Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread James
Sorry, mine was indeed on 2.4.X. The daemon appeared to start up but any 
queries returned no records.



On Thu, 5 Apr 2018, at 11:20 AM, Steve Yates wrote:
> Wild guess, but did you try it in 2.4.x?
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List  On Behalf Of Bryan D.
> Sent: Wednesday, April 4, 2018 8:01 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: [pfSense] DNS over TLS config for pfSense 2.2.6
> 
> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
> ---
> Applying the suggested "Custom Options" to the Unbound/DNS Resolver 
> configuration in pfSense 2.2.6 does not work, with logs indicating that 
> "forward-ssl-upstream" is invalid.
> 
> I tried various incantations using "server:ssl-upstream: yes" 
> with and without "ssl-port: 853" and, although the unbound service would 
> then run, a DNS/host query always indicated that no hosts were found.
> 
> Does anyone know a configuration that will work with pfSense 2.2.6?
> 
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
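The failures in this thread are all about option names and ports: the forward-zone option is `forward-tls-upstream` (with `forward-ssl-upstream` as the older alias, and an Unbound too old to know either rejects the config, which is the "invalid" log entry Bryan saw), the upstream has to be addressed as `host@853`, and, as I read the Unbound documentation, without `tls-cert-bundle` plus a `#authname` on the forward-addr the TLS session is encrypted but the upstream's certificate is never verified. Added example, not code from the thread or from the Netgate article: a lint for the "Custom Options" text. The address 192.0.2.53, the name dns.example.net and the bundle path are placeholders, and the parser handles only the `section:` and `key: value` subset of unbound.conf syntax that such fragments use.

```python
"""Lint an Unbound DNS-over-TLS 'Custom Options' fragment. Added example; not
pfSense project code. A '#' starts a comment only at a token boundary, because
inside a forward-addr it introduces the TLS authentication name."""
import re
from typing import Dict, List, Tuple

# Unbound accepts both spellings; the ssl-* names are the older aliases.
ZONE_TLS_KEYS = ("forward-tls-upstream", "forward-ssl-upstream")
GLOBAL_TLS_KEYS = ("tls-upstream", "ssl-upstream")
BUNDLE_KEYS = ("tls-cert-bundle", "ssl-cert-bundle")

Section = Tuple[str, List[Tuple[str, str]]]


def parse_unbound(text: str) -> List[Section]:
    """Return [(section, [(key, value), ...]), ...] in file order."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):        # 'server:' / 'forward-zone:'
            sections.append((line[:-1], []))
            continue
        if not sections:                            # keys before any header
            sections.append(("server", []))
        key, _, value = line.partition(":")
        sections[-1][1].append((key.strip(), value.strip()))
    return sections


def lint_dot_config(text: str) -> List[str]:
    """Return findings per forward-zone; an empty list means the zone forwards
    over TLS to port 853 with a CA bundle and an auth name for verification."""
    sections = parse_unbound(text)
    server: Dict[str, str] = {}
    for name, kvs in sections:
        if name == "server":
            server.update(kvs)
    bundle = any(server.get(k) for k in BUNDLE_KEYS)
    findings: List[str] = []
    for name, kvs in sections:
        if name != "forward-zone":
            continue
        opts = {k: v for k, v in kvs if k != "forward-addr"}
        zone = opts.get("name", "?").strip('"')
        tls = (any(opts.get(k) == "yes" for k in ZONE_TLS_KEYS)
               or any(server.get(k) == "yes" for k in GLOBAL_TLS_KEYS))
        if not tls:
            findings.append(f"zone {zone}: forwards in plaintext "
                            f"(no forward-tls-upstream: yes)")
            continue
        for addr in (v for k, v in kvs if k == "forward-addr"):
            host, _, rest = addr.partition("@")
            port, _, authname = rest.partition("#")
            if port != "853":
                findings.append(f"zone {zone}: {host} lacks @853, TLS would be "
                                f"attempted on port {port or '53'}")
            if not authname:
                findings.append(f"zone {zone}: {host} has no #authname, so the "
                                f"upstream certificate is never matched to a name")
        if not bundle:
            findings.append(f"zone {zone}: tls-cert-bundle is unset, the TLS "
                            f"session is encrypted but unauthenticated")
    return findings


# Constructed fragments; 192.0.2.53, dns.example.net and the path are placeholders.
WEAK = """\
server:
  ssl-upstream: yes
forward-zone:
  name: "."
  forward-addr: 192.0.2.53
"""

HARDENED = """\
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 192.0.2.53@853#dns.example.net
"""
```

`lint_dot_config(WEAK)` reports the missing `@853`, the missing auth name and the missing bundle; `lint_dot_config(HARDENED)` returns nothing. The bundle path differs between pfSense releases, so check what the box actually ships before copying the hardened fragment.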


Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread James
Yeah, I ran into this as well. It just caused me to not be able to resolve 
anything :(



On Thu, 5 Apr 2018, at 11:01 AM, Bryan D. wrote:
> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
> ---
> Applying the suggested "Custom Options" to the Unbound/DNS Resolver 
> configuration in pfSense 2.2.6 does not work, with logs indicating that 
> "forward-ssl-upstream" is invalid.
> 
> I tried various incantations using "server:ssl-upstream: yes" 
> with and without "ssl-port: 853" and, although the unbound service would 
> then run, a DNS/host query always indicated that no hosts were found.
> 
> Does anyone know a configuration that will work with pfSense 2.2.6?
> 
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Nat between vlans

2018-03-30 Thread James Ronald
Yılmaz,

Sorry, but why not attach the Airprint to both VLANs?

- Jim

Regards,

*James Ronald*
Drew Technologies, Inc.
3915 Research Park Dr Ste 10A
Ann Arbor, MI 48108
734-222-5228 x617
www.drewtech.com

On Fri, Mar 30, 2018 at 1:58 PM, Raphaël RIGNIER <r.rign...@leschartreux.net> wrote:

> On 30/03/2018 at 19:03, Yılmaz Bilgili wrote:
>
>> Thank you for your reply. Especially IOS devices can not find others if
>> they are not on the same subnet. This is why I want this way.
>>
>>
> Native Access is difficult, as Airprint uses the Bonjour Protocol which works
> only on the same subnet.
> Bonjour is a Multicast protocol. You'll have to play with filter Rules with
> advanced "allow ip options" checked and set IGMP proxy correctly. I have
> never done this on pfsense.
>
> The only success I had with multicast routing is with a Linux box and pimd
> service. It works to deploy Os images via multicast between the server and
> desktop's subnets.
>
> --
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread James Ronald
What is the default gateway of the destination (is there a route back to
pfSense)?

- Jim

On Mon, Feb 12, 2018 at 1:46 PM, Marco  wrote:

> On Mon, 12 Feb 2018 11:59:09 -0600
> Steven Spencer  wrote:
>
> > On 02/12/2018 11:43 AM, Marco wrote:
> > > On Mon, 12 Feb 2018 10:21:08 -0600
> > > Steven Spencer  wrote:
> > >
> > >> On 02/11/2018 03:29 PM, Marco wrote:
> > >>> On Sun, 11 Feb 2018 20:46:41 +
> > >>> "Joseph L. Casale"  wrote:
> > >>>
> >  -Original Message-
> >  From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> >  Chris L Sent: Sunday, February 11, 2018 1:43 PM
> >  To: pfSense Support and Discussion Mailing List
> >   Subject: Re: [pfSense] Port forwards
> >  don't work on one machine
> > 
> > > What interface is that taken on? Take one on the interface the
> > > destination server is connected to (WLAN?) and test again. While
> > > you’re capturing also do another Diagnostics > Test Port from
> > > the local pfSense itself. Please include the capture of both
> > > events (from outside and using test port.)
> > >
> > > It looks like the server is not responding.
> >  I'd also suggest running a capture on the destination, if it's
> >  actually receiving traffic and/or sending it elsewhere (routing
> >  rule) this will provide some insight.
> > >>> I ran a wireshark on the destination and it received packets when
> > >>> “port testing” from the pfSense, but not when using external
> > >>> access (e.g. canyouseeme.org)
> > >>>
> > >>> Marco
> > >> Marco,
> > >>
> > >> Just curious, but what is the target machine's OS?
> > > The actual server is FreeBSD, but I run the tests with a Linux
> > > laptop as the behaviour is the same.
> > >
> > > Marco
> >
> > I know you've stated that you have no firewall on these machines. So
> > iptables -L shows empty on the Linux laptop
>
>   Chain INPUT (policy ACCEPT)
>   target prot opt source   destination
>
>   Chain FORWARD (policy ACCEPT)
>   target prot opt source   destination
>
>   Chain OUTPUT (policy ACCEPT)
>   target prot opt source   destination
>
> > No selinux in play on the Linux
> > laptop
>
> No selinux in use.
>
> > I looked at your screen shots and I can't see anything that leaps
> > out at me. We have a number of PfSense firewalls in use (15)
> > within our organization and I've used port forwarding on every one
> > of them and have never run into a problem-unless the receiving
> > machine refuses the connection.
>
> Same here. Not that I'm a network expert, but I've set up five
> pfSense installations and port forwarding has always been an easy
> task which worked by just configuring the NAT rule.
>
> If the receiving machine refuses the connection, I would not be able
> to successfully "port test" it from the pfSense box and I would see
> incoming packets with wireshark (I believe). Therefore, I suspect an
> issue with the port forwarding.
>
> > I've been bitten by selinux before and more recently, by firewalld.
>
> Not installed and (therefore I hope) not used.
>
> Thanks for the support and confirming that it's not something
> obvious. Will investigate later.
>
> Marco
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
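Marco's two observations (a port test run from pfSense itself reaches the host, an external test does not, and the host firewall is empty) are consistent with a return-path problem, which is what James Ronald's default-gateway question probes: if the target's reply to an outside address leaves through some other router, pfSense never sees it and the forward looks dead from the outside. As an added example, not from the thread, this script models that check against the target host's routing table. The three-column table format is a constructed simplification of `netstat -rn` output, and 192.168.1.1 (pfSense LAN) and 198.51.100.7 (external tester) are placeholder addresses.

```python
"""Check whether a port-forward target can answer back through pfSense.
Added example, not from the thread. Routing table lines are
'destination gateway interface' with '*' meaning on-link; this is a
constructed simplification of 'netstat -rn' output."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


def parse_routes(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.strip().splitlines():
        dest, gw, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0/0"
        gateway = None if gw == "*" else ipaddress.IPv4Address(gw)
        routes.append((ipaddress.IPv4Network(dest, strict=False), gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, which is how the host picks its reply route."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def return_path(routes: List[Route], src_ip: str, pfsense_lan_ip: str) -> Tuple[bool, str]:
    """Say where the target's reply to src_ip goes and whether pfSense sees it."""
    route = lookup(routes, src_ip)
    if route is None:
        return False, f"no route back to {src_ip} at all"
    net, gw, iface = route
    if gw is None:
        # The pfSense 'Test Port' case: the tester is on the LAN, reply is direct.
        return True, f"{src_ip} is on-link via {iface}; the reply goes straight back"
    if gw == ipaddress.IPv4Address(pfsense_lan_ip):
        return True, f"reply leaves via pfSense {gw} on {iface}; the NAT state matches"
    return False, (f"reply leaves via {gw} on {iface}, bypassing pfSense: "
                   f"asymmetric return path, the forward looks dead from outside")


# Constructed tables; in ASYMMETRIC the default route points at another router.
ASYMMETRIC = """
default          192.168.1.254   em0
192.168.1.0/24   *               em0
"""
FIXED = """
default          192.168.1.1     em0
192.168.1.0/24   *               em0
"""
```

With `ASYMMETRIC`, `return_path(..., "192.168.1.1", "192.168.1.1")` succeeds (the on-link case that makes the pfSense port test pass) while `return_path(..., "198.51.100.7", "192.168.1.1")` fails, which is exactly the split Marco describes; with `FIXED` both succeed.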

[pfSense] Recipe to safely allow remote SIP phones to connect a local asterisk PBX?

2015-12-23 Thread James Ronald
Is anyone aware of a pfSense config/recipe to safely allow remote SIP
phones to connect a local asterisk PBX?

Regards,

*James Ronald*
<http://www.drewtech.com>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Notification about soon-to-expire certificates

2015-06-19 Thread James Records
This would be useful, I've made a monitoring tool (still unofficial until I
figure out how to get it in the proper package repo) here that I might play
with and see if I can get an alert set up for this by simply loading the
cert page and parsing the expire date.

http://www.reddit.com/r/PFSENSE/comments/2x7gni/monitoring_pfsense_with_monitmmonit/

Jim



On Fri, Jun 19, 2015 at 7:38 AM, Steve Yates st...@teamits.com wrote:

 Philipp Tölke wrote on Thu, Jun 18 2015 at 9:19 am:

  Is there a way for pfSense to warn us by email if a certificate will
  expire soon so that we can replace them before it's too late?

 Our ticketing software tracks items like that and creates a ticket
 for renewal.  Perhaps a recurring appointment in Outlook?

 --

 Steve Yates
 ITS, Inc.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] polling pfsense status for a combined dashboard

2015-01-27 Thread James Records
Not sure if this is exactly what you're asking but I have a dashboard setup
for pf logs, I made a reddit post about it a while back:

http://www.reddit.com/r/PFSENSE/comments/2rlm8h/pfsense_docker_elk/

I also use nagios (which I was going to try to package in docker as well
when I get around to it) which essentially uses the NRPE plugin to get some
metrics out of pfsense, it does provide some graphing of cpu/memory
utilization.

Also I've been looking into monit lately, someone should make a monit
package for pfSense :)

Thanks,

On Tue, Jan 27, 2015 at 8:55 AM, Wolf Noble w...@wolfspyre.com wrote:

 I'm sure this has been asked, but I've not found anything in the few
 minutes I poked around on the forums/google.

 I'm looking to pull some metrics from my pfSense firewall to display on a
 dashboard. I was wondering what my options are for API-esque access, or
 curl-able graph images with authentication handled by a token conveyed via
 a header.

 What are others doing?

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-10 Thread James Bensley
Further to what Walter has said - Double NATB!
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Network Traffic Monitoring w/o Webgui

2014-04-08 Thread James Caldwell
I tried hunting this package down in the webgui this morning and I wasn't able 
to find it.  I ended up going to shell and changing the environment variable 
'PACKAGESITE' using the following command 'setenv PACKAGESITE 
http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname 
-m`/packages-8.1-release/Latest/.  Once done, I was able to install iftop no 
problem.  (Credit for the command goes to nooblet.org)

On to the Cacti comment; that's a really good idea Walter.  Having a way to 
manage historical data would be great.  I'm fairly new to the BSD world still, 
how difficult is it to piece together one of these solutions.  I understand 
that the webgui helps quite a bit but initially I've heard monitoring solutions 
can be a bit of a nightmare to get working properly initially.  Is this 
something that could or should be combined with a syslog type solution so that 
we're not only gathering network data but also logs/health from the routers 
themselves?  Any tips here before I dive headlong into this?

Thanks,
James

From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck Mariotti
Sent: April-07-14 1:04 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Network Traffic Monitoring w/o Webgui

It's been a few years, but a simple windows version...

http://oss.oetiker.ch/mrtg/


From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Walter Parker
Sent: April-07-14 2:06 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Network Traffic Monitoring w/o Webgui

Sorry,

FOSS = Free/Open Source Software (what MRTG, Linux, FreeBSD, pfSense are, as 
different from what Microsoft or HP sell)

Cacti is a web based system, from http://www.cacti.net/, that uses the 
technology that powers MRTG to build a nice web based system that monitors 
network equipment. Unlike MRTG, which has to be configured by hand, Cacti 
allows you to add hosts through the web interface (like how pfSense does all 
the pf stuff through the web rather than requiring you to edit config files). 
It is pretty simple to setup, assuming you have a FreeBSD or Linux systems and 
can install the package or port.

I've used it on networks to monitor all of the traffic on the routers, on the 
servers and even on the switch ports (that requires a switch with SNMP 
counters, usually known as a managed switch).

There are also commercial systems that do the same thing, but they quickly 
become expensive (1000's to 10,000's dollars) as the size of your network grows.


Walter



On Mon, Apr 7, 2014 at 10:47 AM, Brian Caouette bri...@dlois.com wrote:
What is Cacti? FOSS?


On 4/7/2014 1:42 PM, Walter Parker wrote:
I'd expect that you should be able to enable SNMP, set a non default password 
(please don't use public) and add a firewall rule to allow UDP on port 161 
to/from your mrtg server. I'd recommend using Cacti as your mrtg server (if you 
want a FOSS solution).


Walter

On Mon, Apr 7, 2014 at 10:23 AM, Brian Caouette bri...@dlois.com wrote:
What about using mrtg to graph the various interfaces? Does PF support this?


On 4/7/2014 12:54 PM, Jim Pingle wrote:
On 4/7/2014 12:29 PM, James Caldwell wrote:
Happy Monday list...

Does anyone have a preferred way of monitoring over all traffic throughput for 
various interfaces via shell/putty instead of having to remain logged in to the 
webgui?  I have several alix based appliances that have had their ISP 
connections upgraded and I am trying to remain outside the web interface as 
much as possible due to the load that it puts on the system.

Any thoughts or experience is appreciated.
The iftop package is great for this.

Install it from the GUI and then from the shell run it like so:

iftop -nNpPi vr0

(Serving suggestion, salt to taste)

Jim



--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, 
well-meaning but without understanding.   -- Justice Louis D. Brandeis


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Freezing Entering NAT Rules

2014-02-28 Thread James Caldwell
Turned out to be bad/dieing hardware.  Replaced the firewall with a new Dell 
server and everything is back to normal.

Thanks,
James

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Chris Buechler
Sent: February-23-14 6:16 PM
To: pfSense support and discussion
Subject: Re: [pfSense] Freezing Entering NAT Rules



On Sunday, February 23, 2014, James Caldwell jamescaldw...@hurricanecs.com wrote:
Has anyone ever experienced the gui hang or get very sluggish entering NAT 
rules and subsequently applying changes afterwards?


Sounds like what would happen if you have a gateway down and state killing 
enabled.



--
Sent from my phone, please excuse any typos or excessive brevity.


[pfSense] Freezing Entering NAT Rules

2014-02-23 Thread James Caldwell
Has anyone ever experienced the gui hang or get very sluggish entering NAT 
rules and subsequently applying changes afterwards?

James
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Possible MTU/PMTU/MSS issue with HE IPv6 tunnel over PPPoE DSL connection

2014-02-11 Thread James Conner
Check again. I found that the new servers that google deployed were not
working properly. They would receive the PMTU "packet too big" packet and
would not scale down. They had over 200 servers that had a problem.



___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] cipher suites and NIST

2013-10-11 Thread James A. Donald


There is a smoking gun on one of the random number generators.

There is strong circumstantial evidence, reason for suspicion, on 
suggested Suite B.


AES and SHA look to be fine, but using them gives the appearance to end 
users that you might be playing footsie with NIST. Cryptographer Jon 
Callas has therefore made Twofish and Skein the default for Silent Circle.


I recommend that everyone follow Jon Callas on symmetric cryptography, 
and DJ Bernstein on asymmetric cryptography.  The best people are 
putting as much distance as possible between themselves and NIST.


Oh, and about tinfoil hats:

There really is a great big government conspiracy, and they really are 
out to get you.  Tinfoil hats may not be effectual, but Bernstein's 
curve25519 will help.



___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
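As an added illustration of the curve25519 recommendation in this post (my code, not the poster's and not Bernstein's implementation), here is X25519 as specified in RFC 7748 in pure Python: the Montgomery ladder with a branch-free conditional swap, checked against the RFC's section 6.1 Alice/Bob test vectors. It is for reading, not for use: Python big integers are not constant-time, which is precisely the property the real implementations exist to provide.

```python
"""X25519 (RFC 7748) in pure Python. Added example; educational only, since
Python integer arithmetic leaks timing. Use libsodium/NaCl for real traffic."""
P = 2**255 - 19
A24 = 121665
BASE_U = 9


def _clamp(k: int) -> int:
    """decodeScalar25519: clear bits 0-2 and 255, set bit 254."""
    k &= ~7
    k &= (1 << 255) - 1
    k |= 1 << 254
    return k


def _cswap(swap: int, a: int, b: int):
    """Conditional swap by masking rather than branching, as in the RFC."""
    mask = -swap                      # swap is 0 or 1 -> mask is 0 or all ones
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on the Montgomery curve; both inputs are 32 bytes."""
    k = _clamp(int.from_bytes(scalar, "little"))
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)   # drop the top bit
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):                               # 255 ladder steps
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASE_U.to_bytes(32, "little"))


def shared_secret(my_private: bytes, their_public: bytes) -> bytes:
    out = x25519(my_private, their_public)
    if out == bytes(32):              # RFC 7748 6.1: reject a low-order peer point
        raise ValueError("all-zero shared secret, peer public key is low order")
    return out


# RFC 7748 section 6.1 test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def rfc7748_selftest() -> bool:
    """True when both public keys and the shared secret match the RFC vectors."""
    return (public_key(ALICE_PRIV) == ALICE_PUB
            and public_key(BOB_PRIV) == BOB_PUB
            and shared_secret(ALICE_PRIV, BOB_PUB) == SHARED
            and shared_secret(BOB_PRIV, ALICE_PUB) == SHARED)
```

The clamping step and the all-zero check are the two details implementations most often get wrong when they roll their own; the point of Bernstein's design is that there are no curve-point validity checks beyond these for a caller to forget.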


Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!

2013-09-15 Thread James Caldwell
Fantastic job all, keep up the great work!  My team and I are extremely 
appreciative as always.

James

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Chris Buechler
Sent: September-15-13 2:50 AM
To: pfSense support and discussion; d...@lists.pfsense.org
Subject: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!

I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription, 
including immediate PDF download to the updated 2.1 book for subscribers!

Check out the announcements on our blog.

http://blog.pfsense.org/?p=712 - 2.1-RELEASE
http://blog.pfsense.org/?p=718 - Gold Subscription

Thanks for your support!

Chris
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] pfsense cannot find suitable hard drive to install on

2013-06-11 Thread James Caldwell
This may be a stupid question but are you looking in the motherboard bios or 
the raid card bios?


Regards,

James

Sent from my BlackBerry

From: pfu...@hushmail.com [mailto:pfu...@hushmail.com]
Sent: Tuesday, June 11, 2013 10:43 PM
To: pfSense support and discussion list@lists.pfsense.org
Subject: Re: [pfSense] pfsense cannot find suitable hard drive to install on

It seems the bios cannot see any hard drives.  At this point I'm honestly not 
sure what to do. I tried with a third drive too, what are the chances i got 3 
bad drives

On 6/11/2013 at 9:21 PM, pfu...@hushmail.com wrote:
Good to know it should work. If only I can get it to actually work.  It has 2 
drives which I doubt both are bad so it's got to be some configuration.  I just 
wish I knew what I was doing.

On 6/11/2013 at 9:08 PM, Moshe Katz mo...@ymkatz.net wrote:
On Tue, Jun 11, 2013 at 11:48 PM, pfu...@hushmail.com wrote:
I recently traded some old computer equipment for an HP Proliant DL360 G3. Its 
a nice little rackmount with dual Intel Xeon 2.8GHz processors 3 onboard 
gigabit NIC's and a PCI-X bus and 2 PCI-X expansion slots. Its light on RAM at 
only 512MB but thats easy to add to. So from what I could tell I should be able 
to get good thoughput with this machine running pfsense.

I go to install as all the text flies past on my screen I notice several lines 
say something like

acd0: FAILURE - READ BIG ILLEGAL REQUEST (some number I did not write down, not 
sure if this error message is relevant, I can try to catch the rest of the 
message and write it down if anyone needs it)

I get that for about 4 or 5 lines but then everything continues fine. I select 
the option to install pfsense and I get an error stating I do not have any 
suitable IDE or SCSI drives to install pfsense on. I have two SCSI drives on, 
the only thing I can think is neither is big enough to install pfsense onto as 
they are smaller drives. I could not find hard drive space requirements online 
for pfsense, what does it need? The problem is HP has a warning right on the 
case that you are only supposed to use HP Universal U320 SCSI drives or server 
damage may result, which these are the only compatible drives I have. My second 
guess is maybe since the HP SCSI drives are so special maybe they don't work 
with pfsense.

Any ideas?


If you look around online, you will find the acd0 ... message is referring to 
read errors on the CD drive and that having some of these errors is entirely 
normal (though having too many means that either the disc is bad or the drive 
is bad).  You might try burning a new copy of the CD, perhaps with a different 
brand of blank CD, to see if it helps.

As far as your problem with finding an available hard drive on which to 
install, I doubt that it is a pfSense issue because FreeBSD 8 (on which pfSense 
is based) is known to work on the Proliant DL360 G3.  The hard drives are not 
special at all - they are standard SCSI Ultra320 drives on a fancy HP sled 
(the only purpose of which is to make it easier to swap them).  I would check 
if the machine is doing some kind of weird RAID setup (or has some kind of RAID 
misconfiguration) that is preventing drives from showing up.  I would also 
check if there is some kind of Hard Drive health test (either built in to the 
BIOS or RAID controller, or on a live CD) to make sure that the drives are 
working properly.

As far as Hard Drive size, pfSense can be installed on drives as small as 1GB 
(though more is recommended as log files grow over time), so the size of your 
drives should not be an issue.

If you do need to get a new drive, the drives for this machine can be found 
very cheaply on eBay, as many companies are now retiring the generation of 
servers that used Ultra320 drives.

Moshe

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Full Backup/Restore for pfSense

2013-05-04 Thread James Records
I'm experimenting with something like this (from pfsense box):

dd if=/dev/sd0 | gzip | ssh user@host dd of=/tmp/pfsense_bkup.gzip

Technically the box will boot and load the needed packages, but if you're
doing many boxes and package installation is slow, there is a decent need
for something like this.

I netboot alix boxes and grab the default pfsense embedded image over ftp
and pipe it to dd to get it on the cf, but it would save me a bunch of
time, if this above method works of package installs, its not that big of
deal when doing 1-2 boxes but now I've got a project that is going to need
~35, so a templatized image is a much better solution for me than normal
configs.

-- 
James Records | Principle Network Engineer

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com



On Sat, May 4, 2013 at 9:32 AM, Odhiambo Washington odhia...@gmail.com wrote:

 What I wanted is not just the config, but everything. Say I have installed
 packages as well and I do not want to go through that again on the next
 pfSense box I am building. I only want to change a few configs like LAN/WAN
 IP/Subnets and the names. I am thinking of a situation where I am to deploy
 a number of boxes which only differ in those aspects but have same
 functions.


 On 4 May 2013 18:59, Ermal Luçi ermal.l...@gmail.com wrote:




 On Sat, May 4, 2013 at 5:17 PM, Odhiambo Washington odhia...@gmail.com wrote:

 Hi Jim,

 Diagnostics > Backup/Restore only handles configuration backup. I am
 talking about the BSD dump/restore for the whole disk - if that elaborates
 my needs.


 What it does not handle when restoring a config backup to a new
 installation?






 On 4 May 2013 17:20, Jim Spaloss jspal...@gmail.com wrote:

 But they are included.

 Look under Diagnostics > Backup/Restore. This feature has been there
 since M0n0wall, although its functionality has been enhanced in pfSense.
 On May 4, 2013 5:32 AM, Odhiambo Washington odhia...@gmail.com
 wrote:

 Again, at the risk of being so uninformed, I'd like to ask why
 dump/restore are not part of pfSense.
 Would the inclusion increase the distro size beyond expectations?

 I am thinking that I could use dump/restore to create several
 instances/installs of pfSense without necessarily having to go on an
 installation/customization spree for packages.



 --
 Best regards,
 Odhiambo WASHINGTON,
 Nairobi,KE
 +254733744121/+254722743223
 I can't hear you -- I'm using the scrambler.







 --
 Best regards,
 Odhiambo WASHINGTON,
 Nairobi,KE
 +254733744121/+254722743223
 I can't hear you -- I'm using the scrambler.





 --
 Ermal





 --
 Best regards,
 Odhiambo WASHINGTON,
 Nairobi,KE
 +254733744121/+254722743223
 I can't hear you -- I'm using the scrambler.



___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
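Odhiambo's stated requirement, a number of boxes that differ only in LAN/WAN addresses and names, can be met on the configuration side rather than the disk-image side: keep one config.xml as the template and stamp the per-box values into it before restoring. Added example, not pfSense project code and not what either poster used; the element paths (system/hostname, interfaces/lan/ipaddr, interfaces/lan/subnet) are the ones I know from config.xml, but the TEMPLATE document is a constructed minimal one, not a real export.

```python
"""Stamp per-box values into a pfSense config.xml template. Added example,
not pfSense project code; TEMPLATE is a constructed minimal document."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict

TEMPLATE = """<pfsense>
  <system>
    <hostname>template</hostname>
    <domain>example.net</domain>
  </system>
  <interfaces>
    <wan><if>vr0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>vr1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
</pfsense>
"""

# Logical field -> path below the <pfsense> root. Anything not listed is
# refused, so a typo in a fleet sheet cannot silently edit the wrong element.
FIELDS = {
    "hostname": "system/hostname",
    "domain": "system/domain",
    "lan_ipaddr": "interfaces/lan/ipaddr",
    "lan_subnet": "interfaces/lan/subnet",
}


def _lan_interface(root: ET.Element) -> ipaddress.IPv4Interface:
    return ipaddress.IPv4Interface(
        f"{root.findtext('interfaces/lan/ipaddr')}/{root.findtext('interfaces/lan/subnet')}"
    )


def render(template_xml: str, box: Dict[str, str]) -> str:
    """Return the template with this box's values applied and sanity-checked."""
    root = ET.fromstring(template_xml)
    for key, value in box.items():
        if key not in FIELDS:
            raise KeyError(f"unknown field {key!r}")
        node = root.find(FIELDS[key])
        if node is None:
            raise ValueError(f"{FIELDS[key]} is missing from the template")
        node.text = str(value)
    lan = _lan_interface(root)
    # Refuse a LAN address that is the network or broadcast address.
    if lan.ip in (lan.network.network_address, lan.network.broadcast_address):
        raise ValueError(f"{lan} is not a usable host address")
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def render_fleet(template_xml: str, boxes: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """hostname -> rendered config; two boxes may not share a LAN network."""
    seen: Dict[ipaddress.IPv4Network, str] = {}
    out: Dict[str, str] = {}
    for hostname, box in boxes.items():
        doc = render(template_xml, dict(box, hostname=hostname))
        net = _lan_interface(ET.fromstring(doc)).network
        if net in seen:
            raise ValueError(f"{hostname} reuses LAN {net} of {seen[net]}")
        seen[net] = hostname
        out[hostname] = doc
    return out
```

Whichever way the template is built, note that a raw disk image duplicated with dd also duplicates every per-host secret on it (SSH host keys, the webConfigurator certificate, the admin password hash), so a cloned-image rollout needs a post-restore step that regenerates those; a config-level template avoids that class of problem.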


Re: [pfSense] Full Backup/Restore for pfSense

2013-05-04 Thread James Records
Found this:

https://github.com/pfsense/pfsense/blob/master/etc/rc.create_full_backup

https://github.com/pfsense/pfsense/blob/master/etc/rc.restore_full_backup

I'm modifying the create script to send the image to a remote server, but
this might be exactly what I want.  Would be nice to wrap some of this in
the UI, but I'm doing fine with ssh access to these commands for now.


-- 
James Records | Principle Network Engineer

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com



On Sat, May 4, 2013 at 11:18 AM, Mehma Sarja mehmasa...@gmail.com wrote:

 dd is fine unless you have a running database, like with Snort. You'd have
 to employ some sort of a dump and then dd.


 On Sat, May 4, 2013 at 11:15 AM, Mehma Sarja mehmasa...@gmail.com wrote:

 This is the perfect opportunity for *someone* to write one.


 On Sat, May 4, 2013 at 8:17 AM, Odhiambo Washington odhia...@gmail.com wrote:

 Hi Jim,

 Diagnostics > Backup/Restore only handles configuration backup. I am
 talking about the BSD dump/restore for the whole disk - if that elaborates
 my needs.



 On 4 May 2013 17:20, Jim Spaloss jspal...@gmail.com wrote:

 But they are included.

 Look under Diagnostics > Backup/Restore. This feature has been there
 since M0n0wall, although its functionality has been enhanced in pfSense.
 On May 4, 2013 5:32 AM, Odhiambo Washington odhia...@gmail.com
 wrote:

 Again, at the risk of being so uninformed, I'd like to ask why
 dump/restore are not part of pfSense.
 Would the inclusion increase the distro size beyond expectations?

 I am thinking that I could use dump/restore to create several
 instances/installs of pfSense without necessarily having to go on an
 installation/customization spree for packages.



 --
 Best regards,
 Odhiambo WASHINGTON,
 Nairobi,KE
 +254733744121/+254722743223
 I can't hear you -- I'm using the scrambler.







 --
 Best regards,
 Odhiambo WASHINGTON,
 Nairobi,KE
 +254733744121/+254722743223
 I can't hear you -- I'm using the scrambler.







___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Packet capture

2013-05-01 Thread James Records
Jason,

Sorry it took me a bit to get back to you.  Many years ago (and on OpenBSD)
I did something like this to get these logs off the box:

echo -n 'Starting PF Logging...'
ifconfig pflog0 up
( /usr/sbin/tcpdump -l -e -n -t -v -i pflog0 2>&1 | /usr/bin/logger -p
local0.info -t pf) &
echo 'done'


You'll want to modify your tcpdump statement to what you want to collect
and maybe send these to a new (separate) facility, but at that point you
can just point your logs to a remote server and you should be good to go.

I think there is a way to do a rc.local on Pfsense, though I've never done
this, but with some tweaking, you can probably get this to do what you want
without the need for remote ssh access.


-- 
James Records | Principle Network Engineer

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com



On Sun, Apr 28, 2013 at 4:16 PM, Jason Pyeron jpye...@pdinc.us wrote:

 Yeah, that is what I quoted. Once you told me about the pflog0 I googled
 it. It seems that it is not just a copy of the headers that get sent to
 that virtual interface, but it is really pflogd that truncates the packets
 when putting them in /var/log/pflog. The page lied :)

 So now I have pflog0 (updated all the rules to log) and the bridge0
 feeding in to the IPS/IDS. I don't think the jitter in the sequence between
 the two pcap streams will matter.

 As a side, do you think I should stream the pcap data by ssh or some other
 means? Would there be a more efficient means from the firewall performance
 point of view?

 -Jason

  --
 From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of James Records
 Sent: Sunday, April 28, 2013 16:29

 To: pfSense support and discussion
 Subject: Re: [pfSense] Packet capture

  Jason,

 Take a look at this:

 http://www.openbsd.org/faq/pf/logging.html

 Should help you out a bit.


 --
 James Records | Principle Network Engineer

 M 425.984.4349 E ja...@northshoresoftware.com

 W www.northshoresoftware.com




 On Sun, Apr 28, 2013 at 1:21 PM, Jason Pyeron jpye...@pdinc.us wrote:

 Nice. I did not know about that.

 When a packet is logged by PF, a copy of the packet header is sent to a
 pflog(4) <http://www.openbsd.org/cgi-bin/man.cgi?query=pflog&sektion=4&manpath=OpenBSD+5.2>
 interface along with some additional data such as the interface the packet
 was transiting, the action that PF took (pass or block), etc. 

 I will now look for a way to get it to pass the full packet, as I need to
 do deep packet inspections.

 Thanks!

 -Jason


  --
 From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of James Records
 Sent: Sunday, April 28, 2013 12:58

 To: pfSense support and discussion
 Subject: Re: [pfSense] Packet capture

  Jason,

 I think what you want is the pflog0 interface.


 --
 James Records | Principle Network Engineer

 M 425.984.4349 E ja...@northshoresoftware.com

 W www.northshoresoftware.com


 On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron jpye...@pdinc.us wrote:

 Yes the interface for packet capture is nice for an interactive quick
 look, but it is not a solution for an automated ingest system for 24x7
 capture.

 regarding the logs:


 {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule
 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags
 [DF], proto UDP (17), length 66)

 {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 >
 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)

 the detail is insufficient. I tried "Show raw filter logs", but there
 does not seem to be any appreciable difference. I have a backend system (IDS
 type of thing) which ingests pcap data as well as syslog, in this case the
 syslog from the pfSense is too light weight.

 can I sniff the bridge [BRIDGE0]?

 -Jason

  --
 *From:* list-boun...@lists.pfsense.org [mailto:
 list-boun...@lists.pfsense.org] *On Behalf Of *Trevor Benson
 *Sent:* Sunday, April 28, 2013 10:14
 *To:* pfSense support and discussion
 *Subject:* Re: [pfSense] Packet capture

  Have you tried using the built in packet capture under diagnostics?
 This will clean up your ssh traffic, which is what I assume you mean by
 tcpdump recursive traffic. Plus you can download a pcap to examine more
 closely in wireshark.

 As for traffic denied by the firewall have you tried looking at the
 firewall logs?

 Trevor
 On Apr 28, 2013 5:47 AM, Jason Pyeron jpye...@pdinc.us wrote:

 I am looking to capture all the packets that are traversing and
 attempting to
 traverse the firewall.

 If I use tcpdump -i WAN I get all the packets, if I use tcpdump -i LAN
 then I
 only get the packets that made it past the firewall plus the recursive
 traffic
 of my pcap data leaving the firewall too.

 This is telling me I should be using another port, but still does not
 help me
 separate the pcap data into 2 buckets

Re: [pfSense] Packet capture

2013-04-28 Thread James Records
Jason,

I think what you want is the pflog0 interface.


-- 
James Records | Principle Network Engineer

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com


On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron jpye...@pdinc.us wrote:

 Yes the interface for packet capture is nice for an interactive quick look,
 but it is not a solution for an automated ingest system for 24x7 capture.

 regarding the logs:


 {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule
 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags
 [DF], proto UDP (17), length 66)

 {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 >
 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)

 the detail is insufficient. I tried "Show raw filter logs", but there
 does not seem to be any appreciable difference. I have a backend system (IDS
 type of thing) which ingests pcap data as well as syslog, in this case the
 syslog from the pfSense is too light weight.

 can I sniff the bridge [BRIDGE0]?

 -Jason

  --
 *From:* list-boun...@lists.pfsense.org [mailto:
 list-boun...@lists.pfsense.org] *On Behalf Of *Trevor Benson
 *Sent:* Sunday, April 28, 2013 10:14
 *To:* pfSense support and discussion
 *Subject:* Re: [pfSense] Packet capture

  Have you tried using the built in packet capture under diagnostics? This
 will clean up your ssh traffic, which is what I assume you mean by tcpdump
 recursive traffic. Plus you can download a pcap to examine more closely in
 wireshark.

 As for traffic denied by the firewall have you tried looking at the
 firewall logs?

 Trevor
 On Apr 28, 2013 5:47 AM, Jason Pyeron jpye...@pdinc.us wrote:

 I am looking to capture all the packets that are traversing and
 attempting to
 traverse the firewall.

 If I use tcpdump -i WAN I get all the packets, if I use tcpdump -i LAN
 then I
 only get the packets that made it past the firewall plus the recursive
 traffic
 of my pcap data leaving the firewall too.

 This is telling me I should be using another port, but still does not
 help me
 separate the pcap data into 2 buckets:

 1: blocked
 2: not blocked

 Any suggestions?



 --
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 -   -
 - Jason Pyeron  PD Inc. http://www.pdinc.us -
 - Principal Consultant  10 West 24th Street #100-
 - +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
 -   -
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 This message is copyright PD Inc, subject to license 20080407P00.

 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




Re: [pfSense] Packet capture

2013-04-28 Thread James Records
Jason,

Take a look at this:

http://www.openbsd.org/faq/pf/logging.html

Should help you out a bit.


-- 
James Records | Principle Network Engineer

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com




On Sun, Apr 28, 2013 at 1:21 PM, Jason Pyeron jpye...@pdinc.us wrote:

 Nice. I did not know about that.

 When a packet is logged by PF, a copy of the packet header is sent to a
 pflog(4) http://www.openbsd.org/cgi-bin/man.cgi?query=pflog&sektion=4&manpath=OpenBSD+5.2 interface
 along with some additional data such as the interface the packet
 was transiting, the action that PF took (pass or block), etc.

 I will now look for a way to get it to pass the full packet, as I need to
 do deep packet inspections.

 Thanks!

 -Jason


  --
 *From:* list-boun...@lists.pfsense.org [mailto:
 list-boun...@lists.pfsense.org] *On Behalf Of *James Records
 *Sent:* Sunday, April 28, 2013 12:58

 *To:* pfSense support and discussion
 *Subject:* Re: [pfSense] Packet capture

  Jason,

 I think what you want is the pflog0 interface.


 --
 James Records | Principle Network Engineer

 M 425.984.4349 E ja...@northshoresoftware.com

 W www.northshoresoftware.com


 On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron jpye...@pdinc.us wrote:

 Yes the interface for packet capture is nice for an interactive quick
 look, but it is not a solution for an automated ingest system for 24x7
 capture.

 regarding the logs:


 {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule
 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags
 [DF], proto UDP (17), length 66)

 {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 >
 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)

 the detail is insufficient. I tried "Show raw filter logs", but there
 does not seem to be any appreciable difference. I have a backend system (IDS
 type of thing) which ingests pcap data as well as syslog, in this case the
 syslog from the pfSense is too light weight.

 can I sniff the bridge [BRIDGE0]?

 -Jason

  --
 *From:* list-boun...@lists.pfsense.org [mailto:
 list-boun...@lists.pfsense.org] *On Behalf Of *Trevor Benson
 *Sent:* Sunday, April 28, 2013 10:14
 *To:* pfSense support and discussion
 *Subject:* Re: [pfSense] Packet capture

   Have you tried using the built in packet capture under diagnostics?
 This will clean up your ssh traffic, which is what I assume you mean by
 tcpdump recursive traffic. Plus you can download a pcap to examine more
 closely in wireshark.

 As for traffic denied by the firewall have you tried looking at the
 firewall logs?

 Trevor
 On Apr 28, 2013 5:47 AM, Jason Pyeron jpye...@pdinc.us wrote:

 I am looking to capture all the packets that are traversing and
 attempting to
 traverse the firewall.

 If I use tcpdump -i WAN I get all the packets, if I use tcpdump -i LAN
 then I
 only get the packets that made it past the firewall plus the recursive
 traffic
 of my pcap data leaving the firewall too.

 This is telling me I should be using another port, but still does not
 help me
 separate the pcap data into 2 buckets:

 1: blocked
 2: not blocked

 Any suggestions?


   --
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 -   -
 - Jason Pyeron  PD Inc. http://www.pdinc.us -
 - Principal Consultant  10 West 24th Street #100-
 - +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
 -   -
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 This message is copyright PD Inc, subject to license 20080407P00.

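Jason's question above (splitting captured traffic into a blocked and a not-blocked bucket) and James's pflog0 answer, as an added Python example that is not code from anyone on the thread. It parses the two-line pf syslog events quoted above, the pfSense 2.0-era format that mirrors tcpdump's output on pflog0, into the two buckets, and builds the tcpdump command that does the same split live using the pflog-specific "action" filter primitive. Apart from the quoted ripe.net query, the sample lines are constructed and use documentation address ranges.

```python
"""Split logged pf traffic into 'blocked' and 'passed' buckets.

Added example, not code from anyone on the thread. Parses the two-line
events pfSense writes to syslog for pf rules with logging enabled and
builds the tcpdump command for the same split live on pflog0.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# First line of an event, e.g.
#   "... pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ...)"
RULE_RE = re.compile(
    r"pf: \S+ rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+):"
)
# Second line; tcpdump joins an IPv4 host and its port with a dot, e.g.
#   "... pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)"
FLOW_RE = re.compile(
    r"pf: (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<detail>.*)$"
)

# Constructed sample: the blocked DNS ANY query quoted in the thread, a passed
# HTTPS SYN, an unrelated sshd line, and a blocked SSH SYN (RFC 5737 addresses).
SAMPLE_LOG = """\
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
{mail} Sun Apr 28 11:07:59 EDT 2013 INFO pf: 00:00:00.000412 rule 5/0(match): pass out on em1: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
{mail} Sun Apr 28 11:07:59 EDT 2013 INFO pf: 192.0.2.10.51234 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
{mail} Sun Apr 28 11:08:00 EDT 2013 INFO sshd[2231]: Accepted publickey for admin from 192.0.2.10
{mail} Sun Apr 28 11:08:01 EDT 2013 INFO pf: 00:00:00.002201 rule 23/0(match): block in on em0: (tos 0x0, ttl 52, id 9, offset 0, flags [none], proto TCP (6), length 44)
{mail} Sun Apr 28 11:08:01 EDT 2013 INFO pf: 203.0.113.9.40001 > 67.90.184.35.22: Flags [S], seq 7, win 1024, length 0
"""


@dataclass(frozen=True)
class PfEvent:
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    ifname: str
    rule: int
    src: str
    sport: int
    dst: str
    dport: int
    detail: str      # tcpdump's protocol summary, kept verbatim


def parse_pf_log(lines: Iterable[str]) -> List[PfEvent]:
    """Pair each rule line with the flow line printed right after it.

    pf emits the two lines back to back, so any other line in between
    (or a rule line with no follower at all) drops the unpaired rule line.
    """
    events: List[PfEvent] = []
    pending: Optional[re.Match] = None
    for line in lines:
        m = RULE_RE.search(line)
        if m:
            pending = m
            continue
        f = FLOW_RE.search(line)
        if f and pending:
            events.append(PfEvent(
                action=pending["action"], direction=pending["dir"],
                ifname=pending["ifname"], rule=int(pending["rule"]),
                src=f["src"], sport=int(f["sport"]),
                dst=f["dst"], dport=int(f["dport"]), detail=f["detail"]))
        pending = None
    return events


def split_buckets(events: Iterable[PfEvent]) -> Dict[str, List[PfEvent]]:
    """Jason's two buckets: what pf blocked and what it let through."""
    buckets: Dict[str, List[PfEvent]] = {"blocked": [], "passed": []}
    for ev in events:
        buckets["blocked" if ev.action == "block" else "passed"].append(ev)
    return buckets


def pflog_capture_cmd(action: str, ifname: str = "pflog0") -> str:
    """tcpdump command that yields one bucket live from the pflog interface.

    'action' is a pflog-specific filter primitive. -s 0 turns off snaplen
    truncation: as the thread notes, it is pflogd, not pf, that trims the
    copies written to /var/log/pflog.
    """
    if action not in ("block", "pass"):
        raise ValueError("pflog action must be 'block' or 'pass'")
    return f"tcpdump -n -e -ttt -s 0 -i {ifname} action {action}"


if __name__ == "__main__":
    for name, evs in split_buckets(parse_pf_log(SAMPLE_LOG.splitlines())).items():
        print(f"{name}: {len(evs)} event(s)")
        for ev in evs:
            print(f"  rule {ev.rule} {ev.direction} on {ev.ifname}: "
                  f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}  {ev.detail}")
    for action in ("block", "pass"):
        print("live:", pflog_capture_cmd(action))
```

Only traffic matched by rules with logging enabled ever reaches pflog0 or produces these log lines, which is why every rule had to be set to log before this split covered everything; the parser is IPv4-only because that is the only form shown in the thread.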


Re: [pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)

2013-04-15 Thread James Bensley
On 15 April 2013 15:29, James Bensley jwbens...@gmail.com wrote:
 Although my tests
 aren't proving successful so far.

I meant to say: I am pulling a file via SCP from a host in the LAN to
a host on the WAN. If I disable CARP on the master to force a fail
over to the backup, there is a pause, and then pings to that LAN host
resume and the SCP transfer resumes. If I then enable CARP on the
master, there is a pause, pings resume and the SCP transfer dies. SCP
will fail over from master to backup, but not back again. Also, SSH
sessions I have to LAN hosts die in both directions.

What does this sound like to you guys, a configuration error on my
part perhaps? Or something else?

Cheers,
James.


[pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)

2013-04-13 Thread James Bensley
Hi all,

I have two pfSense 2.0.2 firewalls using CARP for active / passive
fail-over with virtual IPs. This is working fine; pinging the WAN or
LAN shared IP and pulling the power plug on the master causes a short
delay, then the pings resume as the backup firewall has promoted
itself to master.

I have two problems here, firstly:
If I am connected to a LAN host from outside using SSH for example, and
I pull out the master, my SSH session stops working. Do the boxes not
sync NAT tables and states etc? I lose any active TCP connections.

Secondly:
When the master boots up for example when I am just pulling the power
from it, it takes over control of the virtual IPs again and causes a
second little outage. Is there a no preempt style option available
to stop this, otherwise any outage on the master device will actually
result in two outages: One when it goes down, and one when it goes up.
(Also, given my first query, all my TCP connections will stop working
again!).

Many thanks,
James.


[pfSense] Open Source WAN Optimization

2013-04-12 Thread James Caldwell
Has anyone had any kind of success running an open source or commercial 
alternative to Riverbed for WAN optimization?  It would be great if some 
solution like this was available and even better if we could run it inside of 
pfsense.  Cheers.

James


Re: [pfSense] Open Source WAN Optimization

2013-04-12 Thread James Caldwell
Hi Jim,

That’s very interesting.  If not directly integrated into pfsense how do you 
envision it might take shape?  What do you think of Glenn Kelley’s comment 
about the very impressive numbers he’s been getting using Traffic Squeezer?

James

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Jim Thompson
Sent: April-12-13 1:32 PM
To: pfSense support and discussion
Cc: pfSense support and discussion
Subject: Re: [pfSense] Open Source WAN Optimization


On Apr 12, 2013, at 12:42 PM, Warren Baker 
war...@decoy.co.zamailto:war...@decoy.co.za wrote:

On Fri, Apr 12, 2013 at 4:50 PM, James Caldwell 
jamescaldw...@hurricanecs.commailto:jamescaldw...@hurricanecs.com wrote:

 Has anyone had any kind of success running an open source or commercial 
 alternative to riverbed for WAN optimization? It would be great if some of 
 solution like this was available and even better if we could run it inside of 
 pfsense. Cheers.


There is WANProxy http://wanproxy.org/ but I've never used it so can't comment on 
its performance or how well it works.

Chris and I have recently discussed adding WANproxy to the mix.  Maybe not as 
part of pfSense, but certainly in the same mold.

Jim



Re: [pfSense] 2.0.2 release now available

2012-12-21 Thread James Caldwell
Awesome work guys, looking forward to 2.1!


Regards,

James

Sent from my BlackBerry

- Original Message -
From: Chris Buechler [mailto:c...@pfsense.org]
Sent: Friday, December 21, 2012 08:39 AM
To: pfSense support and discussion list@lists.pfsense.org
Subject: [pfSense] 2.0.2 release now available

info here:
http://blog.pfsense.org/?p=676


Re: [pfSense] 2.0.2 release now available

2012-12-21 Thread James Caldwell
I'm always a little leery of the 'beta' term.  Once you guys stamp it as a 
release quality build I'll move up to it no problem.

James

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Eugen Leitl
Sent: December-21-12 9:37 AM
To: pfSense support and discussion
Subject: Re: [pfSense] 2.0.2 release now available

On Fri, Dec 21, 2012 at 08:44:29AM -0700, James Caldwell wrote:
 Awesome work guys, looking forward to 2.1!

2.1BETA1 has been working quite well for me (at home, at least).


Re: [pfSense] 2.0.2 release now available

2012-12-21 Thread James Caldwell
That's great to know it's been thoroughly tested out in the wild already and 
still considered in beta.  If it's already stable enough to run as your primary 
version, what's left before 2.1 goes release?

James


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Chris Buechler
Sent: December-21-12 6:37 PM
To: pfSense support and discussion
Subject: Re: [pfSense] 2.0.2 release now available

On Fri, Dec 21, 2012 at 6:27 PM, Jim Thompson j...@netgate.com wrote:

 We dogfood 2.1 at BSD Perimeter as well.  :-)


Indeed, everywhere. We don't have any production 2.0.x installs, our office, 
all our colo facilities, and all our home systems are running 2.1.


[pfSense] Building Reports and Content Filters

2012-11-20 Thread James Caldwell
Morning Everyone,

Trying to figure out a good solution for monitoring users and building reports 
to try and enforce acceptable use policies and procedures but I would really 
like to avoid using any solution other than pfSense.  Having asked around and 
checked the forums I've seen a handful of people that will use Untangle behind 
a perimeter pfSense machine but this is certainly not an ideal way to go, 
especially in more complex network environments.  I've also recently seen lots 
of advertisements from vendors such as SonicWALL and WatchGuard about 'Next 
Generation Firewalls' and their ability to better manage your network traffic.  
I'd hate to think that they have anything the open source community has not 
already had for some time :).  Regardless, any insight would be really 
appreciated.  Thanks guys!

James


Re: [pfSense] Building Reports and Content Filters

2012-11-20 Thread James Caldwell
Basically the management at the particular client in question has asked if I 
can pull usage reports for a handful of users and wanted to get a rough idea 
how much personal browsing is taking place on company machines.  I'm certainly 
not trying to stick my neck out into a potentially bad situation, merely trying 
to provide an intelligent response to someone else's inquiry.  The second bit I 
was looking to see is a breakdown of where the traffic is coming from, such as 
HTTP, P2P, etc, and what IP ranges are the primary culprits as they have 
several VLANS.  Cheers.

James



-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Chris Bagnall
Sent: November-20-12 8:01 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Building Reports and Content Filters

On 20/11/12 2:53 pm, James Caldwell wrote:
 Trying to figure out a good solution for monitoring users and building 
 reports to try and enforce acceptable use policies and procedures but I would 
 really like to avoid using any solution other than pfSense.  Having asked 
 around and checked the forums I've seen a handful of people that will use 
 Untangle behind a perimeter pfSense machine but this is certainly not an 
 ideal way to go, especially in more complex network environments.  I've also 
 recently seen lots of advertisements from vendors such as SonicWALL and 
 WatchGuard about 'Next Generation Firewalls' and their ability to better 
 manage your network traffic.  I'd hate to think that they have anything the 
 open source community has not already had for some time :).  Regardless, any 
 insight would be really appreciated.  Thanks guys!

You should probably be a little more specific about precisely what sort of 
acceptable use policies and procedures you are trying to enforce.

I'd also caution against looking for a technical solution to a social or HR 
perceived 'problem'. It nearly always seems to end in tears, recriminations, 
and other unpleasantness :-)

Kind regards,

Chris
--
This email is made from 100% recycled electrons 


Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure

2012-07-31 Thread James Caldwell
How difficult would it be to replace PPTP implementations with OpenVPN for 
mobile users?

James


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Jim Pingle
Sent: July-31-12 7:20 AM
To: pfSense support and discussion
Subject: Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure

On 7/31/2012 8:13 AM, Ugo Bellavance wrote:
 http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807

We were just talking about that here.

WPA2 Enterprise is also broken as a result, if it's configured to use MS-CHAPv2.

Somehow I doubt it will stop people from using PPTP, even though it should. 
PPTP was already considered quite insecure, and that didn't hold very many 
people back from it.

OpenVPN FTW. :-)

Jim


Re: [pfSense] IP Alias and IPSec

2012-07-31 Thread James Bland
Hi Gavin,

I've 2 IPSec tunnels and both of the other ends are Cisco ASA devices so 
OpenVPN wouldn't be an option. It is working fine with how I've configured it 
now, not using PPPoE.

Must just be that it's not possible with PPPoE currently with multiple IP's.

Cheers,
James

On 31 Jul 2012, at 09:27, Gavin Will gavin.w...@exterity.com wrote:

 I use BT Business also as a 2nd ISP.
 
 I was in the same boat as you, the wan ip on the PPPoE connection would change 
 so creating an IPsec VPN was a pain. Eventually I just went to using OpenVPN 
 and the BT connection as a client and the other static connection being the 
 server.
 
 Works fine, however I am assuming you have pfSense at the remote end also.
 
  
 
 Gavin
 
 
  
 From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] 
 On Behalf Of Moshe Katz
 Sent: 30 July 2012 19:17
 To: pfSense support and discussion
 Subject: Re: [pfSense] IP Alias and IPSec
  
 On Sat, Jul 28, 2012 at 1:20 PM, James Bland fastlan...@mac.com wrote:
 Hi all,
 
 I've got BT Business Broadband with a block of 5 IP's. I'm connecting to this 
 using PPPoE to a router in bridge mode rather than a 2wire router. I've also 
 got a second ISP so I'm running MultiWAN here.
 
 So the static IP's are in a different subnet than the dynamic IP.
 
 So the PPPoE interface connects with a dynamic IP. I then add my public IP's 
 as IP Aliases in the Virtual IP section. I've tested port forwarding off one 
 of the IP's and that works, I've tried Outbound NAT and that also works.
 
 If I tried to ping any of the statics I was getting TTL timeout issues 
 however if say I add a 1:1 NAT on an entry with firewall rules to allow 
 traffic ping then works fine.
 
 My issue is with IPSec off one of these IP Aliases. If I put IPSec on the WAN 
 interface it'll try to connect to the remote site (but fail as it's not coming 
 off the IP it expects).
 
 If I change it to the virtual IP I just get racoon: ERROR: phase1 
 negotiation failed due to send error.
 
 So as far as I can see it just doesn't send any data out at all. I've tried 
 turning DEBUG mode on but I'm getting no more info.
 
 I guess I'm missing some rule somewhere that I might need but I've tried 
 fiddling and come up empty.
 
 Can anyone give me some advice on this?
 
 Cheers,
 James
  
 I don't know the full details, but I do know that certain Virtual Address 
 types support/do-not-support certain features.
  
 I use ProxyARP Virtual Addresses on my systems (though I don't currently use 
 IPSec so I don't know if switching will help you).
  
 Moshe
 
 --
 Moshe Katz
 -- mo...@ymkatz.net
 -- +1(301)867-3732
  


Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure

2012-07-31 Thread James Caldwell
What would this look like connecting from a windows xp/7 client.  Would it 
still use the PPTP protocol or would it be setup differently?

James



-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Jim Pingle
Sent: July-31-12 9:31 AM
To: pfSense support and discussion
Subject: Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure


For Windows/Mac/Linux users, and Android 4.0 and above, very easy.

For older Android and iOS, it requires rooting/jailbreaking to use OpenVPN.

On 7/31/2012 11:11 AM, James Caldwell wrote:
 How difficult would it be to replace PPTP implementations with OpenVPN for 
 mobile users?
 
 James
 
 
 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] 
 On Behalf Of Jim Pingle
 Sent: July-31-12 7:20 AM
 To: pfSense support and discussion
 Subject: Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally 
 insecure
 
 On 7/31/2012 8:13 AM, Ugo Bellavance wrote:
 http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
 
 We were just talking about that here.
 
 WPA2 Enterprise is also broken as a result, if it's configured to use 
 MS-CHAPv2.
 
 Somehow I doubt it will stop people from using PPTP, even though it should. 
 PPTP was already considered quite insecure, and that didn't hold very many 
 people back from it.
 
 OpenVPN FTW. :-)
 
 Jim


Re: [pfSense] IP Alias and IPSec

2012-07-30 Thread James Bland
Hi Moshe,

I got it to work in the end by changing from PPPoE to a Static IP and No NAT 
Config on the router. This is working with the IP Aliases just fine on IPSec 
now.

So it would seem that Virtual IP's and IP Aliases doesn't work for local 
services if PPPoE is in use on that interface.

I'm happy with the config as I have it now but maybe this is a bug or it cannot 
work and the documentation might want to mention this?

Cheers,
James

On 30 Jul 2012, at 19:17, Moshe Katz mo...@ymkatz.net wrote:

 Moshe


Re: [pfSense] pfSense vs JunOS

2012-07-03 Thread James Caldwell
Absolutely, some of the best support I've had for a software solution to date.

James



-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of bsd
Sent: July-03-12 3:24 PM
To: pfSense support and discussion
Subject: Re: [pfSense] pfSense vs JunOS

On 3 Jul 2012, at 21:59, Vick Khera wrote:

 On Sun, Jul 1, 2012 at 3:33 PM, Chris Buechler c...@pfsense.org wrote:
 The level of service we provide is on par or better than commercial 
 vendors. For most of our customers, much better, because commercial 
 vendors will rule out the firewall and tell you to have a nice day
 
 I'll confirm that their support is excellent, and they stick with you until 
 you have a solution or figure out that there is no solution *at all*.
 
 I'd recommend buying it even if you don't plan to use it as a way to support 
 the project.

I confirm this: support is awesome!

Live support is fast and efficient, supporting the dev project is fun and useful 
for the community. It is great and I wish the pfSense team all the best!


--
- Grégory Bernard Director -
--- www.osnet.eu ---
-- Your provider of OpenSource appliances --
--
OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO



Re: [pfSense] [pfsense] dansguardian

2012-04-26 Thread James Caldwell
I've been part of the pfsense lists for months but have never really spoken up 
about anything.  I tried to implement dansguardian in v2.0.1 but failed as well. 
Has anyone found a reliable best practice or guide for this?

James


From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of k_o_l
Sent: April-26-12 2:51 PM
To: list@lists.pfsense.org
Subject: [pfSense] [pfsense] dansguardian

I've installed squid and dansguardian in the hopes to get some filtering going, 
I even followed the instructions highlighted below, however my syslog keeps 
showing "dansguardian: Error connecting to proxy". I would appreciate it if 
anyone has any pointers for me.

http://forum.pfsense.org/index.php?topic=42664.0

Sam


Re: [pfSense] Carp locking up routers.

2012-01-06 Thread JASON JAMES
Jason James is no longer with the School District of Milton.  If you need
to email the Technology Department please correct your contact list to
hol...@mail.milton.k12.wi.us

If you need to contact Jason James directly his contact email is
jja...@janesville.k12.wi.us
