Re: [pfSense] A unique problem requires a unique solution. PFsense behind shorewall
On 5-9-2013 13:09, Asim Ahmed Khan wrote:
> Hi,
>
> Let me first briefly explain my setup. I have a redundant internet link from two ISPs. Before pfSense, I was using two gateway boxes, one for each internet link. Each box is CentOS, with Shorewall + Squid. I have certain rules imposed on each box. Each box has two NICs, one for the public IP from the ISP, and one for the LAN.
>
> Now, to implement failover and a few other things, I set up a pfSense box. Now the network is like this: both gateway boxes' public interfaces have been reconfigured on a different subnet which is shared by pfSense's local NIC, i.e. both old gateways get internet from pfSense instead of the ISPs.
>
> Now what I need to do (or at least know if it is possible) is to be able to see who on my LAN is consuming the most bandwidth. pfSense provides bandwidthd for that. But the problem is, pfSense only sees the two clients connecting to it, and those are the public interfaces of the gateway boxes. So I can't get the real picture. Is there any way pfSense can see who is actually sending requests to pfSense through the public interface of a gateway?

Maybe I'm mistaken here, but the Shorewall devices are behind your pfSense firewall and they perform NAT, making only those 2 addresses visible. If that is the case, you need to set up static routes on pfSense and drop the NAT on the gateway boxes.

I'm not understanding too well why you don't put everything into one box, or maybe add CARP for failover. This seems very convoluted.

Regards,
Seth

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
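Seth's fix (drop the NAT on the gateway boxes and add static routes on pfSense) is the clean answer. If the NAT has to stay for a while, the per-host picture can still be reconstructed by joining pfSense-side flow records with the gateways' connection tracking tables: the reply direction of each conntrack entry carries exactly the post-NAT 5-tuple pfSense sees. The script below is an added example, not from the original thread and not pfSense or Shorewall code. It assumes a conntrack dump from each CentOS gateway (`conntrack -L` style) and flow records with byte counts from the pfSense side (for instance from a NetFlow exporter); both inputs here are constructed.

```python
"""Attribute pfSense-side flows to the real LAN hosts behind NAT gateways.

Added example, not from the original thread and not pfSense/Shorewall code.
Assumption: the gateway's conntrack table and pfSense-side flow records with
byte counts are available; the data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed in the style of `conntrack -L` output on a CentOS gateway whose
# pfSense-facing address is 10.0.0.2. Original direction first, reply second.
CONNTRACK_GW1 = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=80 src=93.184.216.34 dst=10.0.0.2 sport=80 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.25 dst=93.184.216.34 sport=40001 dport=443 src=93.184.216.34 dst=10.0.0.2 sport=443 dport=40001 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=8.8.8.8 sport=53000 dport=53 src=8.8.8.8 dst=10.0.0.2 sport=53 dport=53000 mark=0 use=1
"""

# Constructed pfSense-side flow records: (proto, src, sport, dst, dport, bytes).
# The last one has no conntrack entry (e.g. the snapshot was taken too late).
PFSENSE_FLOWS = [
    ("tcp", "10.0.0.2", 51234, "93.184.216.34", 80, 1_500_000),
    ("tcp", "10.0.0.2", 40001, "93.184.216.34", 443, 250_000),
    ("udp", "10.0.0.2", 53000, "8.8.8.8", 53, 800),
    ("tcp", "10.0.0.2", 60000, "203.0.113.9", 22, 9_000),
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """Map the post-NAT 5-tuple (as pfSense sees it) to the original LAN source.

    Keys such as src/dst/sport/dport occur twice per line: first for the
    original direction, then for the reply direction. In the reply direction
    dst/dport is the NAT'd source and src/sport is the remote peer.
    """
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        vals = defaultdict(list)
        for key, value in _KV.findall(line):
            vals[key].append(value)
        if len(vals["src"]) < 2:
            continue  # not a full conntrack entry
        orig_src = vals["src"][0]
        remote, remote_port = vals["src"][1], int(vals["sport"][1])
        nat_src, nat_port = vals["dst"][1], int(vals["dport"][1])
        table[(proto, nat_src, nat_port, remote, remote_port)] = orig_src
    return table


def attribute_bytes(flows, nat_table):
    """Sum bytes per real LAN host; flows without a conntrack match stay
    charged to the NAT address so the gap is visible rather than silent."""
    usage = defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in flows:
        host = nat_table.get((proto, src, sport, dst, dport), src)
        usage[host] += nbytes
    return dict(usage)


def top_talkers(usage, n=5):
    return sorted(usage.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    table = parse_conntrack(CONNTRACK_GW1)
    for host, nbytes in top_talkers(attribute_bytes(PFSENSE_FLOWS, table)):
        print(f"{host:16} {nbytes:>10} bytes")
```

The join only works while the conntrack entry still exists, so the two snapshots have to be taken close together (a cron job on the gateways that dumps conntrack every minute is enough for bandwidth accounting). Anything that lands on the NAT address in the result is traffic the correlation could not attribute, which is the reason to prefer Seth's routed setup.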
Re: [pfSense] A unique problem requires a unique solution. PFsense behind shorewall
The point of setting up this way is that pfSense does not offer the kind of web content filtering which we need and Squid provides. I know I can set up Squid on the pfSense box as well. But not being very expert in pfSense, I don't want to open too many fronts and start fighting on all of them at once.

- Asim

On Thu, Sep 5, 2013 at 5:08 PM, Seth Mos seth@dds.nl wrote:
> Maybe I'm mistaken here, but the Shorewall devices are behind your pfSense firewall and they perform NAT, making only those 2 addresses visible. If that is the case, you need to set up static routes on pfSense and drop the NAT on the gateway boxes.
>
> I'm not understanding too well why you don't put everything into one box, or maybe add CARP for failover. This seems very convoluted.
>
> Regards,
> Seth

--
Regards,
Asim Ahmed Khan
Senior Manager IT Cloud Services, Folio3 Pvt. Ltd
Ph: 021-34323721 Cell: 03452109368
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On 9/4/2013 8:33 PM, Robert Guerra wrote:
> Curious on people's comments on types of routers, firewalls and other appliances that might be affected, as well as mitigation strategies.
>
> Would installing pfSense and/or another open source firewall be helpful in any way at a home net location?

The text you sent seems to primarily focus on infrastructure routers -- those used at ISPs, peering points, etc. Home routers are a different breed, but suffer the same or more problems. Aside from the example Chris gave, here's another good one from earlier this year:

http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp

But it doesn't matter if the vendors issue a patch; people actually have to install the update to fix it, and odds are high that typical end users have no idea that is even possible or something they have to do.

Jim
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On Sep 5, 2013, at 7:57 AM, Jim Pingle li...@pingle.org wrote:
> But it doesn't matter if the vendors issue a patch; people actually have to install the update to fix it, and odds are high that typical end users have no idea that is even possible or something they have to do.

This speaks to a service that keeps the software updated.
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On 9/5/2013 9:43 AM, Jim Thompson wrote:
> On Sep 5, 2013, at 7:57 AM, Jim Pingle li...@pingle.org wrote:
>> But it doesn't matter if the vendors issue a patch; people actually have to install the update to fix it, and odds are high that typical end users have no idea that is even possible or something they have to do.
>
> This speaks to a service that keeps the software updated.

Cisco/Linksys caught a lot of flak for doing that [1][2]. Shipping with an auto-update flag on can be unexpected and dangerous, but if it's shipped off, it would probably never be turned on by those who need it most. For many end users it does make sense, but then again that's also yet another channel that can be exploited to compromise the router, too.

Jim

[1] http://www.zdnet.com/cisco-connect-cloud-chaos-700282/
[2] http://www.computerworld.com/s/article/9228687/Linksys_firmware_upgrade_for_Wi_Fi_routers_angers_some_users
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
The $Customer will have his pizza and entertainment well served, functioning, and NOW, for $0 cost. So how will you provide security under these circumstances? Impossible.

Besides the fact that this entire NSA story is funny as hell. Why? Deal with it; deal with the world you (the crowd) would like to have. You were already warned. More than once.

Do you really care about security? Yes? That's funny in times where big companies like T-Com are shipping their OEM-ed Netgear hardware with all credentials printed on the back side. There they are: SSID, WLAN WPA2 key, MAC. What more do you need? So the customer isn't interested in security. The workers at the backbones are customers too; they also use this shit and they didn't care about it. Only a few people like us care about it; otherwise it wouldn't be possible for the NSA to spread their tentacles so far. So forget about it. Don't worry, be happy. Netgear, for fun, called their app for mobiles "Genie". lol

The customers (the crowd) called the people that warned them paranoid idiots. OTOH they dictate that you invent and make bullshit, even if you pointed out the bullshit and its consequences. They like to get bullshit, so they should get it. Without my help, please. I stopped working in those areas after I got pressed into making too much bullshit. This is not only spread in the B2C market; it's spread all around. Even where there are planned-out times for exactly this ("upgrade the backbone switches"), the planned times don't get used for it. "Huh, it's too dangerous", "huuuhh, it will not work afterwards". I answered all such sayings with: fine, silence, we need more of it.

So do not care too much about it. Make a business out of it and specialize, at a certain point, in closing security holes the easy way, just by upgrading. Tell them about some black magic and things they would never understand, and that those things are so crazy that they are close to God. Maybe they believe you then, and maybe they honor your work, not just for the fact that everything runs.

=

Also interesting: ACPI hypervisor trojans. I watched the 2004-2007 goings-on at Black Hat around http://en.wikipedia.org/wiki/Blue_Pill_(software) and afterwards the proof-of-concept ACPI VM trojan got taken off the net. Everything seemed cleaned up. Though I am not sure if I have a backup. lol

What about ACPI and switches/routers and the VMM capabilities of their CPUs? If that ACPI-VMM thingy is in the hands of intelligence agencies, we must no longer care only about operating systems and customer software. Any ideas on this?

= = =
http://michael-schuh.net/
Projektmanagement - IT-Consulting - Professional Services IT
Rev. Michael Schuh, Ordained Dudeist Priest (http://dudeism.com/)
Postfach 10 21 52, 66021 Saarbrücken
= = =

2013/9/5 Jim Pingle li...@pingle.org
> [...]
> But it doesn't matter if the vendors issue a patch; people actually have to install the update to fix it, and odds are high that typical end users have no idea that is even possible or something they have to do.
>
> Jim
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On Thursday, September 05, 2013 04:55:31 PM Jim Pingle wrote:
> I'm not opposed to auto-update if it's done securely and opt-in. Especially if you can schedule the time it takes place (e.g. specific day, specific time frame).

The problem with updating router/switch software, as you know, is that you can't guarantee that what was working before won't be broken after the update. In addition to the downtime (large routers and switches can take several, several minutes to boot), a lot of service providers won't update for this reason.

That said, the vendors tend to issue workarounds that don't require software updates and, as such, reboots. This is not always the case, and in some scenarios a software update is your only option. Vendors have attempted in-service updates (ISSU and friends), but this is not very practical as of now, and tends to work less often than not.

Monitoring your infrastructure with simple tools like RANCID is an effective and quick way to know what has changed on your network, so you can investigate any potential breaches.

Unlike laptops and desktops, the latest software for routers and switches isn't always the greatest :-).

Mark.
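Mark's point about RANCID is the detection angle of this thread: if someone is implanting or reconfiguring routers, the running config is where it shows first. RANCID itself only mails a raw diff; the triage step (drop the lines that change on every poll, then pull out the changes an incident responder cares about) is what the added example below does. It is not RANCID's code and not from the thread; the two Cisco-style snapshots are constructed, and the noise and sensitive-line patterns are a starting set, not a complete one.

```python
"""RANCID-style config change triage: diff two snapshots, drop known noise,
flag security-relevant additions and removals.

Added example; not RANCID's code and not from the thread. Snapshots are
constructed `show running-config` style text.
"""
import difflib
import re

BEFORE = """\
! Last configuration change at 10:02:11 UTC Thu Sep 5 2013
ntp clock-period 17179869
hostname edge-rtr1
username admin privilege 15 secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
snmp-server community public RO
ip access-list extended MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
line vty 0 4
 transport input ssh
"""

AFTER = """\
! Last configuration change at 03:14:59 UTC Fri Sep 6 2013
ntp clock-period 17179870
hostname edge-rtr1
username admin privilege 15 secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
username svc privilege 15 secret 5 $1$zzzz$yyyyyyyyyyyyyyyyyyyyyy
snmp-server community public RO
ip access-list extended MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.7 any eq 22
line vty 0 4
 transport input ssh telnet
"""

# Lines that change on every poll and would otherwise drown the real diff
NOISE = [
    re.compile(r"^! Last configuration change"),
    re.compile(r"^ntp clock-period"),
]

# Additions or removals here are worth a human look: new accounts, widened
# management access, weaker transports, changed AAA or routing
SENSITIVE = [
    re.compile(r"^username "),
    re.compile(r"^enable secret"),
    re.compile(r"^snmp-server community"),
    re.compile(r"^\s*permit "),
    re.compile(r"^\s*transport input"),
    re.compile(r"^(aaa |tacacs|radius|ip route )"),
]


def is_noise(line):
    return any(p.search(line) for p in NOISE)


def config_changes(before, after):
    """Return [(sign, line)] for added ('+') and removed ('-') lines,
    with noise lines excluded before diffing so they never appear."""
    old = [l for l in before.splitlines() if not is_noise(l)]
    new = [l for l in after.splitlines() if not is_noise(l)]
    return [(d[0], d[2:]) for d in difflib.ndiff(old, new) if d[:2] in ("+ ", "- ")]


def flag_sensitive(changes):
    return [(s, l) for s, l in changes if any(p.search(l) for p in SENSITIVE)]


if __name__ == "__main__":
    for sign, line in flag_sensitive(config_changes(BEFORE, AFTER)):
        print(f"REVIEW {sign} {line}")
```

Run against the snapshots RANCID already stores in its CVS/SVN tree, the flagged list is short enough to page someone on, which the raw diff is not. A change made at 03:14 that adds an account and re-enables telnet is exactly the kind of thing the flagged output surfaces and the noise filter would otherwise bury under clock-period churn.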
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On 9/5/2013 1:08 PM, Mark Tinka wrote:
> On Thursday, September 05, 2013 04:55:31 PM Jim Pingle wrote:
>> I'm not opposed to auto-update if it's done securely and opt-in. Especially if you can schedule the time it takes place (e.g. specific day, specific time frame).
>
> The problem with updating router/switch software, as you know, is that you can't guarantee that what was working before won't be broken after the update. In addition to the downtime (large routers and switches can take several, several minutes to boot), a lot of service providers won't update for this reason.

Very true, though it doesn't always apply to pfSense (especially where CARP is involved). It certainly applies to Cisco and friends. That said, someone running CARP would be less likely to opt in to an automatic upgrade, but the functionality could still be used to notify the admin if needed, even if it does not actually apply anything. If that much relies on a single router, though, ultimately the design is the problem, not the boot time. Where is this fully redundant and self-healing Internet we were promised oh so many years ago? :-) Seems to be lost to companies that cheaped out and went for many single points of failure.

> Unlike laptops and desktops, the latest software for routers and switches isn't always the greatest :-).

Very true for Cisco (if you can decide which of the thousand trains and versions it would actually be updating _to_...), but the latest pfSense is always the best. :-)

Jim
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On 9/5/2013 9:58 AM, Jim Pingle wrote:
> Cisco/Linksys caught a lot of flak for doing that [1][2]. Shipping with an auto-update flag on can be unexpected and dangerous, but if it's shipped off, it would probably never be turned on by those who need it most. For many end users it does make sense, but then again that's also yet another channel that can be exploited to compromise the router, too.

To clarify a little, since my reply was a bit short and could be misconstrued: I'm not opposed to auto-update if it's done securely and opt-in. Especially if you can schedule the time it takes place (e.g. specific day, specific time frame). If it's done with an eye on caution to secure the update mechanism and informing the user about what will happen and when, it would be a nice extra option.

A few other random alternate strategies/improvements:

* Send a notification some time (24 hrs?) before the update to give the user a chance to opt out of a specific update or reschedule.
* Optionally have the update download to the unit so it is staged/ready and then notify the user it is ready to apply, and offer a means to schedule it from there.
* Have a knob to control whether it would accept only point releases, minor version upgrades, and/or major version upgrades.

Jim
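The knobs Jim lists (opt-in, a schedule window, a notice period with a chance to opt out, download-and-stage before apply, and a cap on how big a version jump is taken automatically) fit into one small decision function. The following is an added example, not pfSense code and not something the thread's participants wrote; it assumes MAJOR.MINOR.POINT version strings and treats "staged" as meaning the image was downloaded and its signature verified, which is the part this block deliberately leaves out.

```python
"""Opt-in, scheduled auto-update policy with the knobs from the message above.

Added example; not pfSense code. Assumes MAJOR.MINOR.POINT version strings
and that `staged` means the image is on disk and already verified.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LEVELS = {"point": 0, "minor": 1, "major": 2}


def jump_kind(current, candidate):
    """Classify the candidate relative to the running version, or None if it
    is not an upgrade (equal or older versions are never applied)."""
    cur = tuple(int(x) for x in current.split("."))
    cand = tuple(int(x) for x in candidate.split("."))
    if cand <= cur:
        return None
    if cand[0] != cur[0]:
        return "major"
    if cand[1] != cur[1]:
        return "minor"
    return "point"


@dataclass
class UpdatePolicy:
    opt_in: bool = False                    # shipped off; the admin turns it on
    max_jump: str = "point"                 # point | minor | major
    window_start_hour: int = 2              # maintenance window, local time
    window_end_hour: int = 4
    notice: timedelta = timedelta(hours=24)  # warning before anything is applied

    def in_window(self, when):
        return self.window_start_hour <= when.hour < self.window_end_hour


@dataclass
class Update:
    version: str
    staged: bool = False                    # downloaded and verified on the unit
    notified_at: Optional[datetime] = None  # when the admin was told
    cancelled: bool = False                 # admin opted out of this one


def decide(policy, current, update, now):
    """Next action for the updater: skip, download, notify, wait or apply.

    Apply happens only once the image is staged, the admin has had the full
    notice period to cancel, and the clock is inside the maintenance window.
    """
    if not policy.opt_in or update.cancelled:
        return "skip"
    kind = jump_kind(current, update.version)
    if kind is None or LEVELS[kind] > LEVELS[policy.max_jump]:
        return "skip"
    if not update.staged:
        return "download"
    if update.notified_at is None:
        return "notify"
    if now - update.notified_at < policy.notice:
        return "wait"
    if not policy.in_window(now):
        return "wait"
    return "apply"


if __name__ == "__main__":
    pol = UpdatePolicy(opt_in=True, max_jump="minor")
    upd = Update("2.1.1", staged=True, notified_at=datetime(2013, 9, 5, 3, 0))
    print(decide(pol, "2.1.0", upd, datetime(2013, 9, 6, 3, 0)))
```

Separating "download" from "apply" is what makes the 24-hour notice cheap: the unit can fetch and verify the image at any time, and the only thing that waits for the window is the reboot. The notify step is also the hook for the CARP case Jim mentions, where an admin wants the alert but would rather apply the update by hand.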
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
Read 'em and weep:

http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0

My take is that most places don't enable PFS (because it's "hard") in IPsec.

In theory, Transport Layer Security (TLS) can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer PFS or only provide it with a very low encryption grade.

http://www.ietf.org/mail-archive/web/tls/current/msg02134.html

I don't know the situation on pfSense (I've not gone to look, as I'm elbows deep in an IPv6 IPsec issue atm.)

In theory, OpenSSL supports perfect forward secrecy using elliptic curve Diffie-Hellman since version 1.0. Do we set "enable-ec_nistp_64_gcc_128" on pfSense? Do we enable the DHE-RSA-AES128-SHA cipher suite? How about ECDHE-RSA-AES128-SHA? Do we build the 64-bit optimized version for 64-bit images?

http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

Anyway, the 'evidence' is that there is some fundamental weakness in DH, since the NSA itself recommends EC crypto rather than DH in their "Suite B" offering.

http://www.nsa.gov/ia/programs/suiteb_cryptography/

One would think that pfSense would follow suit.
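Whether a given OpenSSL-based service (the pfSense web GUI, OpenVPN, or anything else that takes a cipher string) actually offers forward secrecy comes down to which key exchange its negotiated suites use: ECDHE or DHE give PFS, plain RSA key transport and static (EC)DH do not. The added example below, not pfSense's configuration and not from the thread, classifies suites by their OpenSSL names, builds a PFS-only preference list, and applies a cipher string to a real `SSLContext` to see what the local OpenSSL accepts. The cipher string in `audit_context` is an illustrative default, not a recommendation taken from the post; one practical caveat worth adding is that DHE only delivers what it promises with a large enough group, so the list prefers ECDHE and any deployment that keeps DHE should use at least 2048-bit parameters.

```python
"""Classify TLS cipher suites by key exchange and keep only the PFS ones.

Added example, not pfSense's configuration. Suite names follow OpenSSL's
naming: ECDHE-*/DHE-* are ephemeral exchanges, ECDH-*/plain RSA suites are
not, and TLS 1.3 suites (TLS_*) always use an ephemeral (EC)DH exchange.
"""
import ssl


def key_exchange(suite):
    """Return 'ecdhe', 'dhe', or 'static' (RSA key transport or static (EC)DH)."""
    if suite.startswith("TLS_"):          # TLS 1.3: (EC)DHE is mandatory
        return "ecdhe"
    if suite.startswith("ECDHE-"):
        return "ecdhe"
    if suite.startswith(("DHE-", "EDH-")):
        return "dhe"
    return "static"                       # includes ECDH-* (static ECDH) and AES128-SHA


def has_pfs(suite):
    return key_exchange(suite) != "static"


def pfs_only(suites):
    """Keep PFS suites, ECDHE before DHE: cheaper, and not exposed to small
    DH groups. Stable sort keeps the caller's order within each class."""
    kept = [s for s in suites if has_pfs(s)]
    return sorted(kept, key=lambda s: 0 if key_exchange(s) == "ecdhe" else 1)


def audit_context(cipher_string="ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!MD5"):
    """Apply a cipher string to a real SSLContext and report what OpenSSL
    actually enabled, plus any non-PFS suites that slipped through."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    names = [c["name"] for c in ctx.get_ciphers()]
    return names, [n for n in names if not has_pfs(n)]


if __name__ == "__main__":
    names, leaks = audit_context()
    for n in names:
        print(f"{key_exchange(n):6} {n}")
    print("non-PFS suites enabled:", leaks or "none")
```

Pointed at the cipher string a service really uses (for OpenVPN, the `tls-cipher` option; for a web server, its cipher directive), the `leaks` list answers the question in the post for that service. Checking the server side of a live connection needs a handshake, which `openssl s_client -cipher` does; this block deliberately stays offline.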
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On 9/5/2013 7:57 AM, Jim Pingle wrote:
> [...]
> But it doesn't matter if the vendors issue a patch; people actually have to install the update to fix it, and odds are high that typical end users have no idea that is even possible or something they have to do.
>
> Jim

It's not like this is new or anything:

http://security.sdsc.edu/self-help/alcatel/alcatel-bugs.html (non-fixable backdoor in Alcatel DSL modems), 1999.

Alcatel, when pressured by the Bell companies, sold off the DSL business unit. It was estimated that Alcatel lost 1-2 billion dollars when AT&T threatened to stop using them because they refused to fix the bug.

http://connectedplanetonline.com/news/telecom_alcatel_unloads_dsl/

From $80/share to $2/share.

If Alcatel had released a patch, the ILECs could have sent an update over the ATM/DSLAM to the devices to upgrade the code, so someone didn't *want* to upgrade those devices.
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On Sep 5, 2013, at 12:08 PM, Mark Tinka mark.ti...@seacom.mu wrote:
> On Thursday, September 05, 2013 04:55:31 PM Jim Pingle wrote:
>> I'm not opposed to auto-update if it's done securely and opt-in. Especially if you can schedule the time it takes place (e.g. specific day, specific time frame).
>
> The problem with updating router/switch software, as you know, is that you can't guarantee that what was working before won't be broken after the update. In addition to the downtime (large routers and switches can take several, several minutes to boot), a lot of service providers won't update for this reason.

Wait, wait. Show me again where pfSense is used in a non-trivial service provider environment in a position where it actually routes traffic. And show me again where auto-update was *required*, rather than an option?

> That said, the vendors tend to issue workarounds that don't require software updates and, as such, reboots. This is not always the case, and in some scenarios a software update is your only option. Vendors have attempted in-service updates (ISSU and friends), but this is not very practical as of now, and tends to work less often than not.

It's all doable. (It's just software.) But it's decidedly non-trivial.

> Monitoring your infrastructure with simple tools like RANCID is an effective and quick way to know what has changed on your network, so you can investigate any potential breaches.
>
> Unlike laptops and desktops, the latest software for routers and switches isn't always the greatest :-).

If by "isn't always" you mean "occasionally isn't", fine. If you mean "often isn't", then I fundamentally disagree.

jim
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On 09/05/2013 08:58 AM, Jim Pingle wrote:
> Cisco/Linksys caught a lot of flak for doing that [1][2]. Shipping with an auto-update flag on can be unexpected and dangerous, but if it's shipped off, it would probably never be turned on by those who need it most. For many end users it does make sense, but then again that's also yet another channel that can be exploited to compromise the router, too.
>
> [1] http://www.zdnet.com/cisco-connect-cloud-chaos-700282/
> [2] http://www.computerworld.com/s/article/9228687/Linksys_firmware_upgrade_for_Wi_Fi_routers_angers_some_users

The new Apple operating system (Mavericks or iOS 7) will have an autoupdate feature.
[pfSense] insert a pfsense box to handle high network load (botnet attack)
Hi all.

I have a problem with my home internet connection. My VDSL router gets on the WAN interface about 40-50 requests per second on port 80, and when I configure it so that it forwards that traffic to my web server, the router can't bear the load and freezes after a few seconds.

All that traffic is not normal... it's a botnet attack. On my server I have scripts that examine the logs and add the violator IPs as DROP in iptables. After a week, this morning I counted over 140'000 unique IP DROP entries! The server seems to handle the attack well, but when the load is so high, the VDSL router just freezes.

So, I thought I may configure the VDSL router as a bridge and put a pfSense box in between the bridge and my home network. Apart from the fact that I don't yet know how the router will behave when configured as a bridge (will it bear the network load? what will happen to the four LAN ports? only one will be left active?), I would like to know how I should configure the pfSense box. I mean, would it be enough to just move the configuration from the VDSL router to the pfSense box? The VDSL router is now configured with PPPoE over PTM (POTS). Would it be fine if I configure pfSense as PPPoE on the WAN interface?

Thank you for your help.
Best regards.
Robi
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On Sep 5, 2013, at 6:49 PM, Bob Gustafson bob...@rcn.com wrote:
> The new Apple operating system (Mavericks or iOS 7) will have an autoupdate feature.

Which can be disabled.
Re: [pfSense] insert a pfsense box to handle high network load (botnet attack)
It entirely depends on the hardware you use for pfSense as to how much load it can handle. I, for one, push a sustained 60-70Mbps, with bursts of 120Mbps or more, on a fairly hefty Xeon 64-bit server with 16GB of RAM. I have mostly simple rules, several IPsec and OpenVPN endpoints, and about 8 virtual inbound load-balanced servers. It never gets bogged down.

At home, I have it installed on a small ALIX-based system (embedded AMD i386-compatible) and it can easily max out my FiOS line at 60Mbps download, but the VPN to the main data center maxes out at 30Mbps.

I don't have any idea what VDSL is, so I cannot speak to how to configure the WAN on the pfSense. On my home system, I just set it to DHCP and let the Verizon FiOS router assign it an address. This is also how it worked with my Comcast cable modem. If your router gives pfSense a non-routable address like 10.x.x.x or 192.168.x.x, be sure to turn off the blocking of those IPs on the WAN interface in pfSense.

On Thu, Sep 5, 2013 at 8:56 PM, Roberto Nunnari roberto.nunn...@supsi.ch wrote:
> [...] So, I thought I may configure the VDSL router as a bridge and put a pfSense box in between the bridge and my home network. [...] Would it be fine if I configure pfSense as PPPoE on the WAN interface?
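Roberto's setup already has the detection half (scripts over the web server logs that DROP offenders in iptables); what putting pfSense in front changes is where the block is enforced, so the VDSL router never sees the flood. The added example below, which is not the original poster's script and not pfSense code, shows the detection logic as a sliding-window rate check over constructed access log lines, and emits the `pfctl` table commands a block rule on the pfSense WAN would consume. The table name `floodsrc` and the interface `em0` in the rule text are assumptions.

```python
"""Per-source request-rate detection over web server access logs, feeding a
pf table on a pfSense box in front of the server.

Added example; not the original poster's script and not pfSense code. Log
lines are constructed in combined format and assumed to be in time order.
Table name `floodsrc` and WAN interface `em0` are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG = """\
198.51.100.23 - - [06/Sep/2013:02:00:00 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Sep/2013:02:00:00 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Sep/2013:02:00:01 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Firefox"
198.51.100.23 - - [06/Sep/2013:02:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Sep/2013:02:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Sep/2013:02:00:02 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
this line is not a log entry
198.51.100.23 - - [06/Sep/2013:02:00:02 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Sep/2013:02:00:30 +0200] "GET /style.css HTTP/1.1" 200 900 "-" "Firefox"
203.0.113.5 - - [06/Sep/2013:02:01:05 +0200] "GET /logo.png HTTP/1.1" 200 4096 "-" "Firefox"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# pf rule the table feeds; on pfSense this is a WAN block rule whose source
# is an alias rather than hand-edited pf.conf (assumed interface name em0).
PF_RULE = "table <floodsrc> persist\nblock in quick on em0 from <floodsrc> to any"


def parse(line):
    """Return (ip, timestamp, request, status) or None for non-matching lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, request, status, _ = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)


def offenders(lines, limit=5, window_s=10):
    """IPs that exceed `limit` requests within any `window_s`-second window.

    Keeps one deque of timestamps per source and trims it to the window as
    lines arrive, so memory is bounded by (sources x limit), not by log size.
    Returns {ip: timestamp of first detection}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, _, _ = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def pfctl_commands(flagged, table="floodsrc"):
    """Commands to run on the pfSense box (not on the web server)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(LOG.splitlines())):
        print(cmd)
```

Two practical notes for this case. pf tables are built for lists the size Roberto mentions (140'000 entries is routine), whereas one iptables DROP rule per IP is a linear chain walk per packet; on the Linux side `ipset` is the equivalent structure. And pf can do the rate limiting itself without any log parsing: a pass rule with `max-src-conn-rate N/S, overload <floodsrc> flush` adds sources that open more than N connections in S seconds to the table, which pfSense exposes under a rule's advanced options. The log-based script is still useful for the web tier, where connection counts alone do not distinguish a scraper from a client behind a large NAT.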