Did you see this thread: https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084 "FreeBSD is moved them to ftp-archive since the release is no longer officially supported upstream."

@zerodamage: I am trying to figure out why my Snort will not work on the LAN interface. I originally had it running on the WAN interface and it worked fine. I noticed some alerts with regards to Trojan but the source IP was my WAN interface, not the culprit within my network. So I made a LAN interface and used the same IPS policy (connectivity) and rules (I have a Snort subscription) and I get no alerts. The interface goes active without any issues but I do not receive any alerts at all.  This is my home network so it isn't the end of the world but I would like for it to work. This is how my network is laid out: LAN => WAP / Switch => pfSense / Snort => Internet There may simply be nothing too nefarious happening in your LAN.  I get maybe one or two alerts per week on my LAN.  I get a ton on my WAN, but that's because I run some IP Reputation rules there and known spammer and other malicious IPs make connection attempts.  Also remember that Snort puts the interface it runs on in promiscuous mode, so that would mean the WAN sees a lot of extra stuff, for example. If you want to test Snort on your LAN, install a tool like nmap on a host and scan your firewall.  That should trigger some alerts. Bill

While the packet can't be dropped, any open states in the firewall can be killed. I hope the devs implement those changes.

Unless your PC is actually listening for a connection from anywhere on port 21, then nmap won't see that as "open". To nmap, "open" means that a service is waiting for inbound connections and accepts them (listening on a port), such as a web server or FTP server on the IP being scanned. If your client has a connection "open" to a remote server, that isn't something nmap can see as it's a fundamentally different concept.

See the following thread: https://forum.pfsense.org/index.php?topic=79918.0#lastPost

@KOM: Enable Squid3-dev Transparent Proxy then disable SquidGuard3.  Does it work now?  Squid by itself doesn't do any blocking, only caching.  SquidGuard does the blocking. I have disabled the SquidGuard, Set the proxy interface as LAN in squid and enabled Transparent mode, No SSL filtering. It still gives the same error i.e TCP_MISS 403 @KOM: Here's the thing about SSL filtering.  To do it, you will need to do one of the following: install a certificate on every client, or set the proxy server on every client You have to touch the client one way or the other, so you may as well use Squid2 which is stable.  Block off outgoing port 80 so that only the proxy has web access, set the proxy server for all your static IP clients and then set up WPAD for DHCP clients. I believe that HTTPS bypasses Squid unless you have it manually set to be your proxy or you're running transparently with a cert installed.  Same reason why setting a domain block in SquidGuard doesn't work for HTTPS.  HTTPS creates a point-to-point encrypted tunnel between you and the external server.  Squid has no idea what's going on unless it's "inside" the encrypted tunnel, and it can only do that if you have your client it manually set to use pfSense as your web proxy, or if you're using a certificate on the client to trust your pfSense server. I will surely try this method. SquidGuard or SquidGuard-devel has to be used with Squid2. because those two SquidGuard versions might not work with Squid3

Makes complete sense, and agree with you! This is a smaller (home) environment, so having a separate machine just to serve a web page or two is a bit of an overkill … ;). Thanks!

It crashed a few times on my guest wifi network. 3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12 3/8/2014 -- 14:37:18 - <info> -- preallocated 65535 defrag trackers of size 88 3/8/2014 -- 14:37:18 - <info> -- defrag memory usage: 6553512 bytes, maximum: 33554432 3/8/2014 -- 14:37:18 - <info> -- AutoFP mode using "Active Packets" flow load balancer 3/8/2014 -- 14:37:18 - <info> -- preallocated 1024 packets. Total memory 3135488 3/8/2014 -- 14:37:18 - <info> -- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12 3/8/2014 -- 14:37:18 - <info> -- preallocated 1000 hosts of size 60 3/8/2014 -- 14:37:18 - <info> -- host memory usage: 109152 bytes, maximum: 16777216 3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12 3/8/2014 -- 14:37:18 - <info> -- preallocated 10000 flows of size 144 3/8/2014 -- 14:37:18 - <info> -- flow memory usage: 2226432 bytes, maximum: 33554432 3/8/2014 -- 14:37:18 - <info> -- IP reputation disabled 3/8/2014 -- 14:37:18 - <info> -- Added "35" classification types from the classification file 3/8/2014 -- 14:37:18 - <info> -- Added "19" reference types from the reference.config file 3/8/2014 -- 14:37:18 - <info> -- using magic-file /usr/share/misc/magic 3/8/2014 -- 14:37:18 - <info> -- Delayed detect disabled 3/8/2014 -- 14:37:45 - <info> -- 2 rule files processed. 14865 rules successfully loaded, 0 rules failed 3/8/2014 -- 14:38:47 - <info> -- 14873 signatures processed. 891 are IP-only rules, 4227 are inspecting packet payload, 11353 inspect application layer, 0 are decoder event only 3/8/2014 -- 14:38:47 - <info> -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete 3/8/2014 -- 14:38:52 - <info> -- building signature grouping structure, stage 2: building source address list... complete 3/8/2014 -- 14:39:46 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete 3/8/2014 -- 14:40:03 - <info> -- Threshold config parsed: 0 rule(s) found 3/8/2014 -- 14:40:03 - <info> -- Core dump size is unlimited. 3/8/2014 -- 14:40:03 - <info> -- fast output device (regular) initialized: alerts.log 3/8/2014 -- 14:40:03 - <info> -- http-log output device (regular) initialized: http.log 3/8/2014 -- 14:40:03 - <info> -- Using 1 live device(s). 3/8/2014 -- 14:40:04 - <info> -- using interface ath0_wlan1 3/8/2014 -- 14:40:04 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets. 3/8/2014 -- 14:40:04 - <info> -- Found an MTU of 1500 for 'ath0_wlan1' 3/8/2014 -- 14:40:04 - <info> -- Set snaplen to 1500 for 'ath0_wlan1' 3/8/2014 -- 14:40:04 - <info> -- RunModeIdsPcapAutoFp initialised 3/8/2014 -- 14:40:04 - <info> -- stream "max-sessions": 262144 3/8/2014 -- 14:40:04 - <info> -- stream "prealloc-sessions": 32768 3/8/2014 -- 14:40:04 - <info> -- stream "memcap": 33554432 3/8/2014 -- 14:40:04 - <info> -- stream "midstream" session pickups: disabled 3/8/2014 -- 14:40:04 - <info> -- stream "async-oneside": disabled 3/8/2014 -- 14:40:04 - <info> -- stream "checksum-validation": disabled 3/8/2014 -- 14:40:04 - <info> -- stream."inline": disabled 3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "memcap": 67108864 3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "depth": 0 3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toserver-chunk-size": 2560 3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toclient-chunk-size": 2560 3/8/2014 -- 14:40:04 - <info> -- all 2 packet processing threads, 1 management threads initialized, engine started. 3/8/2014 -- 14:40:04 - <info> -- Signal Received.  Stopping engine. 3/8/2014 -- 14:40:04 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state 3/8/2014 -- 14:40:04 - <info> -- time elapsed 0.261s 3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Packets 0, bytes 0 3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Pcap Total:0 Recv:0 Drop:0 (nan%). 3/8/2014 -- 14:40:04 - <info> -- AutoFP - Total flow handler queues - 1 3/8/2014 -- 14:40:04 - <info> -- AutoFP - Queue 0  - pkts: 0            flows: 0          3/8/2014 -- 14:40:04 - <info> -- Stream TCP processed 0 TCP packets 3/8/2014 -- 14:40:04 - <info> -- Fast log output wrote 0 alerts 3/8/2014 -- 14:40:04 - <info> -- HTTP logger logged 0 requests 3/8/2014 -- 14:40:04 - <info> -- host memory usage: 109152 bytes, maximum: 16777216 3/8/2014 -- 14:40:05 - <info> -- cleaning up signature grouping structure... complete 3/8/2014 -- 14:40:06 - <error> -- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly</error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info> That's a wifi interface off Pfsense

