[pfSense] Question on WiFi frequency change
Hi there,

I've an ALIX board still doing its daily routing job on pfSense 2.2.4 where a MiniPCI card serves as simple AP. I recently swapped out the Atheros 802.11abg card for an AR9220-based Compex WLM200NX while I was upgrading to a faster CF card.

Almost all settings from the previous card were imported properly; (almost) all I had to select was the channel/frequency. What happened was that the card came up on the selected 5GHz channel, but since I had a (single) 2.4GHz client I had to switch back to 2.4GHz for now.

Now I realized that the card, even after applying the (several different) frequency settings, stayed on the first 5GHz channel when checking ifconfig's output. The channel switching got applied after I had rebooted pfSense.

Could anyone with a miniPCI(e) card confirm this behaviour?

- Get a console on your pfSense box and get the output of ifconfig where for athX_wlanX you can see the current channel.
- In the UI switch to another frequency (maybe 2.4 - 5 like myself) and apply the settings
- Check the output of ifconfig again

I'd be interested to know what you're seeing.

Thanks,
Mat

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org wrote:

> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
>
>> I have an issue with Qualys: They ding my certification because I have domain.com on it and not www.domain.com (multi-site cert). That’s not a reason to lower a score on security.
>
> The only way I can make sense of your sentence is that they are dinging you for having a certificate that does not match the name of the site you are visiting because one has www. and the other does not. That seems to be reasonable for them to ding you.

Vick,

Qualys *does* take off points if you have a certificate for your bare domain name without it having www as an alternate name. For example, a certificate for 'example.com' that doesn't work for 'www.example.com' is penalized, even if it is really only used for 'example.com'.

I believe that the reason they do this is because they assume that people always have their sites set up so that www redirects to bare, bare redirects to www, or both bare and www show the same content. While this may not always be true, it is an assumption that Qualys and many other people make, so it is included in the grade.

Moshe

--
Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Jul 28, 2015, at 2:50 PM, Moshe Katz mo...@ymkatz.net wrote:

> On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org wrote:
>
>> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
>>
>>> I have an issue with Qualys: They ding my certification because I have domain.com on it and not www.domain.com (multi-site cert). That’s not a reason to lower a score on security.
>>
>> The only way I can make sense of your sentence is that they are dinging you for having a certificate that does not match the name of the site you are visiting because one has www. and the other does not. That seems to be reasonable for them to ding you.
>
> Vick,
>
> Qualys *does* take off points if you have a certificate for your bare domain name without it having www as an alternate name. For example, a certificate for 'example.com' that doesn't work for 'www.example.com' is penalized, even if it is really only used for 'example.com'.
>
> I believe that the reason they do this is because they assume that people always have their sites set up so that www redirects to bare, bare redirects to www, or both bare and www show the same content. While this may not always be true, it is an assumption that Qualys and many other people make, so it is included in the grade.

Sure, but if you try to load www.domain.com it sends you to the clean domain immediately. I am not testing www.domain.com - I am testing domain.com and there’s no evidence they’re trying to load www.domain.com, only reading the certificate and seeing it doesn’t cover it.
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Tue, Jul 28, 2015 at 3:54 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:

> On Jul 28, 2015, at 2:50 PM, Moshe Katz mo...@ymkatz.net wrote:
>
>> On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org wrote:
>>
>>> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
>>>
>>>> I have an issue with Qualys: They ding my certification because I have domain.com on it and not www.domain.com (multi-site cert). That’s not a reason to lower a score on security.
>>>
>>> The only way I can make sense of your sentence is that they are dinging you for having a certificate that does not match the name of the site you are visiting because one has www. and the other does not. That seems to be reasonable for them to ding you.
>>
>> Vick,
>>
>> Qualys *does* take off points if you have a certificate for your bare domain name without it having www as an alternate name. For example, a certificate for 'example.com' that doesn't work for 'www.example.com' is penalized, even if it is really only used for 'example.com'.
>>
>> I believe that the reason they do this is because they assume that people always have their sites set up so that www redirects to bare, bare redirects to www, or both bare and www show the same content. While this may not always be true, it is an assumption that Qualys and many other people make, so it is included in the grade.
>
> Sure but if you try to load www.domain.com it sends you to the clean domain immediately. I am not testing www.domain.com - I am testing domain.com and there’s no evidence they’re trying to load www.domain.com, only reading the certificate and seeing it doesn’t cover it.

Ryan,

That is *exactly* what I said. They *don't* check whether you are redirecting, and they *don't* try to load the www version. They naively assume that the same certificate *must* cover both of those names because they assume you are redirecting one to the other.

There is one reason that it matters, even in your case. Take the following four URLs:

- http://domain.com/ = redirects to SECURE on SAME DOMAIN
- http://www.domain.com/ = redirects to SECURE on BARE DOMAIN
- https://domain.com/ = the actual site
- https://www.domain.com/ = SHOULD redirect to SECURE on BARE DOMAIN

You have handled the first three of them - but not the fourth one. Instead of getting a redirect, you will get a certificate error. I don't know how you have configured your server - you may not even be listening for secure connections on the WWW subdomain. However, Qualys assumes that you are redirecting in that fourth case *and that you are using the same certificate to do it*, so they are testing for whether your certificate covers for it.

Again, I agree with you that this shouldn't affect your score. I am simply explaining why they do it.

Moshe

--
Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732
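The four-URL case from the message above, as an added example that is not part of the original posts: it maps each URL to the hostname its TLS handshake uses and tests that name against a certificate's subjectAltName DNS entries. The SAN lists are constructed samples, `example.com` stands in for the thread's `domain.com`, and the wildcard rule is a simplified RFC 6125 match.

```python
# Added example (not from the thread). SAN lists below are constructed samples.

def name_matches(pattern, host):
    """Simplified RFC 6125 DNS match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*' stands for exactly one label, so '*.x.com' never covers 'x.com'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse '*.com'-style patterns
    return p == h

def covers(san_names, host):
    """True if any SAN entry matches the host."""
    return any(name_matches(n, host) for n in san_names)

# URL template -> host that must appear in the certificate. Plain-HTTP URLs are
# judged by their redirect target; the https://www URL needs a valid handshake
# on the www name before any redirect can be sent.
TLS_HOST = {
    "http://{d}/": "{d}",
    "http://www.{d}/": "{d}",
    "https://{d}/": "{d}",
    "https://www.{d}/": "www.{d}",
}

def audit(san_names, domain):
    """Return {url: 'ok' | 'certificate name mismatch'} for the four URLs."""
    return {
        url.format(d=domain): "ok" if covers(san_names, host.format(d=domain))
        else "certificate name mismatch"
        for url, host in TLS_HOST.items()
    }

if __name__ == "__main__":
    samples = {
        "bare name only": ["example.com"],
        "wildcard only": ["*.example.com"],
        "bare + www": ["example.com", "www.example.com"],
    }
    for label, sans in samples.items():
        print(label)
        for url, verdict in audit(sans, "example.com").items():
            print(f"  {url:28} {verdict}")
```
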
[pfSense] Interface Assignment Change - Requires Bridge Save?
Greetings-

I've run into what appears to be a bug in pfSense. When changing interface assignments, if those interfaces are part of a bridge, the bridge will not be updated. Instead a reboot is required, or going to each affected bridge and re-saving its parameters.

A specific case I've experienced moments ago:

- A bridge exists with two members PRIVATEWIRELESS(em2_vlan5) and LANS(em1)
- I updated the interface assignment for PRIVATEWIRELESS to be untagged (em2)
- No traffic passes between em2 and em1 as bridge still has table of em2_vlan5/em1 as members
- Open bridge details, edit bridge, click 'Save'
- Traffic now flows

Keep in mind this scenario occurs both with and without VLANs being involved, and across a variety of NICs. Most recent experience of this issue is on pfSense 2.2.2-RELEASE amd64 (full install).

--Tim
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:

> I have an issue with Qualys: They ding my certification because I have domain.com on it and not www.domain.com (multi-site cert). That’s not a reason to lower a score on security.

The only way I can make sense of your sentence is that they are dinging you for having a certificate that does not match the name of the site you are visiting because one has www. and the other does not. That seems to be reasonable for them to ding you.