[pfSense] order of firewall rules
I had my firewall rules ordered from top to bottom with the ACCEPTED aliases at the top.
Yesterday I noted that some accepted IP addresses were being blocked.
Went to the admin GUI and noted in the Firewall Rules display that the accepted aliases had moved to the bottom.
How would that happen?

TIA
--
Gerald
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] webConfigurator authentication error
password pfsense

On 08/27/2014 08:11 AM, Morten Christensen wrote:
> I try to setup pfSence for the first time. It is running on a XenServer 6.2, but I don't suspect that to be the problem.
>
> I have never succeeded to log in to the web interface. Every time I try with username admin and password pfsence, there is a message like this on the console:
>
> Message from syslogd@pfSence at Aug 27 12:26:56 ...
> pfSence php: /index.php: webConfigurator authentification error for 'admin' from 172.17.1.110
>
> I have tried with 2 installs of 2.1.4 and one of 2.2 and reset webConfigurator password several times.
>
> From console I can go to Shell and change password for root and admin and after that log in with ssh. But that is not giving me GUI-access.
>
> Any help ?
> --
> Morten Christensen

--
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428
Re: [pfSense] Firebox-X20e
On 01/03/2014 07:41 AM, Anastasios Stefos wrote:
> Perhaps this could be a starting point
> https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox
>
> https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Supported_Fireboxes specifically
>
> ---
> Anastasios Stefos
>
> On Fri, Jan 3, 2014 at 8:30 AM, Doug Lytle supp...@drdos.info wrote:
> > I'm looking into replacing my mother's IPTables firewall with pfsense, and am looking into small devices I could do this on.
> >
> > I've found the above device, but am finding very little info on its specs.
> >
> > eBay unit I've found:
> > http://www.ebay.com/itm/WatchGuard-Firebox-X20e-Edge-Model-XP2E6-VPN-Firewall-with-Power-Supply-Used/191018310488?_trksid=p2047675.m1850_trkparms=aid%3D222002%26algo%3DSIC.FIT%26ao%3D1%26asc%3D11%26meid%3D3855543207045666091%26pid%3D100011%26prg%3D1005%26rk%3D2%26rkt%3D5%26sd%3D141119694255%26
> >
> > Has anybody used one of these for pfsense, or does anybody have suggestions of a small profile device that's under $100USD that would be a good fit?
> >
> > Thanks!
> > Doug
> >
> > --
> > Ben Franklin quote:
> > Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.

--
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428
Re: [pfSense] pfSense and Cable Modem Throughput
On 09/12/2013 02:34 PM, Adam Piasecki wrote:
> It sounds like my issue, I'll have to get the cable provider to change the settings as they won't allow me access into the modem. This is a Motorola SB6580G in bridge mode.

Best to get your own cable modem.
We had trouble with Comcast modem setup, purchased our own modem, and all is well.
Plus no modem monthly lease fee.

Gerald
Re: [pfSense] filterdns: host_dns: failed looking up blocked: hostname nor servname provided, or not known
On 07/21/2013 03:44 PM, Gerald Waugh wrote:
> I see this error in the system log
> filterdns: host_dns: failed looking up blocked: hostname nor servname provided, or not known
>
> I have checked rules and aliases, but see nothing wrong.
> Is there someplace else to look?
>
> TIA

Bump;
Same Rules running on version 2.0.1-RELEASE run just fine, but get the error on 2.0.2-RELEASE

    <alias>
      <name>Blocked</name>
      <address>ip-address-1 ip-address-n</address>
      <descr><![CDATA[ Blocked IPs + Networks ]]></descr>
      <type>network</type>
      <detail><![CDATA[ comment-1 comment-n ]]></detail>
    </alias>

    <rule>
      <id/>
      <type>block</type>
      <interface>wan</interface>
      <tag/>
      <tagged/>
      <max/>
      <max-src-nodes/>
      <max-src-conn/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source>
        <address>Blocked</address>
      </source>
      <destination>
        <any/>
      </destination>
      <log/>
      <descr><![CDATA[ Access Blocked ]]></descr>
    </rule>

--
Gerald
[pfSense] Microsoft Outlook Blocked
I have searched the archives, and googled it, but have not found a solution.

Firewall is working great except MS Outlook is being blocked; all other email clients work OK.
filter.log does not give a clue; no blocking shown for the Outlook users IP.

Sendmail/Dovecot Server maillog:
Disconnected: Inactivity (no auth attempts):

pfctl -d from cli allows MS Outlook to work OK
pfctl -e from cli stops Outlook

cleared ports to '*' any
TCP/UDP * * * * * none Internet to servers

--
Gerald
Re: [pfSense] Microsoft Outlook Blocked
On 03/17/2013 02:14 PM, Chris Bagnall wrote:
> On 17/3/13 6:38 pm, Gerald Waugh wrote:
> > thanks for the response, I have ports set for '*' any
> > I moved this rule to the top of the rules list
> > TCP/UDP * * * * * none Internet to servers
>
> Out of curiosity, have you tried protocol = * rather than just TCP/UDP? Just an outside chance that your mail configuration is verifying the existence of the target server using ICMP first before connecting - it would be an unusual requirement to say the least, but there's no harm giving it a try...
>
> Would also be curious to know if this problem is happening when connecting to *any* mail server from Outlook, or whether it's connecting to a specific server.

thanks for the reply, at your suggestion tried '* any for protocol. no help
I did have a rule to pass icmp
I deleted all rules other than the pass rule for '*' any.
Still Outlook does not work, but thunderbird does work
if I disable rules with 'pfctl -d' Outlook works fine.
so makes me think the email server is OK.

with firewall enabled: maillog reads
dovecot: pop3-login: Disconnected (no auth attempts): rip lip
doesn't give a user name?

with firewall disabled: maillog reads
dovecot: pop3-login: Login: user=user, method=PLAIN, rip, lip, mpid
Re: [pfSense] Microsoft Outlook Blocked
On 03/17/2013 04:47 PM, Ermal Luçi wrote:
> On Sun, Mar 17, 2013 at 8:57 PM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
> > On 03/17/2013 02:14 PM, Chris Bagnall wrote:
> > > On 17/3/13 6:38 pm, Gerald Waugh wrote:
> > > > thanks for the response, I have ports set for '*' any
> > > > I moved this rule to the top of the rules list
> > > > TCP/UDP * * * * * none Internet to servers
> > >
> > > Out of curiosity, have you tried protocol = * rather than just TCP/UDP? Just an outside chance that your mail configuration is verifying the existence of the target server using ICMP first before connecting - it would be an unusual requirement to say the least, but there's no harm giving it a try...
> > >
> > > Would also be curious to know if this problem is happening when connecting to *any* mail server from Outlook, or whether it's connecting to a specific server.
> >
> > thanks for the reply, at your suggestion tried '* any for protocol. no help
> > I did have a rule to pass icmp
> > I deleted all rules other than the pass rule for '*' any.
> > Still Outlook does not work, but thunderbird does work
> > if I disable rules with 'pfctl -d' Outlook works fine.
> > so makes me think the email server is OK.
> >
> > with firewall enabled: maillog reads
> > dovecot: pop3-login: Disconnected (no auth attempts): rip lip
> > doesn't give a user name?
> >
> > with firewall disabled: maillog reads
> > dovecot: pop3-login: Login: user=user, method=PLAIN, rip, lip, mpid
>
> Try enabling on the rule to allow ip options.
> It might be that the packets are being dropped due to having ip options in them.

where do I set allow ip options?

> Also enabling logging and seeing the reason of the drop would be helpful.

and where do I do this?
Re: [pfSense] Microsoft Outlook Blocked
On 03/17/2013 05:36 PM, Chris Buechler wrote:
> On Sun, Mar 17, 2013 at 4:47 PM, Ermal Luçi e...@pfsense.org wrote:
> > Try enabling on the rule to allow ip options.
> > It might be that the packets are being dropped due to having ip options in them.
>
> Outlook shouldn't be using IP options, we'd have had a flood of problem reports if that were the case with any degree of consistency.
>
> Without having a packet capture it's hard to say. My guess based on the description is the machine with Outlook has a network misconfiguration of sorts where its traffic isn't hitting the firewall

Thanks for the response.
It is several Outlook IPs that will not work correctly.
the outlook client connects but does not complete and error on server is no auth attempts

error on the client:
Task 'u...@domain.com - Receiving' reported error (0x8004210A) : 'The operation timed out waiting for a response from the receiving (POP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).'
Re: [pfSense] 2.0.1-RELEASE Not blocking
On 02/21/2013 12:06 PM, David Burgess wrote:
> On Thu, Feb 21, 2013 at 11:03 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
> > I must be missing something basic.
> > I have setup several pfSense systems, but my latest one is not blocking.
> > I have several firewall rules for the WAN port, and none are working.
> >
> > <stupid question>
> > Is there some basic thing that would stop all rules from working?
> > </stupid question>
>
> Check the Floating interface as well as Interface Groups. Rules on these virtual interfaces are processed before rules on simple interfaces and will thus override the latter if they are quick.
>
> db

thanks for the response
but floating rules are non existent and default is 'block'

No rules are currently defined for this interface
All incoming connections on this interface will be blocked until you add pass rules.

--
Gerald
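The evaluation order David Burgess describes in the message above, modelled as an added example (not code from pfSense or from anyone in this thread): a quick floating rule decides before the WAN tab is reached, while a non-quick floating match can still be replaced by a later WAN rule. `Rule`, `evaluate` and the 203.0.113.0/24 sample rules are constructed for illustration, and the interface group is assumed to contain the interface being tested.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    tab: str            # "floating", "group", or an interface name such as "wan"
    action: str         # "pass" or "block"
    src: str            # source network in CIDR form; "0.0.0.0/0" means any
    quick: bool = True  # interface-tab rules always behave as quick
    descr: str = ""

def evaluate(rules, iface, src_ip, default=("block", "default deny")):
    """Return (action, descr) for a packet from src_ip arriving on iface."""
    # Assumed processing order: floating, then interface group, then the
    # interface's own tab; within a tab, top to bottom (list order).
    order = {"floating": 0, "group": 1, iface: 2}
    applicable = sorted((r for r in rules if r.tab in order),
                        key=lambda r: order[r.tab])  # stable sort
    verdict = default
    for rule in applicable:
        if ip_address(src_ip) in ip_network(rule.src):
            verdict = (rule.action, rule.descr)
            if rule.quick:      # quick match: stop, this rule decides
                break
            # non-quick match: remembered, but a later match replaces it
    return verdict

# Constructed sample rules (documentation address ranges, not from the thread).
WAN_RULES = [
    Rule("wan", "block", "203.0.113.0/24", descr="Access Blocked"),
    Rule("wan", "pass", "0.0.0.0/0", descr="Internet to servers"),
]
FLOATING_QUICK = Rule("floating", "pass", "0.0.0.0/0", quick=True,
                      descr="floating pass, quick")
FLOATING_PLAIN = Rule("floating", "pass", "0.0.0.0/0", quick=False,
                      descr="floating pass, not quick")

if __name__ == "__main__":
    cases = [("WAN tab only", WAN_RULES),
             ("plus quick floating pass", WAN_RULES + [FLOATING_QUICK]),
             ("plus non-quick floating pass", WAN_RULES + [FLOATING_PLAIN]),
             ("no rules at all", [])]
    for label, ruleset in cases:
        print(f"{label}: {evaluate(ruleset, 'wan', '203.0.113.7')}")
```

Reversing the two WAN rules makes the pass rule match first, so the same model also shows why the position of a rule within a tab changes the outcome.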
Re: [pfSense] 1:1 NAT on pfSense 2.0.1
On 12/18/2012 10:06 AM, Marcio Merlone wrote:
> Greetings,
>
> I am trying to make a dead simple 1:1 NAT from one wan address to an internal server. I was assigned the x.x.x.152/29 address for my WAN from my ISP, and designated the ip x.x.x.154 for pfsense while x.x.x.153 is its gateway. I can use pfsense as gateway for internet just fine. Now I want to open my web server to the world.
>
> I first created a virtual IP x.x.x.155/29 on the WAN interface as an IP alias, then a 1:1 NAT pointing x.x.x.155 to 10.0.0.215, which is my web server and finally created a respective firewall rule on the wan interface allowing traffic from wan to 10.0.0.215 on port 80. The same as on http://www.youtube.com/watch?v=5lMRA1ntgz8
>
> Is that all? Have I missed something? With this setup x.x.x.155 opens up pfsense login screen and not my web server. Can anybody help me track what's wrong?

AFAIK there is no 1:1 NAT
We bridge WAN and OPT1 and the servers set on the OPT1 port
thus the servers have public IP addresses but are protected by the firewall
makes sort of a DMZ with office PCs setting on the LAN PORT

--
Gerald
Re: [pfSense] 1:1 NAT on pfSense 2.0.1
On 12/18/2012 11:56 AM, Marcio Merlone wrote:
> On 18-12-2012 15:39, Gerald Waugh wrote:
> > AFAIK there is no 1:1 NAT
>
> There is on 2.0.x. My first description of the problem was the correct setup, I may have missed something and it got working later.

Oh, I was thinking 1.2.x
What was your problem? Or what did you do to get it working?

--
Gerald