[pfSense] Banana Pi - R1
Hi,

I wanted to ask if there is any update concerning the support of the Banana Pi "R1": https://en.wikipedia.org/wiki/Banana_Pi#Banana_Pi_R1

The R1 comes with an Allwinner A20 SoC, which uses an ARM Cortex-A7 CPU. It has 5 Gigabit ports + WLAN and sells for ~80 USD including acrylic enclosure, 2 antennas, power supply and free shipping: http://www.aliexpress.com/wholesale?catId=0&initiative_id=AS_20150907123912&SearchText=banana+pi+r1

Seems like a perfect home/SoHo solution to me!?

The last state about a year ago was that it is not supported, since pfSense was based on FreeBSD 8.x back then, which did not support ARM CPUs. In the meantime, pfSense is based on FreeBSD 10.1, which AFAIK introduced support for ARM.

So how about running pfSense on the R1; any updates?

Cheers
Thinker Rix

--
*Thinker Rix*, an internet user.
Please avoid TOFU in newsgroups and mailing lists (https://en.wikipedia.org/wiki/Posting_style#Top-posting)
Please avoid TOFU in newsgroups and mailing lists (https://de.wikipedia.org/wiki/TOFU)

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] pfSense Book (Buechler / Pingle)
Hi Volker,

Thank you for your time!

On 2014-04-13 14:09, Volker Kuhlmann wrote:
> On Sun 13 Apr 2014 22:11:41 NZST +1200, Thinker Rix wrote:
>> I own a hard copy of the pfSense book by Chris and Jim and have two questions about it:
>> 1. As a buyer of the hard copy, am I eligible to receive a gratis PDF version of the book, too?
> Probably not. I remember the authors saying that they didn't have the rights for the electronic version. Moot point, because...

I see.

>> 2. Is there any ETA for the hard copy version of the new edition?
> You are aware that it's available as an electronic version under the gold program?

Yes, but I generally prefer to buy a printed and bound hard copy as "primary reading book" which I read from "front to back". I generally dislike ebooks for various reasons (such as: desktop screen reading sucks; handheld devices such as tablets, ebook readers, smartphones are non-liberated; most ebooks are "DRM - digital restrictions managed", etc.).

The reason that I was asking for a PDF version above was that I am currently somewhere else than my hard copy and just wanted to quickly look up something again that I had already read in my hard copy.

Thank you & regards
Thinker Rix
[pfSense] pfSense Book (Buechler / Pingle)
Hi,

I own a hard copy of the pfSense book by Chris and Jim and have two questions about it:

1. As a buyer of the hard copy, am I eligible to receive a gratis PDF version of the book, too?
2. Is there any ETA for the hard copy version of the new edition?

Thanks
Thinker Rix
Re: [pfSense] successor to ALIX is here
Hi Jim

On 2014-04-05 20:32, Jim Thompson wrote:
> On Apr 5, 2014, at 8:53 AM, Thinker Rix <thinke...@rocketmail.com> wrote:
>> On 2014-04-05 07:00, Ryan Coleman wrote:
>>> And you cannot eliminate three of this with a switch?
>> I don't know any method how a network switch could replace the NICs of my firewall - other than by operating with VLANs. But I do not trust VLANs for this. This is not the correct purpose of VLANs, IMO. Using VLAN for segregating networks that should live in physically different network zones because they have fundamentally differing security levels is like placing your firewall into a VM - you can, but you should not.
>>> Sounds like you should look at your design.
>> No, I don't think so. I think you should audit your security policy.
>> Regards
>> Thinker Rix
> 'Rix', why do you do this? Please don't be rude. Your message contains only non-informed opinion backed by hostile invective, and such is not welcome on the list.

"hostile invective" in my posting? Interesting. Could not find anything of that in my posting, though. Oh, no! Now I remember: Jim Thompson! Once again in his starring role: "the bully of the pfsense list", threatening, ridiculing, insulting and bullying other users who ask questions he does not like (e.g. about if NSA or others have approached pfSense (yet)) or who have another opinion than he has...

> If you don't trust VLANs, don't use them.

Thank you, for the approval. A common strategy that many propagandists use to avert suspicion and the same strategy that you used the other time when I asked uncomfortable questions about NSA and pfsense.

> But VLANs have their place.

Yes, in networks of homogeneous security level. They do not have their place when it comes to segmenting networks with vastly diverging security levels, IMO. It is the same discussion as about virtualizing a firewall. Some do it claiming that virtualization is rock solid, others avoid it, because they won't risk it just to save some bucks on hardware. But everyone can decide that for himself. I don't ridicule you for deciding differently. But you try to ridicule me, once again. Why?

> They're used a lot in security applications. Not for very high-security applications (military networks, financial trading networks, etc), but they are effective enough for the network segmentation requirements of PCI DSS. This SANS paper has a description of the common attacks against a VLAN segmentation architecture, as well as countermeasures to same. It includes code to demonstrate several of the attacks. https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090

IMO the greatest weakness of VLAN is user error such as misconfiguration, bugs in software/firmware, etc.

Cheers
Thinker Rix
Re: [pfSense] successor to ALIX is here
On 2014-04-05 07:00, Ryan Coleman wrote:
> And you cannot eliminate three of this with a switch?

I don't know any method how a network switch could replace the NICs of my firewall - other than by operating with VLANs. But I do not trust VLANs for this. This is not the correct purpose of VLANs, IMO. Using VLAN for segregating networks that should live in physically different network zones because they have fundamentally differing security levels is like placing your firewall into a VM - you can, but you should not.

> Sounds like you should look at your design.

No, I don't think so. I think you should audit your security policy.

Regards
Thinker Rix
Re: [pfSense] successor to ALIX is here
On 2014-04-02 23:24, Ryan Coleman wrote:
> Wouldn't a layer-3 switch be a good investment in this situation? Put the load on another device instead of, what is for all intents and (definitely) purposes a /thin, light-weight/ piece of hardware?

A switch? Not really, since I would like to have the 4+ NICs configured as separate zones (e.g. WAN, LAN, DMZ, WLAN).
Re: [pfSense] successor to ALIX is here
On 2014-04-02 17:35, Eugen Leitl wrote:
> Apu.1c
> http://www.heise.de/newsticker/meldung/Embeddded-Mainboard-mit-x86-CPU-und-Coreboot-2160404.html
> http://www.pcengines.ch/apu1c.htm
> in stock, €105.13

Unfortunately again only 3 NICs... and Realteks with bad performance. I would love to see such a board one day with at least 4-8 NICs.
Re: [pfSense] Firewall > Aliases: DNS resolving of domains broken
On 2014-02-14 18:51, Chris Bagnall wrote:
> On 14/2/14 4:48 pm, Thinker Rix wrote:
>> Any ideas what could be the problem?
> Have you tried entering the DNS servers your ISP supplies via PPP or DHCP (look on the Status -> Interfaces page, they should be listed on there) manually on the General settings page, then disabling DNS via PPP/DHCP? You might need to restart to force the URLs to be looked up again... Would be interesting to see what effect that has on things.
> Kind regards,
> Chris

Chris,

I went to General Setup > DNS Servers and
1. Entered the 2 DNS IPs of my ISP
2. Deactivated "Allow DNS server list to be overridden by DHCP/PPP on WAN"
3. Rebooted

As soon as I delete one of the IPs in the aliases and just leave the domain names, it is broken. So it seems that pfSense still is unable to resolve the IPs of the domains.

Best regards
Thinkerix
Re: [pfSense] Firewall > Aliases: DNS resolving of domains broken
On 2014-02-14 17:57, Chris Bagnall wrote:
> On 14/2/14 3:37 pm, Thinker Rix wrote:
>> I have had entered some domain names there in the past, which always worked flawlessly. Recently I changed ISP and since then the domain names are not resolved anymore to IPs, so that the traffic using those aliases gets blocked by the firewall. When resolving the IPs manually via the pfSense logs, it works fine. But for some reason pfSense cannot resolve the domain names inside the aliases anymore. Has anybody got an idea what the fault could be?
> Are you manually specifying the ISP resolvers in your config, and is it possible they're still set to the old ISP's config?
> Probably a question for the devs: is it possible that lookups for aliases use what's on the general config page rather than anything overridden by PPP/DHCP?
> Kind regards,
> Chris

Hi Chris,

Thank you for your time! Here are some details:

- As long as I was with the old ISP, I had manually specified the DNS server of this provider in pfSense and deactivated "Allow DNS server list to be overridden by DHCP/PPP on WAN". The reason for this was a bug in 2.0.2 which prevented pfSense from receiving the DNS data from the ISP.
- At some later point I updated to 2.1 and although it has the bug corrected, I left the manually specified DNS IPs in pfSense.
- I then changed to a new ISP. DNS was broken then, because the old provider did not let me use his DNS anymore when not being his customer. I then activated "Allow DNS server list to be overridden by DHCP/PPP on WAN" which fixed DNS again, since I got the DNS IPs from the new provider, too. But since I still had not erased the 2 old IPs from the list, I now had 4 DNS IPs: 2 old-ISP + 2 new-ISP.
- Last I went and erased the 2 IPs from the old ISP, so that I now have an empty list and only "Allow DNS server list to be overridden by DHCP/PPP on WAN" activated. As a result pfSense has only the 2 IPs from the new ISP in the dashboard.
- Everything works fine, pfSense can resolve IPs. Examples: The dashboard says that I am on the latest version (= URL is resolved), Diagnostics > Ping and Diagnostics > Traceroute work with domain names.

Now:

- The only thing that I have found for now that is not working is the automatic resolving of domain names inside Firewall: Aliases. Since these aliases are used in my firewall rules, I can see blocked traffic in the system logs. When I use the button "Reverse resolve with DNS" on the blocked traffic IP, it resolves the domain names that I have in my aliases.
- As a workaround I am currently entering the IP addresses in my aliases instead of a domain name. This makes my rules work again, but is very error prone, since the IP addresses change frequently. So I need to have the domain names work again somehow.

Any ideas what could be the problem?

Thank you
Thinkerix
[pfSense] Firewall > Aliases: DNS resolving of domains broken
Dear all,

Firewall: Aliases: IP = I have had entered some domain names there in the past, which always worked flawlessly. Recently I changed ISP and since then the domain names are not resolved anymore to IPs, so that the traffic using those aliases gets blocked by the firewall. When resolving the IPs manually via the pfSense logs, it works fine. But for some reason pfSense cannot resolve the domain names inside the aliases automatically anymore. Has anybody got an idea what the fault could be?

Cheers
Thinkerix
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
Hi all,

On 2013-11-06 07:53, Thinker Rix wrote:
> as I am planning to buy new hardware for pfSense, I was wondering if it is worthwhile to buy a CPU that supports "AES new instructions", i.e. hardware support for AES encryption.

As I learned in this thread (big thanks to everybody participating), AES-NI is adding no value to pfSense currently, at all. So currently the only solution is to throw GHz at the problem.

Searching myself through the web to learn what CPU speed I would need to achieve my desired 450 MBit/s VPN (or come at least somewhat close to this theoretical max), I found this: http://forums.freenas.org/threads/encryption-performance-benchmarks.12157/

I copied those measurements found there into a spreadsheet so as to analyze those values. If anybody is interested in this spreadsheet (.ods), I can send it to him via private mail (I guess binaries are not allowed in the mailing list). Just drop me a message.

Regards
Thinker Rix
Re: [pfSense] Motherboard compatibility
On 2013-11-07 17:38, Vick Khera wrote:
> On Thu, Nov 7, 2013 at 10:05 AM, Thinker Rix <thinke...@rocketmail.com> wrote:
>> So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on a motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core i3 / Haswell) it should work, even though FreeBSD 8.3 is older than those technologies and might not fully support the chipset yet (e.g. due to general compatibility with i386-64 CPUs?!)?
> Yes. Intel is pretty good about keeping backward compatibility so the newer chipsets work with older software for the most part. I personally have never had issues with this other than a missing driver for a specific LSI RAID-on-motherboard chipset that Sun used in the old X4100 servers. It was supported only on newer FreeBSD.

I do not care all too much about on-board disk controllers or NICs, since I use my own hardware for that (3ware RAID & Intel 1000/Pro Quad). The only thing that I really worried about was that the motherboard chipset/CPU kit would not be supported, thus rendering the whole system useless. But thanks to your answer, I know now that I was worrying for no reason.

Vick, this information is of great value to me, thank you very much!

Regards
Thinker Rix
Re: [pfSense] Motherboard compatibility
Hi Vick,

On 2013-11-07 15:40, Vick Khera wrote:
> On Wed, Nov 6, 2013 at 9:24 AM, Paul Mather <p...@gromit.dlib.vt.edu> wrote:
>>> If those figures that the hardware producer provided are correct, it would mean that I could run pfSense 2.1 only on the C204 board, since pfSense 2.1 is based on FreeBSD 8.3, and the C222 board is only compatible from FreeBSD 9.1 and upwards, right?!
>>>
>>> Since hardware producers tend to not edit and update such compatibility lists properly, the information provided there could be wrong. For this reason I would like to double-check. Could maybe someone give me a hint where I could look up which chipsets FreeBSD supports and from what version on?
> Generally, if it has an Intel chipset and is fairly modern, it is supported. It may not use every cutting edge feature of the chipset. I have not had any trouble with any hardware on any version of FreeBSD in the last 15+ years, but I only run it on servers. The issue usually comes with running funky hardware on desktop class machines where they cut corners like crazy.

So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on a motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core i3 / Haswell) it should work, even though FreeBSD 8.3 is older than those technologies and might not fully support the chipset yet (e.g. due to general compatibility with i386-64 CPUs?!)?

>> A good place to look is in the "Hardware Notes" that accompanies each release. For example, for 8.3 it is at http://www.freebsd.org/releases/8.3R/hardware.html and for 9.1 it is at http://www.freebsd.org/releases/9.1R/hardware.html . Also, if you have a specific piece of hardware in mind, a good place to ask is the freebsd-questi...@freebsd.org mailing list. (You don't need to subscribe there to post.) There's a good chance that someone who has the hardware or is familiar with it could post whether it works well or not.
> The list is good, but always out of date. If not found on the list, but something similar is on it, then definitely ask.

Ok! Thank you

Best regards
Thinker Rix
Re: [pfSense] Hardware requirements for gigabit wirespeed
Hi Michael,

On 2013-11-06 11:37, Michael Schuh wrote:
> i have several different systems running, including an old 3GHz Intel Pentium D CPU with 2GBytes ECC memory: 4 NICs, throughput max (so far): 115 MBytes/s at 20k irqs (no polling enabled, no special tweaking). 1 NIC is Broadcom, 1 NIC is Intel Pro1000 Desktop Adapter, the other two NICs are an Intel Pro 1000 Dual Port Server Adapter. Memory is a bit short in this system, but it runs fine.

Thank you for this interesting insight with the Pentium D. As far as I figure, you are having full gigabit throughput between two interfaces with it?! That is exactly what I want to have, too, and I am happy to learn that it is possible even with "older" dual cores.

> other systems e.g. run with Core2Duo 2,66GHz (E7300), another one with a Pentium 2,9GHz (G2020). the last one i wouldn't recommend for high throughput and low latency. the reaction times and the latency rise up fast if the throughput rises or if i add some VPN tunnels (AES-256).

Your comment about the G2020 is interesting, since A) that is the CPU that I was planning to go for (due to its ECC support) and B) I can't understand why it performs worse than the other CPUs, especially the much older Pentium D. Here is the comparison: http://ark.intel.com/compare/71070,36463,27518,27517

Could that performance ditch / latency sensitivity be due to its https://en.wikipedia.org/wiki/Smart_Cache ? I do not see any other difference than that.

> so i would recommend also the Core i5, the Core i3 IMO comes close to a Pentium CPU. i myself keep the Celeron CPUs far away from me, except for small embedded systems in the lower range. Core i7 or Xeon is way too much for my taste and feeling.

Since I can't go for the i5 with the Supermicro X9/X10 series motherboards that I want to buy, I will either go for the Xeon - or buy the Pentium now and upgrade to the Xeon later on, if performance should turn out to be not enough.

> hth.

Yes, thank you for your help so far!

Regards
Thinker Rix
Re: [pfSense] Hardware requirements for gigabit wirespeed
Hi Chris,

On 2013-11-06 12:31, Chris Bagnall wrote:
> On 6/11/13 7:11 am, Thinker Rix wrote:
>> Unfortunately the motherboards I plan to buy support only the above-mentioned CPUs.
>> - Pentium
>> - 4th generation Core i3
>> - Xeon E3-1200 v3
> If your board supports a Core i3, it is *very* unlikely that it won't also support the i5 of the same generation (i.e. socket 1155, Sandy/Ivy Bridge cores) - given that i3 -> i5 -> i7 is an easy performance differentiator for system integrators, who will likely be using the same board across their range.

The motherboard manufacturer (SuperMicro) lists with the boards that interest me (UP Xeon servers with Intel C204 chipset for the 1155 socket and C222 chipset for the 1150 socket) the following CPUs as compatible:

1. For the Socket 1155 UP Xeon boards:
   Celeron
   Pentium
   2nd gen Core i3
   3rd gen Core i3
   Xeon E3-1200
   Xeon E3-1200 v2
2. For the Socket 1150 UP Xeon boards:
   Pentium
   4th gen Core i3
   Xeon E3-1200 v3

I called Supermicro today and asked about the i5 and why it should not be compatible. What they told me is that it is a chipset limitation that does not allow the Core i5. I don't know much more about it than what they told me. What I would guess is that Intel disabled support for the i5 in this (server) chipset, so as not to cannibalize their Xeon. But I might be wrong.

> Out of interest, any reason you're not looking at the newer Haswell core chips (i.e. socket 1150) - from what I've read their power consumption is a fair bit lower than previous Sandy/Ivy Bridge cores?

I am highly interested in socket 1150, but the motherboard manufacturer lists those boards with C222 chipset to be compatible with FreeBSD as of 9.1, which would be too new for pfSense 2.1, since it runs FreeBSD 8.3. I would be delighted if anybody proves me wrong in that, since I would love to go with the new 1150 boards/CPUs, since they are available for exactly the same amount of money.

Regards
Thinker Rix
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
On 2013-11-06 15:29, Jim Thompson wrote:
> On Nov 6, 2013, at 7:22, Vick Khera wrote:
>> pfSense lists the AES-NI as a supported option for crypto acceleration. pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config setting for it.
> I'm not aware of any performance testing for AES-NI on pfSense. There are reports that FreeBSD doesn't support AES-NI very well.

Thank you for this information, Jim. So I figure that buying the Xeon just for its AES functions would (currently) be a waste of money.

Best regards
Thinker Rix
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
On 2013-11-06 15:22, Vick Khera wrote:
> On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix <thinke...@rocketmail.com> wrote:
>> Would pfSense use these CPU instructions so as to hardware-encrypt/decrypt all VPN traffic (OpenVPN)? Would pfSense benefit from this in any other way, too?
> pfSense lists the AES-NI as a supported option for crypto acceleration. pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config setting for it.
>
> As to your question of is it worth the cost, that depends on how much VPN traffic you have. The Xeon will handle a damn lot of traffic all on its own. If you are pushing more than 40Mbps on the VPN, then perhaps consider the extra cost. If it is low, like under 5 or 10Mbps, then I'd probably suggest that it is not worth the cost.
>
> As a reference, between my data center and my primary office, I have an IPsec tunnel. The office runs on an old Intel 32-bit Pentium 4 2.4GHz dual core server. The data center runs on Intel Xeon E31220L @ 2.20GHz quad-core. Neither one has any built-in cryptodev supported devices. The IPsec tunnel maxes out at about 20Mbps during large file backups. I don't think it would go any faster with hardware acceleration, and the load on these boxes hovers around 0 still. The data center firewall is also busy pushing over 100Mbps of regular traffic to hundreds of clients as well.

Hi Vick,

Thank you for your reference, it is very valuable for me! I guess I will go with a Pentium (Ivy Bridge) 2x 3.0 GHz CPU.

What do you think is the reason for your VPN traffic maxing out at 20Mbps (I assume that your connection is not the traffic bottleneck, right?), although your CPUs are almost idle?

Best regards
Thinker Rix
Re: [pfSense] Hardware requirements for gigabit wirespeed
Hi Moshe,

On 2013-11-06 08:35, Moshe Katz wrote:
>> Price       Name      Socket  Cores  Threads  Cache  Clock default  Clock Turbo
>> 33.69 EUR   Celeron   1155    2      2        2 MB   2.7 GHz        --
>> 44.31 EUR   Pentium   1155    2      2        3 MB   2.9 GHz        --
>> 93.77 EUR   Core i3   1155    2      4        3 MB   3.4 GHz        --
>> 167.25 EUR  Xeon      1155    4      4        8 MB   3.1 GHz        3.5 GHz
>>
>> The Xeon has hardware support for AES encryption that might speed up VPN traffic? Which of the CPUs do you advise me to pick?
>>
>> Thanks for any feedback, best regards
>> Thinker Rix
> I don't see a Core i5 on that list. See if you can get one of those. It'll be between the i3 and the Xeon in price, but will have the AES-NI instruction set. (It will also have 4 physical cores instead of the i3's dual cores with hyperthreading.)

Unfortunately the motherboards I plan to buy support only the above-mentioned CPUs. I have another thread going where I discuss motherboard compatibility with pfSense. Should someone report that finally I could also use the other of the two boards (the one with the 1150 socket and the C222 chipset), I could use different CPUs:
- Pentium
- 4th generation Core i3
- Xeon E3-1200 v3

In this case I could go for the i3, since it supports AES-NI. But I do not expect that the C222 board will be compatible, so I most likely will have to stick with the CPUs mentioned above. Which one would you pick of those?

> If you look around online, you will find almost universal agreement that AES-NI significantly improves VPN speed. This also means that even if you aren't maxing out the VPN's capacity, you will still be saving processor cycles for doing the other stuff that the machine needs to do.

There is this one thing I want to learn: AES-NI helps lowering CPU load for encryption/decryption tasks, sure. But what happens if the CPU is not under full load? Will there still be an advantage then, i.e. because the CPU can perform the de/encryption *faster* when having AES-NI support, so that the VPN latency might be reduced, so that e.g. VoIP-over-VPN would improve? Or is it the case that there is no difference, as long as the CPU is not under full load, because all that AES-NI does is allow the CPU to compute with fewer resources?

Thank you for your time!
Thinker Rix
Re: [pfSense] Hardware requirements for gigabit wirespeed
On 2013-10-24 19:30, Thinker Rix wrote:
> I am planning a new pfSense box and am wondering if the hardware that I want to use will be sufficient.
>
> Hardware:
> 2x Intel PRO/1000 PT Quad Port Gigabit NICs, each directly connected via PCIe-8x to the North Bridge of the CPU
> 4x on-board Realtek 8111C Gigabit NICs, connected via PCIe-4x internally to the South Bridge of the CPU, which they share with the RAID controller
> = 12 NICs total
> Motherboard: Consumer Desktop Motherboard
> CPU: Intel Core2Duo 2,4 GHz or Core2Quad 2,4 GHz or Core2Quad 2,89GHz
> PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA disks RAID5
>
> Config: I will:
> 1. be bonding 2 Intel NICs for the DMZ and 2 Intel NICs for the LAN zone
> 2. have Dual-WAN VDSL (50 Mbps downstream, 10 Mbps upstream each)
> 3. have 3-4 site-to-site VPN connections and 1-2 VPN road warriors via the WAN
> 4. have 1-2 VPN road warriors in my WLAN zone, connected with 450 Mbps WLAN NICs to a 450 Mbps WLAN Access Point that is connected with a gigabit NIC to an Intel NIC of pfSense
> 5. have 4-5 VLANs
>
> Requirements: I want to have:
> - full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x Gigabit at max)
> - full 450 Mbps between the WLAN and pfSense
> - maximal VPN speed without speed break due to hardware limitations, i.e. as near to wire speed as possible
>
> Questions:
> 1. Would the Core2Duo CPU be sufficient for my requirements or should I choose the 2,4 GHz quad-core, the 2,89 GHz quad-core or maybe an even more powerful CPU or totally different setup?
> 2. Is there any other bottleneck that will prevent my performance requirements?
> 3. When bonding the NICs, I was planning to use a port on each of the PCIe cards so as to have a little bit of redundancy should an expansion card fail. Will there be significant performance losses due to this spread over 2 expansion cards, so that it would be much better to bond two NICs that live on the same expansion card and forget about the additional redundancy?

Hi all!

I will finally go for brand new hardware for this pfSense box. Given the above-mentioned requirements, which of the following CPUs would you advise me to buy:

Price       Name      Socket  Cores  Threads  Cache  Clock default  Clock Turbo
33.69 €     Celeron   1155    2      2        2 MB   2.7 GHz        --
44.31 €     Pentium   1155    2      2        3 MB   2.9 GHz        --
93.77 €     Core i3   1155    2      4        3 MB   3.4 GHz        --
167.25 €    Xeon      1155    4      4        8 MB   3.1 GHz        3.5 GHz

The Xeon has hardware support for AES encryption that might speed up VPN traffic? Which of the CPUs do you advise me to pick?

Thanks for any feedback, best regards
Thinker Rix
[pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
Hello all,

as I am planning to buy new hardware for pfSense, I was wondering if it is worthwhile to buy a CPU that supports "AES new instructions", i.e. hardware support for AES encryption. Would pfSense use these CPU instructions so as to hardware-encrypt/decrypt all VPN traffic (OpenVPN)? Would pfSense benefit from this in any other way, too?

The motherboards that I want to buy unfortunately support AES-NI only with Xeons that currently start from approx 170 €. If I would take a CPU without AES-NI, I could go with a dual-Pentium for 40 €.

What impact would you expect from AES-NI, in regards to the fact that I will be having traffic from VPN-secured WLAN with approx 300-450 Mbps and VPN to/from the internet, 1-2 users at a time max. Do you think the AES-NI would be worth the price premium of the Xeon for my case, e.g. because it would reduce VPN latency, etc., or is it just a pure waste of money in my case?

Best regards
Thinker Rix
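Added example, not from the thread or from the pfSense project: a POSIX sh script that settles the "does AES-NI help even when the CPU is idle" question of this and the Moshe Katz thread empirically, by timing the same cipher with AES-NI on and with it masked off inside OpenSSL, so the per-byte cost difference is visible directly. It assumes openssl 1.1 or newer is installed, that the OPENSSL_ia32cap mask from OpenSSL's own manual page disables AES-NI for its userspace code, and that the cipher name, the run argument and the file name aesni_check.sh are placeholders; it measures OpenSSL's code path, not pfSense's kernel crypto driver.

```shell
#!/bin/sh
# Added example (not from the thread): measure AES throughput with and without
# AES-NI using "openssl speed", and report the speed-up factor.
# Assumptions: openssl(1) 1.1+ is installed; the OPENSSL_ia32cap mask below
# disables AES-NI inside OpenSSL on x86 (see the OPENSSL_ia32cap(3) manual);
# this measures OpenSSL's userspace code path, not a kernel crypto driver.

CIPHER="${CIPHER:-aes-128-gcm}"        # EVP cipher name passed to openssl speed
SECS="${SECS:-3}"                      # seconds per block size
NO_AESNI_MASK="~0x200000000000000"     # clears the AES-NI capability bit

# Report whether the CPU advertises AES-NI (Linux: cpuinfo flags; FreeBSD: boot dmesg).
cpu_has_aesni() {
    if [ -r /proc/cpuinfo ]; then
        grep -q -w aes /proc/cpuinfo
    elif [ -r /var/run/dmesg.boot ]; then
        grep -q AESNI /var/run/dmesg.boot
    else
        return 1
    fi
}

# Read an "openssl speed" summary table on stdin and print the throughput of
# cipher $1 at the largest (16384-byte) block size, in whole kilobytes/second.
# Fails (exit 1) when the cipher row is missing, e.g. when openssl errored out.
speed_table_kbps() {
    awk -v cipher="$1" '
        $1 == cipher { v = $NF; sub(/k$/, "", v); printf "%d\n", v; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Throughput ratio a/b with two decimals, so callers can compare two runs.
speedup_factor() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b <= 0) exit 1; printf "%.2f\n", a / b }'
}

# Run one benchmark; $1 is "aesni" (hardware path) or "noaesni" (masked off).
bench_kbps() {
    if [ "$1" = "noaesni" ]; then
        OPENSSL_ia32cap="$NO_AESNI_MASK" openssl speed -evp "$CIPHER" -seconds "$SECS" 2>/dev/null
    else
        openssl speed -evp "$CIPHER" -seconds "$SECS" 2>/dev/null
    fi | speed_table_kbps "$CIPHER"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    if cpu_has_aesni; then
        echo "CPU advertises AES-NI"
    else
        echo "CPU does not advertise AES-NI (the masked run should then match the normal run)"
    fi
    with=$(bench_kbps aesni)      || { echo "benchmark with AES-NI failed" >&2; return 1; }
    without=$(bench_kbps noaesni) || { echo "benchmark without AES-NI failed" >&2; return 1; }
    echo "$CIPHER with AES-NI:    ${with} kB/s"
    echo "$CIPHER without AES-NI: ${without} kB/s"
    echo "speed-up factor:        $(speedup_factor "$with" "$without")x"
}

# Only run the benchmark when invoked as: sh aesni_check.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

A speed-up factor well above 1 means each packet is encrypted in fewer cycles, which is a latency gain per packet regardless of overall CPU load; a factor near 1 means OpenSSL is not using the instructions on that box.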
[pfSense] Motherboard compatibility
Hi all!

I am planning to set up a new pfSense server with brand new hardware. The motherboards that I am thinking of have socket LGA1155 or LGA1150 and come with Intel C204 and C222 chipsets, respectively. The motherboard producer provides a compatibility list for his boards. He states that the:
- C204 board is compatible with FreeBSD 8.1
- C222 board is compatible with FreeBSD 9.1

I know only very little about FreeBSD, but I think that hardware support is quite similar to the Linux kernel: what once has been added to the kernel stays there "forever", isn't it? So if the vendor writes "compatible with FreeBSD 8.1" it continues to be compatible with all following versions, such as FreeBSD 8.3, correct?

If those figures that the hardware producer provided are correct, it would mean that I could run pfSense 2.1 only on the C204 board, since pfSense 2.1 is based on FreeBSD 8.3, and the C222 board is only compatible from FreeBSD 9.1 and upwards, right?!

Since hardware producers tend to not edit and update such compatibility lists properly, the information provided there could be wrong. For this reason I would like to double-check. Could maybe someone give me a hint where I could look up which chipsets FreeBSD supports and from what version on?

Best regards
Thinker Rix
Re: [pfSense] Hardware requirements for gigabit wirespeed
> they usually aren't a limitation of the hardware/software, but simply of a misunderstanding what is actually required to achieve higher bandwidths. It's usually not the AP which is the problem, but the client.
>
> Some real-world advice (which you probably already know):
>
> Use two radios: one 2.4Ghz, one 5Ghz,

Ok, my AP is able of using both bands simultaneously and I will be using them.

> Use a frequency no-one uses if possible

Ok, there is no other WLAN nearby anyway as far as I figured.

> , allow HT40, allow SGI.

What are those and how do I activate them?

> Minstrel will scale down to HT20 and no SGI when required.

Ok. How exactly is Minstrel implemented on a Linux machine? Is it a kind of add-on that I have to plug in between the wlan0 device and e.g. network manager, or how is the general concept of Minstrel?

> There really isn't much more you can do other than using better hardware which costs remarkably more.

Do you have any further ideas on how to improve? E.g. producing more reflection, etc. or something else?

> Regards
> Matthias May

Thank you!!

Kind regards
Thinker Rix
Re: [pfSense] Hardware requirements for gigabit wirespeed
nd LAN.

So to summarize: What I want to achieve is to be able to copy files from the gigabit clients living in the LAN back and forth to the DMZ and yet still have some additional bandwidth for the other traffic not to be jammed. I have not yet implemented QoS with pfSense ever, but my experiences with another perimeter firewall distribution in the past (Endian) with QoS were not 100% satisfactory, since I continued to have e.g. VoIP or browsing latencies when transferring bulk traffic (although much better with QoS than without, but yet never perfect).

So my question is: Ok, 2x Gigabit != 2 Gigabit. But do you think that it will yet help to contribute to my objective to add a second channel to a bond so that there will be 2x Gigabit = 1 Gigabit for the user transferring bulk traffic plus additional 0,2-0,4 Gigabit for additional VoIP, browsing, etc., or is it senseless to do that this way?

> You're already thinking redundancy with the multiple NIC considerations, but in my experience, NICs don't really fail that often - at least not compared to fans, power supplies and other PC components. Consider whether a 2x pfSense cluster in CARP might be more to your needs if redundancy/failover is a critical requirement.

The additional redundancy that would come with the bond is something that I see as a nice additional benefit that comes with this plan of increasing the bandwidth to fight VoIP and browsing latencies, but is not necessarily my primary objective. Saying that, I can feed back that I very well had already 2-3 NICs die (within a period of approx. 5 years) in the past on my perimeter firewall - but in all cases they were cheap 10$ PCI Realteks and I hope that the professional Intel cards are of better quality.

As for CARP: I surely find this an interesting thing, but unfortunately I have no further budget to buy additional hardware, I have to use the one listed above. And additionally CARP adds some level of complexity which I am not able to cope with at this time, since I am not all too experienced with pfSense yet. But maybe the next upgrade after this one will be such a solution, I'll have to see.

> Looking at your hardware again, you've specced 12 NICs, but from what I can see from your config, you only need 8 (2 VDSL ports, 2 bonded ports for LAN, 2 bonded ports for DMZ, (assuming) 2 bonded ports for WLAN).

That is correct, I will use some additional, non-bonded OPT zones with occasional low traffic, that I did not mention yet.

>> 4x on-board Realtek 8111C Gigabit NICs
>
> Personally I'd spec a board that has Intel or Broadcom NICs - the Realtek ones are just rubbish by comparison. There are no shortage of boards with 2 Intel NICs on them these days. Look at some of the Intel-manufactured boards rather than third parties - they nearly always have Intel NICs. A few years back I used lots of DG965RY boards (Intel NIC, onboard video, so ideal for server environments).

Unfortunately I have to stick with the consumer motherboard that I have at my disposal right now. But I will use the Realteks only for very low / occasional traffic zones.

>> PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA disks RAID5
>
> Given pfSense uses <1GB space, why? A little SSD on the chipset's native SATA controller should be fine (see above, use CARP for redundancy).

In general I use hardware RAID in all my servers so to have a BBU - and preferably also data parity, e.g. by RAID5/6 - so to have the best chances for continued data integrity at all times, no matter what happens to the power supply, due to a crashed OS or due to disk surface errors, i.e. bad sectors. Yet, as far as I have figured, many people use pfSense without such security measures in professional productive systems, so I assume that there might be a reason why they abstain from such measures. Is pfSense immune against sudden power losses, system crashes, media surface failures, e.g. because it has read-only file systems or something similar, so that adding RAID, parity, BBU, etc. is never needed? Or is it just a compromise that they do by weighing costs and risk and deciding to take the risk? As I have a RAID controller and disks on stock I could use them without any cost.

> Kind regards,
> Chris

Thanks for your help!

Kind regards
Thinker Rix
[pfSense] Hardware requirements for gigabit wirespeed
Hi all,

I am planning a new pfSense box and am wondering if the hardware that I want to use will be sufficient.

Hardware:
- 2x Intel PRO/1000 PT Quad Port Gigabit NICs, each directly connected via PCIe-8x to the North Bridge of the CPU
- 4x on-board Realtek 8111C Gigabit NICs, connected via PCIe-4x internally to the South Bridge of the CPU, which they share with the RAID controller
- = 12 NICs total
- Motherboard: Consumer Desktop Motherboard
- CPU: Intel Core2Duo 2,4 GHz or Core2Quad 2,4 GHz or Core2Quad 2,89 GHz
- PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA disks RAID5

Config: I will:
1. be bonding 2 Intel NICs for the DMZ and 2 Intel NICs for the LAN zone
2. have Dual-WAN VDSL (50 Mbps downstream, 10 Mbps upstream each)
3. have 3-4 site-to-site VPN connections and 1-2 VPN road warriors via the WAN
4. have 1-2 VPN road warriors in my WLAN zone, connected with 450 Mbps WLAN NICs to a 450 Mbps WLAN Access Point that is connected with a gigabit NIC to an Intel NIC of pfSense
5. have 4-5 VLANs

Requirements: I want to have:
- full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x Gigabit at max)
- full 450 Mbps between the WLAN and pfSense
- maximal VPN speed without speed break due to hardware limitations, i.e. as near to wire speed as possible

Questions:
1. Would the Core2Duo CPU be sufficient for my requirements or should I choose the 2,4 GHz Quad-core, the 2,89 GHz Quad-core or maybe an even more powerful CPU or a totally different setup?
2. Is there any other bottleneck that will prevent my performance requirements?
3. When bonding the NICs, I was planning to use a port on each of the PCIe cards so to have a little bit of redundancy should an expansion card fail. Will there be significant performance losses due to this spread over 2 expansion cards, so that it would be much better to bond two NICs that live on the same expansion card and forget about the additional redundancy?

Thank you for any hint/advice/feedback!

Best regards
Thinker Rix
[pfSense] Upgrade Guide: Needs update for Auto Update
Hello all,

I just performed an upgrade to 2.1 via the "Auto update" feature in the web UI, which worked flawlessly. When studying the Upgrade Guide (https://doc.pfsense.org/index.php/Upgrade_Guide) prior to the upgrade I could not find any information about it. Is there a way I can update the guide myself? Otherwise maybe someone with writing rights to the CMS wants to update the manual.

Cheers
Thinker Rix

P.S. Maybe an update to this page would be convenient, too: https://doc.pfsense.org/index.php/Can_I_upgrade_my_pfSense_through_the_web_interface%3F
Re: [pfSense] naive suggestion: conform to US laws
ountry where surveillance is in place on its own people, etc. the subject here is another! The point here is to find a country where the government is not forcing companies to place backdoors into their software, as it is happening currently in the USA (example: Skype). And most other countries outside the USA do not do that currently since the civil rights are still valid there to a certain extent. So incorporating in a country where the government can not as easily inject back doors eliminates this threat and *that* is what we are talking about here.

Regards
Thinker Rix
Re: [pfSense] naive suggestion: conform to US laws
On 2013-10-09 19:38, Jim Thompson wrote:
> So asking the question is stupid

On 2013-10-09 19:50, Jim Thompson wrote:
> IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego.

On 2013-10-12 01:40, Jim Thompson wrote:
> Otherwise: get off my lawn. I'm not willing to endure this uninformed Alex Jonesian crapfest. Now that I'm back on US soil, I promise that if the later continues, I will kill the thread. People who hijack threads will be dealt with. Otherwise: STFU. Nor will I endure the besmirching of pfSense's good name and trademark.

The only one who is besmirching pfSense here is: you - given that as a co-owner of ESF you are an official representative of pfSense - and your official communication unfortunately shows that you are a vulgarian, plebeian, obscene, scurrilous goon, who insults, threatens, bullies, censors and muzzles other community members, totally lacking control of himself and any professional business manners whatsoever, let alone any constructive discussion culture.

To me it feels highly awkward and it is unsettling me a lot, that such an ill-mannered, shady and dubious roughneck like you holds a key position in the project that creates the security product that we use for protecting our networks. I have no idea why highly respected Chris Buechler partnered with you, but it might be good if you would learn a lesson from him concerning his professionalism, seriousness and manners in his official communication.

Bye.
Re: [pfSense] naive suggestion: conform to US laws
On 2013-10-11 21:20, Walter Parker wrote:
> Who would you trust more than ESF? Why, specifically, would you trust another group of people to be more trustworthy?

The point is not untrusting ESF or anybody else. The point is that ESF is based in the USA, a country where the current government can force you to do things against your community without having any chance to escape from it; they just force you to do so. So the point of the whole idea that we evaluate here is: How can we secure pfSense from this nasty government so that they can not just force ESF or anybody else to comply with them.

> I admit to have a USA bias, but for the issue in question, I don't see there being a much better choice. The UK has less freedoms in this matter.

As far as I am informed there are some more countries on the globe than the USA and the UK...

> But then this is turning into a case of "I'm worried about things, here lets have you [The project] spend time and money to fix the problem?" Unless, of course, you are willing to contribute time and money to fixing this issue. Otherwise this just an armchair general telling other people how to run the project.

Seems like a killer argument to me, which is kind of counterproductive in such an early stage of an idea/proposition, as this is.
Re: [pfSense] naive suggestion: conform to US laws
On 2013-10-11 16:20, Yehuda Katz wrote:
> Probably would not work (or would get whoever did that thrown in jail). This is similar to a Warrant Canary, but the USDoJ has indicated that Warrant Canaries would probably be grounds for prosecution of violation of the non-disclosure order.
>
> - Y
>
> On Friday, October 11, 2013, Adrian Zaugg wrote:
>> Dear all
>>
>> After having read the whole NSA thread on this list, it came up to my mind that pfsense web GUI could declare itself "conform to US laws" upon the point when there are known backdoors included or otherwise the code was compromised on pressure of governmental authorities. It would be the sign for the users to review the code and maybe to fork an earlier version and host it in a free country, where the protection of personal data is a common sense and national security is not so much an issue.
>>
>> Regards, Adrian.

Hi Yehuda,

inspired by the keyword you dropped, I researched a little bit and found: https://en.wikipedia.org/wiki/Warrant_canary

It seems that you are correct: What Adrian suggests is called a Warrant canary. In the wikipedia article it says that: "The intention is to allow the provider to inform customers of the existence of a subpoena passively, without violating any laws. The legality of this method has not been tested in any court." Is that wrong or in conflict with what you wrote?

In the case that it would indeed be prosecuted in the USA, we could consider to host the project in another country. In this case it would be interesting to investigate what needs to be hosted elsewhere: The source code versioning control system? The company behind pfSense (ESF)?

I guess that the best solution would be to incorporate pfSense itself and untie it from ESF. Many other free software projects have done so recently. The most prominent example is Libre Office which is now "owned" by the Document Foundation (https://en.wikipedia.org/wiki/Document_Foundation). The "owned" refers to e.g. the brand name, since the software itself is free software, it is not owned by anybody.

So summarizing: If pfSense would be incorporated as a foundation at some place (many countries would be possible) outside the USA, it could be a solution to this I guess.

Regards
Thinker Rix
Re: [pfSense] naive suggestion: conform to US laws
On 2013-10-11 12:57, Adrian Zaugg wrote:
> After having read the whole NSA thread on this list, it came up to my mind that pfsense web GUI could declare itself "conform to US laws" upon the point when there are known backdoors included or otherwise the code was compromised on pressure of governmental authorities. It would be the sign for the users to review the code and maybe to fork an earlier version and host it in a free country, where the protection of personal data is a common sense and national security is not so much an issue.

I think that your idea is worth further consideration. As I just answered to other postings of this thread, by my comprehension infiltrating firewall software such as pfSense should be highly interesting for the NSA, etc. because they would get a grip onto your internal and VPN traffic. So it should be only a matter of time that they knock at the door at ESF and force them to do things they don't like. We all - as a community - should think and act pro-actively to that and take appropriate measures to protect pfSense, ESF and the key people such as Chris Buechler and his partners from this realistic threat in time.

Best regards
Thinker Rix
Re: [pfSense] naive suggestion: conform to US laws
On 2013-10-11 13:54, Przemysław Pawełczyk wrote:
> On Fri, 11 Oct 2013 11:57:52 +0200 Adrian Zaugg wrote:
>> (...) mind that pfsense web GUI could declare itself "conform to US laws" (...) It would be the sign for the users
>>
>> Regards, Adrian.
>
> Excellent idea. Really. But that would kill the project probably.

I am not sure that I understand what you mean. Is it what you want to say: In the case that the security software that you use gets infiltrated, you would prefer not learning about this fact, but just continue using it?

Greetings
Thinker Rix
Re: [pfSense] naive suggestion: conform to US laws
On 2013-10-11 16:37, Seth Mos wrote:
> On 11-10-2013 11:57, Adrian Zaugg wrote:
>> Dear all
>>
>> After having read the whole NSA thread on this list, it came up to my mind that pfsense web GUI could declare itself "conform to US laws" upon the point when there are known backdoors included or otherwise the code was compromised on pressure of governmental authorities. It would be the sign for the users to review the code and maybe to fork an earlier version and host it in a free country, where the protection of personal data is a common sense and national security is not so much an issue.
>
> ? And which country would that be?

There are many countries which would be a possibility. If wiretapping is done there or not is not so relevant. Relevant is, if the authorities can and do inject backdoors into the project by legal force.

> Pretty much everything we have in pfSense is checked in the version control system. Even in the beginnings (0.83) with CVS. Even our builder scripts are in a RCS system, and it verifies all checksums on external (mostly FreeBSD ports) software we download for the build.

I am not an expert, but in the NSA thread above there have been examples given how CVS can be circumvented. Also, the gap between the sources and the binaries could possibly be a port of entry for nasty stuff I guess. Again: The real threat by my comprehension is not some "guy in the internet" trying to place malicious code into the code base, but simply and plainly some NSA officers knocking at the door and forcing the project leaders to do it.

> The way the most intelligence agencies these days perform the wire tapping is by getting a switch mirror port at a internet exchange. Even fiber optics can be tapped without too much problems.

Yes, they do that. And much more, because they do not restrict themselves to a single source. They e.g. get the data from the data providers (google, facebook, amazon, etc.) AND wiretap the internet backbones AND program trojan horses to send them to their peoples (see e.g. https://en.wikipedia.org/wiki/Bundestrojaner#Staatstrojaner) AND collect geolocation data from your mobile phone provider AND force your encrypted-email provider to hand out their SSL keys to them AND ... etc. etc. etc.

But: With all those methods they can only collect EXTERNAL data. With exception of the mentioned trojan horse, they do not as easily get your INTERNAL data, e.g. the data that circulates between the computers of your intranet. By infiltrating a firewall software such as pfSense, they could get a grip onto the most important neuralgic point of the intranet, since much of the internal traffic flows over this box. Think e.g. about all that VPN traffic that flows over the firewall, e.g. because a company connects many branches via VPN... So: Getting a grip onto the firewall would surely be highly interesting for them...

> In .NL all large ISPs have a mandatory wiretap in place that stores datetime stamped headers of the internet traffic for discovery purposes from the authorities. The best part of this, it is paid for by the customers, since the ISP needs to pay for the system and storage.

Yes, but see above.

> Regards,
> Seth

Regards
Thinker Rix
Re: [pfSense] pfSense 2.1: which FreeBSD version?
On 2013-10-10 19:25, Jim Pingle wrote:

Thank you very much, Jim!

Best regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hi Paul.

On 2013-10-10 18:42, Paul Mather wrote:
> Thank you for the valuable information about how to use mailing lists.

You are welcome! ;-)

> I first started using mailing lists back in the mid/late 1980s, on the JANET network (British academic network)---back when the Internet was made up of networks like ARPA, BITNET, UUCP, and the likes and (in my case) you needed to know the gateway machines that would let you reach those networks and had to incorporate that routing into the recipient's e-mail address.

I love it when users try to show off with what internet dinosaurs they are, as soon as someone tries to teach them how to do something better.. Well, I am an Internet Dinosaur, too, with quite a comparable track record as you, so I am not all too impressed ;-)

> I suspect "those people" you mention above actually know how to use a mailing list properly. I know I do.

Well, as it seems, most readers here *may know* how it should be done, but yet *don't do* it correctly, since it has shown that most users do just read all incoming mail unsorted and not threaded. While anybody has the right to do so - no one has the right to complain afterwards about drowning in mail that does not concern him. But awkwardly enough many users did complain. And I will not accept them blaming me for not using their mail readers correctly.

> I also know the value of good S/N ratio on technically-focused mailing lists.

Every user will consider different things to be noise. I do not consider this thread to be noise - at all. You do. Just read another thread that appeals to you more?

> Maybe if we can establish that, we can finally wrap up this thread as far as pfSense is concerned and get back to a pfSense-focused mailing list.

You can switch *right at this very moment* to a discussion thread that is of more interest for you and there you go!

> Of course, you're right, and that is wise counsel

It would have been a wise sentence, if it would have stopped here ;-)

> because it reminds me of one of the golden rules of mailing lists: unwelcome threads persist only so long as people reply to them. (This is sometimes better known by the more insulting adage: "Please don't feed the trolls!" I'm loathe to employ that, though.) I thought I was making a reasonable point, but it seems as far as I'm concerned, this thread has passed the point of reasonableness.

FACK! The only difference is, that you consider me to be the troll (maybe because I backtalk without hesitation to those who try to muzzle and censor me?) - while I consider those to be the trolls, who do not contribute anything of value to the discussion but plainly interfere in this thread and bully the others to stop discussing the topic, because they claim that it bores them - instead of just walking away.

> I'll leave it to you and your fellow concerned list members to continue mulling it over, and, in your case, to continue teaching your grandma to suck eggs when it comes to Netiquette. :-)

Thanks so much ;-) As far as Netiquette is concerned, I am surprised how many of those "computer geeks" that participate at this mailing list are clueless about Netiquette, and the basic usage of mail readers, etc. Take for an example how many postings are not quoting correctly, but have "text on top - full quote below" which is a no-go in newsgroups and mailing lists...

> Cheers,
> Paul.

Regards
Thinker Rix
Re: [pfSense] pfSense 2.1: which FreeBSD version?
On 2013-10-10 18:54, Jim Pingle wrote:
> On 10/10/2013 11:35 AM, Thinker Rix wrote:
>> Is there someone who knows which version of FreeBSD 2.1 is based on?
>
> 8.3-RELEASE-p11
>
> It was going to be 8.3 the TBD part was for the patchlevel. It ended up being -p11 by the time 2.1 was released.

Thank you for the information, Jim!

Best regards
Thinker Rix
Re: [pfSense] pfSense 2.1: which FreeBSD version?
Hi Warren,

thank you for your quick reply!

On 2013-10-10 18:39, Warren Baker wrote:
> On 10 Oct 2013 17:36, "Thinker Rix" <thinke...@rocketmail.com> wrote:
>> Hi all!
>> I want to upgrade from 2.0.1 to 2.1 and am wondering which FreeBSD version 2.1 is based on, since I am using some packages from there.
>> The table found here https://doc.pfsense.org/index.php/PfSense_and_FreeBSD_Versions has not been updated yet, it says only "TBD, at least 8.3".
>>
>> Is there someone who knows which version of FreeBSD 2.1 is based on?
>
> It is 8.3.

Ok! Can you / someone please confirm that the following is the correct repository for me to use, when installing packages of FreeBSD on pfSense 2.1:
http://ftp-archive.freebsd.org/pub/FreeBSD/releases/i386/8.3-RELEASE/packages/All/ ?

Best regards
Thinker Rix
Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
Hi Giles,

On 2013-10-10 16:50, Giles Coochey wrote:
> Trying to get this back on-topic, I will change the subject however

Giles, please note that Jim Pingle has already started a new thread for this purpose that he named "[pfSense] Crypto/RNG Suggestions" today. It seems to be beneficial to add your posting to his thread, not to have 2 concurrent threads - and thus concurrent discussions - about the same topic.

Regards
Thinker Rix
[pfSense] pfSense 2.1: which FreeBSD version?
Hi all!

I want to upgrade from 2.0.1 to 2.1 and am wondering which FreeBSD version 2.1 is based on, since I am using some packages from there. The table found here https://doc.pfsense.org/index.php/PfSense_and_FreeBSD_Versions has not been updated yet, it says only "TBD, at least 8.3".

Is there someone who knows which version of FreeBSD 2.1 is based on?

Thanks & regards
Thinker Rix
Re: [pfSense] Now people are trying to remove my email from the list from IP 129.2.129.152 (... Fwd: confirm )
On 2013-10-10 17:25, Alexandre Paradis wrote:
> same ip for me tried to remove me from the mailing list.

Mine, too, *roflcopter*. What a noob.

Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-10 16:52, Paul Mather wrote:
> On Oct 10, 2013, at 9:08 AM, Giles Coochey <gi...@coochey.net> wrote:
>> *BLINK!* Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points are now leading me to seriously reconsider the potential risk I have in continuing to use pfsense as a security tool.
>
> Some people value the S/N ratio of mailing lists. I believe the people asking for the discussion to be moved elsewhere are motivated by that.

Those people should just learn how to use a mailing list properly, before using one. A mailing list is *not* just "I enter my daily use email address somewhere and receive emails". For participating properly at a mailing list you need a proper mail reader that is able to sort mail into conversation threads (https://en.wikipedia.org/wiki/Conversation_threading). Then you go and pick the threads that interest you and read them. And you ignore those which do not interest you. Additionally it is advised to use an email address only for reading mailing lists.

Of course anyone can use a mailing list as he desires, e.g. by just subscribing to a mailing list with his daily use email address and then get his daily use email inbox spammed with tons of unsorted and un-threaded email about all sorts of discussion topics that are of no interest to him. Everyone's own choice! But please: Those people should not complain about receiving tons of email that do not interest them. And of course they can't tell others to talk only about topics that are of their own interest, that is ridiculous. Full stop.

> The original poster in this thread asked for a direct answer to a straightforward question and he got it, yet still he continues to pursue this thread. To what end?

E, as long as a wish?! There is no quota on how long any member of this list is allowed to discuss a topic, is there? If you are not interested, just do not read this THREAD. You don't use a conversation threaded email reader to participate in a mailing list? Not my problem, sorry. Go use one. See above.

> People are outraged at the NSA revelations, but the pfSense mailing list is not the appropriate place to be outraged at that.

Sorry, this is not up to you to judge. I think that my question is very well related to pfSense and thus the mailing list of pfSense is the right place to do so. And again: If you are not interested in this thread, DO NOT READ it. So simple actually?!

> Maybe if we can establish that, we can finally wrap up this thread as far as pfSense is concerned and get back to a pfSense-focused mailing list.

You can switch *right at this very moment* to a discussion thread that is of more interest for you and there you go!

Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-10 16:08, Giles Coochey wrote:
> On 10/10/2013 13:55, Ian Bowers wrote:
>> On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis <alexandre.para...@gmail.com> wrote:
>>> indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody don't care.
>>>
>>> On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat <rgbier...@rgbiernat.homelinux.org> wrote:
>>>> This discussion about security/NSA/encryption IS important. Please go on.
>>
>> Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation. I tried to turn this back into a product support discussion in the last thread but sadly my comments were not among those cherry picked. This discussion does not suit the purpose of this list. I see a bunch of hard working people reacting to their product's integrity being continuously questioned despite having all questions answered, and a few entitled consumers who can't be bothered to figure out technology well enough to come to their own conclusion on its integrity. As well as a bunch of people that want this discussion to go someplace more appropriate.
>>
>> The "concerned" parties are not concerned enough to learn how to read code. So you're paranoid, just not paranoid enough to actually learn how to answer your own questions. Unless there is an issue someone is having making a VPN work or getting NAT running right, this is the wrong place to hold this discussion. If you're having an issue with this pfSense, networking protocols, or logical operation of the device, great! Let's talk about it! I'm actually very good at these things, and I'd like to spend time helping people with network or network security related operational problems. Otherwise, please find the email addresses of all the people who shown an interest in participating in this discussion, and send an email out to that list of people to discuss it among yourselves.
>
> *BLINK!* Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points are now leading me to seriously reconsider the potential risk I have in continuing to use pfsense as a security tool.

This is *exactly* the way I feel about this whole sensation that we are witnessing here! Some reactions are truly incredible!

> The about list on the mailman page states: "pfSense support and discussion list"...

Correct! But I guess those who waste our time by telling us we should shut up and walk away would like to rename the list to e.g. "Happy shallow chatting of pfSense fan boys who never dare to ask any critical question about their beloved firewall-distro that they take to bed each night" or something similar. Self-censorship in a security software forum when it comes to discussing the security level of the security software! It's absolutely crazy!!

> This thread is clearly about discussing pfsense, therefore it is on-topic, I could equally take the stance, take your technical discussions to the dev list, however I am not the type of exclusive close-minded person that you appear to be. Please stop hijacking this thread.

FACK!!

Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-10 15:55, Ian Bowers wrote:
> On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis wrote:
>> indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody doesn't care.
>> On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat wrote:
>>> This discussion about security/NSA/encryption IS important. Please go on.
> Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation.
Ian, that is *your* opinion. As you can see, others here have a quite different opinion and they find this topic to be highly relevant for pfSense. Luckily this is an open mailing list, where everyone can pick the topics to read that interest him, so why don't you just walk away from this discussion instead of losing any time in telling others how uninteresting you find *their* discussion? And you even dare to tell us to go elsewhere... Who do you think you are? You are either a kind of sadomasochist - reading all day all kinds of discussions that do not interest you and telling the participants of that discussion that they should go elsewhere because they do not discuss what you find interesting and relevant - or you simply do not know how to use a mailing list properly. I suggest you go learn how to use a proper news/mailing-list reader. Hint: Threaded mode.
Cheers
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hi Giles
On 2013-10-10 12:39, Giles Coochey wrote:
> On 10/10/2013 09:38, Thinker Rix wrote:
>> On 2013-10-10 01:13, Przemysław Pawełczyk wrote:
>>> On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix wrote:
>>>> Well, actually I started this thread with a pretty frank, straight-forward and very simple question.
>>> That's right and they were justified.
>> Thank you!
>>> BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some.
>> Yes, I guess I have hit a whole bunch of different nerves with my question, and I find it to be highly interesting to observe some of the awkward reactions, socio-scientifically and psychologically. I have been insulted, I have been bullied, I have been called to self-censor myself and at the end some users "virtually joined" to give the illusion of a majority and muzzle me, stating that my question has no place at this pfSense mailing list. Really amazing, partly hilarious reactions, I think. These reactions say so much about how far the whole surveillance and mind-suppression has proceeded already and how much it has influenced the thoughts and behavior of formerly free people by now. Frightening.
>>> Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA.
>> Thank you for showing your support openly!
> I too was surprised to see some activity on the pfsense list, after seeing only a few posts per week I checked today to find several dozen messages talking about a topic I have been concerned with myself - as a network security specialist, how much can I trust the firewalls I use, be they embedded devices, software packages, or 'hardware' from manufacturers.
Exactly. The firewall is the neuralgic point of each of the networks that we administer. Thinking - and talking - about its integrity is the most natural and most important thing on earth, IMO.
> There are many on-topic things to discuss here:
> 1. Which Ciphers & Transforms should we now consider secure (pfsense provides quite a few cipher choices over some other off the shelf hardware).
> 2. What hardware / software & configuration changes can we consider to improve RNG and ensure that should we increase the bit size of our encryption, reduce lifetimes of our SAs, that we can still ensure we have enough entropy in the RNG on a device that is typically starved of traditional entropy sources.
You made some highly relevant and interesting suggestions here, and I sincerely hope that a fruitful discussion will develop upon this so that we all can benefit from it!
> This is so much on-topic, I am surprised that there has been a movement to call this thread to stop, granted - it may seem that the conversation may drift into a political one, with regard to privacy law etc... however, that is a valid sub-topic for a discussion list that addresses devices that are designed and implemented to safe-guard privacy.
This echoes my sentiments exactly!
Regards
Thinker Rix
Re: [pfSense] [MOTION TO END THREAD] NSA: Is pfSense infiltrated by "big brother" NSA or others?
> *I think I speak for everyone who was a member of this list before 10:20 AM EST today when I say that this discussion does not belong here and we would all like it to stop.*
I guess it is wise to just speak for yourself, instead of using this cheap rhetorical trick to pretend being a majority. And by the way, I have been a member of this list for quite a while.
> *This list is NOT a place where anyone is welcome to barge in and tell people "the proper way" of using it.*
Exactly. How about you follow your own advice?
Thinker Rix
Re: [pfSense] [Filters engaged]
On 2013-10-10 01:27, Robison, Dave wrote:
> On 10/09/2013 15:20, Joe Landman wrote:
>> I just worked out setting up new filters for the recent S/N destroying, high tin-foil-hat content, on gmail. Since people pleading for this to go away hasn't worked, technological measures to restore S/N for my inbox on this list have been engaged. Please folks, take the tin foil hat discussion elsewhere. Please?
> Perhaps we can set up a pfNonSense list?
Perhaps you should learn how to use a proper mail/news-reader?!
Re: [pfSense] [Filters engaged]
On 2013-10-10 01:20, Joe Landman wrote:
> I just worked out setting up new filters for the recent S/N destroying, high tin-foil-hat content, on gmail. Since people pleading for this to go away hasn't worked, technological measures to restore S/N for my inbox on this list have been engaged. Please folks, take the tin foil hat discussion elsewhere. Please?
Joseph, frankly I could not care less about what settings you work out in your web mail account. If you are not interested in this discussion thread, just do not open it. Learn to use a news/mailing list reader properly (how about "view > threaded mode"..), instead of blaming others for boring you.
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hello Chris,
Thank you for your unemotional, factual statement!
On 2013-10-10 03:17, Chris Buechler wrote:
> On Wed, Oct 9, 2013 at 9:20 AM, Thinker Rix wrote:
>> today I posted the following on your blog at http://blog.pfsense.org/?p=712
>> "Worried User Says: Your comment is awaiting moderation. October 9th, 2013 at 7:55 am Hi guys, I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/ forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so. Thank you Worried User"
>> Some minutes later I could see that my entry was not released to the public - but deleted by the moderator, without any further comment.
> Not true, the comment was moderator approved. The only reason we have moderation at all is because spam significantly outnumbers legit comments and we don't want any spam on any of our sites, there isn't some vast conspiracy going on.
I see. Well, it was pending moderator approval for an hour or so and then suddenly appeared to me as being removed. Maybe it was just because of some browser issue over here, I don't know. Today I see the posting being published and also your answer to it. Thank you for that!
> No, we have not been approached by anyone to backdoor or otherwise compromise security of the project, at any point during our 9 year history.
Thank you for this unambiguous, precise answer. That is the kind of answer that I was hoping for.
> I have indeed met with the NSA in person related to the product of one of our rebrand customers a couple years back, one of their groups was interested in evaluating the product. It survived their security analysis quite well (at least from what they declassified and released), and better than most things that come into their lab from what I understand. At no point did any discussion happen related to back doors or other means of compromising security for them. I wasn't under NDA nor do I have a security clearance.
Thank you for this additional, very valuable information, too.
> It is effectively a moot question to ask, given if we were, there's no way we could disclose that.
Well, sometimes you get the most interesting information out of simple, straightforward questions. By my comprehension this whole thread is a vivid proof for that. And given that you were bound to a nondisclosure dictate by your government, you would have only three choices: a) "We don't want to say" b) or an awkward answer c) Lying. a) and b) are a clear "yes", and given that not everybody is comfortable lying, chances exist that you might feel it.
> Evidence suggests a number of huge tech companies have complied. There hasn't been any evidence to date that any open source projects were approached.
Well, there is some evidence to suggest that Linus/Linux has been approached.
http://linux.slashdot.org/story/13/09/19/0227238/linus-torvalds-admits-hes-been-asked-to-insert-backdoor-into-linux
http://www.theregister.co.uk/2013/09/19/linux_backdoor_intrigue/
> A number of widely-respected security people have come out and said that open source solutions are better in the aftermath of the recent revelations. One example: "My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software." -Bruce Schneier https://www.schneier.com/blog/archives/2013/09/how_to_remain_s.html
Well yes, the publication of the source code allows others to review it, and given that the code is being maintained in a public revision control repository increases chances that malicious changes are identified quickly. These are advantages that closed source projects do not have a priori, I agree. But in practice open source projects are no universal remedy to malicious influences.
Take for example the transition from the publicly revised source code to the binary versions. Chances are extremely high that no one will ever notice any last-minute changes to the local source code, such as adding some surveillance "features", prior to compiling the binaries out of it and releasing them to the public, or am I mistaken? So at the end everything stands or falls with the trust that you have in a project, i.e. the key people of the project. So what was more obvious than just asking them directly and see what they have to say about that topic.. So, since we cleared that out, please allow me to ask some continuative questions: Has the project pfSense (i.e. its leaders) ever thought about what it/they would do if the day should come where those NSA-people (or others) knock the doo
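The source-to-binary gap raised in the message above has a concrete defender's check: compare what a project ships against (a) the checksum manifest it publishes and (b) an independent rebuild of the reviewed source. The Python below is an added example, not code from the pfSense project or from anyone on this list. It uses a sha256sum-style manifest format, a deterministic stand-in for a build step, and constructed artifacts and hashes (no real release files); all names in it are hypothetical. It shows the distinction the message is getting at: a vendor-published checksum passes on the vendor's own shipped file even when that file was built from source the public never saw, so only an independent rebuild exposes that kind of divergence, while the checksum still catches alteration between the vendor and the user (a bad mirror, a corrupted download).

```python
import hashlib
import re
from typing import Dict, Tuple

# Accepts sha256sum-style lines: "<64 hex>  name" or "<64 hex> *name" (binary-mode marker).
MANIFEST_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected digest. Malformed lines are an error, not silently skipped."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[m.group("name")] = m.group("digest").lower()
    return entries


def verify_manifest(manifest_text: str, artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Per listed file: OK, MISMATCH (content differs from the published digest) or MISSING."""
    status: Dict[str, str] = {}
    for name, digest in parse_manifest(manifest_text).items():
        data = artifacts.get(name)
        if data is None:
            status[name] = "MISSING"
        elif sha256_hex(data) == digest:
            status[name] = "OK"
        else:
            status[name] = "MISMATCH"
    return status


def rebuild_matches(published: bytes, rebuilt: bytes) -> Tuple[bool, str, str]:
    """Reproducible-build check: does an independent build of the reviewed source
    produce exactly the bytes the project shipped? Returns (match, hash_published, hash_rebuilt)."""
    a, b = sha256_hex(published), sha256_hex(rebuilt)
    return a == b, a, b


# --- constructed scenario (hypothetical; no real project's files or hashes) ---
REVIEWED_SOURCE = b"constructed source tree: packet filter rules, web UI, sshd config\n"
IMAGE_NAME = "firewall-image.img"


def build(source: bytes, unpublished_patch: bytes = b"") -> bytes:
    """Deterministic stand-in for a compiler/image builder (constructed, not a real build):
    the same input always yields the same output, which is what a reproducible build needs."""
    payload = source + unpublished_patch
    return hashlib.sha512(payload).digest() + payload


def scenario() -> Dict[str, str]:
    honest_build = build(REVIEWED_SOURCE)  # what the public repository yields
    vendor_build = build(REVIEWED_SOURCE, b"# change never pushed to the repo\n")  # what got shipped
    # The vendor publishes checksums of what it shipped, so the manifest matches the shipped file.
    manifest = f"{sha256_hex(vendor_build)}  {IMAGE_NAME}\n"
    mirror_copy = vendor_build + b"\x00"  # altered or corrupted somewhere between vendor and user

    return {
        "manifest_on_vendor_copy": verify_manifest(manifest, {IMAGE_NAME: vendor_build})[IMAGE_NAME],
        "manifest_on_mirror_copy": verify_manifest(manifest, {IMAGE_NAME: mirror_copy})[IMAGE_NAME],
        "manifest_file_absent": verify_manifest(manifest, {})[IMAGE_NAME],
        # Only an independent rebuild exposes a vendor-side divergence from the reviewed source.
        "rebuild_agrees_with_vendor": str(rebuild_matches(vendor_build, honest_build)[0]),
        "rebuild_is_deterministic": str(rebuild_matches(build(REVIEWED_SOURCE), honest_build)[0]),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Run as a script it prints the five findings; `manifest_on_vendor_copy` is `OK` while `rebuild_agrees_with_vendor` is `False`, which is exactly the situation the message describes. A real build is only comparable this way if it is reproducible (same toolchain, no embedded timestamps or build paths); the `build()` stand-in here assumes that property rather than demonstrating how to achieve it.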
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-10 01:13, Przemysław Pawełczyk wrote:
> On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix wrote:
>> Well, actually I started this thread with a pretty frank, straight-forward and very simple question.
> That's right and they were justified.
Thank you!
> BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some.
Yes, I guess I have hit a whole bunch of different nerves with my question, and I find it to be highly interesting to observe some of the awkward reactions, socio-scientifically and psychologically. I have been insulted, I have been bullied, I have been called to self-censor myself and at the end some users "virtually joined" to give the illusion of a majority and muzzle me, stating that my question has no place at this pfSense mailing list. Really amazing, partly hilarious reactions, I think. These reactions say so much about how far the whole surveillance and mind-suppression has proceeded already and how much it has influenced the thoughts and behavior of formerly free people by now. Frightening.
> Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA.
Thank you for showing your support openly!
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 23:43, Pim van Stam wrote:
> All, Can this flame be put to an end or continued via private mail? This endless discussion would be reason for me to unsubscribe and that's not the goal of the list i guess. Regards, Pim
Hi Pim, first of all: Generally - sorry for disturbing you. But: Interpreting your message, I guess you are participating at this mailing list with a mail reader that just pours all incoming mail into one folder - which is not "the proper way" to read mailing lists. Please let me inform you that it is highly advisable to participate at mailing lists only with a mail reader that allows you to view incoming mail in "threaded mode". This way you only get to read messages that interest you, instead of being flooded by all messages of all users with all subjects. Not using such a threaded-capable reader but telling others what to write and what not because you are bored about what they discuss is not really a solution :-)
A reader that is capable of threaded view mode is e.g. Mozilla Thunderbird (View > Sort by > Threaded)
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 21:42, Jim Thompson wrote:
> On Oct 9, 2013, at 7:41 PM, Thinker Rix wrote:
>> We all know that the governments currently force on a daily base one company after the other to comply to their New World Order-Orwellian-global-surveillance fantasies and make them compromise their software or service. So I find it absolutely NECESSARY to clear out if pfSense has fallen (already) to them, or not. Network security is THE major reason for using pfSense. So it should be the most important question for all of us, isn't it? By my comprehension, everyone who says that this is a silly question or that it is some unimportant thought no one should further bother thinking about in detail, is either confused, or trying to conceal something.
> You just want to have a discussion.
Well, actually I started this thread with a pretty frank, straight-forward and very simple question. But instead of a simple and clear answer, I got some pretty aggressive, snappish and awkward reactions (mainly from you, by the way), and some other users additionally threw in many other aspects so that yes - subsequently a discussion evolved.
> Perhaps it makes you feel important, I don't know. Your Alex Jonesian "New World Odor" rhetoric is tiring.
I guess you simply can't talk without offending and dispraising your partner, can you?
> Your NECESSARY discussion is not, because in the end analysis the discussion you want to have is orthogonal to the subject. You should instead only depend on you and your tools to ensure your security. Asking me (or Chris, or Jamie) to answer the question puts everyone in a position where nothing can be learned, so it is useless, rather than NECESSARY.
Oh yes, a lot can be learned. I asked a very simple question: "I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/ forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so." Possible answers could have been e.g.:
1. "No, fortunately we have not been approached by anyone yet"
2. "Yes, we have been approached but we withstood. The current situation is XY"
3. "We are not allowed to answer that"
4. 5. etc., etc., etc.
Especially answer no. 1 should have been a no-brainer in the case that it is true. You, me and everyone else here would just be happy that no one has harassed you (yet) and it should not have been any problem whatsoever to talk about it, should it? But strangely, instead of just saying "no, fortunately no one has approached us yet!", I got plenty of negative and sometimes even quite aggressive feedback for "daring to ask" such a "naive question". Like if there is a kind of taboo on that... This is something that clearly confounds me. As David Burgess stated above: Sometimes by asking a question, you receive a lot of information between the lines. Frankly, I am still unsure about how to interpret the result of this whole thread. Are you barking and biting so much, because you have something to hide, finally? Is that the reason why you bully me so much for posing a simple question that should be the most natural question to ask such a kind of project? Or is there another reason? I don't know. But to me it seems like if I have hit a hornet's nest with my question.
> Until you understand and accept this, your messages are mere platitudes.
Thanks once again (see all other answers of you, too) for being so "polite" to me. Being a project leader and thus a representative of the project, by talking so rudely to your users, you are casting quite a negative light onto the project. Maybe you want to think about it some other time..
> Look, The integrity and bravery Ladar Levison has shown in his fight is impressive. He has definitely earned enough "cred" to restart his business outside the US and be very successful, but my hope is that he does not. We should celebrate Ladar for making the decision to put himself at risk in order to protect his users, but I think we should be careful not to forget that Ladar was forced to make that decision because the security of Lavabit was all a complete and total hand wave. There are already technologies such as PGP, S/MIME, smart cards, and the dozens of other ways we can have secure email without relying on a trusted third party such as Lavabit. Lavabit could respond to a demand for plaintext, if Ladar were willing to do so (and in the end, he was, for a particular user); on the other hand, Google cannot give anyone access to the plaintexts of S/MIME encrypted messages that I send through their servers because of technical barriers. That is the point of doing your encryption locally, and that is why security and privacy are not, and never will be, a service.(*) This wasn't untested water, either. The exact same thing
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hi Walter,
On 2013-10-09 21:53, Walter Parker wrote:
> To answer your question about throwing the first stone. Your question reads a bit like the "Are you a criminal/commie?" questions. Many people would object to the question at the start because it implies that the people being asked the question have done something wrong. Watching the reactions to political debates shows that asking the question can be enough to get a sizable amount of the audience to think the answer is yes, even when no proof is ever given that something happened.
Interesting what all kinds of different things you do interpret into my question. By my comprehension I just asked a simple but important question and did this quite straight-forwardly.
> Then when the question was deleted, you demanded that pfSense take a stand on it.
Yes. Censorship always raises questions.
> Let me show you what it looks like from the other side: Have you planned to overthrow the government? When will you show that you are not plotting to kill your fellow country men? It is a simple question, when will we hear something from you? I just ask because I want to be sure that you are not trying to kill me.
Well, your example neglects one important aspect: pfSense is a kind of security software project. Asking it about its level of security and integrity is a question that such a project must stand, IMHO. It is like asking a bank how safe my money is. Or asking Microsoft how good "Word" is for writing letters; while asking me about if I plan to overthrow some government or kill other people refers to nothing.
> For the tool in question, pfSense, once you start questioning it, there is no way to get to the bottom without either trusting the pfSense people (which means that the question is pointless because if you trust them, asking them if they have violated your trust means that you don't trust them) or getting an external validation (trusting another group of people or doing the work yourself).
I guess for anybody related to computer security it is a must to question anything anytime and take nothing for granted. You should question everything any time and any player in this domain should accept any questions any time, IMHO.
> FYI, there is a long history on the Internet of people asking simple "innocent" questions, not to get actual answers, but to cause trouble by causing the effect described at the beginning of my email (these are called trolls).
What trouble do you refer to? I only read some aggressive/ snappy answers which - frankly - I find pretty awkward reactions to my simple question.
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 22:11, Ian Bowers wrote:
> You got your answer of "no" a while back. But you're still talking. What are you going to do with the answer now that you have it? What's YOUR plan? -Ian
- Well, actually it was not so long ago that I got a clear answer
- Commonly I talk as much as I like to
- I still don't know what to do with the answer
- I have no plan
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 20:16, Gé Weijers wrote:
> I think it's unlikely that ESF was even asked to cooperate, but I don't believe a denial is all that useful under the circumstances, and asking for it again and again is obnoxious.
Having thought about it again and again, I would like to feed back to you that your act of calling it "obnoxious" to pose a simple question about whether a security software project is still secure or has been undermined by the government already, seems to be a clear indication of self-censorship... Self-censorship is what you get when you suppress people by surveillance..
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 19:42, Adam Thompson wrote:
> Argh. Anyone who answered "Yes" to your question (correctly, mind you) would immediately be committing a federal crime. Considering the consequences, no-one in their right mind would ever confirm that they had been approached or received a NSL.
Well, some people do, because they have principles and values and prefer to not bow to any suppressors; for example Ladar Levison of Lavabit (https://en.wikipedia.org/wiki/Lavabit). He could just have complied and he would still run his company today - offering encrypted email to his customers, that in reality is not really encrypted anymore; but he chose to stand up and blow the whistle. Great guy.
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 20:18, Jim Thompson wrote:
> On Oct 9, 2013, at 7:03 PM, Thinker Rix wrote:
>> Hello Jim! Thank you for your answer.
>> On 2013-10-09 19:38, Jim Thompson wrote:
>>> No, the NSA hasn't approached us about pfSense, or adding a "back door", or anything similar. Nor has anyone else.
>> Do you work for Electric Sheep Fencing LLC, i.e. is this the "official" answer of the company to my question?
> There are three individuals that own ESF, and can speak for the company. Chris Buechler, Jamie Thompson (my wife), Me.
Thank you for this information.
> how official do you want an answer to be?
Since you are a co-owner of ESF who is entitled to speak for the company, as you say, I believe that your answer is as official as it gets and I am thankful for this clear statement of yours! Thank you very much.
I only wonder what the aggression was needed for.
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 19:49, Christian Borchert wrote:
> Linus Torvalds was asked the same question in a Q&A session about linux. He said 'no' while nodding his head up and down.
> Sent via BlackBerry from T-Mobile
Exactly. Frightening, isn't it? Awkwardly the audience started laughing about that...
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 20:22, Jim Thompson wrote:
> On Oct 9, 2013, at 7:13 PM, Thinker Rix wrote:
>> Hello Jim!
>> On 2013-10-09 19:50, Jim Thompson wrote:
>>> IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego.
>> This is already the second time that you insult me indirectly.
> It's amusing that you don't understand that you threw the first stone here.
This is correct. I do not understand where I am supposed to have thrown any stones or insulted anybody, indeed. If you would like to show me, I would really be thankful.
>> May I ask again if you are a staff member of Electric Sheep Fencing LLC?
> Staff members get paid. I'm a co-owner, and have never taken a dime from ESF (or BSDP). jim
Thank you for the info.
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 20:16, Gé Weijers wrote:
> Some people in this discussion assume that the principals of ESF could not be forced to lie by the US government, under threat of lawsuits, financial ruin, incarceration and not seeing their children grow up.
Gee, quite a frightening regime. Someone should tell the USA to send some of their troops in there to remove this suppressing regime and free those poor devils over there by spreading some of their "democracy", as they do all over the planet.. Oops, I think I got something wrong here ;-)
> I find this assumption awfully naive
Do you think so? Me, not, though it might seem so at first sight.
> I think it's unlikely that ESF was even asked to cooperate,
Interesting thought, may I ask you why you think so?
> but I don't believe a denial is all that useful under the circumstances
What do you mean? It would not be "useful" not to comply, but better to just compromise what you do so that you are left in peace?
> and asking for it again and again
Actually I only asked once
> is obnoxious.
Since when can a naive question, as you called it, be obnoxious? And why do you think asking a security software project if it is secure is obnoxious? I think it is the most important question of all.
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 17:20, Thinker Rix wrote:
> Dear pfsense-team, I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/ forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so.
Hello all! Thank you for all your reactions so far! Reading the whole thread, I can't help but feel two things:
1. Quite a bit of aggression of some users. Why? Because I asked a simple and "naively" straight-forward question? Strange, isn't it?
2. A "nothing to worry here, just continue walking" attitude of some others
I think this is strange. And by the way: It is not only "some" question, but *the* question, actually, if someone remembers what we are talking about here! We are talking about a network security software - so what on earth is more normal than asking if this software *is* secure!? Should we all just look away and continue our business as usual, as if nothing has happened the last year out there on the globe? We all know that the governments currently force on a daily base one company after the other to comply to their New World Order-Orwellian-global-surveillance fantasies and make them compromise their software or service. So I find it absolutely NECESSARY to clear out if pfSense has fallen (already) to them, or not. Network security is THE major reason for using pfSense. So it should be the most important question for all of us, isn't it? By my comprehension, everyone who says that this is a silly question or that it is some unimportant thought no one should further bother thinking about in detail, is either confused, or trying to conceal something.
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 20:04, Walter Parker wrote:
> About that made in the USA thing, the NSA has deals with overseas companies as well... Plus, the GCHQ and several other foreign spy agencies have done similar things, so if you start asking, you discover that the major governments are trying to do this and have succeeded more often than we would like.
Yes, it is horrifying.
> Also, the whole "We have to ask the question to get the denial on record" only matters for the government or people with lots of money. The Government can sue you/arrest you for a lie, but do "you" have enough money to pay for lawsuits against a company? Most lawyers want money upfront unless you have a clear suit against a company with lots of money. When was the last (or even first) time that a company was sued and lost to a private party for something like this, outside of class action lawsuits
I do not want to sue or otherwise harm anybody. I only asked a very simple question and now read the answers. Very interesting answers, I think.
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hi Adam,
On 2013-10-09 19:42, Adam Thompson wrote:
> Which makes asking the question quite irrelevant.
I do not think so.
Greetings
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hello Jim!
On 2013-10-09 19:50, Jim Thompson wrote:
> IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego.
This is already the second time that you insult me indirectly. May I ask again if you are a staff member of Electric Sheep Fencing LLC?
Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hello Jim! Thank you for your answer.
On 2013-10-09 19:38, Jim Thompson wrote:
> No, the NSA hasn't approached us about pfSense, or adding a "back door", or anything similar. Nor has anyone else.
Do you work for Electric Sheep Fencing LLC, i.e. is this the "official" answer of the company to my question?
Thank you
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hi Jim,

thank you for your quick reply!

On 2013-10-09 18:59, Jim Pingle wrote:
> On 10/9/2013 11:20 AM, Paul Kunicki wrote:
>> I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment ?
>
> As far as I'm aware, nobody has contacted us, but if they did I may not know. They aren't really interested in end-user firewalls, they want infrastructure routers.

Do you think that there might be a chance to get an "official statement" of ESF, maybe without any "ifs and buts"? This would really help in these uncertain times that we all have to suffer currently.

Thank you,
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 19:22, Walter Parker wrote:
> The big problem with asking the question "Has the NSA required you to add a back door?" is that no small company that wants to stay in business can or will say yes (If they do, no one will trust/use the product unless forced themselves). The company will agree/be forced to say no. How does one tell that no from an authentic no?

Exactly. But sometimes you can get the most interesting results out of "silly straightforward" questions. E.g. by carefully analyzing the reactions, or the words that are said - or not said. Additionally, as far as I have figured, the criminal authorities even forbid those companies to talk about things. So the most common official answer is: "We are not allowed to talk about it" (= Yes, we are held hostage by the criminal authorities). If this should be the case, we - the community - could find a solution all together, e.g. by re-incorporating the project in a free country (= not the USA!).

> Therefore, once trust is in question, the only way to be sure is to do the self review suggested earlier...

Well, yes. But who does? Do you? Not me. Who does then?

> However, from my perspective, the code in pfSense is more likely to be secure than any commercial, closed source solution. See prior threads about FreeBSD security.

I *hope* that, too. But do I *know*? No.
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Hi Peter,

On 2013-10-09 18:20, Peter van Arkel wrote:
> I also understand your point though, since the software is OSS, it should be fairly easy to check for backdoors :)

besides the following 3 facts:

1. that I (and I guess 95% of all other users) can hardly read ANY serious code
2. that it should not be "fairly easy" for anyone to read the entire code base of such a huge project as pfSense
3. that generally *in reality* nobody bothers to review any code because everyone thinks that "the huge user base of this open source project" surely does ..

please also keep in mind that even reading and understanding code in some cases might not be sufficient, because of https://en.wikipedia.org/wiki/Obfuscation_%28software%29

In my opinion the often proclaimed higher security of open source due to "everyone can 'just' read the code and check himself" is nothing more than a myth... Yes, you *could* check. But does anybody? Check the *entire* code and get the big picture? I guess in 99% of smaller projects no one has EVER checked any serious amount of code - let alone the entire code base - besides the developer himself...

But again back to my main question: My main question was not if the code includes bad things, but if the company behind pfSense has been approached (yet) by authorities to comply with their Orwellian global police state fantasy.
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 19:03, Jim Thompson wrote:
> (TIC mode: on)

Sorry, but I guess the whole matter - not only concerning pfSense, but the current threat to our civilization by our criminal governments as a whole - is much too serious for any "TIC-modes"..
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 18:20, Paul Kunicki wrote:
> I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response

Exactly, Paul, you got my point!

> although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment ?

@your doubts about the NSA/FBI/<surveillance institution here> bothering with smaller companies such as Electric Sheep Fencing LLC (formerly BSD Perimeter) and their niche product pfSense: Please take these 2 things into account:

1. Recently they forced the small encrypted-email service "Lavabit" to comply with them (hand out their SSL master keys & install a "black box" at their premises). Lavabit did not agree - and they shut him down. https://en.wikipedia.org/wiki/Lavabit. Officially they wanted to force Lavabit to just hand out Edward Snowden's emails (bad enough), but in reality they wanted to gain access to all emails of Lavabit by receiving the SSL master keys and by placing the black box at their premises, which rendered the whole service useless.
2. Routers/Gateways/Firewalls are highly interesting for big brother. Read e.g. this article "NSA Laughs at PCs, Prefers Hacking Routers and Switches" (https://mailman.stanford.edu/pipermail/liberationtech/2013-September/011287.html)

So, combining those 2 facts - the fact that the NSA/FBI/etc. prefer to infiltrate routers with the fact that they very well bother knocking on the doors of small businesses with niche products - I guess my question is quite legitimate!

Greetings
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 2013-10-09 18:14, Mehma Sarja wrote:
> Dear Worried user,
>
> Since pfSense is opensource, please check the code and report back if there are any backdoors or nasty stuff in there. Thanks for being a conscientious user and not wanting to shift work onto others.
>
> Mehma

@all: Please don't feed the troll.
[pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
Dear pfsense-team,

today I posted the following on your blog at http://blog.pfsense.org/?p=712

"Worried User Says:
Your comment is awaiting moderation.
October 9th, 2013 at 7:55 am

Hi guys,
I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so.
Thank you
Worried User"

Some minutes later I could see that my entry was not released to the public - but deleted by the moderator, without any further comment.

Please take a stand on this.

Regards
Re: [pfSense] 2.0.2: Bug in Backup/Restore makes it impossible to restore encrypted backup file
On 2013-02-23 09:42, Chris Buechler wrote:
> On Fri, Feb 22, 2013 at 6:18 PM, Thinker Rix wrote:
>> Hello, there is a bug in the backup/restore function of pfSense 2.0.2 which makes it impossible to restore encrypted backups, rendering those backups useless.
>
> Thanks, opened: https://redmine.pfsense.org/issues/2836

Hi Chris,

Thank you for filing this bug for me. Could you by any chance help me out with my two questions, too (see the second to last section in my posting)? Is it safe for me to proceed and use the backup file to restore a productive system, which I manually trimmed (as I described it in step No. 6: deleting everything in the encrypted backup file that comes after " END config.xml ")? Or should I rather dump the whole thing and start from scratch (losing almost a week's worth of work)? This information would be of great help to me, because at the moment I am puzzled on how to proceed with this first pfSense roll-out of mine.

Cheers
thinkerix
[pfSense] 2.0.2: Bug in Backup/Restore makes it impossible to restore encrypted backup file
Hello,

there is a bug in the backup/restore function of pfSense 2.0.2 which makes it impossible to restore encrypted backups, rendering those backups useless.

==

You can easily reproduce the bug by making a backup with the following settings:

- Backup area: ALL
- Do not backup package information: YES/NO (irrelevant)
- Encrypt configuration file: YES
- Do not backup RRD data: NO (= Yes, backup RRD data!)

The combination of encryption and RRD data inside the backup file corrupts the file:

- When trying to restore via Pre-Flight Installer (USB stick), pfSense states that the password is wrong.
- When trying to restore via Web GUI, it states: "You have selected to restore the full configuration but we could not locate a pfsense tag."

==

Since the file is not encrypted as a whole, but only sections of it are encrypted, I could open the file with a text editor and analyze it. As it seems, the backup xml and the RRD data are two sections which are clearly separated from each other:

1. In an UNENCRYPTED backup file WITHOUT RRD data, the file structure is:
   ##
   ... then the contents of the config.xml ...
   ... at the end some certificate data

2. In an UNENCRYPTED backup file WITH RRD data, the file structure is:
   ##
   ... then the contents of the config.xml ...
   ... at the end some certificate data
   ... then multiple RRD data blocks in the following format ...
   some name
   some encrypted/hashed (?) RRD data
   ... and at the end of the file

3. In an ENCRYPTED backup file WITHOUT RRD data, the file structure is:
   ##
   BEGIN config.xml
   ... encrypted data
   END config.xml

4. In an ENCRYPTED backup file WITH RRD data (= the corrupted file which won't restore!), the file structure is:
   ##
   BEGIN config.xml
   ... encrypted data
   END config.xml
   ... then multiple RRD data blocks in the following format ...
   some name
   some encrypted/hashed (?) RRD data
   ... and at the end of the file

Reminder: when trying to restore this file, the error message said: "..we could not locate a pfsense tag".

Analyzing the file, I noticed that indeed the start tag "" is missing, since after " END config.xml " it continues straight away with "". So I tried to fix the file by manually inserting the missing start tag, leading to the following result:

5. FIX ATTEMPT 1: ENCRYPTED backup file WITH RRD data (= the corrupted file which won't restore!), with missing start tag inserted:
   ##
   BEGIN config.xml
   ... encrypted data
   END config.xml
   ... then multiple RRD data blocks in the following format ...
   some name
   some encrypted/hashed (?) RRD data
   ... and at the end of the file

When trying to restore this file, I receive a new error message: "The configuration could not be restored." So obviously I either fixed the wrong thing, or there is something else wrong, too.

6. As a last resort I went over and cut off all RRD data: I deleted everything that came after " END config.xml ":
   ##
   BEGIN config.xml
   ... encrypted data
   END config.xml

This is similar to the way the file looks in Nr. 3, i.e. the way it would look if you don't select any RRD data to be saved in the backup.

Result: The backup is accepted by pfSense and it restores the system.

==

Questions:

1. I did this backup-restore action because I wanted to make sure that my backup works fine, prior to going productive with the system, as is suggested in the book. Obviously good advice, since I don't even want to imagine the stress I would have now in a recovery situation of a productive system. Nevertheless, I have worked quite some days on this configuration setup and really do not want to lose all the work and start from scratch. So can someone please tell me if it is safe for me to proceed with my "trimmed" backup file, fixed in the way I described in point no. 6? Did I really just cut off the RRD data, when I cut off everything after " END config.xml ", or did I damage the backup file in a way not obvious to me which could lead to a misconfigured/unstable/insecure pfSense system in the future???

2. What encryption algorithm is used for the backup? Is there any way I could decrypt it manually?

Thank you very much for any help/hint/information!!

Cheers
thinkerix

==

P.S.

1. A similar error had been reported by another fellow community member on 2011-05-07, who ran 2.0RC3, so it seems that the bug has been existing for a while, see: http://forum.pfsense.org/index.php?topic=38762.0;prev_next=next
2. I first tri
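A small checker for the file layouts listed in the post above, added here as an example and not pfSense's own code. It assumes the "BEGIN config.xml" / "END config.xml" marker lines from the post, treats anything after the END line as trailing RRD data (case 4), and reproduces the step 6 trim; the sample file content and its RRD tag names are constructed.

```python
"""Added example (not pfSense code): check an encrypted pfSense backup for
the structure described in the post. Assumptions taken from the post:
the encrypted config sits between lines containing "BEGIN config.xml" and
"END config.xml", RRD blocks follow the END line, and step 6 ("trimming")
means dropping everything after that END line."""
import re

BEGIN_RE = re.compile(r"BEGIN config\.xml")
END_RE = re.compile(r"END config\.xml")

# Constructed sample of case 4 (encrypted + RRD data). The ciphertext and
# the RRD tag names are made up for this example, not real pfSense output.
SAMPLE_CASE_4 = """---- BEGIN config.xml ----
CONSTRUCTED-NOT-REAL-CIPHERTEXT
---- END config.xml ----
<rrddata>
<rrddatafile><filename>example-wan.rrd</filename><xmldata>MADEUP</xmldata></rrddatafile>
</rrddata>
"""


def _after_end_line(text, end_match):
    """Index just past the newline that closes the END marker line."""
    nl = text.find("\n", end_match.end())
    return len(text) if nl == -1 else nl + 1


def inspect_backup(text):
    """Classify a backup along the four cases listed in the post."""
    begin, end = BEGIN_RE.search(text), END_RE.search(text)
    encrypted = bool(begin and end and begin.start() < end.start())
    trailing = text[_after_end_line(text, end):] if encrypted else ""
    has_rrd = bool(trailing.strip())
    return {
        "encrypted": encrypted,
        "has_trailing_rrd": has_rrd,
        # case 4: encrypted block followed by RRD data is the combination
        # the post found unrestorable ("could not locate a pfsense tag")
        "matches_bug_case": encrypted and has_rrd,
    }


def trim_to_config(text):
    """Step 6 of the post: keep everything up to and including the END line."""
    end = END_RE.search(text)
    if end is None:
        raise ValueError("no END config.xml marker: not an encrypted backup")
    return text[: _after_end_line(text, end)]
```

Running `inspect_backup` on a backup before relying on it flags the encrypted-plus-RRD combination without touching the file; `trim_to_config` only reproduces the manual cut from step 6 and does nothing about the unanswered question of which cipher protects the config block.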