Re: [pfSense Support] 1U Case Reco
Curtis,

Thanks for recommending this, that looks like a nice system to use for pfSense. How about having a doc.pfsense.org page with recommendations like this? Maybe it could be called unofficial recommendations, or community recommendations. I have been to all of the sites on the main recommended vendors page in the past week, and ended up buying a couple of Alix systems from Netgate. (Which shipped within 4 hours of me faxing in the PO BTW.) I wouldn't want the community recommendation page to take away from the prime placement that the companies that have supported the project get, but it would be nice to have a list of suggestions such as this one from Curtis.

Josh

Curtis LaMasters wrote:

I don't know if it meets all of your requirements but I do quite a few installs on http://www.ironsystems.com AR230.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Jul 21, 2009 at 7:46 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:

Anyone know who makes a decent 1u case with the eth and peripheral slot open in the front and that also redirects the leds up front for a Soekris 5501? If need be, I am open to a different mobo suggestion as well, I just need ~4 eth ports and an embedded design resilient to any potential power outages at this location.

Thanks,
jlc

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] strategies for an internet cafe
I would like to second the idea of just rate limiting all port 25 connections instead of blocking. I have a rule set up at 30 sites that only allows 4 simultaneous client connections, and limits new connections to 3 every 60 seconds. (Just create an allow rule for SMTP and look at the advanced options.) This allows the occasional user to send email (most use webmail clients anyway), but limits the damage that an infected machine can do. The downside is the DOS aspects of this, one infected client shuts down the ability for everyone else to send port 25 mail. Customers are not usually there for more than a couple hours, so it hasn't been an issue yet.

It would be fun to monitor the firewall logs for blocked smtp connections, and trigger a strobe light when an infected client connects. Then you could throw the nerf ball of virus infection (or does that sound bad) at the most recent customer to connect, for the shaming effect. That might limit some repeat business though. Or you could just sell/give them some virus/spyware removal software.

Josh

lartc wrote:

hi all,

thanks for all your thoughts ... this was actually a case of an unsuspecting microf...ing windblowz user infected with a fakealert virus -- sending thousands of e-mails. i'm thinking about creating an `untrusted` subnet on a free pfsense port and proxying 25 465 to a postfix/amavis setup that can rate limit and reject ...

Try the solution from Untangle. Set it up with spam filtering and as transparent bridge in between your lan and pfsense.

haven't heard of this, so i'll check it out -- but since i'm running embedded, my resources are a bit limited.

thanks again
charles

--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Cell 218.790.2110
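The trade-off described in the message above, modelled as an added example (not pfSense code and not from the thread): the same limits of 4 simultaneous and 3 new connections per 60 seconds, counted once for the whole rule and then per client address. Client addresses, timing and the refusal threshold are constructed, and the limiter is a simplified model rather than pf's own state tracking.

```python
"""Model of the SMTP limits from the message above: 4 concurrent, 3 new per 60 s."""
from collections import defaultdict, deque


class SmtpLimiter:
    def __init__(self, max_conn=4, max_new=3, window=60, per_source=False):
        self.max_conn, self.max_new, self.window = max_conn, max_new, window
        self.per_source = per_source
        self.open = defaultdict(int)       # counter key -> concurrent connections
        self.recent = defaultdict(deque)   # counter key -> times of accepted connections
        self.refused = defaultdict(int)    # client IP -> refused attempts (detection signal)

    def _key(self, src):
        # One shared counter for the rule, or one counter per client address.
        return src if self.per_source else "*"

    def connect(self, now, src):
        key = self._key(src)
        recent = self.recent[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()               # forget connections older than the window
        if self.open[key] >= self.max_conn or len(recent) >= self.max_new:
            self.refused[src] += 1
            return False
        self.open[key] += 1
        recent.append(now)
        return True

    def close(self, src):
        key = self._key(src)
        if self.open[key] > 0:
            self.open[key] -= 1


INFECTED = "192.168.1.50"   # constructed: client sending mail once per second
CUSTOMER = "192.168.1.20"   # constructed: client sending one message at t=30


def simulate(per_source):
    """Run one minute of traffic and report accepted and refused attempts."""
    lim = SmtpLimiter(per_source=per_source)
    accepted = defaultdict(int)
    for t in range(60):
        if lim.connect(t, INFECTED):
            accepted[INFECTED] += 1
            lim.close(INFECTED)            # short-lived delivery
        if t == 30 and lim.connect(t, CUSTOMER):
            accepted[CUSTOMER] += 1
            lim.close(CUSTOMER)
    return {"accepted": dict(accepted), "refused": dict(lim.refused)}


def noisy_clients(refused, threshold=10):
    """Clients with enough refused attempts to be worth a look."""
    return sorted(ip for ip, n in refused.items() if n >= threshold)


if __name__ == "__main__":
    for mode in (False, True):
        result = simulate(per_source=mode)
        print("per-source" if mode else "rule-wide ", result,
              "flagged:", noisy_clients(result["refused"]))
```

With the rule-wide counter the customer's single message is refused; with per-client counters it is accepted, and the refusal count still singles out the infected machine.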
Re: [pfSense Support] Installing pfflowd
There are instructions on how to remount the flash drive into RW mode in the FAQ.
http://faq.pfsense.org/index.php?action=artikel&cat=11&id=171&artlang=en

There's the rope, I hope it is enough. pfflowd shouldn't be writing when in use, so this should be safe to use. Remount to RW mode, install pfflowd, then remount to RO mode and run. But I'm no expert.

I think the searching in the FAQ might be broken, it wasn't working for me. Can anyone confirm?

Josh

Karl von Muller wrote:

Thanks Holger. How can I get pfflowd on my WRAP then? Re-flash then manually put the package on?

On 3/9/07, Holger Bauer [EMAIL PROTECTED] wrote:

Embedded builds don't support packages (and we hide this option therefore from the menu and you shouldn't use it). The filesystem is mounted readonly to not let your cfcard wear out due to limited write cycle lifetime for embedded builds. This is normal and by design.

Holger

From: Karl von Muller [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 8, 2007 14:56
To: support@pfsense.com
Subject: [pfSense Support] Installing pfflowd

Hi all,

Have just started using pfSense and it's great :) Running 1.01 on a WRAP 1. Seems that because I'm using compact flash the filesystem is mounted read only. Not sure if this is the default or how it came (I purchased the WRAP from a company in Aus with CF card and image pre-installed), but it seems to be stopping me from installing any packages (see below). Is there any way to remount the filesystem RW or do I need to grab a new image?

Thanks,
Karl

Error while trying to install -

Installation of pfflowd FAILED!
Downloading package configuration file... failed!
Installation aborted.
Installation halted.

Warning: fopen(/usr/local/pkg/pfflowd.xml): failed to open stream: Read-only file system in /etc/inc/pkg-utils.inc on line 321
Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/pkg-utils.inc on line 370
Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/pkg-utils.inc on line 370
Warning: fwrite(): supplied argument is not a valid stream resource in /etc/inc/pkg-utils.inc on line 370
Warning: fclose(): supplied argument is not a valid stream resource in /etc/inc/pkg-utils.inc on line 336

--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Cell 218.790.2110
[pfSense Support] Freeze FX5620 High Load, ping flood
I have a couple FX5620's that have Realtek 8139 nics. I know that those nics have problems and are not the best, but I am invested in the FX5620's and cannot just throw them away. And I also know that it isn't freebsd's or pfsense's fault that those nics have a problem.

I'm running embedded pfsense (1.0.1 and today's snapshot 2/14/07) clean install with no configuration changes.

I have noticed that I can lock up the machines within 5 seconds to 5 minutes by running a ping flood from the firewall to a laptop attached to the lan (rl0) port with a cross over cable.

ping -s 3 -f 192.168.1.254

The machines lock up hard, no errors on the serial console or on the video console. From the windows task manager (networking), the fastethernet connection is 90% utilized when the lockup happens.

I wonder if the lockup has something to do with fragmentation since I'm trying to send out 30k icmp packets and the mtu is 1500, which get split up and it is just too much to handle? Could all the packet reassembly be the problem? Generating too many interrupts?

When I turn on polling the lockup problem disappears and the utilization goes down to 25% no matter how much data I try to push. Does that mean that it is an interrupt problem? This fixes the problem as far as I am concerned since the most traffic these boxes will need to deal with is 5Mbps.

Is this a known and beat to death issue?

Thanks
Josh

--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Cell 218.790.2110
Re: [pfSense Support] UDP port forward for WOL to LAN broadcast address
I think I figured out my problem, please correct me if I am wrong.

What I am trying to do is considered a directed broadcast, which is a bad practice, so bad that freebsd doesn't even offer the option to turn it on anymore. I found a reference that said the command

sysctl net.inet.ip.directed-broadcast = 1

works in openbsd, but that OID isn't available in freebsd.

I don't really see the danger in having directed broadcasts routed on a firewall that is using Nat and doesn't allow incoming connections, except for those set up with port forwarding. It isn't like someone could send a packet to the lan broadcast ip without there being a rule allowing it. Could someone explain what the danger is?

Is my only option to use some sort of proxy program that would accept the packet, then send it out again, or a tunnel? Or would using the web interface with a script be the best thing? I want machines behind 20 different pfsense firewalls to be started at 3AM every morning, or by various IT staff at different times, and those staff shouldn't have access to the pfsense firewalls.

While looking for an answer I took a look at netstat and that gave me the clue I needed. I think the WOL packets are being recorded as not forwardable.

netstat -s -p ip
82 packets not forwardable

Thanks
Josh

Josh Stompro wrote:

I have been attempting to set up a udp port forward so I can send the WOL magic packet from an outside location to the broadcast address of a Lan network behind a pfsense box. I haven't had any luck though, the packet reaches the wan interface, and is passed by the firewall rule on the Wan set up to allow it, and that also shows that the packet has been NATed. But no packet is sent out to the broadcast address of the LAN.

I have been trying to figure out if there is some firewall rule that is trying to protect me from myself by blocking broadcast traffic, but nothing is logged about that packet being blocked.

I have searched the listserv/forums/tickets/faq to the best of my ability and haven't found anything related to this. Please let me know if this is a known issue that I just couldn't find.

I have quite a few working TCP port forwards, no problems with those, and the WOL from the firewall works fine.

My Configuration.
pfSense 1.0-RC1a-embedded (I know, old, but I can't upgrade easily, it's at a remote location)
hardware FX5620
lan = { rl0 }
wan = { rl1 }

Nat
rdr on rl1 proto udp from any to 1.2.3.4 port { 40 } -> 192.168.208.255 port 40

Firewall rule
pass in log quick on $wan proto udp from { 4.5.6.7/28 } to { 192.168.208.255 } port = 40 keep state queue (qwandef, qwanacks) label USER_RULE: NAT Wake On Lan Forward

Firewall rule log
Sep 29 10:47:46 fertile pf: 505939 rule 235/0(match): pass in on rl1: (tos 0x0, ttl 52, id 3, offset 0, flags [DF], proto: UDP (17), length: 130) 4.5.6.7.58894 > 192.168.208.255.40: UDP, length 102

TCPDUMP on WAN (tcpdump -i rl1 port 40)
listening on rl1, link-type EN10MB (Ethernet), capture size 96 bytes
10:49:07.851234 IP mail.example.org.58895 > wanip.example.com.40: UDP, length 102

TCPDUMP on LAN (tcpdump -i rl0 port 40)
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
(Crickets Chirping, Arg, where be thee packet, arg)

Command used to send WOL packets
wakeonlan -i 1.2.3.4 -p 40 00:06:5B:C1:78:BA
Sending magic packet to 1.2.3.4:40 with 00:06:5B:C1:78:BA

Does anyone have any suggestions? The firewall was restarted. How can I debug this?

Thanks
Josh

--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Mobile 701.371.3857
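The "proxy program" option raised in the message above, as an added example (not code from the thread or from pfSense): a relay meant to run on a LAN host that receives the port-forwarded packet on its own unicast address, checks it, and re-sends it to the LAN broadcast address. The listen address, the reuse of port 40 and the two allow-lists are assumptions built from the sample values in the thread.

```python
"""WOL relay: accept a unicast magic packet, validate it, re-broadcast on the LAN."""
import ipaddress
import re
import socket

SYNC = b"\xff" * 6
MAGIC_LEN = 6 + 16 * 6   # 102 bytes, the "UDP, length 102" seen in the captures above

# Assumed policy, using the sample values quoted in the thread.
ALLOWED_SOURCES = ["4.5.6.7/28"]         # who may ask for a wake-up
ALLOWED_MACS = {"00:06:5b:c1:78:ba"}     # which machines may be woken
LISTEN = ("0.0.0.0", 40)                 # port 40 as in the thread (binding needs root)
BROADCAST = ("192.168.208.255", 40)      # LAN broadcast address from the thread


def build_magic_packet(mac):
    """Return the 102-byte payload: 6 x 0xFF followed by the MAC repeated 16 times."""
    raw = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return SYNC + raw * 16


def parse_magic_packet(payload):
    """Return the target MAC as lower-case aa:bb:cc:dd:ee:ff, or None if malformed.

    Only the bare 102-byte form is accepted; a packet carrying the optional
    password suffix is rejected by this example.
    """
    if len(payload) != MAGIC_LEN or payload[:6] != SYNC:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def relay_decision(src_ip, payload, sources=ALLOWED_SOURCES, macs=ALLOWED_MACS):
    """Return (True, mac) if the packet may be relayed, else (False, reason)."""
    addr = ipaddress.ip_address(src_ip)
    # strict=False because the thread writes the range as a host address plus /28.
    if not any(addr in ipaddress.ip_network(n, strict=False) for n in sources):
        return (False, "source not allowed")
    mac = parse_magic_packet(payload)
    if mac is None:
        return (False, "not a magic packet")
    if mac not in macs:
        return (False, "MAC not allowed")
    return (True, mac)


def serve():
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(LISTEN)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    while True:
        payload, (src_ip, _port) = rx.recvfrom(2048)
        ok, detail = relay_decision(src_ip, payload)
        if ok:
            # Send a packet rebuilt from the validated MAC, never the raw input.
            tx.sendto(build_magic_packet(detail), BROADCAST)
        print(f"{src_ip}: {'relayed' if ok else 'dropped'} ({detail})")


if __name__ == "__main__":
    serve()
```

With this layout the port forward targets the relay host's unicast address, so the firewall itself never has to forward a packet addressed to the broadcast address.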
[pfSense Support] UDP port forward for WOL to LAN broadcast address
I have been attempting to set up a udp port forward so I can send the WOL magic packet from an outside location to the broadcast address of a Lan network behind a pfsense box. I haven't had any luck though, the packet reaches the wan interface, and is passed by the firewall rule on the Wan set up to allow it, and that also shows that the packet has been NATed. But no packet is sent out to the broadcast address of the LAN.

I have been trying to figure out if there is some firewall rule that is trying to protect me from myself by blocking broadcast traffic, but nothing is logged about that packet being blocked.

I have searched the listserv/forums/tickets/faq to the best of my ability and haven't found anything related to this. Please let me know if this is a known issue that I just couldn't find.

I have quite a few working TCP port forwards, no problems with those, and the WOL from the firewall works fine.

My Configuration.
pfSense 1.0-RC1a-embedded (I know, old, but I can't upgrade easily, it's at a remote location)
hardware FX5620
lan = { rl0 }
wan = { rl1 }

Nat
rdr on rl1 proto udp from any to 1.2.3.4 port { 40 } -> 192.168.208.255 port 40

Firewall rule
pass in log quick on $wan proto udp from { 4.5.6.7/28 } to { 192.168.208.255 } port = 40 keep state queue (qwandef, qwanacks) label USER_RULE: NAT Wake On Lan Forward

Firewall rule log
Sep 29 10:47:46 fertile pf: 505939 rule 235/0(match): pass in on rl1: (tos 0x0, ttl 52, id 3, offset 0, flags [DF], proto: UDP (17), length: 130) 4.5.6.7.58894 > 192.168.208.255.40: UDP, length 102

TCPDUMP on WAN (tcpdump -i rl1 port 40)
listening on rl1, link-type EN10MB (Ethernet), capture size 96 bytes
10:49:07.851234 IP mail.example.org.58895 > wanip.example.com.40: UDP, length 102

TCPDUMP on LAN (tcpdump -i rl0 port 40)
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
(Crickets Chirping, Arg, where be thee packet, arg)

Command used to send WOL packets
wakeonlan -i 1.2.3.4 -p 40 00:06:5B:C1:78:BA
Sending magic packet to 1.2.3.4:40 with 00:06:5B:C1:78:BA

Does anyone have any suggestions? The firewall was restarted. How can I debug this?

Thanks
Josh

--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Mobile 701.371.3857
Re: [pfSense Support] USB Cdrom install is not working
I have attempted to do the install these 2 different ways now.

I have a Lex light system that has 2 ide controllers, one with a 44 pin header, and one with a 40 pin. I can hook up both a cdrom (that I have in an external enclosure that provides power) and the laptop hard drive. I ran the install and then moved the hard drive over to the FX5620 and tried to boot it. Because of the differences in hard drive controller names, it couldn't mount the root drive. I spent a couple hours trying to find a kernel switch like root=/dev/ad0 or something like that, but I think the problem must be with the fstab file, which I will try editing next.

I also ordered a 44 pin master slave cable, and then realized I would have no way of hooking that up to my 40 pin cdrom. So I ordered a 40 to 44 pin cable, plus a Male to Male 44 pin adapter so I could hook everything together. So the 44 pin master/slave cable is plugged into the FX5620, and I tried plugging in the 44 to 40 pin into each of its female connectors, and then into the cdrom, but neither has worked. No ide devices are detected. Just using the 44 pin to 40 pin adapter to plug the cdrom in works just fine. I don't know what I am missing here.

Anyone else had any luck with something like this? Is there a certain cable setup that works?

Josh

Holger Bauer wrote:

Either use the embedded image with a cf-card or install the hdd in a different system and move it over. A third option would be to use the device with a master slave cable and install from a temporarily connected cdrom. However I guess you have to power the cdrom from a different system then. Also the different IDE cable types might make problems. Not sure as I unfortunately haven't seen such a system yet.

Holger

-Original Message-
From: Josh Stompro [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 17, 2006 11:05 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] USB Cdrom install is not working

Scott, how do you do a hard drive install on an FX5620? I am a little stumped since USB cdrom's don't work and the system only has one IDE header? Do I have to install with a 2nd system and then move the hard drive over?

Thanks
Josh

Scott Ullrich wrote:

Well, I always have to do this... It's part of maintaining a system. Lots of things are a PITA, this is computers. Welcome.

On 3/23/06, Roy Walker [EMAIL PROTECTED] wrote:

For units like the Lex Light system or the little firewall unit you were talking about on http://pfsense.blogspot.com/ the USB CDrom is a much easier route than having to crack the unit open and plug in an IDE cdrom since you have to power the cdrom off another system's power supply. Really is a pain in the A$$.

Roy
Re: [pfSense Support] USB Cdrom install is not working
Scott, how do you do a hard drive install on an FX5620? I am a little stumped since USB cdrom's don't work and the system only has one IDE header? Do I have to install with a 2nd system and then move the hard drive over?

Thanks
Josh

Scott Ullrich wrote:

Well, I always have to do this... It's part of maintaining a system. Lots of things are a PITA, this is computers. Welcome.

On 3/23/06, Roy Walker [EMAIL PROTECTED] wrote:

For units like the Lex Light system or the little firewall unit you were talking about on http://pfsense.blogspot.com/ the USB CDrom is a much easier route than having to crack the unit open and plug in an IDE cdrom since you have to power the cdrom off another system's power supply. Really is a pain in the A$$.

Roy

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 23, 2006 11:12 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] USB Cdrom install is not working

In addition, I am pretty sure option 7 will wipe out what we do to make the keyboards work. We worked around this option.

On 3/23/06, Holger Bauer [EMAIL PROTECTED] wrote:

unplug the keyboard and replug it when asked to assign vlans. it's hot swappable.

Holger

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 23, 2006 6:04 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] USB Cdrom install is not working

You do not need to enable the keyboard. We do this automatically with the new keyboard mux code. Don't know about the USB CDROM... Use a real one.

On 3/23/06, Roy Walker [EMAIL PROTECTED] wrote:

Installing from a USB Cdrom is not working. This was fixed once before, but tried it yesterday with Beta2 ISO and no go. Also if you boot off an IDE cdrom and select option 7 to enable USB keyboard support, the keyboard was detected, but it did not work.

Roy
[pfSense Support] Startup sound on FX5620 in slow-mo
When I boot up a FX5620 with 1.0-RC1a embedded on a compact flash card, the startup chimes are played in slow motion and take about 10 seconds to play. When I installed it on a regular PC a while back the startup sound was much quicker.

Can anyone else with an FX5620 confirm that they see this? It in no way impacts the usability of the system, this is just an oddity that I thought I would make note of.

Josh
Re: [pfSense Support] port forwarding
Volker,

I read this and started to panic a little bit. What, I cannot restrict which hosts can use a port forward? I started thinking, oh no, I have to look for a different firewall distribution. Then I tried it out.

I added a port forward

Wan TCP 5900 192.168.1.199 (ext: 192.168.40.129) 5900 VNC

And I changed the wan rule from

TCP, Any source ip, Any source Port, Dest 192.168.1.199, Dest port 5900, NAT VNC

To

TCP, source 192.168.40.5, Any source Port, Dest 192.168.1.199, Dest port 5900, NAT VNC

And now only 192.168.40.5 can use that port forward.

Am I misunderstanding what you were saying? I understand how it isn't possible to restrict based on the original destination port (if it is different, else it doesn't matter) but I don't understand what you are saying about the source ip.

Thanks
Josh

Volker Kuhlmann wrote:

I seem to be having difficulty adding a port forward :( from WAN -> lan(192.168.1.3) port 80. The macmini can get to the outside world. Is there any other debugging I can look at?

I had some trouble too, coming from Linux. The thing to keep in mind is that the port forwarding happens before(!) the firewall rules are applied. So, apart from wanting a port forward/NAT rule

WAN port X -> lan(192.168.1.3) port 80

You also need to insert a firewall rule

WAN any -> LAN port 80

In this context it is impossible to restrict access to the port forwarding depending on e.g. source IP, because the port forwarding applies unconditionally to everything, and with the firewall rules you have to match against LAN port 80, and can no longer use the WAN port the packet was originally addressed to. Lousy IMHO, but that's how it is.

HTH,
Volker

--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Mobile 701.371.3857
[pfSense Support] Dhcp lease order
Can anyone explain how to set up dhcpd to hand out leases in increasing order rather than decreasing? I find that handing them out in increasing order is easier to deal with in some cases. Is there a good argument for doing them in descending order, or is it just someone's personal preference?

Thanks
Josh
[pfSense Support] LEX Light system
I have had luck getting my Lex box to work with 1.0-BETA1-TESTING-SNAPSHOT-2-19-06/pfSense.iso.gz. I booted with an ide cdrom drive.

While installing to a hard drive the installer stopped with several errors having to do with fdisk and the number of cylinders. I can provide the install log if this isn't a known problem. I just skipped the errors and was able to install just fine.

I was able to upgrade to http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-20-06/pfSense-Full-Update-TESTING-SNAPSHOT-02-20-06.tgz via the firmware upgrade method. Everything appears ok so far.

Josh
Re: [pfSense Support] LEX Light system, USB Boot
I apologize for not checking the FAQ before I asked this, I see that there is an entry for it. It does say to post to the list if someone has success or failure so I guess I wasn't totally off.

Bao, could you point me to documentation on how to enable USB in the Kernel? These LEX machines have an internal compact flash slot so I will probably be trying that avenue also.

Thanks
Josh

Bao C. Ha wrote:

Hi Josh,

It does not work because, by default, pfSense does not have USB support enabled in the kernel. I have enabled USB so I can boot pfSense on Hacom's systems from USB flash drives, as well as to be able to use USB keyboard and mouse.

Bao

On Tue, February 21, 2006 5:50 pm, Josh Stompro wrote:

I haven't been able to get my LEX Light mini pc to boot with a USB cd-rom drive. It is the CV860A-3R53 model, 533Mhz, with 3 RealTek NIC's.

I have tried LiveCD-1.0BETA1 and 1.0-BETA1-TESTING-SNAPSHOT-2-19-06 and they both get to this point and lock up.

FreeBSD/i386 bootstrap loader, Revision 1.1
([EMAIL PROTECTED], Sun Feb 19 19:28:43 UTC 2006)
|

I am not totally sunk yet, I can still use the onboard ide connector to boot, but this would be much more convenient. Knoppix will boot via the USB drive, so I believe the hardware is sound.

Thanks
Josh

--
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Coordinator | Mobile 701.371.3857
[pfSense Support] LEX Light system, USB Boot
I haven't been able to get my LEX Light mini pc to boot with a USB cd-rom drive. It is the CV860A-3R53 model, 533Mhz, with 3 RealTek NIC's.

I have tried LiveCD-1.0BETA1 and 1.0-BETA1-TESTING-SNAPSHOT-2-19-06 and they both get to this point and lock up.

FreeBSD/i386 bootstrap loader, Revision 1.1
([EMAIL PROTECTED], Sun Feb 19 19:28:43 UTC 2006)
|

I am not totally sunk yet, I can still use the onboard ide connector to boot, but this would be much more convenient. Knoppix will boot via the USB drive, so I believe the hardware is sound.

Thanks
Josh
Re: [pfSense Support] Disabling interface via cron command
Thank you Scott. A few questions.

I cannot find cron.php on my pfsense box. I'm running 1.0-PREBETA2-BUG-VALIDATION-EDITION2. I have tried just using crontab -e to edit root's crontab, but cron doesn't seem to be using that. Do cron events get logged anywhere? Should I use /etc/crontab? I am guessing that /etc/crontab would get overwritten in an upgrade, so that might not be the best choice.

I added #!/usr/local/bin/php to your script, it runs fine from the command line now. If I can just figure out how cron is set up on pfsense I should be set.

Josh

Scott Ullrich wrote:

On 1/12/06, Scott Ullrich [EMAIL PROTECTED] wrote:

This PHP script may be helpful. Simply duplicate it once for up and down and call them from cron.php. Note that I commented the command to down the interface out so that there is no foot shooting until you're absolutely ready.

Woops, here it is:

<?php
require("functions.inc");
require("config.inc");

/* to get the wan interface, use this: */
$if = get_real_wan_interface();

/* *OR* to get the LAN interface, use this:
$if = convert_friendly_interface_to_real_interface_name("LAN");

/* echo out the interface that we found for this assignment */
echo $if;

/* or you could do something like this:
exec("/sbin/ifconfig {$if} down");
*/
?>

--
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Coordinator | Mobile 701.371.3857
Re: [pfSense Support] Disabling interface via cron command
When I run

---
#!/usr/local/bin/php
<?php
require("functions.inc");
require("config.inc");

/* *OR* to get the LAN interface, use this:
$if = convert_friendly_interface_to_real_interface_name("LAN");

/* echo out the interface that we found for this assignment */
echo "Interface is $if \n";
echo "Direct read of \$config is ".$config['interfaces']['lan']['if']."\n";
?>
---

The output is

# ./landown.php
Content-type: text/html
X-Powered-By: PHP/4.4.0

Interface is
Direct read of $config is xl1

For some reason $if is not getting the value assigned to it. Doing

echo convert_friendly_interface_to_real_interface_name("LAN");

prints out the correct value. What am I missing?

Josh

Scott Ullrich wrote:

On 1/12/06, Scott Ullrich [EMAIL PROTECTED] wrote:

This PHP script may be helpful. Simply duplicate it once for up and down and call them from cron.php. Note that I commented the command to down the interface out so that there is no foot shooting until you're absolutely ready.

Woops, here it is:

<?php
require("functions.inc");
require("config.inc");

/* to get the wan interface, use this: */
$if = get_real_wan_interface();

/* *OR* to get the LAN interface, use this:
$if = convert_friendly_interface_to_real_interface_name("LAN");

/* echo out the interface that we found for this assignment */
echo $if;

/* or you could do something like this:
exec("/sbin/ifconfig {$if} down");
*/
?>

--
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Coordinator | Mobile 701.371.3857
Re: [pfSense Support] Disabling interface via cron command
Ah, so embarrassed. I'm so used to using # comments that I didn't even think about that open /* tag. Thanks much.

Josh

Scott Ullrich wrote:

Try uncommenting

/* *OR* to get the LAN interface, use this:

:)

On 1/13/06, Josh Stompro [EMAIL PROTECTED] wrote:

When I run

---
#!/usr/local/bin/php
<?php
require("functions.inc");
require("config.inc");

/* *OR* to get the LAN interface, use this:
$if = convert_friendly_interface_to_real_interface_name("LAN");

/* echo out the interface that we found for this assignment */
echo "Interface is $if \n";
echo "Direct read of \$config is ".$config['interfaces']['lan']['if']."\n";
?>
---

The output is

# ./landown.php
Content-type: text/html
X-Powered-By: PHP/4.4.0

Interface is
Direct read of $config is xl1

For some reason $if is not getting the value assigned to it. Doing

echo convert_friendly_interface_to_real_interface_name("LAN");

prints out the correct value. What am I missing?

Josh

Scott Ullrich wrote:

On 1/12/06, Scott Ullrich [EMAIL PROTECTED] wrote:

This PHP script may be helpful. Simply duplicate it once for up and down and call them from cron.php. Note that I commented the command to down the interface out so that there is no foot shooting until you're absolutely ready.

Woops, here it is:

<?php
require("functions.inc");
require("config.inc");

/* to get the wan interface, use this: */
$if = get_real_wan_interface();

/* *OR* to get the LAN interface, use this:
$if = convert_friendly_interface_to_real_interface_name("LAN");

/* echo out the interface that we found for this assignment */
echo $if;

/* or you could do something like this:
exec("/sbin/ifconfig {$if} down");
*/
?>

--
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Coordinator | Mobile 701.371.3857
[pfSense Support] Disabling interface via cron command
I would like to use cron to disable the LAN interface at a certain time each night and enable it again in the morning. The purpose is to close off network access overnight.

Would something as simple as

ifconfig xl1 down
ifconfig xl1 up

set to run at the correct time do the job? Does anyone know of any bugs or fallout this would create?

Would a better strategy be to enter and delete a firewall rule that blocks all traffic at a certain time?

Is there a standard way to load an environment variable for $LAN and $WAN that reflects how the system is currently set up? So I could do something like

ifconfig $LAN down
ifconfig $LAN up

Thanks
Josh

--
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Coordinator | Mobile 701.371.3857