Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-23 Thread Alberto José García Fumero
On Tue, 22-05-2018 at 20:54 -0400, John Johnstone wrote:
> On 5/18/2018 10:42 AM, Alberto José García Fumero wrote:
> 
> > > I'm trying to block spam (for instance, from 185.234.217.232).
> > As far as I know, it's trying to pass as a message from my very
> > net:
> > 
> > Transcript of session follows.
> > From:   Mail Delivery System
> > To:     Postmaster
> > Subject: Postfix SMTP server: errors from
> > unknown[185.234.217.232]
> > Date:   Fri, 18 May 2018 10:10:39 -0400 (CDT)
> >   Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
> >   In:  EHLO 190.6.79.98
> >   Out: 250-partagas.ettpartagas.co.cu
> >   Out: 250-PIPELINING
> >   Out: 250-SIZE 1524
> >   Out: 250-ETRN
> >   Out: 250-STARTTLS
> >   Out: 250-ENHANCEDSTATUSCODES
> >   Out: 250-8BITMIME
> >   Out: 250 DSN
> >   In:  AUTH LOGIN
> >   Out: 503 5.5.1 Error: authentication not enabled
> > 
> > Session aborted, reason: lost connection
> > 
> > For other details, see the local mail logfile
> > 
> > but the MTA correctly rejects it as a fake.
> 
> It might not be good to describe what happened here as your MTA rejected
> the connection as a fake.  If your MTA is configured to reject a
> connection because the EHLO contains your IP address (which is
> unlikely), that isn't what happened here.
> 
> Your MTA returned a 503 error to the sending server because your MTA is
> not configured to accept an AUTH login.  250-AUTH is not part of its
> response to the EHLO.  Most mail servers accept AUTH only on port 465 or
> port 587.

Right.

> 
> > > I have created an alias list (rechaza) in the menu Firewall/Aliases,
> > > where I put all the addresses known to be spammers, and tried to reject
> > > them with the rule in Firewall/Rules/WAN
> > > 
> > > Action: Block
> > > Interface: WAN
> > > TCP/IP version: IPV4
> > > Protocol: TCP
> > > Source: (single host or alias) rechaza
> > > Destination: 190.6.79.98
> > > Destination port range: any
> > > 
> > > but I can not stop the spam right in the WAN interface.
> 
> If you take a look at Status > System Logs > Firewall and notice what
> you see for Source and Destination this can help you understand better
> how filtering and NAT works.  For your WAN interface, Source will be the
> public IP of the origin of the packet.  If there is no port forwarding
> configured for the destination port, no NAT occurs so the destination
> address will be your public IP.  If port forwarding is configured for
> the destination port, then NAT does apply and the destination address
> will be your LAN IP.  It helps to keep this in mind when developing rules.

That did the trick. 

My first idea was to take a better look at the order of the
instructions, that is, to see if the NATing occurred **before** the
blocking. But it seems I should consider them as working in different
"contexts".


Thanks a lot to all!
-- 
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work
you put into those hours.




___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-22 Thread John Johnstone

On 5/18/2018 10:42 AM, Alberto José García Fumero wrote:


I'm trying to block spam (for instance, from 185.234.217.232).
As far as I know, it's trying to pass as a message from my very net:

Transcript of session follows.
From:   Mail Delivery System
To:     Postmaster
Subject: Postfix SMTP server: errors from
unknown[185.234.217.232]
Date:   Fri, 18 May 2018 10:10:39 -0400 (CDT)
  Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
  In:  EHLO 190.6.79.98
  Out: 250-partagas.ettpartagas.co.cu
  Out: 250-PIPELINING
  Out: 250-SIZE 1524
  Out: 250-ETRN
  Out: 250-STARTTLS
  Out: 250-ENHANCEDSTATUSCODES
  Out: 250-8BITMIME
  Out: 250 DSN
  In:  AUTH LOGIN
  Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

For other details, see the local mail logfile

but the MTA correctly rejects it as a fake.


It might not be good to describe what happened here as your MTA rejected 
the connection as a fake.  If your MTA is configured to reject a 
connection because the EHLO contains your IP address (which is 
unlikely), that isn't what happened here.


Your MTA returned a 503 error to the sending server because your MTA is 
not configured to accept an AUTH login.  250-AUTH is not part of its 
response to the EHLO.  Most mail servers accept AUTH only on port 465 or 
port 587.



I have created an alias list (rechaza) in the menu Firewall/Aliases,
where I put all the addresses known to be spammers, and tried to reject
them with the rule in Firewall/Rules/WAN

Action: Block
Interface: WAN
TCP/IP version: IPV4
Protocol: TCP
Source: (single host or alias) rechaza
Destination: 190.6.79.98
Destination port range: any

but I can not stop the spam right in the WAN interface.


If you take a look at Status > System Logs > Firewall and notice what 
you see for Source and Destination this can help you understand better 
how filtering and NAT works.  For your WAN interface, Source will be the 
public IP of the origin of the packet.  If there is no port forwarding 
configured for the destination port, no NAT occurs so the destination 
address will be your public IP.  If port forwarding is configured for 
the destination port, then NAT does apply and the destination address 
will be your LAN IP.  It helps to keep this in mind when developing rules.


It is a good idea to not be too specific with rules.  Since you are 
running a mail server you must have port 25 forwarded to the mail server 
LAN IP.  Because of NAT for port 25, specifying your public IP 
190.6.79.98 as the destination prevents the rule from matching.  Because 
of NAT, to have a match you would need to have the mail server LAN IP as 
the destination.


You probably want to block the IP from going to any destination though 
regardless of whether the destination port is forwarded or not.  So in 
your rule you want


Destination: any

instead of


Destination: 190.6.79.98


If you were to add another LAN interface to pfSense in the future the 
rule will continue to match then as well.


If you are intending to block all traffic, not just TCP, from the 
source, you want


Protocol: any


On 5/18/2018 12:52 PM, Alberto José García Fumero wrote:


Could I create a rule saying, for instance: "reject packets originating
(apparently!) from the WAN address and directed to my WAN address? (as
they are trying to forge identity)


This is unnecessary.  There is no way for a system on the Internet to 
establish a TCP connection that apparently originates from your WAN address.


If you are running a mail server or anything else that faces the 
Internet, hopefully you are using snort or suricata and are just trying 
to supplement with your own rules.  There is no way you could maintain 
an effective list of addresses to block with just your own rules.  You 
should also be using anti-spam measures on your mail server as well.


-
John J.
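The NAT-before-filter behaviour John describes, as an added Python model (not pfSense code, and not something posted in this thread): pf applies port forwards before the WAN filter rules are consulted, so the rule as posted (destination 190.6.79.98) cannot match forwarded port 25 traffic, while the same rule with destination any does. The mail server's LAN address 192.168.1.25 and the spam filter range 203.0.113.0/24 are assumptions; the alias `rechaza` and the other addresses come from the thread.

```python
"""Model of how pfSense (pf) decides an inbound WAN packet. Added example,
not pfSense code: port forwards (rdr) rewrite the destination *before* the
WAN rules run, so a block rule naming the public IP as destination never
matches forwarded traffic. LAN IP and filter range below are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "190.6.79.98"        # the WAN address from the thread
MAIL_LAN_IP = "192.168.1.25"     # assumed LAN address of the Postfix host
FILTER_RANGE = "203.0.113.0/24"  # placeholder for a spam filter's address range

# Firewall > Aliases: "rechaza" holds the spammer addresses (one from the thread)
ALIASES: Dict[str, List] = {"rechaza": [ip_network("185.234.217.232/32")]}

# NAT > Port Forward: (protocol, destination port) -> LAN target
PORT_FORWARDS: Dict[Tuple[str, int], str] = {("tcp", 25): MAIL_LAN_IP}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    label: str
    action: str                  # "block" or "pass"
    proto: str = "any"           # "any", "tcp", "udp", ...
    src: str = "any"             # "any", an alias name, or an address/CIDR
    dst: str = "any"
    dport: Optional[int] = None  # None means "any"


def apply_rdr(pkt: Packet) -> Packet:
    """pf applies rdr (port forwards) before filtering, so the WAN rules
    see the translated (LAN) destination for any forwarded port."""
    target = PORT_FORWARDS.get((pkt.proto, pkt.dport))
    if target is None:
        return pkt
    return Packet(pkt.proto, pkt.src, target, pkt.dport)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    nets = ALIASES.get(spec) or [ip_network(spec, strict=False)]
    return any(ip_address(addr) in net for net in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, str]:
    """Return (action, label of the deciding rule, destination as the filter
    saw it). Interface rules on pfSense are 'quick': the first match wins,
    and anything unmatched hits the default deny."""
    seen = apply_rdr(pkt)
    for rule in rules:
        if rule_matches(rule, seen):
            return rule.action, rule.label, seen.dst
    return "block", "default deny", seen.dst


# The rule from the thread as posted, plus the pass rule the port forward
# for 25/tcp carries (its destination is the mail server's LAN IP).
ORIGINAL = [
    Rule("block rechaza -> WAN IP", "block", "tcp", "rechaza", PUBLIC_IP),
    Rule("pass 25/tcp to mail", "pass", "tcp", "any", MAIL_LAN_IP, 25),
]

# The corrected rule: destination any, and protocol any so UDP is covered too.
FIXED = [
    Rule("block rechaza -> any", "block", "any", "rechaza", "any"),
    Rule("pass 25/tcp to mail", "pass", "tcp", "any", MAIL_LAN_IP, 25),
]

# Allow-list variant: only the spam filter's ranges may reach port 25 at all.
ALLOWLIST = [
    Rule("pass 25/tcp from filter", "pass", "tcp", FILTER_RANGE, MAIL_LAN_IP, 25),
]


if __name__ == "__main__":
    spam = Packet("tcp", "185.234.217.232", PUBLIC_IP, 25)
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("allowlist", ALLOWLIST)):
        print(name, evaluate(rules, spam))
```

Running the block prints the decision for the spammer's SMTP connection under the three rulesets; the label says which rule actually fired, which is the same question Status > System Logs > Firewall answers on a real box. The allow-list variant is Steve Yates's suggestion elsewhere in the thread: with no pass rule for other sources, the spammer falls through to the default deny whether or not it is on any block list.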

Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-21 Thread Alberto José García Fumero
On Fri, 18-05-2018 at 20:23 +0300, Eero Volotinen wrote:
> You should use postscreen/blacklist to block spam?
> 
> Eero
> 
Currently I'm using reject_rbl_client + sbnl.spamhaus.org,
cbl.abuseat.org and dul.dnsbl.sorbs.net.

I'll take a look at postscreen.

Thanks!


-- 
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work
you put into those hours.




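How the reject_rbl_client lookups mentioned above actually work, as an added Python example (not Postfix code and not from the thread): the client address is reversed label by label, the zone is appended, and an A record in 127.0.0.0/8 means "listed". The resolver below is a stand-in whose answers are constructed for illustration; the zone names are the three Alberto lists, the first written as Spamhaus publishes it (sbl.spamhaus.org). Only answers 127.0.0.2 through 127.0.0.11 are accepted, mirroring Postfix's `zone=127.0.0.[2..11]` syntax, so a DNSBL error code never turns into a rejection.

```python
"""DNSBL (RBL) client check as an MTA performs it. Added example, not Postfix
code: build the reversed query name, resolve it, and treat selected 127.0.0.x
answers as a listing. The resolver data below is constructed."""
import socket
from ipaddress import IPv4Address, ip_address
from typing import Callable, Dict, List, Optional, Tuple

# Zones as configured in the thread (the list message spells the first "sbnl")
ZONES = ["sbl.spamhaus.org", "cbl.abuseat.org", "dul.dnsbl.sorbs.net"]

# Only these answers count as "listed". Anything else (for example
# 127.255.255.x, which Spamhaus uses to signal query errors) is ignored,
# which is what "reject_rbl_client zone=127.0.0.[2..11]" does in Postfix.
LISTED_CODES = {f"127.0.0.{n}" for n in range(2, 12)}

Resolver = Callable[[str], List[str]]

# Constructed answers for a stand-in resolver; these listings are invented.
FAKE_ZONE_DATA: Dict[str, List[str]] = {
    "232.217.234.185.sbl.spamhaus.org": ["127.0.0.2"],
    "232.217.234.185.cbl.abuseat.org": ["127.0.0.2"],
    "9.100.51.198.sbl.spamhaus.org": ["127.255.255.254"],  # error code, not a listing
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for DNS: a missing name behaves like NXDOMAIN (no A records)."""
    return FAKE_ZONE_DATA.get(name, [])


def system_resolve(name: str) -> List[str]:
    """Real lookup through the system resolver; NXDOMAIN becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def rbl_query_name(addr: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, or all 32 IPv6
    nibbles reversed, each as its own label, followed by the zone."""
    ip = ip_address(addr)
    if isinstance(ip, IPv4Address):
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def check_client(addr: str, zones: List[str], resolve: Resolver) -> List[Tuple[str, str]]:
    """Return (zone, return code) for every zone that lists the client."""
    hits = []
    for zone in zones:
        for answer in resolve(rbl_query_name(addr, zone)):
            if answer in LISTED_CODES:
                hits.append((zone, answer))
                break
    return hits


def rbl_decision(addr: str, zones: List[str], resolve: Resolver) -> Optional[str]:
    """The SMTP reply an MTA would send for a listed client, in the style of
    Postfix's default rbl_reply; None means the client is not listed."""
    hits = check_client(addr, zones, resolve)
    if not hits:
        return None
    zone, _ = hits[0]
    return f"554 5.7.1 Service unavailable; Client host [{addr}] blocked using {zone}"


if __name__ == "__main__":
    for client in ("185.234.217.232", "198.51.100.9", "8.8.8.8"):
        print(client, rbl_decision(client, ZONES, fake_resolve))
```

system_resolve is there for a real query through the host resolver; Spamhaus and some other lists refuse queries arriving via large public resolvers and answer with an error code instead, which is exactly why filtering on the return code matters. postscreen, which Eero suggests, performs the same lookups but weights several lists against a threshold before the client ever reaches smtpd, so a single-list false positive is less costly.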

Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-18 Thread Eero Volotinen
You should use postscreen/blacklist to block spam?

Eero

On Fri, 18 May 2018 at 17:43 Alberto José García Fumero <
albe...@ettpartagas.co.cu> wrote:

> Hi all.
>
> I use pfSense 2.2.1. Of course I know it would be very convenient to
> upgrade, but right now it isn't possible.
>
> I'm trying to block spam (for instance, from 185.234.217.232).
> As far as I know, it's trying to pass as a message from my very net:
>
> Transcript of session follows.
> From:   Mail Delivery System
> To:     Postmaster
> Subject: Postfix SMTP server: errors from
> unknown[185.234.217.232]
> Date:   Fri, 18 May 2018 10:10:39 -0400 (CDT)
>  Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
>  In:  EHLO 190.6.79.98
>  Out: 250-partagas.ettpartagas.co.cu
>  Out: 250-PIPELINING
>  Out: 250-SIZE 1524
>  Out: 250-ETRN
>  Out: 250-STARTTLS
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN
>  In:  AUTH LOGIN
>  Out: 503 5.5.1 Error: authentication not enabled
>
> Session aborted, reason: lost connection
>
> For other details, see the local mail logfile
>
> but the MTA correctly rejects it as a fake.
>
> I have created an alias list (rechaza) in the menu Firewall/Aliases,
> where I put all the addresses known to be spammers, and tried to reject
> them with the rule in Firewall/Rules/WAN
>
> Action: Block
> Interface: WAN
> TCP/IP version: IPV4
> Protocol: TCP
> Source: (single host or alias) rechaza
> Destination: 190.6.79.98
> Destination port range: any
>
> but I can not stop the spam right in the WAN interface.
>
> How could I create a convenient rule?
>
> TIA,
>
> Fumero
>
> --
> M.Sc. Alberto García Fumero
> Linux user 97 138, registered 10/12/1998
> http://interese.cubava.cu
> It is not the hours you put into your work that count, but the work
> you put into those hours.
>
>
>
>

Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-18 Thread Steve Yates
The "EHLO 190.6.79.98" greeting is not looked at by the firewall so that can be 
ignored.

Can you enable logging on the rule allowing port 25, and verify where the 
packets are actually coming from?

In most cases we set our clients up with our spam filter and the inbound port 
25 rule allows connections only from the spam filter server IP ranges...

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Alberto José García 
Fumero
Sent: Friday, May 18, 2018 11:52 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] How could I block messages trying to pass as from my net?

On Fri, 18-05-2018 at 16:24 +, Steve Yates wrote:
>   I think your rule should work.  Are you sure there is not
> another rule above that one in the list of rules, that allows the
> inbound connection?  In other words the block rule has to be above
> the rule allowing traffic on port 25 to your mail server.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
That rule is the third in the WAN section, after the one blocking rfc
1918 networks and the one blocking bogon networks.

Could I create a rule saying, for instance: "reject packets originating
(apparently!) from the WAN address and directed to my WAN address? (as
they are trying to forge identity) 

Should that work?
-- 
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work
you put into those hours.





Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-18 Thread Alberto José García Fumero
On Fri, 18-05-2018 at 16:24 +, Steve Yates wrote:
>   I think your rule should work.  Are you sure there is not
> another rule above that one in the list of rules, that allows the
> inbound connection?  In other words the block rule has to be above
> the rule allowing traffic on port 25 to your mail server.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
That rule is the third in the WAN section, after the one blocking rfc
1918 networks and the one blocking bogon networks.

Could I create a rule saying, for instance: "reject packets originating
(apparently!) from the WAN address and directed to my WAN address? (as
they are trying to forge identity) 

Should that work?
-- 
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work
you put into those hours.





Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-18 Thread Steve Yates
I think your rule should work.  Are you sure there is not another rule 
above that one in the list of rules, that allows the inbound connection?  In 
other words the block rule has to be above the rule allowing traffic on port 25 
to your mail server.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Alberto José García 
Fumero
Sent: Friday, May 18, 2018 9:42 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] How could I block messages trying to pass as from my net?

Hi all.

I use pfSense 2.2.1. Of course I know it would be very convenient to
upgrade, but right now it isn't possible.

I'm trying to block spam (for instance, from 185.234.217.232).
As far as I know, it's trying to pass as a message from my very net:

Transcript of session follows.
From:   Mail Delivery System <mailer-dae...@partagas.ettpartagas.co.cu>
To:     Postmaster <postmas...@ettpartagas.co.cu>
Subject: Postfix SMTP server: errors from
unknown[185.234.217.232]
Date:   Fri, 18 May 2018 10:10:39 -0400 (CDT)
 Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
 In:  EHLO 190.6.79.98
 Out: 250-partagas.ettpartagas.co.cu
 Out: 250-PIPELINING
 Out: 250-SIZE 1524
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH LOGIN
 Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

For other details, see the local mail logfile

but the MTA correctly rejects it as a fake.

I have created an alias list (rechaza) in the menu Firewall/Aliases,
where I put all the addresses known to be spammers, and tried to reject
them with the rule in Firewall/Rules/WAN

Action: Block
Interface: WAN
TCP/IP version: IPV4
Protocol: TCP
Source: (single host or alias) rechaza
Destination: 190.6.79.98
Destination port range: any

but I can not stop the spam right in the WAN interface.

How could I create a convenient rule?

TIA,

Fumero  

-- 
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work
you put into those hours.





[pfSense] How could I block messages trying to pass as from my net?

2018-05-18 Thread Alberto José García Fumero
Hi all.

I use pfSense 2.2.1. Of course I know it would be very convenient to
upgrade, but right now it isn't possible.

I'm trying to block spam (for instance, from 185.234.217.232).
As far as I know, it's trying to pass as a message from my very net:

Transcript of session follows.
From:   Mail Delivery System
To:     Postmaster
Subject: Postfix SMTP server: errors from
unknown[185.234.217.232]
Date:   Fri, 18 May 2018 10:10:39 -0400 (CDT)
 Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
 In:  EHLO 190.6.79.98
 Out: 250-partagas.ettpartagas.co.cu
 Out: 250-PIPELINING
 Out: 250-SIZE 1524
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH LOGIN
 Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

For other details, see the local mail logfile

but the MTA correctly rejects it as a fake.

I have created an alias list (rechaza) in the menu Firewall/Aliases,
where I put all the addresses known to be spammers, and tried to reject
them with the rule in Firewall/Rules/WAN

Action: Block
Interface: WAN
TCP/IP version: IPV4
Protocol: TCP
Source: (single host or alias) rechaza
Destination: 190.6.79.98
Destination port range: any

but I can not stop the spam right in the WAN interface.

How could I create a convenient rule?

TIA,

Fumero  

-- 
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work
you put into those hours.





[pfSense] How to setup PPPoE Server, doubts.

2018-02-01 Thread Periko Support
 Hi guys.

 I have followed videos and web pages to set up and test the PPPoE server under
Pfsense 2.4.2-p1 (latest); it looks very easy.

 But no luck.

 I want to test this setup, this is my network.

 LAN -> 192.168.1.0/24
 WAN -> DHCP

 Here no issue, I can communicate and navigate on Internet.

 I want to share my connection for pppoe users inside my lan with pfsense.

 My box has a DHCP (LAN) server, 192.168.1.50-80; do I need to disable it?

 pppoe server setup, please correct me If I do something wrong, I want to learn.

1) Interface: LAN
2) Server address: 192.168.1.10(free)
3) Subnet: /24
4) Remote address range: 192.168.1.100
5) DNS Servers clear, It will use LAN settings?
6) Radius N/A
7) Create some users with IP
userA:Psw:192.168.100
userB:Psw:192.168.101

Done. Is this correct?

Now, I have opened the firewall for this interface (I still don't see any
packets coming).

Where can I stop/start the service?

I opened a Windows 7 machine and created a new connection; I gave the
username and password and tried to connect, but no luck. I don't see any logs in
System Logs -> PPP.

If I want to manage download/upload limits, do I need a RADIUS server?

Am I forgetting something?

Pfsense 2.4.2 p1

Thanks all for your time, any comment will be appreciated.


[pfSense] How to Block Malicious Address by Using Feed Service?

2017-06-20 Thread ibrahim uçar
Hi all,

I have written an article about how to block malicious websites using
pfBlockerNG and I wanted to share it with you guys. You can access
this article from my blog or SlideShare.

Blog :
 http://lifeoverlinux.com/how-to-block-malicious-address-by-using-feed-service/


Slideshare :
https://www.slideshare.net/ibrahimucar39545464/how-to-block-malicious-address-by-using-feed-service


Thank you.


--

*İbrahim UÇAR*

Blogger |  http://lifeoverlinux.com

Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-16 Thread WebDawg
You know, the way the package system is set up now, we should be able to
get bad packages into pfSense in a better way.  I wonder if we can have a
chroot environment and a manually installed packages part of pfSense.

On May 16, 2017 6:12 PM, "Steve Yates" <st...@teamits.com> wrote:

Supposedly one can just install FreeBSD packages (https://doc.pfsense.org/
index.php/Installing_FreeBSD_Packages ) along with manually installing any
dependencies, but as the page says it "may break the firewall."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sean
Cavanaugh
Sent: Tuesday, May 16, 2017 4:59 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4

Best practice is to run as few services as possible on a firewall to reduce
the possible attack footprint. The more services you run on the firewall,
the more vulnerable it becomes to being broken into.

That is why the recommendation to virtualize the box and at least logically
partition the services away from affecting the firewall.



-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
rai...@ultra-secure.de
Sent: Tuesday, May 16, 2017 8:04 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4


Am 2017-05-16 13:30, schrieb Sean Cavanaugh:
> The only sane way to do this on a single box would be by installing a
> hypervisor on the server ( such as VMware ESXi) and running pfsense as
> a virtual machine within it as well as a second virtual machine to
> host any other non-firewall related applications (MySQL, FreeRADIUS).
>
> There is obviously going to be a performance hit from sharing the
> resources but should be minimal if all you are doing is hosting a user
> database and RADIUS server for pfSense.



While it may not be the most clever idea, technically it should be
possible, right?

I'm not too familiar with the inner workings of pfSense - but I assume
there is a partition or directory in the installation that (provided
pfSense is installed on a HD and not a read-only medium) persists data over
reboots.

One would need to start it with that directory as dbdir.

It's possible to run Snort, haproxy. So, why not MySQL?

OP will have to learn how to create packages, and store the
configuration:
https://doc.pfsense.org/index.php/Developing_Packages


Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-16 Thread Steve Yates
Supposedly one can just install FreeBSD packages 
(https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages ) along with 
manually installing any dependencies, but as the page says it "may break the 
firewall."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sean Cavanaugh
Sent: Tuesday, May 16, 2017 4:59 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4

Best practice is to run as few services as possible on a firewall to reduce the 
possible attack footprint. The more services you run on the firewall, the more 
vulnerable it becomes to being broken into.

That is why the recommendation to virtualize the box and at least logically 
partition the services away from affecting the firewall.



-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of 
rai...@ultra-secure.de
Sent: Tuesday, May 16, 2017 8:04 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4


Am 2017-05-16 13:30, schrieb Sean Cavanaugh:
> The only sane way to do this on a single box would be by installing a 
> hypervisor on the server ( such as VMware ESXi) and running pfsense as 
> a virtual machine within it as well as a second virtual machine to 
> host any other non-firewall related applications (MySQL, FreeRADIUS).
> 
> There is obviously going to be a performance hit from sharing the 
> resources but should be minimal if all you are doing is hosting a user 
> database and RADIUS server for pfSense.



While it may not be the most clever idea, technically it should be possible, 
right?

I'm not too familiar with the inner workings of pfSense - but I assume there is 
a partition or directory in the installation that (provided pfSense is 
installed on a HD and not a read-only medium) persists data over reboots.

One would need to start it with that directory as dbdir.

It's possible to run Snort, haproxy. So, why not MySQL?

OP will have to learn how to create packages, and store the
configuration:
https://doc.pfsense.org/index.php/Developing_Packages


Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-16 Thread Sean Cavanaugh
Best practice is to run as few services as possible on a firewall to reduce the 
possible attack footprint. The more services you run on the firewall, the more 
vulnerable it becomes to being broken into.

That is why the recommendation to virtualize the box and at least logically 
partition the services away from affecting the firewall.



-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of 
rai...@ultra-secure.de
Sent: Tuesday, May 16, 2017 8:04 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4


Am 2017-05-16 13:30, schrieb Sean Cavanaugh:
> The only sane way to do this on a single box would be by installing a 
> hypervisor on the server ( such as VMware ESXi) and running pfsense as 
> a virtual machine within it as well as a second virtual machine to 
> host any other non-firewall related applications (MySQL, FreeRADIUS).
> 
> There is obviously going to be a performance hit from sharing the 
> resources but should be minimal if all you are doing is hosting a user 
> database and RADIUS server for pfSense.



While it may not be the most clever idea, technically it should be possible, 
right?

I'm not too familiar with the inner workings of pfSense - but I assume there is 
a partition or directory in the installation that (provided pfSense is 
installed on a HD and not a read-only medium) persists data over reboots.

One would need to start it with that directory as dbdir.

It's possible to run Snort, haproxy. So, why not MySQL?

OP will have to learn how to create packages, and store the
configuration:
https://doc.pfsense.org/index.php/Developing_Packages


Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-16 Thread rainer


Am 2017-05-16 13:30, schrieb Sean Cavanaugh:

The only sane way to do this on a single box would be by installing a
hypervisor on the server ( such as VMware ESXi) and running pfsense as
a virtual machine within it as well as a second virtual machine to
host any other non-firewall related applications (MySQL, FreeRADIUS).

There is obviously going to be a performance hit from sharing the
resources but should be minimal if all you are doing is hosting a user
database and RADIUS server for pfSense.




While it may not be the most clever idea, technically it should be 
possible, right?


I'm not too familiar with the inner workings of pfSense - but I assume 
there is a partition or directory in the installation that (provided 
pfSense is installed on a HD and not a read-only medium) persists data 
over reboots.


One would need to start it with that directory as dbdir.

It's possible to run Snort, haproxy. So, why not MySQL?

OP will have to learn how to create packages, and store the 
configuration:

https://doc.pfsense.org/index.php/Developing_Packages


Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-16 Thread Sean Cavanaugh
The only sane way to do this on a single box would be by installing a 
hypervisor on the server ( such as VMware ESXi) and running pfsense as a 
virtual machine within it as well as a second virtual machine to host any other 
non-firewall related applications (MySQL, FreeRADIUS).

There is obviously going to be a performance hit from sharing the resources but 
should be minimal if all you are doing is hosting a user database and RADIUS 
server for pfSense.



-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of mohsen Abbaspour
Sent: Tuesday, May 16, 2017 12:27 AM
To: list@lists.pfsense.org
Subject: [pfSense] How To install MySQL on Pfsense 2.4

Hello everyone
English is not my first language; excuse me for mistakes.

I know that this is a repeated question: "How to install MySQL on
pfSense?"

But I searched almost every topic about that, and finally I don't understand
what the correct solution is. Maybe install MySQL on pfSense 2.4? If the
answer is yes, how do I do that? If the answer is no, what is the
alternative solution?

Integrating FreeRADIUS and MySQL is my reason for the MySQL installation;
I want to group my Internet users and have separate groups.
So thanks.


-- 




Check out my professional profile and connect with me on LinkedIn.
http://lnkd.in/RqFEqH


Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-16 Thread mohsen Abbaspour
Thanks for your consideration.
Unfortunately my resource limitations don't allow me to run another
machine; I have to install MySQL and pfSense on the same machine.
Best Regards

On Tue, May 16, 2017 at 9:07 AM, Erik Anderson  wrote:

> pfSense is a purpose-built router distribution, not a general-purpose
> OS. While it may be possible to do what you propose, you *should not*
> do this. Instead, if you require a database server, host it on a
> separate machine.
>
> On Mon, May 15, 2017 at 11:27 PM, mohsen Abbaspour
>  wrote:
> > Hello everyone
> > English is not my first language; excuse me for mistakes.
> >
> > I know that this is a repeated question: "How to install MySQL on
> > pfSense?"
> >
> > But I searched almost every topic about that, and finally I don't
> > understand what the correct solution is. Maybe install MySQL on pfSense 2.4?
> > If the answer is yes, how do I do that? If the answer is no, what is the
> > alternative solution?
> >
> > Integrating FreeRADIUS and MySQL is my reason for the MySQL installation;
> > I want to group my Internet users and have separate groups.
> > So thanks.
> >
> >
> > --
> >
> >
> >
> >
> > Check out my professional profile and connect with me on LinkedIn.
> > http://lnkd.in/RqFEqH
>



-- 




Check out my professional profile and connect with me on LinkedIn.
http://lnkd.in/RqFEqH


Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-15 Thread Erik Anderson
pfSense is a purpose-built router distribution, not a general-purpose
OS. While it may be possible to do what you propose, you *should not*
do this. Instead, if you require a database server, host it on a
separate machine.

On Mon, May 15, 2017 at 11:27 PM, mohsen Abbaspour
 wrote:
> Hello everyone,
> English is not my first language; excuse me for mistakes.
>
> I know that this is a repetitive question: "How to install MySQL on
> pfSense?"
>
> But I searched almost every topic about that, and I still don't understand
> what the correct solution is. Maybe install MySQL on pfSense 2.4? If the
> answer is yes, how do I do that? If the answer is no, what is the
> alternative solution?
>
> Integrating FreeRADIUS and MySQL is my reason for the MySQL installation;
> I want to group my internet users and have separate groups.
> So, thanks.
>
>
> --
>
>
>
>
> Check out my professional profile and connect with me on LinkedIn.
> http://lnkd.in/RqFEqH


[pfSense] How To install MySQL on Pfsense 2.4

2017-05-15 Thread mohsen Abbaspour
Hello everyone,
English is not my first language; excuse me for mistakes.

I know that this is a repetitive question: "How to install MySQL on
pfSense?"

But I searched almost every topic about that, and I still don't understand
what the correct solution is. Maybe install MySQL on pfSense 2.4? If the
answer is yes, how do I do that? If the answer is no, what is the
alternative solution?

Integrating FreeRADIUS and MySQL is my reason for the MySQL installation;
I want to group my internet users and have separate groups.
So, thanks.


-- 




Check out my professional profile and connect with me on LinkedIn.
http://lnkd.in/RqFEqH


Re: [pfSense] How to ...

2017-02-22 Thread Walter Parker
One thing to consider with a DNS-query-to-mapping system is the effect of
DNS caching. Many systems now have local caches, so you will only see the
DNS lookup once. For the traffic flows, you might want to look at NetFlow.
It can be set up to send the data to a collector system and you will be able
to see addresses, bandwidth and protocol types.


Walter

On Wed, Feb 22, 2017 at 6:44 PM, Richard A. Relph 
wrote:

> Hi,
> I have to believe this is doable on an SG-2440. But I don’t have the
> expertise to implement it.
> I have configured the software to force all DNS connections through
> the SG-2440 (except for 1 or 2 IoT devices that seem to insist on talking
> to their manufacturer’s DNS servers - bad form, in my opinion.)
> What I’d like to do now is monitor all outgoing traffic and pair the
> IP address it is destined for against the DNS requests.
> I’d further like at least a report - and possibly block - outbound
> traffic that is destined for a “hard-coded” IP address.
> And, naturally, I’d like a report of all DNS requests and how much
> traffic is exchanged with each and when.
> The effort is an attempt to discover software running inside my
> network that might be “undesirable”.
> Any pointers, suggested reading, etc. would be greatly appreciated.
> I’m not incompetent, just uneducated.
> Thanks,
> Richard




-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] How to ...

2017-02-22 Thread Richard A. Relph
Hi,
I have to believe this is doable on an SG-2440. But I don’t have the expertise 
to implement it.
I have configured the software to force all DNS connections through the 
SG-2440 (except for 1 or 2 IoT devices that seem to insist on talking to their 
manufacturer’s DNS servers - bad form, in my opinion.)
What I’d like to do now is monitor all outgoing traffic and pair the IP 
address it is destined for against the DNS requests.
I’d further like at least a report - and possibly block - outbound traffic 
that is destined for a “hard-coded” IP address.
And, naturally, I’d like a report of all DNS requests and how much traffic 
is exchanged with each and when.
The effort is an attempt to discover software running inside my network 
that might be “undesirable”.
Any pointers, suggested reading, etc. would be greatly appreciated. I’m not 
incompetent, just uneducated.
Thanks,
Richard

[pfSense] pfsense: how to route all traffic via ipsec?

2016-11-08 Thread Eero Volotinen
How do I configure this kind of setup on pfSense?

Eero


Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so entries?

2016-10-05 Thread Juan Pablo
pfblockerng = IPs
squid = http/https
pfblockerng under DNSBL options/settings, that's for DNS. *
bind = DNS. *

* you need to use one of those, and 'block' under the root domain the .cn
etc.





2016-09-30 17:08 GMT-03:00 Benjamin E. Nichols <webmas...@squidblacklist.org
>:

> Forgive me, but those aren't DNS blacklists, they are just CCID IP
> blacklists.
>
> This thread clearly has absolutely nothing to do with DNS blacklists.
>
>
>
>
> On 9/30/2016 2:23 PM, Steve Yates wrote:
>
>> Basically, but doing it directly would avoid dealing with the
>> package.  I guess it's just down to how often the chosen list is updated.
>> And, if it's just via allocation, aren't they done allocating IPv4 blocks...
>>
>> --
>>
>> Steve Yates
>> ITS, Inc.
>>
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
>> Khera
>> Sent: Friday, September 30, 2016 2:19 PM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: Re: [pfSense] how does on create a DNS blacklist with aout 1000
>> or so entries?
>>
>> On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle <supp...@drdos.info> wrote:
>>
>>> On 09/30/2016 11:53 AM, Steve Yates wrote:
>>>
>>>> So you could keep your list somewhere else on a web server.
>>>>
>>>
>>> This is what I do.
>>>
>>> And I grab the list from
>>>
>>> http://www.wizcrafts.net/chinese-iptables-blocklist.html
>>>
>>> Once a month
>>>
>>> Isn't this more or less what pfBlockerNG does for you automatically?
>>
>>
>>
> --
> --
>
> Signed,
>
> Benjamin E. Nichols
> http://www.squidblacklist.org
>
> 1-405-397-1360 - Call Anytime.
>
>


Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so entries?

2016-09-30 Thread Benjamin E. Nichols
Forgive me, but those aren't DNS blacklists, they are just CCID IP 
blacklists.


This thread clearly has absolutely nothing to do with DNS blacklists.



On 9/30/2016 2:23 PM, Steve Yates wrote:

Basically, but doing it directly would avoid dealing with the package.  
I guess it's just down to how often the chosen list is updated.  And, if it's 
just via allocation, aren't they done allocating IPv4 blocks...

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
Sent: Friday, September 30, 2016 2:19 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so 
entries?

On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle <supp...@drdos.info> wrote:

On 09/30/2016 11:53 AM, Steve Yates wrote:

So you could keep your list somewhere else on a web server.


This is what I do.

And I grab the list from

http://www.wizcrafts.net/chinese-iptables-blocklist.html

Once a month


Isn't this more or less what pfBlockerNG does for you automatically?




--
--

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org

1-405-397-1360 - Call Anytime.



Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so entries?

2016-09-30 Thread Steve Yates
Basically, but doing it directly would avoid dealing with the package.  
I guess it's just down to how often the chosen list is updated.  And, if it's 
just via allocation, aren't they done allocating IPv4 blocks...

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
Sent: Friday, September 30, 2016 2:19 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so 
entries?

On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle <supp...@drdos.info> wrote:
> On 09/30/2016 11:53 AM, Steve Yates wrote:
>>
>> So you could keep your list somewhere else on a web server.
>
>
> This is what I do.
>
> And I grab the list from
>
> http://www.wizcrafts.net/chinese-iptables-blocklist.html
>
> Once a month
>

Isn't this more or less what pfBlockerNG does for you automatically?


Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so entries?

2016-09-30 Thread Vick Khera
On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle  wrote:
> On 09/30/2016 11:53 AM, Steve Yates wrote:
>>
>> So you could keep your list somewhere else on a web server.
>
>
> This is what I do.
>
> And I grab the list from
>
> http://www.wizcrafts.net/chinese-iptables-blocklist.html
>
> Once a month
>

Isn't this more or less what pfBlockerNG does for you automatically?


Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so entries?

2016-09-30 Thread Doug Lytle

On 09/30/2016 11:53 AM, Steve Yates wrote:

So you could keep your list somewhere else on a web server.


This is what I do.

And I grab the list from

http://www.wizcrafts.net/chinese-iptables-blocklist.html

Once a month

Doug




Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so entries?

2016-09-30 Thread Steve Yates
A package like pfBlockerNG will maintain such a list for you.

An alternative, maybe, is that one can set up a "firewall URL alias" that pulls 
its data from a URL.  For instance pfBlockerNG sets them up on our router and 
then refers to them as 
"https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_Africa_v4".  So you 
could keep your list somewhere else on a web server.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of qmail
Sent: Friday, September 30, 2016 10:30 AM
To: list@lists.pfsense.org
Subject: [pfSense] how does on create a DNS blacklist with aout 1000 or so 
entries?

I'd like to blacklist all of mainland China, Russia, Korea, ...
I could have done it by creating a DNS with just those entries.
I don't see a way to add in BULK a list of the bad boys of the internet.



Re: [pfSense] how does on create a DNS blacklist with aout 1000 or so entries?

2016-09-30 Thread Todd Russell
Create an alias for all those IPs under Firewall > Aliases, then use that
alias in your rules.

Peace,
Todd Russell
Director of IT and Webmaster
Saint Joseph Abbey and Seminary College
985-867-2266
985-789-4319

Please consider helping Saint Joseph Abbey and Seminary College recover
from the devastating flood waters that overtook our campus on March 11,
2016.
http://helptheabbey.com

---

http://saintjosephabbey.com

For IT Requests, please submit a ticket at:
https://docs.google.com/forms/d/1e3PCRvnEVNU5-rVFolf9zivA9-m41Nj07eDjjCtFwpI/viewform?usp=send_form#start=invite

On Fri, Sep 30, 2016 at 10:29 AM, qmail  wrote:

> I'd like to blacklist all of mainland China, Russia, Korea, ...
> I could have done it by creating a DNS with just those entries.
> I don't see a way to add in BULK a list of the bad boys of the internet.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
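Steve's URL-table alias and Todd's plain alias both depend on the list file being clean: one IP or CIDR per line and nothing else. The script below is an added example, not pfSense's or pfBlockerNG's code. It takes a constructed feed in the shape qmail would download, drops hostnames and invalid addresses, merges overlapping and adjacent prefixes, and warns when an entry overlaps a network you must keep reachable; the NEVER_BLOCK value and the comment styles in the sample are constructed placeholders. Its output is the file you would publish on the web server that the URL alias fetches.

```python
"""Normalise a downloaded IP blocklist into a clean one-entry-per-line table.

Added example for this thread; not code from pfSense or pfBlockerNG. The
sample list, the comment styles and the NEVER_BLOCK network are constructed.
"""
import ipaddress

# Constructed sample of a fetched list: mixed comment styles, stray whitespace,
# a host already covered by a larger block, a hostname, an invalid address,
# an IPv6 prefix, and a block that overlaps something we must keep reachable.
RAW_LIST = """\
# country feed, constructed for the example
1.2.3.0/24
1.2.3.77          ; already inside 1.2.3.0/24
  5.6.6.0/24
5.6.7.0/24
bad.example.com   # hostnames do not belong in an IP table
300.1.1.1
2001:db8:dead::/48
203.0.113.0/24
"""

# Networks that must never end up in a block table, e.g. a partner's mail
# relay or a monitoring host (constructed value).
NEVER_BLOCK = [ipaddress.ip_network("203.0.113.64/26")]


def parse_entries(text):
    """Return (networks, rejected) where rejected is [(lineno, token)]."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        token = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not token:
            continue
        try:
            # strict=False accepts host bits set, as many feeds publish them
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            rejected.append((lineno, token))
    return nets, rejected


def collapse(nets):
    """Merge overlapping and adjacent prefixes, one address family at a time."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def conflicts(nets, never_block):
    """List (entry, protected) pairs where a block entry overlaps a protected net."""
    return [(str(n), str(p)) for n in nets for p in never_block
            if n.version == p.version and n.overlaps(p)]


def build_table(text=RAW_LIST, never_block=NEVER_BLOCK):
    """Return (table_lines, rejected, clashes). Publish table_lines only when
    clashes is empty or after carving the protected ranges out."""
    nets, rejected = parse_entries(text)
    merged = collapse(nets)
    return [str(n) for n in merged], rejected, conflicts(merged, never_block)


if __name__ == "__main__":
    lines, rejected, clashes = build_table()
    print("\n".join(lines))
    for lineno, token in rejected:
        print(f"# rejected line {lineno}: {token!r}")
    for entry, protected in clashes:
        print(f"# WARNING {entry} overlaps protected {protected}")
```

The merge step matters for large country lists: it shrinks the table the firewall has to load, and it makes the overlap check meaningful, since a protected host hidden inside a merged /23 is caught once rather than missed across several fragments. If a clash is reported, `IPv4Network.address_exclude` can carve the protected range out before the file is published.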


[pfSense] how does on create a DNS blacklist with aout 1000 or so entries?

2016-09-30 Thread qmail

I'd like to blacklist all of mainland China, Russia, Korea, ...
I could have done it by creating a DNS with just those entries.
I don't see a way to add in BULK a list of the bad boys of the internet.


[pfSense] how to find interface router

2016-09-08 Thread Nenhum_de_Nos
Hello all,

I am looking into the pfSense .inc files to find out how pfSense gets the router 
for a DHCP or PPPoE interface. So far I have found out that it stores that info in 
/tmp/IF_router. As I know nothing about PHP, I would appreciate any hint. I found the 
line that writes the /tmp/IF_output and I found the line that reads the 
/tmp/IF_router, but I miss everything in between.

My goal is to take that info and use it in a pf route-to script.

thanks,

matheus

-- 
Nenhum_de_Nos 


Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 4:03 PM, Steve Yates  wrote:

> I suspect package compatibility is not maintained on a per-pfSense-version 
> basis. Meaning, packages worked on 2.x up until the package changes on 2.3, 
> and probably will work on into the future until the next breaking change.
> 
> https://doc.pfsense.org/index.php/Upgrade_Guide#pfSense_2.3_Upgrade_Guide has 
> text:
> See Package Port List for a list of packages currently available on 2.3.
> Links to -> https://doc.pfsense.org/index.php/Package_Port_List
> 
> Also, from the blog entry on the 2.3.1 release:
> https://doc.pfsense.org/index.php/2.3_Removed_Packages

Thanks.  The "port list" page doesn't agree with the list supplied by compdoc's 
response, which appeared to be from a running and current pfSense.  E.g., nut 
(the one that's a "must" for us) isn't listed.

Since this is an item that's critical to many pfSense users, I have submitted a 
feature request (https://redmine.pfsense.org/issues/6500).



Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Rainer Duffner

> Am 18.06.2016 um 01:03 schrieb Steve Yates :
> 
> I suspect package compatibility is not maintained on a per-pfSense-version 
> basis.  Meaning, packages worked on 2.x up until the package changes on 2.3, 
> and probably will work on into the future until the next breaking change.
> 
> https://doc.pfsense.org/index.php/Upgrade_Guide#pfSense_2.3_Upgrade_Guide has 
> text:
> See Package Port List for a list of packages currently available on 2.3.
> Links to -> https://doc.pfsense.org/index.php/Package_Port_List
> 
> Also, from the blog entry on the 2.3.1 release:
> https://doc.pfsense.org/index.php/2.3_Removed_Packages



That list is incomplete at best.

I installed bind recently (in a pfSense test-vm). I haven’t tried it, but I 
assume if it’s packaged, it works.

I dare say the current state of the documentation of the project is sub-optimal.



Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Steve Yates
I suspect package compatibility is not maintained on a per-pfSense-version basis. 
 Meaning, packages worked on 2.x up until the package changes on 2.3, and 
probably will work on into the future until the next breaking change.

https://doc.pfsense.org/index.php/Upgrade_Guide#pfSense_2.3_Upgrade_Guide has 
text:
See Package Port List for a list of packages currently available on 2.3.
Links to -> https://doc.pfsense.org/index.php/Package_Port_List

Also, from the blog entry on the 2.3.1 release:
https://doc.pfsense.org/index.php/2.3_Removed_Packages


--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bryan D.
Sent: Friday, June 17, 2016 5:18 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How to determine supported packages without installing

On 2016-Jun-17, at 2:35 PM, compdoc <comp...@hotrodpc.com> wrote:
> I think this is complete:
> <snip'd>

Thanks.  Looks like I can proceed with an update to 2.3.

Regardless, I still think there should be a way to authoritatively determine 
this info via the pfSense web site -- ideally, for all releases, minimally for 
the current release.  Perhaps the generation of such a page could be added to 
the build/release tools?  Alternatively, porting pfSense's packages pages to 
run on the pfSense site could provide the current-release info.


Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
I didn't even realize that Nut was back. That's great. 





Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
I'm sure there's a webpage with the list, but this seemed something I could
do easily while waiting for a proper response. 





-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bryan D.
Sent: Friday, June 17, 2016 4:18 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] How to determine supported packages without
installing

On 2016-Jun-17, at 2:35 PM, compdoc <comp...@hotrodpc.com> wrote:
> I think this is complete:
> <snip'd>

Thanks.  Looks like I can proceed with an update to 2.3.

Regardless, I still think there should be a way to authoritatively determine
this info via the pfSense web site -- ideally, for all releases, minimally
for the current release.  Perhaps the generation of such a page could be
added to the build/release tools?  Alternatively, porting pfSense's packages
pages to run on the pfSense site could provide the current-release info.



Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 2:35 PM, compdoc  wrote:
> I think this is complete:
> 

Thanks.  Looks like I can proceed with an update to 2.3.

Regardless, I still think there should be a way to authoritatively determine 
this info via the pfSense web site -- ideally, for all releases, minimally for 
the current release.  Perhaps the generation of such a page could be added to 
the build/release tools?  Alternatively, porting pfSense's packages pages to 
run on the pfSense site could provide the current-release info.



Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
I think this is complete:

2.3.1-RELEASE-p5 (amd64)
 built on Thu Jun 16 12:53:15 CDT 2016
FreeBSD 10.3-RELEASE-p3

arping                 1.2.2_1
AutoConfigBackup       1.45
Avahi                  1.11_2
Backup                 0.4_1
bind                   9.10_8
blinkled               0.4.7_1
Cron                   0.3.6_2
darkstat               3.1.2_1
freeradius2            1.7.3_1
FTP_Client_Proxy       0.3_2
gwled                  0.2.4_1
haproxy                0.47
haproxy-devel          0.47
iftop                  0.17_2
iperf                  2.0.5.5_1
LADVD                  1.2.1_2
Lightsquid             3.0.4
mailreport             3.0_1
mtr-nox11              0.85.6_1
nmap                   1.4.4_1
Notes                  0.2.9_2
nrpe                   2.3.1_1
nut                    2.3.0
OpenBGPD               0.11_4
Open-VM-Tools          1280544.13_2
openvpn-client-export  1.3.8
Quagga_OSPF            0.6.13
routed                 1.2.3_2
RRD_Summary            1.3.1_2
Service_Watchdog       1.8.3
Shellcmd               1.0.2_2
siproxd                1.1.2_2
softflowd              1.2.1_2
squid                  0.4.18
squidGuard             1.14_3
sudo                   0.2.9_2
suricata               3.0_7
syslog-ng              1.1.2_3
System_Patches         1.1.4_1
zabbix-agent           0.8.9_2
zabbix-proxy           0.8.9_2



Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 2:02 PM, Peder Rovelstad  wrote:
> This help?  https://forum.pfsense.org/index.php?topic=8640.0

Thanks, but I don't see anything there that tells me what the current packages 
are for pfSense 2.3.1 Update 5 (i.e., without having to first install pfSense 
2.3.1 Update 5).



Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Peder Rovelstad
This help?  https://forum.pfsense.org/index.php?topic=8640.0


-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bryan D.
Sent: Friday, June 17, 2016 3:23 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] How to determine supported packages without installing

How does one determine the currently supported packages for the current
released version of pfSense without installing pfSense first?

I did find https://doc.pfsense.org/index.php/Features_List but, since
there's no stated pfSense version associated with the page and since I've
found it to be inaccurate in the past, I wouldn't trust it.

I also found https://www.pfsense.org/get-support/supported-packages.html
(though its "breadcrumb" shows it as being "Home | Support | Supported
Packages", it's not linked on https://www.pfsense.org/get-support/).  I
suspect this may be the current one but, again, there's no associated
pfSense version stated so ... ???

In my case, there's one package I require to be supported before we can
update to 2.3, so this information is a pre-requisite to updating.

BTW, a site-search capability would be nice, on the pfSense home page.



[pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D .
How does one determine the currently supported packages for the current 
released version of pfSense without installing pfSense first?

I did find https://doc.pfsense.org/index.php/Features_List but, since there's 
no stated pfSense version associated with the page and since I've found it to 
be inaccurate in the past, I wouldn't trust it.

I also found https://www.pfsense.org/get-support/supported-packages.html 
(though its "breadcrumb" shows it as being "Home | Support | Supported 
Packages", it's not linked on https://www.pfsense.org/get-support/).  I suspect 
this may be the current one but, again, there's no associated pfSense version 
stated so ... ???

In my case, there's one package I require to be supported before we can update 
to 2.3, so this information is a pre-requisite to updating.

BTW, a site-search capability would be nice, on the pfSense home page.



Re: [pfSense] How to manually update 2.3 onwards?

2016-05-30 Thread WebDawg
On Wed, May 25, 2016 at 2:00 PM, Chris Buechler  wrote:

> On Tue, May 24, 2016 at 8:08 AM, Pete Boyd 
> wrote:
> > I have a pfSense 2.3.0_1 which has had an issue connecting to
> > pfsense.com to check for updates for years. That's not the issue, as far
> > as I believe. Perhaps its LAN and WAN are mistakenly the wrong way
> > around. It routes between two LANs. Anyway I always update it manually
> > by downloading a tgz file.
> >
> > With 2.3.0_1 it appears to offer no means of manually updating, giving
> > these error messages on the System > Update screen [1].
> > I see the release notes say "Removed "full update" or "full slice"
> > upgrade for systems on 2.3 to later versions" - is this what I am seeing?
> >
> > How do I manually update pfSense now please?
> >
>
> There currently is no means of doing so, the system must be online.
>
> The errors from pkg you posted make it seem like the box is behind a
> captive portal maybe, so it's fetching a portal page rather than the
> pkg files.
Is there any way to clone the pfSense pkg repo?


Re: [pfSense] How to manually update 2.3 onwards?

2016-05-30 Thread Wue Bob

On 25/05/16 22:00, Chris Buechler wrote:
>
>> ...

>> With 2.3.0_1 it appears to offer no means of manually updating, giving
>> these error messages on the System > Update screen [1].
>> I see the release notes say "Removed "full update" or "full slice"
>> upgrade for systems on 2.3 to later versions" - is this what I am seeing?
>>
>> How do I manually update pfSense now please?
>>
> There currently is no means of doing so, the system must be online.

I don't understand then how the upgrade images should or could be used;
they are yet available for 2.3.1.  ...




Re: [pfSense] How to manually update 2.3 onwards?

2016-05-25 Thread Chris Buechler
On Tue, May 24, 2016 at 8:08 AM, Pete Boyd  wrote:
> I have a pfSense 2.3.0_1 which has had an issue connecting to
> pfsense.com to check for updates for years. That's not the issue, as far
> as I believe. Perhaps its LAN and WAN are mistakenly the wrong way
> around. It routes between two LANs. Anyway I always update it manually
> by downloading a tgz file.
>
> With 2.3.0_1 it appears to offer no means of manually updating, giving
> these error messages on the System > Update screen [1].
> I see the release notes say "Removed "full update" or "full slice"
> upgrade for systems on 2.3 to later versions" - is this what I am seeing?
>
> How do I manually update pfSense now please?
>

There currently is no means of doing so, the system must be online.

The errors from pkg you posted make it seem like the box is behind a
captive portal maybe, so it's fetching a portal page rather than the
pkg files.


[pfSense] How to manually update 2.3 onwards?

2016-05-24 Thread Pete Boyd
I have a pfSense 2.3.0_1 which has had an issue connecting to
pfsense.com to check for updates for years. That's not the issue, as far
as I believe. Perhaps its LAN and WAN are mistakenly the wrong way
around. It routes between two LANs. Anyway I always update it manually
by downloading a tgz file.

With 2.3.0_1 it appears to offer no means of manually updating, giving
these error messages on the System > Update screen [1].
I see the release notes say "Removed "full update" or "full slice"
upgrade for systems on 2.3 to later versions" - is this what I am seeing?

How do I manually update pfSense now please?


[1]
"The following input errors were detected:

ERROR: Error trying to get packages list. Aborting...
pkg: repository meta /var/db/pkg/pfSense-core.meta has wrong version or
wrong format pkg: No signature found pkg: No signature found pkg:
repository meta /var/db/pkg/pfSense.meta has wrong version or wrong
format pkg: No signature found pkg: No signature found pkg: repository
meta /var/db/pkg/pfSense-core.meta has wrong version or wrong format
pkg: Repository pfSense-core cannot be opened. 'pkg update' required
pkg: repository meta /var/db/pkg/pfSense.meta has wrong version or wrong
format pkg: Repository pfSense cannot be opened. 'pkg update' required

ERROR: Error trying to get packages list. Aborting...
pkg: repository meta /var/db/pkg/pfSense-core.meta has wrong version or
wrong format pkg: No signature found pkg: No signature found pkg:
repository meta /var/db/pkg/pfSense.meta has wrong version or wrong
format pkg: No signature found pkg: No signature found pkg: repository
meta /var/db/pkg/pfSense-core.meta has wrong version or wrong format
pkg: Repository pfSense-core cannot be opened. 'pkg update' required
pkg: repository meta /var/db/pkg/pfSense.meta has wrong version or wrong
format pkg: Repository pfSense cannot be opened. 'pkg update' required"

Thanks


-- 
Pete Boyd

Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org


Re: [pfSense] How to debug an IPv6 phase2 over IPsec (IKEv2) IPv4 phase1?

2016-05-04 Thread Uğur
-Uğur

2016-05-04 18:44 GMT+03:00 Olivier Mascia :

> Having switched recently from OpenVPN to IPsec (IKEv2 only) for 3 site-to-site
> tunnels, I'm still debugging why I can only get it to work for IPv4.
> Phase 1 is set up with IPv4. Adding two phase 2 entries, one tunnel4 and one
> tunnel6, nothing flows through the tunnel6.
>
> Capturing on the IPSEC interface on one side while attempting a ping to the
> remote site, I see for instance:
>
> 17:33:25.757775 (authentic,confidential): SPI 0xcf5bb1d6: IP6 fd00::1:1 >
> fd01::107: ICMP6, echo request, seq 170, length 40
>
> But I get no replies from the other party.
> What's more, capturing ESP on the other side, I get NO incoming ESP packet
> at all.
>
> If I ping IPv4 and trace the echo requests, I have ESP packets flowing on
> the other site and the echo replies on the sender: all works (can pipe
> any IPv4 traffic with excellent performance).
>
> Only IPv6 seems stuck.
>
> Capturing the echo requests on the sender's IPSEC interface, does this prove
> the packets enter the tunnel (and so that the issue is on the other end)?
> Or not?
>
> --
> Meilleures salutations, Met vriendelijke groeten, Best Regards,
> Olivier Mascia, integral.be/om
>
>

[pfSense] How to debug an IPv6 phase2 over IPsec (IKEv2) IPv4 phase1?

2016-05-04 Thread Olivier Mascia
Having switched recently from OpenVPN to IPsec (IKEv2 only) for 3 site to site 
tunnels, I'm still debugging why I can only get it to work for IPv4. Phase1 are 
setup with IPv4. Adding two phase2, one tunnel4 and one tunnel6, nothing flows 
through the tunnel6.

Capturing on IPSEC interface on one side attempting a ping to remote site, I 
see for instance:

17:33:25.757775 (authentic,confidential): SPI 0xcf5bb1d6: IP6 fd00::1:1 > 
fd01::107: ICMP6, echo request, seq 170, length 40

But I get no replies from the other party.
What's more, capturing ESP on the other side, I get NO incoming ESP packet at 
all.

If I'm pinging IPv4, I trace the echo requests, I have ESP packets flowing on 
the other site and the echo replies on the sender: all works (can pipe any IPv4 
traffic with excellent performance).

Only the IPv6 seems stuck.

Capturing the echo requests on the sender IPSEC interface, does this prove the 
packets embark the tunnel (and so that the issue is on the other end)? Or not?

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om




Re: [pfSense] How to restrict certain websites for certain computers during certain times of the day?

2015-08-03 Thread A Mohan Rao
But squid+squidguard filters only http sites, not https ones like facebook or
youtube etc...

On Fri, Jul 31, 2015 at 9:24 PM, Ivo Tonev i...@tonev.pro.br wrote:

 You can use squid+squidguard to create restrictions and time ranges.

 Need to create local users in pfsense box and use authentication
 On 31/07/2015 12:36, Tim Koop t...@timkoop.com wrote:

  I have installed pfsense and I would like to block certain websites
 during
  certain times of the day for certain computers.  I've looked around
 pfsense
  as well as a plugin or two, and this looks very difficult or impossible
 to
  do.  Anyone have any ideas?
 
  These are the details:
 
  It's installed in my home.  My wife and I want full access to the
 Internet
  all the time.  Using the very nice firewall, I'm currently giving my kids
  access during certain times of the day.  (They connect with DHCP and are
  given IP addresses in a certain range, whereas our computers are given
  static IP addresses based on mac address.)
 
  The main reason I'm blocking my kids' Internet is so they don't watch
  cartoons and play games all day long.  But I wouldn't mind if they had
  access to, say, Wikipedia, or Ubuntu updates server.  So what I want is
  this:
 
  - I want to enter a list of domain names to block, myself, not take it
  from someone else's list somewhere else.
  - I want this to only apply to certain computers (my kids), preferably by
  IP address range.
  - I want to be able to apply it only during certain times of the day.
 
  Does anything like this exist?  Or how close can I get?
 
  Thanks.
 
  --
  Tim K


Re: [pfSense] How to restrict certain websites for certain computers during certain times of the day?

2015-08-02 Thread joseph.rotan



Sent from Samsung Mobile

 Original message 
From: Brian Caouette bri...@dlois.com 
Date: 01/08/2015  10:55 AM  (GMT+12:00) 
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org 
Subject: Re: [pfSense] How to restrict certain websites for certain
computers during certain times of the day? 
 
Squid lock is the way to go. This is what I use at home. We set the categories 
to block and no one can get to those sites. I've just recently played with 
scheduling so now we can enable or disable categories at will. I know we could 
open it up so mom and dad have full access to the net but honestly I have no 
interest in accessing anything we've blocked. Not to mention it keeps everyone 
safe. Get one infected computer in the house and we're all screwed. Been there 
done that! Not fun because you have to take everyone offline until all pcs are 
clean otherwise you keep re-infecting yourself.

Sent from my iPad

 On Jul 31, 2015, at 2:13 PM, Wue Bob fa_sec_...@wuergler-consulting.ch 
 wrote:
 
 
 On 31/07/15 17:36, Tim Koop wrote:
 I have installed pfsense and I would like to block certain websites
 during certain times of the day for certain computers.  I've looked
 around pfsense as well as a plugin or two, and this looks very
 difficult or impossible to do.  Anyone have any ideas?
 
 For home use (considering spoofing etc. ...) it might be sufficient to
 try a combination of firewall rule schedules [1] and firewall aliases to
 be used in firewall rules.
 
 One alias might contain IP/FQDN of your computers. You'll use them as
 source in the firewall rule/s allowing full access all the time.
 Similarly, another alias would define your kids' computers. This alias
 will again be the source in two firewall rules blocking some domains or
 limiting times of the day.
 
 Then, in a third alias you would list all domains you want to block.
 Obviously, this alias will be used as destination in another firewall
 rule and the source in this rule will be your kids' alias. In yet
 another firewall rule you would define a pass rule during certain times
 of the day, applying a schedule in this rule (= advanced features). As
 source you'd again apply your kids' alias. (Since your kids connect with
 DHCP and you don't, it should probably be ok to use a LAN range instead
 of a kids' alias as source and placing this firewall rule after the full
 access rule.)
 
 Carefully designing aliases, schedules and rules, and also considering
 firewall rule processing order [2] should probably get you reasonably
 close to what you want ...
 
 Regards,
 Bob
 
 [1] https://doc.pfsense.org/index.php/Firewall_Rule_Schedules
 [2] https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
 
 

Re: [pfSense] How to restrict certain websites for certain computers during certain times of the day?

2015-07-31 Thread Ivo Tonev
You can use squid+squidguard to create restrictions and time ranges.

Need to create local users in pfsense box and use authentication
On 31/07/2015 12:36, Tim Koop t...@timkoop.com wrote:

 I have installed pfsense and I would like to block certain websites during
 certain times of the day for certain computers.  I've looked around pfsense
 as well as a plugin or two, and this looks very difficult or impossible to
 do.  Anyone have any ideas?

 These are the details:

 It's installed in my home.  My wife and I want full access to the Internet
 all the time.  Using the very nice firewall, I'm currently giving my kids
 access during certain times of the day.  (They connect with DHCP and are
 given IP addresses in a certain range, whereas our computers are given
 static IP addresses based on mac address.)

 The main reason I'm blocking my kids' Internet is so they don't watch
 cartoons and play games all day long.  But I wouldn't mind if they had
 access to, say, Wikipedia, or Ubuntu updates server.  So what I want is
 this:

 - I want to enter a list of domain names to block, myself, not take it
 from someone else's list somewhere else.
 - I want this to only apply to certain computers (my kids), preferably by
 IP address range.
 - I want to be able to apply it only during certain times of the day.

 Does anything like this exist?  Or how close can I get?

 Thanks.

 --
 Tim K


[pfSense] How to restrict certain websites for certain computers during certain times of the day?

2015-07-31 Thread Tim Koop
I have installed pfsense and I would like to block certain websites 
during certain times of the day for certain computers.  I've looked 
around pfsense as well as a plugin or two, and this looks very difficult 
or impossible to do.  Anyone have any ideas?


These are the details:

It's installed in my home.  My wife and I want full access to the 
Internet all the time.  Using the very nice firewall, I'm currently 
giving my kids access during certain times of the day.  (They connect 
with DHCP and are given IP addresses in a certain range, whereas our 
computers are given static IP addresses based on mac address.)


The main reason I'm blocking my kids' Internet is so they don't watch 
cartoons and play games all day long.  But I wouldn't mind if they had 
access to, say, Wikipedia, or Ubuntu updates server.  So what I want is 
this:


- I want to enter a list of domain names to block, myself, not take it 
from someone else's list somewhere else.
- I want this to only apply to certain computers (my kids), preferably 
by IP address range.

- I want to be able to apply it only during certain times of the day.

Does anything like this exist?  Or how close can I get?

Thanks.

--
Tim K


Re: [pfSense] How to restrict certain websites for certain computers during certain times of the day?

2015-07-31 Thread Gregory K Shenaut
If this is browser-based access you are talking about, you might take a look at 
the various browser extensions out there like Waste No Time. They allow you to 
define certain times during which certain sites are accessible via the browser. 
Obviously, this isn't network-level blocking, but perhaps it will be 
sufficient. (But I wouldn't underestimate the ingenuity of rug rats.)

Greg

 On Jul 31, 2015, at 08:36 , Tim Koop t...@timkoop.com wrote:
 
 I have installed pfsense and I would like to block certain websites during 
 certain times of the day for certain computers.  I've looked around pfsense 
 as well as a plugin or two, and this looks very difficult or impossible to 
 do.  Anyone have any ideas?
 
 These are the details:
 
 It's installed in my home.  My wife and I want full access to the Internet 
 all the time.  Using the very nice firewall, I'm currently giving my kids 
 access during certain times of the day.  (They connect with DHCP and are 
 given IP addresses in a certain range, whereas our computers are given static 
 IP addresses based on mac address.)
 
 The main reason I'm blocking my kids' Internet is so they don't watch 
 cartoons and play games all day long.  But I wouldn't mind if they had access 
 to, say, Wikipedia, or Ubuntu updates server.  So what I want is this:
 
 - I want to enter a list of domain names to block, myself, not take it from 
 someone else's list somewhere else.
 - I want this to only apply to certain computers (my kids), preferably by IP 
 address range.
 - I want to be able to apply it only during certain times of the day.
 
 Does anything like this exist?  Or how close can I get?
 
 Thanks.
 
 --
 Tim K


Re: [pfSense] How to restrict certain websites for certain computers during certain times of the day?

2015-07-31 Thread Brian Caouette
Squid lock is the way to go. This is what I use at home. We set the categories 
to block and no one can get to those sites. I've just recently played with 
scheduling so now we can enable or disable categories at will. I know we could 
open it up so mom and dad have full access to the net but honestly I have no 
interest in accessing anything we've blocked. Not to mention it keeps everyone 
safe. Get one infected computer in the house and we're all screwed. Been there 
done that! Not fun because you have to take everyone offline until all pcs are 
clean otherwise you keep re-infecting yourself.

Sent from my iPad

 On Jul 31, 2015, at 2:13 PM, Wue Bob fa_sec_...@wuergler-consulting.ch 
 wrote:
 
 
 On 31/07/15 17:36, Tim Koop wrote:
 I have installed pfsense and I would like to block certain websites
 during certain times of the day for certain computers.  I've looked
 around pfsense as well as a plugin or two, and this looks very
 difficult or impossible to do.  Anyone have any ideas?
 
 For home use (considering spoofing etc. ...) it might be sufficient to
 try a combination of firewall rule schedules [1] and firewall aliases to
 be used in firewall rules.
 
 One alias might contain IP/FQDN of your computers. You'll use them as
 source in the firewall rule/s allowing full access all the time.
 Similarly, another alias would define your kids' computers. This alias
 will again be the source in two firewall rules blocking some domains or
 limiting times of the day.
 
 Then, in a third alias you would list all domains you want to block.
 Obviously, this alias will be used as destination in another firewall
 rule and the source in this rule will be your kids' alias. In yet
 another firewall rule you would define a pass rule during certain times
 of the day, applying a schedule in this rule (= advanced features). As
 source you'd again apply your kids' alias. (Since your kids connect with
 DHCP and you don't, it should probably be ok to use a LAN range instead
 of a kids' alias as source and placing this firewall rule after the full
 access rule.)
 
 Carefully designing aliases, schedules and rules, and also considering
 firewall rule processing order [2] should probably get you reasonably
 close to what you want ...
 
 Regards,
 Bob
 
 [1] https://doc.pfsense.org/index.php/Firewall_Rule_Schedules
 [2] https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
 
 
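The alias-plus-schedule design quoted above in Bob's reply (parents' alias passed all the time, kids' alias blocked towards a domain alias, kids passed only during a schedule, first match wins) can be checked before it is typed into the GUI. The Python below is an added example, not code from pfSense or from anyone on the thread. It models pfSense's first-match processing on an interface tab with hypothetical aliases, a hypothetical schedule and constructed sample addresses, and shows the ordering point Bob makes: if the kids' scheduled pass rule sits above the block rule, the block rule is never reached during allowed hours.

```python
import ipaddress
from datetime import datetime, time

# Hypothetical aliases, constructed for this example. pfSense resolves an
# FQDN alias to addresses periodically; "blocked_sites" is shown already
# resolved to the addresses such an alias would contain.
ALIASES = {
    "parents": ["192.168.1.10", "192.168.1.11"],     # static leases
    "kids": ["192.168.1.128/26"],                    # the kids' DHCP range
    "blocked_sites": ["203.0.113.10", "198.51.100.0/24"],
}

# Hypothetical schedule: kids may use the Internet 16:00-19:00 every day.
SCHEDULES = {"kids_hours": [(time(16, 0), time(19, 0))]}

# Sample instants, constructed for the demonstration below.
SAMPLE_TIME_ALLOWED = datetime(2015, 7, 31, 17, 0)
SAMPLE_TIME_LATE = datetime(2015, 7, 31, 20, 0)


def in_alias(addr, alias):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in ALIASES[alias])


def schedule_active(name, when):
    if name is None:
        return True          # unscheduled rule: always part of the ruleset
    t = when.time()
    return any(start <= t < end for start, end in SCHEDULES[name])


def evaluate(rules, src, dst, when):
    """First-match evaluation, as pfSense applies rules on an interface tab.
    A rule is (action, source alias, destination alias, schedule name);
    "any" matches everything. A scheduled rule outside its schedule is
    skipped, just as pfSense leaves it out of the loaded ruleset."""
    for action, src_alias, dst_alias, sched in rules:
        if src_alias != "any" and not in_alias(src, src_alias):
            continue
        if dst_alias != "any" and not in_alias(dst, dst_alias):
            continue
        if not schedule_active(sched, when):
            continue
        return action
    return "block"           # nothing matched: default deny


# The order Bob describes: the block rule sits above the scheduled pass.
RULES_OK = [
    ("pass", "parents", "any", None),
    ("block", "kids", "blocked_sites", None),
    ("pass", "kids", "any", "kids_hours"),
]

# Same three rules with the scheduled pass rule placed too high: during
# allowed hours the first match is the pass rule, so the block never fires.
RULES_WRONG_ORDER = [
    ("pass", "parents", "any", None),
    ("pass", "kids", "any", "kids_hours"),
    ("block", "kids", "blocked_sites", None),
]

if __name__ == "__main__":
    for label, rules in (("ok", RULES_OK), ("wrong order", RULES_WRONG_ORDER)):
        verdict = evaluate(rules, "192.168.1.130", "203.0.113.10", SAMPLE_TIME_ALLOWED)
        print("%-12s kid -> blocked site at 17:00: %s" % (label, verdict))
```

One limit worth keeping in mind: an FQDN alias blocks only the addresses it resolves to, so a site served from addresses shared with other sites cannot be separated from its neighbours this way, which is the same reason HTTPS filtering is hard further up the thread.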


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Vick Khera
On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz mo...@ymkatz.net wrote:

 Again,  I agree with you that this shouldn't affect your score.  I am
 simply explaining why they do it.


based on this explanation, i agree. there's no reason for them to demand
your certificate also signs any other domain name as long as it signs the
one to which they are connecting and testing.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Claudio Thomas

 
On 29.07.2015 18:02, Vick Khera wrote:
 On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz mo...@ymkatz.net wrote:

 Again,  I agree with you that this shouldn't affect your score.  I am
 simply explaining why they do it.
 based on this explanation, i agree. there's no reason for them to demand
 your certificate also signs any other domain name as long as it signs the
 one to which they are connecting and testing.
Hi, the reason why it affects your score is simple:
1. client makes a request to https://www.example.net
=> if it does not redirect to https://example.net the check stops here.
All is OK
=> if your server responds with a redirect to https://example.net, it
does it with an untrusted certificate. Untrusted, because the server
certificate is not certified to be used from www.example.net.

So you have 3 options:
1. disable redirection of https://www to https://bare (probably not what
you wish)
2. give your https://www server a valid certificate, so that the
redirect is trustworthy (as done by https://www.web.de, that points to
https://web.de)
3. if it is the same server, but only a separate config, you probably
should get a certificate with CN:www.example.net and ALT-Names: DNS:
www.example.net and DNS: example.net (example: https://xmodus-systems.de
redirects to https://www.xmodus-systems.de, the cert is valid for both)

Again: the connection to the https://www.example.net is technically not ok
for sure. But this you probably already know.
Now why does qualys check also the www.?: Qualys checks this option for
bare domains, because many users worldwide tend to prefix www. on every
domain without thinking about it (bad habit). If the www. domain does not
belong to you it is a potential risk that your customers think they are
accessing your site but in reality it is a possible man-in-the-middle site.
=> Security is not only a technical issue, but must also take account of
human bad habits.

Best regards,
Claudio

-- 
Working on OpenWrt CC for Xmodus GSM Router XM1710E
http://www.xmodus-systems.de/openwrt





Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Moshe Katz
On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org wrote:

 On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz
 wrote:

  I have an issue with Qualy’s: They ding my certification because I have
  domain.com
 
  http://domain.com/
 
   on it and not www.domain.com
 
  http://www.domain.com/
 
   (multi-site cert).
 
  That’s not a reason to lower a score on security.
 

 The only way I can make sense of your sentence is that they are dinging you
 for having a certificate that does not match the name of the site you are
 visiting because one has www. and the other does not. That seems to be
 reasonable for them to ding you.


Vick,

Qualys *does* take off points if you have a certificate for your bare
domain name without it having www as an alternate name.  For example, a
certificate for 'example.com' that doesn't work for 'www.example.com' is
penalized, even if it is really only used for 'example.com'.

I believe that the reason they do this is because they assume that people
always have their sites set up so that www redirects to bare, bare
redirects to www, or both bare and www show the same content.  While this
may not always be true, it is an assumption that Qualys and many other
people make, so it is included in the grade.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Ryan Coleman

 On Jul 28, 2015, at 2:50 PM, Moshe Katz mo...@ymkatz.net wrote:
 
 On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org 
 mailto:vi...@khera.org wrote:
 
 On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz
 wrote:
 
 I have an issue with Qualy’s: They ding my certification because I have
 domain.com
 
 http://domain.com/
 
 on it and not www.domain.com
 
 http://www.domain.com/
 
 (multi-site cert).
 
 That’s not a reason to lower a score on security.
 
 
 The only way I can make sense of your sentence is that they are dinging you
 for having a certificate that does not match the name of the site you are
 visiting because one has www. and the other does not. That seems to be
 reasonable for them to ding you.
 
 
 Vick,
 
 Qualys *does* take off points if you have a certificate for your bare
 domain name without it having www as an alternate name.  For example, a
 certificate for 'example.com' that doesn't work for 'www.example.com' is
 penalized, even if it is really only used for 'example.com'.
 
 I believe that the reason they do this is because they assume that people
 always have their sites set up so that www redirects to bare, bare
 redirects to www, or both bare and www show the same content.  While this
 may not always be true, it is an assumption that Qualys and many other
 people make, so it is included in the grade.

Sure but if you try to load www.domain.com it sends you to the clean domain 
immediately. I am not testing www.domain.com - I am testing domain.com and 
there's no evidence they're trying to load www.domain.com, only reading the 
certificate and seeing it doesn't cover it.

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Moshe Katz
On Tue, Jul 28, 2015 at 3:54 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:


  On Jul 28, 2015, at 2:50 PM, Moshe Katz mo...@ymkatz.net wrote:
 
  On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org mailto:
 vi...@khera.org wrote:
 
  On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz
  wrote:
 
  I have an issue with Qualy’s: They ding my certification because I have
  domain.com
 
  http://domain.com/
 
  on it and not www.domain.com
 
  http://www.domain.com/
 
  (multi-site cert).
 
  That’s not a reason to lower a score on security.
 
 
  The only way I can make sense of your sentence is that they are dinging
 you
  for having a certificate that does not match the name of the site you
 are
  visiting because one has www. and the other does not. That seems to be
  reasonable for them to ding you.
 
 
  Vick,
 
  Qualys *does* take off points if you have a certificate for your bare
  domain name without it having www as an alternate name.  For example, a
  certificate for 'example.com' that doesn't work for 'www.example.com' is
  penalized, even if it is really only used for 'example.com'.
 
  I believe that the reason they do this is because they assume that people
  always have their sites set up so that www redirects to bare, bare
  redirects to www, or both bare and www show the same content.  While this
  may not always be true, it is an assumption that Qualys and many other
  people make, so it is included in the grade.

 Sure but if you try to load www.domain.com it sends you to the clean domain
 immediately. I am not testing www.domain.com - I am testing domain.com
 and there's no evidence they're trying to load www.domain.com, only
 reading the certificate and seeing it doesn't cover it.



Ryan,

That is *exactly* what I said.  They *don't* check whether you are
redirecting, and they *don't* try to load the www version. They naively
assume that the same certificate *must* cover both of those names because
they assume you are redirecting one to the other.

There is one reason that it matters, even in your case.  Take the following
four URLs:

   - http://domain.com/       => redirects to SECURE on SAME DOMAIN
   - http://www.domain.com/   => redirects to SECURE on BARE DOMAIN
   - https://domain.com/      => the actual site
   - https://www.domain.com/  => SHOULD redirect to SECURE on BARE DOMAIN

You have handled the first three of them - but not the fourth one.  Instead
of getting a redirect, you will get a certificate error.

I don't know how you have configured your server - you may not even be
listening for secure connections on the WWW subdomain.  However, Qualys
assumes that you are redirecting in that fourth case *and that you are
using the same certificate to do it*, so they are testing for whether your
certificate covers for it.

Again,  I agree with you that this shouldn't affect your score.  I am
simply explaining why they do it.

Moshe


--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732
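Whether a certificate "covers" both the bare name and its www form, the point behind Claudio's option 3 (a certificate carrying both names as SANs) and Moshe's four-URL table above, is decided by dNSName matching against the certificate's subjectAltName list. The Python below is an added example, not code from Qualys, pfSense or anyone on the thread. It implements the matching rule browsers apply (exact match, or a single leftmost-label wildcard), runs it over constructed SAN lists, and reports the four URLs the way Moshe lays them out; it also shows a gotcha the thread does not spell out, that a wildcard certificate for *.example.com covers www.example.com but not the bare example.com. The fetch_san helper reads the SAN list from a live server and is the only part that needs network access.

```python
import socket
import ssl

# Hypothetical SAN lists, constructed for this example.
CERT_BARE_ONLY = ["example.com"]                  # what the scanner dinged
CERT_WILDCARD_ONLY = ["*.example.com"]
CERT_BOTH = ["example.com", "www.example.com"]    # Claudio's option 3


def name_matches(pattern, hostname):
    """dNSName matching in the style of RFC 6125: case-insensitive exact
    match, or a '*' that is the whole leftmost label and stands for exactly
    one label. Wildcards directly under a TLD (*.com) are rejected, a
    simplification of what browsers do with the public suffix list."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname):
    return any(name_matches(n, hostname) for n in san_names)


def bare_and_www_coverage(san_names, domain):
    """The assumption the scanner makes: the bare name and its www form
    redirect to each other, so one certificate must carry both."""
    return {
        domain: cert_covers(san_names, domain),
        "www." + domain: cert_covers(san_names, "www." + domain),
    }


def four_url_check(san_names, domain):
    """Moshe's four URLs. The two plain-HTTP ones redirect before any TLS
    handshake; the two HTTPS ones fail in the browser before a redirect
    can be sent unless the certificate covers the name being visited."""
    def https(name):
        return "ok" if cert_covers(san_names, name) else "certificate error"
    return {
        "http://%s/" % domain: "redirect, no certificate involved",
        "http://www.%s/" % domain: "redirect, no certificate involved",
        "https://%s/" % domain: https(domain),
        "https://www.%s/" % domain: https("www." + domain),
    }


def fetch_san(host, port=443, timeout=5):
    """Read the dNSName SANs of the certificate a live server presents.
    The default context verifies the chain, so an untrusted certificate
    raises ssl.SSLCertVerificationError rather than returning names."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


if __name__ == "__main__":
    for label, sans in (("bare only", CERT_BARE_ONLY),
                        ("wildcard only", CERT_WILDCARD_ONLY),
                        ("both", CERT_BOTH)):
        print(label, bare_and_www_coverage(sans, "example.com"))
```

To check a real site, call bare_and_www_coverage(fetch_san("example.com"), "example.com") and compare with what the scanner reports; both names should come back True before the www-related finding goes away.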

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Vick Khera
On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz
wrote:

 I have an issue with Qualy’s: They ding my certification because I have
 domain.com

 http://domain.com/

  on it and not www.domain.com

 http://www.domain.com/

  (multi-site cert).

 That’s not a reason to lower a score on security.


The only way I can make sense of your sentence is that they are dinging you
for having a certificate that does not match the name of the site you are
visiting because one has www. and the other does not. That seems to be
reasonable for them to ding you.

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-25 Thread Chris L

 On Jul 24, 2015, at 5:18 PM, Ted Byers r.ted.by...@gmail.com wrote:
 
 On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote:
 
 On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
 This is an external scan.  We forward ports such as 443 and 22 to
 specific
 Ubuntu machines.  But both sshd and apache have been configured to accept
 only TLS1.2
 
 
 In the case of forwarded ports it's the Ubuntu machines that are
 triggering it. That has nothing to do with the firewall.
 
 
 In that case, then, the scan is wrong as all our Ubuntu machines are
 configured to use only TLS1.2

Or you think they are and they’re really not.


[pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
I have checked our installation of our website (a classic protected LAN
with a DMZ formed by two pfsense machines serving as our inner and outer
firewall, and one machine in the DMZ and the rest behind the inner
firewall) using a PCI scanner.

The PCI scan identified two vulnerabilities WRT our pfsense machines.

First, the scanner complains that TLS1 is supported and we need to restrict
it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2, but
that did not make the complaint go away, so is there anything else that
uses TLS that we need to reconfigure to use only TLS1.2?
Second, it appears that ssh-server on pfsense is version 6.6 and it would
be good if we can upgrade that to 6.9 or better (well, if there is better -
the scan only complains the version if earlier than 6.9)

If we can fix these two things, a little over half of the complaints from
the scanner will be resolved.  I have spent a couple days using google,
trying to resolve these, but to no avail (compounded by the fact the signal
to noise ratio in my searches was abysmal).

Thanks

Ted

-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Adam Thompson
I'm 95% sure the answer is wait for the developers to fix those issues 
and/or become a developer and fix those issues :-).


Configuration of lighttpd is controlled by the pfSense management 
framework, so once you discover the correct invocation, you could 
locally modify the PHP file that generates the configuration.


In theory, all you need to add to /var/etc/lighty-webConfigurator.conf 
would be


# lighttpd syntax: one quoted, colon-separated OpenSSL cipher string
ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"

but you need to find where in the PHP framework that file gets written.  
I can't find it in under 60 seconds, so you're on your own there.


As to updating sshd, that's replacing a core piece of the system. I'm 
not even going to speculate how or what the impact would be.


-Adam


On 07/24/2015 03:51 PM, Ted Byers wrote:

I have checked our installation of our website (a classic protected LAN
with a DMZ formed by two pfsense machines serving as our inner and outer
firewall, and one machine in the DMZ and the rest behind the inner
firewall) using a PCI scanner.

The PCI scan identified two vulnerabilities WRT our pfsense machines.

First, the scanner complains that TLS1 is supported and we need to restrict
it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2, but
that did not make the complaint go away, so is there anything else that
uses TLS that we need to reconfigure to use only TLS1.2?
Second, it appears that ssh-server on pfsense is version 6.6 and it would
be good if we can upgrade that to 6.9 or better (well, if there is better -
the scan only complains the version if earlier than 6.9)

If we can fix these two things, a little over half of the complaints from
the scanner will be resolved.  I have spent a couple days using google,
trying to resolve these, but to no avail (compounded by the fact the signal
to noise ratio in my searches was abysmal).

Thanks

Ted





Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Steve Yates
Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:

 First, the scanner complains that TLS1 is supported and we need to restrict
 it to TLS1.2.

 Second, it appears that ssh-server on pfsense is version 6.6 

Is this an internal scan or external?  Hopefully those aren't exposed 
externally.  If internal, can access be limited to certain IPs?

This probably isn't the forum to discuss, but the TLS 1.0 one is a fun 
one...that will catch Remote Desktop Services, and Vista and below don't 
support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ 
enabled by default.

--

Steve Yates
ITS, Inc.




Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Yehuda Katz
If you are forwarding the ports to other machines, it is those machines
which need an update, not pfSense.
This is the test: get out your ssh client of choice and connect to the port
from outside. If you get something that is not pfSense, then upgrading ssh
on your firewall isn't going to help.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
On Jul 24, 2015 6:20 PM, Ted Byers r.ted.by...@gmail.com wrote:

 This is an external scan.  We forward ports such as 443 and 22 to specific
 Ubuntu machines.  But both sshd and apache have been configured to accept
 only TLS1.2

 Port 443 must be open to support the web server in our DMZ, and we need ssh
 to connect to each machine for administration purposes.  (if there is a
 better way, I do not know what it is or how to do it --I am a programmer
 tasked with setting this up, so network and system administration is new to
 me - I am out of my area of expertise here).

 Thanks

 Ted


 On Fri, Jul 24, 2015 at 5:25 PM, Steve Yates st...@teamits.com wrote:

  Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:
 
   First, the scanner complains that TLS1 is supported and we need to
  restrict
   it to TLS1.2.
 
   Second, it appears that ssh-server on pfsense is version 6.6
 
  Is this an internal scan or external?  Hopefully those aren't
  exposed externally.  If internal, can access be limited to certain IPs?
 
  This probably isn't the forum to discuss, but the TLS 1.0 one is
 a
  fun one...that will catch Remote Desktop Services, and Vista and below
  don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't
  have TLS 1.1+ enabled by default.
 
  --
 
  Steve Yates
  ITS, Inc.
 
 
 



 --
 R.E.(Ted) Byers, Ph.D.,Ed.D.
 t...@merchantservicecorp.com



Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
Thanks for this.  I'd hoped it would be as simple as apt-get update &&
apt-get upgrade && apt-get update openssh-server.  That is, whatever the
equivalent of apt-get is on a pfsense machine, I'd hoped it would be a
command invoked from ssh to ask the system to check for updates and apply
any found.

Thanks

Ted

On Fri, Jul 24, 2015 at 5:13 PM, Adam Thompson athom...@athompso.net
wrote:

 I'm 95% sure the answer is wait for the developers to fix those issues
 and/or become a developer and fix those issues :-).

 Configuration of lighttpd is controlled by the pfSense management
 framework, so once you discover the correct invocation, you could locally
 modify the PHP file that generates the configuration.

 In theory, all you need to add to /var/etc/lighty-webConfigurator.conf
 would be

 |ssl.cipher-list DHE-RSA-AES256-SHA
 DHE-RSA-AES128-SHA
 EDH-RSA-DES-CBC3-SHA
 AES256-SHA
 AES128-SHA
 DES-CBC3-SHA
 DES-CBC3-MD5
 RC4-SHA
 RC4-MD5|

 but you need to find where in the PHP framework that file gets written.  I
 can't find it in under 60 seconds, so you're on your own there.

 As to updating sshd, that's replacing a core piece of the system. I'm not
 even going to speculate how or what the impact would be.

 -Adam


 On 07/24/2015 03:51 PM, Ted Byers wrote:

 I have checked our installation of our website (a classic protected LAN
 with a DMZ formed by two pfsense machines serving as our inner and outer
 firewall, and one machine in the DMZ and the rest behind the inner
 firewall) using a PCI scanner.

 The PCI scan identified two vulnerabilities WRT our pfsense machines.

 First, the scanner complains that TLS1 is supported and we need to
 restrict
 it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2,
 but
 that did not make the complaint go away, so is there anything else that
 uses TLS that we need to reconfigure to use only TLS1.2?
 Second, it appears that ssh-server on pfsense is version 6.6 and it would
 be good if we can upgrade that to 6.9 or better (well, if there is better -
 the scan only complains about the version if it is earlier than 6.9)

 If we can fix these two things, a little over half of the complaints from
 the scanner will be resolved.  I have spent a couple days using google,
 trying to resolve these, but to no avail (compounded by the fact the
 signal
 to noise ratio in my searches was abysmal).

 Thanks

 Ted






-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com
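Yehuda's test above (connect from outside and see which host actually answers on the forwarded port) and the earlier question of what still offers TLS 1.0 once lighttpd has been restricted can both be scripted. The following is an added example, not code from this thread or from pfSense: it reads the SSH identification line a server sends unprompted and classifies it by the distribution tag OpenSSH builds carry (a pfSense box reports its FreeBSD base, a forwarded Ubuntu host reports Ubuntu), and it attempts one TLS handshake per protocol version so that a "TLS 1.2 only" claim can be checked against what an external scanner sees. The sample banners are constructed, the host name is a placeholder, and the two network helpers assume a reachable host; the offline self-check covers only the parsing and the verdict logic.

```python
"""Added example (not from the thread): check what actually answers on a
forwarded port, and which TLS versions an HTTPS port still accepts.

Assumptions: host names are placeholders; the sample banners are constructed;
the two network helpers need a reachable host and are not part of the
offline self-check.
"""
import socket
import ssl
from typing import Dict, Optional


def parse_ssh_banner(banner: str) -> Dict[str, str]:
    """Split an SSH identification string (RFC 4253 section 4.2):
    'SSH-protoversion-softwareversion [SP comments]'."""
    line = banner.strip()
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % line)
    ident, _, comment = line.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed identification string: %r" % ident)
    return {"protocol": parts[1], "software": parts[2], "comment": comment}


def banner_origin(banner: str) -> str:
    """Guess which system answered from the distribution tag in the banner:
    a pfSense box reports its FreeBSD base, a forwarded Ubuntu host reports
    Ubuntu. Anything else is reported as 'unknown'."""
    info = parse_ssh_banner(banner)
    text = ("%s %s" % (info["software"], info["comment"])).lower()
    if "ubuntu" in text or "debian" in text:
        return "ubuntu"
    if "freebsd" in text:
        return "freebsd"
    return "unknown"


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line; the server sends it without a request."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")


TLS_VERSIONS = (
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
)


def tls_versions_accepted(host: str, port: int = 443,
                          timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """One handshake per protocol version, pinned to exactly that version.
    True: the server completed it; False: it refused; None: this client's
    OpenSSL could not even offer that version, so nothing was proven."""
    results: Dict[str, Optional[bool]] = {}
    for name, version in TLS_VERSIONS:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the cert
        try:
            # OpenSSL 3 refuses TLS < 1.2 at its default security level;
            # level 0 lets the client offer it so the server's answer counts.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ssl.SSLError, ValueError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def is_tls12_only(results: Dict[str, Optional[bool]]) -> bool:
    """Pass only if TLS 1.2 worked and every legacy version was actively
    refused; an untested version (None) does not count as evidence."""
    legacy = [results.get(n) for n in ("TLSv1", "TLSv1.1")]
    return results.get("TLSv1.2") is True and all(v is False for v in legacy)


# Constructed sample banners in the shape OpenSSH sends on each system.
SAMPLE_UBUNTU = "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"
SAMPLE_FREEBSD = "SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420\r\n"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "firewall.example.invalid"  # placeholder
    print("ssh answered by:", banner_origin(grab_ssh_banner(host)))
    tls = tls_versions_accepted(host)
    print("tls:", tls, "tls1.2-only:", is_tls12_only(tls))
```

Run it from a host outside the firewall against the public address; if the SSH banner comes back tagged Ubuntu, the forwarded machine, not pfSense, is what the scanner graded. The TLS probe deliberately treats "could not test" differently from "refused": a client whose OpenSSL will not offer TLS 1.0 proves nothing about the server.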


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
This is an external scan.  We forward ports such as 443 and 22 to specific
Ubuntu machines.  But both sshd and apache have been configured to accept
only TLS1.2

Port 443 must be open to support the web server in our DMZ, and we need ssh
to connect to each machine for administration purposes.  (if there is a
better way, I do not know what it is or how to do it --I am a programmer
tasked with setting this up, so network and system administration is new to
me - I am out of my area of expertise here).

Thanks

Ted


On Fri, Jul 24, 2015 at 5:25 PM, Steve Yates st...@teamits.com wrote:

 Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:

  First, the scanner complains that TLS1 is supported and we need to
 restrict
  it to TLS1.2.

  Second, it appears that ssh-server on pfsense is version 6.6

 Is this an internal scan or external?  Hopefully those aren't
 exposed externally.  If internal, can access be limited to certain IPs?

 This probably isn't the forum to discuss, but the TLS 1.0 one is a
 fun one...that will catch Remote Desktop Services, and Vista and below
 don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't
 have TLS 1.1+ enabled by default.

 --

 Steve Yates
 ITS, Inc.






-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
Thanks.  I will do this this evening.

Thanks

ted

On Fri, Jul 24, 2015 at 6:18 PM, David Burgess apt@gmail.com wrote:

 On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers r.ted.by...@gmail.com wrote:
  Thanks for this.  I'd hoped it would be as simple as apt-get update &&
  apt-get upgrade && apt-get update openssh-server.  That is, whatever the
  equivalent of apt-get is on a pfsense machine, I'd hoped it would be a
  command invoked from ssh to ask the system to check for updates and apply
  any found.


 PFSense is more like a firmware than an OS. While the possibility of
 updating, replacing, or adding components does exist, it is generally
 discouraged for the typical user. Log into the web UI and navigate to
 System: Firmware: Auto Update and run your upgrade from there.

 db




-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
We have version 2.2.2.

What is the easiest way to upgrade one minor version?  On Ubuntu, I'd use
'apt-get update' and/or 'apt-get upgrade', or one of the variants thereof.
But, if I understand correctly, pfsense is built on FreeBSD, about which I
know nothing.

Thanks

Ted

On Fri, Jul 24, 2015 at 5:13 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:

 First off you’d upgrade the installation of pfSense - what version do you
 have installed/running? The current version is 2.2.3.


  On Jul 24, 2015, at 3:51 PM, Ted Byers r.ted.by...@gmail.com wrote:
 
  I have checked our installation of our website (a classic protected LAN
  with a DMZ formed by two pfsense machines serving as our inner and outer
  firewall, and one machine in the DMZ and the rest behind the inner
  firewall) using a PCI scanner.
 
  The PCI scan identified two vulnerabilities WRT our pfsense machines.
 
  First, the scanner complains that TLS1 is supported and we need to
 restrict
  it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2,
 but
  that did not make the complaint go away, so is there anything else that
  uses TLS that we need to reconfigure to use only TLS1.2?
  Second, it appears that ssh-server on pfsense is version 6.6 and it would
  be good if we can upgrade that to 6.9 or better (well, if there is
 better -
  the scan only complains about the version if it is earlier than 6.9)
 
  If we can fix these two things, a little over half of the complaints from
  the scanner will be resolved.  I have spent a couple days using google,
  trying to resolve these, but to no avail (compounded by the fact the
 signal
  to noise ratio in my searches was abysmal).
 
  Thanks
 
  Ted
 
  --
  R.E.(Ted) Byers, Ph.D.,Ed.D.





-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread David Burgess
On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers r.ted.by...@gmail.com wrote:
 Thanks for this.  I'd hoped it would be as simple as apt-get update &&
 apt-get upgrade && apt-get update openssh-server.  That is, whatever the
 equivalent of apt-get is on a pfsense machine, I'd hoped it would be a
 command invoked from ssh to ask the system to check for updates and apply
 any found.


PFSense is more like a firmware than an OS. While the possibility of
updating, replacing, or adding components does exist, it is generally
discouraged for the typical user. Log into the web UI and navigate to
System: Firmware: Auto Update and run your upgrade from there.

db


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Chris Buechler
On Fri, Jul 24, 2015 at 3:51 PM, Ted Byers r.ted.by...@gmail.com wrote:
 I have checked our installation of our website (a classic protected LAN
 with a DMZ formed by two pfsense machines serving as our inner and outer
 firewall, and one machine in the DMZ and the rest behind the inner
 firewall) using a PCI scanner.

 The PCI scan identified two vulnerabilities WRT our pfsense machines.

 First, the scanner complains that TLS1 is supported and we need to restrict
 it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2, but
 that did not make the complaint go away, so is there anything else that
 uses TLS that we need to reconfigure to use only TLS1.2?

That's one where maybe you can disregard compatibility concerns and
only allow TLS 1.2. We're a bit more conservative for compatibility
reasons where there isn't a significant security risk (though TLSv1
probably will get disabled in 2.3-REL). Update the code in
/etc/inc/system.inc to generate the lighttpd config as you desire (and
captiveportal.inc if you're using CP).

 Second, it appears that ssh-server on pfsense is version 6.6 and it would
 be good if we can upgrade that to 6.9 or better (well, if there is better -
 the scan only complains about the version if it is earlier than 6.9)


In that case your scanner is stupid, and "you can't fix stupid"
applies. We use the SSH version used in the base FreeBSD version,
which is 6.6 for 10.1. That's perfectly fine. You can't reasonably
upgrade it, and there is no point at all in trying.

Re: upgrading, which you should do as there are legit security reasons
your scanner is blind to (though best to wait a few hours and you can
go to 2.2.4), details here:
https://doc.pfsense.org/index.php/Upgrade_Guide


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote:

 On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
  This is an external scan.  We forward ports such as 443 and 22 to
 specific
  Ubuntu machines.  But both sshd and apache have been configured to accept
  only TLS1.2
 

 In the case of forwarded ports it's the Ubuntu machines that are
 triggering it. That has nothing to do with the firewall.


In that case, then, the scan is wrong as all our Ubuntu machines are
configured to use only TLS1.2

Thanks.

Ted


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ryan Coleman

 On Jul 24, 2015, at 7:18 PM, Ted Byers r.ted.by...@gmail.com wrote:
 
 On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote:
 
 On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
 This is an external scan.  We forward ports such as 443 and 22 to
 specific
 Ubuntu machines.  But both sshd and apache have been configured to accept
 only TLS1.2
 
 
 In the case of forwarded ports it's the Ubuntu machines that are
 triggering it. That has nothing to do with the firewall.
 
 
 In that case, then, the scan is wrong as all our Ubuntu machines are
 configured to use only TLS1.2
 


I am curious as to what tool you were using.



[pfSense] How to Install PFSENSE in VM

2015-06-30 Thread putra kurnia Ramadana
Dear Friends,

I have completed downloading pfsense on my laptop, so I want to install
pfsense on my laptop in a VM, but why can't it install?
The file format of pfsense is iso.gz.

Please help me to install pfsense on my laptop.

Thank You.

*Sincerely Yours, *


*Putra Kurnia Ramadana*


Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread Tiernan OToole
You need to unzip the file first. 7zip worked for me. 
--Tiernan 

On 30 June 2015 09:32:06 GMT+01:00, putra kurnia Ramadana 
ramadana.sibar...@gmail.com wrote:
Dear Friends,

I have completed downloading pfsense on my laptop, so I want to install
pfsense on my laptop in a VM, but why can't it install?
The file format of pfsense is iso.gz.

Please help me to install pfsense on my laptop.

Thank You.

*Sincerely Yours, *


*Putra Kurnia Ramadana*


Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread putra kurnia Ramadana
Dear Mr. Tiernan,

I have extracted pfsense, so what can I do after unzipping?
Do I have to burn it?
Thanks

*Sincerely Yours, *


*Putra Kurnia Ramadana*


Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread putra kurnia Ramadana
Dear Mr. Tiernan & Mr. Randy,

I use MS Windows 7 32-bit, and I use VMware Workstation 7.
Is that suitable for this?
Thank You.

*Sincerely Yours, *

*Putra Kurnia Ramadana*


Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread Ryan Coleman
There’s an OVA floating around somewhere still that had 2.0 on it, you could 
upgrade it through to 2.2.3 pretty easily…

I typically, though, use the ISO these days so I can have a little more 
flexibility in my installation. 



 On Jun 30, 2015, at 3:32 AM, putra kurnia Ramadana 
 ramadana.sibar...@gmail.com wrote:
 
 Dear Friends,
 
 I have completed downloading pfsense on my laptop, so I want to install
 pfsense on my laptop in a VM, but why can't it install?
 The file format of pfsense is iso.gz.
 
 Please help me to install pfsense on my laptop.
 
 Thank You.
 
 *Sincerely Yours, *
 
 
 *Putra Kurnia Ramadana*

Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread Tiernan OToole
As mentioned by Jostein in another post, it depends on your VM host: VMware, 
Hyper-V, VirtualBox all have options to attach an ISO to a VM. Google is your 
friend! 

Good luck! 
--Tiernan 

On 30 June 2015 10:04:21 GMT+01:00, putra kurnia Ramadana 
ramadana.sibar...@gmail.com wrote:
Dear Mr. Tiernan,

I have extracted pfsense, so what can I do after unzipping?
Do I have to burn it?
Thanks

*Sincerely Yours, *


*Putra Kurnia Ramadana*


Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread Wue Bob


On 30/06/15 11:21, putra kurnia Ramadana wrote:
 Dear Mr. Tiernan & Mr. Randy,

 I use MS Windows 7 32-bit, and I use VMware Workstation 7.
 Is that suitable for this?
 Thank You.

Yes.

How about following the Installation Howto?
https://doc.pfsense.org/index.php/Installing_pfSense

It's written in a way we couldn't say it better on this list. Look at
"Prepare Installation Media", where you find links to even more details
on how to write ISO images or writing disk images, depending on the
media you are going to use.

BTW, if you have a Unix (e. g. Linux) at your disposal, that's arguably
the far easiest - no need to unpack and do complicated things (is it
just me who thinks with Windows it's very complicated?).

Regards,
Bob



 *Sincerely Yours, *

 *Putra Kurnia Ramadana*


[pfSense] How to troubleshoot

2015-03-10 Thread Bryan D .
I have a v2.2 64-bit config running on a Core2 Duo system.  The config uses a 
number of aliases (including aliases that include other aliases, etc.).  Rules 
are based upon the aliases (du-oh!).

PROBLEM: if I change the name of 1 of the IP aliases, the name of the 
corresponding table doesn't change ... and, if I reboot, there's a complete 
failure in that NO tables get created (should be 100ish tables).

Reload the config without the change and all is OK.

Compare the config...xml files and there's only the expected changes (i.e., no 
structure corruption, only the name and change-management entries change).

The only error message I've seen is one that indicates something like 
ipsec_starter ... routing con (1000) failed and that doesn't appear to be 
consistent.  I've duplicated this failure on a second identical system, so it's 
unlikely to be hardware-related corruption.

None of the alias names are over 30 characters in length and the change that 
breaks things doesn't create a name that's unusual or as long as many others 
(it's simply adding On within the name).

I tried to create a minimal config that would fail in a similar way, but the 
same kind of thing no longer fails when other aliases/rules/whatever are not 
present.  Mr. Google hasn't helped me find anything similar that's been 
discussed (but I just may not have asked Mr. G. correctly).

I can and have made lots of changes to other aliases without issues, including 
additions and other name changes so it shouldn't be any size-limit boundary.

I have also seen some flaky behavior with the tables generated from some of 
the mixed aliases, where the table's reported content (via the GUI) will 
change as other alias name/content changes are made, but I haven't identified a 
pattern to this flakiness.

REQUEST: can anyone suggest:

- ways I can troubleshoot this

- anything I should be looking for
  + are there some unstated/unchecked limits/rules w.r.t. aliases
  + can one not freely create aliases that include other aliases
  + can aliases of type hosts not include aliases of networks type



[pfSense] how to get to CARP settings in 2.2?

2015-02-28 Thread Vick Khera
I must be totally blind here, but I cannot get to CARP configuration
settings on my 2.2 install.

I traversed the menus:

 Status -> CARP then clicked the + icon, but that takes me to HA sync.

 Firewall -> Virtual IPs -> CARP Settings, but that also takes me to HA
sync.

Re: [pfSense] how to get to CARP settings in 2.2?

2015-02-28 Thread Chris L
To set up the actual CARP VIPs you go to Firewall > Virtual IPs then create a 
VIP of type CARP. That’s where you set the freq, skew, etc.

 On Feb 28, 2015, at 7:18 AM, Vick Khera vi...@khera.org wrote:
 
 I must be totally blind here, but I cannot get to CARP configuration settings 
 on my 2.2 install.
 
 I traversed the menus:
 
  Status -> CARP then clicked the + icon, but that takes me to HA sync.
  
  Firewall -> Virtual IPs -> CARP Settings, but that also takes me to HA sync.
 
 

Re: [pfSense] How do I stop noise to logs

2015-02-23 Thread Chris Buechler
On Mon, Feb 23, 2015 at 10:48 AM, Tim Hogan t...@hoganzoo.com wrote:

 Ed,

 I have version 2.1.46.30093 installed on my NAS which is newer than the
 link below.  I have also discovered buried under the noise being created by
 the NAS that I have one other device also generating the same type of
 traffic, just not as often.  This other device was my Samsung Tablet and I
 found that if I turned off the media discovery service on the tablet that
 the traffic stopped.  I have disabled media sharing on the NAS but the
 traffic is still being generated.

 My point here is not to fix broken implementations that various vendors
 put in place but instead my feeling that I should be able to have some
 control over the built-in rules and prevent logging if I so desire.


Logging on that rule is controlled by whether you log for the default deny.
Status > System logs, Settings tab.

Re: [pfSense] How do I stop noise to logs

2015-02-23 Thread Edward Servello

Tim,

One more shot at this before I give up...

I created a sample rule using the GUI. Does your rule look like this one?

~Ed



On 2/23/2015 11:48 AM, Tim Hogan wrote:

Ed,

I have version 2.1.46.30093 installed on my NAS which is newer than 
the link below.  I have also discovered buried under the noise being 
created by the NAS that I have one other device also generating the 
same type of traffic, just not as often.  This other device was my 
Samsung Tablet and I found that if I turned off the media discovery 
service on the tablet that the traffic stopped.  I have disabled media 
sharing on the NAS but the traffic is still being generated.


My point here is not to fix broken implementations that various 
vendors put in place but instead my feeling that I should be able to 
have some control over the built-in rules and prevent logging if I 
so desire.


Regards,
Tim


On 2/23/2015 8:40 AM, Edward Servello wrote:

Hi again Tim,

Does your NAS device have the most recent firmware applied. I found 
this article with a link to firmware on the Lenovo site.


https://lenovo-na-en.custhelp.com/app/answers/detail/a_id/24661/kw/2.1.38.22294/related/1 



~Ed

On Mon, Feb 23, 2015 at 8:56 AM, Tim Hogan t...@hoganzoo.com wrote:


Ed,

I agree that it would be nice to be able to stop this at the
source however, the source is an iOmega ix-200d appliance. I have
manually set the IP address in the GUI but who knows how iOmega
has built this thing.  I have noticed that this traffic does not
start right after a reboot.  It takes a couple of minutes which
makes me think that there is some process that starts up that is
generating this traffic.  But without control at the OS layer I do
not know how to stop it.  So my option is to try and quiet the 
noise.


Regards,
Tim



On 2/22/2015 11:20 AM, Edward Servello wrote:

Hello Tim,

The problem appears in pfSense Issue 2073
https://redmine.pfsense.org/issues/2073.

The APIPA address (autoIP 169.254) is not valid on the
interface that's logging the error. That may be blocked and
logged by pfSense before the user-defined rules are applied.
Could the NAS be using the APIPA addresses because it's not
getting a response from DHCP? Did you try assigning a fixed,
valid address on the NAS to stop it from falling back to
169.254? It might be better overall to address the root cause
rather than stopping the logging.

~Ed

On 2/22/2015 9:25 AM, Tim Hogan wrote:

Hello All,

I am using pfSense v2.2 and I have been seeing a bunch of
firewall log entries blocking traffic to the
169.254.0.0/16 netblock.  This
traffic seems to be created by an older NAS that I have
and I really do not want these message in my logs. So, my
thought was that I would create a rule on my LAN to block
that traffic and I would just make sure that the log
traffic option was unchecked.  That did not work. When I
look at the log entry I see the following message.

The rule that triggered this action is:
@8(100102) block drop in log quick inet from any to
169.254.0.0/16 label Block IPv4
link-local

Where on earth is that rule so I can remove the log
option?  Or is there a setting that I missed somewhere?

Thanks,
Tim
















Re: [pfSense] How do I stop noise to logs

2015-02-23 Thread Jim Spaloss
If you're interested in just silencing the noise from that particular
device, create a block (or reject) rule that matches the source IP with
logging disabled on that rule.

I often do this on my WAN interfaces to keep NetBIOS noise from filling up
my logs.
On Feb 23, 2015 4:35 PM, Chris Buechler c...@pfsense.com wrote:



 On Mon, Feb 23, 2015 at 10:48 AM, Tim Hogan t...@hoganzoo.com wrote:

 Ed,

 I have version 2.1.46.30093 installed on my NAS which is newer than the
 link below.  I have also discovered buried under the noise being created by
 the NAS that I have one other device also generating the same type of
 traffic, just not as often.  This other device was my Samsung Tablet and I
 found that if I turned off the media discovery service on the tablet that
 the traffic stopped.  I have disabled media sharing on the NAS but the
 traffic is still being generated.

 My point here is not to fix broken implementations that various vendors
 put in place but instead my feeling that I should be able to have some
 control over the built-in rules and prevent logging if I so desire.


 Logging on that rule is controlled by whether you log for the default
 deny. Status > System logs, Settings tab.



[pfSense] How do I stop noise to logs

2015-02-22 Thread Tim Hogan

Hello All,

I am using pfSense v2.2 and I have been seeing a bunch of firewall log 
entries blocking traffic to the 169.254.0.0/16 netblock.  This traffic 
seems to be created by an older NAS that I have and I really do not want 
these message in my logs.  So, my thought was that I would create a rule 
on my LAN to block that traffic and I would just make sure that the log 
traffic option was unchecked.  That did not work.  When I look at the 
log entry I see the following message.


The rule that triggered this action is:
@8(100102) block drop in log quick inet from any to 169.254.0.0/16 
label Block IPv4 link-local


Where on earth is that rule so I can remove the log option?  Or is there 
a setting that I missed somewhere?


Thanks,
Tim

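The rule quoted in the log above is pf syntax, and two of its words decide the behaviour Tim is seeing: `log`, which is why the entry appears, and `quick`, which ends rule evaluation at the first match. The following is an added example, not code from this thread or from pfSense: a small Python model of pf's matching order run over that exact rule line and over a constructed user rule without logging, showing why a LAN rule added by the user never gets to decide for link-local traffic (pfSense writes its built-in block rules ahead of the user rules in the generated ruleset, so the `quick` built-in rule wins first). The user rule, the interface name em1 and the host addresses are constructed; interface and protocol matching are deliberately left out of the model.

```python
"""Added example (not from the thread): a minimal model of pf's rule matching
applied to the pfSense built-in link-local block rule from the log excerpt.

Assumptions: USER_LAN_RULE, the interface name and the addresses are
constructed; interface and protocol are not matched (pf does match them).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Covers the subset of pf rule syntax in the logged line: optional
# "@num(tracker)" prefix, action, direction, log/quick flags, optional
# interface, optional address family, from/to, optional label.
RULE_RE = re.compile(
    r"^(?:@(?P<num>\d+)\((?P<tracker>\d+)\)\s+)?"
    r"(?P<action>block|pass|match)(?:\s+(?P<how>drop|return))?"
    r"\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+(?P<af>inet6?))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r'(?:\s+label\s+"?(?P<label>.+?)"?)?$'
)


@dataclass
class Rule:
    number: Optional[int]      # position in the loaded ruleset ("@8" in the log)
    action: str
    direction: str
    log: bool                  # the "log" keyword: this rule writes a log entry
    quick: bool                # the "quick" keyword: first match ends evaluation
    iface: Optional[str]
    src: Optional[Network]     # None stands for "any"
    dst: Optional[Network]
    label: str


def _addr(token: str) -> Optional[Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    return Rule(
        number=int(m["num"]) if m["num"] else None,
        action=m["action"],
        direction=m["dir"],
        log=bool(m["log"]),
        quick=bool(m["quick"]),
        iface=m["iface"],
        src=_addr(m["src"]),
        dst=_addr(m["dst"]),
        label=m["label"] or "",
    )


def _hit(net: Optional[Network], addr) -> bool:
    return net is None or addr in net


def evaluate(rules: List[Rule], src: str, dst: str,
             direction: str = "in") -> Optional[Rule]:
    """pf semantics: the *last* matching rule decides, except that a matching
    rule marked "quick" stops evaluation there. Returns the deciding rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for rule in rules:
        if rule.direction == direction and _hit(rule.src, s) and _hit(rule.dst, d):
            winner = rule
            if rule.quick:
                break
    return winner


# The built-in rule exactly as the log excerpt in the thread shows it.
BUILTIN_LINKLOCAL = ("@8(100102) block drop in log quick inet from any to "
                     "169.254.0.0/16 label Block IPv4 link-local")
# Constructed: the kind of LAN rule the poster added, with logging left off.
USER_LAN_RULE = ("block drop in quick on em1 inet from 192.168.1.50 to "
                 "169.254.0.0/16 label constructed_user_rule_no_log")


def deciding_rule(src: str = "192.168.1.50", dst: str = "169.254.1.1") -> Rule:
    """Built-in rules precede user rules in pfSense's ruleset, so the
    built-in quick rule is hit first and its "log" flag applies."""
    ruleset = [parse_rule(BUILTIN_LINKLOCAL), parse_rule(USER_LAN_RULE)]
    return evaluate(ruleset, src, dst)


if __name__ == "__main__":
    hit = deciding_rule()
    print("decided by rule @%s, log=%s, label=%r" % (hit.number, hit.log, hit.label))
```

Reversing the two rules in `deciding_rule` makes the user rule win and the log flag disappear, which is exactly what a user cannot do from the rules page; that is why the answers in the thread point at the default-deny logging setting rather than at a new rule.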


Re: [pfSense] How to change driver for NIC

2015-01-07 Thread compdoc
 It is only pfSense 2.2 that has this unusable speed from other VMs 
in the Xenserver.

I installed xenserver with a pfSense guest on a machine, and had the same
problem. Traffic from hosts on the lan through the pfSense guest to the wan
is nice and fast, but traffic from other guests through pfSense drops to a
crawl. 

From what I can gather, this is a problem with the freebsd 10 drivers, and
not really related to pfSense. 

And unfortunately, you can't change the NIC emulation in xenserver for
guests. I tried in several ways. Freebsd 10 senses the xen environment and
installs the xen NIC drivers and there seems no way to change this. 

There are enough people with freebsd having this problem that I'm sure this
will be fixed before long.





[pfSense] How to change driver for NIC

2015-01-04 Thread Morten Christensen

As mentioned in another thread, pfSense 2.2 is not usable on a XenServer.

In the forum
https://forum.pfsense.org/index.php?topic=85797.0
it was mentioned, that I could try to change the driver away from xn, 
but I can not find a way to change the NIC driver on my virtualised 
pfSense 2.2.


Can anyone give me a description of how to change the driver?

--
Morten Christensen
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] How to change driver for NIC

2015-01-04 Thread compdoc
 Can anyone give me a description of how to change the driver?

Well, you would need to change the NIC itself. I haven't tried this, but the
following url explains the problem and might help fix the problem. 

http://www.netservers.co.uk/articles/open-source-howtos/citrix_e1000_gigabit

I switched to KVM because of the limitations of XenServer's networking.





Re: [pfSense] How to change driver for NIC

2015-01-04 Thread Morten Christensen

On 04-01-2015 at 15:55, compdoc wrote:

Can anyone give me a description of how to change the driver?

Well, you would need to change the NIC itself. I haven't tried this, but the
following url explains the problem and might help fix the problem.

http://www.netservers.co.uk/articles/open-source-howtos/citrix_e1000_gigabit

I switched to KVM because of the limitations of XenServer's networking.


Thanks for your answer.

Are you saying that I can only try to change the driver in XenServer?

Is it impossible to try to improve on pfSense 2.2's problem in pfSense?

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] How to change driver for NIC

2015-01-04 Thread compdoc
Is it impossible to try to improve on pfSense 2.2's problem in pfSense?

You might not be the only person having the problem, but I haven't
researched to know for sure. 

Sometimes, it's possible to do the work and discover the problem yourself.
There are a few areas of experimentation that might lead to the problem, or
to the solution...

First of all, it's possible that there is a problem with that version of
pfSense, something that may be fixed before or after its release.

Or, it's possible there is a problem with the drivers for the virtual NICs in
that version of FreeBSD. I guess that would be either the 100baseT Realtek NIC
emulation, or the XenServer NIC drivers if you have managed to install
those.

You can see if a better or newer driver exists. I have compiled Realtek's
newest FreeBSD drivers myself and used them, for example.

If you were to try the e1000 emulation as suggested in the url I posted and
saw no improvement, that knowledge might be a great help to the community.

Finally, there's the actual server hardware itself. It takes a certain
speed and type of CPU to host virtual machine firewalls. Also, certain brands
of network cards perform better than others. Maybe you can describe these...

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] How to change driver for NIC

2015-01-04 Thread Morten Christensen


Den 04-01-2015 kl. 18:57 skrev compdoc:

Is it impossible to try to improve on pfSense 2.2's problem in pfSense?

You might not be the only person having the problem, but I haven't
researched to know for sure.

Sometimes, it's possible to do the work and discover the problem yourself.
There are a few areas of experimentation that might lead to the problem, or
to the solution...

First of all, it's possible that there is a problem with that version of
pfSense, something that may be fixed before or after its release.

Or, it's possible there is a problem with the drivers for the virtual NICs in
that version of FreeBSD. I guess that would be either the 100baseT Realtek NIC
emulation, or the XenServer NIC drivers if you have managed to install
those.

You can see if a better or newer driver exists. I have compiled Realtek's
newest FreeBSD drivers myself and used them, for example.

If I could find drivers, I have no idea how to install them on pfSense.

If you were to try the e1000 emulation as suggested in the url I posted and
saw no improvement, that knowledge might be a great help to the community.

I tried to make the change from your link in the XenServer, and installed
a new pfSense 2.2.
The pfSense NICs were called xn like before, so I have no idea if it
had any effect.

The iperf network speed from another VM on the same XenServer through
pfSense was 1,4 Kbits/sec. As unusable as before with pfSense 2.2.

Finally, there's the actual server hardware itself. It takes a certain
speed and type of CPU to host virtual machine firewalls. Also, certain brands
of network cards perform better than others. Maybe you can describe these...

I don't think it is the hardware.
On the same hardware and the same XenServer install, pfSense 2.1,
IPCop and Zentyal all act normally.
It is only pfSense 2.2 that has this unusable speed from other VMs
in the XenServer.

As said in the other thread, speed from behind the XenServer is normal.

--
Morten Christensen
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] How to change driver for NIC

2015-01-04 Thread Chris L

 On Jan 4, 2015, at 1:42 PM, Morten Christensen mc-m...@g.mc.cx wrote:
 
 
 Den 04-01-2015 kl. 18:57 skrev compdoc:
 Is it impossible to try to improve on pfSense 2.2's problem in pfSense?
 You might not be the only person having the problem, but I haven't
 researched to know for sure.
 
 Sometimes, it's possible to do the work and discover the problem yourself.
 There are a few areas of experimentation that might lead to the problem, or
 to the solution...
 
 First of all, it's possible that there is a problem with that version of
 pfSense, something that may be fixed before or after its release.
 
 Or, it's possible there is a problem with the drivers for the virtual NICs in
 that version of FreeBSD. I guess that would be either the 100baseT Realtek NIC
 emulation, or the XenServer NIC drivers if you have managed to install
 those.
 
 You can see if a better or newer driver exists. I have compiled Realtek's
 newest FreeBSD drivers myself and used them, for example.
 If I could find drivers, I have no idea how to install them on pfSense.
 If you were to try the e1000 emulation as suggested in the url I posted and
 saw no improvement, that knowledge might be a great help to the community.
 I tried to make the change from your link in the XenServer, and installed a
 new pfSense 2.2.
 The pfSense NICs were called xn like before, so I have no idea if it had
 any effect.
 
 The iperf network speed from another VM on the same XenServer through pfSense
 was 1,4 Kbits/sec. As unusable as before with pfSense 2.2.
 
 
 Finally, there's the actual server hardware itself. It takes a certain
 speed and type of CPU to host virtual machine firewalls. Also, certain brands
 of network cards perform better than others. Maybe you can describe these...
 I don't think it is the hardware.
 On the same hardware and the same XenServer install, pfSense 2.1, IPCop
 and Zentyal all act normally.
 It is only pfSense 2.2 that has this unusable speed from other VMs in
 the XenServer.
 
 
 As said in the other thread, speed from behind the XenServer is normal.


There is definitely something wrong with 2.2 under XenServer 6.2. I'm seeing
exactly the same thing as Morten. To pfSense is fine. Through pfSense is
horrible.

2.1.5 is fine but represents re adapters, not xn.  I have not tried from 
pfSense to a VM on the same vswitch yet.  Only through pfSense 2.2 to the WAN.


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How do I fix this?

2014-09-04 Thread Brian Caouette
The price was right but yes, it consumes some power. It's loud and warms
the room. Should be good in another month or so when we turn the furnace
on. As for the NICs, I have no idea if they're Intel or not. Don't recall
that detail. I'll try your suggestion and change the time and see what
happens.


On 9/3/2014 3:40 PM, compdoc wrote:


I have tried the alternate IP. No change. Not sure what the other 
two do?


Some connections might be slow to respond occasionally, or not handle 
constant pings well. You can send fewer pings, (every 3 seconds for 
instance) and wait a longer period of time before declaring the link 
is down.  (like 30 seconds or so)


 The hardware is a dell 2850, i have a 15x1 cable connection.

If you have nothing better to do with the PowerEdge, might as well use
it. They look like they might consume some watts, though. Yours has
only Intel NICs?




___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How do I fix this?

2014-09-03 Thread Bob Gustafson

What version pfsense?

On 09/03/2014 12:30 PM, Brian Caouette wrote:

Sep 3 09:00:58  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 08:59:55  apinger: alarm canceled: dlois(192.254.233.145) *** delay ***
Sep 3 08:59:47  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:59:43  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:59:31  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:59:29  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:59:19  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 08:59:19  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:59:18  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:59:04  apinger: ALARM: dlois(192.254.233.145) *** delay ***
Sep 3 08:37:19  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 08:36:07  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 08:36:07  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:35:50  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:20:18  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 08:19:06  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 08:19:06  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:18:47  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:02:31  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 08:01:19  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 08:01:19  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:01:02  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 07:38:57  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 07:37:46  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 07:37:46  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 07:37:29  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 07:22:20  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 07:21:09  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 07:21:09  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 07:20:51  apinger: ALARM: dlois(192.254.233.145) *** down ***



___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How do I fix this?

2014-09-03 Thread Brian Caouette
2.1.4. Just one version behind. I haven't updated to the one announced a few
days ago.


On 9/3/2014 2:14 PM, Bob Gustafson wrote:

What version pfsense?




___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list




___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How do I fix this?

2014-09-03 Thread Brian Caouette
This problem has been here since I began using pfSense, even on another
hardware box. Not sure it's a version problem but I will be upgrading
soon as I always stay current.


On 9/3/2014 2:30 PM, Bob Gustafson wrote:

Why not try the upgrade. Maybe the problem will go away..

On 09/03/2014 01:20 PM, Brian Caouette wrote:
2.1.4 Just one version behind. I haven't updated to the announced a 
few days ago.


On 9/3/2014 2:14 PM, Bob Gustafson wrote:

What version pfsense?




___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How do I fix this?

2014-09-03 Thread compdoc
 Why not try the upgrade. Maybe the problem will go away..

 

There are also three settings for apinger that can be useful: Alternative
monitor IP, Probe Interval, and Down

 

Is this a new install, or a machine that recently developed a problem?

 

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How do I fix this?

2014-09-03 Thread Brian Caouette

On 9/3/2014 3:01 PM, compdoc wrote:


 Why not try the upgrade. Maybe the problem will go away..

There are also three settings for apinger that can be useful: 
Alternative monitor IP, Probe Interval, and Down


Is this a new install, or a machine that recently developed a problem?



It's always been like this, just never got around to asking anyone about
it. The hardware is a Dell 2850, I have a 15x1 cable connection. We have
6 people in the house. Should be overkill for us. Not sure why I would
be seeing packet loss. Watching the graph on the dashboard I've only hit
the 15 meg once. We typically average about half with everyone online.
YouTube, Netflix, Growtopia and Minecraft, Facebook, etc...
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How do I fix this?

2014-09-03 Thread Brian Caouette

On 9/3/2014 3:01 PM, compdoc wrote:


 Why not try the upgrade. Maybe the problem will go away..

There are also three settings for apinger that can be useful: 
Alternative monitor IP, Probe Interval, and Down


Is this a new install, or a machine that recently developed a problem?




I have tried the alternate IP. No change. Not sure what the other two do?
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How do I fix this?

2014-09-03 Thread compdoc
I have tried the alternate IP. No change. Not sure what the other two do?

 

Some connections might be slow to respond occasionally, or not handle
constant pings well. You can send fewer pings, (every 3 seconds for
instance) and wait a longer period of time before declaring the link is
down.  (like 30 seconds or so)

 

 The hardware is a dell 2850, i have a 15x1 cable connection.

 

If you have nothing better to do with the PowerEdge, might as well use it.
They look like they might consume some watts, though. Yours has only Intel
NICs?

 

 

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
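The apinger log posted earlier in this thread, run through a small parser as an added example (this is not code from the thread or from pfSense): it pairs each `ALARM ... down` with the following `alarm canceled ... down` for the same gateway to show how long each outage actually lasted, then estimates how many of those alarms would still have fired with a longer Down time, as suggested above. The embedded log lines are copied from Brian's post (the wrapped lines joined back together); the 10-second Down time assumed to have been in effect when the log was taken is an assumption, not something the thread states.

```python
import re
from datetime import datetime

# apinger log excerpt copied from the post above (newest line first, as pfSense shows it).
APINGER_LOG = """\
Sep 3 09:00:58  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 08:59:55  apinger: alarm canceled: dlois(192.254.233.145) *** delay ***
Sep 3 08:59:47  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:59:43  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:59:31  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:59:29  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:59:19  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 08:59:19  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:59:18  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:59:04  apinger: ALARM: dlois(192.254.233.145) *** delay ***
Sep 3 08:37:19  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 08:36:07  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 08:36:07  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:35:50  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:20:18  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 08:19:06  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 08:19:06  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:18:47  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 08:02:31  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 08:01:19  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 08:01:19  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 08:01:02  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 07:38:57  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 07:37:46  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 07:37:46  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 07:37:29  apinger: ALARM: dlois(192.254.233.145) *** down ***
Sep 3 07:22:20  apinger: ALARM: dlois(192.254.233.145) *** loss ***
Sep 3 07:21:09  apinger: alarm canceled: dlois(192.254.233.145) *** loss ***
Sep 3 07:21:09  apinger: alarm canceled: dlois(192.254.233.145) *** down ***
Sep 3 07:20:51  apinger: ALARM: dlois(192.254.233.145) *** down ***
"""

# Matches "<syslog timestamp>  apinger: ALARM|alarm canceled: <gw>(<ip>) *** <kind> ***".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+apinger: "
    r"(?P<event>ALARM|alarm canceled): (?P<gw>\w+)\((?P<ip>[\d.]+)\) "
    r"\*\*\* (?P<kind>\w+) \*\*\*$"
)


def parse_apinger(log_text):
    """Return (time, event, gateway, kind) tuples in chronological order.
    Lines that are not apinger alarm lines are skipped."""
    events = []
    # The GUI lists newest first; reverse before the stable sort so that
    # entries sharing a second keep their original relative order.
    for line in reversed(log_text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("event"), m.group("gw"), m.group("kind")))
    events.sort(key=lambda e: e[0])
    return events


def alarm_episodes(log_text, kind="down"):
    """Pair every 'ALARM ... <kind>' with the next 'alarm canceled ... <kind>' for
    the same gateway. Returns (gateway, start, end, seconds); an alarm that is
    never cancelled inside the log comes back with end=None, seconds=None."""
    open_alarms = {}
    episodes = []
    for ts, event, gw, k in parse_apinger(log_text):
        if k != kind:
            continue
        if event == "ALARM":
            open_alarms.setdefault(gw, ts)  # keep the first start if alarms repeat
        elif gw in open_alarms:
            start = open_alarms.pop(gw)
            episodes.append((gw, start, ts, int((ts - start).total_seconds())))
    for gw, start in open_alarms.items():
        episodes.append((gw, start, None, None))
    return episodes


def episodes_still_triggering(episodes, current_down, candidate_down):
    """Count episodes that would still raise 'down' with a longer Down time.
    apinger declares 'down' only after no reply for the configured Down time,
    so the full silent window is roughly current_down plus the time the alarm
    stayed active; episodes still open at the end of the log are counted."""
    return sum(
        1 for _, _, end, secs in episodes
        if end is None or current_down + secs >= candidate_down
    )


if __name__ == "__main__":
    eps = alarm_episodes(APINGER_LOG, "down")
    for gw, start, end, secs in eps:
        end_s = f"{end:%H:%M:%S}" if end else "still open"
        print(f"{gw}: down alarm {start:%H:%M:%S} -> {end_s} ({secs}s active)")
    current = 10  # ASSUMPTION: Down time in effect when the log was captured
    for cand in (10, 20, 30):
        n = episodes_still_triggering(eps, current, cand)
        print(f"Down={cand}s: {n} of {len(eps)} down alarms would still fire")
```

On this excerpt every down alarm was cancelled within 20 seconds, so the "wait 30 seconds or so" advice above would have suppressed all of them, while a 20-second Down time would still have fired for the five longer episodes. The same pairing with `kind="loss"` shows the loss alarms lasting roughly a quarter of an hour each, which is the part the longer Down time does not hide and is worth taking to the ISP.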
