Re: [pfSense] installing a database server

2012-09-21 Thread Moshe Katz
On Friday, September 21, 2012, Vieri wrote:
>
> --- On Fri, 9/21/12, Jostein Elvaker Haande wrote:
>
> > > Hi,
> > >
> > > How "unstable" would it be to install a database server
> > such as MySQL on pfSense?
> > > Why would you not recommend installing MySQL on
> > pfSense, supposing I'd want it to do more than firewalling
> > (apart from the possible MySQL software "security" leaks).
> >
> > Hello Vieri,
> >
> > The whole point of a firewall is to add security to your
> > infrastructure. The way pfSense achieves this, is by acting
> > as a
> > secure entry point for your network. One of the reasons
> > pfSense is
> > secure, is that it only runs a limited set of services,
> > thus
> > minimizing the risk of potential threats posed by flaws in
> > the
> > programs/services running on the pfSense machine.
> >
> > By introducing more programs/services on the pfSense machine
> > that
> > doesn't really have *anything* to do with a firewall, you
> > add an extra
> > unnecessary layer of potential threats that might be exposed
> > if
> > someone gains access to your pfSense box or machines sitting
> > behind
> > it.
> >
> > The simple rule of firewalling: don't run anything that
> > isn't needed
> > on your firewall, keep it simple, keep it safe, and you'll
> > be able to
> > sleep tight at night :)
> >
> > You'd do yourself a *huge* favour by ditching your plans of
> > getting
> > mysql to run on your pfSense, and run it on another machine
> > on your
> > network.
>
> Thanks, I got it. However, suppose I did install it (just for kicks).
> Would the MySQL server installed on pfSense run just as stable as if it
> were installed on a native FreeBSD system? (supposing for a moment that
>  "security" is not an issue - I'm referring to stability and performance)
>
> Vieri
>
> ___
> List mailing list
> List@lists.pfsense.org 
> http://lists.pfsense.org/mailman/listinfo/list
>

Yes, it should be stable.  In testing, I have been able to run all kinds of
other services on a pfSense box that I use for testing.

The main issue will likely be network performance.  As has been discussed
many times on this list in the past, software routing is inherently slower
than routing at a hardware level using purpose-built devices.  Any
additional services running on the firewall/router can usually only reduce
network performance.  That said, you can test easily to determine whether
this will be an issue for you.  If you do simultaneous database- and
network- stress tests, you can compare the results to one-at-a-time tests
of database and network independently.


-- 
--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] apinger gateway down

2012-09-21 Thread sl...@webii.net
On 21.09.2012 16:17, master8...@aol.com wrote:
> If you have a single wan, you could disable gateway monitoring as
> well. The only advantage to using it on single wan is it flushes
> firewall states in the case of outage.
Thanks Jonathon.
That's what I did - disabled gw monitoring, as we have a single wan.
Hope that will keep us up much longer, because we had several such
issues this year, and we cannot afford even one.



Re: [pfSense] apinger gateway down

2012-09-21 Thread master8...@aol.com
What is happening is your gateway is ignoring/dropping the icmp probes 
used by pfSense to verify your gateway is up.


You need to adjust these variables under 
system>>>routing>>>gateways>>>Edit next to your gateway.


Down
This defines the down time for the alarm to fire, in seconds.

Frequency Probe
This defines the frequency in seconds that an icmp probe will be sent. 
Default is 1 second.


Maybe change the frequency probe to 10 seconds and dead time to 2 
minutes. If you have a dual wan, you obviously will want to try and keep 
your dead time lower.


Another solution is to find a monitor ip that doesn't drop pings.

If you have a single wan, you could disable gateway monitoring as well. 
The only advantage to using it on single wan is it flushes firewall 
states in the case of outage.


-Jonathon

On 9/21/2012 7:47 AM, sl...@webii.net wrote:
> On 21.09.2012 02:56, Vick Khera wrote:
> > On Tue, Sep 18, 2012 at 5:11 PM, sl...@webii.net wrote:
> >
> > > Hi,
> > >
> > > Once in a while we got such errors:
> > >
> > >  apinger: : WANGW(x.x.x.1)  *** WANGWdown ***
> > >  apinger: ALARM: WANGW(x.x.x.1)  *** WANGWdown ***
> > >  apinger: alarm canceled: WANGW(x.x.x.1)  *** WANGWdown ***
> >
> > What were the timestamps on those?  And did pfsense actually mark
> > your WAN GW as down?
>
> Here is the log:
> 04:07:59 pfs1 apinger: : WANGW(x.x.x.1)  *** WANGWdown ***
> 04:08:09 pfs1 check_reload_status: Reloading filter
> 04:13:17 pfs1 apinger: alarm canceled: WANGW(x.x.x.1)  *** WANGWdown ***
> 04:13:27 pfs1 check_reload_status: Reloading filter
> 04:15:38 pfs1 apinger: ALARM: WANGW(x.x.x.1)  *** WANGWdown ***
> 04:15:48 pfs1 check_reload_status: Reloading filter
> 04:16:38 pfs1 apinger: alarm canceled: WANGW(x.x.x.1)  *** WANGWdown ***
> 04:16:48 pfs1 check_reload_status: Reloading filter
>
> > Single random pings fail from time to time, as do all packets that
> > get sent over the wires.
> No, interface is down, and no packets can be sent over via that
> pfsense instance.
> I switch traffic manually to a spare pfsense, and can see that apinger
> has marked WANGW down.
> Providers told they haven't had any outages. I'm not sure if this is
> pfsense misconfiguration.
>
> Thanks.





Re: [pfSense] installing a database server

2012-09-21 Thread Vieri


--- On Fri, 9/21/12, Jostein Elvaker Haande wrote:

> > Hi,
> >
> > How "unstable" would it be to install a database server
> such as MySQL on pfSense?
> > Why would you not recommend installing MySQL on
> pfSense, supposing I'd want it to do more than firewalling
> (apart from the possible MySQL software "security" leaks).
> 
> Hello Vieri,
> 
> The whole point of a firewall is to add security to your
> infrastructure. The way pfSense achieves this, is by acting
> as a
> secure entry point for your network. One of the reasons
> pfSense is
> secure, is that it only runs a limited set of services,
> thus
> minimizing the risk of potential threats posed by flaws in
> the
> programs/services running on the pfSense machine.
> 
> By introducing more programs/services on the pfSense machine
> that
> doesn't really have *anything* to do with a firewall, you
> add an extra
> unnecessary layer of potential threats that might be exposed
> if
> someone gains access to your pfSense box or machines sitting
> behind
> it.
> 
> The simple rule of firewalling: don't run anything that
> isn't needed
> on your firewall, keep it simple, keep it safe, and you'll
> be able to
> sleep tight at night :)
> 
> You'd do yourself a *huge* favour by ditching your plans of
> getting
> mysql to run on your pfSense, and run it on another machine
> on your
> network.

Thanks, I got it. However, suppose I did install it (just for kicks). Would the 
MySQL server installed on pfSense run just as stable as if it were installed on 
a native FreeBSD system? (supposing for a moment that  "security" is not an 
issue - I'm referring to stability and performance)

Vieri



Re: [pfSense] installing a database server

2012-09-21 Thread Ryan Rodrigue

> -Original Message-
> From: list-boun...@lists.pfsense.org [mailto:list-
> boun...@lists.pfsense.org] On Behalf Of Vieri
> Sent: Friday, September 21, 2012 7:29 AM
> To: list@lists.pfsense.org
> Subject: [pfSense] installing a database server
> 
> Hi,
> 
> How "unstable" would it be to install a database server such as MySQL on
> pfSense?
> Why would you not recommend installing MySQL on pfSense, supposing I'd
> want it to do more than firewalling (apart from the possible MySQL
> software "security" leaks).
> 
> Thanks,
> 
> Vieri
> 


I have no clue as to your answer.  As an alternative, have you considered
setting up a hypervisor (such as VMware ESXi) and running pfSense as a
virtual machine?  You could then run whatever other servers you would like
and still have them in one box.



Re: [pfSense] installing a database server

2012-09-21 Thread Jostein Elvaker Haande
On 21 September 2012 14:29, Vieri wrote:
> Hi,
>
> How "unstable" would it be to install a database server such as MySQL on 
> pfSense?
> Why would you not recommend installing MySQL on pfSense, supposing I'd want 
> it to do more than firewalling (apart from the possible MySQL software 
> "security" leaks).

Hello Vieri,

The whole point of a firewall is to add security to your
infrastructure. The way pfSense achieves this, is by acting as a
secure entry point for your network. One of the reasons pfSense is
secure, is that it only runs a limited set of services, thus
minimizing the risk of potential threats posed by flaws in the
programs/services running on the pfSense machine.

By introducing more programs/services on the pfSense machine that
doesn't really have *anything* to do with a firewall, you add an extra
unnecessary layer of potential threats that might be exposed if
someone gains access to your pfSense box or machines sitting behind
it.

The simple rule of firewalling: don't run anything that isn't needed
on your firewall, keep it simple, keep it safe, and you'll be able to
sleep tight at night :)

You'd do yourself a *huge* favour by ditching your plans of getting
mysql to run on your pfSense, and run it on another machine on your
network.

-- 
Yours sincerely Jostein Elvaker Haande
"A free society is a place where it is safe to be unpopular"
- Adlai Stevenson

http://tolecnal.net -- tolecnal at tolecnal dot net
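
One way to check the "don't run anything that isn't needed" rule from the reply above on a running box, as an added example that is not part of the original thread: parse `sockstat -4 -6 -l` output and report listeners outside a baseline. The sample output and the `ALLOWED` baseline are constructed for illustration and are assumptions, not pfSense defaults.

```python
# Constructed `sockstat -4 -6 -l` output in FreeBSD's column layout; not from a real host.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   1234  10 tcp4   *:443                 *:*
root     sshd       900   4  tcp4   *:22                  *:*
nobody   dnsmasq    1500  5  udp4   *:53                  *:*
nobody   dnsmasq    1500  6  tcp4   *:53                  *:*
mysql    mysqld     2211  12 tcp4   *:3306                *:*
mysql    mysqld     2211  13 tcp4   127.0.0.1:3307        *:*
"""

# Assumed baseline for this example: daemons the firewall role itself needs.
ALLOWED = {"lighttpd", "sshd", "dnsmasq", "ntpd"}
LOOPBACK = ("127.", "::1")


def parse_listeners(text):
    """Turn sockstat rows into dicts; skips the header and malformed lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local = fields[:6]
        addr, _, port = local.rpartition(":")
        rows.append({"user": user, "command": command, "pid": pid,
                     "proto": proto, "addr": addr, "port": port})
    return rows


def unexpected(rows, allowed=ALLOWED):
    """Map each non-baseline command to its sockets as (proto, addr:port, exposed)."""
    findings = {}
    for r in rows:
        if r["command"] in allowed:
            continue
        # Bound beyond loopback; the pf ruleset still decides who can reach it.
        exposed = not r["addr"].startswith(LOOPBACK)
        findings.setdefault(r["command"], []).append(
            (r["proto"], f'{r["addr"]}:{r["port"]}', exposed))
    return findings


if __name__ == "__main__":
    for cmd, socks in unexpected(parse_listeners(SAMPLE)).items():
        for proto, local, exposed in socks:
            state = "EXPOSED" if exposed else "loopback only"
            print(f"{cmd:10} {proto} {local:18} {state}")
```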


[pfSense] installing a database server

2012-09-21 Thread Vieri
Hi,

How "unstable" would it be to install a database server such as MySQL on 
pfSense?
Why would you not recommend installing MySQL on pfSense, supposing I'd want it 
to do more than firewalling (apart from the possible MySQL software "security" 
leaks).

Thanks,

Vieri



Re: [pfSense] apinger gateway down

2012-09-21 Thread sl...@webii.net
On 21.09.2012 02:56, Vick Khera wrote:
> On Tue, Sep 18, 2012 at 5:11 PM, sl...@webii.net wrote:
>
> Hi,
>
> Once in a while we got such errors:
>
>  apinger: : WANGW(x.x.x.1)  *** WANGWdown ***
>  apinger: ALARM: WANGW(x.x.x.1)  *** WANGWdown ***
>  apinger: alarm canceled: WANGW(x.x.x.1)  *** WANGWdown ***
>
>
> What were the timestamps on those?  And did pfsense actually mark your
> WAN GW as down? 
Here is the log:
04:07:59 pfs1 apinger: : WANGW(x.x.x.1)  *** WANGWdown ***
04:08:09 pfs1 check_reload_status: Reloading filter
04:13:17 pfs1 apinger: alarm canceled: WANGW(x.x.x.1)  *** WANGWdown ***
04:13:27 pfs1 check_reload_status: Reloading filter
04:15:38 pfs1 apinger: ALARM: WANGW(x.x.x.1)  *** WANGWdown ***
04:15:48 pfs1 check_reload_status: Reloading filter
04:16:38 pfs1 apinger: alarm canceled: WANGW(x.x.x.1)  *** WANGWdown ***
04:16:48 pfs1 check_reload_status: Reloading filter

> Single random pings fail from time to time, as do all packets that get
> sent over the wires.
No, interface is down, and no packets can be sent over via that pfsense
instance.
I switch traffic manually to a spare pfsense, and can see that apinger
has marked WANGW down.
Providers told they haven't had any outages. I'm not sure if this is
pfsense misconfiguration.

Thanks.
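
The log quoted in the post above, turned into outage windows, as an added example that is not part of the original thread: it pairs each apinger alarm with its "alarm canceled" line and reports how long the gateway was marked down and how soon the next alarm followed. It assumes all timestamps fall on the same day and that the first line, whose label is empty as archived, opens an alarm; `flap_window` is a hypothetical threshold.

```python
import re
from datetime import datetime

# Log lines as quoted in the post above (gateway address masked by the poster).
LOG = """\
04:07:59 pfs1 apinger: : WANGW(x.x.x.1)  *** WANGWdown ***
04:08:09 pfs1 check_reload_status: Reloading filter
04:13:17 pfs1 apinger: alarm canceled: WANGW(x.x.x.1)  *** WANGWdown ***
04:13:27 pfs1 check_reload_status: Reloading filter
04:15:38 pfs1 apinger: ALARM: WANGW(x.x.x.1)  *** WANGWdown ***
04:15:48 pfs1 check_reload_status: Reloading filter
04:16:38 pfs1 apinger: alarm canceled: WANGW(x.x.x.1)  *** WANGWdown ***
04:16:48 pfs1 check_reload_status: Reloading filter
"""

APINGER = re.compile(r"^(\d\d:\d\d:\d\d) \S+ apinger: (.*?): (\w+)\(")


def outages(log):
    """Pair each alarm with its 'alarm canceled' line: [(gateway, start, end)]."""
    pending, done = {}, []
    for line in log.splitlines():
        m = APINGER.match(line)
        if not m:
            continue  # other daemons, e.g. check_reload_status
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        label, gw = m.group(2).strip(), m.group(3)
        if label == "alarm canceled":
            if gw in pending:
                done.append((gw, pending.pop(gw), ts))
        else:
            # "ALARM", or the empty label on the first archived line:
            # assumed here to open an alarm.
            pending.setdefault(gw, ts)
    return done


def summary(log, flap_window=300):
    """Per outage: seconds down, seconds since the previous one cleared, flap flag."""
    out, last_end = [], {}
    for gw, start, end in outages(log):
        gap = int((start - last_end[gw]).total_seconds()) if gw in last_end else None
        out.append({"gw": gw, "start": start.strftime("%H:%M:%S"),
                    "down_s": int((end - start).total_seconds()),
                    "gap_s": gap, "flap": gap is not None and gap <= flap_window})
        last_end[gw] = end
    return out


if __name__ == "__main__":
    for row in summary(LOG):
        print(row)
```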
