1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    D
    I recently start have trouble saving my HAProxy configuration due to a error. It keeps adding clientca_ in front of the SSL offload certificate name. On file level this file does not exist! I tested with both HA Proxy plugins, the regular and dev version. I tried to regenerate the SSL (Lets Encrypt) but this keeps happening. [ALERT] (45623) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_shared-frontend.pem' (No such file or directory). [ALERT] (45623) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:28] : 'bind 0.0.0.0:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_shared-frontend.pem Does anybody have the same behaviour? to be clear I have the 25.07-RC running. The relevant part of /var/etc/haproxy_test/haproxy.cfg frontend shared-frontend bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy_test/shared-frontend.crt_list ca-file /var/etc/haproxy_test/**clientca_**shared-frontend.pem verify required crl-file /var/etc/haproxy_test/**clientcrl_**shared-frontend.pem

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nianC
    @rlrobs Yes it’s still working fine here.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K
    @pulsartiger The database name is vnstat.db and its location is under /var/db/vnstat. With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    M
    I resolved this by accepting the T+Cs via https://www.maxmind.com/en/accounts/1205389/geolite2/eula

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG
    @EChondo What's your pfSense version ? The instructions are shown here : [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png] A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate. @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy: I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess. No need to wait x days. You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    J
    @div444 i'm finding the same - did you find a solution or did reverting fix it? Hoping there is a patch fix or something to get it working! Rather not rollback if i can avoid it

  • Discussions about the Tailscale package

    90 Topics
    578 Posts
    T
    Re: How to update to the latest Tailscale version? I am on latest released Netgate 6100 pfSense PLUS v24 ( pfSense_plus-v24_11_amd64-pfSense_plus_v24_11 ) pkg config abi FreeBSD:15:amd64 pkg -vv | grep -A 3 "pfSense:" pfSense: { url : "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v24_11_amd64-pfSense_plus_v24_11", enabled : yes, priority : 0, cat /usr/local/etc/pkg.conf ABI=FreeBSD:15:amd64 ALTABI=freebsd:15:x86:64 PKG_ENV { SSL_CA_CERT_FILE=/etc/ssl/netgate-ca.pem SSL_CLIENT_CERT_FILE=/usr/local/etc/pfSense/pkg/repos/pfSense-repo-0001-cert.pem SSL_CLIENT_KEY_FILE=/usr/local/etc/pfSense/pkg/repos/pfSense-repo-0001-key.pem } This firewall is obviously running on FreeBSD 15 no longer on 14. But can I use the freshports link for FreeBSD 14 amd64 quarterly which is at tailscale 1.86.2 or can I only go up to version tailscale 1.84.2_1, and need to wait until they have a version of tailscale 1.86.2 or higher for the FreeBSD 15? Would it be good enough to tell it to ignore the OSVERSION? export IGNORE_OSVERSION=yes Note: use of 14 and not 15 ? pkg add https://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/All/tailscale-1.86.2.pkg service tailscaled restart tailscale up

  • Discussions about WireGuard

    690 Topics
    4k Posts
    J
    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection. If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application? Thanks.
Log in to post
Load new posts
  • E

    Snort – Openssl-Heartbleed bug (CVE-2014-0160)

    16
    0 Votes
    16 Posts
    4k Views
    E
    Hi, following the steps to reproduce and bypass Snort: downloaded this script to test the vulnerability (and dump the memory) of the buggy pfsense –> https://gist.githubusercontent.com/sh1n0b1/10100394/raw/4f24ff250124a03ad2d3d6010b6402c3a483d2f3/ssltest.py the attacker runs the script (meanwhile the administrator of the pfsense is logged in from his browser); in the dump file is stored the session ID of the admin's session. 3)at this point, after the dump has occurred, Snort has recognised the attack and blocks the source ip. used a cookie editor (for example cookies manager+ from firefox addons) and create a custom cookie with the session ID extracted before. 5)now if we change the source ip (cell. tethering or using tor if can't change external ip) using the new cookies you will be able to Hijacking the session. However, for open source projects like this i think we should always see the cup half full( italian proverb :D), it's already so much what Snort does for the cost of 0. Edoardo
  • B

    Varnish - reverse proxy - backends order error

    6
    0 Votes
    6 Posts
    2k Views
    B
    Okay, so I reinstalled the varnish3 package, but I got this error in logs: php: /pkg_mgr_install.php: The command '/usr/local/etc/rc.d/varnish.sh' returned exit code '2', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 4096 -> 4096 Message from VCC-compiler: Reference to unknown backend 'BACKEND' at ('input' Line 34 Pos 28) .backend = BACKEND; –-------------------------#######- In director specification starting at: ('input' Line 32 Pos 1) director LBD01 round-robin { ########-------------------- Running VCC-compiler failed, exit 1 VCL compilation failed' I give up this package in my point of view is very alpha.
  • belleraB

