Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    Docker image for squid 7.3 and above: https://hub.docker.com/r/fredbcode/squid (if pfSense does not push the update).
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARA
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with the Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, and it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log. I tried launching it manually:
    # /usr/local/bin/suricata -V
    or
    # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787
    and I get this output:
    ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8"
    Thanks in advance, Dara
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure they match the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:
    /usr/sbin/chown -R nobody:nobody /var/db/ntopng
    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmatt
    @vicking said in No blocks on IP:
    Is it a bad idea to have the action set to deny both instead of inbound only? Question is squarely for admin.
    Per the infoblock which explains, in part, the "Deny Inbound", "Deny Outbound", and "Deny Both" actions:
    'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:
    Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list
    Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction. One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction.
    In other words: When set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However, a LAN host can still establish state to an otherwise listed IP. If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However, an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state. If set to "Deny Both", both incoming connection requests and outbound connection requests are blocked and therefore no state will be created regardless of connection direction.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    @dennypage Nicely done sir!
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the acme-webgui times out. When the acme-webgui times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.
  • Discussions about WireGuard

    715 Topics
    4k Posts
    patient0
    @andresbraga if you still have the firewall rules as you posted, then I don't know why from the laptop you can't ping the pfSense WireGuard address 10.10.6.1 nor the pfSense gateway 10.10.1.1. What is the routing table of the laptop? And I would run a packet capture on pfSense and check what you see if you run the ping to 10.10.1.1 or 10.10.6.1.
  • Squid and "Do not cache" option

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    In squid < 3.0, you want the no_cache directive.
    Usage: no_cache deny|allow aclname
    Description: A list of ACL elements which, if matched, cause the reply to be immediately removed from the cache. In other words, use this to force certain objects to never be cached.
    Default:
    acl QUERY urlpath_regex cgi-bin ?
    no_cache deny QUERY
    The word 'DENY' is to indicate the ACL names which should NOT be cached.
    Example:
    acl DENYPAGE urlpath_regex Servlet
    no_cache deny DENYPAGE
    The DENYPAGE acl assures that the URL containing Servlet will NOT be cached.
  • Spamd listening port?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    And thus my spam increase issue, thanks to Comcast blocking 25 both ways. Thanks for the info.
  • Flush/Clear SQUID Cache.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • [p3scan] Target ip error!

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    @NicolaPaone: @ron: firewall, It will be a few days possibly, but I'll put together a new update to the p3scan package shortly that fixes your issue. I got approval from the original pfSense package maintainer to take over the maintainership, and I've been working on an update to the package. The issue you are seeing is that the original p3scan-pf port does not correctly account for the packet redirect when using the PF redirection (i.e. the code doesn't look up the original sender IP address correctly in the TCP packet when using it in transparent mode, and it then sees itself as the original packet sender, which loops). The issue has nothing to do with the pfSense package, and is a bug in the base p3scan port to FreeBSD. I have fixed it and have it working on one of my systems now. I just need some time to get the patches together. I also have an update to the ClamAV pfSense package coming too that goes with this for AV scanning. I'll have to get someone in the core team to post the updates when they are ready. Regards, Ron
    Hello everyone, I too found the bugs in question … I even tried to compile the p3scan package, but nothing ... Under Linux (Debian), no problem ... everything works on the first try. I believe both are bugs in p3scan for BSD. If I may give you a hand, I'm happy to collaborate with you. Let me know .... @Ron news???
  • IMSpector: Whitelist full access not working for MSN

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Changing ftp local packages???

    Locked
    15
    0 Votes
    15 Posts
    16k Views
    I don't know what dependencies exist with my pb, so which command is dangerous?
  • Does IMSpector in Pfsense supports to mail out the LOG ?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    You would have to write a shell script. If using file logging, the logs would be stored in /var/imspector.
  • Snort memory leak ?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    You were right; the first time I increased memory I did not add enough. Finally, I added 400M memory and it is working fine now. Thanks for your help.
  • Can't install WGET package (or other one)

    Locked
    11
    0 Votes
    11 Posts
    15k Views
    In the beginning I want to correct my problem statement, because I cannot install any package. (I am not against the use of fetch.)
  • LightSquid Configuration / DNS Name Issues

