Re: [pfSense Support] non-circular syslog / config option disableyslogclog in pfsense 2.0 Beta 4

2010-08-12 Thread Paul Mansfield
On 04/08/10 12:49, Stefan Baur wrote:
 I know that I could log to an external syslog server, however, in my

Follow the changes I suggested previously on this list, whereby you bind the
existing syslog to localhost and newsyslogd to LAN, and get the existing
syslog to repeat logging to newsyslogd.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] /boot/loader.conf vs /system_advanced_sysctl.php in 2.0

2010-08-12 Thread David Burgess
In 1.2.3 I had very good results adding the following lines to
/boot/loader.conf while using the squid package in transparent mode:

 hint.apic.0.disabled=1
 kern.ipc.nmbclusters=32768
 kern.maxfiles=65536
 kern.maxfilesperproc=32768
 net.inet.ip.portrange.last=65535

So far in 2.0 I have not seen that this is necessary, despite the fact that my
connection speed has gone up by 400%. I'm not sure what these options
do or why they helped performance in 1.2.3, but it raises a couple of
questions for me.

1. Have changes to 2.0 made the above tweaks superfluous?

2. If I wanted to try setting the above variables, would they still
belong in /boot/loader.conf, or is /system_advanced_sysctl.php the
place to put those now?

Thanks.

db




[pfSense Support] bridge goes down

2010-08-12 Thread Jonathan Reed
I'm ignorant of how bridging is supposed to work, but what's happening doesn't
seem logical.

I've bridged LAN and OPT. When the LAN int goes down - i.e. my computer is
shut off - then my bridge also goes down. It seems the bridge is
dependent on the LAN int being up. Is that how it's supposed to work on 2.0?
My OPT is running wireless for the network, so if bridging is designed to
act like this then I'll have to set up a new subnet and routes for wireless -
which just seems more work than is necessary. Nevertheless I'll end up doing
that if this is what is recommended.

I vaguely remember that on 1.2 I didn't have the same problem. Can someone
shed some light and straighten me out?

Thanks


[pfSense Support] FW: Issues after update to 1.2.3-RELEASE

2010-08-12 Thread Austin G. Smith

I just performed an update on a 1.2.0-RELEASE-FULL firewall last night.

Today we started having issues with traffic being denied from IPSEC VPN sites 
outside of the internal pfsense networks.  However, traffic is passing fine 
from inside pfsense to the external IPSEC VPN sites.  I can port scan from a 
remote site to inside pfsense and show open ports, however nothing can sustain 
a connection to the remote site.

From what I can tell, it appears that pfSense is not loading all of the rules.
I ONLY have a pass-any rule for all of the internal networks, yet traffic
is getting denied.  The offending rule that generates the log entry is
the default drop-all.


Also, the dynamic view for the firewall rules is not functioning either...


Any help is mucho appreciated!

Austin Smith, A+, NET+, SMBE, MCSA
(770) 543-0444 Direct Line



Re: [pfSense Support] bridge goes down

2010-08-12 Thread Chris Buechler
On Thu, Aug 12, 2010 at 2:13 PM, Jonathan Reed jreed...@gmail.com wrote:
 I'm ignorant of how bridging is supposed to work, but what's happening doesn't
 seem logical.

 I've bridged LAN and OPT. When the LAN int goes down - i.e. my computer is
 shut off - then my bridge also goes down. It seems the bridge is
 dependent on the LAN int being up. Is that how it's supposed to work on 2.0?
 My OPT is running wireless for the network, so if bridging is designed to
 act like this then I'll have to set up a new subnet and routes for wireless -
 which just seems more work than is necessary. Nevertheless I'll end up doing
 that if this is what is recommended.

 I vaguely remember that on 1.2 I didn't have the same problem. Can someone
 shed some light and straighten me out?


It's always behaved the same: if you have the IP for the bridge on an
Ethernet interface and that interface goes down, that IP is no longer
reachable. The bridge is fine; you just don't have an IP anymore.
Don't put the IP on an interface that will go down: either assign the
bridge and put the IP on the bridge itself, or put it on an interface that
won't ever go down.




Re: [pfSense Support] FW: Issues after update to 1.2.3-RELEASE

2010-08-12 Thread Chris Buechler
On Thu, Aug 12, 2010 at 2:17 PM, Austin G. Smith asm...@neweffectit.com wrote:


 I just performed an update on a 1.2.0-RELEASE-FULL firewall last night.



 Today we started having issues with traffic being denied from IPSEC VPN
 sites outside of the internal pfsense networks.  However, traffic is passing
 fine from inside pfsense to the external IPSEC VPN sites.  I can port scan
 from a remote site to inside pfsense and show open ports, however nothing
 can sustain a connection to the remote site.


A couple of possibilities: one, somehow you have a PMTUD black hole now that
wasn't there before; try changing your WAN MTU to 1400 and see if that
changes anything. Second possibility: filtering is stricter on TCP
flags in 1.2.3 than in 1.2, so if you have asymmetric routing you're
going to have problems now where you may not have before.




Re: [pfSense Support] /boot/loader.conf vs /system_advanced_sysctl.php in 2.0

2010-08-12 Thread Jim Pingle
On 8/12/2010 1:54 PM, David Burgess wrote:
 In 1.2.3 I had very good results adding the following lines to
 /boot/loader.conf while using the squid package in transparent mode:
 
 hint.apic.0.disabled=1
 kern.ipc.nmbclusters=32768
 kern.maxfiles=65536
 kern.maxfilesperproc=32768
 net.inet.ip.portrange.last=65535
 
 So far in 2.0 I have not seen that this is necessary, despite the fact that my
 connection speed has gone up by 400%. I'm not sure what these options
 do or why they helped performance in 1.2.3, but it raises a couple of
 questions for me.
 
 1. Have changes to 2.0 made the above tweaks superfluous?

Are you using squid? Usually the nmbclusters only helped in that case.
As for the others, it's hard to say. You should try them individually
and see which one actually makes the difference.

 2. If I wanted to try setting the above variables, would they still
 belong in /boot/loader.conf, or is /system_advanced_sysctl.php the
 place to put those now?

The answer is: it depends. Some values must be tuned in the loader and
cannot be changed once the system is booted. Those will still need to be
in loader.conf. The others can go in the sysctl page. Unfortunately, the
list of which can be tuned where isn't very well documented.

Jim




Re: [pfSense Support] /boot/loader.conf vs /system_advanced_sysctl.php in 2.0

2010-08-12 Thread David Burgess
On Thu, Aug 12, 2010 at 12:43 PM, Jim Pingle li...@pingle.org wrote:

 Are you using squid? Usually the nmbclusters only helped in that case.
 As for the others, it's hard to say. You should try them individually
 and see which one actually makes the difference.

Yeah, I'm running squid in transparent mode. I have CPU and RAM to
spare; I'm guessing that's what it would cost me to add these options,
so I'll try throwing them in loader.conf.

Thanks for the info.

db




RE: [pfSense Support] FW: Issues after update to 1.2.3-RELEASE

2010-08-12 Thread Austin G. Smith
Thanks for the quick response.

I am not doing any asymmetric routing.  We only have one provider link in each
location, and the internal boxes that have VPN-only access are looking at
pfSense for the default gateway.

I should have mentioned previously that I played with the MTU with no positive
result.

Also worth mentioning is that when I do a reboot on the firewall, I have to go open
a rule on each tab and save it, then apply. After I perform this on each
interface I have, the firewall log stops logging the dropped packets and the
routing ALMOST returns to normal between internal networks.  There are still
some hosts that are not able to be reached.

I have not made any changes, but rather did reboots at about the same time for one
location and the pfSense firewall, and it appears that location came up?
However the 2nd location is still having issues pulling web pages from internal
servers over the VPN tunnel.  As I stated earlier (this still holds true), I
can still port scan from remote to inside pfSense and show the ports open, ICMP
works and I can pull up the remote locations' firewalls via HTTP and HTTPS;
however nothing from the remote site to inside pfSense is working.

Is there any debugging I can turn on from pfSense in SSH to gather more info to
troubleshoot this more effectively?

Thank you,




Re: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Victor Pasten

- Original Message -
From: David Burgess apt@gmail.com
To: support@pfsense.com
Sent: Wednesday, 11 August 2010 15:56:25
Subject: Re: [pfSense Support] asterisk behind pfsense+remote sip clients

On Wed, Aug 11, 2010 at 1:53 PM, Victor Pasten vpas...@connected.cl wrote:
 Hi guys, recently I've installed an Asterisk server (in my LAN, behind pfSense
 1.2.3-release); everything is OK, except for some remote SIP extensions
 (a Polycom device and the X-Lite softphone) that periodically are losing their
 registration.

Most voip problems with pfsense can be solved here:

http://doc.pfsense.org/index.php/VoIP_Configuration

-


I've followed the instructions, but nothing...

Now I'm testing with M0n0 


SIP+NAT: bad mix






RE: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Austin G. Smith
I overcome this issue most of the time by defining your port range with Asterisk
for RTP in the rtp.conf file.  Then redirect those ports from the NAT device to
the Asterisk box inside.  Make sure you do what needs to be done for NAT
keepalive if you have states enabled.

Also, don't forget to open 5060 UDP on NAT to the inside Asterisk box.  Also
note, you can adjust the number of ports for RTP needed based on how many
phones you have.  The lower the number of phones, the lower the number of ports to
forward.

Mess with port address translation (PAT) or port forwarding, and also try 1:1
NAT if you have the public IPs to spare.

HTH,
Austin




RE: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Nathan Eisenberg
 If your Asterisk is setup correctly, the page David pointed you to has the
 solutions to all the common issues. The issue you describe is actually more
 likely to be the firewall/NAT device the phones are behind than the one your
 server is behind, probably have short UDP timeouts and your keepalive isn't
 high enough.
 

Agreed.

By the by, an easy, if hackish, fix for this tends to be to set the 
registration interval very low on the phones.  This keeps the state 
established.  I have a few environments in homes we service where this is 
literally the only reliable way to punch through the homeowners' NAT (firewalls 
they/we can't control, etc).  I've seen firewalls that need 60 second 
intervals, and some that can handle 5 or 10 minute intervals.  One of my 
platforms has a couple thousand SIP registrations from various phone/ATA 
devices, and the load generated by the registrations is completely nominal.  

On the server side of things, we're not using NAT, just routing.  Still my 
suspicion is that if you're losing registrations over time, it's a session 
state issue at the phone's end - especially if the registrations come back when 
the expire timer runs out (sip show peer xx) and the phone creates a 
new connection to register itself.

Nathan Eisenberg





Re: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Victor Pasten

- Original Message -
From: Austin G. Smith asm...@neweffectit.com
To: support@pfsense.com
Sent: Thursday, 12 August 2010 15:32:55
Subject: RE: [pfSense Support] asterisk behind pfsense+remote sip clients

I overcome this issue most of the time by defining your port range with Asterisk
for RTP in the rtp.conf file.  Then redirect those ports from the NAT device to
the Asterisk box inside.  Make sure you do what needs to be done for NAT
keepalive if you have states enabled.

Also, don't forget to open 5060 UDP on NAT to the inside Asterisk box.  Also
note, you can adjust the number of ports for RTP needed based on how many
phones you have.  The lower the number of phones, the lower the number of ports to
forward.

Mess with port address translation (PAT) or port forwarding, and also try 1:1
NAT if you have the public IPs to spare.



My PAT is:

5060  - asterisk(ip_internal)
1-2 - asterisk(ip_internal)
4569  - asterisk(ip_internal)


NAT 1:1 is impossible; we've only 1 public IP address.







RE: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Austin G. Smith
Looks like you got it right.  IAX works well with NAT to overcome some of the
headaches of SIP.  As stated by some of the others, it does sound like a
keepalive issue at this point; your config checks out.

As previously stated, check the SIP registration time and the keepalive
timeout.  Depending on the phone you use, it could very well have some
NAT-friendly settings too.





Re: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Victor Pasten

- Original Message -
From: Chris Buechler cbuech...@gmail.com
To: support@pfsense.com
Sent: Thursday, 12 August 2010 15:33:44
Subject: Re: [pfSense Support] asterisk behind pfsense+remote sip clients

On Wed, Aug 11, 2010 at 3:53 PM, Victor Pasten vpas...@connected.cl wrote:

 I've investigated, I tried with several tricks, but apparently the management 
 of pfsense with nat+sip+udp is not compliant with asterisk


 That's not true in the least, there are a number of VoIP providers who
deploy nothing but pfsense for their clients, and run it in front of
their servers, and use Asterisk. Hundreds of boxes I'm aware of like
that just between a handful of our customers in such scenarios, which
comprise a tiny percentage of the overall user base.

If your Asterisk is setup correctly, the page David pointed you to has
the solutions to all the common issues. The issue you describe is
actually more likely to be the firewall/NAT device the phones are
behind than the one your server is behind, probably have short UDP
timeouts and your keepalive isn't high enough.

-



Maybe... with m0n0wall, the same problem...

320/320  186.40.x.x  D  N  A  48776  UNREACHABLE


My sip_nat.conf:

nat=yes
externip=201.xx.xx.xx
localnet=192.168.0.0/255.255.255.0
localnet=192.168.200.0/255.255.255.0
localnet=172.16.30.0/255.255.255.0
externrefresh=120

rtp.conf:

rtpstart=1
rtpend=2


But what more must I do in my Asterisk server?




Re: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Tim Nelson
- Victor Pasten vpas...@connected.cl wrote:
 - Original Message -
 From: Chris Buechler cbuech...@gmail.com
 To: support@pfsense.com
 Sent: Thursday, 12 August 2010 15:33:44
 Subject: Re: [pfSense Support] asterisk behind pfsense+remote sip
 clients
 
 On Wed, Aug 11, 2010 at 3:53 PM, Victor Pasten vpas...@connected.cl
 wrote:
 
  I've investigated, I tried with several tricks, but apparently the
 management of pfsense with nat+sip+udp is not compliant with asterisk
 
 
  That's not true in the least, there are a number of VoIP providers
 who
 deploy nothing but pfsense for their clients, and run it in front of
 their servers, and use Asterisk. Hundreds of boxes I'm aware of like
 that just between a handful of our customers in such scenarios, which
 comprise a tiny percentage of the overall user base.
 
 If your Asterisk is setup correctly, the page David pointed you to
 has
 the solutions to all the common issues. The issue you describe is
 actually more likely to be the firewall/NAT device the phones are
 behind than the one your server is behind, probably have short UDP
 timeouts and your keepalive isn't high enough.
 
 -
 
 
 
 Maybe... with m0n0wall, the same problem...

 320/320  186.40.x.x  D  N  A  48776  UNREACHABLE


 My sip_nat.conf:

 nat=yes
 externip=201.xx.xx.xx
 localnet=192.168.0.0/255.255.255.0
 localnet=192.168.200.0/255.255.255.0
 localnet=172.16.30.0/255.255.255.0
 externrefresh=120

 rtp.conf:

 rtpstart=1
 rtpend=2


 But what more must I do in my Asterisk server?
 

Set nat=yes for peer 320.

--Tim




Re: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Chris Buechler
On Thu, Aug 12, 2010 at 4:59 PM, Victor Pasten vpas...@connected.cl wrote:

 But what more must I do in my Asterisk server?


Probably nothing given the symptoms, see previous comments on the
problem being what your phones are behind, not what your server is
behind.
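A consistency check for the server-side settings this thread walks through (Austin's RTP range and 5060/UDP forwards, Tim's nat=yes per peer, the externip/localnet lines in Victor's sip_nat.conf), written as an added example for this page rather than taken from Asterisk, pfSense or any poster. The config text, peer names, the 203.0.113.10 and 192.168.0.5 addresses and the forward list are constructed samples; the peer-inherits-[general] rule is chan_sip behaviour, the rest is plain range arithmetic.

```python
"""Check Asterisk NAT settings against the NAT device's UDP port forwards."""
from __future__ import annotations
from collections import defaultdict

def parse_asterisk_conf(text: str) -> dict[str, list[tuple[str, str]]]:
    """Tiny parser for Asterisk's ini-style files: keeps duplicate keys
    (localnet is repeated), drops ';' comments and skips '(!)' templates."""
    sections: dict[str, list[tuple[str, str]]] = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            header, rest = line[1:].split("]", 1)
            current = None if "(!)" in rest else header.strip()
            if current is not None:
                sections[current]          # register even if the section stays empty
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            if value.startswith(">"):      # "key => value" spelling
                value = value[1:]
            sections[current].append((key.strip(), value.strip()))
    return dict(sections)

def first(pairs, key, default=None):
    """Value of the first occurrence of key, or default."""
    return next((v for k, v in pairs if k == key), default)

def merged_udp_ranges(forwards, target):
    """Merge overlapping or adjacent UDP forwards that land on target."""
    spans = sorted((lo, hi) for proto, lo, hi, dst in forwards
                   if proto == "udp" and dst == target)
    merged: list[tuple[int, int]] = []
    for lo, hi in spans:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def covered(ranges, lo, hi):
    return any(a <= lo and hi <= b for a, b in ranges)

def check_nat_setup(sip_conf, rtp_conf, forwards, asterisk_ip):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    sip = parse_asterisk_conf(sip_conf)
    general = sip.get("general", [])
    if first(general, "nat") != "yes":
        findings.append("[general]: nat is not 'yes'")
    if not first(general, "externip"):
        findings.append("[general]: externip missing; SDP will advertise the private address")
    if not any(k == "localnet" for k, _ in general):
        findings.append("[general]: no localnet; LAN and remote peers cannot be told apart")
    # chan_sip: a peer inherits [general] values unless it sets them itself
    for name, pairs in sip.items():
        if name in ("general", "authentication"):
            continue
        effective = first(pairs, "nat", first(general, "nat"))
        if effective != "yes":
            findings.append(f"peer {name}: effective nat={effective}; set nat=yes for this peer")
    rtp = parse_asterisk_conf(rtp_conf).get("general", [])
    lo, hi = int(first(rtp, "rtpstart", 0)), int(first(rtp, "rtpend", 0))
    if not 1024 <= lo < hi <= 65535:
        findings.append(f"rtp.conf: RTP range {lo}-{hi} is not usable")
    ranges = merged_udp_ranges(forwards, asterisk_ip)
    if not covered(ranges, 5060, 5060):
        findings.append(f"firewall: 5060/udp is not forwarded to {asterisk_ip}")
    if not covered(ranges, lo, hi):
        findings.append(f"firewall: RTP range {lo}-{hi}/udp is not fully forwarded "
                        f"to {asterisk_ip} (forwarded: {ranges})")
    return findings

# Constructed samples: sip_nat.conf content folded into sip.conf [general],
# one peer that overrides nat, addresses from the RFC 5737 / RFC 1918 ranges.
SAMPLE_SIP_CONF = """\
[general]
context=from-sip
nat=yes
externip=203.0.113.10       ; constructed public address
localnet=192.168.0.0/255.255.255.0
localnet=172.16.30.0/255.255.255.0
externrefresh=120

[320]
type=friend
host=dynamic
nat=no                      ; overrides [general]: this remote phone will flap

[321]
type=friend
host=dynamic
"""
SAMPLE_RTP_CONF = "[general]\nrtpstart=10000\nrtpend=20000\n"
ASTERISK_IP = "192.168.0.5"
# (proto, first port, last port, internal target): constructed pfSense NAT entries
SAMPLE_FORWARDS = [("udp", 5060, 5060, ASTERISK_IP),
                   ("udp", 10000, 15000, ASTERISK_IP),
                   ("udp", 4569, 4569, ASTERISK_IP)]

if __name__ == "__main__":
    for line in check_nat_setup(SAMPLE_SIP_CONF, SAMPLE_RTP_CONF, SAMPLE_FORWARDS, ASTERISK_IP):
        print(line)
```

On the sample it reports peer 320 overriding nat and the upper half of the RTP range not being forwarded; it says nothing about the phone-side NAT timeouts, which is where Chris and Nathan place the actual fault.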




[pfSense Support] freeswitch help

2010-08-12 Thread Ryan L. Rodrigue
I am playing around with the freeswitch package a little and am slightly
confused.  I am trying to make it work with a broadvox sip service that
we have.  
1.  Broadvox is set to go out of a certain ISP that we have on interface
opt1.  I don't see anywhere in the setting to specify this.  
2.  I assume I should put the broadvox settings in the gateways tab as a
new gateway. Am I correct in this?  
3.  Broadvox said they don't need a user name or password, just the
proper IP address.  Is it ok to leave those fields blank?  
 
Thanks for your help, Ryan
 
 
 


Re: [pfSense Support] freeswitch help

2010-08-12 Thread David Burgess
On Thu, Aug 12, 2010 at 3:35 PM, Ryan L. Rodrigue
radiote...@aaremail.com wrote:

 1.  Broadvox is set to go out of a certain ISP that we have on interface
 opt1.  I don't see anywhere in the setting to specify this.

Create a pass rule on the internal interface, selecting OPT1 as the gateway.

 2.  I assume I should put the broadvox settings in the gateways tab as a new
 gateway. Am I correct in this?

You mean http://pfsense/system_gateways.php? Here you should see the
interfaces' gateways, i.e., the ISP next hop. Once it is entered here
you can choose it as your gateway when creating a pass rule above.

 3.  Broadvox said they don't need a user name or password, just the proper
 IP address.  Is it ok to leave those fields blank?

Not sure, as I've always used them.

You may find the freeswitch support a little better on the pfsense
packages forum. I don't know if the maintainer is on this list.
Another good place to go is IRC #fusionpbx (similar project, same
folks).

db




RE: [pfSense Support] freeswitch help

2010-08-12 Thread Ryan
 On Thu, Aug 12, 2010 at 3:35 PM, Ryan L. Rodrigue 
 radiote...@aaremail.com wrote:
 
  1.  Broadvox is set to go out of a certain ISP that we have on 
  interface opt1.  I don't see anywhere in the setting to 
 specify this.
 
 Create a pass rule on the internal interface, selecting OPT1 
 as the gateway.

So the FreeSWITCH binds to the LAN interface by default?

 
  2.  I assume I should put the broadvox settings in the 
 gateways tab as 
  a new gateway. Am I correct in this?
 
 You mean http://pfsense/system_gateways.php? Here you should 
 see the interfaces' gateways, i.e., the ISP next hop. Once it 
 is entered here you can choose it as your gateway when 
 creating a pass rule above.
 

Sorry,  Freeswitch gateways tab.  I do believe I am correct on this.


  3.  Broadvox said they don't need a user name or password, just the 
  proper IP address.  Is it ok to leave those fields blank?
 
 Not sure, as I've always used them.
 
 You may find the freeswitch support a little better on the 
 pfsense packages forum. I don't know if the maintainer is on 
 this list.
 Another good place to go is IRC #fusionpbx (similar project, 
 same folks).
 
 db

Thank you for your help.





Re: [pfSense Support] freeswitch help

2010-08-12 Thread David Burgess
On Thu, Aug 12, 2010 at 4:22 PM, Ryan radiote...@aaremail.com wrote:

 So The freswitch binds to the lan interface by default?

Oh, right. Sorry. I forgot one of the reasons I moved my freeswitch
install from pfsense to a LAN host is because one of the limitations
in 1.2.3 was not being able to create firewall or shaper rules for
packets originating on pfsense itself. I'm not sure there's a solution
for this.

 Sorry,  Freeswitch gateways tab.  I do believe I am correct on this.

You are correct.

db




[pfSense Support] question on blocks SSH connections

2010-08-12 Thread Cinaed Simson
Hi - suppose the office LAN has one open outbound port - say IMAP on
port 143.

I go home and configure my Linux desktop to run a SSH server on port 143.

Now I return to the office and attempt to connect to my machine at home
via port 143.

Can pfsense be configured to stop the outbound SSH connection on port 143?

Thank you.

-- Ken


-- 

We are drowning in information and starving for knowledge.

 - Rutherford D. Roger





Re: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread David Burgess
On Thu, Aug 12, 2010 at 4:29 PM, Cinaed Simson cinaed.sim...@gmail.com wrote:
 Hi - suppose the office LAN has one open outbound port - say IMAP on
 port 143.

 I go home and configure my Linux desktop to run a SSH server on port 143.

 Now I return to the office and attempt to connect to my machine at home
 via port 143.

 Can pfsense be configured to stop the outbound SSH connection on port 143?

Just to clarify, pfsense is the office edge firewall and it's only
allowing outbound connections to port 143? And you want to continue to
allow those outbound connections, but not to some ssh server on the
internet that is listening on that port?

This is easy enough if you know the IP address or block of that ssh
server. Otherwise, you might have to be a little more clever about it.

db




Re: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread Cinaed Simson
On 08/12/2010 03:35 PM, David Burgess wrote:
 On Thu, Aug 12, 2010 at 4:29 PM, Cinaed Simson cinaed.sim...@gmail.com 
 wrote:
 Hi - suppose the office LAN has one open outbound port - say IMAP on
 port 143.

 I go home and configure my Linux desktop to run a SSH server on port 143.

 Now I return to the office and attempt to connect to my machine at home
 via port 143.

 Can pfsense be configured to stop the outbound SSH connection on port 143?
 
 Just to clarify, pfsense is the office edge firewall and it's only
 allowing outbound connections to port 143? And you want to continue to
 allow those outbound connections, but not to some ssh server on the
 internet that is listening on that port?

Correct.

 This is easy enough if you know the IP address or block of that ssh
 server. Otherwise, you might have to be a little more clever about it.

I don't know the IP addresses of the SSH servers on the Internet.

-- Cinaed




RE: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread Tim Dickson
I don't know the IP addresses of the SSH servers on the Internet.

Then only allow to the SSH servers you know/want?  You can go either way... 
block all and allow only certain IPs
Or allow all, and block certain IPs
On 2.0 you can block by OS type too...



Re: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread David Burgess
On Thu, Aug 12, 2010 at 4:44 PM, Tim Dickson
tdick...@aubergeresorts.com wrote:

 Then only allow to the SSH servers you know/want?  You can go either way... 
 block all and allow only certain IPs
 Or allow all, and block certain IPs

A whitelist will work if he knows the IPs that he wants to allow.
Otherwise, how does pfsense know whether you're connecting to an imap
server on port 143 or an ssh server on port 143?

 On 2.0 you can block by OS type too...

Source OS, but not destination. You could perhaps filter the ssh
server as a source OS if you override the rule to allow established
states, but does pfsense allow that? Not in the web UI for sure.

db




Re: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread RB
On Thu, Aug 12, 2010 at 16:29, Cinaed Simson cinaed.sim...@gmail.com wrote:
 Hi - suppose the office LAN has one open outbound port - say IMAP on
 port 143.

 I go home and configure my Linux desktop to run a SSH server on port 143.

 Now I return to the office and attempt to connect to my machine at home
 via port 143.

 Can pfsense be configured to stop the outbound SSH connection on port 143?

It's just a war of escalation.  You can do layer-7 filtering to pick
off basic abuses like this, but what if someone's really determined
and writes an IMAP-based transport for their shell?  The standard IMAP
port supports switching to an encrypted mode post-connection.  My
personal favorite was the shell that used a custom SMTP transport
layer - that one was nasty.  Don't forget IP-over-DNS either.  :)

Pretty much any port you allow out (or even SSL websites) raw will
have this problem and you'll never reach 100% closure.  You can
approximate 100% with application proxies that monitor for and cut off
aberrant behavior, but they'll never be perfect.




Re: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread Cinaed Simson
On 08/12/2010 03:44 PM, Tim Dickson wrote:
 I don't know the IP addresses of the SSH servers on the Internet.
 
 Then only allow to the SSH servers you know/want?  You can go either way... 
 block all and allow only certain IPs
 Or allow all, and block certain IPs
 On 2.0 you can block by OS type too...
 
I need to block all outbound SSH client connections to the Internet on
all open outbound ports without interfering with the normal function of
those ports.


-- Cinaed

-- 

We are drowning in information and starving for knowledge.

 - Rutherford D. Roger





RE: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread Nathan Eisenberg
Then you need a deny rule on your LAN interface that says 'DENY SOURCE LANNET 
DEST PORT 22'.

 -Original Message-
 From: Cinaed Simson [mailto:cinaed.sim...@gmail.com]
 Sent: Thursday, August 12, 2010 5:14 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] question on blocks SSH connections
 
 On 08/12/2010 03:44 PM, Tim Dickson wrote:
  I don't know the IP addresses of the SSH servers on the Internet.
 
  Then only allow to the SSH servers you know/want?  You can go either
  way... block all and allow only certain IPs Or allow all, and block
  certain IPs On 2.0 you can block by OS type too...
 
 I need to block all outbound SSH client connections to the Internet on all 
 open
 outbound ports without interfering with the normal function of those 
 ports.
 
 
 -- Cinaed
 
 --
 
   We are drowning in information and starving for knowledge.
 
- Rutherford D. Roger
 
 



Re: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread Chris Buechler
On Thu, Aug 12, 2010 at 8:13 PM, Cinaed Simson cinaed.sim...@gmail.com wrote:
 On 08/12/2010 03:44 PM, Tim Dickson wrote:
 I don't know the IP addresses of the SSH servers on the Internet.

 Then only allow to the SSH servers you know/want?  You can go either way... 
 block all and allow only certain IPs
 Or allow all, and block certain IPs
 On 2.0 you can block by OS type too...

 I need to block all outbound SSH client connections to the Internet on
 all open outbound ports without interfering with the normal function of
 those ports.


Then you either need to start working with the L7 bits in 2.0 (offhand
not sure what kind of shape that's in at the moment) for protocol
detection, or force all outbound traffic to go through a proxy server
that enforces protocols. There is nothing in 1.2.x that can
differentiate between IMAP on 143 and SSH on 143.

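Added example, not code from any post in this thread: the kind of protocol-greeting check an L7 filter or enforcing proxy needs in order to tell SSH on 143 from IMAP on 143 (Chris's point), and why RB's "war of escalation" caveat still applies. The sample greetings are constructed; the function and rule names are hypothetical.

```python
import re

# Constructed sample payloads: the first bytes a server sends after the TCP
# handshake on port 143. These are example data, not captures from the list.
SAMPLES = {
    "imap_server": b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.\r\n",
    "ssh_on_143": b"SSH-2.0-OpenSSH_5.5p1 Debian-4\r\n",
    "tls_hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}

# RFC 4253: both SSH peers open with "SSH-protoversion-softwareversion",
# so the banner identifies the session in either direction.
SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-\S+")
# RFC 3501: an IMAP server greets with an untagged OK, PREAUTH or BYE.
IMAP_GREETING = re.compile(rb"^\* (OK|PREAUTH|BYE)\b")


def classify_first_bytes(first_bytes: bytes) -> str:
    """Identify the protocol from the initial greeting, ignoring the port.

    Port number alone cannot separate SSH on 143 from IMAP on 143; the
    cleartext greeting can, as long as the endpoints do not disguise it.
    """
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    if IMAP_GREETING.match(first_bytes):
        return "imap"
    # A TLS record, a binary tunnel or a custom transport cannot be named from
    # the greeting. This is the escalation limit from the thread: a shell wrapped
    # in an IMAP-looking STARTTLS session, SMTP or DNS passes this check.
    return "unknown"


def l7_rule_decision(port: int, first_bytes: bytes) -> str:
    """Hypothetical L7-aware rule: pass IMAP on its port, block anything that
    identifies as SSH, and log unknowns for review instead of silently passing."""
    proto = classify_first_bytes(first_bytes)
    if proto == "ssh":
        return "block"
    if port == 143 and proto == "imap":
        return "pass"
    return "log"


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12s} -> {classify_first_bytes(payload):8s} "
              f"rule: {l7_rule_decision(143, payload)}")
```

The "log" outcome is where the proxy approach earns its keep: unknown traffic on an allowed port is exactly what a policy of "approximate 100%" has to surface for a human to look at.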



Re: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread Cinaed Simson
On 08/12/2010 03:51 PM, RB wrote:
 On Thu, Aug 12, 2010 at 16:29, Cinaed Simson cinaed.sim...@gmail.com wrote:
 Hi - suppose the office LAN has one open outbound port - say IMAP on
 port 143.

 I go home and configure my Linux desktop to run an SSH server on port 143.

 Now I return to the office and attempt to connect to my machine at home
 via port 143.

 Can pfsense be configured to stop the outbound SSH connection on port 143?
 
 It's just a war of escalation.  You can do layer-7 filtering to pick
 off basic abuses like this, but what if someone's really determined
 and writes an IMAP-based transport for their shell?  The standard IMAP
 port supports switching to an encrypted mode post-connection.  My
 personal favorite was the shell that used a custom SMTP transport
 layer - that one was nasty.  Don't forget IP-over-DNS either.  :)
 
 Pretty much any port you allow out (or even SSL websites) raw will
 have this problem and you'll never reach 100% closure.  You can
 approximate 100% with application proxies that monitor for and cut off
 aberrant behavior, but they'll never be perfect.

Thanks for the comments.

I agree and we do have a Squid proxy but we use SSH internally on all
the machines.

And we trained everyone to use SSH to access the office from home. We're
replacing SSH with Oracle's Secure Global Desktop using HTTPS.

fwsnort appears to have a solution but it only runs under iptables on
Linux - I was hoping to avoid iptables.




-- 

We are drowning in information and starving for knowledge.

 - Rutherford D. Roger





Re: [pfSense Support] FW: Issues after update to 1.2.3-RELEASE

2010-08-12 Thread Seth Mos
Hi,

Do you have a firewall rule that allows traffic on the IPsec interface under 
firewall rules?

Regards,

Seth

On 12 Aug 2010, at 20:17, Austin G. Smith wrote:

  
 I just performed an update on a 1.2.0-RELEASE-FULL firewall last night. 
  
 Today we started having issues with traffic being denied from IPSEC VPN sites 
 outside of the internal pfsense networks.  However, traffic is passing fine 
 from inside pfsense to the external IPSEC VPN sites.  I can port scan from a 
 remote site to inside pfsense and show open ports, however nothing can 
 sustain a connection to the remote site.
  
 From what I can tell, it appears that pfSense is not loading all of the 
 rules.  I ONLY have a pass any rule for all of the internal networks, but yet 
 traffic is getting denied.  The offending rule that generates the log entry 
 is “default drop all”.
  
  
 Also, the dynamic view for the firewall rules is not functioning either…
  
  
 Any help is mucho appreciated!
  
 Austin Smith, A+, NET+, SMBE, MCSA
 (770) 543-0444 Direct Line