Re: [pfSense] [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches

2013-09-04 Thread Walter Parker
I'd suggest installing pfSense at a home location for benefits that pfSense
provides. The ability for you to see what is going on on your network is
much greater than with any of the consumer routers.

If you get a little Netgate SBC, you can have a pfSense router with the
same size and power specs as a Netgear, Linksys, Buffalo, etc. HW router.
Also, there is a chance that your pfSense will be more secure as it is an
active project that takes security seriously. I've seen too many problems
with cheapo HW routers to trust them...


Walter


On Wed, Sep 4, 2013 at 5:33 PM, Robert Guerra wrote:

>
> Curious on people's comments on  types of routers, firewalls and other
> appliances that might be affected as well as mitigation strategies. Would
> installing a pfsense and/or other open source firewall be helpful in anyway
> at a home net location?
>
> --
> R. Guerra
> Phone/Cell: +1 202-905-2081
> Twitter: twitter.com/netfreedom
> Email: rgue...@privaterra.org
>
> On 2013-09-04, at 4:12 PM, Eugen Leitl wrote:
>
> >
> > http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
> >
> > NSA Laughs at PCs, Prefers Hacking Routers and Switches
> >
> > BY KIM ZETTER 09.04.13 6:30 AM
> >
> > The NSA runs a massive, full-time hacking operation targeting foreign
> > systems, the latest leaks from Edward Snowden show. But unlike conventional
> > cybercriminals, the agency is less interested in hacking PCs and Macs.
> > Instead, America’s spooks have their eyes on the internet routers and
> > switches that form the basic infrastructure of the net, and are largely
> > overlooked as security vulnerabilities.
> >
> > Under a $652-million program codenamed “Genie,” U.S. intel agencies have
> > hacked into foreign computers and networks to monitor communications
> > crossing them and to establish control over them, according to a secret
> > black budget document leaked to the Washington Post. U.S. intelligence
> > agencies conducted 231 offensive cyber operations in 2011 to penetrate the
> > computer networks of targets abroad.
> >
> > This included not only installing covert “implants” in foreign desktop
> > computers but also on routers and firewalls — tens of thousands of
> > machines every year in all. According to the Post, the government planned
> > to expand the program to cover millions of additional foreign machines in
> > the future and preferred hacking routers to individual PCs because it gave
> > agencies access to data from entire networks of computers instead of just
> > individual machines.
> >
> > Most of the hacks targeted the systems and communications of top
> > adversaries like China, Russia, Iran and North Korea and included
> > activities around nuclear proliferation.
> >
> > The NSA’s focus on routers highlights an often-overlooked attack vector
> > with huge advantages for the intruder, says Marc Maiffret, chief
> > technology officer at security firm Beyond Trust. Hacking routers is an
> > ideal way for an intelligence or military agency to maintain a persistent
> > hold on network traffic because the systems aren’t updated with new
> > software very often or patched in the way that Windows and Linux systems
> > are.
> >
> > “No one updates their routers,” he says. “If you think people are bad
> > about patching Windows and Linux (which they are) then they are … horrible
> > about updating their networking gear because it is too critical, and
> > usually they don’t have redundancy to be able to do it properly.”
> >
> > He also notes that routers don’t have security software that can help
> > detect a breach.
> >
> > “The challenge [with desktop systems] is that while antivirus don’t work
> > well on your desktop, they at least do something [to detect attacks],” he
> > says. “But you don’t even have an integrity check for the most part on
> > routers and other such devices like IP cameras.”
> >
> > Hijacking routers and switches could allow the NSA to do more than just
> > eavesdrop on all the communications crossing that equipment. It would
> > also let them bring down networks or prevent certain communication, such
> > as military orders, from getting through, though the Post story doesn’t
> > report any such activities. With control of routers, the NSA could
> > re-route traffic to a different location, or intelligence agencies could
> > alter it for disinformation campaigns, such as planting information that
> > would have a detrimental political effect or altering orders to re-route
> > troops or supplies in a military operation.
> >
> > According to the budget document, the CIA’s Tailored Access Programs and
> > NSA’s software engineers possess “templates” for breaking into common
> > brands and models of routers, switches and firewalls.
> >
> > The article doesn’t say it, but this would likely involve pre-written
> > scripts or backdoor tools and root kits for attacking known but unpatched
> > vulnera

Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?

2013-10-09 Thread Walter Parker
The big problem with asking the question "Has the NSA required you to add a
back door?" is that no small company that wants to stay in business can or
will say yes (If they do, no one will trust/use the product unless forced
themselves). The company will agree/be forced to say no. How does one tell
that no from an authentic no?

Therefore, once trust is in question, the only way to be sure is to do the
self review suggested earlier...

However, from my perspective, the code in pfSense is more likely to be secure
than any commercial, closed source solution. See prior threads about
FreeBSD security.


Walter


On Wed, Oct 9, 2013 at 9:10 AM, Thinker Rix wrote:

> On 2013-10-09 19:03, Jim Thompson wrote:
>
>> (TIC mode: on)
>>
> Sorry, but I guess the whole matter - not only concerning pfSense, but the
> current threat to our civilization by our criminal governments as a whole -
> is much too serious for any "TIC-modes"..
>
> ___
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?

2013-10-09 Thread Walter Parker
About that made in the USA thing, the NSA has deals with overseas companies
as well...

Plus, the GCHQ and several other foreign spy agencies have done similar
things, so if you start asking, you discover that the major governments
are trying to do this and have succeeded more often than we would like.

Also, the whole "We have to ask the question to get the denial on
record" only matters for the government or people with lots of money. The
Government can sue you/arrest you for a lie, but do "you" have enough money
to pay for lawsuits against a company? Most lawyers want money upfront
unless you have a clear suit against a company with lots of money.

When was the last (or even first time) that a company was sued and lost to
a private party for something like this, outside of class action lawsuits?


Walter


On Wed, Oct 9, 2013 at 9:51 AM, Eugen Leitl  wrote:

> On Wed, Oct 09, 2013 at 11:42:31AM -0500, Adam Thompson wrote:
>
> > Argh.  Anyone who answered "Yes" to your question (correctly, mind you)
> would immediately be committing a federal crime.
>
> All assuming the company in question resides in the US, or has
> significant presence in the US. There is, of course, considerable
> strong-arming and informal co-operation going on behind the
> scenes, so geography is not exactly a good protection.
>
> I've personally given up on any commercial software, and
> moved to purely community-built tools, and will take considerable
> protection now that we know that Ft. Meade is in the business
> of hacking end users and companies.
>
> > Considering the consequences, no-one in their right mind would ever
> confirm that they had been approached or received a NSL.
> > Which makes asking the question quite irrelevant.
>
> The question is useful, since it produced this thread.
> As I suggested, if you're not trusting pfSense, you can
> always manually verify the rules generated by it, and
> load it into a pf-speaking device you consider trustable.
>





Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?

2013-10-09 Thread Walter Parker
To answer your question about throwing the first stone. Your question reads
a bit like the "Are you a criminal/commie?" questions. Many people would
object to the question at the start because it implies that the people
being asked the question have done something wrong. Watching the reactions
to political debates shows that asking the question can be enough to get a
sizable amount of the audience to think the answer is yes, even when no
proof is ever given that something happened.

Then when the question was deleted, you demanded that pfSense take a stand
on it.

Let me show you what it looks like from the other side:

Have you planned to overthrow the government? When will you show that you
are not plotting to kill your fellow countrymen?

It is a simple question, when will we hear something from you? I just ask
because I want to be sure that you are not trying to kill me.


For the tool in question, pfSense, once you start questioning it, there is
no way to get to the bottom without either trusting the pfSense people
(which means that the question is pointless because if you trust them,
asking them if they have violated your trust means that you don't trust
them) or getting an external validation (trusting another group of people
or doing the work yourself).

FYI, there is a long history on the Internet of people asking simple
"innocent" questions, not to get actual answers, but to cause trouble by
causing the effect described at the beginning of my email (these are called
trolls).



Walter



On Wed, Oct 9, 2013 at 11:31 AM, Thinker Rix wrote:

> On 2013-10-09 20:22, Jim Thompson wrote:
>
>> On Oct 9, 2013, at 7:13 PM, Thinker Rix  wrote:
>>
>>> Hello Jim!
>>>
>>> On 2013-10-09 19:50, Jim Thompson wrote:
>>>
>>>> IMO, this bullshit thread only serves to assist those asking the
>>>> question in stroking their own ego.
>>>>
>>> This is already the second time that you insult me indirectly.
>>>
>> It’s amusing that you don’t understand that you threw the first stone
>> here.
>>
>
> This is correct. I do not understand where I am supposed to have thrown
> any stones or insult anybody, indeed. If you would like to show me, I would
> really be thankful.
>
>
>>> May I ask again if you are a staff member of Electric Sheep Fencing LLC?
>>>
>> Staff members get paid.
>>
>> I’m a co-owner, and have never taken a dime from ESF (or BSDP).
>>
>> jim
>>
>
> Thank you for the info.
>
> Regards
> Thinker Rix
>
>





Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?

2013-10-09 Thread Walter Parker
Also, per the founder's statements, this was not the first request. He had
"helped" the government with requests for information about other users in
the past...

See the latest Wired/Ars Tech write ups for what was different this time.


Walter


On Wed, Oct 9, 2013 at 1:16 PM, David Ross wrote:

> On 10/9/13 11:56 AM, Thinker Rix wrote:
>
>> 1. Recently they forced the small encrypted-email-service "Lavabit" to
>> comply with them (hand out their SSL-masterkeys & install a "black-box"
>> at their premises). Lavabit did not agree - and they shut him down.
>>
>
> Actually "they" didn't "shut him down". Per news reports and the founder's
> statements.
>
> You can read the details and facts if you want.
>
> David
>
>





Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?

2013-10-09 Thread Walter Parker
But, your initial question was not "What level of security and integrity is
provided by pfSense?" or "How do you judge the safety and security of pfSense?"

Your question was "Has pfSense been compromised by Big Brother?"

In the context of your bank question it reads more like "Have you been
robbed yet?" or "Are you working with crooks?" and not "How safe is my
money?"
For Microsoft it reads "How broken is Word?", not "How good is Word?" Or
closer to the question "Are you in bed with the NSA?", not "How safe are
Word documents from others?"

Most people are happy to engage in questions of the form "Tell us about what
your product does to solve/fix the problem" and consider questions of the
form "Have you sold out to the NSA?" or "How broken is your product?" to be
insulting.

I ask you "How broken are you?" It is a simple question, what is your
response? Do you feel at all insulted by that question?

You seem to be missing the idea that the context of the question matters.
Do some research on the phrase "Have you stopped beating your wife yet?" and
tell me if you would be upset if someone asked you that question.



Walter





On Wed, Oct 9, 2013 at 1:26 PM, Thinker Rix wrote:

> Hi Walter,
>
>
> On 2013-10-09 21:53, Walter Parker wrote:
>
>> To answer your question about throwing the first stone. Your question
>> reads a bit like the "Are you a criminal/commie?" questions. Many people
>> would object to the question at the start because it implies that the
>> people being asked the question have done something wrong. Watching the
>> reactions to political debates shows that asking the question can be enough
>> to get a sizable amount of the audience to think the answer is yes, even
>> when no proof is ever given that something happened.
>>
>
> Interesting what all kinds of different things you do interpret into my
> question.
> By my comprehension I just asked a simple but important question and did
> this quite straight-forwardly.
>
>
>
>> Then when the question was deleted, you demanded that pfSense take a
>> stand on it.
>>
>
> Yes. Censorship always raises questions.
>
>
>> Let me show you what it looks like from the other side:
>>
>> Have you planned to overthrow the government? When will you show that you
>> are not plotting to kill your fellow countrymen?
>> It is a simple question, when will we hear something from you? I just ask
>> because I want to be sure that you are not trying to kill me.
>>
>
> Well, your example neglects one important aspect: pfSense is a kind of
> security software project. Asking it about its level of security and
> integrity is a question that such a project must stand, IMHO. It is like
> asking a bank how safe my money is. Or asking Microsoft how good "Word" is
> for writing letters; while asking me about if I plan to overthrow some
> government or kill other people refers to nothing.
>
>
>> For the tool in question, pfSense, once you start questioning it, there
>> is no way to get to the bottom without either trusting the pfSense people
>> (which means that the question is pointless because if you trust them,
>> asking them if they have violated your trust means that you don't trust
>> them) or getting an external validation (trusting another group of people
>> or doing the work yourself).
>>
>
> I guess for anybody related to computer security it is a must to question
> anything anytime and take nothing for granted. You should question
> everything any time and any player in this domain should accept any
> questions any time, IMHO.
>
>
>> FYI, there is a long history on the Internet of people asking simple
>> "innocent" questions, not to get actual answers, but to cause trouble by
>> causing the effect described at the beginning of my email (these are called
>> trolls).
>>
>
> What trouble do you refer to? I only read some aggressive/ snappy answers
> which - frankly - I find pretty awkward reactions to my simple question.
>
>
> Regards
> Thinker Rix
>





Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?

2013-10-09 Thread Walter Parker
Sorry. I'll stop.


On Wed, Oct 9, 2013 at 1:43 PM, Pim van Stam  wrote:

> All,
>
> Can this flame be put to an end or continued via private mail?
> This endless discussion would be reason for me to unsubscribe and that's
> not the goal of the list I guess.
>
> Regards, Pim
>
>





Re: [pfSense] Alix Update 2.0.3 to 2.1 fails with 11 interfaces (/var full)

2013-10-09 Thread Walter Parker
There is an issue with doing NanoBSD (the embedded image) upgrades from
2.0.X to 2.1 that can cause /var to fill up. The fallout effect of this
causes the interfaces to not come up. If you search the mailing list
archives you will see that it has hit other people and that workarounds are
required to upgrade and save the RRD data.


Walter


On Wed, Oct 9, 2013 at 4:21 PM, Jens Kühnel wrote:

> Hi,
>
> My questions:
>
> Has anyone successfully updated a PFSense on an Alix board with 10 or
> more interfaces (2 phy, 8 VLANs, 1 WAN)?
> Or is anyone running a PFSense 2.1 setup like this successfully?
>
> Reason:
>
> I just upgraded my home firewall from PFSense 2.0.3 to 2.1 (Nano 2G
> Serial) running on an Alix board. Or tried to do it.
>
> The reboot after the update failed. I connected to the serial and
> initiated another reboot only to see that during boot a message says
> something like "/var is full". Another reboot later the rrd is
> automatically cleaned up and the message disappeared, but the content of
> the RRD files is gone as well. Because it is late (1 AM) I booted the
> other slice (with 2.0.3) and restored the config backup from before the
> update. Everything works fine now again.
>
> My next try:
> I will create a virtual machine, restore my 2.0.3 config, update this
> virtual machine from 2.0.3 to 2.1 and restore it into the updated 2.1
> version running on my Alix board. I hope the extended disc space is only
> needed during upgrade. Or does anybody have a better idea?
>
> Thanks for any help.
>
> CU
> Jens
>





Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Walter Parker
As I see it, there are two things that can happen here

1) NSA breaks into pfSense without knowledge of the staff => The only
solution is source code and binary review. This is not an option for people
like Thinker Rix or other non coders. The most likely spot for this to happen is
upstream from the project (in FreeBSD itself, in the libraries that FreeBSD
uses). This will require resources outside of the pfSense project to
validate.

2) NSA forces pfSense to put a backdoor in the software. Tells pfSense to
be quiet about it.

The results of 2) are that either pfSense stays quiet or they tell.
i) If they stay quiet, then the only solution is the same answer as for 1),
independent evaluation.
ii) If they tell, then the project is over as they will be busy fighting
the government. They can be arrested for telling. Depending on the Judge,
anything said or done that tips off someone that the project has an NSL can be
taken as a violation.

What do you expect from the project? That they promise that they have not
been subverted and further promise to tell you when/if they are subverted,
regardless of the personal and financial costs to them?

This is a free project...  What is reasonable to expect from any project
like this?

Once we question trust in the project, the only reasonable course of action
is independent evaluation. Guess what, that is what the Government does
when it evaluates software. In fact, that is one of the NSA's other jobs.
This does, however, make software much more expensive. How do we get a
trusted evaluation of the software?



On Fri, Oct 11, 2013 at 10:46 AM, Thinker Rix wrote:

> On 2013-10-11 12:57, Adrian Zaugg wrote:
>
>> After having read the whole NSA thread on this list, it came up to my
>> mind that pfsense web GUI could declare itself "conform to US laws" upon
>> the point when there are known backdoors included or otherwise the code
>> was compromised on pressure of governmental authorities. It would be the
>> sign for the users to review the code and maybe to fork an earlier
>> version and host it in a free country, where the protection of personal
>> data is a common sense and national security is not so much an issue.
>>
>
> I think that your idea is worth further consideration.
>
> As I just answered to other postings of this thread, by my comprehension
> infiltrating firewall software such as pfSense should be highly interesting
> for NSA, etc. because they would get a grip onto your internal and VPN
> traffic.
> So it should be only a matter of time until they knock on the door at ESF and
> force them to do things they don't like. We all - as a community - should
> think and act pro-actively to that and take appropriate measures to protect
> pfSense, ESF and the key people such as Chris Buechler and his partners
> from this realistic threat in time.
>
> Best regards
> Thinker Rix
>
>





Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Walter Parker
Who would you trust more than ESF? Why, specifically, would you trust
another group of people to be more trustworthy? I admit to having a USA bias,
but for the issue in question, I don't see there being a much better choice.
The UK has less freedoms in this matter. But then this is turning into a
case of "I'm worried about things, here, let's have you [The project] spend
time and money to fix the problem?"

Unless, of course, you are willing to contribute time and money to fixing
this issue. Otherwise this is just an armchair general telling other people
how to run the project.







On Fri, Oct 11, 2013 at 10:41 AM, Thinker Rix wrote:

> On 2013-10-11 16:20, Yehuda Katz wrote:
>
>> Probably would not work (or would get whoever did that thrown in jail).
>> This is similar to a Warrant Canary, but the USDoJ has indicated that
>> Warrant Canaries would probably be grounds for prosecution of violation of
>> the non-disclosure order.
>>
>> - Y
>>
>> On Friday, October 11, 2013, Adrian Zaugg wrote:
>>
>>> Dear all
>>>
>>> After having read the whole NSA thread on this list, it came up to my
>>> mind that pfsense web GUI could declare itself "conform to US laws" upon
>>> the point when there are known backdoors included or otherwise the code
>>> was compromised on pressure of governmental authorities. It would be the
>>> sign for the users to review the code and maybe to fork an earlier
>>> version and host it in a free country, where the protection of personal
>>> data is a common sense and national security is not so much an issue.
>>>
>>> Regards, Adrian.
>>>
>
> Hi Yehuda,
>
> inspired by the keyword you dropped, I researched a little bit and found:
> https://en.wikipedia.org/wiki/Warrant_canary
> It seems that you are correct: What Adrian suggests, is called a Warrant
> canary.
> In the wikipedia article it says that: "The intention is to allow the
> provider to inform customers of the existence of a subpoena passively,
> without violating any laws. The legality of this method has not been tested
> in any court." Is that wrong or in conflict with what you wrote?
>
> In the case that it would indeed be prosecuted in the USA, we could
> consider hosting the project in another country.
> In this case it would be interesting to investigate what needs to be
> hosted elsewhere: The source code versioning control system? The company
> behind pfSense (ESF)?
>
> I guess that the best solution would be to incorporate pfSense itself and
> untie it from ESF. Many other free software projects have done so recently.
> The most prominent example is Libre Office which is now "owned" by the
> Document Foundation (https://en.wikipedia.org/wiki/Document_Foundation).
> The "owned" refers to e.g. the brand name, since the software itself is
> free software, it is not owned by anybody.
>
> So summarizing:
> If pfSense would be incorporated as a foundation at some place (many
> countries would be possible) outside the USA, it could be a solution to
> this I guess.
>
> Regards
> Thinker Rix
>
>
>




Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Walter Parker
Yes, you have been informed correctly. There are more than 2. According to the
World Atlas (http://www.worldatlas.com/nations.htm#.UlhOHVFDsnY) the number
is somewhere between 189 and 196.

But you did not answer the question asked: Name the country that you would
move the project to and why you believe that country would do a better job?

Then because the USA can't be trusted, who is going to replace the
Americans on the project? The name and logo are owned by an American
company. I doubt they want to give them up to a foreign company owned by
non-Americans just to make it harder for the American government to
pressure the project. If the rest of the world wants to fork the project
because of concerns about the US government, fine, but I don't think you
will get buy in from ESF [the American company that owns the rights to the
name pfSense].

Once again, name some names. Who do you consider more trustworthy? Follow
the link, which of the 188-195 countries on that list do you propose to
trust more and why? I'd suggest you pick one that is not already in bed
with the NSA (which includes most of the major western governments, plus some
of the Middle East and Far East governments). But that is me, maybe you
prefer to decide to move first and then figure out where you are going
after you have left (rather than planning where you are going before you
leave).



Walter


On Fri, Oct 11, 2013 at 12:11 PM, Thinker Rix wrote:

> On 2013-10-11 21:20, Walter Parker wrote:
>
>> Who would you trust more than ESF? Why, specifically, would you trust
>> another group of people to be more trustworthy?
>>
>
> The point is not untrusting ESF or anybody else. The point is that ESF is
> based in the USA, a country where the current government can force you to
> do things against your community without having any chance to escape from
> it; they just force you to do so.
> So the point of the whole idea that we evaluate here is: How can we secure
> pfSense from this nasty government so that they can not just force ESF or
> anybody else to comply with them.
>
>
>> I admit to having a USA bias, but for the issue in question, I don't see there
>> being a much better choice. The UK has less freedom in this matter.
>>
>
> As far as I am informed there are some more countries on the globe than
> the USA and the UK...
>
>
>> But then this is turning into a case of "I'm worried about things, here
>> lets have you [The project] spend time and money to fix the problem?"
>>
>> Unless, of course, you are willing to contribute time and money to fixing
>> this issue. Otherwise this just an armchair general telling other people
>> how to run the project.
>>
>
> Seems like a killer argument to me, which is kind of counterproductive in
> such an early stage of an idea/proposition, as this is.
>
> ___
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Walter Parker
Don't be too sure about Switzerland...
https://www.schneier.com/blog/archives/2008/01/nsa_backdoors_i.html

Which talks about a story that was in the German papers in the late '90s:

For half a century, Crypto AG, a Swiss company located in Zug, has sold to
more than 100 countries the encryption machines their officials rely upon
to exchange their most sensitive economic, diplomatic and military
messages. Crypto AG was founded in 1952 by the legendary (Russian born)
Swedish cryptographer Boris Hagelin. During World War II, Hagelin sold
140,000 of his machines to the US Army.

"In the meantime, the Crypto AG has built up long standing cooperative
relations with customers in 130 countries," states a prospectus of the
company. The home page of the company Web site says, "Crypto AG is the
preferred top-security partner for civilian and military authorities
worldwide. Security is our business and will always remain our business."

And for all those years, US eavesdroppers could read these messages without
the least difficulty. A decade after the end of WWII, the NSA, also known
as No Such Agency, had rigged the Crypto AG machines in various ways
according to the targeted countries. It is probably no exaggeration to
state that this 20th century version of the "Trojan horse" is quite likely
the greatest sting in modern history.



On Fri, Oct 11, 2013 at 12:49 PM, Adrian Zaugg  wrote:

>
>
> On 10/11/13 8:20 PM, Walter Parker wrote:
> > Unless, of course, you are willing to contribute time and money to
> > fixing this issue. Otherwise this just an armchair general telling other
> > people how to run the project.
> I don't think it is a problem to find sponsored hosting here in
> Switzerland, for example. Our law protects citizens from governmental
> despotism quite well. National security is not an issue here.
>
> But this is not the question. The question is whether software projects
> hosted in the US are still trustworthy because of the legal situation
> there. If the pfsense community has the opinion that it is too risky,
> then it is time to start acting. Once this point is reached, me and
> others would certainly try to contribute. Most of the people here are
> network specialists and do have their connections to hosting
> possibilities, I think.
>
> Regards, Adrian.
>





Re: [pfSense] Alix Update 2.0.3 to 2.1 fails with 11 interfaces (/var full)

2013-10-11 Thread Walter Parker
So, if I have an ALIX that I would like to upgrade, how much would I have
to increase /tmp and /var by to have the upgrade run to completion without
filling the partitions?


Walter


On Fri, Oct 11, 2013 at 2:25 PM, Jim Pingle  wrote:

> On 10/11/2013 4:58 PM, Jens Kühnel wrote:
> > I'm not a FreeBSD expert, but /dev/md's are memory disks, right?
> > Is there a reason why only 60MB (/var) and 40MB (/tmp) are used?
> > And where are the possibilities to change that? It's not in the fstab!
>
> They are that small because ALIX is the usual NanoBSD target and it only
> has 256MB of RAM so it's a safe low default. NanoBSD wasn't originally
> intended to run on devices with gobs of RAM, but times are a-changin' and
> before long all of the viable new hardware will have >1GB of RAM.
>
> On 2.1 you can adjust the /var and /tmp sizes under System > Advanced on
> the Miscellaneous tab.
>
> It might be possible to auto-scale the sizes with a bit of extra logic
> in rc.embedded if someone wants to take a crack at it.
>
> Jim
>





[pfSense] Interface stops working

2013-11-11 Thread Walter Parker
I have a pfSense 2.0.3 box with 5 interfaces, two of which are on
motherboard ethernet controllers using the NVIDIA nForce4 CK804 MCP9
Networking Adapter chipset.

These two connections connect to the upstream IP (WAN) and to the old IP
space for the local network (LAN).

I've been seeing the connection between the upstream ISP and the WAN go
down (can reach it from the outside world, can't reach the outside world
from it). When this happens, I can get to the box by connecting to a box on the
LAN network and then making a local connection to the LAN interface. If I
ifconfig down the WAN interface and then ifconfig up the WAN interface from
the CLI, it comes back and works just fine.

The first time this happened, a Google search suggested that I was running
out of mbufs (because the error message said no buffers). So I increased
the number of buffers to 128K. The page that I read said that problems
with the mbufs could be due to bad wiring causing excessive packet loss on
the interface.

This time, I did not get a no buffers error message and according to
netstat -m, there were plenty of mbufs.

Any ideas as to why traffic stops on my WAN interface until it is reset? Is
cabling still a good idea or is it likely to be something else?

The system in question is a two proc system with dual core Opteron 280
running on a Supermicro Server Class Motherboard with 4GB of ECC RAM.

Walter
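The post's first diagnosis ("no buffers", plenty of mbufs the second time) is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from the post or from pfSense: it parses the output of FreeBSD's `netstat -m` and reports whether the mbuf cluster pool was actually exhausted (requests denied), under pressure (requests delayed or the pool near its cap), or fine. The SAMPLE text is constructed here and modelled on the FreeBSD 8/9 `netstat -m` layout; the 0.90 high-water mark is an arbitrary threshold chosen for the example.

```python
"""Check FreeBSD `netstat -m` output for signs of mbuf exhaustion.

Added example; not code from pfSense or from the original post. The SAMPLE
text is constructed here, modelled on the FreeBSD 8/9 `netstat -m` layout.
Run it on a live box with:  netstat -m | python3 check_mbufs.py
"""
import re
import sys

# Constructed sample: the cluster pool is at its cap and some requests were
# denied, which is the "no buffers" condition the post describes.
SAMPLE = """\
1025/1270/2295 mbufs in use (current/cache/total)
25500/100/25600/25600 mbuf clusters in use (current/cache/total/max)
1024/512 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
51256K/517K/51773K bytes allocated to network (current/cache/total)
0/37/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/12/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters delayed (4k/9k/16k)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
"""

CLUSTERS_RE = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+) mbuf clusters in use")
DENIED_RE = re.compile(r"^(\d+)/(\d+)/(\d+) requests for mbufs denied")
DELAYED_RE = re.compile(r"^(\d+)/(\d+)/(\d+) requests for mbufs delayed")


def parse_netstat_m(text):
    """Pull out the counters that matter for an 'out of buffers' diagnosis."""
    stats = {"denied": 0, "delayed": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = CLUSTERS_RE.match(line)
        if m:
            cur, cache, total, cap = map(int, m.groups())
            stats.update(clusters_current=cur, clusters_total=total,
                         clusters_max=cap)
            continue
        m = DENIED_RE.match(line)
        if m:
            stats["denied"] = sum(map(int, m.groups()))
            continue
        m = DELAYED_RE.match(line)
        if m:
            stats["delayed"] = sum(map(int, m.groups()))
    return stats


def diagnose(stats, high_water=0.90):
    """'exhausted' if any request was denied; 'pressure' if requests were
    delayed or the cluster pool sits above high_water of its cap; else 'ok'.
    An 'ok' verdict while the link is still dead points away from mbufs
    (driver or cabling instead)."""
    if stats["denied"] > 0:
        return "exhausted"
    cap = stats.get("clusters_max", 0)
    usage = stats.get("clusters_total", 0) / cap if cap else 0.0
    if stats["delayed"] > 0 or usage >= high_water:
        return "pressure"
    return "ok"


if __name__ == "__main__":
    # Interactive run: use the constructed sample; piped run: read netstat -m.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    s = parse_netstat_m(text)
    print("clusters %s/%s denied=%d delayed=%d -> %s" % (
        s.get("clusters_total"), s.get("clusters_max"),
        s["denied"], s["delayed"], diagnose(s)))
```

Raising the cluster cap (kern.ipc.nmbclusters in loader.conf) only helps when the denied or delayed counters are non-zero; if they stay at zero across a stall, as in the second episode above, the interface driver or the cabling is the better suspect.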


[pfSense] Multi-WAN network access

2013-12-04 Thread Walter Parker
Hi,

I've got a pfSense router with a WAN connection that has 4 interfaces:

WAN - A 200 Mbps connection. This is on a /20 subnet and the other side is
the default route.
LAN - This is a static routed /24 network from the company providing the
200 Mbps WAN connection.
COMCAST - This is a static routed /28 network from Comcast.

I set the WAN interface with a route back to Provider A, and the COMCAST
interface with a route back to the Comcast gateway address. I created two
gateway groups, one that has the WAN network as Tier1 and COMCAST as Tier2, and
another that has COMCAST as Tier2 and the WAN network as Tier2. The
instructions on the wiki say firewall rules must be changed to use
these groups rather than the system routing. I tried changing the allow all
rule to use the gateway group (rather than the default of *), but this
didn't seem to route packets out the COMCAST link when the WAN link was
down.

I did a little bit of testing: I used the ping test and was able to ping
the outside world when using WAN as the interface, but when I changed the
interface to COMCAST, I could only ping the Comcast gateway (as if the
packets would not route). From an external host, I was able to do an ICMP
ping to the COMCAST interface, but was not able to do a UDP ping or make a
TCP connection.

Questions:

I think I missed a step in the whole "add a firewall rule for the gateway
group" process, which seems more like a "solution left as an exercise for the
reader". What do I need to do to get gateway groups working on the firewall?

When using ping, when I pick the interface, does it work like a Cisco,
where the source IP is the interface address and the next hop router would
be the interface's router, in this case the Comcast gateway?

When I have squid running and bound to the LAN interface, I'd like the system
to use whichever WAN/COMCAST interface is currently up and working. I want
that to be the WAN interface unless it is down.

When the WAN interface is down, I'd like to be able to ssh/https to the
COMCAST interface address to see what is going wrong. Can I set up the
system to work like this?


Thank you for any ideas as to what I might have done wrong,


Walter








Re: [pfSense] Bug in DynDNS notification sequence

2013-12-06 Thread Walter Parker
You don't need to open your rule set to allow everyone on the internet to
ping any address. Just allow the HE broker subnet to ping any address in
the tunnel subnet.
On Dec 5, 2013 11:51 PM,  wrote:

>
> Hello list,
>
> The DynDNS logic seems to work in this wrong order:
>
>   1 Figure out the new public IP address for the interface
>   2 Send notifications to DynDNS targets (services_dyndns.php)
>   3 Change the interface database entry IP in firewall tables
>
> GRITTY DETAILS
>
> Please see
> http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker#Enable_ICMP
>
>   Assuming a monitored interface 'WAN' with IP 1.2.3.4
>   Assuming a firewall rule 'only pass ICMP to WAN's address'
>   Assuming a DynDNS entry of type 'HE.net Tunnelbroker'
>   Assuming that 'WAN's IP now changes to 22.44.66.88
>
> ...a notification is sent to the HE.net Tunnelbroker using
> the specified HTTP POST to ipv4.tunnelbroker.net/nic/update
> which immediately sends ICMP requests to the new IP 22.44.66.88.
> PFSense blocks these ICMP requests because they don't match the
> rule 'block all ICMP to WAN except 5.6.7.8'
>
> WHY ARE THESE VALID ICMP REQUESTS BLOCKED?
>
> Because PFSense has not yet updated the 'WAN' alias to the new
> IP 22.44.66.88 in the firewall tables. This happens a short time
> later, too late to satisfy Tunnelbroker's link inspection logic.
>
> And that's the bug that keeps Tunnelbroker from working for some.
> The proof is in the logs:
>
>   php: rc.newwanip: phpDynDNS: PAYLOAD: -ERROR: IP is not ICMP
>   pingable.  Please make sure ICMP is not blocked.  If you are
>   blocking ICMP, please allow 66.220.2.74 through your firewall.
>
> ...by the way, when clicking 'Save' or 'Save & Force Update' in
> the HE.net Tunnelbroker PHP interface 'services_dyndns_edit.php',
> the WAN IP is correctly changed in the firewall tables before
> notifying HE.net, so the procedure works correctly then.
>
> (SUCKY) WORKAROUND
>
> Just allow ICMP to any IP address in the firewall rules for WAN.
>
> Regards,
> Michael
>
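The sequence Michael describes is an ordering bug between two consumers of the same fact (the new WAN address): the dynamic-DNS client acts on it before the firewall's address alias does, and the broker's probe falls into the gap. The model below is an added example, not pfSense code: a toy first-match packet filter with named aliases, run through the new-IP sequence in both orders and with both rule shapes (Michael's "ICMP only to the WAN address" rule and Walter's suggestion, modelled here as a pass rule keyed on the broker's source address). The addresses reuse the post's 1.2.3.4 -> 22.44.66.88 change and the prober 66.220.2.74 quoted from the log line; the rule and packet structures are simplifications.

```python
"""Model of the ordering bug in the post: the firewall's 'WAN address'
alias is refreshed *after* the dynamic-DNS client has told the tunnel
broker about the new address, so the broker's ICMP probe is matched
against the stale alias and dropped.

Added example, not pfSense code: a toy first-match packet filter with
named aliases. Addresses reuse the post's 1.2.3.4 -> 22.44.66.88 change
and the prober 66.220.2.74 quoted from the log line.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp", ...


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # literal address or alias name
    dst: Optional[str] = None       # literal address or alias name


@dataclass
class Firewall:
    rules: List[Rule]
    aliases: Dict[str, str] = field(default_factory=dict)

    def resolve(self, value: str) -> str:
        """Aliases such as WAN_ADDR resolve to whatever the table holds now."""
        return self.aliases.get(value, value)

    def filter(self, pkt: Packet) -> str:
        """First matching rule wins; default deny, as on a WAN interface."""
        for r in self.rules:
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if r.src is not None and self.resolve(r.src) != pkt.src:
                continue
            if r.dst is not None and self.resolve(r.dst) != pkt.dst:
                continue
            return r.action
        return "block"


HE_PROBER = "66.220.2.74"   # address named in the post's error payload


def wan_ip_change(fw: Firewall, new_ip: str, alias_first: bool) -> str:
    """Simulate the new-WAN-IP sequence and return the probe's verdict.

    Notifying the broker makes it probe the new address immediately; the
    alias table is refreshed either before (alias_first=True) or after
    that notification, the latter being the order the post reports."""
    if alias_first:
        fw.aliases["WAN_ADDR"] = new_ip
    probe = Packet(src=HE_PROBER, dst=new_ip, proto="icmp")
    verdict = fw.filter(probe)
    if not alias_first:
        fw.aliases["WAN_ADDR"] = new_ip    # too late for the probe above
    return verdict


# The rule from the post: ICMP only to the WAN address alias.
DST_ALIAS_RULES = [Rule("pass", proto="icmp", dst="WAN_ADDR")]

# Walter's suggestion, modelled as a pass rule keyed on the broker's source
# address; its verdict does not depend on the alias being current.
SRC_SCOPED_RULES = [Rule("pass", proto="icmp", src=HE_PROBER)]


def demo() -> Dict[tuple, str]:
    """Run both rule shapes through both orderings; return the verdicts."""
    results = {}
    for name, rules in (("dst=WAN_ADDR", DST_ALIAS_RULES),
                        ("src=broker", SRC_SCOPED_RULES)):
        for alias_first in (False, True):
            fw = Firewall(rules=rules, aliases={"WAN_ADDR": "1.2.3.4"})
            results[(name, alias_first)] = wan_ip_change(fw, "22.44.66.88",
                                                         alias_first)
    return results


if __name__ == "__main__":
    for (name, alias_first), verdict in demo().items():
        order = "alias refreshed first" if alias_first else "broker notified first"
        print("%-13s %-22s -> %s" % (name, order, verdict))
```

The point the model makes is that only the destination-alias rule is sensitive to the ordering; a rule scoped by the broker's source address passes the probe in either order, which is why it is a tighter fix than opening ICMP from anywhere.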


[pfSense] Multiple routing tables

2013-12-11 Thread Walter Parker
I've been asked if pfSense has multiple routing tables. Specifically, there
is a kernel option in FreeBSD:

  options ROUTETABLES=2

Which enables you to set up a second routing table for a second interface.

Does pfSense use multiple ROUTETABLES? If not, why not, and does the
existing policy based routing support the same features (the ability to
pick which routing table/interface is used for sending outbound traffic)?


Walter




[pfSense] MultiWAN with SSH

2013-12-12 Thread Walter Parker
Hi,

I have a pfSense box with multiple WAN connections (one on TW and one on
Comcast).
I appear to have got MultiWAN working for outbound traffic, in that
I can ping/traceroute from either interface and the traffic routes out and
comes back.

But inbound traffic only appears to work if it comes into the TW interface
and not the Comcast interface.
I have a rule on the TW interface that allows all traffic.
I have a rule on the Comcast interface that allows all traffic, with the
destination of Comcast net and the Gateway set to COMCASTGW.

I can ping the Comcast interface address.
But any attempts to connect to the Comcast interface address fail.
However, I did see a few log file entries of the form

IF       Source      Dest           Proto
COMCAST  ExternalIP  ComcastIP:13   TCP:S

Where ExternalIP is an outside host running SSH, ComcastIP is the IP of the
Comcast interface (and 13 is where SSHD is bound to). I got no response
back to the client.

I then tried telnet ComcastIP 111 and got the same result.

What do I need to do to get the firewall to use the COMCASTGW for responses
to packets sent to the COMCAST interface?


Walter


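The symptom in this post (SYNs logged as passed on the COMCAST interface, no reply reaching the client) is what asymmetric return routing looks like: the reply is generated with the COMCAST address as its source but leaves via the system default route through TW. In pf the fix is `reply-to`, which pins replies for a state to the gateway of the interface the first packet arrived on; pfSense adds it to rules on interfaces that have a gateway unless that behaviour is disabled under System > Advanced. Setting the rule's Gateway field, as the post does, is `route-to`: it policy-routes the matched inbound packet, not the reply. The code below is an added example, not pfSense or pf code, that models both behaviours. Interface and gateway names follow the post; the addresses are constructed from TEST-NET ranges, and the model assumes each upstream forwards only packets sourced from its own delegated prefix. It does not attempt to explain why ICMP got through in the post.

```python
"""Model of why a second WAN answers pings but not TCP/UDP connections:
a reply to a packet that arrived on COMCAST leaves via the system default
route (TW) unless the state entry remembers the ingress gateway, which is
what pf's reply-to does.

Added example, not pfSense or pf code. Interface and gateway names follow
the post; the addresses are constructed (TEST-NET ranges). The model assumes
each upstream forwards only packets sourced from its own delegated prefix,
so a COMCAST-sourced reply sent via TW is dropped.
"""
from typing import Dict, Optional, Tuple

# Constructed topology: default route via TW, a second provider on COMCAST.
INTERFACES = {
    "TW":      {"addr": "203.0.113.10", "gw": "203.0.113.1"},
    "COMCAST": {"addr": "198.51.100.10", "gw": "198.51.100.1"},
}
DEFAULT_ROUTE = ("TW", INTERFACES["TW"]["gw"])

# Assumption: each gateway carries only packets sourced from its own prefix.
ACCEPTED_SOURCE = {
    INTERFACES["TW"]["gw"]:      INTERFACES["TW"]["addr"],
    INTERFACES["COMCAST"]["gw"]: INTERFACES["COMCAST"]["addr"],
}

StateKey = Tuple[str, str, int]


class StateTable:
    """Minimal stateful-filter state table with optional reply-to."""

    def __init__(self, reply_to: bool):
        self.reply_to = reply_to
        self.states: Dict[StateKey, Optional[Tuple[str, str]]] = {}

    def inbound(self, iface: str, src: str, dport: int) -> StateKey:
        """A packet arrives on `iface` and creates a state. With reply-to the
        state records the ingress interface and its gateway for replies."""
        key = (src, INTERFACES[iface]["addr"], dport)
        self.states[key] = (iface, INTERFACES[iface]["gw"]) if self.reply_to else None
        return key

    def reply_route(self, key: StateKey) -> Tuple[str, str]:
        """reply-to override if the state has one, else the default route."""
        return self.states[key] or DEFAULT_ROUTE


def connection_succeeds(reply_to: bool, ingress: str = "COMCAST") -> bool:
    """A client on the internet connects to the `ingress` address on port 22.
    Returns True if the SYN/ACK leaves through a gateway that will carry it."""
    table = StateTable(reply_to)
    key = table.inbound(ingress, src="192.0.2.50", dport=22)
    _out_iface, next_hop = table.reply_route(key)
    reply_src = INTERFACES[ingress]["addr"]   # reply is sourced from the address hit
    return ACCEPTED_SOURCE[next_hop] == reply_src


if __name__ == "__main__":
    for rt in (False, True):
        print("reply-to %s: ssh to the COMCAST address %s" % (
            "on " if rt else "off",
            "works" if connection_succeeds(rt) else "times out"))
    print("reply-to off: ssh to the TW address %s" % (
        "works" if connection_succeeds(False, "TW") else "times out"))
```

The TW case works in both modes because the default route already points at TW's gateway; only the non-default WAN needs the per-state override.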


Re: [pfSense] is it possible to rename gateways in 2.1 release AMD64?

2014-01-07 Thread Walter Parker
Once you create a gateway, you cannot rename it from the GUI. I had to
delete and re-create my gateway in order to rename it.


On Tue, Jan 7, 2014 at 12:02 PM, Matthias May  wrote:

> Am 07.01.2014 20:52, schrieb Joe Landman:
>
>  Hi folks:
>>
>>   I am trying to match a spec we've been given as precisely as possible.
>>  I can't rename the gateways from the web interface.  Is it possible to
>> rename them from hand editing the config.xml file? or some other method?
>>
>>   Thanks!
>>
>> Joe
>>
> Not sure I follow.
> What is not working with:
> Click on the "System --> Routing --> Gateways" on the "e" button next to
> the gateway you want to change the name of.
> Set the name you want in the "Name" field.
>
> Regards
> Matthias May
>
>





Re: [pfSense] WAN not accepting traffic

2014-01-14 Thread Walter Parker
By default, PFSense blocks WAN to LAN traffic. If you want WAN to LAN
traffic, you will need to allow it (add rules on both the WAN and LAN
sides). But you might want to notice something else. If PFSense is
operating as a straight up router where you don't want NATing of the LAN
packets, then you will need to disable NAT. By default, it is auto-enabled
for the LAN side. This is what often prevents the "LAN" side from being
seen by the WAN side. If you don't want any "firewall" style rules, just
routing, you can turn off all the firewall rules from one of the advanced
options.

You need to decide how you want to use PFSense inside the network. I'd make
sure that there is only one NAT router on the network: use the router that
has the actual "real-world IP" connection. Don't NAT on the other routers
and life will be much easier.


Walter


On Tue, Jan 14, 2014 at 9:40 AM, Brian Caouette  wrote:

> Confirmed, but as I said it's the WAN blocking external traffic from what I
> see.
>
> Brian
>
>
> On 1/14/2014 12:04 PM, Robert Pickett wrote:
>
>> I would start off by checking the firewall section of pfSense to make
>> sure that the LAN has a default allow statement. It should say something
>> like LAN -> any or something like that.
>>
>> -Robert
>>
>> On 1/14/2014 8:53 AM, Brian Caouette wrote:
>>
>>> I've downloaded Pfsense Live 2.1 and installed it on an old machine
>>> with two nics. The pf machine can ping internally and externally with no
>>> issues. I was able to jump to shell and telnet out to a bbs I'm part of.
>>> Now on the LAN nothing works except the pf web management screen. I have
>>> looked at the logs and it shows all blocked packets for incoming on the
>>> WAN. I went a step further and created a rule to allow all traffic on the WAN
>>> to no avail. My network is as follows:
>>>
>>> Cable Modem -> Linksys AP -> PF.
>>>
>>> Yes I know its a little backwards but it should still work as I also
>>> have another ap feeding off the Linksys for a different zone in our house
>>> with no issues.
>>>
>>> Any idea why the PF lan does not work? Yes I did disable the option to
>>> disable private addresses since pf is behind another router with a private
>>> ip.
>>>
>>
>>
>
>





Re: [pfSense] WAN not accepting traffic

2014-01-14 Thread Walter Parker
From the PFSense UI, select Firewall->NAT. Then click on the Outbound tab.
Then select the Manual Outbound NAT rule generation radio button (this
turns off Automatic outbound NAT rule generation). Then delete/deactivate the
mapping that has your LAN network as a source. This is what is messing up
your routing of packets from the linksys to the LAN side of the PFSense
router. The option you turned off stops spoofing attacks on a router and
turning it off is required when routing private networks, but does not do the
whole job (you also need to disable NATing to complete the job).




Walter



On Tue, Jan 14, 2014 at 10:01 AM, Brian Caouette  wrote:

> The pf wan port is plugged into my Linksys ap so it is already behind
> nat, hence the reason I unchecked the option under the interface tab to
> block reserved ips. I see no reason to use nat again. I'm open to
> recommendations as to the easiest solution. Pretty sure I did create a rule
> to allow all traffic on both lan and wan. I will confirm as soon as I have
> access to the machine again. I do see several options for nat. I think I did
> uncheck the option to disable it but nothing changed. If you can give me a
> step by step what to check / uncheck, etc... To recap my setup is:
>
> Cable Modem (public ip with a 192.168.100.1 management port -> Linksys AP
> dhcp to modem 192.168.100.1 lan ip with all connected pc's in this range
> including -> PF 192.168.100.20 and pf lan of 192.168.1.1 of which is dhcp
> assigns my laptop .101 when plugged in.
>
> Brian
>
>

Re: [pfSense] WAN not accepting traffic

2014-01-14 Thread Walter Parker
You might check the DNS settings on the PFSense router itself to make sure
that it has valid IP addresses for DNS servers. Also check on the override
flags (and maybe add a rule for 53 DNS traffic).


Walter


On Tue, Jan 14, 2014 at 4:47 PM, Brian Caouette  wrote:

>  I think we've made progress. Things in management that didn't work are
> now working. Before it was not able to do a ping or tracert and now they
> do. I think the issue is dns related now because Windows 8 laptop reports a
> dns error. Also the dns lookup in management doesn't give me any results.
> So for whatever reason its not being passed to the lan.
>
>

Re: [pfSense] WAN not accepting traffic

2014-01-14 Thread Walter Parker
If the WAN interface is set to DHCP, then I think there is an option to
override/not override the DNS server addresses from the DHCP server. Check
that. Check that the rule passes TCP&UDP. When I've had this problem
before, I also checked from the shell, but then again, I'm an old-time FreeBSD
user, so I don't fear the CLI (check /etc/resolv.conf).


Walter


On Tue, Jan 14, 2014 at 5:26 PM, bri...@dlois.com  wrote:

> It has 8.8.8.8 & 8.8.4.4
>
> What do you mean by override? Where is that located? As for a rule for 53,
> I have one in there to allow all. Wouldn't that cover it?
>
> Sent from my HTC
>
>

Re: [pfSense] Fwd: lighttpd errors

2014-03-23 Thread Walter Parker
You could try installing a packet sniffer and watching the traffic.


Walter


On Sun, Mar 23, 2014 at 2:38 PM, Brian Caouette  wrote:

>  How can this happen with only two computers powered up on the lan? Any
> way to get more details?
>
>
> On 3/19/2014 7:58 AM, Brian Caouette wrote:
>
>
>
>
> Original Message
> Subject: lighttpd errors
> Date: Thu, 13 Mar 2014 12:34:37 -0400
> From: Brian Caouette
> To: pfSense support and discussion
>
> Any idea why I would have this?
>
> Mar 13 09:43:13 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:12 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
> Mar 13 07:27:01 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
> Mar 13 07:26:59 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
> Mar 13 07:26:59 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
> Mar 13 07:26:59 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
> Mar 13 07:26:59 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
> Mar 13 07:26:58 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
> Mar 13 07:26:46 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
> Mar 13 07:26:46 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
> Mar 13 07:26:46 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
>
>
>
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

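Before installing a sniffer, the log lines themselves can already answer "who, how often, and in what bursts". The following is an added example, not code from the list post or from pfSense or lighttpd: it parses mod_evasive rejection lines (lighttpd logs this message when a client holds more than evasive.max-conns-per-ip concurrent connections), counts rejections per client and flags bursts per source address. The log text is constructed to match the shape of the lines quoted above, BSD syslog timestamps carry no year so one is assumed, and the window and threshold values are assumptions to tune.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the mod_evasive lines quoted in the thread
# (not a capture from a real system). The last line is noise that must be ignored.
SAMPLE_LOG = """\
Mar 13 09:43:13 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
Mar 13 09:43:12 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
Mar 13 09:43:10 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.30 turned away. Too many connections.
Mar 13 07:27:01 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
Mar 13 07:26:59 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
Mar 13 07:26:46 lighttpd[58752]: (mod_evasive.c.183) 192.168.1.40 turned away. Too many connections.
Mar 13 07:20:00 lighttpd[58752]: (log.c.166) server started
"""

# Only mod_evasive rejections match; anything else from lighttpd is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"lighttpd\[(?P<pid>\d+)\]: \(mod_evasive\.c\.\d+\) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) turned away\."
)


def parse_evasive(text, year=2014):
    """Yield (datetime, client_ip) for every mod_evasive rejection line.
    BSD syslog timestamps have no year, so the caller supplies one (assumed)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def rejections_per_ip(text):
    """Total rejections per client address."""
    return Counter(ip for _, ip in parse_evasive(text))


def bursts(text, window_s=10, threshold=3):
    """Return {ip: [(first_seen, count), ...]} for runs of at least `threshold`
    rejections of one client inside a `window_s`-second span. Lines may arrive
    newest-first (as in the quoted log), so timestamps are sorted first."""
    by_ip = defaultdict(list)
    for ts, ip in parse_evasive(text):
        by_ip[ip].append(ts)
    found = {}
    for ip, times in by_ip.items():
        times.sort()
        hits, i = [], 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                hits.append((times[i].strftime("%b %d %H:%M:%S"), j - i + 1))
                i = j + 1  # events already counted do not seed a second burst
            else:
                i += 1
        if hits:
            found[ip] = hits
    return found


if __name__ == "__main__":
    print(rejections_per_ip(SAMPLE_LOG))
    print(bursts(SAMPLE_LOG))
```

Four rejections of 192.168.1.30 inside three seconds is the kind of pattern worth correlating with a packet capture from that host; a handful spread over fifteen seconds, as for 192.168.1.40 in the sample, is more typical of a browser opening many parallel connections to the web GUI.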
Re: [pfSense] Sending logs to external server

2014-03-24 Thread Walter Parker
From the status menu, select System Logs.
From the system logs page, click on Settings.
Scroll down to Remote Logging Options.

Enable Remote Logging.
For the remote syslog servers, enter the address of your syslog server (any
Linux or FreeBSD server running a copy of syslog that will take outside
logging).
It will send all of the system logs to the syslog host.

Note, squid is an application/package and its log files will not be
included. Either the squid config will have to be changed, or you could try
using rsync to copy the logs.


Walter



On Mon, Mar 24, 2014 at 12:13 PM, A Mohan Rao  wrote:

> Please guide me how u do this on pfsense firewall
>
> . We've already managed to block one user who lives in close proximity for
> stealing internet (500MB of Youtube videos in less than 3 hours during a
> very busy time of day*)
>
> Thnx
> Mohan
> On Mar 25, 2014 12:14 AM, "Ryan Coleman"  wrote:
>
>> Now that I have the network stable (thank you so much!) I have another
>> task I need/want to accomplish:
>>
>> Does anyone have recommendations or suggestions for off-loading log files
>> at the end of the day to another server? Specifically I'm wanting the
>> system log and the squid logs sent out and rotated afterwards. We've
>> already managed to block one user who lives in close proximity for stealing
>> internet (500MB of Youtube videos in less than 3 hours during a very busy
>> time of day*) but I would like to set up something that crawls through the
>> raw files automatically every night and report back via email.
>>
>> I can write the script to crawl the data - that's not a problem - it's
>> just that the ALIX board is not powerful enough to handle the needs I have.
>>
>> Thanks again,
>> Ryan
>>
>> * I still have a few stages to hit on the deployment but that user will
>> eventually be unblocked. We had to rollback the throttling configuration
>> while we were having stability issues. Right now we're at 60 hours and
>> counting and I plan to re-implement that limiter tomorrow morning.
>>
>




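What the syslog host receives from that setting is plain BSD syslog over UDP. The following is an added example, not code from the list post or from pfSense or any syslog daemon: a parser for the datagram format (PRI, timestamp, host, tag, optional PID, message), a source allow-list, and a minimal UDP listener built on them. The datagrams are constructed, the firewall address 192.168.1.1 and the bind address and port are assumptions, and the tag names are illustrative only.

```python
import re
import socket

# Constructed sample datagrams in the BSD syslog (RFC 3164) shape that
# pfSense's remote logging sends: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SAMPLE_DATAGRAMS = [
    b"<38>Mar 24 12:13:01 pfsense sshd[1234]: Accepted publickey for admin from 192.168.1.5 port 50122 ssh2",
    b"<134>Mar 24 12:13:02 pfsense check_reload_status: Reloading filter",
    b"garbage that is not syslog",
]

# PRI = facility * 8 + severity; facility codes 0-23, severity codes 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    rb"(?P<host>\S+) "
    rb"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    rb"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(datagram):
    """Parse one BSD syslog datagram into a dict, or return None if malformed."""
    m = SYSLOG_RE.match(datagram)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m["ts"].decode("ascii"),
        "host": m["host"].decode("ascii", "replace"),
        "tag": m["tag"].decode("ascii", "replace"),
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"].decode("utf-8", "replace"),
    }


def accept(datagram, src, allowed):
    """Parse only datagrams whose source address is on the allow-list.
    UDP syslog is unauthenticated, so this is hygiene on the log host in
    addition to the firewall rule, not a substitute for it."""
    if src not in allowed:
        return None
    return parse_syslog(datagram)


def serve(allowed=("192.168.1.1",), bind="0.0.0.0", port=514, sink=print):
    """Listen for syslog datagrams and hand accepted records to `sink`.
    Port 514 needs root; bind to the interface facing the firewall in practice."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (src, _) = s.recvfrom(65535)
            rec = accept(data, src, allowed)
            if rec is not None:
                rec["src"] = src
                sink(rec)


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(accept(d, "192.168.1.1", ("192.168.1.1",)))
```

The allow-list stops off-path noise and mistakes, but a spoofed source address passes it, so anything that must be trustworthy (the squid logs mentioned above, for example) is better moved with rsync over SSH as Walter suggests, or with a syslog transport that runs over TCP with TLS.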
Re: [pfSense] RDP port forward based on destination name.

2014-03-27 Thread Walter Parker
That's what I would recommend. The VPN can serve as a second gateway to
protect the RDP from the outside world, so you could pitch this solution as
higher security method of network access.


Walter


On Thu, Mar 27, 2014 at 1:09 PM, compdoc  wrote:

> > I'm not very familiar with TMG from Microsoft but a client I am helping
> migrate
>
> >to pfsense from TMG has asked me if they'll be able to use the RDP port
> forward
>
> >in the same way as TMG handles it.
>
> It will be interesting to hear if someone knows a way to do what you want,
> but I do it differently: using an ipsec vpn, I just enter the ip address or
> dns name of the host on the remote lan and I'm connected. I hate forwarding
> individual RDP ports.
>
>
>
>
>
>




Re: [pfSense] RDP port forward based on destination name.

2014-03-28 Thread Walter Parker
The big problem that I see is that people want to do networking based on
hostnames rather than IP addresses, such as how named virtual hosting works
on Apache. But the problem is that the hostname is translated to an IP
address on the client side and the only thing the server sees is the IP
address that the client used to connect. Apache knows what hostname was used
because the browser sets an HTTP header that has the hostname. This was an
after-the-fact addition to the HTTP standard to allow for lots of websites
on one IP address. A few years ago TLS was extended to allow for the same
thing to happen w.r.t. HTTPS web sites. To allow this on other internet
protocols will require that both the clients and servers be upgraded to pass
the hostname as a parameter (worse, not all protocols were designed to allow
for this to be done in a backwards compatible fashion), which is now much
more of an issue with a billion users than it was in the mid 90's with only
a few million users.

I'd love it if there was a simple solution, but I don't see one that would be
compatible with today's internet. Much of the original design of the
internet was for a 1 to 1 mapping of IP addresses, rather than a 1 to many
mapping (which is why there is usually a lack of a disambiguation field in
the protocol).


Walter




On Fri, Mar 28, 2014 at 7:54 AM, greg whynott wrote:

> thanks for all the suggestions folks!   While very niche and sure not to
> be a wildly popular function,  it would be nice to see,
> "policy-routing/nating" based on matching an ACL which can make decisions
> based on data from the higher layers.
>
> his set up is one comprised solely of virtual hosts and networks
> (excluding the router/firewall which run on its own hardware) under an ESX
> environment.  They have about 12 customers and each has VMs and their own
> L2 network and hosts.
>
> For now it looks as if the jump host will be the best go.   Have one set
> up where all the clients connect to and based upon who they log in as, it will
> determine what they see/have access to.
>
> The VPN idea is a good one but they would rather not add more gears to the
> machine which may generate support issues.
>
>
> thanks again and have a great weekend,
> greg
>
>
>
>
> On Thu, Mar 27, 2014 at 6:37 PM, Jonathan Bainbridge  > wrote:
>
>> Remote Desktop Gateway, built into Windows 2008 and 2012. Put it behind
>> the pfSense, port forward the rdp port to the RDG. It authenticates the
>> user and the user can connect to any internal machine.
>> In the Remote Desktop Connection you can enter the information for the
>> RDG. Protect using an SSL on the RDG.
>> Bonus, you can also setup Remote Desktop Web Services so you can have
>> programs on Terminal Services available... Note, that part DOES require IE.
>> On Mar 27, 2014 2:37 PM, "greg whynott"  wrote:
>>
>>> Hello,
>>>
>>> I'm not very familiar with TMG from Microsoft but a client I am helping
>>> migrate to pfsense from TMG has asked me if they'll be able to use the RDP
>>> port forward in the same way as TMG handles it.
>>>
>>>
>>> Apparently there is a function within TMG which acts similar to named
>>> based virtual web hosts,  where it parses the DNS name from the request and
>>> makes a forwarding decision based on that bit of information.
>>>
>>> For example,  the firewall only has 1 public IP facing the internet.
>>>
>>> if you RDP to: you'll land on the internal server:
>>>
>>> host1.foo.com  10.101.1.2
>>> host2.foo.com  10.101.3.4
>>> host3.foo.com  10.101.1.8
>>>
>>>
>>> host1,2 and 3 all resolve to the same public IP.  And we are not
>>> specifying ports.
>>>
>>> That is the behaviour he is hoping to achieve,  where he can RDP to
>>> various internal machines without referencing ports.
>>>
>>>
>>> Sound do-able?If pfsense can not do this,  are you aware of anything
>>> out there that can aside from TMG?
>>>
>>> -g
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>




[pfSense] Packages didn't install after upgrade from 2.0 to 2.1.1

2014-04-07 Thread Walter Parker
I upgraded my ALIX system running 2.0 to 2.1.1. The base upgrade appeared
to go fine, I got the screen that said the system was upgrading all of the
packages, but after the system restarted, none of the packages on the old
system were listed as installed on the new system.

But the service screen shows the old packages and the menus still have menu
items for the old packages (clicking on one causes a PHP error). Installing
the package from the package manager menu does work and the package then
starts working (but in the case of vnstat2, it now appears in the menu
twice).

What do you recommend I do to fix the problem between what packages used to
be installed and what is currently installed?





Re: [pfSense] Network Traffic Monitoring w/o Webgui

2014-04-07 Thread Walter Parker
I'd expect that you should be able to enable SNMP, set a non default
password (please don't use public) and add a firewall rule to allow UDP on
port 161 to/from your mrtg server. I'd recommend using Cacti as your mrtg
server (if you want a FOSS solution).


Walter


On Mon, Apr 7, 2014 at 10:23 AM, Brian Caouette  wrote:

> What about using mrtg to graph the various interfaces? Does PF support
> this?
>
>
> On 4/7/2014 12:54 PM, Jim Pingle wrote:
>
>> On 4/7/2014 12:29 PM, James Caldwell wrote:
>>
>>> Happy Monday list...
>>>
>>> Does anyone have a preferred way of monitoring over all traffic
>>> throughput for various interfaces via shell/putty instead of having to
>>> remain logged in to the webgui?  I have several alix based appliances that
>>> have had their ISP connections upgraded and I am trying to remain outside
>>> the web interface as much as possible due to the load that it puts on the
>>> system.
>>>
>>> Any thoughts or experience is appreciated.
>>>
>> The "iftop" package is great for this.
>>
>> Install it from the GUI and then from the shell run it like so:
>>
>> iftop -nNpPi vr0
>>
>> (Serving suggestion, salt to taste)
>>
>> Jim
>>
>




Re: [pfSense] Network Traffic Monitoring w/o Webgui

2014-04-07 Thread Walter Parker
Sorry,

FOSS = Free/Open Source Software (what MRTG, Linux, FreeBSD, pfSense are,
as different from what Microsoft or HP sell)

Cacti is a web based system, from http://www.cacti.net/, that uses the
technology that powers MRTG to build a nice web based system that monitors
network equipment. Unlike MRTG, which has to be configured by hand, Cacti
allows you to add hosts through the web interface (like how pfSense does
all the pf stuff through the web rather than requiring you to edit config
files). It is pretty simple to setup, assuming you have a FreeBSD or Linux
systems and can install the package or port.

I've used it on networks to monitor all of the traffic on the routers, on
the servers and even on the switch ports (that requires a switch with SNMP
counters, usually known as a "managed switch").

There are also commercial systems that do the same thing, but they quickly
become expensive (thousands to tens of thousands of dollars) as the size of
your network grows.


Walter




On Mon, Apr 7, 2014 at 10:47 AM, Brian Caouette  wrote:

>  What is Cacti? FOSS?
>
>
> On 4/7/2014 1:42 PM, Walter Parker wrote:
>
> I'd expect that you should be able to enable SNMP, set a non default
> password (please don't use public) and add a firewall rule to allow UDP on
> port 161 to/from your mrtg server. I'd recommend using Cacti as your mrtg
> server (if you want a FOSS solution).
>
>
>  Walter
>
>
> On Mon, Apr 7, 2014 at 10:23 AM, Brian Caouette  wrote:
>
>> What about using mrtg to graph the various interfaces? Does PF support
>> this?
>>
>>
>> On 4/7/2014 12:54 PM, Jim Pingle wrote:
>>
>>> On 4/7/2014 12:29 PM, James Caldwell wrote:
>>>
>>>> Happy Monday list...
>>>>
>>>> Does anyone have a preferred way of monitoring over all traffic
>>>> throughput for various interfaces via shell/putty instead of having to
>>>> remain logged in to the webgui?  I have several alix based appliances that
>>>> have had their ISP connections upgraded and I am trying to remain outside
>>>> the web interface as much as possible due to the load that it puts on the
>>>> system.
>>>>
>>>> Any thoughts or experience is appreciated.
>>>>
>>> The "iftop" package is great for this.
>>>
>>> Install it from the GUI and then from the shell run it like so:
>>>
>>> iftop -nNpPi vr0
>>>
>>> (Serving suggestion, salt to taste)
>>>
>>> Jim
>>>
>>
>
>
>
>




Re: [pfSense] Network Traffic Monitoring w/o Webgui

2014-04-08 Thread Walter Parker
I've installed it in the past. We had 2-3 years of data before we switched
providers (and therefore needed to start over). I will be installing on
FreeBSD 10 in the near future and I plan on using the port at
/usr/ports/net-mgmt/cacti.

As I recall the docs are not too bad, and there is now a book out on it.
The big thing you will need to do is enable SNMP on the pfSense routers
(change the community string). Then on Cacti, add those systems as data
sources. After 15 minutes, there will be enough data for the first graphs
to show up. I'd use Cacti's grouping features to organize the routers into
groups. If the system running Cacti will talk to the pfSense routers from the
WAN port, then you need to allow that on pfSense.

Once you get this working with the routers, you can get it working with
your systems (FreeBSD, Linux, Windows). On Unix-like systems, the SNMP
daemon supports all sorts of features (CPU, disk space, processes running,
even kicking off scripts). Cacti supports the basic modes and you can use
the command snmpwalk to figure out what options you wish to monitor, but
note that there is a lot of information. Try not to get overwhelmed and
stick to the simple stuff until you have a handle on it and then try adding
pieces at a time.


On Tue, Apr 8, 2014 at 9:27 AM, James Caldwell <
jamescaldw...@hurricanecs.com> wrote:

> I tried hunting this package down in the webgui this morning and I wasn't
> able to find it.  I ended up going to shell and changing the environment
> variable 'PACKAGESITE' using the following command 'setenv PACKAGESITE
> http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.1-release/Latest/'.
> Once done, I was able to install iftop
> no problem.  (Credit for the command goes to nooblet.org)
>
>
>
> On to the Cacti comment; that's a really good idea Walter.  Having a way
> to manage historical data would be great.  I'm fairly new to the BSD world
> still, how difficult is it to piece together one of these solutions.  I
> understand that the webgui helps quite a bit but initially I've heard
> monitoring solutions can be a bit of a nightmare to get working properly
> initially.  Is this something that could or should be combined with a
> syslog type solution so that we're not only gathering network data but also
> logs/health from the routers themselves?  Any tips here before I dive
> headlong into this?
>
>
>
> Thanks,
> James
>
>
>
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck
> Mariotti
> Sent: April-07-14 1:04 PM
>
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Network Traffic Monitoring w/o Webgui
>
>
>
> It's been a few years, but a simple windows version...
>
>
>
> http://oss.oetiker.ch/mrtg/
>
>
>
>
>
> From: List
> [mailto:list-boun...@lists.pfsense.org]
> On Behalf Of Walter Parker
> Sent: April-07-14 2:06 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Network Traffic Monitoring w/o Webgui
>
>
>
> Sorry,
>
>
>
> FOSS = Free/Open Source Software (what MRTG, Linux, FreeBSD, pfSense are,
> as different from what Microsoft or HP sell)
>
>
>
> Cacti is a web based system, from http://www.cacti.net/, that uses the
> technology that powers MRTG to build a nice web based system that monitors
> network equipment. Unlike MRTG, which has to be configured by hand, Cacti
> allows you to add hosts through the web interface (like how pfSense does
> all the pf stuff through the web rather than requiring you to edit config
> files). It is pretty simple to setup, assuming you have a FreeBSD or Linux
> systems and can install the package or port.
>
>
>
> I've used it on networks to monitor all of the traffic on the routers, on
> the servers and even on the switch ports (that requires a switch with SNMP
> counters, usually known as a "managed switch").
>
>
>
> There are also commercial systems that do the same thing, but they quickly
> become expensive (1000's to 10,000's dollars) as the size of your network
> grows.
>
>
>
>
>
> Walter
>
>
>
>
>
>
>
> On Mon, Apr 7, 2014 at 10:47 AM, Brian Caouette  wrote:
>
> What is Cacti? FOSS?
>
>
>
> On 4/7/2014 1:42 PM, Walter Parker wrote:
>
> I'd expect that you should be able to enable SNMP, set a non default
> password (please don't use public) and add a firewall rule to allow UDP on
> port 161 to/from your mrtg server. I'd recommend using Cacti as your mrtg
> server (if you want a FOSS solution).
>
>
>
>
>
> Walter
>

Re: [pfSense] How to allow only incoming HTTP/HTTPs traffic from WAN interface?

2014-04-12 Thread Walter Parker
How about configuring the firewall to block everything and then create
a rule that forwards/allows only port 80 and 443 to the reverse proxy
server. Configure the reverse proxy server to only support HTTP traffic (on
port 80 and using SSL on 443). Then you don't need to do DPI. I'd say you
don't actually need to filter the traffic to the reverse proxy server if
you pick one that can be configured to only support HTTP traffic.


Walter


On Sat, Apr 12, 2014 at 4:39 AM, Oğuz Yarımtepe wrote:

> I am trying to design a reverse proxy structure that will direct traffic
> to some web servers behind. At the entry point, I want to allow just HTTP
> or HTTPS traffic. I want to do this by using DPI. I couldn't figure out
> how to do it via pfSense. L7 filtering only lets blocking, firewall rules
> depend on ports. I need to define an L7 filtering rule that will only allow
> HTTP traffic but for the traffic coming to WAN interface.
>
> How can i do it?
>
> Thank you.
>
> --
> Oğuz Yarımtepe
> http://about.me/oguzy
>
>




Re: [pfSense] How to allow only incoming HTTP/HTTPs traffic from WAN interface?

2014-04-14 Thread Walter Parker
Yes but, if the website is using css and js from other domains, the web
servers don't pull the css and js from the Internet and resend it the
client.  The client pulls the web page from your server using HTTP,
processes the HTML, sees the CSS and JS links to other domains and then
loads the CSS and JS from those domains (servers). Even that is actually
irrelevant, because CSS and JS are severed up just like HTML, as normal
HTTP requests, so if you host those locally, they are just more files.

If you are building reverse proxy for a public website, then you only need
two access rules (HTTP allow all, HTTPS allow all). Then you setup pass
though rules to pass HTTP and HTTPS to the reverse proxy server.

I'd suggest that you see if the Proxy plugin works for your situation. It
does reverse proxy and has mod_security, which has built-in
filtering/security checks for web traffic. If you are trying to do DDOS
protection, then you need to put the router and reverse proxy servers at
data center with lots of bandwidth. Putting the Reverse Proxy server on the
same network feed as the web server will not migrate the bandwidth denial
features of a DDOS attack.

Also, I would suggest that you might think about conceptualizing the
project in term of what you want rather than how would you re-implement a
system using open source to replace one for one the expensive proprietary
tools that exist on the market (Cisco, Juniper, watchguard, F5, Barrcuda).

How you protect a network of web servers is quite different that how you
would protect a network of desktop computers.


Walter



On Mon, Apr 14, 2014 at 12:17 PM, Oğuz Yarımtepe wrote:

>
> The problem with this setup is, what will happen if the website is using
> some CSS, JS files from other domains? Adding a rule for each of these
> domains will be painful after a while I assume. But on the other hand, I
> will be using this reverse proxy node as the first entry point to my DDoS
> protection network, so not sure whether DPI is a good thing here or not.
>
>
> On Sat, Apr 12, 2014 at 11:40 PM, Walter Parker  wrote:
>
>> How about configuring the firewall to block everything and then then
>> create a rule that forwards/allows only port 80 and 443 to the reverse
>> proxy server. Configure the reverse proxy server to only support HTTP
>> traffic (on port 80 and using SSL on 443). Then you don't need to do DPI.
>> I'd say you don't actually need to filter the traffic to the reverse proxy
>> server if you pick one that that can be configured to only support HTTP
>> traffic.
>>
>>
>>
>




Re: [pfSense] High iostat

2014-05-12 Thread Walter Parker
pfSense has menu options that allow you to move/create /tmp and /var in RAM.
These can be found in System>Advanced>Miscellaneous.

Then logging would be written to the RAM disk.

Note that the logs will be lost when the power goes out. You will need to
set up a scheduled job that does backups if you wish to persist the logs
across reboots.

Also note that all file systems slow down as they get full. As flash runs
out of empty write blocks, its performance also suffers. Something you
might try is to replace the existing flash card with something 2x-4x
larger.

You might try getting the lsof package/tool from a FreeBSD 8.3 machine
(assuming you are running the current version of pfSense) and
installing/copying it to your system.

FreeBSD has two commands that provide many of the features in lsof:

  fstat
  sockstat

pfSense has both of these commands installed.



On Mon, May 12, 2014 at 8:09 PM, Wajih Ahmed  wrote:

> My pfsense laptop with a PATA CF card is disk bound these days.  The disk
> is always busy above 60% and mostly in the 90's.  Furthermore the service
> times are abysmal.  It takes more than a minute just to refresh the
> dashboard.  Initially the system was very quick but then later I
> introduced Captive Portal and then Radius (with accounting).  I think all
> of these are writing constantly to the filesystem.
>
> I do have plenty of RAM so i was thinking to place the captive portal and
> other logs on a "ram disk".  Is this possible in pfsense?
>
> BTW it would be very nice to have a tool like lsof to see what files a pid
> has open and is writing to.  But pfsense does not have an lsof package.
>
> Thanks
>
>




Re: [pfSense] Poweredge 2850

2014-05-19 Thread Walter Parker
The amd64 build is for all 64 bit machines (AMD64 and Intel EM64T).
The i386 build is for all 32 bit machines (Intel and AMD).

According to the spec sheet,
http://www.dell.com/downloads/global/products/pedge/en/2850_specs.pdf, that
is a 64 bit machine.

Note, because AMD developed the 64 bit extension for the x86 first, the BSDs
call 64 bit mode amd64. When Intel licensed it from AMD, they called it by a
different name (something without the competitor's name in it). Another
common name for amd64 is x86_64.

The only place where AMD vs. Intel 64 really makes a difference is in VM
servers (such as ESXi and XenServer), where the methods for virtualizing IO
are different. Most other places, 64 bit is 64 bit and it really doesn't
matter.


Walter



On Mon, May 19, 2014 at 3:37 PM, Brian Caouette  wrote:

> Just ordered a Poweredge 2850. It has the Xeon processor. Do I install the
> Intel version or amd64?
>




Re: [pfSense] Poweredge 2850

2014-05-19 Thread Walter Parker
Yea, I forgot about Itanium. For Itanium the initials are IA-64.

There is a Tier-2 supported version of FreeBSD for that processor, but
pfSense does not ship an IA-64 version.


Walter


On Mon, May 19, 2014 at 4:18 PM, Ryan Coleman  wrote:

> Itanium is the only one that’s different from AMD64. I’ve never touched an
> Itanium-driven machine.
>
>
> On May 19, 2014, at 18:06, Walter Parker  wrote:
>
> The amd64 is for all 64 bit machines (amd64 and Intel EMT64)
> The x86 is for all 32 bit machines (Intel and AMD)
>
> According the spec sheet,
> http://www.dell.com/downloads/global/products/pedge/en/2850_specs.pdf,
> that is a 64 bit machine.
>
> Note, because AMD developed 64 for the x86 first, the BSDs call 64 bit
> mode amd64. When Intel licensed it from AMD, they called by a different
> name (something without the competitor's name in it). Another common name
> for amd64 is x86_64.
>
> The only place where AMD vs. Intel 64 really makes a difference is in VM
> servers (such as ESXi and XenServer), where methods for visualizing IO are
> different. Most other places, 64 bit is 64 bit and really doesn't matter.
>
>
> Walter
>
>
>
> On Mon, May 19, 2014 at 3:37 PM, Brian Caouette  wrote:
>
>> Just ordered a Poweredge 2850. It has the Xeon processor. Do I install
>> the Intel version or amd64?
>>
>
>
>
>




Re: [pfSense] installing vmtools

2014-05-21 Thread Walter Parker
Given that pfSense 2.1.3 uses FreeBSD 8.3 as the base OS, wouldn't
http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/perl5/ be
a better location to use for packages?


Walter


On Wed, May 21, 2014 at 11:57 AM, Moshe Katz  wrote:

> On Wed, May 21, 2014 at 2:39 PM, Florio, Christopher N <
> flo...@email.unc.edu> wrote:
>
>> Any idea a URL that I could get this package from?  Sounds like a good
>> option.
>
>
> One of these should do it (pick the one appropriate for your architecture)
>
> http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/perl5-5.16.3_6.tbz
>
> http://ftp1.freebsd.org/pub/FreeBSD/ports/i386/packages-9-current/perl5/perl5-5.16.3_6.tbz
>
> I'm not sure if a specific version of Perl is required - there are some
> breaking changes between 5.8 and 5.10, for example.  If 5.16 doesn't work,
> you can look in
> http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/perl5/ (or
> the i386 location) for other versions of 5.12, 5.14, and 5.18
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Disk Space

2014-06-07 Thread Walter Parker
If you wish to learn more about how UNIX operating systems work, there are
a few pages about what devfs does and means.

http://www.freebsd.org/cgi/man.cgi?query=devfs&sektion=5

http://en.wikipedia.org/wiki/Device_file

A very short summary is that UNIX systems use multiple mount points in the
OS file systems (where Windows usually only uses one [the C drive]).
Second, all devices in UNIX are accessed by using a file name. In the past,
these were actual files stored in a directory named /dev. Given the
explosion of devices in the past 10-15 years, the actual files have been
abstracted to a virtual filesystem, usually known as devfs. It looks and
works like a filesystem, but is not a "real" filesystem in that you can't
create actual files in the directory.


Walter



On Sat, Jun 7, 2014 at 6:01 AM, Brian Caouette  wrote:

> What concerned me is I got a file system full error last night despite
> pfSense telling me I was only using 18% of the drive. The only
> thing I could find was the two paths at 100% full. Being a Windows guy
> this has been a learning curve for me but things are finally starting to
> come together.
>
> Sent from my iPad
>
> On Jun 7, 2014, at 6:47 AM, Espen Johansen  wrote:
>
> 1kb size should clue you in. This is however completely normal.
> On 7 June 2014 12:45, "Brian Caouette" wrote:
>
>> Mounted Filesystems
>>
>> Type  Partition     Percent Capacity  Free      Used       Size
>>       /dev/da0s1a   17%               4.38 GB   988.37 MB  5.81 GB
>>       /dev/md0      2%                3.26 MB   62.00 KB   3.61 MB
>>       devfs         100%              0.00 KB   1.00 KB    1.00 KB
>>       devfs         100%              0.00 KB   1.00 KB    1.00 KB
>> Totals:             17%               4.38 GB   988.43 MB  5.81 GB
>>
>> I'm guessing this isn't good.  How do I fix it?
>>
>> Sent from my iPad
>>
>>
>
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Squid3 with https filtering

2014-06-18 Thread Walter Parker
There is a way to auto configure the proxy settings on modern browsers, so
that you don't have to manually configure them individually.

WPAD and Proxy auto-config
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
http://en.wikipedia.org/wiki/Proxy_auto-config


Walter


On Wed, Jun 18, 2014 at 8:14 AM, A Mohan Rao  wrote:

> I'm using squid3-dev and squidguard-squid3 with transparent proxy with
> https proxy.
> All works fine but gmail or google not open. Other sites working good.
> When I try to access google or gmail it's given certificate error. I
> checked my level best also many times create or delete certificates then
> also import that certificate on browser but still I'm having same problem...
> Really very appreciate and lots of thanks in advance if give any positive
> IDEA.
>
> Thanks
> Mohan
> +91 98260 61122
> On Jun 18, 2014 1:02 PM, "Jan"  wrote:
>
>> On 06/17/2014 05:32 PM A Mohan Rao wrote:
>> > actually i need to block https sites like https facebook or https
>> youtube
>> > etc with transparent proxy.
>> >
>> > now pls give any idea...!
>>
>> You may want to try using the CONNECT method in order to filter HTTPS
>> requests. Those happen before a secure connection is being established.
>> This way you can filter
>>
>> I usually run dansguardian which has a quite complex but very effective
>> way
>> of filtering SSL related traffic.
>>
>> From its documentation:
>>
>> "Blanket SSL blocking so you can block SSL anonymous proxies and allow
>> access to legitimate SSL sites such as banking by whitelisting"
>>
>> => http://dansguardian.org/
>>
>> But be aware using CONNECT method based filtering requires the proxy to be
>> explicitly configured on respective devices and therefore won't work with
>> a
>> transparent proxy.
>>
>> Additional information on the CONNECT method:
>>
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>> Cheers
>>
>>
>>
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] https transparent proxy project failed...

2014-06-26 Thread Walter Parker
HTTPS was designed to cause a transparent proxy to fail (that was one of
the major design goals: no third party [such as squid] could read the
traffic). As mentioned before, to make this work, you must either drop the
requirement that the proxy be transparent (note, explicit proxies can be
auto configured, and this is the default state of IE and Chrome on Windows),
or you will need to drop the requirement for a caching proxy (squid) and
just block on IP or DNS name.


Walter


On Thu, Jun 26, 2014 at 7:19 AM, Martin Fuchs  wrote:

> It is also not legal everywhere ;-)
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On behalf of Ryan
> Coleman
> Sent: Thursday, 26 June 2014 14:00
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] https transparent proxy project failed...
>
> Typically that would be because no one here has experience with it and you
> should try to find another resource.
>
>
> > On Jun 26, 2014, at 2:45, A Mohan Rao  wrote:
> >
> > i think squid3-dev https transparent proxy project failed...
> > still no body gave positive feedback.
> >
> >
> >
> > Thanks
> >
> >  Mohan
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-10 Thread Walter Parker
I think you might have a misconception in your request. When you say:

>To resolve this issue I need to "mangle" forwarded IP packets by
>incrementing their TTL by 1.  This would effectively hide the above
>included results.  If anyone knows how to do this either through the web
>interface or through custom configurations then please let me know.

That is how IP normally works. Traceroute uses this feature by sending a
packet with the TTL set to 1, then the TTL set to 2, then the TTL set to 3,
etc. Each router on the chain reduces the value by one. Each time the
packet expires, an ICMP TTL message packet is sent to the sender saying that
the packet expired in transit. Those are the messages that traceroute uses to
map the network. The problem with filtering those messages is if you hit a
loop on the Internet (often due to a network with static routes being
down), your packets will loop forever.

My best guess: a custom rule that drops all packets with a TTL < 5, and live
with the fact that some people on the Internet might have issues talking to
you if they are at the far perimeter of the Internet. This assumes that there
is an advanced feature in pfSense (and pf) that allows for filtering based
on TTL values.

Personally, I don't see why you need to keep the inside topology secret,
but if you do, use a reverse proxy on the outside and not 1 to 1 NAT. Then the
packets will terminate at the proxy and not internally. If you are worried
about security and secrecy at this level, then you should not be using 1 to
1 NAT, as it exposes too much information and has too high of a risk. You
need to use proxies and other items that intercept and rewrite traffic to
hide the inside equipment, or decide that maybe you don't actually need to
be quite so much of a black box.


Walter


On Thu, Jul 10, 2014 at 7:36 AM, Blake Cornell <
bcorn...@integrissecurity.com> wrote:

> Any thoughts anyone?
>
> --
> Blake Cornell
> CTO, Integris Security LLC
> 501 Franklin Ave, Suite 200
> Garden City, NY 11530 USA
> http://www.integrissecurity.com/
> O: +1(516)750-0478
> M: +1(516)900-2193
> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
> Free Tools: https://www.integrissecurity.com/SecurityTools
> Follow us on Twitter: @integrissec
>
> On 07/03/2014 06:15 PM, Blake Cornell wrote:
> > Hello,
> >
> > I have a pfSense network that uses multiple layers of NAT translation.
> > Public IP's are mapped to specific NAT addresses using a 1 to 1 mapping
> > on the edge device.  The packets are then forwarded to another pfSense
> > device using another layer of NAT translation.
> >
> > Ex: public ip -> NAT network 1 -> NAT network 2 -> target machine.
> >
> > The issue lies when using the example IP of 1.1.1.1, on an example open
> > port 80.
> >
> > # tcptraceroute 1.1.1.1 80
> > [removed for brevity]
> >  3  1.1.1.1  29.247 ms  17.670 ms  14.007 ms
> >  4  1.1.1.1  20.142 ms  16.119 ms  16.609 ms
> >  5  1.1.1.1 [open]  21.387 ms  17.176 ms  70.283 ms
> >
> > As you can see, the results show three instances of 1.1.1.1.  This
> > allows an attacker the ability to enumerate the depth of NAT
> > translation.  This is a low risk issue.
> >
> > To resolve this issue I need to "mangle" forwarded IP packets by
> > incrementing their TTL by 1.  This would effectively hide the above
> > included results.  If anyone knows how to do this either through the web
> > interface or through custom configurations then please let me know.
> >
> > EMail me directly for a real world example for your analysis.
> >
> > Thanks in Advance,
> >
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-10 Thread Walter Parker
I disagree that this is a vulnerability/weakness. If this is truly your
only issue with the network, I'd call it good and done if you are not the
DOD/NSA.

If you are, then you need to start again with an even more secure
foundation.


Walter


On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell <
bcorn...@integrissecurity.com> wrote:

> There is a reason for it. It works well except for this ONE issue.
>
> I like setting up 0 vulnerability/weakness networks. This is the only
> one minus presentation/application issues.
>
> Thank you both for your input. I'll touch base when I determine a
> resolution strategy.
>
> --
> Blake Cornell
> CTO, Integris Security LLC
> 501 Franklin Ave, Suite 200
> Garden City, NY 11530 USA
> http://www.integrissecurity.com/
> O: +1(516)750-0478
> M: +1(516)900-2193
> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
> Free Tools: https://www.integrissecurity.com/SecurityTools
> Follow us on Twitter: @integrissec
>
> On 07/10/2014 01:49 PM, James Bensley wrote:
> > Further to what Walter has said - Double NATB!
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Walter Parker
Then you're stuck with setting up reverse proxies for those services.


Walter


On Sat, Jul 12, 2014 at 6:56 PM, Blake Cornell <
bcorn...@integrissecurity.com> wrote:

> It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP based
> services.
>
> I would prefer staying within the framework of the interface or nominal
> BSD magic.
>
> --
> Blake Cornell
> CTO, Integris Security LLC
> 501 Franklin Ave, Suite 200
> Garden City, NY 11530 USA
> http://www.integrissecurity.com/
> O: +1(516)750-0478
> M: +1(516)900-2193
> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
> Free Tools: https://www.integrissecurity.com/SecurityTools
> Follow us on Twitter: @integrissec
>
> On 07/12/2014 09:54 PM, Chris Buechler wrote:
>
>  I don't see the point. If you don't want people to see the path, don't
> allow traceroute in (or stop it after the first NAT). If you do, what do
> you care if the layers of NAT can be enumerated. If anything even remotely
> useful to an attacker can be done to your network because someone knows how
> many layers of NAT you have, you have a lot bigger problems than showing
> that in a traceroute.
>
>  pf scrub does have a min-ttl option but it's not one that's exposed
> anywhere in the GUI and would require changing the source to use. Not
> something I've ever seen a real need to use.
>
>
> On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell <
> bcorn...@integrissecurity.com> wrote:
>
>> I would put it on a report as an issue... furthermore... no
>> comment
>>
>> --
>> Blake Cornell
>> CTO, Integris Security LLC
>> 501 Franklin Ave, Suite 200
>> Garden City, NY 11530 USA
>> http://www.integrissecurity.com/
>> O: +1(516)750-0478
>> M: +1(516)900-2193
>> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
>> Free Tools: https://www.integrissecurity.com/SecurityTools
>> Follow us on Twitter: @integrissec
>>
>>   On 07/10/2014 05:29 PM, Walter Parker wrote:
>>
>> I disagree that this is a vulnerability/weakness. If this is truly your
>> only issue with the network, I'd call it good and done if you are not the
>> DOD/NSA.
>>
>>  If you are, then you need to start again with an even more secure
>> foundation.
>>
>>
>>  Walter
>>
>>
>>  On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell <
>> bcorn...@integrissecurity.com> wrote:
>>
>>> There is a reason for it. It works well except for this ONE issue.
>>>
>>> I like setting up 0 vulnerability/weakness networks. This is the only
>>> one minus presentation/application issues.
>>>
>>> Thank you both for your input. I'll touch base when I determine a
>>> resolution strategy.
>>>
>>> --
>>> Blake Cornell
>>> CTO, Integris Security LLC
>>> 501 Franklin Ave, Suite 200
>>> Garden City, NY 11530 USA
>>> http://www.integrissecurity.com/
>>> O: +1(516)750-0478
>>> M: +1(516)900-2193
>>> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
>>> Free Tools: https://www.integrissecurity.com/SecurityTools
>>> Follow us on Twitter: @integrissec
>>>
>>>  On 07/10/2014 01:49 PM, James Bensley wrote:
>>> > Further to what Walter has said - Double NATB!
>>>
>>>
>>
>>
>>
>>  --
>> The greatest dangers to liberty lurk in insidious encroachment by men of
>> zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
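Walter's walk through how traceroute uses expiring TTLs, and Chris's remark about pf's scrub min-ttl, can be checked against a small model. This is an added example in Python, not code from the list or from pfSense: it simulates the hop-by-hop TTL handling rather than driving pf, the upstream addresses (203.0.113.x) are constructed, and 1.1.1.1 is the thread's own example address.

```python
"""Model of the tcptraceroute output in the thread and of two ways to
keep it from enumerating NAT layers.

Added example, not code from the list or from pfSense; it simulates the
hop-by-hop TTL handling Walter describes rather than driving pf.  Each
router decrements the TTL and, when it hits zero, answers with an ICMP
Time Exceeded.  Replies from devices behind the 1:1 NAT are translated
back to the public address, so the prober sees 1.1.1.1 (the thread's
example address) three times.  Two knobs are modelled at the edge: pf's
scrub 'min-ttl' (Chris's remark), which raises low TTLs on arrival, and
a rule dropping packets with a TTL below a threshold (Walter's guess).
Upstream addresses are constructed from the documentation range.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Answer = Optional[Tuple[str, str]]      # (responder address, kind) or None


@dataclass
class Hop:
    name: str
    seen_as: str                  # address the prober sees in this hop's reply
    is_target: bool = False
    min_ttl: int = 0              # scrub ... min-ttl N on this device (0 = off)
    drop_below_ttl: int = 0       # drop packets arriving with TTL < N (0 = off)


def send_probe(path: List[Hop], ttl: int) -> Answer:
    """Carry one probe with the given TTL along the path.

    Returns (address, "time-exceeded") from the hop that expired it,
    (address, "open") when the target answered the SYN, or None when the
    probe vanished, which traceroute prints as '*'.
    """
    for hop in path:
        if hop.is_target:
            return hop.seen_as, "open"
        if hop.drop_below_ttl and ttl < hop.drop_below_ttl:
            return None                   # silently dropped, no ICMP error
        if hop.min_ttl and ttl < hop.min_ttl:
            ttl = hop.min_ttl             # scrub raises the TTL on input
        ttl -= 1                          # forwarding costs one
        if ttl <= 0:
            return hop.seen_as, "time-exceeded"
    return None


def traceroute(path: List[Hop], max_ttl: int = 12) -> List[Answer]:
    """Probe with TTL 1, 2, 3, ... until the target answers or max_ttl."""
    results: List[Answer] = []
    for ttl in range(1, max_ttl + 1):
        answer = send_probe(path, ttl)
        results.append(answer)
        if answer is not None and answer[1] == "open":
            break
    return results


def visible_nat_layers(results: List[Answer], public_ip: str) -> int:
    """How many hops answered from the public address: the depth an
    outsider can count."""
    return sum(1 for a in results if a is not None and a[0] == public_ip)


def build_path(edge_min_ttl: int = 0, edge_drop_below: int = 0) -> List[Hop]:
    """Blake's layout: two upstream routers, an edge pfSense doing 1:1 NAT,
    a second pfSense doing another NAT layer, then the target host."""
    return [
        Hop("isp-1", "203.0.113.1"),
        Hop("isp-2", "203.0.113.2"),
        Hop("edge-pfsense", "1.1.1.1", min_ttl=edge_min_ttl,
            drop_below_ttl=edge_drop_below),
        # ICMP errors from inside leave through the 1:1 NAT with the
        # public address as source, so these hops look like the edge.
        Hop("inner-pfsense", "1.1.1.1"),
        Hop("target", "1.1.1.1", is_target=True),
    ]


def render(results: List[Answer]) -> List[str]:
    """traceroute-style lines: hop number, responder or '*', [open] flag."""
    lines = []
    for n, a in enumerate(results, 1):
        if a is None:
            lines.append(f"{n:2d}  *")
        else:
            lines.append(f"{n:2d}  {a[0]}" + ("  [open]" if a[1] == "open" else ""))
    return lines


if __name__ == "__main__":
    cases = [("as posted", build_path()),
             ("edge: scrub min-ttl 5", build_path(edge_min_ttl=5)),
             ("edge: drop TTL < 5", build_path(edge_drop_below=5))]
    for label, path in cases:
        results = traceroute(path)
        print(f"--- {label}: 1.1.1.1 appears {visible_nat_layers(results, '1.1.1.1')} time(s)")
        print("\n".join(render(results)))
```

The third case also shows Walter's caveat: the drop rule hides the depth only by replacing it with four '*' lines, and any legitimate packet reaching the edge with a TTL under 5 is discarded along with the probes.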

Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Walter Parker
I see a few things going on here:

From the Netgate site, the difference between the APU1C and the APU1C4 DIY
kits is 2GB vs 4GB.
The Kits are $179 and $199 and include the board, a case and power plug.

The kit from PCEngines is just the board (I don't see any that says it
comes with a plug or a case). The plugs on PCEngines are not in stock.
Some of the cases are out of stock.

Prior emails on this list have indicated that the older versions of the
case (for the alix) didn't quite fit the APU and therefore had a thermal
problem due to poor contact. The Netgate cases are the new style that
doesn't have the problem.

The assembled systems from Netgate are $299, which means the price
breakdown is:
$179 for the Board, case and plug (PC Engines price for all of this is $150
if you order more than 500 units)
$22 for the flash card
$99 One year of pfSense support

That leaves Netgate with a whole $6 over the price of the DIY kit (which
was <$30 more than PC Engines, but to get PC Engine's price, you have to
buy $75,000 worth of hardware).


I bought my Alix from netgate and it was a good price. This new item is a
good price. You are unlikely to find the hardware for less money once you
include the $99 add on from pfSense support.

I did find Ryan's initial email to be a bit rude. What is it with people
that assume that because a company wants to make a profit that they are
fleecing people? The $6 margin on a $299 product hardly seems like a rip off
(my time is worth a lot more than that).

And you get a tested system with a warranty.

Look at the prices for the Intel systems, they tend to run double once you
include all the features.


And have some class, Jim is one of the good guys, doing great work with
Netgate and pfSense. Ripping on him because he asked that sales-type
questions about a vendor product be sent to the vendor is not a bad request
(the pfSense vendors do read this list).




On Tue, Jul 22, 2014 at 7:57 PM, Jim Thompson  wrote:

>
> I am.  I have.
>
> I'm trying to be patient and professional.
>
> > On Jul 22, 2014, at 20:47, Sean Colins  wrote:
> >
> > Who is the list mom and why is he/she not responding to this?
> >
> >> On Jul 22, 2014, at 6:12 PM, Ryan Coleman  wrote:
> >>
> >> Look fuck nut: branded and shipped hardware is 100% on topic. Thank you.
> >>
> >>
> >>> On Jul 22, 2014, at 20:10, Jim Thompson  wrote:
> >>>
> >>> Very little if this thread is related to pfSense.
> >>>
> >>> Please stay on topic.
> >>>
> >>> -- Jim
> >>>
> On Jul 22, 2014, at 17:32, Chris Bagnall wrote:
>
> > On 22/7/14 11:17 pm, Nickolai Leschov wrote:
> > I didn't notice this page. So it looks like it's some kind of thermal paste
> > allows for adequate thermal conductivity between the CPU/south bridge and
> > the aluminum heat spreader, but the heat spreader is in dry contact with
> > the case?
>
> The one I've just installed here in my home office has 'sticky' thermal
> pads on both sides of the aluminium heat spreader, and sticks to both the
> chips and the base of the chassis.
>
> It gets warm in use, but not uncomfortably hot. Ambient temperature is
> about 22C at this time of year.
>
> > Now, how is the board held in place, inside the enclosure? Is it held in
> > place by 'screws and hex nuts'?
>
> 4 screws in the corners which go into binding posts on the chassis, not
> particularly dissimilar from most PC motherboards into cases.
>
> > What is the thing in the second-to-last picture near the thumb of the
> > presenter's right hand: is it the SIM card tray? Is it accessible from
> > outside, after the installation?
>
> There is a SIM card tray, and like the SD card slot, no, it's not
> accessible externally after installation.
>
> (as a matter of curiosity, does pfSense support this SIM card slot for
> anything 'interesting'? - one presumes it would need to be used in
> conjunction with a miniPCIe radio card of some persuasion)
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons

Re: [pfSense] Cannot go to HTTPS sites using WAN interface

2014-09-09 Thread Walter Parker
Yes, check to make sure that the WebConsole interface (on 443) is not
conflicting with your other rules.


Check for allow/deny rules in both Squid and pfSense to make sure that you
don't have a conflict.

On Tue, Sep 9, 2014 at 1:34 PM, Satvinder Singh <
satvinder.si...@nc4worldwide.com> wrote:

>  Hi,
>
>  In my setup I am using WAN interface as a DMZ. I have Squid3 and
> SquidGuard3 installed for proxy. When I try to access a https site using
> LAN interface IP as proxy address it works. But if I try to access a HTTPS
> site using DMZ IP (WAN IP) I am not able to access HTTPS sites. The same
> site responds fine in http but not in https. I have Squid servicing the DMZ
> interface, the Rule is in place in the firewall. Anything I am overlooking?
>
>  Thanks
>Satvinder Singh
> Security Systems Engineer
> satvinder.si...@nc4worldwide.com
> 804.744.9630 x273 direct
> 703.989.8030 cell
> www.NC4worldwide.com
>
>  
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Pftop confusion.

2014-09-24 Thread Walter Parker
To see which client is eating your bandwidth, when using Traffic Graph,
switch from WAN to LAN. Then the dynamic list of hosts will show client IP
addresses and not your link address.

On Wed, Sep 24, 2014 at 7:55 AM, Muhammad Yousuf Khan 
wrote:

> Exactly, this is how I learned that my whole link is eaten by someone. Now I
> want to check which client is eating all the bandwidth.
> Traffic graph is showing whole link activity. What I want to find is which
> client IP is using most of it.
>
> Thanks,
> MYK
>
>
> On Wed, Sep 24, 2014 at 7:33 PM, Oliver Hansen 
> wrote:
>
>> Status - > Traffic Graph is where I usually look in the GUI.
>> On Sep 24, 2014 7:25 AM, "Muhammad Yousuf Khan"  wrote:
>>
>>> Hi guys, actually I want to check which IP is using most of the internet
>>> traffic. I see pftop a bit confusing; I tried changing sorting via "o" but
>>> it is still confusing me. Can you guys please guide me how I can view
>>> live monitoring? What I want to check is which one host is eating up the
>>> whole bandwidth.
>>>
>>> Thanks,
>>> MYK
>>>
>>>
>>
>>
>
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Https blocking

2014-09-24 Thread Walter Parker
A suggestion: Null route all facebook addresses. That usually kills any
traffic. Be aware that it kills all traffic to those addresses (HTTP,
HTTPS, SMTP, POP3, DNS).


FYI, getting snotty to people that are asking for help usually turns them
off of wanting to help you...


Walter

On Wed, Sep 24, 2014 at 10:21 AM, A Mohan Rao  wrote:

> Hello
> If you really are an expert then please resolve my problem. I have done all the
> things but still people can access blocked websites in pfsense.
>  On Sep 24, 2014 9:50 PM, "Ryan Coleman"  wrote:
>
>>  You've asked this question many times and we've given many options for
>> resolving it but you keep coming back.
>>
>> https://duckduckgo.com/?q=blocking+torrents+in+pfsense
>> https://duckduckgo.com/?q=blocking+facebook+in+pfsense
>> https://doc.pfsense.org/index.php/Blocking_websites
>> https://forum.pfsense.org/index.php?topic=36274.0
>>
>> A little web searching will go a long way.
>>
>>
>> On 9/24/2014 11:10 AM, A Mohan Rao wrote:
>>
>> Actually due to wasting of time employees... management need to block
>> these sites. If you have any solutions please give..
>> I really very appreciate ..
>> On Sep 24, 2014 9:00 PM, "Ryan Coleman"  wrote:
>>
>>>  Block port 443 in the Firewall rules outbound - no need for a
>>> transparent proxy.
>>>
>>> That said - why do you need to block them? Because you're snooping 100%
>>> of the traffic to see what people are reading/sending?
>>>
>>>
>>> On 9/24/2014 10:16 AM, A Mohan Rao wrote:
>>>
>>> How can I completely and properly block https facebook, torrentz, exe
>>> download and proxy sites through transparent proxy.
>>>
>>> Thanks
>>> Mohan
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Reports

2014-09-26 Thread Walter Parker
The first thing I would do is make sure that you have added static IP address
reservations for the MAC addresses using the DHCP server page for
each piece of IP gear that your children have. If you click on All Leases,
it will show you every device that has tried to get an address. You can
take the MAC addresses from this page to make static leases. That way each
device will always have the same IP address and then you can use the
existing IP reports in pfSense to get a sense of the traffic flows.

If you can't get the reporting you need, you might look at exporting the
logs and then processing them on a separate box using other packages. If you
know a scripting language (perl, python, ruby, etc.) you might whip up a
script of your own to generate basic reports of the style that you need.


Walter

On Fri, Sep 26, 2014 at 12:23 PM, Brian Caouette  wrote:

> Is there a way to do a weekly report based on MAC address showing times
> used, total time and date for the period? Trying to prove a point how much
> the kids use and that they are still online after bedtime.
>
> Sent from my iPad
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
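Walter's suggestion of exporting the logs and post-processing them with a script, as an added example in Python (not code from the list or from pfSense): it reads ISC dhcpd syslog lines in the shape pfSense logs them, groups each MAC's DHCPACKs into sessions, and flags lease renewals after a bedtime hour. The sample log lines, the 90-minute session gap, the 21:00 bedtime and the year 2014 are all constructed assumptions.

```python
"""Per-device usage report from exported pfSense DHCP server logs.

Added example, not code from the list or from pfSense.  It assumes ISC
dhcpd syslog lines of the form
  'Sep 26 21:05:11 pfSense dhcpd: DHCPACK on <ip> to <mac> (<host>) via em1'
and treats every DHCPACK as proof the device was on the network at that
moment.  Caveat: an idle device still renews its lease, so this measures
presence, not use.  Syslog lines carry no year, so one is supplied.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# One DHCPACK line; the hostname in parentheses is optional.
ACK_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via",
    re.IGNORECASE,
)

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
Sep 22 07:10:03 pfSense dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 (kid-tablet) via em1
Sep 22 08:10:03 pfSense dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 (kid-tablet) via em1
Sep 22 19:00:00 pfSense dhcpd: DHCPACK on 192.168.1.30 to aa:bb:cc:dd:ee:ff via em1
Sep 22 19:05:00 pfSense dhcpd: DHCPREQUEST for 192.168.1.30 from aa:bb:cc:dd:ee:ff via em1
Sep 22 21:40:12 pfSense dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 (kid-tablet) via em1
Sep 22 22:40:12 pfSense dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 (kid-tablet) via em1
Sep 23 16:30:00 pfSense dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 (kid-tablet) via em1
"""

Session = Tuple[datetime, datetime]


def parse_acks(log_text: str, year: int) -> Dict[str, dict]:
    """Collect {mac: {"name": str, "times": [datetime, ...]}} from DHCPACK lines."""
    devices: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue                  # DISCOVER/REQUEST etc. are not proof of a lease
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = devices.setdefault(m["mac"].lower(), {"name": "", "times": []})
        if m["name"]:
            entry["name"] = m["name"]
        entry["times"].append(ts)
    for entry in devices.values():
        entry["times"].sort()         # exported logs are not always in order
    return devices


def sessions_for(times: List[datetime], gap: timedelta) -> List[Session]:
    """Merge ACKs closer together than `gap` into (first, last) sessions.

    A client renews at half its lease time, so `gap` should be a bit more
    than half the lease length configured on the DHCP server.
    """
    sessions: List[Session] = []
    for t in times:
        if sessions and t - sessions[-1][1] <= gap:
            sessions[-1] = (sessions[-1][0], t)
        else:
            sessions.append((t, t))
    return sessions


def weekly_report(log_text: str, year: int = 2014, bedtime_hour: int = 21,
                  wake_hour: int = 6,
                  gap: timedelta = timedelta(minutes=90)) -> Dict[str, dict]:
    """Per-MAC sessions, total seconds, dates seen and after-bedtime renewals."""
    report: Dict[str, dict] = {}
    for mac, entry in parse_acks(log_text, year).items():
        sess = sessions_for(entry["times"], gap)
        report[mac] = {
            "name": entry["name"],
            "sessions": sess,
            "total_seconds": int(sum((e - s for s, e in sess), timedelta()).total_seconds()),
            "dates": sorted({t.date().isoformat() for t in entry["times"]}),
            # Renewals late in the evening or in the small hours.
            "after_bedtime": [t for t in entry["times"]
                              if t.hour >= bedtime_hour or t.hour < wake_hour],
        }
    return report


def format_report(report: Dict[str, dict]) -> List[str]:
    """Render one line per device, suitable for mailing to yourself weekly."""
    lines = []
    for mac, r in sorted(report.items()):
        late = ", ".join(t.strftime("%b %d %H:%M") for t in r["after_bedtime"]) or "none"
        lines.append(f"{mac} {r['name'] or '-':<12} sessions={len(r['sessions'])} "
                     f"total={r['total_seconds'] // 60} min "
                     f"days={','.join(r['dates'])} after-bedtime={late}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(weekly_report(SAMPLE_LOG))))
```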

Re: [pfSense] Install CD - I don't know where to go with this

2014-10-31 Thread Walter Parker
I use imgburn to burn all of my pfSense CDs (and Windows, Linux and FreeBSD
DVDs). I second the recommendation. If you have picked the correct image,
it should boot unless there is something strange with the HP hardware. The
fact that a Windows disk boots doesn't prove that hardware isn't "strange"
or have some sort of other issue. I'd double check that everything is
correct.


Walter

On Thu, Oct 30, 2014 at 4:19 PM, Harlan Stenn  wrote:

> I use imgburn to put a .iso on a CD.
>
> I use imgburn to burn all of my windows optical media.
>
> H
>
> On 10/30/14 4:01 PM, Mark Hisel wrote:
> >
> > I'm trying to make an install CD but no joy.  Upfront, this is not a
> > pfSense issue but maybe someone can help.  Thanks to those who have
> > already responded.
> >
> > I used WinISO, which lets me fiddle with the boot record, so I burned a
> > CD and then made an ISO from it and the ISO has a boot record.
> >
> > But it won't boot.  I went through the same exercise with Oracle Linux
> > and got the same results.  The same machine boots up a Windows OS just
> > fine.  I'm trying to boot onto a DL380 G3
> >
> >
> >
>
>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Recomend

2014-11-27 Thread Walter Parker
I'd be a little worried about the SD card and squid, but not the current
ADD solution from Netgate.
On Nov 27, 2014 2:05 PM, "Brian Caouette"  wrote:

> I've been looking at the kit at Netgate for $199 to replace my PowerEdge
> 2850 for pfSense. My concern is the sd/flash memory and the use of squid
> primarily for content filtering but also limited caching. My understanding
> is the SSD or SD card will have its life limited by the extensive r/w. Can
> anyone with experience with the 2850 and this device comment as to how it
> will compare beyond the obviously smaller size and lower power
> consumption? Is there anything I should know or consider?
>
> Sent from my iPad
>

Re: [pfSense] Recomend

2014-11-30 Thread Walter Parker
If you are getting the Netgate kit, I'd suggest just getting the Intel m525
SSD that they offer. This is a modern SSD with wear leveling that keeps
software like a squid cache from burning out the drive early. It will fit
and work without having to build a custom cable and have to tape a drive to
the case. IIRC, your setup is for a home network, so the amount of data
that is likely to flow will be quite a bit below the SSD's limits. Also, I
think the guys at Netgate picked that specific SSD from Intel because they
tested different SSD drives and found that the Intel drive worked well and
has a good reputation for quality and longevity.

Why are you moving to the kit? If it is because you want a small, low energy
box that you can put in a corner and then forget about the hardware because
it just works, then get the SSD and buy a backup device (SD card or SSD).
Then in 5-10 years, if the SSD fails, you will have a replacement device on
hand to replace the SSD that went out.

I suggest you get the SSD now. Before the SSD has any issues, Jim's new
drive project will be complete and that one should last for the life of the
router.


Walter


On Sun, Nov 30, 2014 at 11:16 AM, Volker Kuhlmann 
wrote:

> On Fri 28 Nov 2014 13:56:32 NZDT +1300, Ryan Coleman wrote:
>
> > Have you considered a small 2.5" SATA HD for the machine? If
> > you're talking APU, of course. You can run it off 5V from the board
> > (I THINK?) I know there are SATA headers there.
>
> There is one SATA header on the board, and you get 5V power from a 2-pin
> header close-by. Butcher a SATA power cable and solder something up
> yourself, or better buy the specially-made short SATA/power cable from
> PC Engines.
>
> A tip from PC Engines was to tape the disk under the lid, so all fits
> into the box. Might pay to check disk temperature afterwards. I noticed
> the latest revision of the APU board has a 2x3 test header missing to
> make more space for a 2.5" disk.
>
> I am about to try an SSD for pfsense and a 2.5" for the squid cache.
> Currently it all runs fine off a 2.5".
>
> I can't comment on the other hardware mentioned by the OP because of
> lack of experience.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.
>




Re: [pfSense] Recomend

2014-12-16 Thread Walter Parker
What I mean is that there is a project under development that has an SSD
style device with a lifespan of >100 years for writes to the drive. The
lifespan of the SSD in your new firewall will last 5-10 years (assuming
lots of writes). Therefore, the new super long life SSD should hit the
market long before your new SSD will have any end of life issues. I didn't
mean to imply that the SSD had any specific issues other than the base
issue that all SSD drives have (the electron tunneling that allows an SSD
to work results in limited life span as compared to DRAM or spinning rust
drive writes).

If/when I upgrade my firewall, the APU is what I want.


Walter

On Tue, Dec 16, 2014 at 6:41 AM, Brian Caouette  wrote:
>
>  Just tracked my order and it's supposed to arrive today. Can't wait! I
> went with the SSD they offer.
>
> What drive project are you referring to? I don't understand your comment
> about getting it now before it has any issues.
>
> Brian
>
>
> On 11/30/2014 3:07 PM, Walter Parker wrote:
>
> If you are getting the Netgate kit, I'd suggest just getting the Intel
> m525 SSD that they offer. This is a modern SSD with wear leveling that
> keeps software like a squid cache from burning out the drive early. It will
> fit and work without having to build a custom cable and have to tape a
> drive to the case. IIRC, your setup is for a home network, so the amount of
> data that is likely to flow will be quite a bit below the SSD's limits.
> Also, I think the guys at Netgate picked that specific SSD from Intel
> because they tested different SSD drives and found that the Intel drive worked
> well and has a good reputation for quality and longevity.
>
>  Why are you moving to the kit? If it is because you want a small, low
> energy box that you can put in a corner and then forget about the hardware
> because it just works, then get the SSD and buy a backup device (SD card or
> SSD). Then in 5-10 years, if the SSD fails, you will have a replacement
> device on hand to replace the SSD that went out.
>
>  I suggest you get the SSD now. Before the SSD has any issues, Jim's new
> drive project will be complete and that one should last for the life of the
> router.
>
>
>  Walter
>
>
> On Sun, Nov 30, 2014 at 11:16 AM, Volker Kuhlmann 
> wrote:
>
>> On Fri 28 Nov 2014 13:56:32 NZDT +1300, Ryan Coleman wrote:
>>
>> > Have you considered a small 2.5" SATA HD for the machine? If
>> > you're talking APU, of course. You can run it off 5V from the board
>> > (I THINK?) I know there are SATA headers there.
>>
>> There is one SATA header on the board, and you get 5V power from a 2-pin
>> header close-by. Butcher a SATA power cable and solder something up
>> yourself, or better buy the specially-made short SATA/power cable from
>> PC Engines.
>>
>> A tip from PC Engines was to tape the disk under the lid, so all fits
>> into the box. Might pay to check disk temperature afterwards. I noticed
>> the latest revision of the APU board has a 2x3 test header missing to
>> make more space for a 2.5" disk.
>>
>> I am about to try an SSD for pfsense and a 2.5" for the squid cache.
>> Currently it all runs fine off a 2.5".
>>
>> I can't comment on the other hardware mentioned by the OP because of
>> lack of experience.
>>
>> Volker
>>
>> --
>> Volker Kuhlmann is list0570 with the domain in header.
>> http://volker.top.geek.nz/  Please do not CC list postings to me.
>>
>
>
>
>



[pfSense] Today's Infoworld Deep End column

2014-12-22 Thread Walter Parker
Just thought I'd note that Paul Venezia, who does the Deep End column for
Infoworld, just gave a positive heads up to pfSense and the APU1 DIY kit
from Netgate.

http://www.infoworld.com/article/2861574/network-security/you-should-be-running-pfsense-firewall.html


Walter


[pfSense] pfSense 2.2RC resolv.conf settings

2015-01-11 Thread Walter Parker
Hi,

I just put pfSense 2.2RC on my firewall and I noticed that the PHP code
that generates the resolv.conf file will add the line "options edns0" to
resolv.conf if the unbound config has the edns option set.

I didn't see any way in the GUI to set this option. Am I missing
something, or has this not been implemented yet? How/when will this
option be available?


Walter

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] CVE-2015-0235 - Uncertain if pfSense/OpenBSD is vulnerable?

2015-01-27 Thread Walter Parker
First, pfSense is from FreeBSD, not OpenBSD. Second, xBSD uses libc by
default, not glibc. glibc is a GNU/Linux port of the libc from UNIX
systems. I wouldn't expect to see recent glibc errors in xBSD, as there are
separate code bases at the system level.


Walter

On Tue, Jan 27, 2015 at 10:45 AM, Wolf Noble  wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
> http://www.openwall.com/lists/oss-security/2015/01/27/9
>
> a glibc bug in gethostbyname allows for a remote execution exploit...
>
> I don't see a mention of exposure, or lack thereof, for openbsd (and thus
> pfSense). Hoping someone on the list might be slightly more knowledgeable
> than I?
>




Re: [pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-05 Thread Walter Parker
I've used pfSense in a VM on my ESXi application server. This is mostly to
firewall the Windows VMs from the Internet.

If you want fail-over, I'd suggest getting one of the new Netgate (
http://store.netgate.com/NetgateAPU2.aspx or
http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense (
https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an
SSD. Then you can run a full install that supports package installs with a
power budget of ~10-15 Watts for the APU units. Then you have a choice of
getting a second HW unit for an additional $400 to $1000, or setting up
pfSense in a VM (not on a separate VMware server, on an existing VM server).

The higher end HW systems on those pages are 8 core Atom systems built to
run pfSense (of course, the power requirements will be in the 100W range).
With an SSD, these systems should last for a long time with no issues.

How much firewall horsepower do you need? What are your constraints (time,
money, space)?

P.S. You can run packages on embedded in 2.2, you just want to be careful
not to run packages that would trash the SD card with too many writes.


Walter

On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti  wrote:

>  Have been using pfSense for years at our datacenter, very happy with it
> running on old dedicated hardware with failover. The hardware is overdue to
> be retired and I’m wondering what people are doing/recommending for a
> datacenter setup. We want to use OpenVPN Server, IDS, dBandwidth, etc… so
> need to keep our options open for the ability to run packages... behind it
> we are running multiple servers and vCenter/ESXI servers.
>
>
>
> What’s the go-to setup for a datacenter these days?
>
>
>
> Do we stick with two dedicated boxes?
> Since we pay for power, nice to have lower power… So do we go as low as
> using embedded hardware? It used to not be recommended for packages… still
> the case I assume?
>
> So I’m leaning towards some of the newer SuperMicro Atom boxes (quad core,
> or 8 core!!??! etc…).
>
>
>
> But then I see so many people running pfSense in VMWare and I wonder if we
> should consider this. Then I think about the hardware needs and VMWare
> Licensing (would like to avoid)… and what else can I run on the hardware
> along side without hurting pfSense from running properly, etc…
>
>
>
> If pfSense is setup to failover, that means the hardware can be cheap…. No
> RAID needed.
>
> If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages…
> can I run it off of USB stick then or do I still need HDD/SSD?
>
>
>
> If setting up new hardware so can run pfSense as Virtual Machines… I would
> need two VM Hosts running pfSense as VM’s so would have the failover...
> What should we consider for the hardware in this case… should I go with
> RAID w/HDD/SSD on ESXI? If pfSense is setup for failover, do I really need
> RAID? But I assume I would need something reliable if I’m going to run
> other non-pfsense VMs on the same hardware… so I would need RAID w/HDD/SSD
> and it would need to be larger… what are other people running in datacenter
> setups along side the pfSense? I don’t want to put it onto our existing
> vCenter infrastructure, licensing/costs and isolation needed. Do I setup
> one hardware as basic, no RAID running ESXI and pfSense, and the other more
> robust setup (RAID, more memory).
>
>
>
> I’m really interested in what people are using in production
> environments/datacenters.
>
>
>
> Regards,
>
> Chuck
>
>
>
>
>




Re: [pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-05 Thread Walter Parker
If you really want to set up two copies of pfSense, both running on ESXi
hosts, using VMWare replication is a very expensive solution. pfSense
supports router replication using CARP, so you don't need VM level
replication, only the data replication in CARP.

If VMWare costs are your big issue, you might think about loading one
system bare (just a simple SSD). If you want mirroring of the drive, use
FreeBSD GEOM mirroring or even BIOS mirroring. Given modern SSDs, the
chance of failure would be very low. Compared to most Windows Servers,
pfSense is tiny and almost stateless (everything can be restored using one tiny
XML file). How you set up the second host depends on what you trust most.
But, then I guess it gets into a case of CYA if solutions other than VMWare
replication are frowned upon.


Walter

On Thu, Feb 5, 2015 at 7:22 PM, Chuck Mariotti  wrote:

>  Thanks… I am leaning that way I think… just trying to wrap my head
> around if it is worth trying to buy more ram + more storage (HW RAID) to
> make them ESXI worthy to run VMs, or if I should just keep it basic… the
> ESXI is tempting since I can at least make the secondary server do other
> stuff instead of just waiting for a failure on primary. Trying to think of
> useful virtual machines to run that are not mission critical if a machine
> dies (since not raid), don’t have license to real-time replicate it on the
> VMWare side, but that might be useful for datacenter...
>
>
>
>
>
>
>
> *From:* List [mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Jason
> Whitt
> *Sent:* February-05-15 3:23 PM
> *To:* pfSense Support and Discussion Mailing List
> *Subject:* Re: [pfSense] Firewall Hardware/Setup for Datacenter...
>
>
>
> I would add that for "data center" workloads the apu's may not be the best
> choice ... Those 8 core atoms are plenty for multi 1gig feeds and the nic's
> are solid.
>
>
>
>
> Sent from my iPhone
>
>
> On Feb 5, 2015, at 12:38 PM, Jeremy Bennett 
> wrote:
>
>  Jason is correct. Those Supermicro boxes are awesome. Be careful when
> ordering though... they want ECC memory.
>
>
>
> The APUs from Netgate are nice too–the year of bundled support has already
> saved my bacon a number of times. Well worth the cost.
>
>
>
> On Thu, Feb 5, 2015 at 9:19 AM, Jason Whitt  wrote:
>
>  I've run as VMs using vmxnet3s as well as physical on these
> http://m.newegg.com/Product/index?itemnumber=16-101-837
>
>
>
> Both are viable options.
>
>
>
> Jason
>
> Sent from my iPhone
>
>
> On Feb 5, 2015, at 11:11 AM, Walter Parker  wrote:
>
>  I've used pfSense in a VM on my ESXi application server. This is mostly
> to firewall the Windows VMs from the Internet.
>
>
>
> If you want fail-over, I'd suggest getting one of the new Netgate (
> http://store.netgate.com/NetgateAPU2.aspx or
> http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense (
> https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an
> SSD. Then you can run a full install that supports package installs with a
> power budget of ~10-15 Watts for the APU units. Then you have a choice of
> getting a second HW unit for an additional $400 to $1000, or setting up
> pfSense in a VM (not on a separate VMware server, on an existing VM server).
>
>
>
> The higher end HW systems on those pages are 8 core Atom systems built to
> run pfSense (of course, the power requirements will be in the 100W range).
> With an SSD, these systems should last for a long time with no issues.
>
>
>
> How much firewall horsepower do you need? What are your constraints (time,
> money, space)?
>
>
>
> P.S. You can run packages on embedded in 2.2, you just want to be careful
> not to run packages that would trash the SD card with too many writes.
>
>
>
>
>
> Walter
>
>
>
> On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti 
> wrote:
>
>  Have been using pfSense for years at our datacenter, very happy with it
> running on old dedicated hardware with failover. The hardware is overdue to
> be retired and I’m wondering what people are doing/recommending for a
> datacenter setup. We want to use OpenVPN Server, IDS, dBandwidth, etc… so
> need to keep our options open for the ability to run packages... behind it
> we are running multiple servers and vCenter/ESXI servers.
>
>
>
> What’s the go-to setup for a datacenter these days?
>
>
>
> Do we stick with two dedicated boxes?
> Since we pay for power, nice to have lower power… So do we go as low as
> using embedded hardware? It used to not be recommended for packages… still
> the case I assume?
>
> So I’m leaning towards some of the newer SuperMic

Re: [pfSense] Squid not logging traffic

2015-02-16 Thread Walter Parker
In real time, you can use the dashboard app.

For plugins, BandwidthD and Darkstat have some information.

I've used netflow on other systems to get this sort of information, but for
pfSense you would have to set up a second box that ran the netflow
visualizer to see the traffic information from one of the netflow plugins.

On Mon, Feb 16, 2015 at 1:13 PM, Volker Kuhlmann 
wrote:

> On Tue 17 Feb 2015 06:15:46 NZDT +1300, Brian Caouette wrote:
>
> > I also notice it doesn't log torrents. Is there a way to tell it to
> > log everything
>
> I don't know about lightsquid. Squid is a web cache and I'm not sure it
> is even able to deal with anything but http. If you look at its config
> file you see that it only deals with a short list of ports in the first
> place, and is not involved in the rest at all. You are looking for an
> application filter (like squid is for http). pfsense is mainly a packet
> filter, those packages are already add-ons.
>
> > so I can get an accurate picture of what each device on
> > the network is using?
>
> With pfsense, short answer: no. This is my longest standing problem with
> pfsense. It is not able to tell me which LAN device caused how much WAN
> traffic. There may be half a dozen different add-on packages but all are
> of no use here (for different reasons). I'd really like to hear that I
> missed something...
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.
>




Re: [pfSense] Squid not logging traffic

2015-02-16 Thread Walter Parker
For the real time monitor, if you switch from WAN to LAN, you can see who
is doing spikes. For the other items, you can see how much bandwidth each
internal IP address has used in one of those packages. Unless you have
servers in a DMZ outside of the firewall or are doing some sort of traffic
reflection to internal hosts, all traffic to/from a desktop to the firewall
is traffic to the internet.

I might do some screenshots to show what I mean (if I can find the time).

For netflow, I set up a Windows application in a VM (from ManageEngine I
think). It had simple instructions to tell the netflow generator (the
firewall) to send the stats traffic to the Windows box. Then I used the
reporting features in the application to view how much data each host was
sending/receiving. I was able to tell that one web server had way too much
traffic and that a music streaming server was running 800% of normal. I
understand that there are open source versions of this program that run on
Linux/FreeBSD. Setting one of these up is on my todo list. With a bit of
programming, I'm sure you could do this with Cacti/RRD, but then again, I've been
a perl programmer for 20 years, so my idea of a "bit of programming" might
radically differ from yours :)

If I can find the time, I'll see if I can find any notes.


Walter

On Mon, Feb 16, 2015 at 2:58 PM, Volker Kuhlmann 
wrote:

> On Tue 17 Feb 2015 10:33:21 NZDT +1300, Walter Parker wrote:
>
> > In Realtime, you can use the dashboard app.
>
> The pfsense dashboard? I don't think so. traffic going through a
> particular interface is not so interesting.
>
> > For plugins, BandwidthD and Darkstat have some information.
>
> Unfortunately the info is of no value. I am not interested in any traffic
> volume between LAN, DMZ, WIFI, LAN2, etc. I am only interested in the
> traffic going through WAN, and with which *internal* host. The above
> packages can only tell me which *Internet* sites had how much traffic
> through WAN, but that side of the connection is of no interest to me. I
> want to know which of my clients have created the traffic for which I
> have to pay my ISP, so I can work out which flatmate has to pay for it,
> or fix the computer with a problem that wastes my money.
>
> I realise those in the USA and a few other countries don't have this
> problem, but it sure exists where I live and I'm sure it's not the only
> country. In any case it's good to know what gobbles up resources, even
> if they're free.
>
> > I've used netflow on other systems to get this sort of information, but
> for
> > pfSense you would have to setup a second box that ran the netflow
> > visualizer to see the traffic information from one of the netflow
> plugins.
>
> Copying a file onto another computer to look at its content isn't too
> much of a problem. Do you know of a good tutorial that lists the
> software needed, and basic config for each part?
>
> Thanks,
>
> Volker
>
> --
> Volker Kuhlmann
> http://volker.top.geek.nz/  Please do not CC list postings to me.
>




Re: [pfSense] Squid not logging traffic

2015-02-16 Thread Walter Parker
I'd recommend doing it on a second box (Or turn it into a pfSense package).


On Mon, Feb 16, 2015 at 3:48 PM, Brian Caouette  wrote:

> I looked at cacti a few days ago. It looks real nice but I have no clue
> how to set this up on the pfSense box.
>
> Sent from my iPad
>
> On Feb 16, 2015, at 6:27 PM, Walter Parker  wrote:
>
> For the real time monitor, if you switch from WAN to LAN, you can see who
> is doing spikes. For the other items, you can see how much bandwidth each
> internal IP address has used in one of those packages. Unless you have
> servers in a DMZ outside of the firewall or are doing some sort of traffic
> reflection to internal hosts, all traffic to/from a desktop to the firewall
> is traffic to the internet.
>
> I might do some screenshots to show what I mean (if I can find the time).
>
> For netflow, I set up a Windows application in a VM (from ManageEngine I
> think). It had simple instructions to tell the netflow generator (the
> firewall) to send the stats traffic to the Windows box. Then I used the
> reporting features in the application to view how much data each host was
> sending/receiving. I was able to tell that one web server had way too much
> traffic and that a music streaming server was running 800% of normal. I
> understand that there are open source versions of this program that run on
> Linux/FreeBSD. Setting one of these up is on my todo list. With a bit of
> programming, I'm sure you could do this with Cacti/RRD, but then again, I've been
> a perl programmer for 20 years, so my idea of a "bit of programming" might
> radically differ from yours :)
>
> If I can find the time, I'll see if I can find any notes.
>
>
> Walter
>
> On Mon, Feb 16, 2015 at 2:58 PM, Volker Kuhlmann  > wrote:
>
>> On Tue 17 Feb 2015 10:33:21 NZDT +1300, Walter Parker wrote:
>>
>> > In Realtime, you can use the dashboard app.
>>
>> The pfsense dashboard? I don't think so. traffic going through a
>> particular interface is not so interesting.
>>
>> > For plugins, BandwidthD and Darkstat have some information.
>>
>> Unfortunately the info is of no value. I am not interested in any traffic
>> volume between LAN, DMZ, WIFI, LAN2, etc. I am only interested in the
>> traffic going through WAN, and with which *internal* host. The above
>> packages can only tell me which *Internet* sites had how much traffic
>> through WAN, but that side of the connection is of no interest to me. I
>> want to know which of my clients have created the traffic for which I
>> have to pay my ISP, so I can work out which flatmate has to pay for it,
>> or fix the computer with a problem that wastes my money.
>>
>> I realise those in the USA and a few other countries don't have this
>> problem, but it sure exists where I live and I'm sure it's not the only
>> country. In any case it's good to know what gobbles up resources, even
>> if they're free.
>>
>> > I've used netflow on other systems to get this sort of information, but
>> for
>> > pfSense you would have to setup a second box that ran the netflow
>> > visualizer to see the traffic information from one of the netflow
>> plugins.
>>
>> Copying a file onto another computer to look at its content isn't too
>> much of a problem. Do you know of a good tutorial that lists the
>> software needed, and basic config for each part?
>>
>> Thanks,
>>
>> Volker
>>
>> --
>> Volker Kuhlmann
>> http://volker.top.geek.nz/  Please do not CC list postings to me.
>>
>
>
>
>




Re: [pfSense] serial port sadness

2015-02-23 Thread Walter Parker
I had a problem like this, so I replaced the cheap converter with one
"made" by a California company (it was much nicer, real drivers and
instructions for $5 more). I got no output until I remembered that I might
need a null modem adapter. Once I added that to the mix everything worked like
a charm (text started flowing).

Check your setup to see what kind of serial cable you have, as a regular
"modem" cable will not work between a PC and an ALIX box. It needs to be
the other kind (host to host).


Walter

On Mon, Feb 23, 2015 at 4:56 PM, Chris Bagnall 
wrote:

> On 24/2/15 12:08 am, Jeremy Bennett wrote:
>
>> I've got a USB to serial adapter (which has worked in the past), a Windows
>> 7 computer and Teraterm, but whenever I connect everything up I just get
>> the cursor blinking at me.
>>
>
> Agree with others that the most likely culprit here is the USB to serial
> adapter itself. Having said that, I've never had a Prolific one fail, and
> I've a chain of a dozen shops using them extensively (their point of sale
> supplier uses serial connections to open the cash drawers).
>
>  Set the port to 9600, N, 1 as instructions indicate (usb to serial usually
>> is showing up on COM7).
>>
>
> It's worth adding that the ALIX boards use - IIRC - 38400 on their BIOS
> and only bounce to 9600 when pfSense takes over from the BIOS. Though even
> with a speed mismatch, you'd still expect to see junk characters appearing,
> not just a cursor.
>
>  What else can I try?
>>
>
> The ones that come to mind, given you've already tried a different adapter
> are (not in any particular order):
>
> a) different terminal program: on Windows I use PuTTY (which will talk
> serial quite happily); on a Mac I use ZTerm; on Linux I use screen
> (someone's already posted the syntax for that I see)
>
> b) different drivers for the adapter - IIRC there's a Prolific open driver
> project that might be worth a look.
>
> c) different (i.e. non-Windows) OS.
>
> d) try the USB/serial adapter and cable on another serial device and see
> if it works with that - many managed switches have serial ports, for
> example.
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
>
>




Re: [pfSense] Cannot install 2.2 on Alix board (latest firmware)

2015-03-09 Thread Walter Parker
I installed it on an ALIX with a 4GB card without issues. I'd suggest
getting a serial cable so that you can see the output from the system as it
boots (make sure you have a null modem cable or adapter).


Walter

On Mon, Mar 9, 2015 at 5:11 AM, Kostas Backas  wrote:

> Hello,
>
> I have difficulties installing pfsense 2.2 on an Alix board (with the latest
> firmware 0.99) to a 2 GB CF card. I had success installing 2.1.5 and upgrading,
> but a direct install of 2.2 is not working (sequential blinking lights).
>
> Best regards
>
> Kostas
>
>
>




Re: [pfSense] pfSense FreeBSD Version

2015-03-10 Thread Walter Parker
To do this, you will have to grab the sources for pfsense, then grab the
build tools, and then try building a custom version of pfSense using a
snapshot from https://www.freebsd.org/snapshots/ as the base OS rather than
FreeBSD 10.1 as the base OS.

You should also check if the person was suggesting the FreeBSD current HEAD
(FreeBSD 11) or the FreeBSD 10 branch HEAD. Be aware that there could
be incompatibilities between HEAD and 10.1, so if you find problems, that
might be the cause.


Walter

On Tue, Mar 10, 2015 at 9:53 AM, WebDawg  wrote:

> I have an issue with the version of BSD used in pfSense and my hardware.
> I was given the following advice to fix some hardware I use with pfSense
> and I would like to try it:
>
> Please try a snapshot of HEAD.  It should try to allocate a PCI bus number
> for
> your second device which is currently failing on 10.1.  Note that if a HEAD
> snapshot doesn't work out of the box, please try setting
> 'hw.pci.clear_buses=1'
> in the loader before booting a HEAD kernel.
>
> Can I use this version of FreeBSD with pfSense?  Is the next version going
> to use it?
>
> Where is this tracked?  I remember I used to be able to install the next
> version of pfSense, can I still do this?
>




Re: [pfSense] Setup Question - Routing

2015-03-24 Thread Walter Parker
Using a chart like
http://www.engineeringradio.us/blog/wp-content/uploads/2013/01/Subnet_Chart.pdf
you can see the different /28 and /29 subnets that exist on a /24 network.

You would bind the .248/29 network to the WAN interface (use a /29 to leave
a few extra addresses).

Then you would bind a reserved network (10.X, 192.168.X, 172.16.X) to the
LAN interface.

Then on your third interface, you would bind multiple networks, .240/29,
.232/29, .224/29, etc. to the OPT1/DMZ interface. Then each customer would
put their equipment directly on that network. If the customers
have routers themselves, you might want to set up a bunch of /30 networks
(.252/30, .248/30, .244/30, .236/30, .232/30) for your and the customer's
WAN interfaces. Then start down from .224 and assign /29 networks for the
customer's DMZ/OPT1 interfaces. Unless the customer is running without NAT,
then the addresses could be put on the customer's LAN interfaces.

The big trick here is to make sure that none of your networks have overlapping
IP address ranges. The chart above is very helpful for tracking different
sizes. This means that you can't put .254 on one interface and .249/29 on a
different interface as those networks overlap.


Walter




On Tue, Mar 24, 2015 at 5:24 PM, Chris L  wrote:

>
> > On Mar 24, 2015, at 5:12 PM, Joseph H  wrote:
> >
> > I have a buddy and he wants to use pfSense as his firewall to protect
> his devices and also provide a gateway for customers.  And he has asked me
> if I know of a good way to set this up, so I decided to ask the list
> >
> > He has gotten a /24 subnet, he wants to use a small section of it for
> his web site and stuff, and then split off subnets to several customers.
> For instance, he was given a gateway of x.x.x.254 by his provider, he will
> use the x.x.x.249/29 for his own use, then wants to pass subnets through to
> his customers in say several /28's or /29's.
> >
> > Does anyone know of an easy way to set this up?  He has a server with 3
> interfaces to use for this.
> >
>
> To make this a LOT easier (or even possible at all without 1:1 NAT) he
> should ask the provider for a /29 or /30 for his WAN interface with the /24
> routed to an IP address on that.




Re: [pfSense] Assign IP Address with /32 Mask on WAN Interface

2015-03-30 Thread Walter Parker
A /32 net mask is not used for regular routing interfaces. It has
a specialized use, usually for virtual interfaces. On a Cisco router,
it would be used for a loopback interface. It is sometimes used as the
subnet mask for an IP alias address on host systems (where all routing is
done using the primary IP address).

If the WAN interface exists on a network block with another IP address,
what is the subnet of that interface? If it doesn't, what does it matter
what the subnet is, as a subnet mask is really only relevant on an actual
network?


Walter

On Sat, Mar 28, 2015 at 8:42 AM, day knight  wrote:

> Hello All:
>
> I see the configuration script doesn't allow you to pick a /32 address when
> configuring an interface, as my default gateway is not in the same subnet. I
> have limited IPs and run pfSense from VMware. How can I override and assign a
> /32 IP address to the WAN interface?
>
> I have done this in other Linux and Windows distros but since pfSense is a
> customised kernel and I don't want to break any functionality, how would I
> be able to do this? Can I manually assign/configure em0 instead of using
> the utility without causing any issues?
>
> thanks
>



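The allocation scheme and overlap rule from the routing reply above, together with the /32 point made in the message just before this one, worked through as an added example (not code from the list or from pfSense). It uses the RFC 5737 documentation block 203.0.113.0/24 in place of the real provider-assigned /24, and the `allocate`, `conflicts` and `gateway_on_link` helpers are constructed here.

```python
"""Subnet planning helper for splitting a provider /24 between a WAN block,
customer point-to-point links and customer DMZ ranges, plus the checks that
make the "no overlapping ranges" rule and the /32 question concrete.
Added example; the 203.0.113.0/24 block is a constructed sample."""
from ipaddress import IPv4Network, ip_address, ip_interface

# Constructed sample: the provider's /24, with the .254 gateway inside it.
BLOCK = IPv4Network("203.0.113.0/24")


def subnet_chart(block, prefixlens=(28, 29, 30)):
    """The subnet chart in code form: every /28, /29 and /30 inside block."""
    return {plen: list(block.subnets(new_prefix=plen)) for plen in prefixlens}


def allocate(block, requests):
    """Give each (name, prefixlen) request the highest-addressed subnet of that
    size that overlaps nothing already assigned, working down from the top of
    the block: the .248/29 WAN first, then /30 links, then /29 DMZ ranges."""
    assigned = {}
    for name, plen in requests:
        for cand in reversed(list(block.subnets(new_prefix=plen))):
            if not any(cand.overlaps(net) for net in assigned.values()):
                assigned[name] = cand
                break
        else:
            raise ValueError(f"no free /{plen} left in {block} for {name}")
    return assigned


def conflicts(interfaces):
    """Given {name: 'addr/len'} as typed into an interface page, return the
    name pairs whose networks overlap. ip_interface() derives the network, so
    .249/29 and .254/29 both resolve to .248/29 and are flagged together."""
    nets = {name: ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def gateway_on_link(cidr, gateway):
    """True when the gateway sits inside the interface's own subnet. A /32
    interface is a one-address network, so no gateway is ever on-link."""
    iface = ip_interface(cidr)
    gw = ip_address(gateway)
    return gw in iface.network and gw != iface.ip


if __name__ == "__main__":
    plan = allocate(BLOCK, [("wan", 29), ("cust1_link", 30), ("cust1_dmz", 29)])
    for name, net in plan.items():
        print(f"{name:12} {net}")
    print("overlap:", conflicts({"wan": "203.0.113.254/29",
                                 "opt1": "203.0.113.249/29"}))
    print("/32 gateway on-link:", gateway_on_link("203.0.113.10/32", "203.0.113.254"))
```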

Re: [pfSense] testing email

2015-04-08 Thread Walter Parker
After re-enabling my account, I saw this email (but not the earlier emails
from today).


Walter

On Wed, Apr 8, 2015 at 11:58 AM, Mike Montgomery wrote:

> I got the same re-enable email to my gmail account.
>
> On Wed, Apr 8, 2015 at 2:48 PM, WebDawg  wrote:
>
> > Same here,
> >
> > >
> > > Viruses being detected by my ASSP spam filter coming in from the list
> and
> > > denying delivery.  Had to re-enable my account this AM.
> > >
> > > Doug
> > >
> > > --
> > > Ben Franklin quote:
> > >
> > > "Those who would give up Essential Liberty to purchase a little
> Temporary
> > > Safety, deserve neither Liberty nor Safety."
> > >
> > >
> > >
> > I am on gmail and I received an email to follow to re-enable my account.





Re: [pfSense] testing email

2015-04-08 Thread Walter Parker
Thank you.

On Wed, Apr 8, 2015 at 12:16 PM, Chris Buechler  wrote:

> This should be fixed. mailer-daemon@ ended up as a list member in
> mailman, AFAICT from day one of this list, but in the past few days
> ended up being spoofed to send a couple viruses to the list. Those
> messages bounced for a number of people, and mailman can't
> differentiate between what type of bounce it is.
>
> The bounce counter was reset for everyone, so you can disregard any
> messages you received along those lines.
>
> Mailman was setup to block a number of risky file attachment types
> (exe, scr, etc.), but I hadn't noticed the functionality that actually
> applies that extension block list wasn't enabled. It is now.
>
> Sorry for the noise, should be all good now.
>
>
>
> On Wed, Apr 8, 2015 at 12:42 PM, Jeremy Porter wrote:
> > We are having some problem with apparent bounces, this is a test.  No
> > need to reply.
> > I'll announce when everything is back to normal.
> >
> > Thanks
> > Jeremy Porter
> >





Re: [pfSense] Using on Fiber

2015-06-05 Thread Walter Parker
There is a serverfault question about this:
http://serverfault.com/questions/380778/vmware-seems-to-throttle-scp-copies-what-can-be-the-reason?rq=1

SCP does (did) have performance problems. They fall into two groups.
First, over a WAN the internal buffer was a bit too small for high
speed (100 meg) connections with a round trip time of greater than 30
milliseconds. When connections pushed toward 1 gig, it was way too
slow. I think recent copies of OpenSSH have a bigger buffer that
reduces the speed limiting. Second, as described in the above link,
the CPU requirements for the encryption in SCP can hit the host CPU
limiter in ESX and that can limit bandwidth. Check that as well.

I've got an ESX 5 machine and the limiting factor on copies is the 100
meg ethernet switch that I'm plugged into (big ISO copies top out at
12.5MB/sec, which is the limit for a 100 meg TCP/IP connection).


Walter






On Fri, Jun 5, 2015 at 8:54 AM, Ryan Coleman  wrote:
> I’m not running this data through the firewalls - this is across the LAN 
> right now. :-\
>
>> On Jun 5, 2015, at 10:46 AM, Espen Johansen  wrote:
>>
>> Any chance you have set something in the shaper that causes it?
>>
>> On Fri, 5 June 2015 at 17:43, Ryan Coleman wrote:
>>
>>>
>>>> On Jun 5, 2015, at 10:12 AM, Brennan H. McNenly <
>>>> bmcne...@singularisit.com> wrote:
>>>>
>>>>
>>>>> And those of you with VMware experience… if I run the virtual firewall
>>>>> I would need to have at least a VMware Essentials license to come close to
>>>>> the throughput, right? Since the IOps are capped at something like 10MB/sec
>>>>> in the free version.
>>>>
>>>> There are no IOP or throughput limits on the free version of the ESXi
>>>> hypervisor.  The VMWare Essentials license gets you vSphere which can be
>>>> used to manage up to three ESXi hosts.  This also lets you set up an HA
>>>> cluster with those hosts.
>>>>
>>>> Otherwise you can run ESXi stand alone for free without vSphere and
>>>> without any performance limits.
>>>
>>> Hmm. I wonder why my file transfers never exceed 10MB/sec then… I’ve been
>>> trying to migrate many TB of data via SCP to the datastore but I also have
>>> similar caps when doing FTP over the LAN to a server.
>>>
>>> If there’s someone here that would be interested in giving me a hand with
>>> this off list I’d be most appreciative. Moving 13TB of data at 10MB/sec has
>>> been very challenging.




Re: [pfSense] Notification about soon-to-expire certificates

2015-06-18 Thread Walter Parker
If your network is large enough to have a monitoring package (like
Nagios), some of them support certificate checking.


Walter

On Thu, Jun 18, 2015 at 7:19 AM, Philipp Tölke  wrote:
> Hi all,
>
> we use incoming OpenVPN to access some external installations. Some of those
> installations are in rather hard to reach places.
>
> Is there a way for pfSense to warn us by email if a certificate will expire
> soon so that we can replace them before it's too late?
>
> Cheers,
> --
> Philipp Tölke




Re: [pfSense] Notification about soon-to-expire certificates

2015-06-19 Thread Walter Parker
The application on the nagios server would make a web request to the
https port and would check the expiration date when it connected. I suppose
you could use the openssl client to connect to the VPN service if it
uses a different cert with a different date.


Walter

On Fri, Jun 19, 2015 at 1:17 AM, Philipp Tölke  wrote:
> Hi Walter,
>
> thanks for your answer!
>
> On 19.06.2015 01:24, Walter Parker wrote:
>>
>> If your network is large enough to have a monitoring package (like
>> Nagios), some of them support certificate checking.
>
>
> Can nagios access the certificates on the pfSense or would I have to upload
> all interesting certificates?
>
> Regards,
>
> --
> Philipp Tölke



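The check described in the two replies above (a monitoring host connecting to the HTTPS port and reading the certificate's expiry date, then raising an alert ahead of time), as an added example that is not code from the list or from pfSense. It assumes the target presents its certificate on a plain TLS listener such as the web GUI, and the `warn_days`/`crit_days` thresholds are chosen here, not taken from the thread.

```python
"""Certificate-expiry probe of the kind a Nagios-style check would run
against the firewall's HTTPS port. Added example; host names and thresholds
below are placeholders, not values from the thread."""
import socket
import ssl
import sys
import time

# Nagios plugin exit codes, so the result can drive a real alert.
OK, WARNING, CRITICAL = 0, 1, 2


def fetch_not_after(host, port=443, timeout=5.0):
    """Open a TLS connection and return the leaf certificate's notAfter field
    as the ssl module formats it, e.g. 'Jun 18 07:19:00 2025 GMT'."""
    ctx = ssl.create_default_context()
    # Chain verification stays on: an untrusted or self-signed certificate on
    # a management interface is itself worth surfacing to the monitoring host.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now=None):
    """Whole days until notAfter; negative once expired. `now` may be omitted
    (current time) or given as a string in the same notAfter format, which
    keeps offline tests reproducible."""
    now_s = time.time() if now is None else ssl.cert_time_to_seconds(now)
    return int((ssl.cert_time_to_seconds(not_after) - now_s) // 86400)


def check_state(days, warn_days=30, crit_days=7):
    """Map days-remaining onto (exit code, message) the way a plugin does."""
    if days < crit_days:
        return CRITICAL, f"CRITICAL: certificate expires in {days} days"
    if days < warn_days:
        return WARNING, f"WARNING: certificate expires in {days} days"
    return OK, f"OK: certificate valid for {days} more days"


def check_host(host, port=443, warn_days=30, crit_days=7):
    """End to end: connect, read notAfter, classify."""
    days = days_remaining(fetch_not_after(host, port))
    return check_state(days, warn_days, crit_days)


if __name__ == "__main__":
    # Usage: python check_cert.py <firewall-hostname> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    code, message = check_host(target, port)
    print(message)
    sys.exit(code)
```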

Re: [pfSense] Small form factor pfsense box

2015-08-02 Thread Walter Parker
The Project sells hardware: http://store.pfsense.org/hardware/

I bought small form factor routers from Netgate before and I'm happy.
http://store.netgate.com/Routers-C178.aspx


Walter

On Sun, Aug 2, 2015 at 10:04 PM, Cheyenne Deal wrote:

> Does anyone have any recommendations for a small form factor machine for
> pfsense?
> I am looking for dual gb interfaces and able to handle at least a 50mb
> internet connection





[pfSense] Bandwidth graph

2015-10-16 Thread Walter Parker
Years ago, there was a package for pfSense that graphed total bandwidth for
the Day, Month, Year using bar charts. It would show the top days with
bandwidth and total usage for the month.

It was not bandwidthD or the RRD graphs. I can't find it anymore. What was
it called and why was it removed?


Walter



Re: [pfSense] Bandwidth graph

2015-10-16 Thread Walter Parker
It was vnstat2. In the package list, it said it was a console app. However,
the app does have a web page that shows the graphs that I was remembering.


Walter

On Fri, Oct 16, 2015 at 8:30 AM, Ryan Coleman  wrote:

> Typically packages are removed because they are no longer supported by the
> developer.
>
>
> > On Oct 16, 2015, at 1:11 AM, Walter Parker  wrote:
> >
> > Years ago, there was a package for pfSense that graphed total bandwidth
> for
> > the Day, Month, Year using bar charts. It would show the top days with
> > bandwidth and total usage for the month.
> >
> > It was not bandwidthD or the RRD graphs. I can't find it anymore. What
> was
> > it called and why was it removed?
> >
> >
> > Walter
> >





Re: [pfSense] PFSense for high-bandwith environments

2016-02-18 Thread Walter Parker
There is an optimization coming for pfSense. There is a new user space
routing daemon, netmap I think, that can reach line rate on 10G NICs (14.88
Mpps). There was a BSDCon talk that discussed a future version of pfSense
using this system. It uses ipfw, so there is a bit of work to adapt it to
pfSense.


Walter

On Thu, Feb 18, 2016 at 9:26 AM, Giles Davis  wrote:

> Hello PFSense Collective,
>
> At the risk of sounding slightly 'cheap', does anyone (else) on this
> list have experience of 'good combinations' of hardware for PFSense
> appliances that will handle high-traffic levels and comments on
> reasonable max-levels of throughput to expect from it?
>
> We've been using PFSense for quite some time for large events and these
> days are pushing up to 4Gbit/sec to the internet via our PFSense boxes,
> to 2-3k clients - with expectation of bigger events in the reasonably
> near future.
>
> Using Intel E3-1270s and Intel 10G NICs (forget the exact model, but
> they use the BSD ix driver) we start seeing packet loss and a general
> maximum throughput at around 1-1.2Gbit. Our 'solution' so far of just
> adding more appliances and splitting the load really won't scale
> forever, so if anyone has any suggestions of 'better hardware' or BSD
> optimizations that would let us push more through a single appliances,
> i'd love to hear it. We've got a reasonable set of BSD networking tweaks
> and optimizations that certainly help, but we still can't manage to push
> more than our little-over-a-gigabit maximum before things start wobbling.
>
> We're not asking a huge amount of traffic inspection from our
> envrironment (used to do a fair bit of traffic shaping, but have managed
> to provide sufficient bandwidth to meet natural demand for a while now)
> - but historically PFSense has been a great appliance to have in the
> network for firewalling and monitoring.
>
> Thanks in advance for any suggestions and thanks to the maintainers for
> such a great firewall implementation. :)
>
> Cheers,
> Giles.





Re: [pfSense] PFSense for high-bandwith environments

2016-02-23 Thread Walter Parker
On Tue, Feb 23, 2016 at 3:19 PM, Giles Davis  wrote:

> On 19/02/2016 17:12, David Burgess wrote:
> > I'm a little surprised at your experience. A few years ago I built a
> > PFSense unit with an Intel motherboard, 1st gen Core i3 CPU, and a
> > single onboard Intel (em) GBE NIC. All routing was done through vlans
> > and it had no trouble reaching wire speed with around 50% CPU usage.
> >
> > I do recommend using the net.inet.ip.fastforwarding=1 tweak if you
> > can. Note that it breaks IPSEC and captive portal.
> >
> > As far as 10G NICs, I was sure I read recently that the FreeNAS people
> > were recommending Chelsio, but I can't find the reference now.
> I imagine it's probably going to be our ridiculous PPS figures that
> start to bottleneck things. There's 2-3 thousand hardcore gamers behind
> these boxes when we run our events all generating shedloads of tiny UDP
> packets, as well as a big demand for normal web browsing, downloading,
> streaming on top of all that. What we used to see was the ix (and before
> the 10G NICs the bge) driver heavily pushing single CPU cores - but at
> about ~1.2Gbit we just start seeing small amounts of packet loss - even
> when there's no obvious single cause. I'm guessing it's a combination of
> a few factors, but to be honest we just move traffic off to another box
> - PL for gamers is the end of the world. :(
>
> I don't think we had set fastforwarding yet - so I'll definitely look
> into that. Don't care about IPSec or captive portal at all!
>
> We're also getting pricing for Chelsio NICs now too - so perhaps that'll
> help as well.
>
> Thanks again (and thanks Ed for those stats too).
>
> Cheers,
> Giles.
>


Fun fact, Netflix is using FreeBSD and is pushing >30 Gbps from systems
using Chelsio NICs. See
http://www.slideshare.net/facepalmtarbz2/slides-41343025 for details.


Walter


Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

2016-04-13 Thread Walter Parker
For a list of Packages in 2.3, see
https://doc.pfsense.org/index.php/Package_Port_List

For a list of packages removed from 2.3, see
https://doc.pfsense.org/index.php/2.3_Removed_Packages


Walter

On Wed, Apr 13, 2016 at 3:17 PM, Steve Yates  wrote:

> I should restate/clarify that I was looking at the
> https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes page which
> mentions the package system changed but doesn't specifically mention the
> below, which is on the
> https://doc.pfsense.org/index.php/Upgrade_Guide#Package_System page that
> I mentioned in another message.
>
> The New Features and Changes page is what is linked from
> https://doc.pfsense.org/index.php/Category:Releases (on the doc Main
> Page: "pfSense Release Versions - Change logs and other information for
> past and present releases")
>
> Also by "specific" I meant, say, the bind package the OP asked about,
> which was covered in other messages also.
>
> Steve
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris
> Buechler
> Sent: Wednesday, April 13, 2016 5:02 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] 2.3 show stopper - bind package missing -- don't
> install if you need bind!
>
> On Wed, Apr 13, 2016 at 1:48 PM, Steve Yates  wrote:
> > The release notes don't mention specific package compatibility
>
> Yes it does.
>
> "Packages
>
> The list of available packages in pfSense 2.3 has been significantly
> trimmed.  We have removed packages that have been deprecated upstream, no
> longer have an active maintainer, or were never stable. A few have yet to
> be converted for Bootstrap and may return if converted. See the
> 2.3 Removed Packages list for details."





[pfSense] Upgraded to new pfSense Router, can't find RRD graphs after restore

2016-05-07 Thread Walter Parker
Hi,

I just upgraded from my old ALIX router that I bought from Netgate several
years ago (which has worked great for the past several years).

The new box is nice, it is much faster. I restored my old 2.2.5 config on
the new system and I have a few questions:

Where are the RRD graphs? (I don't see a menu option for the graphs.)
How do I remove the vnstat2 menu item? (The package was removed during the
upgrade because it is not supported in 2.3.)


Walter



[pfSense] USB hard drive on SG-2220

2016-05-27 Thread Walter Parker
Hi,

I just plugged a small WDC USB 2.0 hard drive into my pfSense firewall as
an external, second drive and everything booted:
da1 at umass-sim1 bus 1 scbus7 target 0 lun 0
da1:  Fixed Direct Access SCSI device
da1: 40.000MB/s transfers
da1: 238475MB (488397168 512 byte sectors)
da1: quirks=0x2

But when I tried to plug in a Seagate 2TB or 4TB drive (USB 3.0), the
system crashes with a power outage and doesn't restart (even after a power
cycle). It appears as if it doesn't post because the network indicators
never start flashing and the console never shows any output.

When plugged into a full sized desktop/server running FreeBSD 10.3, it
shows:

da0 at umass-sim0 bus 0 scbus8 target 0 lun 0
da0:  Fixed Direct Access SPC-4 SCSI device
da0: Serial Number XXX
da0: 400.000MB/s transfers
da0: 3815447MB (7814037167 512 byte sectors)
da0: quirks=0x2

My first guess would be that the first drive takes less power than the
second. My second guess would be that there is some incompatibility between
the USB 2.0 on the Atom board and the USB 3.0 on the drive (on the full
FreeBSD machine, the drive is plugged into a USB 3.0 port).

If I got a USB drive with an external power supply, could I use a 4TB drive
on the firewall?


Walter




Re: [pfSense] Strange fe80::1:1 link-local address on LAN interface

2016-05-27 Thread Walter Parker
In IPv6, the link-local fe80::1:1 is like what IPv4 does when there isn't a
DHCP server (it auto-assigns an address from 169.254.0.0/16). The IPv6 RFC
documents two ways to generate these link-local addresses. The second method
generates addresses that are not dependent on the MAC address. Unlike the
IPv4 standard, the IPv6 standard requires that this address always exists,
even when a "real" (read globally routable) IPv6 address exists.



Walter

On Thu, May 26, 2016 at 5:39 AM, Olivier Mascia  wrote:

> By the way, this is on a pfSense/Netgate device and I still have at least
> 2 support incidents available. I'd happily burn at least one of them to
> have someone remotely check this.
>
> I'll be back on site within 2 hours from this post, I'll check the web by
> then for the proper procedure to open a case.
>
> --
> Meilleures salutations, Met vriendelijke groeten,  Best Regards,
> Olivier Mascia (from mobile device), integral.be/om
>
>
> > On 26 May 2016 at 13:03, Olivier Mascia wrote:
> >
> > LAN Interface (lan, igb0)
> > Status: up
> > MAC Address: 00:08:a2:09:58:96
> > IPv4 Address: 10.32.0.1
> > Subnet mask IPv4: 255.255.0.0
> > IPv6 Link Local: fe80::1:1%igb0  (???)
> > IPv6 Address: 2a02:578:4d07::1
> > Subnet mask IPv6: 64
> > MTU: 1500
> > Media: 1000baseT
> >
> > I do not understand where this fe80::1:1 comes from, it clearly isn't
> derived from the MAC.
> >
> > Indeed workstations on the LAN capture fe80::1:1 for their default
> gateway and even pinging that IP from a workstation doesn't work:
> >
> > ping6 fe80::1:1
> > PING6(56=40+8+8 bytes) fe80::aa20:66ff:fe21:7c8e%en2 --> fe80::1:1
> > ping6: sendmsg: No route to host
> > ping6: wrote fe80::1:1 16 chars, ret=-1
> > ping6: sendmsg: No route to host
> > ping6: wrote fe80::1:1 16 chars, ret=-1
> >
> > Not surprised.
> > The question is where could this fe80::1:1 come from?
> > So I could get rid of it and get there a proper link-local address?
> >
> > Reboot does not help.
> > Downloaded config file, there is no fe80::1:1 anywhere in there.
> >
> > --
> > Meilleures salutations, Met vriendelijke groeten, Best Regards,
> > Olivier Mascia, integral.be/om
> >
> >



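The MAC-based (modified EUI-64) link-local derivation the reply above refers to, run against the firewall's LAN MAC and the workstation address quoted in the thread, as an added example (not code from the list or from pfSense). It goes one step beyond the reply by also reversing the derivation, which is how a link-local address is traced back to a NIC; the check confirms that fe80::1:1 is not of that form.

```python
"""Modified EUI-64 link-local addresses: derive one from a MAC, recognise
one, and recover the MAC from one. Added example; the MAC and addresses in
the __main__ block are the ones printed in the thread above."""
from ipaddress import IPv6Address


def eui64_link_local(mac):
    """Build the fe80::/64 address for a MAC per RFC 4291 Appendix A: split
    the 48-bit MAC in the middle, insert ff:fe, and invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit is inverted in the modified form
    return IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(iid))


def looks_eui64(addr):
    """True when the interface identifier carries the ff:fe marker, i.e. it
    was (almost certainly) derived from a MAC. fe80::1:1 has no such marker."""
    packed = IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def mac_from_eui64(addr):
    """Reverse the derivation so an observed link-local address can be tied
    to the NIC that generated it."""
    if not looks_eui64(addr):
        raise ValueError(f"{addr} has no EUI-64 interface identifier")
    iid = bytearray(IPv6Address(addr).packed[8:16])
    iid[0] ^= 0x02
    octets = bytes(iid[:3]) + bytes(iid[5:])
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # The firewall's LAN MAC from the status page, and a workstation's own
    # link-local address as echoed by ping6 in the original post.
    print(eui64_link_local("00:08:a2:09:58:96"))       # fe80::208:a2ff:fe09:5896
    print(looks_eui64("fe80::1:1"))                      # False
    print(mac_from_eui64("fe80::aa20:66ff:fe21:7c8e"))  # a8:20:66:21:7c:8e
```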

Re: [pfSense] Restoring DHCP table from 2.2.x into 2.3.x

2016-05-29 Thread Walter Parker
You could try copying the entries from the old XML and pasting them into the
new XML file.


Walter

On Sun, May 29, 2016 at 3:32 PM, Dave Warren  wrote:

> Howdy!
>
> I am looking at replacing my 2.2.something pfSense box with a fresh
> install of 2.3. Is it possible to restore just the DHCP configuration
> (leases, statics, and custom DHCP options)?
>
> Enough of the other stuff is being tossed that a fresh install would seem
> to make sense, but it would be convenient if IP assignments didn't need to
> change as this makes it easier to bring the new firewall up side by side
> with the old one and transfer over relatively seamlessly.
>
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>





Re: [pfSense] Restoring DHCP table from 2.2.x into 2.3.x

2016-05-29 Thread Walter Parker
When I moved from 2.2 to 2.3, I had a list of 20+ static leases (all the
phones, tablets, printers, laptops and desktops in the household), so I
didn't really want to recreate them.

I uninstalled the packages that don't exist in 2.3 and then backed up the
config. On the new 2.3 box, I restored from that config and things
worked just fine.


Walter

On Sun, May 29, 2016 at 4:44 PM, Dave Warren  wrote:

> On 2016-05-29 17:35, Walter Parker wrote:
>
>> You could try copying the the entries from the old XML and paste it in the
>> new XML file.
>>
>
> Is the backup/restore mechanism similar and compatible? This would at
> least bring static assignments and configuration across, without restoring
> anything else, which would probably be Good Enough for my purposes, in
> general any machine that is powered on when it's lease expires will tend to
> request the same IP from the new server, although it's a bit of an
> imperfect solution.
>
> I'm more nervous about copying entire sections into the XML right now,
> although if the data appears similar, it may be worth considering.
>
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
>



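As an added example (not pfSense project code) of the "copy the entries from the old XML into the new" approach suggested in these two messages, the script below merges the `<staticmap>` entries for one interface from an old config.xml into a fresh one. It assumes the layout pfSense 2.x uses for static leases, `<pfsense><dhcpd><lan><staticmap>` with `<mac>`, `<ipaddr>` and `<hostname>` children; both sample documents are constructed for the example, not taken from a real firewall. Entries whose MAC or address is already mapped in the new config are skipped, as are addresses inside the new pool's dynamic range, which the pfSense GUI itself refuses, so the merge cannot produce a config that the GUI would have rejected.

```python
"""Merge pfSense DHCP static mappings from an old config.xml into a new one.

Added example, not pfSense project code. Assumed layout (pfSense 2.x):
<pfsense><dhcpd><lan><staticmap><mac/><ipaddr/><hostname/></staticmap>...
Both sample documents below are constructed for the example.
"""
import copy
import ipaddress
import xml.etree.ElementTree as ET

OLD_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <dhcpd>
    <lan>
      <enable></enable>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <staticmap>
        <mac>00:11:22:33:44:55</mac>
        <ipaddr>192.168.1.10</ipaddr>
        <hostname>printer</hostname>
      </staticmap>
      <staticmap>
        <mac>66:77:88:99:aa:bb</mac>
        <ipaddr>192.168.1.11</ipaddr>
        <hostname>desktop</hostname>
      </staticmap>
      <staticmap>
        <mac>cc:dd:ee:ff:00:11</mac>
        <ipaddr>192.168.1.150</ipaddr>
        <hostname>camera</hostname>
      </staticmap>
    </lan>
  </dhcpd>
</pfsense>
"""

NEW_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <dhcpd>
    <lan>
      <enable></enable>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <staticmap>
        <mac>66:77:88:99:AA:BB</mac>
        <ipaddr>192.168.1.11</ipaddr>
        <hostname>desktop</hostname>
      </staticmap>
    </lan>
  </dhcpd>
</pfsense>
"""


def _pool(iface_el):
    """Dynamic range of a <dhcpd><iface> element as a pair of addresses."""
    rng = iface_el.find("range")
    return (ipaddress.ip_address(rng.findtext("from")),
            ipaddress.ip_address(rng.findtext("to")))


def merge_static_maps(old_xml, new_xml, iface="lan"):
    """Copy <staticmap> entries for one interface from old_xml into new_xml.

    Returns (merged_xml, added_macs, skipped) where skipped is a list of
    (mac, reason). MACs are compared case-insensitively.
    """
    old_root = ET.fromstring(old_xml)
    new_root = ET.fromstring(new_xml)
    target = new_root.find(f"./dhcpd/{iface}")
    if target is None:
        raise ValueError(f"new config has no DHCP section for {iface}")
    lo, hi = _pool(target)
    macs = {m.findtext("mac", "").lower() for m in target.findall("staticmap")}
    ips = {m.findtext("ipaddr", "") for m in target.findall("staticmap")}
    added, skipped = [], []
    for sm in old_root.findall(f"./dhcpd/{iface}/staticmap"):
        mac = sm.findtext("mac", "").lower()
        ip = sm.findtext("ipaddr", "")
        if mac in macs or ip in ips:
            skipped.append((mac, "already mapped in new config"))
            continue
        if lo <= ipaddress.ip_address(ip) <= hi:
            skipped.append((mac, "inside dynamic pool"))
            continue
        target.append(copy.deepcopy(sm))  # keeps cid/descr/options verbatim
        macs.add(mac)
        ips.add(ip)
        added.append(mac)
    return ET.tostring(new_root, encoding="unicode"), added, skipped


def static_map_count(xml_text, iface="lan"):
    """Number of static mappings on an interface, for before/after checks."""
    return len(ET.fromstring(xml_text).findall(f"./dhcpd/{iface}/staticmap"))


if __name__ == "__main__":
    merged, added, skipped = merge_static_maps(OLD_CONFIG, NEW_CONFIG)
    print("added:", added)
    print("skipped:", skipped)
    print(merged)
```

The merged document still has to go through Diagnostics > Backup & Restore on the new box; and remember that a full config.xml also carries password hashes and VPN key material, so the old file should be handled like any other secret once you have pulled the DHCP section out of it.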


Re: [pfSense] enabling authenticated ntp ?

2016-05-30 Thread Walter Parker
Not that I have seen.

I had an idea for authenticated NTP awhile back, but was waiting until I
had upgraded to 2.3 before I looked at what it would take to add. This
weekend I had the time to build a test environment, so I might try doing it
over the next few months.


Walter

On Mon, May 30, 2016 at 3:46 AM, Valerio Bellizzomi 
wrote:

> Hello, there is a ntp authenticated with public key feature in ntp, does
> pfsense support that?
>
> thanks
>
>
> On Thu, 2016-05-26 at 20:18 +0200, Valerio Bellizzomi wrote:
> > Is it possible to do from the web interface?
> >
> > thanks
> >
> >
>
>
>
>





[pfSense] pfSense store router positioning

2016-06-05 Thread Walter Parker
Hi,

I've been doing a bit of remodeling in the household and I noticed an
interesting issue with the temperature of the router (an SG-2220). If I
put the router flat, it heated up to 53 Celsius (9AM, mid-70s Fahrenheit
room temp). When I turned the router on its side, it dropped from 53 to 46
in 20 minutes, and if the last experiment holds it should level out at 41.

Have other people seen the temp on the router higher when it is flat than
when it is on its side?


Walter



Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-01 Thread Walter Parker
On Thu, Sep 1, 2016 at 3:06 PM, compdoc  wrote:

> >>Coming back tonight to do memtest, SpinRite on the SSD, etc...,
>
> Spinrite on an ssd is a terrible idea. It's an ancient program thats even a
> bad idea to use on hard drives.
>
> It doesn't even work on drives larger than 1TB, because it was written in a
> time when drives were not that big. And there was no such thing as an SSD
> back then. Toss spinrite in the trash.
>
> If you want to know if a drive is failing, you just have to ask it. Just
> read the SMART info recorded in the drive.
>
> Memtest86+ on the other hand is a great idea, but you should let it run as
> many passes as possible. One or two passes is fine for new equipment, but
> with old ram that might be flakey, its best to run overnight or at least 4
> or 5 passes.
>
> If the motherboard is 4 or 5 years old, you might check for swollen
> capacitors, and many of the low cost power supplies go bad in a year or
> two.
>
>
I suggest you update your knowledge base on SpinRite. It has found a new
life in helping SSD drives to fix themselves. FYI, the SMART info is often
different depending on whether the drive is under load. SpinRite puts the
drive under load, so you may not see errors on the drive unless you are
running your own seek application. The size limit is 2TB and the program
will have a free update in the near future to support drives >2TB. Most
recommendations are to use SpinRite in Level 2 mode (read only), but given
that modern drives have wear leveling, even running it read-write will not
kill a drive that does caching and basic wear leveling.

I'd suggest that before you slag programs, you not rely on old, outdated,
biased information. But that is just me...


Walter






Re: [pfSense] Lightning strike

2016-10-13 Thread Walter Parker
On Thu, Oct 13, 2016 at 2:40 PM, Volker Kuhlmann 
wrote:

> On Wed 27 Jul 2016 13:40:16 NZST +1200, Chris Buechler wrote:
>
> > > I find this really really annoying of pfsense! Especially for headless
> > > systems. Hey, why run with only one interface and some functionality
> > > missing when one can run with functionality of zero point zero instead?
> >
> > Because any fall back there is potentially unsafe. Say you have
> > igb0-igb5, and igb2 dies. Now your igb3 is igb2, igb4 is igb3, etc.
> > Any assumptions you make about what's correct are potentially
> > dangerous, and likely to be wrong. We've had discussions around that
> > in greater depth multiple times over the years. Any way you do it has
> > edge case bugs, is dangerous and/or wouldn't be right anyway.
>
> So the root cause of the problem is not to be able to bind pfsense
> interfaces to ports (whether this is the OS's fault or not is not
> something a user cares about).
>
> In my case the USB interface runs the wifi. I can do without that
> easily. But not getting access to pfsense on the LAN port on a headless
> APU-4 because the USB dongle is unplugged, dead, or whatever and
> therefore my wifi may be offline sure does look braindead to me. Sorry.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.
>

Problem is that all of the current OSes do this sort of renumbering (I'd have
to check, but I think it could be a hardware/driver issue). IIRC Linux
systems have had this sort of problem in even greater measure than the
BSDs. The plug and play nature of USB has caused issues for most systems
(drive letter changes on Windows, device name changes on Linux, even BSD
has started doing this). The brain-deadness here is a problem that extends to
the PC industry as a whole. pfSense is subject to bad decisions that were made
decades ago by other companies without enough vision. The automapping ideas
in hardware were not properly thought out and software didn't think it
through either.


Walter



Re: [pfSense] pfsense default firewall configuration

2016-11-15 Thread Walter Parker
I moved from IPCop to pfSense years ago. It was good enough then. It is
better now. Without an idea of what your customizations are, we can't tell
you how many rules you might need to add to get the same functionality from
a pfSense setup.

On Tue, Nov 15, 2016 at 8:19 AM, Ryan Coleman  wrote:

> I would add that it is “good enough” to start from and do what you need
> after that.
>
>
> > On Nov 15, 2016, at 7:46 AM, Vick Khera  wrote:
> >
> > On Tue, Nov 15, 2016 at 3:17 AM, user49b  wrote:
> >> I have heavily modified my IPcop configuration and just wanted to know
> if
> >> pfSesnse's default firewall configuration is good enough.
> >
> > The default is deny everything inbound, and allow everything outbound.
> > Nobody can say what's "good enough" for you without knowing your
> > requirements.
>
>




Re: [pfSense] How to ...

2017-02-22 Thread Walter Parker
One thing to consider with a DNS query mapping system is the effect of
DNS caching. Many systems now have local caches, so you will only see the
DNS lookup once. For the traffic flows, you might want to look at NetFlow.
It can be set up to send the data to a collector system, and you will be able
to see addresses, bandwidth and protocol types.


Walter

On Wed, Feb 22, 2017 at 6:44 PM, Richard A. Relph 
wrote:

> Hi,
> I have to believe this doable on an SG-2440. But I don’t have the
> expertise to implement it.
> I have configured the software to force all DNS connections through
> the SG-2440 (except for 1 or 2 IoT devices that seem to insist on talking
> to their manufacturer’s DNS servers - bad form, in my opinion.)
> What I’d like to do now is monitor all outgoing traffic and pair the
> IP address it is destined for against the DNS requests.
> I’d further like at least a report - and possibly block - outbound
> traffic that is destined for a “hard-coded” IP address.
> And, naturally, I’d like a report of all DNS requests and how much
> traffic is exchanged with each and when.
> The effort is an attempt to discover software running inside my
> network that might be “undesirable”.
> Any pointers, suggested reading, etc. would be greatly appreciated.
> I’m not incompetent, just uneducated.
> Thanks,
> Richard




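The pairing Richard asks for, with the caching caveat Walter raises, as an added example that is not part of the original thread or of pfSense: each outbound flow is matched to a DNS answer for its destination address, and a destination counts as "resolved" for the answer's TTL plus a grace period rather than only at the instant the lookup was logged, because a client that has the answer cached will open new connections without a new query appearing at the firewall. Both input lists are constructed and stand in for what a resolver's reply log and a NetFlow collector would give you; the real record formats differ, only the fields used here matter.

```python
"""Correlate outbound flows with DNS answers seen at the firewall.

Added example, not pfSense code. DNS_ANSWERS and FLOWS are constructed
stand-ins for a resolver reply log and NetFlow collector output.
"""
from collections import defaultdict

# (timestamp, client, qname, ttl, answer_ip)
DNS_ANSWERS = [
    (1000, "192.168.1.20", "www.example.com", 300, "203.0.113.10"),
    (1005, "192.168.1.21", "update.vendor.example", 60, "198.51.100.7"),
]

# (start, src, dst, dport, proto, bytes)
FLOWS = [
    (1010, "192.168.1.20", "203.0.113.10", 443, "tcp", 48210),
    (1012, "192.168.1.20", "203.0.113.10", 443, "tcp", 1200),   # cached answer, no new lookup
    (1020, "192.168.1.30", "192.0.2.99", 8080, "tcp", 9000),     # never resolved: hard-coded
    (1400, "192.168.1.21", "198.51.100.7", 443, "tcp", 4000),    # long after the TTL ran out
    (1030, "192.168.1.25", "198.51.100.7", 443, "tcp", 700),     # resolved by another client
]


def classify_flows(answers, flows, grace=300):
    """Return one dict per flow with the DNS name that explains its destination,
    or name=None when no answer for that IP was seen in
    [answer_time, answer_time + ttl + grace].

    Matching is by destination IP only, not per client, because with a local
    or shared cache the firewall sees the query once for many connections.
    """
    windows = defaultdict(list)
    for ts, _client, qname, ttl, ip in answers:
        windows[ip].append((ts, ts + ttl + grace, qname))
    out = []
    for start, src, dst, dport, proto, nbytes in flows:
        name = None
        for lo, hi, qname in windows.get(dst, ()):
            if lo <= start <= hi:
                name = qname
                break
        out.append({"start": start, "src": src, "dst": dst, "dport": dport,
                    "proto": proto, "bytes": nbytes, "name": name})
    return out


def hard_coded_destinations(classified):
    """Destinations reached with no DNS answer in the window: report or block candidates."""
    return sorted({f["dst"] for f in classified if f["name"] is None})


def bytes_per_name(classified):
    """Traffic volume per resolved name; unresolved flows are bucketed together."""
    totals = defaultdict(int)
    for f in classified:
        totals[f["name"] or "(no DNS answer)"] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    c = classify_flows(DNS_ANSWERS, FLOWS)
    for f in c:
        print(f"{f['start']} {f['src']} -> {f['dst']}:{f['dport']} "
              f"{f['bytes']}B  {f['name'] or 'NO DNS ANSWER'}")
    print("hard-coded destinations:", hard_coded_destinations(c))
    print("bytes per name:", bytes_per_name(c))
```

The grace period is the knob that trades misses for false alarms: with the default of 300 seconds the flow at 1400 is flagged because its answer (TTL 60) is long gone, while a grace of an hour accepts it. A stricter variant would match per client as well, but on a network where the IoT devices Richard mentions bypass the local resolver, the per-IP match above is the one that still catches the hard-coded destinations.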

[pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Walter Parker
I think I'm missing something simple with my Acme Client setup in pfSense.
I followed the following steps and I'm getting a TSIG error (note NSUPDATE
worked when run by hand).


   - dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
   - Copy secret from Kfw.sample.com.*.key (note this secret has a space in
     the middle)
   - Added the following to named.conf and then restarted named:

        key "fw.sample.com." {
            algorithm HMAC-MD5;
            secret "<>";
        };
        zone "sample.com" {
            type master;
            file "dynamic/sample.com";
            allow-update { key "fw.sample.com."; };
        };

   - I then set up an Acme account
   - I configured the Domain SAN List like this:
        - Domainname = fw.landsraad.org
        - Method = DNS-NSUpdate
        - Server = DNSServer hostname
        - Key Type = HOST
        - Key Algorithm = HMAC-MD5
        - Key = "<>"
   - I click on issue/renew
   - I get the following error in the DNS server logs:

        client x.y.z.t#11498: request has invalid signature: TSIG
        _acme-challenge.fw.sample.com: tsig verify failure (BADKEY)

What piece did I miss, do wrong? If I copy both of the Kfw.sample.com
records to a different server, I can run nsupdate by hand and it works.


Walter




Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Walter Parker
I replaced the secret with the one that didn't have a space in it. It
continues to fail.

[Sun Aug 6 18:13:10 PDT 2017] adding _acme-challenge.fw.sample.com. 60 in
txt "Ovv8F-OwpeprtA2ZhICx9ct3pWlcGViHvPpTtgFkR8A"
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

I have found another issue. When I ran nsupdate by hand, I was using 'zone
sample.com' and then 'update add _acme-challenge.fw.sample.com <>' as the new RR. That works fine. If I run nsupdate and set the zone to
fw.sample.com, it fails with an auth error. This is because named is
configured to allow updates for the zone sample.com, and not a zone named
fw.sample.com (but will save RRs in the fw.sample.com domain).

So I tried to change the Domainname in pfSense to sample.com (that is the
domain that I want to update) and it would not take sample.com (I don't
have an A record for sample.com, just for hosts in sample.com).

How do I get the Acme package to let me update the sample.com zone, to add
the host for _acme-challenge.fw.sample.com? I think I missed a step. This
is for a firewall that I don't want to set up external web access on.


Walter

On Sun, Aug 6, 2017 at 5:48 PM, Jim Pingle  wrote:

> On 8/6/2017 8:03 PM, Walter Parker wrote:
> > I think I'm missing something simple with my Acme Client setup in
> pfsense.
> > I followed the following steps and I'm get a TSIG error (note NSUPDATE
> > worked when run by hand).
> >
> >
> >- dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
> >- Copy secret from Kfw.sample.com.*.key (note this secret has a space
> in
> >the middle)
>
> Use the copy of the key from the .private file. It shouldn't have a
> space in it.
>
> Jim P.
>
>




Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Walter Parker
Thank you,

To document how I did it for others:

Create your key using dnssec-keygen (use a key size of 256 to prevent
wrapping/spacing issues).
Note, you must define your key with the exact name that pfSense will use. If
the firewall is named fw.sample.com, the named.conf must look something like
the below. Note that one of the leads for BIND's named was also a lead for
sendmail, so this has many of the same issues (I think they were doing lots
of dope in Berkeley when they designed it and have not changed it for
compatibility reasons). The names of the keys must match the names of the
zones for this to work. After creating them, you will need to create NS
records in the fw.sample.com zone so that _acme-challenge.fw.sample.com can
be found. Use rndc freeze fw.sample.com or nsupdate to add these records.



key "_acme-challenge.fw.sample.com." {
    algorithm HMAC-MD5;
    secret "<>";
};

zone "_acme-challenge.fw.sample.com" {
    type master;
    file "dynamic/_acme-challenge.fw.sample.com";
    allow-update { key "_acme-challenge.fw.sample.com."; };
    notify yes;
};

key "fw.sample.com." {
    algorithm HMAC-MD5;
    secret "<>";
};

zone "fw.sample.com" {
    type master;
    file "dynamic/fw.sample.com";
    allow-update { key "fw.sample.com."; };
    notify yes;
};

key "sample.com." {
    algorithm HMAC-MD5;
    secret "<>";
};

zone "sample.com" {
    type master;
    file "dynamic/sample.com";
    allow-update { key "sample.com."; };
    notify yes;
};


On Sun, Aug 6, 2017 at 7:05 PM, Jim Pingle  wrote:

>
> On 8/6/2017 9:47 PM, Walter Parker wrote:
> > How do I  get the Acme package to let me update the sample.com
> > <http://sample.com> zone, to add the host for
> > _acme-challenge.fw.sample.com <http://acme-challenge.fw.sample.com>? I
> > think I missed a step. This is for a firewall that I don't want to setup
> > external web access on.
>
> At the moment it only supports host keys, not zone keys. It will need to
> have a key made for that host specifically.
>
> Also, make sure the update-policy for the dynamic zone grants the
> ability to update TXT records specifically, or ANY.
>
> Jim P.
>



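The three problems this thread works through, the secret from the .key file arriving with a space in it, the key name having to match exactly what the client presents, and the record's zone being different from the record's owner name, as an added example that is not part of the original posts, of pfSense or of acme.sh. `SAMPLE_KEY_RR` and `SAMPLE_PRIVATE` imitate the two files dnssec-keygen writes (Kfw.sample.com.+157+NNNNN.key and .private); the secret is 64 known bytes so the result can be checked, the place where the base64 is split is an assumption about where BIND wraps it, and fw.sample.com / sample.com are the thread's own placeholders. The zone stanza follows Jim's remark about update-policy: it grants the host key the right to change TXT records at one name only, instead of allow-update, which lets the key rewrite the entire zone.

```python
"""TSIG key handling for the ACME DNS-NSUpdate method discussed above.

Added example, not pfSense or acme.sh code. Sample files are constructed;
the secret is bytes(range(64)) so the expected base64 is known.
"""
import base64

SECRET = bytes(range(64))             # stand-in for a 512-bit HMAC-MD5 key
_B64 = base64.b64encode(SECRET).decode()

# .key file: owner IN KEY flags protocol algorithm base64...
# 157 is HMAC-MD5; a long secret is printed in two pieces (the "space in
# the middle"). The split at 44 characters is assumed, not BIND's exact rule.
SAMPLE_KEY_RR = f"fw.sample.com. IN KEY 512 3 157 {_B64[:44]} {_B64[44:]}\n"

# .private file: the same secret, unbroken, on the "Key:" line.
SAMPLE_PRIVATE = ("Private-key-format: v1.3\n"
                  "Algorithm: 157 (HMAC_MD5)\n"
                  f"Key: {_B64}\n")


def secret_from_key_rr(text):
    """Join every base64 piece after 'KEY flags proto alg' and check it decodes.

    Copying only the first piece is what makes the server answer BADKEY.
    """
    fields = text.split()
    i = fields.index("KEY")
    b64 = "".join(fields[i + 4:])
    base64.b64decode(b64, validate=True)   # raises binascii.Error if mangled
    return b64


def secret_from_private_file(text):
    """Read the secret from the .private file, Jim's suggestion in the thread."""
    for line in text.splitlines():
        if line.startswith("Key:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Key: line in private file")


def named_key_stanza(key_name, secret, algorithm="hmac-md5"):
    """named.conf key statement. key_name must be the name the client signs
    with (here the firewall's hostname); named treats it as a domain name."""
    return (f'key "{key_name.rstrip(".")}." {{\n'
            f"    algorithm {algorithm};\n"
            f'    secret "{secret}";\n'
            "};\n")


def named_zone_stanza(zone, key_name, owner, zone_file):
    """Zone statement letting key_name change only TXT records at owner,
    instead of allow-update, which would let it rewrite the whole zone."""
    return (f'zone "{zone}" {{\n'
            "    type master;\n"
            f'    file "{zone_file}";\n'
            f'    update-policy {{ grant {key_name.rstrip(".")}. '
            f'name {owner.rstrip(".")}. TXT; }};\n'
            "};\n")


def nsupdate_script(server, zone, owner, txt_value, ttl=60):
    """nsupdate batch. `zone` is the zone holding the record, `owner` the
    record name; the two are kept apart because sending 'zone fw.sample.com'
    to a server that only serves sample.com is the NOTAUTH in the thread."""
    zone = zone.rstrip(".") + "."
    owner = owner.rstrip(".") + "."
    if owner != zone and not owner.endswith("." + zone):
        raise ValueError(f"{owner} is not inside zone {zone}")
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f'update add {owner} {ttl} IN TXT "{txt_value}"',
        "send",
        "",
    ])


if __name__ == "__main__":
    secret = secret_from_key_rr(SAMPLE_KEY_RR)
    assert secret == secret_from_private_file(SAMPLE_PRIVATE)
    print(named_key_stanza("fw.sample.com", secret))
    print(named_zone_stanza("sample.com", "fw.sample.com",
                            "_acme-challenge.fw.sample.com", "dynamic/sample.com"))
    print(nsupdate_script("ns1.sample.com", "sample.com",
                          "_acme-challenge.fw.sample.com", "token-from-acme"))
```

HMAC-MD5 appears here only because it is what the thread and the package's key-type list used; where both ends support it, generate the key with hmac-sha256 and pass that as `algorithm`. The TXT-only grant also means a compromise of the firewall's key can at worst plant challenge tokens, not repoint the host's A record.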


Re: [pfSense] pfSense virtualisation

2017-10-10 Thread Walter Parker
On Tue, Oct 10, 2017 at 12:57 PM, Doug Lytle  wrote:

> >>> Or do you think I am absolutely crazy? Or maybe Just one Hardware and
> one virtual?
>
> Quite a few of my firewalls are virtualized using ESXI and have done so
> for a few years now.
>
> Doug
>

I run my ESXi boxes with pfSense as the firewall. It has worked well for
years. I'd recommend that over standalone HW firewalls.


Walter



Re: [pfSense] acme package: DNS-nsupdate configurable update zone

2017-11-16 Thread Walter Parker
On Thu, Nov 16, 2017 at 4:22 AM, Brian Candler  wrote:

> On 16/11/2017 10:30, Brian Candler wrote:
>
>> Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure
>> this.
>>
>> I would like either:
>>
>> - an extra setting for "dynamic update zone", which is appended to the
>> nsupdate name
>> - an override for the whole name (i.e. can replace _
>> acme-challenge.www.foo.com with an arbitrary nsupdate target)
>>
>> Does this sound reasonable?
>>
>
> FYI, I was able to make it work by manually hacking
> /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
>
> +NSUPDATE_SUFFIX=acme.example.net.
>
> -  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
> +  _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt
> \"${txtvalue}\""
>
> -update add ${fulldomain}. 60 in txt "${txtvalue}"
> +update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"
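Review bot: the asterisks around ${NSUPDATE_SUFFIX} in the two + lines are mail-client emphasis, not shell; pasted as shown into dns_nsupdate.sh they become literal characters in the owner name (_acme-challenge.www.foo.com.*acme.example.net.*), which nsupdate will send as a bogus record. The update line should read `update add ${fulldomain}.${NSUPDATE_SUFFIX} 60 in txt "${txtvalue}"`, and NSUPDATE_SUFFIX must keep the trailing dot it has at the top of the patch so the concatenation stays fully qualified.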
>
> -  _info "removing ${fulldomain}. txt"
> +  _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"
>
> -update delete ${fulldomain}. txt
> +update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt
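Review bot: `update delete ${fulldomain}.${NSUPDATE_SUFFIX} txt` removes every TXT record at that owner, not just the token this run added; if anything else keeps TXT records at the same name in the update zone, one cleanup wipes it. Deleting by value, `update delete ${fulldomain}.${NSUPDATE_SUFFIX} txt "${txtvalue}"`, mirrors the add and only touches what this run created. The literal-asterisk problem noted for the add lines applies here too.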
>
> Of course, this will probably be overwritten by some future update :-(
>
> In addition, I had to change the generation of the key name in
> acme_inc.sh, to match the key name on the DNS server, otherwise I got TSIG
> error "NOTAUTH(BADKEY)".
>
> In my case, the key name on the server is "acme-update", so I changed this
> line:
>
> file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key",
> "*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");
>
> Being able to override the key name via the GUI would also be helpful.
>
> Cheers,
>
>
> Brian.
>
>


IIRC, when I set up the dynamic DNS for the challenge, I set up just the
hostname itself for dynamic DNS.
You can configure just www.foo.com as the zone for dynamic DNS; you don't need
the whole of foo.com to be dynamic DNS. This can make the logistics
simpler.


Walter


Re: [pfSense] Moving traffic between LAN & OPT1

2017-12-23 Thread Walter Parker
On Fri, Dec 22, 2017 at 8:25 PM, Antonio  wrote:

> Hi,
>
> I'm not sure how you move traffic between the above interfaces. I was
> under the impression that all you needed was a "Default allow LAN to any
> rule" and job done. Yet i'm struggling to get devices of different
> interfaces to communicate. What am I missing?
>
That rule allows the LAN to move traffic. Traffic on OPT1 is a different
network. You will need additional rules to allow it to talk to LAN. You will
need to add two sets of rules (or floating rules) depending on how you wish
to design your network.


Walter



>
> Thanks
>
>
>
> --
>
>
> Respect your privacy and that of others, don't give your data to big
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your
> messaging or
> Diaspora* (https://joindiaspora.com/) for your social networking.
>
>





Re: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

2018-01-03 Thread Walter Parker
On Wed, Jan 3, 2018 at 2:25 PM, Steve Yates  wrote:

> I'm not a developer but I would think it's dependent on FreeBSD releasing
> the update, plus testing by pfSense/Netgate.  However, I would think
> there's not much concern with PCs running pfSense, since raw code would not
> normally be running on the pfSense box...?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Wednesday, January 3, 2018 10:47 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: [pfSense] 'Kernel memory leaking' Intel processor design flaw
> forces Linux, Windows redesign • The Register - patch to pfsense?
>
> https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>
> is there patch soon available on pfsense kernel?
>

From the FreeBSD mailing list:

With respect to
https://newsroom.intel.com/news/intel-responds-to-
security-research-findings/

The FreeBSD Security Team recently learned of the details of these
issues that affect certain CPUs. Details could not be discussed
publicly, but mitigation work is in progress.

Work is ongoing to develop and commit these mitigations to the FreeBSD
repository as soon as possible, with updates for releases to follow.



Walter

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
Well, both Intel and AMD started shipping the AES-NI instructions 8 years
ago...

How long does a project need to wait before it can require a feature found
on all major x64 processors? Waiting 8-9 years seems reasonable to me.

Given the fact that the project is only supporting 64-bit and suggests
using a modern processor, this requirement should be a non-issue for most
users.

The only place where the AES-NI instructions are not found is in a small
number of embedded/dev boards using older Celeron processors.


Walter

On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek  wrote:

> This is silly. I shouldn't have to replace my hardware to support a
> feature I will not use...
>
> I shame Netgate for such an artificial limitation...
>
> Thank you for the information.
>
> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> > Well:
> >
> > https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
> talking
> > about 2.5 not 3.x ?
> >
> > "While we’re not revealing the extent of our plans, we do want to give
> > early notice that, in order to support the increased cryptographic loads
> > that we see as part of pfSense verison 2.5, pfSense Community Edition
> > version 2.5 will include a requirement that the CPU supports AES-NI. On
> > ARM-based systems, the additional load from AES operations will be
> > offloaded to on-die cryptographic accelerators, such as the one found on
> > our SG-1000 . ARM v8 CPUs
> > include instructions like AES-NI
> >  that can be
> > used to increase performance of the AES algorithm on these platforms."
> >
> >
> > Eero
> >
> > On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers  wrote:
> >
> >> I believe I read somewhere that the new version that requires aes-ni
> will
> >> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
> will be
> >> a major rewrite
> >>
> >>
> >> -Ed
> >>
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Thursday, February 15, 2018 12:14 PM
> >> To: Kyle Marek 
> >> Cc: pfSense Support and Discussion Mailing List  >
> >> Subject: Re: [pfSense] Configs or hardware?
> >>
> >> Well. Next version of pfsense (2.5) will not install into hardware that
> >> does not support AES-NI, so buying such hardware is not wise ?
> >>
> >> Eero
> >>
> >>
>




Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
y to improve throughput of applications utilizing AES. I had
> previously not been presented with anything to indicate that it helps
> with any security issues such as the timing attacks discussed here.
>
> However, to address the question in some way, I do agree that features
> like this should be taken advantage of as much as possible. However,
> unlike other advances such as x86 to x86_64, AES-NI does not create any
> new functionality that did not already exist. Until the security
> benefits have been presented, I did not see any use case where AES-NI
> would be necessary over the software implementation.
>
> I would like to point out that AES-NI is not "in everything" since 2008
> as previously indicated. While I understand these may not fall under the
> "all major x64 processors" category, Intel has launched CPUs without
> AES-NI within the past couple of years.
>
> See:
> https://ark.intel.com/Search/FeatureFilter?productType=
> processors&AESTech=false&BornOnDate=Q4%2716
>
> > And, finally, Mr. Volotinen called it exactly.   We announced this in
> May last year, so that those buying hardware in the now would know about
> the future requirements.  Anyone buying hardware now can make an informed
> decision as to if they want to buy or otherwise obtain a platform for
> pfSense that supports AES-NI, or not.  Either will work as long as they are
> running a 2.4.x release of pfSense, and, as above, 2.4 has a plan that
> includes support until, at least, 2020.
>
> This is acceptable. It just also just sucks, and I understand it must be
> faced.
>
> This is, however, beyond just replacing some networking equipment, as I
> have to replace my primary VM host due to CPU replacements supporting
> AES-NI not existing. Before knowing that the AES-NI requirement was to
> address the timing attack, I felt as if I have to pay for new hardware
> due to Netgate not "wanting" non-AES-NI AES implementations being
> utilized. Until this, I have not exactly had software support issues
> with even this aging hardware.
>
> I understand that a lot of people are effectively threatening to switch
> to OpnSense due to this, but I fear that I will *have to* if I can't
> replace my hardware by the time support for software AES ends entirely.
>
> See:
> https://ark.intel.com/Search/FeatureFilter?productType=
> processors&SocketsSupported=LGA771&AESTech=true
>
>
> I thank you for addressing this with me. I appreciate your conduct with
> me despite my comment.
>
> > Jim
> >
> >> On Feb 15, 2018, at 2:11 PM, Kyle Marek  wrote:
> >>
> >> I think you're missing the point that software support exists; pfSense
> >> supports software AES *now*, and this is being removed. New technology
> >> is cool; things not working anymore is not.
> >>
> >> Anyway, what are are other projects such as the TLS libraries doing
> >> about this? Is hardware acceleration really the only solution?
> >>
> >> On 02/15/2018 01:39 PM, Walter Parker wrote:
> >>> Well, both Intel and AMD starting shipping the AES-NI instructions 8
> years
> >>> ago...
> >>>
> >>> How long does a project need to wait before it can require a feature
> found
> >>> on all major x64 processors? Waiting 8-9 years seems reasonable to me.
> >>>
> >>> Given the fact that the project is only supporting 64-bit and suggests
> >>> using a modern processor this requirement should be a non issue for
> most
> >>> users.
> >>>
> >>> The only place where the AES-NI instructions are not found is in a
> small
> >>> number of embedded/dev boards using older Celeron processors.
> >>>
> >>>
> >>> Walter
> >>>
> >>> On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek 
> wrote:
> >>>
> >>>> This is silly. I shouldn't have to replace my hardware to support a
> >>>> feature I will not use...
> >>>>
> >>>> I shame Netgate for such an artificial limitation...
> >>>>
> >>>> Thank you for the information.
> >>>>
> >>>> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> >>>>> Well:
> >>>>>
> >>>>> https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
> >>>> talking
> >>>>> about 2.5 not 3.x ?
> >>>>>
> >>>>> "While we’re not revealing the extent of our plans, we do want to
> give
> >>>>> early notice that,

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
> for AES-CBC-128 HMAC-SHA1 and 4.65 gbps for AES-GCM-128 ICV16.
>
> Net-net, it’s probably faster than that, since we’re obviously hitting the
> Amazon-imposed bandwidth limit.  Between a pair of i7-6950s (so Broadwell
> cores) we see 13.7 gbps (single-stream) AES-GCM-128 and 7.42 gbps
> AES-GCM-128 + HMAC-SHA1 (again, single-stream).  Adding our CPIC QAT card
> gets us to 32.68/32.73 gbps respectively.
>
> > I cannot counter the attack possibility, but I would like to ask: is
> this unsolvable without hardware acceleration?
>
> It has a lot to do with what one might consider “acceptable” performance
> of the web gui.
>
> >
> >> I side with Mr. Parker here.  How long does a project have to wait
> before demanding certain features for future revisions, assuming it gives
> adequate warning to the existing and future users of that project?  I’ll
> note that you didn’t answer his question.
> >
> > I never answered the question because I did not think the answer or the
> > question was relevant. Until today, it was my understanding that AES-NI
> > was simply to improve throughput of applications utilizing AES. I had
> > previously not been presented with anything to indicate that it helps
> > with any security issues such as the timing attacks discussed here.
>
> OK, but I did point these out in the blog posts of last May.  Quoting:
>
> "With AES you either design, test, and verify a bitslice software
> implementation, (giving up a lot of performance in the process), leverage
> hardware offloads, or leave the resulting system open to several known
> attacks. We have selected the “leverage hardware offloads” path. The other
> two options are either unthinkable, or involve a lot of effort for
> diminishing returns.”
>
> I’ve listed the performance of the various implementations in OpenSSL
> above.
>
> > However, to address the question in some way, I do agree that features
> > like this should be taken advantage of as much as possible. However,
> > unlike other advances such as x86 to x86_64, AES-NI does not create any
> > new functionality that did not already exist. Until the security
> > benefits have been presented, I did not see any use case where AES-NI
> > would be necessary over the software implementation.
> >
> > I would like to point out that AES-NI is not "in everything" since 2008
> > as previously indicated. While I understand these may not fall under the
> > "all major x64 processors" category, Intel has launched CPUs without
> > AES-NI within the past couple of years.
>
> It’s true that not everything Intel and AMD have released in the last
> decade has AES-NI.
>
> >
> > See:
> > https://ark.intel.com/Search/FeatureFilter?productType=processors&AESTech=false&BornOnDate=Q4%2716
> >
> >> And, finally, Mr. Volotinen called it exactly.   We announced this in
> >> May last year, so that those buying hardware in the now would know about
> >> the future requirements.  Anyone buying hardware now can make an informed
> >> decision as to if they want to buy or otherwise obtain a platform for
> >> pfSense that supports AES-NI, or not.  Either will work as long as they are
> >> running a 2.4.x release of pfSense, and, as above, 2.4 has a plan that
> >> includes support until, at least, 2020.
> >
> > This is acceptable. It just also just sucks, and I understand it must be
> > faced.
> >
> > This is, however, beyond just replacing some networking equipment, as I
> > have to replace my primary VM host due to CPU replacements supporting
> > AES-NI not existing. Before knowing that the AES-NI requirement was to
> > address the timing attack, I felt as if I have to pay for new hardware
> > due to Netgate not "wanting" non-AES-NI AES implementations being
> > utilized. Until this, I have not exactly had software support issues
> > with even this aging hardware.
>
> Nor do you now.  It’s only (at least) a year after the release of 2.5 that
> we’ll stop supporting 2.4, and then it’s a matter of when a security issue
> or other bug that is important enough to you switch gets addressed in 2.5
> but not in 2.4 might occur (gosh that’s an awful sentence, Jim).
>
> > I understand that a lot of people are effectively threatening to switch
> > to OpnSense due to this, but I fear that I will *have to* if I can't
> > replace my hardware by the time support for software AES ends entirely.
>
> People should run what suits their purpose best.  Perhaps someone else
> will fork pfSense and continue the 2.4 train on a different track.  That’s
> the beauty of open source software.
>
>
> > See:
> > 

[pfSense] ZFS on 2.4.2

2018-02-21 Thread Walter Parker
Hi,

I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just bought
a 6TB powered USB drive from Costco and it works great (the drive has its
own power supply and a USB hub). I want to use it to take ZFS backups from my
home server.

I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on boot
and created a pool and a file system. That worked, but the memory ran low
so I restricted the ARC cache to 1G to keep a bit more memory free and
rebooted. When the system rebooted it did not remount the pool (and
therefore the file system) because the pool was marked as in use by
another system (itself). That means that the pool was not properly
exported/unmounted at shutdown.

Taking a quick look at rc.shutdown, I notice that it calls a customized
pfSense shutdown script at the beginning and then exits. Is there a good
place in the configuration where I can put/call the proper zfs shutdown
script so that the pool is properly stopped/exported so that it imports
correctly on boot?


Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
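Walter's question is not answered anywhere in the thread. As an added example (my own, not code from the list or from the pfSense project), a boot/shutdown hook that exports the pool at shutdown and, at boot, only force-imports when the hostid recorded in the pool is this box's own; the pool name "backup", the log path, the exact wording of the zpool error text, the use of kern.hostid, and the assumption that pfSense can be made to call the script with "stop" at shutdown are all assumptions to verify on your release.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense project: export the
# backup pool cleanly at shutdown so the next boot does not refuse the import
# as "in use by another system"; at boot, force the import only when the pool's
# recorded hostid is this host's own (unclean local shutdown), never when another
# machine may really hold the disk. Assumptions: pool "backup" (placeholder), the
# log path, and that pfSense can be made to call this with "stop" at shutdown.
POOL="${POOL:-backup}"
ZPOOL="${ZPOOL:-/sbin/zpool}"
LOG="${LOG:-/var/log/zfs-hook.log}"
log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOG"; }

# Return 0 when a `zpool import` error says another host holds the pool.
# The wording differs between ZFS releases, so two known phrasings are matched.
pool_held_by_other_host() {
    printf '%s\n' "$1" | grep -Eq \
        'in use from (an)?other system|last accessed by another system'
}

# Pull the "hostid: 0x..." value out of such an error; empty if absent.
held_hostid() {
    printf '%s\n' "$1" | sed -n 's/.*hostid: \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# This host's id in the same 0x... form (assumed: FreeBSD's kern.hostid, which ZFS records).
local_hostid() { printf '0x%x' "$(sysctl -n kern.hostid)"; }

pool_stop() {
    # A clean export clears the active-host marker, so the next import is routine.
    "$ZPOOL" export "$POOL" && log "exported $POOL" || log "export of $POOL failed"
}

pool_start() {
    err=$("$ZPOOL" import "$POOL" 2>&1) && { log "imported $POOL"; return 0; }
    if pool_held_by_other_host "$err" && [ "$(held_hostid "$err")" = "$(local_hostid)" ]; then
        "$ZPOOL" import -f "$POOL" && log "force-imported $POOL after unclean shutdown"
        return
    fi
    log "refusing to import $POOL: $err"
    return 1
}

if [ $# -gt 0 ]; then
    case "$1" in
        start) pool_start ;;
        stop)  pool_stop ;;
        *)     echo "usage: $0 start|stop" >&2 ;;
    esac
fi
```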


Re: [pfSense] ZFS on 2.4.2

2018-02-28 Thread Walter Parker
Forgot to CC the list.

On Wed, Feb 28, 2018 at 10:13 PM, Walter Parker  wrote:

> Thank you for the backup script.
>
> By my calculations, 2G should be enough. If I limit the ARC cache to 1G,
> that leaves 1G for applications & kernel memory. As I'm not serving the 6TB
> drive up as a file server, but using it for one specific task (to receive
> the backups from one host) I figure that I don't need lots of memory. ZFS
> as a quick file server or busy server needs lots of memory to be quick.
> I've seen testing showing ZFS doing fast file copies on as little as 768M
> total system memory after proper memory tuning.
>
> I need ZFS because it is the only file system that can receive incremental
> ZFS snapshots and apply them. I have not set up the ZFS backup software yet,
> so I'm just using rsnapshot. The first time it ran, it filled all 1G of the
> cache. I rebooted the firewall afterwards and now ZFS sits at 60-100M of usage
> (the amount of data that rsync updates on a daily basis is pretty small).
> Right now, the data from the other server is ~8.8G, compressed to 1.7G with
> lz4.
>
> When I get the full backup running, it will be ~1.5TB in size. ZFS
> snapshots should be pretty small and quick (as it can send just the data
> that was updated without having to walk the entire filesystem). An rsync
> backup would have to walk the whole system to find all of the changes. Most
> of the data on the system doesn't change (as it is a media library).
>
> I'll post back more results if people are interested, after I get the
> backup software working (I'm thinking about using znapzend).
>
>
> Walter
>
>
>
> On Wed, Feb 28, 2018 at 8:54 PM, ED Fochler 
> wrote:
>
>> I feel like I'm late in responding to this, but I have to say that 2GB of
>> RAM doesn't seem like nearly enough for a 6TB zfs volume.  ZFS is great in
>> a lot of ways, but is a RAM consuming monster.  For something RAM limited
>> like the 2220 I'd use a different, simpler file format.  Then I'd use rsync
>> based snapshots.
>>
>> Here's my personal backup script.  :-)  I haven't tried it FROM pfsense,
>> but I've used it to back up pfsense.
>>
>> ED.
>>
>>
>>
>>
>>
>> > On 2018, Feb 21, at 12:23 PM, Walter Parker  wrote:
>> >
>> > Hi,
>> >
>> > I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just
>> > bought a 6TB powered USB drive from Costco and it works great (the drive
>> > has its own power supply and a USB hub). I want to use it to take ZFS
>> > backups from my home server.
>> >
>> > I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on
>> > boot and created a pool and a file system. That worked, but the memory
>> > ran low so I restricted the ARC cache to 1G to keep a bit more memory
>> > free and rebooted. When the system rebooted it did not remount the pool
>> > (and therefore the file system) because the pool was marked as in use by
>> > another system (itself). That means that the pool was not properly
>> > exported/unmounted at shutdown.
>> >
>> > Taking a quick look at rc.shutdown, I notice that it calls a customized
>> > pfSense shutdown script at the beginning and then exits. Is there a good
>> > place in the configuration where I can put/call the proper zfs shutdown
>> > script so that the pool is properly stopped/exported so that it imports
>> > correctly on boot?
>> >
>> >
>> > Walter
>> >
>>
>>
>>
>
>
>





Re: [pfSense] ZFS on 2.4.2

2018-03-06 Thread Walter Parker
On Mon, Mar 5, 2018 at 6:38 PM, Curtis Maurand  wrote:

> ZFS is a memory hog.   you need 1 GB of RAM for each TB of disk.


Curtis, can you provide some more details? I have been testing this for the
last couple of weeks and ZFS doesn't require 1G for each TB to function
(which is the standard meaning of need).
From my direct testing and experience, 1G per TB is a rule of thumb for
suggested memory sizing on general purpose servers. Do you have specific
information that violating this rule of thumb will cause functional issues?

To be more blunt, was this a case of drive-by nerd sniping or do you know
something that will cause my specific use case to fail at some point in the
future?


Walter



> On 3/1/2018 1:49 AM, Walter Parker wrote:
>
>> Forgot to CC the list.
>>
>> On Wed, Feb 28, 2018 at 10:13 PM, Walter Parker 
>> wrote:
>>
>>> Thank you for the backup script.
>>>
>>> By my calculations, 2G should be enough. If I limit the ARC cache to 1G,
>>> that leaves 1G for applications & kernel memory. As I'm not serving the
>>> 6TB drive up as a file server, but using it for one specific task (to
>>> receive the backups from one host) I figure that I don't need lots of
>>> memory. ZFS as a quick file server or busy server needs lots of memory to
>>> be quick. I've seen testing showing ZFS doing fast file copies on as
>>> little as 768M total system memory after proper memory tuning.
>>>
>>> I need ZFS because it is the only file system that can receive
>>> incremental ZFS snapshots and apply them. I have not set up the ZFS
>>> backup software yet, so I'm just using rsnapshot. The first time it ran,
>>> it filled all 1G of the cache. I rebooted the firewall afterwards and now
>>> ZFS sits at 60-100M of usage (the amount of data that rsync updates on a
>>> daily basis is pretty small). Right now, the data from the other server
>>> is ~8.8G, compressed to 1.7G with lz4.
>>>
>>> When I get the full backup running, it will be ~1.5TB in size. ZFS
>>> snapshots should be pretty small and quick (as it can send just the data
>>> that was updated without having to walk the entire filesystem). An rsync
>>> backup would have to walk the whole system to find all of the changes.
>>> Most of the data on the system doesn't change (as it is a media library).
>>>
>>> I'll post back more results if people are interested, after I get the
>>> backup software working (I'm thinking about using ZapZend).
>>>
>>>
>>> Walter
>>>
>>>
>>>
>>> On Wed, Feb 28, 2018 at 8:54 PM, ED Fochler 
>>> wrote:
>>>
>>>> I feel like I'm late in responding to this, but I have to say that 2GB of
>>>> RAM doesn't seem like nearly enough for a 6TB zfs volume.  ZFS is great
>>>> in a lot of ways, but is a RAM consuming monster.  For something RAM
>>>> limited like the 2220 I'd use a different, simpler file format.  Then I'd
>>>> use rsync based snapshots.
>>>>
>>>> Here's my personal backup script.  :-)  I haven't tried it FROM pfsense,
>>>> but I've used it to back up pfsense.
>>>>
>>>>  ED.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> On 2018, Feb 21, at 12:23 PM, Walter Parker  wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just
>>>>> bought a 6TB powered USB drive from Costco and it works great (the drive
>>>>> has its own power supply and a USB hub). I want to use it to take ZFS
>>>>> backups from my home server.
>>>>>
>>>>> I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on
>>>>> boot and created a pool and a file system. That worked, but the memory
>>>>> ran low so I restricted the ARC cache to 1G to keep a bit more memory
>>>>> free and rebooted. When the system rebooted it did not remount the pool
>>>>> (and therefore the file system) because the pool was marked as in use by