Re: [pfSense Support] blocking spammers xml
to bring up an old conversation...

We literally have seen a drop in spam across the network of about 93%. I have redirected the mail coming from those IP ranges to a different server - and pretty much 99% (all but just a few emails) were actually junk mail.

Great stuff. :-)

On Sep 23, 2008, at 12:20 AM, Glenn Kelley wrote:

I did these a little different... in XML I added in filters section

    <filters>
      <rule>
        <type>block</type>
        <interface>wan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os></os>
        <protocol>tcp/udp</protocol>
        <source>
          <address>spammers</address>
        </source>
        <destination>
          <any/>
          <port>25</port>
        </destination>
        <descr>spammers</descr>
      </rule>
    </filters>

then below the rules / filters section

    <aliases>
      <alias>
        <name>spammers</name>
        <address>66.0.0.0/8 66.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 116.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 194.0.0.0/8 195.0.0.0/8 200.0.0.0/8 201.0.0.0/8 202.0.0.0/8 203.0.0.0/8 210.0.0.0/8 190.0.0.0/8</address>
        <descr>SMTP Block Known Spam Networks</descr>
        <type>network</type>
        <detail>smtp block spam Canada||smtp block Spam Canada||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Asia||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||</detail>
      </alias>
    </aliases>

Seems to work well.

On Sep 22, 2008, at 9:25 PM, Derrick Conner wrote:

I've attached my cleaned up XML of all the subnets I block. Feel free to post it, or whatever you want to do with it. I would have sent it to Joe Laffey, but I think my spam filter got him.

Derrick

-Original Message-
From: Glenn Kelley [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2008 10:43 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] blockign china

I would need to know perl. I have given my wife a few of those in the past, hmmm, going to her jewelry box.

All kidding aside - I think you're right. I will see what I can come up w/ - I think this might help the pfsense community @ large.

In fact - it seems simple enough - it might make a very simple pkg. Just a thought - I think if it were a pkg - it could then parse those lists every month or so - cron job 1 time per month - and then reinject the changes. This way it stays up to date...

I would say 95% of the hacking attempts we are seeing in our datacenter are all out of China and Korea - the last 5% would be say 4% from Russia and 1% from script kiddies in the US.

Then again 99.256% of all statistics are made up 98.721% of the time. I know my #'s are close however.

Glenn

On Sep 22, 2008, at 10:08 AM, Joe Laffey wrote:

On Mon, 22 Sep 2008, Glenn Kelley wrote:

Thanks Joe - I saw that... My concern was typing all of those into the system one by one by one... It's okay if I gotta do it :-) My hope was that someone already has - and that they could put out that part of their xml file - so the community could all benefit.

I would think you could write a perl script to convert those into a segment of XML that you could then paste into a saved config. Then reload that config.

--
Joe Laffey
LAFFEY Computer Imaging, St. Louis, MO, USA
http://LAFFEY.tv/?e11861
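Joe Laffey's suggestion in the thread above (script the conversion of a network list into an XML segment for a saved config), as an added Python example that is not code from the thread: it validates and de-duplicates the ranges (the posted alias lists 66.0.0.0/8 twice), emits an alias element in the layout Glenn posted, and reports how much of the IPv4 space the alias covers. The sample entries, function names and the handling of "|" in notes are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: (network, note) pairs such as a script might
# read from a blocklist file. Not taken from anyone's real configuration.
SAMPLE = [
    ("66.0.0.0/8", "smtp block Spam Canada"),
    ("66.0.0.0/8", "smtp block Spam Canada"),     # duplicate entry
    ("78.0.0.0/8", "smtp block Spam Amsterdam"),
    ("200.0.0.5/8", "smtp block Spam Mexico"),    # host bits set by mistake
    ("not-a-network", "typo in the source list"),
]


def normalize(entries):
    """Validate and de-duplicate entries, keeping first-seen order.

    Returns (kept, rejected): kept is a list of (IPv4Network, note),
    rejected is the list of strings that did not parse as IPv4 networks.
    """
    seen, kept, rejected = set(), [], []
    for cidr, note in entries:
        try:
            # strict=False masks stray host bits: 200.0.0.5/8 -> 200.0.0.0/8
            net = ipaddress.IPv4Network(cidr.strip(), strict=False)
        except ValueError:
            rejected.append(cidr)
            continue
        if net in seen:
            continue
        seen.add(net)
        # "||" separates per-entry notes in <detail>, so a literal "|"
        # inside a note is replaced (assumption: notes are free text).
        kept.append((net, note.replace("|", "/")))
    return kept, rejected


def build_alias(name, descr, nets):
    """Build an <alias> element in the element order shown in the thread."""
    alias = ET.Element("alias")
    ET.SubElement(alias, "name").text = name
    ET.SubElement(alias, "address").text = " ".join(str(n) for n, _ in nets)
    ET.SubElement(alias, "descr").text = descr
    ET.SubElement(alias, "type").text = "network"
    # One note per address, each terminated by "||", same order as <address>.
    ET.SubElement(alias, "detail").text = "".join(f"{note}||" for _, note in nets)
    return ET.tostring(alias, encoding="unicode")


def ipv4_share(nets):
    """Fraction of the whole IPv4 space covered, after merging overlaps."""
    merged = ipaddress.collapse_addresses(n for n, _ in nets)
    return sum(n.num_addresses for n in merged) / 2**32


if __name__ == "__main__":
    kept, rejected = normalize(SAMPLE)
    print(build_alias("spammers", "SMTP Block Known Spam Networks", kept))
    print(f"rejected: {rejected}")
    print(f"IPv4 space covered: {ipv4_share(kept):.2%}")
```

Running the coverage figure before loading a generated alias shows how much legitimate address space a set of /8 blocks takes out along with the spam sources.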
Re: [pfSense Support] ipv6 possibility
Ihsan Dogan wrote: This is true, but cable or DSL providers who provide IPv6 are still very rare. At least here in Switzerland. it's not common, but there are some in UK. One problem is that many ISPs simply resell BT adsl service, so funky things like multicast are also unavailable. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] blocking spammers xml
Glenn Kelley wrote: to bring up an old conversation... We literally have seen a drop in spam across the network of about 93% I have redirected the mail coming from those ip ranges to a different server - and pretty much 99% (all but just a few emails) were actually junk mail. Spammers seem to remember old IPs for a long time, so rehoming your mail server can reduce spam. Putting in a deliberately broken backup MX with a big number can also screw them up - spammers often inject email into the non-primary MXers because that sometimes avoids spam being rejected. SPF and other techniques aren't actually that effective, or effective for long IMHO; in fact Postini found that spammers adopted SPF before regular users! Lots of useful strategies, but this isn't really the place to deal with it.
Re: [pfSense Support] ipv6 possibility
Chris Buechler wrote: want to throw at it. There might be one or two developers, since I personally don't have time to be involved I won't give you a number on how much it would take to interest someone. This is a huge amount of work to properly implement in all the services, probably a couple full time months of work, so I would guess you're looking at into 5 figures USD. I can't make an official commitment, but IPv6 support would probably help me get employer to take a support contract. As a startup, budgets are tight, but the prospect of the quality of pfSense along with ipv6 would be a compelling idea!
[pfSense Support] SSL authentication failing using pfSense 1.2
Hi all, We have an Apache 2 web server in our DMZ. Our network is Cisco based (switches / routers / ...). The Apache web server requires SSL authentication (user x.509 certs) for a page to be displayed. It accepts only certificates from the same CA trust chain. One of our clients is using a Linux (Kubuntu) box behind a pfSense 1.2 firewall. When he tries accessing our web server using Firefox (or any other web browser available on Linux), he is prompted to choose a certificate he wants to use. After selecting the correct one, the browser status bar changes to 'loading'; however, it never ends. The loading doesn't finish ever. He tried accessing our web server from his home (direct connected DSL line) and he didn't experience any problem. For this reason I suspect there is something wrong with the pfSense firewall. Has anyone had a similar problem? Any suggestion? Thanks, Damir Dezeljin
Re: [pfSense Support] ipv6 possibility
On Mon, Sep 29, 2008 at 11:20:20AM +0100, Paul Mansfield wrote: I can't make an official commitment, but IPv6 support would probably help me get employer to take a support contract. As a startup, budgets are tight, but the prospect of the quality of pfSense along with ipv6 would be a compelling idea! Here's a thought: make the default pfsense kernel dual-stack capable but disable the IPv6 part by default, and don't support it anywhere in the PHP/XML config framework. Explicitly mark it as unsupported. Null-route all IPv6 support requests. That way anyone who needs the functionality can hack it manually using stock FreeBSD configuration tools, yet there would be no support load for the developer team. -- Eugen* Leitl http://leitl.org ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense Support] ipv6 possibility
technically this can already be done if you use the developers build. -- From: Eugen Leitl [EMAIL PROTECTED] Sent: Monday, September 29, 2008 7:01 AM To: support@pfsense.com Subject: Re: [pfSense Support] ipv6 possibility On Mon, Sep 29, 2008 at 11:20:20AM +0100, Paul Mansfield wrote: I can't make an official commitment, but IPv6 support would probably help me get employer to take a support contract. As a startup, budgets are tight, but the prospect of the quality of pfSense along with ipv6 would be a compelling idea! Here's a thought: make the default pfsense kernel dual-stack capable but disable the IPv6 part by default, and don't support it anywhere in the PHP/XML config framework. Explicitly mark it as unsupported. Null-route all IPv6 support requests. That way anyone who needs the functionality can hack it manually using stock FreeBSD configuration tools, yet there would be no support load for the developer team. -- Eugen* Leitl http://leitl.org
Re: [pfSense Support] SSL authentication failing using pfSense 1.2
It would be helpful to look at the config of this pfSense box. Do his logs show any blocked traffic to/from your web server? Also, is it possible you're using an SSLv2 cert and the problem client is running Firefox 3 which by default has 'issues' with SSLv2? If so, do a quick Google search for firefox about:config security.enable_ssl2 Tim Nelson Systems/Network Engineer Rockbochs Inc. (218)727-4332 x105 - Damir Dezeljin wrote: Hi all, We have an Apache 2 web server in our DMZ. Our network is Cisco based (switches / routers / ...). The Apache web server requires SSL authentication (user x.509 certs) for a page to be displayed. It accepts only certificates from the same CA trust chain. One of our clients is using a Linux (Kubuntu) box behind a pfSense 1.2 firewall. When he tries accessing our web server using Firefox (or any other web browser available on Linux), he is prompted to choose a certificate he wants to use. After selecting the correct one, the browser status bar changes to 'loading'; however, it never ends. The loading doesn't finish ever. He tried accessing our web server from his home (direct connected DSL line) and he didn't experience any problem. For this reason I suspect there is something wrong with the pfSense firewall. Has anyone had a similar problem? Any suggestion? Thanks, Damir Dezeljin
[pfSense Support] (ftp_telnet) FTP command parameters were malformed
In the snort package we are seeing clients blocked due to the following error: (ftp_telnet) FTP command parameters were malformed Strange since we do not have any ftp options chosen to be blocked ... Any ideas ? I know snort is not 100% covered - but thought it would be best to ask... Glenn
[pfSense Support] Authenticating WAN connection 802.1x
Hello, First, some background information. The setup I have now is as follows: wall ethernet - workstation. I have to authenticate the connection using 802.1x (PEAP) to get an external IP and internet access. Failure to do so results in a local IP and only access to other computers on campus. What I'm trying to do is: wall ethernet - pfSense (auth 802.1x) - wireless router - two workstations with internet. I'm using pfSense 1.2. Is something like this even possible with pfSense? Regards, Eskil Kvalnes [EMAIL PROTECTED]
[pfSense Support] PFsense on P4 Hyperthreading
Will PF sense work with a P4 using hyperthreading? I know I can disable it in the BIOS, but I was just wondering if I could use it. If I can, in the install, should I tell it I have a single CPU or a multi CPU setup? Thanks for the help, Ryan
Re: [pfSense Support] ipv6 possibility
On Mon, Sep 29, 2008 at 7:22 AM, Sean Cavanaugh [EMAIL PROTECTED] wrote: technically this can already be done if you use the developers build. or even 1.2.1 RC. I was pleasantly surprised to see IPv6 info from the network status pages. Of course, this was after YetAnotherFailedEmbededUpgrade so I had to re-flash, but that was 99.44% expected to happen by me :-(
Re: [pfSense Support] PFsense on P4 Hyperthreading
I've not experienced any problems with a few of our setups using HT (albeit on Xeons). You'd want to install the multiprocessor kernel to take advantage of the extra CPU aka thread. Tim Nelson Systems/Network Engineer Rockbochs Inc. (218)727-4332 x105 - Ryan Rodrigue [EMAIL PROTECTED] wrote: Will PF sense work with a P4 using hyperthreading? I know I can disable it in the BIOS, but I was just wondering if I could use it. If I can, in the install, should I tell it I have a single CPU or a multi CPU setup? Thanks for the help, Ryan
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 10:58 AM, Ryan Rodrigue [EMAIL PROTECTED] wrote: Will PF sense work with a P4 using hyperthreading? I know I can disable it in the BIOS, but I was just wondering if I could use it. If I can, in the install, should I tell it I have a single CPU or a multi CPU setup? Thanks for the help, Ryan FreeBSD treats it as multiple CPUs, so use the SMP kernel.
RE: [pfSense Support] PFsense on P4 Hyperthreading
Thanks for the super quick reply. I thought as much, but just wanted to confirm. Is there a limit to the number of processors it supports? Will a dual Xeon quad core (8 processors) work? I really don't have a need for that much, but I was just curious while I have you here. -Original Message- From: Vivek Khera [mailto:[EMAIL PROTECTED] Sent: Monday, September 29, 2008 10:02 AM To: support@pfsense.com Subject: Re: [pfSense Support] PFsense on P4 Hyperthreading On Mon, Sep 29, 2008 at 10:58 AM, Ryan Rodrigue [EMAIL PROTECTED] wrote: Will PF sense work with a P4 using hyperthreading? I know I can disable it in the BIOS, but I was just wondering if I could use it. If I can, in the install, should I tell it I have a single CPU or a multi CPU setup? Thanks for the help, Ryan FreeBSD treats it as multiple CPUs, so use the SMP kernel.
[pfSense Support] Transferring configs
Hi, my WRAP died and I finally managed to order an ALIX from PC-Engines. But I think I can't find a backup of my config - can I just take the config.xml from the old CF card and use the restore-option with that? Or can the WRAP-CF just be put into the ALIX? It's 1.2, IIRC. Rainer
Re: [pfSense Support] Transferring configs
On Mon, Sep 29, 2008 at 12:03 PM, Rainer Duffner [EMAIL PROTECTED] wrote: Hi, my WRAP died and I finally managed to order an ALIX from PC-Engines. But I think I can't find a backup of my config - can I just take the config.xml from the old CF card and use the restore-option with that? Or can the WRAP-CF just be put into the ALIX? It's 1.2, IIRC. Just plug the CF card into the new box. The software image is identical.
Re: [pfSense Support] Transferring configs
Vivek Khera wrote: On Mon, Sep 29, 2008 at 12:03 PM, Rainer Duffner [EMAIL PROTECTED] wrote: Hi, my WRAP died and I finally managed to order an ALIX from PC-Engines. But I think I can't find a backup of my config - can I just take the config.xml from the old CF card and use the restore-option with that? Or can the WRAP-CF just be put into the ALIX? It's 1.2, IIRC. Just plug the CF card into the new box. The software image is identical. OK, thanks. Hopefully, the order will arrive tomorrow - the now almost eight year old Netgear MR314 shows its age at my 5000/500 connection... Rainer
Re: [pfSense Support] Transferring configs
On Mon, Sep 29, 2008 at 11:03 AM, Rainer Duffner [EMAIL PROTECTED] wrote: Hi, my WRAP died and I finally managed to order an ALIX from PC-Engines. But I think I can't find a backup of my config - can I just take the config.xml from the old CF card and use the restore-option with that? Or can the WRAP-CF just be put into the ALIX? It's 1.2, IIRC. Plug the old CF into the new ALIX - do note that the NICs will have changed between the WRAP and ALIX boards - you might make a backup of your CF (if possible) and/or the config, but entering in the NICs again shouldn't kill any existing config. --Bill
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 11:15 AM, Ryan Rodrigue [EMAIL PROTECTED] wrote: Thanks for the super quick reply. I thought as much, but just wanted to confirm. Is there a limit to the number of processors it supports? Will a dual Xeon quad core (8 processors) work? I really don't have a need for that much, but I was just curious while I have you here. The most I've ever run FreeBSD on is a dual dual-core AMD64 system from Sun. The 4 procs scale nicely, and especially with the AMD enhanced memory bus it really flies. I understand from the mailing lists that 8 cores is about the max to where FreeBSD scales well. This may be old information, though.
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 10:15 AM, Ryan Rodrigue [EMAIL PROTECTED] wrote: Thanks for the super quick reply. I thought as much, but just wanted to confirm. Is there a limit to the number of processors it supports? Will a dual Xeon quad core (8 processors) work? I really don't have a need for that much, but I was just curious while I have you here. *work* - yes. There is a point of diminishing returns since PF (the packet filter we use) is under the Giant lock in FreeBSD. There certainly is a performance boost going past one CPU (not linearly scaled to the number of cores however), not sure if you'll see it with HyperThreading or not though - the FreeBSD SMP scheduler isn't exactly optimized for HTT. --Bill
Re: [pfSense Support] Transferring configs
Hi Rainer, you can. You only have to edit the interfaces in the XML from sisX to vrX. Greetings, Heribert On Monday, 29.09.2008, at 18:03 +0200, Rainer Duffner wrote: Hi, my WRAP died and I finally managed to order an ALIX from PC-Engines. But I think I can't find a backup of my config - can I just take the config.xml from the old CF card and use the restore-option with that? Or can the WRAP-CF just be put into the ALIX? It's 1.2, IIRC. Rainer
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 10:03, Bill Marquette [EMAIL PROTECTED] wrote: HyperThreading or not though - the FreeBSD SMP scheduler isn't exactly optimized for HTT. Did FBSD ever post a 'fix' for the HT cache vuln? I've been under the impression ever since that HT on server systems was a Bad Idea and just disabled HT globally, both for that and the fact that it's just hardware-assisted preemption. RB
Re: [pfSense Support] ipv6 possibility
Scott Ullrich wrote: Chris summed this up quite well but we cannot just half ass implement IPv6. It requires a real testing environment and a lot of work to implement it fully vs. doing it for just most of us needs. I think we all appreciate the quality-oriented development. But for me a tunneled IPv6 is no more half-assed than an IPv4 WAN over PPPoE ;-) Even Cisco and Checkpoint seldom start with full implementations of new gadgets. But they start...
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 2:08 PM, RB [EMAIL PROTECTED] wrote: On Mon, Sep 29, 2008 at 10:03, Bill Marquette [EMAIL PROTECTED] wrote: HyperThreading or not though - the FreeBSD SMP scheduler isn't exactly optimized for HTT. Did FBSD ever post a 'fix' for the HT cache vuln? I've been under the impression ever since that HT on server systems was a Bad Idea and just disabled HT globally, both for that and the fact that it's just hardware-assisted preemption. If you don't have multiple users, that is a non-issue, IIRC. Who logs into your pfsense?
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 12:47, Vivek Khera [EMAIL PROTECTED] wrote: If you don't have multiple users, that is a non-issue, IIRC. Who logs into your pfsense? No one. :) Even so, I've found it best to err on the side of caution. As I stated, the only benefit I see from it is hardware-assisted preemption; some workloads benefit from it, but the majority seem not to. Surprisingly enough, John the Ripper is one of those workloads that seems to be able to squeeze an extra percent or three out of an HT processor.
Re: [pfSense Support] ipv6 possibility
Tunneling IPv6 would just let you forward traffic in IPv4 to an external gateway that translates from IPv4 to IPv6. The developers would rather not do that in favor of just fully implementing support for pfSense to be able to route IPv6 directly without the encapsulation. Personally, I think that if you just want to tap into IPv6 networks, then a tunnel wrapper wouldn't be a bad idea, but as a package only and not part of the base install. From: Leon Strong Sent: Monday, September 29, 2008 9:34 PM To: support@pfsense.com Subject: Re: [pfSense Support] ipv6 possibility I was thinking the same thing, and am still wondering why/how using an ipv6 tunnel would result in a half assed implementation. Admittedly, I'm not a pfsense dev, and they can say what they like *shrug*