Re: [pfSense Support] KMS dns entry question...
On Wed, 2010-02-24 at 18:16 -0800, Tim Dressel wrote:
> Hi folks,
>
> I have been interconnecting several schools into one big network via a MAN over fiber, but in the end I'm going to have a couple of schools that I can't afford to hook up and/or just don't have the service available. We are pushing out Windows 7, which via volume activation requires either MAK or KMS. I would prefer not to give out MAK keys because they inevitably get divulged, either accidentally or on purpose. I have a KMS host activated and it's successfully activating everything behind my pfSense box with no problems.
>
> I have been following this link: http://technet.microsoft.com/en-us/library/dd772269.aspx which details which ports to open and which DNS settings are required to find the KMS host.
>
> Does anyone know how to use pfSense, either out of the box or with an existing reasonably stable plugin, to hand out the SRV record? So what I would like to do is config a remote school to resolve DNS (handed out by DHCP) to the firewall, and then have the firewall resolve against OpenDNS (to block porn and whatnot). But I would like to have the firewall respond to a SRV resource record request just for the _VLMCS service and point it appropriately to my site back on the backbone.
>
> I've looked at tinydns, but it does not have the ability to add an SRV record type.

Check http://cr.yp.to/djbdns/tinydns-data.html . There seems to be a way to add SRV records through the generic record syntax. See also http://cr.yp.to/djbdns/knowles.html . I haven't done this yet. Let us know how it goes.

> I could do this with a site-to-site VPN and have the remote schools using our DNS, but we don't use OpenDNS in the mother ship, so I would need a way to block sites essentially coming from a different subnet.
>
> Would appreciate any assistance!
>
> Thanks...
>
> Tim

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
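The tinydns route the reply points at, worked through as an added example (this is my illustration, not code from the post or from djbdns): tinydns-data has no SRV keyword, but its generic record line `:fqdn:n:rdata:ttl` can carry any record type once the RDATA is spelled out byte by byte, with non-printable bytes, colons and backslashes written as three-digit octal escapes. The functions below build that line for the _vlmcs._tcp lookup a KMS client makes in its DNS domain. Assumed values: the domain school.example, the host kms.school.example, and port 1688, which is the KMS default and is not stated in the thread.

```python
"""Build a tinydns-data generic record line carrying a DNS SRV record.

Added example for the KMS thread; not code from the original post or from
djbdns. SRV is record type 33 and its RDATA is priority, weight and port
(each 16-bit big-endian) followed by the target as a wire-format DNS name
(RFC 2782). Assumptions: 'school.example' and 'kms.school.example' are
placeholders; 1688/tcp is the default KMS port.
"""
import string
import struct

SRV_TYPE = 33
KMS_DEFAULT_PORT = 1688  # default port a KMS client connects to (assumption: not on the page)

# Bytes that may appear literally in a tinydns-data record; everything else
# (including ':' which would break field splitting, and '\\') is octal-escaped.
_SAFE = set((string.ascii_letters + string.digits + "-._").encode())


def encode_dns_name(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels, terminated by a zero octet."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def srv_rdata(priority: int, weight: int, port: int, target: str) -> bytes:
    """SRV RDATA: three 16-bit big-endian fields, then the target name."""
    for field in (priority, weight, port):
        if not 0 <= field <= 0xFFFF:
            raise ValueError("SRV fields must fit in 16 bits")
    return struct.pack("!HHH", priority, weight, port) + encode_dns_name(target)


def tinydns_escape(data: bytes) -> str:
    """Spell RDATA the way tinydns-data reads it: safe bytes literal, \\ooo otherwise."""
    return "".join(chr(b) if b in _SAFE else f"\\{b:03o}" for b in data)


def tinydns_srv_line(service_fqdn: str, priority: int, weight: int,
                     port: int, target: str, ttl: int = 3600) -> str:
    """Generic-record line (:fqdn:type:rdata:ttl) publishing an SRV record."""
    rdata = srv_rdata(priority, weight, port, target)
    return f":{service_fqdn}:{SRV_TYPE}:{tinydns_escape(rdata)}:{ttl}"


def kms_srv_line(domain: str, kms_host: str, port: int = KMS_DEFAULT_PORT) -> str:
    """The _vlmcs._tcp record a Windows KMS client looks up in its DNS domain."""
    return tinydns_srv_line(f"_vlmcs._tcp.{domain}", 0, 0, port, kms_host)


def parse_tinydns_escapes(text: str) -> bytes:
    """Inverse of tinydns_escape, to confirm a line decodes back to the intended RDATA."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 4], 8))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


if __name__ == "__main__":
    # Placeholder names; the port is the KMS default.
    print(kms_srv_line("school.example", "kms.school.example"))
```

The printed line goes into the tinydns data file and is compiled with tinydns-data as usual; parse_tinydns_escapes lets you check that the escaped text decodes to the same bytes srv_rdata produced before you publish it. This only helps the remote school if the firewall's DNS answers that zone from (or forwards it to) a tinydns instance, but once the record exists the clients need no configuration, since the SRV lookup is how they find the KMS host.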
[pfSense Support] client requirement and a Q
Hiya

I got this question from a client:

Q: The Firewall should work in the Bridge-Mode and XYZ server behind the firewall requires Direct PUBLIC/STATIC IP Address. /Q

Is that the same as this (under Network Address Translation (NAT)):
http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
"1:1 NAT for individual IPs or entire subnets."

Also I would like to ask. Can I block an IP range?

If someone could help me understand this, it would be appreciated.

Kind Regards
Brent Clark
Re: [pfSense Support] client requirement and a Q
On Thu, Feb 25, 2010 at 8:46 AM, Brent Clark brentgclarkl...@gmail.com wrote:
> Is that the same as this (under Network Address Translation (NAT)):
> http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
> "1:1 NAT for individual IPs or entire subnets."

Effectively similar, but not entirely. With 1:1, your internal host(s) have a private IP address (such as 192.168.x.x), which correlates directly with a publicly routable IP address. In a bridged setup, the client owns the publicly routable IP address directly. I personally haven't figured out why I would want to use 1:1 when I can just bridge, except that some platforms won't let you use Captive Portal when you have a bridged interface. (This was true of m0n0wall, but I'm not sure about pfSense.)

> Also I would like to ask. Can I block an IP range?

The firewall lets you block CIDR networks. If your range doesn't fit neatly into a standard subnet, then you have the choice of blocking the encapsulating subnet or creating multiple rules to neatly cover the desired range.

Hope that helps.

db
RE: [pfSense Support] client requirement and a Q
>> Also I would like to ask. Can I block an IP range?
>
> The firewall lets you block CIDR networks. If your range doesn't fit neatly into a standard subnet, then you have the choice of blocking the encapsulating subnet or creating multiple rules to neatly cover the desired range.
>
> Hope that helps.
>
> db

You can also use aliases to specify the list of IPs or subnets, or a combination of the two, you would like to use in your rules. This can simplify the rules some and make adding an IP or subnet very simple. Very efficient if you are using multiple rules or want to block on multiple interfaces.

Good Luck.
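To make the "encapsulating subnet or multiple rules" choice from db's answer, and the alias approach Ryan adds, concrete, here is an added example (my code, not from the thread or from pfSense). Given the first and last address of an arbitrary range it produces the exact list of CIDR blocks, which map one-to-one onto rules or onto the entries of an address alias, and the single enclosing subnet together with a count of how many addresses outside the range it would also block. The range 203.0.113.10 to 203.0.113.75 is a constructed sample from the TEST-NET-3 documentation block; the same functions handle IPv6 ranges.

```python
"""Decompose an arbitrary IP range into firewall-rule-sized CIDR blocks.

Added example for the "can I block an IP range" thread; not code from the
posts or from pfSense. Sample range below is constructed from TEST-NET-3.
"""
import ipaddress
from typing import List


def exact_cidrs(first: str, last: str) -> List[str]:
    """Minimal list of CIDR networks that covers exactly first..last (inclusive)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def enclosing_cidr(first: str, last: str) -> str:
    """Smallest single subnet containing both ends; the 'one rule, over-block' option."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(str(lo))  # start from the host route of the first address
    while hi not in net:
        net = net.supernet()  # widen by one prefix bit until the last address fits
    return str(net)


def over_block_count(first: str, last: str) -> int:
    """How many addresses the enclosing subnet blocks that were never requested."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(enclosing_cidr(first, last))
    return net.num_addresses - (int(hi) - int(lo) + 1)


def covers_exactly(first: str, last: str) -> bool:
    """Self-check: the exact blocks hold as many addresses as the range itself."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    total = sum(ipaddress.ip_network(c).num_addresses for c in exact_cidrs(first, last))
    return total == int(hi) - int(lo) + 1


def alias_entries(first: str, last: str) -> str:
    """One network per line, the shape a network-type alias or rule list takes."""
    return "\n".join(exact_cidrs(first, last))


if __name__ == "__main__":
    first, last = "203.0.113.10", "203.0.113.75"  # constructed sample range
    print("exact blocks (one rule or alias entry each):")
    print(alias_entries(first, last))
    print("single enclosing subnet:", enclosing_cidr(first, last),
          "over-blocks", over_block_count(first, last), "addresses")
```

For the sample range the exact cover needs six blocks while the enclosing /25 blocks 62 addresses that were never asked for, which is the trade-off the answer describes; putting the six blocks in one alias and referencing it from a single rule per interface is what keeps the rule set short.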
Re: [pfSense Support] client requirement and a Q
On Thu, Feb 25, 2010 at 10:04:44AM -0600, Ryan wrote:
> You can also use aliases to specify the list of IPs or subnets, or a combination of the two, you would like to use in your rules. This can simplify the rules some and make adding an IP or subnet very simple. Very efficient if you are using multiple rules or want to block on multiple interfaces.

Is there a way to QoS throttle shady network neighborhoods (say, from RBLs) into oblivion, or is snort with a rule subscription (does this work out of the box in the pfSense snort package) the way to go?

--
Eugen* Leitl leitl http://leitl.org
______________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense Support] port 53 problem
Can Burak Cilingir wrote:
> * [lan ip 155] assigned statically (eth1)
> * [lip 156] assigned statically (eth1:1)
> * [lip 157] assigned statically (eth1:2)
> * (eth0 is down)

*snip*

> The problem when I try to resolve a domain name from outside with
>   host www.mydomain.com [wip156]
> I cannot get an answer, but
>   host www.mydomain.com [wip155]
> is working.

*snip troubleshooting steps*

Does resolution work from inside the LAN?

It sounds like pdns doesn't like the names given to the virtual interfaces (eth1:$FOO). pdns responds on 155 (eth1), but not 156 (eth1:1); traffic passes on the port = pfSense is passing traffic, but pdns does not like the aliased interface names and will only bind to 'standard' interface names.

(Quick google returns this, might help you: http://mailman.powerdns.com/pipermail/pdns-users/2006-December/004053.html)

At least that's my take.
Re: [pfSense Support] port 53 problem
On Friday 26,February,2010 01:14 PM, Justin The Cynical wrote:
> Can Burak Cilingir wrote:
>> * [lan ip 155] assigned statically (eth1)
>> * [lip 156] assigned statically (eth1:1)
>> * [lip 157] assigned statically (eth1:2)
>> * (eth0 is down)
>
> *snip*
>
>> The problem when I try to resolve a domain name from outside with
>>   host www.mydomain.com [wip156]
>> I cannot get an answer, but
>>   host www.mydomain.com [wip155]
>> is working.
>
> *snip troubleshooting steps*
>
> Does resolution work from inside the LAN?
>
> It sounds like pdns doesn't like the names given to the virtual interfaces (eth1:$FOO).

If there is no pfSense involved, it works. As I do not have any other machine in the LAN, I can just test by querying the lips from the machine itself:

    /sbin/ifconfig | grep Mask
              inet addr:172.17.1.155  Bcast:172.17.255.255  Mask:255.255.0.0
              inet addr:172.17.1.156  Bcast:172.17.255.255  Mask:255.255.0.0
              inet addr:172.17.1.157  Bcast:172.17.255.255  Mask:255.255.0.0
              inet addr:127.0.0.1  Mask:255.0.0.0

    netstat -tulnp | grep :53
    tcp   0   0 0.0.0.0:53   0.0.0.0:*   LISTEN   13142/pdns_server-i
    udp   0   0 0.0.0.0:53   0.0.0.0:*            13142/pdns_server-i

    host localhost 172.17.1.155
    Using domain server:
    Name: 172.17.1.155
    Address: 172.17.1.155#53
    Aliases:

    localhost.x has address 127.0.0.1

    one:~# host localhost 172.17.1.156
    Using domain server:
    Name: 172.17.1.156
    Address: 172.17.1.156#53
    Aliases:

    localhost.x has address 127.0.0.1

    one:~# host localhost 172.17.1.157
    Using domain server:
    Name: 172.17.1.157
    Address: 172.17.1.157#53
    Aliases:

    localhost.x has address 127.0.0.1

> pdns responds on 155 (eth1), but not 156 (eth1:1); traffic passes on the port = pfSense is passing traffic, but pdns does not like the aliased interface names and will only bind to 'standard' interface names.
>
> (Quick google returns this, might help you: http://mailman.powerdns.com/pipermail/pdns-users/2006-December/004053.html)
>
> At least that's my take.