I had promised a couple of people that I'd post results after I tested this
out, so here goes.
I have a Pfsense 0.81 box set up with three realtek cards set up in this
configuration:
rl0: OPT1 (bridged to WAN)
rl1: WAN (static IP address)
rl2: LAN (NAT'd RFC 1918 network)
The
> I would like to point out that it has unfettered access due to the
> default allow all LAN rule. Changing this will allow finer grained
> control.
Yep, sorry I meant to include that point. I tested with a finer tuned set
of LAN rules and, as you might expect, it works just fine.
I'm trying to get an updated squid package out the door using a squid 3.0
release candidate. The new package will also be interfaceable in the
webGUI. Unfortunately, I don't have a projected release date for this. I'm
hoping to have something for people to play with by the end of the month,
but
Dominic,
The pfSense packages are very easy to build. You'll find enough to get you
started in the Developer's Docs part of the website:
http://www.pfsense.org/index.php?id=30
Best,
Gary
-Original Message-
From: D.Pageau [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 07, 2005 9:0
We have been using pfsense for a limited production use for a little while
now. I have said it repeatedly and will say it again, for alpha software,
pfsense is amazingly stable. I would feel comfortable installing 2 boxes in
a hot-failover scenario for wider production use even at this early stag
I have
also seen this behavior on several different machines with no rhyme or reason to
it. I have seen this issue in 0.82.4 as well as 0.84 (I don't remember
off-hand if I saw it happening in a version previous to 0.82.4 or if so, what
version it was).
This
issue does not appear to be
Scott,
It might be useful to turn logging on for mini-httpd (even as an optional
item) and of course to have an init script for instances like these. I've
only had mini-httpd die on me once, but rebooting the machine in order to
bring back the webGUI seems a lot like swatting mosquitos with sting
Important point of note: Snort-Inline is currently a linux-only project. It
works specifically with iptables. A significant amount of development would
be required to make it work with pf.
-Original Message-
From: christiaan [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 17, 2005 6:
19/05, Gary
Buckmaster <[EMAIL PROTECTED]> wrote:
Important point of note: Snort-Inline is currently a linux-only
project. It works specifically with iptables. A significant amount of
development would be required to make it work with pf.
Feel free to write a package for it.
-Original Message-
From: christiaan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 5:27 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] HoneyD
Hi
Any plans for HoneyD in pfsense?
Chris
As has
been mentioned previously on this thread, this kind of "inspection" is simply a
series of regex comparisons compared on the payload data. This can be a
real performance hog at best and extremely insecure at worst. Aside
from a marketing bullet point, this isn't a terribly practical
What
he's talking about is using Squid and a redirector to check inbound http traffic
for viral content. This is a reasonably simple, very effective
solution. Your idea of capturing every single packet, scanning it for
viral content and sending it on its way is not only not feasible, it's a
There
is already a port of p3scan using pf including the requisite freebsd
packages. It does not currently include the latest (just released late last
week) version of p3scan, but it's there and actively being
developed:
http://www.undergroundsecurity.com/p3scan/
-Original Message-
Chris,
I'm
looking at the web page for copfilter and it's a decent enough looking project,
although it seems to be geared more towards virus and spam filtering for email,
and virus filtering of http traffic. Is that an accurate statement?
If so, it will not do the same job that squid+squ
Chris,
The
big problem there is that dansguardian is licensed to be free only for
non-commercial use. The same is true for DCC which is a component of
copfilter. This means that while businesses are using these tools, they're
using them in violation of their license. I don't know how th
bject: Re: [pfSense-discussion] Re: Content Filtering
Gary Buckmaster wrote:
> Chris,
>
> The big problem there is that dansguardian is licensed to be free only
> for non-commercial use. The same is true for DCC which is a component
> of copfilter.
are you sure about DCC?
The
There are lots of superior open source solutions for spam and virus
filtering at the firewall level. The same is true for doing virus filtering
of http traffic. Content Filtering (ie: URL filtering) has several really
good options as well. My personal opinion is that we encourage people who
have
really seen a compelling reason to move away from clamav,
but others may have different viewpoints.
-Original Message-
From: chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 26, 2005 12:24 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] Re: Content Filtering
Gary
http://faq.pfsense.org/index.php?sid=14110&lang=en&action=artikel&cat=10&id=32&artlang=en
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 7:49 PM
To: PfSense Mailing List
Subject: [pfSense-discussion] Blocking by MAC address
I need
You're assuming that IPCop's primary motivation is for supporting only
the highest quality hardware, when in fact they have no such goals.
They are supporting the most common hardware to make a very simple
firewall package that even a mouthbreathing retard can figure out.
Don't assume that si
t are out there, nor
about the intelligence level of ipcop users :-)
On 5/2/06, Gary Buckmaster <[EMAIL PROTECTED]> wrote:
You're assuming that IPCop's primary motivation is for supporting only
the highest quality hardware, when in fact they have no such goals.