    [SOLVED] squidclient

    5
    0 Votes
    5 Posts
    8k Views
    belleraB
    Sticky thread about Monitor Squid Status, https://forum.pfsense.org/index.php?topic=28835.0
  • H

    Web cache server is not working for me

    2
    0 Votes
    2 Posts
    689 Views
    belleraB
    pfSense version? Package version do you want to install? There are different squid package versions. LAN/WAN scenario? (One LAN or more, one WAN or more?).
  • A

    Firewall Rule, Squid and Squidguard

    6
    0 Votes
    6 Posts
    3k Views
    belleraB
    Yes, whitelists go before blacklists. That's all. If you need to do something like !block_bad_words filter_some_domains !block_with_big_black_lists you can see a trick at https://forum.pfsense.org/index.php?topic=73759.msg404261#msg404261
  • BBcan177B

    Snort IPrep

    15
    0 Votes
    15 Posts
    3k Views
    bmeeksB
    @BBcan17: @bmeeks: @BBcan17: I noticed this in the Blocked log? Not sure how that got added? I check the blocklist and its not there. 224 255.255.255.255 (spp_reputation) packets blacklisted - 04/15/14-13:10:56                               (portscan) UDP Filtered Portsweep - 04/15/14-10:19:22 Obviously it was a broadcast.  Could be a bug in the IP REP preprocessor code within Snort itself.  Done improperly, a test of a broadcast address could seem to match any IP address.  All the GUI package code does is set a handful of snort.conf parameters for the preprocessor. I guess add that to the Whitelst? Nah…I wouldn't bother.  You generally don't care if a broadcast is blocked because that is all subnet localized anyway.
  • T

    Prevent snort from blocking particular websites

    2
    0 Votes
    2 Posts
    2k Views
    bmeeksB
    @thelongdivider: The title says it all.  Whenever snort is enable even the most popular websites like amazon and newegg are blocked by snort, as well as a couple of less common websites that are important to me.  Is there any way to unblock these sites on a website to website basis? Welcome to the world of false positives.  It happens with all IDS systems.  You need to examine the alerts, and if you trust the web site and are sure it is a false positive, you have two options: (1) suppress the alert or (2) add the host to a Pass List.  Here are some links to the Documentation Wiki with some details on each method. https://doc.pfsense.org/index.php/Snort_suppress_list https://doc.pfsense.org/index.php/Snort_passlist There is also a long thread here in the Packages forum containing known false positives and the corresponding Suppress List entries for them.  Here is a link to that thread: https://forum.pfsense.org/index.php?topic=64674.0 Bill
  • I

    Snort: Alerts in the suppress list still visible in logg

    15
    1 Votes
    15 Posts
    4k Views
    P
    @BBcan17: @Priller, Did you try to re-install Snort? Or a De-install and re-install (Make sure the Checkbox is click to keep settings after deinstall) My bad for hijacking the original Snort problem reported.  Snort is working fine for me, it's Suricata that is exhibiting the identical problem that the OP reported with Snort. So, for Suricata, yes I did try a de-install and re-install.  I performed that both keeping the config … and also a total removed and rebuilt the config by hand.
  • ?

    Upgraded pfSense 2.1 with Quagga OSPF, exiting on signal 6

    6
    0 Votes
    6 Posts
    2k Views
    N
    Looks like the dead timer is doing it (40s default), although it gets the hello messages quite regularly: 08:37:50.196698 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:37:59.869506 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:38:09.148189 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:38:18.830889 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68
  • S

    Cannot Install OpenVPN Client Export Utililty

    6
    0 Votes
    6 Posts
    2k Views
    S
    Thanks jimp!  That worked!
  • F

    Squidguard + SSL error page

    5
    0 Votes
    5 Posts
    2k Views
    belleraB
    @mendilli: if you want error page to bee seen for https sites, you should use squid3-dev with https transparent option As @mendilli said, you need squid3-dev + squidGuard+squid3 for SSL Bump (SSL interception). Steps (in Spanish), use translate.google.com https://forum.pfsense.org/index.php?topic=73007.msg402349#msg402349 https://forum.pfsense.org/index.php?topic=73740.0
  • A

    Squid3-dev 3.3.10 pkg 2.2.2 failed to start after upgrading

    2
    0 Votes
    2 Posts
    1k Views
    belleraB
    I saw strange numbers in this case: https://forum.pfsense.org/index.php?topic=74567.0 Look for interfaces activated at your squid3-dev And look for this reported bug, https://forum.pfsense.org/index.php?topic=62256.msg407762#msg407762
  • J

    Free Radius + Captive Portal No valid RADIUS responses received

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • N

    Zebedee

    1
    0 Votes
    1 Posts
    645 Views
    No one has replied
  • O

    DansGuardian AD Groups

    2
    0 Votes
    2 Posts
    1k Views
    O
    Anyone?
  • A

    Upgrade causes snort to enable barnyard (Snort 2.9.5.6 pkg v3.0.6)