@sowen: Well…yes, no and maybe.... the header rewrite $rewrite_item[] = array(F_TARGETURL => '(http://www.youtube.com/watch?v=.*)',        F_REPLACETO => '\1&edufilter=XXXXXXXXXXXXXXXXXXXXXXXX', F_MODE => 'i'); Forces the users to use your specific educational channel, which you can then control. However, I do not know how to rewrite the header to force all proxy users to use "safety mode". YouTube Safety Mode is enforced by rewriting a specific cookie in client request headers, while SafeSearch (for google etc...) is enforced by simply adding a string to the request URL (which is what the edufilter filtering does). a quick google of "rewrite youtube header to use safety mode" brings up some info, but most of it is at least a couple years old and I'm not sure how (or if) it could be implemented in pfSense / squidguard. Youtube Safe Search RewriteCond URL .youtube.com. RewriteHeader Cookie: (.*) PREF=f2=8000000 RewriteRule (.)?youtube.com(.?.*) $1youtube.com$2&safety_mode=true [I,L] ; === Safety Mode for YouTube ===     <proxy bc_safesearch_youtube_cookies="">url.domain=youtube.com     request.header.cookie="PREF=" action.BC_SafeSearch_YouTube_Cookie_Rewrite(yes)     action.BC_SafeSearch_YouTube_Cookie_append(yes)           define action BC_SafeSearch_YouTube_Cookie_Rewrite           rewrite( request.header.Cookie, "(PREF=[^,]+)", "$(1)&f2=8000000" )           end           define action BC_SafeSearch_YouTube_Cookie_append           append( request.header.Cookie, "PREF=f2=8000000" )           end ; === End of Safety Mode for YouTube === ***********************</proxy> Do I need edit cookies in the individual browser? If so, then its not an feasible option because cookies will erased if we clear the history. Somehow SquidGuard has to come up with the solution for this.

@canux: Thanks for the info.  Do you have a paid subscription as well? Yes I use a Snort VRT and ET Pro subscription. Some of the other boxes I have use the Open Snort and ET Rulesets. Did you upgrade Snort to the latest version? There were two releases fairly recently.

This issue can be corrected by upgrading to Snort 2.9.6.2 pkg v3.1.1. ;D

@KOM: If I rememebr right, you had to have users_sites and sites_users selected or it won't work. They are both currently selected.

I was a bit confused because most of the tutorials online for HVAP show the version number being reported. I guess it's nothing to be worried about. Thanks for the reply. My HVAP Alert dashboard widget is working: [image: hvap3.jpg] I am running the 2.1.4-RELEASE (i386) inside Vmware esxi.

Hello I found a solution for disabling default setting "http_access allow localhost", default settings are in /usr/local/pkg/squid.inc. Maybe someone can find this useful. I have second question I need some help. Now Dansguardian filter groups are working but asking user for credentials every time you start the browser. Is it possible to use domain login credentials with browser, so when you login to computer you automatically get rules for using the internet. Regards Binkec

as i hate reading unresolved forum posts, when googling for solutions, i'll give some feedback lately… solved it by reinstalling all because other problems appeared soon after this one due to a hard disk failure. thanks for your reply anyway doctornotor, i missed it at the time.  :( i think i looked for line 42, but i don't remember, why i didn't post it... now fighting with other things (havp blocking fine, syslog entries there, but dashboard widget not showing alarms anymore on 2.1.4) but thats another post if reinstalling doesn't solve it... itsol