@goldenshark Hi, I know this is old but....I want to do the same thing.

So in Squidguard we are supposed to able to block domains or even by specific URL's. On the FLIP side of that, we should be able to whitelist by domain or by URL.

Therefore, what if I block the entire DOMAIN youtube.com, but then WHITELIST a specific youtube video URL?

In theory this should work fine and the only limiting factor here would be THE ORDER that the block or whitelist items are applied by the filter!

So for example, In Squidguard if I block the DOMAIN youtube.com with a Target Category and then I also create a target category to WHITELIST the url, www.youtube.com/mymovie, then why would it not work? I can SET which target category gets applied before the other in my ACL's. I would ASSUME, last one applied wins. So any whitelist item would override the block list.

So in this example, if my BLOCK list is followed by my Whitelist when a request comes in, Youtube would be blocked first, then ALLOWED by my whitelist.

Unfortunately, I could not get this to work. An I have no idea of how squidguard is actually applying filters in this sense. It seems to not be allowing the Whitelist to override the Block list.

Anyone know how these Target Category's work in a hierarchy?

Also, if you really want a mess, apply a default BLACK LIST in Squid and then it seems that ALL the black list filters get applied last and nullify any Target categories you added.

Its not cool, as it is very quirky and sometimes you need to reboot Pfsense to even get the filters to work at all.

MP

@gertjan said in NUT issue with Netgate 3100:

@jostermacedo said in NUT issue with Netgate 3100:

Cyber Power

With a space ;)
What version ?

edit :
See also NUT upsmon : at the bottom of the page you'll find a way to test.
Another test : power pfSense from another wall outlet,and connect the USB to the UPS.
Have the connection established.
Login to to the console and/or SSH.
Now remove the power from the UPS.
Check the main pfSense logs. And what show up on the console ?

edit 2 :
You use probably the USB driver "usbhid-ups" : see here

https://networkupstools.org/docs/man/usbhid-ups.html

scroll down to "Unattended shutdowns" and do what is suggested.

Gertjan,

PfSense: 21.05.2
NUT: 2.7.4_8

thanks for the info. I'll try it tonight.

Joster

@jonathanlee

It has arrived !!! Thank you!!!

arrived.JPG

johnpoz,

Thank you very much for the guidance. I will perform as per the documentation.

Uncheck "Keep ntopng settings, graphs and traffic data" in settings and save. Uninstall official package. Intstall official package and disable ntopng in settings. Install official "sudo" package (or root login cli) . Open CLI and add packages in this order:

sudo pkg add -f https://mirror.xtom.com/freebsd-pkg/FreeBSD%3A12%3Aamd64/latest/All/lua53-5.3.6.pkg

sudo pkg add -f https://mirror.xtom.com/freebsd-pkg/FreeBSD%3A12%3Aamd64/latest/All/openldap24-client-2.4.59_4.pkg

sudo pkg add -f https://mirror.xtom.com/freebsd-pkg/FreeBSD%3A12%3Aamd64/latest/All/ntopng-5.0.d20210923,1.pkg

Enable ntopng in settings.

Works for pfSense 2.5.2, amd64. Now you have version ntopng 5.0.2 :)

Link for amr (FreeBSD 12): https://mirror.xtom.com/freebsd-pkg/

@technomilm

Try this :
Power down the device using Diagnostics => Halt system.
As soon as the device is actually halted, remove the power cable.
Take a the,coffee/whatever.
Put the power back on, boot the device.
You should be fine.

Btw : pfSense was trying to load some 'package' files. If you were loading any other package, like 'Notes' or 'Cron' you would most probably see the same error, so it's not really 'pfBlockerNG devel ' related.

@bmeeks awesome! thanks for the info! gives me a jump start when i tinker on this during the week, will definitely lab test it on some spare hardware.

As evidenced by the dearth of replies to your question, TOR, however noble its original design and intention, has had its reputation severely tarnished by association with the dark web and its bad actors. Thus I suspect no self-respecting firewall admin would consider putting anything TOR anywhere near their firewall.

@hulleyrob If I had to guess there are some things in redmine about packages not installing on reinstall, and this one talks about forcing reinstall sort of thing..

https://redmine.pfsense.org/issues/12235

To report the issue you have experienced we would really need some more details, and copies of your config you restored, etc..

But as you said its easy enough to work around.. But yeah it could get frustrating for someone, sure..

@NogBadTheBad @Gertjan :
I received my spare SG-1100, set it up using the absolute basics and installed the FreeRADIUS package on that unit. Exact same issue.

So the problem was the FreeRADIUS Server Certificate which was not created automatically, like in Tom's video. Right after installing the package I got the following notice:
ce6fb673-565f-4701-99eb-2e839613f9dc-image.jpeg
This was exactly the same on my production SG-1100 unit.

I don't understand why the SC could not be created where the CA was created just fine. I found this other post right here on the forums of another SG-1100 user running into the same issue. Could this be related to the SG-1100 specifically?

Anyway I created a Server Certificate under de FreeRADIUS CA and boom the server is running and it is authenticating.

Just one question as this is the first time I create my own certificate: The common name field cannot be left blank or I'll get an error creating the certificate:
4a3ac69e-ad16-4081-838b-ffc96bf1bfa5-image.jpeg

However I didn't know what to enter there for this special FreeRADIUS use case. So I just entered a non-existing url. Will that be adequate?

Thanks for your help!

Pete

@zoltrix
It seems you are correct, if I load nut on a workstation, I can poll statistics if I know the configured name and address without any configuration on the client side. You could make this harder by choosing a unique name instead of the default 'ups'. I don't see this as a security risk, but the nut manual has a section 'Notes on securing NUT' which may be of use. An easy fix on pfsense would be to block LAN access to the NUT port for all but trusted workstations.