[pfSense Support] which VPN do you recommended

2007-07-11 Thread Brent

I'm running pfSense version FreeBSD pfSense.local 6.1-RELEASE-p10, being used as
a business firewall / VPN machine. Users need to be able to VPN in from their
Windows laptops over the internet and reach a Windows machine on the internal network.
Which VPN product on the pfSense platform do you recommend? IPsec, OpenVPN...

thank you
--
Brent 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] which VPN do you recommended

2007-07-11 Thread João Henrique Freitas

Hello,

I have 10 sites with pfSense and OpenVPN and it works very well.


--
-
João Henrique Freitas - joaohf_at_gmail.com
Americana-SP-Brasil
BSD051283
LPI 1
http://paginas.terra.com.br/informatica/joaohf
http://www.livejournal.com/users/joaohf/


Re: [pfSense Support] which VPN do you recommended

2007-07-11 Thread Marco Loffredo

OpenVPN works fine










[pfSense Support] FTP and PFsense

2007-07-11 Thread The Wells Family
I have seen some discussion on this topic in the past and according to what
I have read, it is supposed to be resolved.  However I cannot get it to
work.  I know the FTP server is set up just fine because it is fully
accessible from within my LAN (using its LAN address).  However, no matter
how I try and connect from the WAN interface, it just times out.

According to what I have read, setting up a NAT rule to forward the FTP port
(21) from the WAN to the internal server and then letting pfSense create the
firewall rules (it created two) and then turning on the FTP helper
(un-checking it I believe) should get it done.  But no luck.  I have even
tried creating NAT and firewall rules for the dynamic ports.  My WAN IP is
public and my ISP is very good at not blocking anything so I am pretty sure
it is not my ISP.

Any suggestions?  As of this morning, I am running the latest stable version
of pfSense.

-  Dan



Re: [pfSense Support] dhcp failover--missing parameter in web interface?

2007-07-11 Thread LJ Rand
Please note that this may not just be a matter of preference to have the second 
pfsense box designated as secondary dhcp server.  I am also hoping it will 
resolve the issue I reported earlier of running out of free IPs from the 
dynamic range even before the stash is exhausted.  I have completely abandoned 
using dynamic dhcp in my setup because of this outstanding issue--did not get 
resolved even after dhcpd package was updated to the latest version.  Thanks.

LJ
- Original Message 
From: Scott Ullrich <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Monday, July 9, 2007 5:30:42 PM
Subject: Re: [pfSense Support] dhcp failover--missing parameter in web 
interface?

On 7/9/07, LJ Rand <[EMAIL PROTECTED]> wrote:
>
> I am running 1.2-beta-1 snapshot 05-11-2007 on 2 pfsense firewalls carp'ed 
> together.
>
> I configured dhcp server in failover mode for both firewalls, following 
> instructions.
>
> I do not see on the web interface how to set the second firewall as secondary 
> dhcp, so when I check the resultant /var/dhcpd/etc/dhcpd.conf file, both 
> firewalls consider themselves as primary.
>
> My preference is for all clients to take their dhcp address & configuration 
> from the first firewall, and only contact the second firewall when the first 
> one is down.
>
> I could manually edit the above dhcpd.conf file, but I don't want to keep doing 
> that every time I reload the configuration.
>
> Would someone please look into this issue?  Thanks.

Woops, I misread this originally.  Please ignore me.

Scott







   




[pfSense Support] Vulnerabities?

2007-07-11 Thread Ugo Bellavance

Hi,

We are comparing the use of pfSense and Cisco PIX to do IPsec tunnels,
firewalling, and QoS.

How does pfSense compare to PIX, on the topic of known vulnerabilities
and corrections?

Regards,

Ugo





Re: [pfSense Support] FTP and PFsense

2007-07-11 Thread Robert Goley
This is probably not the recommended method, but I have FTP set up using NAT 
port forwards from our public address to the private one with the FTP helper 
disabled.  I had to set up the FTP server to use a specific range of ports for 
the dynamic ports and then forwarded that range to the FTP server.  Fairly 
simple and no fancy dynamic rules.  The downside is that it does not work 
well with Multi-WAN and trying to access the same internal FTP server for 2 
different public addresses.  The FTP server has the limitation that it can 
only advertise a single public address based on the source address of the FTP 
client.  It is easy to set this up for LAN and a single WAN though.  

Robert 

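As an added example (not from the list or from pfSense itself), here is a small Python check for the passive-FTP setup Robert describes: it parses the server's PASV reply and reports whether the advertised address is the firewall's WAN address and whether the data port falls inside the forwarded range, which is the usual cause of the WAN-side timeouts Dan reports. The WAN address and the passive port range are constructed placeholders.

```python
import re
from ipaddress import ip_address

# Constructed placeholders for this example: the firewall's WAN address and the
# passive port range pinned on the FTP server and port-forwarded through NAT.
WAN_ADDRESS = "203.0.113.10"
PASV_RANGE = (50000, 50100)

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; raise ValueError on anything else."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, wan_address=WAN_ADDRESS, pasv_range=PASV_RANGE):
    """Return the reasons a WAN client's data connection would fail; [] means OK.

    Two things must hold for a client outside the firewall: the address the
    server advertises must be the firewall's WAN address (a LAN address is
    unreachable from the internet, so the client simply times out), and the
    data port must be one the firewall actually forwards.
    """
    problems = []
    ip, port = parse_pasv(reply)
    if ip != wan_address:
        hint = " (a private address)" if ip_address(ip).is_private else ""
        problems.append("advertised %s%s, expected WAN address %s" % (ip, hint, wan_address))
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the forwarded range %d-%d" % (port, lo, hi))
    return problems


def probe_pasv(host, user="anonymous", password="guest@", timeout=10):
    """Log in to your own server from the WAN side and return its raw PASV reply."""
    from ftplib import FTP
    with FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        return ftp.sendcmd("PASV")


if __name__ == "__main__":
    # Constructed replies: a correct one, one that leaks the LAN address
    # (what a client sees when the server is not told its public address),
    # and one that picks a data port outside the forwarded range.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,195,80)",
        "227 Entering Passive Mode (192,168,1,20,195,80)",
        "227 Entering Passive Mode (203,0,113,10,4,1)",
    ]
    for reply in samples:
        print(reply, "->", check_pasv(reply) or "OK")
```

Run `check_pasv(probe_pasv("your.public.host"))` from a machine outside the firewall to test the live setup; the constructed samples only exercise the parser.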



Re: [pfSense Support] Vulnerabities?

2007-07-11 Thread Bill Marquette

Please clarify.  If you are referring to IPS, you get what you pay for
(and in the case of PIX, I'm not convinced you actually do get what
you paid for).

--Bill




[pfSense Support] Re: Vulnerabities?

2007-07-11 Thread Ugo Bellavance

Bill Marquette wrote:

Please clarify.  If you are referring to IPS, you get what you pay for
(and in the case of PIX, I'm not convinced you actually do get what
you paid for).


Is there a history of security holes in these components of pfSense 
(PF, IPsec-Tools, QoS)?


Ugo





Re: [pfSense Support] Re: Vulnerabities?

2007-07-11 Thread Bill Marquette

I know of no official audit of our code.  Nor have I ever seen a post
to bugtraq, full-disclosure, or anything on secunia.  But take that
for what it's worth...nothing.

--Bill




[pfSense Support] Multiple Atheros Mini-PCI Cards on WRAP Platform with 1.2-BETA-2 ???

2007-07-11 Thread Tim Nelson
Hello! As the title states, I have a WRAP board with two Atheros cards 
running 1.2-BETA-2. Unfortunately, pfSense is only detecting one of the 
cards. Monowall is able to detect and use both. Is this a limitation of 
pfSense or a bug in this version? Here is the bootup log:


Dec 31 00:00:52 syslogd: kernel boot file is /boot/kernel/kernel
Dec 31 00:00:52 kernel: Copyright (c) 1992-2007 The FreeBSD Project.
Dec 31 00:00:52 kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Dec 31 00:00:52 kernel: The Regents of the University of California. All rights reserved.
Dec 31 00:00:52 kernel: FreeBSD is a registered trademark of The FreeBSD Foundation.
Dec 31 00:00:52 kernel: FreeBSD 6.2-RELEASE-p5 #0: Mon Jul 2 20:37:09 EDT 2007
Dec 31 00:00:52 kernel: [EMAIL PROTECTED]:/usr/obj.pfSense/usr/src/sys/pfSense_wrap.6
Dec 31 00:00:52 kernel: Timecounter "i8254" frequency 1193182 Hz quality 0
Dec 31 00:00:52 kernel: CPU: Geode(TM) Integrated Processor by National Semi (233.32-MHz 586-class CPU)
Dec 31 00:00:52 kernel: Origin = "Geode by NSC" Id = 0x540 Stepping = 0
Dec 31 00:00:52 kernel: Features=0x808131
Dec 31 00:00:52 kernel: real memory = 134217728 (128 MB)
Dec 31 00:00:52 kernel: avail memory = 121880576 (116 MB)
Dec 31 00:00:52 kernel: wlan: mac acl policy registered
Dec 31 00:00:52 kernel: ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
Dec 31 00:00:52 kernel: cpu0 on motherboard
Dec 31 00:00:52 kernel: pcib0:  pcibus 0 on motherboard
Dec 31 00:00:52 kernel: pci0:  on pcib0
Dec 31 00:00:52 kernel: ath0:  mem 0x8000-0x8000 irq 12 at device 13.0 on pci0
Dec 31 00:00:52 kernel: ath0: Ethernet address: 00:02:6f:45:f1:16
Dec 31 00:00:52 kernel: ath0: mac 10.4 phy 6.1 radio 6.3
Dec 31 00:00:52 kernel: sis0:  port 0x1000-0x10ff mem 0x8004-0x80040fff irq 10 at device 14.0 on pci0
Dec 31 00:00:52 kernel: sis0: Silicon Revision: DP83816A
Dec 31 00:00:52 kernel: miibus0:  on sis0
Dec 31 00:00:52 kernel: ukphy0:  on miibus0
Dec 31 00:00:52 kernel: ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
Dec 31 00:00:52 kernel: sis0: Ethernet address: 00:0d:b9:07:09:8c
Dec 31 00:00:52 kernel: Geode GPIO@ = f400
Dec 31 00:00:52 kernel: Geode PC Engines WRAP.2B/2C v1.11 tinyBIOS V1.4a (C)1997-2005
Dec 31 00:00:52 kernel: isab0:  port 0xf400-0xf43f,0xf600-0xf63f at device 18.0 on pci0
Dec 31 00:00:52 kernel: isa0:  on isab0
Dec 31 00:00:52 kernel: pci0:  at device 18.1 (no driver attached)
Dec 31 00:00:52 kernel: atapci0: controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 18.2 on pci0
Dec 31 00:00:52 kernel: ata0:  on atapci0
Dec 31 00:00:52 kernel: ata1:  on atapci0
Dec 31 00:00:52 kernel: pci0:  at device 18.3 (no driver attached)
Dec 31 00:00:52 kernel: Geode CBA@ 0x9000
Dec 31 00:00:52 kernel: Geode rev: 06 03
Dec 31 00:00:52 kernel: Timecounter "Geode" frequency 2700 Hz quality 1000
Dec 31 00:00:52 kernel: pci0:  at device 18.5 (no driver attached)
Dec 31 00:00:52 kernel: orm0:  at iomem 0xe-0xe7fff on isa0
Dec 31 00:00:52 kernel: ppc0: parallel port not found.
Dec 31 00:00:52 kernel: sio0 at port 0x3f8-0x3ff irq 4 flags 0x30 on isa0
Dec 31 00:00:52 kernel: sio0: type 16550A, console
Dec 31 00:00:52 kernel: sio1: configured irq 3 not in bitmap of probed irqs 0
Dec 31 00:00:52 kernel: sio1: port may not be enabled
Dec 31 00:00:52 kernel: Timecounters tick every 10.000 msec
Dec 31 00:00:52 kernel: Fast IPsec: Initialized Security Association Processing.
Dec 31 00:00:52 kernel: ad0: 488MB  at ata0-master PIO4
Dec 31 00:00:52 kernel: GEOM_LABEL: Label for provider ad0a is ufs/pfSense.
Dec 31 00:00:52 kernel: GEOM_LABEL: Label for provider ad0d is ufs/pfSenseCfg.
Dec 31 00:00:52 kernel: Trying to mount root from ufs:/dev/ufs/pfSense
Dec 31 00:00:52 kernel: sis0: link state changed to UP


Thank you!!!

--
Tim Nelson
Technical Consultant
Rockbochs Inc.





RE: [pfSense Support] Re: Vulnerabities?

2007-07-11 Thread Sean Cavanaugh
They openly list what versions of what components they use. You would have to 
reference the individual authors of said components to find their history of 
vulnerabilities.

As for the pfSense people, they have a habit of working on and fixing issues with 
the core of pfSense pretty soon after you notify them of the issue. It's not 
uncommon for the FIRST response to a problem report to be "try the snapshot in 
2 hours after the server does its scheduled rebuild", meaning they just 
incorporated a fix into the code. Try and get THAT level of service from Cisco.

-Sean





Re: [pfSense Support] Multiple Atheros Mini-PCI Cards on WRAP Platform with 1.2-BETA-2 ???

2007-07-11 Thread Tim Nelson

Never mind... please ignore my idiocy... one of my cards is bad... :-(

Tim Nelson
Technical Consultant
Rockbochs Inc.




Re: [pfSense Support] Re: Vulnerabities?

2007-07-11 Thread Rainer Duffner


Am 11.07.2007 um 20:53 schrieb Bill Marquette:


I know of no official audit of our code.  Nor have I ever seen a post
to bugtraq, full-disclosure, or anything on secunia.  But take that
for what it's worth...nothing.




A code audit of the GUI/back-end would be pretty nice.

But even if the code were audited, only a specific version (at a  
specific point in time) would have that certification.
For such a fast-evolving product as pfSense, that would be about as  
useful as EAL4-certifying a vanilla Linux kernel.


I think that once you disallow administration from WAN, have a  
restrictive real-DMZ setup that minimizes direct connections even  
from the LAN to the firewall (via proxies) and disable DHCP and DNS  
forwarding (and most everything else that is useful in small LANs),  
you should be pretty safe.
What's left are vulnerabilities in the FreeBSD kernel that might lead  
to DoS attacks - or worse. These attacks would have to be carried out  
via pure TCP/IP. It's not impossible (didn't OpenBSD have such a  
"remote hole" recently?) - but also not very likely to happen very  
often.
The PIX is not much different (OK, in theory only) in this respect -  
if the FreeBSD core team or Cisco knew of a remote hole in their  
respective software, they'd fix it (one hopes).
It's far more likely that a human misconfiguration occurs than that a bug  
in either of the two systems causes a security issue.




cheers,
Rainer
--
Rainer Duffner
CISSP, LPI, MCSE
[EMAIL PROTECTED]






Re: [pfSense Support] dhcp failover--missing parameter in web interface?

2007-07-11 Thread Vaughn L. Reid III
Also, with all of the money that you can save on technician costs and 
hardware by implementing something like pfsense, you might be able to 
afford an additional layer of transparent firewalling or some other 
security hardware/software or redundancy that you might otherwise be 
unable to afford.


-Vaughn Reid III




[pfSense Support] I hit reply to the wrong post..... oops

2007-07-11 Thread Vaughn L. Reid III

Oops!!!  I didn't realize I had jumped topics.  :(

Vaughn Reid III




Re: [pfSense Support] Re: Vulnerabities?

2007-07-11 Thread Chris Buechler
On Wed, 2007-07-11 at 23:38 +0200, Rainer Duffner wrote:
> Am 11.07.2007 um 20:53 schrieb Bill Marquette:
> 
> > I know of no official audit of our code.  Nor have I ever seen a post
> > to bugtraq, full-disclosure, or anything on secunia.  But take that
> > for what it's worth...nothing.
> >
> 
> 
> A code audit of the GUI/back-end would be pretty nice.

But at this point, largely pointless. If you can touch any PHP page now,
you have root access (you must first pass HTTP basic auth). We know
there are probably issues in a number of the pages, but it doesn't
matter. No point in worrying about what someone with root access can do
to your system - they, by definition, can do anything. Nobody is going
to try to exploit PHP bugs when they have root access already. 

The things to worry about would be FreeBSD issues, and issues in
included components. None of the included components have a bad security
track record. Rainer's post contained a number of other good points I
won't duplicate. 

I use PIX firewalls extensively. To compare vulnerabilities based on my
memory from the last couple of years, the PIX has had quite a few more
(though not very many itself). We have actually yet to release a single
pfSense version for security reasons; none of the FreeBSD and related
vulnerabilities discovered have been applicable to the system at this
point (knock on wood). 







[pfSense Support] spoke and hub ipsec vpn?

2007-07-11 Thread Jonathan Horne
If I am site A, and I have an IPsec VPN to site B and site C, right now I 
can ping from A-B and from A-C (and vice versa).  Is there any way to set up 
to allow site B to ping site C without setting up a tunnel between them (i.e., 
to pass through site A)?

just curious,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
[EMAIL PROTECTED]




RE: [pfSense Support] spoke and hub ipsec vpn?

2007-07-11 Thread Tunge2
I don't think this is possible... it's well possible with
OpenVPN.




[pfSense Support] How to customize the captive portal login page.

2007-07-11 Thread Bassam A. Al-Khaffaf
Dear All, 

I am trying to build a commercial Wi-Fi network using pfSense where I
need to have a customized login page, and I would appreciate your efforts to
help me.

Please let your answers be after each and every question.

1-   Can I replace the user login page (the pfSense portal page) with an
external one hosted on a different server? I mean to redirect the captive
portal login page to a different one.

2-   If yes, then how do I configure pfSense to do that, and what must the
essential login page code be?

3-   If no, can I customize the login page that resides inside pfSense,
and where can I find the login page file in pfSense?

Best Regards

Bassam



Re: [pfSense Support] Re: Vulnerabities?

2007-07-11 Thread sai

On 7/12/07, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:
.
.

 as for the pfSense people, they have a habit of working and fixing issues
with the core of pfSense pretty soon after you notify them of the issue. its
not uncommon for the FIRST response to a problem report to be "try the
snapshot in 2 hours after the server does its scheduled rebuild" meaning
they just incorporated a fix into the code. try and get THAT level of
service from cisco.

 -Sean



Scott seems to have fixed quite a few bugs BEFORE they are reported.
I found a small bug ("ah, finally get to contribute something!") and
the response was that this was fixed several days ago.

:-(

sai
