[pfSense Support] strategies for an internet cafe

2008-09-26 Thread lartc
hi all,

i've got a small internet cafe on a lan behind pfsense (soekris net
4801). works great.

yesterday (not the first time) someone connected up their laptop, which
started spewing spam mail.

is there a suggested config for rate limiting smtp connections, and the
like, for a `public` connection zone? i've got a free port on the
soekris, so i could have a `public dmz` if necessary.

thanks in advance

charles


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] strategies for an internet cafe

2008-09-26 Thread Vivek Khera
On Fri, Sep 26, 2008 at 8:45 AM, lartc <[EMAIL PROTECTED]> wrote:
> hi all,
>
> i've got a small internet cafe on a lan behind pfsense (soekris net
> 4801). works great.
>
> yesterday (not the first time) someone connected up their laptop, which
> started spewing spam mail.

Just plain disallow direct to port 25 connections.  There's no reason
for it for random client machines.  If they need to use their own ISP
or office mail server, they can use the SMTP submission port, or a
VPN.




Re: [pfSense Support] strategies for an internet cafe

2008-09-26 Thread Joe Laffey

On Fri, 26 Sep 2008, Vivek Khera wrote:

> On Fri, Sep 26, 2008 at 8:45 AM, lartc <[EMAIL PROTECTED]> wrote:
>> hi all,
>>
>> i've got a small internet cafe on a lan behind pfsense (soekris net
>> 4801). works great.
>>
>> yesterday (not the first time) someone connected up their laptop, which
>> started spewing spam mail.
>
> Just plain disallow direct to port 25 connections.  There's no reason
> for it for random client machines.  If they need to use their own ISP
> or office mail server, they can use the SMTP submission port, or a
> VPN.


The problem with this is that most people have no clue how to use a 
submission port or a VPN. So at a cafe blocking port 25 will basically be 
tantamount to telling about 90% of your users to go away and not come to 
your cafe. They will go to another cafe where they can send mail without 
trouble.

It's a tough problem because you want to block the spam without driving 
away your customers.

You could try traffic shaping port 25. You could give it 20 seconds of 
high bandwidth followed by shaping down to something really slow.

The bigger problem is that your IPs will get blacklisted as spammers.

--
Joe Laffey              |   Visual Effects for Film and Video
LAFFEY Computer Imaging | ------------------------------------
St. Louis, MO           |   Show Reel http://LAFFEY.tv/?e11924
USA                     | ------------------------------------
                        |   -*- Digital Fusion Plugins -*-
--




Re: [pfSense Support] strategies for an internet cafe

2008-09-26 Thread Víctor Pasten
What if you install your own spam filter?

What if you install your own spam filter, checking all traffic on port 25?






Re: [pfSense Support] strategies for an internet cafe

2008-09-26 Thread RB
>> Just plain disallow direct to port 25 connections.  There's no reason
>> for it for random client machines.  If they need to use their own ISP
>> or office mail server, they can use the SMTP submission port, or a
>> VPN.

Ditto; most SMTP service providers recognize that 25 outbound is
disallowed in many places and have both provided alternate ports and
the instructions on how to use them.

> The problem with this is that most people have no clue how to use a
> submission port or a VPN. So at a cafe blocking port 25 will basically be
> tantamount to telling about 90% of your users to go away and not come to
> your cafe. They will go to another cafe where they can send mail without
> trouble.

I strongly disagree - I run a pair of pfSense boxes at the head of a
very large public wifi network, outright rejecting all tcp/25 traffic
and have had precisely one complaint: from an internal employee who
was trying to get their personal laptop on and use it for their home
mail.  A short chat later, they learned to use their ISP's
authenticated server and stopped complaining.

> You could try traffic shaping port 25. You could give it 20 seconds of high
> bandwidth followed by shaping down to something really slow.

An alternative would be to set an allow rule with a rate-limit on the
port (allow 1/sec), immediately followed by a deny rule.  This
wouldn't stop some spam, but it would very seriously hinder it.

Although setting up a spam filter would be nice, that's likely more
overhead and headache than you will want to engage.  Especially since
you'd be scanning random end-users' email and dictating whether it is
sufficiently righteous to pass.  Not ground I'd want to encroach on.


RB

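RB's approach above (a rate-limited allow followed by a deny, with the submission ports left open as Vivek suggested), written out as an added example in raw pf.conf syntax. This is neither the thread's own configuration nor what pfSense's rule generator emits; the interface name and LAN network are placeholders.

```pf
# Added example: rate-limit direct SMTP from cafe clients, pf.conf syntax.
# Placeholders (not from the thread): LAN interface name and client network.
lan     = "sis1"            # assumed LAN interface on the Soekris
lan_net = "192.168.1.0/24"  # assumed cafe client network

# Sources that exceed the rate are added here; 'persist' keeps the table
# alive even when no loaded rule currently references it.
table <smtp_abusers> persist

# 1. A flagged source gets nothing on tcp/25 until it is expired from the
#    table.  'log' so the operator can see which client went off the rails.
block in log quick on $lan proto tcp from <smtp_abusers> to any port 25

# 2. Everyone else may open at most one new tcp/25 connection per second.
#    'flags S/SA' makes only connection attempts create state, so only
#    new connections are counted; exceeding the rate adds the source to
#    <smtp_abusers>, and 'flush global' kills all of that source's existing
#    states, not just the SMTP ones.
pass in quick on $lan proto tcp from $lan_net to any port 25 \
    flags S/SA keep state \
    (max-src-conn-rate 1/1, overload <smtp_abusers> flush global)

# 3. Submission (587) and SMTPS (465) stay unrestricted: a mail client that
#    authenticates to its own provider uses these, direct-to-MX spam needs 25.
pass in quick on $lan proto tcp from $lan_net to any port { 465 587 } \
    flags S/SA keep state

# 4. Anything still reaching this point on tcp/25 (e.g. a source outside
#    $lan_net) is dropped.
block in quick on $lan proto tcp to any port 25

# Release flagged clients after an hour (run periodically from cron):
#   pfctl -t smtp_abusers -T expire 3600
```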



RE: [pfSense Support] strategies for an internet cafe

2008-09-26 Thread Raylund Lai
Try the solution from Untangle.  Set it up with spam filtering and as a
transparent bridge in between your LAN and pfSense.

-Raylund




[pfSense Support] "rule label too long" and ipsec?

2008-09-26 Thread Rob Terhaar
I know that the rule label too long bug has been around in varying
degrees for a while... but this one might be unique (?)
We're using 1.2 release.

Here's what's happening:

php: : New alert found: There were error(s) loading the rules:
/tmp/rules.debug:289: rule label too long (max 63 chars)
/tmp/rules.debug:290: rule label too long (max 63 chars)
/tmp/rules.debug:291: rule label too long (max 63 chars)
/tmp/rules.debug:292: rule label too long (max 63 chars)
/tmp/rules.debug:293: rule label too long (max 63 chars)
/tmp/rules.debug:294: rule label too long (max 63 chars)
/tmp/rules.debug:295: rule label too long (max 63 chars)
/tmp/rules.debug:296: rule label too long (


289: pass out quick on $wan proto udp from any to xx.xx.xx.52 port =
500 keep state label "IPSEC: RDI ->2nd lan - outbound isakmp"

all of the other lines are also related to IPSEC. I shortened this
ipsec tunnel description and the errors went away; could this be a
bug?




Re: [pfSense Support] "rule label too long" and ipsec?

2008-09-26 Thread Paul Mansfield
Rob Terhaar wrote:
> I know that the rule label too long bug has been around in varying
> 500 keep state label "IPSEC: RDI ->2nd lan - outbound isakmp"

try taking out the '>'; I have been bitten before by a bug with it not
quoting XML reserved chars





Re: [pfSense Support] strategies for an internet cafe

2008-09-26 Thread lartc
hi all,

thanks for all your thoughts ...

this was actually a case of an unsuspecting microf...ing windblowz user
infected with a fakealert virus -- sending thousands of e-mails.

i'm thinking about creating an `untrusted` subnet on a free pfsense port
and proxying 25 & 465 to a postfix/amavis setup that can rate limit and
reject ...

>Try the solution from Untangle.  Set it up with spam filtering and as
>transparent bridge in between your lan and pfsense.
haven't heard of this, so i'll check it out -- but since i'm running
embedded, my resources are a bit limited.


thanks again

charles









Re: [pfSense Support] importing from multiple iptables ... BOUNTY $100

2008-09-26 Thread RB
On Tue, Sep 23, 2008 at 10:29, Glenn Kelley <[EMAIL PROTECTED]> wrote:
> sorry - did not mean to sound Ape-ish :-)
>
> I am pretty easy to get along with - or so I hope.

I was a tad harsh; I just think there are better ways to deal with
spam and attackers than blanket deny rules for whole regions.  Some
admins, however, are [forced to be] in emergency mode and don't have
the luxury of more esoteric solutions and need a right-now fix, in which
case the approach would be more acceptable.

> I thought snort was in there as a package - but sure enough - it's not.
> Seems it dropped out.
My checks concur; maybe it'll re-enter with 1.3.

I think the ideal setup with SnortSAM would be to get a package for it
rolled for pfSense; you then would need 'samtool' (not built by
default when building SnortSAM) on your system that's centrally
collecting the logs, and write a short shell script to use it and the
logs to execute blocks.  None of it really requires Snort anyway, just
the [pretty simple] daemon running on pfSense, maybe a short
configuration screen setting up secrets and what IPs can access it.
For those in a hurry, 'pkg_add -r snortsam' would get you a long way
there.

RB




Re: [pfSense Support] "rule label too long" and ipsec?

2008-09-26 Thread Rob Terhaar
On Fri, Sep 26, 2008 at 11:14 AM, Paul Mansfield
<[EMAIL PROTECTED]> wrote:
> Rob Terhaar wrote:
>> I know that the rule label too long bug has been around in varying
>> 500 keep state label "IPSEC: RDI ->2nd lan - outbound isakmp"
>
> try taking out the '>', I have been bitten by a bug with it not quoting
> XML reserved chars before

Perhaps this is the bug then? ">" should be sanitized from all fields.




Re: [pfSense Support] importing from multiple iptables ... BOUNTY $100

2008-09-26 Thread Glenn Kelley

RB

RE Snort: it's actually back with 1.2.1rc

glenn



[pfSense Support] ntop still not installing

2008-09-26 Thread JJB
There do not seem to be any stuck processes. Also, as I understand it 
the install process seems to use the local web browser to do the 
download and install; if you navigate away from the page the install 
will not complete. Other packages install just fine. Could there be a 
problem with wherever pfSense is downloading the package from? If the 
other packages complete the download and this one doesn't, I would 
imagine it might be related to the site it is being downloaded from. 
Anyone know where that is, and who to contact? On the packages page it 
says: Maintainer: Nobody. Apply for it! 
Does that affect where it is hosted and who makes sure the download 
server is working?


Thanks

Joel




RE: [pfSense Support] ntop still not installing

2008-09-26 Thread Tim Dickson
Just my 2 cents, but ntop is VERY unstable right now (and not maintained, as
you can see).
I would avoid putting it on your box... instead run it on a separate box if
you want to use it.

I've never had it crash my pfSense box, but keeping it (ntop) running is a
whole 'nother story... you'll be lucky if you can keep it up for more than a
few minutes at a time.
-Tim




Re: [pfSense Support] ntop still not installing

2008-09-26 Thread JJB

Thanks!

- Joel




[pfSense Support] darkstat - reverse dns lookups?

2008-09-26 Thread JJB
Since ntop isn't working, I installed darkstat, which seems to pretty 
much do the job that I wanted ntop to do. I set it to track the LAN 
interface. For some reason I'm getting DNS resolution for all the 
external websites, but not for internal IP addresses. Is there any way 
to get DNS names for internal workstations as well as external servers? 
That way I could (quickly) figure out which internal machines are eating 
the most bandwidth.  Otherwise, I have to jump through a bunch of hoops 
to get that information.


Thanks

- Joel




[pfSense Support] darkstat - nevermind.

2008-09-26 Thread JJB

Actually it is working...

My apologies.

Joel





Re: [pfSense Support] ipv6 possibility

2008-09-26 Thread Beat Siegenthaler
RB wrote:

> 
> This question comes back up every few months, and every time I wonder:
> what is the justification case for IPv6?  

Maybe it's the simple argument:
Jump on the train!!!
Hype or not, IPv6 is coming. Leave the "we're running out of IPs" yells aside
this time.

It's like talking about how a cellular does not need a camera.
Or how cameras with more than 5 megapixels are never needed.
Or "640k is enough". Take it or leave it as a customer. But: take it or
disappear as a manufacturer.

I love pfSense!!

But I play around with IPv6 because I want to have an advance.

If there is suddenly another project that has IPv6 and it is similar to
pfSense: bye bye faithfulness. Many good products went this way...


Last point:

The energy we put into NAT, overlapping networks and strange VPNs in legacy
v4 is enormous. Many of these problems are nonexistent with v6.
And a firewall would again be what it always was:
a routing device where I can enforce who, what, when and why can talk to
some other node.





[pfSense Support] DHCP : interface not found

2008-09-26 Thread Alfred Sawaya
Hello,

I have some trouble with pfSense: I would like to enable the DHCP server
on one of my interfaces (xl0). I have 3 interfaces: 2 LAN (fxp0 and xl0),
1 WAN (rl0).

I do everything right to enable DHCP but I have this in the log:

Sep 27 00:57:04 dhcpd: xl0: not found

Why doesn't it find my interface? How can I fix it?

Thanks !

Regards.

-- 
.:: Alfred Sawaya ::.







[pfSense Support] Doesnt work make install Command

2008-09-26 Thread Koray AGAYA
Hi All;

I installed the whole FreeBSD ports collection under /usr/ports/*.*  But I
didn't manage to use the make install command. How can I make it work? Please help me

For example,

To install the Nano text editor

$ cd /usr/ports/editors/nano
$ make install


Error: bash: make: command not found


Information:

My pfSense is on FreeBSD 6.2-RELEASE-p11


Re: [pfSense Support] Doesnt work make install Command

2008-09-26 Thread Chris Buechler
On Fri, Sep 26, 2008 at 7:51 PM, Koray AGAYA <[EMAIL PROTECTED]> wrote:
> Hi All;
>
> I installed the whole FreeBSD ports collection under /usr/ports/*.*  But I didn't
> manage to use the make install command. How can I make it work? Please help me
>

You can't. Use pkg_add.




Re: [pfSense Support] DHCP : interface not found

2008-09-26 Thread Chris Buechler
On Fri, Sep 26, 2008 at 7:17 PM, Alfred Sawaya <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I've some troubles with pfsense : I would like to enable the DHCP server
> on one of my interface (xl0). I've 3 interfaces : 2 LAN (fxp0 and xl0),
> 1 WAN (rl0).
>
> I do everything right to enable DHCP but I've this in log :
>
>Sep 27 00:57:04 dhcpd: xl0: not found
>

How do you have it configured? Can you send screenshots, or your
config.xml from status.php?




Re: [pfSense Support] DHCP : interface not found

2008-09-26 Thread Alfred Sawaya
Sure:

Config file of my interfaces:

... LAN and WAN ...

xl0
DINIAE

192.168.22.1
24

00:16:d4:a2:3c:da

And my DHCP server config file:

192.168.22.100
192.168.22.150

Thanks for the help!
