I recommend postfix forwarder for this job.

It does an excellent job of stopping spam bots without any external blocklists but you can add those.

In the firewall log, if you click the red "X" then a popup will tell you which rule has caused the block.

@crester:

Thank you Bill.
I have read the post and it looks it will be a nice workaround until next release.

Reading the post, I have understood how pfSense and Snort work together, because I didn't understand very well how was the processes, as I have a 3-way-hands. and flow (and payload) previous the block.
It has created me a doubt and sorry, I have just landed to pfSense.
What is then the diference if I check "Use IPS Policy"?

is in the pfSense roadmap get snort true inline?

No, there is no roadmap yet for a true inline IDS on pfSense (at least not that I am aware of).  The Snort VRT folks are actually migrating away from that somewhat and pushing folks over to using Barnyard2 and incorporating plugins there such as snortsam.  My reading of their blog posts leads me to believe they will slowly phase out the Output Plugins API that things like Spoink currently rely on.

Bill

Well, there is an option under the web interface (System: Advanced: Notifications) to send emails already. Can you re-use this functionality to send the emails?

@rjcrowder:

@plkmplkm:

EDIT: just a question: in this configuration, the squid field "Bypass proxy for these destination IPs" is still active even if is binded to the loopback iterface or i have to set something in the DG config (i haven't find anything similiar)?

The setting will not have any effect. The way to bypass Dansguardian (and subsequently squid) is to change your firewall rule so that certain IP's are not redirected to port 8080. For example, I have my redirect rule set to not redirect the 192.168.5.208/28 range to port 8080. Then I can put devices such as the Xbox in that IP address range.

Perfect, thank you very much, you're the best  ;)

actually I don't want it to be transparent.

I am using pfsense to simulate a clients network, and all web traffic is https via 3128. I am trying to replicate this in the office before the appliance goes back to the client location.

using a 4 port router I can simulate the gateway and point traffic to the pfsense box, I need to understand how to force all https traffic through 3128 and make it work…

any suggestions would be great.

thanks

@bmeeks:

@nexys:

Now it really works!!! Thank you very much, you just helped me a lot.

You are welcome.  Sorry I did not catch that "drop" versus "alert" change on my first post.  Must have been reading while half asleep… :D

Bill

Look this capture http://puu.sh/2UdxH.png

Edit: When I finished writing this post I went up to 5000.

@steve40:

I had this same exact problem for weeks and nearly decided to scrap the product out of frustration. Then I did a swapinfo -h and saw that my swap space was 100% utilized and only 2MB in size. Then I realized I had chosen the quick and easy install which doesn't ask any questions and lays out your entire partitions for you.

I re-ran the install to disk option in the mode where you get to chose your own layout and made sure to check the swap space allocation and even raised it to 4096MB. I haven't had the problem since.

Hope this helps someone out there.

Damn… I too did the simple install.

@qwertz:

Also the password is saved clear text in the config.xml.
Shouldn't it be encrypted ?

It can't be securely.
http://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml%3F

@Deadringers:

hmm I think I may have found out what it was…

so I upgraded my ESXI guests yesterday to use the VMXNET 3 adapters rather than the e1000

With this meant I had to re apply the config on my 2008r2 DC to the new adapter - here I referenced that the DNS server my DC should use was it's actual IP rather than it's loopback.

I think this was some how producing an in correct result as far as snort was concerned?

Because now I have changed it to 127.0.0.1 and I am getting no DNS errors.

Yep…I don't know all the super secret details of Microsoft AD servers, but I do know the domain controllers want themselves (the loopback address) for DNS.  Glad you got it sorted out.

Bill

@heavy1metal:

Quick question for you, since facebook defaults to HTTPS, what configuration setup did you need to do in order to get it to filter HTTPS? Are you using Squid3? Did you just forward 443 > 8080?

You can't forward 443. You have to use an explicit proxy config if you want to filter SSL. Even then, Dans cannot filter the content for SSL (the traffic is encrypted) - only block by address.

That did it!  Thank you so much.

Don't know what happend but nothing on may custom options code but now again all internet explorer versions are blocked. Can someone help me on this how to block user agent only for some source subnets but not for all ?

I appreciate your help!

Thank you, very usefull info, i haven't found it searching in the forum.