[pfSense Support] Firewall rules keep failing
Situation: I have a simple pfSense setup with a single pfSense 1.2.2 computer, 1 WAN interface, and 2 local interfaces - one named LAN (10.0.0.0/24), and the other Workshop (10.0.1.0/24). We have all sorts of computers, including infected PCs, connected to our Workshop interface, so there are firewall rules set up only to allow internet access from both local interfaces, and on the Workshop interface some simple rules allowing things like FTP access to our fileserver on the LAN interface. We want no other access between subnets. We also have squid installed in transparent mode listening on the Workshop interface only; the lightsquid, pubkey and phpsysinfo packages are also installed. The box was recently updated from 1.2 to 1.2.2 using its inbuilt update feature.

Problem: Following a reboot all this seems to work correctly, but as soon as I make any configuration updates all rules between local subnets seem to fail and, as far as I can tell, there is full access from computers on the Workshop interface to all PCs on the LAN interface.

I have tried: Enabling logging on rules to try to identify a malfunctioning rule. I ended up with logging enabled on every rule, on all interfaces. Pinging and HTTP between subnets was working but no relevant log entries were logged. A further reboot seems to fix things, again until I have to make a further change.

I can't trust a firewall that does this, and I can't reboot every time I make a change. Help!

PS: anyone know why the registration system on the pfSense forum won't send activation emails - so I can't register?

Graeme Evans
Technical Manager
KCS Computer Solutions
e: graeme.ev...@kcssolutions.co.uk
w: www.kcssolutions.co.uk
t: 017687 75526
f: 017687 75636
a: Packhorse Court, Keswick, Cumbria, CA12 5JB

Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered in England & Wales) Company Number: 4533301 VAT Number: GB734 732 432

This email and any attachments are confidential. It may contain privileged information and is intended for the named recipient(s) only. It must not be distributed without consent. If you are not one of the intended recipients, please notify the sender immediately and do not disclose, distribute, or retain this email or any part of it. Unless expressly stated, opinions in this email are those of the individual sender, and not of Keswick Computer Services Ltd. Legally binding obligation can only arise for, or be entered into on behalf of, Keswick Computer Services Ltd by duly authorised representatives. Keswick Computer Services Ltd excludes any liability whatsoever for any offence caused, any direct or consequential loss arising from the use, or reliance on, this e-mail or its contents. We believe but do not warrant that this e-mail and any attachments are virus free. You must therefore take full responsibility for virus checking. Keswick Computer Services Ltd reserve the right to scan all e-mail communications through its network.
Re: [pfSense Support] Firewall rules keep failing
Might be a silly question... but you are clicking on the Apply changes button, right?

Regarding the forums, I had to resend the activation email two times until I got it in my inbox.

Regards.

On Fri, Apr 17, 2009 at 5:15 AM, Graeme Evans graeme.ev...@kcssolutions.co.uk wrote:
> Situation: I have a simple pfSense setup with a single pfSense 1.2.2 computer, 1 WAN interface, and 2 local interfaces [...] Following a reboot all this seems to work correctly but as soon as I make any configuration updates all rules between local subnets seem to fail [...]

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Firewall rules keep failing
Thanks, and yes, I am applying changes. It seems to be that action (reloading the firewall rules) that causes the problem.

I don't know too much about the BSD internals of pfSense, but I have been using it for a while (and m0n0wall for embedded applications) and am reasonably familiar with how it is supposed to work, which is why I'm a little frustrated by this problem. I am thinking of rebuilding the system from fresh and configuring it again; it's not a very complex setup.

Graeme Evans

-----Original Message-----
From: Jaime Díaz [mailto:jnd...@gmail.com]
Sent: 17 April 2009 14:20
To: support@pfsense.com
Subject: Re: [pfSense Support] Firewall rules keep failing

> Might be a silly question... but you are clicking on the Apply changes button, right?
Re: [pfSense Support] Firewall rules keep failing
On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans graeme.ev...@kcssolutions.co.uk wrote:
> [...] We want no other access between subnets. We also have squid installed in transparent mode listening on the Workshop interface only, lightsquid, [...]

If you uninstall squid does it change? If traffic isn't getting logged and you have logging on all your firewall rules, squid has to be picking it up. There are a number of potential consequences of the squid packages; this may be one.
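One way to turn the diagnostic above into a repeatable check, as an added example that is not from this thread or from the pfSense project: snapshot the loaded pf ruleset before and after clicking Apply changes and verify that the Workshop-to-LAN block rule is still present. On the box itself the snapshots would come from `pfctl -sr`; the two rulesets below are constructed samples in that output style, and the interface name rl1, the rule labels and the fileserver address 10.0.0.5 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Compare two snapshots of the loaded pf ruleset and report whether the
# Workshop -> LAN isolation rule survived a filter reload.
# On a real pfSense box the snapshots would be taken with:
#   pfctl -sr > /tmp/rules.after_reboot   (known-good baseline)
#   pfctl -sr > /tmp/rules.after_apply    (after "Apply changes")
# Here both are constructed samples written in pfctl -sr style.

WORKSHOP_NET="10.0.1.0/24"   # from the thread
LAN_NET="10.0.0.0/24"        # from the thread

# has_block_rule FILE: succeeds if FILE holds a block rule from Workshop to the LAN net
has_block_rule() {
    grep -Eq "^block .* from ${WORKSHOP_NET} to ${LAN_NET}( |$)" "$1"
}

# count_pass_rules FILE: number of pass rules that allow Workshop -> the whole LAN net
count_pass_rules() {
    grep -Ec "^pass .* from ${WORKSHOP_NET} to ${LAN_NET}( |$)" "$1"
}

# check_isolation BASELINE AFTER: print a verdict; return 1 if isolation drifted
check_isolation() {
    if ! has_block_rule "$1"; then
        echo "baseline has no Workshop->LAN block rule; fix the ruleset first"
        return 1
    fi
    if ! has_block_rule "$2"; then
        echo "DRIFT: Workshop->LAN block rule missing after reload"
        return 1
    fi
    if [ "$(count_pass_rules "$2")" -gt "$(count_pass_rules "$1")" ]; then
        echo "DRIFT: new Workshop->LAN pass rule appeared after reload"
        return 1
    fi
    echo "ok: Workshop->LAN block rule survived the reload"
}

# --- constructed sample snapshots (assumed interface rl1, labels and 10.0.0.5) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_BASELINE="$SAMPLE_DIR/rules.after_reboot"
SAMPLE_AFTER_APPLY="$SAMPLE_DIR/rules.after_apply"

# Known-good ruleset: FTP to the fileserver, block everything else to LAN, then internet
cat >"$SAMPLE_BASELINE" <<'EOF'
pass in quick on rl1 inet proto tcp from 10.0.1.0/24 to 10.0.0.5 port = ftp flags S/SA keep state label "USER_RULE: FTP to fileserver"
block drop in log quick on rl1 inet from 10.0.1.0/24 to 10.0.0.0/24 label "USER_RULE: block Workshop to LAN"
pass in log quick on rl1 inet from 10.0.1.0/24 to any flags S/SA keep state label "USER_RULE: Workshop internet"
EOF

# Same ruleset with the block rule gone, modelling the symptom the thread describes
cat >"$SAMPLE_AFTER_APPLY" <<'EOF'
pass in quick on rl1 inet proto tcp from 10.0.1.0/24 to 10.0.0.5 port = ftp flags S/SA keep state label "USER_RULE: FTP to fileserver"
pass in log quick on rl1 inet from 10.0.1.0/24 to any flags S/SA keep state label "USER_RULE: Workshop internet"
EOF

check_isolation "$SAMPLE_BASELINE" "$SAMPLE_BASELINE"
check_isolation "$SAMPLE_BASELINE" "$SAMPLE_AFTER_APPLY" || :
```

The check looks only at the filter rules; a transparent proxy also installs a redirect in the NAT table, so a complete comparison would snapshot `pfctl -sn` as well and diff it the same way.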
Re: [pfSense Support] Firewall rules keep failing
On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans graeme.ev...@kcssolutions.co.uk wrote:
> PS: anyone know why the registration system on the pfSense forum won't send activation emails - so I can't register?

Oh, and I looked for your email address on the forum and it isn't there. If you let me know offlist what you registered under I can manually activate you.

Between the mailing lists and forum email, our mail server sends out a ton of mail; we tend to get wrongly blocked as spammers quite a bit. Unfortunately backscatter is an issue, with people trying to spam the mailing list from spoofed addresses which then get the "you are not subscribed and cannot post" bounce back, which I'm sure contributes to the occasional blocking. There isn't a good alternative.
RE: [pfSense Support] Firewall rules keep failing
Chris,

Seems you may be on to something. I have removed Squid and what was a very reproducible issue doesn't _seem_ to be happening. I had thought about that but dismissed it, as it was affecting ICMP/ping, TCP/FTP and other traffic which I didn't think squid would interfere with.

However, now I have another problem. It's most important to have the security, but squid saves us hours of time and gigs of bandwidth a day by caching updates for all the PCs that come through our workshop. Really could do with it installed and still have the intended security. I guess I could have a second pfSense box caching within the workshop segment, but it shouldn't be needed.

Graeme Evans

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: 17 April 2009 15:36
To: support@pfsense.com
Subject: Re: [pfSense Support] Firewall rules keep failing

> If you uninstall squid does it change? If traffic isn't getting logged and you have logging on all your firewall rules, squid has to be picking it up. There are a number of potential consequences of the squid packages; this may be one.
RE: [pfSense Support] Firewall rules keep failing
Chris,

The address I tried to register on the forum is gra...@initi.co.uk

Graeme Evans

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: 17 April 2009 15:45
To: support@pfsense.com
Subject: Re: [pfSense Support] Firewall rules keep failing

> Oh, and I looked for your email address on the forum and it isn't there. If you let me know offlist what you registered under I can manually activate you.
Re: [pfSense Support] Firewall rules keep failing
You can easily install a dedicated squid box (not a pfSense box running squid) in your network and accomplish the same goals.

Graeme Evans wrote:
> Seems you may be on to something. I have removed Squid and what was a very reproducible issue doesn't _seem_ to be happening. [...] Really could do with it installed and still have the intended security. I guess I could have a second pfSense box caching within the workshop segment, but it shouldn't be needed.