Re: [pfSense Support] best way to set up extra blacklist only on certain computers

2011-07-11 Thread Andrew Cotter
On Mon, Jul 11, 2011 at 12:52 PM, Luke Jaeger  wrote:

> I have a classroom where the teachers want the computers to have access to
> only our google docs domain  docs.pvpa.org
>
> I created an alias 'myhosts' for all the computers in the classroom and an
> alias 'allowedSites' with the IP's of www.google.com and docs.pvpa.org.
>
> Set up firewall rules to block 'myhosts' from any host except
> 'allowedSites'.
>
> It works for www.google.com but not for our Google Apps domain. Any idea
> what's wrong with this picture or is there a better way to go about it?
>
> Luke Jaeger | Technology Coordinator
> Pioneer Valley Performing Arts Charter Public School
> www.pvpa.org
>

Luke,

Did you change the web address for docs in the management portal on Google
Docs under settings, docs, general?  My guess is yes since you are using
that.

We did not modify this in our Google Apps deployment so the URL for us is
docs.google.com/a/domain.com.  I am not sure if the user is really accessing
the docs from your docs.pvpa.org domain or if that is more for vanity and a
redirect is happening.  What shows as a URL after you pull up a doc?

Did you try and add the IP for docs.google.com to your allowedSites list?

Andrew


Re: [pfSense Support] A REALLY Simple Question, Really

2011-04-30 Thread Andrew Cotter
On Apr 29, 2011 11:32 PM, "Chris Buechler"  wrote:
>
> On Fri, Apr 29, 2011 at 9:00 PM, Bruce B  wrote:
> > Next time, when you change the LAN interface subnet just don't press APPLY.
> > It actually gives you a RED notice to go ahead and change DHCP server range
> > as well and then come back and press APPLY.
>
> Still the same.
>

I clicked too fast a number of times without doing the update to the dhcp
range as well.

Another way to regain access.  Set the adapter on your computer to an ip in
the new subnet (static not dhcp).  Once you regain access and update dhcp,
change it back.

Andrew


Re: [pfSense Support] Enclosure recommendations for a Mini ITX Motherboard

2010-10-14 Thread Andrew Cotter
I was thinking of picking up a couple of these and one thing I have
stumbled across is that one of the newer supermicro atom boards is too
short to be able to use the slot for an extra card in their case.

Can anyone confirm this?

Andrew


On Thu, Oct 14, 2010 at 2:27 PM, Conrad Brown  wrote:
> If you are not set on that particular board you can try
> http://www.supermicro.com/products/system/1U/#Atom.  The 5015A-EHF or the
> 5015A-PHF in particular.
>
> I personally have the 5015A-H and it does the job without any problems.
>
> -Original Message-
> From: Mehma Sarja [mailto:mehmasa...@gmail.com]
> Sent: Thursday, October 14, 2010 2:23 PM
> To: pfsense
> Subject: [pfSense Support] Enclosure recommendations for a Mini ITX
> Motherboard
>
> I've been following the hardware threads comparing embedded versus more
> horsepower systems and came to the conclusion that I'd stick with my
> embedded Alix board because it is stable and low-power. Recently, however, I
> am seeing botnet attempts, reported via OpenDNS, against my home network.
> So, I want to run Snort. And here I'd need horsepower.
>
> I researched an earlier post of "SUPERMICRO MBD-X7SPE-H-O Mini ITX Intel
> Atom" board and it looks like a good option. Albeit a bit expensive. It can
> handle 4 GB RAM. So the question is what kinds of enclosures are good for
> this form-factor? I'll probably go with a laptop drive. The enclosures at my
> local Fry's all look pretty flimsy and crappy.
>
> Mehma
>
>
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional
> commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>



Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance

2010-10-11 Thread Andrew Cotter
On Mon, Oct 11, 2010 at 9:44 AM, Andy Graybeal wrote:
> On 10/08/2010 03:21 PM, Seth Mos wrote:
>>
>>> I'll have 2 firewalls, and 2 UPS's one for each firewall.
>>
>> As suggested before, cross the power supply cords between the 2 ups's.
>> If you have the option of 2 power feeds in your DC then put each UPS on
>> one specific.
>>
>> Alternatively there are great breaker strips that take 2 feeds and can
>> put it into one plug so that you can still have both ups systems powered
>> on if the A or B feed fails. These are about 150 euro or so.
>>
>>> Each firewall will have:
>>> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
>>> 2. two hot swap power supplies.
>>
>> Makes perfect sense, that's what I have.
>>
>>> Now for the networking...
>>> I'll have two dsl modems. I'm going to guess that I should have two
>>> switches, one per modem. 2 connections coming from each switch, one per
>>> firewall.
>>
>> One switch with vlans work, but if you can get 2 separate ones that
>> works too. I haven't had HP Procurve switches die on me for years. In
>> fact, there is still a 2424M out there servicing after 10 years.
>>
>>> I'll need two IP addresses assigned to each firewall from my providers
>>> (total of 4 ip addresses from providers).
>>
>> These will be the CARP IP addresses so that firewall failover works. You
>> will want to add more for splitting services perhaps. You might want to
>> terminate lan -> internet traffic on a separate carp ip to prevent nat
>> overloading.
>>
>> You will need 1 extra IP address per WAN connection for each part of the
>> firewall that participates in the CARP. If you have a /29 assigned by
>> the ISP per DSL modem you are safe.
>>
>>> Then I'll need a connection between each firewall for the pfsync.
>>> That is a total of 3 ethernet ports per firewall (2 wan, 1 pfsync) just
>>> for the redundancy; not including LANs.
>>
>> That is correct.
>>
>>> Can the pfsync connection be a simple cross-over cable, to get away from
>>> needing another switch?
>>
>> Yes, some ports have cable length issues but 1meter is safe.
>>
>>> I know CARP is in the equation, I'll get to that after I understand how
>>> I'm gonna hook this stuff up physically.
>>
>> See the book, it's recommended. No. Really.
>>
>> Regards,
>>
>> Seth
>>
> Seth,
> Thanks for the line-by-line response on every question.
>
> Reading the book now :)
>
> Thanks to everyone for their responses, I'll probably ask more questions when
> I get done with the book.
>
> -Andy
>

One thing that jumps out at me is the two ADSL links.  Sounds like you
are making a pretty good effort to "keep the lights on" with some good
choices.  If we were to do dual DSL lines in our area, the copper is
really the same provider for the last mile.  A different provider type
may give you better reliability over what you can't totally control.
In our case we could go to a cable company and get a business DSL
line, the phone company and get fiber, fiber from a totally
independent provider (or two), or even cell/microwave tower backup.
All depends on what is available in your area and as others stated,
the true need of uptime vs. cost.

Also, along the lines of different UPS providers, what about different
hardware manufacturers for the boxes or just the hard drives?

Andrew




RE: [pfSense Support] Is it possible?

2010-06-08 Thread Andrew Cotter
> -Original Message-
> From: Tiago [mailto:tpi...@scenario.ind.br] 
> Sent: Tuesday, June 08, 2010 12:33 PM
> To: support@pfsense.com
> Subject: [pfSense Support] Is it possible?
> 
> Hello guys
> 
> Forgive me for the newbie question...but I couldn't find the 
> solution yet
> 
> How can I block some sites through the IP address?
> 
> For instance: I need to block www.hotmail.com  only for IP 172.16.0.54
> 
> What Do I need to do?
> 
> Thanks
> 

Create a block rule for what is probably your LAN network (may vary
depending on setup).  Make sure your rule is before anything (top of the
list) that would allow like an "allow all" rule.

If you need more of an example let me know.

Andrew
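
The rule-order advice in the reply above, as an added example that is not part of the original message: pfSense evaluates the rules on an interface tab top to bottom and the first match decides, so a block rule placed under an "allow all" rule never fires. Only 172.16.0.54 comes from the question; the LAN prefix 172.16.0.0/24 and the destination range 203.0.113.0/24 (a documentation prefix standing in for the site's addresses) are constructed assumptions.

```python
"""Added example: first-match evaluation of an ordered firewall rule list."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Constructed values: the host address is the one from the question; the LAN
# prefix and the destination range (a documentation prefix standing in for
# whatever the blocked site resolves to) are assumptions.
HOST = ip_network("172.16.0.54/32")
LAN = ip_network("172.16.0.0/24")
SITE = ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    descr: str


def evaluate(rules, src, dst):
    """Walk the list top to bottom; the first rule that matches decides."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action, rule.descr
    return "block", "implicit default deny"


def shadowed(rules):
    """Indexes of rules that can never fire: an earlier rule covers them."""
    dead = []
    for i, rule in enumerate(rules):
        if any(rule.src.subnet_of(e.src) and rule.dst.subnet_of(e.dst)
               for e in rules[:i]):
            dead.append(i)
    return dead


ALLOW_ALL = Rule("pass", LAN, ANY, "allow LAN to any")
BLOCK_SITE = Rule("block", HOST, SITE, "block one host from one site")

BLOCK_BELOW = [ALLOW_ALL, BLOCK_SITE]   # block rule under the allow-all
BLOCK_ON_TOP = [BLOCK_SITE, ALLOW_ALL]  # block rule at the top of the list

if __name__ == "__main__":
    for name, rules in (("below", BLOCK_BELOW), ("on top", BLOCK_ON_TOP)):
        print(name, evaluate(rules, "172.16.0.54", "203.0.113.10"),
              "shadowed:", shadowed(rules))
```

The `shadowed` check is a quick way to audit an exported rule list for block rules that sit below a broader pass rule and therefore have no effect.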





RE: [pfSense Support] Attention Firebox X Series Users - Testing Needed

2009-04-24 Thread Andrew Cotter
 > -Original Message-
> From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On 
> Behalf Of Chris Buechler
> Sent: Friday, April 24, 2009 1:12 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Attention Firebox X Series 
> Users - Testing Needed
> 
> On Fri, Apr 24, 2009 at 10:32 AM, Andrew Cotter 
>  wrote:
> > Is there an update path from 1.2.2 to 1.2.3-RC1 embedded?
> 
> Not a guaranteed reliable one. You can grab an embedded 
> update file off the snapshot server but it may blow up.
> 
> That'll be resolved with the new embedded that's on the way, 
> including a 1.2.x release, though post-1.2.3.
>

Thanks.  I'll fire up one of the extra ones we have to test it.

Andrew






RE: [pfSense Support] Attention Firebox X Series Users - Testing Needed

2009-04-24 Thread Andrew Cotter
Is there an update path from 1.2.2 to 1.2.3-RC1 embedded?  I only see Full
images on the mirrors.  I can do a backup/swap CF/restore, but the box I was
going to test on is 120 miles away.  

I have a pile of the X500 boxes here and would love to deploy them, but the
watchdog timeouts are killing me.  Thanks for working on this!

Thanks,

Andrew






RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

2009-03-20 Thread Andrew Cotter
>From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
>Sent: Friday, 20 March 2009 18:27
>To: support@pfsense.com
>Subject: [pfSense Support] Firebox X series w/ 1.2 and 1.2.2 issue
>
>
>   So, I have a pair of firebox x700 units that I have put new CF cards
>   in. I have tried both 1.2-RELEASE and 1.2.2 (both embedded), and both
>   behave the same way.
>
>   On the serial console, I will see the following:
>   re4: watchdog timeout
>   re4: watchdog timeout
>   etc
>
>   If I change the LAN interface to re1, the same thing happens, except
>   on the serial console I will see:
>   re1: watchdog timeout
>   re1: watchdog timeout
>   ...etc




I had a similar issue while I was working on a few X500/700 whatever boxes
last week.  I know people suggest that various low end switches produce this
error, but I had no switch in the mix.

I was going direct to a desktop and was getting it.  It was a home made
looking cable.  As soon as I plugged in one of our prefab cables it went
away.   Try and switch out the ethernet cable. 

Let us know.   I have 5 of these boxes in the corner of my office. 3 of
which I am planning on deploying in the next two weeks.

Andrew






RE: [pfSense Support] Block LAN ip from communicating

2009-02-27 Thread Andrew Cotter
 




From: Chris Flugstad [mailto:ch...@cascadelink.com] 
Sent: Friday, February 27, 2009 1:44 PM
To: support@pfsense.com
Subject: [pfSense Support] Block LAN ip from communicating



This should be simple.  I tried adding firewall rules to block
traffic from that IP, but it didn't work.  Any help?


Chris Flugstad
Cascadelink
900 1st ave s, suite 201a
seattle, wa 98134
p: 206.774.3660 | f: 206.577.5066
ch...@cascadelink.com   



Where did you put the rule?  (LAN tab)  and what rules are listed before
it.  (Top to bottom)







RE: [pfSense Support] Watchguard X series platform

2007-10-29 Thread Andrew Cotter

> -Original Message-
> From: Andrew Cotter [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 16, 2007 3:12 PM
> To: support@pfsense.com
> Subject: [pfSense Support] Watchguard X series platform
> 
> Hello,
> 
> I have seen a number of posts both here and on the M0n0wall 
> list about the older Watchguard Firebox I/II series boxes and 
> the ability to use them.
> Does anyone have any experience on the Watchguard Core 
> X500/X700/X1000 series boxes?  
> 
> I am looking for a platform that is a little more powerful 
> than the WRAP/ALIX or Soekris 5501 systems, but would prefer 
> to stay away from full blown servers.
> 
> Thanks for any input!
> 
> Andrew
> 
> 

Well I got no response so I went out and picked a Watchguard X500 up off of
ebay.  I am happy to report that once you crack the thing open there is a
nice little onboard slot for a CF.  Mine had a 64MB card in it which I
quickly swapped out with a freshly imaged M0n0wall CF.  I powered it up,
consoled into it, and it saw all 6 adapters.  Have not tried pfsense yet,
but I will be trying that out sometime over the next week or so.  

For those of you out there that prefer certain cards, the 6 ports are
Realtek chips which may be a drawback.  Needless to say, I am happy with the
gamble I took and will probably be putting this box into full time service
fairly soon.

Andrew   



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.






[pfSense Support] Watchguard X series platform

2007-10-16 Thread Andrew Cotter
Hello,

I have seen a number of posts both here and on the M0n0wall list about the
older Watchguard Firebox I/II series boxes and the ability to use them.
Does anyone have any experience on the Watchguard Core X500/X700/X1000
series boxes?  

I am looking for a platform that is a little more powerful than the
WRAP/ALIX or Soekris 5501 systems, but would prefer to stay away from full
blown servers.

Thanks for any input!

Andrew






RE: [pfSense Support] Support for custom tables

2005-11-28 Thread Andrew Cotter
I am not a pf wizard, nor have I tried this, but a quick google came up with
this...

http://www.allard.nu/pfw/

Might give you a jump start in pulling something together if you want to.

Andrew

> -Original Message-
> From: Forrest Aldrich [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 27, 2005 9:11 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Support for custom tables
>
>
> I wonder if there might be a PHP class out there that will deal with PF
> interaction.  That seems to be a reasonable approach.
>
> Though, I must concede that I'm not much of a programmer.
>
> If PFSense could allow tables to be created, say, in different files -
> it could load them into a web-based config.   Might need some utility to
> sync that content with anything that changes in memory (ie: live editing
> of the tables via pfctl).
>
> Anyone else have some useful suggestions?
>
> Thanks.
>
>
>
>
> Scott Ullrich wrote:
> > That is true.  Can you give some suggestions of easily adding custom
> > table support that would work within the parameters of your scripts?
> > On 11/27/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> >
> >> I have some scripts that need to interact with PF (pfctl) directly to
> >> interact with the tables... I presume this method is available only via
> >> manual entry through the GUI.
> >>
> >>
> >>
> >> Scott Ullrich wrote:
> >>
> >>> Well, our aliases do something similar now.   You can add an alias
> >>> then add multiple ip's, ports or network cidr entries.
> >>>
> >>> Is this what you have in mind?
> >>>
> >>> On 11/27/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> >>>
> >>>
> >>>> Do you not think support for custom tables would be useful?
> >>>>
> >>>> I think it would - especially in the enterprise where you want to
> >>>> selectively block and or do things that require (or benefit from) table
> >>>> based entries.
> >>>>
> >>>> Scott Ullrich wrote:
> >>>>
> >>>> > We have ALIASES which give somewhat the same functionality.  I have a
> >>>> > alias import wizard in 1.01.   With that said, there are no plans for
> >>>> > custom tables in 1.0.
> >>>> >
> >>>> > Scott
> >>>> >
> >>>> > On 11/27/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> >>>> >
> >>>> >> Will there be support for custom tables in PFSense... sometime?
> >>>> >>
> >>>> >> Thanks.






RE: [pfSense Support] Re: Trouble installing to Dell PowerEdge 850

2005-11-01 Thread Andrew Cotter
If it is any help, I have PE750's with SATA running Linux.  Not sure if it
would show in a similar way, but would a SATA drive show as a SCSI device?
I think it does on my Dell 750s.

Andrew

> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 01, 2005 2:18 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Re: Trouble installing to Dell PowerEdge
> 850
>
>
> It appears that FreeBSD is not seeing this drive as attached for some
> reason.   Can you try a FreeBSD RC disk?
>
> On 11/1/05, Lynn A. Roth <[EMAIL PROTECTED]> wrote:
> > Some more info:
> >
> > when I run atacontrol info, it appears that the disk is not attached.  I
> > have booted to Linux and Windows installer and they both see the disk. I
> > believe that the SATA drive should be on ATA channel 2. (According to the
> > boot messages, which show the ICH7 SATA Controller being detected with
> > 4 channels, 2-5)
> >
> > # atacontrol list
> > ATA channel 0:
> >  Master: acd0  ATA/ATAPI revision 4
> >  Slave:   no device present
> > ATA channel 1:
> >  Master:  no device present
> >  Slave:   no device present
> > ATA channel 2:
> >  Master:  no device present
> >  Slave:   no device present
> > ATA channel 3:
> >  Master:  no device present
> >  Slave:   no device present
> > ATA channel 4:
> >  Master:  no device present
> >  Slave:   no device present
> > ATA channel 5:
> >  Master:  no device present
> >  Slave:   no device present
> >
> >
> >
> > Scott Ullrich wrote:
> > > Please send the contents of /tmp/ after you receive the error message.
> > >   CTRL-C a number of times to break back to the shell and then SCP
> > > then files somewhere.
> > >
> > > Scott
> > >
> > >
> > > On 11/1/05, Lynn A. Roth <[EMAIL PROTECTED]> wrote:
> > >
> > >>I should also note that it has a single SATA drive on the first SATA
> > >>connection.  I get the same issue with both of the two identical systems.
> > >>
> > >>Lynn
> > >>
> > >>
> > >>Scott Ullrich wrote:
> > >>
> > >>>What version?
> > >>>
> > >>>On 11/1/05, Lynn A. Roth <[EMAIL PROTECTED]> wrote:
> > >>>
> > >>>
> > >>>> I'm having trouble installing pfSense to my new Dell PE 850.
> > >>>>
> > >>>> The installer doesn't find a disk.  If I do an lsdev before booting, I
> > >>>> see the disk and partitions.  The system has a ICH7 chipset, which
> > >>>> appears to be problematic at this point in time.  Does anyone have any
> > >>>> idea how I could get this installed?  Is there a way to easily update
> > >>>> the kernel in the installer?  Would that even help?
> > >>>>
> > >>>> Thanks.
> > >>>>
> > >>>> Lynn A. Roth
> > >>>> Network Administrator
> > >>>> Interactive Financial Solutions, Inc.