[pfSense] Banana Pi - R1

2015-09-07 Thread Thinker Rix

Hi,

I wanted to ask if there is any update concerning the support of the 
Banana Pi "R1": https://en.wikipedia.org/wiki/Banana_Pi#Banana_Pi_R1


The R1 comes with an Allwinner A20 SoC, which uses an ARM Cortex-A7 CPU.
It has 5 Gigabit ports + WLAN and sells for ~80 USD including acrylic 
enclosure, 2 antennas, power supply and free shipping: 
http://www.aliexpress.com/wholesale?catId=0_id=AS_20150907123912=banana+pi+r1

Seems like a perfect home/SoHo solution to me!?

The last status about a year ago was that it was not supported, since 
pfSense was based on FreeBSD 8.x back then, which did not support ARM CPUs.
In the meantime, pfSense is based on FreeBSD 10.1, which AFAIK introduced 
support for ARM.


So how about running pfSense on the R1; any updates?

Cheers
Thinker Rix

--
*Thinker Rix*, an internet user.
Please avoid TOFU in newsgroups and mailing lists 
(https://en.wikipedia.org/wiki/Posting_style#Top-posting)
Bitte vermeidet TOFU in Newsgroups und Mailing-Listen 
(https://de.wikipedia.org/wiki/TOFU)

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] pfSense Book (Buechler / Pingle)

2014-04-13 Thread Thinker Rix

Hi,

I own a hard copy of the pfSense book by Chris and Jim and have two 
questions about it:


1. As a buyer of the hard copy, am I eligible to receive a gratis 
PDF-version of the book, too?

2. Is there any ETA for the hard copy version of the new edition?

Thanks
Thinker Rix



Re: [pfSense] pfSense Book (Buechler / Pingle)

2014-04-13 Thread Thinker Rix

Hi Volker,

Thank you for your time!

On 2014-04-13 14:09, Volker Kuhlmann wrote:

On Sun 13 Apr 2014 22:11:41 NZST +1200, Thinker Rix wrote:


I own a hard copy of the pfSense book by Chris and Jim and have two
questions about it:

1. As a buyer of the hard copy, am I eligible to receive a gratis
PDF-version of the book, too?

Probably not. I remember the authors saying that they didn't have the
rights for the electronic version. Moot point, because...


I see.




2. Is there any ETA for the hard copy version of the new edition?

You are aware that it's available as an electronic version under the
gold program?


Yes, but I generally prefer to buy a printed and bonded hard copy as 
primary reading book which I read from front to back.
I generally dislike ebooks for various reasons (such as: desktop screen 
reading sucks; handheld devices such as tablets, ebook-readers, 
smartphones are non-liberated; most ebooks are DRM - digital 
restrictions managed, etc.). The reason that I was asking for a PDF 
version above was that I am currently somewhere else than my hard copy 
and just wanted to quickly look up something again that I had already 
read in my hard copy.


Thank you & regards
Thinker Rix



Re: [pfSense] successor to ALIX is here

2014-04-05 Thread Thinker Rix

On 2014-04-05 07:00, Ryan Coleman wrote:

And you cannot eliminate three of this with a switch?


I don't know of any method by which a network switch could replace the NICs of 
my firewall - other than by operating with VLANs.


But I do not trust VLANs for this. This is not the correct purpose of 
VLANs, IMO.
Using VLANs for segregating networks that should live in physically 
different network zones because they have fundamentally differing security 
levels is like placing your firewall into a VM - you can, but you 
should not.



Sounds like you should look at your design.


No, I don't think so.
I think you should audit your security policy.

Regards
Thinker Rix


Re: [pfSense] successor to ALIX is here

2014-04-04 Thread Thinker Rix

On 2014-04-02 23:24, Ryan Coleman wrote:
Wouldn't a layer-3 switch be a good investment in this situation? Put 
the load on another device instead of, what is for all intents and 
(definitely) purpose a /thin, light-weight/ piece of hardware?


A switch? Not really, since I would like to have the 4+ NICs configured 
as separate zones (e.g. WAN, LAN, DMZ, WLAN).



Re: [pfSense] successor to ALIX is here

2014-04-02 Thread Thinker Rix

On 2014-04-02 17:35, Eugen Leitl wrote:

Apu.1c 
http://www.heise.de/newsticker/meldung/Embeddded-Mainboard-mit-x86-CPU-und-Coreboot-2160404.html

http://www.pcengines.ch/apu1c.htm

in stock, €105.13


Unfortunately again only 3 NICs... and Realteks with bad performance.
I would love to see such a board one day with at least 4-8 NICs.


[pfSense] Firewall Aliases: DNS resolving of domains broken

2014-02-14 Thread Thinker Rix

Dear all,

Firewall: Aliases: IP
=
I had entered some domain names there in the past, which always 
worked flawlessly.
Recently I changed ISP and since then the domain names are not resolved 
to IPs anymore, so that the traffic using those aliases gets blocked by 
the firewall.
When resolving the IPs manually via the pfSense logs, it works fine. But 
for some reason pfSense cannot resolve the domain names inside the 
aliases anymore.


Has anybody got an idea what the fault could be?

Cheers
Thinkerix





Re: [pfSense] Firewall Aliases: DNS resolving of domains broken

2014-02-14 Thread Thinker Rix

On 2014-02-14 17:57, Chris Bagnall wrote:

On 14/2/14 3:37 pm, Thinker Rix wrote:

I have had entered some domain names there in the past, which always
worked flawlessly.
Recently I changed ISP and since then the domain names are not resolved
anymore to IPs, so that the traffic using those aliases gets blocked by
the firewall.
When resolving the IPs manually via the pfsense logs, it works fine. But
for some reason pfsense can not resolve the domain names inside the
aliases anymore.
Has anybody got an idea what the fault could be?


Are you manually specifying the ISP resolvers in your config, and is 
it possible they're still set to the old ISP's config? Probably a 
question for the devs: is it possible that lookups for aliases use 
what's on the general config page rather than anything overridden by 
PPP/DHCP?


Kind regards,

Chris


Hi Chris,
Thank you for your time!

Here are some details:
- As long as I was with the old ISP, I had manually specified the DNS 
servers of this provider in pfSense and deactivated "Allow DNS server 
list to be overridden by DHCP/PPP on WAN". The reason for this was a bug 
in 2.0.2 which prevented pfSense from receiving the DNS data from the ISP.
- At some later point I updated to 2.1 and although it has the bug 
corrected, I left the manually specified DNS IPs in pfSense.
- I then changed to a new ISP. DNS was broken then, because the old 
provider did not let me use its DNS anymore when not being its 
customer. I then activated "Allow DNS server list to be overridden by 
DHCP/PPP on WAN", which fixed DNS again, since I got the DNS IPs from the 
new provider, too. But since I still had not erased the 2 old IPs from 
the list, I now had 4 DNS IPs: 2 old-ISP + 2 new-ISP.
- Last I went and erased the 2 IPs from the old ISP, so that I now have 
an empty list and only "Allow DNS server list to be overridden by 
DHCP/PPP on WAN" activated. As a result pfSense has only the 2 IPs from 
the new ISP in the dashboard.
- Everything works fine, pfSense can resolve IPs. Examples: the 
dashboard says that I am on the latest version (= URL is resolved), 
Diagnostics > Ping and Diagnostics > Traceroute work with domain names.


Now:
- The only thing that I have found for now that is not working is the 
automatic resolution of domain names inside Firewall > Aliases. Since these 
aliases are used in my firewall rules, I can see blocked traffic in the 
system logs. When I use the button "Reverse resolve with DNS" on the 
blocked traffic IP, it resolves to the domain names that I have in my aliases.
- As a workaround I am currently entering the IP addresses in my 
aliases instead of a domain name. This makes my rules work again, but is 
very error-prone, since the IP addresses change frequently. So I need to 
have the domain names work again somehow.


Any ideas what could be the problem?

Thank you
Thinkerix


Re: [pfSense] Firewall Aliases: DNS resolving of domains broken

2014-02-14 Thread Thinker Rix

On 2014-02-14 18:51, Chris Bagnall wrote:

On 14/2/14 4:48 pm, Thinker Rix wrote:

Any ideas what could be the problem?


Have you tried entering the DNS servers your ISP supplies via PPP or 
DHCP (look on the Status - Interfaces page, they should be listed on 
there) manually on the General settings page, then disabling DNS via 
PPP/DHCP?


You might need to restart to force the URLs to be looked up again...

Would be interesting to see what effect that has on things.

Kind regards,

Chris


Chris,

I went to General Setup > DNS Servers and
1. Entered the 2 DNS IPs of my ISP
2. Deactivated "Allow DNS server list to be overridden by DHCP/PPP on WAN"
3. Rebooted

As soon as I delete one of the IPs in the aliases and just leave the 
domain names, it is broken. So it seems that pfsense still is unable to 
resolve the IPs of the domains.


Best regards
Thinkerix
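Both of the exchanges above (Chris's question about which resolver the alias lookups use, and the test of entering the ISP's DNS servers by hand) come down to one thing: what address set the alias actually expands to when the firewall reads it. The Python below is an added example, not code from this thread or from pfSense. It expands an alias the way a rule would see it and flags hostnames that resolve to nothing; the resolver is injectable, so the script runs offline against a constructed answer table, and the alias entries, the `*.example.test` hostnames and the addresses are all constructed. With the "broken" table the hostnames contribute no address, so traffic to them is blocked while the literal IP and CIDR entries still match, which is exactly the symptom reported.

```python
"""Expand a pfSense-style firewall alias into the address set a rule would
really match, and flag hostnames that fail to resolve.

Added example; not pfSense code. The alias contents, the hostnames
(*.example.test) and the resolver tables are constructed."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

# Constructed alias: the mix of CIDR, bare IP and hostnames one would enter
# under Firewall > Aliases.
ALIAS_ENTRIES = [
    "198.51.100.0/24",
    "203.0.113.5",
    "update.example.test",
    "mirror.example.test",
]

# Constructed answer tables. WORKING_DNS stands for a resolver that answers;
# BROKEN_DNS stands for the symptom in the thread: nothing inside the alias
# resolves, although the rest of the box can resolve names.
WORKING_DNS: Dict[str, List[str]] = {
    "update.example.test": ["203.0.113.10"],
    "mirror.example.test": ["203.0.113.20", "203.0.113.21"],
}
BROKEN_DNS: Dict[str, List[str]] = {}


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a name -> addresses table."""
    return lambda name: list(table.get(name, []))


def system_resolver(name: str) -> List[str]:
    """Resolve with the host's own resolver configuration (needs network)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def expand_alias(entries: List[str], resolve: Resolver) -> Tuple[List[str], List[str]]:
    """Return (networks the alias currently covers, hostnames that resolved to nothing).

    A hostname that resolves to nothing contributes no address, so a rule
    built on the alias silently stops matching that host's traffic."""
    covered: List[str] = []
    unresolved: List[str] = []
    for entry in entries:
        try:
            covered.append(str(ipaddress.ip_network(entry, strict=False)))
            continue  # literal IP or CIDR, no lookup needed
        except ValueError:
            pass  # not an address literal, so treat it as a hostname
        addresses = resolve(entry)
        if not addresses:
            unresolved.append(entry)
        covered.extend(str(ipaddress.ip_network(a)) for a in addresses)
    return covered, unresolved


def rule_matches(covered: List[str], packet_ip: str) -> bool:
    """Would a rule whose source/destination is this alias match packet_ip?"""
    ip = ipaddress.ip_address(packet_ip)
    return any(ip in ipaddress.ip_network(net) for net in covered)


if __name__ == "__main__":
    for label, table in (("working", WORKING_DNS), ("broken", BROKEN_DNS)):
        covered, unresolved = expand_alias(ALIAS_ENTRIES, table_resolver(table))
        print(f"{label}: covers {covered}")
        print(f"{label}: unresolved hostnames {unresolved}")
        print(f"{label}: 203.0.113.10 matches? {rule_matches(covered, '203.0.113.10')}")
```

Swapping `table_resolver(...)` for `system_resolver` turns this into a check you can run on a host that uses the same DNS servers as the firewall: any name listed under "unresolved" is a rule that has quietly gone empty.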


Re: [pfSense] Motherboard compatibility

2013-11-07 Thread Thinker Rix

Hi Vick,

On 2013-11-07 15:40, Vick Khera wrote:


On Wed, Nov 6, 2013 at 9:24 AM, Paul Mather <p...@gromit.dlib.vt.edu> wrote:


If those figures that the hardware producer provided are
correct, it would mean that I could run pfSense 2.1 only on the
C204 board, since pfSense 2.1 is based on FreeBSD 8.3, and the
C222 board is only compatible from FreeBSD 9.1 and upwards, right?!

Since hardware producers tend to not edit and update such
compatibility lists properly, the information provided there could
be wrong. For this reason I would like to double-check. Could
maybe someone give me a hint where I could look up, which chipsets
FreeBSD supports and from what version on?


Generally, if it has an Intel chipset and is fairly modern, it is 
supported. It may not use every cutting edge feature of the chipset. I 
have not had any trouble with any hardware on any version of FreeBSD 
in the last 15+ years, but I only run it on servers. The issue usually 
comes with running funky hardware on desktop class machines where they 
cut corners like crazy.


So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on 
a motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core 
i3 / Haswell) it should work, even though FreeBSD 8.3 is older than those 
technologies and might not fully support the chipset yet (e.g. due to 
general compatibility with i386-64 CPUs?!)?



A good place to look is in the Hardware Notes that accompanies
each release.  For example, for 8.3 is is at
http://www.freebsd.org/releases/8.3R/hardware.html
and for 9.1 it is at
http://www.freebsd.org/releases/9.1R/hardware.html
.  Also, if you have a specific piece of hardware in mind, a good
place to ask is the freebsd-questi...@freebsd.org mailing list.  (You don't
need to subscribe there to post.)  There's a good chance that
someone who has the hardware or is familiar with it could post
whether it works well or not.


The list is good, but always out of date. If not found on the list, 
but something similar is on it, then definitely ask.


Ok!

Thank you
Best regards
Thinker Rix


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Thinker Rix

On 2013-11-06 15:22, Vick Khera wrote:


On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix <thinke...@rocketmail.com> wrote:


Would pfSense use these CPU instructions to
hardware-encrypt/decrypt all VPN traffic (OpenVPN)?
Would pfSense benefit from this in any other way, too?


pfSense lists the AES-NI as a supported option for crypto 
acceleration.  pfSense will use it for OpenVPN and IPsec if you tell 
it to. There's a config setting for it.


As to your question of is it worth the cost, that depends on how much 
VPN traffic you have. The Xeon will handle a damn lot of traffic all 
on its own. If you are pushing more than 40Mbps on the VPN, then 
perhaps consider the extra cost. If it is low, like under 5 or 10Mbps, 
then I'd probably suggest that it is not worth the cost.


As a reference, between my data center and my primary office, I have 
an IPsec tunnel.  The office runs on an old Intel 32-bit Pentium 4 
2.4GHz dual core server.  The data center runs on Intel Xeon E31220L @ 
2.20GHz quad-core. Neither one has any built-in cryptodev supported 
devices. The IPsec tunnel maxes out at about 20Mbps during large file 
backups. I don't think it would go any faster with hardware 
acceleration, and the load on these boxes hovers around 0 still. The 
data center firewall is also busy pushing over 100Mbps of regular 
traffic to hundreds of clients as well.




Hi Vick,

Thank you for your reference, it is very valuable for me!
I guess I will go with a Pentium (Ivy Bridge) 2x 3.0 GHz CPU.

What do you think is the reason for your VPN traffic maxing out at 
20Mbps (I assume that your connection is not the traffic bottleneck, 
right?), although your CPUs are almost idle?


Best regards
Thinker Rix


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Thinker Rix

On 2013-11-06 15:29, Jim Thompson wrote:

On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:

pfSense lists the AES-NI as a supported option for crypto acceleration.  
pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config 
setting for it.

I'm not aware if any performance testing for AES-NI on pfSense.

There are reports that FreeBSD doesn't support AES-NI very well.


Thank you for this information, Jim. So I figure that buying the Xeon 
just for its AES functions would (currently) be a waste of money.


Best regards
Thinker Rix


[pfSense] Motherboard compatibility

2013-11-05 Thread Thinker Rix

Hi all!

I am planning to set up a new pfSense server with brand new hardware.
The motherboards that I am thinking of have socket LGA1155 or LGA1150 
and come with Intel C204 and C222 chipsets, respectively.


The motherboard producer provides a compatibility list for his boards. 
He states that the:

- C204 board is compatible with FreeBSD 8.1
- C222 board is compatible with FreeBSD 9.1

I know only very little about FreeBSD, but I think that hardware support 
is handled quite similarly to the Linux kernel: what once has been added to the 
kernel stays there forever, isn't it? So if the vendor writes 
"compatible with FreeBSD 8.1" it continues to be compatible with all 
following versions, such as FreeBSD 8.3, correct?
If those figures that the hardware producer provided are correct, it 
would mean that I could run pfSense 2.1 only on the C204 board, since 
pfSense 2.1 is based on FreeBSD 8.3, and the C222 board is only 
compatible from FreeBSD 9.1 and upwards, right?!


Since hardware producers tend to not edit and update such compatibility 
lists properly, the information provided there could be wrong. For this 
reason I would like to double-check. Could maybe someone give me a hint 
where I could look up, which chipsets FreeBSD supports and from what 
version on?


Best regards
Thinker Rix


[pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-05 Thread Thinker Rix

Hello all,

as I am planning to buy new hardware for pfSense, I was wondering if it 
is worth buying a CPU that supports AES New Instructions, i.e. 
hardware support for AES encryption.


Would pfSense use these CPU instructions to hardware-encrypt/decrypt 
all VPN traffic (OpenVPN)?

Would pfSense benefit from this in any other way, too?

The motherboards that I want to buy unfortunately support AES-NI only 
with Xeons that currently start from approx 170 €. If I took a CPU 
without AES-NI, I could go with a dual-core Pentium for 40 €. What impact 
would you expect from AES-NI, given that I will be 
having traffic from VPN-secured WLAN with approx 300-450 Mbps and VPN 
to/from the internet, 1-2 users at a time max? Do you think the AES-NI 
would be worth the price premium of the Xeon for my case, e.g. because 
it would reduce VPN latency, etc., or is it just a pure waste of money 
in my case?


Best regards
Thinker Rix





Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-05 Thread Thinker Rix

On 2013-10-24 19:30, Thinker Rix wrote:
I am planning a new pfSense box and am wondering if the hardware that 
I want to use will be sufficient.


Hardware:

2x Intel PRO/1000 PT Quad Port Gigabit NICs, each directly connected 
via PCIe-8x to the North Bridge of the CPU
4x on-board Realtek 8111C Gigabit NICs, connected via PCIe-4x 
internally to the South Bridge of the CPU, which they share with the 
RAID controller

= 12 NICs total
Motherboard: Consumer Desktop Motherboard
CPU: Intel Core2Duo 2,4 GHz or Core2Quad 2,4 GHz or Core2Quad 2,89GHz
PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA 
disks RAID5


Config:

I will:
1. be bonding 2 Intel NICs for the DMZ and 2 Intel NICs for the LAN zone
2. have Dual-WAN VDSL (50 Mbps downstream, 10 Mbps upstream each)
3. have 3-4 site-to site VPN connections and 1-2 VPN road warriors via 
the WAN
4. have 1-2 VPN road warriors in my WLAN zone, connected with 450 Mbps 
WLAN-NICs to a 450Mbps WLAN Access Point that is connected with a 
gigabit NIC to a Intel NIC of pfSense

5. have 4-5 VLANs

Requirements:

I want to have:
- full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x 
Gigabit at max)

- full 450Mbps between the WLAN and pfsense
- maximal VPN speed without speed break due to hardware limitations, 
i.e. as near to wire speed as possible


Questions:

1. Would the Core2Duo CPU be sufficient for my requirements or should 
I choose the 2,4 GHz Quad-core, the 2,89 GHz Quad-core or maybe an even 
more powerful CPU or a totally different setup?
2. Is there any other bottleneck that will prevent my performance 
requirements?
3. When bonding the NICs, I was planning to use a port on each of the 
PCIe cards so to have a little bit of redundancy should an expansion 
card fail. Will there be significant performance losses due to this 
spread over 2 expansion cards, so that it would be much better to bond 
two NICs that live on the same expansion card and forget about the 
additional redundancy?


Hi all!

I will finally go for brand new hardware for this pfSense box. Given the 
above-mentioned requirements, which of the following CPUs would you 
advise me to buy:


Price      Name     Socket  Cores  Threads  Cache  Clock default  Clock Turbo
33.69 €    Celeron  1155    2      2        2 MB   2.7 GHz        --
44.31 €    Pentium  1155    2      2        3 MB   2.9 GHz        --
93.77 €    Core i3  1155    2      4        3 MB   3.4 GHz        --
167.25 €   Xeon     1155    4      4        8 MB   3.1 GHz        3.5 GHz

The Xeon has hardware support for AES encryption that might speed up VPN 
traffic?


Which of the CPUs do you advise me to pick?

Thanks for any feedback,
best regards

Thinker Rix



Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-05 Thread Thinker Rix

Hi Moshe,

On 2013-11-06 08:35, Moshe Katz wrote:


Price       Name     Socket  Cores  Threads  Cache  Clock default  Clock Turbo
33.69 EUR   Celeron  1155    2      2        2 MB   2.7 GHz        --
44.31 EUR   Pentium  1155    2      2        3 MB   2.9 GHz        --
93.77 EUR   Core i3  1155    2      4        3 MB   3.4 GHz        --
167.25 EUR  Xeon     1155    4      4        8 MB   3.1 GHz        3.5 GHz

The Xeon has hardware support for AES encryption that might speed
up VPN traffic?

Which of the CPUs do you advise me to pick?

Thanks for any feedback,

best regards

Thinker Rix


I don't see a Core i5 on that list.  See if you can get one of those. 
 It'll be between the i3 and the Xeon in price, but will have the 
AES-NI instruction set.  (It will also have 4 physical cores instead 
of the i3's dual cores with hyperthreading.)


Unfortunately the motherboards I plan to buy support only the 
above-mentioned CPUs.
I have another thread going where I discuss motherboard compatibility 
with pfSense. Should someone report that I could after all also use the 
other of the two boards (the one with the 1150 socket and the C222 
chipset), I could use different CPUs:

- Pentium
- 4th generation core i3
- Xeon E3-1200 v3

In this case I could go for the i3, since it supports AES-NI.

But I do not expect that the C222 board will be compatible, so I most 
likely will have to stick with the CPUs mentioned above. Which one would 
you pick of those?


If you look around online, you will find almost universal agreement 
that AES-NI significantly improves VPN speed.  This also means that 
even if you aren't maxing out the VPN's capacity, you will still be 
saving processor cycles for doing the other stuff that the machine 
needs to do.


There is this one thing I want to learn:
AES-NI helps lower CPU load for encryption/decryption tasks, sure. 
But what happens if the CPU is not under full load? Will there still be 
an advantage then, i.e. because the CPU can perform the de/encryption 
*faster* when having AES-NI support, so that the VPN latency might be 
reduced, so that e.g. VoIP-over-VPN would improve? Or is it the case 
that there is no difference, as long as the CPU is not under full load, 
because all that AES-NI does is allow the CPU to compute with fewer 
resources?


Thank you for your time!

Thinker Rix


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-25 Thread Thinker Rix
 is actually 
required to achieve higher bandwidths.

It's usually not the AP which is the problem, but the client.

Some real-world advice (which you probably already know):
Use two radios: one 2.4Ghz, one 5Ghz,


Ok, my AP is able to use both bands simultaneously and I will be using 
them.



Use a frequency no-one uses if possible


Ok, there is no other WLAN nearby anyway, as far as I figured.


, allow HT40, allow SGI.


what are those and how do I activate them?


Minstrel will scale down to HT20 and no SGI when required.


Ok. How exactly is Minstrel implemented on a Linux machine? Is it a 
kind of add-on that I have to plug in between the wlan0 device and e.g. 
NetworkManager, or what is the general concept of Minstrel?


There really isn't much more you can do other than using better 
hardware which costs remarkably more.


Do you have any further ideas on how to improve? E.g. producing more 
reflection, etc. or something else?



Regards
Matthias May


Thank you!!

Kind regards
Thinker Rix


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Thinker Rix
 
the gigabit-clients living in the LAN back and forth to the DMZ and yet 
still have some additional bandwidth for the other traffic not to be 
jammed. I have not yet implemented QoS with pfSense ever, but my 
experiences with another perimeter firewall distribution in the past 
(Endian) with QoS was not 100% satisfactory, since I continued to have 
e.g. VoIP or browsing latencies when transferring bulk traffic (although 
much better with QoS than without, but yet never perfect).
So my question is: Ok, 2x Gigabit != 2 Gigabit. But do you think that it 
will yet help to contribute to my objective to add a second channel to a 
bond so that there will be 2x Gigabit = 1 Gigabit for the user 
transferring bulk traffic plus additional 0,2-0,4 Gigabit for additional 
VoIP, browsing, etc., or is it senseless to do that this way?



You're already thinking redundancy with the multiple NIC 
considerations, but in my experience, NICs don't really fail that 
often - at least not compared to fans, power supplies and other PC 
components. Consider whether a 2x pfSense cluster in CARP might be 
more to your needs if redundancy/failover is a critical requirement.


The additional redundancy that would come with the bond is something 
that I see as a nice additional benefit that comes with this plan of 
increasing the bandwidth to fight VoIP and browsing latencies, but is 
not necessarily my primary objective. Saying that, I can report that I 
very well had already 2-3 NICs die (within a period of approx. 5 years) 
in the past on my perimeter firewall - but in all cases they were cheap 
10$ PCI Realteks and I hope that the professional Intel cards are of 
better quality.


As for CARP: I surely find this an interesting thing, but unfortunately 
I have no further budget to buy additional hardware, I have to use the 
one listed above. And additionally CARP adds some level of complexity 
which I am not able to cope with at this time, since I am not all too 
experienced with pfSense yet. But maybe the next upgrade after this one 
will be such a solution, I'll have to see.


Looking at your hardware again, you've specced 12 NICs, but from what 
I can see from your config, you only need 8 (2 VDSL ports, 2 bonded 
ports for LAN, 2 bonded ports for DMZ, (assuming) 2 bonded ports for 
WLAN).


That is correct, I will use some additional, non-bonded OPT zones with 
occasional low traffic, that I did not mention yet.



4x on-board Realtek 8111C Gigabit NICs


Personally I'd spec a board that has Intel or Broadcom NICs - the 
Realtek ones are just rubbish by comparison. There is no shortage of 
boards with 2 Intel NICs on them these days. Look at some of the 
Intel-manufactured boards rather than third parties - they nearly 
always have Intel NICs. A few years back I used lots of DG965RY boards 
(Intel NIC, onboard video, so ideal for server environments).


Unfortunately I have to stick with the consumer motherboard that I have 
at my disposal right now. But I will use the Realteks only for very low 
/ occasional traffic zones.



PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA
disks RAID5


Given pfSense uses 1GB space, why? A little SSD on the chipset's 
native SATA controller should be fine (see above, use CARP for 
redundancy).


In general I use hardware RAID in all my servers so to have a BBU - and 
preferably also data parity, e.g. by RAID5/6 - so to have the best 
chances for continued data integrity at all times, no matter what 
happens to the power supply, due to a crashed OS or due to disk surface 
errors, i.e. bad sectors.
Yet, as far as I have figured, many people use pfSense without such 
security measures in professional productive systems, so I assume that 
there might be a reason why they abstain from such measures.
Is pfSense immune against sudden power losses, system crashes, media 
surface failures, e.g. because it has read-only file systems or 
something similar, so that adding RAID, parity, BBU, etc. is never 
needed? Or is it just a compromise that they make by weighing costs and 
risk and deciding to take the risk? As I have a RAID controller and 
disks in stock I could use them without any cost.



Kind regards,

Chris


Thanks for your help!
Kind regards
Thinker Rix

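The "2x Gigabit != 2 Gigabit" point in the message above is easier to see with a model: a link aggregate hashes each flow to one member port, so a single bulk transfer is capped at one port's speed, and whether a VoIP call is spared from the bulk traffic depends on whether its 5-tuple happens to hash to the other port. The Python below is an added example, not pfSense or FreeBSD lagg code. The hash (SHA-256 over the 5-tuple) and the proportional-share model of a saturated port are simplifications standing in for the driver's real behaviour, and the flows, addresses and demands are constructed.

```python
"""Model of why a 2-port link aggregate is not a 2 Gbit/s pipe.

Added example, not pfSense or FreeBSD lagg code. The hash and the
fair-share model are simplifications; the flows are constructed."""
import hashlib
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    name: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    demand_mbps: float  # what the endpoints would send if unconstrained


def select_member(flow: Flow, members: int) -> int:
    """Pick the member port for a flow from its 5-tuple (stand-in for the
    driver's load-balancing hash). Same 5-tuple -> same port, always."""
    key = f"{flow.src}|{flow.dst}|{flow.proto}|{flow.sport}|{flow.dport}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % members


def allocate(flows: List[Flow], members: int = 2, link_mbps: float = 1000.0) -> Dict[str, float]:
    """Throughput each flow achieves when a saturated member port is shared
    proportionally among the flows hashed onto it (no QoS in this model)."""
    per_port: Dict[int, List[Flow]] = defaultdict(list)
    for flow in flows:
        per_port[select_member(flow, members)].append(flow)
    achieved: Dict[str, float] = {}
    for port_flows in per_port.values():
        offered = sum(f.demand_mbps for f in port_flows)
        scale = min(1.0, link_mbps / offered) if offered > 0 else 1.0
        for f in port_flows:
            achieved[f.name] = round(f.demand_mbps * scale, 1)
    return achieved


def ports_used(flows: List[Flow], members: int = 2) -> int:
    """How many member ports actually carry traffic for this flow set."""
    return len({select_member(f, members) for f in flows})


# Constructed traffic: one bulk copy LAN -> DMZ plus a handful of VoIP streams.
BULK = Flow("bulk-copy", "10.0.1.20", "10.0.2.5", "tcp", 51000, 445, 1500.0)
VOIP = [Flow(f"voip-{i}", "10.0.1.30", "10.0.2.9", "udp", 16384 + 2 * i, 20000 + 2 * i, 0.1)
        for i in range(5)]


if __name__ == "__main__":
    print("bulk copy alone over a 2-port bond:", allocate([BULK]))
    print("bulk + voip:", allocate([BULK] + VOIP))
    print("member ports carrying traffic:", ports_used([BULK] + VOIP))
```

Running it shows the single bulk flow pinned to 1000 Mbps however many ports the bond has, and `ports_used` tells you whether the VoIP streams landed on the other port or are sharing the congested one; that second outcome is the case QoS, not a wider bond, has to handle.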


Re: [pfSense] naive suggestion: conform to US laws

2013-10-12 Thread Thinker Rix

On 2013-10-09 19:38, Jim Thompson wrote:

So asking the question is stupid


On 2013-10-09 19:50, Jim Thompson wrote:
IMO, this bullshit thread only serves to assist those asking the 
question in stroking their own ego.


On 2013-10-12 01:40, Jim Thompson wrote:

Otherwise: get off my lawn.
I'm not willing to endure this uninformed Alex Jonesian crapfest.
Now that I'm back on US soil, I promise that if the later continues, I will 
kill the thread. People who hijack threads will be dealt with.
Otherwise: STFU.
Nor will I endure the besmirching of pfSense's good name and trademark. 


The only one who is besmirching pfSense here is: you - given that as a 
co-owner of ESF you are an official representative of pfSense - and your 
official communication unfortunately shows that you are a vulgarian, 
plebeian, obscene, scurrilous goon, who insults, threatens, bullies, 
censors and muzzles other community members, totally lacking control of 
himself and any professional business manners whatsoever, let alone any 
constructive discussion culture.


To me it feels highly awkward and it is unsettling me a lot, that such 
an ill-mannered, shady and dubious roughneck like you holds a key 
position in the project that creates the security product that we use 
for protecting our networks.


I have no idea why highly respected Chris Buechler partnered with you, 
but it might be good if you would learn a lesson from him concerning his 
professionalism, seriousness and manners in his official communication.


Bye.


[pfSense] Upgrade Guide: Needs update for Auto Update

2013-10-12 Thread Thinker Rix

Hello all,

I just performed an upgrade to 2.1 via the Auto update feature in the 
web UI, which worked flawlessly.


When studying the Upgrade Guide 
(https://doc.pfsense.org/index.php/Upgrade_Guide) prior to the upgrade I 
could not find any information about it.
Is there a way I can update the guide myself? Otherwise maybe someone 
with write rights to the CMS wants to update the manual.


Cheers
Thinker Rix

P.S. Maybe an update to this page would be convenient, too: 
https://doc.pfsense.org/index.php/Can_I_upgrade_my_pfSense_through_the_web_interface%3F




Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Thinker Rix

On 2013-10-11 16:37, Seth Mos wrote:

On 11-10-2013 11:57, Adrian Zaugg wrote:

Dear all

After having read the whole NSA thread on this list, it came up to my
mind that pfsense web GUI could declare itself conform to US laws upon
the point when there are known backdoors included or otherwise the code
was compromised on pressure of governmental authorities. It would be the
sign for the users to review the code and maybe to fork an earlier
version and host it in a free country, where the protection of personal
data is a common sense and national security is not so much an issue.

?

And which country would that be?


There are many countries which would be a possibility. Whether wiretapping 
is done there or not is not so relevant. What is relevant is whether the 
authorities can and do inject backdoors into the project by legal force.



Pretty much everything we have in pfSense is checked in the version
control system. Even in the beginnings (0.83) with CVS. Even our builder
scripts are in an RCS system, and it verifies all checksums on external
(mostly FreeBSD ports) software we download for the build.


I am not an expert, but in the NSA thread above there have been examples 
given of how CVS can be circumvented. Also, the gap between the sources 
and the binaries could possibly be a port of entry for nasty stuff, I guess.
Again: the real threat by my comprehension is not some guy on the 
internet trying to place malicious code into the code base, but simply 
and plainly some NSA officers knocking on the door and forcing the project 
leaders to do it.



The way most intelligence agencies these days perform wiretapping
is by getting a switch mirror port at an internet exchange. Even
fiber optics can be tapped without too many problems.


Yes, they do that. And much more, because they do not restrict 
themselves to a single source. They e.g. get the data from the data 
providers (google, facebook, amazon, etc.) AND wiretap the internet 
backbones AND program trojan horses to send them to their people (see 
e.g. https://en.wikipedia.org/wiki/Bundestrojaner#Staatstrojaner) AND 
collect geolocation data from your mobile phone provider AND force your 
encrypted-email provider to hand out their SSL keys to them AND ... etc. 
etc. etc.


But: With all those methods they can only collect EXTERNAL data. With 
the exception of the mentioned trojan horse, they do not as easily get your 
INTERNAL data, e.g. the data that circulates between the computers of 
your intranet.
By infiltrating a firewall software such as pfSense, they could get a 
grip onto the most important neuralgic point of the intranet, since much 
of the internal traffic flows over this box. Think e.g. about all that 
VPN traffic that flows over the firewall, e.g. because a company 
connects many branches via VPN...
So: Getting a grip onto the firewall would surely be highly interesting 
for them...



In .NL all large ISPs have a mandatory wiretap in place that stores
datetime stamped headers of the internet traffic for discovery purposes
from the authorities. The best part of this, it is paid for by the
customers, since the ISP needs to pay for the system and storage.


Yes, but see above.


Regards,

Seth


Regards
Thinker Rix
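Seth's remark above that the builder verifies the checksums of the external software it downloads, and the reply's worry about the gap between sources and binaries, describe a check that is worth seeing concretely. What follows is an added example written for this page, not pfSense's own builder script: a POSIX shell function that verifies distfiles against a FreeBSD-ports-style distinfo manifest (SHA256 and SIZE lines) before they enter a build, followed by a constructed sample showing that a tampered archive is rejected. The file name, manifest contents and the function names `sha256_of` and `verify_distinfo` are all chosen here for the demonstration.

```shell
#!/bin/sh
# Added example (not the pfSense builder): verify downloaded distfiles
# against a pinned, version-controlled distinfo manifest before a build
# consumes them. distinfo lines look like:
#   SHA256 (foo-1.0.tar.gz) = <64 hex chars>
#   SIZE (foo-1.0.tar.gz) = 1234
# TIMESTAMP and unknown lines are ignored.

# Portable SHA-256 of a file, printed as lowercase hex (GNU or BSD tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_distinfo DISTINFO DISTDIR
# Returns 0 only if every file named in DISTINFO exists in DISTDIR with
# the recorded SHA256 and SIZE. A missing file or any mismatch returns 1
# and names the offending file on stderr, so a build under `set -e` stops.
verify_distinfo() {
    distinfo=$1; distdir=$2; rc=0
    while read -r kind name _eq value; do
        case "$kind" in
            SHA256|SIZE) ;;
            *) continue ;;
        esac
        name=${name#?}; name=${name%?}      # strip the surrounding parentheses
        path="$distdir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name" >&2; rc=1; continue
        fi
        case "$kind" in
            SHA256) actual=$(sha256_of "$path") ;;
            SIZE)   actual=$(wc -c < "$path" | tr -d ' ') ;;
        esac
        if [ "$actual" != "$value" ]; then
            echo "MISMATCH $kind $name: expected $value, got $actual" >&2
            rc=1
        fi
    done < "$distinfo"
    return $rc
}

# Constructed sample: a fake distfile plus the manifest pinned for it,
# then one appended byte to simulate a tampered download or mirror.
demo_dir=$(mktemp -d)
printf 'constructed sample distfile\n' > "$demo_dir/sample-1.0.tar.gz"
{
    printf 'TIMESTAMP = 1381400000\n'
    printf 'SHA256 (sample-1.0.tar.gz) = %s\n' "$(sha256_of "$demo_dir/sample-1.0.tar.gz")"
    printf 'SIZE (sample-1.0.tar.gz) = %s\n' "$(wc -c < "$demo_dir/sample-1.0.tar.gz" | tr -d ' ')"
} > "$demo_dir/distinfo"

verify_distinfo "$demo_dir/distinfo" "$demo_dir" && echo "clean distfile: OK"
printf 'x' >> "$demo_dir/sample-1.0.tar.gz"
verify_distinfo "$demo_dir/distinfo" "$demo_dir" || echo "tampered distfile: REJECTED"
```

The pinned distinfo is the trust anchor here, which is why it belongs in the same version control system as the build scripts: a substituted download is then caught at build time rather than shipping in the image. Note that this simple parser does not handle file names containing whitespace, and that a checksum only proves the download matches what was pinned, not that the pinned upstream release was itself clean.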


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Thinker Rix

On 2013-10-11 13:54, Przemysław Pawełczyk wrote:


On Fri, 11 Oct 2013 11:57:52 +0200
Adrian Zaugg a...@ente.limmat.ch wrote:



(...)
mind that pfsense web GUI could declare itself conform to US laws
(...) It would be the sign for the users
Regards, Adrian.

Excellent idea. Really. But that would kill the project probably.


I am not sure that I understand what you mean. Is this what you want to 
say: in the case that the security software that you use gets 
infiltrated, you would prefer not learning about this fact, but just 
continue using it?


Greetings
Thinker Rix


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Thinker Rix

On 2013-10-11 12:57, Adrian Zaugg wrote:

After having read the whole NSA thread on this list, it came up to my
mind that pfsense web GUI could declare itself conform to US laws upon
the point when there are known backdoors included or otherwise the code
was compromised on pressure of governmental authorities. It would be the
sign for the users to review the code and maybe to fork an earlier
version and host it in a free country, where the protection of personal
data is a common sense and national security is not so much an issue.


I think that your idea is worth further consideration.

As I just answered to other postings of this thread, by my comprehension 
infiltrating firewall software such as pfSense should be highly 
interesting for the NSA, etc. because they would get a grip onto your 
internal and VPN traffic.
So it should be only a matter of time until they knock on ESF's door 
and force them to do things they don't like. We all - as a community - 
should think and act pro-actively on that and take appropriate measures 
to protect pfSense, ESF and the key people such as Chris Buechler and 
his partners from this realistic threat in time.


Best regards
Thinker Rix


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Thinker Rix

On 2013-10-11 16:20, Yehuda Katz wrote:
Probably would not work (or would get whoever did that thrown in 
jail). This is similar to a Warrant Canary, but the USDoJ has 
indicated that Warrant Canaries would probably be grounds for 
prosecution of violation of the non-disclosure order.


- Y

On Friday, October 11, 2013, Adrian Zaugg wrote:


Dear all

After having read the whole NSA thread on this list, it came up to my
mind that pfsense web GUI could declare itself conform to US laws upon
the point when there are known backdoors included or otherwise the code
was compromised on pressure of governmental authorities. It would be the
sign for the users to review the code and maybe to fork an earlier
version and host it in a free country, where the protection of personal
data is a common sense and national security is not so much an issue.

Regards, Adrian.




Hi Yehuda,

inspired by the keyword you dropped, I researched a little bit and 
found: https://en.wikipedia.org/wiki/Warrant_canary
It seems that you are correct: what Adrian suggests is called a warrant 
canary.
In the Wikipedia article it says that: The intention is to allow the 
provider to inform customers of the existence of a subpoena passively, 
without violating any laws. The legality of this method has not been 
tested in any court. Is that wrong or in conflict with what you wrote?


In the case that it would indeed be prosecuted in the USA, we could 
consider to host the project in another country.
In this case it would be interesting to investigate what needs to be 
hosted elsewhere: The source code versioning control system? The company 
behind pfSense (ESF)?


I guess that the best solution would be to incorporate pfSense itself 
and untie it from ESF. Many other free software projects have done so 
recently. The most prominent example is LibreOffice, which is now 
owned by the Document Foundation 
(https://en.wikipedia.org/wiki/Document_Foundation). The owned refers 
to e.g. the brand name; since the software itself is free software, it 
is not owned by anybody.


So summarizing:
If pfSense were incorporated as a foundation at some place (many 
countries would be possible) outside the USA, it could be a solution to 
this, I guess.


Regards
Thinker Rix


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Thinker Rix

On 2013-10-11 21:20, Walter Parker wrote:
Who would you trust more than ESF? Why, specifically, would you trust 
another group of people to be more trustworthy?


The point is not untrusting ESF or anybody else. The point is that ESF 
is based in the USA, a country where the current government can force 
you to do things against your community without having any chance to 
escape from it; they just force you to do so.
So the point of the whole idea that we evaluate here is: How can we 
secure pfSense from this nasty government so that they can not just 
force ESF or anybody else to comply with them.


I admit to having a USA bias, but for the issue in question, I don't see 
there being a much better choice. The UK has less freedom in this matter.


As far as I am informed there are some more countries on the globe than 
the USA and the UK...


But then this is turning into a case of I'm worried about things, 
here lets have you [The project] spend time and money to fix the 
problem?


Unless, of course, you are willing to contribute time and money to 
fixing this issue. Otherwise this is just an armchair general telling 
other people how to run the project.


Seems like a killer argument to me, which is kind of counterproductive in 
such an early stage of an idea/proposition as this is.



Re: [pfSense] [Filters engaged]

2013-10-10 Thread Thinker Rix

On 2013-10-10 01:20, Joe Landman wrote:
I just worked out setting up new filters for the recent S/N 
destroying, high tin-foil-hat content, on gmail.  Since people 
pleading for this to go away hasn't worked, technological measures to 
restore S/N for my inbox on this list have been engaged.


Please folks, take the tin foil hat discussion elsewhere.  Please?



Joseph, frankly I could not care less about what settings 
you work out in your web mail account.


If you are not interested in this discussion thread, just do not open it.

Learn to use a news/mailing list reader properly (how about view > 
threaded mode...), instead of blaming others for boring you.


Thinker Rix


Re: [pfSense] [Filters engaged]

2013-10-10 Thread Thinker Rix

On 2013-10-10 01:27, Robison, Dave wrote:

On 10/09/2013 15:20, Joe Landman wrote:

I just worked out setting up new filters for the recent S/N destroying, high 
tin-foil-hat content, on gmail.  Since people pleading for this to go away 
hasn't worked, technological measures to restore S/N for my inbox on this list 
have been engaged.

Please folks, take the tin foil hat discussion elsewhere.  Please?


Perhaps we can set up a pfNonSense list?


Perhaps you should learn how to use a proper mail/news-reader?!


Re: [pfSense] [MOTION TO END THREAD] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Thinker Rix


*I think I speak for everyone who was a member of this list before 
10:20 AM EST today when I say that this discussion does not belong 
here and we would all like it to stop.*




I guess it is wise to just speak for yourself, instead of using this 
cheap rhetorical trick to pretend being a majority.

And by the way, I am a member of this list for quite a while.

*This list is NOT a place where anyone is welcome to barge in and tell 
people the proper way of using it.*




Exactly. How about you follow your own advice?

Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Thinker Rix

Hi Giles

On 2013-10-10 12:39, Giles Coochey wrote:

On 10/10/2013 09:38, Thinker Rix wrote:

On 2013-10-10 01:13, Przemysław Pawełczyk wrote:

On Thu, 10 Oct 2013 00:05:22 +0300
Thinker Rix thinke...@rocketmail.com wrote:


Well, actually I started this thread with a pretty frank,
straight-forward and very simple question.

That's right and they were justified.


Thank you!


BTW, you pushed to the corner the (un)famous American hubris (Obama: US
is exceptional.), that's the nasty answers from some.


Yes, I guess I have hit a whole bunch of different nerves with my 
question, and I find it to be highly interesting to observe some of 
the awkward reactions, socio-scientifically and psychologically.


I have been insulted, I have been bullied, I have been called to 
self-censor myself and at the end some users virtually joined to 
give the illusion of a majority and muzzle me, stating, that my 
question has no place at this pfSense mailing list. Really amazing, 
partly hilarious reactions, I think.
These reactions say so much about how far the whole surveillance and 
mind-suppression has proceeded already and how much it has influenced 
the thoughts and behavior of formerly free people by now. Frightening.



Thinker Rix, you are not alone at your unease pressing you to ask
those questions about pfSense and NSA.


Thank you for showing your support openly!


I too was surprised to see some activity on the pfsense list, after 
seeing only a few posts per week I checked today to find several dozen 
messages talking about a topic I have been concerned with myself - as 
a network security specialist, how much can I trust the firewalls I 
use, be they embedded devices, software packages, or 'hardware' from 
manufacturers.


Exactly. The firewall is the neuralgic point of each of the networks 
that we administer. Thinking - and talking - about its integrity is the 
most natural and most important thing on earth, IMO.



There are many on-topic things to discuss here:
1. Which Ciphers & Transforms should we now consider secure (pfsense 
provides quite a few cipher choices over some other off the shelf 
hardware).
2. What hardware / software & configuration changes can we consider to 
improve RNG and ensure that, should we increase the bit size of our 
encryption and reduce the lifetimes of our SAs, we can still ensure we 
have enough entropy in the RNG on a device that is typically starved 
of traditional entropy sources.


You made some highly relevant and interesting suggestions here, and I 
sincerely hope that a fruitful discussion will develop upon this so that 
we all can benefit of it!


This is so much on-topic, I am surprised that there has been a 
movement to call this thread to stop, granted - it may seem that the 
conversation may drift into a political one, with regard to privacy 
law etc... however, that is a valid sub-topic for a discussion list 
that addresses devices that are designed and implemented to safe-guard 
privacy.


This echoes my sentiments exactly!

Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Thinker Rix

On 2013-10-10 15:55, Ian Bowers wrote:
On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis 
alexandre.para...@gmail.com wrote:


indeed, i vote to continue. Because you don't mind being
overlooked by NSA doesn't mean everybody doesn't care.

On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat
rgbier...@rgbiernat.homelinux.org wrote:

This discussion about security/NSA/encryption IS important.
Please go on.


Whether or not this is an important conversation is irrelevant.  This 
is the wrong place to have the conversation.


Ian, that is *your* opinion. As you can see, others here have a quite 
different opinion and they find this topic to be highly relevant for 
pfSense.


Luckily this is an open mailing list, where everyone can pick the topics 
to read that interest him, so why don't you just walk away from this 
discussion instead of wasting time telling others how 
uninteresting you find *their* discussion?


And you even dare to tell us to go elsewhere... Who do you think you are?

You are either a kind of sadomasochist - reading all day all kinds of 
discussions that do not interest you and telling the participants of 
that discussion that they should go elsewhere because they do not 
discuss what you find interesting and relevant - or you simply do not 
know how to use a mailing list properly. I suggest you go learn how to 
use a proper news/mailing-list reader. Hint: Threaded mode.


Cheers
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Thinker Rix

On 2013-10-10 16:08, Giles Coochey wrote:

On 10/10/2013 13:55, Ian Bowers wrote:
On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis 
alexandre.para...@gmail.com wrote:


indeed, i vote to continue. Because you don't mind being
overlooked by NSA doesn't mean everybody doesn't care.

On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat
rgbier...@rgbiernat.homelinux.org wrote:

This discussion about security/NSA/encryption IS important.
Please go on.


Whether or not this is an important conversation is irrelevant.  This 
is the wrong place to have the conversation.


I tried to turn this back into a product support discussion in the 
last thread but sadly my comments were not among those cherry picked. 
This discussion does not suit the purpose of this list.  I see a 
bunch of hard working people reacting to their product's integrity 
being continuously questioned despite having all questions answered, 
and a few entitled consumers who can't be bothered to figure out 
technology well enough to come to their own conclusion on its 
integrity. As well as a bunch of people that want this discussion 
to go someplace more appropriate.  The concerned parties are not 
concerned enough to learn how to read code.  So you're paranoid, just 
not paranoid enough to actually learn how to answer your own questions.


Unless there is an issue someone is having making a VPN work or 
getting NAT running right, this is the wrong place to hold this 
discussion.   If you're having an issue with this pfSense, networking 
protocols, or logical operation of the device, great!  let's talk 
about it!  I'm actually very good at these things, and I'd like to 
spend time helping people with network or network security related 
operational problems.  Otherwise, please find the email addresses of 
all the people who have shown an interest in participating in this 
discussion, and send an email out to that list of people to discuss 
it among yourselves.



*BLINK!*

Incredible the way I am seeing the reaction to the initial 
question, and trying to query very valid points are now leading me to 
seriously reconsider the potential risk I have in continuing to use 
pfsense as a security tool.


This is *exactly* the way I feel about this whole sensation that we are 
witnessing here! Some reactions are truly incredible!


The about list on the mailman page states: pfSense support and 
discussion list...


Correct!

But I guess those who waste our time by telling us we should shut up and 
walk away would like to rename the list to e.g. Happy shallow chatting 
of pfSense fan boys who never dare to ask any critical question about 
their beloved firewall-distro that they take to bed each night or 
something similar.


Self-censorship in a security software forum when it comes to discuss 
the security level of the security software! It's absolutely crazy!!


This thread is clearly about discussing pfsense, therefore it is 
on-topic, I could equally take the stance, take your technical 
discussions to the dev list, however I am not the type of exclusive 
close-minded person that you appear to be. Please stop 
hijacking this thread.


FACK!!

Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Thinker Rix

On 2013-10-10 16:52, Paul Mather wrote:
On Oct 10, 2013, at 9:08 AM, Giles Coochey gi...@coochey.net wrote:



*BLINK!*

Incredible the way I am seeing the reaction to the initial 
question, and trying to query very valid points are now leading me to 
seriously reconsider the potential risk I have in continuing to use 
pfsense as a security tool.


Some people value the S/N ratio of mailing lists.  I believe the 
people asking for the discussion to be moved elsewhere are motivated 
by that.


Those people should just learn how to use a mailing list properly, 
before using one. A mailing list is *not* just I enter my daily use 
email address somewhere and receive emails.
For participating properly at a mailing list you need a proper mail 
reader that is able to sort mail into conversation threads 
(https://en.wikipedia.org/wiki/Conversation_threading).
Then you go and pick the threads that interest you and read them. And 
you ignore those, who do not interest you.
Additionally it is advised to use an email address only for reading 
mailing lists.


Of course anyone can use a mailing list as he desires, e.g. by just 
subscribing to a mailing list with his daily use email address and then 
get his daily use email inbox spammed with tons of unsorted and 
un-threaded email about all sorts of discussion topics that are of no 
interest to him. Everyone's own choice! But please: Those people should 
not complain about receiving tons of email that do not interest them. 
And of course they can't tell others to talk only about topics that are 
of their own interest, that is ridiculous. Full stop.


The original poster in this thread asked for a direct answer to a 
straightforward question and he got it, yet still he continues to 
pursue this thread.  To what end?


Eh, as long as I wish?! There is no quota on how long any member of 
this list is allowed to discuss a topic, is there? If you are not 
interested, just do not read this THREAD. You don't use a conversation 
threaded email reader to participate in a mailing list? Not my problem, 
sorry. Go use one. See above.


 People are outraged at the NSA revelations, but the pfSense mailing 
list is not the appropriate place to be outraged at that.


Sorry, this is not up to you to judge. I think that my question is very 
well related to pfSense and thus the mailing lists of pfSense is the 
right place to do so. And again: If you are not interested in this 
thread, DO NOT READ it. So simple actually?!


Maybe if we can establish that, we can finally wrap up this thread as 
far as pfSense is concerned and get back to a pfSense-focused mailing 
list.


You can switch *right at this very moment* to a discussion thread that 
is of more interest for you and there you go!


Regards
Thinker Rix


Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

2013-10-10 Thread Thinker Rix

Hi Giles,

On 2013-10-10 16:50, Giles Coochey wrote:

Trying to get this back on-topic, I will change the subject however


Giles, please note that Jim Pingle has already started a new thread for 
this purpose that he named [pfSense] Crypto/RNG Suggestions today.
It seems to be beneficial to add your posting to his thread, not to have 
2 concurrent threads - and thus concurrent discussions - about the same 
topic.


Regards
Thinker Rix


Re: [pfSense] pfSense 2.1: which FreeBSD version?

2013-10-10 Thread Thinker Rix

Hi Warren,

thank you for your quick reply!

On 2013-10-10 18:39, Warren Baker wrote:


On 10 Oct 2013 17:36, Thinker Rix thinke...@rocketmail.com wrote:

 Hi all!
 I want to upgrade from 2.0.1 to 2.1 and am wondering which 
FreeBSD-version 2.1 is based on, since I am using some packages from 
there.
 The table found here 
https://doc.pfsense.org/index.php/PfSense_and_FreeBSD_Versions has not 
been updated yet, it says only TBD, at least 8.3.


 Is there someone who knows which version of FreeBSD 2.1 is based on?

It is 8.3.



Ok!

Can you / someone please confirm that the following is the correct 
repository for me to use, when installing packages of FreeBSD on pfSense 
2.1:
http://ftp-archive.freebsd.org/pub/FreeBSD/releases/i386/8.3-RELEASE/packages/All/ 
?


Best regards
Thinker Rix


Re: [pfSense] pfSense 2.1: which FreeBSD version?

2013-10-10 Thread Thinker Rix

On 2013-10-10 18:54, Jim Pingle wrote:

On 10/10/2013 11:35 AM, Thinker Rix wrote:



Is there someone who knows which version of FreeBSD 2.1 is based on?

8.3-RELEASE-p11

It was going to be 8.3 the TBD part was for the patchlevel. It ended up
being -p11 by the time 2.1 was released.


Thank you for the information, Jim!

Best regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Thinker Rix

Hi Paul.

On 2013-10-10 18:42, Paul Mather wrote:

Thank you for the valuable information about how to use mailing lists.


You are welcome! ;-)

I first started using mailing lists back in the mid/late 1980s, on the 
JANET network (British academic network)---back when the Internet was 
made up of networks like ARPA, BITNET, UUCP, and the likes and (in my 
case) you needed to know the gateway machines that would let you reach 
those networks and had to incorporate that routing into the recipients 
e-mail address.


I love it when users try to show off with what internet dinosaurs they 
are, as soon as someone tries to teach them how to do something better...
Well, I am an Internet Dinosaur, too, with quite a comparable track 
record to yours, so I am not all too impressed ;-)


 I suspect those people you mention above actually know how to use a 
mailing list properly.  I know I do.


Well, as it seems, most readers here *may know* how it should be done, 
but yet *don't do* it correctly, since it has been shown that most users 
just read all incoming mail unsorted and not threaded.
While anybody has the right to do so - no one has the right to complain 
afterwards about drowning in mail that does not concern him. But 
awkwardly enough many users did complain. And I will not accept them 
blaming me for not using their mail readers correctly.


 I also know the value of good S/N ratio on technically-focused 
mailing lists.


Every user will consider different things to be noise. I do not consider 
this thread to be noise - at all. You do. Just read another thread that 
appeals you more?


Maybe if we can establish that, we can finally wrap up this thread 
as far as pfSense is concerned and get back to a pfSense-focused 
mailing list.


You can switch *right at this very moment* to a discussion thread 
that is of more interest for you and there you go!


Of course, you're right, and that is wise counsel


It would have been a wise sentence, if it would have stopped here ;-)

because it reminds me of one of the golden rules of mailing lists: 
unwelcome threads persist only so long as people reply to them.  (This 
is sometimes better known by the more insulting adage: Please don't 
feed the trolls!  I'm loath to employ that, though.)  I thought I 
was making a reasonable point, but it seems as far as I'm concerned, 
this thread has passed the point of reasonableness.


FACK! The only difference is, that you consider me to be the troll 
(maybe because I backtalk without hesitation to those who try to muzzle 
and censor me?) - while I consider those to be the trolls, who do not 
contribute anything of value to the discussion but plainly interfere in 
this thread and bully the others to stop discussing about the topic, 
because they claim that it bores them - instead of just walking away.


 I'll leave it to you and your fellow concerned list members to 
continue mulling it over, and, in your case, to continue teaching your 
grandma to suck eggs when it comes to Netiquette. :-)


Thanks so much ;-)

As far as Netiquette is concerned, I am surprised how many of those 
computer geeks that participate at this mailing list are clueless 
about Netiquette, and the basic usage of mail readers, etc.
Take for an example how many postings are not quoting correctly, but 
have text on top - full quote below which is a no-go in newsgroups and 
mailing lists...



Cheers,
Paul.


Regards
Thinker Rix


Re: [pfSense] pfSense 2.1: which FreeBSD version?

2013-10-10 Thread Thinker Rix

On 2013-10-10 19:25, Jim Pingle wrote:

comprehensive explanation & help


Thank you very much, Jim!

Best regards
Thinker Rix


[pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

Dear pfsense-team,

today I posted the following on your blog at http://blog.pfsense.org/?p=712




Worried User Says: Your comment is awaiting moderation.

October 9th, 2013 at 7:55 am

Hi guys,

I want to ask if you have been approached by any US government 
officials, such as NSA, FBI, etc. and been asked/ forced to include any 
backdoors, spyware, loggers, etc. into pfsense and if you did so.


Thank you

Worried User




Some minutes later I could see that my entry was not released to the 
public - but deleted by the moderator, without any further comment.


Please take a stand to this.


Regards


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 18:20, Paul Kunicki wrote:
I think that in light of the recent news of the NSA coercing various 
organizations to provide them with means to eavesdrop this message has 
merit and deserves response


Exactly, Paul, you got my point!

although I doubt the NSA really needs cooperation from these guys. 
Does anyone else care to comment ?


@your doubts about the NSA/FBI/put the name of your government's 
surveillance institution here bothering with smaller companies such as 
Electric Sheep Fencing LLC (formerly BSD perimeter) and their niche 
product pfSense:


Please take these 2 things into account:

1. Recently they forced the small encrypted-email-service Lavabit to 
comply with them (hand out their SSL-masterkeys & install a black-box 
at their premises). Lavabit did not agree - and they shut him down. 
https://en.wikipedia.org/wiki/Lavabit. Officially they wanted to force 
Lavabit to just hand out Edward Snowden's emails (bad enough), but in 
reality they wanted to gain access to all emails of Lavabit by receiving 
the SSL masterkeys and by placing the blackbox at their premises, which 
rendered the whole service useless.


2. Routers/Gateways/Firewalls are highly interesting for big brother. 
Read e.g. this article "NSA Laughs at PCs, Prefers Hacking Routers and 
Switches" 
(https://mailman.stanford.edu/pipermail/liberationtech/2013-September/011287.html)


So, combining those 2 facts - the fact that the NSA/FBI/etc. prefer to 
infiltrate routers with the fact that they very well bother knocking on the 
doors of small businesses with niche products - I guess my question is 
quite legitimate!


Greetings
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 19:03, Jim Thompson wrote:

(TIC mode: on)
Sorry, but I guess the whole matter - not only concerning pfSense, but 
the current threat to our civilization by our criminal governments as a 
whole - is much too serious for any TIC-modes..



Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

Hi Jim,

thank you for your quick reply!

On 2013-10-09 18:59, Jim Pingle wrote:

On 10/9/2013 11:20 AM, Paul Kunicki wrote:

I think that in light of the recent news of the NSA coercing various
organizations to provide them with means to eavesdrop this message has
merit and deserves response although I doubt the NSA really needs
cooperation from these guys. Does anyone else care to comment ?

As far as I'm aware, nobody has contacted us, but if they did I may not
know. They aren't really interested in end-user firewalls, they want
infrastructure routers.


Do you think that there might be a chance to get an official statement 
of ESF, maybe without any ifs and buts?
This would really help in these uncertain times that we all have to 
suffer currently.


Thank you,
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

Hello Jim!

Thank you for your answer.

On 2013-10-09 19:38, Jim Thompson wrote:
No, the NSA hasn't approached us about pfSense, or adding a back 
door, or anything similar.  Nor has anyone else.


Do you work for Electric Sheep Fencing LLC, i.e. is this the official 
answer of the company to my question?


Thank you
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

Hi Adam,

On 2013-10-09 19:42, Adam Thompson wrote:

Which makes asking the question quite irrelevant.

I do not think so.

Greetings
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 20:04, Walter Parker wrote:
About that made in the USA thing, the NSA has deals with overseas 
companies as well...


Plus, the GCHQ and several other foreign spy agencies have done 
similar things, so if you start asking, you discover that the major 
governments are trying to do this and have succeeded more often than we 
would like.


Yes, it is horrifying.

Also, the whole "We have to ask the question to get the denial 
on record" only matters for the government or people with lots of 
money. The Government can sue you/arrest you for a lie, but do you 
have enough money to pay for lawsuits against a company? Most lawyers 
want money upfront unless you have a clear suit against a company with 
lots of money.


When was the last (or even first) time that a company was sued and 
lost to a private party for something like this, outside of class 
action lawsuits?


I do not want to sue or otherwise harm anybody.

I only asked a very simple question and now read the answers. Very 
interesting answers, I think.


Regards
Thinker Rix



Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 17:20, Thinker Rix wrote:

Dear pfsense-team,

I want to ask if you have been approached by any US government 
officials, such as NSA, FBI, etc. and been asked/ forced to include 
any backdoors, spyware, loggers, etc. into pfsense and if you did so.


Hello all!

Thank you for all your reactions so far!

Reading the whole thread, I can't help but feel two things:

1. Quite a bit of aggression from some users. Why? Because I asked a 
simple and naively straight-forward question? Strange, isn't it?

2. A "nothing to worry here, just continue walking" attitude of some others

I think this is strange.

And by the way: It is not only some question, but *the* question, 
actually, if someone remembers what we are talking about here! We are 
talking about a network security software - so what on earth is more 
normal than asking if this software *is* secure!? Should we all just 
look away and continue our business as usual, as if nothing has happened 
the last year out there on the globe?


We all know that the governments currently force on a daily basis one 
company after the other to comply with their New World 
Order-Orwellian-global-surveillance fantasies and make them compromise 
their software or service. So I find it absolutely NECESSARY to clear 
up if pfSense has fallen (already) to them, or not. Network security is 
THE major reason for using pfSense. So it should be the most important 
question for all of us, shouldn't it?


By my comprehension, everyone who says that this is a silly question or 
that it is some unimportant thought no one should further bother 
thinking about in detail, is either confused, or trying to conceal 
something.


Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 20:16, Gé Weijers wrote:
Some people in this discussion assume that the principals of ESF could 
not be forced to lie by the US government, under threat of lawsuits, 
financial ruin, incarceration and not seeing their children grow up.


Gee, quite a frightening regime. Someone should tell the USA to send 
some of their troops in there to remove this suppressing regime and free 
those poor devils over there by spreading some of their democracy, as 
they do all over the planet.. Oops, I think I got something wrong here ;-)



I find this assumption awfully naive


Do you think so? Me, not, though it might seem so at first sight.


I think it's unlikely that ESF was even asked to cooperate,


Interesting thought, may I ask you why you think so?


but I don't believe a denial is all that useful under the circumstances


What do you mean? It would not be useful not to comply, but better to 
just compromise that what you do so that you are left in peace?



and asking for it again and again


Actually I only asked once


is obnoxious.


Since when can a naive question, as you called it, be obnoxious? And why 
do you think asking a security software project if it is secure is 
obnoxious? I think it is the most important question of all.


Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 20:22, Jim Thompson wrote:

On Oct 9, 2013, at 7:13 PM, Thinker Rix thinke...@rocketmail.com wrote:


Hello Jim!

On 2013-10-09 19:50, Jim Thompson wrote:

IMO, this bullshit thread only serves to assist those asking the question in 
stroking their own ego.

This is already the second time that you insult me indirectly.

It’s amusing that you don’t understand that you threw the first stone here.


This is correct. I do not understand where I am supposed to have thrown 
any stones or insult anybody, indeed. If you would like to show me, I 
would really be thankful.



May I ask again if you are a staff member of Electric Sheep Fencing LLC?

Staff members get paid.

I’m a co-owner, and have never taken a dime from ESF (or BSDP).

jim


Thank you for the info.

Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 19:49, Christian Borchert wrote:

Linus Torvalds was asked the same question in a Q&A session about Linux.  He 
said 'no' while nodding his head up and down.
Sent via BlackBerry from T-Mobile

Exactly. Frightening, isn't it?
Awkwardly the audience started laughing about that...

Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 20:18, Jim Thompson wrote:

On Oct 9, 2013, at 7:03 PM, Thinker Rix thinke...@rocketmail.com wrote:


Hello Jim!

Thank you for your answer.

On 2013-10-09 19:38, Jim Thompson wrote:

No, the NSA hasn’t approached us about pfSense, or adding a “back door”, or 
anything similar.  Nor has anyone else.

Do you work for Electric Sheep Fencing LLC, i.e. is this the official answer 
of the company to my question?

There are three individuals that own ESF, and can speak for the company.

Chris Buechler
Jamie Thompson (my wife)
Me.


Thank you for this information.


how official do you want an answer to be?


Since you are a co-owner of ESF who is entitled to speak for the 
company, as you say, I believe that your answer is as official as it 
gets and I am thankful for this clear statement of yours! Thank you very 
much.


I only wonder what the aggression was needed for.

Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 19:42, Adam Thompson wrote:
Argh. Anyone who answered "Yes" to your question (correctly, mind you) 
would immediately be committing a federal crime.
Considering the consequences, no-one in their right mind would ever 
confirm that they had been approached or received a NSL.
Well, some people do, because they have principles and values and prefer 
to not bow to any suppressors; for example Ladar Levison of Lavabit 
(https://en.wikipedia.org/wiki/Lavabit).
He could just have complied and he would still run his company today 
- offering encrypted email to his customers, that in reality is not 
really encrypted anymore; but he chose to stand up and blow the whistle. 
Great guy.


Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 20:16, Gé Weijers wrote:
I think it's unlikely that ESF was even asked to cooperate, but I 
don't believe a denial is all that useful under the circumstances, and 
asking for it again and again is obnoxious.


Having thought about it again and again, I would like to feedback to you 
that your act of calling it obnoxious to pose a simple question about 
whether a security software project is still secure or has been undermined by 
the government already seems to be a clear indication of self-censorship...


Self-censorship is what you get when you suppress people by surveillance..


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 22:11, Ian Bowers wrote:
You got your answer of no a while back.  But you're still talking. 
 What are you going to do with the answer now that you have it? 
 What's YOUR plan?


-Ian


- Well, actually it was not so long ago that I got a clear answer
- Commonly I talk as much as I like to
- I still don't know what to do with the answer
- I have no plan

Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

Hi Walter,

On 2013-10-09 21:53, Walter Parker wrote:
To answer your question about throwing the first stone. Your question 
reads a bit like the "Are you a criminal/commie?" questions. Many 
people would object to the question at the start because it implies 
that the people being asked the question have done something wrong. 
Watching the reactions to political debates shows that asking the 
question can be enough to get a sizable amount of the audience to 
think the answer is yes, even when no proof is ever given that 
something happened.


Interesting what all kinds of different things you read into my 
question.
By my comprehension I just asked a simple but important question and did 
this quite straight-forwardly.




Then when the question was deleted, you demanded that pfSense take a 
stand on it.


Yes. Censorship always raises questions.


Let me show you what it looks like from the other side:

Have you planned to overthrow the government? When will you show that 
you are not plotting to kill your fellow countrymen?
It is a simple question, when will we hear something from you? I just 
ask because I want to be sure that you are not trying to kill me.


Well, your example neglects one important aspect: pfSense is a kind of 
security software project. Asking it about its level of security and 
integrity is a question that such a project must stand, IMHO. It is like 
asking a bank how safe my money is. Or asking Microsoft how good Word 
is for writing letters; while asking me about whether I plan to overthrow 
some government or kill other people refers to nothing.


For the tool in question, pfSense, once you start questioning it, 
there is no way to get to the bottom without either trusting the 
pfSense people (which means that the question is pointless because if 
you trust them, asking them if they have violated your trust means 
that you don't trust them) or getting an external validation (trusting 
another group of people or doing the work yourself).


I guess for anybody related to computer security it is a must to 
question anything anytime and take nothing for granted. You should 
question everything any time and any player in this domain should accept 
any questions any time, IMHO.


FYI, there is a long history on the Internet of people asking simple 
"innocent" questions, not to get actual answers, but to cause 
trouble by causing the effect described at the beginning of my email 
(these are called trolls).


What trouble do you refer to? I only read some aggressive/ snappy 
answers which - frankly - I find pretty awkward reactions to my simple 
question.


Regards
Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Thinker Rix

On 2013-10-09 23:43, Pim van Stam wrote:

All,

Can this flame be put to an end or continued via private mail?
This endless discussion would be reason for me to unsubscribe and that's not 
the goal of the list I guess.

Regards, Pim


Hi Pim,

first of all: Generally - sorry for disturbing you.

But: Interpreting your message, I guess you are participating in this 
mailing list with a mail reader that just pours all incoming mail into 
one folder - which is not the proper way to read mailing lists.
Please let me inform you that it is highly advisable to participate in 
mailing lists only with a mail reader that allows you to view incoming 
mail in threaded mode. This way you only get to read messages that 
interest you, instead of being flooded by all messages of all users with 
all subjects.


Not using such a thread-capable reader but telling others what to 
write and what not because you are bored by what they discuss is not 
really a solution :-)


A reader that is capable of threaded view mode is e.g. Mozilla 
Thunderbird (View > Sort by > Threaded)


Regards
Thinker Rix


Re: [pfSense] 2.0.2: Bug in Backup/Restore makes it impossible to restore encrypted backup file

2013-02-23 Thread Thinker Rix

On 2013-02-23 09:42, Chris Buechler wrote:

On Fri, Feb 22, 2013 at 6:18 PM, Thinker Rix thinke...@rocketmail.com wrote:

Hello,

there is a bug in the backup/restore function of pfSense 2.0.2 which makes
it impossible to restore encrypted backups, rendering those backups useless.


Thanks, opened:
https://redmine.pfsense.org/issues/2836


Hi Chris,

Thank you for filing this bug for me.
Could you by any chance help me out with my two questions, too (see the 
second to last section in my posting)?
Is it safe for me to proceed and use the backup file to restore a 
productive system, which I manually trimmed (as I described it in step 
No. 6: deleting everything in the encrypted backup file that comes after 
---- END config.xml ----)?
Or should I rather dump the whole thing and start from scratch (losing 
almost a week's worth of work)?


This information would be of great help to me, because at the moment I 
am puzzled on how to proceed with this first pfSense roll-out of mine.


Cheers
thinkerix


[pfSense] 2.0.2: Bug in Backup/Restore makes it impossible to restore encrypted backup file

2013-02-22 Thread Thinker Rix

Hello,

there is a bug in the backup/restore function of pfSense 2.0.2 which 
makes it impossible to restore encrypted backups, rendering those 
backups useless.


==

You can easily reproduce the bug by making a backup with the following 
settings:


- Backup area: ALL
- Do not backup package information: YES/NO (irrelevant)
- Encrypt configuration file: YES
- Do not backup RRD data: NO (= Yes, backup RRD data!)

The combination of encryption and RRD data inside the backup file 
corrupts the file:
- When trying to restore via Pre-Flight Installer (USB-stick), pfSense 
states that the password is wrong.
- When trying to restore via Web GUI, it states: "You have selected to 
restore the full configuration but we could not locate a pfsense tag."


==

Since the file is not encrypted as a whole, but only sections of it are 
encrypted, I could open the file with a text editor and analyze it:


As it seems, the backup XML and the RRD data are two sections which are 
clearly separated from each other:


1. In an UNENCRYPTED backup file WITHOUT RRD data, the file structure is:
##
<?xml version="1.0"?>
<pfsense>
... then the contents of the config.xml ...
... at the end some certificate data
</cert>
</pfsense>

2. In an UNENCRYPTED backup file WITH RRD data, the file structure is:
##
<?xml version="1.0"?>
<pfsense>
... then the contents of the config.xml ...
... at the end some certificate data
</cert>
<rrddata>
.. then multiple RRD data blocks in the following format...
<rrddatafile>
<filename>some name</filename>
<data>some encrypted/hashed (?) RRD data</data>
</rrddatafile>
... and at the end of the file
</rrddata>
</pfsense>

3. In an ENCRYPTED backup file WITHOUT RRD data, the file structure is:
##
---- BEGIN config.xml ----
... encrypted data
---- END config.xml ----

4. In an ENCRYPTED backup file WITH RRD data (= the corrupted file which 
won't restore!), the file structure is:

##
---- BEGIN config.xml ----
... encrypted data
---- END config.xml ----
.. then multiple RRD data blocks in the following format...
<rrddatafile>
<filename>some name</filename>
<data>some encrypted/hashed (?) RRD data</data>
</rrddatafile>
... and at the end of the file
</rrddata>
</pfsense>

Reminder: when trying to restore this file, the error message said: 
"..we could not locate a pfsense tag." Analyzing the file, I noticed 
that indeed the start tag <rrddata> is missing, since after ---- END 
config.xml ---- it continues straight away with <rrddatafile>. So I 
tried to fix the file by manually inserting the missing start tag, 
leading to the following result:


5. FIX ATTEMPT 1: ENCRYPTED backup file WITH RRD data (= the corrupted 
file which won't restore!), with missing <rrddata> start tag inserted:

##
---- BEGIN config.xml ----
... encrypted data
---- END config.xml ----
<rrddata>
.. then multiple RRD data blocks in the following format...
<rrddatafile>
<filename>some name</filename>
<data>some encrypted/hashed (?) RRD data</data>
</rrddatafile>
... and at the end of the file
</rrddata>
</pfsense>

When trying to restore this file, I receive a new error message: The 
configuration could not be restored. So obviously I either fixed the 
wrong thing, or there is something else wrong, too.


6. As a last resort I went over and cut off all RRD data: I deleted 
everything that came after ---- END config.xml ----:

##
---- BEGIN config.xml ----
... encrypted data
---- END config.xml ----

This is similar to the way the file looks in No. 3, i.e. the way it 
would look if you don't select any RRD data to be saved in the backup.

Result: The backup is accepted by pfSense and it restores the system

==

Questions:

1. I did this backup-restore-action because I wanted to be sure that my 
backup works fine, prior to going productive with the system, as is 
suggested in the book. Obviously good advice, since I don't 
even want to imagine the stress I would have now in a recovery situation 
of a productive system.
Nevertheless, I have worked quite some days on this configuration setup 
and really do not want to lose all the work and start from scratch. So 
can someone please tell me if it is safe for me to proceed with my 
trimmed backup file, fixed in the way I described in point No. 6? Did 
I really just cut off the RRD data, when I cut off everything after 
---- END config.xml ----, or did I damage the backup file in a way not 
obvious to me which could lead to a misconfigured/unstable/insecure 
pfSense system in the future???


2. What encryption algorithm is used for the backup? Is there any way I 
could decrypt it manually?


Thank you very much for any help/hint/information!!

Cheers
thinkerix
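A structural check you can run on a backup file before relying on it, added here as an example; it is not part of this thread and not pfSense's own code. It assumes the marker lines are exactly `---- BEGIN config.xml ----` and `---- END config.xml ----` and that the tag names are the ones listed in the post; the sample files, the hostname and the base64-looking blob are constructed, not real backups or ciphertext. It classifies the layouts 1 to 4 above plus the fix attempt in point 5 (what 4 and 5 have in common is bytes after the END marker of an encrypted file, and that is what gets flagged), and implements the trim from point 6. It never decrypts anything, so it says nothing about whether the encrypted section itself is intact.

```python
"""Structural checks for pfSense 2.0.x backup files (added example, not pfSense code)."""
import xml.etree.ElementTree as ET

# Marker lines around the encrypted config section (assumed format, see lead-in).
BEGIN_TAG = "---- BEGIN config.xml ----"
END_TAG = "---- END config.xml ----"


def analyse_backup(text: str) -> dict:
    """Classify a backup file by its layout without decrypting anything.

    Flags: encrypted, has_rrd, trailing_data (bytes after the END marker of an
    encrypted file), missing_rrddata_open (<rrddatafile> blocks with no <rrddata>
    start tag, the corruption described in point 4) and well_formed (the layouts
    of points 1, 2 and 3, which the post reports as restoring fine).
    """
    flags = {"encrypted": False, "has_rrd": False, "trailing_data": False,
             "missing_rrddata_open": False, "well_formed": False}
    body = text.strip()

    if body.startswith(BEGIN_TAG):
        flags["encrypted"] = True
        end = body.find(END_TAG)
        if end == -1:
            return flags  # no END marker at all: nothing to restore from
        tail = body[end + len(END_TAG):].strip()
        if tail:
            flags["trailing_data"] = True
            flags["has_rrd"] = "<rrddatafile>" in tail
            flags["missing_rrddata_open"] = flags["has_rrd"] and "<rrddata>" not in tail
        flags["well_formed"] = not tail  # point 3: marker block and nothing else
        return flags

    # Unencrypted: must parse as XML with a <pfsense> root; a lost <rrddata>
    # start tag would make the parse fail here as well.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return flags
    if root.tag != "pfsense":
        return flags
    flags["has_rrd"] = root.find("rrddata") is not None
    flags["well_formed"] = True
    return flags


def trim_encrypted_backup(text: str) -> str:
    """Point 6 of the post: keep the encrypted config section, drop everything after it."""
    end = text.find(END_TAG)
    if end == -1:
        raise ValueError("no END marker: not an encrypted pfSense backup")
    return text[: end + len(END_TAG)] + "\n"


# Constructed sample files mirroring the layouts in the post (not real backups).
ENCRYPTED_BLOB = "U2FsdGVkX1+CONSTRUCTED/PLACEHOLDER/NOT/REAL/CIPHERTEXT=\n"
RRD_BLOCKS = ("<rrddatafile>\n<filename>wan-traffic.rrd</filename>\n"
              "<data>QUJDREVG</data>\n</rrddatafile>\n</rrddata>\n</pfsense>\n")
PLAIN_NO_RRD = ('<?xml version="1.0"?>\n<pfsense>\n<hostname>fw1</hostname>\n'
                '<cert><crt>QUJD</crt></cert>\n</pfsense>\n')                 # point 1
PLAIN_WITH_RRD = PLAIN_NO_RRD.replace("</pfsense>\n", "<rrddata>\n" + RRD_BLOCKS)  # point 2
ENC_NO_RRD = BEGIN_TAG + "\n" + ENCRYPTED_BLOB + END_TAG + "\n"              # point 3
ENC_WITH_RRD = ENC_NO_RRD + RRD_BLOCKS                                        # point 4
ENC_FIX_ATTEMPT = ENC_NO_RRD + "<rrddata>\n" + RRD_BLOCKS                     # point 5

if __name__ == "__main__":
    samples = [("1 plain, no RRD", PLAIN_NO_RRD), ("2 plain, RRD", PLAIN_WITH_RRD),
               ("3 encrypted, no RRD", ENC_NO_RRD), ("4 encrypted, RRD", ENC_WITH_RRD),
               ("5 fix attempt", ENC_FIX_ATTEMPT),
               ("6 trimmed", trim_encrypted_backup(ENC_WITH_RRD))]
    for name, sample in samples:
        print(name, analyse_backup(sample))
```

Run it against your own backup with `analyse_backup(open(path).read())`; a result with `trailing_data` set is the layout of points 4 and 5, and `trim_encrypted_backup` gives you the point 6 file. The encrypted branch deliberately treats any bytes after the END marker as a defect rather than trying to interpret them, since the post shows that both the raw point 4 file and the hand-repaired point 5 file are refused.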