Re: [pfSense Support] Incorrect System Log Order/Logging Bug?

2011-07-13 Thread Michael Schuh
2011/7/13 Jim Pingle 

> On 7/9/2011 9:17 PM, Dimitri Rodis wrote:
> > The system is and has been set to -8 (I am Pacific Daylight Time, USA),
> and hasn't been re/booted since the first boot on that build--and I have
> reported this issue back in RC1 and it still appears to be an issue. It
> almost looks as if the check_reload_status (among a couple of others that
> haven't shown up in the log yet) specifically always logs with the wrong
> timestamp.
>
> Are you actually using the GMT +/- zone or a named zone such as
> America/Los_Angeles?
>
>
http://www.timeanddate.com/worldclock/

;-)


> The GMT+/- zones are often sources of such weirdness; the named zones
> usually work best.
>
> Jim
>
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>


-- 
= = =  http://michael-schuh.net/  = = =
Project Management - IT Consulting - Professional Services IT
Michael Schuh
P.O. Box 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobile:  0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  VAT ID:  DE251072318  = = =
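An added illustration of the GMT+/- weirdness Jim mentions, written for this archive and not part of the thread: POSIX TZ strings (and the Etc/GMT+N zoneinfo entries) count hours west of UTC as positive, so a zone spelled "GMT+8" is the one that actually sits at UTC-8, while a named zone such as America/Los_Angeles carries its own offset and DST rule. The parser below is my own; it assumes a firewall's GMT+/- entries follow that POSIX convention, and the zone strings fed to it are constructed.

```python
import re
from datetime import timedelta
from typing import Dict, Optional

# POSIX TZ strings look like "std offset [dst [offset] [,rule]]".  The offset is
# the amount ADDED to local time to reach UTC, so hours west of Greenwich are
# positive: "PST8PDT" is UTC-8 in standard time and UTC-7 in daylight time.
# The Etc/GMT+N zoneinfo entries follow the same inverted convention, which is
# why "GMT+8" denotes UTC-8 and "GMT-8" denotes UTC+8.
_OFFSET = r"[+-]?\d{1,2}(?::\d{2})?(?::\d{2})?"
_NAME = r"[A-Za-z]{3,}|<[^>]+>"
_TZ_RE = re.compile(
    rf"^(?P<std>{_NAME})(?P<stdoff>{_OFFSET})"
    rf"(?:(?P<dst>{_NAME})(?P<dstoff>{_OFFSET})?)?"
    r"(?:,(?P<rule>.+))?$"
)


def _posix_offset_to_utc(text: str) -> timedelta:
    """Convert a POSIX offset ('8', '-5:30') into the UTC offset, flipping the sign."""
    west = not text.startswith("-")
    digits = text.lstrip("+-")
    parts = [int(p) for p in digits.split(":")] + [0, 0]
    hours, minutes, seconds = parts[:3]
    delta = timedelta(hours=hours, minutes=minutes, seconds=seconds)
    return -delta if west else delta


def is_posix_tz(tz: str) -> bool:
    """True for POSIX-style strings; named zones like America/Los_Angeles are not."""
    return _TZ_RE.match(tz) is not None


def parse_posix_tz(tz: str) -> Dict[str, Optional[object]]:
    """Parse a POSIX TZ string into standard/daylight UTC offsets and the DST rule."""
    m = _TZ_RE.match(tz)
    if not m:
        raise ValueError(f"not a POSIX TZ string: {tz!r}")
    std_off = _posix_offset_to_utc(m["stdoff"])
    info: Dict[str, Optional[object]] = {
        "std": m["std"].strip("<>"), "std_utc_offset": std_off,
        "dst": None, "dst_utc_offset": None, "rule": m["rule"],
    }
    if m["dst"]:
        info["dst"] = m["dst"].strip("<>")
        # Without an explicit daylight offset, DST is one hour ahead of standard time.
        info["dst_utc_offset"] = (_posix_offset_to_utc(m["dstoff"]) if m["dstoff"]
                                  else std_off + timedelta(hours=1))
    return info


def utc_offset_hours(tz: str, daylight: bool = False) -> float:
    """UTC offset in hours that a POSIX TZ string really means."""
    info = parse_posix_tz(tz)
    off = info["std_utc_offset"]
    if daylight and info["dst_utc_offset"] is not None:
        off = info["dst_utc_offset"]
    return off.total_seconds() / 3600


if __name__ == "__main__":
    # Constructed zone strings: the two GMT spellings and a Pacific-style POSIX zone.
    for tz in ("GMT+8", "GMT-8", "PST8PDT,M3.2.0,M11.1.0"):
        print(f"{tz:26s} standard time = UTC{utc_offset_hours(tz):+.0f}")
    print("America/Los_Angeles is POSIX-style:", is_posix_tz("America/Los_Angeles"))
```

Running it shows "GMT+8" resolving to UTC-8 and "GMT-8" to UTC+8, the opposite of what someone choosing "-8" for Pacific time expects; a named zone sidesteps the sign question entirely, which is the practical reason to prefer it.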


Re: [pfSense Support] can't block https://facebook.com via firefox

2011-03-23 Thread Michael Schuh
2011/3/23 Yehuda Katz :
> On Wed, Mar 23, 2011 at 5:14 PM, Michael Schuh 
> wrote:
>>
>> For a bit of fun:
>> put *.facebook.com into your DNS masquerader and point it to the
>> internal IP of the firewall
>> or to 127.0.0.1 :D (* -> www, or whatever else; I am not aware whether the
>> DNS forwarder can match wildcards).
>> Deny all other DNS besides the access to the firewall.
>
> Just make sure you block access to other DNS servers at the firewall.
> You might not think that so many people have heard of OpenDNS or Google
> Public DNS.
> - Y

The chances that they use an open and free DNS web service are good, and then
they will use the IP address itself.
Therefore I did not write it fully seriously ;-)

On the other hand, whoever really needs access will get access, even if it
must be through another HTTP/S tunnel or
an SSH tunnel. Remember also that SSH can be misused as a SOCKS proxy, and as
long as people can boot machines from media other
than the hard disk, they can cheat nearly everything... nothing is
as secure as death :D

You need it really secure? Pull the power plug of the firewalls,
computers and all switches... :D

Just a suggestion: do not make it so secure that the security is more of a
handbrake than a help.

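The "deny all other DNS besides the firewall" part of the exchange above, as an added example that is not part of the thread: a first-match rule evaluator that passes DNS only to the firewall's forwarder, blocks and logs DNS to any other resolver, and turns the logged hits into a per-client report of who tried to go around the forwarder. The LAN range 192.168.1.0/24, the forwarder address 192.168.1.1 and the sample flows are constructed assumptions; 8.8.8.8 and 208.67.222.222 are the public addresses of the two services Yehuda names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed topology (an assumption for this example, not from the thread):
# the LAN is 192.168.1.0/24 and the firewall's DNS forwarder listens on 192.168.1.1.
LAN = ip_network("192.168.1.0/24")
FIREWALL = ip_network("192.168.1.1/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    protos: frozenset          # protocols the rule matches
    src: object                # ip_network
    dst: object                # ip_network
    dport: Optional[int]       # None = any port
    log: bool = False
    label: str = ""


# First-match rule set in the spirit of the thread: DNS only to the firewall,
# every other resolver blocked and logged, everything else passed.
RULES: List[Rule] = [
    Rule("pass", frozenset({"udp", "tcp"}), LAN, FIREWALL, 53, label="dns-to-firewall"),
    Rule("block", frozenset({"udp", "tcp"}), LAN, ANY, 53, log=True, label="dns-bypass"),
    Rule("pass", frozenset({"udp", "tcp"}), LAN, ANY, None, label="default-out"),
]


def _matches(rule: Rule, flow: Flow) -> bool:
    return (flow.proto in rule.protos
            and ip_address(flow.src) in rule.src
            and ip_address(flow.dst) in rule.dst
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule label) for the first matching rule; block if none match."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action, rule.label
    return "block", "implicit-deny"


def bypass_report(flows: List[Flow], rules: List[Rule] = RULES) -> Dict[str, Set[str]]:
    """Map each LAN client that tried a foreign resolver to the resolver IPs it used."""
    report: Dict[str, Set[str]] = {}
    for flow in flows:
        action, label = evaluate(flow, rules)
        if action == "block" and label == "dns-bypass":
            report.setdefault(flow.src, set()).add(flow.dst)
    return report


# Constructed sample flows.  8.8.8.8 is Google Public DNS and 208.67.222.222 is
# OpenDNS; 203.0.113.10 is a TEST-NET-3 address standing in for a web server.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "192.168.1.1", "udp", 53),
    Flow("192.168.1.50", "8.8.8.8", "udp", 53),
    Flow("192.168.1.51", "208.67.222.222", "tcp", 53),
    Flow("192.168.1.51", "203.0.113.10", "tcp", 443),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(flow))
    print("clients bypassing the forwarder:", bypass_report(SAMPLE_FLOWS))
```

The report is the defender's half of Yehuda's warning: once the block rule logs, the same clients that discovered OpenDNS or Google DNS show up by address, which is more useful than silently dropping their lookups.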



Re: [pfSense Support] can't block https://facebook.com via firefox

2011-03-23 Thread Michael Schuh
2011/3/23 Michael Schuh :
> 2011/3/23 David Barbero :
>> Yehuda Katz wrote:
>>
>>> On Wed, Mar 23, 2011 at 2:56 PM, David Barbero
>>> wrote:
>>>
>>>> Alberto Mijares wrote:
>>>>
>>>>> Squid cannot cache the content of https traffic; however,
>>>>> you are still able to create ACLs to control the access to these
>>>>> URIs.
>>>>>
>>>>> Check out your ACL.
>>>>>
>>>>
>>>> Squid cannot store and cannot filter https connections. When the
>>>> client opens an https connection, squid only makes a tunnel from client to
>>>> server and does not see anything of the content or URL (it only sees the
>>>> destination IP). The only way to block https connections is to filter by
>>>> destination IP in pf or an ACL (I'm not sure if this works properly with
>>>> squid ACLs), but squid or squidguard can't filter an SSL connection directly.
>>>>
>>>
>>> That is absolutely wrong, Squid (with SquidGuard) in a TRANSPARENT
>>> PROXY configuration cannot filter https traffic.
>>> If you are using explicit proxy settings in your browser, https (and just
>>> about any other protocol) can be filtered.
>>> As I said earlier in this thread, I have the exact configuration that the
>>> original poster was looking for:
>>> - SquidGuard filters according to a third-party blacklist of websites.
>>> - All ports that are handled by Squid/SquidGuard, including 80 (http) and
>>> 443 (https) are redirected by the pfSense (using a NAT rule) to an error
>>> page explaining how to set up a proxy in different browsers.
>>> - We are not using Squid for the purpose of caching, only filtering
>>> (limited hard drive space, otherwise we might)
>>>
>>> If anyone wants specific details about how to set up this configuration, I
>>> might be able to help you as my time allows.
>>>
>>> - Yehuda
>>>
>>
>> The thread talks of transparent proxy and I just talked about transparent
>> proxy, so it is not wrong, that's right; if we put the direct proxy it would
>> be wrong :P
>>
>> Cheers.
>>
>> --
>> "Linux is for people who hate Windows, BSD is for people who love UNIX"
>> "Social Engineer -> Because there is no patch for human stupidity"
>>
>
> Squid is naturally not a content filter/blocking system, even if you
> can block sites/IPs and ports or any combination with it ;-)
> Squid can block https access to specific sites and generally to the https ports.
>
> Another question in this scheme: "how secure would https be, if you
> could transparently proxy it and hook a content filter onto it?" :O
>
> I suggest the extended use of the all-knowing oracle "google".
>
> For a bit of fun:
> put *.facebook.com into your DNS masquerader and point it to the
> internal IP of the firewall
> or to 127.0.0.1 :D (* -> www, or whatever else; I am not aware whether the
> DNS forwarder can match wildcards).
> Deny all other DNS besides the access to the firewall.
>
> regards
>

Another quick idea I just got:
use snort and put some fitting rules into it for blocking facebook
(or also other community sites) generally.
IIRC it should be possible to configure it to handle this.




Re: [pfSense Support] can't block https://facebook.com via firefox

2011-03-23 Thread Michael Schuh
2011/3/23 David Barbero :
> Yehuda Katz wrote:
>
>> On Wed, Mar 23, 2011 at 2:56 PM, David Barbero
>> wrote:
>>
>>> Alberto Mijares wrote:
>>>
>>>> Squid cannot cache the content of https traffic; however,
>>>> you are still able to create ACLs to control the access to these
>>>> URIs.
>>>>
>>>> Check out your ACL.
>>>>
>>>
>>> Squid cannot store and cannot filter https connections. When the
>>> client opens an https connection, squid only makes a tunnel from client to
>>> server and does not see anything of the content or URL (it only sees the
>>> destination IP). The only way to block https connections is to filter by
>>> destination IP in pf or an ACL (I'm not sure if this works properly with
>>> squid ACLs), but squid or squidguard can't filter an SSL connection directly.
>>>
>>
>> That is absolutely wrong, Squid (with SquidGuard) in a TRANSPARENT
>> PROXY configuration cannot filter https traffic.
>> If you are using explicit proxy settings in your browser, https (and just
>> about any other protocol) can be filtered.
>> As I said earlier in this thread, I have the exact configuration that the
>> original poster was looking for:
>> - SquidGuard filters according to a third-party blacklist of websites.
>> - All ports that are handled by Squid/SquidGuard, including 80 (http) and
>> 443 (https) are redirected by the pfSense (using a NAT rule) to an error
>> page explaining how to set up a proxy in different browsers.
>> - We are not using Squid for the purpose of caching, only filtering
>> (limited hard drive space, otherwise we might)
>>
>> If anyone wants specific details about how to set up this configuration, I
>> might be able to help you as my time allows.
>>
>> - Yehuda
>>
>
> The thread talks of transparent proxy and I just talked about transparent
> proxy, so it is not wrong, that's right; if we put the direct proxy it would
> be wrong :P
>
> Cheers.
>
> --
> "Linux is for people who hate Windows, BSD is for people who love UNIX"
> "Social Engineer -> Because there is no patch for human stupidity"
>

Squid is naturally not a content filter/blocking system, even if you
can block sites/IPs and ports or any combination with it ;-)
Squid can block https access to specific sites and generally to the https ports.

Another question in this scheme: "how secure would https be, if you
could transparently proxy it and hook a content filter onto it?" :O

I suggest the extended use of the all-knowing oracle "google".

For a bit of fun:
put *.facebook.com into your DNS masquerader and point it to the
internal IP of the firewall
or to 127.0.0.1 :D (* -> www, or whatever else; I am not aware whether the
DNS forwarder can match wildcards).
Deny all other DNS besides the access to the firewall.

regards

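The transparent-versus-explicit distinction David and Yehuda argue about, as an added example that is not from the thread: an explicit proxy receives a CONNECT request line that names the destination host, so a squid-style dstdomain ACL can decide on the name; an intercepted TLS connection hands the proxy only the destination IP, so the same policy has nothing but address ranges to work with. The code is mine, the request bytes and addresses are constructed, and the dstdomain semantics (a leading dot matches the domain and its subdomains, no dot means the exact host) are assumed to mirror squid's.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed squid-style dstdomain list: ".facebook.com" covers facebook.com and all subdomains.
BLOCKED_DOMAINS = [".facebook.com"]


def dstdomain_matches(entry: str, host: str) -> bool:
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def parse_connect(raw: bytes) -> Optional[Tuple[str, int]]:
    """Extract host and port from the request line an explicit proxy receives."""
    line, _, _ = raw.partition(b"\r\n")
    parts = line.decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def explicit_proxy_decision(raw: bytes, blocked: List[str] = BLOCKED_DOMAINS) -> Tuple[str, str]:
    """Policy for a browser configured to use the proxy: the hostname is visible."""
    parsed = parse_connect(raw)
    if parsed is None:
        return "deny", "malformed CONNECT"
    host, port = parsed
    if port != 443:
        # Mirrors squid's habit of refusing CONNECT to anything but the SSL port.
        return "deny", f"CONNECT to non-SSL port {port}"
    for entry in blocked:
        if dstdomain_matches(entry, host):
            return "deny", f"{host} matches {entry}"
    return "allow", host


def transparent_decision(dst_ip: str, blocked_nets: List[str]) -> Tuple[str, str]:
    """Policy for an intercepted TLS connection: only the 5-tuple is available."""
    addr = ip_address(dst_ip)
    for net in blocked_nets:
        if addr in ip_network(net):
            return "deny", f"{dst_ip} in {net}"
    return "allow", f"{dst_ip} (hostname unknown to the intercepting proxy)"


# Constructed request as a browser with explicit proxy settings would send it.
CONNECT_REQUEST = (b"CONNECT www.facebook.com:443 HTTP/1.1\r\n"
                   b"Host: www.facebook.com:443\r\n\r\n")
# Constructed TEST-NET addresses standing in for a content network shared by many sites.
BLOCKED_NETS = ["203.0.113.0/24"]

if __name__ == "__main__":
    print("explicit:   ", explicit_proxy_decision(CONNECT_REQUEST))
    print("transparent:", transparent_decision("203.0.113.25", BLOCKED_NETS))
    print("transparent:", transparent_decision("198.51.100.9", BLOCKED_NETS))
```

The second transparent call is the point of Yehuda's setup: a browser switched to "no proxy" never sends a CONNECT, so the explicit policy never runs, and the intercepting side can only reason about addresses. Redirecting direct port 443 traffic to an instruction page, as he describes, is what forces clients back onto the path where the hostname is visible.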



Re: [pfSense Support] can't block https://facebook.com via firefox

2011-03-23 Thread Michael Schuh
2011/3/23 Carlos Vicente :
> Hi,
>
> Have you considered using squidguard with the URL blocklist shallalist.de?
> I have one deployment with squid (not in transparent mode, using port TCP
> 3128), squidguard and HAVP and I can block just about all social network traffic.
>
> Carlos
>
> On Tue, Mar 22, 2011 at 4:53 PM, Luke Jaeger  wrote:
>>
>> Hello,
>>
>> I have squid configured as transparent proxy on my network.
>>
>> Students have figured out that if they use Firefox and set its internal
>> network settings to "no proxy", they can get to banned sites such as
>> facebook via https.
>>
>> Firefox is the only browser I know of that lets you override system proxy
>> settings, which we keep locked down.
>>
>> Is there any way to fix this?
>>
>> thanks -
>>
>>
>> Luke Jaeger | Technology Coordinator
>> Pioneer Valley Performing Arts Charter Public School
>> www.pvpa.org
>>
>>
>
>
>
> --
>
> *
> http://www.sebastiaoguerra.com
> http://www.atelierdamoto.com
> http://www.blocoa3.com
> --
> This e-mail and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this e-mail in error, please notify us.
>
>
>
> Before printing this e-mail, consider whether you really need to.
>

Hi @list,

AFAIK you can define ACLs in the squid config to block specific sites
and ports (nearly anything that is IP/TCP).
You can also create blocking lists that could be used with squid only.
You can also set up special error pages and messages in the config, IIRC.
A simple example you can find here:

http://nixcraft.com/linux-software/544-how-block-sites-squid.html

As others have already mentioned, redirect all access to the outside
world on ports 80/443/8080... (not blocking it, but leading it to the squid)
to port 80 of the pfsense box, specifically to port 3128, and choose the
transparent proxy settings.
I am sure there will be a howto/tutorial or something to be found in the
pfsense docs.

For using squidguard, always keep in mind that each request gets
validated against a huge list of
blacklisted servers. I had a customer that kept over 26,000,000
blocked sites in his squidguard
filter -> each request has to get validated against 26,000,000
list entries (not the page load, each part of a page)
-> slows down the loading of the page and increases the load of the
firewall itself.

Another solution can be dante, a SOCKS proxy solution with content
filter abilities. I am not sure if dante or another SOCKS content
filter is available
in the packages for pfsense.

hope it helps a bit

regards

m.

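Two points from this thread, as one added example that is not from the list: the "*.facebook.com into the DNS forwarder" idea from the earlier reply (where the poster was unsure whether wildcards match) and the remark above that a 26,000,000-entry squidguard list is consulted for every request. The class below is my own squidguard-style domain list where an entry blocks the domain and everything under it; its lookup walks the host's own suffixes, so the number of set probes is bounded by the label count rather than the list size, while the naive linear scan grows with the list. The 100,000-entry list is constructed.

```python
from fnmatch import fnmatch
from typing import Iterable, List, Optional, Tuple


class DomainBlocklist:
    """squidguard-style domain list: an entry blocks the domain and all its subdomains."""

    def __init__(self, entries: Iterable[str]):
        self._entries = {e.lower().strip(".") for e in entries}

    def __len__(self) -> int:
        return len(self._entries)

    def lookup(self, host: str) -> Tuple[Optional[str], int]:
        """Return (matching entry or None, number of set probes made).

        Walk candidate suffixes from the full host upward, so the cost is
        bounded by the number of labels, whatever the size of the list.
        """
        labels = host.lower().strip(".").split(".")
        probes = 0
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            probes += 1
            if candidate in self._entries:
                return candidate, probes
        return None, probes


def linear_lookup(entries: List[str], host: str) -> Tuple[Optional[str], int]:
    """The naive approach: compare the host against every entry in turn."""
    host = host.lower().strip(".")
    for n, entry in enumerate(entries, 1):
        if host == entry or host.endswith("." + entry):
            return entry, n
    return None, len(entries)


def wildcard_matches(pattern: str, host: str) -> bool:
    """Shell-style wildcard as written in the thread ("*.facebook.com")."""
    return fnmatch(host.lower(), pattern.lower())


# Constructed list: 100,000 synthetic domains with facebook.com at the very end,
# the worst case for a linear scan.
CONSTRUCTED_LIST = [f"blocked-{i}.example" for i in range(100_000)] + ["facebook.com"]
BLOCKLIST = DomainBlocklist(CONSTRUCTED_LIST)

if __name__ == "__main__":
    for host in ("www.facebook.com", "facebook.com", "static.xx.fbcdn.example"):
        print(f"{host:28s} indexed={BLOCKLIST.lookup(host)}  linear={linear_lookup(CONSTRUCTED_LIST, host)}")
    # The literal wildcard from the thread misses the bare domain; a suffix entry covers both.
    print("*.facebook.com matches facebook.com:", wildcard_matches("*.facebook.com", "facebook.com"))
```

The wildcard check is the caveat for the DNS-override idea: a pattern written as "*.facebook.com" matches www.facebook.com but not facebook.com itself, whereas a suffix-style entry covers both. The probe counts are the caveat for the squidguard remark: a hash-indexed suffix walk costs a handful of lookups per request regardless of whether the list holds a hundred or twenty-six million entries.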



Re: [pfSense Support] how to manage 2 subnets for LAN ?

2010-11-21 Thread Michael Schuh
hi,

just my simple idea, not sure if it fits perfectly.

Set up the interface on the firewall to
192.168.0.0/23, e.g.
interface address 192.168.0.1.
Add a second virtual IP (CARP) to the LAN interface,
192.168.1.1 (as gateway address for the second /24).
Add certain rules for it if necessary.

TROUBLESHOOTING:
To check whether you have trouble with firewall rules,
log in to the shell via SSH, press 8 and type in tcpdump -ni pflog0
(not 100% sure if I remember right).

This fits 192.168.0.0/24 and 192.168.1.0/24;
clients can still use /24 as subnet mask.

Use ipcalc for calculating the right numbers that fit
your purposes.
If I remember well, you cannot use 192.168.1.1 as starting net; that's
against the subnetting rules
of TCP/IP (masking with a bitmask leads to 192.168.0.0/23).

NO GO:
DHCP on that interface with a split solution for both /24s.
That is: dhcpd cannot easily tell to which /24 range it should give
the requested addresses (WLAN/wired will then result in the same address range).
Everything besides that needs more setup, e.g. putting MAC addresses in
the DHCP config.

hth

greetings

michael

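The subnet arithmetic behind the /23 suggestion, as an added example with the standard library rather than ipcalc (my code, not from the thread): it shows why 192.168.1.0/23 is not a valid network address and what the bitmask turns it into, splits the /23 into the two /24s with their gateways, and checks whether a client still configured with a /24 mask sees a given gateway on its own subnet, which is the reason the second CARP virtual IP is needed. The client address 192.168.1.77 is constructed.

```python
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List


def normalize_network(cidr: str) -> Dict[str, object]:
    """Report whether cidr is a proper network address and what the bitmask makes of it."""
    try:
        net = ip_network(cidr)                  # strict: host bits must be zero
        return {"valid": True, "network": str(net)}
    except ValueError:
        net = ip_network(cidr, strict=False)    # mask it down, as ipcalc would
        return {"valid": False, "network": str(net)}


def split_lan(supernet: str, new_prefix: int = 24) -> List[str]:
    """The /24 blocks contained in the supernet."""
    return [str(s) for s in ip_network(supernet).subnets(new_prefix=new_prefix)]


def gateway_for(subnet: str) -> str:
    """First usable address of the subnet, the conventional gateway."""
    return str(next(ip_network(subnet).hosts()))


def on_link(client_cidr: str, gateway: str) -> bool:
    """True if the client, using its own mask, sees the gateway on its subnet."""
    client = ip_interface(client_cidr)
    return ip_address(gateway) in client.network


def plan(supernet: str) -> Dict[str, object]:
    """Interface address and per-/24 gateways for the scheme in the thread."""
    net = ip_network(supernet)
    subnets = list(net.subnets(new_prefix=24))
    return {
        "supernet": str(net),
        "interface": f"{next(subnets[0].hosts())}/{net.prefixlen}",
        "subnets": [str(s) for s in subnets],
        "gateways": [gateway_for(str(s)) for s in subnets],
    }


if __name__ == "__main__":
    print(normalize_network("192.168.1.0/23"))     # host bits set: masked down to 192.168.0.0/23
    print(plan("192.168.0.0/23"))
    # Constructed client in the second /24, still configured with a /24 mask.
    for gw in ("192.168.1.1", "192.168.0.1"):
        print(f"192.168.1.77/24 sees {gw} on-link: {on_link('192.168.1.77/24', gw)}")
```

The last two lines are the practical check: a /24 client in the upper half only treats 192.168.1.1 as local, so without the virtual IP it would have no reachable gateway even though the firewall's /23 interface covers both halves.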



Re: [pfSense Support] 2 WAN IP's in the same net.

2010-07-13 Thread Michael Schuh
2010/7/14 Tim Dickson :
>> Is it possible to make load balancing with 2 accounts of 30mbps from the same 
>> ISP?
>
> For the current release you have to put another device in front of one of the 
> WANs so that it has a separate gateway.
> -tim
>
What about putting each IP on its own Ethernet card and using the load balancer?
http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing
Correct me if I am wrong, I thought that this is possible without a
new device in front
of the pfsense (with 1.2.3 AFAIK).
That's a very interesting topic.

thanks to all and the maintainers for this wonderful product.

michael




Re: [pfSense Support] Re: Layer 3-7 Switching

2010-02-16 Thread Michael Schuh
2010/2/16 Tim Nelson :
> - "Michael Schuh"  wrote:
>> 2010/2/14 Michael Schuh :
>> > Hello at List,
>> >
>> > I need a Layer 4-7 switching solution like the
>> > Linux Virtual Server.
>> > Most of the work is done on the NAT/RDR and load balancer.
>> > I like pfsense so much that I need to build the Layer 4-7 switch
>> > through pfsense.
>> >
>> > Now, can anyone tell me if this is possible in the way of
>> > Linux Virtual Server (the endpoint of the way) and/or give me a
>> hint or
>> > link where I can find more information.
>> >
>> > thank you
>> >
>> > happy valentines day
>> >
>> > michael
>>
>> Sorry for my typo.
>> Thanks to all, I have found it by myself.
>>
>
> Not sure what typo you're referring to...
>
> Anyways, do you know how useless it is to first post 'I need help with this 
> really grand idea etc...' only to come back to the list a day or two later 
> and say 'I found it' without posting any further details? Would you care to 
> share the solution you've found? It may be helpful to current or future list 
> members seeking a similar solution.
>
> --Tim
>


http://doc.pfsense.org/index.php/Inbound_Load_Balancing





[pfSense Support] Re: Layer 3-7 Switching

2010-02-15 Thread Michael Schuh
2010/2/14 Michael Schuh :
> Hello at List,
>
> I need a Layer 4-7 switching solution like the
> Linux Virtual Server.
> Most of the work is done on the NAT/RDR and load balancer.
> I like pfsense so much that I need to build the Layer 4-7 switch
> through pfsense.
>
> Now, can anyone tell me if this is possible in the way of
> Linux Virtual Server (the endpoint of the way) and/or give me a hint or
> link where I can find more information.
>
> thank you
>
> happy valentines day
>
> michael

Sorry for my typo.
Thanks to all, I have found it by myself.

regards

michael




[pfSense Support] Layer 3-7 Switching

2010-02-14 Thread Michael Schuh
Hello at List,

I need a Layer 4-7 switching solution like the
Linux Virtual Server.
Most of the work is done on the NAT/RDR and load balancer.
I like pfsense so much that I need to build the Layer 4-7 switch
through pfsense.

Now, can anyone tell me if this is possible in the way of
Linux Virtual Server (the endpoint of the way) and/or give me a hint or
link where I can find more information.

thank you

happy valentines day

michael




Re: [pfSense Support] blocking bradcast

2010-02-02 Thread Michael Schuh
2010/2/2 Paul Mansfield :
> On 02/02/10 14:41, Zhu Sha Zang wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> I'm receiving a lot of this type of message on my WAN:
>>
>> 1. 692357 rule 39/0(match): block in on re0: 0.0.0.0.68 >
>> 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
>
> stick a rule at the top to quietly drop UDP:67,68 packets with target
> broadcast?
>
> hope you're not using dhcp client on that interface ;-)
>

Otherwise the packets can be allowed with a
separate rule at the top of the rules.
In this case DHCP should work and the logs are clean.


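An added example for the log noise above, not from the thread: a parser for the pflog lines in the tcpdump form Zhu Sha Zang pasted, plus a classifier that picks out exactly the traffic Paul's quiet rule would cover (client port 68 to server port 67, destination broadcast) so you can see how much of the log it accounts for before adding the rule. The code is mine; the first sample line is the one from the thread joined back onto one line, the others are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# tcpdump -n on pflog0 prints: "rule 39/0(match): block in on re0: 0.0.0.0.68 > 255.255.255.255.67: ..."
_PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$"
)


@dataclass(frozen=True)
class PfLogEntry:
    rule: int
    action: str
    direction: str
    iface: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    info: str


def _split_endpoint(text: str) -> Tuple[str, Optional[int]]:
    """tcpdump writes IPv4 endpoints as a.b.c.d.port; split the trailing port off."""
    ip, _, port = text.rpartition(".")
    if port.isdigit() and ip.count(".") == 3:
        return ip, int(port)
    return text, None


def parse_pflog(line: str) -> Optional[PfLogEntry]:
    m = _PFLOG_RE.search(line)
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return PfLogEntry(int(m["rule"]), m["action"], m["dir"], m["iface"],
                      src_ip, src_port, dst_ip, dst_port, m["info"])


def is_dhcp_broadcast(entry: PfLogEntry) -> bool:
    """What the suggested quiet rule would match: DHCP client -> broadcast, 68 -> 67."""
    return (entry.dst_ip == "255.255.255.255"
            and entry.dst_port == 67 and entry.src_port == 68)


def noise_summary(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count DHCP-broadcast log entries per (interface, action)."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        entry = parse_pflog(line)
        if entry and is_dhcp_broadcast(entry):
            key = (entry.iface, entry.action)
            counts[key] = counts.get(key, 0) + 1
    return counts


# First line is the thread's sample rejoined; the rest are constructed (TEST-NET addresses).
SAMPLE_LOG = [
    "692357 rule 39/0(match): block in on re0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]",
    "692358 rule 39/0(match): block in on re0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]",
    "692359 rule 39/0(match): block in on re0: 198.51.100.23.51234 > 203.0.113.7.22: S 1:1(0) win 65535",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_pflog(line)
        print("dhcp-broadcast" if entry and is_dhcp_broadcast(entry) else "other", entry)
    print(noise_summary(SAMPLE_LOG))
```

Whichever way you go, quiet drop as Paul suggests or an explicit pass at the top as in the reply, the classifier tells you the rule is scoped to the broadcast DHCP chatter only; the third sample line, an inbound SSH attempt, stays in the log where it belongs.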



Re: [pfSense Support] Re: Bandwidth monitoring and accounting

2010-01-03 Thread Michael Schuh
2010/1/3 Ugo Bellavance :
> On 2010-01-03 16:07, Glenn Kelley wrote:
>>
>> This should help
>>
>> http://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage%3F
>>
>> We measure from the switches themselves vs pfsense.
>> This helps a great deal -
>
> Makes sense, but since almost all of our clients are wireless, I think the
> netflow approach would be the best one.  Anyone ever configured something
> around netflow and pfsense?  I have an external server for cacti and nagios
> and I can install software on it if needed.
>
> Thanks,

Hi Ugo,

Then you could use the netflow package and, on your server box,
any software you like that can handle Netflow data streams, like argus:
http://www.qosient.com/argus/argusnetflow.htm
http://www.qosient.com/argus/index.htm

The good things: argus is usable with databases like MySQL and supports AFAIK
Cisco's netflow diagram... but find out yourself if it's good for you...

cheers

michael



Re: [pfSense Support] routed / RIP -- No buffer space available?

2009-12-23 Thread Michael Schuh
2009/12/23 Michael Schuh :
> 2009/12/23 Gerald A :
>>
>>
>> On Wed, Dec 23, 2009 at 2:41 PM, Michael Schuh 
>> wrote:
>>>
>>> please look here, in the section Loader Tunables:
>>>
>>> http://www.freebsd.org/cgi/man.cgi?query=tuning&apropos=0&sektion=0&manpath=FreeBSD+8.0-RELEASE&format=html
>>
>> First, thanks for the pointer to a great resource on various tunables, and a
>> fantastic guide to tweaking things related to mbufs.
>> Tim had asked how FreeBSD comes up with this value initially, and there isn't any insight into the initial value on that page, unless I missed something. So, where that is synthesized from remains a mystery, despite having good information on how to tune it for practical use.
>> Thanks,
>> Gerald
>
> As far as I know, FreeBSD calculates this with regard to the amount of
> memory in your system
> if you have nothing else configured... one of my boxes has 1G RAM and
> no settings other than default;
> the value of nmbclusters is 6, for example.
>
> For monitoring this value you can use the command netstat -m and see
> what's going on;
> this shows you also the configured values from the kernel (you must not use 
> sysctl).
>
> greetings
>
> michael
>
Sorry, I've forgotten something:
the linked manpage is for FreeBSD release 8.0;
for pfsense, FreeBSD 7 stable is the correct version, if there is a
difference and I remember correctly.




Re: [pfSense Support] routed / RIP -- No buffer space available?

2009-12-23 Thread Michael Schuh
2009/12/23 Gerald A :
>
>
> On Wed, Dec 23, 2009 at 2:41 PM, Michael Schuh 
> wrote:
>>
>> please look here, in the section Loader Tunables:
>>
>> http://www.freebsd.org/cgi/man.cgi?query=tuning&apropos=0&sektion=0&manpath=FreeBSD+8.0-RELEASE&format=html
>
> First, thanks for the pointer to a great resource on various tunables, and a
> fantastic guide to tweaking things related to mbufs.
> Tim had asked how FreeBSD comes up with this value initially, and there isn't any insight into the initial value on that page, unless I missed something. So, where that is synthesized from remains a mystery, despite having good information on how to tune it for practical use.
> Thanks,
> Gerald

As far as I know, FreeBSD calculates this with regard to the amount of
memory in your system
if you have nothing else configured... one of my boxes has 1G RAM and
no settings other than default;
the value of nmbclusters is 6, for example.

For monitoring this value you can use the command netstat -m and see
what's going on;
this shows you also the configured values from the kernel (you must not use sysctl).

greetings

michael



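An added example for the netstat -m monitoring suggestion above (my code, not from the thread): it parses the mbuf and mbuf-cluster lines of FreeBSD's netstat -m output, computes how close cluster usage is to the kern.ipc.nmbclusters ceiling Gerald mentions, and flags the starved state that shows up as "No buffer space available". The two output samples are constructed to match the netstat -m line format; the numbers in them are not from any real box.

```python
import re
from typing import Dict

_MBUF_RE = re.compile(r"^(\d+)/(\d+)/(\d+) mbufs in use")
_CLUSTER_RE = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+) mbuf clusters in use")
_DENIED_RE = re.compile(r"^(\d+)/(\d+)/(\d+) requests for mbufs denied")


def parse_netstat_m(output: str) -> Dict[str, int]:
    """Pull the mbuf, mbuf-cluster and denied-request counters out of netstat -m."""
    stats: Dict[str, int] = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = _MBUF_RE.match(line)
        if m:
            stats["mbufs_current"], stats["mbufs_cache"], stats["mbufs_total"] = map(int, m.groups())
            continue
        m = _CLUSTER_RE.match(line)
        if m:
            (stats["clusters_current"], stats["clusters_cache"],
             stats["clusters_total"], stats["clusters_max"]) = map(int, m.groups())
            continue
        m = _DENIED_RE.match(line)
        if m:
            stats["denied_mbufs"], stats["denied_clusters"], stats["denied_packets"] = map(int, m.groups())
    return stats


def cluster_utilization(stats: Dict[str, int]) -> float:
    """Fraction of the cluster ceiling (kern.ipc.nmbclusters) currently allocated."""
    return stats["clusters_total"] / stats["clusters_max"]


def assess(stats: Dict[str, int], threshold: float = 0.9) -> Dict[str, object]:
    """Flag a box that is at or near cluster exhaustion, or already refusing requests."""
    util = cluster_utilization(stats)
    starved = util >= threshold or stats.get("denied_clusters", 0) > 0
    return {
        "utilization": round(util, 3),
        "exhausted": starved,
        "tunable": "kern.ipc.nmbclusters",   # the sysctl named in the thread
        "current_max": stats["clusters_max"],
    }


# Constructed samples in the netstat -m line format: one healthy, one starved.
HEALTHY_OUTPUT = """\
1234/876/2110 mbufs in use (current/cache/total)
1024/512/1536/25600 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
"""
STARVED_OUTPUT = """\
25300/200/25500 mbufs in use (current/cache/total)
25100/400/25500/25600 mbuf clusters in use (current/cache/total/max)
0/312/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
"""

if __name__ == "__main__":
    for name, output in (("healthy", HEALTHY_OUTPUT), ("starved", STARVED_OUTPUT)):
        print(name, assess(parse_netstat_m(output)))
```

The denied-request counter is the decisive signal: a high utilization figure alone may be a transient burst, but a nonzero denied count means the kernel has already turned allocations away, which is what a routing daemon reports back as "No buffer space available".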



Re: [pfSense Support] routed / RIP -- No buffer space available?

2009-12-23 Thread Michael Schuh
2009/12/23 Gerald A :
> Hi Tim,
> On Tue, Dec 22, 2009 at 10:29 PM, Tim Nelson  wrote:
>>
>> - "Gerald A"  wrote:
>> > Hey Tim,
>> > Adding RAM won't increase MBUFs, if I remember correctly. It is a kernel
>> > param, and can be tweaked by recompiling the kernel. (It may nowadays be
>> > possible to massage it by sysctl, or as a boot time param, but I'm not
>> > sure). So, you can tweak it without adding RAM.
>
> After a bit of research, I found that they had made this a sysctl:
>  sysctl kern.ipc.nmbclusters
> The example I found mentioned 65535 as a number, your mileage may vary.
>
>> > I've seen this when an ipfw rule prevented sending, like for a ping.
>> > Could it be a > fw rule that is causing this? (Just grasping at straws).
>>
>> Right now, it's just functioning as a 'core' router with NAT turned off.
>> All interfaces have "Allow any protocol from anywhere to anywhere" rules on
>> them. There are no other services enabled, not even dns forwarder or DHCP.
>> Just pure routing and RIP.
>>
>> Looking at my edge firewall, I see MBUF usage like this:  738 /1845 which
>> is very odd since that box also has 256MB RAM. The only difference is that
>> my edge box has 2x128MB DIMMs and my core (problematic box) has a single
>> 256MB DIMM. Are the MBUF values calculated randomly? Where do they come
>> from?
>
>
> I tried doing some research on this one, and wasn't as successful. From what
> I recall, there is some important constant somewhere in the kernel sources
> that sets this up initially. It might now additionally be sized by RAM or
> some other magic, and since it's a dynamic tunable, you can tweak it at
> boottime (or anytime).
> I'd be surprised if it was random. One thing you did mention was that your
> "core" box has 5 interfaces -- my off the cuff guess would be that mbufs are
> added as the number of interfaces increases. It would make sense, since you
> would potentially have more network traffic requiring more resources.
> Thanks,
> Gerald.

please look here, in the section Loader Tunables:
http://www.freebsd.org/cgi/man.cgi?query=tuning&apropos=0&sektion=0&manpath=FreeBSD+8.0-RELEASE&format=html

greetings and a merry Christmas

michael





Re: [pfSense Support] Intentionally slow down traffic on certain ports/ips

2009-12-04 Thread Michael Schuh
2009/12/4 Gabriel - IP Guys :
>
>
>> -Original Message-----
>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>> Sent: 04 December 2009 11:23
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Intentionally slow down traffic on
>> certain ports/ips
>>
>> 2009/12/4 Gabriel - IP Guys :
>> > Dear All,
>> >
>> >
>> >
>> > Is it possible to slow down packets that come to and from a
>> particular IP or
>> > alias on a particular port - I have a rsync sessions going on in the
>> > background, and I do not want them to ever use more than 5% of the
>> total
>> > bandwidth - Can this be done?
>> >
>> >
>> >
>> > ---
>> >
>> > Kind Regards,
>> >
>> > Mr Gabriel
>> >
>> >
>>
>> Hi Gabriel,
>>
>> The bandwidth-limit switch of rsync doesn't help?
>> If so, then you could use the traffic shaper;
>> search the wiki for howtos. ;-)
>>
>> greetings
>>
>> michael
>>
>>
>
> I've created a new queue called superslowdown (so I can easily identify
> it!)
>
> I've given it 5% bandwidth, and a priority of 1. For scheduler options,
> Default queue. I'm not 100% sure what to put into the Service Curve (sc)
> boxes, and advice would be appreciated. As for the Parent Queue, I'm not
> sure what is required here. Again, any assistance would be appreciated
>
> I've added the following settings in the traffic shaper queues
>
> In interface            WAN
> Out Interface           LAN
> Protocol                        TCP
> Source                  Type - Single host, --Address, (internal IP)
> Source Port Range               (port number ranges lowest, to highest)
> Destination                     Type - Single host/alias        Address,
> -- Address (alias of IPs)
> Destination Port Range  (port number ranges lowest, to highest)
>
>
> Will this be a sufficient template to slow down traffic to and from
> particular servers on the LAN? (the queue has been configured for both
> directions, LAN to WAN, and WAN to LAN)

I'm not really sure about this in depth, but it looks good.
If you have used the wizard for creating the rules, all should be fine.

Probably another person could help you more than me,
or you can search through the mailing list, if you want.

good luck...greetings

michael



Re: [pfSense Support] Intentionally slow down traffic on certain ports/ips

2009-12-04 Thread Michael Schuh
2009/12/4 Gabriel - IP Guys :
>
>
>> -Original Message-----
>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>> Sent: 04 December 2009 11:23
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Intentionally slow down traffic on
>> certain ports/ips
>>
>> 2009/12/4 Gabriel - IP Guys :
>> > Dear All,
>> >
>> >
>> >
>> > Is it possible to slow down packets that come to and from a
>> particular IP or
>> > alias on a particular port - I have a rsync sessions going on in the
>> > background, and I do not want them to ever use more than 5% of the
>> total
>> > bandwidth - Can this be done?
>> >
>> >
>> >
>> > ---
>> >
>> > Kind Regards,
>> >
>> > Mr Gabriel
>> >
>> >
>>
>> Hi Gabriel,
>>
>> the bw-limit-switch from rsync doesn't help?
>> if so, then you could use the traffic shaper,
>> search the wiki for Howtos. ;-)
>>
>> greetings
>>
>> michael
>>
>
>
> I have put the details into the traffic shaper, how would I go about
> testing that this works? I go to status:queues, but I'm greeted by a
> graph that never appears


probably this could help you:
http://devwiki.pfsense.org/TrafficShapingGuide

I myself have not used traffic shaping yet,
but if you want to test it you could use pv with nc and dd,
or whatever you like under Linux, to test the max bandwidth
like out of the box...

on system A <==pfsensebox==>   on system B
10.0.0.2 - 10.0.0.1  172.16.0.1 - 172.16.0.2
nc -l -p 3142 | pv > /dev/null   <===>   dd if=/dev/zero bs=1M | pv | nc 10.0.0.2 3142

change the ip in the example (10.0.0.2)  to your needs

hope that helps you...

Just to be sure: the traffic that should get shaped _must_ flow
through the pfSense box,
and don't forget to reset the states before you test the traffic shaping...




Re: [pfSense Support] Intentionally slow down traffic on certain ports/ips

2009-12-04 Thread Michael Schuh
2009/12/4 Gabriel - IP Guys :
> Dear All,
>
>
>
> Is it possible to slow down packets that come to and from a particular IP or
> alias on a particular port – I have a rsync sessions going on in the
> background, and I do not want them to ever use more than 5% of the total
> bandwidth – Can this be done?
>
>
>
> ---
>
> Kind Regards,
>
> Mr Gabriel
>
>

Hi Gabriel,

the bw-limit-switch from rsync doesn't help?
if so, then you could use the traffic shaper,
search the wiki for Howtos. ;-)

greetings

michael






Re: [pfSense Support] Quad NIC's?

2009-09-22 Thread Michael Schuh
2009/9/23 Scott Ullrich :
> On Tue, Sep 22, 2009 at 8:26 PM, Luke Jaeger  wrote:
>> Hello,
>>
>> Are there any known issues with quad NIC cards on a pfSense box?
>>
>> I'm looking at a Proliant DL360 G3 with an Intel Pro 1000 GT Quad Port
>> adapter
>>
>> http://www.intel.com/products/server/adapters/pro1000gt-quadport/pro1000gt-quadport-overview.htm
>
> Should work well.
>
> Scott
>

I can report that it works very well. ;-) Not only should it... it does
its job well.

michael



Re: [pfSense Support] Proxy ARP for a block

2009-09-04 Thread Michael Schuh
2009/9/4 Hiren Joshi :
>
>>
>> Hello Josh,
>>
>> i think i understand your problem and your wish, hope so.
>>
>> you have to setup master and slave with forwading
>> an external subnet throug the WAN-If to another If?
>> yes?
>> if the external subnet is a subnet for a DMZ things getting a
>> little bit easier.
>> then i can help you to configure a master/slave-setup, if you wish.
>>
>> are the external IPs a subnet or single IP's from different subnets?
>
> Close, I have a master/slave setup with 14 IPs (/28 subnet) assigned to us.
>
> So I have 1 IP for the master, one for the slave and one for the master/slave 
> carp. The other 11 IPs are setup with carp as virtual IPs on the firewall 
> which then get Natd to various services.
>
> Now, our ISP have given us 62 new IPs (/26 subnet), these need to be handled 
> by our firewall, I hope this is slightly clearer, I'm fairly new to pfsense 
> so sorry if I've got the terminology wrong.
>
> Thanks,
> Josh.
>
>
>>
>> cheers
>>
>> michael
>>
>>
Hello Josh,

I will write to you directly.

cheers

michael




Re: [pfSense Support] Proxy ARP for a block

2009-09-04 Thread Michael Schuh
2009/9/4 Michael Schuh :
> 2009/9/4 Hiren Joshi :
>>> >
>>> > The alternative (I think) would be for me to setup a second
>>> IP address
>>> > on each of the servers and carp them as well (this will
>>> allow me to carp
>>> > the new IP range we have). Would this work?
>>> >
>>> >
>>> I think you misunderstand the whole idea. You can not have
>>> two IP ranges
>>> on the same interface with CARP IPs from both ranges. As to me it is
>>> generally not a good idea to have more than one subnet on a single
>>> interface but sometimes ISPs force users to do it.
>>> I am very new to pfSense and probably somebody from real gurus will
>>> correct me.
>>
>> This is the problem I'm facing, I have a master and slave setup and my
>> ISP has just forced a load of new IPs on a different subnet, can anyone
>> offer pointers?
>>
>> Is this a good idea?
>> http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
>>
>> Josh.
>>
>>> Eugene.
>>>
>
> Hello Josh,
>
> i think i understand your problem and your wish, hope so.
>
> you have to setup master and slave with forwading
> an external subnet throug the WAN-If to another If?
> yes?
> if the external subnet is a subnet for a DMZ things getting a little bit 
> easier.
> then i can help you to configure a master/slave-setup, if you wish.
>
> are the external IPs a subnet or single IP's from different subnets?
>
> cheers
>
> michael
>
>

First you have to read _and_ understand this:
http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)





Re: [pfSense Support] Proxy ARP for a block

2009-09-04 Thread Michael Schuh
2009/9/4 Hiren Joshi :
>> >
>> > The alternative (I think) would be for me to setup a second
>> IP address
>> > on each of the servers and carp them as well (this will
>> allow me to carp
>> > the new IP range we have). Would this work?
>> >
>> >
>> I think you misunderstand the whole idea. You can not have
>> two IP ranges
>> on the same interface with CARP IPs from both ranges. As to me it is
>> generally not a good idea to have more than one subnet on a single
>> interface but sometimes ISPs force users to do it.
>> I am very new to pfSense and probably somebody from real gurus will
>> correct me.
>
> This is the problem I'm facing, I have a master and slave setup and my
> ISP has just forced a load of new IPs on a different subnet, can anyone
> offer pointers?
>
> Is this a good idea?
> http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
>
> Josh.
>
>> Eugene.
>>

Hello Josh,

I think I understand your problem and your wish, hope so.

You have to set up master and slave with forwarding
an external subnet through the WAN interface to another interface?
Yes?
If the external subnet is a subnet for a DMZ, things get a little bit easier.
Then I can help you to configure a master/slave setup, if you wish.

Are the external IPs a subnet or single IPs from different subnets?

cheers

michael





Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.

2009-07-31 Thread Michael Schuh
2009/7/31 Paul Mansfield :
> Curtis LaMasters wrote:
>>> This is a bottom post.
>> I actually find that to be annoying to read.  However, in the spirit
>
>
> this is why a forum is often best, as it basically forces
> bottom-posting, but people can read the replies backwards if they want.
>

Hi @all,

I believe the best statement of all is from Scott:

... these are the list rules ... (in essence)

It is like "Simon says", and there is Simon's Castle ;-)

But it seems to me that not all the list members know about these rules ;-)
We have many mature list members, from the times when these rules
were not spread to all members ... is this possible?

And now I think it should be clear. Or not?

Just what I see.

Greetings

michael
Hint: read Scott's (Simon's) rules




Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.

2009-07-30 Thread Michael Schuh
I think that top-posting is better or simpler.
Top-posting is more natural; everything in nature that is newer
is on the top ... this is what we see first.

On the other hand we are more trained to read from top to bottom;
the newest words in a message are at the bottom...
we write from top to bottom...

just my 20ct

greetings

michael

2009/7/30 Veiko Kukk :
> This is a good example, why bottom-posting sucks...
> Why do i need to scroll past all previous teks i read just few seconds ago,
> following that thread?
> If i need to read it, then i could scroll down, but rarely there is need for
> that.
>
> --
> Veiko
>
> iggd...@gmail.com wrote:
>>
>>
>> On Wed, Jul 29, 2009 at 1:33 PM, Curtis LaMasters wrote:
>>
>>    And I think the point is being missed.  WHY WAS MY MESSAGE VIEWED AS
>>    TOP POSTED.  Ok, I committed my internet crime of YELLING in caps for
>>    the day.  In Gmail, is there a proper way to not top post?
>>
>>    Curtis LaMasters
>>    http://www.curtis-lamasters.com
>>    http://www.builtnetworks.com
>>
>>
>>
>>    On Wed, Jul 29, 2009 at 12:28 PM, David Burgess wrote:
>>     > On Wed, Jul 29, 2009 at 11:25 AM, Curtis LaMasters wrote:
>>     >> Thanks Scott. I know what top posting is...I just don't know why
>> you
>>     >> think I did.  I hit reply, type my message and go forth.  Didn't
>>    think
>>     >> it needed to be any harder than that.
>>     >
>>     > It can be a lot harder than that. It's effectively illustrated in
>> the
>>     > links that Scott provided. A little effort in replying can save a
>> lot
>>     > of wasted effort in trying to bring oneself up to speed or refresh
>>     > one's memory on a long thread.
>>     >
>>     > db
>>     >
>>     >
>>
>> flick the scroll wheel to get to the bottom of the post basically.
>






Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Michael Schuh
2009/7/22 Nathan Eisenberg :
> I do feel that changing the port may not truly constitute an increase in 
> security.  It makes you less visible, perhaps.  But this particular firewall 
> is already subjected to port scans across the entire range, including 
> highports (it has some very high traffic web sites behind it), so the 
> alternate port would be detected relatively quickly anyways.
>
> Thank You,
> Nathan Eisenberg
> Sr. Systems Administrator
> Atlas Networks, LLC
>
>

In such cases I also use snort with oinkmaster rulesets;
it can also detect portscans and ban such IPs
for a while completely from your firewall and your net.
This also protects other services like ftp.
Our ftp service is also often getting compromised by crackers with
brute-force attacks...

regards

michael





Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Michael Schuh
2009/7/22 Jeppe Øland :
>>>>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
>>>>>> package like fail2ban out there which could automatically blacklist
>>>>>> IPs after x
>>>>> Request: It would be really nice if pfsense could limit the
>>>>> connection-rate *per IP*.
>>>> IIRC it is possible to set this per source-IP ;-)
>>> Maybe I missed an option then?
>>> How do you configure it?
>> This is configured through the Advanced options in each Filter-Rule.
>> Ich you set 5 Connection see attached picture ;-)
>
> The way I read these options are:
> * Simultaneous client connection limit
> The number of simultaneous connections each client can have.
> * Maximum new connections / per second
> Global maximum connection limits.

Also related per source IP, as far as I understand the lines in the
XML backup file correctly.
The pf filter itself supports it in this way, and I think pfSense uses
it in this way...
as you can see...
snip===8<=
 
pass
wan
5


keep state

5
60
tcp




mcip
22

limited ssh access to max 5 conn/host 5
conn/minute

=>8=snap=

> The first option will limit how many concurrent SSH sessions I can run from
> any one IP.
> The second option will limit how many connections can be attempted per
> interval.
> As far as I know, setting a client connection limit will *not* prevent the
> connection/time limit from killing you in case somebody starts hammering the
> server.

It does prevent that, because it's related to each source IP on its own... if I'm
right...

> Am I not reading these options right?
> (Some documentation would be nice too *G*)
>> Yes, only using SSH-Keys is an very good option, but not useful if you
>> are on the Way or you have your keys not by hand. ;-)
>
> Indeed everything is a compromise.
> Changing the port also has issues since some admins won't allow all ports
> outbound (of course they might not allow SSH out either).

:-D you could set it to an allowed common port, ok ok, this probably
brings other issues.
Using port 80 or 443 or 25 is not really nice.

> Regards,
> -Jeppe

regards

michael


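
Added example, not code from the thread or from pfSense itself: a small Python model of the per-source tracking that pf does for `max-src-conn` and `max-src-conn-rate` with an overload table, using the values from the rule quoted above (5 simultaneous connections, 5 new connections per 60 seconds per source host). The source addresses, timings and the overload duration are constructed for the demonstration; it shows that one hammering host trips the limit while other hosts keep their access.

```python
"""Per-source connection limiting, modelled on pf's max-src-conn /
max-src-conn-rate with an overload table.

Added example, not code from the mailing-list thread or from pfSense.
Source addresses, timings and the overload duration are constructed;
the limits mirror the rule quoted in the thread (5 simultaneous
connections, 5 new connections per 60 seconds, per source host).
"""
from collections import defaultdict, deque


class SourceLimiter:
    """Tracks new and open connections per source IP, like pf's source
    tracking, and puts offenders into an overload table for a while."""

    def __init__(self, max_src_conn=5, max_new=5, interval=60, overload_ttl=3600):
        self.max_src_conn = max_src_conn      # simultaneous conns per source
        self.max_new = max_new                # new conns per interval per source
        self.interval = interval              # seconds
        self.overload_ttl = overload_ttl      # how long an offender stays blocked
        self.new_conns = defaultdict(deque)   # src -> timestamps of new conns
        self.open_conns = defaultdict(int)    # src -> currently open conns
        self.overload = {}                    # src -> expiry time (overload table)

    def _expire(self, src, now):
        window = self.new_conns[src]
        while window and window[0] <= now - self.interval:
            window.popleft()
        if src in self.overload and self.overload[src] <= now:
            del self.overload[src]

    def new_connection(self, src, now):
        """Return 'pass' or the reason the new connection is dropped."""
        self._expire(src, now)
        if src in self.overload:
            return "blocked:overload"
        if self.open_conns[src] >= self.max_src_conn:
            return "blocked:max-src-conn"
        window = self.new_conns[src]
        window.append(now)
        if len(window) > self.max_new:
            # Rate exceeded: block this source only, and drop its existing
            # states (what pf does with "overload <table> flush global").
            self.overload[src] = now + self.overload_ttl
            self.open_conns[src] = 0
            return "blocked:max-src-conn-rate"
        self.open_conns[src] += 1
        return "pass"

    def close_connection(self, src):
        if self.open_conns[src] > 0:
            self.open_conns[src] -= 1


# Constructed events: (time in seconds, source, action).
# 10.0.0.99 hammers SSH every 2 s and drops each attempt after 1 s;
# 192.0.2.10 is an admin logging in twice; 198.51.100.7 opens sessions
# slowly (every 30 s, below the rate limit) but never closes them.
EVENTS = sorted(
    [(t, "10.0.0.99", "open") for t in range(0, 20, 2)]
    + [(t + 1, "10.0.0.99", "close") for t in range(0, 20, 2)]
    + [(5, "192.0.2.10", "open"), (30, "192.0.2.10", "open")]
    + [(t, "198.51.100.7", "open") for t in range(100, 251, 30)]
)


def simulate(events, **limits):
    """Run events through a SourceLimiter; return the verdict of every
    'open' event keyed by (time, source), plus the limiter itself."""
    lim = SourceLimiter(**limits)
    verdicts = {}
    for t, src, action in events:
        if action == "open":
            verdicts[(t, src)] = lim.new_connection(src, t)
        else:
            lim.close_connection(src)
    return verdicts, lim


if __name__ == "__main__":
    verdicts, lim = simulate(EVENTS)
    for (t, src), verdict in sorted(verdicts.items()):
        print(f"t={t:4d} {src:15s} {verdict}")
    print("overload table:", sorted(lim.overload))
```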



Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Michael Schuh
2009/7/21 Jeppe Øland :
>>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
>>>> package
>>>> like fail2ban out there which could automatically blacklist IPs after x
>>> Request: It would be really nice if pfsense could limit the
>>> connection-rate
>>> *per IP*.
>> IIRC it is possible to set this per source-IP ;-)
>
> Maybe I missed an option then?
> How do you configure it?

This is configured through the Advanced options in each filter rule.
If you set 5 connections, see the attached picture ;-)

>> Why leave you ssh service exposed to the world?   Lock it down to a range
>> of ip's
>> (or subnet of your isp), or if you don't have static ip's try setting up
>> openvpn
>> IMO its best to expose as little as possible.
>
> Sometimes you have to expose it.
> I can't install OpenVPN on all PCs that I might need access to servers from,
> and on mergency cellphone access to the servers it just might not be
> possible.
> Best compromise I've found so far has been to require certificates to log in
> to the SSH server.
> Hammering doesn't stop, but the risk of compromising the server is massively
> reduced.
> And with lockdown after X connection attempts in Y seconds, the risk is all
> but gone.
> (For the vast majority of servers at least ... maybe not if you run a bank
> or some such)
> Regards,
> -Jeppe

Yes, only using SSH keys is a very good option, but not useful if you
are on the way
or you don't have your keys at hand. ;-)


regards

michael



Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Michael Schuh
2009/7/21 Jeppe Øland :
>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a package
>>> like fail2ban out there which could automatically blacklist IPs after x
>>> bad
>>> logins?
>> b) limit the connection-rate to a preferred useful value in the
>> filter-rules
>
> This works reasonably well.
> Unfortunately, the entire rule gets locked down when the rate is exceeded,
> so you may lock yourself out too. (It automatically unlocks when the
> hammering stops and your rate interval expires, and most hammer scripts move
> on to a new IP when it stops responding, so it's not the end of the world).
> Request: It would be really nice if pfsense could limit the connection-rate
> *per IP*.
> Regards,
> -Jeppe

IIRC it is possible to set this per source-IP ;-)





Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-20 Thread Michael Schuh
2009/7/21 Michael Schuh :
> 2009/7/21 Nathan Eisenberg :
>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a package
>> like fail2ban out there which could automatically blacklist IPs after x bad
>> logins?
>>
>>
>>
>> Best Regards
>>
>> Nathan Eisenberg
>>
>> Sr. Systems Administrator
>>
>> Atlas Networks, LLC
>>
>> supp...@atlasnetworks.us
>>
>> http://support.atlasnetworks.us/portal
>>
>>
> Hello Nathan,
>
> a simple solution w/o an extra pakage is
> a) change the ssh-port to something other like 666
> b) limit the connection-rate to a preferred useful value in the filter-rules
> c) both a) and b)
Forgotten, sorry:
d) the pf filter supports the blacklist feature you wish for, but I'm not
sure if pfSense also supports this functionality?

>
> regards
>
> michael
>






Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-20 Thread Michael Schuh
2009/7/21 Nathan Eisenberg :
> Some of my pfsense boxes get a lot of SSH bruteforces; is there a package
> like fail2ban out there which could automatically blacklist IPs after x bad
> logins?
>
>
>
> Best Regards
>
> Nathan Eisenberg
>
> Sr. Systems Administrator
>
> Atlas Networks, LLC
>
> supp...@atlasnetworks.us
>
> http://support.atlasnetworks.us/portal
>
>
Hello Nathan,

a simple solution w/o an extra package is
a) change the ssh-port to something other like 666
b) limit the connection-rate to a preferred useful value in the filter-rules
c) both a) and b)

regards

michael



Re: [pfSense Support] openVPN to OPT1 interface

2009-06-30 Thread Michael Schuh
2009/6/30 Curtis Maurand :
> [snip]
>
> yes, exactly this way,
> 2 identical tunnels with different local/remote subnets...
> Other settings are identical
>
>
> a really important thing is, that the remote nets are different from
> the local nets.
> otherwise you get routing problems
>
>
> Why do I need parallel tunnels when all I need is one?  I need a tunnel from
> 10.201.17.0/28 --> 66.241.41.0/24.  That's it.  Its a Cisco at the other
> end.  The 10.0.1.0/24 is the general LAN and only needs to get out to the
> internet.  That works fine and has been for over a month.  Worse, I'm not
> even talking about the VPN, yet.  I can't even communicate with the OPT1
> interface reliably.  The tunnel is not the problem.  When I go to the webgui
> and ping machines on the subnet at the other end of the tunnel sourcing it
> to the OPT1 interface, the tunnel comes up in a split second and it passes
> traffic quite well with minimal latencies.
>
> Curtis
>
>
>

you need only 2 tunnels for passing 2 subnets from one side to the other





Re: [pfSense Support] openVPN to OPT1 interface

2009-06-30 Thread Michael Schuh
2009/6/30 Michael Schuh :
> 2009/6/30 Scott Ullrich :
>> On Tue, Jun 30, 2009 at 11:46 AM, Curtis Maurand wrote:
>>> It works OK in 1.2.X.   It works even better in 2.0.
>>
>> It really does work in 1.2.X using parallel tunnels.
>>
>> Scott
>>
>
> yes, exactly this way,
> 2 identical tunnels with different local/remote subnets...
> Other settings are identical
A really important thing is that the remote nets are different from
the local nets,
otherwise you get routing problems.



Re: [pfSense Support] openVPN to OPT1 interface

2009-06-30 Thread Michael Schuh
2009/6/30 Scott Ullrich :
> On Tue, Jun 30, 2009 at 11:46 AM, Curtis Maurand wrote:
>> It works OK in 1.2.X.   It works even better in 2.0.
>
> It really does work in 1.2.X using parallel tunnels.
>
> Scott
>

yes, exactly this way,
2 identical tunnels with different local/remote subnets...
Other settings are identical





Re: [pfSense Support] openVPN to OPT1 interface

2009-06-30 Thread Michael Schuh
2009/6/30 Curtis Maurand :
>
> Interesting.  I had wished I could make that scenario work w/ipsec. Alas, no
> joy.  I had to set up a vyatta to do it and it worked flawlessly out of the
> box.  I didn't need a third NIC port to do it, either.  My thinking is that
> BSD doesn't handle virtual interfaces very well.  *sigh*  I like pfsense
> better, otherwise.
>
> Curtis
>
>
> jose thomas wrote:
>
> Thank you Scott, it solves my problem with routing.
>
> Thanks again for your time
> -Jose
>
> On Sat, Jun 27, 2009 at 10:14 PM, Scott Ullrich  wrote:
>>
>> On Sat, Jun 27, 2009 at 6:22 AM, jose thomas wrote:
>> > Hi there,
>> >
>> > In our data center, we have two pfSense 1.2.2 boxes with two subnets
>> > behind the NAT. The OPT1 interfaces are being used for the
>> > inter-communication between the two LAN subnets owned by the two
>> > pfSense boxes. We have configured OpenVPN for the two WAN interfaces.
>> >
>> > The problem is that when anybody from outside connects to one of the
>> > pfSense boxes through OpenVPN, they are not able to access the other
>> > subnet, which is under the other pfSense box connected through the
>> > OPT1 interfaces in between.
>> >
>> > How can I add a specific rule set (or any other config change) to
>> > instruct that the other subnet's address destinations coming from
>> > OpenVPN clients have to pass through the OPT1 interface instead of the
>> > LAN interface of pfSense? Or, in other words, how do I add one more
>> > network and gateway to the OpenVPN connection?
>> >
>> > I ran out of ideas how to solve this. Really appreciate any help in
>> > this regard
>>
>> If memory serves me correctly you need to tell openvpn to push the
>> routes.   Google openvpn push routes.
>>
>> Scott
>>
>
>
>
>
>
>

I have configured 2 IPSEC-VPN-Tunnels between 2 Boxes for such a scenario.
Works like a charm.

michael





Re: [pfSense Support] Re: Multi IP WAN with NAT

2009-06-09 Thread Michael Schuh
Hello,

sorry, my error, I overlooked the "IP" in the subject.

You could use a second IP, called a virtual IP,
for the WAN interface. Then you could make port forwarding and NAT
for the second IP.

You do not need a second interface for this.


greetings

michael

2009/6/9 Rolf Kutz 

> Hello,
>
> On 09/06/09 18:37 +0200, Michael Schuh wrote:
>
>> probably this
>> http://forums.techwatch.com.au/viewtopic.php?t=4802
>>
>
> thanks, but this is for multiple upstreams, but I
> have only one upstream with mutiple IPs (/29
> subnet). So both outside IPs are on the same
> Interface.
>
> regards, Rolf
>




Re: [pfSense Support] Re: Multi IP WAN with NAT

2009-06-09 Thread Michael Schuh
Hello,

this is not Multi-WAN, this is WAN with more than one IP
or WAN with a CARP IP.

What would you like to have as a solution or endpoint?

2 NICs on the WAN port as a security option for a NIC defect?
Or simply incoming port forwarding on a different IP?

regards

michael

2009/6/9 Rolf Kutz 

> Hello,
>
> On 09/06/09 18:37 +0200, Michael Schuh wrote:
>
>> probably this
>> http://forums.techwatch.com.au/viewtopic.php?t=4802
>>
>
> thanks, but this is for multiple upstreams, but I
> have only one upstream with mutiple IPs (/29
> subnet). So both outside IPs are on the same
> Interface.
>
> regards, Rolf
>




Re: [pfSense Support] Multi IP WAN with NAT

2009-06-09 Thread Michael Schuh
Hello,

probably this
http://forums.techwatch.com.au/viewtopic.php?t=4802


greetings

michael

2009/6/9 Rolf Kutz 

> Hello,
>
> I have a /29 subnet at my WAN. I would like to NAT
> two IPs to different hosts with private IP
> addresses on my OPT Interface. I followed this
> advice using parp:
>
> http://www.mail-archive.com/support@pfsense.com/msg08354.html
>
> The portforwarding of the interface-IP is working,
> the other not. Surfing from the LAN-Network is
> also working. What did I miss?
>
> regards, Rolf
>
>




Re: [pfSense Support] MSFTP Server - forward problem

2009-05-18 Thread Michael Schuh
Hi Carlos,

look in the mailing list archive; this question was answered many times.
You have to open and redirect the high ports from outside.

greetings

michael

2009/5/18 Carlos Anderson Jardim 

> Hi All,
>
> I have an FTP server on a local network, and set up pfSense to route
> the external port 21 to port 21 on the FTP server inside.
>
> Used as an example the tips of the wiki, but still got error on access.
>
> My structure is:
>
> 192.168.0.1 (21) - Micro$oft FTP Server
> PFSense Forward 21 to 192.168.0.1 - disable FTP Helper (not checked)
>
> What more can I do to make the FTP work?
>
> Thanks!!
>
> Carlos Jardim
>
>
>
>




Re: [pfSense Support] Filtering by URL or regexp

2009-03-31 Thread Michael Schuh
look at squid,
ACL rules for example.
you can also generate lists to load into squid
for deny or allow...


2009/3/31 luismi 

> Is it possible to create rules to match URLs or regular expressions?
> I would like to provide access just to *.foobar.com but I don't know the
> IPs used for that domain :-/
>
>
>




Re: [pfSense Support] Recommended pfSense Hardware ( UK ~£100) ?

2009-02-13 Thread Michael Schuh
:-D
don't forget:
Via-Chipsets (for some people very ugly)
Realtek NICS (in most cases)

cheers
michael

2009/2/13 Rainer Duffner 

> Michael Schuh schrieb:
> > Cool we learn every day. :-D
> >
> >
> >
>
> The Alix can do what? Close to 50 MBps, IIRC.
>
> So, for 5 Mbps, a used WRAP could do as well.
> I've got 5000/500 here and the WRAP was never the problem.
> I swapped it out for an Alix, though.
>
> Too bad that the pound lost so much, or you could get two used WRAPs for
> that amount of money ;-)
>
>
> cheers,
> Rainer
>
>




Re: [pfSense Support] Recommended pfSense Hardware ( UK ~£100) ?

2009-02-13 Thread Michael Schuh
Cool we learn every day. :-D


2009/2/13 Eugen Leitl 

> On Fri, Feb 13, 2009 at 11:37:46AM +, Gavin Spurgeon wrote:
> > Hi Michael,
> >
> > >can you be a little bit more specific?
> > >How many NICs, how much traffic?
> >
> > 2 NICs minimum @ 10/100 minimum
> > This box will be the firewall on a 5Mbps CDR Ethernet connection in
> > a Data Centre in London... current average throughput is only ~1.3Mbps
> >
> > >What extensions/packages would you install?
> >
> > Only extension would probably be the traffic graphing for all network
> > hosts.
>
> I would go with ALIX.
>
>




Re: [pfSense Support] Recommended pfSense Hardware ( UK ~£100) ?

2009-02-13 Thread Michael Schuh
Hi Gavin,

I have forgotten to speak about the factors
price vs. importance of the required system.

If the required system and the connection through this device
are important, how important are they?
How much money do you lose if the device (connection) is dead?
In this case, is a low-end box really cheap? Or does it make more sense (huh,
pf-sense)
to spend £200 or £300 more for good, reliable, stable hardware?

another point of view

regards

michael

2009/2/13 Michael Schuh 

> Hi Gavin,
>
> hmmm, I see no other chance to get this price with these features
> than to take the cheapest PC with an Athlon/Intel CPU and put 2 or 3 Intel NICs
> on it.
> Or take used hardware... any old PC should do this job
> well with enough memory. (except 8086/80286/80386/80486 *grin*)
>
> Embedded PCs are more expensive:
> http://www.tl-electronic.com/en/industrie-pc/embedded-pc_embeddedline.html
> for example,
> or the Soekris (on the pfSense homepage you can find links for such HW)
>
>
> just my 20ct
>
> hope it helps
>
> cheers
>
> michael
>
> 2009/2/13 Gavin Spurgeon 
>
>> Hi Michael,
>>
>>
>>  can you be a little bit more specific?
>>> How many NICs, how much traffic?
>>>
>>
>> 2 NICs minimum @ 10/100 minimum
>> This box will be the firewall on a 5Mbps CDR Ethernet connection in
>> a Data Centre in London... current average throughput is only ~1.3Mbps
>>
>>  What extensions/packages would you install?
>>>
>>
>> Only extension would probably be the traffic graphing for all network
>> hosts.
>>
>>
>
>





Re: [pfSense Support] Recommended pfSense Hardware ( UK ~£100) ?

2009-02-13 Thread Michael Schuh
Hi Gavin,

hmmm, I see no other chance to get this price with these features
than to take the cheapest PC with an Athlon/Intel CPU and put 2 or 3 Intel NICs
on it.
Or take used hardware... any old PC should do this job
well with enough memory. (except 8086/80286/80386/80486 *grin*)

Embedded PCs are more expensive:
http://www.tl-electronic.com/en/industrie-pc/embedded-pc_embeddedline.html
for example,
or the Soekris (on the pfSense homepage you can find links for such HW)


just my 20ct

hope it helps

cheers

michael

2009/2/13 Gavin Spurgeon 

> Hi Michael,
>
>  can you be a little bit more specific?
> >> How many NICs, how much traffic?
>>
>
> 2 NICs minimum @ 10/100 minimum
> This box will be the firewall on a 5Mbps CDR Ethernet connection in
> a Data Centre in London... current average throughput is only ~1.3Mbps
>
>  What extensions/packages would you install?
>>
>
> Only extension would probably be the traffic graphing for all network
> hosts.
>
>




Re: [pfSense Support] Recommended pfSense Hardware ( UK ~£100) ?

2009-02-13 Thread Michael Schuh
Hi Gavin,

can you be a little bit more specific?
How many NICs, how much traffic?

What extensions/packages would you install?

cheers

michael

2009/2/13 Gavin Spurgeon 

>
> Hi List,
>
> Quick Question...
>
> As the subject says, I'm looking for any hardware suggestions in the
> UK that are around the £100 mark...
>
> The unit does not need to be the biggest, most powerful (CPU wise) thing
> in the world, but I would like it to be as low power (electricity wise)
> as possible...
>
> Any suggestions on or off list welcome...
>
> Thank You...
>
>




Re: [pfSense Support] ftp server(s), behind pfsense 1.2.3

2009-02-02 Thread Michael Schuh
Hi Michel,

we had the same discussion last month...

open the high ports for connecting back from the client to the
ftp-server.
for more information look at the mailing list from last month.
read the manpages of the ftp-server for the required ports...

greetings

michael

2009/2/2 Michel Servaes 

>  Hi,
>
> I'm having some troubles with our default ftp-server behind pfsense.
> It is capable of doing passive ftp, and I gave it the WAN ip address to be
> connected, but I cannot connect to it with every site I go to... most of the
> time, I have "ls" problems, data connected, and then it sits there waiting.
> I've played a bit with the ftp helper at both sides (WAN and LAN), but
> still no solid ftp connection at every site...
>
> The sites I visited are using different brands of firewalls/routers, and
> when opening the ports at their side, it goes right through (which makes me
> suspect the client side is trying to run in active mode only, however I am a
> bit puzzled, since all sites are behind a NAT router, and some of them just
> work fine).
>
> Can it be that some firewalls and/or routers are smart enough to make
> Active FTP work, hence they are behind this router?
>
>
>
> I also tried to add FreeNAS as an FTP server, but I am experiencing the
> same problem.
>
>
> Mind you, that I have setup our ftp-servers in my NAT as well, behind the
> pfsense box... which brings me to my next questions :
>
>
> - Can I have 2 ftp servers, assuming that I have a range of WAN IPs (not
> sufficient to give every workstation a 1:1 relation !!)
> - Should I put my ftp servers in a DMZ zone, and if so, should I add
> another firewall to my FreeNAS (or use the firewall solution FreeNAS is
> offering these days ?)
> - If our application is truly expecting an Active FTP (instead of passive)
> can I prove this using the state-table of pfsense ?
>
>
> Kind regards,
> Michel Servaes
>
>






Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-21 Thread Michael Schuh
:-D

my pleasure :-D

Have fun

2009/1/21 Fuchs, Martin 

> :-)
>
> For the usernames and passwords, there are no users, it's just me to
> configure the accounts so I hope it's a bit more secure ;-) thanks a lot for
> your help...
>
> -Original Message-
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, 20 January 2009 01:18
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> :-D
> > Any objections against active FTP data ?
> No. Not really (I think so); ftp protocol is ftp protocol regardless
> of the used ports.
>
> But objections against some ftp server software *grin*
> like proftpd or some others with sporadic but serious bugs.
> Always keep an open eye on bug lists and security CERTs ...
>
> In my own experience, most servers get defaced
> through a buggy ftp server; it is the first target for hackers,
> because many ftp servers allow anonymous ftp login or have
> weak user accounts or passwords. This in combination with a
> buggy ftp server is really dangerous.
>
> But this is maybe off topic for this list.
>
> 2009/1/20 Fuchs, Martin :
> > Hi !
> >
> > I opened up port 20 for active FTP data from the DMZ now and the upper
> ports defined in the server for passive FTP data from WAN to DMZ...
> >
> > It works...
> >
> > Any objections against active FTP data ?
> >
> > Regards,
> >
> > martin
> >
> > -Original Message-
> > From: Michael Schuh [mailto:michael.sc...@gmail.com]
> > Sent: Tuesday, 20 January 2009 00:41
> > To: support@pfsense.com
> > Subject: Re: [pfSense Support] FTP Server in Routed DMZ
> >
> > Hmm,
> > hi Martin,
> >
> > I have made such a config, and I have realized for myself that
> > I have 2 options:
> > a) ftp-server w/ ftp-proxy on WAN; IIRC this needs a special setup in the
> > XML config.
> > The result is also that I can't use the ftp-proxy on the LAN interface.
> > I am not 100% sure, but I believe I remember that the activation of the
> > ftp-proxy on WAN
> > is not possible from the browser user interface.
> >
> > b) open the ftp high-range ports from WAN to the ftp-server, and you can use
> > the ftp-proxy for users
> > from LAN if you like to do so.
> >
> > I have used option b) because it is no security risk if no other
> > services listen on such a port
> > on the ftp-server system; the port on the ftp-server's system is only
> > opened if
> > an ftp user makes a transfer. This behaviour underlies the
> > ftp protocol's feature of
> > PASV switching, in other words active or passive ftp transfer. This is
> > handled by the ftp protocol
> > between the server and each individual client.
> > With option b) you are on the secure side: every user (whether experienced
> > or not)
> > can make transfers from and to the ftp-server, regardless of
> > transfer mode.
> > Works all the time.
> >
> > Special attention is only needed if another service listens on the ports
> > that you must open for the ftp-server (in almost all cases this is not so).
> >
> > cheers
> >
> > michael
> >
> > 2009/1/20 Fuchs, Martin :
> >> No problem ;-)
> >>
> >> That's the answer I expected...
> >>
> >> So there is really no way to accomplish this with some kind of
> FTP-helper used in pfSense to open up just a few ports... ?
> >> I really need the whole portrange for FTP to be opened as defined in the
> FTP-server ?
> >>
> >> Thanks so far for your help ;-)
> >>
> >> Regards,
> >>
> >> martin
> >>
> >> -Original Message-
> >> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> >> Sent: Tuesday, 20 January 2009 00:27
> >> To: support@pfsense.com
> >> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
> >>
> >> Hi,
> >>
> >> in my possible solution NO, because you use the ftp-server w/o
> >> proxy. Communication goes directly to your ftp-server.
> >> Please check also the port ranges of your ftp-server
> >> if it is not an OpenFTPD (used by FreeBSD/OpenBSD). They can differ
> >> from the ports that I have described. (sorry, I have forgotten to say
> >> that my tips are related to this ftpd).
> >>
> >> The proxy is needed for the users in your holy internal LAN.
> >>
> >> 2009/1/20 Fuchs, Martin :
> >>> Should the FTP-helper service be activated or deactivated on the
> WAN-Inte

Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Michael Schuh
:-D
> Any objections against active FTP data ?
No. Not really (I think so); ftp protocol is ftp protocol regardless
of the used ports.

But objections against some ftp server software *grin*
like proftpd or some others with sporadic but serious bugs.
Always keep an open eye on bug lists and security CERTs ...

In my own experience, most servers get defaced
through a buggy ftp server; it is the first target for hackers,
because many ftp servers allow anonymous ftp login or have
weak user accounts or passwords. This in combination with a
buggy ftp server is really dangerous.

But this is maybe off topic for this list.

2009/1/20 Fuchs, Martin :
> Hi !
>
> I opened up port 20 for active FTP data from the DMZ now and the upper ports 
> defined in the server for passive FTP data from WAN to DMZ...
>
> It works...
>
> Any objections against active FTP data ?
>
> Regards,
>
> martin
>
> -----Original Message-
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, 20 January 2009 00:41
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> Hmm,
> hi Martin,
>
> I have made such a config, and I have realized for myself that
> I have 2 options:
> a) ftp-server w/ ftp-proxy on WAN; IIRC this needs a special setup in the XML config.
> The result is also that I can't use the ftp-proxy on the LAN interface.
> I am not 100% sure, but I believe I remember that the activation of the
> ftp-proxy on WAN
> is not possible from the browser user interface.
>
> b) open the ftp high-range ports from WAN to the ftp-server, and you can use
> the ftp-proxy for users
> from LAN if you like to do so.
>
> I have used option b) because it is no security risk if no other
> services listen on such a port
> on the ftp-server system; the port on the ftp-server's system is only opened if
> an ftp user makes a transfer. This behaviour underlies the
> ftp protocol's feature of
> PASV switching, in other words active or passive ftp transfer. This is
> handled by the ftp protocol
> between the server and each individual client.
> With option b) you are on the secure side: every user (whether experienced
> or not)
> can make transfers from and to the ftp-server, regardless of transfer mode.
> Works all the time.
>
> Special attention is only needed if another service listens on the ports
> that you must open for the ftp-server (in almost all cases this is not so).
>
> cheers
>
> michael
>
> 2009/1/20 Fuchs, Martin :
>> No problem ;-)
>>
>> That's the answer I expected...
>>
>> So there is really no way to accomplish this with some kind of FTP-helper 
>> used in pfSense to open up just a few ports... ?
>> I really need the whole portrange for FTP to be opened as defined in the 
>> FTP-server ?
>>
>> Thanks so far for your help ;-)
>>
>> Regards,
>>
>> martin
>>
>> -Original Message-
>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>> Sent: Tuesday, 20 January 2009 00:27
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>
>> Hi,
>>
>> in my possible solution NO, because you use the ftp-server w/o
>> proxy. Communication goes directly to your ftp-server.
>> Please check also the port ranges of your ftp-server
>> if it is not an OpenFTPD (used by FreeBSD/OpenBSD). They can differ
>> from the ports that I have described. (sorry, I have forgotten to say
>> that my tips are related to this ftpd).
>>
>> The proxy is needed for the users in your holy internal LAN.
>>
>> 2009/1/20 Fuchs, Martin :
>>> Should the FTP-helper service be activated or deactivated on the 
>>> WAN-Interface ?
>>>
>>> -Original Message-
>>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>>> Sent: Tuesday, 20 January 2009 00:14
>>> To: support@pfsense.com
>>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>>
>>> Hi,
>>>
>>> solution:
>>> Open the ports described in man 4 ip under IP_PORTRANGE_HIGH
>>> (referenced by man ftp-proxy), or look them up in sysctl net.inet.ip.portrange,
>>> like:
>>> net.inet.ip.portrange.hilast: 65535
>>> net.inet.ip.portrange.hifirst: 49152
>>> net.inet.ip.portrange.last: 65535
>>> net.inet.ip.portrange.first: 49152
>>>
>>> from WAN to your FTP server and all will be fine.
>>>
>>> regards
>>>
>>> michael.
>>>
>>>
>>>
>>> 2009/1/20 Fuchs, Martin :
>>>> Hi !
>>>>
>>>> I have set 

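To make the port-range advice in this thread concrete, here is an added example (not code from the list or from pfSense): it parses the sysctl output quoted above, builds the WAN-to-server pass rules of option b) plus the DMZ rule for active-mode port 20, and decides from a server's 227 PASV reply or a client's PORT command whether the data connection would pass. The FTP server address 198.51.100.10, the client address 203.0.113.5 and the replies are constructed sample values.

```python
"""Check which FTP data connections a firewall rule set would pass.

Added example for the thread above, not code from the list or from pfSense: option b)
passes TCP from WAN to the FTP server on port 21 plus the high port range quoted above
(net.inet.ip.portrange.hifirst..hilast = 49152-65535); active mode needs port 20 out of DMZ.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# The sysctl output quoted in the thread (FreeBSD defaults), embedded as sample input.
SYSCTL_PORTRANGE = """\
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
"""

# Hypothetical FTP server address in the DMZ (documentation range, not from the thread).
FTP_SERVER = "198.51.100.10"

_SIX_NUMS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"^227\b.*?\(" + _SIX_NUMS + r"\)")  # server reply, passive mode
_PORT_RE = re.compile(r"^PORT " + _SIX_NUMS + r"\s*$")      # client command, active mode

@dataclass(frozen=True)
class Rule:
    """One stateful 'pass in' rule: TCP arriving on src_if, going to dst_host:ports."""
    src_if: str
    dst_host: str                   # "any" matches every destination host
    port_lo: int
    port_hi: int
    src_port: Optional[int] = None  # None = any source port

    def matches(self, src_if: str, src_port: int, dst_host: str, dst_port: int) -> bool:
        return (self.src_if == src_if
                and self.dst_host in ("any", dst_host)
                and self.src_port in (None, src_port)
                and self.port_lo <= dst_port <= self.port_hi)

def parse_portrange(sysctl_output: str) -> Tuple[int, int]:
    """Return (hifirst, hilast) from `sysctl net.inet.ip.portrange` output."""
    values = {}
    for line in sysctl_output.splitlines():
        key, sep, val = line.partition(":")
        key = key.strip()
        if sep and key.startswith("net.inet.ip.portrange."):
            values[key.rsplit(".", 1)[1]] = int(val)
    return values["hifirst"], values["hilast"]

def _host_port(groups: Sequence[str]) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PASV replies and PORT commands."""
    nums = [int(g) for g in groups]
    if max(nums) > 255:
        raise ValueError("octet out of range: %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Host and port the server advertises in its 227 reply (the client connects there)."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    return _host_port(m.groups())

def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Host and port the client advertises in PORT (the server connects there from port 20)."""
    m = _PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _host_port(m.groups())

def ftp_server_rules(server: str, hifirst: int, hilast: int) -> List[Rule]:
    """Option b) from the thread: control channel plus the passive high range, WAN -> server."""
    return [Rule("wan", server, 21, 21), Rule("wan", server, hifirst, hilast)]

def active_data_rule() -> Rule:
    """Active mode: the server opens the data connection from port 20 out of the DMZ."""
    return Rule("dmz", "any", 1, 65535, src_port=20)

def passive_data_allowed(rules: Sequence[Rule], reply: str, client_port: int = 50000) -> bool:
    """Would the client's connection to the advertised PASV port pass the WAN rules?"""
    host, port = parse_pasv(reply)
    return any(r.matches("wan", client_port, host, port) for r in rules)

def active_data_allowed(rules: Sequence[Rule], port_cmd: str) -> bool:
    """Would the server's connection back to the PORT address pass the DMZ rules?"""
    host, port = parse_port_command(port_cmd)
    return any(r.matches("dmz", 20, host, port) for r in rules)

if __name__ == "__main__":
    rules = ftp_server_rules(FTP_SERVER, *parse_portrange(SYSCTL_PORTRANGE))
    # Constructed replies: a port inside the OS high range passes; a server configured
    # with its own passive range (port 10000 here) is blocked, and "ls" then hangs.
    for reply in ("227 Entering Passive Mode (198,51,100,10,200,10)",
                  "227 Entering Passive Mode (198,51,100,10,39,16)"):
        print(reply, "->", "pass" if passive_data_allowed(rules, reply) else "blocked")
```

The second PASV reply is the case Michael warns about: a daemon with its own passive range outside net.inet.ip.portrange gets its control channel through but its data port dropped.
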
Re: [pfSense Support] installing pfSense via pxeboot and nfs

2009-01-19 Thread Michael Schuh
HI,

is it possible that you have not installed the bootloader to the MBR?
I do not know if boot0cfg is included in the pfSense distribution,
but here is a link to the man page:
http://www.freebsd.org/cgi/man.cgi?query=boot0cfg&apropos=0&sektion=0&manpath=FreeBSD+7.1-RELEASE&format=html

good luck

michael

2009/1/20 Stefan Lambrev :
> Greetings,
> I'm trying to install pfSense embedded using only network and serial console
> on soekris net5501.
> I'm following the steps from this document
> - http://devwiki.pfsense.org/wikka.php?wakka=NetBootSoekrisEmbedded
> Unfortunately I'm unable to finish the installation because the boot process
> stops at:
> Trying to mount root from nfs:10.1.1.1:/usr/local/tftpboot/4801-60
> vr0: link state changed to UP
> NFS ROOT: 10.1.1.1:/usr/local/tftpboot/4801-60/
> I also tried with the iso/livecd but with it I cannot even see the kernel
> booting (dmesg) nor the welcome menu.
> Is it possible at all to install pfSense using pxeboot, tftp and nfs over
> serial console?
> --
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177
>
>
>
>
>






Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Michael Schuh
Hmm,
hi Martin,

I have made such a config, and I have realized for myself that
I have 2 options:
a) ftp-server w/ ftp-proxy on WAN; IIRC this needs a special setup in the XML config.
The result is also that I can't use the ftp-proxy on the LAN interface.
I am not 100% sure, but I believe I remember that the activation of the
ftp-proxy on WAN
is not possible from the browser user interface.

b) open the ftp high-range ports from WAN to the ftp-server, and you can use
the ftp-proxy for users
from LAN if you like to do so.

I have used option b) because it is no security risk if no other
services listen on such a port
on the ftp-server system; the port on the ftp-server's system is only opened if
an ftp user makes a transfer. This behaviour underlies the
ftp protocol's feature of
PASV switching, in other words active or passive ftp transfer. This is
handled by the ftp protocol
between the server and each individual client.
With option b) you are on the secure side: every user (whether experienced
or not)
can make transfers from and to the ftp-server, regardless of transfer mode.
Works all the time.

Special attention is only needed if another service listens on the ports
that you must open for the ftp-server (in almost all cases this is not so).

cheers

michael

2009/1/20 Fuchs, Martin :
> No problem ;-)
>
> That's the answer I expected...
>
> So there is really no way to accomplish this with some kind of FTP-helper 
> used in pfSense to open up just a few ports... ?
> I really need the whole portrange for FTP to be opened as defined in the 
> FTP-server ?
>
> Thanks so far for your help ;-)
>
> Regards,
>
> martin
>
> -Original Message-
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, 20 January 2009 00:27
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> Hi,
>
> in my possible solution NO, because you use the ftp-server w/o
> proxy. Communication goes directly to your ftp-server.
> Please also check the port ranges of your ftp-server
> if it is not an OpenFTPD (used by FreeBSD/OpenBSD). They can differ
> from the ports that I have described. (Sorry, I have forgotten to say
> that my tips are related to this ftpd.)
>
> The proxy is needed for the users in your holy internal LAN.
>
> 2009/1/20 Fuchs, Martin :
>> Should the FTP-helper service be activated or deactivated on the 
>> WAN-Interface ?
>>
>> -Original Message-
>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>> Sent: Tuesday, 20 January 2009 00:14
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>
>> Hi,
>>
>> solution:
>> Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
>> referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
>> like:
>> net.inet.ip.portrange.hilast: 65535
>> net.inet.ip.portrange.hifirst: 49152
>> net.inet.ip.portrange.last: 65535
>> net.inet.ip.portrange.first: 49152
>>
>> from WAN to your FTP server and all gets fine.
>>
>> regards
>>
>> michael.
>>
>>
>>
>> 2009/1/20 Fuchs, Martin :
>>> Hi !
>>>
>>> I have set up an FTP server in my DMZ with an official IP address.
>>> From WAN -> DMZ the IPs are routed (no NAT).
>>> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer 
>>> any files.
>>> It seems to require some more ports, so I thought the FTP-helper on the 
>>> WAN-side could be helpful, but this also does not work...
>>>
>>> Does anyone have any idea how to set this up without opening this ton of 
>>> ports FTP requires ?
>>>
>>> I know FTP is not the preferred way, but we need this :-(
>>>
>>> I'd be thankful for every hint...
>>>
>>> Active FTP is not really an option because most FTP-clients live behind NAT 
>>> devices so there's the problem of the data-connection again...
>>>
>>> Regards,
>>>
>>> Martin
>>>
>>>
>>>
>>
>>
>>

Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Michael Schuh
Hi,

in my possible solution NO, because you use the ftp-server w/o
proxy. Communication goes directly to your ftp-server.
Please also check the port ranges of your ftp-server
if it is not an OpenFTPD (used by FreeBSD/OpenBSD). They can differ
from the ports that I have described. (Sorry, I have forgotten to say
that my tips are related to this ftpd.)

The proxy is needed for the users in your holy internal LAN.

2009/1/20 Fuchs, Martin :
> Should the FTP-helper service be activated or deactivated on the 
> WAN-Interface ?
>
> -Original Message-
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, 20 January 2009 00:14
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> Hi,
>
> solution:
> Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
> referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
> like:
> net.inet.ip.portrange.hilast: 65535
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.last: 65535
> net.inet.ip.portrange.first: 49152
>
> from WAN to your FTP server and all gets fine.
>
> regards
>
> michael.
>
>
>
> 2009/1/20 Fuchs, Martin :
>> Hi !
>>
>> I have set up an FTP server in my DMZ with an official IP address.
>> From WAN -> DMZ the IPs are routed (no NAT).
>> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer 
>> any files.
>> It seems to require some more ports, so I thought the FTP-helper on the 
>> WAN-side could be helpful, but this also does not work...
>>
>> Does anyone have any idea how to set this up without opening this ton of 
>> ports FTP requires ?
>>
>> I know FTP is not the preferred way, but we need this :-(
>>
>> I'd be thankful for every hint...
>>
>> Active FTP is not really an option because most FTP-clients live behind NAT 
>> devices so there's the problem of the data-connection again...
>>
>> Regards,
>>
>> Martin
>>
>>
>>
>
>
>
>






Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Michael Schuh
Hi,

solution:
Open the ports described in man 4 ip under IP_PORTRANGE_HIGH
(referenced by man ftp-proxy), or look them up in sysctl net.inet.ip.portrange,
like:
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152

from WAN to your FTP server and everything will be fine.

regards

michael.



2009/1/20 Fuchs, Martin :
> Hi !
>
> I have set up an FTP server in my DMZ with an official IP address.
> From WAN -> DMZ the IPs are routed (no NAT).
> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer 
> any files.
> It seems to require some more ports, so I thought the FTP-helper on the 
> WAN-side could be helpful, but this also does not work...
>
> Does anyone have any idea how to set this up without opening this ton of 
> ports FTP requires ?
>
> I know FTP is not the preferred way, but we need this :-(
>
> I'd be thankful for every hint...
>
> Active FTP is not really an option because most FTP-clients live behind NAT 
> devices so there's the problem of the data-connection again...
>
> Regards,
>
> Martin
>
>
>





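A worked check for the advice in this thread (read the high port range from sysctl, confirm that nothing besides the FTP daemon listens inside it on the FTP host, and only then open the range from WAN). This is added example code, not from the thread or from pfSense; the sysctl and sockstat output is constructed, and the interface name and server address are placeholders.

```python
"""Added example for the thread's FTP-in-routed-DMZ advice (not code from the
thread or from pfSense): read the high port range from `sysctl
net.inet.ip.portrange`, check which other services already listen inside
that range on the FTP host, and only then print the pf rule that opens the
range from WAN to the server. All command output below is constructed;
the interface name and server address are placeholders."""
import re

# Constructed `sysctl net.inet.ip.portrange` output, same values as the thread.
SYSCTL_OUTPUT = """\
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
"""

# Constructed `sockstat -4 -l`-style listing taken on the FTP host.
# backupd on 50000 is the kind of extra listener the thread warns about.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftpd       812   3  tcp4   *:21                  *:*
root     sshd       640   4  tcp4   *:22                  *:*
www      httpd      901   5  tcp4   *:80                  *:*
root     backupd    955   6  tcp4   *:50000               *:*
root     ntpd       560   20 udp4   *:123                 *:*
"""


def parse_portrange(text):
    """Map each net.inet.ip.portrange.* key to its integer value."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"net\.inet\.ip\.portrange\.(\w+):\s*(\d+)", text)}


def high_range(ranges):
    """The IP_PORTRANGE_HIGH range (hifirst..hilast) the thread refers to."""
    lo, hi = ranges["hifirst"], ranges["hilast"]
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("implausible high port range %d-%d" % (lo, hi))
    return lo, hi


def parse_listeners(text):
    """Return (command, port) for every TCP listening socket in the listing."""
    listeners = []
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 6 or not fields[4].startswith("tcp"):
            continue                             # UDP or malformed line
        port = int(fields[5].rsplit(":", 1)[1])  # "*:50000" -> 50000
        listeners.append((fields[1], port))
    return listeners


def conflicting_listeners(listeners, lo, hi, allowed=("ftpd",)):
    """Listeners inside lo..hi other than the FTP daemon: a WAN rule for the
    whole range would expose them as well."""
    return sorted((cmd, port) for cmd, port in listeners
                  if lo <= port <= hi and cmd not in allowed)


def pf_rule(wan_if, server_ip, lo, hi):
    """pf rule that passes the passive data range from WAN to the server."""
    return ("pass in on %s proto tcp from any to %s port %d:%d "
            "flags S/SA keep state" % (wan_if, server_ip, lo, hi))


def plan(sysctl_text, sockstat_text, wan_if, server_ip):
    """Return (rule, conflicts); rule is None while a conflict exists."""
    lo, hi = high_range(parse_portrange(sysctl_text))
    conflicts = conflicting_listeners(parse_listeners(sockstat_text), lo, hi)
    if conflicts:
        return None, conflicts
    return pf_rule(wan_if, server_ip, lo, hi), []


if __name__ == "__main__":
    # "em0" and 203.0.113.10 are placeholders, not values from the thread.
    rule, conflicts = plan(SYSCTL_OUTPUT, SOCKSTAT_OUTPUT, "em0", "203.0.113.10")
    if rule is None:
        print("do not open the range yet; also reachable from WAN:",
              ", ".join("%s/%d" % c for c in conflicts))
    else:
        print(rule)
```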

Re: [pfSense Support] ntop Crashing after a day or two

2009-01-04 Thread Michael Schuh





Re: [pfSense Support] Can't get more than 15kpps.

2008-12-21 Thread Michael Schuh
2008/12/21 Chris Buechler 

> On Sun, Dec 21, 2008 at 1:21 PM, Lenny  wrote:
> >
> > I know for sure that my ISP routed the network. Should I not bother with
> the
> > proxyarp solution?
> >
>
> Don't touch proxy ARP, the chances of that causing a performance
> problem are virtually nil, and if the network is being routed to you
> it won't do anything. In nearly all cases, missing proxy ARP when you
> require it will make your network not function at all. Some routers
> may behave slightly differently and cache ARP based on IP frames
> received, which could cause strange things to happen, including
> performance problems amongst other possibilities. That's very, very
> unusual though. Normally if an IP doesn't answer on ARP when it's
> needed, nothing at all will work.


this may be, but in my case it was definitely proxyarp!
And it wasn't a thing that had to go or not to go! Blinking effects
happened in my case.
And I have no performance issues. And I think proxy arp should never cause a
performance issue,
probably a security issue, but not a performance one.

This is what I know for sure!

And you say it "normally"... in my case it wasn't normal. :-D

Again, for finding such errors don't trust them all... test all or
nothing... step by step.

OK, most relevant possible first... or the easiest first,
and for a good overview make a checklist of tested things, also with
combinations;
so I have also found hardware incompatibilities that follow no
rules.


>
>
>




Re: [pfSense Support] Can't get more than 15kpps.

2008-12-21 Thread Michael Schuh
another idea is to monitor everything that's going on
on the firewall with sa(r) and accounting,
but I don't know if sa and accounting are shipped
with pfSense...

2008/12/21 Michael Schuh 

>
>
> 2008/12/21 RB 
>
>> On Sun, Dec 21, 2008 at 10:34, Michael Schuh 
>> wrote:
>> > Oh not to understand as "its limit the packets per second", but you get
>> not
>> > all the time answers from the isps-gateway, because it need proxyarp.
>>
>> So your particular ISP expected to see the L2 addresses for your
>> public IPs - they didn't route your subnet to you.  You probably never
>
>
> Hmm, it is a little more complicated in my case, and it has in my case
> not really to do with the ISP's routing, more with active components
> between the router (ISP) and my firewall. This component routes/bridges
> only traffic that has valid ARP addresses. For me, in my case it looks
> like a config issue or a bug in this component.
>
>
>> saw unsolicited inbound L3 traffic, but if return packets came back
>> before their ARP cache associating the L3 address to your pfSense's L2
>> address timed out, you'd see the packets.  Add TCP retries on top of
>> that, and you see intermittent but slow traffic.
>
>
> Not only that; it has made it hard for me to find the problem,
> and we don't only have TCP traffic...
>
>
>>
>> It's possible Lenny is seeing this, but since he's seeing as much
>> traffic as he is (15kpps), I find it less probable.  Plausible, but
>> individual streams would likely be much less than the 170Mbps he's
>> quoting.  It's easily checked for - a packet capture on the test
>> clients looking for high retransmits will either prove or disprove the
>> issue.
>
>
> Thought. That could be, but we know nothing about the configuration and
> components
> behind the scenes (on the ISP side of Lenny).
> In other words nothing is impossible... and this could be a simple trial and
> error
> that's quickly done, so why not spend the 5 mins to test it?
> It is then clear whether it is it or not. To be or not to be :-D, to know or not to
> know...
>
> OK, the more information we get, the more the possibility of a proxyarp issue goes
> from very small to null.
>
> On such suspect errors, believe nothing, double check all the
> possibilities...
> my rules :-D
>
> Another thing is, are the servers and clients ready to deliver such a
> spread-out (many connections?)
> bandwidth?
>
> Lenny: is your limitation limited to TCP or to TCP/UDP/ICMP?
> What's going on with GRE tunnels, for example? Or, so to speak, is it protocol
> related?
>
> My guess: yes and no. My guess is that with udp/icmp you could get more traffic.
>
> Another idea:
> allow icmp to the server from your second machine on the internet,
> make a ping -f -s 15000 from this machine to the servers, and see what's going on
> on the firewall and the server... Warning: this could shoot you in your
> foot if
> the server or the firewall cannot really handle this.
> (ping -f sends very many packets, I believe 1000 in parallel, to the
> target, and you must be root to do so;
> in my example with around 15k workload, on linux machines it could be that
> 15000 is too high...)
>
>
>>
>>
>> RB
>>
>>
>>
>
>
>





Re: [pfSense Support] Can't get more than 15kpps.

2008-12-21 Thread Michael Schuh
2008/12/21 RB 

> On Sun, Dec 21, 2008 at 10:34, Michael Schuh 
> wrote:
> > Oh not to understand as "its limit the packets per second", but you get
> not
> > all the time answers from the isps-gateway, because it need proxyarp.
>
> So your particular ISP expected to see the L2 addresses for your
> public IPs - they didn't route your subnet to you.  You probably never


Hmm, it is a little more complicated in my case, and it has in my case
not really to do with the ISP's routing, more with active components
between the router (ISP) and my firewall. This component routes/bridges
only traffic that has valid ARP addresses. For me, in my case it looks
like a config issue or a bug in this component.


> saw unsolicited inbound L3 traffic, but if return packets came back
> before their ARP cache associating the L3 address to your pfSense's L2
> address timed out, you'd see the packets.  Add TCP retries on top of
> that, and you see intermittent but slow traffic.


Not only that; it has made it hard for me to find the problem,
and we don't only have TCP traffic...


>
> It's possible Lenny is seeing this, but since he's seeing as much
> traffic as he is (15kpps), I find it less probable.  Plausible, but
> individual streams would likely be much less than the 170Mbps he's
> quoting.  It's easily checked for - a packet capture on the test
> clients looking for high retransmits will either prove or disprove the
> issue.


Thought. That could be, but we know nothing about the configuration and
components
behind the scenes (on the ISP side of Lenny).
In other words nothing is impossible... and this could be a simple trial and
error
that's quickly done, so why not spend the 5 mins to test it?
It is then clear whether it is it or not. To be or not to be :-D, to know or not to
know...

OK, the more information we get, the more the possibility of a proxyarp issue goes
from very small to null.

On such suspect errors, believe nothing, double check all the
possibilities...
my rules :-D

Another thing is, are the servers and clients ready to deliver such a
spread-out (many connections?)
bandwidth?

Lenny: is your limitation limited to TCP or to TCP/UDP/ICMP?
What's going on with GRE tunnels, for example? Or, so to speak, is it protocol
related?

My guess: yes and no. My guess is that with udp/icmp you could get more traffic.

Another idea:
allow icmp to the server from your second machine on the internet,
make a ping -f -s 15000 from this machine to the servers, and see what's going on
on the firewall and the server... Warning: this could shoot you in your foot
if
the server or the firewall cannot really handle this.
(ping -f sends very many packets, I believe 1000 in parallel, to the target,
and you must be root to do so;
in my example with around 15k workload, on linux machines it could be that
15000 is too high...)


>
>
> RB
>
>
>




Re: [pfSense Support] Can't get more than 15kpps.

2008-12-21 Thread Michael Schuh
Hi,


>
> I can't speak to the proxy-arp bit, but don't see how that particular
> configuration (or lack thereof) would so steeply limit PPS.
>

Oh, not to be understood as "it limits the packets per second", but you don't get
answers all the time from the ISP's gateway, because it needs proxyarp.

In my configuration I have connected servers through a DMZ interface
with official IPs.

Case:
w/o proxyarp: we are connected, but a very small amount of traffic goes
through the ISP's gate.

w/ proxyarp: all things go fine.

After a call to the ISP we clarified that the equipment of the ISP
needs
proxyarp for all the machines connected with public IPs, and they have no
chance
to change it (so says the ISP's supporter, regardless of whether it is really true).

The resulting behavior w/o proxyarp was the one described in the original post.

In my case(!).

ACK, rrd-graphs have nothing to do with this behaviour.

greetings

michael




Re: [pfSense Support] Can't get more than 15kpps.

2008-12-21 Thread Michael Schuh
Hi,


the proxy-arp is nothing to see on your box; maybe the equipment of your
provider
could need it.

See if it is enabled with the sysctl utility.

Afaik there is no way to configure it in the web-frontend.
You have to make the following config in your xml-config:




sysctl -w net.link.ether.inet.proxyall=1

For testing purposes you can configure it at runtime (I think it works
directly),
like in the web-frontend in the diagnostics menu under "command", or on the
shell.

If I remember correctly, you can do this for single interfaces too,
except for all.
This command works for all interfaces, not on specific ones.

The behavior that you describe is exactly the same as mine before I made
the proxyarp entry. Another significant behavior indicating that proxyarp is needed
is that the traffic from the firewall itself is always at a fine speed, for
natted boxes also,
but not for routed servers (because the provider needs proxyarp, in my
case).

good luck ;-)

greetings

michael


2008/12/21 Lenny 

> Michael Schuh wrote:
>
>  Hi,
>>
>> do you use NAT? No?
>> My guess it could be proxyarp.
>> It is disabled by default.
>>
>> One of the connections of my customers needs proxyarp to properly connect
>> and route the requests to the servers in the DMZ.
>>
>> Don't forget (if it was it) to enable proxy-arp in loader.conf and the
>> firewall xml-config,
>> using the Backup/Restore feature.
>>
>> greetings
>>
>> michael
>>
>> 2008/12/20 Lenny > five2one.le...@gmail.com>>
>>
>>
>>Hi,
>>
>>
>>I'm kind of desperate here, so please try to help me.
>>
>>Here's my problem:
>>
>>I have a setup in production (a very dynamic website).
>>
>>It consists of pfsense-->Alteon Load Balancer-->IBM
>>Bladecenter(with a Squids cluster on it).
>>
>>pfsense is installed on IBM x335 with 2 Xeon 2.4GHz, 2GB RAM, and
>>Dual Intel NIC PCI-X 1Gb.
>>
>>I'm connected with 1Gb to the ISP.
>>
>>The problem is that no matter what I do, I can't get more than 15kpps.
>>
>>After that I start to get a lot of packet loss.
>>
>>At first I was sure that the ISP has me on QoS, because I never
>>saw traffic going over a 100Mb/s,
>>
>>but then to convince me they downloaded some large files from my
>>servers and came up as high as 170Mb/s.
>>
>>So that one was out.
>>
>>
>>Next I changed the NICs (I used the onboard Broadcom at first) and
>>it did save me from the need to
>>
>>do Device Polling, and I have no more interrupt using half the
>>CPU, but not more than that.
>>
>>So I upgraded to 1.2.1 RC3. And still - the most I saw was 14kpps
>>and 102 Mb/s.
>>
>>I have 70 states entered, while I never saw it going over
>>25 in reality.
>>
>>The files transfered are rather small, 600KB being the largest.
>>
>>As for the Alteon, at first it was connected via another Broadcom
>>fibre NIC (Alteon only has 1 fibre uplink that's 1Gb),
>>
>>but now that I use an Intel Dual - I connected it to a Cisco Gbic
>>and from there to the Alteon by another fibre Gbic (don't judge me
>>- I don't have a giga switch). I know it's another possible trap,
>>but right now I don't have any other choice.
>>
>>
>>99% of the traffic is port 80.
>>
>>I don't use NAT. All the IPs are public.
>>
>>WAN is static. LAN is not used. OPT1 is and also static.
>>
>>WAN and OPT1 are on different subnets of course. With additional
>>static route (the squids cluster is on the third subnet).
>>
>>CPU doesn't go over 30%. RAM is about 20-30. I'm talking peaks now.
>>
>>sysctl net.inet.ip.intr_queue_drops shows 0.
>>
>>I have no more than 15 rules while the first one should take care
>>of most of the traffic.
>>
>>I tried Aggressive mode with 1.2 and it didn't help. With the
>>current version I'm using the Normal mode.
>>
>>The biggest problem with our website is that people are starting
>>to hit refresh when the site is not functioning
>>
>>properly and it's kind of killing our web servers. Plus it adds
>>traffic to the firewall, thus loading it even more.
>>
>>
>>Another weird thing I noticed is that when looking at RRD graphs I
>>suddenly see a blank space, like this:
>>
>>--  --   ---

Re: [pfSense Support] Can't get more than 15kpps.

2008-12-20 Thread Michael Schuh
Hi,

do you use NAT? No?
My guess it could be proxyarp.
It is disabled by default.

One of the connections of my customers needs proxyarp to properly connect
and route the requests to the servers in the DMZ.

Don't forget (if it was it) to enable proxy-arp in loader.conf and the
firewall xml-config,
using the Backup/Restore feature.

greetings

michael

2008/12/20 Lenny 

> Hi,
>
>
> I'm kind of desperate here, so please try to help me.
>
> Here's my problem:
>
> I have a setup in production (a very dynamic website).
>
> It consists of pfsense-->Alteon Load Balancer-->IBM Bladecenter(with a
> Squids cluster on it).
>
> pfsense is installed on IBM x335 with 2 Xeon 2.4GHz, 2GB RAM, and Dual
> Intel NIC PCI-X 1Gb.
>
> I'm connected with 1Gb to the ISP.
>
> The problem is that no matter what I do, I can't get more than 15kpps.
>
> After that I start to get a lot of packet loss.
>
> At first I was sure that the ISP has me on QoS, because I never saw traffic
> going over a 100Mb/s,
>
> but then to convince me they downloaded some large files from my servers
> and came up as high as 170Mb/s.
>
> So that one was out.
>
>
> Next I changed the NICs (I used the onboard Broadcom at first) and it did
> save me from the need to
>
> do Device Polling, and I have no more interrupt using half the CPU, but not
> more than that.
>
> So I upgraded to 1.2.1 RC3. And still - the most I saw was 14kpps and 102
> Mb/s.
>
> I have 70 states entered, while I never saw it going over 25 in
> reality.
>
> The files transfered are rather small, 600KB being the largest.
>
> As for the Alteon, at first it was connected via another Broadcom fibre NIC
> (Alteon only has 1 fibre uplink that's 1Gb),
>
> but now that I use an Intel Dual - I connected it to a Cisco Gbic and from
> there to the Alteon by another fibre Gbic (don't judge me - I don't have a
> giga switch). I know it's another possible trap, but right now I don't have
> any other choice.
>
>
> 99% of the traffic is port 80.
>
> I don't use NAT. All the IPs are public.
>
> WAN is static. LAN is not used. OPT1 is and also static.
>
> WAN and OPT1 are on different subnets of course. With additional static
> route (the squids cluster is on the third subnet).
>
> CPU doesn't go over 30%. RAM is about 20-30. I'm talking peaks now.
>
> sysctl net.inet.ip.intr_queue_drops shows 0.
>
> I have no more than 15 rules while the first one should take care of most
> of the traffic.
>
> I tried Aggressive mode with 1.2 and it didn't help. With the current
> version I'm using the Normal mode.
>
> The biggest problem with our website is that people are starting to hit
> refresh when the site is not functioning
>
> properly and it's kind of killing our web servers. Plus it adds traffic to
> the firewall, thus loading it even more.
>
>
> Another weird thing I noticed is that when looking at RRD graphs I suddenly
> see a blank space, like this:
>
> --  --   . And it shows on all the graphs at the same time.
>
> I've also noticed that it's about the same time as the load kills the
> website. Must be related.
>
> Quality graphs are not showing. They did in the 1.2 version.
>
> SNMP is not enabled. DHCP is (it was on by default and I just left it
> there).
>
>
> With version 1.2 I had ACPI disabled(long boot), now I have it
> enabled(seems to work fine with 1.2.1), although I should mention that I
> never checked the ACPI at BIOS (I saw a post by someone who had this
> problem).
>
>
> I've read hundreds of topics here and on the forum and I saw that with my
> setup I can handle a lot more than I do now.
>
> So what could be wrong?
>
>
> Please help!
>
>
> Thanks,
>
> Lenny.
>
>
> P.S. Sorry for the size of this mail, but I figured I'd rather tell you all
> the details ahead.
>
>
>
>




Re: [pfSense Support] FreeBSD SA-08:11 and pfSense

2008-12-17 Thread Michael Schuh
who wants to boot? *grin*

2008/12/17 Chris Buechler 

> On Wed, Dec 17, 2008 at 10:52 AM, a800  wrote:
> > Hello,
> >
> > I would like to know how the last FreeBSD security advisory
> > http://security.freebsd.org/advisories/FreeBSD-SA-08:11.arc4random.asc
> > affects pfSense. I understand it is not fixed in 1.2.1-RC4.
> >
>
> It's been fixed in every 1.2.1 snapshot since that was released,
> including the RC2, 3 and 4 releases.
>
>
>




Re: [pfSense Support] multipe remote desktop connections/nat

2008-10-08 Thread Michael Schuh
If you can use different ports your chances are good.

Say user A connects to ExternalIP:3389 -> forwarded to Host A:3389
Say user B connects to ExternalIP:13389 -> forwarded to Host B:3389

It's possible through the port-forward tab in NAT rules.

cheers

michael

2008/10/8 BSD Wiz <[EMAIL PROTECTED]>

> Damn, I was afraid of that.
>
> -Phil G
>
>
>
>
>
> On Oct 8, 2008, at 2:36 PM, RB <[EMAIL PROTECTED]> wrote:
>
>  so user A can connect to host A behind pfsense box via port 3389 and user
>>> B
>>> can connect to host B via port 3389 behind the pfsense firewall and so on
>>> and so forth.
>>>
>>> what should be my approach?
>>>
>>
>> Install a Terminal Services Gateway.  pfSense does not do policy-NAT,
>> i.e. port-forwarding based on external source address.
>>
>> -
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
> -----
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===
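The two forwards above, one external port per internal host, as an added example that is not pfSense's code: a small Python script that emits the pf rdr/pass rules pfSense would generate from the NAT > Port Forward tab and refuses a table that reuses an external port or leaves the source as "any". Using a non-standard external port hides nothing from a port scan, so the script requires each forward to name the remote networks allowed to reach it. Interface name, WAN address, hosts and networks are made-up sample values.

```python
"""Generate pf port-forward rules, one external port per internal RDP host.

Added example; this is not pfSense code. pfSense writes equivalent rdr/pass
rules from its NAT > Port Forward tab. This script models the two checks a
reviewer wants before exposing RDP this way: every external port is unique,
and every forward names the source networks allowed to reach it rather than
"any". Interface, address and network values below are made-up samples.
"""
import ipaddress


def build_port_forwards(ext_if, ext_addr, forwards):
    """Return pf.conf lines (an rdr plus a matching pass rule per entry).

    forwards: iterable of dicts with keys ext_port, host, port, from_nets.
    Raises ValueError on a duplicate external port, a bad network, or a
    forward with no source restriction.
    """
    seen = {}
    lines = []
    for fw in forwards:
        ext_port = int(fw["ext_port"])
        if not 1 <= ext_port <= 65535:
            raise ValueError("external port %d out of range" % ext_port)
        if ext_port in seen:
            raise ValueError("external port %d already forwards to %s"
                             % (ext_port, seen[ext_port]))
        seen[ext_port] = fw["host"]
        nets = list(fw.get("from_nets") or [])
        if not nets or "any" in nets:
            raise ValueError("forward to %s:%s has no source restriction"
                             % (fw["host"], fw["port"]))
        for net in nets:
            ipaddress.ip_network(net)  # syntax check; raises ValueError
        src = "{ " + ", ".join(nets) + " }"
        # pf translates before filtering, so the pass rule matches the
        # already-rewritten destination (internal host and port).
        lines.append("rdr on %s proto tcp from %s to %s port %d -> %s port %d"
                     % (ext_if, src, ext_addr, ext_port, fw["host"], int(fw["port"])))
        lines.append("pass in on %s proto tcp from %s to %s port %d flags S/SA keep state"
                     % (ext_if, src, fw["host"], int(fw["port"])))
    return lines


def rejection_reason(ext_if, ext_addr, forwards):
    """Return the ValueError message for a bad table, or None if it is accepted."""
    try:
        build_port_forwards(ext_if, ext_addr, forwards)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: two RDP hosts behind one WAN address, reachable only
# from one remote office network (the setup described in the thread).
SAMPLE_FORWARDS = [
    {"ext_port": 3389, "host": "192.168.1.10", "port": 3389,
     "from_nets": ["203.0.113.0/24"]},
    {"ext_port": 13389, "host": "192.168.1.11", "port": 3389,
     "from_nets": ["203.0.113.0/24"]},
]

if __name__ == "__main__":
    for line in build_port_forwards("em0", "198.51.100.10", SAMPLE_FORWARDS):
        print(line)
```

The rdr line does the translation and the pass line admits the translated packet; pf applies NAT before filtering, so the pass rule is written against the internal host and port. On pfSense itself these rules come out of the GUI; the script is only a way to check a forwarding table before it is typed in.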


Re: [pfSense Support] Re: random lock up -> Now with high CPU usage

2008-09-25 Thread Michael Schuh
Hello,

have you tried to boot w/o ACPI?
I have had some problems with MSI boxes that have a strange
interrupt configuration.
This looks exactly like that problem; or search through the BIOS for
issues.


greetings

michael

2008/9/25 Matias Surdi <[EMAIL PROTECTED]>

> Chris Buechler escribió:
>
>> On Wed, Sep 24, 2008 at 1:43 PM, Matias Surdi <[EMAIL PROTECTED]>
>> wrote:
>>
>>> Finally, we've migrated to 1.2.1 RC1 and seems to be working, at least
>>> for
>>> now.
>>>
>>> But, we are seeing that the CPU keeps on 50% use, and a top shows that
>>> it's
>>> being used by "interrupt".
>>>
>>>
>> That's indicative of a maxed out box. What is your CPU and how much
>> throughput are you pushing?
>>
>
>
> We have reinstalled again on another machine with the exact same hardware,
> and the problem persists.
>
> The throughput is about 300 ~ 500 kbps and the process that is consuming all
> the CPU resources is: (from top -S)
>
>   15 root1 -44- 0K 8K CPU1   0 960:31 100.00% swi1: net
>
>
>
>
>
> ---------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===


Re: [pfSense Support] Re: random lock up

2008-09-24 Thread Michael Schuh
Yes, it also works across releases in some cases;
for me it has worked from 1.0 RELEASE to 1.2 RELEASE.


2008/9/24 Matias Surdi <[EMAIL PROTECTED]>

> Should this backup/restore procedure work backing up from 1.2 Release and
> restoring on 1.2.1 ?
>
>
> Thanks.
>
>
> Michael Schuh escribió:
>
>> Hi Matias,
>>
>> have you cleaned up the filesystem after such a reboot? As mentioned?
>>
>> Second, it seems to me it could be a lockup during a hot spot??
>>
>> 30,000 states should be possible with enough RAM.
>> I have a box configured with 1,000,000 states but 2 GB RAM!!
>>
>> Such behavior w/o error messages could be a temperature problem of the
>> CPU or hard drive or RAM
>> -> very fast lockup if it is hot
>>
>> Check the RAM with memtest86+.
>> Check cooling and CPU cooler/fan.
>> Often the cooler isn't placed correctly on the CPU or has moved during
>> transport
>> of the system.
>>
>> If that doesn't help, try a newer version of pfSense;
>> other people report such problems with 1.2 RELEASE but not with 1.2.1 on
>> the
>> same hardware..
>>
>> You can back up your config through the Diagnostics menu, reinstall and restore
>> your config and everything is fine,
>> as you had it configured before.
>>
>>
>> hope this helps..
>>
>> regards
>>
>> michael
>>
>>
>>
>> 2008/9/24 Matias Surdi <[EMAIL PROTECTED] > [EMAIL PROTECTED]>>
>>
>>The console is absolutely frozen. Can't do anything.
>>
>>I've the logs on a remote syslog server, but I don't see any error
>>message that could give me a clue, just DHCP and blocked packets
>>information.
>>
>>Also, the contents of all log files in /var/log (after rebooting)
>>aren't useful.
>>
>>
>>Help please.
>>
>>
>>Michael Schuh escribió:
>>
>>Hello Matias,
>>
>>can you see any error messages on the console of the box?
>>This is too little information to identify the source(s) of
>>this error behavior.
>>
>>regards
>>
>>michael
>>
>>2008/9/24 Matias Surdi
>><[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>
>><mailto:[EMAIL PROTECTED]
>>
>><mailto:[EMAIL PROTECTED]>>>
>>
>>
>>   Hi,
>>
>>   I'm experiencing random crashes with 1.2; sometimes it happens when
>>   saving a rule, other times when saving advanced settings. No
>> reply
>>   from the pfSense box, no ping replies. Nothing. Completely dead.
>>
>>   Any idea what could be happening here?
>>
>>   Thanks a lot.
>>
>>
>>
>> -
>>   To unsubscribe, e-mail:
>>   [EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>
>> <mailto:[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>>
>>
>>   For additional commands, e-mail:
>>   [EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>
>>   <mailto:[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>>
>>
>>
>>
>>
>>
>>--=== m i c h a e l - s c h u h . n e t ===
>>Michael Schuh
>>Postfach 10 21 52
>>66021 Saarbrücken
>>phone: 0681/8319664
>>mobil: 0177/9738644
>>@: m i c h a e l . s c h u h @ g m a i l . c o m
>>
>>=== Ust-ID: DE251072318 ===
>>
>>
>>
>>-
>>To unsubscribe, e-mail:
>>[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>
>>For additional commands, e-mail:
>>[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>
>>
>>
>>
>>
>> --
>> === m i c h a e l - s c h u h . n e t ===
>> Michael Schuh
>> Postfach 10 21 52
>> 66021 Saarbrücken
>> phone: 0681/8319664
>> mobil: 0177/9738644
>> @: m i c h a e l . s c h u h @ g m a i l . c o m
>>
>> === Ust-ID: DE251072318 ===
>>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===


Re: [pfSense Support] Re: random lock up

2008-09-24 Thread Michael Schuh
Hi Matias,

have you cleaned up the filesystem after such a reboot? As mentioned?

Second, it seems to me it could be a lockup during a hot spot??

30,000 states should be possible with enough RAM.
I have a box configured with 1,000,000 states but 2 GB RAM!!

Such behavior w/o error messages could be a temperature problem of the CPU
or hard drive or RAM
-> very fast lockup if it is hot

Check the RAM with memtest86+.
Check cooling and CPU cooler/fan.
Often the cooler isn't placed correctly on the CPU or has moved during
transport
of the system.

If that doesn't help, try a newer version of pfSense;
other people report such problems with 1.2 RELEASE but not with 1.2.1 on the
same hardware..

You can back up your config through the Diagnostics menu, reinstall and restore
your config and everything is fine,
as you had it configured before.


hope this helps..

regards

michael



2008/9/24 Matias Surdi <[EMAIL PROTECTED]>

> The console is absolutely frozen. Can't do anything.
>
> I've the logs on a remote syslog server, but I don't see any error message
> that could give me a clue, just DHCP and blocked packets information.
>
> Also, the contents of all log files in /var/log (after rebooting) aren't
> useful.
>
>
> Help please.
>
>
> Michael Schuh escribió:
>
>> Hello Matias,
>>
>> can you see any error messages on the console of the box?
>> This is too little information to identify the source(s) of this error
>> behavior.
>>
>> regards
>>
>> michael
>>
>> 2008/9/24 Matias Surdi <[EMAIL PROTECTED] > [EMAIL PROTECTED]>>
>>
>>Hi,
>>
>>I'm experiencing random crashes with 1.2; sometimes it happens when
>>saving a rule, other times when saving advanced settings. No reply
>>from the pfSense box, no ping replies. Nothing. Completely dead.
>>
>>Any idea what could be happening here?
>>
>>Thanks a lot.
>>
>>
>>-
>>To unsubscribe, e-mail:
>>[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>
>>For additional commands, e-mail:
>>[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>
>>
>>
>>
>>
>> --
>> === m i c h a e l - s c h u h . n e t ===
>> Michael Schuh
>> Postfach 10 21 52
>> 66021 Saarbrücken
>> phone: 0681/8319664
>> mobil: 0177/9738644
>> @: m i c h a e l . s c h u h @ g m a i l . c o m
>>
>> === Ust-ID: DE251072318 ===
>>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===


Re: [pfSense Support] random lock up

2008-09-24 Thread Michael Schuh
Hello Matias,

can you see any error messages on the console of the box?
This is too little information to identify the source(s) of this error
behavior.

regards

michael

2008/9/24 Matias Surdi <[EMAIL PROTECTED]>

> Hi,
>
> I'm experiencing random crashes with 1.2; sometimes it happens when saving a
> rule, other times when saving advanced settings. No reply from the pfSense
> box, no ping replies. Nothing. Completely dead.
>
> Any idea what could be happening here?
>
> Thanks a lot.
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===


Re: [pfSense Support] kernel: vr1: rx packet lost

2008-07-21 Thread Michael Schuh
This could come from ugly VIA Rhine cards :-D
I had the same problem; after changing my adapters to Intel
the errors went away.

2008/7/21 Alexandre Guimaraes <[EMAIL PROTECTED]>:

> Can someone try to explain this problem (kernel: vr1: rx packet lost) to me,
> and how to resolve it?
>
> I've done several searches about this; maybe a FreeBSD problem, maybe an
> autosense net card problem, maybe not!
>
> Can someone illuminate me with a conclusive solution?
>
>
> Thanks Folks!
>
> Alexandre
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===


Re: [pfSense Support] Access to webGUI from multiple interface

2007-06-15 Thread Michael Schuh

Hi,

AFAIK, simply set up a rule in the firewall rules that allows incoming
(preferably HTTPS) connections for the required interfaces,
and preferably set the GUI to HTTPS in General Setup
and create a certificate if it doesn't get
created automagically.

cheers

michael

2007/6/16, Alexandre Blardone <[EMAIL PROTECTED]>:


Hello,
How can I set up pfSense so that it will accept connections to its
GUI from multiple interfaces (i.e. interfaces other than LAN)?

Alex







--
=== michael-schuh.net ===
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]

=== Ust-ID: DE251072318 ===


Re: [pfSense Support] Need to limit webaccess to all bout 15 websites

2007-03-15 Thread Michael Schuh

Hi,
if I understand right, you want to give clients on the LAN
access to only 15 sites and nothing more?
So you have two options:
a)
 create allow rules for DNS, SMTP, POP3, IMAP, or whatever else is required,
 create also pass rules that allow access to these 15 sites
 hint: these sites can be packed into an alias so you only need to define one
rule
 caveats: the IP address is required, and if these addresses change the site
cannot be accessed

b) my preferred solution
install squid, enable transparent proxying, create access rules in the
squid configuration that allow access to the sites that are required and
deny access to any other; optionally you can create black and white lists
that are
loaded by squid. The ACLs and lists can contain regular expressions on all
subcomponents
of a request. If you need samples, contact me; I can give you a full
configuration
that is a perfect example of these techniques.
Optionally you can create local users on the firewall for
limiting access to authenticated users, or use a RADIUS server to
authenticate
(I think pfSense supports this).

hope this helps you

cheers

michael

2007/3/15, Sloan Miller <[EMAIL PROTECTED]>:


I need to limit http access to all sites but 15 on the internet.  Is this
possible?  If so how would I do this.


thanks





--
=== michael-schuh.net ===
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]

=== Ust-ID: DE251072318 ===
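Option (b) above, as an added example (not squid's code and not the pfSense squid package): a Python model of squid's dstdomain matching, so a 15-site allowlist can be checked before it goes into squid.conf, plus the ACL stanza it corresponds to. Site names, the LAN network and the URLs are made-up samples; the matching rule (a leading dot matches the domain and all its subdomains, no leading dot matches the exact host only) is squid's documented behaviour.

```python
"""Model squid's dstdomain allowlist for a "these N sites only" proxy.

Added example; not squid, not pfSense's squid package. It reproduces the
dstdomain matching rule from squid's documentation (a pattern with a
leading dot matches that domain and every subdomain; a pattern without a
leading dot matches that exact host only), so an allowlist can be checked
before it goes into squid.conf, and it emits the matching ACL stanza.
The site names, LAN network and URLs below are made-up samples.
"""
from urllib.parse import urlsplit

# Constructed allowlist in squid dstdomain syntax.
ALLOWED_SITES = [".example.com", "www.example.org", ".example.net"]


def normalize_host(host):
    """Lower-case and drop a trailing dot, as a resolver would."""
    return host.strip().lower().rstrip(".")


def dstdomain_matches(pattern, host):
    """True if host matches one squid dstdomain pattern."""
    pattern = normalize_host(pattern)
    host = normalize_host(host)
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(host, allowed=ALLOWED_SITES):
    """True if any allowlist entry matches the host."""
    return any(dstdomain_matches(p, host) for p in allowed)


def url_allowed(url, allowed=ALLOWED_SITES):
    """Decide a request by the host part of its URL (userinfo and port ignored)."""
    host = urlsplit(url).hostname
    return bool(host) and is_allowed(host, allowed)


def squid_acl_config(allowed=ALLOWED_SITES, lan_net="192.168.1.0/24"):
    """squid.conf fragment: allow the LAN to the listed sites, deny everything else.

    http_access lines are evaluated top to bottom and the first match wins,
    so the 'deny all' must stay last.
    """
    return "\n".join([
        "acl lan src %s" % lan_net,
        "acl allowed_sites dstdomain %s" % " ".join(allowed),
        "acl SSL_ports port 443",
        "acl CONNECT method CONNECT",
        "http_access deny CONNECT !SSL_ports",
        "http_access allow lan allowed_sites",
        "http_access deny all",
    ])


if __name__ == "__main__":
    # Constructed sample requests: one allowed, one that only looks allowed.
    for url in ("http://mail.example.com/inbox",
                "http://www.example.com.attacker.net/"):
        print(url, "->", "allow" if url_allowed(url) else "deny")
    print(squid_acl_config())
```

Two caveats for this setup: transparent proxying as described intercepts plain HTTP on port 80 only, so HTTPS either goes through the proxy explicitly (CONNECT, limited above to port 443) or needs its own firewall rule; and the allowlist only holds if the firewall also blocks direct outbound HTTP/HTTPS from the LAN, otherwise clients simply bypass the proxy.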


Re: [pfSense Support] Native VLAN Question

2007-03-01 Thread Michael Schuh

Hello Eugen,

as mentioned, tip/cu, or for Linux the appended code;
I found it on the net, and it seems to me to be a rewrite of
cu from BSD.

cheers
michael

2007/3/1, Eugen Leitl <[EMAIL PROTECTED]>:


On Thu, Mar 01, 2007 at 12:07:32PM -0600, Bill Marquette wrote:

> Will the switch send vlan 1 tagged or untagged?  If it's tagged, just
> create vlan1 on the pfsense box.  If it's going to send it untagged

Stupid question: if I have two switches (a HP ProCurve 2650 and a
Netgear GS724T to be precise, which are both quite reasonable products
for the price tag, especially if you reflash the Netgear firmware, which
is buggy out of the box), which are both vlan-capable (it's supposedly
standardized, whatever little that means in this business),
can I make tagged vlans which span across two or more switches?

> (most switches will for "native" vlans), then you'll need an IP on the
> physical interface (I'm not entirely sure if we support that setup).

Apropos of nothing, I managed to down my hoster's network segment by
an inadvertent ARP storm, made with pfSense (it's a great dual-use
product,
doubles as a nuclear weapon in a pinch). I had a firewall with two
interfaces
(two firewalls, in fact) on the same switch. While playing around with the
port-based vlans (I tried to not have two interfaces on the same VLAN,
thinking
that Something Bad might happen, and was proven right) I managed to
actually
put two interfaces on the same (main) VLAN, which took everything offline
(and my entire
subnet banned because of a DoS) in a mere few seconds. It required a
manual
intervention (switching off the firewalls by power button), disabling the
switch ports, and unbanning the network to get me back in business.
The firewalls were still inaccessible (I almost triggered another
ARP storm by trying to get back to them, but this time fortunately managed
to disable the port in time), but fortunately I had a crossover serial to
a
Linux machine in the rack, and a PDU which allowed me to remotely
power-cycle the
firewalls, so I could reconfigure the firewalls via the serial console (I
used
minicom, which is in the Debian repository -- anyone knows anything more
basic?).
The other firewall, unfortunately, lacked such a crossover serial, so it's
dead
until a physical visit, or at least until I pay for a pair of remote
hands,
and a crossover cable. Well, this means that I have to try a filtered
bridge next,
and think later about pfsync/carp cluster failover.

Moral: networking is unsuitable for dumb people.

--
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFF5yn4dbAkQ4sp9r4RAuemAKCQFcoNkWlRw2h0WFmJ6KBsclEveACfbyT0
KDfnrHMP/k26PhLbN4qMuiU=
=X0Nv
-END PGP SIGNATURE-





--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]


com
Description: Binary data


com.c
Description: Binary data

Re: [pfSense Support] PPPOE Connection / Packages are getting lost

2007-02-16 Thread Michael Schuh

Hi,

I'm not sure which pppd is used on pfSense,
but if it is the original pppd from FreeBSD,
don't set the MRU; the pppd negotiates
the MTU and MRU with its peer in a handshake
called the MRU handshake.

If this doesn't work for you, you can see the negotiated MTU/MRU in the logging
from pppd,
and set the size around 100 bytes smaller.

Sometimes extra overhead for extra tunneling is required;
the more providers there are between your connection and the real carrier,
the more byte overhead you must pay for tunneling... like
PPPoE -> Ethernet -> ATM and so on.

Most times I have set this to the minimum, and let the pppd and the kernel
do the
rest of the work for me.

Here is a piece from the manpage of pppd
http://www.freebsd.org/cgi/man.cgi?query=pppd&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
---%<--snip--%<---
mru n Set the MRU [Maximum Receive Unit] value to n. Pppd will ask
the peer to send packets of no more than n bytes. The minimum
MRU value is 128. The default MRU value is 1500. A value of
296 is recommended for slow links (40 bytes for TCP/IP header +
256 bytes of data).

mtu n Set the MTU [Maximum Transmit Unit] value to n. Unless the peer
requests a smaller value via MRU negotiation, pppd will request
that the kernel networking code send data packets of no more
than n bytes through the PPP network interface.
--->%--snap-->%--

2007/2/16, Scott Ullrich <[EMAIL PROTECTED]>:


Start with a MTU of 500 and work your way up.  1400 might not be low
enough.

On 2/16/07, Richard <[EMAIL PROTECTED]> wrote:
> Hello Team / Supporters,
>
> i have a very weird problem with pfSense.
> Please take some time to read the complete mail.
>
> Infrastructure
> 
> 4Mbit ADSL Connection / ADSL Modem / no other Internet Infrastructure
>
> Problem description:
> ===
> 30% of the Internet seems to be not available. Part of this 30% are for
> example  snort.org / download.freenet.de / sf.net. Users who are trying
> to access one of these sites have to wait endlessly. No connection
> seems to be possible. So far so good:
>
> Troubleshooting:
> ===
>
> Software
> ==
> Restarting DSL-Modem / Firewall / DNS Server - no effect
> Resetting the Firewall to default values - no effect
> Changing Firewall rules / NAT - no effect
> Changing MTU size in shell/web 1492 / 1456 / 1400 / 1500 - no effect
> With or without DNS Passthrough - no effect
>
> Hardware
> ==
> Reinstalling the Firewall - no effect
> -Switching to our old Firewall (Watchguard) - *everything working fine*
> Trying different NIC - no effect
> Installing pfSense on completely different hardware - no effect
> Trying pfSense dev build - no effect.
>
> 
>
> As I mentioned before, with our old Watchguard everything is working fine
> using PPPoE connections. I'm absolutely out of ideas. I'm actually
> expecting no answers to that email ;-), but hope dies last.
> pfSense is exactly what I'm looking for; I'm really sad that we can't
> use it at the moment.
>
>
>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>






--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]


Re: [pfSense Support] Updating from 1.0 -> 1.0.2

2007-02-13 Thread Michael Schuh

Ahhh, I am out of date :-)
thank you

cu
michael

2007/2/13, Scott Ullrich <[EMAIL PROTECTED]>:


On 2/13/07, Michael Schuh <[EMAIL PROTECTED]> wrote:
> Hi Scott,
>
> ok, I will try that in the next days.
> Is there another (newer) place for current snapshots than
> www.pfsense.com/~sullrich, or do only the main updates from
>  the update section in the download page exist?
> I remember that I have previously downloaded snapshots
> from the link above.
>
> or are we talking about snapshots and meaning updates (tgz)?

Latest snapshots are built hourly @
http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Scott






--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]


Re: [pfSense Support] Updating from 1.0 -> 1.0.2

2007-02-13 Thread Michael Schuh

Hi Scott,

ok, I will try that in the next days.
Is there another (newer) place for current snapshots than
www.pfsense.com/~sullrich, or do only the main updates from
the update section in the download page exist?
I remember that I have previously downloaded snapshots
from the link above.

or are we talking about snapshots and meaning updates (tgz)?

thank you

regards
michael

2007/2/13, Scott Ullrich <[EMAIL PROTECTED]>:


On 2/13/07, Michael Schuh <[EMAIL PROTECTED]> wrote:
> Hello,
>
> i have a question about updating.
> One of my firewalls runs with 1.0-SNAPSHOT-x;
> is there any problem with upgrading this, using
> the update tgz for version 1.0.1, or better in the next days 1.0.2?
>
> Or should I better back up and reinstall
> this firewall?

You should be fine in upgrading from 1.0.1 to a recent snapshot.

Scott
PS: just so nobody is confused, 1.0.2 is not out yet.






--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]


[pfSense Support] Updating from 1.0 -> 1.0.2

2007-02-13 Thread Michael Schuh

Hello,

i have a question about updating.
One of my firewalls runs with 1.0-SNAPSHOT-x;
is there any problem with upgrading this, using
the update tgz for version 1.0.1, or better in the next days 1.0.2?

Or should I better back up and reinstall
this firewall?

Thanks

regards

michael

--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]


Re: [pfSense Support] Looking for hardware

2007-01-30 Thread Michael Schuh

Hi,

which height do you want, 1U? Then you could look at MSI rack boxes
or Supermicro boxes; they have 3 onboard NICs, and let you put a
QFE/QGB (quad fast-ethernet/gigabit) card in a standard PCI slot,
so you can get 7 NICs. But these are bigger, louder and consume more
power, and also produce more heat.


Alternatively you buy a 3U or 4U box with 6 PCI slots
and put 6 QFE cards in it and simulate a switch/hub;
a friend of mine has done it that way :-D


cheers

michael
2007/1/31, Alexandre Blardone <[EMAIL PROTECTED]>:


Hello
I currently run pfsense on a LinITX FX5620 which has 6 NICs and works
nicely. I am looking to upgrade to a rack mountable hardware with 6 gigabit
NICs and a beefier processor since I now have 100Mbps WAN. None of pfsense's
recommended vendors offer a solution with 6 Gig NICs (or 4 with an
accessible PCI slot)
I got the NSA 1046 from Nexcom (you can add a PCI card in it) but pfsense
did not recognize the built in PCI express NICs :(
Can anyone help me with either making pfsense work on the NSA 1046 (can i
install drivers?) or find new hardware that would fit my requirements?
Is anyone running pfsense on a box with 6+ gigabit NICs ?

Thanks for any replies
Alex








--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]




[pfSense Support] questions/wishes

2007-01-12 Thread Michael Schuh

Hi Scott,
Hi Holger,

i have some questions about the xmlrpc functionality.

First: is it possible to configure or to extend pfSense in a way
that the xmlrpc function syncs the rules to many other slaves?
Concretely, right now pfSense's xmlrpc works in one-to-one mode,
one master and one slave, so that it is only possible to define a
chain to sync like

pfsense01 sync to-> pfsense02 sync to -> pfsense03 sync to pfsense04


setting pfsense04 up to sync with pfsense01 can give a lot of fun :-)
and a never-ending story :-)
just kidding


but not
 -> pfsense02
pfsense01 sync to -> pfsense03
 -> pfsense04

Second, based on the first:
is it possible to extend the prevention in xmlrpc, so that rules that
have been made on the slave are prevented from deletion by the xmlrpc sync?
Or to make an extra flag that prevents deletion.

Third, also based on the first two:
is it possible to extend pfSense to mark such rules (prevented from
xmlrpc, or from deletion) with an extra icon in the rules overview,
like the block/reject/pass and info icons?

Fourth: is it possible to toggle the info flag like the
block/pass/reject flag, to toggle logging temporarily?

The reason for these questions/wishes is to manage large networks
from one master firewall (commonly only a configuration backend) and
sync common rules for every other firewall to all firewalls that we
have to manage, but give us the possibility to define local rules
that
are prepended to the global rules or other configurations and protected
from deletion.
I think you understand what the target in my mind is.

Sorry for my bad English :-)

thank you

regards

michael
--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]




[pfSense Support] Where is the squid package?

2006-12-07 Thread Michael Schuh

Hello,

i have installed a new pfSense firewall from the CD release 1.0;
after installation I have updated to the last full update
(on Monday). I would like to install the squid package from Packages,
but the packages page doesn't show me this package.

Can this result from a connection problem to wiki.pfsense.com?
At the moment this site is blocked (probably by the ISP or carrier).
Or is there some other way to install this package?

thanks

regards

michael
--
michael-schuh.net
Michael Schuh
Preußenstr. 13
66111 Saarbrücken
phone: 0681/8319664
mobil:   0177/9738644
@: [EMAIL PROTECTED]




Re: [pfSense Support] there is an typo in the squid-config

2006-10-02 Thread Michael Schuh

Ahh,  thanks.
2006/9/29, Scott Ullrich <[EMAIL PROTECTED]>:

No, you need to look at the shellcmd.

On 9/29/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> Hi Scott,
>
> > Thanks for the patch.
> >
> > In terms of the command that you need to run on bootup, take a look at
> > 
http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=10&id=38&artlang=en
> thank you for the hint, but I don't understand the syntax correctly
> 
>   .
>   .
> 
> 
> 213.135.2.224/27
> 
> 
>  .
>  .
> 
>
> but I get an XML error in line 902 (last line in the XML file)
> must there be an  in proxyarp...?
>
> thanks
>
> cheers
>
> michael
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>








Re: [pfSense Support] there is an typo in the squid-config

2006-09-29 Thread Michael Schuh

Hi Scott,


Thanks for the patch.

In terms of the command that you need to run on bootup, take a look at
http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=10&id=38&artlang=en

thank you for the hint, but I don't understand the syntax correctly

 .
 .


213.135.2.224/27


.
.


but I get an XML error in line 902 (last line in the XML file)
must there be an  in proxyarp...?

thanks

cheers

michael




Re: [pfSense Support] there is an typo in the squid-config

2006-09-29 Thread Michael Schuh

Hi Scott,

a little bit late, but better than never.

Here are the two patches for the squid configs.

Back to my other question about proxy ARP
net.link.ether.inet.proxyall=1
Now I know that putting this setting in /etc/sysctl.conf does not make it permanent;
I have now put it in /boot/loader.conf, and hope that this is permanent
and gets loaded from boot on.

Otherwise, is it possible to add a switch in advanced settings,
disabled by default?

Our Internet link does not forward packets for other interfaces
whose ARP address it does not know, so after every reboot I must
set the setting again, otherwise our servers in the DMZ are not reachable
from the Internet.

Thanks for all.

cheers

michael


2006/9/28, Scott Ullrich <[EMAIL PROTECTED]>:

Yes, that should be correct.

On 9/28/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> Hi Scott,
>
> 2006/9/27, Scott Ullrich <[EMAIL PROTECTED]>:
> > Please provide a patch in diff -rub format.
> Hmm... see attachment *giggles*
>
> Yes, I must first upgrade to the new configuration or copy my config files;
> I have no backup made before I made the changes.
> Just to be sure:
>
> diff -rub  
>
> is this correct?
>
> thanks
>
> cheer michael :-D
> >
> > Thanks!
> >
> > On 9/27/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > i have found typos in squid's config files:
> > > /usr/local/pkg/squid.inc
> > > /usr/local/pkg/squid_cache.xml
> > >
> > > in the config GSDF is written, it should be GDSF,
> > > so the entry for heap management in squid.conf comes out
> > > wrong...
> > >
> > > the binary /usr/local/libexec/squid/pinger has wrong permissions
> > > so that we get an:
> > > == output from faq===
> > > pingerOpen: icmp_sock: (13) Permission denied
> > >
> > > This means your pinger program does not have root priveleges. You
> > > should either do this:
> > > % su
> > > # make install-pinger
> > > or
> > > # chown root /usr/local/squid/bin/pinger
> > > # chmod 4755 /usr/local/squid/bin/pinger
> > > ===end output from faq.===
> > >
> > > setting the
> > > chmod 4755 /usr/local/libexec/squid/pinger
> > >
> > > get the right behavior.
> > >
> > > i think this possibly interests you..
> > >
> > > thanks
> > >
> > > best regards
> > >
> > > michael
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>





patches_squid_config_pfsense.tgz
Description: GNU Zip compressed data
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
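The pinger fix above (chmod 4755), as an added example that is not part of squid or pfSense: a Python check that verifies the binary ended up setuid, owned by root, exactly mode 4755 and not writable by anyone else, and that lists every other setuid file in the same directory, since each setuid-root binary is attack surface that should be known and intended. The default path is the one named in the thread; build_sample() writes constructed stand-in files so the check can be run without a squid install.

```python
"""Verify a setuid helper such as squid's pinger and audit its directory.

Added example; not part of squid or pfSense. The thread fixes the pinger
with chmod 4755. This script checks that result (setuid bit set, owned by
root, not group- or world-writable, mode exactly 4755) and lists every
other setuid file in the same directory, since each setuid-root binary is
attack surface that should be known and intended. The default path is the
one the thread names; the files written by build_sample() are constructed.
"""
import os
import stat
import tempfile

PINGER = "/usr/local/libexec/squid/pinger"


def describe_file(path):
    """Permission facts about one file, as a dict."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "setuid": bool(mode & stat.S_ISUID),
        "owner_uid": st.st_uid,
        "mode": mode,
        "group_or_world_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
    }


def check_pinger(path=PINGER):
    """Return a list of problems; an empty list means the chmod 4755 fix holds."""
    info = describe_file(path)
    problems = []
    if not info["setuid"]:
        problems.append("setuid bit missing: pinger cannot open a raw ICMP socket")
    if info["owner_uid"] != 0:
        problems.append("owner is uid %d, not root: setuid does not grant root"
                        % info["owner_uid"])
    if info["group_or_world_writable"]:
        problems.append("group- or world-writable: whoever can write it runs as root")
    if info["mode"] != 0o4755:
        problems.append("mode is %o, expected 4755" % info["mode"])
    return problems


def find_setuid_files(path):
    """Regular files in path's directory (no recursion) carrying the setuid bit.

    path may be the directory itself or a file inside it.
    """
    directory = path if os.path.isdir(path) else os.path.dirname(path)
    found = []
    for name in sorted(os.listdir(directory)):
        candidate = os.path.join(directory, name)
        if os.path.islink(candidate) or not os.path.isfile(candidate):
            continue
        if os.stat(candidate).st_mode & stat.S_ISUID:
            found.append(candidate)
    return found


def build_sample(mode=0o4755):
    """Constructed stand-in for the pinger: an empty file in a fresh temp dir."""
    directory = tempfile.mkdtemp(prefix="pinger-check-")
    path = os.path.join(directory, "pinger")
    open(path, "w").close()
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    target = PINGER if os.path.exists(PINGER) else build_sample()
    for problem in check_pinger(target) or ["ok: %s" % target]:
        print(problem)
    for found in find_setuid_files(target):
        print("setuid:", found)
```

Run it as-is on a squid box to check the real file, or call check_pinger() on any path; a non-empty list is the list of things to fix. Where the file is not owned by root the setuid bit grants nothing and the check says so: chmod 4755 only helps after chown root, which is what the squid FAQ quoted above does first.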

Re: [pfSense Support] Configuration with Public IP DMZ

2006-09-28 Thread Michael Schuh

Hi,
2006/9/28, Holger Bauer <[EMAIL PROTECTED]>:

As the ftp server has a routed public IP, disable the ftp-helper at WAN (or keep it 
disabled, it is by default). Then all you need is firewall rules permitting tcp 
traffic from source any to destination  port 21 and 
additionally the port range that the ftp server uses. You don't need to 
port forward or NAT.

Yes, this is configured, except the other ports.
And yes, the other ports are my problem, but I'm not sure which ports
are to be opened. I have found a hint to 9500 to ,
the config doesn't say much about this... oh, I have found it, 49152-65535 on FBSD,
if I am right there...

Additionally I suggest enabling advanced outbound NAT. It will create a default 
NAT rule for your LAN subnet only. So NAT for the DMZ interface is shut down by 
this (which you don't need in your setup). This way it should work with the 
above described firewall rules.

i have also checked this, and there is no automagically created NAT rule.
I have made a NO NAT rule for the DMZ target, and an outbound NAT rule for
the whole internal private net except the DMZ subnet.
Here I'm not sure if the exception should cover the complete public IP range,
here 213.135.2.224/27


thanks for your help

cheers

michael


Holger

> -Original Message-----
> From: Michael Schuh [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 28, 2006 4:02 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Configuration with Public IP DMZ
>
>
> Hi,
>
> First, thanks for your work and hints, but
> I have seen the entries in the forum and FAQ, and this does not cover
> my problem.
> I think you have not really understood what I want, or better, I have
> not clearly enough described my problem.
>
> Our ftp-server is on a public IP address (our complete DMZ),
> so that I have to make no NAT on DMZ interfaces/addresses.
> The solution that you have described is only really valid on
> private addresses on the DMZ like 192.168.1.24 or so (I think).
>
>   WAN DMZ  LAN
> 213.135.2.225/28---213.135.2.240/28--192.168.1.0
>
> And therefore I can not change our public IP addresses
> (on the servers), like changing them to private, to operate with the known
> configuration as described by you and the entries in the forum.
>
> Possibly I think too strangely for this configuration
> (this may result from iptables and other config strategies).
>
> I would only redirect connects incoming on the WAN/LAN interface for
> DMZ IP 247, port = ftp,
> but not all connects on the WAN IP to port = ftp! This is
> important because
> we would later run a second ftp-server or so, and with the
> described solution
> this is impossible, or I must eventually spend a second virtual IP
> from my WAN net.
>
> I hope you and the others understand what I would like to get.
>
>
> thanks for all
>
> regards
>
> michael
>
> 2006/9/28, Holger Bauer <[EMAIL PROTECTED]>:
> > This is extensively covered at the forum and there even is
> > a faq entry at faq.pfsense.com (I think).
> >
> > However, quick guide:
> > - Delete all NAT/firewall rules you created for the
> > ftp server (most likely wrong as it doesn't work) to start over.
> > - at interfaces>wan enable ftp helper
> > - at firewall>nat, portforward create a portforward:
> > interface WAN, interface address, port 21, destination
> > , port 21
> > - save (note the text in the apply message that it created
> > a rule for the ftp-helper)
> > - apply
> >
> > That's it
> >
> > Holger
> >
> > -----Original Message-----
> > From: Michael Schuh [mailto:[EMAIL PROTECTED]
> > Sent: Thu 28.09.2006 12:28
> > To: support@pfsense.com
> > Cc:
> > Subject: [pfSense Support] Configuration with Public IP DMZ
> >
> >
> >
> > Hi,
> >
> > I have taken pfSense into production use yesterday
> > (SNAPSHOT from 2006-09-26).
> > My configuration is
> > wan public.226/28
> > DMZ public.241/28
> > lan privateip/24
> >
> > Now I have the problem that my config for FTP-proxying
> > our ftp-server
> > is probably wrong. I can connect to the FTP, but it
> > passes only
> > one type of FTP connect (active or passive, I'm not sure).
> >
> > I say our ftp server is on public.247, so I must redirect all
> > ftp connects to the ftp-proxy-helper, but I'm not sure how.
> >
> > I have disabled the automatic NAT rules, and need
> > also the right
> > rules for outbound ftp sessions.
> > at t
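The rule set Holger describes (port 21 plus the passive data range on the DMZ server, FTP helper off, no NAT) only does its job if the data port the server announces in its PASV reply actually lies inside the opened range. The shell script below is an added example, not from this thread or from pfSense: it parses a constructed PASV reply and checks the announced host and port against the thread's DMZ address and the 49152-65535 range the poster mentions for FreeBSD (assumed here to be the server's configured passive range).

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Checks whether the
# data connection a PASV reply announces would pass a rule set that opens
# port 21 plus a fixed passive range on the DMZ FTP server, with the FTP
# helper disabled and no NAT. The server address is the thread's; the
# passive range is the poster's FreeBSD figure (assumed to be what the
# server is configured to use); the PASV replies are constructed.

FTP_SERVER="213.135.2.247"
PASV_FIRST=49152
PASV_LAST=65535

# pasv_parse REPLY -> prints "h1.h2.h3.h4 PORT" from a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply; PORT = p1*256+p2.
# Returns 1 when the reply does not carry six comma-separated numbers.
pasv_parse() {
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    set -- $fields
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# data_allowed HOST PORT -> 0 when the data connection fits the rules:
# the announced host must be the DMZ server itself (a reply naming another
# host is a misconfiguration, or a reply altered in transit) and the port
# must lie inside the opened passive range.
data_allowed() {
    [ "$1" = "$FTP_SERVER" ] || return 1
    [ "$2" -ge "$PASV_FIRST" ] && [ "$2" -le "$PASV_LAST" ]
}

# check_pasv REPLY -> prints "allowed HOST:PORT" or "blocked HOST:PORT";
# returns 0 or 1 accordingly, 2 for an unparseable reply.
check_pasv() {
    parsed=$(pasv_parse "$1") || { echo "unparseable PASV reply" >&2; return 2; }
    set -- $parsed
    if data_allowed "$1" "$2"; then
        echo "allowed $1:$2"
        return 0
    fi
    echo "blocked $1:$2"
    return 1
}

# Constructed replies: 193*256+64 = 49472 is inside the range, 4*256+1 = 1025 is not.
check_pasv "227 Entering Passive Mode (213,135,2,247,193,64)."    # allowed 213.135.2.247:49472
check_pasv "227 Entering Passive Mode (213,135,2,247,4,1)." || :  # blocked 213.135.2.247:1025
```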

Re: [pfSense Support] Configuration with Public IP DMZ

2006-09-28 Thread Michael Schuh

Hi,

First, thanks for your work and hints, but
I have seen the entries in the forum and FAQ, and this does not cover my problem.
I think you have not really understood what I want, or better, I have
not clearly enough described my problem.

Our ftp-server is on a public IP address (our complete DMZ),
so that I have to make no NAT on DMZ interfaces/addresses.
The solution that you have described is only really valid on
private addresses on the DMZ like 192.168.1.24 or so (I think).

 WAN DMZ  LAN
213.135.2.225/28---213.135.2.240/28--192.168.1.0

And therefore I can not change our public IP addresses
(on the servers), like changing them to private, to operate with the known
configuration as described by you and the entries in the forum.

Possibly I think too strangely for this configuration
(this may result from iptables and other config strategies).

I would only redirect connects incoming on the WAN/LAN interface for
DMZ IP 247, port = ftp,
but not all connects on the WAN IP to port = ftp! This is important because
we would later run a second ftp-server or so, and with the described solution
this is impossible, or I must eventually spend a second virtual IP
from my WAN net.

I hope you and the others understand what I would like to get.


thanks for all

regards

michael

2006/9/28, Holger Bauer <[EMAIL PROTECTED]>:

This is extensively covered at the forum and there even is a faq entry at
faq.pfsense.com (I think).

However, quick guide:
- Delete all NAT/firewall rules you created for the ftp server (most likely wrong
as it doesn't work) to start over.
- at interfaces>wan enable ftp helper
- at firewall>nat, portforward create a portforward: interface WAN, interface address,
port 21, destination , port 21
- save (note the text in the apply message that it created a rule for the
ftp-helper)
- apply

That's it

Holger

-----Original Message-----
From: Michael Schuh [mailto:[EMAIL PROTECTED]
Sent: Thu 28.09.2006 12:28
To: support@pfsense.com
Cc:
Subject: [pfSense Support] Configuration with Public IP DMZ



Hi,

I have taken pfSense into production use yesterday
(SNAPSHOT from 2006-09-26).
My configuration is
wan public.226/28
DMZ public.241/28
lan privateip/24

Now I have the problem that my config for FTP-proxying our ftp-server
is probably wrong. I can connect to the FTP, but it passes only
one type of FTP connect (active or passive, I'm not sure).

I say our ftp server is on public.247, so I must redirect all
ftp connects to the ftp-proxy-helper, but I'm not sure how.

I have disabled the automatic NAT rules, and need also the right
rules for outbound ftp sessions.
At the time I have configured outbound NAT only for
our private net except the DMZ net.

Another question is about /etc/sysctl.conf. I have made
an entry for proxyarp, because our interconnect disconnects the
DMZ net if they get no ARP addresses (for me this is bullshit, a
security leak),
but it doesn't work otherwise.
Does /etc/sysctl get mangled or changed by an update? If so, is there
another possibility to change net.link.ether.inet.proxyall to 1?
(default 0).

thanks a lot

thank a lot

regards

michael




[pfSense Support] Configuration with Public IP DMZ

2006-09-28 Thread Michael Schuh

Hi,

I have taken pfSense into production use yesterday
(SNAPSHOT from 2006-09-26).
My configuration is
wan public.226/28
DMZ public.241/28
lan privateip/24

Now I have the problem that my config for FTP-proxying our ftp-server
is probably wrong. I can connect to the FTP, but it passes only
one type of FTP connect (active or passive, I'm not sure).

I say our ftp server is on public.247, so I must redirect all
ftp connects to the ftp-proxy-helper, but I'm not sure how.

I have disabled the automatic NAT rules, and need also the right
rules for outbound ftp sessions.
At the time I have configured outbound NAT only for
our private net except the DMZ net.

Another question is about /etc/sysctl.conf. I have made
an entry for proxyarp, because our interconnect disconnects the
DMZ net if they get no ARP addresses (for me this is bullshit, a security leak),
but it doesn't work otherwise.
Does /etc/sysctl get mangled or changed by an update? If so, is there
another possibility to change net.link.ether.inet.proxyall to 1?
(default 0).

thank a lot

regards

michael




Re: [pfSense Support] there is an typo in the squid-config

2006-09-28 Thread Michael Schuh

Hi Scott,

2006/9/27, Scott Ullrich <[EMAIL PROTECTED]>:

Please provide a patch in duff -rub format.

Hmm... see attachment *giggles*

Yes, I must first upgrade to the new configuration or copy my config files;
I have made no backup before I made the changes.
Just to be sure:

diff -rub  

is this correct?

thanks

cheers, michael :-D


Thanks!

On 9/27/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have found typos in squid's config files:
> /usr/local/pkg/squid.inc
> /usr/local/pkg/squid_cache.xml
>
> in the config GSDF is written, should be GDSF,
> so the entry for heap management in squid.conf
> becomes wrong...
>
> the binary /usr/local/libexec/squid/pinger has wrong permissions
> so that we get an:
>
> == output from faq===
> pingerOpen: icmp_sock: (13) Permission denied
>
> This means your pinger program does not have root priveleges. You
> should either do this:
> % su
> # make install-pinger
> or
> # chown root /usr/local/squid/bin/pinger
> # chmod 4755 /usr/local/squid/bin/pinger
> ===end output from faq.===
>
> setting the
> chmod 4755 /usr/local/libexec/squid/pinger
>
> get the right behavior.
>
> I think this possibly interests you..
>
> thanks
>
> best regards
>
> michael
>

Re: [pfSense Support] Re: Solved :howt to remove access Controls from squid?

2006-09-27 Thread Michael Schuh

I think he has forgotten to change the Subject :-)
2006/9/27, Bill Marquette <[EMAIL PROTECTED]>:

What does that have to do with the topic of this thread?

--Bill

On 9/27/06, Augusto Jobim Badaraco <[EMAIL PROTECTED]> wrote:
> Hi ...
> How can i use the spamassassin solution of Pfsense with my actual Postfix
> Server?
>
>
> Thanks
>
>



[pfSense Support] there is an typo in the squid-config

2006-09-27 Thread Michael Schuh

Hi,

I have found typos in squid's config files:
/usr/local/pkg/squid.inc
/usr/local/pkg/squid_cache.xml

in the config GSDF is written, should be GDSF,
so the entry for heap management in squid.conf
becomes wrong...

the binary /usr/local/libexec/squid/pinger has wrong permissions
so that we get:

== output from faq===
pingerOpen: icmp_sock: (13) Permission denied

This means your pinger program does not have root priveleges. You
should either do this:
   % su
   # make install-pinger
or
   # chown root /usr/local/squid/bin/pinger
   # chmod 4755 /usr/local/squid/bin/pinger
===end output from faq.===

setting
chmod 4755 /usr/local/libexec/squid/pinger

gets the right behavior.

I think this possibly interests you..

thanks

best regards

michael
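As an added check (not the pfSense squid package's own code and not from this thread or its earlier reply), the shell functions below validate the cache_replacement_policy value in a squid.conf against the names Squid accepts, which catches the GSDF/GDSF typo, and test whether a pinger binary carries the root-owned setuid bit the FAQ fix requires; the sample squid.conf is constructed and the pinger path is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense squid package).
# Two checks for the problems the poster reports: a mistyped replacement
# policy in squid.conf and a pinger helper without the setuid-root bit.

# valid_policy VALUE -> 0 if VALUE is a policy Squid accepts for
# cache_replacement_policy. "heap GSDF" (the typo) is not one of them.
valid_policy() {
    case "$1" in
        lru|"heap GDSF"|"heap LFUDA"|"heap LRU") return 0 ;;
        *) return 1 ;;
    esac
}

# check_replacement_policy FILE -> prints "ok VALUE" or "bad VALUE" and
# returns 0/1; uses the first cache_replacement_policy directive in FILE.
check_replacement_policy() {
    value=$(sed -n 's/^[[:space:]]*cache_replacement_policy[[:space:]]\{1,\}//p' "$1" | head -n 1)
    if valid_policy "$value"; then
        echo "ok $value"
        return 0
    fi
    echo "bad $value"
    return 1
}

# check_pinger PATH -> 0 when PATH exists, is owned by root and has the
# setuid bit (mode 4xxx), which the raw ICMP socket needs; 1 otherwise,
# 2 if the file is missing. A setuid binary is a privilege boundary, so
# the owner check matters as much as the mode bit.
check_pinger() {
    [ -f "$1" ] || return 2
    [ -n "$(find "$1" -user root -perm -4000 -print 2>/dev/null)" ]
}

# Constructed squid.conf excerpt reproducing the typo from the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/squid.conf" <<'EOF'
cache_mem 64 MB
cache_replacement_policy heap GSDF
memory_replacement_policy heap GDSF
EOF

check_replacement_policy "$demo_dir/squid.conf" \
    || echo "fix: cache_replacement_policy heap GDSF"    # prints "bad heap GSDF"

# Path used by the pfSense package in the thread; absent on most hosts.
status=0
check_pinger /usr/local/libexec/squid/pinger || status=$?
case $status in
    0) echo "pinger: root-owned setuid, ok" ;;
    1) echo "pinger: wrong owner or missing setuid bit" ;;
    2) echo "pinger: not installed here" ;;
esac
rm -rf "$demo_dir"
```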




[pfSense Support] Re: Solved :howt to remove access Controls from squid?

2006-09-27 Thread Michael Schuh

I have found the entries...

thanks
2006/9/27, Michael Schuh <[EMAIL PROTECTED]>:

Hi everyone,

I had configured the squid access controls for a second network,
now I want to remove the entry.
After removing the entries I get an error message:

The following input errors were detected:

* '' is not a valid CIDR range

Is there a config file in the system that allows me to remove
the entries?

Removing the entries in squid.conf is not the solution?!

thanks for helping me

regards

michael






[pfSense Support] howt to remove access Controls from squid?

2006-09-27 Thread Michael Schuh

Hi everyone,

I had configured the squid access controls for a second network,
now I want to remove the entry.
After removing the entries I get an error message:

The following input errors were detected:

   * '' is not a valid CIDR range

Is there a config file in the system that allows me to remove
the entries?

Removing the entries in squid.conf is not the solution?!

thanks for helping me

regards

michael




Re: [pfSense Support] Does portforwarding not use aliases?

2006-09-26 Thread Michael Schuh

Hi Scott,

my update is in progress.

thank you for the hint.

Have I told you that pfSense is great? No? Now I have :-)
very great!

cheers

michael
2006/9/26, Michael Schuh <[EMAIL PROTECTED]>:

Hi Scott,

I have found the property that causes this error,
it was the local port field: if this field is empty the
described error message appears

thank you

cheers

michael
2006/9/26, Scott Ullrich <[EMAIL PROTECTED]>:
> On 9/26/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I would like to configure port forwarding with an aliased host address.
> > The aliased ports seem to work, but the aliased host IP doesn't work.
> > The interface gives me the correct completion, but if I press save I
> > get the error
> > message in the attachment.
>
> You are running an older version. Please update to the latest snapshot.
>
> http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-22-06/
>



Re: [pfSense Support] Does portforwarding not use aliases?

2006-09-26 Thread Michael Schuh

Hi Scott,

I have found the property that causes this error,
it was the local port field: if this field is empty the
described error message appears

thank you

cheers

michael
2006/9/26, Scott Ullrich <[EMAIL PROTECTED]>:

On 9/26/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I would like to configure port forwarding with an aliased host address.
> The aliased ports seem to work, but the aliased host IP doesn't work.
> The interface gives me the correct completion, but if I press save I
> get the error
> message in the attachment.

You are running an older version. Please update to the latest snapshot.

http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-22-06/




Re: [pfSense Support] UpperCase Letters won't work in Aliases w/ RC2

2006-09-26 Thread Michael Schuh

Hi,

I have solved this problem by a reboot; now I can't get the error message
again... it was an error message from a gettext() function call.

I have forgotten to tell you that my network setup wasn't correct at the time
that I got the error.
The error also comes if your network setup is wrong, because you
install and configure pfSense in the internal network for replacing
the old firewall.

I will inform you if I get the message again.

Thank you for your responsiveness.

regards

michael

2006/9/26, Holger Bauer <[EMAIL PROTECTED]>:

Can you paste the complete error you get? Also please try with the latest snap 
to reproduce this: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-22-06/

Holger

> -----Original Message-----
> From: Michael Schuh [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 26, 2006 2:50 PM
> To: support@pfsense.com
> Subject: [pfSense Support] UpperCase Letters won't work in Aliases w/
> RC2
>
>
>  Hi,
>
>  I try pfSense for the first time. And I find it great.
>  I have made a typo in alias names, so that I have
>  typed only uppercase letters like DMZ; after save
>  I get a gettext error message.
>
>  I hope this is of interest to you.
>
>  thanks
>
>  best regards
>
>  michael
>



[pfSense Support] UpperCase Letters won't work in Aliases w/ RC2

2006-09-26 Thread Michael Schuh

Hi,

I try pfSense for the first time. And I find it great.
I have made a typo in alias names, so that I have
typed only uppercase letters like DMZ; after save
I get a gettext error message.

I hope this is of interest to you.

thanks

best regards

michael




Re: [pfSense Support] Correct rules for DMZ? opt1

2006-09-26 Thread Michael Schuh

Hi,

it's me again.

Could this be caused by the interface having no carrier?
I configure the firewall offline, preconfiguring a
hot spare for replacing the old FW.

thanks


regards

michael

2006/9/26, Michael Schuh <[EMAIL PROTECTED]>:

Hi Bill,


Yes, an address is assigned.
Yes, this curiosity puzzles me also.
That was the reason for this posting.

cheers

michael
2006/9/26, Bill Marquette <[EMAIL PROTECTED]>:
> Does your DMZ interface actually have an address?  The destination
> field is curiously empty in your screenshot.
>
> --Bill
>
> On 9/26/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > It's me again; now I have a completely different error, if it is one.
> > I configure the rules for the DMZ interface (opt1) so that
> > the DMZ subnet is allowed to access the DMZ address on
> > any ports; the result is shown in the image in the attachment.
> >
> > An equivalent config for LAN does the right thing (lan_image)...
> >
> > thanks for your help.
> >
> > regards
> >
> >
> > michael
> >
> >



Re: [pfSense Support] Correct rules for DMZ? opt1

2006-09-26 Thread Michael Schuh

Hi Bill,


Yes, an address is assigned.
Yes, this curiosity puzzles me also.
That was the reason for this posting.

cheers

michael
2006/9/26, Bill Marquette <[EMAIL PROTECTED]>:

Does your DMZ interface actually have an address?  The destination
field is curiously empty in your screenshot.

--Bill

On 9/26/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> Hi,
>
> It's me again; now I have a completely different error, if it is one.
> I configure the rules for the DMZ interface (opt1) so that
> the DMZ subnet is allowed to access the DMZ address on
> any ports; the result is shown in the image in the attachment.
>
> An equivalent config for LAN does the right thing (lan_image)...
>
> thanks for your help.
>
> regards
>
>
> michael
>
>