1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ
    @jucelio_rosa Squid has been updated upstream were just waiting for it to be merged here. All the issues security concerns etc have been fixed upstream. Per email from Squid community.. "The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-7.3 release! This release is, we believe, stable enough for general production use. We encourage all users of any previous version of Squid to upgrade to it. It can be downloaded from GitHub, at https://github.com/squid-cache/squid/releases/tag/SQUID_7_3 The main change since version 7.2 is the fix for regression bug 5520 "host or domain with leading digits rejected with ERR_INVALID_URL", along with a handful of other improvements and fixes. Please remember to run "squid -k parse" when testing the upgrade to a new version of Squid. It will audit your configuration files and report any identifiable issues the new release will have in your installation before you "press go". If you encounter any issues with this release please file a bug report at https://bugs.squid-cache.org/" This software works so good big tech hates when its used...HATES it it's light a giant flashlight on privacy abuses, it like gives Google a heart attack when its running so I assume it will be updated here eventually

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @vicking said in No blocks on IP: Is it a bad idea to have the action set to deny both instead of inbound only? Question is squarely for admin. Per the infoblock which explains, in part, the "Deny Inbound", "Deny Outbound", and "Deny Both" actions: 'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are: Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction. One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction. In other words: When set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However a LAN host can still establish state to an otherwise listed IP. If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state. If set to "Deny Both", both incoming connection requests and outbound connections requests are blocked and therefore no state will be created regardless of connection direction.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    F
    @dennypage I tested it with a new UPS and I no longer have the problem. It was the UPS that wasn't working properly. Thanks for your help.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    C
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.

  • Discussions about WireGuard

    715 Topics
    4k Posts
    A
    Hi again @patient0, Sorry to bother, already added but still the same issue. [image: 1762785278179-0c2b7578-b3d2-481e-9804-2c7cd634a2e2-image.png] Laptop can ping the server in the pfsense network but not the Wireguard [image: 1762785316328-f4f57aeb-7c80-407c-a0b4-ba74bffb0714-image.png] [image: 1762785345259-7c6ef05c-9b95-4efb-9537-25772867ad7e-image.png] Also, Server cannot ping the laptop but can ping the wireguard: [image: 1762785528200-ddfceaf9-4883-4190-840d-a3e31e522e47-image.png] Any more suggestions? Thank you,
Log in to post
Load new posts
  • M

    LCDproc

    5
    0 Votes
    5 Posts
    1k Views
    M
    :) Thank you
  • F

    Platform 2.2 & Packages that dose not work

    7
    0 Votes
    7 Posts
    1k Views
    K
    Yeah - I know.  Thats what I told my friend and theat what he told the customers and yet…. They keep whining for it.
  • U

    FreeRadius 2 not working: error code when running test command

    3
    0 Votes
    3 Posts
    2k Views
    U
    It was on an amd64 box. But my friend did some tinkering with it and got it working.
  • T

    Growl in 2.2 rc

    2
    0 Votes
    2 Posts
    750 Views
    T
    Test button works but not seen any alerts from pfsense yet.
  • G

    {SOLVED} Unable to communicate with packages.pfsense.org?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • P

    Snort adding multiple cron entries which expire blocked IPs too early

    8
    0 Votes
    8 Posts
    1k Views
    B
    Thx, for the fix!  :) Now, let´s wait for the pfSense Team. :-P
  • M

    Snort wont start

    15
    0 Votes
    15 Posts
    2k Views
    bmeeksB
    I posted a Pull Request today that adds some additional validation checks on IP addresses and subnets when creating the HOME_NET and PASS LIST values for Snort.  Hopefully this corrects the issue with only a single forward slash ( "/" ) getting into HOME_NET and/or PASS LISTS. Here is a link to the Pull Request:  https://github.com/pfsense/pfsense-packages/pull/805 Bill
  • T

    Guide to configure squid, squidguard, https?

