Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)
I think this may be related, or another 1.2.2 upgrade woe to add to your list: I have 2 firewalls that were running 1.2, CARPed together with fw1 (master) syncing to fw2. Before upgrading fw1 to 1.2.2, I backed up the config files on both firewalls. I have verified that the rules sections are identical on both firewalls. I upgraded fw1 to 1.2.2 and left fw2 at 1.2 just in case I ran into problems. I did (run into problems):

I have an old mailserver outside the firewall relaying mail to a new mailserver behind the firewall. After the 1.2.2 upgrade, fw1 continues to relay okay, until someone sends a large-ish attachment that needs to be relayed between the two mailservers (xxx.xxx.51.1 is the mailserver outside the firewall and yyy.yyy.209.2 is the mailserver inside the firewall).

fw1 (1.2.2) reports:

Jan 30 08:11:10 fw1/fw1 pf: 15. 670556 rule 1581/0(match): block in on em1: (tos 0x0, ttl 63, id 23650, offset 0, flags [none], proto TCP (6), length 1500) xxx.xxx.51.1.63475 > yyy.yyy.209.2.25: . 0:1460(1460) ack 1 win 49498

Relevant fw1 rules:

@264 pass in quick on em1 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"
@265 pass in quick on carp11 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"
...
@1581 block drop in log quick all label "Default deny rule"

As soon as I shut down fw1 and leave fw2 as master, I send the same email message again, this time successfully. fw2 reports (I enabled rule logging on fw2):

Jan 30 09:17:13 fw2/fw2 pf: 288961 rule 255/0(match): pass in on em1: (tos 0x0, ttl 63, id 41857, offset 0, flags [none], proto: TCP (6), length: 48) xxx.xxx.51.1.33879 > yyy.yyy.209.2.25: S, cksum 0xc441 (correct), 951133206:951133206(0) win 49640 <mss 1460,nop,nop,sackOK>
Jan 30 09:17:43 fw2/fw2 pf: 1. 324892 rule 255/0(match): pass in on em1: (tos 0x0, ttl 63, id 35233, offset 0, flags [none], proto: TCP (6), length: 48) xxx.xxx.51.1.33890 > yyy.yyy.209.2.25: S, cksum 0x93fb (correct), 959337428:959337428(0) win 49640 <mss 1460,nop,nop,sackOK>

fw2 rules:

@255 pass in quick on em1 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state label "USER_RULE: MTA"
@256 pass in quick on carp11 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state label "USER_RULE: MTA"

I don't want to downgrade given that there are security fixes between 1.2 and 1.2.2. Your help always appreciated!

-Julie
Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)
I think my problem may be related, or may be another 1.2.2 upgrade woe to add to your list: I have 2 firewalls that were running 1.2, CARPed together with fw1 (master) syncing to fw2. Before upgrading fw1 to 1.2.2, I backed up the config files on both firewalls. I have verified that the rules sections are identical on both firewalls. I upgraded fw1 to 1.2.2 and left fw2 at 1.2 just in case I ran into problems. I did (run into problems):

I have an old mailserver xxx.xxx.51.1 outside the firewall forwarding mail to a new mailserver yyy.yyy.209.2 behind the firewall. After the 1.2.2 upgrade, fw1 continues to allow these packets okay, until someone sends a large-ish attachment that needs to be relayed between the two mailservers.

fw1 (1.2.2) reports:

Jan 30 08:11:10 fw1/fw1 pf: 15. 670556 rule 1581/0(match): block in on em1: (tos 0x0, ttl 63, id 23650, offset 0, flags [none], proto TCP (6), length 1500) xxx.xxx.51.1.63475 > yyy.yyy.209.2.25: . 0:1460(1460) ack 1 win 49498

Relevant fw1 rules:

@264 pass in quick on em1 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"
@265 pass in quick on carp11 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"
...
@1581 block drop in log quick all label "Default deny rule"

As soon as I shut down fw1 and let fw2 take over, the problem goes away. I send the same email message again, no problem. fw2 reports (I enabled rule logging on fw2):

Jan 30 09:17:13 fw2/fw2 pf: 288961 rule 255/0(match): pass in on em1: (tos 0x0, ttl 63, id 41857, offset 0, flags [none], proto: TCP (6), length: 48) xxx.xxx.51.1.33879 > yyy.yyy.209.2.25: S, cksum 0xc441 (correct), 951133206:951133206(0) win 49640 <mss 1460,nop,nop,sackOK>
Jan 30 09:17:43 fw2/fw2 pf: 1. 324892 rule 255/0(match): pass in on em1: (tos 0x0, ttl 63, id 35233, offset 0, flags [none], proto: TCP (6), length: 48) xxx.xxx.51.1.33890 > yyy.yyy.209.2.25: S, cksum 0x93fb (correct), 959337428:959337428(0) win 49640 <mss 1460,nop,nop,sackOK>

fw2 rules:

@255 pass in quick on em1 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state label "USER_RULE: MTA"
@256 pass in quick on carp11 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state label "USER_RULE: MTA"

I don't want to downgrade given that there are security fixes between 1.2 and 1.2.2. Your help always appreciated!

LJR

----- Original Message -----
From: Chris Buechler c...@pfsense.org
To: support@pfsense.com
Sent: Thursday, January 29, 2009 10:13:19 PM
Subject: Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)

On Thu, Jan 29, 2009 at 11:45 PM, Curtis LaMasters curtislamast...@gmail.com wrote:

At my company we host a large number of dotnet sites and have now been plagued with an issue in our hosting environment. Nearly all of our sites now report periodic disconnects where users viewing the sites who have sessions on the servers (portals, forms, etc.) get disconnected from the session and brought right back to the home page. To ME, this does not sound like a firewall issue; however, our first 3 reports of this happened the day after I upgraded from 1.2-RELEASE to 1.2.2. Any ideas? I'll upgrade to 1.2.3 during the next downtime but I don't want to do too much at a time.

Coincidence. I wouldn't upgrade to 1.2.3 yet, that's not necessarily stable as it was just recently switched to FreeBSD 7.1. If it were a firewall problem, it would be pages not loading at all, or page loads not completing, things of that nature - network connectivity problems. Getting kicked out of a session on a web server isn't a network connectivity problem.

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
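An added example for the two messages above (not pfSense code and not the poster's): it parses the pf log lines and the pfctl rule listing as quoted, keeping the xxx/yyy placeholders, and classifies each logged packet against the ruleset it was logged under. Two pf behaviours drive the classification. First, a logged "pass" on a keep-state rule is the packet that created the state; later packets of that connection are matched from the state table and never traverse, or log, the rules. Second, a rule with "flags S/SA" only matches packets with SYN set and ACK clear, so an ACK-only data segment that has no state entry cannot match it and falls through to the logging default deny. That is exactly the shape of fw1's entry (rule 1581, a 1460-byte "." segment with ack 1), and the fw1 ruleset shown carries "flags S/SA" on the MTA rules where fw2's 1.2 ruleset does not. The classification codes are this example's own; it says only that the packet reached pf without a matching state, not why the state was missing.

```python
"""Classify pf log entries against the ruleset they were logged under.

Added example for the pfSense thread above; not pfSense code. The log and rule
lines are copied from the post with its xxx/yyy placeholders; everything else
is this example's own construction.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copies of the lines quoted in the thread (placeholders, not real hosts).
FW1_LOG = ("Jan 30 08:11:10 fw1/fw1 pf: 15. 670556 rule 1581/0(match): block in on em1: "
           "(tos 0x0, ttl 63, id 23650, offset 0, flags [none], proto TCP (6), length 1500) "
           "xxx.xxx.51.1.63475 > yyy.yyy.209.2.25: . 0:1460(1460) ack 1 win 49498\n")
FW1_RULES = ('@264 pass in quick on em1 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 '
             'to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"\n'
             '@265 pass in quick on carp11 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 '
             'to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"\n'
             '@1581 block drop in log quick all label "Default deny rule"\n')
FW2_LOG = ("Jan 30 09:17:13 fw2/fw2 pf: 288961 rule 255/0(match): pass in on em1: "
           "(tos 0x0, ttl 63, id 41857, offset 0, flags [none], proto: TCP (6), length: 48) "
           "xxx.xxx.51.1.33879 > yyy.yyy.209.2.25: S, cksum 0xc441 (correct), "
           "951133206:951133206(0) win 49640 <mss 1460,nop,nop,sackOK>\n")
FW2_RULES = ('@255 pass in quick on em1 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state label "USER_RULE: MTA"\n'
             '@256 pass in quick on carp11 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state label "USER_RULE: MTA"\n')

# "<ts> <host> pf: <tcpdump delta> rule N/0(match): <action> <dir> on <if>: (<ip hdr>) src.port > dst.port: <tcp>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pf: .*?rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(.*?proto:? (?P<proto>\w+) \(\d+\), length:? (?P<len>\d+)\) "
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
# pfctl -vvsr style: "@N <action> [drop] <dir> [log] quick [on <if>] ... [from A to B] ..."
RULE_RE = re.compile(
    r'^@(?P<num>\d+) (?P<action>pass|block)(?: drop)? (?P<dir>in|out)(?: log)? quick'
    r'(?: on (?P<iface>\w+))?(?: .*? from (?P<src>\S+) to (?P<dst>\S+))?(?P<rest>.*)$')


@dataclass
class PfEvent:
    host: str; rule: int; action: str; direction: str; iface: str
    proto: str; length: int; src: str; sport: int; dst: str; dport: int
    tcp_flags: str  # tcpdump flag token: "S" = SYN, "." = ACK only (no SYN/FIN/RST/PSH)


@dataclass
class PfRule:
    num: int; action: str; direction: str; iface: Optional[str]
    src: Optional[str]; dst: Optional[str]; syn_only: bool; label: str

    def covers(self, ev: PfEvent) -> bool:
        """Interface, direction and endpoints match the packet (TCP flags ignored)."""
        return (self.direction == ev.direction and self.iface in (None, ev.iface)
                and self.src in (None, "any", ev.src) and self.dst in (None, "any", ev.dst))


def parse_pf_line(line: str) -> Optional[PfEvent]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    flags = m["rest"].split()[0].rstrip(",") if m["proto"] == "TCP" else ""
    return PfEvent(m["host"], int(m["rule"]), m["action"], m["dir"], m["iface"], m["proto"],
                   int(m["len"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"]), flags)


def parse_rules(text: str) -> Dict[int, PfRule]:
    rules: Dict[int, PfRule] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        lab = re.search(r'label "([^"]*)"', m["rest"])
        rules[int(m["num"])] = PfRule(int(m["num"]), m["action"], m["dir"], m["iface"], m["src"],
                                      m["dst"], "flags S/SA" in m["rest"], lab.group(1) if lab else "")
    return rules


def diagnose(ev: PfEvent, rules: Dict[int, PfRule]) -> str:
    """Classify one logged packet. A logged pass is the state-creating packet; later packets
    of the same connection are matched from the state table and are not logged."""
    if ev.proto != "TCP":
        return "NON_TCP"
    is_syn = "S" in ev.tcp_flags
    if ev.action == "pass":
        return "PASS_SYN" if is_syn else "PASS_MIDSTREAM"   # mid-stream only possible without flags S/SA
    covering = [r for r in rules.values() if r.action == "pass" and r.covers(ev)]
    if not covering:
        return "BLOCK_UNCOVERED"          # no pass rule for this src/dst on this interface at all
    if not is_syn and all(r.syn_only for r in covering):
        return "BLOCK_NO_STATE_SYN_ONLY"  # non-SYN segment, no state, pass rules are SYN-only
    return "BLOCK_OTHER"


def analyze(log_text: str, rules_text: str) -> List[Tuple[str, str]]:
    rules = parse_rules(rules_text)
    out = []
    for line in log_text.splitlines():
        ev = parse_pf_line(line)
        if ev:
            desc = f"{ev.host} rule {ev.rule} {ev.action} {ev.src}:{ev.sport} > {ev.dst}:{ev.dport} flags={ev.tcp_flags}"
            out.append((desc, diagnose(ev, rules)))
    return out


if __name__ == "__main__":
    for desc, code in analyze(FW1_LOG, FW1_RULES) + analyze(FW2_LOG, FW2_RULES):
        print(f"{code:<24} {desc}")
```

Against a live box, feed it the firewall's pf syslog entries and the output of pfctl -vvsr, which prints the @N rule numbers the log entries refer to.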
Re: [pfSense Support] dhcp failover--missing parameter in web interface?
Please note that this may not just be a matter of preference to have the second pfSense box designated as secondary DHCP server. I am also hoping it will resolve the issue I reported earlier of running out of free IPs from the dynamic range even before the stash is exhausted. I have completely abandoned using dynamic DHCP in my setup because of this outstanding issue--it did not get resolved even after the dhcpd package was updated to the latest version. Thanks.

LJ

----- Original Message -----
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Monday, July 9, 2007 5:30:42 PM
Subject: Re: [pfSense Support] dhcp failover--missing parameter in web interface?

On 7/9/07, LJ Rand [EMAIL PROTECTED] wrote:

I am running 1.2-beta-1 snapshot 05-11-2007 on 2 pfSense firewalls CARP'ed together. I configured the DHCP server in failover mode for both firewalls, following instructions. I do not see on the web interface how to set the second firewall as secondary DHCP, so when I check the resultant /var/dhcpd/etc/dhcpd.conf file, both firewalls consider themselves as primary. My preference is for all clients to take their DHCP address configuration from the first firewall, and only contact the second firewall when the first one is down. I could manually edit the above dhcpd.conf file, but I don't want to keep doing that every time I reload the configuration. Would someone please look into this issue? Thanks.

Woops, I misread this originally. Please ignore me.

Scott
[pfSense Support] dhcp failover--missing parameter in web interface?
I am running 1.2-beta-1 snapshot 05-11-2007 on 2 pfSense firewalls CARP'ed together. I configured the DHCP server in failover mode for both firewalls, following instructions. I do not see on the web interface how to set the second firewall as secondary DHCP, so when I check the resultant /var/dhcpd/etc/dhcpd.conf file, both firewalls consider themselves as primary. My preference is for all clients to take their DHCP address configuration from the first firewall, and only contact the second firewall when the first one is down. I could manually edit the above dhcpd.conf file, but I don't want to keep doing that every time I reload the configuration. Would someone please look into this issue? Thanks.

JR
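An added example for the two messages above, not pfSense's or ISC's code: it parses the failover peer stanza out of two dhcpd.conf files, reports when both nodes declare themselves primary (the symptom described), checks that each node's address/port is the other's peer address/peer port, and rewrites the second node's stanza as the secondary. The stanzas are constructed from the dhcpd.conf(5) failover syntax, with RFC 5737 documentation addresses and the 519/520 port pair the poster mentions in the CARP bug report on this page; mclt, split and hba are dropped from the secondary because dhcpd.conf(5) allows them only on the primary.

```python
"""Check a pair of ISC dhcpd failover-peer stanzas for a usable primary/secondary split.

Added example for the pfSense DHCP failover thread above; not pfSense or ISC code.
The stanzas are constructed to match what the thread describes (both nodes generated
as "primary"), using RFC 5737 documentation addresses and the 519/520 port pair.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

FW1_CONF = """\
failover peer "dhcp" {
  primary;
  address 192.0.2.1;
  port 519;
  peer address 192.0.2.2;
  peer port 520;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
"""
# fw2 as the web interface generated it: addresses swapped but still "primary".
FW2_CONF = """\
failover peer "dhcp" {
  primary;
  address 192.0.2.2;
  port 520;
  peer address 192.0.2.1;
  peer port 519;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
"""

STANZA_RE = re.compile(r'failover peer "(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}')
PRIMARY_ONLY = ("mclt", "split", "hba")   # dhcpd.conf(5): valid on the primary only


@dataclass
class FailoverPeer:
    name: str
    role: str                 # "primary", "secondary" or "unset"
    options: Dict[str, str]   # e.g. {"address": "192.0.2.1", "peer port": "520"}


def parse_failover(conf: str) -> List[FailoverPeer]:
    peers = []
    for m in STANZA_RE.finditer(conf):
        role, opts = "unset", {}
        for stmt in m["body"].split(";"):
            stmt = " ".join(stmt.split())            # collapse newlines and indentation
            if not stmt:
                continue
            if stmt in ("primary", "secondary"):
                role = stmt
            else:
                key, _, value = stmt.rpartition(" ")  # "peer address 192.0.2.2" -> ("peer address", "192.0.2.2")
                opts[key] = value
        peers.append(FailoverPeer(m["name"], role, opts))
    return peers


def check_pair(a: FailoverPeer, b: FailoverPeer) -> List[str]:
    """Problem codes for the pair; an empty list means the two stanzas form a valid pair."""
    problems = []
    if a.name != b.name:
        problems.append("NAME_MISMATCH")
    roles = sorted([a.role, b.role])
    if roles != ["primary", "secondary"]:
        problems.append("ROLE_CONFLICT:" + "/".join(roles))
    for me, other in ((a, b), (b, a)):
        if me.options.get("address") != other.options.get("peer address"):
            problems.append(f"PEER_ADDRESS_MISMATCH:{me.options.get('address')}")
        if me.options.get("port") != other.options.get("peer port"):
            problems.append(f"PEER_PORT_MISMATCH:{me.options.get('port')}")
        if me.role == "secondary":
            problems += [f"PRIMARY_ONLY_ON_SECONDARY:{k}" for k in PRIMARY_ONLY if k in me.options]
    return problems


def make_secondary(conf: str) -> str:
    """Rewrite a stanza that was generated as primary into the matching secondary stanza."""
    out = []
    for line in conf.splitlines():
        stmt = line.strip().rstrip(";")
        if stmt == "primary":
            line = line.replace("primary", "secondary")
        elif stmt.split(" ")[0] in PRIMARY_ONLY:
            continue                                  # mclt/split/hba stay on the primary
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fw1, fw2 = parse_failover(FW1_CONF)[0], parse_failover(FW2_CONF)[0]
    print("as generated:", check_pair(fw1, fw2))
    fixed = parse_failover(make_secondary(FW2_CONF))[0]
    print("after rewrite:", check_pair(fw1, fixed) or "ok")
    print(make_secondary(FW2_CONF))
```

The rewrite is what the poster was doing by hand after each reload; the checker is the part worth keeping, since a regenerated dhcpd.conf that silently reverts to two primaries is exactly what it catches.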
Re: [pfSense Support] DST 2007-ready?
What you want to see, regardless of your timezone, is when it switches from ?ST to ?DT. So for 2007, more precisely, you want:

# date -r 1173607199
Sun Mar 11 01:59:59 PST 2007
# date -r 1173607200
Sun Mar 11 03:00:00 PDT 2007

----- Original Message -----
From: stephan peterson [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Thursday, March 1, 2007 8:03:37 PM
Subject: Re: [pfSense Support] DST 2007-ready?

Vivek,

Here are my results:

# date -r 1175386460 ; date -r 1175486460
Sat Mar 31 19:14:20 CDT 2007
Sun Apr 1 23:01:00 CDT 2007

Mine are off an hour, but I'm in a different time zone, so does that account for the difference? I wish I could have done this little test before doing the upgrade. :-)

Thanks,
Stephan

On Mar 1, 2007, at 10:06 AM, Vivek Khera wrote:

On Feb 28, 2007, at 11:44 PM, stephan peterson wrote:

What can I do to make sure the new zoneinfo file(s) are being used? I'm not sure from LJ's message what to look for.

In the USA, run this command line:

date -r 1175386460 ; date -r 1175486460

You should get something like this on a corrected system:

Sat Mar 31 20:14:20 EDT 2007
Mon Apr 2 00:01:00 EDT 2007

Whereas on an incorrect (i.e., older zone file) system you would get:

Sat Mar 31 19:14:20 EST 2007
Mon Apr 2 00:01:00 EDT 2007

If you have any other FreeBSD system, you can simply copy a working /etc/localtime file onto the one on your pfSense box. My understanding is that any Unix system using the same zone info compiler (pretty much any Unix in existence) should produce working zone files.
Re: [pfSense Support] DST 2007-ready?
That worked. Thanks, Scott!

----- Original Message -----
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Tuesday, February 27, 2007 9:43:32 AM
Subject: Re: [pfSense Support] DST 2007-ready?

Anyone wanting to update their TZ can issue the following commands:

fetch -o /usr/share/ http://www.pfsense.com/~sullrich/zoneinfo.tgz

Reboot the firewall and you should be set.

Scott

On 2/26/07, LJ Rand [EMAIL PROTECTED] wrote:

I've downloaded and rebooted to the latest snapshot (2-21-2007), firewall rebooted, /etc/localtime already updated. But when I ran:

# date -r 1173693660
Mon Mar 12 02:01:00 PST 2007

That seems to tell me that PDT won't kick in as expected. As opposed to:

# date -r 1175486460
Sun Apr 1 21:01:00 PDT 2007
# date -r 1175386460
Sat Mar 31 16:14:20 PST 2007

So it still looks like my system won't switch to PDT until the first Sunday in April?

----- Original Message -----
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Friday, February 23, 2007 1:33:10 PM
Subject: Re: [pfSense Support] DST 2007-ready?

Both FreeBSD 6.1 and 6.2 are already ready for this change IIRC. If you are in doubt, update to this month's snapshot, which is based on 6.2 and definitely has support for Congress's half-brained decision.

Scott

On 2/23/07, LJ Rand [EMAIL PROTECTED] wrote:

Hi, how can I tell that my pfSense firewalls are DST 2007-ready? What to do if not? I am running 1.0.1-SNAPSHOT-01-19-2007.

JR
Re: [pfSense Support] DST 2007-ready?
I've downloaded and rebooted to the latest snapshot (2-21-2007), firewall rebooted, /etc/localtime already updated. But when I ran:

# date -r 1173693660
Mon Mar 12 02:01:00 PST 2007

That seems to tell me that PDT won't kick in as expected. As opposed to:

# date -r 1175486460
Sun Apr 1 21:01:00 PDT 2007
# date -r 1175386460
Sat Mar 31 16:14:20 PST 2007

So it still looks like my system won't switch to PDT until the first Sunday in April?

----- Original Message -----
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Friday, February 23, 2007 1:33:10 PM
Subject: Re: [pfSense Support] DST 2007-ready?

Both FreeBSD 6.1 and 6.2 are already ready for this change IIRC. If you are in doubt, update to this month's snapshot, which is based on 6.2 and definitely has support for Congress's half-brained decision.

Scott

On 2/23/07, LJ Rand [EMAIL PROTECTED] wrote:

Hi, how can I tell that my pfSense firewalls are DST 2007-ready? What to do if not? I am running 1.0.1-SNAPSHOT-01-19-2007.

JR
[pfSense Support] DST 2007-ready?
Hi, how can I tell that my pfSense firewalls are DST 2007-ready? What to do if not? I am running 1.0.1-SNAPSHOT-01-19-2007.

JR
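An added example for this DST thread, not pfSense or FreeBSD code: it computes the US DST transition instants from the statutory rules alone (first Sunday in April to last Sunday in October before 2007; second Sunday in March to first Sunday in November from 2007 on) without reading any zoneinfo file, and formats a given epoch the way date -r prints it under either rule set. That makes it a reference to compare the firewall's date -r output against: for the probe values quoted in the thread (1173607199/1173607200 and 1173693660 for Pacific, 1175386460/1175486460 for Eastern and Central), a stale zone file reproduces the "pre2007" rendering and a corrected one the "2007" rendering. The zone's standard-time offset and abbreviations are supplied by the caller; nothing here consults the system clock or tzdata, which is the point.

```python
"""Compute US DST transition instants under the pre-2007 and 2007 rules.

Added example for the pfSense "DST 2007-ready?" thread; not pfSense or FreeBSD code.
It derives the instants from the statutory rules alone (no zoneinfo files), so its
output is an independent reference to compare `date -r` on the firewall against.
"""
import calendar
from datetime import date, datetime, timedelta, timezone
from typing import List, Tuple

# Statutory rules: (start month, start nth Sunday, end month, end nth Sunday); -1 = last.
RULES = {
    "pre2007": (4, 1, 10, -1),   # first Sunday in April .. last Sunday in October
    "2007":    (3, 2, 11, 1),    # second Sunday in March .. first Sunday in November
}


def nth_sunday(year: int, month: int, n: int) -> date:
    sundays = [d for d in calendar.Calendar().itermonthdates(year, month)
               if d.month == month and d.weekday() == calendar.SUNDAY]
    return sundays[n - 1] if n > 0 else sundays[n]


def transitions(year: int, std_offset_hours: int, rules: str = "2007") -> Tuple[int, int]:
    """Epoch seconds at which DST starts (02:00 standard time) and ends (02:00 daylight time)."""
    sm, sn, em, en = RULES[rules]
    start, end = nth_sunday(year, sm, sn), nth_sunday(year, em, en)
    std = timezone(timedelta(hours=std_offset_hours))
    dst = timezone(timedelta(hours=std_offset_hours + 1))
    return (int(datetime(start.year, start.month, start.day, 2, tzinfo=std).timestamp()),
            int(datetime(end.year, end.month, end.day, 2, tzinfo=dst).timestamp()))


def render(epoch: int, std_offset_hours: int, std_abbr: str, dst_abbr: str,
           rules: str = "2007") -> str:
    """Format `epoch` the way `date -r` would on a system whose zone file follows `rules`."""
    year = datetime.fromtimestamp(epoch, timezone.utc).year
    start, end = transitions(year, std_offset_hours, rules)
    in_dst = start <= epoch < end
    local = datetime.fromtimestamp(epoch, timezone(timedelta(hours=std_offset_hours + (1 if in_dst else 0))))
    # date(1) pads the day of month to two characters, hence the {local.day:2d}.
    return f"{local:%a %b} {local.day:2d} {local:%H:%M:%S} {dst_abbr if in_dst else std_abbr} {local.year}"


def disagreement_windows(year: int, std_offset_hours: int) -> List[Tuple[int, int]]:
    """Epoch ranges in which a stale (pre-2007) zone file and a current one disagree on local
    time: the weeks between the new and old start, and between the old and new end."""
    new_start, new_end = transitions(year, std_offset_hours, "2007")
    old_start, old_end = transitions(year, std_offset_hours, "pre2007")
    return [(new_start, old_start), (old_end, new_end)]


if __name__ == "__main__":
    # The Pacific-time probes quoted in the thread, under both rule sets.
    for epoch in (1173607199, 1173607200, 1173693660, 1175386460, 1175486460):
        print(epoch, "| 2007:", render(epoch, -8, "PST", "PDT"),
              "| pre2007:", render(epoch, -8, "PST", "PDT", "pre2007"))
    for lo, hi in disagreement_windows(2007, -8):
        print(f"stale zone file visible for epochs {lo} .. {hi - 1}")
```

Pick any epoch inside a disagreement window, run date -r on the firewall, and match it against the two renderings: the "pre2007" one means the zone file was never replaced, regardless of what the snapshot date says.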
[pfSense Support] update to dhcp package
I am running into problems with my failover DHCP peer configuration: "peer holds all free leases" appears in the logs as several clients can't get a DHCP lease, even when there is lots of room in the dynamic pool. The package that comes with pfSense 1.0.1 is still version 3.0.4. I am hoping ISC's version 3.0.5 addresses the issue. Would this new package make it to pfSense's next release, please? Thanks.

JR
[pfSense Support] CARP bug?
I have 2 pfSense firewalls (both running 1.0-SNAPSHOT-09-14-06) CARP'ed together and supporting several VLANs. They also provide DHCP service, and I specify the failover peer IP of the other pfSense firewall in order to keep the DHCP leases in sync. (Minor issue: why is the box for this item a tad too small to display the entire IP address?)

The first thing I noticed in the logs was that the port 519/520 DHCP updates were being blocked by the firewall, except on the LAN subnet. So I put in a firewall rule on every VLAN to allow this traffic from the master firewall to the backup, even though both interfaces are on the same VLAN. Since the rule specifies the IP address of the opposite pfSense box, it should not be synced, so I tick the NO XMLRPC SYNC box to make sure this rule does not sync from the master firewall to the backup. I make a similar entry in the backup firewall as well, but specifying port 520 on the master firewall's IP.

The problem: this rule keeps disappearing on the backup firewall. I suppose this happens whenever the firewall rules are synced up. I've put in the rule twice now, and it has disappeared both times. The master firewall is okay. So methinks it's an undesirable CARP feature, aka a bug.

Thanks for your attention on this matter.
[pfSense Support] static ARP entries
I am running the latest snapshot: 1.0-SNAPSHOT-09-14-06

Whenever I tick the "Enable Static ARP Entries" box on the DHCP server, I get the following complaint in my logs:

dhcpd: failover peer dhcp6: invalid argument

I've tried to search the support archives, as well as check the dhcp man pages, but didn't find anything useful. TIA.
[pfSense Support] plain text passwords in config.xml
I have updated to RELENG_1_SNAPSHOT_03. I am concerned about having plain text passwords in the config.xml file, especially the one used by pfsync to get to the webGUI interface of the second pfSense box. What extra precautions can be taken to avoid this, or to at least mitigate the risk?

JR
Re: [pfSense Support] plain text passwords in config.xml
Thanks, all those suggestions help and have been observed. But I still worry about some remote attacker tricking the firewall into somehow sending or exposing the contents of the config.xml file. It kind of feels like having an /etc/passwd or /etc/shadow file where the password fields are plain text. Is it not possible to have the webGUI account be a more limited firewall administrator account, or something along those lines, using sudo, etc.?

Also, I notice that even after the upgrade to the latest snapshot, my latest /conf/backup/conf*.xml files still switch to world-read permissions, even though my /conf/config.xml is rw by owner only. As a precaution, I do have permissions on the directories themselves restricted to 700, but I don't think this is the default.
[pfSense Support] permissions on config.xml
New user, so bear with me. I've installed on 2 boxes, gotten pfsync/CARP working with VLANs and all; thanks for this great piece of work. However, I am wondering why the permissions on the config.xml file are so open (world-read, and the backup/config*xml files are world-writable!). Given that they contain passwords in plain text, I worry. What should the permissions properly be, and why does it not come that way to begin with?

JR
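An added example for the three config.xml messages on this page, not pfSense code: it audits a configuration tree for files and directories that grant group or other access, flags XML files that both contain a credential-looking element and are not owner-only, and tightens everything to 0600 on files and 0700 on directories. It runs against a constructed copy of the layout the posts describe (config.xml plus backup/config-*.xml) built in a temporary directory with the loose modes complained about; the <password> element in the sample and the tag-name heuristic are assumptions for illustration, not pfSense's schema. Mode bits only protect against other local accounts; they do nothing against a compromise of the process that legitimately reads the file, which is the remote-exposure worry raised in the reply above, so treat this as the baseline check, not the answer to that question.

```python
"""Audit and tighten permissions on a configuration tree holding plaintext secrets.

Added example for the pfSense config.xml permission threads; not pfSense code.
Builds a constructed copy of the layout the posts describe (config.xml plus
backup/config-*.xml) in a temporary directory. The <password> element in the
sample XML and the tag-name heuristic are assumptions, not pfSense's schema.
"""
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw1</hostname><password>not-a-real-secret</password></system>
</pfsense>
"""
# Assumption: a credential element is one whose tag name contains pass, secret or key.
SECRET_TAG_RE = re.compile(r"<(\w*(?:pass|secret|key)\w*)>", re.I)


def audit_tree(root: Path) -> List[Tuple[str, str]]:
    """Return (path relative to root, finding code) pairs; empty means owner-only throughout."""
    findings = []
    for path in [root] + sorted(root.rglob("*")):
        rel = "." if path == root else str(path.relative_to(root))
        mode = stat.S_IMODE(path.lstat().st_mode)
        if path.is_dir():
            if mode & 0o077:
                findings.append((rel, "DIR_NOT_PRIVATE"))   # others can list or traverse it
            continue
        if mode & 0o022:
            findings.append((rel, "WRITABLE_BY_OTHERS"))    # anyone local can replace the config
        elif mode & 0o044:
            findings.append((rel, "READABLE_BY_OTHERS"))
        if mode & 0o077 and path.suffix == ".xml" and SECRET_TAG_RE.search(path.read_text(errors="replace")):
            findings.append((rel, "SECRET_EXPOSED"))        # credential element in a non-private file
    return findings


def harden_tree(root: Path) -> None:
    """Owner-only everywhere: 0700 on directories, 0600 on files."""
    root.chmod(0o700)
    for path in root.rglob("*"):
        path.chmod(0o700 if path.is_dir() else 0o600)


def build_sample() -> Path:
    """Constructed tree with the loose modes the posts complain about."""
    root = Path(tempfile.mkdtemp(prefix="conf-"))
    (root / "backup").mkdir()
    (root / "config.xml").write_text(SAMPLE_XML)
    (root / "backup" / "config-1.xml").write_text(SAMPLE_XML)
    root.chmod(0o755)
    (root / "backup").chmod(0o755)
    (root / "config.xml").chmod(0o644)                  # world-readable, as reported
    (root / "backup" / "config-1.xml").chmod(0o666)     # world-writable backup, as reported
    return root


if __name__ == "__main__":
    root = build_sample()
    for rel, code in audit_tree(root):
        print(f"{code:<20} {rel}")
    harden_tree(root)
    print("after harden:", audit_tree(root) or "clean")
```

Run audit_tree against the real /conf on a box to get the list the poster was asking for; re-running it after each configuration reload is how to tell whether the backup files "switch back" to loose modes, as the follow-up message reports.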