Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pgblockerng aliases in Haproxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    Gertjan

    @AlexK-0 said in Can't receive GeoIP databases updates anymore, banned:

    Days ago, I received an email from MaxMind notifying me that my country has been banned from receiving GeoLite City database updates.

    You've found a reason to use a VPN.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    EChondo

    @fxandrei Found this thread via Google. And I figured out what OP did, so here's the explanation:

    In the pfSense webpage do:

    Click on "Services", select "Acme Certificates", and edit any of your certificate entries by clicking on the pencil icon. Scroll to the bottom of the certificate edit page and find the "Actions list" section. Click on "Add" to add a new action and fill out the information as needed. For HAProxy restarting do:

    Mode: Enabled
    Command: /usr/local/etc/rc.d/haproxy.sh restart
    Method: Shell Command

    And finally "Save" at the bottom of the cert edit page.

    As far as I can tell, the above action seems to propagate to all certificates that I have, not just a single one. I am not sure if this is just a visual bug, but just something to be aware of.

    I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    Hopefully this helps you and anyone else that finds this thread via searching.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    689 Topics
    4k Posts

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection to pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • Packages blocked after update

    2
    0 Votes
    2 Posts
    666 Views

    I reinstalled the gui of the package and I have been able to uninstall it after that.
    So I presume my updated install is now clear.

  • Dansguardian doesn't really block access

    1
    0 Votes
    1 Posts
    352 Views
    No one has replied
  • MOVED: asterisk on pfsense

    Locked
    1
    0 Votes
    1 Posts
    496 Views
    No one has replied
  • Squidguard 1.4 reporting garbage on redirect page

    1
    0 Votes
    1 Posts
    649 Views
    No one has replied
  • Arpwatch pkg not starting...

    12
    0 Votes
    12 Posts
    5k Views

    Same problem here, arpwatch service won't start.

    If I look inside /usr/local/etc/rc.d/arpwatch.sh I find

    /usr/local/sbin/arpwatch -d -f /var/log/arp.dat  -i bce2 > /var/log/arpwatch.reports 2>&1 &

    But executing this on the command line only gives "Ambiguous output redirect." (although this may just be a shell problem).

    Anyway, arpwatch (2.1.a15_8 pkg v1.1.2) not working on pfSense 2.2-RELEASE (amd64) :(

  • Squidguard not blocking any traffic

    2
    0 Votes
    2 Posts
    828 Views
    KOM

    Are you using Transparent mode?  Are the sites not being blocked HTTPS?

  • Unable to configure haproxy. Need help please

    6
    0 Votes
    6 Posts
    3k Views

    Thank you,

    My mistake was that I used the clone option on the first frontend, then you can't see the shared option. :'(

  • Squid and OpenVPN Road Warrior

    2
    0 Votes
    2 Posts
    1k Views

    I have the exact same issue on pfSense 2.2-RELEASE (amd64) (built on Thu Jan 22 14:03:54 CST 2015 FreeBSD 10.1-RELEASE-p4) with squid 3.4.10_2 (pkg 0.2.6).
    The second number varies though, and it doesn't seem to always produce this error. I had it working for 2 weeks perfectly, but a few minutes ago my gateway went down and that led to this strange error again.

    For reference, my error was:

    Mar 1 20:14:29 php-fpm[42821]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was '2015/03/01 20:14:29| aclParseIpData: unknown netmask '0.20173389051966' in '0.40.0.0/0.20173389051966' FATAL: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 31: acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071 Squid Cache (Version 3.4.10): Terminated abnormally. CPU Usage: 0.061 seconds = 0.031 user + 0.031 sys Maximum Resident Size: 45728 KB Page faults with physical i/o: 0'
    Mar 1 20:14:29 squid: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 31: acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071

  • System log full of snort errors without configuration change

    3
    0 Votes
    3 Posts
    1k Views

    Ok, thanks for the info!!

  • Squid3 + antivirus - freshclam not updating automatically

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    Jailer

    Mine had updated automatically last night at midnight as scheduled, but I did a manual update just to check it and see.

    Both seem to be functioning normally for me.

  • Squid swaps in 2.2-memory leaking freebsd 10

    3
    0 Votes
    3 Posts
    1k Views

    updated the first post…

  • Clamav Update to 0.98.6?

