Re: [pfSense] Access Point Recommendations?
On 24/Jul/15 08:53, Seth Mos wrote: In a pinch I use the Linksys E2500 or EA2700 dual band wireless access points. Set a static IP, disable the DHCP server and connect the cable to the LAN ports. That's handy for connecting the Xbox in the living room. I mounted it behind the TV using one of the VESA mount screw holes for hanging it off, and route the wires through the base of the TV. Excellent wireless signal in the room. You get 3 free switch ports on location as well for just ~40 euros.

I'm using the EA2700 as one of the APs in my house. I've had to run only one band (2.4GHz), because maintaining a wireless connection on either band with a multi-band client is terrible with the unit. This is with and without the software update (although I've read reports about this being caused mostly by the latest update that modifies the wireless controller drivers some). Nonetheless, happy with the unit when running the 2.4GHz band only. Streams my DLNA services across the house quite nicely, can't complain. I'm running it in AP mode, as I have a Netgear wi-fi router doing the routing, NAT, etc., for my ADSL connection.

Mark.

___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Access Point Recommendations?
On 2015-07-23 21:24, Adam Thompson wrote: On 2015-07-23 10:46 AM, Karl Fife wrote: Your point about having a one-off solution is a great one. Installing a single UniFi AP would be unnecessarily complex. The TP-Link TL-WA801nd is a BGN-only device. Do you (or anyone) have a preferred stand-alone AC access point?

Not a recommendation at all, but stay away from EnGenius devices. OK hardware, good price, but (e.g.) my AP comes with an open DNS resolver that can't be disabled, and they don't seem to think it's a problem at all...

I like the EnGenius hardware, when it works, but if it doesn't, support doesn't seem to care about much. I'm trying to map SSIDs to VLANs, the traffic just won't pass, switch doesn't even see it, and support hasn't been useful. Looks like a bug, but still, it's literally the reason I bought the device over my previous solution. On the other hand, the speed is amazing, so I'm not ripping it out.

I noticed the DNS resolver, but it didn't bother me personally as I have other resolvers similarly positioned in my network. As a possible workaround, does it need DNS at all? If not, either remove its DNS settings, or configure your resolver to refuse packets. Not perfect, but it's better than being an open resolver if it's exposed to untrusted users.

And for whatever it's worth, it looks like a non-caching forwarder, not a full resolver. Still, it concerns me that support doesn't understand how it's a potential issue. If you use it for NAT/routing/anything, does it listen on the WAN interface, or only the LAN side?

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Access Point Recommendations?
Karl Fife wrote on 23-7-2015 at 17:46: Your point about having a one-off solution is a great one. Installing a single UniFi AP would be unnecessarily complex.

In a pinch I use the Linksys E2500 or EA2700 dual band wireless access points. Set a static IP, disable the DHCP server and connect the cable to the LAN ports. That's handy for connecting the Xbox in the living room. I mounted it behind the TV using one of the VESA mount screw holes for hanging it off, and route the wires through the base of the TV. Excellent wireless signal in the room. You get 3 free switch ports on location as well for just ~40 euros.

The TP-Link TL-WA801nd is a BGN-only device. Do you (or anyone) have a preferred stand-alone AC access point?

If anyone is going to deploy anything new then BGN is not a valid solution anymore. I see way too many issues with channel overlap in 2.4GHz, especially in densely populated areas. The record so far is 38 SSIDs from a table at a cafe in Barcelona, Spain. Then there was the genius that installed all APs on the same channel, don't do that :(

At work we use the Ubiquiti UniFi-Pro access points, about 20 of them. One of them is a repeater with a wireless backhaul (over 5GHz). We have a Debian VM for the controller which is handy as well. All wireless traffic is put on a separate VLAN, and that works well as intended, pfSense routes it out to the internet. I've also not found any issues so far with the IPv6 support on any of the devices attached to the wireless, it works. The roaming is also quite good, I have no dropping 3CX soft phone calls whilst roaming through the building.

Cheers, Seth
Re: [pfSense] Primer for AP/bridge setup? (based on Re: Access Point Recommendations?)
Kenward Vaughan wrote on Fri, Jul 24 2015 at 10:00 am: We have a laser printer down the hall to which I attached an old home wifi router (don't recall the brand) making it accessible to people. Thought it would be nice to have this also bridge to the LAN

Usually devices can be access points, wireless clients, or bridges, but not more than one. I would expect if you connect the printer to the LAN, then anyone using the printer would need to connect to the LAN's AP instead of directly to the printer.

-- Steve Yates ITS, Inc.
[pfSense] Primer for AP/bridge setup? (based on Re: Access Point Recommendations?)
Hello,

At my school I own a small LAN with a VPN to the outside world, and use pfSense to control that part of things with a regular HP 2530 switch internally. I'd like to be able to have students/professors access the LAN outside of the boxes themselves, so getting an AP seems like an obvious solution; based on the other thread the Ubiquiti UniFi AP seems like a good choice to attach to the switch.

We have a laser printer down the hall to which I attached an old home wifi router (don't recall the brand) making it accessible to people. Thought it would be nice to have this also bridge to the LAN, so profs could access that and the LAN's own printer through one connection. The LAN/pfSense would manage this so the wifi router should become a bridging device, yes?

Can someone point me to something online which would explain how the above HW setup might be done, if it's even possible with the connectivity described? I've looked at several places which describe various permutations, but am uncertain if they apply here.

Questions which I believe involve pfSense: Can the (Ubiquiti) AP both handle requests from outside laptops, and serve as the link to the other printer? Is it possible to set things up in pfSense in a way that all incoming LAN requests are shunted to an Apache server on one of the LAN machines, while printer requests go to the printers instead? Would this involve the AP and printers being on a DMZ?

Thanks for any help!

Kenward

-- In a completely rational society, the best of us would aspire to be _teachers_ and the rest of us would have to settle for something less, because passing civilization along from one generation to the next ought to be the highest honor and the highest responsibility anyone could have. - Lee Iacocca
[pfSense] How do I harden my pfsense install WRT TLS and ssh?
I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfSense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfSense machines.

First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2?

Second, it appears that ssh-server on pfSense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9).

If we can fix these two things, a little over half of the complaints from the scanner will be resolved. I have spent a couple of days using Google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal).

Thanks Ted

-- R.E.(Ted) Byers, Ph.D.,Ed.D.
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
I'm 95% sure the answer is wait for the developers to fix those issues and/or become a developer and fix those issues :-).

Configuration of lighttpd is controlled by the pfSense management framework, so once you discover the correct invocation, you could locally modify the PHP file that generates the configuration. In theory, all you need to add to /var/etc/lighty-webConfigurator.conf would be

ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"

but you need to find where in the PHP framework that file gets written. I can't find it in under 60 seconds, so you're on your own there.

As to updating sshd, that's replacing a core piece of the system. I'm not even going to speculate how or what the impact would be.

-Adam

On 07/24/2015 03:51 PM, Ted Byers wrote: I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfSense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfSense machines. First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2? Second, it appears that ssh-server on pfSense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9). If we can fix these two things, a little over half of the complaints from the scanner will be resolved. I have spent a couple of days using Google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal). Thanks Ted
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm: First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. Second, it appears that ssh-server on pfSense is version 6.6

Is this an internal scan or external? Hopefully those aren't exposed externally. If internal, can access be limited to certain IPs?

This probably isn't the forum to discuss, but the TLS 1.0 one is a fun one... that will catch Remote Desktop Services, and Vista and below don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ enabled by default.

-- Steve Yates ITS, Inc.
Re: [pfSense] Primer for AP/bridge setup? (based on Re: Access Point Recommendations?)
Kenward Vaughan wrote on Fri, Jul 24 2015 at 11:00 am: I currently use the older router wired to the laserjet because I expected it to have more range, and honestly haven't tried setting up a printer's wifi connection before. So it is a standalone system right now. Would that printer work directly with the LAN's AP as a bridge, getting its IP address, etc., from there? I don't want unlimited access to it.

If the printer has wireless you can connect the printer to any access point. That is the same as plugging in a cable so that wouldn't limit access. However bridging it to the network doesn't limit access either unless the bridge has some sort of security set up. I was just skimming this thread but I think to use pfSense you'd have to have the printer on a different subnet or in some way have pfSense do the routing so it could have firewall rules set up.

-- Steve Yates ITS, Inc.
Re: [pfSense] Access Point Recommendations?
On 2015-07-24 10:15, Adam Thompson wrote: To clarify, I have an EAP-600, which is a pure access point, not a router at all. It only has one LAN port, grand total. There is *no* universe where it makes sense for an access point to run a DNS server/forwarder/whatever.

I have the EAP900H, which is inherently similar (it's outwardly physically identical). However, it has the capability to enable a guest network, which has NAT, so in this configuration, the DNS forwarder does make sense. They probably used the same basic firmware. But there's no excuse for not making it configurable, nor should it be enabled by default unless the guest network is enabled.

Ultimately I'm not unhappy with the overall performance of the unit, but it's still not one I'd wholeheartedly recommend, mostly because of the support experience.

-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
If you are forwarding the ports to other machines, it is those machines which need an update, not pfSense. This is the test: get out your ssh client of choice and connect to the port from outside. If you get something that is not pfSense, then upgrading ssh on your firewall isn't going to help.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jul 24, 2015 6:20 PM, Ted Byers r.ted.by...@gmail.com wrote: This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2. Port 443 must be open to support the web server in our DMZ, and we need ssh to connect to each machine for administration purposes. (If there is a better way, I do not know what it is or how to do it -- I am a programmer tasked with setting this up, so network and system administration is new to me - I am out of my area of expertise here.) Thanks Ted

On Fri, Jul 24, 2015 at 5:25 PM, Steve Yates st...@teamits.com wrote: Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm: First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. Second, it appears that ssh-server on pfSense is version 6.6 Is this an internal scan or external? Hopefully those aren't exposed externally. If internal, can access be limited to certain IPs? This probably isn't the forum to discuss, but the TLS 1.0 one is a fun one... that will catch Remote Desktop Services, and Vista and below don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ enabled by default. -- Steve Yates ITS, Inc.

-- R.E.(Ted) Byers, Ph.D.,Ed.D. t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
Thanks for this. I'd hoped it would be as simple as apt-get update, apt-get upgrade, apt-get update openssh-server. That is, whatever the equivalent of apt-get is on a pfSense machine, I'd hoped it would be a command invoked from ssh to ask the system to check for updates and apply any found.

Thanks Ted

On Fri, Jul 24, 2015 at 5:13 PM, Adam Thompson athom...@athompso.net wrote: I'm 95% sure the answer is wait for the developers to fix those issues and/or become a developer and fix those issues :-). Configuration of lighttpd is controlled by the pfSense management framework, so once you discover the correct invocation, you could locally modify the PHP file that generates the configuration. In theory, all you need to add to /var/etc/lighty-webConfigurator.conf would be

ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"

but you need to find where in the PHP framework that file gets written. I can't find it in under 60 seconds, so you're on your own there. As to updating sshd, that's replacing a core piece of the system. I'm not even going to speculate how or what the impact would be. -Adam

On 07/24/2015 03:51 PM, Ted Byers wrote: I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfSense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfSense machines. First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2? Second, it appears that ssh-server on pfSense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9). If we can fix these two things, a little over half of the complaints from the scanner will be resolved. I have spent a couple of days using Google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal). Thanks Ted

-- R.E.(Ted) Byers, Ph.D.,Ed.D. t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2. Port 443 must be open to support the web server in our DMZ, and we need ssh to connect to each machine for administration purposes. (If there is a better way, I do not know what it is or how to do it -- I am a programmer tasked with setting this up, so network and system administration is new to me - I am out of my area of expertise here.)

Thanks Ted

On Fri, Jul 24, 2015 at 5:25 PM, Steve Yates st...@teamits.com wrote: Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm: First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. Second, it appears that ssh-server on pfSense is version 6.6 Is this an internal scan or external? Hopefully those aren't exposed externally. If internal, can access be limited to certain IPs? This probably isn't the forum to discuss, but the TLS 1.0 one is a fun one... that will catch Remote Desktop Services, and Vista and below don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ enabled by default. -- Steve Yates ITS, Inc.

-- R.E.(Ted) Byers, Ph.D.,Ed.D. t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
Thanks. I will do this this evening.

Thanks, Ted

On Fri, Jul 24, 2015 at 6:18 PM, David Burgess apt@gmail.com wrote: On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers r.ted.by...@gmail.com wrote: Thanks for this. I'd hoped it would be as simple as apt-get update, apt-get upgrade, apt-get update openssh-server. That is, whatever the equivalent of apt-get is on a pfSense machine, I'd hoped it would be a command invoked from ssh to ask the system to check for updates and apply any found.

pfSense is more like a firmware than an OS. While the possibility of updating, replacing, or adding components does exist, it is generally discouraged for the typical user. Log into the web UI and navigate to System: Firmware: Auto Update and run your upgrade from there. db

-- R.E.(Ted) Byers, Ph.D.,Ed.D. t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
We have version 2.2.2. What is the easiest way to upgrade one minor version? On Ubuntu, I'd use 'apt-get update' and/or 'apt-get upgrade', or one of the variants thereof. But, if I understand correctly, pfSense is built on FreeBSD, about which I know nothing.

Thanks Ted

On Fri, Jul 24, 2015 at 5:13 PM, Ryan Coleman ryan.cole...@cwis.biz wrote: First off you'd upgrade the installation of pfSense - what version do you have installed/running? The current version is 2.2.3.

On Jul 24, 2015, at 3:51 PM, Ted Byers r.ted.by...@gmail.com wrote: I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfSense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfSense machines. First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2? Second, it appears that ssh-server on pfSense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9). If we can fix these two things, a little over half of the complaints from the scanner will be resolved. I have spent a couple of days using Google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal). Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D.

-- R.E.(Ted) Byers, Ph.D.,Ed.D. t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers r.ted.by...@gmail.com wrote: Thanks for this. I'd hoped it would be as simple as apt-get update, apt-get upgrade, apt-get update openssh-server. That is, whatever the equivalent of apt-get is on a pfSense machine, I'd hoped it would be a command invoked from ssh to ask the system to check for updates and apply any found.

pfSense is more like a firmware than an OS. While the possibility of updating, replacing, or adding components does exist, it is generally discouraged for the typical user. Log into the web UI and navigate to System: Firmware: Auto Update and run your upgrade from there.

db
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Fri, Jul 24, 2015 at 3:51 PM, Ted Byers r.ted.by...@gmail.com wrote: I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfSense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfSense machines. First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2?

That's one where maybe you can disregard compatibility concerns and only allow TLS 1.2. We're a bit more conservative for compatibility reasons where there isn't a significant security risk (though TLSv1 probably will get disabled in 2.3-REL). Update the code in /etc/inc/system.inc to generate the lighttpd config as you desire (and captiveportal.inc if you're using CP).

Second, it appears that ssh-server on pfSense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9)

In that case your scanner is stupid, and "you can't fix stupid" applies. We use the SSH version used in the base FreeBSD version, which is 6.6 for 10.1. That's perfectly fine. You can't reasonably upgrade it, and there is no point at all in trying.

Re: upgrading, which you should do as there are legit security reasons your scanner is blind to (though best to wait a few hours and you can go to 2.2.4), details here: https://doc.pfsense.org/index.php/Upgrade_Guide
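A defender-side way to check both scanner findings yourself, covering the "connect from outside and see who answers" test suggested earlier in the thread and the OpenSSH 6.6 versus 6.9 point above. This is an added example, not code from the thread or from pfSense: it parses an SSH identification banner (Ubuntu's and FreeBSD's OpenSSH builds tag the banner with the OS, so the forwarded port's banner shows whether the Ubuntu box or the firewall answered), applies the scanner's "older than 6.9" rule, and can probe which TLS versions a port still accepts. The sample banners are constructed, and the network helpers need a real host name of your own.

```python
"""Verify a PCI scan finding yourself: who answers the forwarded port, and what it speaks.

Added example, not code from the thread or from pfSense. The banners used in the
tests and in main() are constructed samples modelled on what Ubuntu 14.04 and
FreeBSD 10.1 OpenSSH builds send; any host name you pass in is yours to choose.
"""
import re
import socket
import ssl

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")


def parse_ssh_banner(banner: str) -> dict:
    """Split a banner into protocol, software string, OpenSSH (major, minor) and comment."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    version = None
    v = OPENSSH_RE.match(m["software"])
    if v:
        version = (int(v["major"]), int(v["minor"]))
    return {"proto": m["proto"], "software": m["software"],
            "version": version, "comment": m["comment"] or ""}


def flagged_by_scanner(banner: str, minimum=(6, 9)) -> bool:
    """Reproduce the scanner's rule from the thread: complain if OpenSSH is older than 6.9.
    Servers that are not OpenSSH carry no comparable version, so they are not flagged here."""
    version = parse_ssh_banner(banner)["version"]
    return version is not None and version < minimum


def banner_origin(banner: str) -> str:
    """Guess which system answered. Ubuntu's OpenSSH appends 'Ubuntu-...' to the banner and
    FreeBSD's (pfSense's base) appends 'FreeBSD-...'; anything else is reported as unknown."""
    comment = parse_ssh_banner(banner)["comment"].lower()
    for tag in ("ubuntu", "debian", "freebsd"):
        if comment.startswith(tag):
            return tag
    return "unknown"


def fetch_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line (the server sends it first). Needs network."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt one handshake per TLS version and report which ones the server accepts.
    Certificate checks are off because only protocol acceptance matters here. Needs network."""
    results = {}
    for name, ver in (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                      ("TLSv1.2", ssl.TLSVersion.TLSv1_2)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let this client offer legacy suites too
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False  # refused by the server, or unsupported by this client build
    return results


if __name__ == "__main__":
    # Constructed sample banners: an Ubuntu-style OpenSSH 6.6 and a FreeBSD-style one.
    for sample in ("SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3",
                   "SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420"):
        verdict = "flagged" if flagged_by_scanner(sample) else "ok"
        print(f"{sample} -> origin={banner_origin(sample)} scanner={verdict}")
```

Against a forwarded port 22, an "ubuntu" origin confirms the finding belongs to the Ubuntu host behind the firewall, not to pfSense; probe_tls_versions on port 443 shows directly whether TLSv1.0 is still accepted after a lighttpd or Apache change.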
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote: On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote: This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2

In the case of forwarded ports it's the Ubuntu machines that are triggering it. That has nothing to do with the firewall.

In that case, then, the scan is wrong as all our Ubuntu machines are configured to use only TLS1.2.

Thanks. Ted
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Jul 24, 2015, at 7:18 PM, Ted Byers r.ted.by...@gmail.com wrote: On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote: On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote: This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2

In the case of forwarded ports it's the Ubuntu machines that are triggering it. That has nothing to do with the firewall.

In that case, then, the scan is wrong as all our Ubuntu machines are configured to use only TLS1.2.

I am curious as to what tool you were using.