Re: [pfSense Support] Error while building pfSense on FreeBSD 6.3 and 7

2008-07-01 Thread Ahmed Abdallah
Is there no way of building pfSense now? I need to do that urgently, so please,
if anyone knows how to build it in this state, advise me.

Gary, this is the same post I saw before, so we're on the same tune now :)

On Mon, Jun 30, 2008 at 6:37 PM, Gary Buckmaster <[EMAIL PROTECTED]>
wrote:

> Check out the 6/23 email from Chris Buechler entitled: build_iso.sh Error
> during compiling.
>
>
>
> Ahmed Abdallah wrote:
>
>> Thanks Gary,and I surely read the mailing list, and found some stuff
>> talking about that but not in the past "few" days, but I also found some
>> guys talking about being able to build it successfully, so I didn't know if
>> the building process is still broken or not. Anyway, thanks for the reply


-- 
Ahmed Abdalla
--Systems Engineer
Linux-Plus Information Systems L.L.C
Tel : +20 2 2527 6616
EXT : 806
Fax : +20 2 2526 1055
Mobile : +20 10 688 9009
email : [EMAIL PROTECTED]
website : http://www.linux-plus.com


Re: [pfSense Support] Error while building pfSense on FreeBSD 6.3 and 7

2008-07-01 Thread Paul Mansfield

Ahmed Abdallah wrote:
> Is there no way of building pfSense now? I need to do that urgently,
> so please, if anyone knows how to build it in this state, advise me.

What is it you're looking for?
You can still find working mirrors of FreeBSD 6.2 if you need packages to
add.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Error while building pfSense on FreeBSD 6.3 and 7

2008-07-01 Thread Ahmed Abdallah
On Tue, Jul 1, 2008 at 12:41 PM, Paul Mansfield <[EMAIL PROTECTED]>
wrote:

> What is it you're looking for?
>
I want to add some customization in the web interface, so I guess I need to
build pfSense.

> Is there no way of building pfSense now? I need to do that urgently, so
> please, if anyone knows how to build it in this state, advise me.
>
You mean to be able to build it using the DevIso?


On Tue, Jul 1, 2008 at 12:41 PM, Paul Mansfield <[EMAIL PROTECTED]>
wrote:

> Ahmed Abdallah wrote:
>>
>>> Is there no way of building pfSense now ? I need to do that urgently, so
>>> plz if anyone knows how to build it in this state advice me ?
>>>
>>>
>>  what is it you're lookign for?
> you can still find working mirrors of freebsd6.2 if you need packages to
> add.
>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>




Re: [pfSense Support] Error while building pfSense on FreeBSD 6.3 and 7

2008-07-01 Thread Bill Marquette
On Tue, Jul 1, 2008 at 4:02 AM, Ahmed Abdallah <[EMAIL PROTECTED]> wrote:
> Is there no way of building pfSense now? I need to do that urgently, so please,
> if anyone knows how to build it in this state, advise me.

Did you bother to try the document I pointed you at?

--Bill




Re: [pfSense Support] Error while building pfSense on FreeBSD 6.3 and 7

2008-07-01 Thread Gary Buckmaster
If you want to customize the web interface, you can do that on the 
working system; you don't need to build a new ISO for that.  Simply edit 
the PHP.  If you're trying to make a pfSense clone with your 
customizations, that's another thing entirely, and then yes, you would 
need to be able to build.  The link that Bill provided you should be 
everything you need. 


Ahmed Abdallah wrote:

> I want to add some customization in the web interface, so I guess I 
> need to build pfSense









[pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Atkins, Dwane P
Is there a way that I can disable SSH from my private side address to
the default gateway or in this case, the LAN address?  Can I do it via a
Linux command?

In other words, if my LAN interface is 10.6.5.8 and my DHCP (private
side) addresses are 10.6.5.10 - .100, I want to ensure that those
addresses cannot SSH into the private side address.

Thank you

Dwane Atkins
210-567-0158
[EMAIL PROTECTED]



Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Ron Blanchett
Just add a reject or drop rule on the LAN interface.
Specify a source range and make the destination address your LAN
interface address and the port 22.

Simple as that.

-Ron





-- 
Ronald Reagan  - "Recession is when a neighbour loses his job.
Depression is when you lose yours."




RE: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Atkins, Dwane P
Ron,

Thanks for the quick answer.  

I have a LAN rule that I assumed stated deny tcp any Lan Interface eq
ssh.  

If the DHCP address and the lan gateway are in the same subnet, it
doesn't appear to work.  

Another question about firewall rules: do they read from top to
bottom?  I have put these denies above the permit ip any any statement
in the LAN rules.

Am I doing something wrong?

Dwane




Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread RB
> If the DHCP address and the lan gateway are in the same subnet, it
> doesn't appear to work.
Because it's not that simple, pfSense has an anti-lockout rule by
default.  To disable, check:

Advanced -> Misc -> "webGUI anti-lockout"

> Another question about Firewall Rules are do they read for top to
> bottom?  I have put these denies above the permit ip any any statement
> in the Lan rules.

Yes, they read as the English language would, top to bottom.




Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Ron Blanchett
Yes, rules read top to bottom.

Please attach a copy of your rule as it is displayed on the LAN firewall
tab. This will help in finding the problem with the rule.

-Ron




-- 
Steven Wright  - "A lot of people are afraid of heights. Not me, I'm
afraid of widths."




RE: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Atkins, Dwane P
 

Proto  Source   Port  Destination  Port      Gateway  Schedule  Description
-----  -------  ----  -----------  --------  -------  --------  ---------------------------------
TCP    *        *     LAN address  22 (SSH)  *                  No SSH from inside to Lan address
TCP    *        *     WAN address  22 (SSH)  *                  Disallow SSH to Wan route
*      LAN net  *     *            *         *                  Default LAN -> any


Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Ron Blanchett
I think we would be looking more for
Advanced -> Misc -> Bypass firewall rules for traffic on the same interface.

It should be disabled in this case since he is looking to create rules
that apply to the LAN interface and not the GUI.

-Ron




-- 
Diogenes  - "What I like to drink most is wine that belongs to others."




Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Ron Blanchett
Your rule is right; just disable 'Advanced -> Misc -> Bypass firewall
rules for traffic on the same interface' and it should work.

-Ron




-- 
Will Rogers  - "I don't make jokes. I just watch the government and
report the facts."




Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread RB
> I think we would be looking more for
> Advanced -> Misc -> Bypass firewall rules for traffic on the same interface.

I am far from a pf wizard, but the following is the rule created
without that checkbox:

pass in quick on fxp0 inet from any to 192.168.1.1 keep state label
"anti-lockout web rule"

Unless I'm way off-base, that says "allow anything from the LAN
interface to the router's IP".  It's not port-based.

Furthermore, the comment before the implementation of the option you
espouse (in /etc/inc/filter.inc) reads thus:

/* pass traffic between statically routed subnets and the subnet on the
   interface in question to avoid problems with complicated routing
   topologies */

I do not think that means what you think it means.




Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Chris Buechler

Ron Blanchett wrote:

> I think we would be looking more for
> Advanced -> Misc -> Bypass firewall rules for traffic on the same interface.


No, that's for use with static routes, because the asymmetric routing 
you tend to end up with in those situations breaks stateful filtering.


Disabling the anti-lockout rule is necessary to block access to the LAN 
IP from internal networks.







Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Ron Blanchett
I stand twice corrected, thank you for correcting my misunderstanding
of this option.







RE: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Atkins, Dwane P
My question to all would be that since the DHCP address range and the
Lan interface are on the same subnet, would using rules to deny SSH do
us any good?  Would the layer 2 access allow connection to the interface
and basically bypass the firewall rules or do rules get checked prior to
allowing access?  

Does this make sense?  

If in fact the Lan Rule does not apply, is there a way that I can stop
users from being able to ssh to the Lan or Wan interface?

Thanks

Dwane




Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread Chris Buechler

Atkins, Dwane P wrote:

> My question to all would be that since the DHCP address range and the
> Lan interface are on the same subnet, would using rules to deny SSH do
> us any good?

Yes.

> Would the layer 2 access allow connection to the interface
> and basically bypass the firewall rules or do rules get checked prior to
> allowing access?

It won't block any layer 2 access to the firewall, but you can't access 
any services with just layer 2 (and can't block L2 if you need the 
firewall to be able to pass anything at all). If you block this on the 
LAN interface for any source, and have disabled the antilockout, you're 
in good shape.






Re: [pfSense Support] Disable SSH to the private side interface

2008-07-01 Thread RB
> My question to all would be that since the DHCP address range and the
> Lan interface are on the same subnet, would using rules to deny SSH do
> us any good?  Would the layer 2 access allow connection to the interface
> and basically bypass the firewall rules or do rules get checked prior to
> allowing access?

If you check the "Disable webGUI anti-lockout rule" checkbox I
outlined earlier, your LAN will be treated as another default-deny
interface (like OPT interfaces) and will require rules to allow
clients connectivity*.  Unless configured to bridge (and act as a
filtering bridge) pfSense generally operates at layer 3.  This means
that although clients may be able to ARP your LAN interface or pass it
various bits of L2 traffic, they cannot bypass the layer-3
restrictions set up by the firewall.  The "Bypass firewall rules for
traffic on the same interface" bit was a red herring and should be
disregarded at this point.

> If in fact the Lan Rule does not apply, is there a way that I can stop
> users from being able to ssh to the Lan or Wan interface?

See above.  Since the interface will be default-deny you'd actually
have to set up a rule to allow clients to SSH.  Even further, you're
also probably going to have to set up rules to allow clients to reach
DNS on the pfSense box and any other services (like captive portal) it
may be providing.  Including getting out to the internet.  See the
following (rather paranoid) set of rules:
http://imagebin.ca/view/jI-5sz.html


* - There is one caveat: pfSense always has a rule to allow DHCP
traffic on the LAN interface, regardless of disabling the anti-lockout
rule.

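As an added illustration of the two points RB makes above (the anti-lockout rule being a port-agnostic "pass quick" ahead of the user's rules, and the LAN becoming default-deny with DHCP still allowed once it is disabled), here is a small Python model of pf rule evaluation on the LAN interface. It is not code from the thread or from pfSense: the addresses are Dwane's (LAN 10.6.5.8, clients in 10.6.5.0/24), and the generated rules and the evaluator are simplified assumptions rather than pfSense's real filter.inc output.

```python
# Added example, not from the thread: a toy model of pf rule evaluation on the
# pfSense LAN interface. Addresses come from Dwane's post (LAN 10.6.5.8, DHCP
# clients 10.6.5.10-.100); the generated rules are simplified assumptions,
# not pfSense's real filter.inc output.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN_IP = ip_address("10.6.5.8")
LAN_NET = ip_network("10.6.5.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    quick: bool                 # pf 'quick': stop evaluating on match
    proto: Optional[str]        # "tcp", "udp", or None for any protocol
    src: Optional[IPv4Network]  # None = any source
    dst: Optional[IPv4Address]  # None = any destination
    dport: Optional[int]        # None = any destination port
    label: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or pkt.src in rule.src)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: the LAST matching rule wins, unless a matching rule is
    'quick', which ends evaluation immediately. pfSense puts a 'block all'
    ahead of everything, modelled here as the initial verdict."""
    verdict = "block"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def lan_ruleset(anti_lockout: bool) -> List[Rule]:
    rules = []
    if anti_lockout:
        # Emitted ahead of the user's rules, any protocol, any port (cf. RB's
        # pfctl output: pass in quick ... from any to <LAN IP> keep state)
        rules.append(Rule("pass", True, None, None, LAN_IP, None,
                          "anti-lockout web rule"))
    # DHCP to the firewall stays allowed on LAN regardless of anti-lockout
    # (RB's caveat); simplified here to 'udp to LAN IP port 67'
    rules.append(Rule("pass", True, "udp", None, LAN_IP, 67, "allow dhcp on lan"))
    # Dwane's LAN tab, top to bottom; pfSense emits user rules as 'quick',
    # which is why they behave as first-match
    rules.append(Rule("block", True, "tcp", None, LAN_IP, 22,
                      "No SSH from inside to Lan address"))
    rules.append(Rule("pass", True, None, LAN_NET, None, None,
                      "Default LAN -> any"))
    return rules


def verdict(anti_lockout: bool, proto: str, src: str, dst: str, dport: int) -> str:
    pkt = Packet(proto, ip_address(src), ip_address(dst), dport)
    return evaluate(lan_ruleset(anti_lockout), pkt)


if __name__ == "__main__":
    # SSH from a DHCP client to the LAN address: passes while anti-lockout
    # is on, blocked once it is disabled
    print(verdict(True, "tcp", "10.6.5.50", "10.6.5.8", 22))   # pass
    print(verdict(False, "tcp", "10.6.5.50", "10.6.5.8", 22))  # block
    # DHCP still reaches the firewall either way
    print(verdict(False, "udp", "10.6.5.50", "10.6.5.8", 67))  # pass
```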



[pfSense Support] In IPSec, phase 1 auth mode rsa signature generates errors

2008-07-01 Thread Chuck Benson
racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 
'peers_certfile x509 "peer1-signed.pem";' instead
racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This 
directive without certtype will be removed!


Also, it appears that the peer identifier gets set to address, even when 
you have fqdn for my_identifier and want to make things symmetric.


Am I missing something, or must I use just what is used in the example 
to get this to work?


Chuck Benson