    3
    0 Votes
    3 Posts
    791 Views

    Hi,
    Yes, that's true. I forgot to write that. But the question still remains: why are pfSense or FreeBSD still on the old version?

  • Running snort inline-test mode

    11
    0 Votes
    11 Posts
    4k Views
    bmeeks

    @SenselessCow:

    First case WAN to get some experience but later preferably a setup as explained here: https://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417

    To run Snort in a "test mode" of sorts, simply uncheck the Block Offenders box on the INTERFACE SETTINGS tab for each Snort interface.  The checkbox is within the Alert Settings section of the tab.  With that box unchecked, Snort will alert and log the incident, but it will not insert any blocks into the firewall's packet filter engine for the IP addresses in the alert.

    In the configuration described in the above paragraph, Snort is running as an IDS (Intrusion Detection System).  It detects a problem, but only alerts you to its presence.  When you check the Block Offenders checkbox and then restart Snort on the interface, it will insert blocks for the offending IP addresses (depending on the setting of the Which IP to Block drop-down) into the firewall's packet filter engine.  When the Block Offenders box is checked Snort behaves closer to an IPS (Intrusion Prevention System) within the limits described earlier in the thread relative to using libpcap and working from copies of packets, etc.

    For the majority of home networks, running Snort on the LAN only is probably the best solution.  I run some rules on the WAN solely for the purpose of seeing some alerts from Snort as part of my testing.  My firewall rules block pretty much all unsolicited inbound traffic anyway, so Snort on the WAN for me is not adding to security.  It is just there to gather some log data really.

    Bill

  • Squid3 Crashing frequently

    7
    0 Votes
    7 Posts
    3k Views

    @marcelloc:

    Better see cache.log and squid -k parse

    Squid3 on pfSense 2.2 32-bit still needs a package compilation to work in transparent mode. I'll ping Renato again...

    How about the 64-bit version? In non-transparent mode, CPU utilization goes to 100% randomly and cache.log contains this:

    2015/02/20 09:43:53 kid1| Starting new negotiateauthenticator helpers...
    2015/02/20 09:43:53 kid1| Starting new negotiateauthenticator helpers...
    2015/02/20 09:57:20 kid1| Starting new negotiateauthenticator helpers...
    2015/02/20 09:57:20 kid1| Starting new negotiateauthenticator helpers...
    2015/02/20 09:57:20 kid1| Starting new negotiateauthenticator helpers...
    2015/02/20 10:03:25 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
    2015/02/20 10:03:28 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
    2015/02/20 10:03:47 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
    2015/02/20 10:04:17 kid1| Starting new memberof helpers...
    2015/02/20 10:04:46 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
    2015/02/20 10:04:46 kid1| WARNING: memberof #Hlpr0 exited
    2015/02/20 10:04:46 kid1| ERROR: The memberof helpers are crashing too rapidly, need help!
    2015/02/20 10:04:47 kid1| WARNING: memberof #Hlpr0 exited
    2015/02/20 10:04:47 kid1| ERROR: The memberof helpers are crashing too rapidly, need help!
    2015/02/20 10:04:52 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
    2015/02/20 10:04:52 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
    2015/02/20 10:05:07 kid1| WARNING: memberof #Hlpr0 exited
    2015/02/20 10:05:07 kid1| ERROR: The memberof helpers are crashing too rapidly, need help!
    2015/02/20 10:06:12 kid1| WARNING: memberof #Hlpr0 exited
    2015/02/20 10:06:15 kid1| WARNING: memberof #Hlpr0 exited
    FATAL: The memberof helpers are crashing too rapidly, need help!

    Squid Cache (Version 3.4.10): Terminated abnormally.
    CPU Usage: 38855.042 seconds = 38840.176 user + 14.866 sys
    Maximum Resident Size: 774000 KB
    Page faults with physical i/o: 11
    2015/02/20 10:06:18 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...

    "memberof" from squid.conf:

    external_acl_type memberof ttl=300 ipv4 %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -P -K -R -b "dc=,dc=local" -D "squid_k@.local" -W "/usr/local/etc/squid/squid_k.pass" -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:1.2.840.113556.1.4.1941:=cn=%g,OU=Internet,DC=***,DC=local))" -h 192.168.0.231 192.168.0.239

    Can I use the "ext_ldap_group_acl" helper from Squid version 3.3.10, for example, because it's just an external (to Squid) program if I understand correctly, and it works fine on pfSense 2.1.5?

