Re: [pfSense] pfSense and SIP
On 09-01-2018 15:49, Roberto Carna wrote:
> Special thanks to both of you...
>
> With ANY I mean "all TCP and UDP ports".
>
> Maybe when the remote peer sends to my PBX the SIP packet with the SIP Options, the response from the PBX is a SIP packet defined as ESTABLISHED traffic, and this ESTABLISHED feature is not working or not defined in pfSense firewall rules??? Because the SIP response packet from PBX to the remote peer is not new traffic, it is established traffic.

Well, certainly being able to run a packet capture on the PBX will aid your troubleshooting, at least to see if _any_ packets are being received by the SIP peer...

You need to ensure that you _don't_ have the siproxd package installed, as this can interfere with your non-NAT set up.

> Thanks a lot again, regards!!!
>
> 2018-01-09 12:17 GMT-03:00 Giles Coochey:
>> On 09/01/2018 14:34, Roberto Carna wrote:
>>> Dear,
>>>
>>> I have an Asterisk PBX in a DMZ behind a pfSense and a remote peer out of the pfSense. I connect PBX and Peer in order to establish a SIP trunk. In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.
>>>
>>> So we have generated two firewall rules:
>>>
>>> PBX --> SIP Peer with ANY
>>> SIP Peer --> PBX with ANY
>>
>> When you say any, it is a bit unclear: Protocol any? Or TCP any, UDP any? Could you elaborate on the exact rules you have set up?
>>
>>> But often the SIP packets coming from the SIP Peer don't cross the pfSense to the PBX. The packets never reach my PBX.
>>>
>>> Is there any feature I have to enable/disable in pfSense in order to work with the SIP protocol and have the SIP trunk established???
>>>
>>> The SIP trunk provider tells me that the SIP Options they send me are not responded to by us.
>>>
>>> Thanks a lot,
>>>
>>> ROBERT

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold!
https://pfsense.org/gold
Re: [pfSense] pfSense and SIP
On 09/01/2018 14:34, Roberto Carna wrote:
> Dear,
>
> I have an Asterisk PBX in a DMZ behind a pfSense and a remote peer out of the pfSense. I connect PBX and Peer in order to establish a SIP trunk. In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.
>
> So we have generated two firewall rules:
>
> PBX --> SIP Peer with ANY
> SIP Peer --> PBX with ANY

When you say any, it is a bit unclear: Protocol any? Or TCP any, UDP any? Could you elaborate on the exact rules you have set up?

> But often the SIP packets coming from the SIP Peer don't cross the pfSense to the PBX. The packets never reach my PBX.
>
> Is there any feature I have to enable/disable in pfSense in order to work with the SIP protocol and have the SIP trunk established???
>
> The SIP trunk provider tells me that the SIP Options they send me are not responded to by us.
>
> Thanks a lot,
>
> ROBERT
Re: [pfSense] pfsense 2.2 (i386) - Soekris 6501-70 - Crashing once a day or so
On 29/01/2015 12:47, Giles Coochey wrote:
> I was running pfsense 2.1.5 (i386) on my Soekris 6501-70 with an mSata disk drive without any problems. I recently upgraded to pfsense 2.2 (i386) and it appears to be crashing once a day or so.
>
> Now that I've disabled read-only /var & /tmp it reports upon logging in whether I want to send the crash dumps to the developers - for which I'm saying 'yes'.
>
> Apart from that, I'm at a loss as to what the problem is. I can't read the crashdump lingo, but I wonder if these crash dumps are being received, and whether anyone else is experiencing an issue with Soekris 6501 hardware and pfsense 2.2 (i386)?

Well... no response to the mailing lists, one offline response effectively telling me that 2.2 is no good.

My Soekris eventually crashed and did not manage to boot up again, so I'm going to revert to 2.1.5. I have tried installing 2.2 i386 onto my mSata drive, but it doesn't even POST after the image is put to the mSata drive, so I can only assume that 2.2 doesn't support the Soekris 6501 hardware, or at least the mSATA ports.
[pfSense] pfsense 2.2 (i386) - Soekris 6501-70 - Crashing once a day or so
I was running pfsense 2.1.5 (i386) on my Soekris 6501-70 with an mSata disk drive without any problems. I recently upgraded to pfsense 2.2 (i386) and it appears to be crashing once a day or so.

Now that I've disabled read-only /var & /tmp it reports upon logging in whether I want to send the crash dumps to the developers - for which I'm saying 'yes'.

Apart from that, I'm at a loss as to what the problem is. I can't read the crashdump lingo, but I wonder if these crash dumps are being received, and whether anyone else is experiencing an issue with Soekris 6501 hardware and pfsense 2.2 (i386)?

-- 
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] NetFlow analysis tools
On 15/01/2015 18:37, Kurt Buff wrote:
> On Thu, Jan 15, 2015 at 8:08 AM, b...@todoo.biz wrote:
>> Hello,
>>
>> I would like to know which flow-tools you are using in conjunction with pfflowd / netflow. I am particularly interested in a GUI back-end.
>>
>> If you have any good pointer, that would really be helpful.

I'm using NFSEN: http://nfsen.sourceforge.net/

-- 
Regards, Giles Coochey
Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN
On 10/12/2014 06:36, Chris L wrote:
> On Dec 9, 2014, at 8:53 PM, Karl Fife wrote:
>> In the wild, I'm seeing an increasing number of crappy consumer/ISP routers with subnets that conflict with ours (10../8). Comcast appears to be a common offender, curiously allocating the largest private subnet to their smallest customers. Of course this breaks VPN due to address ambiguity/conflicts.
>
> That's actually your fault for using 10/8, not Comcast's.
>
> http://tools.ietf.org/html/rfc6598

Even if they were to use something like 10.58.223.0/24 they'd still conflict with your 10/8.

-- 
Regards, Giles Coochey

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfsense crash dump
On 13/10/2014 17:09, Aaron C. de Bruyn wrote:
> To me, it looks like a disk issue:
>
> mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium error on PD 02(e0x20/s2) at 1692f3e4
> mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00 00, Sense: 1/00/00
>
> You might want to download something like "The Ultimate Boot CD" and use the manufacturer's test tools on your drive.

I've seen these "Unexpected sense" errors on LSI controllers and Seagate SAS drives - it always turned out to be an impending drive failure (the drive completely fails within a week or so).

I would work to get Physical Disk #2 replaced - if under warranty you might be able to get a replacement shipped now, on the basis of the error message.

-- 
Regards, Giles Coochey
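The two mfi0 lines above are the kind of event a monitoring pipeline should pick out before the drive dies. The following is an added example, not code from the thread: it parses the mfi(4) event format shown in the post, extracts the physical-disk slot, and flags disks with "Unexpected sense" or "corrected medium error" events. The sample log is constructed from the two quoted lines plus two fabricated events; the threshold and pattern list are assumptions, not anything the poster stated.

```python
import re
from collections import defaultdict

# Constructed sample: the two real lines quoted in the thread plus two
# fabricated events (one benign, one for a different disk) for contrast.
SAMPLE_LOG = """\
mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium error on PD 02(e0x20/s2) at 1692f3e4
mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00 00, Sense: 1/00/00
mfi0: 35356 (465709300s/0x0002/info) - Patrol Read complete
mfi0: 35357 (465709400s/0x0002/info) - Unexpected sense: PD 00(e0x20/s0) Path 539358c92144, CDB: 2f 00 00 00 00 10 00 10 00 00, Sense: 1/00/00
"""

# "<ctrl>: <seq> (<seconds>s/<code>/<level>) - <message>"
EVENT_RE = re.compile(
    r"^(?P<ctrl>mfi\d+): (?P<seq>\d+) \((?P<ts>\d+)s/0x[0-9a-f]+/(?P<level>\w+)\) - (?P<msg>.*)$"
)
# "PD 02(e0x20/s2)" -> physical disk 02, enclosure 0x20, slot 2
PD_RE = re.compile(r"PD (?P<pd>\d+)\(e0x(?P<encl>[0-9a-f]+)/s(?P<slot>\d+)\)")

# Message fragments that, per the thread, have preceded drive failures (assumed list).
SUSPECT_PATTERNS = ("Unexpected sense", "corrected medium error")


def parse_events(text):
    """Parse mfi event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["seq"] = int(ev["seq"])
        ev["ts"] = int(ev["ts"])
        pd = PD_RE.search(ev["msg"])
        ev["pd"] = pd.group("pd") if pd else None
        ev["slot"] = int(pd.group("slot")) if pd else None
        events.append(ev)
    return events


def suspect_disks(events, threshold=1):
    """Return {pd: [messages]} for physical disks with >= threshold suspect events."""
    hits = defaultdict(list)
    for ev in events:
        if ev["pd"] is None:
            continue
        if any(p in ev["msg"] for p in SUSPECT_PATTERNS):
            hits[ev["pd"]].append(ev["msg"])
    return {pd: msgs for pd, msgs in hits.items() if len(msgs) >= threshold}


if __name__ == "__main__":
    for pd, msgs in sorted(suspect_disks(parse_events(SAMPLE_LOG)).items()):
        print(f"PD {pd}: {len(msgs)} suspect event(s)")
        for msg in msgs:
            print("   ", msg)
```

Raising `threshold` to 2 reports only disks with repeated trouble, which matches the thread's point that PD 02 (two events in quick succession) is the one to pull; a single event on another slot is worth watching but not yet an RMA.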
Re: [pfSense] States Issue with Asterisk behind pfSense
On 26/09/2014 12:42, Hannes Werner wrote:
> Are you saying that people with a dynamic IP shouldn't use pfSense behind an Asterisk service? I've had Asterisk running behind a Fritz-Box for years without any trouble. I've seen the cheapest routers being able to handle this, like the Speedports. I can't believe pfSense is unable to do this, but it doesn't matter; a clear word would solve the problem for all time and you would not have to worry again about this issue. Maybe you guys would do better telling those users to change their router?

It's not my place, either, to pass comment on what free software you should decide to use; I am also none other than a happy end user (with a PPPoE service on at least one of my pfsense boxes, but with a static IP).

Doesn't ensuring that you have Gateway monitoring enabled, and then ensuring that you have, under System --> Advanced --> Miscellaneous --> "State Killing on Gateway Failure" enabled, provide a workaround resolution for you?

I'm referring to https://redmine.pfsense.org/issues/3181 which is referenced from #1629.

Also it's clear that bug #1629 is pushed out to 2.2, although the latest comment is for it to be addressed, or to push it out to 2.3. It's probably not good news for you, but it looks like there is a schedule for it to be fixed, just not very quickly.

Do bear in mind that the original PPP software was designed for opportunistic on-demand dial-up connections, and isn't perfectly suited to running server-side applications on the client end. PPPoE & PPPoA built on this, I guess, to allow ISPs to continue to use their RADIUS infrastructure for customer authentication as they moved to broadband / cable based connections.

-- 
Regards, Giles Coochey
Re: [pfSense] States Issue with Asterisk behind pfSense
On 26/09/2014 11:58, Chris Bagnall wrote:
> Worth mentioning here that many of us are using Asterisk behind pfSense without any issue at all. The triggers for this issue seem to be, specifically:
>
> - PPPoE WAN interface
> - dynamic WAN IP
> - SIP service provider
>
> We (one of my $dayjobs is a VoIP service provider) have dozens of clients using Asterisk with PPPoE WAN without any problem, but they're all using static WAN IPs provided by the ISP(s) in question.

I can think of many reasons why running a service such as Asterisk on an IP address that you have a temporary lease for (and thus only have a passing relationship with, before it is passed to someone else) would be pretty bad practice.

The bug itself seems to be a genuine problem; the way the bug is put forward doesn't do much for motivating its resolution.

-- 
Regards, Giles Coochey
Re: [pfSense] Https blocking
On 24/09/2014 18:21, A Mohan Rao wrote:
> Hello. If you really are an expert then please resolve my problem. I have done all the things but still people can access blocked websites in pfsense.

With that kind of attitude, just what on earth do you think is going to make people feel obligated to assist you here?

-- 
Regards, Giles Coochey
Re: [pfSense] Routing between LAN interfaces
On 08/09/2014 16:50, Niklas Fondberg wrote:
> Hello Giles,
>
> I am grateful for your concern regarding my IP design. We are however content with it and we don't have any plans to change it. I need VLANs either configured in the switch or in the machine and I prefer to configure them in the machines. All interfaces are VLAN separated in the same switch infrastructure; this is quite common for new fabric switches which are extendable (hence the VLAN1, VLAN2 and VLAN10).
>
> The ILO interface is just named ILO; it has nothing to do with integrated lights out from HP other than that we have some servers connected on VLAN1 (default VLAN) which can be remotely managed through their ILO.
>
> If I read you correctly it seems like the VLANs are creating a problem with the routing in pfSense? If this is the case I guess I can configure the switches instead, but I am confused why this should be a problem.
>
> Can anyone shed some light on this topic?
>
> Kindest regards,
> Niklas

I'm not criticizing your choice of configuration; there is absolutely no reason not to use VLANs. However, in your design you appear to have a number of VLANs, but I didn't see that (at the moment) you actually showed a need to be using them (4 interfaces in total, one I assume is a WAN interface, three interfaces remaining; you say you are not using the default VLAN, and you have two VLANs plus an ILO subnet - so you could just use physical interfaces).

dot1Q VLAN trunks on your interfaces is a good design, especially if you might want to add VLANs to the design later... VLANs complexify your needed configuration, and might be where other admins could trip up.

Might be good to have a look at your routing table, on the Diagnostics menu in the web interface.

-- 
Regards, Giles Coochey
Re: [pfSense] Routing between LAN interfaces
On 08/09/2014 14:02, Niklas Fondberg wrote:
> I have 4 physical interfaces. My setup looks like this:
>
> Interface               | Network port
> ------------------------|------------------------------
> WAN (static ip/30)      | em0
> LAN (192.168.1.1/24)    | em1 (default VLAN, not used)
> DMZ (10.0.0.0/24)       | VLAN2 on em2
> ILO (10.2.0.0/24)       | em3
> OFFICE (192.168.2.0/24) | VLAN10 on em1
>
> Do you understand now?

What is your rationale for using VLANs? It appears that you are only using a single VLAN for any interface and wouldn't need to have VLANs at all. It seems like an unnecessary complication to your set up to me.

When you mention an ILO interface, is that an interface for a subnet that uses ILO type management cards, or are you trying to use an ILO port on the firewall as a routed interface (which wouldn't work as the ILO is a separate system on the server)?

Thanks
Giles

-- 
Regards, Giles Coochey
Re: [pfSense] Routing between LAN interfaces
So, how many actual interfaces do you have, and how many subnets are there? I am trying to understand what you mean by "VLAN configured".

I have an implementation with 3 different subnets each on their own interface and pfsense routes between the subnets when rules allow for it.

On 08/09/2014 13:05, Niklas Fondberg wrote:
> Hi all,
>
> I am struggling with routing between the different LAN interfaces I have set up. I have 3 LAN I/Fs where 2 are VLAN configured. I also have a fourth through OpenVPN.
>
> I have FW rules for all of the LANs with:
>
> PASS Proto: IPv4* Source * Port * Dest * Port * Gateway * Queue none
>
> I have added logs to the rules but I don't see anything in System Logs->Firewall wrt Blocks or Rejects. I thought pfSense would automatically route traffic between the LANs if the FW rules allowed it.
>
> What am I missing?
>
> Niklas

-- 
Regards, Giles Coochey
Re: [pfSense] PRIVATE WAN CAN NOT PING PRIVATE LOCAL NETWORK
On 04/09/2014 09:58, Enock Halonda wrote:
> Hello All,
>
> Hope you're all well. I need some assistance. I have set up my pfsense system as below.
>
> WAN IP (IP from ISP) on Pfsense (10.20.5.1/24) -- LOCAL LAN IP on Pfsense (192.168.0.0/22)
>
> From the diagnostics on my Pfsense, I can ping from my WAN (10.20.5.2 as source) to the LAN interface. I cannot, however, ping any workstation on the local network, for example 192.168.1.4. I can of course ping the IP 192.168.1.4 from the LAN interface as the source under my diagnostics. Internet access is available.
>
> I just want to be able to get to the local IPs on the LAN network from the WAN interface. Has anyone faced this or can anyone advise?
>
> Thanks a lot.

For starters, you would need a rule to allow inbound traffic from your WAN to your LAN; pfsense, by its nature, blocks inbound traffic on the WAN interface.

Secondly, you will need to uncheck "Block private networks" on your WAN interface.

Lastly, I'm assuming that you have disabled NAT already, and that your ISP is doing NAT for both your LAN and WAN subnets.

-- 
Regards, Giles Coochey
Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifications?
On 10/07/2014 13:34, Stefan Baur wrote:
> On 10.07.2014 14:16, Giles Coochey wrote:
>> On 10/07/2014 13:05, Ryan Coleman wrote:
>>> I am not sure that's how Dyn works? As far as I understand it Dyn gets a request and it looks at the originating IP address, then makes the change.
>>
>> I believe that it is possible to send DynDNS updates for IPs other than that of the originating IP; I recall I have done that in the past with the dyndns client (ddclient) script. If you don't specify a specific IP, it defaults to the origin source.
>
> Yes, but that's not the question.

Yes - I know, I wasn't answering your question, I was giving input to someone who had replied to your question.

-- 
Regards, Giles Coochey
Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifications?
On 10/07/2014 13:05, Ryan Coleman wrote:
> I am not sure that's how Dyn works? As far as I understand it Dyn gets a request and it looks at the originating IP address, then makes the change.

I believe that it is possible to send DynDNS updates for IPs other than that of the originating IP; I recall I have done that in the past with the dyndns client (ddclient) script. If you don't specify a specific IP, it defaults to the origin source.

-- 
Regards, Giles Coochey
Re: [pfSense] Poweredge 2850
On 20/05/2014 12:28, Ryan Coleman wrote:
> On May 20, 2014, at 1:59, Giles Coochey wrote:
>> Not to mention that if I ran a PE 2850 at home there would probably be complaints about the noise!!! Those things *scream* in the audible sense!!!
>
> Typically just on the first boot - mine always stopped screaming after about 30 seconds.

Even after the fans have kicked out of their max-cooling, max-air-flow mode the server is still way too loud for me in a home environment.

A fan-less Atom based box for a home environment any day... and it will easily push 40Mbps IPsec.

-- 
Regards, Giles Coochey
Re: [pfSense] Poweredge 2850
On 20/05/2014 02:12, Chris Bagnall wrote:
> Forgive me for saying so, but that's massive overkill for routing a 15Mbps connection. Granted, it'd be entirely appropriate if you were routing multiple gig transits in a datacentre environment where the power consumption might be justified, but in a home environment, you're just burning through electricity for the sake of it.
>
> Of course, if you're going to run pfSense as a VM under a hypervisor with several other VMs, then I take all the above back :-)
>
> Kind regards,
>
> Chris

Not to mention that if I ran a PE 2850 at home there would probably be complaints about the noise!!! Those things *scream* in the audible sense!!!

-- 
Regards, Giles Coochey
Re: [pfSense] using Pfsense as a router
On 14/05/2014 06:27, Faisal Gillani wrote:
> Klaus, I apologize for this; yes, this was a typo error. Local network information is as below.
>
> Local Network IP settings, and how can we use (OSPF / BGP)?
>
> Site 1
> IP 172.16.0.0
> Subnet 255.255.255.0
>
> All clients in Site 1 use 172.16.1.16 (Linux Firewall) as their default gateway; it is also connected to the MPLS network with the above given settings.

Not possible: clients are 172.16.0.1 - 172.16.0.254 and your default gateway needs to be one of them; 172.16.1.16 is outside of that range.

I would suggest that you look closely at the configuration; if you've managed typos in describing your problem, then you've probably made them when configuring it!

-- 
Regards, Giles Coochey
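Two of the threads above come down to address-plan mistakes that are cheap to check mechanically: a default gateway that is not inside the subnet it is supposed to serve (Site 1, 172.16.1.16 vs 172.16.0.0/24), and a VPN where the local prefix overlaps a remote one (the 10/8 versus Comcast discussion, where any 10.x.y.0/24 on the far side collides with a local 10/8). The following is an added example, not code from either thread or from the pfSense project: it uses the standard library's `ipaddress` module to run both checks over a constructed site description. The `SITE1` dictionary and its `vpn_peers` list are invented for illustration; only the 172.16.0.0/24 and 172.16.1.16 figures come from the post.

```python
import ipaddress


def gateway_in_subnet(network, gateway):
    """True when `gateway` is a usable host address inside `network`.

    Site 1 in the thread fails this check: 172.16.1.16 lies outside 172.16.0.0/24,
    so no client on that /24 can use it as a default gateway without a route to it.
    The network and broadcast addresses are excluded (assumes prefixes shorter than /31).
    """
    net = ipaddress.ip_network(network, strict=False)
    gw = ipaddress.ip_address(gateway)
    return gw in net and gw not in (net.network_address, net.broadcast_address)


def vpn_conflicts(local_prefixes, remote_prefixes):
    """Return (local, remote) pairs whose address space overlaps.

    Any such pair makes routing through the tunnel ambiguous: a host cannot tell
    whether a 10.58.223.x address is across the VPN or on the local 10/8.
    """
    local_nets = [ipaddress.ip_network(p, strict=False) for p in local_prefixes]
    remote_nets = [ipaddress.ip_network(p, strict=False) for p in remote_prefixes]
    return [
        (str(local), str(remote))
        for local in local_nets
        for remote in remote_nets
        if local.overlaps(remote)
    ]


def check_site(site):
    """Run both checks over a site description and return human-readable problems.

    The site schema ({"lans": [...], "vpn_peers": [...]}) is a constructed
    convention for this example, not a pfSense configuration format.
    """
    problems = []
    for lan in site["lans"]:
        if not gateway_in_subnet(lan["network"], lan["gateway"]):
            problems.append(
                f"{lan['name']}: gateway {lan['gateway']} is not inside {lan['network']}"
            )
    local_prefixes = [lan["network"] for lan in site["lans"]]
    for local, remote in vpn_conflicts(local_prefixes, site.get("vpn_peers", [])):
        problems.append(f"VPN: local {local} overlaps remote {remote}")
    return problems


# Constructed sample: Site 1's figures from the thread plus two hypothetical VPN peers,
# one of which (172.16.0.0/16) swallows the local /24.
SITE1 = {
    "lans": [{"name": "Site 1", "network": "172.16.0.0/24", "gateway": "172.16.1.16"}],
    "vpn_peers": ["172.16.0.0/16", "192.168.1.0/24"],
}


if __name__ == "__main__":
    for problem in check_site(SITE1) or ["no problems found"]:
        print(problem)
```

Running this over the real address plan before building tunnels or handing out DHCP options catches the typo-level errors the reply describes; the overlap check is also the quick way to confirm the advice in the 10/8 thread, since `vpn_conflicts(["10.0.0.0/8"], ["10.58.223.0/24"])` reports a conflict no matter how small the remote /24 is.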
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 08/04/2014 12:59, b...@todoo.biz wrote:
> If you have a look at this page: http://heartbleed.com/
>
> You would notice that this bug concerns OpenSSL:
>
> • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> • OpenSSL 1.0.1g is NOT vulnerable
> • OpenSSL 1.0.0 branch is NOT vulnerable
> • OpenSSL 0.9.8 branch is NOT vulnerable
>
> If you are on the latest version of pfSense the version is:
>
> OpenSSL 0.9.8y 5 Feb 2013
>
> So you are not vulnerable to this heartbleed bug!

For those of us who have held off upgrading just yet, and still run earlier versions of pfsense, are earlier versions vulnerable?

-- 
Regards, Giles Coochey
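The question at the end is best answered by checking the OpenSSL banner on each box rather than the pfSense release number. The following is an added example, not code from the thread or from the pfSense project: it parses banners of the form quoted above ("OpenSSL 0.9.8y 5 Feb 2013") and classifies them strictly according to the four bullet points reproduced in the post. Anything outside those four cases is reported as "unknown" rather than guessed. The sample banners are constructed for illustration; only the 0.9.8y line comes from the post.

```python
import re

# "OpenSSL <major>.<minor>.<patch><letter>" followed by an optional build date.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Extract (major, minor, patch, letter) from an 'openssl version' banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_status(banner):
    """Classify a banner using only the list quoted from heartbleed.com in the thread:

    - 1.0.1 through 1.0.1f (inclusive): vulnerable
    - 1.0.1g: not vulnerable
    - 1.0.0 branch and 0.9.8 branch: not vulnerable
    - anything else: 'unknown' (the quoted list does not cover it)

    The letter comparison assumes single-letter suffixes, which holds for the 1.0.1 branch.
    """
    major, minor, patch, letter = parse_openssl_version(banner)
    branch = (major, minor, patch)
    if branch == (1, 0, 1):
        # An empty suffix (plain "1.0.1") sorts before "a", so it is counted as vulnerable.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    return "unknown"


def triage(banners):
    """Map each banner to its status, e.g. over an inventory collected from several firewalls."""
    return {banner: heartbleed_status(banner) for banner in banners}


# Constructed sample inventory (the first line is the banner quoted in the thread).
SAMPLE_BANNERS = [
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 1.1.0",
]


if __name__ == "__main__":
    for banner, status in triage(SAMPLE_BANNERS).items():
        print(f"{status:15s} {banner}")
```

The "unknown" bucket is deliberate: a triage script that silently marks unlisted versions as safe is how an affected host slips through an inventory sweep.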
Re: [pfSense] Polycom doesn't work behind Pfsense box
On 21/03/2014 14:34, Felipe Izaguirre wrote:
> Hi guys,
>
> Has anyone had a problem with a Polycom ViewStation behind a PfSense NAT? I have set up a NAT 1:1 to my Polycom ViewStation and no restrictions on any ports. The problem is that, when I make or receive a call, it enters the room but the screen goes blue and there is no sound. Testing the Polycom connected directly to the router without Pfsense, everything works fine.
>
> Any idea about this problem?

Page 147: http://support.polycom.com/global/documents/support/setup_maintenance/products/video/viewstation_sp_user_guide.pdf

What are your settings?

-- 
Regards, Giles Coochey
[pfSense] This post on Full-Disclosure
http://seclists.org/fulldisclosure/2014/Jan/187

I'm not connected with the author, nor do I share any opinions. I simply monitor the Full Disclosure list, as well as pfsense, and thought it appropriate to make the pfsense list aware.

I imagine a lot of what is disclosed in the post represents problems with third party packages, and would mostly be mitigated by not allowing the web interface to be accessible from non-trusted networks / IPs.

-- 
Regards, Giles Coochey
Re: [pfSense] Dual-WAN setup using VLANs + pfsense on virtual machine
On 22/01/2014 13:19, Yannis Milios wrote:
> >The routing between the VLANs should be done by pfsense.<
>
> So that means in my case that all (3) virtual nics should be bridged to the server's (1) physical nic and all vlan routing should be managed by virtual pfsense?

When you say "vlan routing" you might mean "vlan tagging"??

This depends on your virtualisation hypervisor software; if possible you might want to split your VLANs into virtual networks and attach multiple virtual NICs to each virtual network. If that is not possible then pfsense can use VLANs and you can virtually map the virtual interface on pfsense to the physical interface on the machine hosting the virtual machines.

Both methods can be done; not sure which would be the best, it would depend on the hypervisor.

-- 
Regards, Giles Coochey
Re: [pfSense] Dual-WAN setup using VLANs + pfsense on virtual machine
On 22/01/2014 13:06, Yannis Milios wrote:
> Hello friends,
>
> I am planning the following setup and I would like your opinion on whether this kind of setup can work: http://i41.tinypic.com/24fzocn.png
>
> What I want to achieve is having a pfsense VM on a Linux box which will act as router/firewall for LAN workstations. There is just one VLAN capable switch in the network. There is just one NIC interface on this Linux box. The pfsense VM should have 3 virtual NICs (1 wan1, 1 wan2, 1 lan).
>
> If this setup is viable, where should VLAN routing be done? On the Linux box or in the pfsense VM?
>
> I am using (https://doc.pfsense.org/index.php/HOWTO_setup_vlans_with_pfSense) as a reference for this setup.

I run a virtual pfsense for virtual networks; there should be no problem trunking VLANs through to your pfsense VM to cope with an Internal, WAN 1, WAN 2 and other DMZs if necessary. The routing between the VLANs should be done by pfsense.

> Thank you for your time and sorry for my bad English

-- 
Regards, Giles Coochey
Re: [pfSense] Very slow printing when 2 of pfSense on network
On 23/10/2013 17:03, petes-li...@thegoldenear.org wrote:
> routers on that subnet

In general, I believe the sound design of a network has the following rules of thumb:

1. There should only be one router (or virtual router in HA environments) on a subnet used by end-user systems.

2. If a subnet has more than one router (or virtual router), then it is a transit subnet (i.e. a /30), and should only contain routers and no end-user systems.

3. If a subnet has more than two routers (or virtual routers), then you should really use a dynamic routing protocol (I would still avoid RIP, and use OSPF or EIGRP (Cisco proprietary)). OSPF has the feature of a designated router (DR) and backup designated router (BDR), which essentially virtually creates a router within a broadcast domain to ensure that the routes are calculated as per (2).

If you need to break these rules of thumb, then either:

(a) Ensure that your routers and hosts understand and process ICMP Redirects, and live with the possible consequences of the security issues these create.

(b) Enable a dynamic routing protocol on all your end-user hosts, and live with the possible consequences of the security issues these create.

Either way, not following the rules will create a performance issue, which you might be able to move around to other systems on the subnet, but still a performance issue.

-- 
Regards, Giles Coochey
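To make the cost of breaking rule 1 concrete, here is an added example that is not part of the post: a small routing model in which hosts on one LAN send everything to a single default gateway. When a second router also sits on that LAN and owns a path the gateway does not, the gateway's best route for that destination points back onto the LAN it received the packet on, which is exactly the condition that makes a router forward the packet anyway and send the host an ICMP redirect (option (a) above). The same model with one router that owns both paths produces no redirects. All addresses, router names and the `Router` class are constructed for illustration.

```python
import ipaddress


class Router:
    """Minimal router model: one address on the user LAN plus a routing table.

    `routes` is a list of (prefix, next_hop). A next_hop of None means the prefix
    is reached over some other link (upstream or another interface), not via the LAN.
    """

    def __init__(self, name, addr, routes):
        self.name = name
        self.addr = ipaddress.ip_address(addr)
        self.routes = [
            (ipaddress.ip_network(prefix), None if nh is None else ipaddress.ip_address(nh))
            for prefix, nh in routes
        ]

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next_hop) or None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best


def forward(lan, gateway, dst, routers):
    """Trace a host's first hop for one destination.

    The host on `lan` sends every off-subnet packet to `gateway`. If that router's
    best route has a next hop on the very same LAN, the packet goes back out the
    interface it arrived on and the router emits an ICMP host redirect to the sender.
    """
    lan = ipaddress.ip_network(lan)
    gw = next((r for r in routers if str(r.addr) == gateway), None)
    if gw is None:
        raise ValueError(f"gateway {gateway} is not one of the routers")
    route = gw.lookup(dst)
    if route is None:
        return {"first_hop": gw.name, "delivered": False, "redirect": False}
    _prefix, nh = route
    if nh is not None and nh in lan:
        return {"first_hop": gw.name, "delivered": True, "redirect": True, "redirect_to": str(nh)}
    return {"first_hop": gw.name, "delivered": True, "redirect": False}


def redirect_rate(lan, gateway, destinations, routers):
    """Fraction of sample destinations whose first packet triggers a redirect."""
    hits = sum(forward(lan, gateway, d, routers)["redirect"] for d in destinations)
    return hits / len(destinations)


# Constructed topology. Rule-breaking design: two routers on the user subnet,
# R1 is the hosts' default gateway, R2 alone reaches 10.20.0.0/16.
LAN = "192.168.10.0/24"
R1 = Router("R1", "192.168.10.1", [("0.0.0.0/0", None), ("10.20.0.0/16", "192.168.10.2")])
R2 = Router("R2", "192.168.10.2", [("10.20.0.0/16", None)])
# Rule-following design: one router that owns both the default and the 10.20/16 path.
R_ONLY = Router("R", "192.168.10.1", [("0.0.0.0/0", None), ("10.20.0.0/16", None)])
DESTS = ["8.8.8.8", "10.20.5.5", "10.20.9.1", "203.0.113.7"]


if __name__ == "__main__":
    for d in DESTS:
        print(d, forward(LAN, "192.168.10.1", d, [R1, R2]))
    print("redirect rate, two routers:", redirect_rate(LAN, "192.168.10.1", DESTS, [R1, R2]))
    print("redirect rate, one router: ", redirect_rate(LAN, "192.168.10.1", DESTS, [R_ONLY]))
```

The redirect is per destination host, so in the two-router design every new 10.20.x.y conversation takes an extra hop through R1 before the host learns the shortcut, and hosts configured to ignore redirects (the usual hardening, since a forged redirect can steer traffic to an attacker's box) pay that extra hop on every packet; that is the performance issue the reply says can be moved around but not removed.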
Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
On 10/10/2013 15:04, Chris Bagnall wrote:
> What made you change from AES to Blowfish, and is there any evidence to suggest that Blowfish is more 'secure' than AES?

My understanding is that AES was championed by an agency which has received recent bad press. ;-) Blowfish was a contender to actually become AES, wasn't it?

I agree that I might see better performance with AES as it is supported in hardware by many chipsets, and when selected all the contenders marked AES as second best (after their own submissions of course...).

I'm not saying it is insecure, I'm just wary of the following:

1. AES was championed by that agency.

2. General comments heard: (a) "When GCHQ heard what that agency had done it was 'jaw dropping'", (b) the agency pro-actively steered the community towards insecure algorithms.

3. Blowfish only just missed out on AES, didn't it come 2nd or 3rd, or was that a related cipher?

4. I'm a complete novice, and I get the impression that most who choose a cipher do so either on a whim, or on someone else's say so.

What about CAST128??? 2.1 appears to support that.

Is there any plan to support Twofish? Schneier said in 2007 he'd recommend that over Blowfish.

Is there any mechanism to insert ciphers into Pfsense that are not currently supported?

-- 
Regards, Giles Coochey
[pfSense] Now people are trying to remove my email from the list from IP 129.2.129.152 (... Fwd: confirm )
Dear Sir,

Through participating on the pfSense support and discussion list, someone from an IP address under your control has attempted to unsubscribe me from this list. I see this as an abuse of the mailing list and hope that you take appropriate action.

The IP that the request came from was: 129.2.129.152

Regards,
Giles

NetRange:       129.2.0.0 - 129.2.255.255
CIDR:           129.2.0.0/16
OriginAS:       AS27
NetName:        UMDNET-2
NetHandle:      NET-129-2-0-0-1
Parent:         NET-129-0-0-0-0
NetType:        Direct Assignment
RegDate:        1988-03-09
Updated:        2011-05-03
Ref:            http://whois.arin.net/rest/net/NET-129-2-0-0-1

OrgName:        University of Maryland
OrgId:          UNIVER-262
Address:        Office of Information Technology
Address:        Patuxent Building
City:           College Park
StateProv:      MD
PostalCode:     20742
Country:        US
RegDate:
Updated:        2013-10-01
Ref:            http://whois.arin.net/rest/org/UNIVER-262

OrgAbuseHandle: UARA-ARIN
OrgAbuseName:   UMD Abuse Role Account
OrgAbusePhone:  +1-301-405-8787
OrgAbuseEmail:  ab...@umd.edu
OrgAbuseRef:    http://whois.arin.net/rest/poc/UARA-ARIN

OrgTechHandle:  UM-ORG-ARIN
OrgTechName:    UMD DNS Admin Role Account
OrgTechPhone:   +1-301-405-3003
OrgTechEmail:   dnsad...@noc.net.umd.edu
OrgTechRef:     http://whois.arin.net/rest/poc/UM-ORG-ARIN

RTechHandle:    UM-ORG-ARIN
RTechName:      UMD DNS Admin Role Account
RTechPhone:     +1-301-405-3003
RTechEmail:     dnsad...@noc.net.umd.edu
RTechRef:       http://whois.arin.net/rest/poc/UM-ORG-ARIN

RAbuseHandle:   UARA-ARIN
RAbuseName:     UMD Abuse Role Account
RAbusePhone:    +1-301-405-8787
RAbuseEmail:    ab...@umd.edu
RAbuseRef:      http://whois.arin.net/rest/poc/UARA-ARIN

RNOCHandle:     UM-ORG-ARIN
RNOCName:       UMD DNS Admin Role Account
RNOCPhone:      +1-301-405-3003
RNOCEmail:      dnsad...@noc.net.umd.edu
RNOCRef:        http://whois.arin.net/rest/poc/UM-ORG-ARIN

# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html

 Original Message 
Subject:  confirm
Date:     Thu, 10 Oct 2013 09:48:48 -0400
From:     list-requ...@lists.pfsense.org
Reply-To: list-requ...@lists.pfsense.org
To:       gi...@coochey.net

Mailing list removal confirmation notice for mailing list List

We have received a request from 129.2.129.152 for the removal of your email address, "gi...@coochey.net" from the list@lists.pfsense.org mailing list. To confirm that you want to be removed from this mailing list, simply reply to this message, keeping the Subject: header intact. Or visit this web page:

http://lists.pfsense.org/mailman/confirm/list/

Or include the following line -- and only the following line -- in a message to list-requ...@lists.pfsense.org:

confirm

Note that simply sending a `reply' to this message should work from most mail readers, since that usually leaves the Subject: line in the right form (additional "Re:" text in the Subject: is okay).

If you do not wish to be removed from this list, please simply disregard this message. If you think you are being maliciously removed from the list, or have any other questions, send them to list-ow...@lists.pfsense.org.
Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
Trying to get this back on-topic, I will change the subject however, to alleviate the issues the anti-tin-foil-hat brigade have. (PS: I am also top-posting on purpose as I believe the conversation below has near to no relevance to my questions, but simply is an argument as to whether these questions should be asked, to which I believe in the affirmative.)

I have various questions to offer for discussion which have been bothering me since various security related issues that have appeared in the media recently (see: https://www.schneier.com/crypto-gram-1309.html). Clearly, at the moment, open source security tools ought to have an advantage over closed-source tools. However, peer review of open-source code is not always complete, and there have been questions whether even algorithms have been subverted.

1. The random number generator - As pfSense uses FreeBSD this may well be a FreeBSD specific question, however, are there any ways within pfSense that we can improve the entropy pool that the random number generator gets its randomness from? Has anyone had any experience of implementing an external entropy source (e.g. http://www.entropykey.co.uk/) in pfSense?

2. Cipher selection - we're not all cryptanalysts, so statements like 'trust the math' don't always mean much to us. Given the reports in the media, what is considered a safe cipher? I recently switched from AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and PFS group 2 to PFS group 5, and I reduced my SA lifetimes from 28800 to 1800. Could that be considered overkill? What ciphers are others using? Have any of you, who have been made recently aware of the media coverage, also changed your cipher selection? What kind of changes did you make?

3. pfSense - In general do you consider pfSense secure?? As we are apparently told, asking whether the NSA has inserted or influenced the code in any way either in the pfSense code, or the upstream base (FreeBSD), is a question that we can't ask, as if it were the case then the NSA would have instructed someone in the know to answer in the no.

On 10/10/2013 12:33, Rüdiger G. Biernat wrote:
> This discussion about security/NSA/encryption IS important. Please go on.
>
> Sent from Samsung Mobile
>
>  Original message 
> From: Giles Coochey
> Date: 10.10.2013 11:39 (GMT+01:00)
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
>
> On 10/10/2013 09:38, Thinker Rix wrote:
>> On 2013-10-10 01:13, Przemysław Pawełczyk wrote:
>>> On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix wrote:
>>>> Well, actually I started this thread with a pretty frank, straight-forward and very simple question.
>>> That's right and they were justified.
>>
>> Thank you!
>>
>>> BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some.
>>
>> Yes, I guess I have hit a whole bunch of different nerves with my question, and I find it to be highly interesting to observe some of the awkward reactions, socioscientifically and psychologically.
>>
>> I have been insulted, I have been bullied, I have been called to self-censor myself and at the end some users "virtually joined" to give the illusion of a majority and muzzle me, stating that my question has no place at this pfSense mailing list. Really amazing, partly hilarious reactions, I think. These reactions say so much about how far the whole surveillance and mind-suppression has proceeded already and how much it has influenced the thoughts and behavior of formerly free people by now. Frightening.
>>
>>> Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA.
>>
>> Thank you for showing your support openly!
>
> I too was surprised to see some activity on the pfSense list, after seeing only a few posts per week I checked today to find several dozen messages talking about a topic I have been concerned with myself - as a network security specialist, how much can I trust the firewalls I use, be they embedded devices, software packages, or 'hardware' from manufacturers.
>
> There are many on-topic things to discuss here:
>
> 1. Which ciphers & transforms should we now consider secure (pfSense provides quite a few cipher choices over some other off-the-shelf hardware).
> 2. What hardware / software & configuration changes can we consider to improve RNG and ensure that, should we increase the bit size of our encryption and reduce the lifetimes of our SAs, we can still ensure we have enough entropy in the RNG on a device that is typically starved of traditional entropy sources.
>
> This is so much on-topic, I am surprised that there has been a movement to call this thread to stop, granted - it may seem that the conversation may drift into a political one, with regard to privacy law etc... however, that is a valid sub-topic for a discussion list that addresses devices that are designed and implemented to safe-guard privacy.
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 10/10/2013 13:55, Ian Bowers wrote:
> On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis <alexandre.para...@gmail.com> wrote:
>> indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody doesn't care.
>>
>> On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat <rgbier...@rgbiernat.homelinux.org> wrote:
>>> This discussion about security/NSA/encryption IS important. Please go on.
>
> Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation. I tried to turn this back into a product support discussion in the last thread but sadly my comments were not among those cherry picked. This discussion does not suit the purpose of this list.
>
> I see a bunch of hard working people reacting to their product's integrity being continuously questioned despite having all questions answered, and a few entitled consumers who can't be bothered to figure out technology well enough to come to their own conclusion on its integrity. As well as a bunch of people that want this discussion to go someplace more appropriate.
>
> The "concerned" parties are not concerned enough to learn how to read code. So you're paranoid, just not paranoid enough to actually learn how to answer your own questions.
>
> Unless there is an issue someone is having making a VPN work or getting NAT running right, this is the wrong place to hold this discussion. If you're having an issue with pfSense, networking protocols, or logical operation of the device, great! Let's talk about it! I'm actually very good at these things, and I'd like to spend time helping people with network or network security related operational problems.
>
> Otherwise, please find the email addresses of all the people who have shown an interest in participating in this discussion, and send an email out to that list of people to discuss it among yourselves.

*BLINK!*

Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points is now leading me to seriously reconsider the potential risk I have in continuing to use pfSense as a security tool.

The about text on the mailman page states: "pfSense support and discussion list"... This thread is clearly about discussing pfSense, therefore it is on-topic. I could equally take the stance, take your technical discussions to the dev list, however I am not the type of exclusive close-minded person that you appear to be.

Please stop hijacking this thread.

--
Regards, Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 10/10/2013 09:38, Thinker Rix wrote:
> On 2013-10-10 01:13, Przemysław Pawełczyk wrote:
>> On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix wrote:
>>> Well, actually I started this thread with a pretty frank, straight-forward and very simple question.
>> That's right and they were justified.
>
> Thank you!
>
>> BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some.
>
> Yes, I guess I have hit a whole bunch of different nerves with my question, and I find it to be highly interesting to observe some of the awkward reactions, socioscientifically and psychologically.
>
> I have been insulted, I have been bullied, I have been called to self-censor myself and at the end some users "virtually joined" to give the illusion of a majority and muzzle me, stating that my question has no place at this pfSense mailing list. Really amazing, partly hilarious reactions, I think. These reactions say so much about how far the whole surveillance and mind-suppression has proceeded already and how much it has influenced the thoughts and behavior of formerly free people by now. Frightening.
>
>> Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA.
>
> Thank you for showing your support openly!

I too was surprised to see some activity on the pfSense list, after seeing only a few posts per week I checked today to find several dozen messages talking about a topic I have been concerned with myself - as a network security specialist, how much can I trust the firewalls I use, be they embedded devices, software packages, or 'hardware' from manufacturers.

There are many on-topic things to discuss here:

1. Which ciphers & transforms should we now consider secure (pfSense provides quite a few cipher choices over some other off-the-shelf hardware).
2. What hardware / software & configuration changes can we consider to improve RNG and ensure that, should we increase the bit size of our encryption and reduce the lifetimes of our SAs, we can still ensure we have enough entropy in the RNG on a device that is typically starved of traditional entropy sources.

This is so much on-topic, I am surprised that there has been a movement to call this thread to stop, granted - it may seem that the conversation may drift into a political one, with regard to privacy law etc... however, that is a valid sub-topic for a discussion list that addresses devices that are designed and implemented to safe-guard privacy.

--
Regards, Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] Remove a single ip from ipsec
On 29/08/2013 14:19, Jochem de Waal wrote:
> Ok, I think I misspoke. I need to be able to access that remote ip. I just don't want it to go through ipsec. Basically I need that remote host to see my public ip that I'm natting on. When the traffic goes through ipsec, the remote host sees my internal ips.

In that case I think you need to define your phase 2 definitions to somehow exclude that IP address. It is possible; don't worry about having subnet network IPs and broadcasts in your definitions, they will still be mapped through. It's not too difficult once you get your head around it.

You might want to do some design clean-up in the future, to ensure that contiguous ranges of IPs serve the purpose of going through the tunnel.

--
Regards, Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] Pfsense Installation on Virtualbox
On 02/06/2013 09:07, Christoph Hanle wrote:
> On 01.06.2013 20:04 wisdom Nkosi wrote:
>> I have two ISPs ISP A and ISP B. [...] Is it possible to configure PFSENSE router on VirtualBOX so that all the users computer on the network should go through PFSENSE which is installed on the Virtualbox? Please am looking forward to hear from
>
> Hi Wisdom,
> my two cents: don't do this with virtualbox.

I have been running pfSense 2.0.x release under VirtualBox (on a CentOS 6.x host) with 1 bridged, 1 openvpn and 3 internal only networks without any issues for the last year. The server runs 24 other virtual hosts, which connect externally through the pfSense virtual machine. You may find some quirky stuff going on if you use a NAT interface for your external access, but otherwise it runs *without any issues*.

--
Regards, Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] Sanity check on Routing with pfSense
On 24/05/2013 21:46, Jeffrey Mealo wrote:
> 1. First ping is always 3-10ms, subsequent pings are < 1ms.* Does that really affect things?

On Cisco kit you'll find the first ping is actually dropped, because of the ARP request...

I've run pfSense under VirtualBox without issues (no CARP config though).

--
Regards, Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] Frequent "bge0: watchdog timeout -- resetting" problems
On 13/05/2013 15:07, Paul Mather wrote:
> bge0: watchdog timeout -- resetting
> bge0: link state changed to DOWN
> bge0: link state changed to UP
> bge0: watchdog timeout -- resetting
> bge0: link state changed to DOWN
> bge0: link state changed to UP
> bge0: watchdog timeout -- resetting
> bge0: link state changed to DOWN
> bge0: link state changed to UP
> bge0: watchdog timeout -- resetting
> bge0: link state changed to DOWN
> bge0: link state changed to UP

I had something similar, with a VM implementation; it seemed to go away when I increased the memory on the system.

--
Regards, Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] pfBlocker
On 29/11/2012 02:52, mikio.ki...@gmail.com wrote:
> Hi all,
> I'm interested in pfBlocker. Can it update the ip address database automatically ?

I installed it last week. It can be set to update the URL it gets the blocked IP addresses from once every hour (that's the most granular setting).

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] Soekris net5501-70 additional PCI network card does not work
On 26/09/2012 12:49, Chris Bagnall wrote:
> On 26/9/12 12:35 pm, İhsan Doğan wrote:
>> As mentioned, I don't have any issues with built-in Via Rhine interfaces. My problem is, that the Intel card on the PCI slot does not work.
>
> You need to ascertain whether it's the card or the slot that's the problem. Try the card in a different machine (even if it's just an ordinary PC) and make sure it works in there. If possible, try another NIC in the Soekris and see if that works.
>
> I seem to (vaguely - it's several years since I've used the 5501) recall that the PCI slot doesn't support both 3.3v and 5v. I honestly can't remember which way round it was though...
>
> Update: a quick read of its spec sheet indicates it only supports 3.3v: http://soekris.com/products/net5501.html
>
> So it might be that your Intel NIC is expecting 5v signalling, especially if it's an old (pre-PCI 2.2) card.

This could be a power issue; the Soekris boxes are low power and can't run all the peripherals that match the interface's form factor.

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] pfSense vs JunOS
On 04/07/2012 11:06, Tonix (Antonio Nati) wrote:
> Il 04/07/2012 11:44, Ermal Luçi ha scritto:
>> On Wed, Jul 4, 2012 at 10:44 AM, Tonix (Antonio Nati) wrote:
>>> Il 02/07/2012 15:51, Jim Pingle ha scritto:
>>>> On 7/2/2012 9:38 AM, Tonix (Antonio Nati) wrote:
>>>>> Too much confusion in keeping filters tables,
>>>> Switching how the entire firewall operates is also very confusing and not likely to do what people expect -- floating rules would be much easier to understand than you expect (if the list were cleaned up a bit)
>>>>> and no possibility to let a user to manage his/her interface.
>>>> That's not even possible now, and would be just as difficult/easy to implement on the floating tab as any other. (If a user can only see interface X, only show the rules for interface X, done.)
>>>
>>> Would it be possible to have a technical answer about using OUTPUT interface rules instead of INPUT interface rules? What should change dramatically inside pfSense, and is there any real security reason for not doing that? As far as I can see PF filtering, both INPUT and OUTPUT interface rules would be evaluated in the same place.
>>
>> Definition of same place is not correct here. While it's true that all rules are in the same place (data structure), on stateful firewalls they get evaluated only once; that is why it is not considered to split them out. Also there are optimizations that make this not a factor at all in evaluation of the ruleset.
>>
>> Certainly it is recommended to kill mosquitoes before they come to you :)
>>
>> Though it's mostly performance reasons, because the packets then will consume too much CPU and open the possibility of DoS. Although there is the other reason of buffer overflows and exploits. Wrongly crafted packets might crash your host or even make it vulnerable to exploits, while with filtering on inbound you reduce this risk by at least making sure of the sanity of network metadata (packet headers, ips, etc).
>
> Sorry, but you did not answer my question. Your comments are general security comments but do not answer the central question.
>
> Once you have an incoming connection (first time), let's say from INT X to INT Y, dest IP Z, dest port P, will these alternative rules be evaluated in the same moment or not?
> - Evaluate INPUT on INT X, dest IP Z, dest port P
> - Evaluate OUTPUT on INT Y, dest IP Z, dest port P
>
> If the answer is YES, there is no added security risk in preferring filtering rules on the OUTPUT interface. Both INPUT and OUTPUT have the same risks.
> If the answer is NO, please explain where and why INPUT and OUTPUT are evaluated in different phases.
>
> Regards,
> Tonino

My firewall has four interfaces. A packet arrives on one interface. At this stage it is impossible for the firewall to apply a rule based on the outbound interface, because which interface that is has not been evaluated yet. It is not until the packet is processed that the outbound interface is determined. It is, however, able to make a decision on rules applied on the INBOUND interface, because that is a known fact. Simples.

As a general rule, best practices state that if you are going to drop / filter packets on your network, do so as close to the source as possible. This applies within systems as well as on the wire.

I'd say NO - INPUT is evaluated upon input, OUTPUT is evaluated upon output - my guess as the reason they decided to call them INPUT and OUTPUT.
Re: [pfSense] pfSense vs JunOS
On 02/07/2012 14:37, Tonix (Antonio Nati) wrote:
> I would be not so sure about that. When I gave an inside look at PF, some years ago, I had the perception filters are evaluated all together in the same place, whether they are ingoing or outgoing. You can even mix incoming and outgoing interfaces in the filter flow you design.

As far as I remember PF does let you specify INPUT or OUTPUT interface, but not INPUT and OUTPUT. That would be some feat indeed... the output interface isn't known until the packet has been routed. :-)

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] pfSense vs JunOS
On 02/07/2012 13:41, Tonix (Antonio Nati) wrote:
> I've suggested (both for pfSense and Monowall) to give the possibility to invert the filtering directions. In a complex environment, it would be a lot more useful to apply filters to outgoing interfaces (instead of incoming interfaces). In this way you write only one statement and only for the interface which is managing the output zone. If this basic system setting (apply filters to incoming or outgoing interfaces) could be modified, I'm sure all ISPs will apply filters to outgoing interfaces. With output filters, interface management could also be allowed per user, as it would not interfere with other interfaces.

In some environments this might cause a performance issue and perhaps be easier to DoS.

In an outbound filtering scenario: if you think about it, the firewall looks at the packet, processes it (NATs & routes it appropriately etc...) then when it goes to transmit the packet, only then does it check the outbound ruleset and make the decision to drop the packet - but it has already wasted quite a few CPU loops before deciding to drop the packet.

In an inbound filtering scenario the packet is dropped or accepted prior to any of the routing, NAT etc... and a lot fewer CPU instructions are wasted.

Just a thought?

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
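The point made across the three "pfSense vs JunOS" messages above (the egress interface is only known after the packet has been routed, so an outbound-only ruleset pays for route lookup and NAT before it can drop anything) as an added Python example. This is a toy model written for this page, not pf's or pfSense's code: a four-interface stateful filter with a longest-prefix routing table, a default-pass ruleset in which the last matching rule wins (pf's behaviour without `quick`), and a trace of the stages each packet passes through. The interface names, addresses and the "block telnet into the DMZ" policy are constructed for the example.

```python
"""Toy model of inbound vs outbound rule placement on a stateful packet filter.

Assumptions (not from pf or pfSense): four interfaces, default-pass policy so the
comparison is only about where the block rule sits, one unit of work per stage.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str   # ingress interface: known the moment the packet arrives
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str            # interface the rule is bound to
    direction: str        # "in" or "out"
    dst_net: str
    dport: Optional[int]  # None matches any port
    action: str           # "pass" or "block"

    def matches(self, pkt: Packet, iface: str) -> bool:
        return (self.iface == iface
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    def __init__(self, routes: Dict[str, str], rules: List[Rule]) -> None:
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}
        self.rules = rules

    def _route(self, pkt: Packet) -> Optional[str]:
        """Longest-prefix match; this is the step that first reveals the egress interface."""
        dst = ipaddress.ip_address(pkt.dst)
        candidates = [n for n in self.routes if dst in n]
        if not candidates:
            return None
        return self.routes[max(candidates, key=lambda n: n.prefixlen)]

    def _verdict(self, pkt: Packet, iface: str, direction: str) -> str:
        verdict = "pass"                      # default-pass (see module docstring)
        for r in self.rules:                  # last matching rule wins, as in pf without "quick"
            if r.direction == direction and r.matches(pkt, iface):
                verdict = r.action
        return verdict

    def forward(self, pkt: Packet) -> Tuple[str, Optional[str], List[str]]:
        """Return (verdict, egress interface, list of stages the packet went through)."""
        trace = ["in-rules@" + pkt.in_iface]  # inbound rules need nothing but the ingress interface
        if self._verdict(pkt, pkt.in_iface, "in") == "block":
            return "block", None, trace
        trace.append("route-lookup")          # only now is the egress interface known
        out = self._route(pkt)
        if out is None:
            return "unreachable", None, trace
        trace.append("nat/state")             # translation and state creation happen before transmit
        trace.append("out-rules@" + out)
        if self._verdict(pkt, out, "out") == "block":
            return "block", out, trace
        return "pass", out, trace


# Constructed topology: default route out of WAN, three internal networks.
ROUTES = {"0.0.0.0/0": "wan", "10.0.1.0/24": "lan", "10.0.2.0/24": "dmz", "10.0.3.0/24": "guest"}

# Same policy expressed two ways: block telnet from the outside into the DMZ.
INBOUND_POLICY = [Rule("wan", "in", "10.0.2.0/24", 23, "block")]
OUTBOUND_POLICY = [Rule("dmz", "out", "10.0.2.0/24", 23, "block")]


def work_to_drop(policy: List[Rule]) -> int:
    """Number of stages the firewall runs before it drops an unwanted telnet packet."""
    fw = Firewall(ROUTES, policy)
    verdict, _, trace = fw.forward(Packet("wan", "203.0.113.9", "10.0.2.10", 23))
    if verdict != "block":
        raise RuntimeError("policy did not block the test packet")
    return len(trace)


if __name__ == "__main__":
    for name, policy in (("inbound", INBOUND_POLICY), ("outbound", OUTBOUND_POLICY)):
        print(f"{name:8s} rule: {work_to_drop(policy)} stage(s) before the drop")
```

With the block rule on the inbound side the packet is discarded after one stage; with the equivalent rule on the outbound side it goes through route lookup and NAT/state creation first, which is the extra CPU cost (and DoS surface) the message above describes. Permitted traffic costs the same either way, so the difference only shows up for traffic you intend to drop.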
Re: [pfSense] Block Tor Exit Nodes
On 30/06/2012 00:16, Michael D. Wood wrote:
> Not sure about a package, but will this help?
> https://check.torproject.org/cgi-bin/TorBulkExitList.py

I am actually using that on a host basis with a script, but was wondering whether it is possible to push it out to the perimeter edge. Note also there is an RBL-style DNS zone for Tor IPs as well, which is useful for web page scripting.

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
[pfSense] Block Tor Exit Nodes
Hi,

Is there a package that would allow me to block Tor exit nodes?

Thanks

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
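The two approaches mentioned in this thread (the bulk exit list from check.torproject.org, and an RBL-style DNS zone) as an added Python example; this is not code from the thread, from pfSense or from the Tor project. It turns the downloaded list into a file that pf can load as a table and forms the reversed-octet query name an RBL lookup uses. Assumptions: the list is one address per line with `#` comment lines (the sample below is constructed from documentation addresses, not real relays), the table name `tor_exits` is arbitrary, and `dnsbl.example` stands in for whatever zone you use, since the thread does not name one. Fetching the list is left to `fetch`/`curl` so the script runs offline.

```python
"""Build a pf table from a Tor bulk exit list and form RBL-style DNS query names.

Added example; the list format and zone name below are assumptions, not from the thread.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample in the one-address-per-line, '#'-comment format assumed for
# the bulk exit list. Includes duplicates and junk so the parser's filtering shows.
SAMPLE_EXIT_LIST = """\
# Example list of exit addresses (constructed; documentation ranges, not real relays)
198.51.100.4
198.51.100.4
192.0.2.77
not-an-address
2001:db8::1
192.0.2.78/32
"""


def parse_exit_list(text: str) -> List[str]:
    """Return unique, validated IPv4 host addresses in sorted order; skip comments and junk."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # accepts "a.b.c.d" or "a.b.c.d/32"
        except ValueError:
            continue                          # junk line: ignore rather than poison the table
        if net.version != 4 or net.num_addresses != 1:
            continue                          # keep this example to single IPv4 hosts
        seen.add(net.network_address)
    return [str(a) for a in sorted(seen)]


def to_pf_table(addrs: Iterable[str]) -> str:
    """Render a file that pf can load with: table <tor_exits> persist file "/path/to/file"."""
    return "".join(f"{a}\n" for a in addrs)


def dnsbl_name(addr: str, zone: str) -> str:
    """Form the reversed-octet query name used by RBL-style zones, e.g. 77.2.0.192.<zone>."""
    ip = ipaddress.IPv4Address(addr)          # raises ValueError on anything that is not IPv4
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    print(to_pf_table(exits), end="")
    for a in exits:
        print("lookup:", dnsbl_name(a, "dnsbl.example"))
```

To push it to the perimeter, write the rendered text to a file and reload the table without a full ruleset reload (`pfctl -t tor_exits -T replace -f /path/to/file`), then reference `<tor_exits>` in a `block in quick on $wan from <tor_exits>` rule; on pfSense the same file can be served to a URL Table alias, which is what a package such as pfBlocker automates. For the RBL approach, an A-record answer for the query name means the address is listed; the exact zone and the meaning of the returned address depend on the zone operator.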
Re: [pfSense] Encrypt Microwave Link?
On 26/06/2012 21:07, Chris Bagnall wrote:
> On 26/6/12 8:46 pm, Paul Cockings wrote:
>> 1. (broad question... beat me up if like..) Are microwave links "hackable" and therefore I should consider some type of encryption on that link
>
> You should probably let the list have a bit more detail about the type of links you're setting up - specifically which frequency bands and how narrowly 'focused' the signal will be.
>
> As a general rule, yes, such links can be intercepted. Having said that, if you're talking a short-range point-to-point link with a very narrow signal (i.e. sub 6 degrees horizontal and vertical), and on a non-public frequency band (i.e. not 2.4GHz or 5GHz), then the probability of interception is fairly minimal.
>
> By contrast, if you're running a long-range link with a fairly

I think he said Microwave not Wireless.

Depends on implementation. We ran a couple of STM-1 links over microwave; our equipment had some basic encryption, not very strong - about DES standard. Would need line-of-sight interception for that.

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] Slightly OT: Accessing pfSense webinterface via reverse proxy
On 18/06/2012 14:32, Gavin Will wrote:
>> Apache does, you need the ProxyPassReverse operative:
>> ProxyPass / http://172.16.45.133/
>> ProxyPassReverse / http://172.16.45.133/
>
> This is how I have it setup. It works fine if it is top level but doesn't work if I have it as a subdirectory such as
>
> ProxyPass /pf/ https://172.16.45.133/
> ProxyPassReverse /pf/ https://172.16.45.133/
>
> I also have SSLProxyEngine On since it is using https and not http. As Moshe says I will no doubt need to rewrite the links. A bit of reading into rewrites I think is needed.
>
> Many thanks all

Have you tried temporarily allowing pfSense to run on HTTP instead of HTTPS and seeing if your issues still occur? I'm not sure whether the URL re-write will work when HTTPS is in use.

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] Slightly OT: Accessing pfSense webinterface via reverse proxy
On 18/06/2012 14:14, Moshe Katz wrote:
> On Mon, Jun 18, 2012 at 8:59 AM, Gavin Will <gavin.w...@exterity.com> wrote:
>> Hi there,
>>
>> I'm sure this is an apache rewrite issue and nothing with PF sense. I am wanting to gain access to the PFsense web interface via an apache reverse proxy. It works fine if it is top level. However when I try and set the reverse proxy to https://remotesite.com/pf/ I can only get to the login page and there is no css / styles applied. I tried to add an alternate hostname of remotesite.com/pf/ but it said it isn't a valid domain which I know is true, I didn't know if it could handle the /pf/ part.
>>
>> Has anyone set this up before? I am aware I can access pfSense on different ports but would prefer to use the reverse proxy route.
>>
>> Cheers
>> Gavin
>
> Hello,
>
> pfSense uses absolute path URLs (i.e. starting with a slash but without the domain name; view the source of the page to see this), so you would need your proxy to rewrite links on the page. Your proxy may or may not support this.
>
> Moshe

Apache does, you need the ProxyPassReverse operative:

ProxyPass / http://172.16.45.133/
ProxyPassReverse / http://172.16.45.133/

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
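What Moshe describes in the two messages above (pfSense pages use root-relative URLs, so under a sub-path the login page loads but its stylesheet links still point at `/...`) as an added Python example; it is not Apache's, pfSense's or the thread's code. `rewrite_headers` does the part `ProxyPassReverse` covers, which is only the `Location`, `Content-Location` and `URI` response headers. `rewrite_body` does the part a body filter has to do (in Apache that is mod_proxy_html or a similar module): prefix root-relative `href`, `src` and `action` attributes with the proxy sub-path while leaving protocol-relative `//host/` links and already-prefixed links alone. The sub-path `/pf` and the hosts come from the thread; the sample HTML is constructed.

```python
"""Rewrite root-relative links so a backend that assumes '/' can be served under '/pf/'.

Added example: a regex-based body rewriter plus the header fix-up ProxyPassReverse does.
"""
import re
from typing import Dict

PREFIX = "/pf"   # assumption: the sub-path chosen for the proxy, as in ProxyPass /pf/

# href="/x", src='/x.css', action=/login.php (unquoted) ... but not "//host/x" (protocol-relative).
_ATTR_RE = re.compile(
    r'''(?P<attr>(?<![\w-])(?:href|src|action)\s*=\s*)'''   # attribute name and '=' (not data-href)
    r'''(?P<q>["']?)'''                                     # optional opening quote
    r'''(?P<path>/(?!/)[^"'\s>]*)''',                       # root-relative path, stop at quote/space/'>'
    re.IGNORECASE,
)


def rewrite_body(html: str, prefix: str = PREFIX) -> str:
    """Prefix root-relative link attributes; leave absolute, protocol-relative and prefixed ones."""
    def sub(m: "re.Match[str]") -> str:
        path = m.group("path")
        if path == prefix or path.startswith(prefix + "/"):
            return m.group(0)                 # already under the sub-path: do not double-prefix
        return f"{m.group('attr')}{m.group('q')}{prefix}{path}"
    return _ATTR_RE.sub(sub, html)


def rewrite_headers(headers: Dict[str, str], backend: str, public: str) -> Dict[str, str]:
    """The ProxyPassReverse part: map backend URLs in redirect-style headers to the public URL."""
    out = dict(headers)
    for h in ("Location", "Content-Location", "URI"):
        if h in out and out[h].startswith(backend):
            out[h] = public + out[h][len(backend):]
    return out


if __name__ == "__main__":
    # Constructed page fragment in the style Moshe describes: root-relative stylesheet and links.
    page = ('<link rel="stylesheet" href="/themes/example/all.css">'
            '<a href="/index.php">Login</a><img src=/logo.png>'
            '<script src="//cdn.example/lib.js"></script>')
    print(rewrite_body(page))
    print(rewrite_headers({"Location": "https://172.16.45.133/index.php"},
                          "https://172.16.45.133/", "https://remotesite.com/pf/"))
```

The header function mirrors `ProxyPassReverse /pf/ https://172.16.45.133/`; the body function is the piece that directive never does, which is why the login page renders without CSS in the original question. Cookie paths are a third case (`ProxyPassReverseCookiePath` in Apache) and would need the same prefixing if the backend scopes its session cookie to `/`.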
Re: [pfSense] Block URL
On 18/06/2012 13:14, Pankaj Kumar wrote:
> Hi
> I am using PfSense 2.0.1-RELEASE, I want to block facebook, twitter, torrentz download please let me know what packages should i install ?
> Thank you

Torrents use a protocol that is specifically designed to bypass methods to control it.

To be honest, rather than attempt to block individual types of traffic, you would be better off putting in a policy that blocks all traffic and then allows legitimate traffic. Squid and DansGuardian would be good starting points for this.

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] Routing problem pfsense 2.0.1-RELEASE
On 29/05/2012 14:50, Ronald Pérez wrote:
> Any ideas? thanks!
>
> On Wed, May 23, 2012 at 12:36 PM, Ronald Pérez <ronald.pe...@fon.com> wrote:
>> Hi All,
>>
>> I'm hitting a really curious problem, let me explain, this is the topology:
>>
>> Out_Server (Public side) -- PFSENSE -- (Private side) -- In_Server
>>
>> When traffic goes from public to private side we apply a port forwarding and the request reaches the "In_Server" perfect, but the reply from this "In_Server" goes through the firewall default gateway in place of the static route already configured, it's like the default gateway overrides the static route.
>>
>> However, if we send traffic from private to public side there is an Outbound NAT, the request reaches the firewall and then is sent through the static route correctly, then the reply from "Out_Server" reaches the "In_Server" perfect.
>>
>> Maybe i'm missing something but, why does pfsense use the static route when traffic goes from private to public side, but when it has to reply to a request that first comes from public to private side it doesn't?
>>
>> Any idea?

You might want to do a packet capture on your Public and Private interfaces to make sure that the NAT is doing what you expect it to. Then you can probably work through the problem yourself.

--
Regards, Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] pfsense on sun v100 server
On 10/05/2012 14:00, Hugo Heykers wrote:
> Hey,
> Has anyone an idea if it would be possible to install pfSense on a Sun V100 server, which runs Solaris 10? I would like to use this server as my gateway/firewall/router/webserver... and perhaps some other services too. I bought it because of its low power consumption, and now want to use it as "a medium" between my ISP and my home LANs. I am totally new to pfSense, but was recommended to it by a student at school (by the way, I am 51 yrs). Hope to hear some positive news!

My understanding is that pfSense is a FreeBSD variant distribution that is only designed to run on x86 / x86_64 hardware. Do you intend to virtualize it on your UltraSPARC IIi processor in an x86 / x86_64 emulator?

Thanks

--
Best Regards,
Giles Coochey, CCNA Security, CCNA
NetSecSpec Ltd
giles.cooc...@netsecspec.co.uk
Tel: +44 (0) 7983 877 438
Live Messenger: gi...@coochey.net
http://www.netsecspec.co.uk
http://www.coochey.net
Re: [pfSense] Hotel setup $$
My general contract rate for any hands-on network work translates to about $80 per hour. You should ballpark a similar figure as your labour costs. Then add equipment costs / standing charges etc... I think as long as you itemise your invoice and charge your fair rate (assuming it takes you 4 hours because there is 4 hours of work and you're not spending that time trying to work out what to do or how the product you're selling should work) then the price is fair; if you charge less then you're selling yourself short.

On 03/05/2012 02:28, Andrew @ ATMlogic.ca wrote:
> Just wondering if some of you are willing to give me an idea what you charge for a pf setup for hotel wireless (or RV park etc). I have done a few of them but really... I just charge whatever I think the market will bear ;-) (Sadly, in some cases I spend 4 hours on setup and pocket about $100.00.)
>
> In the most common example I am using the Net4801 and a single Ubiquiti NanoStation2. The end user gets the two units, and an email with a few thousand voucher numbers in CSV format (often set up in 1hr, 1day, 3day, 1week, 1month). So, in that example, hardware costs aside, what would you charge including 1 hour of training, but no mounting of hardware? I am going to guess they have a maintenance person, and he should be able to figure out how to run wire for a SINGLE unit.
>
> ---
> Andrew
> ATM Logic
> Never memorize something that you can Google

--
Best Regards,
Giles Coochey, CCNA Security, CCNA
NetSecSpec Ltd
giles.cooc...@netsecspec.co.uk
Tel: +44 (0) 7983 877 438
Live Messenger: gi...@coochey.net
http://www.netsecspec.co.uk
http://www.coochey.net
Re: [pfSense] port forwarding LAN to LAN
On 01/05/2012 15:55, Nelson Serafica wrote:
> I'm sorry. Where could I find that? Is that under Firewall -> NAT?

Actually, looking at this more closely, it probably isn't what you're looking for, but it's in the Advanced firewall or networking tabs.

> On Tue, May 1, 2012 at 10:44 PM, Giles Coochey wrote:
>> Have you tried toggling the 'Static Route Filtering' option in the Advanced settings?

--
Best Regards,
Giles Coochey, CCNA Security, CCNA
NetSecSpec Ltd
giles.cooc...@netsecspec.co.uk
Tel: +44 (0) 7983 877 438
Live Messenger: gi...@coochey.net
http://www.netsecspec.co.uk
http://www.coochey.net
Re: [pfSense] port forwarding LAN to LAN
On 01/05/2012 15:30, Nelson Serafica wrote:
> I've got pfSense with port forwarding running fine if the rule is WAN to LAN, but if the rule is LAN to LAN it doesn't work. I'm using DSL and if the WAN is down, local users cannot access the server because the IP on the WAN is not available. To resolve this issue, I use a dynamic forwarder and point the domain to the LAN interface of pfSense and create a NAT rule from the LAN interface redirecting port 587 to Server A port 587. Server A is in the same subnet as the LAN interface, e.g. the LAN interface is 10.0.1.1 and I want to port forward 10.0.1.1 port 587 to 10.0.1.2 port 587. Is this possible?

Have you tried toggling the 'Static Route Filtering' option in the Advanced settings?

--
Best Regards,
Giles Coochey, CCNA Security, CCNA
NetSecSpec Ltd
giles.cooc...@netsecspec.co.uk
Tel: +44 (0) 7983 877 438
Live Messenger: gi...@coochey.net
http://www.netsecspec.co.uk
http://www.coochey.net
[pfSense] THREAD HIJACK
Just a note: when starting a new thread or question, can you please not reply to an existing email and modify the subject. Some of us with threaded mail readers might be ignoring the existing thread you hijack, and therefore not see your query and not be able to help you out. If you need to, copy the email address and compose a new message.