@digidax:

So, after sniffing with tcpdump I can reproduce the problem now:
There is a bug in the IMAP preprocessor during handling TLS communication:
http://seclists.org/snort/2013/q3/453
Is there a bug tracker where I can see the status of this reported bug?

I my case, User 1 has a bad DSL-Line. If during the TLS session snort gets a hiccup, the mail server gets a broken TLS login and so it's close the session.

Until this bug is not fixed, there are two ways: disable the IMAP preprocessor OR switch of TLS for IMAP auth.

best regards
Frank

I have a new Snort package based on the 2.9.5.5 binary that is being reviewed by the pfSense Core Team now.  Hopefully they approve and merge it soon.  I believe some TLS fixes are in the new binary.

Bill

Thanks
It's working now

Remove
then install
then reboot

@thermo:

ssh into your pfsense & into the shell.

killall radiusd /usr/local/sbin/radiusd -X

and watch the output.

No need to kill the process just stop it on GUI.
radiusd -X  will run freeradius in debug mode and tells you everything.

In freeradius GUI you can enable the logging of good and bad authentications - passwords and usernames will be shown in pfsense syslog.

Further make sure that the switches and WLAN AP have the same shared secret as in freeradius NAS/Clients.

Make sure that your switches and APs send its correct NAS-IP to freeradizs and configured in Users.

Freeradius - View config could help you to find out if your Users file looks correct and represets all your paramwters.

The order in the users file is important. So if there is one user added twice the first match will win.

I've updated haproxy-full package to 1.1.

It's working fine on 2.0.3 and 2.1 as well.

Use the suppress icon to filter away blocks because of that SID.

of course it is possible, in squidguard using group acl feature you can create different user profiles by source or captiveportal usernames(squid3-dev required) with different filtering options

Hi,

you could try this:
http://wiki.squid-cache.org/SquidFaq/ClearingTheCache

Pruning the Cache Down
and
Changing the Cache Levels

Perhaps downsizing the HDD cache could solve the problem. But you changed the path and if it works it will be ok :)

Thank You for your help :)

I have a workaround which involves modifying havp.inc - I know it will get overwritten when I reinstall HAVP package. I wasn't able to get internal and NAT rules to work so I modified the rule / filter using supernetting so it will not redirect to HAVP if destination IP falls within the IP range.

If anyone has gotten internal and NAT rules to work, please let me know.

hi..
i followed it and its working fine at squid 3.3.5

http://forum.pfsense.org/index.php?topic=65102.0

i reinstalled the cron package, it was the latest one though, and the error disappeared, use the below works for me so will stick with it

command = /etc/rc.reboot (works in both crons)

Looks like this setting will always be ignored: https://github.com/pfsense/pfsense-packages/blob/4e3879cf61b174570a0a27ab84fd32040e044222/config/ntop2/ntop.xml

@Amirkabir:

Hi
I want to know how pfsense snort package block attacking hosts. Is there a plugin like snortsam in snort package?

Snort on pfSense makes use of an old third-party open-source plugin called Spoink.  This is compiled into the Snort binary on pfSense as an output plugin.  It sees all of the alerts and examines the IP addresses and compares them to an internal whitelist table.  Any IP address not matching up with a whitelist entry is then "blocked".  This blocking is done by calling the BSD pf (packet filter) API to insert the offending IP address into a block table called snort2c.  Currently snortsam is not used.

Bill

I was working on this exact problem with preserving the URI during redirect and had stumbled upon this thread.  I thought I would share the solution to help others who may be in the same boat.  Squid 3.2 required.

pfsense 2.0-RELEASE (i386)
squid3-dev 3.3.8 pkg 2.2

Use '^/.*$' in the Path regex field to match on domain + whatever.

http://wiki.squid-cache.org/Features/CustomErrors#deny_info_URL_codes_for_embedding

Simply add %R to the 'URL to redirect to' field so it looks like this: 'https://pfsense.org%R'  In this case, http://pfsense.org/mysuperpage.php redirects to https://pfsense.org/mysuperpage.php

pftop -i (real name of the interface)

e.g.

Seems to work for me.

marcelloc is right, a Firwall or Gateway can't filter LAN to LAN because it is normally Layer3 device.

You should use something like Asymmetric VLAN, so you dont need a lot of subnets to filter. Ceep it simple

Here is something to read:
ftp://ftp.dlink.es/FAQs/TS_AV.pdf
ftp://ftp.dlink.de/anleitungen/Switch/DGS-12xxT_Howto_de_overlapping_vlan_Rev_D.pdf

Edit:
Cisco explains it too
http://www.cisco.com/en/US/docs/switches/connectedgrid/cgs2520/software/release/15_0_2_ed/configuration/guide/cgs_asym-vlan.pdf

@Legion:

Thanks marcelloc. Doing that at least changed the error message to:

TCP_MISS/503 0 CONNECT some_rfc_1918_address_but_not_in_my_local_net:utorrent's_port - DIRECT/some_rfc_1918_address_but_not_in_my_local_net

Maybe it's something to do with the CONNECT method? Where I'd normally expect the GET method?

This torrent maybe trying to connect via ssl, that's why you only see CONNECT on logs