Re: [pfSense Support] no GUI or ssh access to server
On Tue, 2011-03-22 at 18:37 -0500, Gerald Waugh wrote:
> Hi,
> Server fw1 appears to be operating fine as we have many sites that we
> can access through the server.
> GUI and ssh accesses time out, and tried different locations.
> We have a backup pfsense server fw2 which is connected via crossover
> to 3rd port.
> I can access the backup server with GUI and ssh.
> I access fw1 by ssh to fw2, then ssh from fw2 to fw1 using the
> crossover cable port.
> I did netstat and it is listening on port 443 and ssh
> I did 11) Restart webConfigurator, no joy
> We rebooted fw1 via ssh, no joy
> any ideas greatly appreciated

As I was able to ssh in through fw2 I executed
    pfctl -d
went in with the GUI, found error in Country Block, fixed
    pfctl -f /tmp/rules.debug

--
Gerald

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org

[pfSense Support] no GUI or ssh access to server
Hi,
Server fw1 appears to be operating fine as we have many sites that we
can access through the server.
GUI and ssh accesses time out, and tried different locations.
We have a backup pfsense server fw2 which is connected via crossover
to 3rd port.
I can access the backup server with GUI and ssh.
I access fw1 by ssh to fw2, then ssh from fw2 to fw1 using the
crossover cable port.
I did netstat and it is listening on port 443 and ssh
I did 11) Restart webConfigurator, no joy
We rebooted fw1 via ssh, no joy
any ideas greatly appreciated

--
Gerald

Re: [pfSense Support] Country Block anomalies
Bump!

On Sun, 2011-02-06 at 08:29 -0600, Gerald Waugh wrote:
> Having some foreign to the US country IPs getting through firewall
> Country Block is running and the countries are enabled for blocking
> blocking 59817 Networks
> for example;
> 203.81.81.253 # MM Myanmar
> sending snmp packets through the firewall
> I have had several probes this morning, Brazil, Argentina, Germany

--
Gerald

Re: [pfSense Support] Country Block anomalies
On Wed, 2011-02-09 at 17:38 +, James Bensley wrote:
> Maybe it's not a complete list of every single IP/assigned block in
> the world? IPv4 exhaustion was only a few days ago, but how recently
> was that list updated, and how recently was it updated on your
> pfSense box!
>
> --James. (This email was sent from a mobile device)

Thanks for the response,
excuse my ignorance but how do I update the list?
Thanks

--
Gerald

[pfSense Support] Country Block anomalies
Having some foreign to the US country IPs getting through firewall
Country Block is running and the countries are enabled for blocking
blocking 59817 Networks
for example;
203.81.81.253 # MM Myanmar
sending snmp packets through the firewall
I have had several probes this morning, Brazil, Argentina, Germany

--
Gerald

Re: [pfSense Support] Country Block Not Working on pf 123
On Sat, 2011-01-29 at 09:40 -0800, Mehma Sarja wrote:
> It does not start. Tried reinstalling the package with the same
> results. Anybody else has same problem?

It may be a little tricky...
Make sure you click on Commit
let it take
then click on Enable at top of page
then click on Save/Update

Gerald

[pfSense Support] carp with bridge
We desire to add carp to our current pfsense firewall
Purchased a second server for the slave/secondary
Currently bridging the WAN/Opt(Servers) interfaces on the master/primary
Using pfsense 1.2.3
Looking for howto links and any other info
TIA

--
Gerald

Re: [pfSense Support] carp with bridge
On Thu, 2010-10-28 at 11:43 -0600, David Burgess wrote:
> On Thu, Oct 28, 2010 at 11:35 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
>> We use bridging as the pfsense machine firewalls servers with public
>> IP addresses.
>> Clues on how to accomplish with routing appreciated.
>
> You have a public subnet from your ISP, 1.1.1.0/24, for example. You
> get a static IP from your ISP that is outside your subnet, 2.2.2.1,
> for example. Your ISP has to route your subnet to your static IP.
>
> On pfsense:
> WAN is 2.2.2.1
> LAN is 1.1.1.1/24
> dhcp server on LAN (if desired) gives out 1.1.1.2 - 1.1.1.254
>
> Did I understand your question correctly? Or is this somehow more
> complicated when carp is involved?

Thinking ...

Gerald

Re: [pfSense Support] carp with bridge
On Thu, 2010-10-28 at 14:34 -0400, Jim Pingle wrote:
> On 10/28/2010 1:43 PM, David Burgess wrote:
>> On Thu, Oct 28, 2010 at 11:35 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
>>> We use bridging as the pfsense machine firewalls servers with public
>>> IP addresses.
>>> Clues on how to accomplish with routing appreciated.
>>
>> You have a public subnet from your ISP, 1.1.1.0/24, for example. You
>> get a static IP from your ISP that is outside your subnet, 2.2.2.1,
>> for example. Your ISP has to route your subnet to your static IP.
>>
>> On pfsense:
>> WAN is 2.2.2.1
>> LAN is 1.1.1.1/24
>> dhcp server on LAN (if desired) gives out 1.1.1.2 - 1.1.1.254
>>
>> Did I understand your question correctly? Or is this somehow more
>> complicated when carp is involved?
>
> Close. You just need at least a /29 on the WAN side so you have enough
> IPs for CARP - one for each box and the shared IP. The other subnet is
> routed to the shared CARP IP.
>
> On the internal side, one IP out of your block is for CARP on your
> LAN/OPT interface, and again one for each box. Items in the internal
> side use the shared CARP IP as their gateway.

Appears to be ongoing expense to have to get another subnet from ISP.
We have a /24 now and the servers use this,
We use bridging to get them through the pfsense firewall, and works
great.
Just looking for the redundancy carp provides.

Gerald

Re: [pfSense Support] rate and/or limit rules
On Tue, 2010-10-05 at 01:53 -0400, Chris Buechler wrote:
> On Mon, Oct 4, 2010 at 8:39 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
>> On Mon, 2010-10-04 at 00:56 -0400, Chris Buechler wrote:
>>> On Fri, Oct 1, 2010 at 12:07 PM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
>>>> We use ipt-recent and limit rules in iptables on our servers
>>>> It's a pain editing rules for each server.
>>>
>>> You might want to explain what those actually do, most of us are BSD
>>> experts and don't work with Linux.
>>>
>>>> We do have a pfsense firewall on the frontend
>>>> Is there a way to implement rate/limit rules in pfsense?
>>>
>>> Maybe, see the advanced options on rules, or explain what those
>>> iptables options do.
>>
>> the iptables 'recent and limit' rules limit the number of accesses
>> within a set time.
>
> Look at the advanced options on each rule. Maximum new connections /
> per second(s) does that. You may want to use some of the other options
> there as well.

Thank you, this is what I was looking for...
BTW, I did buy 2 copies of the book ;)

--
Gerald

Re: [pfSense Support] rate and/or limit rules
On Mon, 2010-10-04 at 00:56 -0400, Chris Buechler wrote:
> On Fri, Oct 1, 2010 at 12:07 PM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
>> We use ipt-recent and limit rules in iptables on our servers
>> It's a pain editing rules for each server.
>
> You might want to explain what those actually do, most of us are BSD
> experts and don't work with Linux.
>
>> We do have a pfsense firewall on the frontend
>> Is there a way to implement rate/limit rules in pfsense?
>
> Maybe, see the advanced options on rules, or explain what those
> iptables options do.

the iptables 'recent and limit' rules limit the number of accesses
within a set time.
i.e.

    iptables -N SSHSCAN
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
    iptables -A SSHSCAN -m recent --set --name SSH
    iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

1st line creates a table SSHSCAN
2nd line defines ssh port 22 with state NEW
3rd line sets up 'recent' with name SSH
4th line 'update' count in SSH, sets a 300 second time,
and allows 3 accesses to port 22 from a single IP address
If count is 3 or greater (during 300 seconds), further accesses are
blocked

--
Gerald

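Added example, not part of the thread and not pfSense's generated ruleset: a hand-written pf.conf fragment that approximates the SSHSCAN iptables rules with pf's per-source connection-rate state options, the kind of limit the "Maximum new connections / per second(s)" advice in this thread refers to. The macro ext_if, its value em0 and the table name sshscan are assumptions chosen for illustration.

```pf
# Added illustration; interface name and table name are assumptions.
ext_if = "em0"                      # assumed WAN interface

# Sources that exceeded the limit are collected here (the counterpart
# of the iptables "recent" list named SSH).
table <sshscan> persist

# Drop everything from sources already in the table.
block in quick on $ext_if from <sshscan>

# Accept new SSH connections and track the per-source rate:
#   max-src-conn-rate 3/300 -> limit of 3 new connections per 300 s
#   overload <sshscan>      -> a source exceeding it is added to the table
#   flush global            -> its existing states are killed as well
# The rate counter only counts TCP connections that completed the
# three-way handshake.
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn-rate 3/300, overload <sshscan> flush global)
```

Unlike the iptables rule, which stops matching once the source goes quiet for 300 seconds, an address stays in the pf table until it is removed; `pfctl -t sshscan -T show` lists the entries and `pfctl -t sshscan -T expire 300` deletes those older than 300 seconds.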
[pfSense Support] rate and/or limit rules
We use ipt-recent and limit rules in iptables on our servers
It's a pain editing rules for each server.
We do have a pfsense firewall on the frontend
Is there a way to implement rate/limit rules in pfsense?

--
Gerald