Re: [pfSense-discussion] tool you might want to include in pfsense

2005-09-22 Thread Travis H.
Well it's not set in stone. C seems too unsafe a language to me in which to write security applications. -- http://www.lightconsulting.com/~travis/ -- GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

Re: [pfSense-discussion] Payload inspection

2005-09-29 Thread Travis H.
On 9/21/05, A Rossi wrote: I was thinking of payload inspection as a way to check to see if the payload contains requested data (like HTML, or mp3 or whatever the user is downloading) to make sure that it doesn't contain infected data (with a worm or such) that is

Re: [pfSense-discussion] block vs reject?

2005-09-29 Thread Travis H.
On 9/26/05, Greg Hennessy wrote: So it's safe to assume that internet - WAN stuff should be blocked. But for internal access between my LAN/OPT interfaces and outbound WAN I can use reject and it wouldn't be considered bad form? Hmm, rejecting on the outbound WAN link?

Re: [pfSense-discussion] What about a Ramdisk?

2005-09-30 Thread Travis H.
I want to mention that you can also use SOCKS as a proxy. Many clients support this non-transparently (as a configuration option), and you could maybe even do it transparently. Keeping the proxy on the gateway host will reduce the latency compared with having it on a separate host (TCP

Re: [pfSense-discussion] What about a Ramdisk?

2005-09-30 Thread Travis H.
Note that not all proxies are equal: I have found that some HTTP proxies work with GET/POST/HEAD but don't support CONNECT, which is essential for streaming. Yes. We are speaking about Squid, aren't we? You may be. I'm speaking generally of HTTP proxies. I do not know the details of

Re: [pfSense-discussion] authpf package

2005-10-28 Thread Travis H.
ssh needs to be open on the WAN interface, and all users that have a real shell could be disabled for security concerns. Be careful when trying to disable users via their login shell: http://www.csh.rit.edu/~psionic/articles/ssh-security/ -- http://www.lightconsulting.com/~travis/ -- We already have

Re: [pfSense-discussion] Restricted viewing...

2005-11-04 Thread Travis H.
http://www.loganalysis.org/ For all your log analysis needs. -- http://www.lightconsulting.com/~travis/ -- We already have enough fast, insecure systems. -- Schneier & Ferguson GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

Re: [pfSense-discussion] Hamachi and PFSense

2006-08-19 Thread Travis H.
On 8/18/06, Chris Godwin wrote: If I disable the bimap while pinging, the pings still come through. Because the state for the outbound ICMP echo request is still in the state table. If I disconnect and reconnect hamachi after the bimap has been deleted the hosts become

Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-08-31 Thread Travis H.
On 8/29/06, DarkFoon wrote: I was looking through my XML configuration recently, and I noticed that my Dynamic DNS password is not encrypted like the PFsense password is. It seems to me that this is a rather important password and should be encrypted (if possible). This is

Re: [pfSense-discussion] need some advice/help on multiple WAN subnet

2006-09-24 Thread Travis H.
Ewww, HTML in email. You are aware of the dangers of using a browser to read email, right? I am also trying to avoid cascading pfsense boxes, like routing from one to another, and the second doing the NAT - as it is the opposite of high availability. The way this is normally done for HA

Re: [pfSense-discussion] IDS yet?

2006-10-03 Thread Travis H.
On 9/20/06, Sam Newnam wrote: I've read a couple places but couldn't find a clear answer to whether SQUID or another intrusion detection system had been integrated yet. SQUID is a cache, not a NIDS. -- Enhance your calm, fellow citizen; it's just ones and zeroes. Unix guru for

Re: [pfSense-discussion] IDS yet?

2006-11-03 Thread Travis H.
On 10/6/06, Chris Buechler wrote: Scott Ullrich wrote: It is a delayed IDS. Generally an IPS hooks into the network stack directly and does not allow the traffic to pass through until it's scanned. Yep, sometimes these are called intrusion reaction systems, reactive

Re: [pfSense-discussion] IDS yet?

2006-11-03 Thread Travis H.
Going through some old email, sorry for the anachronism. On 10/4/06, Bill Marquette wrote: Sorry, but I do not agree totally with you: the thing I love with pfSense is that it is possible to install it everywhere, so it could be a _real_ competitor to enterprise products