Re: [pfSense] Squid transparent with SSL interception - CA certificate problem
Dear Alex, so there is no solution to the given problem??? I refer to installing a CA private certificate in mobile devices and letting them navigate and use applications through a transparent proxy without SSL errors...

Regards,

2018-02-06 11:35 GMT-03:00 Alex Threlfall <a...@cyberprog.net>:
> They may be hard coded to look at only their own CA to prevent MiM attacks, or use their own certificate store (for a similar behaviour).
>
> Alex.
>
>> -----Original Message-----
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Roberto Carna
>> Sent: 06 February 2018 13:32
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: [pfSense] Squid transparent with SSL interception - CA certificate problem
>>
>> People, I've set up a transparent Squid proxy for WiFi clients. I'm using SSL interception, so I had to generate a CA private certificate (generated from the pfSense certificate manager tab).
>>
>> But when I add this CA private certificate to several Android and iPhone devices in order to proxify and filter SSL applications, some of the Android devices don't work correctly: Facebook and Instagram don't load the profiles and Mercadolibre doesn't open the menu. On the other Android and iPhone devices, everything works OK.
>>
>> Can this problem be related to the CA certificate (maybe I have to use a given digest algorithm and key length) or is this an Android intrinsic problem depending on the OS version???
>>
>> Thanks a lot.
>>
>> ROBERT
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
[pfSense] Squid transparent with SSL interception - CA certificate problem
People, I've set up a transparent Squid proxy for WiFi clients. I'm using SSL interception, so I had to generate a CA private certificate (generated from the pfSense certificate manager tab).

But when I add this CA private certificate to several Android and iPhone devices in order to proxify and filter SSL applications, some of the Android devices don't work correctly: Facebook and Instagram don't load the profiles and Mercadolibre doesn't open the menu. On the other Android and iPhone devices, everything works OK.

Can this problem be related to the CA certificate (maybe I have to use a given digest algorithm and key length) or is this an Android intrinsic problem depending on the OS version???

Thanks a lot.

ROBERT
[pfSense] Force CA certificate installation as trusted root CA on WiFi clients
Dear, I have pfSense + Squid in transparent mode. I have to filter web sites and content in HTTPS with Squidguard, so I've created a CA self-signed certificate and a server certificate (signed by the CA) in pfSense. After that I defined the CA certificate in the Squid configuration tab from pfSense.

In order to let the WiFi clients navigate properly through the Squid transparent proxy, filtering everything we want with Squidguard, I have to force the installation of the CA certificate on them.

How can I automatically force the CA certificate installation as a trusted Root CA on WiFi clients, taking into account they can be Windows, Linux, Android, iPhone, etc.???

Thanks in advance.

ROBERT
Re: [pfSense] Transparent proxy for WiFi users
Dear, I've created a self-signed CA certificate in pfSense, in order to use it in the SSL Filtering / Splice All from Squid. This CA certificate is NOT installed in any of the client devices (notebooks, cell phones, etc.), because it is impossible to ask each WiFi user to install it.

Everything works OK, except in certain cases, for example:

- Facebook app sometimes doesn't load the user profiles, I have to close Facebook and open it again
- Mercadolibre is the same, it doesn't load the content and after that I have to close and open the app

Why do certain apps not work OK until I close and restart them???

Thanks a lot again!!!

2018-01-10 3:51 GMT-03:00 WebDawg <webd...@gmail.com>:
> Can you just do inspection on this and have it stop acting as a true proxy?
>
> Splice All:
> This configuration is suitable if you want to use the SquidGuard package for web filtering.
> All destinations will be spliced. SquidGuard can do its job of denying or allowing destinations according to its rules, as it does with HTTP.
> You do not need to install the CA certificate configured below on clients.
> Content filtering (such as Antivirus) will not be available for SSL sites.
>
> On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage <esav...@digitalrage.org> wrote:
>> Interested in what sort of problems you are seeing.
>>
>> I use the same setup in a small environment, let's call it home :), with many different devices and have not seen any issues.
>>
>> -----Original Message-----
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer Duffner
>> Sent: Tuesday, January 02, 2018 10:01 AM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: Re: [pfSense] Transparent proxy for WiFi users
>>
>>> On 02.01.2018 at 14:46, Roberto Carna <robertocarn...@gmail.com> wrote:
>>>
>>> Dear, I've set up a Squid transparent proxy + Squidguard on pfSense 2.4 in order to filter HTTP and HTTPS web content for different types of WiFi clients in my company:
>>>
>>> - Android (different versions)
>>> - Notebooks Windows 7/10
>>> - iPhone
>>> - Etc.
>>>
>>> In some cases, depending on the device Operating System, some apps experience problems, for example Facebook and some others.
>>
>> Apps that do hardwired Key-Pinning (everything from Apple, Google and probably TFB, too) will not work.
>> You have to make exemptions, AFAIK.
>>
>> Same for ebanking and related.
Re: [pfSense] pfSense and SIP
Special thanks to both of you...

With ANY I mean "all TCP and UDP ports".

Maybe when the remote peer sends my PBX the SIP packet with the SIP Options, the response from the PBX is a SIP packet defined as ESTABLISHED traffic... and this ESTABLISHED feature is not working or not defined in pfSense firewall rules??? Because the SIP response packet from the PBX to the remote peer is not new traffic, it is established traffic.

Thanks a lot again, regards!!!

2018-01-09 12:17 GMT-03:00 Giles Coochey <gi...@coochey.net>:
> On 09/01/2018 14:34, Roberto Carna wrote:
>> Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote peer outside of the pfSense. I connect PBX and Peer in order to establish a SIP trunk.
>>
>> In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.
>>
>> So we have generated two firewall rules:
>>
>> PBX --> SIP Peer with ANY
>> SIP Peer --> PBX with ANY
>
> When you say any, it is a bit unclear: Protocol any? or TCP any, UDP any?
>
> Could you elaborate on the exact rules you have set up?
>
>> But often the SIP packets coming from the SIP Peer don't cross the pfSense to the PBX. The packets never reach my PBX.
>>
>> Is there any feature I have to enable/disable in pfSense in order to work with the SIP protocol and have the SIP trunk established???
>>
>> The SIP trunk provider tells me that the SIP Options they send me are not responded to by us.
>>
>> Thanks a lot,
>>
>> ROBERT
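The ESTABLISHED question above comes down to how a stateful packet filter treats reply traffic. The Python model below is an added illustration, not code from the thread or from pfSense: it imitates pf's behaviour, in which a packet that matches a pass rule on the interface it enters creates a state entry, later packets of that flow in either direction are passed by the state table without the rules being consulted again, and everything else is dropped by the default deny. The addresses, interface names and the two rules are constructed to match the thread's description. Running it shows that the PBX's reply to a peer-initiated SIP OPTIONS never needs a rule of its own; when the peer's packets do not reach the PBX, the packet to examine is the first, peer-to-PBX one and whether a WAN-side pass rule actually matches it (second scenario).

```python
from dataclasses import dataclass

# Constructed addresses: the PBX sits in the DMZ, the trunk peer is outside.
PBX = "10.10.0.10"
PEER = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet enters the firewall on ("dmz" or "wan")
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """Pass rule evaluated on the interface where traffic enters, as pfSense does."""
    iface: str
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: object = "any"

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and self.proto in ("any", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.dport in ("any", pkt.dport))


class StatefulFirewall:
    """Toy model of pf's stateful behaviour: a packet that matches a pass rule
    creates a state entry for its flow; packets of that flow in either
    direction are then passed by the state table without consulting the rules
    again. Anything else hits the implicit default deny."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def _flow(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_flow(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet) -> str:
        if self._flow(pkt) in self.states or self._reverse_flow(pkt) in self.states:
            return "pass (existing state)"
        if any(r.matches(pkt) for r in self.rules):
            self.states.add(self._flow(pkt))
            return "pass (rule matched, state created)"
        return "block (default deny)"


# The two rules from the thread: PBX -> peer on the DMZ side, peer -> PBX on the WAN side.
BOTH_RULES = [Rule(iface="dmz", src=PBX, dst=PEER), Rule(iface="wan", src=PEER, dst=PBX)]
# The same setup with the WAN-side rule missing.
OUTBOUND_ONLY = [Rule(iface="dmz", src=PBX, dst=PEER)]

# Peer-initiated SIP OPTIONS (UDP 5060 -> 5060) and the PBX's reply to it.
OPTIONS_FROM_PEER = Packet("wan", "udp", PEER, 5060, PBX, 5060)
REPLY_FROM_PBX = Packet("dmz", "udp", PBX, 5060, PEER, 5060)


def run_scenario(rules):
    """Push the OPTIONS request and then the PBX reply through a fresh
    firewall and return the two verdicts."""
    fw = StatefulFirewall(rules)
    return fw.handle(OPTIONS_FROM_PEER), fw.handle(REPLY_FROM_PBX)


if __name__ == "__main__":
    for name, rules in (("both rules", BOTH_RULES), ("outbound rule only", OUTBOUND_ONLY)):
        print(name, "->", run_scenario(rules))
```

With both rules the request is passed by the WAN rule and the reply by the state that request created; with only the DMZ-side rule the request is dropped before the PBX ever sees it, and the reply would have passed on its own, so the reply direction is never the thing a missing "established" feature could explain.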
[pfSense] pfSense and SIP
Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote peer outside of the pfSense. I connect PBX and Peer in order to establish a SIP trunk.

In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.

So we have generated two firewall rules:

PBX --> SIP Peer with ANY
SIP Peer --> PBX with ANY

But often the SIP packets coming from the SIP Peer don't cross the pfSense to the PBX. The packets never reach my PBX.

Is there any feature I have to enable/disable in pfSense in order to work with the SIP protocol and have the SIP trunk established???

The SIP trunk provider tells me that the SIP Options they send me are not responded to by us.

Thanks a lot,

ROBERT
Re: [pfSense] Squid crash: assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
OK, thank you very much!!!

2018-01-08 13:59 GMT-03:00 Chris L <c...@viptalk.net>:
>> On Jan 8, 2018, at 8:39 AM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
>>
>> try removing squid package from package manager and then reinstalling.
>>
>> 8.1.2018 18.24 "Roberto Carna" <robertocarn...@gmail.com> wrote:
>>
>>> Dear Eero,
>>>
>>> How do I have to remove Squid + config files in a good manner?
>>>
>>> Squid I suppose by the package manager from pfSense, but how do I have to remove the config files???
>>>
>>> Thanks a lot, regards!!!
>
> The General page in Services > Squid contains a checkbox for that: Keep Settings/Data.
>
> Unchecking that and uninstalling/reinstalling should give you a pretty clean slate.
Re: [pfSense] Squid crash: assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
Dear Eero,

How do I have to remove Squid + config files in a good manner?

Squid I suppose by the package manager from pfSense, but how do I have to remove the config files???

Thanks a lot, regards!!!

2018-01-03 13:30 GMT-03:00 Eero Volotinen <eero.voloti...@iki.fi>:
> Fix: https://forum.pfsense.org/index.php?topic=110155.0
>
> remove squid+config file & reinstall squid..
>
> 3.1.2018 17.55 "Roberto Carna" <robertocarn...@gmail.com> wrote:
>
>> Dear, I have updated Squid on pfSense to version 0.4.42_1 on pfSense 2.4.2-RELEASE-p1 (amd64). But after starting the service together with squidGuard, Squid crashes.
>>
>> I try running from CLI in debug mode:
>>
>> # squid -d 10
>> [2.4.2-RELEASE][ad...@fw-pfsense-guest.g-bapro.net]/var/log:
>> 2018/01/03 12:46:44 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
>> 2018/01/03 12:46:44 kid1| Service Name: squid
>> 2018/01/03 12:46:50 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
>> 2018/01/03 12:46:53 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
>> 2018/01/03 12:46:53 kid1| Service Name: squid
>> 2018/01/03 12:46:59 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
>> 2018/01/03 12:47:02 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
>> 2018/01/03 12:47:02 kid1| Service Name: squid
>> 2018/01/03 12:47:04 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
>> 2018/01/03 12:47:07 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
>> 2018/01/03 12:47:07 kid1| Service Name: squid
>> 2018/01/03 12:47:12 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
>> 2018/01/03 12:47:16 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
>> 2018/01/03 12:47:16 kid1| Service Name: squid
>> 2018/01/03 12:47:20 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
>>
>> What can I do??? What's the problem???
>>
>> Thanks a lot.
[pfSense] Squid 0.4.42_1 crashes in pfSense 2.4.2
Dear, I've moved from pfSense 2.4.0 with Squid 0.4.42 to pfSense 2.4.42 with Squid 0.4.42_1. After the update, the Squid service crashes and stops.

If I run Squid 0.4.42_1 in debug mode, this is the log before the crash:

# squid -d 10
[2.4.2-RELEASE][ad...@fw-pfsense-guest.g-bapro.net]/var/log:
2018/01/03 12:46:44 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:46:44 kid1| Service Name: squid
2018/01/03 12:46:50 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
2018/01/03 12:46:53 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:46:53 kid1| Service Name: squid
2018/01/03 12:46:59 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
2018/01/03 12:47:02 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:47:02 kid1| Service Name: squid
2018/01/03 12:47:04 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
2018/01/03 12:47:07 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:47:07 kid1| Service Name: squid
2018/01/03 12:47:12 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
2018/01/03 12:47:16 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:47:16 kid1| Service Name: squid
2018/01/03 12:47:20 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"

Is there a solution to this problem? Do you know if Squid 0.4.42_1 runs OK on pfSense 2.4.2???

Special thanks!!!

Robert
[pfSense] Squid crash: assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
Dear, I have updated Squid on pfSense to version 0.4.42_1 on pfSense 2.4.2-RELEASE-p1 (amd64). But after starting the service together with squidGuard, Squid crashes.

I try running from CLI in debug mode:

# squid -d 10
[2.4.2-RELEASE][ad...@fw-pfsense-guest.g-bapro.net]/var/log:
2018/01/03 12:46:44 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:46:44 kid1| Service Name: squid
2018/01/03 12:46:50 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
2018/01/03 12:46:53 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:46:53 kid1| Service Name: squid
2018/01/03 12:46:59 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
2018/01/03 12:47:02 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:47:02 kid1| Service Name: squid
2018/01/03 12:47:04 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
2018/01/03 12:47:07 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:47:07 kid1| Service Name: squid
2018/01/03 12:47:12 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"
2018/01/03 12:47:16 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/01/03 12:47:16 kid1| Service Name: squid
2018/01/03 12:47:20 kid1| assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"

What can I do??? What's the problem???

Thanks a lot.
[pfSense] Transparent proxy for WiFi users
Dear, I've set up a Squid transparent proxy + Squidguard on pfSense 2.4 in order to filter HTTP and HTTPS web content for different types of WiFi clients in my company:

- Android (different versions)
- Notebooks Windows 7/10
- iPhone
- Etc.

In some cases, depending on the device Operating System, some apps experience problems, for example Facebook and some others.

Which is the best solution in order to set up a TRANSPARENT proxy service in a heterogeneous scenario with different types of devices, running in the best mode with the minimum number of problems???

Or do I have to move to a scenario with a defined proxy on another server, automatically configured on the clients with DHCP???

Thanks a lot,

Roberto
Re: [pfSense] Default pass rules in pfSense
Oliver, I ask about the opposite of what you explained to me: Is everything going out from WAN to the Internet allowed??? According to my tests, yes... and if I add an explicit rule it doesn't block a given outgoing traffic.

In the affirmative case, how can I disable the default OUTGOING pass rules on the WAN interface???

Thanks a lot again!!!

2017-11-15 12:29 GMT-03:00 Oliver Hansen <oliver.han...@gmail.com>:
> By default, everything coming IN on the WAN is blocked but everything coming IN on the LAN from the LAN network is allowed. You can easily remove this rule on the LAN interface if you want.
>
> On Nov 15, 2017 7:20 AM, "Roberto Carna" <robertocarn...@gmail.com> wrote:
>
> People, I'm new at pfSense and I'm seeing that there are implicit default pass rules.
>
> For example, without editing a new user rule in the firewall, I can send mails from my WAN interface to the Internet. I was wrong because I thought the default behaviour was to deny all the traffic unless I permit what I want.
>
> Is it possible to turn the default pass rules off in order to control all the traffic manually by the user rules???
>
> Thanks a lot.
>
> ROBERT
[pfSense] Default pass rules in pfSense
People, I'm new at pfSense and I'm seeing that there are implicit default pass rules.

For example, without editing a new user rule in the firewall, I can send mails from my WAN interface to the Internet. I was wrong because I thought the default behaviour was to deny all the traffic unless I permit what I want.

Is it possible to turn the default pass rules off in order to control all the traffic manually by the user rules???

Thanks a lot.

ROBERT
Re: [pfSense] (no subject)
OK thank you so much!!!

2017-11-02 11:57 GMT-03:00 Roberto Carna <robertocarn...@gmail.com>:
> People, I have pfSense 2.4 with Squid and Squidguard.
>
> I enable HTTP transparent proxy and SSL filtering with Splice All.
>
> From our Android cell phones, if we use Firefox TO NAVIGATE everything is OK, but if we use Chrome we can't go to Google and some other HTTPS sites.
>
> We reviewed firewall rules, NAT and denied target categories and everything seems OK.
>
> What can be the problem with Chrome???
>
> Thanks a lot,
>
> ROBERTO
Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering
OK Jon, thanks for your time and explanation. So a last question please: now I put in Squid of pfSense a private CA certificate... is it the same if I put a public CA certificate? Will I experience the same HTTPS behaviour related to Chrome and Firefox?

Thanks a lot again.

ROBERTO

2017-11-02 20:47 GMT-03:00 Jon Gerdes <gerd...@blueloop.net>:
> Roberto
>
> NFF: Product working as designed
>
> When you use splice, you are doing a Man In The Middle (MitM) attack on your own users. Chrome is a Google product and they have enabled https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and other things to detect this sort of thing.
>
> This could be seen as an abuse by Google https://www.troyhunt.com/bypassing-browser-security-warnings-with-pseudo-password-fields/ or you could consider that end users should have an expectation of privacy by default. For example, what if your users do on line banking through your proxy? You could easily grab usernames and passwords and other personal details or worse if you abuse the trust that SSL/TLS should allow.
>
> Think very hard about the implications of attempting to break the contract that SSL/TLS is designed to provide - end to end encryption with no tampering and guaranteed privacy.
>
> Cheers
> Jon
>
> On Thu, 2017-11-02 at 12:00 -0300, Roberto Carna wrote:
>> People, I have pfSense 2.4 with Squid and Squidguard.
>>
>> I enable HTTP transparent proxy and SSL filtering with Splice All.
>>
>> From our Android cell phones, if we use Firefox TO NAVIGATE everything is OK, but if we use Chrome we can't go to Google and some other HTTPS sites.
>>
>> We reviewed firewall rules, NAT and denied target categories and everything seems OK.
>>
>> What can be the problem with Chrome???
>>
>> Thanks a lot,
>>
>> ROBERTO
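The key-pinning behaviour Jon describes here (and Rainer in the transparent-proxy thread earlier in this archive) is the check below, added as an illustration; it is not code from the thread, from Squid or from pfSense. It implements the HPKP / RFC 7469 rule that a pinning client accepts a TLS chain only if at least one certificate in it carries a pre-pinned SubjectPublicKeyInfo hash. The SPKI byte strings are constructed placeholders rather than real DER keys, and the interception CA is hypothetical. When a proxy re-signs the server certificate under its own CA, none of the site's original keys appear in the chain the client sees, so the pin check fails regardless of whether the OS trusts the proxy CA; that is why installing the pfSense CA on the device does not help for pinned apps, and why those destinations need an exemption.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real ones are
# the public-key section of an X.509 certificate; these byte strings are
# placeholders so the example runs offline.
SITE_LEAF_SPKI = b"constructed-spki:site-leaf-key"
SITE_INTERMEDIATE_SPKI = b"constructed-spki:site-intermediate-ca-key"
PUBLIC_ROOT_SPKI = b"constructed-spki:public-root-ca-key"
PROXY_CA_SPKI = b"constructed-spki:interception-ca-key"      # hypothetical proxy CA
PROXY_LEAF_SPKI = b"constructed-spki:proxy-generated-leaf-key"  # cert the proxy mints


def spki_pin(spki_der: bytes) -> str:
    """Pin as used by HPKP and app pinning: base64(SHA-256(SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_matches_pins(chain_spkis, pinned) -> bool:
    """RFC 7469 semantics: accept if ANY certificate in the presented chain
    carries a pinned key. A backup pin is simply another entry in `pinned`."""
    pin_set = set(pinned)
    return any(spki_pin(spki) in pin_set for spki in chain_spkis)


def classify(chain_spkis, pinned) -> str:
    """Report what a pinning client does with this chain."""
    if chain_matches_pins(chain_spkis, pinned):
        return "accept"
    return "reject: no pinned key in chain"


# Pins an app ships with: the site's intermediate CA key plus a backup pin.
APP_PINS = [spki_pin(SITE_INTERMEDIATE_SPKI), spki_pin(b"constructed-spki:backup-key")]

# Chain seen without interception: leaf -> intermediate -> public root.
DIRECT_CHAIN = [SITE_LEAF_SPKI, SITE_INTERMEDIATE_SPKI, PUBLIC_ROOT_SPKI]

# Chain seen through an SSL-bumping proxy: the proxy re-signs with its own CA,
# so none of the original keys appear, even though the OS may trust the proxy CA.
BUMPED_CHAIN = [PROXY_LEAF_SPKI, PROXY_CA_SPKI]


if __name__ == "__main__":
    print("direct chain :", classify(DIRECT_CHAIN, APP_PINS))
    print("bumped chain :", classify(BUMPED_CHAIN, APP_PINS))
```

The check never consults the OS trust store: it compares key hashes, so trusting the interception CA and pinning are orthogonal, and a pinned client behind a bumping proxy fails closed exactly as the thread describes.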
[pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering
People, I have pfSense 2.4 with Squid and Squidguard.

I enable HTTP transparent proxy and SSL filtering with Splice All.

From our Android cell phones, if we use Firefox TO NAVIGATE everything is OK, but if we use Chrome we can't go to Google and some other HTTPS sites.

We reviewed firewall rules, NAT and denied target categories and everything seems OK.

What can be the problem with Chrome???

Thanks a lot,

ROBERTO
[pfSense] (no subject)
People, I have pfSense 2.4 with Squid and Squidguard.

I enable HTTP transparent proxy and SSL filtering with Splice All.

From our Android cell phones, if we use Firefox TO NAVIGATE everything is OK, but if we use Chrome we can't go to Google and some other HTTPS sites.

We reviewed firewall rules, NAT and denied target categories and everything seems OK.

What can be the problem with Chrome???

Thanks a lot,

ROBERTO
[pfSense] Squid in transparent mode and Squidguard external redirection
Dear, I'm using pfSense 2.4 with Squid in transparent mode, SSL enabled / Splice All, and Squidguard as HTTP/HTTPS filter.

Everything is OK, except when I want web clients to be redirected to an external Apache web server with an error page... they don't get any error defined in the Apache server.

Is it possible to have a transparent proxy with external redirection???

Thanks a lot!!!

Roberto
Re: [pfSense] Snort as IPS in Pfsense
Ivo, that's a good idea... but please tell me if I'm correct or not:

WAN, LAN, Bridge interfaces: IP-Less
OPT1: IP for management in a management network

Thanks again,

2014-09-30 9:27 GMT-03:00 Ivo Tonev <i...@tonev.pro.br>:
> I recommend you create a management network for OPT1 with a private IP.
>
> On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna <robertocarn...@gmail.com> wrote:
>> I think this is good for us:
>>
>> - Router ISP with IP 200.0.0.1
>> - pfSense with the following interfaces:
>>   a) WAN IP-Less
>>   b) LAN IP-Less
>>   c) OPT1 with IP 200.0.0.2 (management)
>>   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less
>> - Corporate firewall with IP 200.0.0.3
>> - Snort runs on the Bridge interface
>>
>> Do you think this is correct???
>>
>> Good night!!!
>>
>> Roberto
>>
>> 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral <jelocab...@gmail.com>:
>>> I can say that I imagine this address space:
>>>
>>> Router / IP 200.1.1.1 --- WAN IP-Less / pfSense / LAN IP-Less --- Firewall / IP 200.1.1.2
>>> OPT1 / IP 200.1.1.3 (management)
>>>
>>> So, the WAN and LAN interfaces from pfSense are IP-LESS (promiscuous mode), and the OPT1 interface from pfSense has a public IP, as do the router and firewall.
>>>
>>> Can I do this in pfSense???
>>>
>>> On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral <jelocab...@gmail.com> wrote:
>>>> OK Ivo, this is very helpful to me... Suppose I have:
>>>>
>>>> Router / IP 200.1.1.1 --- WAN/pfSense/LAN --- Firewall / IP 200.1.1.2
>>>>
>>>> I have to keep the addressing of this scenario unchanged, so what IP addresses do I have to assign to the WAN and LAN pfSense interfaces???
>>>>
>>>> Thanks a lot, JeLo
>>>>
>>>> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev <i...@tonev.pro.br> wrote:
>>>>> In a production environment you need 3 interfaces - one for WAN, one for LAN and one for management.
>>>>> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
>>>>>
>>>>> On Mon, Sep 29, 2014 at 9:24 PM, compdoc <comp...@hotrodpc.com> wrote:
>>>>>> But you say: one interface for WAN, a second for LAN... and which interface is for managing???
>>>>>>
>>>>>> You manage with a browser from LAN, and optionally also from the WAN port. And with ssh from the LAN.
>>>>>> ___
>>>>>> List mailing list
>>>>>> List@lists.pfsense.org
>>>>>> https://lists.pfsense.org/mailman/listinfo/list
>>>>>
>>>>> --
>>>>> Ivo R. Tonev
>>>>> +55 61 8409-2642
>>>>> i...@tonev.com.br
Re: [pfSense] Snort as IPS in Pfsense
Why Suricata in place of Snort? Please can you tell me shortly the advantages of Suricata over Snort?

Really thanks, Roberto

2014-09-29 14:37 GMT-03:00 Ivo Tonev <i...@tonev.pro.br>:
> Use suricata
>
> On Sep 29, 2014 2:27 PM, Roberto Carna <robertocarn...@gmail.com> wrote:
>> Dear, I need to know if it's possible to set up pfSense with Snort to get an IPS (Intrusion Prevention System), and in this case what is the graphical interface used to view events and dropped traffic.
>>
>> Thanks a lot, Roberto
Re: [pfSense] Snort as IPS in Pfsense
Dear Ivo and people, just three short questions:

1) Using Suricata, can I enable the IPS mode as I can using Snort???
2) In IPS mode, do I have to have 3 interfaces in my server???
3) Is the only way to view the IPS blocking events from inside pfSense, or can I use Snorby???

Thanks again, Roberto

2014-09-29 14:37 GMT-03:00 Ivo Tonev <i...@tonev.pro.br>:
> Use suricata
>
> On Sep 29, 2014 2:27 PM, Roberto Carna <robertocarn...@gmail.com> wrote:
>> Dear, I need to know if it's possible to set up pfSense with Snort to get an IPS (Intrusion Prevention System), and in this case what is the graphical interface used to view events and dropped traffic.
>>
>> Thanks a lot, Roberto
Re: [pfSense] Snort as IPS in Pfsense
OK, thanks, the last please: Do you recommend installing an IPS in a Virtual Machine like VMware??? Because we have VMware for all our servers.

Regards,

2014-09-29 15:39 GMT-03:00 Anastasios Stefos <anastasios.ste...@gmail.com>:
> Roberto
>
> Here is a good place to start regarding Suricata or Snort.
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
>
> ---
> Anastasios Stefos
> ´αίέν άριστεύειν
>
> On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna <robertocarn...@gmail.com> wrote:
>> Dear Ivo and people, just three short questions:
>>
>> 1) Using Suricata, can I enable the IPS mode as I can using Snort???
>> 2) In IPS mode, do I have to have 3 interfaces in my server???
>> 3) Is the only way to view the IPS blocking events from inside pfSense, or can I use Snorby???
>>
>> Thanks again, Roberto
>>
>> 2014-09-29 14:37 GMT-03:00 Ivo Tonev <i...@tonev.pro.br>:
>>> Use suricata
>>>
>>> On Sep 29, 2014 2:27 PM, Roberto Carna <robertocarn...@gmail.com> wrote:
>>>> Dear, I need to know if it's possible to set up pfSense with Snort to get an IPS (Intrusion Prevention System), and in this case what is the graphical interface used to view events and dropped traffic.
>>>>
>>>> Thanks a lot, Roberto
Re: [pfSense] Snort as IPS in Pfsense
Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces in bridge mode with firewall rules enabled ??? Really thanks, Roberto 2014-09-29 16:15 GMT-03:00 Espen Johansen pfse...@gmail.com: Depends on what you want. A splitt design is normaly better and safer then a all in one box. If you want suricata +snorby and barnyard its not recommended to run it all on pfsense. There are many deps. that will cause a security nightmare and you will probably run out of hw resources as well. OK, thanks, the last please: Do you recommend to install an IPS in a Virtual Machine like Vmware ??? Because we have VMweare for all our servers. Regards, 2014-09-29 15:39 GMT-03:00 Anastasios Stefos anastasios.ste...@gmail.com: Roberto Here is a good place to start regarding Suricata or Snort. http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/ --- Anastasios Stefos ´αίέν άριστεύειν On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com wrote: Dear Ivo and people, just three short questions: 1) Using Suricata, can I enable the IPS mode as I can using Snort ??? 2) In IPS mode, do I have to have 3 interfaces in my server ??? 3) The only way to view the IPS blocking events is from into Pfsense or can I use Snorby ??? Thanks again, Roberto Thanks again, Roberto 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br: Use suricata On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com wrote: Dear, I need to know if it's possible to setup Pfsense with Snort to get an IPS (Intrusion Prevention System), and in this case what is the graphical interface used to view events and dropped traffic. 
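Espen's point above is that the unified2 -> barnyard2 -> Snorby chain drags a lot of dependencies onto the firewall, and Roberto's third question was whether blocking events can be viewed anywhere other than the pfSense GUI. One lightweight alternative is to have the sensor write Suricata's EVE JSON log and post-process it off-box. The script below is an added example, not code from this thread or from the pfSense or Suricata projects. It assumes the standard EVE alert record layout (`event_type` of `alert`, and `alert.action` set to `blocked` when the rule's `drop` fired inline); the log lines embedded in it are constructed for illustration, and the signature names and SIDs in the `1000000+` local range are made up.

```python
"""Summarize Suricata IPS drop events from an EVE JSON log, offline.

Added example, not from the mailing-list thread or from pfSense/Suricata.
Assumes Suricata EVE JSON output where inline drops appear as
"event_type": "alert" records with "alert": {"action": "blocked", ...}.
All log lines below are constructed; the SIDs are in the local-rule range.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List


def _alert(ts: str, src: str, dst: str, dport: int, sid: int, sig: str, action: str) -> str:
    """Build one constructed EVE alert line in the shape Suricata emits."""
    return json.dumps({
        "timestamp": ts, "in_iface": "bridge0", "event_type": "alert",
        "src_ip": src, "src_port": 51234, "dest_ip": dst, "dest_port": dport,
        "proto": "TCP",
        "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": sig, "category": "Constructed Example", "severity": 2},
    })


# Constructed sample eve.json: two drops, one alert-only hit, one flow record,
# and one truncated line such as a log rotated mid-write would leave behind.
SAMPLE_EVE_LINES = [
    _alert("2014-09-29T16:20:01.000000-0300", "203.0.113.10", "198.51.100.5", 22,
           1000001, "LOCAL SSH brute-force attempt", "blocked"),
    _alert("2014-09-29T16:20:03.000000-0300", "203.0.113.10", "198.51.100.5", 80,
           1000002, "LOCAL web scanner user-agent", "blocked"),
    _alert("2014-09-29T16:21:10.000000-0300", "203.0.113.77", "198.51.100.5", 443,
           1000003, "LOCAL TLS policy notice", "allowed"),
    json.dumps({"timestamp": "2014-09-29T16:22:00.000000-0300", "event_type": "flow",
                "src_ip": "198.51.100.5", "dest_ip": "192.0.2.9", "proto": "UDP"}),
    '{"event_type": "alert", "timestamp": "2014-09-29T16:23',  # constructed truncated line
]


def parse_eve(lines: Iterable[str]) -> List[dict]:
    """Parse EVE JSON lines, skipping blank or malformed ones instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a rotated or partially written line; don't lose the rest
    return events


def ips_blocks(events: Iterable[dict]) -> List[dict]:
    """Keep only alerts that Suricata actually dropped in inline (IPS) mode."""
    return [e for e in events
            if e.get("event_type") == "alert"
            and e.get("alert", {}).get("action") == "blocked"]


def summarize(events: Iterable[dict]) -> Dict[str, object]:
    """Count alerts, split them into blocked vs allowed, and rank drops by signature and source."""
    events = list(events)
    alerts = [e for e in events if e.get("event_type") == "alert"]
    blocked = ips_blocks(events)
    return {
        "alerts": len(alerts),
        "blocked": len(blocked),
        "allowed": len(alerts) - len(blocked),
        "by_signature": Counter(e["alert"]["signature"] for e in blocked),
        "by_src_ip": Counter(e["src_ip"] for e in blocked),
    }


def render(summary: Dict[str, object]) -> str:
    """Plain-text report, the kind of thing you'd mail or feed to a dashboard."""
    out = [f"alerts={summary['alerts']} blocked={summary['blocked']} allowed={summary['allowed']}",
           "drops by signature:"]
    out += [f"  {n:4d}  {sig}" for sig, n in summary["by_signature"].most_common()]
    out.append("drops by source IP:")
    out += [f"  {n:4d}  {ip}" for ip, n in summary["by_src_ip"].most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(parse_eve(SAMPLE_EVE_LINES))))
```

Point `parse_eve` at a real `eve.json` (for example `parse_eve(open("/var/log/suricata/eve.json"))`) to get the same report for a live sensor; only records whose `alert.action` is `blocked` count as IPS drops, so alert-only rules are reported separately rather than inflating the block count.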
Re: [pfSense] Snort as IPS in Pfsense
Mainly bridge to hide the IPS server from the Internet, and also, if I don't use bridge mode, I have to put a public IP on the WAN interface connected to the router, and I don't have many more public IPs available.

2014-09-29 16:31 GMT-03:00 Espen Johansen pfse...@gmail.com:
> Why bridge? Do you want to hide everything? It's not that hard to fingerprint a pfS bridge. If you have practical reasons, sure go ahead.
>
> On 29 Sep 2014 21:28, Roberto Carna robertocarn...@gmail.com wrote:
>> Ok, and do you recommend setting up the pfSense WAN and LAN interfaces in bridge mode with firewall rules enabled ???
>>
>> Really thanks, Roberto
>>
>> 2014-09-29 16:15 GMT-03:00 Espen Johansen pfse...@gmail.com:
>>> Depends on what you want. A split design is normally better and safer than an all-in-one box. If you want suricata + snorby and barnyard it's not recommended to run it all on pfSense. There are many deps. that will cause a security nightmare and you will probably run out of hw resources as well.
>>>
>>> [...]
Re: [pfSense] Snort as IPS in Pfsense
Ivo, I want to locate the IPS between the router and the corporate firewall, so I think using bridge mode is correct ???

2014-09-29 16:34 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
> I recommend using it in router mode.
>
> On Sep 29, 2014 4:29 PM, Roberto Carna robertocarn...@gmail.com wrote:
>> Ok, and do you recommend setting up the pfSense WAN and LAN interfaces in bridge mode with firewall rules enabled ???
>>
>> Really thanks, Roberto
>>
>> 2014-09-29 16:15 GMT-03:00 Espen Johansen pfse...@gmail.com:
>>> Depends on what you want. A split design is normally better and safer than an all-in-one box. If you want suricata + snorby and barnyard it's not recommended to run it all on pfSense. There are many deps. that will cause a security nightmare and you will probably run out of hw resources as well.
>>>
>>> [...]
Re: [pfSense] Snort as IPS in Pfsense
Ok, thanks

2014-09-29 16:58 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
> On pfSense it is click & go. No need to install everything. :)
>
> On Sep 29, 2014 4:46 PM, Espen Johansen pfse...@gmail.com wrote:
>> If all you want is an IPS then I don't understand what you need pfS for? There are tons of setup guides for a Linux flavour of your choice to get this setup done. You can even build a hogwash-like setup if you like.
>>
>> On 29 Sep 2014 21:38, Roberto Carna robertocarn...@gmail.com wrote:
>>> Ivo, I want to locate the IPS between the router and the corporate firewall, so I think using bridge mode is correct ???
>>>
>>> 2014-09-29 16:34 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
>>>> I recommend using it in router mode.
>>>>
>>>> [...]
Re: [pfSense] Snort as IPS in Pfsense
I think this is good for us:

- Router ISP with IP 200.0.0.1
- pfSense with the following interfaces:
  a) WAN IP-less
  b) LAN IP-less
  c) OPT1 with IP 200.0.0.2 (management)
  d) Bridge with WAN and LAN interfaces, and bridge interface IP-less
- Corporate firewall with IP 200.0.0.3
- Snort runs on the bridge interface

Do you think this is correct ???

Good night !!!

Roberto

2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral jelocab...@gmail.com:
> I can say that I imagine this address space:
>
> Router / IP 200.1.1.1 --- WAN IP-less / pfSense / LAN IP-less --- Firewall / IP 200.1.1.2
>                           OPT1 / IP 200.1.1.3 (management)
>
> So, the WAN and LAN interfaces of pfSense are IP-less (promiscuous mode), and the OPT1 interface of pfSense has a public IP like the router and firewall. Can I do this in pfSense ???
>
> On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral jelocab...@gmail.com wrote:
>> OK Ivo, this is very helpful to me... Suppose I have:
>>
>> Router / IP 200.1.1.1 --- WAN / pfSense / LAN --- Firewall / IP 200.1.1.2
>>
>> I have to keep the addressing of this scenario unchanged, so what IP addresses do I have to assign to the WAN and LAN pfSense interfaces ???
>>
>> Thanks a lot, JeLo
>>
>> On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev i...@tonev.pro.br wrote:
>>> In a production environment you need 3 interfaces: one for WAN, one for LAN and one for management.
>>> http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
>>>
>>> On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote:
>>>>> But you say: one interface for WAN, a second for LAN... and which interface is for managing ???
>>>>
>>>> You manage with a browser from LAN, and optionally also from the WAN port. And with ssh from the LAN.
>>>
>>> --
>>> Ivo R. Tonev
>>> +55 61 8409-2642
>>> i...@tonev.com.br