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB
    @adam65535: Upgrade of the primary… Now the primary has barnyard enabled for both LAN and WAN too.  Not sure what is causing this.  Not a big deal though.  I just disabled it on the primary for both instances and the backup server got the synced snort config and is disabled there now too. There was a little logic error I introduced into the Barnyard2 migration code that migrates old settings into the new format to support the enhanced output plugins.  I was keying off only one of two parameter that must BOTH be true for Barnyard to have been enabled under the old config.  As a consequence of only looking at one and not both, the migration script was turning on Barnyard2 if it had ever been enabled in the past on an interface. I am fixing that for future upgrades, but for this one the damage is sort of done.  Thankfully it's not a fatal thing.  Just disable Barnyard2 on the interface again and save the update. There are some problems with updating synced pairs with sync still on.  I recommend turning off sync, upgrading all the machines to the same version, then re-enable sync. Bill
  • P

    [Suricata IDS] Extracting encrypted and unencrypted data files

    9
    0 Votes
    9 Posts
    4k Views
    bmeeksB
    @pfNeo: I did another test and I did find some files in the directory, but not the actual dll file. I found file.1 and file.1.meta. file.1 contained the following (stripped) text {"status":"success","url":"http:\/\/www.SOMEWEBSITE.com\/PHPFILE.php?=somecodeinphp"} file.1.meta contains the following TIME:              [stripped content] SRC IP:            [stripped content] DST IP:            [stripped content] PROTO:              [stripped content] SRC PORT:          [stripped content] DST PORT:          [stripped content] HTTP URI:          [stripped content] HTTP HOST:        [stripped content] HTTP REFERER:      [stripped content] HTTP USER AGENT:  [stripped content] FILENAME:          /URLPATH/file.dll MAGIC:            <unknown>STATE:            CLOSED SIZE:              126</unknown> Thanks for the feedback.  Just got back in the country from a vacation and still catching up.' Sorry about giving you the wrong rules file name.  It is custom.rules.  The snort.rules are all the pre-packaged rules. As I mentioned, testing of the file capture ability in Suricata is not something I had a chance to test.  One possible issue is I may have the "magic file" setting messed up.  If you have some knowledge and want to experiment, you can edit that feature in the suricata.yaml file.  There is a "template" for that file in /usr/local/pkg/suricata called suricata_yaml_template.inc. Please post back what you discover.  I want to get this working properly.  I have been multitasking with the Snort package and working on Suricata blocking.  This has limited my time to experiment more with this feature. Bill
  • bmeeksB

    NEW - Suricata 1.4.6 IDS pkg. v0.2-BETA Released

    39
    0 Votes
    39 Posts
    18k Views
    bmeeksB
    @Supermule: Thanks a billion Bill!! Youre SO much the man of this project right now! Thank you.  One caveat for Suricata blocking.  Initially it will have to operate the same way as Snort does using libpcap.  Thus it won't be true inline-mode IPS.  Ermal has to make some changes in the ipfw code within pfSense in order to accommodate true inline IPS mode.  However, due to the problem of context switching between kernel mode and user-land, IPS mode when it comes won't be nearly as fast as the pseudo-IPS mode Snort uses (and that Suricata will use initially).  So true inline IPS is probably not going to be very useful for heavily loaded firewalls.  That's just the nature of the beast unless you go to highly customized code, and if you do that then you can't easily follow the upstream updates. The kernel changes to support true IPS may or may not make it into 2.2.  That is not up to me.  It is up to the pfSense team.  However, I can include the pseudo-IPS mode without those kernel changes.  That means pseudo-IPS can work with 2.1.x releases.  The pseudo-IPS mode is what I am working on now. Bill
  • D

    Snort blocked ips in reverse order

    5
    0 Votes
    5 Posts
    1k Views
    bmeeksB
    @BBcan17: In my installations I see the Alerts tab showing the entries newest first. When you look at the Blocked Page, I think it displays the first alert only for the spp_rep Alert. If you sort by the "#" column it actually isn't in order (By date/time) which I assume should be. Ah…OK.  I will look into that.  The BLOCKED tab does some grouping by taking a blocked IP and then finding all the matching entries for that particular IP anywhere in the Alerts log file.  So if IP address 1.2.3.4 has been blocked say 10 times in the last 3 days, when it gets blocked again, the BLOCKED tab will show all the previous 10 entries along with the current one.  This assumes two things:  (1) you have the blocks being automatically cleared on some interval, and (2) the alerts log has not been itself cleared out. UPDATE:  there is no sorting of the grouped IP data.  That is, the code does not specifically sort by alert time when grouping IPs for display on the BLOCKED tab. Bill
  • Z

    Snort does not run in WAN interface in pfSense 2.1

    26
    0 Votes
    26 Posts
    11k Views
    Z
    FYI The following being enabled kept the WAN interface from turning on. It will show enabled, but it will have that red X next to it and it refused to start. After troubleshooting, I narrowed it down to this very specific rule (which you need to add to your exception list) 2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt Disclosure Attempt If I disable that, then the WAN interface is able to show the green play button (running) without issue.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.