[pfSense Support] Allow exe from a site only

2011-02-01 Thread Shali K.R.
Dear all,

I have blocked exe using squidGuard. Is it possible to allow exes only from
microsoft.com?

-- 
Thanks & Regards

Shali K R
Server Administrator
Vidya Academy of Science & Technology
Thrissur, Kerala.
Mob:9846303531


[pfSense Support] Can't build Regular ISO either

2011-02-01 Thread Mark Jones
Since I learned yesterday that the dev ISO is no longer used, I tried to build 
a regular ISO and the output of doing that is below.  I'm trying to build 1.2.3 
on 7.2 because this is going into a production environment and based on what I 
see 2.0 is still beta.

I see on the forums 
http://forum.pfsense.org/index.php?action=post;topic=32678.0;num_replies=5 
someone else is having the same problem and hasn't figured it out yet either.  
I'm guessing part of the problem is that there is a desire for pecl-APC which 
won't be built with PHP4.  When I try to replace PHP4 with PHP5, it fails for 
other reasons.  Looking at the other errors, it's almost like the entire PHP 
setup is messed up in the source, but since 1.2.3 is supposed to be stable and 
released, this doesn't make sense.



 Fetching BSDInstaller using CVSUP...
 Updating BSDInstaller collection...Done!
cp: directory /usr/home/pfsense/tools/builder_scripts/../../installer/installer/scripts/build does not exist
.: Can't open ./pfsense_local.sh: No such file or directory
 Setting CVSUp host to cvsup17.freebsd.org
 Removing needed files listed in patches.RELENG_7_2 RELENG_1_2
 Obtaining FreeBSD sources RELENG_7_2-supfile...Done!
 Removing old patch rejects...
 Applying patches from /usr/home/pfsense/tools/builder_scripts/../builder_scripts/patches.RELENG_7_2 please wait...Done!
 Finding patch rejects...
 Updating pfSense GIT repo...
 Cloning http://gitweb.pfsense.org/pfsense/mainline.git / RELENG_1_2...Done!
 Using GIT to checkout RELENG_1_2
 Checking out tag RELENG_1_2...Done!
 Making sure we are in the right branch... [OK] (RELENG_1_2)
 Creating tarball of checked out contents...Done!
 Preparing object directory...
 Building world and kernels for ISO... 7  RELENG_7_2 ...
 Building world for i386 architecture...
 World build started on Tue Feb  1 00:40:16 CST 2011
 Rebuilding the temporary build tree
 stage 1.1: legacy release compatibility shims
 stage 1.2: bootstrap tools
 stage 2.2: rebuilding the object tree
 stage 2.3: build tools
 stage 3: cross tools
 stage 4.1: building includes
 stage 4.2: building libraries
 stage 4.3: make dependencies
 stage 4.4: building everything
 World build completed on Tue Feb  1 01:25:37 CST 2011
 Ensuring that the btxld problem does not happen on subsequent runs...
 Installing world for i386 architecture...
 Making hierarchy
 Installing everything
 Building all extra kernels... 7  RELENG_7_2 ...
 Building uniprocessor kernel...
 Not adding D-Trace to Kernel...
 KERNCONFDIR: /usr/pfSensesrc/src/sys/i386/conf
 ARCH:i386
 SRC_CONF:src.conf.7
 Kernel build for pfSense.7 started on Tue Feb  1 01:27:11 CST 2011
 stage 1: configuring the kernel
 stage 2.2: rebuilding the object tree
 stage 2.3: build tools
 stage 3.1: making dependencies
 stage 3.2: building everything
 Kernel build for pfSense.7 completed on Tue Feb  1 01:36:55 CST 2011
 Installing uniprocessor kernel...
 Installing kernel
 Executing cd /tmp/kernels/uniprocessor/boot/kernel
 Building embedded kernel...
 Not adding D-Trace to Kernel...
 KERNCONFDIR: /usr/pfSensesrc/src/sys/i386/conf
 ARCH:i386
 SRC_CONF:src.conf.7
 Kernel build for pfSense_wrap.7.i386 started on Tue Feb  1 01:37:12 CST 2011
 stage 1: configuring the kernel
 stage 2.2: rebuilding the object tree
 stage 2.3: build tools
 stage 3.1: making dependencies
 stage 3.2: building everything
 Kernel build for pfSense_wrap.7.i386 completed on Tue Feb  1 01:45:41 CST 2011
 Installing wrap kernel...
 Installing kernel
 Executing cd /tmp/kernels/wrap/boot/kernel
 Building embedded dev kernel...
 Not adding D-Trace to Kernel...
 KERNCONFDIR: /usr/pfSensesrc/src/sys/i386/conf
 ARCH:i386
 SRC_CONF:src.conf.7
 Kernel build for pfSense_wrap_Dev.7.i386 started on Tue Feb  1 01:45:51 CST 2011
 stage 1: configuring the kernel
 stage 2.2: rebuilding the object tree
 stage 2.3: build tools
 stage 3.1: making dependencies
 stage 3.2: building everything
 Kernel build for pfSense_wrap_Dev.7.i386 completed on Tue Feb  1 01:54:10 CST 2011
 Installing wrap Dev kernel...
 Installing kernel
 Executing cd /tmp/kernels/wrap_Dev/boot/kernel
 Building Developers kernel...
 Not adding D-Trace to Kernel...
 KERNCONFDIR: /usr/pfSensesrc/src/sys/i386/conf
 ARCH:i386
 SRC_CONF:src.conf.7
 Kernel build for pfSense_Dev.7 started on Tue Feb  1 01:54:20 CST 2011
 stage 1: configuring the kernel
 stage 2.2: rebuilding the object tree
 stage 2.3: build tools
 stage 3.1: making dependencies
 stage 3.2: building everything
 Kernel build for pfSense_Dev.7 completed on Tue Feb  1 02:03:49 CST 2011
 Installing Developers kernel...
 Installing kernel
 Executing cd /tmp/kernels/developers/boot/kernel
 Building SMP kernel...
 Not adding D-Trace to Kernel...
 KERNCONFDIR: /usr/pfSensesrc/src/sys/i386/conf
 ARCH:i386
 SRC_CONF:src.conf.7
 Kernel build for pfSense_SMP.7 started on Tue Feb  1 02:04:07 CST 2011
 stage 1: configuring 

Re: [pfSense Support] Can't build Regular ISO either

2011-02-01 Thread Jim Pingle
On 2/1/2011 7:48 AM, Mark Jones wrote:
> Since I learned yesterday that the dev ISO is no longer used, I tried to
> build a regular ISO and the output of doing that is below.  I'm trying
> to build 1.2.3 on 7.2 because this is going into a production
> environment and based on what I see 2.0 is still beta.
>
> I see on the forums
> http://forum.pfsense.org/index.php?action=post;topic=32678.0;num_replies=5
> someone else is having the same problem and hasn't figured it out yet
> either.  I'm guessing part of the problem is that there is a desire for
> pecl-APC which won't be built with PHP4.  When I try to replace PHP4
> with PHP5, it fails for other reasons.  Looking at the other errors,
> it's almost like the entire PHP setup is messed up in the source, but
> since 1.2.3 is supposed to be stable and released, this doesn't make sense.

Did you notice if there were errors during the port build process?
(build_pfPorts.sh)

Last time I tried a fresh 7.2 build, PHP4 wasn't building properly,
which could lead to the errors you are seeing.

Jim

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense Support] Can't build Regular ISO either

2011-02-01 Thread Mark Jones
They were blocked by the do_not_build_pfPorts, but I removed that file and 
started the build.  I'm seeing things like

 Building choparp...
*** Error code 1
*** Error code 1

Is there some easy way to turn on verbose logging so I get more than just Error 
code 1?

I come from a Linux background more so than FreeBSD.





RE: RE: [pfSense Support] Can't build Regular ISO either

2011-02-01 Thread Mark Jones
Another error is a missing dprintf which appears to come from glibc and is 
found on linux.  I did have the installer load the linux binary compatibility, 
but is there some other port I need to load to make dprintf be present?




[pfSense Support] dPrintf, the real story

2011-02-01 Thread Mark Jones

HISTORY
  The dprintf() and vdprintf() functions were added in FreeBSD 8.0.

So, this means I can't build 1.2.3 on 7.2 any longer!  I would assume that 
setting the version # to 1.2.3 would pull the right branch of the source, but I 
guess using the menu, I actually just picked RELENG_1_2 or RELENG_7_2, which 
appears to set:

RELENG_7_2)
    echo "Setting builder environment to use RELENG_1.2.3-REL w/ FreeBSD 7.2 ..."
    export FREEBSD_VERSION=7
    export FREEBSD_BRANCH=RELENG_7_2
    export SUPFILE=${BUILDER_TOOLS}/builder_scripts/${FREEBSD_BRANCH}-supfile
    export PFSENSE_VERSION=1.2.3
    export PFSENSETAG=RELENG_1_2
    export PFSPATCHFILE=${BUILDER_TOOLS}/builder_scripts/patches.RELENG_7_2
    export CUSTOM_COPY_LIST=${BUILDER_TOOLS}/builder_scripts/copy.list.RELENG_1_2
    export PFSPATCHDIR=${BUILDER_TOOLS}/patches/RELENG_7_2
    export PFSPORTSFILE=buildports.RELENG_1_2
    export EXTRA_DEVICES=${EXTRA_DEVICES:-}
    set_items
    ;;

What gives here?  Is 1.2.3 really broken now under 7.2, or is there some 
other branch I should be pulling code from?




Re: RE: [pfSense Support] Can't build Regular ISO either

2011-02-01 Thread Vick Khera
On Tue, Feb 1, 2011 at 11:36 AM, Mark Jones mjo...@imagehawk.com wrote:
> Another error is a missing dprintf which appears to come from glibc and is 
> found on linux.  I did have the installer load the linux binary 
> compatibility, but is there some other port I need to load to make dprintf be 
> present?

What specific software are you trying to compile that requires linux
compatibility libraries?  The only modern software that I can think of
to want to run that doesn't build natively on freebsd is apache qpid.

In any case, to build linux binaries, you need to install the full
linux build tool set, usually red hat RPMs of those will suffice. You
can't use the freebsd build tools to build linux binaries.




Re: [pfSense Support] Allow exe from a site only

2011-02-01 Thread Serg

Hello.
Yes, it's possible.
You must create a first Destination category that allows EXE from M$ and 
allow it as a whitelist in the ACL.
You also need to create a second Destination category that blocks EXE from any site.

Regards
Sergey
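As an added worked example, not part of Sergey's reply and not the pfSense squidGuard package's own configuration, here is a squidGuard.conf fragment that implements the two destination categories he describes: one matching executables served from microsoft.com, which the ACL passes, and one matching executables from anywhere, which the ACL blocks. The dbhome and logdir paths, the category names, the regular expressions and the redirect URL are all assumptions; on pfSense the same categories and ACL are entered in the squidGuard package UI (Target categories and the Common ACL), which writes the file for you.

```conf
# Added example, not from Sergey's reply or the pfSense squidGuard package:
# a squidGuard.conf fragment with the two destination categories he describes.
# dbhome, logdir, category names, expressions and the redirect URL are assumptions.
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Category 1: executables served from microsoft.com (or a subdomain of it).
# An expression is matched against the URL, so host and extension are checked
# together; a plain domainlist would have matched every microsoft.com URL,
# executable or not. The optional scheme prefix keeps the pattern working
# whether or not the matched string carries "http://".
# File ms-exe/expressions (relative to dbhome) contains the single line:
#   ^([a-z]+://)?([a-z0-9-]+\.)*microsoft\.com/.*\.exe(\?.*)?$
dest ms-exe {
    expressionlist ms-exe/expressions
    log ms-exe.log
}

# Category 2: executables from anywhere.
# File any-exe/expressions contains the single line:
#   \.exe(\?.*)?$
dest any-exe {
    expressionlist any-exe/expressions
    log any-exe.log
}

acl {
    default {
        # Evaluated left to right, first match wins: the whitelist category must
        # come before the "!any-exe" block entry or it is never reached.
        pass ms-exe !any-exe all
        redirect http://proxy.example.internal/blocked.html
    }
}
```

Two checks worth doing after applying it. First, test the ordering offline by feeding squidGuard a request line in the redirector format Squid uses (`URL client/- ident method`): `echo "http://download.microsoft.com/x/y.exe 10.0.0.5/- - GET" | squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf -d` should print an empty line (pass), and the same with a non-Microsoft host should print the redirect URL. Second, keep in mind what this rule does not cover: it matches the URL, not the file, so a renamed executable passes, and HTTPS downloads only reach squidGuard as a CONNECT to host:port, so the extension is invisible there. Watch any-exe.log for Microsoft downloads that redirect to a CDN host outside microsoft.com; those will be blocked by the second category until the first expression is extended.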

[pfSense Support] pfsense and DDOS

2011-02-01 Thread David Burgess
An article popped up on /. today, and although it's a poorly written
article, some of the ensuing discussion did provoke some thought.

http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse

I think the article is mostly just scare marketing, but it raises the
question of how a firewall would best react to a DDOS scenario. I
recently read a page in the pfsense docs (can't find it in the wiki or
FAQ now), which I believe quoted the pfsense book (don't have it),
where cmb states that pfsense is the best open source firewall, and
one of the best firewalls at handling DDOS attacks.

So the thing I'm wondering now, is best practice in terms of hardening
pfsense against DDOS. Acknowledging that DDOS is best handled in
cooperation with your provider, what can we do at our end? Or are the
default firewall settings pretty tight in that regard? Is there
anything one might do that would inadvertently expose one's pfsense to
DDOS-related troubles?

db




[pfSense Support] Re: pfsense and DDOS

2011-02-01 Thread David Burgess
On Tue, Feb 1, 2011 at 12:25 PM, David Burgess apt@gmail.com wrote:

> I recently read a page in the pfsense docs (can't find it in the wiki or
> FAQ now), which I believe quoted the pfsense book (don't have it),
> where cmb states that pfsense is the best open source firewall, and
> one of the best firewalls at handling DDOS attacks.

ok, found it.

http://forum.pfsense.org/index.php?topic=10471.msg%msg_id%

db




[pfSense Support] Buttons or menu options

2011-02-01 Thread Atkins, Dwane P
Good afternoon all.

When I click on certain buttons or options, I will get the source code instead 
of results.

The latest was http://10.10.10.10/reboot.php.  I clicked on the reboot menu 
option and it gave me source code.

Is there a way to stop this?

Dwane



Re: [pfSense Support] pfsense and DDOS

2011-02-01 Thread Charles N Wyble

On 02/01/2011 11:25 AM, David Burgess wrote:
> An article popped up on /. today, and although it's a poorly written
> article, some of the ensuing discussion did provoke some thought.
>
> http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse

Firewalls do make DDOS attacks worse in front of a large web farm. The
state tables get exhausted very quickly. The various large web farms out
there don't have a firewall in front of them. Just run limited ports.

Of course they also have load balancers, packet sprayers, CDN etc. Not
your typical environment.



 
 
> So the thing I'm wondering now, is best practice in terms of hardening
> pfsense against DDOS.

If it's a well executed DDOS, they can take you out with just a few
thousand pps. Just gotta know how to flood the session/state tables.
Granted with pfsense and an x86 box with lots of ram/cpu you'll probably
be fine for quite a while.

Do some research into the hardware router/firewall vs software based one
(in particular Linux based firewalling/routing) and you'll find all
sorts of material. BSD seems more mature.

-- 
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793



Re: [pfSense Support] pfsense and DDOS

2011-02-01 Thread Chris Buechler
On Tue, Feb 1, 2011 at 2:25 PM, David Burgess apt@gmail.com wrote:
> An article popped up on /. today, and although it's a poorly written
> article, some of the ensuing discussion did provoke some thought.
>
> http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse
>
> I think the article is mostly just scare marketing, but it raises the
> question of how a firewall would best react to a DDOS scenario.

The article would be more accurate to say network components that are
inadequately sized or configured to handle a DDoS attack make them
worse. I've seen DDoS attacks with a packet rate to kill a Cisco
router at the edge with as simple of a routing configuration as can
possibly exist, but not nearly enough to kill the firewall sitting
behind it. For most of us, it matters none, we simply don't have
enough bandwidth, unless it's a lame attacker or you have a 10 Gb
Internet pipe (even that wouldn't be nearly enough for some attacks).

From experience fighting a number of DDoS attacks, what generally
happens is they'll throw enough at you to knock you offline, whatever
that takes. If you're running with a default 1 state table that
doesn't take much. Increase that and the attack gets bigger. At which
point you may max out your hardware's ability to handle states. Drop
in a box with more RAM and a much bigger state table, PF state timer
tweaks that can help when you have very high rates of state insertions
and deletions, and the attack gets bigger still - usually at this
point exhausting your Internet bandwidth. At which point you're stuck,
your ISP has to help you, nothing you put in place is going to relieve
the fact that your pipe is full. Usually they'll blackhole route the
affected IP so all your other IPs can function normally, and may do
other things depending on their infrastructure and the specific
attack. That's oversimplified a bit, but they've all followed that
same line.

If not properly sized and configured to handle a DDoS of the scale you
may see in your environment, yes your firewall is probably going to be
the first thing to fall over (unless you have an inadequate router in
front of it). But it really doesn't matter as if it does stand up,
experience at the level that virtually all of us are responsible for
(1-2 Gb Internet at most), they're going to kill your connection
regardless of what you have behind it.

If you're Google, Facebook, Yahoo, etc. yeah, you don't want firewalls
in front of your web farm. If you have a few hundred servers or less
(varying depending on specifics of the environment), it virtually
never matters, make sure you have decent settings in place to handle
as much as possible, and have a good relationship with your provider
and discuss with them in advance what they will do to help if you're
hit with a DDoS, and don't worry about it. Having a firewall as a
single ingress and egress point into small to mid sized hosting
environments is beneficial for many reasons, and properly sized and
configured it's not going to leave you any worse off when under DDoS
attack than you're going to be anyway.
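To make the two knobs Chris mentions concrete, a bigger state table and PF state timer tweaks for high rates of state insertion and deletion, here is an added pf.conf fragment. It is not from this thread and not the pfSense project's generated ruleset: the interface name, addresses and every number are assumptions for illustration, to be sized from the RAM you have and the traffic you actually see. On pfSense these settings are made in the web UI (System > Advanced for the maximum state count and optimization mode, and the per-rule advanced options for state type, per-source limits and timeouts), not by hand-editing pf.conf.

```conf
# Added example, not from the list thread or the pfSense project: a hand-written
# pf.conf fragment for a bigger state table, shorter state timers and a
# per-source connection cap. Interface name, addresses and all numbers are
# assumptions for illustration.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Raise the state limit well above the default; each state costs kernel memory,
# so this only helps on a box with RAM to back it.
set limit states 500000

# Expire half-open and closing TCP states quickly so a flood of new connections
# releases table slots instead of holding them for the default tcp.first 120 s
# and tcp.opening 30 s.
set timeout { tcp.first 30, tcp.opening 10, tcp.closing 30, tcp.finwait 15 }

# Adaptive timeouts: once the table passes adaptive.start, pf scales all
# timeouts down linearly, reaching zero at adaptive.end.
set timeout { adaptive.start 300000, adaptive.end 600000 }

# Sources that trip the per-source limits below land here and are dropped.
table <flooders> persist
block in quick on $ext_if from <flooders>

# synproxy completes the three-way handshake in pf before the web server sees
# the connection, so half-open connections never reach it. A source holding
# more than 100 states, or opening more than 50 connections in 5 seconds, is
# added to <flooders> and its existing states are flushed.
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 50/5, overload <flooders> flush global)
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and watch the table under load with `pfctl -si` (current state count against the limit and the insert/remove counters) and `pfctl -t flooders -T show`. The point Chris makes still holds: these settings decide whether the firewall or the pipe falls over first, and once the pipe is full only the ISP can help by blackholing or rate-limiting upstream.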




Re: [pfSense Support] Allow exe from a site only

2011-02-01 Thread Shali K.R.
How can I create it?

> You must create the first Destination category, what allow EXE from M$


-- 
Thanks & Regards

Shali K R
Server Administrator
Vidya Academy of Science & Technology
Thrissur, Kerala.
Mob:9846303531


Re: [pfSense Support] pfsense and DDOS

2011-02-01 Thread Sean Cavanaugh

sorry for top post.

Some better ISPs have options for rate limiting your connection in the event 
of a DDOS, meaning their systems will take the brunt of the hit and not 
route it to your firewall. this can vary from temporarily offlining you to 
absorb the packet storm or dropping connection attempts after a set pps 
level.


then again, this is also what right sizing your system load to handle and 
making proper systems to handle the load. there has to be some set level at 
which you will just stop trying to stay online and just offline yourself so 
as not to be absorbing useless traffic.


In general I disagree with the idea as some servers/services are harder to 
recover from DDOS attacks than the firewall filling its state table and 
slowly dumping them. I've seen webservers going into full kernel panics 
where a firewall/router taking the hit would have just locked up for a 
minute or so.


In general it should be a multi-staged approach, not a single piece of 
wondergear doing everything.


-Sean




