Re: [pfSense Support] blocking Tor Networks
On 05/01/10 16:11, Luke Jaeger wrote:
> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of our savvier students are starting to use it to get around the content filters ...

that's a classic case of having a permit any + deny specific policy.

You'll have to turn it round, make it deny all + permit specific, set up an http proxy with same policy and (don't allow CONNECT except under fine control) and don't allow anything else out of your network except that explicitly wanted.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] blocking Tor Networks
On 05/01/10 16:11, Luke Jaeger wrote:
> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of our savvier students are starting to use it to get around the content filters ...

TOR relies on nodes to hop on. You block the nodes. The protocol is more to do with anonymous access than firewall bypassing.

http://tor.xenobite.eu:81/exported-files/tor_allnodes.csv

This site has a handy CSV list of nodes. I suggest you redirect them to a warning page that states their IP address has been recorded. A bit of student panic is always funny.

There are some P2P TOR-like systems that will be harder to stop.
Re: [pfSense Support] blocking Tor Networks
On 05/01/10 16:11, Luke Jaeger wrote:
> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of our savvier students are starting to use it to get around the content filters ...

Or this block list.

http://list.iblocklist.com/?list=tor

There are a number
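The two replies above both point at downloadable node lists. As an added example (not code from this thread, from pfSense or from either list's maintainer), the Python below turns such a list into the one-entry-per-line file a pfSense URL Table alias or a pf table file consumes, de-duplicates and validates the entries, and then checks a few constructed outbound connection records against the result the way a log review would. The CSV column layout and all addresses are constructed for the example; the real tor_allnodes.csv may use different columns, so adjust the column name before use.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of a node-list CSV. The column layout
# ("ip,port,nickname,flags") is an assumption for this example, not the
# layout of the real tor_allnodes.csv. It deliberately contains a duplicate
# host, a CIDR block and a malformed entry to show how each is handled.
SAMPLE_NODE_CSV = """ip,port,nickname,flags
198.51.100.10,9001,relayA,Guard
198.51.100.10,9030,relayA,Guard
203.0.113.0/28,443,relayBlock,Exit
not-an-ip,9001,broken,
192.0.2.77,9001,relayC,Exit
"""


def parse_node_list(text, column="ip"):
    """Return a sorted, de-duplicated list of ip_network objects from CSV text.

    Hosts become /32 (or /128) networks so hosts and CIDR blocks share one
    type. Malformed entries are skipped instead of aborting the whole load,
    so one bad line in a fetched list cannot empty the firewall table.
    """
    nets = set()
    for row in csv.DictReader(io.StringIO(text)):
        try:
            nets.add(ipaddress.ip_network(row[column].strip(), strict=False))
        except ValueError:
            continue
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def to_pf_table(nets):
    """Render one entry per line, the format a pfSense URL Table alias
    (and pf's 'table <name> persist file ...') expects."""
    return "\n".join(str(n) for n in nets) + "\n"


def build_matcher(nets):
    """Return a predicate telling whether a destination IP is in the list."""
    def is_listed(ip_text):
        ip = ipaddress.ip_address(ip_text)
        return any(ip in n for n in nets)
    return is_listed


# Constructed outbound connection records (src, dst, dport), the shape a
# firewall log export would give after parsing.
SAMPLE_CONNECTIONS = [
    ("10.1.5.23", "198.51.100.10", 9001),
    ("10.1.5.23", "93.184.216.34", 443),
    ("10.1.7.8", "203.0.113.9", 443),
]


def flag_connections(conns, is_listed):
    """Keep only the records whose destination is a listed node."""
    return [c for c in conns if is_listed(c[1])]


if __name__ == "__main__":
    nets = parse_node_list(SAMPLE_NODE_CSV)
    print(to_pf_table(nets), end="")
    for src, dst, dport in flag_connections(SAMPLE_CONNECTIONS, build_matcher(nets)):
        print(f"{src} -> {dst}:{dport} matches a listed node")
```

Because the list only ever contains relays that are publicly known, it catches the default client behaviour described in the thread and nothing more; the later replies about unlisted or P2P-style systems are the reason to pair a table like this with the deny-all-plus-whitelist policy suggested earlier rather than rely on it alone.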
Fwd: [pfSense Support] Re: [***SPAM*** Score/Req: 05.6/5.0] Re: [pfSense Support] blocking Tor Networks
>> On 05/01/10 16:11, Luke Jaeger wrote:
>>> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of our savvier students are starting to use it to get around the content filters ...
>>
>> that's a classic case of having a permit any + deny specific policy.
>>
>> You'll have to turn it round, make it deny all + permit specific, set up an http proxy with same policy and (don't allow CONNECT except under fine control) and don't allow anything else out of your network except that explicitly wanted.
>
> You are wrong, deny all + permit specific is not enough for blocking TOR.

Depends how specific you are - if it looks like web access then it's going to be hard to be specific enough without being too specific
Re: Fwd: [pfSense Support] Re: [***SPAM*** Score/Req: 05.6/5.0] Re: [pfSense Support] blocking Tor Networks
On 06/01/10 16:46, Robert Mortimer wrote:
>>> On 05/01/10 16:11, Luke Jaeger wrote:
>>>> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of our savvier students are starting to use it to get around the content filters ...
>>>
>>> that's a classic case of having a permit any + deny specific policy.
>>>
>>> You'll have to turn it round, make it deny all + permit specific, set up an http proxy with same policy and (don't allow CONNECT except under fine control) and don't allow anything else out of your network except that explicitly wanted.
>>
>> You are wrong, deny all + permit specific is not enough for blocking TOR.
>
> Depends how specific you are - if it looks like web access then it's going to be hard to be specific enough without being too specific

well, I did say to use a web proxy, which also has a whitelist of permitted sites, you literally only let your users access very specific services and hosts on the internet, and NOTHING else is allowed.

you're now going to say but that's unmanageable, and I have two answers.

1/ security is a moving target and hard work, so if you can't trust your users you'll have to have the resources to manage their access effectively

OR

2/ educate your users so that you can trust them and have suitable contracts and measures in place to punish them so that they will follow procedures
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
Thanks for the ideas! It's working with the exception of a traffic shaping problem. What I did to set this up is

1. Bridged the OPT interface with WAN, leaving all other fields blank
2. Created a rule on the tab of the OPT interface to 'pass' 'any' protocol
3. Attached the host to the OPT interface, and assigned the appropriate IP info.

I notice that my upstream traffic is shaped (as expected) but that the downstream traffic is not (unexpected). This presents a problem for VoIP (although serendipitously it's the more sensitive upstream shaping that IS working at the moment).

My first thought was oh yeah--DUH, the shaping queues are in layer 3, bridging happens in layer 2, but then it occurred to me that the upstream traffic IS actually being shaped. Confused again.

The only theory I could come up with is that the upstream traffic is getting shaped BECAUSE the host on the bridged OPT interface routes to the default gateway IP address, and therefore those upstream packets have IP addresses that match directives in the queues. Am I on the right track?

Therefore, thinking the shaper needed an IP address to identify the traffic to shape, I tried simply putting the public IP address (of the host connected to the bridged optional interface) in the 'penalty box' of the shaper. You probably already know that this didn't work. Is this the right theory without the right execution? Do I need to tie in a 'Virtual IP' somehow?

So close! I would love a nudge in the right direction. Thanks! If this can be made to work it will eliminate the need to buy 4 Juniper routers!

-Karl

- Original Message -
From: Chris Buechler c...@pfsense.org
To: support@pfsense.com
Sent: Thursday, December 31, 2009 1:19 PM
Subject: Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?

On Thu, Dec 31, 2009 at 9:52 AM, Karl Fife karlf...@gmail.com wrote:
> Like many, I use 1:1 NAT to give one of my public IP address to an internal host.
>
> This works great for certain applications where the host (such as Asterisk) is 'smart' and can be made aware of the fact that the IP address bound to its own network interface differs from the one the outside world sees and should direct traffic to. In the case of Asterisk which must know its external IP to properly write SDP headers, Asterisk will look to the configured external IP address instead of the one it actually sees bound to its own NIC. No problems!
>
> The problem arises when you've got a 'dumber' host that needs to function EXACTLY like it has an actual external IP address, but where the traffic needs to flow through pfSense (for shaping, policies, IDS/IPS). I sometimes also wish that certain hosts with external addresses NOT have an internal address in the event that they become compromised/rooted etc.
>
> Naturally it would be ideal to bind the external IP address directly to an optional interface. My understanding (possibly wrong) is that this was not possible (at least) with embedded 1.2-release. Has anything changed in the 1.2.1 or .2 or .3 release that would make this possible?

That's always been possible. Exactly how depends on how many public IPs you have. Nathan's suggestion will work where you want it on your LAN, though that violates the NOT have an internal address noted above. You can either add a public IP subnet on an OPT interface, or bridge OPT to WAN.
Re: Fwd: [pfSense Support] Re: [***SPAM*** Score/Req: 05.6/5.0] Re: [pfSense Support] blocking Tor Networks
What about updating the DNS settings to OpenDNS which has its own free filter control - that allows you to deselect Proxy/Anonymizer

On Wed, Jan 6, 2010 at 6:05 PM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
> On 06/01/10 16:46, Robert Mortimer wrote:
>>>> On 05/01/10 16:11, Luke Jaeger wrote:
>>>>> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of our savvier students are starting to use it to get around the content filters ...
>>>>
>>>> that's a classic case of having a permit any + deny specific policy.
>>>>
>>>> You'll have to turn it round, make it deny all + permit specific, set up an http proxy with same policy and (don't allow CONNECT except under fine control) and don't allow anything else out of your network except that explicitly wanted.
>>>
>>> You are wrong, deny all + permit specific is not enough for blocking TOR.
>>
>> Depends how specific you are - if it looks like web access then it's going to be hard to be specific enough without being too specific
>
> well, I did say to use a web proxy, which also has a whitelist of permitted sites, you literally only let your users access very specific services and hosts on the internet, and NOTHING else is allowed.
>
> you're now going to say but that's unmanageable, and I have two answers.
>
> 1/ security is a moving target and hard work, so if you can't trust your users you'll have to have the resources to manage their access effectively
>
> OR
>
> 2/ educate your users so that you can trust them and have suitable contracts and measures in place to punish them so that they will follow procedures
Re: Fwd: [pfSense Support] Re: [***SPAM*** Score/Req: 05.6/5.0] Re: [pfSense Support] blocking Tor Networks
-Original Message-
From: Paul Mansfield it-admin-pfse...@taptu.com
To: support@pfsense.com
Date: Wed, 06 Jan 2010 18:05:45 +
Subject: Re: Fwd: [pfSense Support] Re: [***SPAM*** Score/Req: 05.6/5.0] Re: [pfSense Support] blocking Tor Networks

> On 06/01/10 16:46, Robert Mortimer wrote:
>>>> On 05/01/10 16:11, Luke Jaeger wrote:
>>>>> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of our savvier students are starting to use it to get around the content filters ...
>>>>
>>>> that's a classic case of having a permit any + deny specific policy.
>>>>
>>>> You'll have to turn it round, make it deny all + permit specific, set up an http proxy with same policy and (don't allow CONNECT except under fine control) and don't allow anything else out of your network except that explicitly wanted.
>>>
>>> You are wrong, deny all + permit specific is not enough for blocking TOR.
>>
>> Depends how specific you are - if it looks like web access then it's going to be hard to be specific enough without being too specific
>
> well, I did say to use a web proxy, which also has a whitelist of permitted sites, you literally only let your users access very specific services and hosts on the internet, and NOTHING else is allowed.
>
> you're now going to say but that's unmanageable, and I have two answers.
>
> 1/ security is a moving target and hard work, so if you can't trust your users you'll have to have the resources to manage their access effectively
>
> OR
>
> 2/ educate your users so that you can trust them and have suitable contracts and measures in place to punish them so that they will follow procedures

A proxy server (squid, or another webfilter) cannot stop it (TOR clients), because it's unable to analyze TOR traffic (encrypted traffic). I don't say that it is impossible to block it, but it is not easy.
Re: [pfSense Support] blocking Tor Networks
Thanks Victor! If you have any thoughts on how to do it, I'll try it ...

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org

On Jan 6, 2010, at 2:19 PM, Víctor Pasten wrote:
> -Original Message-
> From: Paul Mansfield it-admin-pfse...@taptu.com
> To: support@pfsense.com
> Date: Wed, 06 Jan 2010 18:05:45 +
> Subject: Re: Fwd: [pfSense Support] Re: [***SPAM*** Score/Req: 05.6/5.0] Re: [pfSense Support] blocking Tor Networks
>
>> On 06/01/10 16:46, Robert Mortimer wrote:
>>>>> On 05/01/10 16:11, Luke Jaeger wrote:
>>>>>> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of our savvier students are starting to use it to get around the content filters ...
>>>>>
>>>>> that's a classic case of having a permit any + deny specific policy.
>>>>>
>>>>> You'll have to turn it round, make it deny all + permit specific, set up an http proxy with same policy and (don't allow CONNECT except under fine control) and don't allow anything else out of your network except that explicitly wanted.
>>>>
>>>> You are wrong, deny all + permit specific is not enough for blocking TOR.
>>>
>>> Depends how specific you are - if it looks like web access then it's going to be hard to be specific enough without being too specific
>>
>> well, I did say to use a web proxy, which also has a whitelist of permitted sites, you literally only let your users access very specific services and hosts on the internet, and NOTHING else is allowed.
>>
>> you're now going to say but that's unmanageable, and I have two answers.
>>
>> 1/ security is a moving target and hard work, so if you can't trust your users you'll have to have the resources to manage their access effectively
>>
>> OR
>>
>> 2/ educate your users so that you can trust them and have suitable contracts and measures in place to punish them so that they will follow procedures
>
> A proxy server (squid, or another webfilter) cannot stop it (TOR clients), because it's unable to analyze TOR traffic (encrypted traffic). I don't say that it is impossible to block it, but it is not easy.
[pfSense Support] Re: Fwd: Re: [***SPAM*** Score/Req: 05.6/5.0] Re: [pfSense Support] blocking Tor Networks
In message worldclient-f201001061619.aa19060...@connected.cl Víctor Pasten vpas...@connected.cl was claimed to have wrote:
> A proxy server (squid, or another webfilter) cannot stop it (TOR clients), because it's unable to analyze TOR traffic (encrypted traffic).

You don't need to analyze to block. In fact, if you can't analyze something, and it's not on a trusted-by-IP whitelist, block it.
Re: [pfSense Support] How to read rrd quality graphs
On Tue, Jan 5, 2010 at 9:49 PM, mehma sarja mehmasa...@gmail.com wrote:
> PROBLEM
> On most evenings around 9 pm, I get service dropouts and accompanying packet loss. I literally see chopping in traffic graphs. Some nights, we just give up and go to bed. Tonight it is fine. It is probably Verizon's DSL card getting too much use. However, this highlights my inability to fully understand the rrd quality graphs.
>
> HELP
> Please clear some things up for me:
> a. High spikes are not good cuz the higher the tower, the more latency (milliseconds) (yes/no)? ___
> b. If the spikes persist, we get packet loss (yes/no)? ___
> c. If spikes do not correlate to packet loss, what causes packet loss? ___
> d. On the y coordinate, what does the % symbol mean? ___
>
> Mehma

a: Yes, higher latency usually lowers perceived speed of the connection
b: Spikes are simply increased latency, not necessarily packet loss.
c: If it's a DSL line, anything from line noise to your upstream provider having issues to a problem with your house wiring.
d: % packet loss, negative values on the graph in red mean packet loss in percent, and there will be nothing in the positive range.

Hope that helps
[pfSense Support] Disabling Services
How do I correctly set the default state for a service of an installed package like ntop or pfflowd to stopped?

Thanks!
jlc
Re: [pfSense Support] Disabling Services
On Wed, Jan 6, 2010 at 5:59 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:
> How do I correctly set the default state for a service of an installed package like ntop or pfflowd to stopped?

Varies by package. Many can be disabled in their configuration. Some may have to be uninstalled.
Re: [pfSense Support] Disabling Services
On Wed, Jan 6, 2010 at 14:59, Joseph L. Casale jcas...@activenetwerx.com wrote:
> How do I correctly set the default state for a service of an installed package like ntop or pfflowd to stopped?
>
> Thanks!
> jlc

If there's a line in /etc/rc.conf like this:

    ntop_enable=YES

either comment it out, or delete the line. I suppose you could change it to:

    ntop_enable=NO

as well, but I'm not well versed in what effect that has when issuing something like:

    zrouter# /usr/local/etc/rc.d/ntop start

Kurt
Re: [pfSense Support] How to read rrd quality graphs
Daniel,

That does help - thanks. The ms/% thing threw me on the Y axis. I'll look into what a 1 or 2 second latency means.

Mehma

===

On Wed, Jan 6, 2010 at 2:20 PM, Daniel Lloyd spoons...@gmail.com wrote:
> On Tue, Jan 5, 2010 at 9:49 PM, mehma sarja mehmasa...@gmail.com wrote:
>> PROBLEM
>> On most evenings around 9 pm, I get service dropouts and accompanying packet loss. I literally see chopping in traffic graphs. Some nights, we just give up and go to bed. Tonight it is fine. It is probably Verizon's DSL card getting too much use. However, this highlights my inability to fully understand the rrd quality graphs.
>>
>> HELP
>> Please clear some things up for me:
>> a. High spikes are not good cuz the higher the tower, the more latency (milliseconds) (yes/no)? ___
>> b. If the spikes persist, we get packet loss (yes/no)? ___
>> c. If spikes do not correlate to packet loss, what causes packet loss? ___
>> d. On the y coordinate, what does the % symbol mean? ___
>>
>> Mehma
>
> a: Yes, higher latency usually lowers perceived speed of the connection
> b: Spikes are simply increased latency, not necessarily packet loss.
> c: If it's a DSL line, anything from line noise to your upstream provider having issues to a problem with your house wiring.
> d: % packet loss, negative values on the graph in red mean packet loss in percent, and there will be nothing in the positive range.
>
> Hope that helps
Re: [pfSense Support] Disabling Services
On Wed, Jan 6, 2010 at 6:26 PM, Kurt Buff kurt.b...@gmail.com wrote:
> On Wed, Jan 6, 2010 at 14:59, Joseph L. Casale jcas...@activenetwerx.com wrote:
>> How do I correctly set the default state for a service of an installed package like ntop or pfflowd to stopped?
>>
>> Thanks!
>> jlc
>
> If there's a line in /etc/rc.conf like this:
>
>     ntop_enable=YES
>
> either comment it out, or delete the line. I suppose you could change it to:
>
>     ntop_enable=NO

pfSense doesn't use rc.conf.
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Wed, Jan 6, 2010 at 1:26 PM, Karl Fife karlf...@gmail.com wrote:
> Thanks for the ideas! It's working with the exception of a traffic shaping problem. What I did to set this up is
>
> 1. Bridged the OPT interface with WAN, leaving all other fields blank
> 2. Created a rule on the tab of the OPT interface to 'pass' 'any' protocol
> 3. Attached the host to the OPT interface, and assigned the appropriate IP info.
>
> I notice that my upstream traffic is shaped (as expected) but that the downstream traffic is not (unexpected). This presents a problem for VoIP (although serendipitously it's the more sensitive upstream shaping that IS working at the moment).
>
> My first thought was oh yeah--DUH, the shaping queues are in layer 3, bridging happens in layer 2, but then it occurred to me that the upstream traffic IS actually being shaped. Confused again.

The rules and queues process the same whether it's L2 or 3. How do you have the shaper configured? With OPT bridged to WAN, I presume you have a LAN as well, and I'm guessing the shaper is configured for LAN and WAN?
[pfSense Support] DHCP custom options?
In our school, we are currently using the ISC dhcp server on a CentOS server, with the BIND DNS server running on the same server. We give the computers in the school static addresses handed out over DHCP, and unknown computers get addresses in a different range. I would like to migrate both DHCP and DNS over to pfsense as it is far easier to administer than my current python-foo scripts, but I've hit a wall with dhcpd.conf.

All of our computers are set to netboot gpxe from our tftp server and then use gpxe to load files from our web server (if you want to know why, see http://cedarandthistle.wordpress.com/2009/10/09/pxe-and-gpxe). The problem is that this requires an if-statement in dhcpd.conf. I can add that using the Edit File menu option in pfsense, but if I add a new computer using the web interface, the if-statement gets wiped.

Is there any way to add the following if-statement directly into the web interface in such a way that it won't get removed?

    if exists user-class and option user-class = "gPXE" {
        filename "http://lesson.lesbg.com/netboot/pxelinux.0";
    } else {
        if binary-to-ascii(16, 8, ":", substring(hardware, 1, 6)) = "0:19:d1:9a:fe:4b" or
           binary-to-ascii(16, 8, ":", substring(hardware, 1, 6)) = "0:1e:ec:69:3d:1e" or
           binary-to-ascii(16, 8, ":", substring(hardware, 1, 6)) = "0:1d:72:9e:9f:e" or
           binary-to-ascii(16, 8, ":", substring(hardware, 1, 6)) = "0:19:d1:9a:ff:29" {
            filename "/linux-install/undi.pxe";
        } else {
            filename "/linux-install/gpxe.pxe";
        }
    }

Thanks,
Jonathan
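The if-statement above selects a boot file from two inputs: the client's user-class and its MAC address rendered by binary-to-ascii(16, 8, ":", ...), which prints each octet as unpadded lowercase hex (so 0e becomes "e", which is why the third address in the list reads "0:1d:72:9e:9f:e"). The Python below, an added example that is not from this thread or from ISC dhcpd, reproduces that decision so the mapping can be checked for a given client before it is put into the server, and regenerates the dhcpd.conf fragment from a plain list of MACs so the address list can be maintained in one place. The helper names are hypothetical; the MACs and file names are the ones from the posted config.

```python
# Boot-file selection from the posted dhcpd.conf, reproduced in Python.
# Helper names (dhcpd_mac_form, select_boot_file, render_dhcpd_block) are
# hypothetical; values below are taken from the configuration in the thread.

GPXE_URL = "http://lesson.lesbg.com/netboot/pxelinux.0"
UNDI_FILE = "/linux-install/undi.pxe"
GPXE_FILE = "/linux-install/gpxe.pxe"

# The four machines that must boot undi.pxe, written in ordinary zero-padded form.
UNDI_ONLY_MACS = [
    "00:19:d1:9a:fe:4b",
    "00:1e:ec:69:3d:1e",
    "00:1d:72:9e:9f:0e",
    "00:19:d1:9a:ff:29",
]


def dhcpd_mac_form(mac):
    """Render a MAC the way dhcpd's binary-to-ascii(16, 8, ":", substring(hardware, 1, 6))
    does: lowercase hex, colon separated, with no zero padding on each octet.
    Accepts colon- or dash-separated input in any case."""
    octets = mac.strip().replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"not a 6-octet MAC: {mac!r}")
    return ":".join(format(int(o, 16), "x") for o in octets)


def select_boot_file(user_class, mac):
    """Mirror the dhcpd.conf if/else: gPXE clients get the HTTP URL, the listed
    hardware gets undi.pxe, everything else gets gpxe.pxe.
    user_class is None when the client sent no user-class option ("exists" fails)."""
    if user_class is not None and user_class == "gPXE":
        return GPXE_URL
    undi_set = {dhcpd_mac_form(m) for m in UNDI_ONLY_MACS}
    if dhcpd_mac_form(mac) in undi_set:
        return UNDI_FILE
    return GPXE_FILE


def render_dhcpd_block(undi_macs):
    """Emit the same if-statement as a dhcpd.conf fragment from a MAC list,
    so the address list is maintained once and the config is regenerated."""
    expr = 'binary-to-ascii(16, 8, ":", substring(hardware, 1, 6))'
    tests = " or\n       ".join(f'{expr} = "{dhcpd_mac_form(m)}"' for m in undi_macs)
    return (
        'if exists user-class and option user-class = "gPXE" {\n'
        f'    filename "{GPXE_URL}";\n'
        "} else {\n"
        f"    if {tests} {{\n"
        f'        filename "{UNDI_FILE}";\n'
        "    } else {\n"
        f'        filename "{GPXE_FILE}";\n'
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed clients: a gPXE second-stage request, a listed machine, an unknown one.
    for uc, mac in [("gPXE", "00:11:22:33:44:55"), (None, "00:1D:72:9E:9F:0E"), (None, "00:11:22:33:44:55")]:
        print(f"user-class={uc!r} mac={mac} -> {select_boot_file(uc, mac)}")
    print(render_dhcpd_block(UNDI_ONLY_MACS))
```

The generator is the practical part: if the list of undi-only machines changes, regenerating the fragment avoids hand-editing the unpadded hex form, which is easy to get wrong and silently sends a machine to the wrong boot file.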