM_LABEL: Label for provider fd0 is msdosfs/ .
GEOM_LABEL: Label for provider acd0 is iso9660/pfSense.
Trying to mount root from cd9660:/dev/iso9660/pfSense
md0.uzip: 1511 x 65536 blocks
acd0: FAILURE - READ_BIG MEDIUM ERROR asc=0x02 ascq=0x00 error=0
acd0: FAILURE - READ_BIG MEDIUM ERROR asc=0x02 ascq=0x00 error=0
xl0: link state changed to UP
xl1: link state changed to UP
xl1: link state changed to DOWN
xl1: link state changed to UP
pflog0: promiscuous mode enabled
xl1: transmission error: 90
xl1: tx underrun, increasing tx start threshold to 120 bytes
xl1: transmission error: 90
xl1: tx underrun, increasing tx start threshold to 180 bytes
xl1: transmission error: 90
xl1: tx underrun, increasing tx start threshold to 240 bytes



Re: [pfSense-discussion] pfSense merge with freebsd?

2006-03-10 Thread DarkFoon
FreeNAS sounds like a neat idea, unfortunately it's not quite what I had
in mind for this backup computer. I was going to write a cron job for
this computer so that every night (or maybe once a week) it would turn
on (the BIOS has an auto-boot function), and use smbtar to grab all of
the files from a fileserver and back them up on that computer, then it
would shutdown. If the disk got too full, it would delete older backups
to make room for new ones. Right now the file server is running windows
XP, so I can't really tell it to send its files to that backup computer
at a specific time.

What about that jumpering thing, though? I remember from linux that if
you have a drive jumpered to be smaller than its actual size, you need
to have hdx=stroke as a boot parameter so linux can use all of the
space.  Well I've gotten off topic perhaps. I'll do some reading in the
FreeBSD pages.
Thanks!
Anthony

- Original Message - 
From: "Holger Bauer" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, March 09, 2006 9:34 PM
Subject: RE: [pfSense-discussion] pfSense merge with freebsd?


I doubt that a bios flash will make that drive usable at that old
machine. And for these utilities... I don't like them too much. I have
used such a utility a very long time ago to bypass bios limitations. It
actually went in the bootsector to get loaded before anything else (like
the old evil masterbootrecord viruses ;-). It worked fine for some time
until I needed to reinstall my OS as it was broken. The OS replaced the
tool in the bootrecord and all my data stored at all partitions was gone
with that. There was no way to reinstall the tool without doing a full
preparation of the disk again wiping everything that existed there. In
business environments things like these are really the worst ideas one
can come up with.

However I might have a solution for you to try. First find out what the
max size limit is that box is natively supporting for hdds. Then get a
bunch of these and run them with http://www.freenas.org/ . You even can
build RAIDs with this (stripes and mirrors should be supported afaik),
however I haven't tried it out personally. Just a suggestion.

Holger

> -Original Message-
> From: DarkFoon [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 10, 2006 6:24 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] pfSense merge with freebsd?
>
>
> > The "god box" is always a bad idea.
>
> Yeah, I told him the "God Box" idea was a bad one. Figured I
> should look
> into it anyways. Right now his pfSense box is a Dell pentium
> III 866Mhz
> (same as the box I'm using right now to make this email) with 256Mb
> SD-100 ram and 5 added in Nics (plus the integrated, for a
> total of 6).
> I had a similar box running a SAMBA domain server and it was
> alright, so
> I thought I'd try to combine the two. But I digress. The God
> Box is out.
> Got that.
>
> As a matter of fact (this is probably a generic BSD question) he wants
> me to do the impossible again: He has an old K6-2 box laying
> around and
> he wants me to put in a 300GB seagate drive to do a network
> back up to.
> I told him the tech is too old to support 300GB (its ATA/UDMA66 or
> whatever; too many titles for the same thing)
> But he read some tidbit on Seagate's site that a mobo BIOS flash or
> using the seagate software will make it so the drive can be used, and
> apparently that means I can do it (completely ignoring the
> fact that the
> hardware came years before even 100 GB drives) and I'm a
> slacker for not
> making it happen.
> So the question is, if I jumper the drive to limit it to 32GB so the
> darn computer will actually boot (the BIOS freezes detecting
> the drive),
> can I get FreeBSD to recognize all 300GB? I probably should check the
> FreeBSD man pages, but being as ill as I am right now, I feel like
> asking you guys first (ya'll seem nice enough ;) )
>
> thanks for the help!
> Anthony
> (stupid flu!)
>
> - Original Message - 
> From: "Andrew Burnette" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, March 09, 2006 6:49 PM
> Subject: Re: [pfSense-discussion] pfSense merge with freebsd?
>
>
> > DarkFoon wrote:
> > > I am curious if it is possible to "merge"-for want of a better
> > > word-pfSense with a FreeBSD install. Why? Well, I have a client who
> > > wants to integrate everything into 1 box if possible. I told him it's not
> > > possible, but I wouldn't be doing my job if I didn't check to see if I
> > > am wrong.
> >
> > You could of course snag the pf rules out of a pfsense box and put in a
> > *bsd box if absolutely required.
> >

Re: [pfSense-discussion] pfSense merge with freebsd?

2006-03-09 Thread DarkFoon
> The "god box" is always a bad idea.

Yeah, I told him the "God Box" idea was a bad one. Figured I should look
into it anyways. Right now his pfSense box is a Dell pentium III 866Mhz
(same as the box I'm using right now to make this email) with 256Mb
SD-100 ram and 5 added in Nics (plus the integrated, for a total of 6).
I had a similar box running a SAMBA domain server and it was alright, so
I thought I'd try to combine the two. But I digress. The God Box is out.
Got that.

As a matter of fact (this is probably a generic BSD question) he wants
me to do the impossible again: He has an old K6-2 box lying around and
he wants me to put in a 300GB seagate drive to do a network back up to.
I told him the tech is too old to support 300GB (it's ATA/UDMA66 or
whatever; too many titles for the same thing)
But he read some tidbit on Seagate's site that a mobo BIOS flash or
using the seagate software will make it so the drive can be used, and
apparently that means I can do it (completely ignoring the fact that the
hardware came years before even 100 GB drives) and I'm a slacker for not
making it happen.
So the question is, if I jumper the drive to limit it to 32GB so the
darn computer will actually boot (the BIOS freezes detecting the drive),
can I get FreeBSD to recognize all 300GB? I probably should check the
FreeBSD man pages, but being as ill as I am right now, I feel like
asking you guys first (y'all seem nice enough ;) )

thanks for the help!
Anthony
(stupid flu!)

- Original Message - 
From: "Andrew Burnette" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, March 09, 2006 6:49 PM
Subject: Re: [pfSense-discussion] pfSense merge with freebsd?


> DarkFoon wrote:
> > I am curious if it is possible to "merge"-for want of a better
> > word-pfSense with a FreeBSD install. Why? Well, I have a client who
> > wants to integrate everything into 1 box if possible. I told him it's not
> > possible, but I wouldn't be doing my job if I didn't check to see if I
> > am wrong.
>
> You could of course snag the pf rules out of a pfsense box and put in a
> *bsd box if absolutely required.
>
> The "god box" is always a bad idea. Generally does everything poorly
> (think of what a fantastic pair of scissors are included in a swiss army
> knife).  I have very very large clients that think the same of optical
> long haul gear, routers, and switches and how they all belong in one
> box. Invariably, they get burned by lousy functionality and cost
> overruns. (yes, think US DoD...)
>
> boxen sufficient for a pfsense firewall are $100 or so from many sources
> (I paid $109 on ebay for the first one, then $100 for a rack mount job
> that fit in my cabinet better).  Same size/capacity box should do for an
> SMB server (sans Big Fantastic Disks of course).
>
> if that's too much $$, then the client likely can't afford you ;-) But,
> isn't that what they pay you for in the first place?
>
> Good luck,
> andy
>
>
>



Re: [pfSense-discussion] pfSense merge with freebsd?

2006-03-09 Thread DarkFoon
I don't know how to program, nor do I know PHP (I could probably learn
it). That's a bit of a roadblock.

And implementing all the SaMBa features that I would need with a nice
webGUI would take me months of PHP. (Unless I just made one big
writeable space and the user would have to know what they're doing and
do it all by hand, but that is less elegant)

And the final nail in that idea's coffin (it is a good idea though) is
that I lack a sufficient platform to develop and test with. My client's
network is not a good place to do it. And my home network uses the
liveCD because I lack a crappy harddrive to install to.

- Original Message - 
From: "Jim Thompson" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, March 09, 2006 12:18 PM
Subject: Re: [pfSense-discussion] pfSense merge with freebsd?


> DarkFoon wrote:
>
> > I am curious if it is possible to "merge"-for want of a better
> > word-pfSense with a FreeBSD install. Why? Well, I have a client who
> > wants to integrate everything into 1 box if possible. I told him it's
> > not possible, but I wouldn't be doing my job if I didn't check to see
> > if I am wrong.
> >
> > Basically, the box needs to be a firewall and SMB server. I like
> > pfSense's webGUI (I would hate to have to write all the pf.conf rules
> > by hand) and all the easy controls it provides for me. (The more I
> > type this email, the less likely it seems that this is possible) So I
> > would like to try to combine the two, if possible. Yes, I am aware of
> > the security and stability implications of this. ("Why is the SMB
> > transfer so slow?" Well, little Timmy is using bittorrent right
> > now...  or  "The internet is down? I can't transfer files?!" The box
> > crashed...)
> >
> >
> Why not just write a package (if one doesn't exist already) for SMB?
> http://www.pfsense.com/screens/package_manager.JPG
>
>
>



[pfSense-discussion] pfSense merge with freebsd?

2006-03-09 Thread DarkFoon



I am curious if it is possible to "merge"-for want 
of a better word-pfSense with a FreeBSD install. Why? Well, I have a client who 
wants to integrate everything into 1 box if possible. I told him it's not 
possible, but I wouldn't be doing my job if I didn't check to see if I am 
wrong.
 
Basically, the box needs to be a firewall and SMB 
server. I like pfSense's webGUI (I would hate to have to write all the pf.conf 
rules by hand) and all the easy controls it provides for me. (The more I type 
this email, the less likely it seems that this is possible) So I would like to 
try to combine the two, if possible. Yes, I am aware of the security and 
stability implications of this. ("Why is the SMB transfer so slow?" Well, little 
Timmy is using bittorrent right now...  or  "The internet is down? I 
can't transfer files?!" The box crashed...)
 
Hey! This gave me an idea for a feature (probably 
after 1.0) how about the ability to export the filter rules as a pf.conf 
file that could be put on another system? Certainly problems would arise if the 
two systems aren't identically configured, but that's what a big warning on the 
webGUI page is for ;) 
 
Anyways, sorry for the long post. I think I am 
coming down with some illness, and my mind is in another state. 
Apologies.
Anthony


Re: [pfSense-discussion] Wierd display problem in IE

2006-03-05 Thread DarkFoon
stupid CTRL+MwheelUP.
You're right. I accidentally (probably when I was selecting files to
delete with CTRL and wheeling around the window) made my font smaller.
But google and my other sites looked normal.



- Original Message - 
From: "Holger Bauer" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, March 05, 2006 7:04 AM
Subject: RE: [pfSense-discussion] Wierd display problem in IE


No Problem here. Check your Fontsize settings of the browser. You
probably have modified them.

Holger

-Original Message-
From: DarkFoon [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 05, 2006 10:19 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Wierd display problem in IE


I probably should have posted this bug before the beta2 release. but
oops on my part. (sorry!)

In IE all the pfsense text is way too small (like 6 font or smaller)
using the pfsense-pulldown "skin".

I have a screenshot, but I don't know how to show it to ya guys.
do I send it as an attachment?









[pfSense-discussion] Wierd display problem in IE

2006-03-05 Thread DarkFoon



I probably should have posted this bug before the 
beta2 release. but oops on my part. (sorry!)
 
In IE all the pfsense text is way too small 
(like 6 font or smaller) using the pfsense-pulldown 
"skin".
 
I have a screenshot, but I don't know how to show 
it to ya guys.
do I send it as an attachment?


Re: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread darkfoon
Well, I have seemed to have fixed it, but the solution makes no sense to me. 
Perhaps it will make more sense to those of you with more networking knowledge 
than I. 

All of the cables leaving the PfSense box went to switches. The one hooked up 
to the LAN had the cable plug into a regular port on the LAN switch, all the 
others were plugged into the "uplink" port on those switches. 

So, when I moved all of the cables from the "uplink" port on the switches, to a 
regular port on those switches, all of a sudden things worked just fine. 

Why? I thought the purpose of the uplink was to connect to a higher "switch" 
(in this case, the PfSense box a.k.a router). The former router (a commercial 
speedstream that the pfsense box replaces) worked just fine with all the 
switches hooked up with the uplink port. Heck, even my pfsense box at home 
worked just fine with my linksys switch using the uplink port. 
what is with this ambiguity?! 

Anyways, thanks to you all for help. I'm sorry if I may have caused any 
problems. 
If anybody knows why what I did works (why the uplink port seems to be a 
curse/miracle) please explain, I would love to know. And besides, if somebody 
ever has the same problem, and they search the mailing lists, they'll find the 
answer. 
Thanks again!
Anthony


 -- Original message --
From: "Bill Marquette" <[EMAIL PROTECTED]>
> So let me get this straight.
> 
> The cable that's plugged into the LAN nic if unplugged from LAN and
> plugged into each of the OPT nics works?  Sounds like a switch or
> cable issue.  Have you tried the reverse?  Plug the cables that are in
> the non-working OPT interfaces into the known working interface (LAN)?
>  And for that matter, plugging the known working cable and the known
> working interface into the switch ports that you are trying to plug
> the OPT interfaces in?
> 
> --Bill
> 
> On 3/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > nope, doesn't fix it. Just upgraded. Still as broke as it was an hour ago.
> > The system is a Dell Optiplex (I can't find the model number at this time)
> > It has a Pentium 3 and a 10 GB harddrive, if that helps at all.
> >
> >
> >  -- Original message --
> > From: "Scott Ullrich" <[EMAIL PROTECTED]>
> > > On 3/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > [snip]
> > > > I'm using Beta 1 right now, because I don't think that upgrading to
> > > > Beta2 would fix this.
> > >
> > > Upgrade.  There was only 91+ fixes between beta1 and beta2 and
> > > countless FreeBSD fixes.
> > >
> > > Scott
> >
> >



Re: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread darkfoon
nope, doesn't fix it. Just upgraded. Still as broke as it was an hour ago.
The system is a Dell Optiplex (I can't find the model number at this time) It 
has a Pentium 3 and a 10 GB harddrive, if that helps at all.


 -- Original message --
From: "Scott Ullrich" <[EMAIL PROTECTED]>
> On 3/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> [snip]
> > I'm using Beta 1 right now, because I don't think that upgrading to Beta2
> > would fix this.
> 
> Upgrade.  There was only 91+ fixes between beta1 and beta2 and
> countless FreeBSD fixes.
> 
> Scott



[pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread darkfoon
I just set up a PfSense firewall for a company, and I seem to be having 
problems with the OPTx interfaces. There are 4 of them, three of which are 
connected to cables which are connected to switches (the fourth OPT i/f is 
currently unused). 

The interfaces are all set up in the webGUI (non conflicting IP addresses and 
all that. Ex: lan = 10.1.1.0/24, OPTx = 10.1.x.0/24, and so on), but the NICs 
show no sign of connection, and this is verified by the interfaces page which 
says "no carrier" under the status part for all the OPTx interfaces.  The 
lights on the cards don't even blink, even though they are all using 
straight-through cables connected to switches, to which the computers connect. 
But here's the strange part: when I unplug the cable hooked up to the LAN 
interface and plug it into any of the other NICs on the PfSense box, that NIC 
all of a sudden lights up and becomes active (from all visible means on the 
box, I can't really check the webGUI at that point anymore).  When I unplug 
the LAN cable and plug back in the cable that's supposed to be connected to 
that interface, the lights go out again. 

I'm using Beta 1 right now, because I don't think that upgrading to Beta2 would 
fix this. 

Please, this is a very urgent matter and any responses that I can get ASAP are 
extremely appreciated. 
Thank you very much in advance.
Anthony


Re: [pfSense-discussion] Timed Rules?

2006-02-22 Thread DarkFoon
If I were to contribute to fixing this particular problem, what kind of
skills would I need? Programming in C, writing PHP, making pretty GUI
webpages?
I'd like to help, but I do not know how to program, nor do I know PHP,
but I have written webpages (yeah, I'm lame)... in notepad.
This seems simple enough for me to work on (famous last words, right?)
which is why I'm interested in helping.

- Original Message - 
From: "Chris Buechler" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, February 22, 2006 7:16 PM
Subject: Re: [pfSense-discussion] Timed Rules?


> Bill Marquette wrote:
> > If you read the OpenBSD lists, that will never be a feature in pf
> > since you can "easily" implement it with tables or anchors and cron.
> > We'll have to do this ourselves.  Waiting on pf to support this means
> > it'll never happen.
> >
>
> ah, thanks Bill.  I believe when Scott and I last discussed it, which
> was 6+ months ago, there was some discussion on it happening.  I could
> be dreaming things up though.  :)
>
>
>



[pfSense-discussion] Timed Rules?

2006-02-22 Thread DarkFoon
I did not notice an option in PfSense that allows a user to set a rule
for certain time periods. Are there any plans for this later on, or
experimental versions with it now?

An example for clarification: block all access until 12:00a (midnight)
then allow access for an hour, and block access until the next midnight.
The above could be implemented with a block rule active all the time,
and in front of it (or above or on top, depending on how you look at it),
a timed allow rule that only activates for the hour between 12:00a and
1:00a; I believe that would be the correct order for operation.

I've thought of a hack to do this, but given my limited knowledge of
PfSense, it probably wouldn't work. Basically, the rule is written to a
file when the user creates it, when the time comes around a cron task
puts the text into the rules, and reloads the config. Then at the time
the rule is supposed to exit, a cron task runs, removes the rule (using
grep), and reloads the config.

Thanks
Anthony
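
The midnight-to-1:00a window described in this post, and the "tables or anchors and cron" approach Bill Marquette points to in the reply above it, can be built without editing the ruleset text with grep: the allow rule lives in a pf anchor that cron loads at the start of the window and flushes at the end. The script below is an added example written for this page (it is not pfSense code and not from the thread). The anchor name `timed`, the interface `xl1`, the network `10.1.1.0/24` and the rules-file path are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from pfSense or from the list thread: a time-limited
# allow rule built from a pf anchor and two cron jobs. The anchor name "timed",
# interface "xl1", network 10.1.1.0/24 and RULES_FILE are hypothetical
# placeholders; adjust them to the real setup.

ANCHOR="timed"
RULES_FILE="/usr/local/etc/pf.timed.conf"

# Fragment for the main ruleset: the anchor sits above the permanent block,
# so whatever is loaded into it is evaluated first. An empty anchor matches
# nothing, so outside the window only the block rule applies.
#   $1 = LAN interface, $2 = LAN network
main_ruleset_fragment() {
    printf 'anchor "%s"\nblock in on %s from %s to any\n' "$ANCHOR" "$1" "$2"
}

# The rule that lives inside the anchor during the allowed hour. "quick" is
# what makes it win: pf is last-match by default, so without it the block
# rule after the anchor would override the pass.
#   $1 = LAN interface, $2 = LAN network
timed_rule() {
    printf 'pass in quick on %s from %s to any keep state\n' "$1" "$2"
}

# Two /etc/crontab lines (the format with a user field): load the anchor's
# rules file at the start hour, flush the anchor's rules at the end hour.
#   $1 = start hour, $2 = end hour (24h clock, same day)
cron_entries() {
    printf '0 %s * * * root /sbin/pfctl -a %s -f %s\n' "$1" "$ANCHOR" "$RULES_FILE"
    printf '0 %s * * * root /sbin/pfctl -a %s -F rules\n' "$2" "$ANCHOR"
}

# Guard against a window that never closes: start must precede end
# within the same day (0 <= start < end <= 23).
valid_window() {
    [ "$1" -ge 0 ] && [ "$1" -lt "$2" ] && [ "$2" -le 23 ]
}

# What the two cron jobs actually run; usable by hand for testing.
enable_window()  { pfctl -a "$ANCHOR" -f "$RULES_FILE"; }
disable_window() { pfctl -a "$ANCHOR" -F rules; }

case "${1:-}" in
    show)
        main_ruleset_fragment xl1 10.1.1.0/24
        timed_rule xl1 10.1.1.0/24
        cron_entries 0 1
        ;;
    enable)  enable_window ;;
    disable) disable_window ;;
    *) ;;
esac
```

`sh timed_rules.sh show` prints the ruleset fragment, the anchor rule (write it to `RULES_FILE`) and the crontab lines; `enable`/`disable` run the same `pfctl` calls cron would, which is the easiest way to confirm the rule appears in `pfctl -a timed -s rules` during the window and is gone afterwards. Because the anchor is loaded and flushed on its own, the main ruleset is never rewritten or reloaded, so existing states and the rest of the policy are untouched.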



Re: [pfSense-discussion] VPN woes

2006-02-18 Thread DarkFoon



Besides, I'm fairly certain that my client does not 
want his franchisees using a browser for the VPN. It defeats the purpose of his 
VPN. He wants them to join the domain, so he can log whether they log in and 
such. And to control their access (but that could be done through the SSL-VPN 
tunnel). They have to be able to join the domain (as in domain 
logon).
It's crazy. I hope there are other options that I 
have, or maybe a little help that doesn't involve SSL-VPN solutions. I'm not 
ruling them out completely yet, but I want to try other options.

  - Original Message - 
  From: DarkFoon
  To: discussion@pfsense.com
  Sent: Saturday, February 18, 2006 5:09 PM
  Subject: Re: [pfSense-discussion] VPN woes

  The Stunnel package won't install on my PFsense box.

  Installing stunnel and its dependencies.
  Downloading package configuration file... done.
  Saving updated package information... done.
  Downloading stunnel and its dependencies... done.
  Checking for successful package installation... failed!

  Installation aborted.

  if there's any more information I could 
  post, please tell me where to look for it, and I will.

- Original Message - 
From: Chad Frerer
To: discussion@pfsense.com
Sent: Saturday, February 18, 2006 4:54 PM
Subject: RE: [pfSense-discussion] VPN woes


Use ssl tunnels 
->  google for “ssl explorer”
 
-chad
 
    



From: DarkFoon [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 18, 2006 5:38 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] VPN woes
 

My client wants VPN for his 
company, so his franchisees can VPN connect to the domain in his office and 
share files or something (he's rather vague about this). 


Right now, I've got his PfSense 
box at my house so I can test it. I'd like to test the VPN from his office, 
but they're behind a router/firewall (a SpeedStream consumer POS). 


 

From what I can tell (and 
Google) PPTP is the easiest to use and I could probably use it from behind 
their firewall/router, but it has some serious flaws: Microsoft patched it 
and it randomly drops connections and is more 
insecure.

 

I'd use IPSec, but IPSec 
requires router/firewall to router/firewall connection (to connect subnets 
to subnets), or so it seems, and I doubt that little crappy SpeedStream even 
knows what VPN means. Besides, we're both on DHCP ISPs, and it sounds like 
that makes things different. Once I switch his office over to the PfSense 
box, I could test it using my m0n0wall box at my house, but I'd 
rather test that it works before I do 
that.

 

OpenVPN, being experimental, is 
at the bottom of my list. I don't really want to deal with that at this 
moment in time, but it sounds like it might make it easier for my client's 
sometimes-computer illiterate franchisees to log in (I tried it with the 
windows GUI on an XP box) ... eventually.

 

After all this complaining, I 
should explain completely what my client wants in the hopes that it will 
help you to help me. Basically, he wants 
to:

a) be able to log into the 
in-office domain from his home and work there without actually having to 
copy the files and such.

and

b) have his franchisees log into 
the in-office domain and put their earnings and other business related 
information in a central place.

 

His access from home would be 
from a laptop with a wireless internet (not wifi, but cingular 3G) 


The franchisees would be 
accessing from personal computers, and possibly from their own offices that 
I could put behind PfSense boxes (but I don't know about the offices part; 
my client has been a little vague in this 
area)

 

ask any questions to help 
further clarify.

Thanks





Re: [pfSense-discussion] VPN woes

2006-02-18 Thread DarkFoon



The Stunnel package won't install on my PFsense 
box.
 
Installing stunnel and its dependencies.
Downloading package configuration file... done.
Saving updated package information... done.
Downloading stunnel and its dependencies... done.
Checking for successful package installation... failed!
 
Installation aborted.
 
 
if there's any more information I could 
post, please tell me where to look for it, and I will.
 

  - Original Message - 
  From: Chad Frerer
  To: discussion@pfsense.com
  Sent: Saturday, February 18, 2006 4:54 PM
  Subject: RE: [pfSense-discussion] VPN woes
  
  
  Use ssl tunnels 
  ->  google for “ssl explorer”
   
  -chad
   
  
  
  
  
  From: 
  DarkFoon [mailto:[EMAIL PROTECTED] Sent: Saturday, February 18, 2006 5:38 
  PMTo: discussion@pfsense.comSubject: [pfSense-discussion] VPN 
  woes
   
  
  My client wants VPN for his 
  company, so his franchisees can VPN connect to the domain in his office and 
  share files or something (he's rather vague about this). 
  
  
  Right now, I've got his PfSense 
  box at my house so I can test it. I'd like to test the VPN from his office, 
  but they're behind a router/firewall (a SpeedStream consumer POS). 
  
  
   
  
  From what I can tell (and Google) 
  PPTP is the easiest to use and I could probably use it from behind their 
  firewall/router, but it has some serious flaws: Microsoft patched it and it 
  randomly drops connections and is more 
  insecure.
  
   
  
  I'd use IPSec, but IPSec requires 
  router/firewall to router/firewall connection (to connect subnets to subnets), 
  or so it seems, and I doubt that little crappy SpeedStream even knows what VPN 
  means. Besides, we're both on DHCP ISPs, and it sounds like that makes things 
  different. Once I switch his office over to the PfSense box, I could test it 
  using my m0n0wall box at my house, but I'd rather test that it works 
  before I do that.
  
   
  
  OpenVPN, being experimental, is at 
  the bottom of my list. I don't really want to deal with that at this moment in 
  time, but it sounds like it might make it easier for my client's 
  sometimes-computer illiterate franchisees to log in (I tried it with the 
  windows GUI on an XP box) ... eventually.
  
   
  
  After all this complaining, I 
  should explain completely what my client wants in the hopes that it will help 
  you to help me. Basically, he wants to:
  
  a) be able to log into the 
  in-office domain from his home and work there without actually having to copy 
  the files and such.
  
  and
  
  b) have his franchisees log into 
  the in-office domain and put their earnings and other business related 
  information in a central place.
  
   
  
  His access from home would be from 
  a laptop with a wireless internet (not wifi, but cingular 3G) 
  
  
  The franchisees would be accessing 
  from personal computers, and possibly from their own offices that I could put 
  behind PfSense boxes (but I don't know about the offices part; my client has 
  been a little vague in this area)
  
   
  
  ask any questions to help further 
  clarify.
  
  Thanks
  
  



[pfSense-discussion] VPN woes

2006-02-18 Thread DarkFoon



My client wants VPN for his company, so his franchisees can VPN connect to
the domain in his office and share files or something (he's rather vague
about this).

Right now, I've got his PfSense box at my house so I can test it. I'd like to
test the VPN from his office, but they're behind a router/firewall (a
SpeedStream consumer POS).

From what I can tell (and Google) PPTP is the easiest to use and I could
probably use it from behind their firewall/router, but it has some serious
flaws: Microsoft patched it and it randomly drops connections and is more
insecure.

I'd use IPSec, but IPSec requires router/firewall to router/firewall
connection (to connect subnets to subnets), or so it seems, and I doubt that
little crappy SpeedStream even knows what VPN means. Besides, we're both on
DHCP ISPs, and it sounds like that makes things different. Once I switch his
office over to the PfSense box, I could test it using my m0n0wall box at my
house, but I'd rather test that it works before I do that.

OpenVPN, being experimental, is at the bottom of my list. I don't really want
to deal with that at this moment in time, but it sounds like it might make it
easier for my client's sometimes-computer illiterate franchisees to log in (I
tried it with the Windows GUI on an XP box) ... eventually.

After all this complaining, I should explain completely what my client wants
in the hopes that it will help you to help me. Basically, he wants to:

a) be able to log into the in-office domain from his home and work there
without actually having to copy the files and such.

and

b) have his franchisees log into the in-office domain and put their earnings
and other business-related information in a central place.

His access from home would be from a laptop with a wireless internet (not
wifi, but Cingular 3G)

The franchisees would be accessing from personal computers, and possibly from
their own offices that I could put behind PfSense boxes (but I don't know
about the offices part; my client has been a little vague in this area)

Ask any questions to help further clarify.

Thanks


[pfSense-discussion] Why is it called pfsense?

2006-02-18 Thread DarkFoon



So I was telling one of my friends the other day about PfSense. At one point,
he stopped me and said, "You know what that stands for, don't you?"
I said, "Duh! 'Packet Filter'"
Then came his reply, "Nononono. It stands for 'Plain F**king sense'"
And then I had to write this email about it.

Sounds like it could be a catchy project motto, or something:
"Packet Filter makes plain f-ing sense, Pfsense"

If this is totally offensive to someone, my apologies. Blame my friend who
wouldn't stop bugging me until I wrote this.


[pfSense-discussion] Newbie rule order question

2006-02-17 Thread DarkFoon


So I (finally) have a pfSense box that I can experiment with (I've been but a
spectator here for the last few months). It has several OPTx interfaces in
it, and I don't want them to communicate with one another.
I have made block rules on each interface blocking outgoing traffic to the
other OPT i/fs and put them before the default "allow all outgoing
connections" rule. Is that the correct order to give me the result I want?
Unfortunately, I cannot test these rules right now because I do not have
enough switches/hubs or computers to hook up each i/f and try to ping a
computer on another i/f.
 


Re: [pfSense-discussion] Polling?

2006-02-15 Thread DarkFoon
One more question about polling,
in PfSense, if I turn on polling, but I have 1 interface that doesn't
support it, does that mean they all don't have polling turned on? Or is it
activated just for the ones that do support it, and the ones that don't use
the regular interrupt system?

- Original Message - 
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, February 15, 2006 7:32 AM
Subject: Re: [pfSense-discussion] Polling?


SUPPORTED DEVICES
 Device polling requires explicit modifications to the device drivers.  As
 of this writing, the bge(4), dc(4), em(4), fwe(4), fwip(4), fxp(4),
 ixgb(4), nge(4), re(4), rl(4), sf(4), sis(4), ste(4), vge(4), vr(4), and
 xl(4) devices are supported, with others in the works.  The modifications
 are rather straightforward, consisting in the extraction of the inner
 part of the interrupt service routine and writing a callback function,
 *_poll(), which is invoked to probe the device for events and process
 them.  (See the conditionally compiled sections of the devices mentioned
 above for more details.)

 As in the worst case the devices are only polled on clock interrupts, in
 order to reduce the latency in processing packets, it is not advisable to
 decrease the frequency of the clock below 1000 Hz.


On 2/14/06, DarkFoon <[EMAIL PROTECTED]> wrote:
>
> I can't seem to find a list of devices that support polling on the site.
> Is it the exact same list as the one for m0n0wall?
> If so, may I recommend that someday somebody make a more detailed list?
> For example, the m0n0wall website says that some support hardware VLAN
> tagging while others support long frames. It implies that these two are
> related, but they sound like different things (to me at least).



Re: [pfSense-discussion] Polling?

2006-02-15 Thread DarkFoon
ah,
man polling
I forgot about that one *blushes*
thanks!

- Original Message - 
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, February 15, 2006 7:32 AM
Subject: Re: [pfSense-discussion] Polling?


SUPPORTED DEVICES
 Device polling requires explicit modifications to the device drivers.  As
 of this writing, the bge(4), dc(4), em(4), fwe(4), fwip(4), fxp(4),
 ixgb(4), nge(4), re(4), rl(4), sf(4), sis(4), ste(4), vge(4), vr(4), and
 xl(4) devices are supported, with others in the works.  The modifications
 are rather straightforward, consisting in the extraction of the inner
 part of the interrupt service routine and writing a callback function,
 *_poll(), which is invoked to probe the device for events and process
 them.  (See the conditionally compiled sections of the devices mentioned
 above for more details.)

 As in the worst case the devices are only polled on clock interrupts, in
 order to reduce the latency in processing packets, it is not advisable to
 decrease the frequency of the clock below 1000 Hz.


On 2/14/06, DarkFoon <[EMAIL PROTECTED]> wrote:
>
> I can't seem to find a list of devices that support polling on the site.
> Is it the exact same list as the one for m0n0wall?
> If so, may I recommend that someday somebody make a more detailed list?
> For example, the m0n0wall website says that some support hardware VLAN
> tagging while others support long frames. It implies that these two are
> related, but they sound like different things (to me at least).



[pfSense-discussion] Polling?

2006-02-14 Thread DarkFoon



I can't seem to find a list of devices that support polling on the site.
Is it the exact same list as the one for m0n0wall?
If so, may I recommend that someday somebody make a more detailed list?
For example, the m0n0wall website says that some support hardware VLAN
tagging while others support long frames. It implies that these two are
related, but they sound like different things (to me at least).



Re: [pfSense-discussion] Clients... ugh

2006-02-02 Thread DarkFoon
wow, that's quite a bit. Thanks for the comprehensive reply.

Indeed I will take a look at those books that you recommended. The problem
is that I'm a college student living on financial aid, so I don't really
have money to buy it, but I will try to find it in the library.

I talked to my client again today, and told him that pfSense would be the
best bet. I did actually look at a commercial solution (more than one,
really), something from D-Link, and I told him the price: $6999.  He
proposed that he just buy 4 firewall/routers (like the little netgear
things) and hook them up. He claimed it would be cheaper for him because, at
about $50 a piece, it would only set him back $200. I guess he figured that
an integrated box (like a WRAP or one of the more powerful ones, most
likely) would cost more than that. I haven't verified, so don't hold me to
supporting that. Like I said before, it sounds simple, inelegant, and
wasteful.

As for preventing viruses from spreading by separating everything.
> The problems don't arise from the things you block, but from what you
> let through.
Indeed, truer words have not been spoken. I think, though, what he is more
worried about is damage control. Like compartmentalizing a ship, if one part
floods, they can close off that section to keep the whole boat from sinking.
So if his kids accidentally get a worm (they're only about 3 years younger
than me, and very computer literate) it doesn't ruin his business.  Besides,
email is more of a threat on the business side, than the kids' side.

Though, I guess VLANs would be affected by the high levels of traffic.


Well, anyways. Thanks very much for your help. I think I'll try to read
those books before I continue on this. I've plenty of other things to work
on that I am better at for the time-being. His firewall solution for now
does its job.
Anthony

- Original Message - 
From: "Rainer Duffner" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, February 01, 2006 4:03 PM
Subject: Re: [pfSense-discussion] Clients... ugh


> DarkFoon wrote:
>
> >Hmm. You have talked a little over my head...  (I do not know what dot1q
> >trunking is, and I have a vague memory of what layer 2 is... *eep*)
> >Anyways
> >
> >>an individual broadcast domain per segment.   Maybe
> >>that is what he wants and/or I'm overlooking something.
> >>
> >I don't think my client would know what that means. (I only have a vague
> >understanding)
> >Networking isn't my strongest point. So, I'm learning a whole lot right
> >now.
> >
>
> That process never stops in this business.
>
> >From what I've looked at, it would seem that a pfSense box best suits my
> >client. I haven't looked at prices for the commercial solutions, but it
> >would appear that even some of the lower-end ones lack some features I
> >need, and are rather pricey.
> >
>
> If firewalls with VLAN-capabilities could be had at WalMart, Netscreen
> wouldn't charge the equivalent of a small house for their top-end gear.
> You will also find it next to impossible to find an online-pricelist
> for, say, Checkpoint's Firewall One.
> (It's also doubtful you would be able to grasp its complexity, I'm
> told...)
>
> >But I'd like to understand one thing first, on the firewall page under
> >pfSense, can I assign different rules for each interface?
> >
>
> Yep.
> Even the most humble
> "Joey-designed-a-linux-firewall-gui"-freshmeat-of-the-week project can
> do this ;-)
> You should checkout freshmeat - there must be hundreds of mostly
> one-shot attempts at creating a GUI for the Linux-firewalling-commands
> (which change every release) and none of them can match or even come
> close to pfSense.
>
> >See, allow me to explain why my client wants the separate ports.  His
> >office network will soon have a domain server with the roaming profiles
> >bells-and-whistles and he wants that to not affect any other computers on
> >the network (I don't think it will). But more importantly, he wants his
> >business network separate from his kids' network (that's my nickname for
> >it) in case one of them contracts the Windows XP "Worm of the Week" and it
> >starts spewing infected packets all over the network (like Sasser, if I
> >understood that one correctly) and infects/crashes his business portion.
> >At least the last part makes sense to me. (I personally use Windows ME, so
> >I avoid all those things by obscurity.)
> >
>
> Good idea - pfSense can do that easily.
> But you need a swit

Re: [pfSense-discussion] Clients... ugh

2006-02-01 Thread DarkFoon
ate networks" he thinks he needs.
> Does this client really need that option?  If the hosts on these
> separate "ports" can talk to each other at all then his theory of
> protecting the other hosts if one gets compromised is pretty much
> debunked.   Unless each port / network is configured to have very
> restrictive rules and can't talk to the others at all then all you're
> really gaining is an individual broadcast domain per segment.   Maybe
> that is what he wants and/or I'm overlooking something.
>
> nb
>
>
>
>
> On Feb 1, 2006, at 3:57 AM, Rainer Duffner wrote:
>
> > DarkFoon wrote:
> >
> >> APPLIANCE! That's the word I was looking for! Thank you!
> >>
> >> Yes, my client means what you said:
> >>
> >>> an appliance, which is "plug, go to web interface, click, click,
> >>> click and it works".
> >>>
> >> He has one of those (appliance) already, but like I said, its some
> >> piece of
> >> crap. It can't do hardly anything. I mean, I use m0n0wall (because
> >> I like
> >> using a CD-ROM instead of a harddisk) and it's got so many
> >> functions that I
> >> don't use. And pfSense has more, but my client could use some of
> >> them.
> >>
> >> I didn't know that I could do pfSense on a WRAP. I thought pfSense
> >> needs a
> >> harddisk (for swap and such), and I thought WRAP uses CF (which
> >> swap will
> >> wear out quickly).
> >> But the idea of a 1u rackmount unit is nice. I'll still look
> >> around for some
> >> commercial appliances that have the same features, but I'll try to
> >> push for
> >> pfSense with this renewed information.
> >>
> >
> >
> > IMO, the only thing that can match and exceed pfSense is a Juniper-
> > Netscreen Appliance.
> > (I think they can do Active-Active clustering for bridging, too).
> > But the bigger ones can be 10x as expensive as a similar machine
> > built with pfSense.
> > Multiply by 2 for a HA-solution...
> > If you can afford it, go Netscreen.
> > If not, pfSense or raw OpenBSD ;-)
> >
> >> My question still stands, though: does anybody know of a commercial
> >> (linksys, d-link, and such) firewall/router appliance (that's so
> >> much faster
> >> to type) with the features my client wants?
> >> thanks
> >>
> >
> > http://www.juniper.net/products/integrated/
> >
> > I see that Tyan now also makes appliance-barebones:
> > http://www.tyan.com/products/html/network.html
> >
> > I'm not sure if the onBoard crypto-accelerator really supports
> > FreeBSD - Cavium do mention FreeBSD on their website and it seems
> > that some boards of the series are actually supported.
> >
> > Those would really make killer-appliances, but I haven't seen them
> > sold anywhere and the price tag is probably high.
> >
> >
> >
> >
> > cheers,
> > Rainer
> >
> >
> >
>
>
>



Re: [pfSense-discussion] Clients... ugh

2006-01-31 Thread DarkFoon
APPLIANCE! That's the word I was looking for! Thank you!

Yes, my client means what you said:
> an appliance, which is "plug, go to web interface, click, click,
> click and it works".
He has one of those (appliance) already, but like I said, it's some piece of
crap. It can't do hardly anything. I mean, I use m0n0wall (because I like
using a CD-ROM instead of a harddisk) and it's got so many functions that I
don't use. And pfSense has more, but my client could use some of them.

I didn't know that I could do pfSense on a WRAP. I thought pfSense needs a
harddisk (for swap and such), and I thought WRAP uses CF (which swap will
wear out quickly).
But the idea of a 1u rackmount unit is nice. I'll still look around for some
commercial appliances that have the same features, but I'll try to push for
pfSense with this renewed information.

My question still stands, though: does anybody know of a commercial
(linksys, d-link, and such) firewall/router appliance (that's so much faster
to type) with the features my client wants?
thanks
Anthony Rossi

- Original Message - 
From: "Dmitry Sorokin" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 31, 2006 10:39 PM
Subject: Re: [pfSense-discussion] Clients... ugh


> Quoting DarkFoon <[EMAIL PROTECTED]>:
>
> > and Secondly, does anybody know of any "hardware" firewall/routers (man,
> > I'm tired of typing that) that have the above features?
> >
> > I'm not trying to snub pfSense; I'd love to use it, but I can't convince
> > him (well, possibly, but he wants me to first look for a "hardware"
> > solution) I am asking here first because I have been watching the mailing
> > list for several months now, and I trust the opinions and information of
> > (most) of the people here. ;)
>
> I think your client means "not regular pc/linux or unix/command line
> solution", but rather an appliance, which is "plug, go to web interface,
> click, click, click and it works". Also from technical point there should
> be no hard disk drive (no file system, that can become inconsistent in
> case of crash or power failure), no peripheral (monitor, keyboard,
> mouse(?)).
> Then pfSense/m0n0wall + WRAP platform is your choice.
> look at http://www.m0n0.ch/wall/gallery.php
> your firewall can be an i386 compatible 1u or 2u 19" rack mountable
> server, or as small as smallest linksys or D-link or netgear box with no
> moving parts.
>
> Hope that helps,
> Dmitry
>
>
>



[pfSense-discussion] Clients... ugh

2006-01-31 Thread DarkFoon



I've got a client who has asked me (among other things) to make him a
router/firewall. Currently he has a "hardware" firewall/router but I told him
that it doesn't support the features he wants. I attempted to persuade him to
use pfSense, but he would rather have a "hardware" (meaning linksys, netgear,
etc.) firewall/router because he thinks they're more secure.

The main features he wants are:

-> "isolated ports". He wants each port on the LAN to be separate from the
others, but all with the same features for each (so each has its own firewall
settings, each has its own DHCP, and so on). Basically, he thinks that with
this, if a "hacker" breaks into the network of one port, he doesn't have
access to computers on the other ports on the firewall/router. (I am not so
certain that this is possible; please, prove me wrong)

-> VPN. He wants franchisees to be able to login over a secure (encrypted)
link and access a special place where they can put sensitive information.

-> DMZ (but that's pretty much standard)

I figure pfSense would be able to do all these, but, like I said, he wants me
to look for "hardware" firewall/routers.

First, can anybody explain the difference (if any) between a computer running
pfSense, and a "hardware" router/firewall? (I didn't think there was one,
except for the ROM chip containing the firewall/router OS)

and Secondly, does anybody know of any "hardware" firewall/routers (man, I'm
tired of typing that) that have the above features?

I'm not trying to snub pfSense; I'd love to use it, but I can't convince him
(well, possibly, but he wants me to first look for a "hardware" solution). I
am asking here first because I have been watching the mailing list for
several months now, and I trust the opinions and information of (most) of the
people here. ;)

Thanks for your help/time.
Anthony Rossi


Re: [pfSense-discussion] block port 25

2005-12-22 Thread DarkFoon
it sounds to me that what he wants is to block packets to/from port 25,
except for outgoing packets to a specific IP address.

- Original Message - 
From: "Holger Bauer" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, December 22, 2005 12:10 AM
Subject: AW: [pfSense-discussion] block port 25


At WAN (Incoming) everything is blocked by default. If you want to send this
port through to a mailserver just create a NAT for this port to this machine
at portforward. Make sure the "autocreate firewall rule" is checked. If you
only want to block port 25 outgoing create a block rule at your LAN
interface that blocks proto tcp, source "not mailserver ip" with any port,
destination any with port 25. This rule has to go above the default allow
lan to any rule.
Another option would be to redirect the port 25 "silently" to your
mailserver like done in this example:
http://www.pfsense.com/screens/redirect_lan_to_another_mail_server.PNG

(btw, this belongs to support@pfsense.com and not [EMAIL PROTECTED]
please use the appropriate list next time)

Holger


> -Original Message-
> From: dny [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 22 December 2005 08:54
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] block port 25
>
>
> is there a way to block all incoming and outgoing access to port 25,
> with only one exception if it is going through a legitimate
> mail server.
>
> how can i accomplish this?
>
> tnx&rgds,
> dny
> www.ngobrol.com
>
> ... but that which cometh out of the mouth,
> this defileth a man.   Mat 15:11
>


Virus checked by G DATA AntiVirusKit
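
Two threads on this page turn on the same point: the "Newbie rule order
question" (block rules to the other OPT interfaces placed above the default
"allow all outgoing" rule) and Holger's port-25 answer (block tcp to port 25
from "not mailserver ip", placed above the default allow-LAN-to-any rule).
pfSense walks an interface's rules top-down and the first match decides, so a
block rule only works if it sits above the pass rule that would otherwise
swallow the traffic. The Python below is an added example written for this
page, not pfSense code or anything posted on the list: a small first-match
evaluator run over both rulesets, with constructed addressing
(192.168.11.0/24 and 192.168.12.0/24 for OPT1/OPT2, 192.168.1.0/24 for LAN,
a mail server at 192.168.1.25, and 203.0.113.5 as a remote host are all
assumptions) and one extra case where the same OPT1 rules are loaded in the
wrong order, showing the block rule being shadowed.

```python
"""First-match rule evaluation, modelled on pfSense per-interface rulesets.

Added example, not pfSense code. Addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addressing for the two scenarios (assumed, not from the posts).
OPT1_NET = ip_network("192.168.11.0/24")
OPT2_NET = ip_network("192.168.12.0/24")
LAN_NET = ip_network("192.168.1.0/24")
MAILSERVER = ip_network("192.168.1.25/32")   # the one host allowed to send SMTP out


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    label: str
    proto: str = "any"                   # "tcp", "udp", "icmp" or "any"
    src: Optional[IPv4Network] = None    # None means "any"
    src_not: bool = False                # the "not" checkbox on the source field
    dst: Optional[IPv4Network] = None
    dport: Optional[int] = None          # None means any destination port

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        # With src_not the rule matches everything *outside* the source network.
        if self.src is not None and ((pkt["src"] in self.src) == self.src_not):
            return False
        if self.dst is not None and pkt["dst"] not in self.dst:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Dict) -> Tuple[str, str]:
    """Walk the interface's rules top-down; the first match decides.
    Nothing matching falls through to the implicit block at the bottom."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


def packet(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = 80) -> Dict:
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": proto, "dport": dport}


# "Newbie rule order question": on OPT1, block anything bound for the other
# OPT subnet first, then the usual "allow all outgoing" rule.
OPT1_RULES = [
    Rule("block", "OPT1 -> OPT2", src=OPT1_NET, dst=OPT2_NET),
    Rule("pass", "default allow OPT1 to any", src=OPT1_NET),
]

# "block port 25": Holger's rule, above the default "allow LAN to any".
LAN_RULES = [
    Rule("block", "smtp from anything but the mailserver", proto="tcp",
         src=MAILSERVER, src_not=True, dport=25),
    Rule("pass", "default allow LAN to any", src=LAN_NET),
]


def run_cases() -> Dict[str, str]:
    """Evaluate both rulesets against constructed traffic; return the decisions."""
    remote = "203.0.113.5"   # documentation range, standing in for an Internet host
    ping = packet("192.168.11.10", "192.168.12.10", "icmp", None)
    cases = {
        "opt1_ping_opt2": (OPT1_RULES, ping),
        "opt1_to_internet": (OPT1_RULES, packet("192.168.11.10", remote)),
        "lan_host_smtp_out": (LAN_RULES, packet("192.168.1.50", remote, dport=25)),
        "mailserver_smtp_out": (LAN_RULES, packet("192.168.1.25", remote, dport=25)),
        "lan_host_http_out": (LAN_RULES, packet("192.168.1.50", remote, dport=80)),
        # Same two OPT1 rules, pass rule on top: the block never gets a look-in.
        "opt1_ping_opt2_wrong_order": (list(reversed(OPT1_RULES)), ping),
    }
    return {name: evaluate(rules, pkt)[0] for name, (rules, pkt) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_cases().items():
        print(f"{name:28s} {decision}")
```

The reversed case is the one worth remembering: the rules are identical, only
their order differs, and the inter-OPT traffic the poster wanted stopped sails
through on the "allow all outgoing" rule before the block is ever consulted.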


