[pfSense] confirmation: pfSense 2.0+IPSec Xauth PSK+Android 4.1 works

2013-02-04 Thread Claudio Thomas
Hi,
in the summary of
"http://doc.pfsense.org/index.php/Android_VPN_Connectivity" the
connectivity of pfSense 2.0/IPSec Xauth PSK is marked with "probably"
for Android 4.1 (Jelly Bean).

In the same article it is written that "testing is needed to confirm".

That's what I want to do, to confirm :-)

I'm using pfSense 2.0.1 and 2.0.2. I've already successfully connected
pfSense by IPSec Xauth PSK to my 4.1.1/4.1.2 Android phones, so the
http://doc.pfsense.org/index.php/Android_VPN_Connectivity can be
updated. The actual status there is "probably"; it should be changed to Yes.

I've been using it for a few days on my non-rooted device, configured as
described in http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0. I
can also confirm that the use of a hostname (like dyndns.org) also works.

Maybe anyone here can update the wiki.
If more information, logs or so are needed I'm glad to give them :-)

Best regards,
Claudio
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] IPSec connection without default-route

2013-02-06 Thread Claudio Thomas
Hi,
actually when connecting via IPSec from Client (A) to pfSense 2.02 (B),
all traffic from A is routed to B.

The actual routing looks like:
Client A          pfSense B          Network
10.8.0.5/32 -> 10.8.0.1/24 > 192.168.150.0/24
|   
+--> Internet

But the wished routing is:
Client A          pfSense B          Network
10.8.0.5/32 -> 10.8.0.1/24 > 192.168.150.0/24
|   
+--> Internet

What must I change in my pfSense config, so that A only receives a route
to the network behind B and not a default route (0.0.0.0/0)?

Best regards,
Claudio





Re: [pfSense] IPSec connection without default-route

2013-02-13 Thread Claudio Thomas
Hi,
sorry for my re-request.
Is there a way to set up an IPsec connection without routing all the
client traffic through the pfSense router?
In my case the client is setting a "route add 0.0.0.0 netmask 0.0.0.0 gw
".
Wished would be that the client only adds a route "route add
192.168.150.0 netmask 255.255.255.0 gw ".

Best regards,
Claudio

On 06.02.2013 11:25, Claudio Thomas wrote:


Re: [pfSense] IPSec connection without default-route

2013-03-02 Thread Claudio Thomas
Thanks for your reply Marian.
That's exactly what I'm searching for (trying to do). Only the packets
for a specified subnet should be routed through the VPN connection. All
others should go directly to the internet.

Must this be done on the client side, or is it possible to configure pfSense
to send a "routing configuration" back to the client after
authentication, like it is done by OpenVPN?
In case it must (can) only be done on the client, does anyone know how
I can set this up on Android (without rooting the device)?
Claudio

On 01.03.2013 19:41, OSN|Marian Fischer wrote:
> http://en.wikipedia.org/wiki/Split_tunneling
>
>
> On 13.02.13 14:30, "Claudio Thomas" wrote at :


[pfSense] confirmation: pfSense 2.0+IPSec Xauth PSK+Android 4.2.2/4.3 works

2013-09-10 Thread Claudio Thomas
Hi,
in the summary of "http://doc.pfsense.org/index.php/Android_VPN_Connectivity"
the connectivity for Android 4.2 and 4.3 (Jelly Bean) is missing.
I've already successfully tested them:
- pfSense 2.0.03/IPSec Xauth PSK for 4.2.2 => Yes, works
- pfSense 2.0.03/IPSec Xauth PSK for 4.3 => Yes, works
Maybe a crosslink to the following page would be helpful for others, so that
they don't only know that it works, but can also quickly find how to configure
pfSense to get a working connection.

As IPsec server configuration I've used the same as for 4.0 and 4.1, as written in
https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

I think it would be helpful to extend the following phrase, so that it is
also visible that it also works for other Android versions:
"This setup has been tested and working on Android 2.3.3 ..."
Or better, to add a crosslink to
"http://doc.pfsense.org/index.php/Android_VPN_Connectivity"

Maybe anyone here can update the wiki.
If more information, logs or so are needed I'm glad to give them :-)

Best regards,
Claudio



Re: [pfSense] confirmation: pfSense 2.0+IPSec Xauth PSK+Android 4.2.2/4.3 works

2013-09-11 Thread Claudio Thomas
Well, for the fun :-) two more confirmations:
- pfSense 2.0.03/OpenVPN for 4.2.2 => Yes, works
- pfSense 2.0.03/OpenVPN for 4.3 => Yes, works

To test it, I've used a rooted mobile (CyanogenMod) with the OpenVPN 2.2.2
binary and "OpenVPN Settings" as app.
Configuration created by "VPN->OpenVPN->Client Export (Inline
Configurations)".
Please note that for a successful connection I needed to add "dev tun" as a
configuration line to the exported file.

Claudio

On 10.09.2013 18:03, Jim Pingle wrote:
> To add to the fun, I just configured and confirmed that L2TP+IPsec does
> in fact work with Android 4.1.1 against pfSense. I'll work on a write-up
> for the wiki, but it's really not that hard to do.
>
> The key thing that the Android L2TP+IPsec client allows that others do
> not is the ability to set the identifier used by the client. Most others
> assume the IP address and won't let you change it.
>
> Jim
>
> On 9/10/2013 11:26 AM, Adam Thompson wrote:
>> Updated.  Thank you for the confirmation!
>>
>>
>> -Adam Thompson
>> athom...@athompso.net


[pfSense] NAT-port-forwading problem in combination with SIP/RTP/VoIP

2013-10-15 Thread Claudio Thomas
Hi,
I'm working with a pfSense 2.1 (i386) release and I'm trying to connect my
Asterisk to sipgate.
The following parts already run:
- register Asterisk to sipgate and qualify (trunk marked as online at
sipgate)
- outgoing calls from Asterisk to POTS over sipgate (signaling and audio
-> outgoing SIP/RTP works)
But what does not run are incoming calls.
I see the SIP packets coming in on WAN with tcpdump (tcpdump -i xl0 -A -s 0
'port 5060'), but nothing goes out to LAN (tcpdump -i re1 -A -s 0 'port
5060').

So my guess is that NAT + port forwarding is not working correctly. Can
anyone help?

Thanks, Claudio

PS: attached some details...

asterisk <-> siproxd 0.8.0_2/pfSense 2.1(i386) <-> sipgate
10.150.0.14 <-> 10.150.0.158/(pub-ip censored) <-> 217.10.68.150

siproxd-config:
Enabled siproxd: enable
Inbound Interface: LAN
Outbound Interface: WAN
Enable RTP proxy: enable
RTP port range: 7070 - 7080
Outbound proxy hostname: sipconnect.sipgate.de
Debug Level: Everything
(missing options are empty/not checked)

1. NAT port forward rule:
Interface: WAN
Protocol: TCP/UDP
Destination: WAN address
Destination port range: SIP - SIP
Redirect target IP: 10.150.0.14
Redirect target port: SIP
Description: "SIP-protocol Weiterleitung an PBX"
NAT reflection: Enable (NAT + Proxy)
Filter rule association: "Rule NAT SIP-protocol Weiterleitung an PBX"

2. NAT port forward rule:
Interface: WAN
Protocol: TCP/UDP
Destination: WAN address
Destination port range: 1 - 2
Redirect target IP: 10.150.0.14
Redirect target port: 1
Description: "RTP-protocol Weiterleitung an PBX"
NAT reflection: Enable (NAT + Proxy)
Filter rule association: "Rule NAT RTP-protocol Weiterleitung an PBX"

pbx2*CLI> sip show peers
Name/username  HostDyn Nat ACL Port
Status Realtime
gw_25_sipgate/216t0217.10.68.150   5060 OK (14 ms)
pbx2*CLI> sip show registry
Host   dnsmgr Username   Refresh
StateReg.Time
10.150.0.158:5060  N  216t0@si   130
Registered   Tue, 15 Oct 2013 13:44:11



Re: [pfSense] NAT-port-forwading problem in combination with SIP/RTP/VoIP

2013-10-15 Thread Claudio Thomas
Thanks for the fast reaction.
1. siproxd removed
2. Sipgate needs an "outboundproxy" equal to the "host". Here was one
problem with GS3.1, because it automatically removed this in case both
were equal.
The rest stays as it was:
- incoming NAT + forward rules unchanged
- no outbound NAT rules added (like Static-port)
- a firewall rule exists, so that Asterisk (10.150.0.14) is allowed to pass
the firewall (outgoing)
- /etc/asterisk/sip.conf: no "externhost" set

Why it doesn't run with siproxd is not cleared up, but for me it is good
enough that it runs (anyway) now :-)
It runs for incoming and outgoing calls, both are routed.

Thanks for the report on how you have done it.
Claudio

BTW: What do you mean with "client" and not "peer"? Allowed SIP types
are peer, user or friend
(http://www.voip-info.org/wiki/view/Asterisk+sip+type)

On 15.10.2013 14:27, Vick Khera wrote:
>
> On Tue, Oct 15, 2013 at 7:48 AM, Claudio Thomas <claudio.tho...@ezi.de> wrote:
>
> So my guess is that NAT+Portforwarding is not working correctly. Can
> anyone help?
>
> Thanks, Claudio
>
> PS: annexed some details...
>
> asterisk <-> siproxd 0.8.0_2/pfSense 2.1(i386) <-> sipgate
> 10.150.0.14 <-> 10.150.0.158/(pub-ip censored) <-> 217.10.68.150
>
>
> Our asterisk server is connected as a client to both Vitelity and
> Skype for Business. Calls work both ways just fine. No siproxyd
> involved at all.
>
> I do not connect as a peer.
>
>
>


[pfSense] pfSense 2.2 upgrade experiences

2015-02-09 Thread Claudio Thomas
Hi,
at first: thanks for the great work!

1) After trying to update my pfSense 2.1.5 (i386) to 2.2 over the
web interface, it rebooted as expected... But that was all. The firewall
was not working anymore. After a while inspecting the problem, I fixed
the config so that it seemed to run again. Then I tried to update by
console... so that I could finally find the problem: my disk was full
and the update seems to have stopped somewhere in between :-(
I wiped the hard disk completely to reinstall and used the config backup.
This is OK for me, but probably not for everyone. Maybe it would be
good practice to check the free disk space before starting the upgrade.
Even better would be if the installer checked it, so that fools like me
don't stumble on such an evident error case :-)

2) I have 2 Phase 1 entries. One for an AVM Fritzbox (still working) and a
second for Android road warriors.
Since the upgrade my Android clients can't connect anymore. Phase 1 and
Phase 2 configurations were not changed since the upgrade. Was anything
changed in the IPsec environment?

Thanks,
Claudio

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfSense 2.2 upgrade experiences

2015-02-09 Thread Claudio Thomas
On 09.02.2015 10:20, J. Echter wrote:
> On 09.02.2015 09:53, Claudio Thomas wrote:
> Hi,
>
> did you read
> https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes already?
Hi,
yes...
the IPsec config for Android is exactly as described in the HowTo
<https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To>.
Because of this I've assumed that my configuration is not an "unusual
configuration". To the other points in the upgrade guide:
- I also have only one Phase 2 entry for each Phase 1 entry.
- Prefer old IPsec SAs is disabled.
- I've checked both Phase 1 modes (main/aggressive) without any
difference, so I left it on aggressive mode as described in the HowTo.
- glxsb crypto: encryption is AES 128 only, so this should not be a
reason to fail.
- My mobile client does not need to use IPsec for main internet traffic.
- pfSense has a public IP and is connected directly to the internet. My
identifier is "My IP address", but I also tested "IP address" without any
changes. The peer identifier is a "user distinguished name", because
peers may have a private IP address. Both exactly as described in the HowTo.

I've rechecked the HowTo to see if something has changed over the years:
- Phase 1: "Policy Generation: Unique" and "Proposal Checking: Strict"
are missing in the actual configuration options.
- On Android: I've no option to set "Pre-Shared Key Type: text". I can
only set the IPsec pre-shared key directly (Android 4.4.2). I don't have
an option "Identity Type: User FQDN". I don't have the option "Internal
Subnet IP". But all used devices have run without these 3 options at all,
so I would wonder if this is the problem.

I've attached a log of a connection test. I've tried a connection with a
Samsung tablet 4.4.2 (with private IP 10.x.x.x) to the WAN IP of the
pfSense computer. The visible IP address is the translated NAT IP of the
mobile device.

Summarising: I can not find an error. I've checked the HowTo and the
Upgrade Guide. Any suggestion which IPsec debug level I could increase
to search for the problem?

Thanks,
Claudio

Feb 9 11:17:57	charon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Feb 9 11:17:57	charon: 12[IKE] <23> received FRAGMENTATION vendor ID
Feb 9 11:17:57	charon: 12[IKE] received FRAGMENTATION vendor ID
Feb 9 11:17:57	charon: 12[IKE] <23> received NAT-T (RFC 3947) vendor ID
Feb 9 11:17:57	charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Feb 9 11:17:57	charon: 12[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 9 11:17:57	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 9 11:17:57	charon: 12[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 9 11:17:57	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 9 11:17:57	charon: 12[IKE] <23> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 9 11:17:57	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 9 11:17:57	charon: 12[IKE] <23> received XAuth vendor ID
Feb 9 11:17:57	charon: 12[IKE] received XAuth vendor ID
Feb 9 11:17:57	charon: 12[IKE] <23> received Cisco Unity vendor ID
Feb 9 11:17:57	charon: 12[IKE] received Cisco Unity vendor ID
Feb 9 11:17:57	charon: 12[IKE] <23> received DPD vendor ID
Feb 9 11:17:57	charon: 12[IKE] received DPD v

Re: [pfSense] FW: Virus Detected

2015-03-25 Thread Claudio Thomas

Hi all,
that's true, everyone should have a virus scanner... I don't receive
such emails either, so I've not noticed the problem.
But the other point is, it is simple to block IP and domain name
spoofing on the mail server...


A simple (incomplete) example from postfix:

    smtpd_helo_restrictions =
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        reject_unknown_helo_hostname

For sure, to prevent spam and viruses this is not enough and more could be
done: check RFC conformity, reject RBL clients, install/use
antispamd, use a simple and free virus scanner (like clamav), ...


But preventing spoofing could already catch a lot of trash...

I'm not familiar with mailing list programs, but in case you use postfix 
and need help feel free to contact me off-list.


Best regards,
Claudio

--
Working on OpenWrt CC for Xmodus GSM Router XM1710E 




On 25.03.2015 10:52, Mikey van der Worp wrote:


To follow up,

True that, just a heads up for the people who do not have any virus
scanners in their network.


Mikey

*From:* List [mailto:list-boun...@lists.pfsense.org] *On behalf of* Moshe Katz
*Sent:* Tuesday, 24 March 2015 16:57
*To:* pfSense Support and Discussion Mailing List
*Subject:* Re: [pfSense] FW: Virus Detected

It looks like someone spoofed a message that it claims came from the 
server itself (though it actually came from another server in Denmark 
(87.104.0.8)).


Someone who has access to the mailing list server could likely pull 
out the original message's full headers and file an abuse report with 
the ISP, but I doubt that it'll make any difference. Just ignore the 
message. Your virus scanner did catch it, after all.


Moshe


--
Moshe Katz
-- mo...@ymkatz.net 
-- +1(301)867-3732

On Tue, Mar 24, 2015 at 6:09 AM, Mikey van der Worp
<mvdw...@utelisys.com> wrote:


Em?

Why is this list sending me viruses?

Please be advised of the e-mail with the following headers below...

Mikey

-----Original message-----
From: MailScanner [mailto:postmas...@mail.utelisys.nl]

Sent: Tuesday, 24 March 2015 11:08
To: postmas...@mail.utelisys.nl
Subject: Virus Detected

The following e-mails were found to have: Virus Detected

Sender: list-boun...@lists.pfsense.org 
 IP Address: 208.123.73.78

 Recipient: mvdw...@utelisys.com 
   Subject: [pfSense] Message could not be delivered
 MessageID: 17C4E62EF0.ACDCC
Quarantine:
Report: Clamd:  message was infected: Worm.Mydoom.M-unp
Report: Clamd: message.com  was infected: 
Worm.Mydoom.M-unp


Full headers are:


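The spoofed list message above was recognisable from its Received: chain: the inner hop announced itself (HELO) as lists.pfsense.org while the connecting host was exchange.kajmadsen.dk [87.104.0.8]. The following Python is an added example, not code from the thread or from Postfix: it parses Received: headers of the Postfix form quoted above and flags hops whose HELO names one of our own hosts but whose IP is not ours, which is the after-the-fact version of what Claudio's smtpd_helo_restrictions reject at SMTP time. The sample headers and the OWN_HOSTS inventory are constructed to mirror the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the headers quoted in the thread,
# newest hop first (the order they appear in a delivered message).
SAMPLE_RECEIVED = [
    "from lists.pfsense.org (lists.pfsense.org [208.123.73.78]) "
    "by mail.utelisys.nl (Postfix) with ESMTP id 17C4E62EF0; "
    "Tue, 24 Mar 2015 11:08:28 +0100 (CET)",
    "from localhost.my.domain (localhost [127.0.0.1]) "
    "by lists.pfsense.org (Postfix) with ESMTP id BF73AEB2E7; "
    "Tue, 24 Mar 2015 05:11:22 -0500 (CDT)",
    # The forged hop: HELO claims to be the list server itself.
    "from lists.pfsense.org (exchange.kajmadsen.dk [87.104.0.8]) "
    "by lists.pfsense.org (Postfix) with ESMTP id 93503EB2E2; "
    "Tue, 24 Mar 2015 05:11:17 -0500 (CDT)",
]

# Hosts we operate and the addresses they legitimately connect from.
# Constructed inventory (assumption): replace with your own.
OWN_HOSTS = {"lists.pfsense.org": {"208.123.73.78"}}

# Postfix writes: from <HELO> (<reverse-DNS> [<ip>]) by <receiver> ...
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hop(header: str) -> Optional[Dict[str, str]]:
    """Extract HELO name, reverse DNS, client IP and receiving host from
    one Received: header. Returns None for lines not in Postfix's format."""
    m = HOP_RE.search(header)
    if not m:
        return None
    hop = m.groupdict()
    hop["rdns"] = hop["rdns"] or ""
    return hop


def find_helo_spoof(received: List[str], own_hosts=OWN_HOSTS) -> List[Dict[str, str]]:
    """Return every hop whose HELO is one of our own hostnames while the
    connecting IP is not one we assigned to that host."""
    findings = []
    for raw in received:
        hop = parse_hop(raw)
        if hop is None:
            continue
        helo = hop["helo"].lower().rstrip(".")
        if helo in own_hosts and hop["ip"] not in own_hosts[helo]:
            findings.append(hop)
    return findings


def origin_ip(received: List[str]) -> Optional[str]:
    """IP of the oldest non-loopback hop, i.e. where the message entered
    our infrastructure. This is the address an abuse report would name."""
    for raw in reversed(received):
        hop = parse_hop(raw)
        if hop and hop["ip"] not in ("127.0.0.1", "::1"):
            return hop["ip"]
    return None


if __name__ == "__main__":
    for hop in find_helo_spoof(SAMPLE_RECEIVED):
        print(f"HELO {hop['helo']} forged by {hop['rdns']} [{hop['ip']}]")
    print("origin:", origin_ip(SAMPLE_RECEIVED))
```

Run against a real message, feed it every Received: header in order; a hit on the oldest hop is the case seen here, a hit on a newer hop would point at a relay inside your own path.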
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Claudio Thomas

 
On 29.07.2015 18:02, Vick Khera wrote:
> On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz  wrote:
>
>> Again,  I agree with you that this shouldn't affect your score.  I am
>> simply explaining why they do it.
> based on this explanation, i agree. there's no reason for them to demand
> your certificate also signs any other domain name as long as it signs the
> one to which they are connecting and testing.
Hi, the reason why it affects your score is simple:
1. the client makes a request to https://www.example.net
=> if it does not redirect to https://example.net, the check stops here.
All is OK.
=> if your server responds with a redirect to https://example.net, it
does it with an untrusted certificate. Untrusted, because the server
certificate is not certified to be used for www.example.net.

So you have 3 options:
1. disable redirection of https://www to https://bare (probably not what
you wish)
2. give your https://www server a valid certificate, so that the
redirect is trustworthy (as done by https://www.web.de, which points to
https://web.de)
3. if it is the same server, but only a separate config, you probably
should get a certificate with CN: www.example.net and alt names DNS:
www.example.net and DNS: example.net (example: https://xmodus-systems.de
redirects to https://www.xmodus-systems.de, the cert is valid for both)

Again: the connection to https://www.example.net is technically not OK
for sure. But this you probably already know.
Now "why does Qualys also check the www.?": Qualys checks this option for
bare domains, because many users worldwide prefix www. to every
domain without thinking about it (bad habit). If the www. domain does not
belong to you, it is a potential risk that your customers think they are
accessing your site, but in reality it is a possible "man-in-the-middle" site.
=> Security is not only a technical issue, but must also take account of
human bad habits.

Best regards,
Claudio

-- 
Working on OpenWrt CC for Xmodus GSM Router XM1710E





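The check Claudio describes, every hostname in the www-to-bare redirect chain must be covered by the certificate served on that hop, as an added example in Python (not code from the thread or from Qualys). Hostname matching follows the RFC 6125 rule that a wildcard covers exactly one leftmost label, so *.example.net covers www.example.net but not example.net. The scenarios BROKEN and FIXED are constructed; FIXED is option 3 from the message, one certificate carrying both names.

```python
from typing import Iterable, List, Tuple


def _label_match(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname: exact match, or a wildcard
    only in the leftmost label that covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    labels = host.split(".")
    # host must be <one-label>.<suffix>; a bare domain has no extra label
    return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == suffix


def cert_covers(san_dns: Iterable[str], host: str) -> bool:
    """True if any SAN dNSName of the certificate is valid for host.
    Browsers ignore the CN when SANs are present, so only SANs are checked."""
    return any(_label_match(p, host) for p in san_dns)


def check_redirect_chain(chain: List[Tuple[str, List[str]]]) -> List[str]:
    """chain: (hostname the client connects to, SAN dNSNames of the
    certificate served there), in redirect order. Returns one problem
    string per hop whose certificate does not cover its own hostname;
    an empty list means the whole chain is trustworthy."""
    problems = []
    for host, san in chain:
        if not cert_covers(san, host):
            problems.append(f"{host}: certificate SANs {san} do not cover {host}")
    return problems


# Constructed scenario from the thread: the bare-domain certificate is
# served on the www host too, so the redirect hop is untrusted.
BROKEN = [
    ("www.example.net", ["example.net"]),
    ("example.net", ["example.net"]),
]

# Option 3: one certificate with both names, served on both hosts.
FIXED = [
    ("www.example.net", ["www.example.net", "example.net"]),
    ("example.net", ["www.example.net", "example.net"]),
]


if __name__ == "__main__":
    for name, chain in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_redirect_chain(chain) or "all hops trusted")
```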

Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-20 Thread Claudio Thomas

 
On 19.08.2015 23:37, Rainer Duffner wrote:
> Maybe pfSense is smart enough to figure out that maybe my aging ALIX
> board is just too slow for this?
> [2.2.4-RELEASE][r...@pfsense.example.org]/tmp: time openssl dhparam -out dhparams.pem 2048
> Generating DH parameters, 2048 bit long safe prime, generator 2
> This is going to take a long time
> ..+..+..++..+..+..++.+.+..+...+.+...+++*++*
> unable to write 'random state'
> 844.901u 0.105s 15:05.79 93.2% 613+197k 0+2io 13pf+0w
> I also can't find any security-advisory on this.
Hi Rainer,

you can generate the dhparams.pem on another (faster) system and then
copy the file to the pfSense host. The once-generated DH parameters (in
the file) will then simply be used on the pfSense host.

Best regards,

Claudio Thomas

-- 
Working on OpenWrt CC for Xmodus GSM Router XM1710E
<http://www.xmodus-systems.de/openwrt>
