any help pls.. thanks,,

OK, so the base program I found and then modified. It used lsof and ipnat but it could all be done with pfctl -ss output as far as I can see.

Bear in mind this is crufty 14-year-old code that probably is horribly bad in many ways.

https://gist.github.com/jim-p/78b7637ef5ce8c7b3219

Moved this to Packages since it's specific to OSPF and not specific to 2.1.1

@heper:

have made a quick attempt to get ospf working with a similar openvpn tls/ssl setup in VM - and failed :(

after some digging with openvpn "topology subnet" i did manage to get ospf to get to a full-link state … but routing failed.
perhaps jimp or ermal or any other core dev could shed some light on this.

OSPF requires tun mode to use /30 tunnel networks, or tap mode for a shared instance with multiple clients.

I've not seen it work in tun mode w/topology subnet.

It would be a good update…

@dgcom:

@bmeeks:

I assume you are talking about rule updates with the updates download issue.  If so, that could be because the Snort VRT folks tie rule versions to specific Snort binary versions.  This is completely out of the control of the Snort package on pfSense.

Yes, I am talking about rule download issue. But I wonder how this breaks during restore? It should be downloading rules for whatever version of Snort initiated said download, right? Regardless of what version the restored config was… It restored my oinkmastercode and tried to download something but then complained that checksum was wrong.
If no one else is suffering this, it might be not important to spend your time on, really. Thank you for you work on this package, Bill.

I will take a look at this by playing around in a virtual machine.  It will be a week or two before I have some time, though.  Trying to get the next Snort update out the door and also will be away on a family trip for a week.

Bill

@marcelloc:

That will be a great addition to the package.

Is there any public ip reputation network that whe can use?

I was told the Emerging Threats guys are working on one, but I'm not sure if it will be free or pay.  Maybe they will do something similar to what they do for the rules:  offer a comprehensive and daily updated list for paying customers, and a slightly dated and maybe not quite as comprehensive list for free.

The Snort IP Reputation preprocessor is pretty simple, though.  All it needs is a text file with one IP address or CIDR network per line, so that should lend itself to use with many of the other types of lists out there.

Bill

G'day all lovers of the finest firewall in the world  ;D

Would anybody happen to know what this error means:

The 4.37 is the Synology that acts as the UPS server. Yesterday I was literally flooded with this (a couple of 100 emails about this), and normally I also get these a couple of times a week.

Google didn't help me any further. I am trying to understand who is trying to write what to where and who is messing around with that ( :P). In NUT the light is green, the synology also doesn't complain about anything UPS-related, so I am, at least temporary, once again completely lost.

Thank you for any help  ;D

I understand your point.  But on pfsense you can get help from core team (paid support) to fix packages in that situation or to fast develop new ones.

Community help as much as free time permits  :)

@Dadoo:

Ahhh… I see. Whitelists are per-interface, not per-firewall. That explains why some of the addresses on the whitelist were blocked, while others were not.  The GUI doesn't make that obvious. Now that I've set a whitelist for both interfaces, that seems to have solved the problem.

Thanks for your help.

You're welcome.  I am starting a project to revise/update the Snort package documentation on the pfSense Documentation Wiki.  It will take me some time to get everything updated.  The stuff there now is way old and goes back many Snort versions well before I began offering some updates to the code.  Once the documentation update is complete, I will then make sure the various HELP links within the Snort GUI to point to the relevant Wiki page.

Bill

I vaguely remember somebody mentioning that Snort's block list works correctly on 2.1.1, which is about to release  really soon.

@https://github.com/pfsense/pfsense/commit/c40d6c7a99c35838ed222b83ee3d8c903a68e6b6:

etc/version

@@ -1 +1 @@

-2.1.1-PRERELEASE

+2.1.1-RELEASE

@neokeane:

Is it possible to install a specific version package via web gui?

I can install it via console, but I want to see and configure it by web gui too.

WebGUI configurator for packages - specific program for generate package config files. You can not simple take any package and manage him via WebGUI.

You can install any accesible FreeBSD package from console and manage him via config file (by unix style) at one's own risk.
Or you can install existing pfSense package via WebGUI and manage him via GUI.

anyone ??  :(  :(  :(

I have not tested it on iphone or android yet.

CMB,
Thanks for making the change back to HTTP. I surely appreciate it. I haven't tried it yet but I will be getting to this later today.

Bryan,
Thanks for being understanding. I certainly wasn't moaning and expecting someone else to do the heavy lifting for me. I was simply asking to be pointed in the right direction. I obviously have a very large upgrade project ahead of me. We knew this was coming but as usual, the project wasn't at the top of the list. I had already been looking at setting up our own repository to buy us some time but then the change happened to the package system and it was too late. It looks like I have been given a second chance.

Thanks guys.