Re: [pfSense] malformed packets
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of mad.scientist.at.la...@tutanota.com
> Sent: Monday, October 30, 2017 2:27 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] malformed packets
>
> thank you for your reply, i'll try your suggestions. complete newbie to pfsense, but do know something about firewalls etc. and can basically use wireshark and understand it. fortunately the problem has become much less severe. Thank you.
>
> mad.scientist.at.large (a good madscientist)
> --
> "The U.S. intelligence community concluded in a report made public in January that the Kremlin sought to disrupt the 2016 election and sway the race in Trump's favor." From "thehill.com". Only Trump and his duplicitous supporters try to say it was Clinton who conspired. Frankly Trump is likely guilty of treason, the sooner he's impeached and indicted the better, along with ALL of his supporters in government.
>
> 30. Oct 2017 09:36 by st...@teamits.com:
>
> > I saw your question but didn't see an answer... Have you considered Suricata or Snort to see if they can detect and block off the traffic?
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -----Original Message-----
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of mad.scientist.at.la...@tutanota.com
> > Sent: Friday, October 20, 2017 7:24 PM
> > To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> > Subject: [pfSense] malformed packets
> >
> > is there any way i can block malformed packets and drop them rather than being used for a ddos attack? this is related to LEGAL torrents, i.e. copy left etc. even running deluge there is a storm of malformed packets with spoofed ip addrs, which then makes my machine send out many, many malformed packets to people who didn't even send them. Gee, i thought doing a ddos on people was illegal, not that it matters in most countries.
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold!
> > https://pfsense.org/gold

Can we avoid posting political statements to this list? You can have whatever view you would like, but a router mailing list is hardly the place to post them. Thank you.
Re: [pfSense] testing email
Sorry for the noise, should be all good now. Gotta love Chris! Thanks for your ongoing support to this project.

Ryan
Re: [pfSense] My son is able to bypass my captive portal
You can set a NAT forward on the DNS port to force all DNS requests to go to a specific address.

Firewall > NAT
Interface: LAN (or whichever internal interface you wish to use)
Protocol: TCP/UDP
Destination: Any
Destination Port Range: 53
Redirect Target IP: where you want it to go, perhaps the OpenDNS address.

I think you could put the IP of the router in there. I never tried it like that. This may or may not fix the captive portal issue, but it should let you use OpenDNS for all DNS queries.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
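The same redirect written as the pf rules that the GUI port forward above produces, as an added illustration that is not part of the original message. The interface name em1, the LAN subnet and the OpenDNS resolver address are assumptions.

```pf
# Constructed example: LAN interface em1, LAN subnet 192.168.1.0/24 (assumptions).
lan_if  = "em1"
lan_net = "192.168.1.0/24"
dns_fwd = "208.67.222.222"   # OpenDNS resolver, assumed redirect target

# Rewrite every DNS request leaving the LAN, whatever resolver the client
# actually asked for, so it is answered by dns_fwd instead. DNS uses TCP as
# well as UDP (large answers, zone transfers), so redirect both transports.
rdr on $lan_if inet proto { tcp, udp } from $lan_net to any port 53 -> $dns_fwd port 53

# The redirected packet still has to pass the filter; in the pfSense GUI this is
# the "associated filter rule" that a port forward creates by default.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $dns_fwd port 53 keep state
```

A client that points at a resolver on a port other than 53, or that resolves over HTTPS, is not caught by this redirect, so the rule is a convenience for ordinary clients rather than a guarantee.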
Re: [pfSense] help
I am just a big dummy that is coming in late in the game. Is it possible that they are sending that IP to a router/modem and the router is doing NAT? If so, is it possible to disable the routing functions and just use this as a bridge and not a router? I have seen this before with DSL and some cable modems. I have even seen cable modems that have an internal NAT IP, but also work with the public IP that is assigned to your account.

Have you called your ISP and asked them how to use your static IP? Who is your service provider? Is this cable or DSL?

Sorry if you have answered this before. I am coming in a little late.
Re: [pfSense] help
Please don't top post. It makes helping difficult.

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of eyobe kebede
Sent: Wednesday, April 24, 2013 9:36 AM
To: pfSense support and discussion
Subject: Re: [pfSense] help

> we are using DSL and let me give you some information. we were using 10.130.48.72 IP address given by the ISP and for some reason we have purchased public ip 197.156.75.54. where technicians from the ISP do not give us how to use the IP addresses and it became difficult to configure it on pfsense. these are the solid facts:
>
> wan ip 10.130.51.83
> default gateway 10.130.65.42
> public ip 197.156.75.54 our side and 197.156.75.53 ISP side
>
> then we need how to configure this in pfsense?

I would try 2 things.

1st I would try to set up the public IP that was given to you (197.156.75.54) as a static IP in PF and set up 197.156.75.53 as the default gateway. (Don't use DHCP.) You will have to set up the DNS servers in the System > General Setup tab.

2nd If that doesn't work, I would try to move the PPPoE login information to the PF box and put the DSL modem in bridge mode.
Re: [pfSense] help
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Matthias May
Sent: Wednesday, April 24, 2013 11:02 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] help

On 24/04/13 16:36, eyobe kebede wrote:
> we are using DSL and let me give you some information. we were using 10.130.48.72 IP address given by the ISP and for some reason we have purchased public ip 197.156.75.54. where technicians from the ISP do not give us how to use the IP addresses and it became difficult to configure it on pfsense. these are the solid facts:
>
> wan ip 10.130.51.83
> default gateway 10.130.65.42
> public ip 197.156.75.54 our side and 197.156.75.53 ISP side
>
> then we need how to configure this in pfsense?

See the second reply in this thread by jim:

[quote]
Some ISPs that are particularly stingy with IPs and bad at routing have been doing this. His ISP may have just forgotten to give him the proper gateway. But on the outside chance they really do expect him to use that 10.x address as the gateway, it may still be possible. http://redmine.pfsense.org/issues/972 Not supported in the GUI yet though.
Jim
[/quote]

I don't understand your comment. He says that the public IP is 197.156.75.53 on the ISP side. This appears to be a proper gateway.

On Wed, Apr 24, 2013 at 5:22 PM, Ryan Rodrigue radiote...@aaremail.com wrote:
> I am just a big dummy that is coming in late in the game. Is it possible that they are sending that IP to a router/modem and the router is doing NAT? If so, is it possible to disable the routing functions and just use this as a bridge and not a router? I have seen this before with DSL and some cable modems. I have even seen cable modems that have an internal NAT IP, but also work with the public IP that is assigned to your account.
>
> Have you called your ISP and asked them how to use your static IP? Who is your service provider? Is this cable or DSL?
>
> Sorry if you have answered this before. I am coming in a little late.
Re: [pfSense] General question
-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of k_o_l
Sent: Monday, March 25, 2013 3:53 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] General question

> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Christoph Hanle
> Sent: Monday, March 25, 2013 2:45 PM
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] General question
>
> On 25.03.2013 19:30 k_o_l wrote:
> > I see the issue even when all browsers are shut down.
>
> netstat -ano (Win) or -nlp on the source PC can bring you the solution.
>
> bye
> Christoph

Nothing there, wireshark captures http sessions, but not sure what's doing it since all my browsers are off. Perhaps some windows gadget that is in use.

Does it show what PC you are having the problems with? Unplug the network from that PC and see if it still persists. It could be any number of apps they have installed. I have even seen some of the browsers open http sessions.
Re: [pfSense] General question
-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Rodrigue
Sent: Monday, March 25, 2013 4:18 PM
To: k_...@hotmail.com; 'pfSense support and discussion'
Subject: Re: [pfSense] General question

> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of k_o_l
> Sent: Monday, March 25, 2013 3:53 PM
> To: 'pfSense support and discussion'
> Subject: Re: [pfSense] General question
>
> > From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Christoph Hanle
> > Sent: Monday, March 25, 2013 2:45 PM
> > To: list@lists.pfsense.org
> > Subject: Re: [pfSense] General question
> >
> > On 25.03.2013 19:30 k_o_l wrote:
> > > I see the issue even when all browsers are shut down.
> >
> > netstat -ano (Win) or -nlp on the source PC can bring you the solution.
> >
> > bye
> > Christoph
>
> Nothing there, wireshark captures http sessions, but not sure what's doing it since all my browsers are off. Perhaps some windows gadget that is in use.
>
> Does it show what PC you are having the problems with? Unplug the network from that PC and see if it still persists. It could be any number of apps they have installed. I have even seen some of the browsers open http sessions.

Sorry. I have seen some antiviruses open HTTP sessions.
Re: [pfSense] Blocking Websites
If you know the IP address of the website you want to allow and you know it will also not change, you could do this with the simple firewall rules built in. If you are trying to block all but a few websites using actual URLs, then you would need something like squid or dansguardian.

Ryan Rodrigue
Chief Technical Manager
A A R Electronics, Inc
P.O. Box 4336, Houma, LA 70361
510 West Tunnel Blvd, Houma, LA 70360
Phone (985) 876-4096
Phone (800) 649-7346
Fax (985) 853-0134
syst...@aaremail.com
http://www.aarelectronics.com/

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kevin Hayes
Sent: Friday, March 01, 2013 3:44 PM
To: list@lists.pfsense.org
Subject: [pfSense] Blocking Websites

> Hello,
>
> I am trying something that I thought would be fairly simple but is turning out to be more confusing than I had hoped. We have several computers that are considered critical and I would like to block the internet except for a short list of approved websites that may be accessed from those desktops. What would be the easiest suggestion on how to do this? I've been looking at pfBlocker and it seems by its description to do what I need; I found where I can block whole countries but not specific sites on specific IP addresses.
>
> Any advice would be helpful.
>
> Thanks,
> Kevin Hayes
Re: [pfSense] Traffic Graph quit showing IP's
I fixed it. Just in case anyone wants to know what I did:

1. I backed up my config.
2. I went through the file and cleaned up some lines in there about old unused packages.
3. Restored the config using the file I cleaned up.
4. I did a firmware upgrade to the same version.

Problem solved. Thanks to all who helped.
[pfSense] Traffic Graph quit showing IP's
I have 2 boxes on the same network. Both are configured almost the same. One of them shows IP addresses when I go to Status > Traffic Graphs. One does not. The one that does not work even looks different. The one that does not work also says "array". I am not sure what that means. I tried backing up without the package info and restoring this, but it did not seem to make a difference. I have attached a screenshot of the one that works and the one that does not.

Is there a setting I need to change? How can I fix this?

Thanks
Re: [pfSense] Building Reports and Content Filters
-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of James Caldwell
Sent: Tuesday, November 20, 2012 9:44 AM
To: pfSense support and discussion
Subject: Re: [pfSense] Building Reports and Content Filters

> https://www.untangle.com/store/policy-manager-conf.html
> https://www.untangle.com/store/reports.html
>
> A couple of links that I came across that prompted the question this morning.

The Dansguardian package will give you content filtering capabilities. Sarg will give you reports of usage in dansguardian. Squid can be used as a proxy and lightsquid as a reporting tool also, if you would like to do it that way. Both of the above require the user to log in to the router to view the reports AFAIK.
Re: [pfSense] IPSec client for iPad
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luis Carrion
Sent: Wednesday, October 03, 2012 6:30 AM
To: pfSense support and discussion
Subject: Re: [pfSense] IPSec client for iPad

> Ok, I am using it now w/o problems but... how can I apply different firewall rules for different remote users?
>
> thanks again!
>
> Luis
>
> 2012/10/3 Raúl Sampedro raul.sampe...@grupocarreras.com

Set the users to get a static IP and apply rules based on these addresses.

Ryan
Re: [pfSense] installing a database server
-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vieri
Sent: Friday, September 21, 2012 7:29 AM
To: list@lists.pfsense.org
Subject: [pfSense] installing a database server

> Hi,
>
> How unstable would it be to install a database server such as MySQL on pfSense? Why would you not recommend installing MySQL on pfSense, supposing I'd want it to do more than firewalling (apart from the possible MySQL software security leaks)?
>
> Thanks,
> Vieri

I have no clue as to your answer. As an alternative, have you considered setting up a hypervisor (such as VMware ESXi) and running PFsense as a virtual machine? You could then run whatever other servers you would like and still have them in one box.
Re: [pfSense] Multiwan
Short answer is no. Basically every interface on a router must be on a separate subnet. It defines this by the network address and subnet mask. Having 2 internet accesses on the same network range but different interfaces will not work correctly. Perhaps you could change one of them to a different network range? If not, maybe the ISP could do this for you. A workaround I do not like, but that has worked for some, is to add another router in the mix to change one of the gateway IP's to a different subnet.

Ryan Rodrigue
Chief Technical Manager
A A R Electronics, Inc
P.O. Box 4336, Houma, LA 70361
510 West Tunnel Blvd, Houma, LA 70360
Phone (985) 876-4096
Phone (800) 649-7346
Fax (985) 853-0134
syst...@aaremail.com
http://www.aarelectronics.com/

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Andrew @ ATMlogic.ca
Sent: Wednesday, August 08, 2012 11:13 AM
To: 'pfSense support and discussion'
Subject: [pfSense] Multiwan

> Just wondering a few things about multiwan. In this case what I am wondering is: can I take multiple Wifi bridges, funnel them into pf, and have one Lan connection that (from what I understand) does some basic round robin load balancing? I am aware this will give me some trouble on some websites. However I am also worried: will everything work out if the WAN ports have the same gateway? e.g. I will be getting an internal IP of 192.168.0.20, 0.102, 0.87 and then 1.101 for example, however all the 0.'s will have the same 0.1 gateway yet be totally different connections to the web. Not sure if that would matter.
>
> ---Andrew
> ATM Logic
> Never memorize something that you can Google
Re: [pfSense] Squid package syslog
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Fuchs, Martin
Sent: Monday, July 16, 2012 9:40 AM
To: pfSense support and discussion
Subject: Re: [pfSense] Squid package syslog

> Do you perhaps have any idea if it's possible to do this with some configuration items in the squid-config? If there's something in the docs it might be easier.

I do not. I am not a dev.
Re: [pfSense] Squid package syslog
I am trying to set up Cyberoam iView for squid. It appears it is simply set up as a destination syslog server. I cannot find in the squid package where to set up the syslog server. Is there somewhere special I need to go, or is this function simply not available?

Sorry if I seem a little impatient. I know this is more of a squid question and less of a PFsense question. Who is the dev for squid? Maybe he will be able to help me.
Re: [pfSense] Squid package syslog
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Rodrigue
Sent: Monday, July 16, 2012 7:27 AM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] Squid package syslog

> I am trying to set up Cyberoam iView for squid. It appears it is simply set up as a destination syslog server. I cannot find in the squid package where to set up the syslog server. Is there somewhere special I need to go, or is this function simply not available?
>
> Sorry if I seem a little impatient. I know this is more of a squid question and less of a PFsense question. Who is the dev for squid? Maybe he will be able to help me.

OK so I solved this myself. I googled this all day Friday with no positive results. Today, I found it. Proof my brain does work better in the morning. I figured I'd post what I found in case anybody else was interested.

In the Services > Proxy Server settings of the PFsense GUI, at the bottom of the General settings there is a Custom Options field. I added the following:

access_log syslog:local:4

I then went to Status > System Logs > Settings. I set up my syslog server and selected portal auth events. (I found this by trial and error.) Checked my syslog server and everything seems to work fine.

Thank you very much everybody for your help.

Ryan
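On the collector side, the thing worth checking first is that the forwarded lines actually parse. As an added example (not part of the original thread), the Python below decodes the RFC 3164 PRI field of each forwarded syslog line into facility and severity and splits the Squid native access-log message that follows into named fields. The sample lines are constructed; that the `local:4` option above lands on facility local4 (code 20) is an assumption, as is the `(squid-1)` program tag.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 facility codes: local0..local7 are 16..23.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:]+): ?"
    r"(?P<msg>.*)$"
)

# Squid native access-log layout (the default "squid" logformat):
# time elapsed client action/status size method url ident hierarchy/peer type
SQUID_FIELDS = ("time", "elapsed_ms", "client", "result", "size",
                "method", "url", "ident", "hierarchy", "mimetype")


@dataclass
class AccessRecord:
    facility: str
    severity: str
    host: str
    time: float
    elapsed_ms: int
    client: str
    action: str
    status: int
    size: int
    method: str
    url: str
    hierarchy: str
    mimetype: str


def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_squid_syslog(line: str) -> Optional[AccessRecord]:
    """Return a structured record, or None if the line is not a Squid access-log message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parts = m.group("msg").split()
    if len(parts) != len(SQUID_FIELDS):
        return None  # not the ten-field native format; skip rather than guess
    fields = dict(zip(SQUID_FIELDS, parts))
    action, _, status = fields["result"].partition("/")
    if not status.isdigit():
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return AccessRecord(
        facility=facility, severity=severity, host=m.group("host"),
        time=float(fields["time"]), elapsed_ms=int(fields["elapsed_ms"]),
        client=fields["client"], action=action, status=int(status),
        size=int(fields["size"]), method=fields["method"], url=fields["url"],
        hierarchy=fields["hierarchy"], mimetype=fields["mimetype"],
    )


def summarise(lines):
    """Requests per client and the number of TCP_DENIED results, ignoring non-Squid lines."""
    per_client = {}
    denied = 0
    for line in lines:
        rec = parse_squid_syslog(line)
        if rec is None:
            continue
        per_client[rec.client] = per_client.get(rec.client, 0) + 1
        if rec.action == "TCP_DENIED":
            denied += 1
    return per_client, denied


# Constructed sample: local4.info is PRI 20*8+6 = 166; the last line is an
# unrelated sshd message that a shared collector would also receive.
SAMPLE = [
    "<166>Jul 16 07:27:01 pfsense (squid-1): 1342441621.123 45 192.168.1.10 TCP_MISS/200 1234 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
    "<166>Jul 16 07:27:02 pfsense (squid-1): 1342441622.456 0 192.168.1.11 TCP_DENIED/403 3456 GET http://blocked.example/ - HIER_NONE/- text/html",
    "<166>Jul 16 07:27:03 pfsense (squid-1): 1342441623.789 12 192.168.1.10 TCP_HIT/200 512 GET http://www.example.com/logo.png - HIER_NONE/- image/png",
    "<38>Jul 16 07:27:04 pfsense sshd[123]: Accepted publickey for admin from 192.168.1.5",
]

if __name__ == "__main__":
    counts, denied = summarise(SAMPLE)
    print(counts, denied)
```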
Re: [pfSense] whitelist of mac address
This works on PFsense?

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bill Yuan
Sent: Monday, June 11, 2012 7:59 AM
To: pfSense support and discussion
Subject: [pfSense] whitelist of mac address

> hi,
>
> i want to create a whitelist of mac addresses on my own freebsd gateway. i want to use rules like this below:
>
> 1 allow ip from any to any MAC any <mac address>
> 2 allow ip from any to any MAC <mac address> any
> 3 deny ip from any to any
>
> i found it works on pfsense, but it doesn't work on my freebsd. can someone please tell me how to activate the mac filtering on freebsd? what kind of device needs to be activated? i have rebuilt my kernel multiple times already, but it is still not working!
>
> thanks,
Re: [pfSense] can it be that having WAN on RFC1918 space fucks up site to site IPsec tunnel?
Is the vulgarity in the subject really necessary?
Re: [pfSense] is pfSense the right choice?
-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
Sent: Thursday, May 03, 2012 1:21 PM
To: pfSense support and discussion
Subject: Re: [pfSense] is pfSense the right choice?

> On Thu, May 3, 2012 at 1:55 PM, Noam Birnbaum n...@maccentricsolutions.com wrote:
> > Good call, David -- They currently have dual WAN -- 40/40 WiMAX and 50/10 cable. I expect that as they grow these pipes will at least double. As for their *expectations* -- they are a web development startup in San Francisco, so they have very high expectations. They'll swallow whatever bandwidth they can get. They bark when a Youtube video stutters once. I need an extremely solid solution for them. I would go Cisco except no experience with it.
>
> Another person sold on a name rather than the actual product. :)
>
> You won't get the functionality you're looking for from Cisco. Though you won't get exactly what you're looking for with pfSense either, specifically providing bandwidth management and monitoring on a per-user, per-application basis. The best bet there on Cisco and pfSense is exporting Netflow to a collector. We have some built in options in packages. Similar on your other QoS point in that you'll have difficulty differentiating at least the streaming video part, that just looks like any other HTTP traffic in that regard. VoIP and video conferencing generally no issue. But no diff there from Cisco, and we actually make it easier.

I hate to throw a monkey in this, but the only thing I know of that will do this would be a Mikrotik router. I don't mean to drop other routers' names on this list, but I think it may fit the bill. It isn't easy to program though. I used to tell people that it was written in Greek. I went to class and found out it is Latvian. LOL. I have routed through a Mikrotik box at 800+Mbps. It does have some pretty granular throttling controls if you can figure them out.

You can set up in the firewall for certain protocols to use different queues also. If you go that route I would definitely recommend a training class first. Not cheap.
Re: [pfSense] [pfsense] dansguardian
> Ryan, your solution worked just fine, but in addition I added a fw rule to catch all http (port 80) traffic and had it redirected to 8080, that way you don't need to change the proxy on the individual hosts
>
> K_o_l

How and where did you add such a rule? I would like it to work in transparent mode. I am mainly just playing with it right now. It is not in production yet.
Re: [pfSense] [pfsense] dansguardian
Mine is up and running, but I have to manually put the dansguardian port in the web browser as a proxy server. I do not have it working for transparent squid. As you can see, most of the settings are default. These are the Dansguardian settings. (I hope you can read this.)

Daemon Listening Settings
Enable dansguardian: I agree with dansguardian Terms and Conditions. http://dansguardian.org/?page=copyright2
Listen Interface(s): Default: LAN/loopback. Select interface(s) that you want dansguardian to listen on.
Listen port: Default: 8080. The port(s) that DansGuardian listens to.

Daemon Options. Default values are in ( )
Min/Max Children: Default: 8/120. Sets the minimum and maximum number of processes to spawn to handle the incoming connections. Max value usually 250 depending on OS. On large sites you might want to try 32/180.
Min/Max Spare Children: Default: 4/32. Sets the minimum and maximum number of processes to be kept ready to handle connections. On large sites you might want to try 8/64.
Prefork Children: sets the minimum number of processes to spawn when it runs out. On large sites you might want to try 10.
Max Age Children: Default: 500. Sets the maximum age of a child process before it croaks it. This is the number of connections they handle before exiting. On large sites you might want to try 1.
Max Ips: Default: 0. Sets the maximum number of client IP addresses allowed to connect at once. Use this to set a hard limit on the number of users allowed to concurrently browse the web. Set to 0 for no limit, and to disable the IP cache process.

Parent proxy Settings
Proxy IP: Default: 127.0.0.1. Sets ip address for proxy server (usually squid).
Proxy Port: Default: 3128. Sets port number for proxy server.

General Config Settings
Auth Plugins: This option handles the extraction of client usernames from various sources, such as Proxy-Authorisation headers and ident servers, enabling requests to be handled according to the settings of the user's filter group.

Scan Options. Default values are in ( )
Weighted phrase mode: IMPORTANT: Note that setting this to 0 turns off all features which extract phrases from page content, including banned exception phrases (not just weighted), search term filtering, and scanning for links to banned URLs.
Lower casing options: When a document is scanned the uppercase letters are converted to lower case in order to compare them with the phrases. However this can break Big5 and other 16-bit texts. If needed preserve the case.
Phrase filter mode: Smart, Raw and Meta/Title phrase content filtering options. Smart is where the multiple spaces and HTML are removed before phrase filtering. Raw is where the raw HTML including meta tags are phrase filtered. Meta/Title is where only meta and title tags are phrase filtered (v. quick). CPU usage can be effectively halved by using setting 0 or 1 compared to 2.
Url cache number: Positive (clean) result caching for URLs. Caches good pages so they don't need to be scanned again. It also works with AV plugins. 0 = off (recommended for ISPs with users with dissimilar browsing), 1000 = recommended for most users, 5000 = suggested max upper limit. If you're using an AV plugin then use at least 5000.
Url cache age: Age before cache entries are stale and should be ignored, in seconds. 900 = 15 mins (recommended), 0 = never.

SSL man in the middle Filtering
CA: Warning: Invalid argument supplied for foreach() in /usr/local/www/pkg_edit.php on line 560. Select Certificate Authority to use when SSL filtering is enabled on Group options. To create a CA on pfsense, go to System > Cert Manager.
Cert: Select Certificate pair to use when SSL filtering is enabled on Group options. To create a Certificate on pfsense, go to System > Cert Manager.

Content Scanner
Content Scanners (antivirus): Content Scanners options. Default values are in ( )
freshclam frequency: Default: Every day. Select how often pfsense will update the clamd virus database.
Content scanner timeout: Default is 60. Some of the content scanners support using a timeout value to stop processing (eg AV scanning) the file if it takes too long. If supported this will be used. The default of 60 seconds is probably reasonable.
Content scan exceptions: If 'on', exception sites, urls, users etc will be scanned. This is probably not desirable behaviour as exceptions are supposed to be trusted and will increase load. Correct use of grey lists is a better idea.
ICAP URL: Enter ICAP URL in icap://icapserver:1344/avscan format. Use hostname rather than IP address and always specify the port.

Misc settings
Misc Options: Misc options. Default values are in ( )

In squid from top to bottom I have selected (squid won't paste for some reason):
Proxy Interface: LAN and Loopback
Allow users = checked
Blank until Enable Logging
Enable logging = checked
Log store = /var/squid/logs
Log rotate = 90
Proxy port = 3128
ICP port = (blank)
Visible hostname = localhost
Administrator email =
Re: [pfSense] [pfsense] dansguardian
That's funny. It deleted all of the values. I cleaned it up a little and put the correct values in red.

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Rodrigue
Sent: Thursday, April 26, 2012 5:24 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] [pfsense] dansguardian

Mine is up and running, but I have to manually put the dansguardian port in the web browser as a proxy server. I do not have it working for transparent squid. As you can see, most of the settings are default. These are the Dansguardian settings. (I hope you can read this.)

Daemon Listening Settings
Enable dansguardian: I agree with dansguardian Terms and Conditions. http://dansguardian.org/?page=copyright2 - Checked
Listen Interface(s): LAN/loopback
Listen port: 8080

Daemon Options: softrestart
Min/Max Children: 8/120
Min/Max Spare Children: 4/32
Prefork Children: 8
Max Age Children: 500
Max Ips: 0

Parent proxy Settings
Proxy IP: 127.0.0.1
Proxy Port: 3128

General Config Settings
Auth Plugins: Proxy-Basic

Scan Options: All with "on" in ()
Weighted phrase mode: Singular = each weighted phrase found only counts once on a page
Lower casing options: Force lower case
Phrase filter mode: Use both
Url cache number: blank
Url cache age: blank

SSL man in the middle Filtering
CA: none
Cert: webconfigurator default

Content Scanner
Content Scanners (antivirus): None
freshclam frequency: Every day
Content scanner timeout: 60
Content scan exceptions: No Check
ICAP URL: Blank

Misc Options: None

In squid from top to bottom I have selected (squid won't paste for some reason):
Proxy Interface: LAN and Loopback
Allow users = checked
Blank until Enable Logging
Enable logging = checked
Log store = /var/squid/logs
Log rotate = 90
Proxy port = 3128
ICP port = (blank)
Visible hostname = localhost
Administrator email = admin@localhost
Language = English
X-Forward = no check
Disable Via = no check
Strip: The rest is blank
Upstream Proxy is totally blank and I am using no authentication for now.

These may not be the best settings. If anyone has any suggestions, please let me know. I always look for ways to do things better.
Re: [pfSense] [pfsense] dansguardian
> This is excellent Ryan, how about the nat/firewall rules?

Nothing special. Like I said, it really just works.
Re: [pfSense] THREAD HIJACK
-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Giles Coochey
Sent: Wednesday, April 25, 2012 8:26 AM
To: list@lists.pfsense.org
Subject: [pfSense] THREAD HIJACK

> Just a note - When starting a new thread or question can you please not reply to an existing email and modify the subject. Some of us with threaded mail readers might be ignoring the existing thread you hijack, and therefore not see your query and not be able to help you out. If you need to - copy the email address and compose a new message.

My apologies. I never realized it made a difference. I always do exactly what you are saying. I will smite myself now and stop future hijacks.

Ryan
Re: [pfSense] State timeout ?
> Thank you, Jim
>
> That was the info I was looking for :-)
>
> Unfortunately there is no 1800 (30m) there! Are you aware of anything else in the firewall that repeats, times out, whatever after 30m?
>
> Claus

I had the same issue with Broadvox and Asterisk (separate box) going through PFsense with Siproxd. The problem was ultimately on Broadvox's end. I was switched to the new Fusion platform and the problem went away. I have also since switched from Asterisk to FreeSWITCH.

Ryan
Re: [pfSense] Running into some very basic problems: can't seem to get port forwarding working ...
OK. Stupid solution here, but put a static route in either the host (using IP route if it is Windows), or put a static route in the default gateway of that host. I have had some issues in the past and also put a static route in the first router as well.

Internet -> Router 1 -> Router 2 (on the same subnet as Router 1) -> Host

and the reply goes as follows:

Host -> Router 2 -> Router 1 -> Internet

This only works if you know the IP address or addresses you want the SSH traffic to come in on.
Re: [pfSense] firewall delay response
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of mayank bhagat
Sent: Friday, April 13, 2012 7:33 AM
To: list@lists.pfsense.org
Subject: [pfSense] firewall delay response

> Hello,
> I want to use pfSense as a router. I have configured it as below:
> WAN: 2**.**.***.***
> LAN: 10.*.**.***
> with gateway; also I have configured NAT. The problem is the internet is working slowly due to firewall delay response. If I disable it from System > Advanced ("Disable all packet filtering") then the internet works properly, but NAT is not working.
> Please update me on the same.
> Regards,
> Mayank

Actually, doing what you did only turns off the firewall and NAT features. It is still a router. I can tell you that I, along with a lot of other people, use pfSense as a router and NATing firewall every day. I notice no measurable impact on speed doing so.

Maybe we could help if you gave more information:

What hardware are you running on?
What are you calling "the internet working slowly"? (The internet was 100kbps down and is now 95kbps, or the internet was 10Gbps down and is now 5kbps?)
How are you measuring internet speeds?
Are you running any packages or traffic shaping?
Re: [pfSense] error when installing pfsense 2.1 developement on my pc
> hi all,
> I am trying to install the pfSense 2.1 development version on my PC, but met lots of problems. My PC uses an ASUS P5LD2 motherboard, with a Core E4700 and a Hitachi HDT725032VLAT80 320G hard disk.
> In the beginning, it got stuck at 38% when I was trying to install it. After I cancelled the multiple-processing CPU setting in the BIOS it could be installed, but after I reboot it cannot boot up, with the error message below:
>
> F1 pfsense
> F6 PXE
> Boot: F1
> error 1 lba 368072559
> error 1 lba 368072559
> No /boot/loader
> FreeBSD/x86 boot
> Default: 0:ad(0,a)/boot/kernel/kernel
> boot: error 1 lba 368072559
> not /boot/kernel/kernel
>
> Please help. Thanks in advance.
> Best regards,
> bycn

You may try changing the SATA mode in the BIOS to legacy.

Ryan
Re: [pfSense] error when installing pfsense 2.1 developement on my pc
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bill Yuan
Sent: Monday, April 09, 2012 10:00 AM
To: pfSense support and discussion
Subject: Re: [pfSense] error when installing pfsense 2.1 developement on my pc

> Hi, thanks for your quick response, but I am sorry, I am not quite familiar with what you said, so I just googled this. In the BIOS of my PC there is an IDE Configuration:
>
> Onboard IDE Operate Mode [Compatible Mode]
> Combined Mode Option [Primary P-ATA+S-ATA]
>
> This is my configuration, and I did not find any legacy mode. Can you please give me more detail about how to change the SATA mode?
> Thanks very much.

Yep. That would be it. Try it at least.
Re: [pfSense] pfSense help with creating rules
- Original Message -
From: Nathan Eisenberg nat...@atlasnetworks.us
To: athom...@athompso.net, pfSense support and discussion list@lists.pfsense.org
Sent: Friday, February 10, 2012 2:56:36 AM
Subject: Re: [pfSense] pfSense help with creating rules

> > I think the entire ISP operation I partly run has... three routers that support it, AFAIK. So for all practical intents and purposes, that doesn't exist for me. It would be nice, most definitely, if it were supported by more equipment, but it's just not (in my corner of the world, anyway). So yes, for equipment that supports it, you're right - a /31 is the smallest IPv4-over-Ethernet subnet. (There's also a philosophical point of whether Ethernet can ever truly be a PtP medium even when physically connected PtP...)
>
> My Cisco 6509s/7204s/3550/3560/Linux boxes support it just fine (philosophy aside, it *works* over Ethernet, even in a test case when 'PtP' really meant 'these are the only two ports in the VLAN'). Anything I own with an ARM chip in it (Mikrotik, Ubiquiti, or general embedded hardware), and my pfSense boxen, don't support it at all. Very sad - some days, it almost makes me want to roll a bunch of iptables boxes and reclaim a ton of usable IP space. Almost. :)
>
> Anyways, didn't mean to hijack the OP! Interested to see if Comcast is actually handing him a /29, or just 5 IPs out of a bigger subnet, and if they'll route that /29 to him.
>
> Nathan Eisenberg

> Comcast allocated a /30 for my WAN interface and a /28 for my network use. They are in different class C address spaces.
>
> Gordon Russell
> Clarke County IT

I understand what you are trying to accomplish, I think. Just as a stupid thought, could you simply set up virtual IPs for the addresses you are trying to use and set up 1:1 NAT and forward them to the internal servers? I understand this means you will have to use NAT. You may be trying to avoid this, but it seems like a much easier solution. It also seems more flexible.

Hope this helps,
Ryan
Re: [pfSense] pfSense help with creating rules
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason T. Slack-Moehrle
Sent: Friday, February 10, 2012 10:00 AM
To: pfSense support and discussion
Subject: Re: [pfSense] pfSense help with creating rules

> Hi Nathan,
>
> > Anyways, didn't mean to hijack the OP! Interested to see if Comcast is actually handing him a /29, or just 5 IPs out of a bigger subnet, and if they'll route that /29 to him.
>
> I am a little confused at how I would know if they are handing me a /29 or just 5 IPs?
>
> range: 75.xx.xx.25 - .29
> subnet: 255.255.255.248 (which is /29, IIRC)
> GW: 75.xx.xx.30
>
> I have a trouble ticket in as well as an e-mail to my sales rep, who works directly for their head of Operations, so I am hoping bringing in the big brass will help me get this going today.
>
> On the other hand, I explored Sonic.net and they are willing to run a 3/3Mbps symmetrical Ethernet service with free setup and a free Cisco 2600, 16 IPs, and they said yes to a routed /30 subnet, no problem, no additional charge.
>
> But I am confused. Can anyone explain to me which is really a better deal? Comcast 50 x 10 for $169/mo or Sonic.net 3/3Mbps for $274/mo? I get that Comcast is faster, but it is shared traffic, right? Whereas this 3/3Mbps would be all dedicated to me? I still don't understand a real-world speed comparison though. Can anyone explain a bit about measuring traffic?
>
> We are an NPO; we create datasets and allow users to crawl the web for topics of interest, and we work that data for them. We are going live here soon. If anyone wants more details about what we do and how we are going to do it and the hardware we are thinking about, ask. I'd love to chat.
>
> -Jason

Comcast is faster, but is not dedicated. You should always get the same speeds (or reasonably close) with Sonic. You may also have an SLA with Sonic. I am sure you don't have that with Comcast. That said, all ISPs are shared traffic. It is either shared via the same wire, or with DSL shared at the DSLAM, or in all cases shared at the head office. It is very difficult for an ISP with, say, 1,000 customers at 10 megs each to pay for a 10G link so they can all have dedicated traffic. This gets worse as the number goes up. ISPs understand that not all users will use the bandwidth at the same time, so they have way less than they sell. For instance, one service provider here locally has a single OC3 (45 meg) link and offers a 6 meg internet connection. They have a couple of hundred users. 200 x 6 = 1.2 gigs. Way less than what they have. However, the 45 meg link is very rarely saturated. The better business-oriented ISPs will prioritize business customers over residential customers and have a lower ratio of what's sold to what's available.

I can tell you that Comcast Business in South Louisiana has a very good service and I have never measured less than 10 down and 4 up. This beats your 3/3 hands down. The same may not be true in your area, as every area is different.

Comcast does not, however, offer a routed subnet as you are asking. They provide 5 IP addresses that you can access directly on their modem. You can get 14 addresses and subnet yourself, but that really wastes a lot of IP addresses. You could also set up to bridge the DMZ and WAN and run a filtered bridge setup.
Re: [pfSense] Odd circumstances
-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Mehma Sarja
Sent: Tuesday, November 29, 2011 8:39 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Odd circumstances

> On 11/29/11 5:49 AM, Ryan Rodrigue wrote:
> > What is the IP for the WAN interface on the pfSense box? Is it in the same subnet as the LAN? If it is, change the LAN subnet to something else. Routers route based on subnets. If both of its interfaces are the same, it doesn't know how to route.
>
> I also thought that might be the problem - i.e. the LAN addresses and WAN/gateway IPs are being addressed as one network. But the /24 only covers the last octet of the IP address - i.e. 255.255.255.0 netmask.
>
> LAN 192.168.100.100/24 - WAN 192.168.15.10/24 = 192.168.15.1 gateway
>
> (The /24 WAN netmask is to include the gateway IP in the default gateway selection for the DNS server. A /32 was problematic.)
>
> Going to simplify the network by LAN 192.168.100.100/24 - WAN DHCP = modem gateway
>
> Mehma

You are correct that these are on different subnets. Your method of double NATing should work, but isn't the best way to do things. Double NATing usually causes problems.
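The subnet arithmetic behind three of the questions above (whether a /31 or a /30 is the smallest point-to-point block, whether Comcast's ".25-.29 with gateway .30" is a /29 or five addresses out of one, and whether a 192.168.100.x/24 LAN and a 192.168.15.x/24 WAN overlap) can be checked with a few lines of Python. This is an added example, not code from the list or from pfSense; the real 75.xx.xx.x addresses were masked in the thread, so the block below substitutes constructed values from the RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24) and the gateway-inside-the-block test for "attached versus routed" is this example's own heuristic, not anything Comcast or Sonic state.

```python
"""Subnet accounting for the allocation questions in the thread (added example)."""
from __future__ import annotations

import ipaddress
from itertools import combinations

# Constructed stand-ins for the masked 75.xx.xx.x values posted by Jason.
COMCAST_RANGE_START = "203.0.113.25"   # "range: .25 - .29"
COMCAST_NETMASK = "255.255.255.248"    # "subnet: 255.255.255.248" (/29)
COMCAST_GATEWAY = "203.0.113.30"       # "GW: .30"


def usable_hosts(net: ipaddress.IPv4Network) -> list[str]:
    """Addresses a customer can actually assign inside ``net``.

    Classic subnets lose the first (network) and last (broadcast) address.
    A /31 (RFC 3021 point-to-point, the case Nathan describes) and a /32
    have no broadcast, so every address is usable. Computed by hand so the
    result does not depend on which Python version's hosts() you have.
    """
    addrs = list(net)
    if net.prefixlen >= net.max_prefixlen - 1:
        return [str(a) for a in addrs]
    return [str(a) for a in addrs[1:-1]]


def describe_block(addr: str, netmask: str) -> dict:
    """Network, broadcast and usable addresses for an address + mask pair."""
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    usable = usable_hosts(net)
    return {
        "cidr": str(net),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": usable,
        "usable_count": len(usable),
    }


def allocation_kind(addr: str, netmask: str, gateway: str) -> str:
    """Heuristic (this example's, not the ISPs'): a gateway that lives inside
    the block means the ISP router sits on the same segment and burns one of
    your usable addresses; a gateway outside it means the block is routed to
    you over a separate link, like Gordon's /30 WAN plus /28 allocation."""
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    return "directly attached" if ipaddress.ip_address(gateway) in net else "routed"


def customer_addresses(addr: str, netmask: str, gateway: str) -> list[str]:
    """What is left for the customer once the ISP gateway takes its address."""
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    usable = usable_hosts(net)
    if gw in net:
        return [h for h in usable if h != str(gw)]
    return usable


def overlapping_interfaces(ifaces: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of interfaces whose subnets overlap. A router with two interfaces
    in the same subnet cannot pick an egress, which is the failure mode Ryan
    suspected in the Odd circumstances thread."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in ifaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    print(describe_block(COMCAST_RANGE_START, COMCAST_NETMASK))
    print(allocation_kind(COMCAST_RANGE_START, COMCAST_NETMASK, COMCAST_GATEWAY))
    print(customer_addresses(COMCAST_RANGE_START, COMCAST_NETMASK, COMCAST_GATEWAY))
    print(describe_block("198.51.100.0", "255.255.255.254"))  # /31: both usable
    print(describe_block("198.51.100.0", "255.255.255.252"))  # /30: two usable, two burned
    print(overlapping_interfaces({"LAN": "192.168.100.100/24", "WAN": "192.168.15.10/24"}))
```

Run as-is it shows that .25-.29 with a gateway at .30 is exactly a /29 (network .24, broadcast .31, six usable addresses) with the ISP's router occupying one of the six, which is why only five are handed out; that a /31 yields two usable addresses where a /30 yields two usable and two wasted; and that Mehma's LAN and WAN /24s do not overlap.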
Re: [pfSense] Direct purchase of pfSense book pdf
> Yes - it's easy for the media (and idiots like the BSA) to talk about popular media and software, since that gives them huge figures, especially by making the assumption that everyone who downloaded an unauthorised copy of something would otherwise have bought it at full price. But for a specialised book like this, unauthorised copies can make a much bigger proportional difference to the authors. Part of this is that it is more realistic to assume that a higher proportion of downloaded copies really are lost sales - people would only bother getting hold of a copy of the pfSense book if they actually needed it, unlike a song, movie or computer game.
>
> The challenge for Chris is to find a way to let honest users pay suitably for a PDF that they can use freely (no Kindle nonsense or other DRM locks), while discouraging the accidental or intentional spread of the file. Watermarking with the purchaser's name and company is one way to achieve this, at least amongst professional users. Maybe if the watermark included the purchaser's credit card number, people would be careful about sharing the file!

A while back there was talk of a monkey in pfSense that would jump out and do the dishes for us. Maybe the monkey could bite people who steal the PDF.

On a more serious note, a PDF that is searchable would be very helpful to have, even if it did have DRM. It's a shame, but it is the world we live in. People who would never shoplift at Walmart have no problem at all stealing music, videos, books, etc.