Re: [pfSense Support] NAT Reflection States
I have the same issue with reflection and SSH. The session closes after about 20 seconds. I am using 1.2.1-RC1 built on Thu Oct 16 07:20:59 EDT 2008. Not a huge issue as I can connect directly to the internal IP in the DMZ but it would be nice.

Regards, Digger.

Dimitri Rodis wrote:
the -w param is in seconds according to http://www.securityforest.com/wiki/index.php/Netcat_-_Basic_Overview

Any other ideas as to why connections would be dropping/timing out like this?

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 18, 2008 3:52 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] NAT Reflection States

Check this out: http://cvstrac.pfsense.com/chngview?cn=18706
Comment: Default to nat-reflection inactivity of 2000 which is roughly 33 minutes.

lol, 2000=33 minutes? Can't be. I have an RDP session open to another server in the building here and it's timed out at least 6 times since you emailed me last.

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 18, 2008 3:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:40 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:
That's milliseconds, correct?

I believe that is seconds, actually (whatever the default nc uses -- netcat).

Scott

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] NAT Reflection States
My next scheduled outage is US Sunday night. I'll let you know how it goes after that.

Thanks, Digger.

Scott Ullrich wrote:
On Tue, Nov 18, 2008 at 7:10 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:
There are a ton of lines that look like this:

19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20

I guess we found the culprit then? Why is it using 20 as opposed to 2000?

It was a mistake / code duplication. Fixed now, please test next snapshot.

Scott
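The thread traces the dropped sessions to inetd entries that hand reflected connections to nc with `-w 20` (an idle timeout in seconds) instead of the intended 2000. The following is an added example, not pfSense code, that parses such entries and flags any whose timeout is below the expected value; the line shape follows the entry Dimitri quoted, and the sample lines, target addresses and the expected-timeout constant of 2000 (from the quoted commit comment) are assumptions for this example.

```python
"""Audit inetd.conf entries for NAT reflection nc daemons with short idle timeouts.

Added example; the sample configuration below is constructed, not captured
from a real pfSense box, and the ``/usr/bin/nc nc -w <secs> <target> <port>``
shape is taken from the line quoted in the thread.
"""
import re
from typing import Dict, List, Optional

# Idle timeout (seconds) the commit comment says reflection was meant to use.
EXPECTED_TIMEOUT = 2000

# Constructed sample: two entries with the buggy 20-second timeout, one with
# the intended 2000, and one unrelated inetd service that must be ignored.
SAMPLE_INETD_CONF = """\
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.0.2.10 22
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.0.2.11 3389
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.0.2.12 443
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
"""

# listen-port, stream tcp, nowait[/max], user, nc path, nc, -w secs, target, port
LINE_RE = re.compile(
    r"^(?P<port>\d+)\s+stream\s+tcp\s+nowait(?:/\d+)?\s+(?P<user>\S+)\s+"
    r"/usr/bin/nc\s+nc\s+-w\s+(?P<timeout>\d+)\s+(?P<target>\S+)\s+(?P<tport>\d+)\s*$"
)


def parse_reflection_entry(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of an nc-based reflection entry, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "listen_port": int(m["port"]),
        "user": m["user"],
        "timeout": int(m["timeout"]),  # nc -w is an idle timeout in seconds
        "target": m["target"],
        "target_port": int(m["tport"]),
    }


def find_short_timeouts(conf: str, expected: int = EXPECTED_TIMEOUT) -> List[Dict[str, object]]:
    """List reflection entries whose nc idle timeout is shorter than expected."""
    findings = []
    for line in conf.splitlines():
        entry = parse_reflection_entry(line)
        if entry and entry["timeout"] < expected:
            findings.append(entry)
    return findings
```

Run against a live box with `find_short_timeouts(open("/etc/inetd.conf").read())` to see which reflected ports will still drop idle sessions after 20 seconds.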
[pfSense Support] OpenVPN firewall rules
Hi, quick question, hopefully an easy one. I have an OpenVPN tunnel between 2 pfSense boxes and I wanted to create some firewall rules to only allow port 80, 443 and 22 down the tunnel and specifically ban samba shares and smtp. For PPTP there is a tab on the firewall rules to set these sorts of things up. Why isn't there a tab for tun0 and how can I achieve these firewall rules?

Thanks in advance.

Digger.
Re: [pfSense Support] alix (any version) on a CF harddisk - full version ?
It's funny you should mention this as I am in the middle of doing exactly the same thing with an ALIX board from http://www.yawarra.com.au/hw-alix2.php

I installed the 2GB CF card in a card reader on my PC and booted off the CD and installed pfSense onto the card. I then inserted the card in my very bright new ALIX appliance and everything appeared to go quite well but half way through the boot up it stopped and asked where my root partition was. It appears that /etc/fstab had different device names for my partitions. Instead of /dev/ad0s1a for / I had /dev/da0s1a. A quick edit of fstab and another reboot and everything started perfectly.

The end result is I can confirm that the full version does happily run on a CF card and ALIX board.

Regards, Digger.

Chris Buechler wrote:
On Wed, Jul 23, 2008 at 4:23 PM, Michel Servaes [EMAIL PROTECTED] wrote:
I want to buy an Alix (or Wrap), and plug in a CF Harddisk. Would it be possible to push a full version (instead of the embedded ?).

Yep. You have to use grub (check the box on the boot loader screen) to boot full installs on ALIX boards but they do work.
Re: AW: [pfSense Support] SSL VPN
It would be great if there were a clientless SSL VPN product like SSL-Explorer that used a Java applet for the client side but had the server written in something like C that would be far less resource intensive on the server and would run on pfSense. Does anyone know of such a beast?

Digger

Fuchs, Martin wrote:
Watchguard also has some SSL-VPN and I know the salesman entering the boss' office... But pfSense won... We use OpenVPN cause the boss looks at the bucks it costs... and that was the argument :-)

Try OpenVPN on pfSense... you'll love it...

Only thing with WatchGuard: it uses SSL-VPN via browser... some kind like SSL-Explorer... If your boss likes that, try the SSL-Explorer Community edition...

Regards, Martin

-Original Message-
From: Michel Servaes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 8 July 2008 21:57
To: support@pfsense.com
Subject: Re: [pfSense Support] SSL VPN

I totally agree with you, but you know what happens if an external IT man enters your office, and tells your boss that a solution like Juniper is better than anything else... So I am going to use your comments to discourage this kind of use... I still like to have control of what comes in, and what goes out.

I haven't enabled OpenVPN on my pfSense... I have no knowledge about OpenVPN. I only use IPSEC for endpoint to endpoint, and PPTP for mobile solutions, or colleagues who don't have an out-of-the-box VPN capable router at home.

Thank you for your response already ;)

RB wrote:
Does pfSense offer an alternative to the Juniper SSL VPN solutions ?

<rant>
It is unfortunate that Juniper seems to have somewhat subverted the meaning of the phrase SSL VPN. IMO, the nomenclature indicates a VPN that uses SSL for its authentication and encryption as opposed to, say, IKE and ESP. It has nothing to do with whether the technology is browser-based or not.

OpenVPN is a _very_ good SSL VPN implementation that requires no GUI components whatsoever, even though there are good GUI clients written for it. Furthermore, the clientless VPN solutions reduce the operator's control over the endpoints, degrading the overall security of the system. Some solutions attempt mitigating controls, but you can't change the fact that you're allowing rather arbitrarily secured machines to utilize your resources. Of course, if you don't plan to vet the systems clients will be using (when issuing certificates or the like), that doesn't matter much.
</rant>

That said, pfSense does not offer what you are looking for. Your best bet to implement precisely that would probably be to purchase a solution like SSL Explorer (still cheaper than a Juniper) and run it on a dedicated machine in a DMZ off of pfSense with limited access in/out.

RB