  • Snort - alerts tab - reference to sid (link) possible?

    10
    0 Votes
    10 Posts
    2k Views
    bmeeks

    @fsansfil:

    This may be helpful when I have majority rules enabled for blocking, but still want to test how specific rules react without affecting connections… or just for some special logging purposes.

    Yes we need the log rule action ;)

    F.

    I have considered adding that feature.  Still trying to figure out the best way to expose it while at the same time not totally upsetting things for all the users that are accustomed to the legacy method of the package (where any alert is the same as a block).  I have tossed a few possibilities around in my head.  Whatever I do for Snort would likely also get rolled into Suricata.

    Bill

  • pfSense 2.2 and Squid3+squidGuard-devel Error

    4
    0 Votes
    4 Posts
    2k Views

    @mmjlz:

    Hi,

    Are you using the webConfigurator with HTTPS? If yes, this has always helped me:

    If you’re using SSL to secure your webConfigurator, pfSense sends the block page (sgerror.php) over an https connection. By default, any good browser will NOT load an http URL inside an iFrame on an https page (it’s a security thing)

    Solution
    Instead, you can set lighttpd to ignore sgerror.php when it redirects http requests to https.

    1. Go to "Diagnostics > Edit File" and load /etc/inc/system.inc
       Find the lines that modify your lighttpd config to redirect http to https, which should say:

        $SERVER["socket"] == ":80" {
            $HTTP["host"] =~ "(.*)" {
                url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" )
            }
        }

    2. Update them to NOT redirect the file beginning sgerror.php:

        $SERVER["socket"] == ":80" {
            $HTTP["host"] =~ "(.*)" {
                # negative lookahead: every path except those starting with "sgerror" is still redirected
                url.redirect = ( "^/(?!sgerror)(.*)" => "https://%1{$redirectport}/$1" )
            }
        }

    3. Save.

    4. Go to "Diagnostics > Edit File" and load /usr/local/pkg/squidguard_configurator.inc
        Find the lines starting with: $guiport = (!empty
        Make a new line below and enter: $guiport = '80';

    5. Save. Restart your webConfigurator (shell option 11).

    6. Restart SquidGuard

    maybe it helps you too :)

    You are a star, this fixed the problem for me. Thank you very much :)

  • Snort and OpenVPN

    3
    0 Votes
    3 Posts
    4k Views

    Hi,

    I have a similar setup. I have one LAN and one WAN and the OpenVPN Server running.
    I use my mobile devices to redirect all traffic through the VPN and then browse the web using my internet connection.

    And I can confirm that Snort cannot listen on the OpenVPN interface and Snort cannot see anything on LAN. But Snort analyzes the traffic from OpenVPN to the web on the WAN interface.

    PS:
    It seems to be independent if the OpenVPN server is listening to the LAN or the WAN interface.

  • Snort Configuration

    2
    0 Votes
    2 Posts
    1k Views
    bmeeks

    @ghkrauss:

    I notice that just using ETPro with Snort will not allow configuration of the wan interface.

    That is not true.  You can use any rule set on any configured interface.  What leads you to think Snort does not support ETPro on the WAN interface?

    @ghkrauss:

    Does one have to use snort rules with ETPro rules?

    No, you can use just the Emerging Threats rules if you like (or just the Snort GPLv2 Community rules, or any combination of ET, VRT and Community rules).

    @ghkrauss:

    How does one configure Snort for use of Emerging Threat ETPro ruleset?

    On the GLOBAL SETTINGS tab click the checkbox to enable ETPro rules then type your subscription code into the text box that will appear.  The page uses dynamic HTML to show/hide form fields as different options are enabled.  Be sure you are using a current version browser that supports dynamic HTML (pretty much anything these days will).

    There is a sticky thread in the Packages forum for quickly setting up Snort for new users.  You may find it helpful.

    Bill

  • Upgrade to 2.2 Service Watchdog change RACOON to IPSEC

    1
    0 Votes
    1 Posts
    517 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.