[pfSense] order of firewall rules

2014-09-24 Thread Gerald Waugh
I had my firewall rules ordered from top to bottom with the ACCEPTED
aliases at the top.
Yesterday I noted that some accepted IP addresses were being blocked.

Went to the admin GUI and noted in the Firewall Rules display that the
accepted aliases had moved to the bottom.
How would that happen?

TIA
-- 
Gerald
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] webConfigurator authentication error

2014-08-27 Thread Gerald Waugh

password pfsense

On 08/27/2014 08:11 AM, Morten Christensen wrote:
> I try to setup pfSence for the first time.
>
> It is running on a XenServer 6.2, but I don't suspect that to be the
> problem.
>
> I have never succeeded to log in to the web interface. Every time I
> try with username admin and password pfsence, there is a message like
> this on the console:
> Message from syslogd@pfSence at Aug 27 12:26:56 ...
> pfSence php: /index.php: webConfigurator authentification error for
> 'admin' from 172.17.1.110
>
> I have tried with 2 installs of 2.1.4 and one of 2.2 and reset
> webConfigurator password several times.
>
> From console I can go to Shell and change password for root and admin
> and after that log in with ssh. But that is not giving me GUI-access.
>
> Any help ?
>
> -- 
> Morten Christensen



-- 
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428


Re: [pfSense] Firebox-X20e

2014-01-03 Thread Gerald Waugh
On 01/03/2014 07:41 AM, Anastasios Stefos wrote:
> Perhaps this could be a starting point
> https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox
https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Supported_Fireboxes
specifically

> ---
> Anastasios Stefos
>
> On Fri, Jan 3, 2014 at 8:30 AM, Doug Lytle supp...@drdos.info wrote:
>
>> I'm looking into replacing my mother's IPTables firewall with
>> pfsense, and am looking into small devices I could do this on.
>>
>> I've found the above device, but am finding very little info on
>> its specs.
>>
>> eBay unit I've found:
>>
>> http://www.ebay.com/itm/WatchGuard-Firebox-X20e-Edge-Model-XP2E6-VPN-Firewall-with-Power-Supply-Used/191018310488?_trksid=p2047675.m1850_trkparms=aid%3D222002%26algo%3DSIC.FIT%26ao%3D1%26asc%3D11%26meid%3D3855543207045666091%26pid%3D100011%26prg%3D1005%26rk%3D2%26rkt%3D5%26sd%3D141119694255%26
>>
>> Has anybody used one of these for pfsense, or does anybody have
>> suggestions of a small profile device that's under $100USD that
>> would be a good fit?
>>
>> Thanks!
>>
>> Doug
>>
>> --
>> Ben Franklin quote:
>>
>> Those who would give up Essential Liberty to purchase a little
>> Temporary Safety, deserve neither Liberty nor Safety.


-- 
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428


Re: [pfSense] pfSense and Cable Modem Throughput

2013-09-12 Thread Gerald Waugh
On 09/12/2013 02:34 PM, Adam Piasecki wrote:
> It sounds like my issue, I'll have to get the cable provider to change
> the settings as they won't allow me access into the modem.
> This is a Motorola SB6580G in bridge mode.
Best to get your own cable modem.
We had trouble with Comcast modem setup, purchased our own modem, and
all is well. Plus no modem monthly lease fee.

Gerald


Re: [pfSense] filterdns: host_dns: failed looking up blocked: hostname nor servname provided, or not known

2013-07-28 Thread Gerald Waugh
On 07/21/2013 03:44 PM, Gerald Waugh wrote:
> I see this error in the system log
>
> *filterdns: host_dns: failed looking up blocked: hostname nor servname
> provided, or not known*
>
> I have checked rules and aliases, but see nothing wrong.
> Is there someplace else to look?
>
> TIA
Bump;

Same Rules running on version 2.0.1-RELEASE run just fine, but get the
error on 2.0.2-RELEASE

<alias>
    <name>Blocked</name>
    <address>
        ip-address-1 ip-address-n
    </address>
    <descr>
        <![CDATA[ Blocked IPs + Networks ]]>
    </descr>
    <type>network</type>
    <detail>
        <![CDATA[
        comment-1 comment-n
        ]]>
    </detail>
</alias>

<rule>
    <id/>
    <type>block</type>
    <interface>wan</interface>
    <tag/>
    <tagged/>
    <max/>
    <max-src-nodes/>
    <max-src-conn/>
    <max-src-states/>
    <statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source>
        <address>Blocked</address>
    </source>
    <destination>
        <any/>
    </destination>
    <log/>
    <descr>
        <![CDATA[ Access Blocked ]]>
    </descr>
</rule>
-- 
Gerald


[pfSense] Microsoft Outlook Blocked

2013-03-17 Thread Gerald Waugh

I have searched the archives, and googled it, but have not found a solution.
Firewall is working great except MS Outlook is being blocked; all other
email clients work OK.

filter.log does not give a clue. No blocking shown for the Outlook user's IP.

Sendmail/Dovecot Server maillog Disconnected: Inactivity (no auth attempts):

pfctl -d from cli allows MS Outlook to work OK
pfctl -e from cli stops Outlook

cleared ports to '*' any
TCP/UDP   *   *   *   *   *   none   Internet to servers



--
Gerald



Re: [pfSense] Microsoft Outlook Blocked

2013-03-17 Thread Gerald Waugh

On 03/17/2013 02:14 PM, Chris Bagnall wrote:

> On 17/3/13 6:38 pm, Gerald Waugh wrote:
>> thanks for the response, I have ports set for '*' any
>> I moved this rule to the top of the rules list
>> TCP/UDP * * * * * none Internet to servers
>
> Out of curiosity, have you tried protocol = * rather than just TCP/UDP?
>
> Just an outside chance that your mail configuration is verifying the
> existence of the target server using ICMP first before connecting - it
> would be an unusual requirement to say the least, but there's no harm
> giving it a try...
>
> Would also be curious to know if this problem is happening when
> connecting to *any* mail server from Outlook, or whether it's
> connecting to a specific server.

thanks for the reply, at your suggestion tried '*' any for protocol. no help
I did have a rule to pass icmp
I deleted all rules other than the pass rule for '*' any. Still Outlook
does not work, but Thunderbird does work
if I disable rules with 'pfctl -d' Outlook works fine. so makes me think
the email server is OK.

with firewall enabled: maillog reads dovecot: pop3-login: Disconnected
(no auth attempts): rip lip
doesn't give a user name?
with firewall disabled: maillog reads dovecot: pop3-login: Login:
user=user, method=PLAIN, rip, lip, mpid







Re: [pfSense] Microsoft Outlook Blocked

2013-03-17 Thread Gerald Waugh

On 03/17/2013 04:47 PM, Ermal Luçi wrote:




> On Sun, Mar 17, 2013 at 8:57 PM, Gerald Waugh
> gwa...@frontstreetnetworks.com wrote:
>
>> On 03/17/2013 02:14 PM, Chris Bagnall wrote:
>>> On 17/3/13 6:38 pm, Gerald Waugh wrote:
>>>> thanks for the response, I have ports set for '*' any
>>>> I moved this rule to the top of the rules list
>>>> TCP/UDP * * * * * none   Internet to servers
>>>
>>> Out of curiosity, have you tried protocol = * rather than just
>>> TCP/UDP?
>>>
>>> Just an outside chance that your mail configuration is
>>> verifying the existence of the target server using ICMP first
>>> before connecting - it would be an unusual requirement to say
>>> the least, but there's no harm giving it a try...
>>>
>>> Would also be curious to know if this problem is happening
>>> when connecting to *any* mail server from Outlook, or whether
>>> it's connecting to a specific server.
>>
>> thanks for the reply, at your suggestion tried '*' any for
>> protocol. no help
>> I did have a rule to pass icmp
>> I deleted all rules other than the pass rule for '*' any. Still
>> Outlook does not work, but Thunderbird does work
>> if I disable rules with 'pfctl -d' Outlook works fine. so makes me
>> think the email server is OK.
>>
>> with firewall enabled: maillog reads dovecot: pop3-login:
>> Disconnected (no auth attempts): rip lip
>> doesn't give a user name?
>> with firewall disabled: maillog reads dovecot: pop3-login: Login:
>> user=user, method=PLAIN, rip, lip, mpid
>
> Try enabling on the rule to allow ip options.
> It might be that the packets are being dropped due to having ip
> options in them.

where do I set allow ip options?

> Also enabling logging and seeing the reason of the drop would be helpful.

and where do I do this?



Re: [pfSense] Microsoft Outlook Blocked

2013-03-17 Thread Gerald Waugh

On 03/17/2013 05:36 PM, Chris Buechler wrote:

> On Sun, Mar 17, 2013 at 4:47 PM, Ermal Luçi e...@pfsense.org wrote:
>> Try enabling on the rule to allow ip options.
>> It might be that the packets are being dropped due to having ip options in
>> them.
>
> Outlook shouldn't be using IP options, we'd have had a flood of
> problem reports if that were the case with any degree of consistency.
>
> Without having a packet capture it's hard to say. My guess based on
> the description is the machine with Outlook has a network
> misconfiguration of sorts where its traffic isn't hitting the firewall

Thanks for the response.
It is several Outlook IPs that will not work correctly.
The Outlook client connects but does not complete and error on server is
no auth attempts

error on the client:
Task 'u...@domain.com - Receiving' reported error (0x8004210A) : 'The
operation timed out waiting for a response from the receiving (POP)
server. If you continue to receive this message, contact your server
administrator or Internet service provider (ISP).'




Re: [pfSense] 2.0.1-RELEASE Not blocking

2013-02-21 Thread Gerald Waugh

On 02/21/2013 12:06 PM, David Burgess wrote:

> On Thu, Feb 21, 2013 at 11:03 AM, Gerald Waugh
> gwa...@frontstreetnetworks.com wrote:
>
>> I must be missing something basic.
>> I have setup several pfSense systems, but my latest one is not blocking.
>> I have several firewall rules for the WAN port, and none are working.
>>
>> <stupid question>
>> Is there some basic thing that would stop all rules from working?
>> </stupid question>
>
> Check the Floating interface as well as Interface Groups. Rules on
> these virtual interfaces are processed before rules on simple
> interfaces and will thus override the latter if they are quick.
>
> db

thanks for the response but floating rules are non existent and default
is 'block'

 No rules are currently defined for this interface
 All incoming connections on this interface will be blocked until you add
 pass rules.



--
Gerald
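
The evaluation order David Burgess describes in the quoted reply above, as an added example that is not part of the original thread: a small model of how pf picks the deciding rule when Floating rules sit ahead of interface rules. The rule descriptions, addresses and the `evaluate` and `sample_rules` helpers are constructed for illustration, and the model covers only source network and destination port matching.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Order in which pfSense writes rule tabs into the pf ruleset.
TAB_ORDER = {"floating": 0, "group": 1, "interface": 2}

@dataclass
class Rule:
    tab: str              # "floating", "group" or "interface"
    action: str           # "pass" or "block"
    src: str              # source network in CIDR form
    dport: Optional[int]  # destination port, None = any
    quick: bool
    descr: str

def evaluate(rules, src, dport, default="block"):
    """Return (verdict, deciding rule) the way pf picks it: a matching quick
    rule ends the walk; otherwise the last matching rule decides."""
    verdict, winner = default, "default deny"
    for r in sorted(rules, key=lambda r: TAB_ORDER[r.tab]):  # stable sort
        if ip_address(src) not in ip_network(r.src):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        verdict, winner = r.action, r.descr
        if r.quick:
            break
    return verdict, winner

def sample_rules(floating_quick):
    # Constructed ruleset: addresses are from the documentation range.
    return [
        # Rules on an interface tab are always written as quick by pfSense.
        Rule("interface", "block", "203.0.113.0/24", None, True, "WAN: block list"),
        Rule("floating", "pass", "0.0.0.0/0", 110, floating_quick, "Floating: pass POP3"),
    ]

if __name__ == "__main__":
    for fq in (True, False):
        for port in (110, 25):
            print(fq, port, evaluate(sample_rules(fq), "203.0.113.7", port))
```

With the Floating rule marked quick, the blocked source reaches port 110 even though the WAN tab blocks it; without quick, the WAN block decides.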


Re: [pfSense] 1:1 NAT on pfSense 2.0.1

2012-12-18 Thread Gerald Waugh

On 12/18/2012 10:06 AM, Marcio Merlone wrote:

> Greetings,
>
> I am trying to make a dead simple 1:1 NAT from one wan address to an
> internal server. I was assigned the x.x.x.152/29 address for my WAN
> from my ISP, and designated the ip x.x.x.154 for pfsense while
> x.x.x.153 is its gateway. I can use pfsense as gateway for internet
> just fine. Now I want to open my web server to the world. I first
> created a virtual IP x.x.x.155/29 on the WAN interface as an IP alias,
> then a 1:1 NAT pointing x.x.x.155 to 10.0.0.215, which is my web
> server and finally created a respective firewall rule on the wan
> interface allowing traffic from wan to 10.0.0.215 on port 80. The same
> as on http://www.youtube.com/watch?v=5lMRA1ntgz8
>
> Is that all? Have I missed something? With this setup x.x.x.155 opens
> up pfsense login screen and not my web server. Can anybody help me
> track what's wrong?




AFAIK there is no 1:1 NAT
We bridge WAN and OPT1 and the servers set on the OPT1 port
thus the servers have public IP addresses but are protected by the firewall
makes sort of a DMZ
with office PCs setting on the LAN PORT

--
Gerald


Re: [pfSense] 1:1 NAT on pfSense 2.0.1

2012-12-18 Thread Gerald Waugh

On 12/18/2012 11:56 AM, Marcio Merlone wrote:

> On 18-12-2012 15:39, Gerald Waugh wrote:
>> AFAIK there is no 1:1 NAT
>
> There is on 2.0.x.
>
> My first description of the problem was the correct setup, I may have
> missed something and it got working later.



Oh, I was thinking 1.2.x
What was your problem? Or what did you do to get it working?


--
Gerald