Re: [pfSense] Configs or hardware?

2018-02-15 Thread Ivo Tonev
Try increasing network buffers via "system tunables".

On 15 Feb 2018 12:14, "Michael Munger" wrote:

> TL; DR.
>
> On 1Gbps downloads, our pfSense firewalls are performing poorly with
> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> hardware (more likely). I do not want to buy a commercial box. For our
> corporate network, we use HP DL360s, so zero problem there. I need
> something that is the size of a router, but can do 1Gbps with pfSense.
>
> Who's got working configs / hardware combos that do 1Gbps easily?
>
> Background.
>
> I've been using Alix boards (APU1D4 as of late). The problem is: these
> boards seem to top out at 400Mbps download. I have several clients who
> have gigabit fiber connections, and they have been complaining to the
> ISP that their service is slow. When they connect to the modem directly,
> they get 1G download. When they go through the pfSense firewall we put
> together using these Alix boards from PC engines, it drops to ~400Mbps.
>
> There are several competing "router boards" (MikroTik and the like), but
> I have zero experience with them, I don't know if they will run pfSense
> or if they will do the speed. The Alix + pfSense combo has been GREAT
> for many years. If I change to something else, I don't want to go
> through growing pains since I figure this is a solved problem, and
> someone on this list knows / has a recommendation.
>
> --
> Michael Munger, dCAP, MCPS, MCNPS, MBSS
> High Powered Help, Inc.
> Microsoft Certified Professional
> Microsoft Certified Small Business Specialist
> Digium Certified Asterisk Professional
> mich...@highpoweredhelp.com 
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] quagga/bgp

2017-11-17 Thread Ivo Tonev
I'm using it. There are no problems.

On 17 Nov 2017 11:30, "Daniel" wrote:

> Here this,
>
>
>
> is anyone using quagga with bgpd as a self installed package on pfsense?
>
> I don’t want to use openBGPd and I also don’t want to use FRR because I am
> completely new in FRR.
>
> My idea is to use quagga with bgpd daemon on pfsense.
>
>
>
> Are there any problems?
>
>
>
> Cheers
>
>
>
> Daniel
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] IPv6 nat

2017-11-16 Thread Ivo Tonev
You can use NPT

On 16 Nov 2017 5:19 PM, "Daniel" wrote:

> Hi there,
>
>
>
> I added a private IPv6 LAN on my pfSense which has to do NAT like on IPv4.
>
>
>
> But it seems that NAT with IPv6 is not possible. Is there any way, or is it
> not possible to NAT IPv6 connections?
>
>
>
> root@web1:~# traceroute6 heise.de
>
> traceroute to heise.de (2a02:2e0:3fe:1001:302::), 30 hops max, 80 byte
> packets
>
>  1  fd12:38ce:2472:a35e::3 (fd12:38ce:2472:a35e::3)  0.071 ms  0.098 ms
> 0.087 ms
>
>  2  * * *
>
>  3  * * *
>
>
>
> I am not interested in using public IPv6 addresses in my LAN
>
>
>
> Cheers
>
>
>
> Daniel
>
>
>
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Strange packetloss

2017-10-20 Thread Ivo Tonev
On each interface you have "Block bogon networks".

Is that option active?

On Fri, Oct 20, 2017 at 2:00 PM, Daniel  wrote:

> Hi Everyone,
>
>
>
> Actually I have an any/any rule applied on all my interfaces. I did this
> only for debugging issues.
>
> But I can see that packets still get blocked:
>
>
>
> Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,
> block,in,4,0x0,,56,64553,0,DF,6,tcp,52,93.220.211.99,212.
> 168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
>
> Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,
> block,in,4,0x0,,56,64554,0,DF,6,tcp,52,93.220.211.99,212.
> 168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
>
> Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,
> block,in,4,0x0,,55,37998,0,DF,6,tcp,52,109.44.1.50,212.168.
> 31.112,34675,443,0,FA,1545664688,2414488008,40,,nop;nop;TS
>
> Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,
> block,in,4,0x0,,56,64555,0,DF,6,tcp,52,93.220.211.99,212.
> 168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
>
> Oct 20 17:48:36 gw02 filterlog: 5,,,100103,igb0,match,
> block,in,4,0x0,,56,64556,0,DF,6,tcp,52,93.220.211.99,212.
> 168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
>
> Oct 20 17:48:38 gw02 filterlog: 5,,,100103,igb0,match,
> block,in,4,0x0,,56,64557,0,DF,6,tcp,52,93.220.211.99,212.
> 168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
>
> Oct 20 17:48:42 gw02 filterlog: 5,,,100103,igb0,match,
> block,in,4,0x0,,56,64558,0,DF,6,tcp,52,93.220.211.99,212.
> 168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
>
>
>
> Why? Normally all traffic can pass the interfaces.
>
>
>
> The main problem is that I have 1% packet loss when it passes the Internet
> connection to my upstream. I have a second firewall configured identically
> and there is no packet loss.
>
> I changed all cables and so on… I am absolutely without any clue what can
> cause such a problem.
>
>
>
> Could it be a problem that I have several different networks applied on one
> interface without VLANs?
>
> I really don't know what I can do. This issue is very hard and all the things I
> already tested do not help to fix the issue.
>
>
>
> Kernel messages and logs also look OK to me.
>
>
>
> Maybe someone can help me out and give me some ideas
>
>
>
> Cheers
>
>
>
> Daniel
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold




-- 
Ivo R. Tonev
+55 61 98409-2642
i...@tonev.com.br
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
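The filterlog lines quoted in this thread are terse CSV, and the question "why is an any/any interface still blocking?" is easier to answer once the fields have names. The parser below is an added example, not code from the thread or from the pfSense project; it follows the pfSense 2.2+ filterlog field layout (rule/tracker/interface prefix, then the IPv4 or IPv6 header fields, then the TCP or UDP fields). The IPv4/TCP sample lines are the ones quoted above, re-joined onto single lines; the IPv6/UDP line is constructed for illustration. The `tcpflags` field is the one worth reading first: a packet with only FIN/ACK (`FA`) was not trying to open a connection, so the block reflects a packet the firewall held no state for rather than a rule denying new connections.

```python
"""Parse pfSense filterlog lines and triage what a 'block' entry says.

Added example; not code from the mailing-list thread. Field layout follows
the pfSense 2.2+ filterlog CSV format.
"""
import re
from collections import Counter

# Prefix common to every entry.
COMMON = ["rulenum", "subrulenum", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipversion"]
# Header fields, which depend on the IP version.
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "protoid", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "protoid", "length",
        "src", "dst"]
# Transport fields, which depend on the protocol.
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) filterlog: (?P<csv>.*)$")

SAMPLE_LINES = [
    # Quoted from the message above, each entry re-joined onto one line.
    "Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64553,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
    "Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64554,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
    "Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,55,37998,0,DF,6,tcp,52,109.44.1.50,212.168.31.112,34675,443,0,FA,1545664688,2414488008,40,,nop;nop;TS",
    "Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64555,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
    # Constructed IPv6/UDP entry (documentation prefix 2001:db8::/32).
    "Oct 20 17:49:00 gw02 filterlog: 5,,,100103,igb0,match,block,in,6,0x00,0x00000,64,udp,17,48,2001:db8::10,2001:db8::1,5353,53,48",
]


def parse_filterlog(line):
    """Return a dict of named fields, or None if the line is not a filterlog entry."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("csv").split(",")
    rec = {"timestamp": m.group("ts"), "host": m.group("host")}
    rec.update(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    header = {"4": IPV4, "6": IPV6}.get(rec.get("ipversion"))
    if header is None:
        return rec
    rec.update(zip(header, rest[:len(header)]))
    rest = rest[len(header):]
    proto = rec.get("proto", "").lower()
    if proto == "tcp":
        rec.update(zip(TCP, rest[:len(TCP)]))
    elif proto == "udp":
        rec.update(zip(UDP, rest[:len(UDP)]))
    return rec


def opened_connection(rec):
    """True when a TCP packet carries SYN, i.e. it tried to open a connection.
    A blocked packet with only FIN/ACK ('FA') belongs to a connection the
    firewall holds no state for, which is a different question from
    'does a rule deny new connections'."""
    return rec.get("proto") == "tcp" and "S" in rec.get("tcpflags", "")


def summarise_blocks(lines):
    """Count blocked packets per (interface, src, dst, dstport, tcpflags)."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec.get("action") != "block":
            continue
        counts[(rec["interface"], rec.get("src"), rec.get("dst"),
                rec.get("dstport"), rec.get("tcpflags", ""))] += 1
    return counts


def flows_without_syn(lines):
    """Blocked TCP flows for which no logged packet carried SYN, sorted."""
    flows, with_syn = set(), set()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec.get("action") != "block" or rec.get("proto") != "tcp":
            continue
        key = (rec["src"], rec["dst"], rec["dstport"])
        flows.add(key)
        if opened_connection(rec):
            with_syn.add(key)
    return sorted(flows - with_syn)


if __name__ == "__main__":
    for key, n in summarise_blocks(SAMPLE_LINES).most_common():
        print(n, *key)
    print("blocked TCP flows with no SYN seen:", flows_without_syn(SAMPLE_LINES))
```

Run against the real log (`clog /var/log/filter.log` on the firewall, or the syslog copy on a collector) the grouping shows at a glance whether the blocks are a handful of repeating flows, as here, or spread across many sources; the tracker id (`100103` in these lines) is what the GUI uses to name the rule that matched.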

Re: [pfSense] problems with lagg interfaces?

2017-10-17 Thread Ivo Tonev
Even if your VLAN doesn't come up, you can capture traffic on the physical
interfaces with tcpdump.
See what you can capture before any other move.

Do bottom-up troubleshooting.

On 17 Oct 2017 12:34, "Eero Volotinen" wrote:

> So, you mean that it is not working?
>
> Eero
>
> 2017-10-17 17:32 GMT+03:00 :
>
> > On 2017-10-17 16:28, Eero Volotinen wrote:
> >
> >> It's a Netgate pfSense SG-4860 running the 2.4 final release
> >>
> >
> >
> > So, these are Intel NICs?
> >
> > Can you look in freebsd-bugzilla if there are bugs open for this
> interface
> > type and lagg(4)?
> >
> > I've had the same problem with bxe(4) (on FreeBSD).
> >
> > I had to switch to ix(4).
> >
> > Might be worth filing a ticket with Netgate...
> >
> >
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] High-latency when traffic reaches 80% wirespeed

2017-10-05 Thread Ivo Tonev
Run "top -SH" to find the top CPU-consuming tasks.


On Thu, Oct 5, 2017 at 8:44 AM, Christoph Haas 
wrote:

> On Wednesday, 04.10.2017, 15:05 -0400, ED Fochler wrote:
> > I have a similar situation and I solved it with limiters.  I'm also a
> fan of limiters to ensure fair sharing of uplink bandwidth by internal
> users.  I haven't tried changing system tunables though, so that solution
> may be better.
>
> So far the situation was better this morning. But the web interface
> became unresponsive and the OpenVPN daemon died. So I'm still scared.
>
> >
> Nothing is sent through the limiter until you create a rule that catches
> the traffic and routes it through the limiter, so you're not going to
> accidentally slow everything down just by creating a rule.
>
> I will try that.
>
> >
> The behavior you're speaking of sounds like your machine is getting maxed
> out by interrupts or some internal bandwidth.  Setting up a limiter sounds
> like a better solution than pushing the hardware to the point of unrefined
> behavior.
>
> Yes, I suspect something like that, too. The system load is going up
> heavily (Load >=5) sometimes. However the web interface claims that the
> load is around 30%. RAM and state tables look fine, too.
>
> On Linux-based systems I regularly use iptables rules and often go near
> wire speed. But the system load rarely goes up noticeably. So I wonder
> what part is really causing that load.
>
> I ran "top" this morning and saw that the "filterlog" process was at
> the top of the list. My firewall rules though do not do any logging at
> the moment. Could that still be a problem?
>
> Thanks for your suggestions so far. I'll try them all.
>
> …Christoph
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
Ivo R. Tonev
+55 61 98409-2642
i...@tonev.com.br
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] High-latency when traffic reaches 80% wirespeed

2017-10-04 Thread Ivo Tonev
You can try raising some "System tunables":


net.inet.tcp.recvspace 524288
net.inet.tcp.sendspace 524288
net.raw.recvspace 524288
net.inet.raw.recvspace 524288
net.raw.sendspace 524288
net.inet.raw.maxdgram 524288
net.link.ifqmaxlen 2048
net.inet.tcp.recvbuf_inc 65536
net.inet.udp.recvspace 524288
net.inet.tcp.sendbuf_inc 65536
net.inet.tcp.mssdflt 1460
net.inet.tcp.minmss 536

On Wed, Oct 4, 2017 at 5:08 AM, Christoph Haas 
wrote:

> Dear list,
>
> I have become a huge fan of pfSense and managed to replace our old
> routers at work by two nifty Netgate SG-4860 gateways. They work nearly
> perfectly. I just have a few separate internal VLANs (e.g. for
> administration, monitoring and backup) that give me a headache. Every
> day at the same time(s) there are spikes in traffic (I can see in the
> dashboard) between two VLANs. Traffic goes up to pretty much 800 Mbps
> for 1-2 minutes.
>
> During that time our monitoring system goes wild. High latencies and
> even ping losses. CPU load of the router is shown at around 50%. Once
> the traffic goes below 800 Mbps all is instantly fine again.
>
> I tried to simplify the firewall rules (e.g. let through all the
> traffic) but that did not help. Is there anything I can do? Any hidden
> switches? Anything to find and fix the situation? Traffic shaping for
> ICMP? Unicorn dust?
>
> Thanks in advance for your hints.
>
> …Christoph
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold




-- 
Ivo R. Tonev
+55 61 98409-2642
i...@tonev.com.br
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] massive CARP Failover

2017-06-07 Thread Ivo Tonev
Can you send a network diagram? Why 2 switches? How are they connected?

Is there any feature like Cisco's ARP inspection?

On 7 Jun 2017 10:45, "Daniel" wrote:

> Both are Physical.
>
> --
> Regards
>
> Daniel
>
> On 07.06.17, 14:34, "List on behalf of Ivo Tonev" <
> list-boun...@lists.pfsense.org on behalf of i...@tonev.pro.br> wrote:
>
> Firewalls are virtual or physical servers?
>
> On Wed, Jun 7, 2017 at 9:12 AM, Daniel  wrote:
>
> > Hi,
> >
> > Firewall on the switch is the latest installed.
> > The switch is just simply installed. No VLANs actually, just IGMP
> disabled.
> > CARP has for sure 3 IPs: 2 dedicated for each server and one CARP
> (virtual
> > failover per subnet)
> >
> >
> > --
> > Regards
> >
> > Daniel
> >
> > On 06.06.17, 00:04, "List on behalf of Ugo Bellavance" <
> > list-boun...@lists.pfsense.org on behalf of u...@lubik.ca> wrote:
> >
> > On 2017-06-02 08:13 AM, Daniel wrote:
> > > Hi there,
> > >
> > > I run 2 pfSense firewalls. I tried to use CARP but it will
> turn over
> > every 1-2-3 hours.
> > > Sometimes it is so fast the pf1 is master and pf2 has the
> routes. In
> > this case I need to reboot the both Servers.
> > >
> > > After I tried a lot I don't find any solutions. I took a
> different
> > brand (Sophos UTM) and here is the same behaviour.
> > > So I think this could be a network problem.
> > >
> > > Are there any important things which must be enabled or
> disabled in
> > the Switch?
> > > Or does the switch need some special configurations?
> > >
> > > When I use Linux with bonding it also switches the NICs very
> often.
> > >
> > > We use 2 Switches from Netgear JGS524Ev2
> > >
> > > Maybe someone has some experience with it?
> >
> > Can you give us more information? You do have 3 IP addresses per
> > interface? How is your switch configured? Any tagged vLANs
> involved? Is
> > the switch's firmware up to date?
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> >
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
>
>
>
>
> --
> Ivo R. Tonev
> +55 61 98409-2642
> i...@tonev.com.br
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] massive CARP Failover

2017-06-07 Thread Ivo Tonev
Firewalls are virtual or physical servers?

On Wed, Jun 7, 2017 at 9:12 AM, Daniel  wrote:

> Hi,
>
> Firewall on the switch is the latest installed.
> The switch is just simply installed. No VLANs actually, just IGMP disabled.
> CARP has for sure 3 IPs: 2 dedicated for each server and one CARP (virtual
> failover per subnet)
>
>
> --
> Regards
>
> Daniel
>
> On 06.06.17, 00:04, "List on behalf of Ugo Bellavance" <
> list-boun...@lists.pfsense.org on behalf of u...@lubik.ca> wrote:
>
> On 2017-06-02 08:13 AM, Daniel wrote:
> > Hi there,
> >
> > I run 2 pfSense firewalls. I tried to use CARP but it will turn over
> every 1-2-3 hours.
> > Sometimes it is so fast the pf1 is master and pf2 has the routes. In
> this case I need to reboot the both Servers.
> >
> > After I tried a lot I don't find any solutions. I took a different
> brand (Sophos UTM) and here is the same behaviour.
> > So I think this could be a network problem.
> >
> > Are there any important things which must be enabled or disabled in
> the Switch?
> > Or does the switch need some special configurations?
> >
> > When I use Linux with bonding it also switches the NICs very often.
> >
> > We use 2 Switches from Netgear JGS524Ev2
> >
> > Maybe someone has some experience with it?
>
> Can you give us more information? You do have 3 IP addresses per
> interface? How is your switch configured? Any tagged vLANs involved? Is
> the switch's firmware up to date?
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold




-- 
Ivo R. Tonev
+55 61 98409-2642
i...@tonev.com.br
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] RRD alternatives

2017-02-17 Thread Ivo Tonev
zabbix ( via agent package or snmp )
nagios  ( snmp )
http://nfsen.sourceforge.net/ ( softflowd )

On Fri, Feb 17, 2017 at 7:00 PM, Antonio Cortes Alhambra <
antonio.cor...@incatel.cl> wrote:

> http://www.cacti.net/
>
>
> Kind regards
>
>
>
>
>
> 
>
> 2017-02-17 17:30 GMT-03:00 Cheyenne Deal :
>
> > Is there an alternative to what were the rrd graphs in 2.2?
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> >
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
Ivo R. Tonev
+55 61 98409-2642
i...@tonev.com.br
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] BandwithD

2017-02-16 Thread Ivo Tonev
It was removed. You can use NetFlow with a NetFlow collector on another server.

On 16 Feb 2017 12:20, "Daniel" wrote:

> Hi there,
>
> is it possible that BandwidthD has been removed from the packages?
> I wanted to install it and I can't see it anymore.
>
> Is there any other way to track traffic per IP?
>
> Cheers
>
> Daniel
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] bind rules

2016-09-22 Thread Ivo Tonev
Action = PASS
Interface = LAN
Address Family = IPv4 + IPv6
Protocol = TCP/UDP
Destination Port Range = DNS

On Thu, Sep 22, 2016 at 7:43 PM, Pol Hallen 
wrote:

> Hi all :-)
>
> I need to create some rules to allow the BIND internal server network to make
> recursive queries: I've got iptables rules but I have some problems with PF :-(
>
> Can someone "translate" these rules to pfSense?
>
> for processing DNS queries:
>
> iptables -I INPUT 1 -p tcp -m tcp --dport 53 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -I INPUT 2 -p udp -m udp --dport 53 -m state --state
> NEW,ESTABLISHED -j ACCEPT
>
> and for sending responses back to the client
>
> iptables -A OUTPUT -p tcp -m tcp --sport 53:65535 --dport 53 -m state
> --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -m udp --sport 53:65535 --dport 53 -m state
> --state NEW,ESTABLISHED -j ACCEPT
>
> thanks for help!
>
> Pol
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
Ivo R. Tonev
+55 61 98409-2642
i...@tonev.com.br
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
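The GUI rule above, written out in pf.conf syntax, which is what pfSense generates from it; this is an added example, not a rule from the thread or from the pfSense project. It assumes the LAN interface is em1 and uses 192.0.2.53 as a placeholder for the BIND host. The two iptables OUTPUT rules for replies have no counterpart because pf keeps state on pass rules by default, so the answer packets match the state entry created by the query.

```pf
# Added example (not from the thread). Assumptions: em1 is the LAN interface,
# 192.0.2.53 is a placeholder for the BIND server on that LAN.
lan_if = "em1"
bind_host = "192.0.2.53"

# Equivalent of the GUI rule: Action PASS, Interface LAN, IPv4 + IPv6,
# TCP/UDP, destination port DNS. "keep state" is the pf default for pass rules,
# so replies to these queries are matched by state, not by a second rule.
pass in quick on $lan_if proto { tcp udp } from $lan_if:network to any port 53 keep state

# Tighter variant: only the resolver itself may query out, which is what the
# iptables INPUT rules on the BIND host were scoped to.
# pass in quick on $lan_if proto { tcp udp } from $bind_host to any port 53 keep state
```

The "Destination Port Range = DNS" alias in the GUI maps to `port 53`; leaving the address family unset (IPv4 + IPv6) is what the absence of `inet`/`inet6` in the rule expresses.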


Re: [pfSense] pf rule error

2016-08-09 Thread Ivo Tonev
Check your states table size.

On 9 Aug 2016 22:47, "Joseph L. Casale" wrote:

> I recently received an error that the pf table was wedged and had been
> reset
> while making changes. A few days later, a vlan stopped passing dhcp traffic
> and filter reload did not resolve it, I actually had to reboot the unit.
>
> Has anyone seen this, are there configurations known to produce this
> behavior
> or would hardware be the first suspect?
>
> Thanks,
> jlc
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] yesterday update to 2.3.2 has not worked - these machines now can not update any more

2016-07-27 Thread Ivo Tonev
From the console:

pkg clean
pkg update
pkg upgrade
reboot

On 27 Jul 2016 10:54, "WolfSec-Support" wrote:

> Hi Jim
>
> Many thanks for your hint.
> Well it is still not working.
>
> See:
>
> >>> Updating repositories metadata...
> Updating pfSense-core repository catalogue...
> pfSense-core repository is up-to-date.
> Updating pfSense repository catalogue...
> Fetching meta.txz: . done
> Fetching packagesite.txz: ... done
> pkg:
> https://pkg.pfsense.org/pfSense_v2_3_2_amd64-pfSense_v2_3_2/packagesite.txz
> :
> Operation timed out
> Unable to update repository pfSense
>
> Maybe something else was broken in the update process?
>
> Many thanks for your help in advance
>
> Br
> Stephan
>
> On 27.07.2016 15:43, "Jim Pingle" wrote:
>
> > On 07/27/2016 12:48 AM, WolfSec-Support wrote:
> > > Any hint to solve the broken updated boxes?
> >
> > Use ssh or the console and either use option 13, or use option 8 and
> > from the shell, execute "pfSense-upgrade -d"
> >
> > Early in the upgrade process, pkg is updated and from that point, the
> > GUI for updates and packages can't interpret the new pkg data format, so
> > the console update is required.
> >
> > Jim
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> >
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Errors when attempting upgrade to 2.3.2 from 2.3.1.5

2016-07-26 Thread Ivo Tonev
Yes.
You can run from console

pkg clean
pkg update
pkg upgrade
reboot

On 26 Jul 2016 12:03 PM, "mayak" wrote:

> Both on an embedded APU and HP-DL-160 ...
>
> Fetching pfSense-2.3.2.txz: . done
>> pkg:
>> https://pkg.pfsense.org/pfSense_v2_3_2_amd64-pfSense_v2_3_2/All/perl5-5.20.3_13.txz:
>> Authentication error
>> >>> Locking package pfSense-kernel-pfSense... done.
>> Failed
>>
>
> Anyone else experiencing this?
>
> Thanks
>
> M
> --
>
> Markets can remain irrational longer than you can remain solvent.
>
> — John Maynard Keynes
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] OSPF help

2016-07-23 Thread Ivo Tonev
You can setup OpenVPN site-to-site VPN across your sites and run OSPF only
in vpn tunnel.




On Sat, Jul 23, 2016 at 8:55 PM, Francois Roussy 
wrote:

> I will add another thing I tried..
>
> Also, I had tried to create a policy based, using multiple phase 2 with
> all my subnets. It's working, but some IPs are unreachable (router IPs of
> my Fortigate) and 2 or 3 machines that I can ping, but can't access their
> web sites (all internal)
>
> Any clue?
>
> Thanks
>
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Francois
> Roussy
> Sent: July 23, 2016 10:38 AM
> To: list@lists.pfsense.org
> Subject: [pfSense] OSPF help
>
>
> Good day,
>
> I need some help to figure out how to fix my 'issue'..
>
> Actually, I have a multisite VPN, all using Fortigate 50B. I have 9 of
> them connecting to our main site, using a Fortigate 200D.
> Each site has its own /24 IP space (192.168.2.0/24,
> 192.168.3.0/24)
>
> I use OSPF.
>
> Now.  My 50B service plans are ending gradually, and I want to replace them
> with pfSense.  I know there is a flavor of OSPF in pfSense, but I'm not
> used to it.
>
> Can someone guide me please?
>
> Thanks
>
> Frank
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
Ivo R. Tonev
+55 61 8409-2642
i...@tonev.com.br
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Snort or Suricata

2016-06-12 Thread Ivo Tonev
Snort and Suricata use the same rules/signatures.

Enable only what you need, not all.
On Jun 12, 2016 3:57 PM, "Daniel Eschner"  wrote:

> Hi there,
>
> I installed Snort and let it run with the Snort Community Rules and ET Rules.
> I get tons of false positive alerts.
>
> Maybe Suricata is better? What are the differences?
>
> It seems that only the ET rules have no or very few false positives.
>
> Cheers
>
> Daniel
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] HAproxy question

2015-12-12 Thread Ivo Tonev
Run "netstat -anl | grep LISTEN | grep 443" (for TCP) to verify on which
port/IP haproxy and OpenVPN are running. OpenVPN doesn't listen on the VIP.
On 12/12/2015 10:31, "C. R. Oldham" wrote:

> Actually I think I characterized this problem the wrong way.
>
> It appears that neither haproxy nor nginx (when used as a proxy) are
> reliable on our pfSense firewall.  They will work for a while, then they
> stop passing traffic for a while, then they work awhile.  Restarting them
> doesn't make them responsive immediately.  I am at a loss to explain this.
> I've confirmed there are no other processes listening on port 443 on any IP
> (virtual or physical).  If anyone has ideas I'd love to hear them.
>
> --cro
>
>
> On Fri, Dec 11, 2015 at 8:14 AM, C. R. Oldham  wrote:
>
> > Greetings,
> >
> > We've recently replaced both our routers with pfSense.  I am using tinc
> > for site-to-site VPN and OpenVPN for clients to connect.
> >
> > Since some of our support engineers often end up onsite with customers, I
> > want to enable OpenVPN over TCP port 443--we've noticed that many of our
> > customers block outbound UDP, but using the https port works fine.
> >
> > However, we also have haproxy on our firewall proxying for some web
> > applications on port 443. but on a different virtual IP from OpenVPN.
> If I
> > enable OpenVPN on the TCP port, haproxy stops working, even though they
> are
> > listening on different IPs.
> >
> > I have appropriate firewall rules for both virtual IPs in place.
> >
> > Can anyone shed some insight on how I can fix this?
> >
> > Thanks.
> >
> > --cro
> >
> >
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
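The netstat check suggested above answers the question in this thread directly: two daemons that both say they use port 443 only coexist if each is bound to the address it was meant for. The script below is an added example, not code from the thread; it parses the FreeBSD/pfSense `netstat -an` listing (local address written as address.port, `*` for a wildcard bind) and reports, per protocol and port, which addresses are in LISTEN state and whether a wildcard listener sits on the same port as an address-specific one. The netstat output it reads is constructed: 192.0.2.10 is a placeholder for the haproxy VIP and the `*.443` rows stand for a daemon bound to every address.

```python
"""Report which addresses listen on a port, parsed from 'netstat -an' output.

Added example, not from the thread. The sample listing is constructed.
"""

SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.443         *.*                    LISTEN
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 192.0.2.10.443         198.51.100.7.51234     ESTABLISHED
udp4       0      0 *.1194                 *.*
"""


def split_addr_port(local):
    """'192.0.2.10.443' -> ('192.0.2.10', 443); '*.443' -> ('*', 443).
    Works for IPv6 literals too, because the port follows the last dot."""
    addr, port = local.rsplit(".", 1)
    return addr, int(port)


def listeners(netstat_text):
    """Map (proto, port) -> set of local addresses in LISTEN state."""
    found = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        # UDP rows carry no state column; non-LISTEN TCP rows are skipped.
        if len(parts) < 6 or parts[5] != "LISTEN":
            continue
        addr, port = split_addr_port(parts[3])
        found.setdefault((parts[0], port), set()).add(addr)
    return found


def bind_report(netstat_text, port):
    """For one port, per protocol: is there a wildcard listener, and which
    specific addresses also listen there."""
    report = {}
    for (proto, p), addrs in listeners(netstat_text).items():
        if p != port:
            continue
        report[proto] = {"wildcard": "*" in addrs,
                         "specific": sorted(a for a in addrs if a != "*")}
    return report


if __name__ == "__main__":
    for proto, info in sorted(bind_report(SAMPLE_NETSTAT, 443).items()):
        print(proto, info)
```

Seeing both the VIP socket and the wildcard socket in LISTEN state tells you each daemon bound where it was configured to; if one of the two is absent, that daemon (or the order the two started in) is where to look next.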


Re: [pfSense] How to restrict certain websites for certain computers during certain times of the day?

2015-07-31 Thread Ivo Tonev
You can use squid+squidguard to create restrictions and time ranges.

You need to create local users on the pfSense box and use authentication.
On 31/07/2015 12:36, "Tim Koop" wrote:

> I have installed pfsense and I would like to block certain websites during
> certain times of the day for certain computers.  I've looked around pfsense
> as well as a plugin or two, and this looks very difficult or impossible to
> do.  Anyone have any ideas?
>
> These are the details:
>
> It's installed in my home.  My wife and I want full access to the Internet
> all the time.  Using the very nice firewall, I'm currently giving my kids
> access during certain times of the day.  (They connect with DHCP and are
> given IP addresses in a certain range, whereas our computers are given
> static IP addresses based on mac address.)
>
> The main reason I'm blocking my kids' Internet is so they don't watch
> cartoons and play games all day long.  But I wouldn't mind if they had
> access to, say, Wikipedia, or Ubuntu updates server.  So want I want is
> this:
>
> - I want to enter a list of domain names to block, myself, not take it
> from someone else's list somewhere else.
> - I want this to only apply to certain computers (my kids), preferably by
> IP address range.
> - I want to be able to apply it only during certain times of the day.
>
> Does anything like this exist?  Or how close can I get?
>
> Thanks.
>
> --
> Tim K
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] blocking torrents and web based https proxies

2015-03-27 Thread Ivo Tonev
You can block torrents with suricata. Works 100%. Install the package and
activate all p2p rules.

For web proxies you can use squid+(squidguard with
http://www.urlblacklist.com/ )  and force everyone to use your proxy.

On Thu, Mar 26, 2015 at 11:44 PM, Sean  wrote:

> Torrent traffic: maybe with a good L7 filter (not tried this myself).
> But HTTPS proxies and SSL VPN's forget about it.
> It's a game of whack-a-mole.  As soon as you squash one, three more will
> pop-up.
> You can't block SSL.  You'd need to get a real web filtering solution and
> by that I mean a service that constantly updates with new content and
> category definitions.
> Barracuda, Iron Port, Websense, to name a few companies.  It's still a
> game of whack-a-mole but you're paying them to do it.  It still won't get
> them all but it will get you hopefully into the 99% range.
>
> There would likely still be outliers, SSH tunnels and people clever enough
> to setup tunnels on non-standard ports and protocols that wouldn't be
> monitored.
>
> I'd be happy to be wrong and welcome a correction from someone who knows
> more about it on this list (there are plenty of them).
>
> On Tue, Mar 24, 2015 at 5:12 AM, Rizwan Saeed 
> wrote:
>
>> Hi Guys,
>>
>>
>>
>> I am managing a 1000+ university network. pfsense is working fine. The
>> only problem I have is that the students bypass all the security with web
>> vpn’s and free https proxies. So I would like to know that if there is an
>> effective way to block https web proxies, web based VPN and encrypted
>> torrent traffic?
>>
>>
>>
>> Regards,
>>
>> Riz
>>
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>>
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 
Ivo R. Tonev
+55 61 8409-2642
i...@tonev.com.br
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

2014-10-03 Thread Ivo Tonev
[image: Inline image 1]

On Thu, Oct 2, 2014 at 7:01 AM, Stefan Fuhrmann  wrote:

> Hello Ivo,
>
> yes
>
> 2 pfsense nodes as cluster
> 2 loadbalancer
> 3 webserver
>
> need more info?
>
> tia
> Stefan
> ------
>
> *From: *"Ivo Tonev" 
> *To: *"pfSense Support and Discussion Mailing List" <
> list@lists.pfsense.org>
> *Sent: *Monday, 29 September 2014 02:52:26
> *Subject: *Re: [pfSense] recommandation: snort IDS, web http traffic,
> pfsense
>
> can you send your network layout ?
> how many servers ?
>
> --
> Ivo Tonev
> i...@tonev.pro.br
>
> > On Sep 28, 2014, at 05:58, Stefan Fuhrmann 
> wrote:
> >
> > Hello all,
> >
> > can someone help?
> >
> > tia
> > Stefan
> >
> > On Friday, 26 September 2014, 15:11:04 Stefan Fuhrmann wrote:
> >> Hello all,
> >>
> >> I need a recommendation for the following setup:
> >>
> >> pfsense-cluster
> >>
> >> loadbalancers
> >>
> >> webservers
> >>
> >> There are some thousand visits per day and I want to secure with
> pfsense and
> >> snort. Snort runs on lan-site.
> >> I want to be aware which are the false positives and how to handle this
> >> traffic with snort and the snort- gui within pfsense?
> >> Is it now a good idea to enable step by step the categories and doing
> >> whitelisting of rules , where Im the meaning this traffic should go and
> >> block the rest?
> >> Im unsure if there is alot of traffic getting blocked which should
> pass
> >> This should dont be happen...
> >>
> >> In that firm there is the meaning that we should do blacklisting.
> Blocking
> >> only categories where we are secure this is not good traffic.
> >> In the moment there are several thousend alerts per day!
> >>
> >> I would say blocking the alerts and then I do whitelisting via gui.
> >> Problem: at first there is an error state
> >>
> >> Someone can give recommandations how to implement?
> >> Is it a good idea to configure the files directly on pfsense?
> >>
> >> tia
> >> Stefan




Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Ivo Tonev
The bridge interface does not need an IP.
It runs in promiscuous mode and only forwards packets from one side to the other.


On Tue, Sep 30, 2014 at 3:26 PM, Jeronimo L. Cabral 
wrote:

> But must the bridge interface have a public IP, or do I have to set it up
> as IP-less?
>
> On Tue, Sep 30, 2014 at 3:17 PM, Ivo Tonev  wrote:
>
>> A bridge is necessary; without it there is no forwarding between the interfaces.
>>
>> On Tue, Sep 30, 2014 at 3:11 PM, Jeronimo L. Cabral > > wrote:
>>
>>> OK Ivo, that's great data. I really appreciate this...
>>>
>>> But please tell me this at last:
>>>
>>> So the WAN and LAN interfaces have no IP assigned?
>>> Do I have to create a bridge interface with the WAN and LAN interfaces,
>>> and in this case is it possible to have an IP-less bridge interface?
>>> Or is the bridge not necessary and is it enough to have WAN and LAN
>>> IP-less in promiscuous mode?
>>>
>>> Thanks a lot again !!!
>>>
>>>
>>> On Tue, Sep 30, 2014 at 3:04 PM, Ivo Tonev  wrote:
>>>
>>>> You need to use the management network to download.
>>>>
>>>> On Tue, Sep 30, 2014 at 3:01 PM, Jeronimo L. Cabral <
>>>> jelocab...@gmail.com> wrote:
>>>>
>>>>> Dear, I can't understand it at all... please be patient with me :(
>>>>>
>>>>> I'll use pfSense with Snort as an IPS because I see it is easier than
>>>>> configuring Snort manually.
>>>>>
>>>>> I have an ISP router with 200.1.1.1, a corporate firewall with
>>>>> 200.1.1.2 and the condition is that I MUST LEAVE THIS CONFIGURATION AS IT
>>>>> IS NOW.
>>>>>
>>>>> So, I have to place the pfSense server between the router and the
>>>>> firewall, in "inline" mode.
>>>>>
>>>>> My pfSense server has 3 network interfaces, let's say: WAN connected
>>>>> to the router, LAN connected to the corporate firewall and OPT1 for
>>>>> management with IP 192.168.1.1.
>>>>>
>>>>> Now I have the question:
>>>>>
>>>>> How should I configure the WAN and LAN interfaces: with IP, IP-less,
>>>>> creating a bridge interface IP-less or with IP? Because if I create a
>>>>> bridge with WAN and LAN and I don't assign an IP, the IPS won't
>>>>> download the signatures from the Internet... I'm a bit confused.
>>>>>
>>>>> Thanks a lot, regards.
>>>>>
>>>>> JeLo
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Sep 30, 2014 at 10:55 AM, Ivo Tonev  wrote:
>>>>>
>>>>>> Yes. Always use out-of-band management.
>>>>>>
>>>>>> On Tue, Sep 30, 2014 at 10:35 AM, Roberto Carna <
>>>>>> robertocarn...@gmail.com> wrote:
>>>>>>
>>>>>>> Ivo, that's a good idea... but please tell me if I'm correct or not:
>>>>>>>
>>>>>>> WAN, LAN, Bridge interfaces: IP-less
>>>>>>> OPT1: IP for management in a management network
>>>>>>>
>>>>>>> Thanks again,
>>>>>>>
>>>>>>> 2014-09-30 9:27 GMT-03:00 Ivo Tonev :
>>>>>>> > I recommend you create a management network for OPT1 with private
>>>>>>> IP.
>>>>>>> >
>>>>>>> >
>>>>>>> > On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna <
>>>>>>> robertocarn...@gmail.com>
>>>>>>> > wrote:
>>>>>>> >>
>>>>>>> >> I think this is good for us:
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> - Router ISP with IP 200.0.0.1
>>>>>>> >>
>>>>>>> >> - pFsense with the following interfaces:
>>>>>>> >>
>>>>>>> >>   a) WAN IP-Less
>>>>>>> >>   b) LAN IP-Less
>>>>>>> >>   c) OPT1 with IP 200.0.0.2 (management)
>>>>>>> >>   d) Bridge with WAN and LAN interfaces, and Bridge interface
>>>>>>> IP-Less
>>
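Added example, not from this thread and not the pfSense project's own code: the IP-less WAN/LAN bridge with out-of-band management that Ivo describes, written out as the FreeBSD rc.conf, sysctl.conf and pf.conf fragments that pfSense produces behind its GUI (Interfaces > Assign > Bridges, System > Advanced > System Tunables, and the firewall rule pages). The interface names em0/em1/em2, the 192.168.1.0/24 management network and its gateway 192.168.1.254 are assumptions. It also settles the rule-download question raised above: neither bridge member nor the bridge carries an address, so the only route the box has is on the management side, and that is where signature updates go out.

```conf
# --- /etc/rc.conf (assumed names: em0 = ISP router side, em1 = corporate
# --- firewall side, em2 = out-of-band management port)
cloned_interfaces="bridge0"
ifconfig_em0="up"                         # bridge member: no IP address
ifconfig_em1="up"                         # bridge member: no IP address
ifconfig_bridge0="addm em0 addm em1 up"   # the bridge itself is IP-less too
ifconfig_em2="inet 192.168.1.1 netmask 255.255.255.0"   # management only
defaultrouter="192.168.1.254"             # management-side gateway; the only
                                          # path for rule/signature downloads
pf_enable="YES"
pf_rules="/etc/pf.conf"

# --- /etc/sysctl.conf
# Filter once, on bridge0, rather than on each member; the IDS/IPS is bound
# to bridge0 as well ("Snort runs in Bridge interface" in the thread).
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

# --- /etc/pf.conf
mgmt_if  = "em2"
mgmt_net = "192.168.1.0/24"

set skip on lo0
block all                                 # default deny, including anything
                                          # aimed at this host itself

# Inline path: the bridge forwards router<->firewall frames untouched;
# drops on this path are the IPS's job, not pf's. "no state" so the sensor
# does not impose its own state table on flows it does not terminate.
pass quick on bridge0 all no state

# Management path: only the management network may reach GUI/SSH, and the
# host may only talk out through the management interface.
pass in on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port { 22 443 }
pass out on $mgmt_if from ($mgmt_if) to any
```

The split mirrors the three-interface layout Ivo insists on: the two inline ports never answer to an address, so there is nothing on the router/firewall segment to fingerprint or log into, and everything administrative (GUI, SSH, rule updates, syslog) rides the management port, which should sit on a network the Internet-facing segment cannot reach.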

Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Ivo Tonev
A bridge is necessary; without it there is no forwarding between the interfaces.

On Tue, Sep 30, 2014 at 3:11 PM, Jeronimo L. Cabral 
wrote:

> OK Ivo, that's great data. I really appreciate this...
>
> But please tell me this at last:
>
> So the WAN and LAN interfaces have no IP assigned?
> Do I have to create a bridge interface with the WAN and LAN interfaces, and
> in this case is it possible to have an IP-less bridge interface? Or is
> the bridge not necessary and is it enough to have WAN and LAN IP-less in
> promiscuous mode?
>
> Thanks a lot again !!!
>
>
> On Tue, Sep 30, 2014 at 3:04 PM, Ivo Tonev  wrote:
>
>> You need to use the management network to download.
>>
>> On Tue, Sep 30, 2014 at 3:01 PM, Jeronimo L. Cabral > > wrote:
>>
>>> Dear, I can't understand it at all... please be patient with me :(
>>>
>>> I'll use pfSense with Snort as an IPS because I see it is easier than
>>> configuring Snort manually.
>>>
>>> I have an ISP router with 200.1.1.1, a corporate firewall with 200.1.1.2
>>> and the condition is that I MUST LEAVE THIS CONFIGURATION AS IT IS NOW.
>>>
>>> So, I have to place the pfSense server between the router and the
>>> firewall, in "inline" mode.
>>>
>>> My pfSense server has 3 network interfaces, let's say: WAN connected to
>>> the router, LAN connected to the corporate firewall and OPT1 for
>>> management with IP 192.168.1.1.
>>>
>>> Now I have the question:
>>>
>>> How should I configure the WAN and LAN interfaces: with IP, IP-less,
>>> creating a bridge interface IP-less or with IP? Because if I create a
>>> bridge with WAN and LAN and I don't assign an IP, the IPS won't
>>> download the signatures from the Internet... I'm a bit confused.
>>>
>>> Thanks a lot, regards.
>>>
>>> JeLo
>>>
>>>
>>>
>>> On Tue, Sep 30, 2014 at 10:55 AM, Ivo Tonev  wrote:
>>>
>>>> Yes. Always use out-of-band management.
>>>>
>>>>
>>>> On Tue, Sep 30, 2014 at 10:35 AM, Roberto Carna <
>>>> robertocarn...@gmail.com> wrote:
>>>>
>>>>> Ivo, that's a good idea... but please tell me if I'm correct or not:
>>>>>
>>>>> WAN, LAN, Bridge interfaces: IP-less
>>>>> OPT1: IP for management in a management network
>>>>>
>>>>> Thanks again,
>>>>>
>>>>> 2014-09-30 9:27 GMT-03:00 Ivo Tonev :
>>>>> > I recommend you create a management network for OPT1 with private IP.
>>>>> >
>>>>> >
>>>>> > On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna <
>>>>> robertocarn...@gmail.com>
>>>>> > wrote:
>>>>> >>
>>>>> >> I think this is good for us:
>>>>> >>
>>>>> >>
>>>>> >> - Router ISP with IP 200.0.0.1
>>>>> >>
>>>>> >> - pFsense with the following interfaces:
>>>>> >>
>>>>> >>   a) WAN IP-Less
>>>>> >>   b) LAN IP-Less
>>>>> >>   c) OPT1 with IP 200.0.0.2 (management)
>>>>> >>   d) Bridge with WAN and LAN interfaces, and Bridge interface
>>>>> IP-Less
>>>>> >>
>>>>> >> - Corporate firewall with IP 200.0.0.3
>>>>> >>
>>>>> >> - Snort runs in Bridge interface
>>>>> >>
>>>>> >> Do you think this is correct ???
>>>>> >>
>>>>> >> Good night !!!
>>>>> >>
>>>>> >> Roberto
>>>>> >>
>>>>> >>
>>>>> >> 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral >>>> >:
>>>>> >> > I can say that I imagine this addresses space:
>>>>> >> >
>>>>> >> > Router / IP 200.1.1.1 --- WAN IP-Less / pFsense/ LAN IP-Less ---
>>>>> >> > Firewall /
>>>>> >> > IP 200.1.1.2
>>>>> >> >OPT1 /
>>>>> IP
>>>>> >> > 200.1.1.3
>>>>> >> >
>>>>>  (management)
>>>>> >> >
>>>>> >> &

Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Ivo Tonev
You need to use the management network to download.

On Tue, Sep 30, 2014 at 3:01 PM, Jeronimo L. Cabral 
wrote:

> Dear, I can't understand it at all... please be patient with me :(
>
> I'll use pfSense with Snort as an IPS because I see it is easier than
> configuring Snort manually.
>
> I have an ISP router with 200.1.1.1, a corporate firewall with 200.1.1.2
> and the condition is that I MUST LEAVE THIS CONFIGURATION AS IT IS NOW.
>
> So, I have to place the pfSense server between the router and the
> firewall, in "inline" mode.
>
> My pfSense server has 3 network interfaces, let's say: WAN connected to
> the router, LAN connected to the corporate firewall and OPT1 for
> management with IP 192.168.1.1.
>
> Now I have the question:
>
> How should I configure the WAN and LAN interfaces: with IP, IP-less,
> creating a bridge interface IP-less or with IP? Because if I create a
> bridge with WAN and LAN and I don't assign an IP, the IPS won't
> download the signatures from the Internet... I'm a bit confused.
>
> Thanks a lot, regards.
>
> JeLo
>
>
>
> On Tue, Sep 30, 2014 at 10:55 AM, Ivo Tonev  wrote:
>
>> Yes. Always use out-of-band management.
>>
>>
>> On Tue, Sep 30, 2014 at 10:35 AM, Roberto Carna > > wrote:
>>
>>> Ivo, that's a good idea... but please tell me if I'm correct or not:
>>>
>>> WAN, LAN, Bridge interfaces: IP-less
>>> OPT1: IP for management in a management network
>>>
>>> Thanks again,
>>>
>>> 2014-09-30 9:27 GMT-03:00 Ivo Tonev :
>>> > I recommend you create a management network for OPT1 with private IP.
>>> >
>>> >
>>> > On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna <
>>> robertocarn...@gmail.com>
>>> > wrote:
>>> >>
>>> >> I think this is good for us:
>>> >>
>>> >>
>>> >> - Router ISP with IP 200.0.0.1
>>> >>
>>> >> - pFsense with the following interfaces:
>>> >>
>>> >>   a) WAN IP-Less
>>> >>   b) LAN IP-Less
>>> >>   c) OPT1 with IP 200.0.0.2 (management)
>>> >>   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less
>>> >>
>>> >> - Corporate firewall with IP 200.0.0.3
>>> >>
>>> >> - Snort runs in Bridge interface
>>> >>
>>> >> Do you think this is correct ???
>>> >>
>>> >> Good night !!!
>>> >>
>>> >> Roberto
>>> >>
>>> >>
>>> >> 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral :
>>> >> > I can say that I imagine this addresses space:
>>> >> >
>>> >> > Router / IP 200.1.1.1 --- WAN IP-Less / pFsense/ LAN IP-Less ---
>>> >> > Firewall /
>>> >> > IP 200.1.1.2
>>> >> >OPT1 / IP
>>> >> > 200.1.1.3
>>> >> >
>>>  (management)
>>> >> >
>>> >> > So, the WAN and LAN interfaces from pfSense are IP-less (promiscuous
>>> >> > mode), and the OPT1 interface from pfSense has a public IP like the
>>> >> > router and firewall.
>>> >> >
>>> >> > Can I do this in pfsense ???
>>> >> >
>>> >> >
>>> >> > On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral
>>> >> > 
>>> >> > wrote:
>>> >> >>
>>> >> >> OK Ivo, this is very helpful to meSuppose I have:
>>> >> >>
>>> >> >> Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP
>>> 200.1.1.2
>>> >> >>
>>> >> >> I have to keep the addressing of this scenario unchanged, so what
>>> >> >> IP addresses do I have to assign to the WAN and LAN pfSense
>>> >> >> interfaces?
>>> >> >>
>>> >> >> Thanks a lot,
>>> >> >>
>>> >> >> JeLo
>>> >> >>
>>> >> >> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev 
>>> wrote:
>>> >> >>>
>>> >> >>> In production environment you need 3 interfaces - one for WAN,
>>> one for
>>> >> >>> LAN and o

Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Ivo Tonev
Yes. Always use out-of-band management.


On Tue, Sep 30, 2014 at 10:35 AM, Roberto Carna 
wrote:

> Ivo, that's a good idea... but please tell me if I'm correct or not:
>
> WAN, LAN, Bridge interfaces: IP-less
> OPT1: IP for management in a management network
>
> Thanks again,
>
> 2014-09-30 9:27 GMT-03:00 Ivo Tonev :
> > I recommend you create a management network for OPT1 with private IP.
> >
> >
> > On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna <
> robertocarn...@gmail.com>
> > wrote:
> >>
> >> I think this is good for us:
> >>
> >>
> >> - Router ISP with IP 200.0.0.1
> >>
> >> - pFsense with the following interfaces:
> >>
> >>   a) WAN IP-Less
> >>   b) LAN IP-Less
> >>   c) OPT1 with IP 200.0.0.2 (management)
> >>   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less
> >>
> >> - Corporate firewall with IP 200.0.0.3
> >>
> >> - Snort runs in Bridge interface
> >>
> >> Do you think this is correct ???
> >>
> >> Good night !!!
> >>
> >> Roberto
> >>
> >>
> >> 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral :
> >> > I can say that I imagine this addresses space:
> >> >
> >> > Router / IP 200.1.1.1 --- WAN IP-Less / pFsense/ LAN IP-Less ---
> >> > Firewall /
> >> > IP 200.1.1.2
> >> >OPT1 / IP
> >> > 200.1.1.3
> >> >
>  (management)
> >> >
> >> > So, the WAN and LAN interfaces from pfSense are IP-less (promiscuous
> >> > mode), and the OPT1 interface from pfSense has a public IP like the
> >> > router and firewall.
> >> >
> >> > Can I do this in pfsense ???
> >> >
> >> >
> >> > On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral
> >> > 
> >> > wrote:
> >> >>
> >> >> OK Ivo, this is very helpful to meSuppose I have:
> >> >>
> >> >> Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
> >> >>
> >> >> I have to keep the addressing of this scenario unchanged, so what
> >> >> IP addresses do I have to assign to the WAN and LAN pfSense interfaces?
> >> >>
> >> >> Thanks a lot,
> >> >>
> >> >> JeLo
> >> >>
> >> >> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev  wrote:
> >> >>>
> >> >>> In production environment you need 3 interfaces - one for WAN, one
> for
> >> >>> LAN and one for management.
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
> >> >>>
> >> >>>
> >> >>> On Mon, Sep 29, 2014 at 9:24 PM, compdoc 
> wrote:
> >> >>>>
> >> >>>> > But you say: one interface for WAN, a second for
> >> >>>>
> >> >>>> >LAN...and which interface is for managing ???
> >> >>>>
> >> >>>> You manage with a browser from LAN, and optional also from the WAN
> >> >>>> port.
> >> >>>> And with ssh from the LAN.
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>




Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Ivo Tonev
I recommend you create a management network for OPT1 with private IP.


On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna 
wrote:

> I think this is good for us:
>
>
> - Router ISP with IP 200.0.0.1
>
> - pFsense with the following interfaces:
>
>   a) WAN IP-Less
>   b) LAN IP-Less
>   c) OPT1 with IP 200.0.0.2 (management)
>   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less
>
> - Corporate firewall with IP 200.0.0.3
>
> - Snort runs in Bridge interface
>
> Do you think this is correct ???
>
> Good night !!!
>
> Roberto
>
>
> 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral :
> > I can say that I imagine this addresses space:
> >
> > Router / IP 200.1.1.1 --- WAN IP-Less / pFsense/ LAN IP-Less ---
> Firewall /
> > IP 200.1.1.2
> >OPT1 / IP
> > 200.1.1.3
> > (management)
> >
> > So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuos
> mode),
> > and the OPT1 interface from pFsense has a public IP as router and
> firewall.
> >
> > Can I do this in pfsense ???
> >
> >
> > On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral <
> jelocab...@gmail.com>
> > wrote:
> >>
> >> OK Ivo, this is very helpful to meSuppose I have:
> >>
> >> Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
> >>
> >> I have to maintan invariable the addressing of this scenario, so what IP
> >> addresses do I have to assign to WAN and LAN pFsense interfaces ???
> >>
> >> Thanks a lot,
> >>
> >> JeLo
> >>
> >> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev  wrote:
> >>>
> >>> In production environment you need 3 interfaces - one for WAN, one for
> >>> LAN and one for management.
> >>>
> >>>
> >>>
> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
> >>>
> >>>
> >>> On Mon, Sep 29, 2014 at 9:24 PM, compdoc  wrote:
> >>>>
> >>>> > But you say: one interface for WAN, a second for
> >>>>
> >>>> >LAN...and which interface is for managing ???
> >>>>
> >>>>
> >>>> You manage with a browser from LAN, and optional also from the WAN
> port.
> >>>> And with ssh from the LAN.
> >>>>
> >>>>
> >>>>
> >>>>




Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
In production environment you need 3 interfaces - one for WAN, one for LAN
and one for management.

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html


On Mon, Sep 29, 2014 at 9:24 PM, compdoc  wrote:

> > But you say: one interface for WAN, a second for
>
> >LAN...and which interface is for managing ???
>
> You manage with a browser from LAN, and optional also from the WAN port.
> And with ssh from the LAN.




Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
I don't like the bridge approach because if you have many VLANs it becomes
very complicated.

I always use the router approach because I can configure IDS for one
interface and IPS for another.

If you don't have enough IP addresses, you can use an invalid IP on the
firewall WAN and create a route on your router to reach your range.
On Sep 29, 2014 7:31 PM, "Jeronimo L. Cabral"  wrote:

> Dear, do I have to have 3 network interfaces or are 2 interfaces enough to
> implement the IPS? Because I think I'll have 1 promiscuous WAN, 1
> promiscuous LAN and 1 management.
>
> The Pfsense firewall has to be setup as BRIDGE if  want to put it between
> the router and the corporate firewall ???
>
> Special thanks,
>
> JeLo
>
> On Mon, Sep 29, 2014 at 5:35 PM, compdoc  wrote:
>
>> > Here is a good place to start regarding Suricata or Snort.
>> >
>> >
>> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>>
>>
>> Is the free-to-use version of Snort going away? I scanned the page
>> mentioned above but it seems unclear.
>>
>> Suricata sounds like an excellent replacement given the advanced
>> features, but I have to say Snort is doing a fine job for us.
>>
>> I use the free Registered User rules and the free Emerging Threats rules,
>> and Snort is busy blocking port scans and all kinds of activity, while not
>> bothering/blocking our users' activity.
>>
>> Not that we rely solely on Snort - no unnecessary ports are listening to
>> the web. No management ports like 22 are open.
>>
>> Anyway, Snort doesn't use much CPU time for our 30-user office, and
>> pfSense makes it (kinda) easy to use. Until Suricata arrives for pfSense, I
>> think it's fine.
>>
>> By the way, if you have a decent-speed quad-core server with at least 8GB
>> RAM, you can easily run pfSense, Suricata, and whatever else side by side
>> in virtual machines.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
On pfSense it's click & go. No need to install everything. :)
On Sep 29, 2014 4:46 PM, "Espen Johansen"  wrote:

> If all you want is an IPS then I don't understand what you need pfS for?
> There are tons of setup guides for a Linux flavour of choice to get this
> setup done. You can even build a hogwash-like setup if you like.
> On 29 Sep 2014 21:38, "Roberto Carna" 
> wrote:
>
>> Ivo, I want to place the IPS between the router and the corporate
>> firewall, so I think I should use bridge mode... is that correct?
>>
>> 2014-09-29 16:34 GMT-03:00 Ivo Tonev :
>> > I recommend using it in "router mode".
>> >
>> > On Sep 29, 2014 4:29 PM, "Roberto Carna" 
>> wrote:
>> >>
>> >> Ok, and do you recommend setting up the pfSense WAN and LAN interfaces
>> >> in bridge mode with firewall rules enabled?
>> >>
>> >> Really thanks,
>> >>
>> >> Roberto
>> >>
>> >>
>> >>
>> >> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
>> >> > Depends on what you want. A split design is normally better and safer
>> >> > than an all-in-one box. If you want suricata + snorby and barnyard it's
>> >> > not recommended to run it all on pfsense. There are many deps. that will
>> >> > cause a security nightmare and you will probably run out of hw resources
>> >> > as well.
>> >> >
>> >> > OK, thanks, the last one please:
>> >> >
>> >> > Do you recommend installing an IPS in a virtual machine like VMware?
>> >> > Because we have VMware for all our servers.
>> >> >
>> >> > Regards,
>> >> >
>> >> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
>> >> > :
>> >> >> Roberto
>> >> >>
>> >> >> Here is a good place to start regarding Suricata or Snort.
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>> >> >>
>> >> >>
>> >> >>
>> >> >> ---
>> >> >> Anastasios Stefos
>> >> >> ´αίέν άριστεύειν
>> >> >>
>> >> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
>> >> >> 
>> >> >> wrote:
>> >> >>>
>> >> >>> Dear Ivo and people, just three short questions:
>> >> >>>
>> >> >>> 1) Using Suricata, can I enable IPS mode as I can using Snort?
>> >> >>>
>> >> >>> 2) In IPS mode, do I have to have 3 interfaces in my server?
>> >> >>>
>> >> >>> 3) Is the only way to view the IPS blocking events from within
>> >> >>> pfSense, or can I use Snorby?
>> >> >>>
>> >> >>> Thanks again,
>> >> >>>
>> >> >>> Roberto
>> >> >>>
>> >> >>> Thanks again,
>> >> >>>
>> >> >>> Roberto
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
>> >> >>> > Use suricata
>> >> >>> >
>> >> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" <
>> robertocarn...@gmail.com>
>> >> >>> > wrote:
>> >> >>> >>
>> >> >>> >> Dear, I need to know if it's possible to setup Pfsense with
>> Snort
>> >> >>> >> to
>> >> >>> >> get an IPS (Intrusion Prevention System), and in this case what
>> is
>> >> >>> >> the
>> >> >>> >> graphical interface used to view events and dropped traffic.
>> >> >>> >>
>> >> >>> >> Thanks a lot,
>> >> >>> >>
>> >> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
You can use an invalid IP on the WAN interface. This way there is no way to
bypass the firewall.
On Sep 29, 2014 4:37 PM, "Roberto Carna"  wrote:

> Mainly bridge to hide the IPS server from Internet, and also if I
> don't use the bridge mode I have to put a public IP in the WAN
> interface connected to the router and I have not much more available
> public IP's.
>
> 2014-09-29 16:31 GMT-03:00 Espen Johansen :
> > Why bridge? Do you want to hide everything? It's not that hard to
> > fingerprint a pfS bridge. If you have practical reasons, sure, go ahead.
> >
> > On 29 Sep 2014 21:28, "Roberto Carna" 
> > wrote:
> >
> >> Ok, and do you recommend setting up the pfSense WAN and LAN interfaces
> >> in bridge mode with firewall rules enabled?
> >>
> >> Really thanks,
> >>
> >> Roberto
> >>
> >>
> >>
> >> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
> >> > Depends on what you want. A split design is normally better and safer
> >> > than an all-in-one box. If you want suricata + snorby and barnyard it's
> >> > not recommended to run it all on pfsense. There are many deps. that will
> >> > cause a security nightmare and you will probably run out of hw resources
> >> > as well.
> >> >
> >> > OK, thanks, the last one please:
> >> >
> >> > Do you recommend installing an IPS in a virtual machine like VMware?
> >> > Because we have VMware for all our servers.
> >> >
> >> > Regards,
> >> >
> >> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos
> >> > :
> >> >> Roberto
> >> >>
> >> >> Here is a good place to start regarding Suricata or Snort.
> >> >>
> >> >>
> >> >>
> >> >>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >> >>
> >> >>
> >> >>
> >> >> ---
> >> >> Anastasios Stefos
> >> >> ´αίέν άριστεύειν
> >> >>
> >> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna
> >> >> 
> >> >> wrote:
> >> >>>
> >> >>> Dear Ivo and people, just three short questions:
> >> >>>
> >> >>> 1) Using Suricata, can I enable IPS mode as I can using Snort?
> >> >>>
> >> >>> 2) In IPS mode, do I have to have 3 interfaces in my server?
> >> >>>
> >> >>> 3) Is the only way to view the IPS blocking events from within
> >> >>> pfSense, or can I use Snorby?
> >> >>>
> >> >>> Thanks again,
> >> >>>
> >> >>> Roberto
> >> >>>
> >> >>> Thanks again,
> >> >>>
> >> >>> Roberto
> >> >>>
> >> >>>
> >> >>>
> >> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >> >>> > Use suricata
> >> >>> >
> >> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" <
> robertocarn...@gmail.com>
> >> >>> > wrote:
> >> >>> >>
> >> >>> >> Dear, I need to know if it's possible to setup Pfsense with Snort
> >> >>> >> to
> >> >>> >> get an IPS (Intrusion Prevention System), and in this case what
> is
> >> >>> >> the
> >> >>> >> graphical interface used to view events and dropped traffic.
> >> >>> >>
> >> >>> >> Thanks a lot,
> >> >>> >>
> >> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
You can use as many interfaces as you want.

You can use the web GUI or tail -f the file under
/var/log/suricata/(interface)/*
:)
On Sep 29, 2014 3:34 PM, "Roberto Carna"  wrote:

> Dear Ivo and people, just three short questions:
>
> 1) Using Suricata, can I enable IPS mode as I can using Snort?
>
> 2) In IPS mode, do I have to have 3 interfaces in my server?
>
> 3) Is the only way to view the IPS blocking events from within pfSense,
> or can I use Snorby?
>
> Thanks again,
>
> Roberto
>
> Thanks again,
>
> Roberto
>
>
>
> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> > Use suricata
> >
> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
> wrote:
> >>
> >> Dear, I need to know if it's possible to setup Pfsense with Snort to
> >> get an IPS (Intrusion Prevention System), and in this case what is the
> >> graphical interface used to view events and dropped traffic.
> >>
> >> Thanks a lot,
> >>
> >> Roberto
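Added example, not code from this thread nor from the pfSense, Snort or Suricata projects: a first-pass triage of the alert file Ivo points at (fast.log under /var/log/suricata/(interface)/, the exact file name being an assumption) that also addresses Stefan's earlier question about sorting "several thousand alerts per day" into false positives to whitelist and real hits to keep blocking. The log lines are constructed for the example; the SIDs and messages are borrowed from public rule sets only so they look realistic. It needs nothing beyond POSIX sh and awk, which pfSense has.

```sh
#!/bin/sh
# Triage helpers for Snort/Suricata fast.log alerts (added example).
# Line format: DATE  [**] [gid:sid:rev] MSG [**] [Classification: ...]
#              [Priority: N] {PROTO} SRC:PORT -> DST:PORT

# Constructed sample alerts (not real traffic), in Suricata fast.log format.
SAMPLE_ALERTS='09/29/2014-14:37:01.123456  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.9:44120 -> 10.10.0.21:443
09/29/2014-14:37:02.004410  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.70:50011 -> 10.10.0.22:443
09/29/2014-14:37:05.770001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.0.21:80 -> 203.0.113.44:51234
09/29/2014-14:37:09.120000  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.9:44131 -> 10.10.0.21:443
09/29/2014-14:38:00.000200  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.0.23:39910 -> 203.0.113.80:80
09/29/2014-14:38:11.900000  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.15:40200 -> 10.10.0.21:443
09/29/2014-14:39:40.300300  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.0.21:80 -> 198.51.100.70:50020'

# top_signatures FILE [N]: count, SID, priority and message per rule, busiest
# first. A large count at priority 3 spread over many sources is the usual
# shape of a false positive; start the whitelisting review there.
top_signatures() {
  awk '{
    split($3, id, ":"); sid = id[2]                 # "[1:2210020:1]" -> 2210020
    msg = ""
    for (i = 4; i <= NF && $i != "[**]"; i++)       # words up to the 2nd [**]
      msg = msg (msg == "" ? "" : " ") $i
    for (i = 1; i <= NF; i++)
      if ($i == "[Priority:") { pri = $(i + 1); sub(/\]/, "", pri) }
    n[sid]++; m[sid] = msg; p[sid] = pri
  } END {
    for (s in n) printf "%d %s prio=%s %s\n", n[s], s, p[s], m[s]
  }' "$1" | sort -rn | head -n "${2:-10}"
}

# sig_sources FILE SID: distinct source IPs that fired one rule, busiest
# first. One source hammering a priority 1/2 rule is a real hit; dozens of
# sources tripping a decoder rule is protocol noise, not an attack.
sig_sources() {
  awk -v want="$2" '{
    split($3, id, ":")
    if (id[2] != want) next
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[{]/) { src = $(i + 1); sub(/:[0-9]+$/, "", src) }
    n[src]++
  } END { for (s in n) printf "%d %s\n", n[s], s }' "$1" | sort -rn
}

# suppress_line SID [SRCIP]: the threshold.conf line that silences a rule
# everywhere, or only for one source so it stays live for everyone else.
# Snort and Suricata share this syntax; paste it into the package's
# Suppress list rather than disabling the rule outright.
suppress_line() {
  if [ -n "$2" ]; then
    printf 'suppress gen_id 1, sig_id %s, track by_src, ip %s\n' "$1" "$2"
  else
    printf 'suppress gen_id 1, sig_id %s\n' "$1"
  fi
}

# Demo on the constructed sample; set TRIAGE_DEMO=0 to only load the
# functions, then e.g.: top_signatures /var/log/suricata/<interface>/fast.log
if [ "${TRIAGE_DEMO:-1}" = 1 ]; then
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_ALERTS" > "$tmp"
  top_signatures "$tmp" 5
  sig_sources "$tmp" 2210020
  suppress_line 2210020
  rm -f "$tmp"
fi
```

On the sample the stream-decoder rule tops the list with four alerts from three different sources at priority 3, which is what a whitelist candidate looks like, while the two "id check returned root" hits all come from one internal web server and deserve a look before anyone suppresses them. Working from the counts down, suppressing per source where a single host is the noise, keeps the rule set intact instead of drifting toward the "blacklist only what we are sure about" posture Stefan's colleagues were arguing for.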

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
I recommend using it in "router mode".
On Sep 29, 2014 4:29 PM, "Roberto Carna"  wrote:

> Ok, and do you recommend setting up the pfSense WAN and LAN interfaces
> in bridge mode with firewall rules enabled?
>
> Really thanks,
>
> Roberto
>
>
>
> 2014-09-29 16:15 GMT-03:00 Espen Johansen :
> > Depends on what you want. A split design is normally better and safer
> > than an all-in-one box. If you want suricata + snorby and barnyard it's
> > not recommended to run it all on pfsense. There are many deps. that will
> > cause a security nightmare and you will probably run out of hw resources
> > as well.
> >
> > OK, thanks, the last please:
> >
> > Do you recommend installing an IPS in a virtual machine like VMware?
> > Because we have VMware for all our servers.
> >
> > Regards,
> >
> > 2014-09-29 15:39 GMT-03:00 Anastasios Stefos <
> anastasios.ste...@gmail.com>:
> >> Roberto
> >>
> >> Here is a good place to start regarding Suricata or Snort.
> >>
> >>
> >>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
> >>
> >>
> >>
> >> ---
> >> Anastasios Stefos
> >> ´αίέν άριστεύειν
> >>
> >> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna <
> robertocarn...@gmail.com>
> >> wrote:
> >>>
> >>> Dear Ivo and people, just three short questions:
> >>>
> >>> 1) Using Suricata, can I enable IPS mode as I can with Snort?
> >>>
> >>> 2) In IPS mode, do I have to have 3 interfaces in my server ???
> >>>
> >>> 3) Is the only way to view the IPS blocking events from inside pfSense,
> >>> or can I use Snorby?
> >>>
> >>> Thanks again,
> >>>
> >>> Roberto
> >>>
> >>>
> >>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev :
> >>> > Use suricata
> >>> >
> >>> > On Sep 29, 2014 2:27 PM, "Roberto Carna" 
> >>> > wrote:
> >>> >>
> >>> >> Dear, I need to know if it's possible to set up pfSense with Snort to
> >>> >> get an IPS (Intrusion Prevention System), and in this case what is
> the
> >>> >> graphical interface used to view events and dropped traffic.
> >>> >>
> >>> >> Thanks a lot,
> >>> >>
> >>> >> Roberto

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
Use suricata
On Sep 29, 2014 2:27 PM, "Roberto Carna"  wrote:

> Dear, I need to know if it's possible to set up pfSense with Snort to
> get an IPS (Intrusion Prevention System), and in this case what is the
> graphical interface used to view events and dropped traffic.
>
> Thanks a lot,
>
> Roberto

Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

2014-09-28 Thread Ivo Tonev
Can you send your network layout?
How many servers?

--
Ivo Tonev
i...@tonev.pro.br

> On Sep 28, 2014, at 05:58, Stefan Fuhrmann  
> wrote:
> 
> Hello all,
> 
> can someone help?
> 
> tia
> Stefan
> 
> On Friday, 26 September 2014, 15:11:04, Stefan Fuhrmann wrote:
>> Hello all,
>> 
>> I need a recommendation for the following setup:
>> 
>> pfsense-cluster
>> 
>> loadbalancers
>> 
>> webservers
>> 
>> There are some thousand visits per day and I want to secure them with pfSense and
>> Snort. Snort runs on the LAN side.
>> I want to be aware of which are the false positives and how to handle this
>> traffic with Snort and the Snort GUI within pfSense.
>> Is it now a good idea to enable the categories step by step and do
>> whitelisting of rules where I'm of the opinion this traffic should go, and
>> block the rest?
>> I'm unsure if there is a lot of traffic getting blocked which should pass.
>> This should not happen...
>> 
>> In that firm the opinion is that we should do blacklisting: blocking
>> only categories where we are sure this is not good traffic.
>> At the moment there are several thousand alerts per day!
>>
>> I would say block on the alerts and then do whitelisting via the GUI.
>> Problem: at first there is an error state.
>>
>> Can someone give recommendations on how to implement this?
>> Is it a good idea to configure the files directly on pfSense?
>> 
>> tia
>> Stefan
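For Stefan's question about finding the false positives before whitelisting, here is an added example (not code from this thread or from the pfSense Snort package) that parses constructed Snort/Suricata fast.log lines, counts repeated hits per rule and internal source host, and renders threshold.conf-style suppress entries of the kind the Snort package's Suppress list accepts. The internal address prefix, the minimum hit count and the sample alert lines are assumptions.

```python
"""Triage Snort/Suricata fast.log alerts into suppress-list candidates.

Added example, not code from the pfSense list or the Snort package.
Assumes the Snort/Suricata "fast" alert format; the log lines below are
constructed samples, not real traffic.
"""
import re
from collections import Counter

# Constructed fast.log lines: one web server tripping the same rule three
# times (typical false-positive shape) plus one genuine external scan hit.
SAMPLE_FAST_LOG = """\
09/26/2014-15:11:04.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.0.21:80 -> 203.0.113.5:51234
09/26/2014-15:11:05.000002  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.0.21:80 -> 203.0.113.9:40011
09/26/2014-15:11:06.000003  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.0.21:80 -> 198.51.100.7:40012
09/26/2014-15:11:07.000004  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.44:52000 -> 10.10.0.21:22
"""

# [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_fast_log(text):
    """Yield a dict (gid, sid, rev, msg, proto, src, dst) per parseable line."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield m.groupdict()


def suppress_candidates(alerts, internal_prefix, min_hits=3):
    """Return sorted (gid, sid, src) tuples fired >= min_hits times by one
    internal host.  Repeated hits of one rule from a single internal source
    are the usual shape of a false positive (e.g. a legitimate web response
    matching a content rule); they are candidates for review, not auto-pass.
    """
    hits = Counter(
        (a["gid"], a["sid"], a["src"])
        for a in alerts
        if a["src"].startswith(internal_prefix)
    )
    return sorted(key for key, n in hits.items() if n >= min_hits)


def suppress_line(gid, sid, src):
    """Render a threshold.conf-style suppress entry keyed to the source host."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
```

Run the candidates past the rule text before pasting them into the Suppress list; the external scan hit stays unsuppressed because its source is not internal.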