Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Jul 24, 2015, at 5:18 PM, Ted Byers r.ted.by...@gmail.com wrote:
> On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote:
>> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
>>> This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2
>> In the case of forwarded ports it's the Ubuntu machines that are triggering it. That has nothing to do with the firewall.
> In that case, then, the scan is wrong as all our Ubuntu machines are configured to use only TLS1.2
Or you think they are and they’re really not.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
[pfSense] bsd/pfsense equivalent to fail2ban
hi all,

i have a number of asterisk instances behind pfsense -- 5060 is open to the public, and of course, i have incessant attempts to make free calls. for the moment, i use an iptables rule:

    iptables --append local-external --protocol udp -m udp --sport 5060 \
      -m string --string "SIP/2.0 403 Forbidden" --algo bm --to 66 \
      -j LOG --log-ip-options --log-prefix "SIP ABUSE: 403: "

which inspects udp packets to discern who is trying to hack. enough errors in the log, and the ip gets banned (digging into the packet is the only way to correctly eliminate spoofing).

i would prefer to move this function to pfsense ... what would be the best way to do that?

thanks
m
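An added example (not from the poster or the pfSense project) of the "enough errors in the log, and the ip gets banned" step: it parses kernel LOG lines carrying the "SIP ABUSE: 403:" prefix, counts 403 replies per remote address, and renders a ban list as pfctl table commands. The log lines, the PBX address, the threshold and the table name "sipabuse" are constructed assumptions; note that because the logged packet is the PBX's own reply (sport 5060), the remote party is the DST field, not SRC.

```python
import re
from collections import Counter

# Constructed sample kernel log lines, shaped like the iptables LOG target
# output for the rule above. The logged packet is the PBX's 403 reply, so
# SRC is our PBX (assumed 192.0.2.10) and DST is the remote party.
SAMPLE_LOG = """\
Jul 24 18:01:02 pbx kernel: SIP ABUSE: 403: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=540 PROTO=UDP SPT=5060 DPT=5060 LEN=520
Jul 24 18:01:03 pbx kernel: SIP ABUSE: 403: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=540 PROTO=UDP SPT=5060 DPT=5060 LEN=520
Jul 24 18:01:05 pbx kernel: SIP ABUSE: 403: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.44 LEN=540 PROTO=UDP SPT=5060 DPT=5060 LEN=520
Jul 24 18:01:09 pbx kernel: SIP ABUSE: 403: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=540 PROTO=UDP SPT=5060 DPT=5060 LEN=520
Jul 24 18:01:10 pbx kernel: SIP ABUSE: 403: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=540 PROTO=UDP SPT=5060 DPT=5060 LEN=520
Jul 24 18:02:00 pbx kernel: unrelated message SRC=10.0.0.1 DST=10.0.0.2
"""

# Only lines with the LOG prefix are considered; SRC, DST and SPT are captured.
LOG_RE = re.compile(
    r"SIP ABUSE: 403: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=UDP SPT=(?P<spt>\d+)"
)


def offenders(log_text, pbx_addrs, threshold=3):
    """Count 403 replies per remote address; return those at or over threshold.

    A line counts only if the reply really came from one of our PBX addresses
    on port 5060, so unrelated log lines cannot inflate anyone's tally.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("src") not in pbx_addrs or m.group("spt") != "5060":
            continue
        counts[m.group("dst")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def pf_table_lines(banned, table="sipabuse"):
    """Render the ban list as pfctl commands for a pf table (table name assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG, {"192.0.2.10"})
    print(bad)  # {'198.51.100.7': 4}
    print("\n".join(pf_table_lines(bad)))
```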
[pfSense] DHCP Relay attaching to wrong interface
Hi list,

first I want to congratulate all pfsense developers for this magnificent piece of software.

I think I found a simple bug: I am configuring a pfsense on a single server to replace a cisco 2821 and an asa 5520, and at the moment almost everything is working great. But... I'm having troubles with the dhcp relay.

I have a 2 real interface configuration, one on the internet side and the other on the inside, with 8 vlans in there. I configured dhcp relay to listen on some vlan interfaces, but it also attaches to the lan interface (the one without vlan tag), leaving 2 dhcp servers responding on the same collision domain.

In the shell I can see that dhcrelay is up and the command is wrong:

    [2.2.3-RELEASE][r...@inti1.inti.gob.ar]/root: ps auxww | grep dhc
    root 30087 0.0 0.1 20184 9820 - Ss 9:34AM 0:00.05 /usr/local/sbin/dhcrelay -i bce1_vlan3 -i bce1_vlan10 -i bce1_vlan20 -i bce1_vlan33 -i bce1_vlan51 -i bce1 -a -m replace 200.10.161.34

it should not say -i bce; this interface (lan) is not selected in the dhcp relay web configuration.

Regards,
Juan.