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    Check it works with 'Demo - return AUTHNAME, else DNSNAME, else IP'. But any change to the 'IP resolve method (future)' option takes effect only on new refreshes.
  • Squid configuration

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry Havok
    (This belongs in the Packages forum.) Yes, there is a GUI - try installing Squid and have a look.
  • Browse with our without proxy settings

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    I think this is the answer:
    As you can see, pressing reload in Netscape (and some other browsers) doesn't simply re-fetch the page, it forces the cache not to serve the cached page. Many people doing tests of how the cache increases performance simply press reload, and believe that there has been no change in speed. The cache is, in fact, re-downloading the page from the origin server, so a speed increase is impossible.
    To test the cache properly you need two machines set up to access the cache, and a page that does not contain "do not cache me" headers. Pages that use ASP often include headers that force Squid not to cache the page, even if the authors are not aware of its implications. So, to test the cache, choose a site that is off your local network (for a marked change, choose one in a different country) and access it from the first machine. Once it has downloaded, change to the second machine and re-download the page. Once the page has downloaded there, check that the page is marked as a 'HIT' (in the file called access.log - the basics of which are covered earlier in this book). If the second accesses were marked as misses, it is probably because the origin server is asking Squid not to cache the page. Try a different page and see the difference the cache makes to browsing speed.
    Many people are looking for an increase in performance on problem pages, since this is when people believe that they are getting the short end of the stick. If you choose a site that is too close, you may only be able to see a difference in the speed in the transaction-time field of the access.log.
  • Squid working?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    I have the same thing. When I go to sites where there are pictures to download with a slideshow, and I go back to the same URL, it seems that the pictures are not coming from the proxy but directly from the internet. Can this be a bug?
  • SquidGuard update

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    @Monoecus: I noticed one typo in the explanations above the blacklist sections: 4-all rule('allow' ro 'deny') should be an 'or', right? Besides, I saw that the Shallalist has been updated with new categories. Thanks
    must be "4-all rule('allow' or 'deny')". About Shallalist - this is not my work ???
  • New version of snort

    Locked
    12
    0 Votes
    12 Posts
    6k Views
    Did you guys figure this out? I'm getting the same error now. It happens while snort is loading the rules, right after startup.
  • SQUID 2.6.18.1 / cannot browse specific pages ?

    Locked
    11
    0 Votes
    11 Posts
    6k Views
    Coming back to the reply of "Perry": I can also confirm the problem http://www.squid-cache.org/bugs/show_bug.cgi?id=2342. I collected the data and, as far as I can see, it is an HTTP 1.0 / HTTP 1.1 problem (attached docs). Is the HTTP 1.0 / HTTP 1.1 problem caused by the server, by SQUID, or by pfSense? I have to apologize, but I am not a network specialist and use SQUID somewhat as a "black box". Regards, Günther
  • HOWTO : configure freeradius

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    What are you wanting to do with FreeRADIUS? Are you trying to do something with the pfSense captive portal, or are you wanting to use it for wireless network authentication? There are many ways to configure FreeRADIUS - but only you know what you want to do. I don't use FreeRADIUS on pfSense, but I do maintain the FreeRADIUS packages for FreeBSD (which, amongst other things, underpin FreeRADIUS on pfSense) and I use FreeRADIUS on one of my FreeBSD servers. When I get the time, I will try to set up the pfSense FreeRADIUS package to see what it can do - but I have so many things to be getting on with at present.
  • Manual download of Snort rules

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Ah well, thanks. :-) I'll try Snort on some better hardware.
  • Transparent bridge mode to DMZ, and NAT to private LAN, and Snort?

    Locked
    2
    0 Votes
    2 Posts
    7k Views
    Well, I've got pfSense bridging the WAN to the DMZ whilst NATting the Private LAN. So far so good. I'm trying to get Snort working now. I must say that pfSense is an excellent firewall; it is remarkably flexible and has a vast range of configuration options. Well done!!
  • Proxy setup tutorial

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    @GruensFroeschli: No. You can. But you don't have to. In some banana countries, yes, you have to :) And, yes, it works fine over OpenDNS and over squid, but it can't support multiple WANs ??? :-\
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.