    38
    0 Votes
    38 Posts
    9k Views
    M
    Some help please :)
  • J

    Pfblocker packets (hits) counter has gone up since 2.2 update (multiplier added)

    21
    0 Votes
    21 Posts
    3k Views
    C
    pfBlocker has been removed, and replaced by pfBlockerNG for 2.2. It's in the package system if you want to install it
  • S

    SNORT not blocking/reporting to Snort widget if

    2
    0 Votes
    2 Posts
    659 Views
    bmeeksB
    @Supermule: Snort is not blocking/reporting to widget if WAN IP REP is enabled. It is started and returning nothing Any idea to why?? Do you have IP REP files downloaded and then assigned on the WAN interface?  The files should show up under the IP LISTS tab (on the top row of tabs).  Then on the WAN tabs (lower tab row) you assign particular files to the interface on the IP REP tab.  Once you make the assignments, Snort will need restarting on that interface. I have the ET-Open rules "emerging-compromised-ips.txt" list assigned to my WAN, and I am getting blocks.  Just had a few in the last couple of hours.  The alert text will this:  (spp_reputation) packets blacklisted and the GID:SID is 136:1. Bill
  • bmeeksB

    Suricata 2.0.6 update coming soon – but only for pfSense 2.2

    3
    0 Votes
    3 Posts
    1k Views
    bmeeksB
    This update was merged this morning and should appear for pfSense 2.2 users only as mentioned in the release notice above.  Go to System > Packages > Installed Packages and the update should be showing as available. NOTE:  this update and future Suricata updates will only be available for pfSense 2.2 and above due to changes in the Suricata source code that break compiling a package on pfSense 2.1.x. Bill
  • F

    Great pFsense 2.2 and squid3

    1
    0 Votes
    1 Posts
    834 Views
    No one has replied
  • N

    Can't start Clamd antivirus - Squid3

    4
    0 Votes
    4 Posts
    2k Views
    N
    @firefox: i did not see this packages in the packages manger ? clamd c-icap where this from ? it is automaticly installed with squid3
  • A

    Ntopng - regular errors

    6
    0 Votes
    6 Posts
    2k Views
    C
    Thanks!
  • T

    Bandwidth monitor

    1
    0 Votes
    1 Posts
    944 Views
    No one has replied
  • A

    Squid HTTPS/SSL killing Cisco VPN client connection

    11
    0 Votes
    11 Posts
    3k Views
    C
    A couple links on how its works and such… They are different but same concept https://mitmproxy.org/doc/index.html http://docs.diladele.com/faq/squid/index.html
  • ?

    Snort in promiscuous mode does not block automatically

    10
    0 Votes
    10 Posts
    3k Views
    bmeeksB
    @peridian: Doh!  Figured it out. @bmeeks: In this case, the bad IP (the source IP in this alert) was blocked so no further communication can happen there. You would think, however looking at the logs I realised that squid was operating on that interface in transparent mode.  snort was generating the block for the external IP, but squid was returning a cached copy of the content, which made it look to the client like the connection had still worked. @bmeeks: If so, you will need to define a custom PASS LIST, uncheck the option to include local networks, then manually assign the list to the VLAN interface (or the LAN interface) and restart Snort. Excellent, thank you for that, it achieved exactly the result I was looking for.  I don't know how I ever got snort to produce blocks originally if I didn't know to do this, but it is now behaving as expected, and with squid still enabled on the interface. Thank you for all your help, it's very much appreciated. Regards, Rob. Glad you got it figured out.  Unless you are worried about your internal VLAN hosts being a source of and spreading some malware, I don't understand why you want their IP addresses blocked at the firewall as well.  Simply blocking the other end of the offending traffic stream is protection enough for the victim host.  I'm assuming you are running this in a home setup.  As an example, assume your PC browses to a web site and some rogue ad content on the site causes Snort to fire an alert and insert a block.  If you let it block both the bad web site AND your own PC's address, then you can find yourself locked out of the firewall (at least from your PC).  Isn't it sufficient that just the far-end rogue source or destination be blocked? Bill
  • K

    Squid 3.3.x how to install ?

    7
    0 Votes
    7 Posts
    1k Views
    W
    One more question.  How do I add CA certs that I manage to squid itself?
  • T

    Clear out all old config from package

    9
    0 Votes
    9 Posts
    4k Views
    T
    @marcelloc: @Trel: If I edit a backup xml file, and remove the appropriate settings, and then restore it, does anything I removed get wiped off of pfsense or would the package gui config persist still? Will be removed. Keep in mid that full config restore forces a reboot and package reinstall. Ok, this looks like the best option anyway.  I should be good then.
  • J

    Is pfBlocker safe to use with 2.2?

    13
    0 Votes
    13 Posts
    3k Views
    marcellocM
    @j@svg: Got it. So, basically wait for NG…. :( There is a manual install steps on pfblockerng thread but I'll send pull request to remove pfblocker and enable pfblockerng on 2.2
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.