Re: [pfSense] Shutdown Interface?
Not at all, Doug. I just do not see the need for strawberries either, and I hope there is a deep frost soon.

Robert

> On Dec 11, 2015, at 3:33 PM, Doug Lytle wrote:
>
> It would appear you're just interested in being confrontational. I hope you
> have a nice day.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Shutdown Interface?
On Fri, Dec 11, 2015 at 9:03 AM, Robert Obrinsky wrote:
> I am sorry to hear of the distributed responsibilities for the network, and
> that only makes your job harder.
>
> Any possibility of using a protocol analyzer (Wireshark) to see what is
> going out and where it is going? If you have managed switches with port
> mirroring capabilities, you can strategically place the protocol analyzer to
> see what kind of traffic (i.e. services) is leaving your network, and also
> see what kind of traffic is coming in.
>
> I don't think pfSense has live logs (I am still fairly new to this product),
> but I have used other firewall products that do have this feature. The live
> logs have been very useful in determining what IP addresses are being
> contacted, what services are being requested, and who is attempting to do
> reconnaissance (port scanning) on your network from outside. Other than
> that, you will need to analyze the existing logs - not a task I ever look
> forward to. This is also one reason I like protocol analyzers, but for some
> reason, most IT departments won't spend the time to learn them and use them.
>
> At some point, you may need to consider hardware. It is possible that the
> WAN interface is defective and just shuts down under moderate to heavy
> traffic. Have you been able to assess the packets/second hitting your WAN on
> this interface during the attacks? There are many on the forums who maintain
> that Intel and Broadcom NICs are robust and perform best in pfSense, and
> that Realtek NICs are problematic at best. I cannot confirm those opinions
> and just don't have the setup to make a definitive test. I use Realtek NICs
> in my firewalls, but my office is unlikely to see the variety and
> utilization that your networks do.
>
> pfSense can do tcpdumps on any interface.

I get that DDoS attacks are meant to shut a WAN connection down; my biggest thing about this issue was that the firewall was freezing.

Is that not one of the parts about getting the correct hardware and configuring a firewall correctly? I would go with the cron job suggestion that was posted a while back if you are looking to shut down the interface overall. I think it is a good idea to check what is doing it though (causing the freeze). It is nothing to get some bandwidth anymore to do these attacks, and while your WAN connection will not work, a firewall should not freeze. It makes me want to DDoS my own boxes.

Wireshark is just the tip of the iceberg anymore; they have entire web-based suites that are dedicated to protocol inspection. Even live stuff.

In your firewall rule sets, are you dropping or rejecting? I only reject when I know systems need that reject back, like when some software waits and waits and waits for a timeout because the automatic update for specific software cannot connect to home. Even then, this is on the LAN side. This is just basic stuff.

It sounds like you have a nice pipe coming into your pfSense box. It would help this list if you could say what type of attack it is, and what traffic they are sending your way.
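The quoted reply asks whether the packets/second hitting the WAN during the attacks has been measured, and notes that pfSense can run tcpdump on any interface. The script below is an added example (not code from the thread or from the pfSense project) that turns a `tcpdump -tt -n` text capture into exactly that measurement: peak packets per second overall and per source, plus the sources whose traffic is almost entirely bare SYNs at flood rates. The capture lines, the 100 pps threshold and the 90% SYN ratio are constructed assumptions for the example; tune them to the pipe you actually have.

```python
"""Estimate packets/second on a WAN capture and spot SYN-flood sources.

Added example, not from the mailing-list thread or the pfSense project. It
parses the text output of `tcpdump -tt -n -i <wan_if>` (epoch timestamps,
numeric addresses), which pfSense can produce from Diagnostics > Packet
Capture or a shell. The sample lines below are constructed for the example;
the addresses come from the documentation ranges.
"""
import re
from collections import Counter, defaultdict

# One line of `tcpdump -tt -n` for IPv4 TCP/UDP. Anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_line(line):
    """Return a dict for a matching tcpdump line, or None for noise/other protocols."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fm = FLAGS_RE.search(m.group("rest"))
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": fm.group(1) if fm else None,  # None for UDP lines
    }


def summarize(lines, flood_pps=100):
    """Peak packets/second overall and per source, plus likely SYN-flood sources.

    A source is flagged when, in some one-second bucket, it sent at least
    `flood_pps` packets and more than 90% of its packets overall were bare SYNs.
    Both thresholds are assumptions chosen for this example.
    """
    per_second = Counter()                 # second -> packets
    per_src_second = defaultdict(Counter)  # src -> second -> packets
    per_src_total = Counter()
    per_src_syn = Counter()
    skipped = 0
    for line in lines:
        p = parse_line(line)
        if p is None:
            skipped += 1
            continue
        sec = int(p["ts"])
        per_second[sec] += 1
        per_src_second[p["src"]][sec] += 1
        per_src_total[p["src"]] += 1
        if p["flags"] == "S":
            per_src_syn[p["src"]] += 1

    peak_pps = max(per_second.values(), default=0)
    peak_by_src = {src: max(c.values()) for src, c in per_src_second.items()}
    suspects = sorted(
        src for src, peak in peak_by_src.items()
        if peak >= flood_pps and per_src_syn[src] > 0.9 * per_src_total[src]
    )
    return {
        "packets": sum(per_second.values()),
        "skipped": skipped,
        "peak_pps": peak_pps,
        "peak_by_src": peak_by_src,
        "syn_flood_sources": suspects,
    }


def sample_capture():
    """Constructed capture: a SYN flood from one host plus a little normal traffic."""
    base = 1449858000
    lines = []
    # 300 bare SYNs to the WAN address within one second from a single source.
    for i in range(300):
        lines.append(f"{base}.{i:06d} IP 203.0.113.5.{40000 + i} > 198.51.100.10.443: "
                     f"Flags [S], seq {i}, win 65535, length 0")
    # A legitimate client completing a handshake and sending data over two seconds.
    lines += [
        f"{base}.500000 IP 198.51.100.7.51000 > 198.51.100.10.443: Flags [S], seq 1, win 65535, length 0",
        f"{base}.500100 IP 198.51.100.10.443 > 198.51.100.7.51000: Flags [S.], seq 2, ack 2, win 65535, length 0",
        f"{base}.500200 IP 198.51.100.7.51000 > 198.51.100.10.443: Flags [.], ack 3, win 1024, length 0",
        f"{base + 1}.100000 IP 198.51.100.7.51000 > 198.51.100.10.443: Flags [P.], seq 2:100, ack 3, win 1024, length 98",
        f"{base + 1}.200000 IP 198.51.100.7.51000 > 198.51.100.10.53: UDP, length 40",
        "ARP, Request who-has 198.51.100.1 tell 198.51.100.10, length 28",  # skipped: not IP
    ]
    return lines


if __name__ == "__main__":
    s = summarize(sample_capture())
    print(f"{s['packets']} packets, peak {s['peak_pps']} pps, {s['skipped']} lines skipped")
    for src in s["syn_flood_sources"]:
        print(f"possible SYN flood from {src}: peak {s['peak_by_src'][src]} pps")
```

Feed it a real capture with `tcpdump -tt -n -i em0 -c 50000 > wan.txt` (interface name is an assumption) and pass the file's lines to `summarize()`. Bucketing by whole seconds keeps the peak figure honest even when the capture spans minutes; the per-source breakdown is what separates a saturated pipe from a defective NIC, which is the distinction the quoted reply is trying to make.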
Re: [pfSense] Shutdown Interface?
On Fri, Dec 11, 2015 at 3:33 PM, Doug Lytle wrote:
> It would appear you're just interested in being confrontational. I hope you
> have a nice day.

You guys just need to relax. I too hate the fact that everyone pushes Google on people now too. This is a support list for pfSense stuff and not your ideals though. Everyone is entitled to post anything they think would help. Is that not the reason this list exists?
[pfSense] Lost limiter config after upgrade
Hi,

We upgraded from 2.0.1-RELEASE to 2.2.4-RELEASE and the limiter that worked on 2.0.1 stopped working. This limiter (and sub-limiters) is located on an inside interface and its role is to limit the traffic that can come in.

This firewall is at a remote site and we replicate backups there. We use this limiter because the bandwidth at the remote site is higher than at our main site. Using this limiter avoids saturating our main site's WAN link and causing slowdowns.

Looking at the config diffs, it looks like the tags have changed during the upgrade. It looked like ?1 and ?2 and now it looks like labels. Also, the tags seem to include more stuff now. It was 28 and now it looks like 28 Mb none

Thanks,
Ugo
[pfSense] Best automated configuration backup options for 2.1.5?
It looks like most are for 1.x.

Thanks,
Brian
Re: [pfSense] HAproxy question
Thanks Chris and Ivo for your responses. I was unaware that our topology for the network was a little unusual, and in fact there is another service outside the firewall listening on the IP I wanted to use. This (unsurprisingly) was making anything trying to use that IP very unreliable.

--cro

On Sat, Dec 12, 2015 at 5:38 AM, Ivo Tonev wrote:
> Run "netstat -anl | grep LISTEN | grep 443" (for tcp) to verify on which
> port/ip haproxy and openvpn are running. OpenVPN doesn't listen on a VIP.
> On 12/12/2015 10:31, "C. R. Oldham" wrote:
>
> > Actually I think I characterized this problem the wrong way.
> >
> > It appears that neither haproxy nor nginx (when used as a proxy) are
> > reliable on our pfSense firewall. They will work for a while, then they
> > stop passing traffic for a while, then they work awhile. Restarting them
> > doesn't make them responsive immediately. I am at a loss to explain this.
> > I've confirmed there are no other processes listening on port 443 on any IP
> > (virtual or physical). If anyone has ideas I'd love to hear them.
> >
> > --cro
> >
> >
> > On Fri, Dec 11, 2015 at 8:14 AM, C. R. Oldham wrote:
> >
> > > Greetings,
> > >
> > > We've recently replaced both our routers with pfSense. I am using tinc
> > > for site-to-site VPN and OpenVPN for clients to connect.
> > >
> > > Since some of our support engineers often end up onsite with customers, I
> > > want to enable OpenVPN over TCP port 443--we've noticed that many of our
> > > customers block outbound UDP, but using the https port works fine.
> > >
> > > However, we also have haproxy on our firewall proxying for some web
> > > applications on port 443, but on a different virtual IP from OpenVPN. If I
> > > enable OpenVPN on the TCP port, haproxy stops working, even though they are
> > > listening on different IPs.
> > >
> > > I have appropriate firewall rules for both virtual IPs in place.
> > >
> > > Can anyone shed some insight on how I can fix this?
> > >
> > > Thanks.
> > >
> > > --cro
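Ivo's suggestion is to list the sockets on port 443 and see which address each daemon is actually bound to; the failure pattern in the thread (two services on "different" IPs that still fight over a port) is what a wildcard bind produces, because a listener on `*:443` covers every VIP as well. The script below is an added example, not code from the thread or from pfSense, that reads the text of FreeBSD's `sockstat -4 -l` and reports pairs of processes whose bindings overlap on the same protocol and port. The sockstat output is constructed for the example; the PIDs and addresses are made up. It only sees sockets on the firewall itself, so it would not have caught cro's final answer (a host outside the firewall using the same IP), but it is the first check to run before looking off-box.

```python
"""Check a pfSense (FreeBSD) box for listeners that collide on the same port.

Added example, not from the thread or the pfSense project. It parses the text
of `sockstat -4 -l` (listening IPv4 sockets) and reports pairs of processes
whose bindings overlap: the same address and port, or a wildcard `*` bind that
shadows a VIP-specific bind on the same port. The sample output below is
constructed for the example.
"""
from collections import defaultdict

# Constructed sockstat output: OpenVPN bound to all addresses on tcp/443 while
# haproxy is bound to a virtual IP on tcp/443 (the collision from the thread),
# plus unrelated listeners that must not be reported.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  6  tcp4   *:443                 *:*
root     haproxy    2345  5  tcp4   198.51.100.11:443     *:*
root     openvpn    1234  7  udp4   198.51.100.12:1194    *:*
root     nginx      3456  8  tcp4   198.51.100.13:8443    *:*
root     sshd       4567  4  tcp4   *:22                  *:*
"""


def parse_sockstat(text):
    """Return (command, pid, proto, address, port) for each listening socket line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "USER":
            continue  # header or blank line
        user, command, pid, fd, proto, local = parts[:6]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # unix-domain sockets and anything without a port
        out.append((command, int(pid), proto, addr, int(port)))
    return out


def overlaps(a, b):
    """Two binds collide if either is the wildcard or both name the same address."""
    return a == "*" or b == "*" or a == b


def find_conflicts(listeners):
    """Return sorted (proto, port, command1, addr1, command2, addr2) for overlapping binds.

    Sockets belonging to the same PID are not compared with each other, so a
    daemon that opens several sockets on one port (SO_REUSEPORT) is not reported.
    """
    by_key = defaultdict(list)
    for command, pid, proto, addr, port in listeners:
        by_key[(proto, port)].append((command, pid, addr))
    conflicts = []
    for (proto, port), binds in by_key.items():
        for i in range(len(binds)):
            for j in range(i + 1, len(binds)):
                (c1, p1, a1), (c2, p2, a2) = binds[i], binds[j]
                if p1 != p2 and overlaps(a1, a2):
                    conflicts.append((proto, port, c1, a1, c2, a2))
    return sorted(conflicts)


if __name__ == "__main__":
    for proto, port, c1, a1, c2, a2 in find_conflicts(parse_sockstat(SAMPLE_SOCKSTAT)):
        print(f"{proto}/{port}: {c1} on {a1} overlaps {c2} on {a2}")
```

On a live box, `sockstat -4 -l | python3 check_listeners.py` style piping works if you replace `SAMPLE_SOCKSTAT` with `sys.stdin.read()` (the file name is an assumption). The fix the overlap points at is to bind each service to its own VIP explicitly rather than to `*`; whether a given daemon supports that is a question for its own configuration, not something this check decides.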
Re: [pfSense] HAproxy question
On Sat, Dec 12, 2015 at 7:38 AM, Kostas Backas wrote:
> Do you have Snort in your setup? I've seen IPS causing this behavior.

Good suggestion. We don't have it installed however.
Re: [pfSense] DHCP/Local DNS ping host name
On Sat, Dec 12, 2015 at 8:29 AM, Ryan Coleman wrote:
> I’m totally having a brain fart weekend on this… but there’s a way (or so I
> think) to link the DNS and DHCP hostnames… How do I do that?

Services->DNS Resolver, DHCP Registration and Static DHCP checkboxes.