They are supporting
Rainer Duffner wrote:
Some firewalls have everything but the kitchen sink (and I'm not sure
if there aren't some who *do* have the kitchen sink...)
cheers,
Rainer
Is there even a P2P blocking tool that's 1) effective 2) stable enough
for a firewall and 3) not encumbered by some dracon
Kirk Ferguson wrote:
On 6/6/06, Gary Buckmaster <[EMAIL PROTECTED]> wrote:
Is there even a P2P blocking tool that's 1) effective 2) stable enough
for a firewall and 3) not encumbered by some draconian license. If
someone has a decent suggestion maybe a package can be made.
DarkFoon wrote:
One quick question: aliases are broken in 1.0 RC-1, right? Just checking.
Thanks in advance
No, aliases are not broken.
jason whitt wrote:
Would it ever be a consideration to make several different embedded
images? For instance one for soekris, warp, and a generic image like
what m0n0wall does? Or at least a generic pc image where vga and
keyboard are enabled and that would boot on just generic pc hardware
with
LAGG isn't supported yet, which means that you're not going to get your
question answered here. LAGG support will be coming with the 1.3
release, however, not with the 1.2 series, so this means it will also
not be in any of the 1.2 release candidates.
Fabio C Flores wrote:
Hello there,
I k
John Dakos [ Enovation Technologies ] wrote:
Hello. I'm a newbie on FreeBSD and I love this system. I want a proxy
and bandwidth limiter. Someone told me to try pfSense.
I downloaded pfSense and I installed it with 2 NICs
re0 = 10.200.1.30 / 24 Lan
re1 = 10.200.1.40 / 24 Wan
on all xp clients i
Javier Enrique Tiá Marín wrote:
Hi:
I'm using pfsense 1.0.1 and I want to use squid with version
2.6.STABLE18. But I can't but this error:
storeDiskdInit: msgget: (28) No space left on device
TIA,
Javier
Don't cross post to lists. This is obviously a support@ question so
keep your support
For those of you who haven't been hitting "reload" on the blog page all
day, pfSense 1.2 has been officially released. This effort is the
culmination of a HUGE effort on behalf of the pfSense development
community. Lots of excellent fixes have made it into pfSense 1.2 check
out the blog (http
Matthias May wrote:
muhammad panji schrieb:
Dear All,
Are there any easy way to detect (or re-detect) a NIC on pfsense? my
NIC is not detected by pfsense after I take the NIC and plug it again.
the NIC itself is in good condition but it is not detected by pfsense.
Thanks
best regards,
Wha
Curtis LaMasters wrote:
This probably is the right place to be asking this but hopefully
someone will still help. Are there any SPAM/eMail filtering devoted
projects like pfSense. I'm just trying to find an extremely cheap
(hopefully free) alternative to a Barracuda for a small company. Than
Lee,
First of all, I'm very glad to hear that the siproxy package is working
so well for you. A lot of people have been needing this package and I
think your experiences serve as good validation for people that this
package is definitely ready for prime time.
Secondly, thank you for the kin
Mike is correct. The ftp helper application cannot, by itself, handle
Multi-WAN. Some people have been successful with writing rules such as
the one that Michael has demonstrated, however YMMV.
Michael Snow wrote:
Hi,
I also had problems with FTP in a multi wan setting. I found a
discuss
This question comes up from time to time and is perpetually (and with
great gusto) shot down. Running services such as Samba, ftpds, et al,
on your firewall are not considered part of best security practices and
are sternly advised against. A firewall should always serve as a
stand-alone devi
Mark Dueck wrote:
Hi everyone,
Is it possible to do website filtering on an Alix board? I setup some
businesses with gateways using squid and dansguardian to blanket block
the internet, and then allowing access on a per ip basis or allow
certain websites for the rest of the users. Is this poss
Eugen Leitl wrote:
On Fri, Nov 07, 2008 at 08:15:36AM -0600, Phillip Gonzalez wrote:
I've seen this happen with nmap decoy scans basically it's a syn
flood. I have generated hundreds of thousands of states using this
method.
Thanks. I've set up state table size to 60 k and occasiona
John,
You don't want to enable sticky connections for outbound load
balancing. There have been reports of problems with this.
Is the common denominator between all the sites you're having problems
with the fact that they're SSL-protected sites? If so you do not want
to load balanced SSL se
Not totally true. It's broken for outbound, but for inbound sticky
connections works fine.
Chris Buechler wrote:
On Thu, Jan 22, 2009 at 3:27 AM, John Dakos [ Enovation Technologies ]
wrote:
hi Ron and thanks for reply
look , i turn ON the sticky connections and for 30 seconds everythin
Nguyen Minh Son wrote:
I have a PC with pfsense was installed on it. I configured my firewall
in transparent mode, added some rules and installed bandwidth to monitor
the traffic in my network and all of it runs okay.
But, now I want to install squid in pfsense to minimize the traffic go
out.
The ins
No, and you should not be using pfSense 1.0.1. It's extremely out of
date and contains many issues that were fixed over the past few years
since its release.
Joe Lagreca wrote:
Why only on the download portion of the test and not the upload portion?
If I switch to pfsense 1.0.1 can I avoid t
Turn off the shaper.
Joe Lagreca wrote:
The problem is the high latency is wreaking havoc with our VOIP PBX.
I know pfSense can work with VOIP, as I have it working at other
customer locations. What do you suggest as a work around to this
problem?
Joe LaGreca
Founder & Owner, BIG Net Online
6