Re: [pfSense] malformed packets

2017-10-30 Thread Ryan Rodrigue

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> mad.scientist.at.la...@tutanota.com
> Sent: Monday, October 30, 2017 2:27 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] malformed packets
> 
> Thank you for your reply, I'll try your suggestions.  Complete newbie to
> pfSense, but I do know something about firewalls etc. and can basically
> use Wireshark and understand it.  Fortunately the problem has become
> much less severe.  Thank you.
> 
> mad.scientist.at.large (a good madscientist)
> --
> "The U.S. intelligence community concluded in a report made public in
> January that the Kremlin sought to disrupt the 2016 election and sway
> the race in Trump's favor."  From "thehill.com".  Only Trump and his
> duplicitous supporters try to say it was Clinton who conspired.  Frankly
> Trump is likely guilty of treason, the sooner he's impeached and indicted
> the better, along with ALL of his supporters in government.
> 
> 
> 30. Oct 2017 09:36 by st...@teamits.com:
> 
> 
> > I saw your question but didn't see an answer...  Have you considered
> Suricata or Snort to see if they can detect and block off the traffic?
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> > mad.scientist.at.la...@tutanota.com
> > Sent: Friday, October 20, 2017 7:24 PM
> > To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> > Subject: [pfSense] malformed packets
> >
> > Is there any way I can block malformed packets and drop them rather
> > than being used for a DDoS attack?  This is related to LEGAL torrents,
> > i.e. copyleft etc.  Even running Deluge there is a storm of malformed
> > packets with spoofed IP addresses, which then makes my machine send out
> > many, many malformed packets to people who didn't even send them.  Gee,
> > I thought doing a DDoS on people was illegal, not that it matters in
> > most countries.


Can we avoid posting political statements to this list?  You can have whatever 
view you would like, but a router mailing list is hardly the place to post 
them.  Thank you. 
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
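The reflection problem described in this thread (spoofed-source UDP arriving on the torrent port and being answered) is easiest to confirm with a packet capture on the WAN. The script below is an added example and was not posted in the thread: it reads `tcpdump -n` output and flags UDP packets whose source address can never legitimately arrive from the Internet (RFC 1918, loopback, link-local, CGNAT, multicast and reserved space). The interface name em0, the addresses and the embedded capture are constructed for illustration. pfSense already has two checkboxes on the WAN interface for exactly this class of source, "Block private networks and loopback addresses" and "Block bogon networks"; enabling them makes the firewall drop such packets before any client behind it can reply, which is the cheap fix to try before reaching for Suricata or Snort. Packets spoofed with routable addresses cannot be recognised this way; the only local defence against those is rate-limiting what the client answers.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Flags inbound UDP whose
# source address is a bogon (RFC 1918, loopback, link-local, CGNAT, multicast,
# reserved): such packets are spoofed by construction and must be dropped, not
# answered. Interface name, addresses and the sample capture are constructed.
#
# Real use:  tcpdump -nl -i em0 'udp and dst port 6881' | sh spoofed_udp.sh -

bogon_src() {
  # $1: dotted-quad IPv4 source. Returns 0 (true) when it cannot be a real
  # Internet source, 1 otherwise. These are the ranges pfSense's "Block
  # private networks" / "Block bogon networks" WAN options cover.
  case "$1" in
    0.*|10.*|127.*|169.254.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;                      # 172.16/12
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;; # 100.64/10
    22[4-9].*|23[0-9].*|24[0-9].*|25[0-5].*) return 0 ;;                     # 224/4, 240/4
  esac
  return 1
}

spoofed_udp() {
  # Reads tcpdump -n lines on stdin; prints "<src-ip> <dst-port>" for each
  # spoofed UDP packet. TCP and IPv6 lines are ignored.
  while IFS= read -r line; do
    case "$line" in
      *" IP "*" > "*": UDP, "*) ;;
      *) continue ;;
    esac
    set -f; set -- $line; set +f      # $3 = src.ip.port, $5 = dst.ip.port:
    src=${3%.*}
    dst=${5%:}
    dport=${dst##*.}
    if bogon_src "$src"; then
      printf '%s %s\n' "$src" "$dport"
    fi
  done
}

count_spoofed() {
  # Number of spoofed packets in the capture on stdin.
  spoofed_udp | wc -l | tr -d ' '
}

# Constructed capture: 198.51.100.7 is "our" WAN address, 6881 the torrent port.
SAMPLE='12:00:01.000001 IP 203.0.113.10.51413 > 198.51.100.7.6881: UDP, length 20
12:00:01.000002 IP 10.0.0.5.6881 > 198.51.100.7.6881: UDP, length 20
12:00:01.000003 IP 192.168.1.20.1234 > 198.51.100.7.6881: UDP, length 20
12:00:01.000004 IP 198.51.100.7.6881 > 203.0.113.10.51413: UDP, length 20
12:00:01.000005 IP 172.20.4.9.40000 > 198.51.100.7.6881: UDP, length 20
12:00:01.000006 IP 100.70.1.1.6881 > 198.51.100.7.6881: UDP, length 20
12:00:01.000007 IP 203.0.113.10.51413 > 198.51.100.7.6881: Flags [S], seq 1, length 0'

if [ "${1:-}" = "-" ]; then
  spoofed_udp                              # real capture piped on stdin
else
  printf '%s\n' "$SAMPLE" | spoofed_udp    # demo on the constructed capture
fi
```

Run without arguments it prints the four spoofed entries from the constructed capture (10.0.0.5, 192.168.1.20, 172.20.4.9 and 100.70.1.1, all aimed at port 6881); the legitimate peer 203.0.113.10 and our own outbound reply are not flagged. Pipe a live `tcpdump` into it with `-` to run it against the real WAN.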

Re: [pfSense] testing email

2015-04-08 Thread Ryan Rodrigue

 Sorry for the noise, should be all good now.


Gotta Love Chris!  Thanks for your ongoing support to this project.
Ryan


Re: [pfSense] My son is able to bypass my captivate portal

2014-05-14 Thread Ryan Rodrigue
You can set a NAT forward on the DNS port to force all DNS requests to go to a
specific address.
Firewall > NAT
Interface: LAN (or your internal interface you wish to use)
Protocol: TCP/UDP
Destination: Any
Destination Port Range: 53
Redirect Target IP: Where you want it to go, perhaps the OpenDNS address.  I think
you could put the IP of the router in there.  I never tried it like that.
This may or may not fix the captive portal issue, but should let you use
OpenDNS for all DNS queries.
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] help

2013-04-24 Thread Ryan Rodrigue
I am just a big dummy that is coming in late in the game.  Is it possible
that they are sending that IP to a router/modem and the router is doing NAT?
If so, is it possible to disable the routing functions and just use this as a
bridge and not a router?  I have seen this before with DSL and some cable
modems.  I have even seen cable modems that have an internal NAT IP, but
also work with the public IP that is assigned to your account. 
Have you called your ISP and asked them how to use your static IP?  
Who is your service provider?  
Is this cable or DSL?
Sorry if you have answered this before.  I am coming in a little late.



Re: [pfSense] help

2013-04-24 Thread Ryan Rodrigue

Please don't top post.  It makes helping difficult.


From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of eyobe kebede
Sent: Wednesday, April 24, 2013 9:36 AM
To: pfSense support and discussion
Subject: Re: [pfSense] help

We are using DSL and let me give you some information. We were using the
10.130.48.72 IP address given by the ISP and for some reason we have
purchased the public IP 197.156.75.54. The technicians from the ISP do not
tell us how to use the IP addresses and it has become difficult to configure it
on pfSense. These are the solid facts:

WAN IP 10.130.51.83

default gateway 10.130.65.42

public IP 197.156.75.54 our side and 197.156.75.53 ISP side

How do we configure this in pfSense?


I would try 2 things.

1st I would try to set up the public IP that was given to you (197.156.75.54)
as a static IP in PF and set up 197.156.75.53 as the default gateway.
(Don't use DHCP)

You will have to set up the DNS servers in the System > General Setup tab.

2nd If that doesn't work, I would try to move the PPPoE login information to
the PF box and put the DSL modem in bridge mode.



Re: [pfSense] help

2013-04-24 Thread Ryan Rodrigue

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Matthias May
Sent: Wednesday, April 24, 2013 11:02 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] help


On 24/04/13 16:36, eyobe kebede wrote:

We are using DSL and let me give you some information. We were using the
10.130.48.72 IP address given by the ISP and for some reason we have
purchased the public IP 197.156.75.54. The technicians from the ISP do not
tell us how to use the IP addresses and it has become difficult to configure it
on pfSense. These are the solid facts:

WAN IP 10.130.51.83

default gateway 10.130.65.42

public IP 197.156.75.54 our side and 197.156.75.53 ISP side

How do we configure this in pfSense?


See the second reply in this thread by jim:

[quote]



Some ISPs that are particularly stingy with IPs and bad at routing have
been doing this.
 
His ISP may have just forgotten to give him the proper gateway. But on
the outside chance they really do expect him to use that 10.x address as
the gateway, it may still be possible.
 
http://redmine.pfsense.org/issues/972
 
Not supported in the GUI yet though.
 
Jim
[/quote]


I don't understand your comment.  He says that the public IP is
197.156.75.53 on the ISP side.  This appears to be a proper gateway.

On Wed, Apr 24, 2013 at 5:22 PM, Ryan Rodrigue radiote...@aaremail.com
wrote:

I am just a big dummy that is coming in late in the game.  Is it possible
that they are sending that IP to a router/modem and the router is doing NAT?
If so, is it possible to disable the routing functions and just use this as a
bridge and not a router?  I have seen this before with DSL and some cable
modems.  I have even seen cable modems that have an internal NAT IP, but
also work with the public IP that is assigned to your account.
Have you called your ISP and asked them how to use your static IP?
Who is your service provider?
Is this cable or DSL?
Sorry if you have answered this before.  I am coming in a little late.



Re: [pfSense] General question

2013-03-25 Thread Ryan Rodrigue



 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-
 boun...@lists.pfsense.org] On Behalf Of k_o_l
 Sent: Monday, March 25, 2013 3:53 PM
 To: 'pfSense support and discussion'
 Subject: Re: [pfSense] General question
 
 From: list-boun...@lists.pfsense.org [mailto:list-
 boun...@lists.pfsense.org]
 On Behalf Of Christoph Hanle
 Sent: Monday, March 25, 2013 2:45 PM
 To: list@lists.pfsense.org
 Subject: Re: [pfSense] General question
 
 On 25.03.2013 19:30 k_o_l wrote:
 
 
  I see the issue even when all browser are shut down.
 
 netstat -ano (Win) or -nlp on the source PC can bring you the solution.
 
 bye
 Christoph
 -Original Message-
 
 Nothing there, wireshark captures http sessions, but not sure what is doing
 it since all my browsers are off.
 


Perhaps some Windows gadget that is in use.  Does it show what PC you are
having the problems with?  Unplug the network from that PC and see if it
still persists.  It could be any number of apps they have installed.  I have
even seen some of the browsers open HTTP sessions.



Re: [pfSense] General question

2013-03-25 Thread Ryan Rodrigue





 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-
 boun...@lists.pfsense.org] On Behalf Of Ryan Rodrigue
 Sent: Monday, March 25, 2013 4:18 PM
 To: k_...@hotmail.com; 'pfSense support and discussion'
 Subject: Re: [pfSense] General question
 
 
 
 
  -Original Message-
  From: list-boun...@lists.pfsense.org [mailto:list-
  boun...@lists.pfsense.org] On Behalf Of k_o_l
  Sent: Monday, March 25, 2013 3:53 PM
  To: 'pfSense support and discussion'
  Subject: Re: [pfSense] General question
 
  From: list-boun...@lists.pfsense.org [mailto:list-
  boun...@lists.pfsense.org] On Behalf Of Christoph Hanle
  Sent: Monday, March 25, 2013 2:45 PM
  To: list@lists.pfsense.org
  Subject: Re: [pfSense] General question
 
  On 25.03.2013 19:30 k_o_l wrote:
 
  
   I see the issue even when all browser are shut down.
  
  netstat -ano (Win) or -nlp on the source PC can bring you the solution.
 
  bye
  Christoph
  -Original Message-
 
  Nothing there, wireshark captures http sessions, but not sure what is
  doing it since all my browsers are off.
 
 
 
 Perhaps some Windows gadget that is in use.  Does it show what PC you are
 having the problems with?  Unplug the network from that PC and see if it
 still persists.  It could be any number of apps they have installed.  I
 have even seen some of the browsers open HTTP sessions.
 
 

Sorry.  I have seen some antiviruses open HTTP sessions.



Re: [pfSense] Blocking Websites

2013-03-04 Thread Ryan Rodrigue
If you know the IP address of the website you want to allow and you know it
will also not change, you could do this with simple firewall rules built in.
If you are trying to block all but a few websites using actual URLs then
you would need something like squid or dansguardian.

Ryan Rodrigue
Chief Technical Manager
A A R Electronics, Inc
P.O. Box 4336, Houma, LA 70361
510 West Tunnel Blvd, Houma, LA 70360
Phone (985) 876-4096
Phone (800) 649-7346
Fax (985) 853-0134
syst...@aaremail.com
www.aarelectronics.com


From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Kevin Hayes
Sent: Friday, March 01, 2013 3:44 PM
To: list@lists.pfsense.org
Subject: [pfSense] Blocking Websites

Hello,

I am trying something that I thought would be fairly simple but is turning
out to be more confusing than I had hoped.

We have several computers that are considered critical and I would like to
block the internet except for a short list of approved websites that may be
accessed from those desktops.  What would be the easiest suggestion on how
to do this?  I've been looking at pfBlocker and it seems by its description
to do what I need; I found where I can block whole countries but not
specific sites on specific IP addresses.

Any advice would be helpful.

Thanks,

Kevin Hayes

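The reply above recommends plain firewall rules when the allowed sites have fixed IP addresses. The script below is an added example, not part of the thread: it writes the pf rule set that confines a set of "critical" hosts to a short destination allow-list, and adds the check that decides whether pinning by IP is safe at all, namely whether each allowed name resolves to exactly one address. The interface em1, the alias names critical_hosts and allowed_sites, and every address and hostname are constructed for illustration; in the pfSense GUI the two tables are aliases under Firewall > Aliases and the three rules are LAN rules in the same order.

```shell
#!/bin/sh
# Added example, not from the thread. Confines a handful of "critical" LAN
# hosts to a short allow-list of destinations with plain pf rules, the
# built-in route the reply suggests, and adds the check that matters when you
# do it by IP: whether the allowed names actually resolve to one stable
# address. em1, the alias names and all addresses are constructed.

allowlist_rules() {
  # pfSense evaluates rules first-match ("quick"), so the pass rules must sit
  # above the block. Aliases become pf tables; edit them in Firewall > Aliases.
  # DNS to the firewall stays allowed so the hosts can resolve the allowed
  # names; everything else from those hosts is logged and dropped.
  cat <<'EOF'
table <critical_hosts> { 192.168.1.50 192.168.1.51 }
table <allowed_sites> { 192.0.2.10 192.0.2.11 }
pass in quick on em1 proto { tcp udp } from <critical_hosts> to 192.168.1.1 port 53
pass in quick on em1 proto tcp from <critical_hosts> to <allowed_sites> port { 80 443 } flags S/SA
block in log quick on em1 from <critical_hosts> to any
EOF
}

resolve_name() {
  # IPv4 A records for a hostname, one per line. Wraps host(1); override this
  # function to feed canned answers.
  host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

stable_ips() {
  # $@ = hostnames to pin. Prints "name ip" for names with exactly one A
  # record and returns 1 if any name has zero or several: a CDN or
  # round-robin name changes under you, and an IP allow-list for it silently
  # breaks or widens.
  rc=0
  for n in "$@"; do
    ips=$(resolve_name "$n")
    cnt=$(printf '%s\n' "$ips" | grep -c . || true)
    if [ "$cnt" -ne 1 ]; then
      printf '%s: %s addresses, not safe to pin by IP\n' "$n" "$cnt" >&2
      rc=1
    else
      printf '%s %s\n' "$n" "$ips"
    fi
  done
  return $rc
}

if [ $# -eq 0 ]; then
  allowlist_rules            # print the rule set
else
  stable_ips "$@" || :       # e.g. sh allowlist.sh intranet.example vendor.example
fi
```

With no arguments the script prints the rule set; given hostnames it prints one "name ip" line per pinnable name and complains on stderr about any name that returns zero or several addresses. The pass rule for port 443 only lets the TCP handshake through to the listed addresses; it says nothing about which site is served there, which is the limit of IP-based allow-listing the reply points out, and the reason a proxy is needed when the policy is expressed in URLs.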


Re: [pfSense] Traffic Graph quit showing IPs

2012-12-11 Thread Ryan Rodrigue
I fixed it.
Just in case anyone wants to know what I did:
1   I backed up my config.
2   I went through the file and cleaned up some lines in there about old
unused packages.
3   Restored the config using the file I cleaned up.
4   I did a firmware upgrade to the same version.

Problem solved.  Thanks to all who helped.



[pfSense] Traffic Graph quit showing IPs

2012-12-10 Thread Ryan Rodrigue
I have 2 boxes on the same network.  Both are configured almost the same.
One of them shows IP addresses when I go to Status > Traffic Graphs.  One
does not.  The one that does not work even looks different.  The one that
does not work also says "array".  I am not sure what that means.  I tried
backing up without the package info and restoring this, but it did not seem
to make a difference.  I have attached a screenshot of the one that works
and the one that does not.  Is there a setting I need to change?  How can
I fix this?  Thanks



Re: [pfSense] Building Reports and Content Filters

2012-11-20 Thread Ryan Rodrigue



 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-
 boun...@lists.pfsense.org] On Behalf Of James Caldwell
 Sent: Tuesday, November 20, 2012 9:44 AM
 To: pfSense support and discussion
 Subject: Re: [pfSense] Building Reports and Content Filters
 
 https://www.untangle.com/store/policy-manager-conf.html
 https://www.untangle.com/store/reports.html
 
 A couple of links that I came across that prompted the question this
 morning.
 
 

The Dansguardian package will give you content filtering capabilities.
Sarg will give you reports of usage in dansguardian.

Squid can be used as a proxy and lightsquid as a reporting tool also if you
would like to do it that way.

Both of the above require the user to login to the router to view the
reports AFAIK.



Re: [pfSense] IPSec client for iPad

2012-10-03 Thread Ryan Rodrigue


From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Luis Carrion
Sent: Wednesday, October 03, 2012 6:30 AM
To: pfSense support and discussion
Subject: Re: [pfSense] IPSec client for iPad

Ok, I am using it now w/o problems but... how can I apply different firewall
rules for different remote users?

Thanks again!

Luis

2012/10/3 Raúl Sampedro raul.sampe...@grupocarreras.com

Set the users to get a static IP and apply rules based on these addresses.

Ryan



Re: [pfSense] installing a database server

2012-09-21 Thread Ryan Rodrigue

 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-
 boun...@lists.pfsense.org] On Behalf Of Vieri
 Sent: Friday, September 21, 2012 7:29 AM
 To: list@lists.pfsense.org
 Subject: [pfSense] installing a database server
 
 Hi,
 
 How unstable would it be to install a database server such as MySQL on
 pfSense?
 Why would you not recommend installing MySQL on pfSense, supposing I'd
 want it to do more than firewalling (apart from the possible MySQL
 software security leaks).
 
 Thanks,
 
 Vieri
 
 ___


I have no clue as to the answer.  As an alternative, have you considered
setting up a hypervisor (such as VMware ESXi) and running pfSense as a
virtual machine?  You could then run whatever other servers you would like
and still have them in one box.



Re: [pfSense] Multiwan

2012-08-08 Thread Ryan Rodrigue
Short answer is no.  Basically every interface on a router must be on a
separate subnet.  It defines this by the network address and subnet mask.
Having 2 internet accesses on the same network range but different
interfaces will not work correctly.  Perhaps you could change one of them to
a different network range?  If not, maybe the ISP could do this for you.  A
workaround I do not like, but which has worked for some, is to add another
router in the mix to change one of the gateway IPs to a different subnet.


From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Andrew @ ATMlogic.ca
Sent: Wednesday, August 08, 2012 11:13 AM
To: 'pfSense support and discussion'
Subject: [pfSense] Multiwan

Just wondering a few things about multiwan.  In this case what I am
wondering is can I take multiple Wifi bridges, funnel them into pf, and have
one LAN connection that (from what I understand) does some basic round robin
load balancing.  I am aware this will give me some trouble on some websites.

However I am also worried: will everything work out if the WAN ports have
the same gateway?

e.g. I will be getting an internal IP of 192.168.0.20, 0.102, 0.87 and then
1.101 for example, however all the 0.'s will have the same 0.1 gateway yet
be totally different connections to the web.  Not sure if that would matter.

---Andrew

ATM Logic

Never memorize something that you can Google



Re: [pfSense] Squid package syslog

2012-07-17 Thread Ryan Rodrigue

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Fuchs, Martin
Sent: Monday, July 16, 2012 9:40 AM
To: pfSense support and discussion
Subject: Re: [pfSense] Squid package syslog

Do you perhaps have any idea if it's possible to do this with some
configuration items in the squid config?

If there's something in the docs it might be easier.

I do not.  I am not a dev.



Re: [pfSense] Squid package syslog

2012-07-16 Thread Ryan Rodrigue
I am trying to set up Cyberoam iView for squid.  It appears it is simply
set up as a destination syslog server.  I cannot find in the squid package
where to set up the syslog server.

Is there somewhere special I need to go, or is this function simply not
available?

Sorry if I seem a little impatient.  I know this is more of a squid question
and less of a pfSense question.  Who is the dev for squid?  Maybe he will
be able to help me.



Re: [pfSense] Squid package syslog

2012-07-16 Thread Ryan Rodrigue

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Ryan Rodrigue
Sent: Monday, July 16, 2012 7:27 AM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] Squid package syslog

I am trying to set up Cyberoam iView for squid.  It appears it is simply
set up as a destination syslog server.  I cannot find in the squid package
where to set up the syslog server.

Is there somewhere special I need to go, or is this function simply not
available?

Sorry if I seem a little impatient.  I know this is more of a squid question
and less of a pfSense question.  Who is the dev for squid?  Maybe he will
be able to help me.

OK so I solved this myself.  I googled this all day Friday with no positive
results.  Today, I found it.  Proof my brain does work better in the
morning.  I figured I'd post what I found in case anybody else was
interested.

In the Services > Proxy Server settings of the pfSense GUI, at the bottom of
the General settings there is a Custom Options field.  I added the following:

access_log syslog:local:4

I then went to Status > System Logs > Settings

I set up my syslog server and selected portal auth events.  (I found this by
trial and error.)

Checked my syslog server and everything seems to work fine.

Thank you very much everybody for your help.

Ryan



Re: [pfSense] whitelist of mac address

2012-06-11 Thread Ryan Rodrigue
This works on pfSense?

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Bill Yuan
Sent: Monday, June 11, 2012 7:59 AM
To: pfSense support and discussion
Subject: [pfSense] whitelist of mac address

Hi,

I want to create a whitelist of MAC addresses on my own FreeBSD gateway. I
want to use rules like this:

1 allow ip from any to any MAC any <mac address>

2 allow ip from any to any MAC <mac address> any

3 deny ip from any to any

I found it works on pfSense, but it doesn't work on my FreeBSD.

Can someone please tell me how to activate the MAC filtering on FreeBSD?
What kind of device needs to be activated?

I have rebuilt my kernel multiple times already, but it is still not working!

Thanks,

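The three ipfw rules quoted above are layer-2 rules, and on a stock FreeBSD kernel ipfw never sees Ethernet headers until the sysctl net.link.ether.ipfw is set to 1; without it MAC rules match nothing, which is why they work on pfSense (whose captive portal relies on the same mechanism for its MAC pass-through) but not on a freshly built gateway. The script below is an added example, not from the thread: it turns a list of MAC addresses into exactly that rule set, after normalising and validating each address so that a typo cannot silently turn into "deny everyone". The sample addresses are constructed. One caveat a practitioner would add: a MAC address is whatever the client chooses to send, so this is an inventory control, not authentication; anyone who can sniff an allowed MAC can clone it.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the ipfw layer-2 allow-list
# quoted above from a list of MAC addresses, after normalising and validating
# each one. The missing piece on a stock FreeBSD kernel is the sysctl
# net.link.ether.ipfw=1; without it ipfw never sees Ethernet headers and MAC
# rules match nothing. Sample MACs are constructed.
# Caveat: a MAC address is chosen by the client. This is an inventory control,
# not authentication: anyone who sniffs an allowed MAC can clone it.

norm_mac() {
  # $1: MAC as aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff.
  # Prints lower-case colon form; returns 1 unless it is exactly 12 hex digits.
  hex=$(printf '%s' "$1" | sed 's/[-:.]//g' | tr 'A-F' 'a-f')
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ ${#hex} -eq 12 ] || return 1
  printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

mac_allow_rules() {
  # Reads one MAC per line on stdin and writes a script for a FreeBSD gateway
  # that manages its own ipfw ruleset (do not run this on pfSense, which owns
  # its ipfw rules). Returns 1 on the first malformed MAC so a typo cannot
  # silently become "deny everyone".
  echo 'sysctl net.link.ether.ipfw=1'
  echo 'ipfw -q flush'
  n=100
  while IFS= read -r raw; do
    [ -n "$raw" ] || continue
    mac=$(norm_mac "$raw") || { echo "bad MAC: $raw" >&2; return 1; }
    echo "ipfw add $n allow ip from any to any MAC any $mac"   # frames from the host
    n=$((n + 1))
    echo "ipfw add $n allow ip from any to any MAC $mac any"   # frames to the host
    n=$((n + 1))
  done
  echo 'ipfw add 65000 deny ip from any to any'
}

# Constructed allow-list; real use:  mac_allow_rules < allowed-macs.txt | sh
printf '00:11:22:33:44:55\nAA-BB-CC-DD-EE-FF\n' | mac_allow_rules
```

The output is the sysctl, a flush, two allow rules per MAC (ipfw's MAC operand is written destination first, then source, so "MAC any $mac" matches frames sent by the host and "MAC $mac any" frames sent to it) and the final deny, which is the rule set the poster was trying to load.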


Re: [pfSense] can it be that having WAN on RFC1918 space fucks up site to site IPsec tunnel?

2012-06-01 Thread Ryan Rodrigue
Is the vulgarity in the subject really necessary?



Re: [pfSense] is pfSense the right choice?

2012-05-03 Thread Ryan Rodrigue

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Chris Buechler
Sent: Thursday, May 03, 2012 1:21 PM
To: pfSense support and discussion
Subject: Re: [pfSense] is pfSense the right choice?

On Thu, May 3, 2012 at 1:55 PM, Noam Birnbaum n...@maccentricsolutions.com
wrote:
 Good call, David --

 They current have dual WAN -- 40/40 WiMAX and 50/10 cable.  I expect that
as they grow these pipes will at least double.

 As for their *expectations* -- they are a web development startup in 
 San Francisco, so… they have very high expectations.  They'll swallow
whatever bandwidth they can get.  They bark when a Youtube video stutters
once.  I need an extremely solid solution for them.  I would go Cisco except
no experience with it.


Another person sold on a name rather than the actual product. :) You won't
get the functionality you're looking for from Cisco. Though you won't get
exactly what you're looking for with pfSense either, specifically provide
bandwidth management and monitoring on a per-user, per-application basis.
The best bet there on Cisco and pfSense is exporting Netflow to a collector.
We have some built in options in packages. Similar on your other QoS point
in that you'll have difficulty differentiating at least the streaming video
part, that just looks like any other HTTP traffic in that regard. VoIP and
video conferencing generally no issue. But no diff there from Cisco, and we
actually make it easier.
___

I hate to throw a monkey wrench into this, but the only thing I know of that will
do this would be a Mikrotik router.  I don't mean to drop other routers'
names on this list, but I think it may fit the bill.  It isn't easy to
program though.  I used to tell people that it was written in Greek.  I went
to class and found out it is Latvian.  LOL.  I have routed through a
Mikrotik box at 800+Mbps.  It does have some pretty granular throttling
controls if you can figure them out.  You can set up in the firewall for
certain protocols to use different queues also.  If you go that route I
would definitely recommend a training class first.  Not cheap.



Re: [pfSense] [pfsense] dansguardian

2012-04-27 Thread Ryan Rodrigue

Ryan, your solution worked just fine, but in addition I added a fw rule to
catch all http (port 80) traffic and had it redirected to 8080; that way you
don't need to change the proxy on the individual hosts.

K_o_l

How and where did you add such a rule?  I would like it to work in
transparent mode.  I am mainly just playing with it right now.  It is not in
production yet.

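Two threads on this page describe the same kind of rule without showing it: the captive portal thread (a NAT port forward that sends every LAN DNS query on port 53 to a resolver of your choice) and the reply just above (a port 80 redirect into dansguardian on 8080 so clients need no proxy setting). The script below is an added example, not code from either poster or from the pfSense project: it prints the pf syntax pfSense generates for those two port forwards and includes a check that reads `pfctl -sn` output to confirm a redirect is actually loaded. The interface em1, the LAN address 192.168.1.1 and the sample pfctl output are constructed for illustration. The detail that matters is the `! 192.168.1.1` exemption: traffic already aimed at the firewall (or at the proxy itself) must not be fed back into the same redirect, which in the GUI is Firewall > NAT > Port Forward with "Invert match" ticked on the Destination set to the LAN address. Two caveats a practitioner would add: the port 80 redirect leaves HTTPS untouched, and the proxy behind it has to run in transparent (intercept) mode to make sense of requests that arrive this way; and the DNS redirect catches only plain port 53, so a client using DNS over TLS (tcp 853) or DNS over HTTPS walks straight past it unless you also block 853 outbound and filter known DoH resolvers.

```shell
#!/bin/sh
# Added example, not from either thread. Two pf redirects for a pfSense LAN:
# (1) force every client DNS query (tcp/udp 53) into the firewall's own
#     resolver, and
# (2) intercept client HTTP (tcp 80) into a filtering proxy on port 8080, so
#     clients need no proxy setting.
# Plus a check that reads `pfctl -sn` output and confirms a redirect is
# actually loaded. Interface em1, address 192.168.1.1 and the sample pfctl
# output are constructed for illustration.

rdr_rule() {
  # $1 interface  $2 proto  $3 address to exempt  $4 original dst port
  # $5 redirect target  $6 target port
  # "to ! exempt" is the important part: traffic already aimed at the firewall
  # (or at the proxy itself) must not be fed back into the same redirect.
  # GUI equivalent: Firewall > NAT > Port Forward, Destination "Invert match"
  # on the LAN address.
  printf 'rdr on %s inet proto %s from any to ! %s port %s -> %s port %s\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

dns_redirect() {
  # $1 interface, $2 firewall LAN address. Target 127.0.0.1 is pfSense's own
  # resolver. Only plain port 53 is caught: DoT (853) and DoH bypass this.
  rdr_rule "$1" tcp "$2" 53 127.0.0.1 53
  rdr_rule "$1" udp "$2" 53 127.0.0.1 53
}

http_intercept() {
  # $1 interface, $2 firewall LAN address, $3 proxy port (dansguardian: 8080).
  # The proxy must run in transparent/intercept mode; port 443 is untouched,
  # so HTTPS is not filtered by this rule.
  rdr_rule "$1" tcp "$2" 80 127.0.0.1 "$3"
}

has_rdr() {
  # $1 interface, $2 proto, $3 numeric port, $4 optional service name as
  # pfctl may print it (domain, http). Reads `pfctl -sn` on stdin; succeeds
  # when a matching rdr rule is loaded.
  awk -v ifc="$1" -v p="$2" -v port="$3" -v name="$4" '
    /^rdr / && index($0, " on " ifc " ") && index($0, " proto " p " ") &&
    ($0 ~ (" port = " port " ") || (name != "" && $0 ~ (" port = " name " "))) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed `pfctl -sn` output from a box where only the DNS redirect is loaded.
SAMPLE_PFCTL='nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
rdr on em1 inet proto tcp from any to ! 192.168.1.1 port = domain -> 127.0.0.1 port 53
rdr on em1 inet proto udp from any to ! 192.168.1.1 port = domain -> 127.0.0.1 port 53'

dns_redirect em1 192.168.1.1
http_intercept em1 192.168.1.1 8080
```

On a live box the check is `pfctl -sn | has_rdr em1 udp 53 domain` after the rules are applied; the constructed sample passes that check for DNS and fails it for port 80, which is the state of a box that has the captive-portal DNS forward but not yet the proxy redirect. Because the DNS target is 127.0.0.1, the DNS Resolver must be listening on localhost (it does by default).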


Re: [pfSense] [pfsense] dansguardian

2012-04-26 Thread Ryan Rodrigue
Mine is up and running, but I have to manually put the dansguardian port in
the web browser as a proxy server.  I do not have it working for transparent
squid.

As you can see, most of the settings are default.

These are the Dansguardian settings. (I hope you can read this).

Daemon

Listening Settings
Enable dansguardian: I agree with dansguardian Terms and Conditions.
http://dansguardian.org/?page=copyright2
Listen Interface(s): Default: LAN/loopback. Select interface(s) that you want dansguardian to listen on.
Listen port: Default: 8080. The port(s) that DansGuardian listens to.
Daemon Options: Default values are in ( ).
Min/Max Children: Default: 8/120. Sets the minimum and maximum number of processes to spawn to handle the incoming connections. Max value usually 250 depending on OS. On large sites you might want to try 32/180.
Min/Max Spare Children: Default: 4/32. Sets the minimum and maximum number of processes to be kept ready to handle connections. On large sites you might want to try 8/64.
Prefork Children: Sets the minimum number of processes to spawn when it runs out. On large sites you might want to try 10.
Max Age Children: Default: 500. Sets the maximum age of a child process before it croaks it. This is the number of connections they handle before exiting. On large sites you might want to try 1.
Max Ips: Default: 0. Sets the maximum number of client IP addresses allowed to connect at once. Use this to set a hard limit on the number of users allowed to concurrently browse the web. Set to 0 for no limit, and to disable the IP cache process.

Parent proxy Settings
Proxy IP: Default: 127.0.0.1. Sets IP address for proxy server (usually squid).
Proxy Port: Default: 3128. Sets port number for proxy server.

 

General

Config Settings
Auth Plugins: This option handles the extraction of client usernames from various sources, such as Proxy-Authorisation headers and ident servers, enabling requests to be handled according to the settings of the user's filter group.
Scan Options: Default values are in ( ).
Weighted phrase mode: IMPORTANT: Note that setting this to 0 turns off all features which extract phrases from page content, including banned & exception phrases (not just weighted), search term filtering, and scanning for links to banned URLs.
Lower casing options: When a document is scanned the uppercase letters are converted to lower case in order to compare them with the phrases. However this can break Big5 and other 16-bit texts. If needed preserve the case.
Phrase filter mode: Smart, Raw and Meta/Title phrase content filtering options. Smart is where the multiple spaces and HTML are removed before phrase filtering. Raw is where the raw HTML including meta tags are phrase filtered. Meta/Title is where only meta and title tags are phrase filtered (v. quick). CPU usage can be effectively halved by using setting 0 or 1 compared to 2.
Url cache number: Positive (clean) result caching for URLs. Caches good pages so they don't need to be scanned again. It also works with AV plugins. 0 = off (recommended for ISPs with users with dissimilar browsing); 1000 = recommended for most users; 5000 = suggested max upper limit. If you're using an AV plugin then use at least 5000.
Url cache age: Age before cache entries are stale and should be ignored, in seconds. 900 = 15 mins (recommended); 0 = never.

SSL man in the middle Filtering
CA: Warning: Invalid argument supplied for foreach() in /usr/local/www/pkg_edit.php on line 560. Select Certificate Authority to use when SSL filtering is enabled on Group options. To create a CA on pfsense, go to System > Cert Manager.
Cert: Select Certificate pair to use when SSL filtering is enabled on Group options. To create a Certificate on pfsense, go to System > Cert Manager.

Content Scanner
Content Scanners (antivirus): Default values are in ( ).
freshclam frequency: Default: Every day. Select how often pfsense will update the clamd virus database.
Content scanner timeout: Default is 60. Some of the content scanners support using a timeout value to stop processing (eg AV scanning) the file if it takes too long. If supported this will be used. The default of 60 seconds is probably reasonable.
Content scan exceptions: If 'on', exception sites, urls, users etc will be scanned. This is probably not desirable behaviour as exceptions are supposed to be trusted and will increase load. Correct use of grey lists is a better idea.
ICAP URL: Enter ICAP URL in icap://icapserver:1344/avscan format. Use hostname rather than IP address and always specify the port.

Misc settings
Misc Options: Default values are in ( ).


In squid from top to bottom I have selected (squid won't paste for some
reason)

Proxy Interface: LAN and Loopback
Allow users = checked
Blank until Enable Logging
Enable logging = checked
Log store = /var/squid/logs
Log rotate = 90
Proxy port = 3128
ICP port = (blank)
Visible hostname = localhost
Administrator email = 

Re: [pfSense] [pfsense] dansguardian

2012-04-26 Thread Ryan Rodrigue
That's funny.  It deleted all of the values.  I cleaned it up a little and
put the correct values in red

 

 

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Ryan Rodrigue
Sent: Thursday, April 26, 2012 5:24 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] [pfsense] dansguardian

 

Mine is up and running, but I have to manually put the dansguardian port in
the web browser as a proxy server.  I do not have it working for transparent
squid

As you can see, most of the settings are default.

These are the Dansguardian settings. (I hope you can read this).

Daemon

Listening Settings
Enable dansguardian
I agree with dansguardian Terms and Conditions.
http://dansguardian.org/?page=copyright2 - Checked
Listen Interface(s): LAN/loopback
Listen port: 8080
Daemon Options: softrestart
Min/Max Children: 8/120
Min/Max Spare Children: 4/32
Prefork Children: 8
Max Age Children: 500
Max Ips: 0

Parent proxy Settings
Proxy IP: 127.0.0.1
Proxy Port: 3128

General

Config Settings
Auth Plugins: Proxy-Basic
Scan Options: All with on in ()
Weighted phrase mode: Singular = each weighted phrase found only counts once on
a page
Lower casing options: Force lower case
Phrase filter mode: Use both
Url cache number: blank
Url cache age: blank

SSL man in the middle Filtering
CA: none
Cert: webconfigurator default

Content Scanner
Content Scanners (antivirus): None
freshclam frequency: Every day
Content scanner timeout: 60
Content scan exceptions: No Check
ICAP URL: Blank

Misc Options
Misc options: None


In squid from top to bottom I have selected (squid won't paste for some
reason)

 

Proxy Interface: LAN and Loopback

Allow users = checked

Blank until Enable Logging

Enable logging = checked

Log store = /var/squid/logs

Log rotate = 90

Proxy port = 3128

ICP port = (blank)

Visible hostname = localhost

Administrator email = admin@localhost

Language = English

X-Forward = no check

Disable Via = no check

Strip

The rest is blank

 

 

Upstream Proxy is totally blank and I am using no authentication for now.

 

 

This may not be the best settings.  If anyone has any suggestion, please let
me know.  I always look for ways to do things better.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] [pfsense] dansguardian

2012-04-26 Thread Ryan Rodrigue
 

 

This is excellent Ryan, how about the nat/firewall rules?

Nothing special.  Like I said.  It really just works.




Re: [pfSense] THREAD HIJACK

2012-04-25 Thread Ryan Rodrigue

-Original Message-
From: list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] On Behalf Of Giles Coochey
Sent: Wednesday, April 25, 2012 8:26 AM
To: list@lists.pfsense.org
Subject: [pfSense] THREAD HIJACK

Just a note -

When starting a new thread or question can you please not reply to an
existing email and modify the subject.

Some of us with threaded mail readers might be ignoring the existing thread
you hijack, and therefore not see your query and not be able to help you
out.

If you need to - copy the email address and compose a new message.



My apologies.  I never realized it made a difference.  I always do exactly
what you are saying.  I will smite myself now and stop future hijacks.
Ryan



Re: [pfSense] State timeout ?

2012-04-18 Thread Ryan Rodrigue

Thank you, Jim 

That was the info I was looking for :-)
Unfortunately there is no 1800 (30m) there ! Are you aware of anything else
in the firewall that repeats, times-out, whatever after 30m ?

Claus



I had the same issue with broadvox and asterisk (separate box) going through
PFsense with Siproxy.  The problem was ultimately on broadvoxes end.  I was
switched to the new fusion platform and the problem went away.  I have also
since switched from asterisk to freeswitch.

Ryan



Re: [pfSense] Running into some very basic problems: can't seem to get port forwarding working ...

2012-04-16 Thread Ryan Rodrigue
OK.  Stupid solution here, but put a static route in either the host using
IP route if it is windows, or put a static route in the default gateway of
that host.  I have had some issues in the past and also put a static gateway
in the first router as well.

Internet -> Router 1 -> Router 2 (on same subnet as router 1) -> Host, and the
reply goes as follows:

Host -> Router 2 -> Router 1 -> Internet

 This only works if you know the IP address or addresses you want the SSH
traffic to come in on.



Re: [pfSense] firewall delay response

2012-04-13 Thread Ryan Rodrigue
 

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of mayank bhagat
Sent: Friday, April 13, 2012 7:33 AM
To: list@lists.pfsense.org
Subject: [pfSense] firewall delay response

 

Hello,

 

I want to use pfsense as router, I have configured it as below

Wan: 2**.**.***.***

Lan: 10.*.**.*** 

With gateway, also I have configured NAT, problem is internet is working
slowly due to firewall delay response if I disable it from system advance
Disable all packets filtering then internet working properly but NAT is not
working. 

 

Please update me for the same.

 

Regards,

Mayank

 

Actually doing what you did only turns off firewall and nat features.  It is
still a router.  I can tell you that I along with a lot of other people use
PFsense as a Router and Natting Firewall everyday.  I notice no measurable
impact in speed doing so.  Maybe we could help if you gave more information

 

What hardware are you running on?

What are you calling the internet working slowly? (Internet was 100kbps down
and is now 95kbps, or the internet was 10GBps down and is now 5KBps)

How are you measuring internet speeds?

Are you running any packages or traffic shaping?



__ Information from ESET NOD32 Antivirus, version of virus signature
database 7052 (20120413) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com





Re: [pfSense] error when installing pfsense 2.1 developement on my pc

2012-04-09 Thread Ryan Rodrigue
 

hi all,

i am trying to install the pfsense 2.1 development version on my pc,  but
met lots of problems,  

my pc using a ASUS P5LD2  motherboard,  with Core E4700 , Hard Disk :
hitachi HDT725032vlat80   320G

in the beginning , it sucks at 38% when i am trying to install it ,  after i
cancel the multiple processing on bios cpu setting. it can be installed ,
but after i reboot

it cannot boot up ,with error message below,

F1 pfsense

F6 PXE
Boot: F1
error 1 lba 368072559
error 1 lba 368072559
No /boot/loader

FreeBSD/x86 boot
Default : 0:ad(0,a)/boot/kernel/kernel
boot:
error 1 lba 368072559
not /boot/kernel/kernel



please help  thanks in advance.

best regards
bycn


You may try changing the sata mode in the bios to legacy

 

Ryan






Re: [pfSense] error when installing pfsense 2.1 developement on my pc

2012-04-09 Thread Ryan Rodrigue
 

 

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Bill Yuan
Sent: Monday, April 09, 2012 10:00 AM
To: pfSense support and discussion
Subject: Re: [pfSense] error when installing pfsense 2.1 developement on my
pc

 

hi, thanks for your quick response.

but i am sorry i am not quite familiar with what you said,   so i just
google about this, 

and on the bios of my pc, there is a IDE Configuration  

Onboard IDE Operate Mode  [Compatible Mode]
Combined Mode Option  [Primary P-ATA+S-ATA]

this is my configuration , and i did not find any legacy mode

can you please give me more detail about how to change the sata mode ?

thanks very much,   



Yep.  That would be it.  Try it at least.

 






Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Ryan Rodrigue
 

- Original Message -
 From: Nathan Eisenberg nat...@atlasnetworks.us
 To: athom...@athompso.net, pfSense support and discussion
 list@lists.pfsense.org
 Sent: Friday, February 10, 2012 2:56:36 AM
 Subject: Re: [pfSense] pfSense help with creating rules
  I think the entire ISP operation I partly run has... three routers
  that support it, AFAIK. So for all practical intents and purposes,
  that doesn't exist for me.
 
  It would be nice, most definitely, if it were supported by more
  equipment, but it's just not (in my corner of the world, anyway).
 
  So yes, for equipment that supports it, you're right - a /31 is the
  smallest IPv4-over-ethernet subnet.
 
  (There's also a philosophical point of whether Ethernet can ever
  truly be a PtP media even when physically connected PtP...)

 My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine
 (philosophy aside, it *works* over ethernet, even in a test case when
 'PtP' really meant 'these are the only two ports in the VLAN').
 Anything I own with an ARM chip (Mikrotik, Ubiquiti, or general
 embedded hardware) in it, and my PFsense boxen, don't support it at
 all. Very sad - some days, it almost makes me want to roll a bunch of
 iptables boxes and reclaim a ton of usable IP space. Almost. :)

 Anyways, didn't mean to hijack the OP! Interested to see if Comcast is
 actually handing him a /29, or just 5 IPs out of a bigger subnet, and
 if they'll route that /29 to him.

 Nathan Eisenberg

Comcast allocated a /30 for my WAN interface and a /28 for my network use.
They are in different class C address spaces.

Gordon Russell
Clarke County IT


 I understand what you are trying to accomplish I think.  Just as a stupid
thought, could you simply setup virtual IP's for the addresses you are
trying to use and setup 1:1 Nat and forward them to the internal servers.  I
understand this means you will have to use nat.  You may be trying to avoid
this, but it seems like a much easier solution.  It also seems more
flexible.

Hope this helps,
Ryan







Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Ryan Rodrigue
 

 

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Jason T. Slack-Moehrle
Sent: Friday, February 10, 2012 10:00 AM
To: pfSense support and discussion
Subject: Re: [pfSense] pfSense help with creating rules

 

Hi Nathan,

 Anyways, didn't mean to hijack the OP! Interested to see if Comcast is
actually handing him a /29, or just 5 IPs out of a bigger subnet, and if
they'll route that /29 to him.
I am a little confused at how I would know if they are handing me a /29 or
just 5 IP's?

range: 75.xx.xx.25 - .29
subnet: 255.255.255.248 (which is /29, IIRC)
GW: 75.xx.xx.30

I have a trouble ticket in as well as an e-mail to my sales rep who works
directly for their head of Operations, so I am hoping bringing in the big
brass will help me get this going today.

On the other hand, I explored Sonic.net and they are willing to run a
3/3Mbps symmetrical ethernet service with free setup and a free Cisco 2600,
16 IP's and they said yes to a routed subnet /30 no problem, no additional
charge.

But I am confused. Can anyone explain to me which is really a better deal?
Comcast 50 x 10 for $169/mo or Sonic.net 3/3mbps $274/mo

I get that Comcast is faster, but it is shared traffic, right? Where this
3/3mbps would be all dedicated to me? I still don't understand a real world
speed comparison though. Can anyone explain a bit about measuring traffic?

We are an NPO, we create datasets and allow users to crawl the web for
topics of interest and we work that data for them. We are going live here
soon. If anyone wants more details about what we do and how we are going to
do it and the hardware we are thinking about, ask. I'd love to chat.

-Jason

Comcast is faster, but is not dedicated.  You should always get the same
speeds (or reasonably close) with Sonic.  You may also have an SLA with
Sonic.  I am sure you don't have that with Comcast.  That said, all US
ISPs are shared traffic.  It is either shared via the same wire, or with
DSL shared at the DSLAM, or in all cases shared at the head office.  It is
very difficult for an ISP with say 1,000 customers at 10megs each to pay for
a 10G so they can all have dedicated traffic.  This gets worse as the number
goes up.  ISPs understand that not all users will use the bandwidth at the
same time so they have way less than they sell.  For instance one service
provider here locally has a single OC3 (45Meg) link and offers a 6 meg
internet connection.  They have a couple of hundred users.  200 x 6 = 1.2
Gigs.  Way less than what they have.  However, the 45Meg link is very rarely
saturated.  The better business oriented ISPs will prioritize business
customers over residential customers and have a lower ratio of what's sold
to what's available.  I can tell you that Comcast Business in South
Louisiana has a very good service and I have never measured less than 10
down and 4 up.  This beats your 3/3 hands down.  The same may not be
true in your area as every area is different.  Comcast does not however
offer to have a routed subnet as you are asking.  They provide 5 ip addresses
that you can access directly on their modem.  You can get 14 addresses and
subnet yourself, but that really wastes a lot of IP addresses.  You could
also setup to Bridge the DMZ and WAN and run a filtered bridge setup.






Re: [pfSense] Odd circumstances

2011-11-29 Thread Ryan Rodrigue


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Mehma Sarja
Sent: Tuesday, November 29, 2011 8:39 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Odd circumstances

On 11/29/11 5:49 AM, Ryan Rodrigue wrote:
 What is the IP for the WAN interface on the PFsense box?  Is it in the 
 same subnet for the LAN?  If it is, change the lan subnet to something
else.
 Routers route based on subnets.  If both of its interfaces are the 
 same, it doesn't know how to route.

I also thought that might be the problem - i.e. the LAN addresses and
WAN/gateway IP's are being addressed as one network. But the /24 only covers
the last octet of the IP address - i.e. 255.255.255.0 netmask.

LAN 192.168.100.100/24-WAN 192.168.15.10/24=192.168.15.1 gateway
(The /24 WAN netmask is to include the gateway IP in the default gateway
selection for DNS server. A /32 was problematic)

Going to simplify the network by
LAN 192.168.100.100/24-WAN DHCP=modem gateway

Mehma



You are correct that these are on different subnets.  Your method of double
natting should work, but isn't the best way to do things.  Double natting
usually causes problems.




Re: [pfSense] Direct purchase of pfSense book pdf

2011-09-30 Thread Ryan Rodrigue


Yes - it's easy for the media (and idiots like the BSA) to talk about
popular media and software, since that gives them huge figures, especially
by making the assumption that everyone who downloaded an unauthorised copy
of something would otherwise have bought it at full price.  But for a
specialised book like this, unauthorised copies can make a much bigger
proportional difference to the authors.  Part of this is that it is more
realistic to assume that a higher proportion of downloaded copies really are
lost sales - people would only bother getting hold of a copy of the PfSense
book if they actually needed it, unlike a song, movie or computer game.

The challenge for Chris is to find a way to let honest users pay suitably
for a pdf that they can use freely (no Kindle nonsense or other DRM locks),
while discouraging the accidental or intentional spread of the file.
Watermarking with the purchaser's name and company is one way to achieve
this, at least amongst professional users.  Maybe if the watermark included
the purchasers credit card number, people would be careful about sharing the
file!

A while back there was talk of a monkey in PFsense that would jump out and
do the dishes for us.  Maybe the monkey could bite people who steal the PDF.
On a more serious note, a PDF that is searchable would be very helpful to
have.  Even if it did have DRM.  It's a shame, but it is the world we live
in.  People who would never shoplift at Walmart have no problem at all
stealing music, videos, books, etc.
