Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
Bill Marquette wrote:

or others that could make use of mechanisms like dynamic allocation of port.

That could cause you problems potentially. But would be no different in any other firewall that didn't already understand your protocol. I regularly force vendors to redesign their applications to not use dynamic ports at work, it's a stupid design and really, there's zero reason to do it (other than sheer laziness on the developers side - or pissy legacy reasons when it comes to FTP, which is still not a good excuse IMO).

Java RMI being one major PITA! We've developers working from home, and trying to get their OpenVPN connections working was a massive PITA.

rant: developers being developers seem to think that security considerations can be swept aside to let them do whatever they need to do. /rant
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
On Dec 24, 2007 5:41 AM, Paul M [EMAIL PROTECTED] wrote:

Bill Marquette wrote:

or others that could make use of mechanisms like dynamic allocation of port.

That could cause you problems potentially. But would be no different in any other firewall that didn't already understand your protocol. I regularly force vendors to redesign their applications to not use dynamic ports at work, it's a stupid design and really, there's zero reason to do it (other than sheer laziness on the developers side - or pissy legacy reasons when it comes to FTP, which is still not a good excuse IMO).

Java RMI being one major PITA!

Yup, that's one of them there bad protocols ;)

We've developers working from home, and trying to get their OpenVPN connections working was a massive PITA. rant: developers being developers seem to think that security considerations can be swept aside to let them do whatever they need to do. /rant

That's users in general. Developers just tend to be in a rush more than most users due to working on projects that are often over-promised and under-manned.

--Bill
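The in-band port negotiation Bill and Paul are complaining about (FTP, and Java RMI behaves the same way) is easiest to see in code. The following is an added example, not code from this thread or from the pfSense project: it parses the FTP control-channel lines that announce a data port, which is exactly what a NAT or stateful firewall has to do (pf's ftp-proxy does this) before it can admit the second connection, and it rejects an announcement that points at a host other than the control-channel peer. The transcript, addresses and ports are constructed samples.

```python
"""Added example, not code from the pfSense thread or project.

A firewall that only tracks "TCP to port 21" never learns the data port,
because the port is announced inside the control connection.  This parser
extracts it the way an FTP helper must, and refuses announcements that
would make the firewall open a connection to a third host (FTP bounce).
All control-channel lines and addresses below are constructed samples."""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): server tells client where to connect
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# PORT h1,h2,h3,h4,p1,p2: client tells server where to connect back (active mode)
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
# 229 Entering Extended Passive Mode (|||port|): RFC 2428, address is implied
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def _hostport(groups):
    """Turn the six comma-separated decimal fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel(line, client_ip, server_ip):
    """Return the data connection a firewall must admit for one control line,
    as (src_ip, dst_ip, dst_port, mode), or None if the line negotiates nothing.

    The advertised endpoint must belong to the peer that sent it; otherwise the
    control channel is being used to aim a connection at a third host, and the
    line is rejected with ValueError, as a sane FTP helper would."""
    m = PASV_RE.match(line)
    if m:
        ip, port = _hostport(m.groups())
        if ip != server_ip:
            raise ValueError(f"PASV advertises {ip}, control peer is {server_ip}")
        return (client_ip, ip, port, "passive")
    m = PORT_RE.match(line)
    if m:
        ip, port = _hostport(m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT advertises {ip}, control peer is {client_ip}")
        return (server_ip, ip, port, "active")
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("EPSV port out of range")
        return (client_ip, server_ip, port, "passive")
    return None


def is_bounce(line, client_ip, server_ip):
    """True when the line advertises an endpoint that is not the control peer
    (or is malformed), i.e. something the helper must refuse."""
    try:
        data_channel(line, client_ip, server_ip)
    except ValueError:
        return True
    return False


def required_rules(transcript, client_ip, server_ip):
    """Walk a control-channel transcript and collect every data connection
    that would have to be allowed dynamically."""
    rules = []
    for line in transcript:
        r = data_channel(line, client_ip, server_ip)
        if r:
            rules.append(r)
    return rules


# Constructed transcript: server 203.0.113.10, client 198.51.100.7
SAMPLE_TRANSCRIPT = [
    "220 ftp ready",
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,195,88)",   # 195*256+88 = 50008
    "PORT 198,51,100,7,19,137",                           # 19*256+137 = 5001
    "229 Entering Extended Passive Mode (|||60123|)",
]

if __name__ == "__main__":
    for r in required_rules(SAMPLE_TRANSCRIPT, "198.51.100.7", "203.0.113.10"):
        print(r)
```

Every tuple printed is a hole the firewall has to punch for a single session, on a port it cannot know in advance, which is why a protocol that does this needs a dedicated helper or a redesign.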
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
Hi, thanks a lot to everybody for coming into this discussion and for sharing their experiences, which convinced me to translate it into a production environment with no problems! Anyway, I still have some little doubts on implementing a DMZ containing all the servers behind NAT. This is because I don't know how pfSense's NAT implementation can handle the new internet applications/protocols like AJAX or web services, or others that could make use of mechanisms like dynamic allocation of ports. Don't you think pfSense (actually NAT) can suffer from this? Again, thanks to everybody! Bye, Paolo
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
On Dec 22, 2007 2:22 AM, Paolo Gentili [EMAIL PROTECTED] wrote:

Anyway i still have some little doubts on implementing a DMZ containing all the servers, behind NAT. This because i don't know how pfsense's NAT implementation can handle the new internet applications/protocols like AJAX or WEB-SERVICES

This is simple HTTP on port 80 (or wherever your web server lives). Nothing new other than its use of the existing TCP port for transit here. What might be useful is describing how your previous firewall was going to handle this.

or others that could make use of mechanisms like dynamic allocation of port.

That could cause you problems potentially. But would be no different in any other firewall that didn't already understand your protocol. I regularly force vendors to redesign their applications to not use dynamic ports at work, it's a stupid design and really, there's zero reason to do it (other than sheer laziness on the developers side - or pissy legacy reasons when it comes to FTP, which is still not a good excuse IMO).

Don't you think pfsense (actually NAT) can suffer this?

1:1 NAT (if you have enough IP space) and then it's just rules you have to add. Inbound, I don't expect you'll run into many of these. Most applications you are likely to run on your server will stick to a single inbound port.

--Bill
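What "1:1 NAT and then it's just rules" looks like underneath pfSense, which generates pf rules from its GUI: the following is an added illustration, not a rule set from this thread or shipped by pfSense. Interface names and addresses are assumed documentation values; in the 1.2 GUI the equivalent is a Firewall > NAT > 1:1 entry plus one WAN rule.

```pf
# Added illustration, not from the thread or from pfSense itself.
# Interface names and addresses are assumed.
ext_if = "em0"
dmz_if = "em1"
web_pub = "203.0.113.5"      # public address taken from the WAN block
web_dmz = "192.168.10.5"     # the server's real address in the DMZ

# 1:1 NAT: the whole address is mapped in both directions
binat on $ext_if from $web_dmz to any -> $web_pub

# pf translates before it filters, so inbound rules on the WAN side
# match the DMZ address, not the public one.
block in on $ext_if
pass in on $ext_if proto tcp from any to $web_dmz port 80 flags S/SA keep state

# An application that picks its listening port at run time would need either
# a helper that learns the port from the control channel, or a hole like the
# commented-out rule below, which gives up most of what the firewall is for:
# pass in on $ext_if proto tcp from any to $web_dmz port 1024:65535 flags S/SA keep state
```

The check worth doing after loading such a rule set is `pfctl -s nat` and `pfctl -s rules` on the box, to confirm the binat entry and the single port-80 pass rule are the only paths to the DMZ host.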
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
I'm in full agreement with Chris. The CD burning issue is not unique to pfSense. It will happen with any system if you have bad compatibility between your CD/DVD burner, media, and your drive reading the result. I've seen it with certain media with many other OSes given the wrong combination. This is not an issue with the OS, pfSense or any other system that has issues with booting from the CD/DVD media after it is burned. I have some media that will repeat this problem almost every time and the same ISO burnt to some other media is rock solid every time. I bet if you verify the md5sum of the media you're having trouble booting from it will show the burn was bad when compared to the original ISO. It's not pfSense.

Ron

On Friday 21 December 2007 8:19:40 pm Chris Buechler wrote: [...]
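Ron's "verify the md5sum of the media" is two separate checks, and the second one has a trap: a drive usually returns run-out padding past the end of the image, so hashing the whole device never matches the ISO. The following is an added example, not code from this thread or from the pfSense project. It checks a downloaded image against a published .md5 file (GNU or BSD style) and reads a burned disc back, hashing only the first len(ISO) bytes. The device path, file names and checksum-file lines are constructed.

```python
"""Added example, not code from the pfSense thread or project.

(1) verify_download: downloaded ISO vs the published .md5 file.
(2) verify_burn: read the disc back and hash exactly len(ISO) bytes, because
    the drive returns padding beyond the image.  A disc that is shorter than
    the image is reported as a bad burn, not as a read error.
Device path, file names and the sample .md5 lines are constructed."""
import hashlib
import io
import os
import re

CHUNK = 1 << 20

# Both checksum-file styles: GNU "hash  name" and BSD "MD5 (name) = hash"
_GNU = re.compile(r"^([0-9a-f]{32})\s+\*?(\S.*)$", re.I)
_BSD = re.compile(r"^MD5 \((.+)\) = ([0-9a-f]{32})$", re.I)


def parse_md5_file(text):
    """Map file name -> lowercase md5 from either checksum-file format."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        m = _GNU.match(line)
        if m:
            out[m.group(2)] = m.group(1).lower()
            continue
        m = _BSD.match(line)
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out


def md5_prefix(data, length=None):
    """md5 of the first `length` bytes (all bytes if None) of a bytes object
    or a binary stream.  Raises EOFError if the source ends before `length`."""
    fp = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    h = hashlib.md5()
    remaining = length
    while remaining is None or remaining > 0:
        buf = fp.read(CHUNK if remaining is None else min(CHUNK, remaining))
        if not buf:
            break
        h.update(buf)
        if remaining is not None:
            remaining -= len(buf)
    if remaining:  # stream ended early: the medium is shorter than the image
        raise EOFError(f"short read, {remaining} bytes missing")
    return h.hexdigest()


def media_matches(media, iso_len, expected_md5):
    """Hash the first iso_len bytes of `media` (bytes or binary stream) and
    compare with the image's md5; a short medium counts as a mismatch."""
    try:
        return md5_prefix(media, iso_len) == expected_md5.lower()
    except EOFError:
        return False


def verify_download(iso_path, md5_path):
    """Compare the downloaded image with its entry in the .md5 file."""
    with open(md5_path) as f:
        published = parse_md5_file(f.read())
    name = os.path.basename(iso_path)
    if name not in published:
        raise KeyError(f"{name} is not listed in {md5_path}")
    with open(iso_path, "rb") as f:
        return md5_prefix(f) == published[name]


def verify_burn(device_path, iso_path):
    """Read the disc back (e.g. /dev/cd0 on FreeBSD, /dev/sr0 on Linux; adjust
    to your system) and compare it with the image it was burned from."""
    iso_len = os.path.getsize(iso_path)
    with open(iso_path, "rb") as f:
        expected = md5_prefix(f)
    with open(device_path, "rb") as dev:
        return media_matches(dev, iso_len, expected)


if __name__ == "__main__":
    # Paths are placeholders for a real run; the unit checks use in-memory data.
    print(verify_download("pfSense-1.2-RC3-LiveCD-Installer.iso",
                          "pfSense-1.2-RC3-LiveCD-Installer.iso.md5"))
    print(verify_burn("/dev/cd0", "pfSense-1.2-RC3-LiveCD-Installer.iso"))
```

If verify_download fails, the problem is upstream of the burner (corrupt download or a tampered image) and no amount of re-burning will fix it; if it passes and verify_burn fails, the media or drive combination is the culprit, which is Ron's point.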
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
I have followed the thread but I don't understand it, not really. I have many pfs 1.2rcx firewalls up and running around the world; what is your mission-critical needed feature? Sorry! Greetings, Heiko

Ron Lockard schrieb: [...]
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
On Wed, 19 Dec 2007 23:05:08 +0100 Paolo Gentili [EMAIL PROTECTED] wrote:

your thoughts or experiences about how much trust can i have on pfsense

Since everyone is just singing praises, I'll add some things to look for ;) Besides running it at home we run it on three production locations, which are two server rooms and one fast growing wireless LAN.

First bad experience: it is really touchy about the quality of your CD burner and blank CDs. This mostly shows as mysterious crashes and kernel panics during boot or later during install. It took us some time to figure that out.

Second bad experience: 1.0.1 leaves hw.ata.wc enabled by default (didn't check 1.2), which ended up with one toasted fs after a power failure. Fortunately config.xml was backed up :)

Third bad experience: once it's up it works rock solid, but there is a kernel panic every now and then during boot or during shutdown. Again, this is 1.0.1, haven't looked at 1.2.

Despite all this, pfSense is still by far the best thing you can get today.

-- Jure Pečar http://jure.pecar.org/
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
I have never had a problem with burning the pfSense ISO to CD. The CD-R brand I use is Memorex. The only stability problem I saw was caused by the network cards. To fix this, simply switch out the network cards for something else until you get a good combination. For best stability it has been recommended on the forum to use Intel network cards. I'm running 1.2RC3 on all the systems I manage. I've used numerous firewalls and pfSense is my favorite, followed by m0n0wall. Best Regards, Mark J Crane

Jure Pečar wrote: [...]
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
Jure Pečar wrote:

Since everyone is just singing praises, I'll add some things to look for ;) Besides running it at home we run it on three production locations, which are two server rooms and one fast growing wireless lan. First bad expirience: it is really touchy about the quality of your cd burner and blank CDs. This mostly shows as misterious crashes and kernel panics during boot or later during install. It took us some time to figure that out.

I know a very small percentage of people have issues of this nature. On dozens of different systems I have used, I've never personally seen it, and the vast majority of users have never seen it.

Second bad expirience: 1.0.1 leaves hw.ata.wc enabled by default (didn't check 1.2), which ended up with one toasted fs after a power failure. Fortunately config.xml was backed up :)

1.2 has that disabled, and also fixed some other issues that caused file system and/or configuration corruption. 1.2 beta/RC has been the recommended version for months now for this reason and others. Unfortunately we can't release 1.0 bug fix updates because we didn't tag that release in CVS; 1.2 will receive interim bug fix updates as necessary to address issues of this nature.

Third bad expirience: once it's up it works rock solid, but there is a kernel panic every now and then during boot or during shutdown. Again, this is 1.0.1, haven't looked at 1.2.

1.2 should be better in that area, but those are likely FreeBSD issues specific to your hardware. If it's something you can replicate with 1.2, it might be worthwhile to install the developer kernel with debugging tools (an option during the install now), and get a back trace. Start a new thread if you want to investigate in the future.

For the original poster: The only really common issue going from a test environment into production, when replacing an existing firewall (which is common to any network device, not pfSense-specific) is ARP caches - your perimeter router, or your ISP's router (depending on the type of connection you have) has an ARP cache with your existing firewall's MAC address. When you change the firewall, it can take several hours for that cache to time out and recognize the new system. On Cisco routers, the ARP cache is 4 hours by default. You may need cooperation from your ISP if you don't have access to that router. If you do have access to the router, you can just power cycle it. Cable and DSL modems commonly require a power cycle to pick up a replaced system. Aside from that, which is common to any firewall migration regardless of software, we haven't seen any widespread issues with going from testing to production.
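Chris's ARP-cache point is the one thing on this page that bites every firewall swap, so here is the mechanism and the check in code. This is an added example, not code from this thread or from the pfSense project: it builds and decodes the gratuitous ARP frame a replacement box (or a CARP failover) broadcasts so that neighbours refresh the cached MAC for the unchanged gateway IP, and it scans a FreeBSD-style `arp -an` listing for an entry still pointing at the old MAC. Addresses, MACs and the listing are constructed samples; whether an upstream router honours an unsolicited ARP reply is up to that router, which is why Chris's power-cycle advice still stands.

```python
"""Added example, not code from the pfSense thread or project.

(1) build_gratuitous_arp / parse_arp: the frame a new firewall broadcasts
    so that hosts caching the gateway IP overwrite the old MAC.
(2) stale_arp_entries: check an `arp -an` listing (FreeBSD format) for an
    entry that still maps the gateway IP to a MAC other than the new one.
Addresses, MACs and the sample listing are constructed."""
import re
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_gratuitous_arp(ip, mac):
    """Ethernet frame carrying an ARP reply whose sender IP == target IP,
    broadcast to everyone: any neighbour caching `ip` updates its entry."""
    smac, sip = mac_bytes(mac), socket.inet_aton(ip)
    eth = BROADCAST + smac + struct.pack("!H", ETH_P_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += smac + sip + BROADCAST + sip
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into its fields plus an is_gratuitous flag."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    smac, sip = frame[22:28], frame[28:32]
    tmac, tip = frame[32:38], frame[38:42]
    return {
        "opcode": op,
        "sender_mac": mac_str(smac),
        "sender_ip": socket.inet_ntoa(sip),
        "target_mac": mac_str(tmac),
        "target_ip": socket.inet_ntoa(tip),
        "is_gratuitous": sip == tip,
    }


# "? (203.0.113.1) at 00:11:22:33:44:55 on em0 expires in 1187 seconds [ethernet]"
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})", re.I)


def stale_arp_entries(arp_output, ip, expected_mac):
    """MACs still cached for `ip` that differ from the replacement firewall's MAC.
    Run against `arp -an` on the upstream router or on a LAN host after the swap."""
    want = expected_mac.lower()
    return [m.group(2).lower() for m in ARP_LINE.finditer(arp_output)
            if m.group(1) == ip and m.group(2).lower() != want]


# Constructed listing: the gateway entry still carries the old firewall's MAC.
SAMPLE_ARP_OUTPUT = """\
? (203.0.113.1) at 00:11:22:33:44:55 on em0 expires in 1187 seconds [ethernet]
? (203.0.113.7) at 00:0c:29:aa:bb:cc on em0 expires in 600 seconds [ethernet]
"""

if __name__ == "__main__":
    frame = build_gratuitous_arp("203.0.113.1", "00:0c:29:de:ad:01")
    print(parse_arp(frame))
    print(stale_arp_entries(SAMPLE_ARP_OUTPUT, "203.0.113.1", "00:0c:29:de:ad:01"))
```

The frame builder is the same thing `arping` or a CARP master does on the wire; sending it needs a raw socket and root, which is deliberately left out here. The listing check is the part to script into a migration runbook: if stale_arp_entries is non-empty a few minutes after the swap, the upstream device is ignoring the gratuitous ARP and needs the cache cleared or a power cycle.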
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
Paolo Gentili wrote:

your thoughts or experiences about how much trust can i have on pfsense

We've got seven boxes doing pfSense: three pairs of 1U servers as firewall clusters protecting public-facing web services, and one acting as a VPN concentrator for road warriors. We rely on CARP and the load balancer to give resilience. When one machine threw a disk, it took less than half an hour to restore functionality. All are 1.2RC3; some began as 1.2RC2. We considered Astaro during early eval, but it would have been expensive to have so many boxes, so we'd have had to compromise on the design of our network; pfSense has thus made it possible to adopt a much more flexible solution. Paul
re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
Paolo, I have a customer running it with over 100 clients and 6 servers and it runs flawlessly. I run it on our production hosting network as well, with 20+ servers and heavy VoIP usage. The only major issues I have run into are with FTP + SSL. Thanks, Bryant

From: Paolo Gentili [EMAIL PROTECTED] Sent: Wednesday, December 19, 2007 5:06 PM To: discussion@pfsense.com Subject: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

Hi all, I'm planning to use pfSense as a multi-WAN and firewall solution for an enterprise network of about 40 desktop PCs and 15 internet servers (with various HTTP/POP3/SMTP/DNS/DHCP services). I have currently installed it on a desktop for learning purposes and I'm testing it with no more than 3 or 4 PCs with no problems, but I'm not sure about its stability when passing to a real case of use with all my network operators. Before doing the critical step of making it my main enterprise internet gateway, I'd like to hear from you your thoughts or experiences about how much trust I can have in pfSense and about passing from the testing phase to production, regardless of the power of the hardware used for running pfSense (which of course has a strong impact on throughput). Bye, Paolo Gentili
RE: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
We were forced to jump from testing to production (our previous firewall bit the dust) with pfSense v0.62.5 (alpha). Remarkably, it was the most stable platform I had tested to date out of numerous open source and commercial offerings. I had it in place and operational within a couple of hours and it ran for almost 6 months (continuously - no reboots) when I upgraded to a later version for more features. We're currently running ~75 PCs, 50 IP Phones, 16 Servers, 4 VLANs, 5 Subnets and 16 VPNs served up across 6 interfaces on the same hardware as 2 years ago. I've got 48d 18h of uptime right now since I took the firewall down to reroute power to that rack. We've had only one crash: a few days after upgrading to 1.0.1 from BETA2, the hard drive went loopy. New hard drive, fresh install and config restore: back up in 15 minutes.

Ted Crow MCP/W2K Information Technology Manager Tuttle Services, Inc.

From: Paolo Gentili [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 19, 2007 5:05 PM To: discussion@pfsense.com Subject: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ? [...]
RE: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
We are using it in 11 sororities and fraternities at the U of I campus, each house having a minimum of 50 to 80 college students using laptops, desktops and other devices (Xbox/TiVo). And pfSense is running perfectly; we will see loads of 100mb for hours at a time on each firewall (dang kids and their music). People beating on the firewall with BitTorrent and other P2P apps, and all the time the traffic shaper is keeping the web surfers happy. It even survived Halo 3 release day. All this on only AMD 2400+ systems with 512 megs of RAM. So I would say yes, pfSense is ready for whatever you want to throw at it. Zach. Hotwire Networks

From: Ted Crow [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 19, 2007 4:51 PM To: discussion@pfsense.com Subject: RE: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ? [...]
RE: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
We currently have 3 pfSense boxes running on our network: two different subnets, and one master to our bonded T1. These are simple P4 (2.4GHz) workstations with 1GB of RAM. We have some 20 servers, 32 public IPs (1-to-1 NAT on a few servers), and about 70 clients. Performance, uptime, and manageability are the three areas I feel pfSense excels in. I would recommend them most anywhere. We even bought 4 M200's from mini-box.com that our remote clients use as a dedicated VPN box. Take care, Nate

From: Paolo Gentili [EMAIL PROTECTED] Sent: Wednesday, December 19, 2007 3:05 PM To: discussion@pfsense.com Subject: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ? [...]