Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pgblockerng aliases in Haproxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron job.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts

    @wbmstr2000 : Thanks! I will investigate it, greetings

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    johnpoz

    @MacUsers

    https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation

    edit: oh, you're prob out of luck

    You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates.

    the gui in pfsense does not have the ability to revoke - you prob have to move the certs to something you have certbot installed to and revoke that way.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    88 Topics
    573 Posts
    luckman212

    For 25.07 RC, this worked for me (run sh first)

    [25.07-RC][root@r1.lan]/root: sh
    # export IGNORE_OSVERSION=yes
    # pkg add https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2.pkg
    # service tailscaled restart
    # tailscale up
    # tailscale version
    1.84.2
      go version: go1.24.4
    # tailscaled -version
    1.84.2
      go version: go1.24.4

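
    A hardened variant of that install, added here as an example and not taken from the post: the package is downloaded to a file and its SHA256 is compared with a digest you pinned beforehand, because pkg add installs a package file without any repository signature check, and IGNORE_OSVERSION=yes additionally switches off pkg's FreeBSD_version compatibility check, so the digest comparison is the only integrity control left. The URL is the one from the post; PKG_SHA256 is a placeholder you must fill in from the repository catalog or another source you trust.

```shell
#!/bin/sh
# Added example (not the poster's commands): fetch, verify, then install.

PKG_URL="https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2.pkg"
PKG_SHA256="<pinned digest here>"   # placeholder, not a real value

# Hex SHA256 of a file, using FreeBSD's sha256(1) or coreutils sha256sum.
pkg_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest equals the expected one (case-insensitive),
# 1 otherwise; an empty expected digest never verifies.
verify_pkg() {
    actual=$(pkg_digest "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Download to a temp file, refuse to install on mismatch, otherwise run the
# same pkg add / service restart sequence as the post.
install_pinned_pkg() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/tailscale.XXXXXX")
    fetch -o "$tmp" "$PKG_URL" 2>/dev/null || curl -fsSL -o "$tmp" "$PKG_URL"
    if ! verify_pkg "$tmp" "$PKG_SHA256"; then
        echo "digest mismatch for $PKG_URL, refusing to install" >&2
        rm -f "$tmp"
        return 1
    fi
    IGNORE_OSVERSION=yes pkg add "$tmp" && rm -f "$tmp"
    service tailscaled restart
}

# On the firewall, after filling in PKG_SHA256:  install_pinned_pkg
```

    The digest only proves the file is the one you pinned; it says nothing about whether a FreeBSD 15 build of tailscaled is appropriate for the kernel pfSense ships, which is exactly the check IGNORE_OSVERSION bypasses.
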
  • Discussions about WireGuard

    689 Topics
    4k Posts

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • Help me get NTP fixed up properly!

    0 Votes
    8 Posts
    11k Views
    johnpoz

    Thanks for fixing that up for the next guy.. But I only have ntp listening on my lan.. But yeah, that looks like a better setup for someone who might have opened it up to the public internet, sort of thing.
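
    An added check, not from the thread: the ntpd directives that matter for the "opened it up to the public internet" case are the restrict default lines. Without noquery, ntpd answers mode 6/7 control queries (the monlist amplification vector) from any source; nomodify, notrap, nopeer and kod are the other flags a public-facing ntpd is normally expected to carry. The script below audits a config file for those flags and is exercised on two constructed sample configs. It assumes pfSense writes its generated config to /var/etc/ntpd.conf; adjust the path for other systems.

```shell
#!/bin/sh
# Added example: audit "restrict default" lines in an ntpd configuration.

# Emit the default restriction lines (IPv4 and IPv6 are separate), comments removed.
ntp_default_lines() {
    sed 's/#.*//' "$1" |
    awk '$1=="restrict" && ($2=="default" || (($2=="-4"||$2=="-6") && $3=="default"))'
}

# For every default restriction line, print each required flag it lacks.
ntp_missing_flags() {
    ntp_default_lines "$1" | while IFS= read -r line; do
        for flag in kod nomodify notrap nopeer noquery; do
            case " $line " in
                *" $flag "*) ;;
                *) printf '%s: missing %s\n' "$line" "$flag" ;;
            esac
        done
    done
}

# 0 = hardened, 1 = a default line is missing flags,
# 2 = no default restriction at all (ntpd then allows everything by default).
ntp_audit() {
    if [ -z "$(ntp_default_lines "$1")" ]; then
        echo "no 'restrict default' line: any source may query, modify and peer"
        return 2
    fi
    out=$(ntp_missing_flags "$1")
    if [ -n "$out" ]; then
        echo "$out"
        return 1
    fi
    echo "restrict default lines look hardened"
    return 0
}

# Constructed sample configs for a stand-alone demonstration.
WEAK=$(mktemp "${TMPDIR:-/tmp}/ntpweak.XXXXXX")
HARD=$(mktemp "${TMPDIR:-/tmp}/ntphard.XXXXXX")
cat > "$WEAK" <<'EOF'
# the LAN is restricted, but "default" still answers queries from anywhere
restrict default kod nomodify   # noquery is what is missing here
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
interface listen em1
EOF
cat > "$HARD" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
interface listen em1
EOF

for cfg in "$WEAK" "$HARD"; do
    if ntp_audit "$cfg"; then echo "exit=0"; else echo "exit=$?"; fi
done
rm -f "$WEAK" "$HARD"
# Real use on the firewall:  ntp_audit /var/etc/ntpd.conf
```

    Restricting the listening interface to the LAN, as in the post, removes the exposure entirely; the audit is for the case where ntpd must answer on WAN and the restrict lines are the only thing standing between it and an amplification query.
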

  • NUT not starting (error included)

    0 Votes
    4 Posts
    4k Views

    @kdemaria:

    This did not work for me.  However, setting it to Tripplite AVR USB with Auto USB solved the problem completely, and seemed to also solve the stale data issue as well.

    NUT is now reporting correct Model, Status, Load, Charge, Voltages and Runtime.

    +metoo for a CyberPower 1000 model CP1000AVRLCD
    pfSense 2.1.5-RELEASE (amd64) and nut 2.6.5_1 pkg 2.0.2

    This is an annoying bug. According to http://www.networkupstools.org/stable-hcl.html, this CyberPower model should be using "powerpanel". But I'm not sure if that's correct for USB rather than serial connected models. The CyberPower CP1000AVDLCD has both USB and serial ports but ships with a USB cable.

  • Squid - Sarg and IP-Adress in Hostname

    0 Votes
    1 Posts
    855 Views
    No one has replied
  • Installed packages missing version numbers

    0 Votes
    4 Posts
    1k Views

    I made it smarter - see this pull request for 2.2: https://github.com/pfsense/pfsense/pull/1359
    We will see if the project managers think this is a reasonable idea…

    Edit: Pull request has been committed, so in 2.2 when the package server cannot be reached the version column will display something like:

    Latest: N/A
    Installed: 4.5.6

    and put it all in red so it is obvious that something is not quite right.

  • Pfblocker Tables

    0 Votes
    7 Posts
    1k Views
    Soloam

    This is a weird problem.

    I looked at "diag_tables.php" and the problem is in this code block:

        <a onclick="del_entry(&quot;<?=htmlspecialchars($entry)?>&quot;);">![](/themes/<?=$g['theme'];?>/images/icons/icon_x.gif)</a>

    If I remove it, it works ok. But I can't seem to understand why, because in other aliases it works ok.

  • SQUID3 Setup On Multiple Interfaces

    0 Votes
    1 Posts
    651 Views
    No one has replied
  • Snort false positives?

    0 Votes
    8 Posts
    2k Views
    BBcan177

    With SO, it all depends on how many Rules you enable and how much Traffic the sensors will see. But you are starting with some decent hardware. Download the ISO and try it out…

    Here are the Hardware Requirements -
        https://code.google.com/p/security-onion/wiki/Hardware

    Google Group Forum -
        https://groups.google.com/forum/#!forum/security-onion

  • Snort Local IP Triggering Wan Rule

    0 Votes
    3 Posts
    923 Views
    Soloam

    Done :) it solved my problem.

    Thank You
    Best Regards

  • NUT change action for low battery

    0 Votes
    1 Posts
    512 Views
    No one has replied
  • Snort: Apply to LAN also applies to VLANs??

    0 Votes
    2 Posts
    678 Views

    Snort puts the interface into promiscuous mode and thus will see all traffic hitting that physical interface including VLAN's, PPPoE etc.

  • 0 Votes
    3 Posts
    2k Views

    @wcrowder:

    Squid3-dev is at Squid ver. 3.3.13, Squid is at ver. 3.4.9 about to go to 3.5?

    Thanks for your reply.

    Are you sure about that for Squid3-dev? Where are you finding these version numbers for Squid3-dev? Remember, I'm using pfsense 2.1.5, and that is still running on FreeBSD 8.

    When I look at the package info, pfSense seems to indicate that I'm on the most recent version (production version, not beta) and package. There is no option to upgrade when I look at the available packages via pfSense.

    Do you know the location of an official squid3-dev repository? I haven't been able to find one, so I've got to go with whatever I see in pfSense packages.

    Separate box or VM? Port forward? wpad?

    Dedicated box. No port forwarding. I don't know what a 'wpad' is.

    Diladele looks cool, and looks like it's actively developed, going to look at it. Thanks.

    (Edited to add the last line.)

    No problemo. It seemed like the best option as it allows SSL filtering and some decent ad removal features. I believe there is a 60-day free trial period. After that you have to pay, but for personal use it's cheap ($1 / month).

  • PfSense + LDAP: Start TLS

    0 Votes
    2 Posts
    1k Views

    Solved.

    Yes you can, the config option "start_tls" is used, independent of the protocol type.

    No you do not, however there is some "faff" you have to go through to get FreeRadius to operate with only the CA cert, see here: https://forum.pfsense.org/index.php?topic=84564.0

    No rules appear to be required, the router services have access onto the VLAN without explicit rules.

    Regards,
    Rob.

  • Snort POLICY PE EXE or DLL Windows file download alert

    0 Votes
    2 Posts
    15k Views

    In the alerts page, find the policy and click the suppress icon to add a suppress rule to the interface.

    You can find the suppress rule in the Services, Snort, Suppress tab, where you will see one or more entries like so:
    wansuppress_5437e6139435f
    lansuppress_544229bb9e947

    Inside the suppress rule you will see something like:
    #ET POLICY PE EXE or DLL Windows file download
    suppress gen_id 1, sig_id 2000419

    This is your basic suppress rule which will not block any Windows PE file. PE is just the name given to the format of the windows exe and dll's.  http://en.wikipedia.org/wiki/Portable_Executable

    You can also tweak the rules a bit to suit your needs better.

    These threads might be useful.
    https://forum.pfsense.org/index.php?topic=61018.msg339645#msg339645
    https://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
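
    The "tweak the rules a bit" part, as an added example that is not part of the post: the GUI's suppress icon writes a global entry, which hides every PE download on that interface. Snort's suppress syntax also accepts a track and ip qualifier, so the entry can be narrowed to the hosts where the download is expected. The host and network below are placeholders chosen for the example (192.168.1.20 as an internal update server, 203.0.113.0/24 documentation space as a vendor CDN block); the SID is the one from the post.

```conf
# Added example of suppress-list entries, in the syntax Snort reads from
# the per-interface suppress file the pfSense package generates.

# What the GUI icon generates: every match of SID 2000419 on this interface
# is silenced, whatever the source or destination.
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419

# Narrower: the rule matches the server-to-client download, so the internal
# client is the destination. Silence only downloads pulled by the internal
# update server (placeholder address), keep alerting for every other host.
suppress gen_id 1, sig_id 2000419, track by_dst, ip 192.168.1.20

# Or silence a trusted source range (placeholder, documentation space),
# e.g. the vendor's update CDN, and still see executables from elsewhere.
suppress gen_id 1, sig_id 2000419, track by_src, ip 203.0.113.0/24
```

    Only one of the three forms should be present for a given SID; with the global line in place the narrower ones add nothing, because the global entry already matches first.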

  • Enforcing filter rules in Smartphones and Tablets

    0 Votes
    5 Posts
    1k Views

    YouTube is tunneling the traffic in mobile mode. I just found a TEMPORARY SOLUTION: in mobile, YouTube is redirected to "m.youtube.com". If you block "m.youtube.com" and change the browser setting website preference in the smartphones/tablets to desktop mode, then YouTube is redirected to "www.youtube.com/education" and it works fine. If you type "m.youtube.com" then the page is blocked. But this is just a temporary solution.

  • Proxy HTTPS filtering

    0 Votes
    4 Posts
    932 Views

    @Derelict:

    The only way to get "in the middle" of an HTTPS conversation is to coerce your users to install a trusted root CA and generate certificates on-the-fly using that CA for every site they visit.  Or throw a certificate error for every site because you're generating certificates on-the-fly and your users don't have a trusted root for you installed.  That's the nature of HTTPS.  No magic pill.

    I'm fine with throwing cert errors, as long as I can achieve the blocking.

    I have an idea.  Put that guest network on a separate interface.
    Create a limiter to limit the damage the "guests" can do to your bandwidth.
    If they just can't behave themselves, kill their access every time they do things you have told them not to.

    Is there a way to use the limiter to completely block traffic instead of just limiting it?

  • FreeRADIUS authentication

    0 Votes
    2 Posts
    718 Views

    to clarify, I am a student in Information Assurance and have never actually worked with RADIUS or pfSense before this semester.
    I eventually want to use a mySQL database for credential verification, but would like to ensure authentication can occur properly before taking that next step.

  • Squidclamav.conf redirect being ignored

    0 Votes
    3 Posts
    3k Views

    [SOLVED]

    Clean your test browser's cache, cookies, history.
    Restart browser and "voila". It's working as it should.

  • Suricata Q's & an error message

    0 Votes
    3 Posts
    2k Views

    @bmeeks:

    @firewalluser:

    Don't know where to post this, but running 2.2 Beta with Snort and Suricata.

    First Q.

    Is it ok to run snort and suricata side by side on the same machine?
    I've experimented with both installed, running and with snort interfaces disabled but can't seem to get any alerts or blocks from suricata. I have not uninstalled snort yet.

    I'm getting lots of these error messages in the system log FWIW.
    suricata[59742]: 24/11/2014 – 22:54:01 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap

    When I see "unimplemented", I wonder how far along suricata is, but also, where does it fit with snort?
    Is snort still superior to suricata or vice versa? It's just that snort has a few rules/options available which suggests more control with Snort, but I could be wrong?

    TIA

    You must be running PPPoE on your WAN.  Suricata does not support PPPoE connections on FreeBSD.  Snort does.  The limitation is within the Suricata binary itself and not something caused by the GUI package on pfSense.  If you must use PPPoE, then use Snort instead of Suricata (or else don't try to run Suricata on the PPPoE interface).

    As for which is better or more mature, that's sure to bring out fan boys on both sides.  In my view neither is "better", they are just "different".  Suricata is a true multithreaded IDS, so in theory it should scale better with more CPUs and offer higher throughput.  In practice with today's hardware and network speeds, this only starts to matter at 10Gig and over.  Snort currently offers some rule options and keywords that Suricata does not support, so there are some Snort rules that will not load on Suricata (they cause an error and Suricata ignores them and skips loading them).

    Bill

    You must be running PPPoE on your WAN.

    Yes I am, didn't know about the pppoe restriction.

    As for which is better or more mature, that's sure to bring out fan boys on both sides.  In my view neither is "better", they are just "different".  Suricata is a true multithreaded IDS, so in theory it should scale better with more CPUs and offer higher throughput.  In practice with today's hardware and network speeds, this only starts to matter at 10Gig and over.  Snort currently offers some rule options and keywords that Suricata does not support, so there are some Snort rules that will not load on Suricata (they cause an error and Suricata ignores them and skips loading them).

    Thanks for that info, it explains a lot. I think for my uses, snort on wan and suricata and/or snort on lan is the way to go although I doubt my lan traffic will ever reach the rates that give suricata a chance to show off its capabilities over snort.

  • Reverse PFBlocker option ?

    0 Votes
    7 Posts
    2k Views

    @atrocity:

    well, but we can't wait, because we have to filter out most of the world to some specific network equipment … :(

    Firewall: Aliases: Edit.
    Create two alias's Allowed IP's and Blocked IP's and link them to two txt files located on one of your internal webservers, then create all your rules you want and you dont need pfblocker then, but you do have more control with this approach.

    For example, you might have an alias for Allowed Email IP's where a txt file contains the ip address blocks you will accept email from (smtp/25) as you may do business abroad in that country, even your supplier might have their own ip address block reducing the constant updates which will invariable take place as IP's blocks get moved around.

    You could also have another alias file that contain ip address blocks for countries staff might have to visit including stop overs for connecting flights in other foreign countries, then you can have a rule to allow their iphone/android/windows phone communications with their imap/exchange servers for example. Maybe also allow some encrypted VOIP comms to avoid calls being listened into from foreign govt's when using their public telecoms infrastructure, or if you really want to be "silent", just have a vpn connection like openvpn, tunnel all traffic from your phones/laptops through the vpn and hide even more info from foreign govt's when abroad.

  • /etc/inetd.conf vs /var/etc/inetd.conf

    0 Votes
    3 Posts
    1k Views

    Thanks for the explanation.  I'll look at it, but no promises …

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.