Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    johnpoz
    @ha11oga11o if you resolve nextcloud.mydomain.xx to your external IP, i.e. the same one public people do, then it would be handled by your haproxy. Example: I have SSL offloading for external users for the public FQDN something.mydomain.tld. This resolves externally to my public IP that hits the pfSense WAN; it also resolves to my public IP when on my local network, so again haproxy handles the SSL, etc. But if I wanted or needed to access that directly on my local LAN then I use its name.home.arpa:port that the service is on, which doesn't do SSL, etc. What is the point of using the same FQDN internally and externally? What do you think that gets you other than issues?
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPa
    @bmeeks Understood. Thank you kindly for your help. I will likely be ordering a new unit soon.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure they match the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng. However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    Hi folks, whenever I try to access a DNSBL-blocked root domain it shows the block page, but the moment it gets into a subfolder or file in the domain it only shows a 1x1 px page. Meaning http://detectportal.firefox.com/ redirects to the DNSBL block page with the blocked domain info "This website detectportal.firefox.com has been blocked by the Network Administrator!", but if I try http://detectportal.firefox.com/canonical.html, http://detectportal.firefox.com/success.txt or http://detectportal.firefox.com/justatest it only shows a 1x1 pixel. Is this by design? Is there anything I can do to make the rest of the pages show the alert? Regards
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypage
    @fjmp24 said in Notification: UPS ups battery is low: "If I remove ignorelb directive, my UPS shuts down after 16 seconds" This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely the battery, but you never know. I suggest reaching out to Eaton support.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the acme-webgui times out, and when the acme-webgui times out the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    92 Topics
    639 Posts
    Updated CE 2.8.1 to 1.90.4. Looks like they are already working on .6 (Freshports). pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.4.pkg (Changelog)
  • Discussions about WireGuard

    713 Topics
    4k Posts
    I have my WireGuard up and running and can ping from the firewall to devices on the VLAN, but cannot get clients to ping each other.
  • Log Snort to sguil(Security Onion)

    6
    0 Votes
    6 Posts
    6k Views
    BBcan177
    @tbaror: "Thanks all for the answers, but Snorby would be a good solution if he had some alerting rules facility" The Snorby package in Security Onion has alerting functionality.
  • Don't work squid filter

    1
    0 Votes
    1 Posts
    882 Views
    No one has replied
  • Mailreport filter syntax

    3
    0 Votes
    3 Posts
    3k Views
    Good stuff, thanks a lot! Now I'll go find a way to get a pfBlocker report in the mail too!
  • Snort blocks many websites with "block offender" checked

    4
    0 Votes
    4 Posts
    3k Views
    bmeeks
    @iraiam: @fragged: The HTTP preprocessor does fire a lot of false positives. You can either add the single rules to your suppress list or enable this setting: Disable Alerts from this engine configuration. Default is Not Checked. You can find it under the settings for your Interface -> <interface name> Preprocessors -> HTTP Inspect / Server Configuration (click the E to edit). Thanks, I'll give that setting a try. I don't have time to deal with single rules at the moment, maybe at a later date. Take Centurylink.com; it generated 19 blocks from one session. I went through the logs and checked quite a few of the blocks manually and found no actual threats. It makes sense to me to block offenders, providing it detects actual offenders without all the false positives. The HTTP_INSPECT preprocessor is unfortunately very good at generating false positives. Some of them are likely the fault of code in the preprocessor itself, but many are due to various web servers not adhering strictly to the standards. No matter which is the real problem, it's a fact of life for IDS/IPS admins that false positives will occur. Snort on pfSense uses the binary file produced by the Snort VRT, so any bugs in that code show up in pfSense. There is a thread that lists many of the known false positives, and some users have shared their Suppress Lists. You might want to try some of their shared settings. Here is the link: https://forum.pfsense.org/index.php/topic,56267.0.html
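As an added example (not from this thread and not code from the pfSense Snort package), the script below does the "add the single rules to your suppress list" tuning described above programmatically: it reads Snort fast-format alert lines, counts them per GID:SID, and emits suppress entries for the HTTP_INSPECT preprocessor signatures that fire most often. The suppress syntax (suppress gen_id N, sig_id N, optionally track by_src, ip A.B.C.D) and the GIDs 119 (http_inspect client) and 120 (http_inspect server) are Snort's own; the alert lines embedded in the script are constructed samples and the hit threshold MIN_HITS is a hypothetical tuning knob.

```python
"""Build Snort suppress-list entries from fast-format alert lines.

Added example; not code from the pfSense Snort package. Reads Snort
"fast" alerts, counts them per GID:SID, and emits suppress entries for
the HTTP_INSPECT preprocessor signatures (GID 119 client side, GID 120
server side) that fire at least MIN_HITS times, optionally scoped to the
source IP with "track by_src".
"""
import re
from collections import Counter

# Constructed sample alerts in Snort fast format (not real captures).
SAMPLE_ALERTS = """\
01/26-00:28:49.100000  [**] [120:3:2] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.0.2.10:52000
01/26-00:28:49.200000  [**] [120:3:2] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.0.2.10:52001
01/26-00:28:50.300000  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.0.2.10:52002 -> 203.0.113.5:80
01/26-00:28:51.400000  [**] [120:8:2] (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.7:80 -> 192.0.2.10:52003
01/26-00:28:52.500000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.0.2.10:52004
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[0-9a-fA-F.:]+):\d+ -> (?P<dst>[0-9a-fA-F.:]+):\d+"
)
HTTP_INSPECT_GIDS = {119, 120}   # http_inspect client / server preprocessor alerts
MIN_HITS = 2                      # hypothetical tuning threshold


def parse_alerts(text):
    """Yield one dict per parsable fast-format alert line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["gid"], rec["sid"] = int(rec["gid"]), int(rec["sid"])
            yield rec


def suppress_entries(text, min_hits=MIN_HITS, by_src=False):
    """Return suppress lines for http_inspect signatures seen >= min_hits times.

    by_src=False: suppress the signature everywhere.
    by_src=True:  suppress it only for the offending source IP (for GID 120
                  response-side alerts that is the web server).
    """
    counts = Counter()
    for rec in parse_alerts(text):
        if rec["gid"] not in HTTP_INSPECT_GIDS:
            continue  # leave real rule alerts (GID 1, 3, ...) alone
        key = (rec["gid"], rec["sid"], rec["src"] if by_src else None)
        counts[key] += 1
    lines = []
    # noisiest first, then by GID/SID for stable output
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0], kv[0][1]))
    for (gid, sid, src), n in ordered:
        if n < min_hits:
            continue
        entry = f"suppress gen_id {gid}, sig_id {sid}"
        if src is not None:
            entry += f", track by_src, ip {src}"
        lines.append(entry)
    return lines


if __name__ == "__main__":
    print("\n".join(suppress_entries(SAMPLE_ALERTS)))
    print("\n".join(suppress_entries(SAMPLE_ALERTS, min_hits=1, by_src=True)))
```

Scoping an entry with track by_src to the one misbehaving web server keeps the signature live for everyone else, which is the safer tuning for GID 120 alerts; the GID 1 rule in the sample is deliberately never suppressed, since the point is to quiet the preprocessor, not the ruleset.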
  • Help understand cron script

    5
    0 Votes
    5 Posts
    1k Views
    The third script now errors and says "Illegal variable name."
  • Squid3 reverse proxy randomly fails…

    2
    0 Votes
    2 Posts
    887 Views
    You are going to have to give us some information to work with, like the access.log from when it is not working, I think. Does restarting the service fix it? What do you have to do to get it working again?
  • Snort reverse lookup icon

    4
    0 Votes
    4 Posts
    1k Views
    bmeeks
    @Clear-Pixel: "Why is it that oftentimes many IPs are missing the reverse DNS info? Is it a DNS server with a poorly compiled DNS list? It would seem the IP would be out of compliance if no Name was attached?" There are a fairly significant number of the "spammer" and other blacklisted IPs that do not resolve via DNS lookups. Not really surprising when you realize these guys don't want to be found… ;) Bill
  • SQStat 403

    Locked
    10
    0 Votes
    10 Posts
    7k Views
    jimp
    Posting this here since the thread is very high in search results for the sqstat 403 error: This is because the IP address querying the status from squid is not listed as an external cache manager. To find the IP in use, enable squid logging, try to access sqstat, and then run:
    # grep "403.*active_requests" /var/squid/logs/access.log
    You will find lines such as this:
    1390930259.701      0  192.168.1.1 TCP_DENIED/403 1410 GET cache_object://localhost/active_requests - NONE/- text/html
    Then go to Services > Proxy Server, on the Access Control tab, and add the IP from that line to the External Cache Managers box, e.g. 127.0.0.1;192.168.1.1; Save there, and for good measure go back to the main tab on squid and press save again, and then you should be able to access sqstat. If that alone does not work, and you have a filter such as squidGuard installed, make sure you have "localhost" listed in a whitelist or have access open from the LAN IP of the firewall itself.
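As an added example (not part of jimp's post and not code from the pfSense squid package), the script below does the grep step programmatically against squid's native access.log format: it keeps only TCP_DENIED/403 hits on cache_object:// URLs, which is what sqstat requests, and renders the value for the External Cache Managers box in the semicolon-separated form shown above. It generalizes the grep slightly by matching any cache_object:// path rather than only active_requests. The log lines embedded in the script are constructed samples.

```python
"""Extract the client IPs squid is denying cache-manager (sqstat) access to.

Added example; not part of jimp's post or the pfSense squid package.
Squid native access.log fields are space separated:
time elapsed client code/status bytes method URL ident hierarchy/peer type
"""
import ipaddress

# Constructed sample log lines (not from a real proxy).
SAMPLE_LOG = """\
1390930259.701      0  192.168.1.1 TCP_DENIED/403 1410 GET cache_object://localhost/active_requests - NONE/- text/html
1390930260.102     12  192.168.1.50 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1390930261.334      0  127.0.0.1 TCP_DENIED/403 1410 GET cache_object://localhost/info - NONE/- text/html
1390930262.010      0  192.168.1.1 TCP_DENIED/403 1410 GET cache_object://localhost/active_requests - NONE/- text/html
1390930263.500      0  192.168.1.77 TCP_DENIED/403 1350 GET http://blocked.example/ - NONE/- text/html
"""


def denied_cache_manager_clients(log_text):
    """Client IPs that got TCP_DENIED/403 for a cache_object:// request.

    A 403 on an ordinary http:// URL (for example a squidGuard block)
    is a different problem and is deliberately ignored here.
    """
    clients = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or non-native log line
        client, status, url = fields[2], fields[3], fields[6]
        if status == "TCP_DENIED/403" and url.startswith("cache_object://"):
            clients.add(client)
    return clients


def external_cache_managers(existing, log_text):
    """Merge denied clients into an existing 'a;b;' list.

    Keeps the existing order, appends new IPs in address order, and ends
    with ';' as in the GUI field value quoted in the post.
    """
    managers = [ip for ip in existing.split(";") if ip]
    for ip in sorted(denied_cache_manager_clients(log_text), key=ipaddress.ip_address):
        if ip not in managers:
            managers.append(ip)
    return ";".join(managers) + ";"


if __name__ == "__main__":
    import sys
    # Placeholder path: pass the real log as argv[1], else the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(external_cache_managers("127.0.0.1;", text))
```

The check on the URL scheme matters: 192.168.1.77 in the sample is also denied with 403, but on an http:// URL, so it is a content filter decision and must not be granted cache manager rights.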
  • Sarg Vs Lightsquid

    2
    0 Votes
    2 Posts
    4k Views
    @berrick: "From my limited use of both these packages it seems they do the same thing, is this correct? Which is better, sarg or lightsquid? regards" Depends on your wishes. LightSquid is easier, Sarg has more features.
  • Squid No longer able to access my network from the outside.

    1
    0 Votes
    1 Posts
    507 Views
    No one has replied
  • Allow HTTPS traffic straight out through WAN with squid?

    2
    0 Votes
    2 Posts
    976 Views
    jimp
    By default the firewall won't touch HTTPS with squid in transparent mode. Make sure your firewall rules allow access on the LAN interface from your LAN subnet to anywhere on port 443. So long as the rules pass it and squid doesn't touch it, it will go right out.
  • Dansguardian 2.12.0.3 Signal 11

    89
    0 Votes
    89 Posts
    44k Views
    Just figured out that the 2.12.0.6 version of DG that Marcello compiled does not have PCRE support… or at least that is my guess on the problem. It does not execute any of the regular expression functionality, such as URL regular expression modifications. Would anyone with a dev environment (Marcello?) be willing to compile the 2.12.0.6 or 2.12.0.7 version with PCRE? Or, for that matter, e2guardian (I'd be willing to mod the UI to get it working)? Thanks in advance!
  • Pfblocker + memory limit

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177
    I am not sure if SquidGuard is the same as pfBlocker for the max table entries, but I would assume so. Did you edit the System:Advanced:Firewall/NAT "Firewall Maximum Table Entries"?
  • Speedtest.net Upload Test Fails with Squid/SquidGuard Enabled

    4
    0 Votes
    4 Posts
    2k Views
    @KOM: 1. pkg_info: bsdinstaller-2.0.2013.0911 BSD Installer mega-package gettext-0.18.3 Going to need the rest of the information still ;)
  • Snort blocking my local IP

    8
    0 Votes
    8 Posts
    2k Views
    bmeeks
    @mudmanc4: "I have changed the whitelist for that interface to the one created earlier, restarted snort, and made various protocol requests; no blocking that I can see at this point. Big info from you on this, much appreciated bmeeks!" Thank you. Glad it's working for you now. One item on my TODO list is to update the Snort package documentation and then include links to it from various spots in the package. Bill
  • Sarg reports broken in 2014

    6
    0 Votes
    6 Posts
    2k Views
    I have a fix! sarg can examine more than one log file, so regardless of order of execution of the rotate and log generation, just ensure all the logs, rotated or not, are used thus: (screenshot: Screen Shot 2014-01-26 at 00.28.49.png) Steve
  • Snort 2.9.6.0 released, can we have an upgraded package?

    6
    0 Votes
    6 Posts
    1k Views
    bmeeks
    @BBcan17: @bmeeks: So I think we are stuck staying with a version that is at least 30 days old, or else require everyone to buy the paid subscription. That would not be popular :'( Thanks Bill. If it's not too much trouble, maybe you could post both updates and users could choose which version would work for them? This would allow us to debug the most recent Snort version while having the option to go down one version just in case. Well, that is a good idea. There was, at one time, an active snort-dev package maintained by the old maintainer. It was really bleeding edge, though. I had considered resurrecting that old snort-dev tree, but not for "free" versus "paid" subscriptions, but instead to try and keep the most recent Snort binary out there. I've just been busy lately with the current package and doing some work on a Suricata package, and just have not gotten around to it. Bill
  • Pfblocker breaks amazon

    4
    0 Votes
    4 Posts
    1k Views
    By using the country blocker, you'll also find it kills your ability to generate a return ticket and shipping label at Amazon. (Why is Amazon's return label generation routing through Asia??) There is another thread here on using pfBlocker to generate the lists to be used by Snort and the rules set. I've found this option makes every problem like this (that I was having) go away without having a lot of custom pass rules. https://forum.pfsense.org/index.php/topic,64674.0.html Rick
  • Snort not blocking for a full day? v2.9.4.6 pkg v2.6.0

    22
    0 Votes
    22 Posts
    7k Views
    bmeeks
    @kevin067: "It seems to me whatever pfblocker is doing internally to create its alias tables, snort should do the same. As far as I can tell pfblocker (using "Alias_Only" mode) has been blocking well. Here's a link to the code inside pfblocker that creates those tables… http://www.pfsense.org/packages/config/pf-blocker/pfblocker.inc So the idea is to let snort use snort2c tables for the immediate blocking. Then append the IPs it finds into an alias for long term blocking (one that survives filter_reload and reboots), using a normal incoming WAN/outgoing LAN rule." I like where the <snort2c> table is currently located up high in the pf rule chain such that it is hit very early in the packet's traversal of the firewall. This gives Snort a chance to block early and protect users from "quick pass" rules farther down that would bypass Snort. It occurred to me last night there may be a fix for the clearing problem triggered by the filter reloads. I need to talk it over with the Core Team, but maybe the filter reload process could persist the <snort2c> block table out to a temp file during the reload process, and then read the file back in as part of the filter reload. It is trivial to do this with the pfctl utility (dumping a table to a file and loading a table from a file). Bill
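As an added example (not pfSense, Snort package or pfBlocker code), here is the dump-and-reload step bmeeks proposes for the <snort2c> table, written in Python around pfctl. It assumes pfctl's table subcommands "pfctl -t snort2c -T show" (print the table, one entry per line) and "pfctl -t snort2c -T add -f FILE" (add every entry listed in FILE); the parsing and rendering are kept separate from the pfctl calls so they can be exercised without pf, the dump text embedded in the script is constructed, and the file path is a placeholder.

```python
"""Persist a pf table across a filter reload by dumping and reloading it.

Added example; not code from pfSense or the Snort package. Implements
the idea of saving <snort2c> to a file before a filter reload and
loading it back afterwards. Assumed pfctl usage:
  pfctl -t snort2c -T show          dump entries, one per line
  pfctl -t snort2c -T add -f FILE   add the entries listed in FILE
"""
import ipaddress
import subprocess

TABLE = "snort2c"
SAVE_PATH = "/tmp/snort2c.save"   # placeholder path

# Constructed sample of `pfctl -t snort2c -T show` output, including a
# duplicate and a junk line to show what the parser tolerates.
SAMPLE_SHOW = """\
   203.0.113.5
   198.51.100.0/24
   203.0.113.5
   not-an-address
   2001:db8::10
"""


def parse_table_dump(text):
    """Return sorted, de-duplicated networks from pfctl -T show output.

    Anything that is not an address or CIDR (verbose-mode statistics
    lines, comments, corruption in a hand-edited file) is skipped, so a
    bad dump can never feed garbage back into pfctl.
    """
    nets = set()
    for line in text.splitlines():
        tok = line.strip()
        if not tok or tok.startswith("#"):
            continue
        try:
            nets.add(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            continue
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def render_table_file(nets):
    """Format networks as the one-per-line file pfctl -T add -f reads."""
    return f"# saved {TABLE} entries\n" + "".join(f"{n.with_prefixlen}\n" for n in nets)


def dump_table(path=SAVE_PATH, table=TABLE):
    """Write the live table to `path`; returns the number of entries saved."""
    out = subprocess.run(["pfctl", "-t", table, "-T", "show"],
                         check=True, capture_output=True, text=True).stdout
    nets = parse_table_dump(out)
    with open(path, "w") as fh:
        fh.write(render_table_file(nets))
    return len(nets)


def restore_table(path=SAVE_PATH, table=TABLE):
    """Add the saved entries back; -T add (not replace) keeps anything
    Snort inserted between the dump and the restore."""
    subprocess.run(["pfctl", "-t", table, "-T", "add", "-f", path], check=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed dump; the pfctl-backed
    # functions above are what a reload hook would call around the reload.
    print(render_table_file(parse_table_dump(SAMPLE_SHOW)), end="")
```

Using -T add rather than -T replace on restore is deliberate: entries Snort added during the reload window survive, and the only cost is that an entry removed in that window comes back, which for a block table is the safe direction to err in.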
  • Not understanding openssl speed testing

    6
    0 Votes
    6 Posts
    3k Views
    jimp
    iperf is what we normally use. On endpoints beyond the firewall on each side.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.