Re: [pfSense] pfSense and SIP

2018-01-09 Thread Bruce Ferrell

Roberto,

I run an Asterisk behind a pfSense 2.2.6 NAT and to make the scenario you've described work, I have to do port forwarding and I allow the firewall to generate the corresponding
rules. I fought and fought and finally just let the firewall do its thing and let go of a degree of control. Works fine, lasts a long time.




On 01/09/2018 07:49 AM, Roberto Carna wrote:

Special thanks to both of you...

With ANY I mean "all TCP and UDP ports".

Maybe when the remote peer sends my PBX the SIP packet with the SIP
OPTIONS, the response from the PBX is a SIP packet defined as
ESTABLISHED traffic, and this ESTABLISHED feature is not working or
not defined in the pfSense firewall rules? Because the SIP response
packet from the PBX to the remote peer is not new traffic, it is
established traffic.

Thanks a lot again, regards!!!

2018-01-09 12:17 GMT-03:00 Giles Coochey :

On 09/01/2018 14:34, Roberto Carna wrote:

Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote
peer out of the pfSense. I connect PBX and Peer in order to establish
a SIP trunk.

In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.

So we have generated two firewall rules:

PBX --> SIP Peer with ANY
SIP Peer --> PBX with ANY


When you say any, it is a bit unclear: protocol any, or TCP any and UDP any?

Could you elaborate on the exact rules you have set up?


But often the SIP packets coming from the SIP Peer don't cross the
pfSense to the PBX. The packets never reach my PBX.

Is there any feature I have to enable/disable in pfSense in order to
work with the SIP protocol and get the SIP trunk established?

The SIP trunk provider tells me that the SIP OPTIONS they send me are
not responded to by us.

Thanks a lot,

ROBERT
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold








Re: [pfSense] Transparent proxy for WiFi users

2018-01-09 Thread WebDawg
Can you just do inspection on this and have it stop acting as a true proxy?

Splice All:
This configuration is suitable if you want to use the SquidGuard
package for web filtering.
All destinations will be spliced. SquidGuard can do its job of denying
or allowing destinations according to its rules, as it does with HTTP.
You do not need to install the CA certificate configured below on clients.
Content filtering (such as Antivirus) will not be available for SSL sites.

On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage  wrote:
> Interested in what sort of problems you are seeing.
>
> I use the same setup in a small environment let's call it home :) with many
> different devices and have not seen any issues.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer
> Duffner
> Sent: Tuesday, January 02, 2018 10:01 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] Transparent proxy for WiFi users
>
>
>
>> Am 02.01.2018 um 14:46 schrieb Roberto Carna :
>>
>> Dear, I've set up a Squid transparent proxy + SquidGuard on pfSense 2.4
>> in order to filter HTTP and HTTPS web content for different types of
>> WiFi clients at my company:
>>
>> - Android (different versions)
>> - Notebooks Windows 7/10
>> - Iphone
>> - Etc.
>>
>> In some cases, depending on the device operating system, some apps
>> experience problems, for example Facebook and some others.
>>
>
>
>
>
> Apps that do hardwired Key-Pinning (everything from Apple, Google and
> probably TFB, too) will not work.
> You have to make exemptions, AFAIK.
>
> Same for ebanking and related.
>
>
>
>


Re: [pfSense] pfSense and SIP

2018-01-09 Thread WebDawg
I think you need to look into state tracking:

https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

I had an issue like this though with some advanced vpn routing I was
doing and pfsense was killing states when I routed more than once.  Is
that your case?  If pfsense cannot track the entire state I think at
one point it considers it dead and kills it.

I think you want to set State type to "none".  Let us know if it works.

On Tue, Jan 9, 2018 at 11:01 AM, Giles Coochey  wrote:
>
>
> On 09-01-2018 15:49, Roberto Carna wrote:
>>
>> Special thanks to both of you...
>>
>> With ANY I mean "all TCP and UDP ports".
>>
>> Maybe when the remote peer sends my PBX the SIP packet with the SIP
>> OPTIONS, the response from the PBX is a SIP packet defined as
>> ESTABLISHED traffic, and this ESTABLISHED feature is not working or
>> not defined in the pfSense firewall rules? Because the SIP response
>> packet from the PBX to the remote peer is not new traffic, it is
>> established traffic.
>>
>
> Well, certainly being able to run a packet capture on the PBX will aid your
> troubleshooting, at least to see if _any_ packets are being received by the
> SIP peer...
>
> You need to ensure that you _don't_ have siproxd package installed, as this
> can interfere with your non-NAT set up.
>
>
>
>> Thanks a lot again, regards!!!
>>
>> 2018-01-09 12:17 GMT-03:00 Giles Coochey :
>>>
>>> On 09/01/2018 14:34, Roberto Carna wrote:


 Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote
 peer out of the pfSense. I connect PBX and Peer in order to establish
 a SIP trunk.

 In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.

 So we have generated two firewall rules:

 PBX --> SIP Peer with ANY
 SIP Peer --> PBX with ANY
>>>
>>>
>>>
>>> When you say any, it is a bit unclear: protocol any, or TCP any and UDP any?
>>>
>>> Could you elaborate on the exact rules you have set up?
>>>

 But often the SIP packets coming from the SIP Peer don't cross the
 pfSense to the PBX. The packets never reach my PBX.

 Is there any feature I have to enable/disable in pfSense in order to
 work with the SIP protocol and get the SIP trunk established?

 The SIP trunk provider tells me that the SIP OPTIONS they send me are
 not responded to by us.

 Thanks a lot,

 ROBERT
>>>
>>>
>>>
>>>


Re: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

2018-01-09 Thread Rainer Duffner


> Am 10.01.2018 um 00:14 schrieb Kyle Marek :
> 
> This contradicts the majority of the purpose of virtualization.


Interesting that you bring it up….

I give you Theo de Raadt in late 2007:


https://marc.info/?l=openbsd-misc&m=119318909016582 



;-)



Meanwhile, Netgate has published an updated statement:

https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html 






Re: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

2018-01-09 Thread Kyle Marek
On 01/09/2018 05:58 PM, Gé Weijers wrote:
> On Wed, Jan 3, 2018 at 2:32 PM, Walter Parker  wrote:
>
>> On Wed, Jan 3, 2018 at 2:25 PM, Steve Yates  wrote:
>>
>>> I'm not a developer but I would think it's dependent on FreeBSD releasing
>>> the update, plus testing by pfSense/Netgate.  However, I would think
>>> there's not much concern with PCs running pfSense, since raw code would
>>> not normally be running on the pfSense box...?
> Agreed, if someone manages to run malicious code on your pfSense box you
> have bigger problems.
I disagree. The fact that user processes can gain kernel-level access
*is* the bigger problem. A buffer overflow affecting a process running
as _dhcp would not otherwise result in such a severe issue.
> HOWEVER: running pfSense as a virtual machine may not be the best idea if
> you do not have full control over the other VMs running on the same
> hardware.

This contradicts the majority of the purpose of virtualization.


Re: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

2018-01-09 Thread Gé Weijers
On Wed, Jan 3, 2018 at 2:32 PM, Walter Parker  wrote:

> On Wed, Jan 3, 2018 at 2:25 PM, Steve Yates  wrote:
>
> > I'm not a developer but I would think it's dependent on FreeBSD releasing
> > the update, plus testing by pfSense/Netgate.  However, I would think
> > there's not much concern with PCs running pfSense, since raw code would
> > not normally be running on the pfSense box...?
>

Agreed, if someone manages to run malicious code on your pfSense box you
have bigger problems.

HOWEVER: running pfSense as a virtual machine may not be the best idea if
you do not have full control over the other VMs running on the same
hardware.


-- 
--
Gé

Re: [pfSense] pfSense and SIP

2018-01-09 Thread Giles Coochey



On 09-01-2018 15:49, Roberto Carna wrote:

Special thanks to both of you...

With ANY I mean "all TCP and UDP ports".

Maybe when the remote peer sends my PBX the SIP packet with the SIP
OPTIONS, the response from the PBX is a SIP packet defined as
ESTABLISHED traffic, and this ESTABLISHED feature is not working or
not defined in the pfSense firewall rules? Because the SIP response
packet from the PBX to the remote peer is not new traffic, it is
established traffic.



Well, certainly being able to run a packet capture on the PBX will aid 
your troubleshooting, at least to see if _any_ packets are being 
received by the SIP peer...


You need to ensure that you _don't_ have siproxd package installed, as 
this can interfere with your non-NAT set up.




Thanks a lot again, regards!!!

2018-01-09 12:17 GMT-03:00 Giles Coochey :

On 09/01/2018 14:34, Roberto Carna wrote:


Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote
peer out of the pfSense. I connect PBX and Peer in order to establish
a SIP trunk.

In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at 
all.


So we have generated two firewall rules:

PBX --> SIP Peer with ANY
SIP Peer --> PBX with ANY



When you say any, it is a bit unclear: protocol any, or TCP any and UDP any?


Could you elaborate on the exact rules you have set up?



But often the SIP packets coming from the SIP Peer don't cross the
pfSense to the PBX. The packets never reach my PBX.

Is there any feature I have to enable/disable in pfSense in order to
work with the SIP protocol and get the SIP trunk established?

The SIP trunk provider tells me that the SIP OPTIONS they send me are
not responded to by us.

Thanks a lot,

ROBERT






Re: [pfSense] pfSense and SIP

2018-01-09 Thread Roberto Carna
Special thanks to both of you...

With ANY I mean "all TCP and UDP ports".

Maybe when the remote peer sends my PBX the SIP packet with the SIP
OPTIONS, the response from the PBX is a SIP packet defined as
ESTABLISHED traffic, and this ESTABLISHED feature is not working or
not defined in the pfSense firewall rules? Because the SIP response
packet from the PBX to the remote peer is not new traffic, it is
established traffic.

Thanks a lot again, regards!!!

2018-01-09 12:17 GMT-03:00 Giles Coochey :
> On 09/01/2018 14:34, Roberto Carna wrote:
>>
>> Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote
>> peer out of the pfSense. I connect PBX and Peer in order to establish
>> a SIP trunk.
>>
>> In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.
>>
>> So we have generated two firewall rules:
>>
>> PBX --> SIP Peer with ANY
>> SIP Peer --> PBX with ANY
>
>
> When you say any, it is a bit unclear: protocol any, or TCP any and UDP any?
>
> Could you elaborate on the exact rules you have set up?
>
>>
>> But often the SIP packets coming from the SIP Peer don't cross the
>> pfSense to the PBX. The packets never reach my PBX.
>>
>> Is there any feature I have to enable/disable in pfSense in order to
>> work with the SIP protocol and get the SIP trunk established?
>>
>> The SIP trunk provider tells me that the SIP OPTIONS they send me are
>> not responded to by us.
>>
>> Thanks a lot,
>>
>> ROBERT
>
>
>


Re: [pfSense] pfSense and SIP

2018-01-09 Thread Giles Coochey

On 09/01/2018 14:34, Roberto Carna wrote:

Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote
peer out of the pfSense. I connect PBX and Peer in order to establish
a SIP trunk.

In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.

So we have generated two firewall rules:

PBX --> SIP Peer with ANY
SIP Peer --> PBX with ANY


When you say any, it is a bit unclear: protocol any, or TCP any and UDP any?

Could you elaborate on the exact rules you have set up?



But often the SIP packets coming from the SIP Peer don't cross the
pfSense to the PBX. The packets never reach my PBX.

Is there any feature I have to enable/disable in pfSense in order to
work with the SIP protocol and get the SIP trunk established?

The SIP trunk provider tells me that the SIP OPTIONS they send me are
not responded to by us.

Thanks a lot,

ROBERT





Re: [pfSense] pfSense and SIP

2018-01-09 Thread Lars Wuerfel
Sorry, Robert, I checked too late "there is no NAT at all", so ignore my 
answer please.


Regards
Lars

On 01/09/2018 03:34 PM, Roberto Carna wrote:

[...]
In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.
[...]



Re: [pfSense] pfSense and SIP

2018-01-09 Thread Lars Wuerfel

Robert,

I have the same constellation, and I had to enable "Static Port" for 
outgoing packets from the PBX box.


Documentation here:
  https://doc.pfsense.org/index.php/Static_Port

My settings:

"Firewall" -> "NAT" -> "Outbound":

- Outbound NAT Mode:
  - "Hybrid Outbound NAT"

- Mapping:
  - Protocol: UDP
  - Source: Your PBX
  - Destination: Any
  - Address: Interface Address
  - Port Range:  **check "Static Port"**

HTH

Regards

Lars


On 01/09/2018 03:34 PM, Roberto Carna wrote:

Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote
peer out of the pfSense. I connect PBX and Peer in order to establish
a SIP trunk.

In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.

So we have generated two firewall rules:

PBX --> SIP Peer with ANY
SIP Peer --> PBX with ANY

But often the SIP packets coming from the SIP Peer don't cross the
pfSense to the PBX. The packets never reach my PBX.

Is there any feature I have to enable/disable in pfSense in order to
work with the SIP protocol and get the SIP trunk established?

The SIP trunk provider tells me that the SIP OPTIONS they send me are
not responded to by us.

Thanks a lot,

ROBERT



[pfSense] pfSense and SIP

2018-01-09 Thread Roberto Carna
Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote
peer out of the pfSense. I connect PBX and Peer in order to establish
a SIP trunk.

In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.

So we have generated two firewall rules:

PBX --> SIP Peer with ANY
SIP Peer --> PBX with ANY

But often the SIP packets coming from the SIP Peer don't cross the
pfSense to the PBX. The packets never reach my PBX.

Is there any feature I have to enable/disable in pfSense in order to
work with the SIP protocol and get the SIP trunk established?

The SIP trunk provider tells me that the SIP OPTIONS they send me are
not responded to by us.

Thanks a lot,

ROBERT
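As an added example (not from this thread, nor pfSense's or Asterisk's own code), a small Python probe that sends the same kind of SIP OPTIONS keepalive the trunk provider sends and checks that the reply answers that exact request (matching Call-ID, CSeq and Via branch); the PBX hostname and addresses are constructed placeholders. Run from the peer's side of pfSense, a timeout shows that either the OPTIONS never reached the PBX or its reply was dropped on the way back; a capture on the PBX, as suggested earlier in the thread, tells those two cases apart.

```python
import socket
import uuid


def build_options(pbx_host, pbx_port, local_ip, local_port,
                  call_id=None, branch=None, tag=None):
    # Build the SIP OPTIONS keepalive a trunk provider sends (RFC 3261 layout).
    call_id = call_id or uuid.uuid4().hex
    branch = branch or "z9hG4bK" + uuid.uuid4().hex[:16]  # magic cookie + id
    tag = tag or uuid.uuid4().hex[:8]
    return (
        f"OPTIONS sip:{pbx_host}:{pbx_port} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport\r\n"
        f"From: <sip:probe@{local_ip}>;tag={tag}\r\n"
        f"To: <sip:{pbx_host}>\r\n"
        f"Call-ID: {call_id}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def parse_sip(raw):
    # Split a SIP message into its start line and a lower-cased header dict.
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_reply(request, reply):
    # Return (status_code, reason). Call-ID, CSeq and the Via branch must
    # match the request, otherwise the reply belongs to another transaction.
    _, req_hdr = parse_sip(request)
    start, rep_hdr = parse_sip(reply)
    parts = start.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None, "not a SIP response"
    code = int(parts[1])
    for h in ("call-id", "cseq"):
        if req_hdr.get(h) != rep_hdr.get(h):
            return code, f"{h} mismatch"
    branch = req_hdr["via"].split(";branch=")[1].split(";")[0]
    if branch not in rep_hdr.get("via", ""):  # PBX may append rport/received
        return code, "via branch mismatch"
    return code, "ok"


def probe(pbx_host, pbx_port=5060, timeout=2.0):
    # Send one OPTIONS from this host (run from the trunk peer's side of pfSense).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((pbx_host, pbx_port))
        local_ip, local_port = sock.getsockname()
        request = build_options(pbx_host, pbx_port, local_ip, local_port)
        sock.send(request.encode())
        try:
            reply = sock.recv(4096).decode(errors="replace")
        except socket.timeout:
            return None, "timeout: OPTIONS dropped inbound or reply dropped outbound"
    return check_reply(request, reply)
```

A `(200, "ok")` result means the path through pfSense works in both directions for that flow; a mismatch reason means something answered, but not the transaction that was sent.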


Re: [pfSense] Squid crash: assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"

2018-01-09 Thread Roberto Carna
OK, thank you very much !!!

2018-01-08 13:59 GMT-03:00 Chris L :
>
>
>> On Jan 8, 2018, at 8:39 AM, Eero Volotinen  wrote:
>>
>> try removing squid package from package manager and then reinstalling.
>>
>> 8.1.2018 18.24 "Roberto Carna"  wrote:
>>
>>> Dear Eero,
>>>
>>> How should I remove Squid + config files in a good manner?
>>>
>>> Squid, I suppose, via the package manager in pfSense, but how do I
>>> remove the config files?
>>>
>>> Thanks a lot, regards !!!
>
>
> The General page in Services > Squid contains a checkbox for that: Keep 
> Settings/Data.
>
> Unchecking that and uninstalling/reinstalling should give you a pretty clean 
> slate.
>