I seem to remember that lightsquid was sort of flakey with the latest greatest version 3 squid, So I tended to use the older more stable squid.  Not sure what you are using.

@bonkas:

Has this issue been resolved?

I am also running a PPPoE Connection and trying to get Suricata configured but my logs are flooded with "SC_ERR_DATALINK_UNIMPLEMENTED" errors.

Suricata will not start automatically after a pfsense restart, is this by design or caused by these errors?

Regards,

No, not resolved and can't be really resolved until there is an upstream patch to Suricata so it recognizes the DLT_NULL data link type that FreeBSD assigns to PPPoE interfaces.  This is a problem in the Suricata binary that comes from upstream.

You can make it partially work by hand-editing the suricata.yaml file and telling it the interface is an Ethernet physical link (by using the real physical NIC driver name), but you will still get occasional errors due to the PPPoE frame headers since Suricata does not expect to see them on a physical Ethernet interface.  Also, I can't guarantee you that all the detection signatures will work properly.  In short, this kind of hack is unsupported and you would be on your own.

If you have a PPPoE interface and want IDS/IPS on it, then you should use Snort instead of Suricata.  The Snort binary fully supports the DLT_NULL data link type that FreeBSD uses.

Bill

sounds like you are missing blacklists… try downloading them.

Squidguard rotates logs daily when enabled.
Squidguard itself maintains 3 log files.

/var/squidGuard/log/block.log /var/squidGuard/log/sg_configurator.log /var/squidGuard/log/squidGuard.log

There is no setting in the GUI for days of number of kb in size.
Maybe "dvserg" can add this option into Squidguard gui/package.

@rjcrowder:

@dvserg:

No, its not suppurted.

You could obviously write a shell script to download multiple and combine them…

Hand-made way possible if you know how it may work. But many users know only GUI way.

@adiadasman:

Bill,

The UUID issue does appear to be my problem. Please check your PMs as I have replied back to your original message.

Got your PM reply and answered.  We can communicate back and forth in PM land.

Bill

I reset the data and it all came back.

I don't know your UPS, but my experience with other UPSes is:

Upon line power loss, the system monitoring the UPS is informed about that event. The monitoring box remains running for the grace period (fpr example, 10 minutes).

If line power has not returned within the grace period, machines get shut down (that may include the monitoring machine). There will be a preset time to allow all machines to shut down (for example, 5 minutes).

At this point there a two options:

1. If line power remains offline, the UPS will eventually gt to the point where the battery runs flat and it will shutdown the output. When line power returns, the UPS will eventually restart the output and the machines will reboot-sfter-power-loss (as configured in the BIOS).
2. The line power returns before the UPS has shut down, this are a bit more interesting. Machines have been shut down already, but as they see no power loss, they will not reboot-after-power-loss. Ideally, the UPS would wait for the shutdown time period (5 minutes in my example), power cycle the outputs and everything is fine again.

Regardless: I let the pfSense box run until the UPS power fails (no automatic shutdown or anything). Same for the modem, PBX, switches and even a few of the WLAN APs. I am aware that this causes additional drain on the battery of the UPS even after the server machines have shut down, but what the heck? Plus, with a communication infrastructure left online until the very last second, all remaining systems can continue to yell for help.

I have seen a couple of IPv6 lists floating around, but can't remember where. My honest opinion is IPv6 lists are useless, unless they are used to ban entire subnets. The ease with which you can jump from IP to IP on IPv6 renders a single bad host in a list useless.

My recommendation is to use snort/suricata to keep track of bad hosts in IPv6, and based on repeated offenders in a subnet, ban the entire subnet in a list of your own. Bad IPv6 traffic is low, it's the perfect time to experiment and tweak your security systems.

@MilesDeep:

At first, enabling the SIP Detection works.  The daemon starts.  After awhile, it the daemon stops and SIP detection is disabled.

Does this have anything to do with fact that the update, which occurred last night, failed?

No, a rules update will not disable nor enable a preprocessor.  I will check and be sure the default is enabled for future updates, but for now just look at the PREPROCESSORS tab and check all the preprocessors in the GENERAL section down towards the bottom of the page, then click SAVE.  You usually don't need the two SCADA preprocessors, but it hurts nothing to enable them as well.

Bill

Ok I found 2 solutions:

1. the good one is to simply add the following line in PfSense web configuration, Services, Proxy server, General, Custom Settings, Custom Options:

ignore_expect_100 on

yes, it works also for the REVERSE proxy.

2. the bad one (just to know it exists) is to modify the source code of the web services' CLIENT SIDEs, in C#, by adding this line:

System.Net.ServicePointManager.Expect100Continue = false;

before instantiating the SoapClient object: MySoapClient My_WS_Client = new MySoapClient(); .

I do have a local website (owncloud) that I do not want to be cached. Was thinking of adding an "include" in the squid.inc file so everytime the package gets reloaded / changed by pfsense the cache deny all will kick in for that specific site. Where can I set that up?

So, in sum it the squid.inc will always overwrite the squid.conf, so in the squid.inc add an include cache_exceptions.conf with cache deny all for the sites I don't want cache enabled. How can that be accomplished?

I saw that initially but wasn't sure it was the root cause of your problem.  You could try checking your ACLs for obvious problems (like being blank or empty) and then recreating them.

Thanks, have done that for the initial config, but is there a method to keep things synchronised thereafter?

did you forget to search? https://forum.pfsense.org/index.php?topic=81118.0

check out the 2.2 board.. there is a workaround

https://forum.pfsense.org/index.php?topic=82232.0

thank you and Cino

(great answer)Cino
That is from Limter being enabled… Goto Traffic Shaper, Limter tab.. Click on first limter you created, Show Advance Options; change Bucket Size to 256. Do this to the rest of them and you shouldn't see that message anymore

HAHAHAHAHA

We just want to have fun :D

@BBcan177:

… You know that its a proven fact that Men are color blind... Or thats what the Women are telling us.... lol..