@srk3461:

Is your client source is set correct !? Did you set any order pref!? Is your "Target Categories" set properly!

In your "Target Rules" under "Groups ACL" did you set your desired group to "white-list"? Is your "default access" at the bottom of the same is set to "allow"!?

Did you hit "save" bottom after all your configuration and then hit "apply" on general page of squid-guard!?

Try clearing your browser cache before checking!

I knew I forgot to hit apply; it officially works.  I double checked my configurations to see what the heck was going on; I forgot to add the LAN IP address in the whitelist.

Group ACL names and source IP addresses:

Ben: 10.0.0.1-10.0.0.4 (pfSense, my laptop, server, and FreeNAS)
Wireless Clients: 10.0.0.1 10.0.0.5 (pfSense; Wireless Router*)

The space in between the 10.0.0.1 and 10.0.0.5 represents a separate IP address.

Thanks for the info, man.

Edit: When I change my laptop's IP address from 10.0.0.2 to 10.0.0.5 with every setting as the same (subnet mask, gateway, DNS1, and DNS2), the group ACL doesn't go from Ben to Wireless Clients, just stays at Ben.  What else did I do wrong?  Must be pfSense 2.1-RC0-i386 has bugs in it; I'm going to install pfSense-2.0.3-AMD64

@adam65535:

I just tested pf with defragmentation using hping from another system and pf does normalize the traffic before sending it out.  It actually normalizes the traffic before tcpdump can even see it.  If the packets are bad enough though and pf can not or does not reassemble them then tcpdump on pfsense does see those bad fragmented packets.  It does not send them to the destination of course. I can only assume snort has an input point into the network at a lower level than tcpdump so that it can see the raw fragment packets at all times but I do not know.

It seems like we should always use BSD Target Type with frag3 when the admin does not disable the pfsense 'Disable Firewall Scrub' which is the default.

no the scrubbing done by pfSense firewall is not related to snort.
Since tpcudmp/pcap sees packets very early, before even stack has seen them.

I am having the same problem with i386 pfsense 2.0.3 and squid3. It appears that the proxy is working, however I only see tcp_miss. Oddly, if an image has been missed once, it is not missed again when attempting to reload.

@newbieuser1234:

This sounds dumb,but how would I interact with the gui? what IP's would I assign on the WAN and opt.  Would the opt1 (the other side of the bridge) be the same IP as the router behind it? just a bit confused on the IP addressing. Thanks again for all your help with this.

Sorry for taking so long to respond. Been a bit busy around here  ;D

Interacting with the gui is done through the LAN interface. That's why I suggested "pfsense can easily be used as a transparent bridge, see http://forum.pfsense.org/index.php/topic,20917.0.html and adapt accordingly. Don't forget allow any>any on both interfaces, and DO NOT use the lan interface as a member of the bridge."
pfsense works exactly the same (from a web gui USER's point of view) whether it's running as a bridge or a routing platform. As long as the LAN interface has a valid private ip and there is a rule allowing access to the webgui port, plugging something into the LAN will allow you to administer the box. The important thing to remember is that bridged interfaces have NO IPs, which means that you have to be careful with your rules (eg I have rules disallowing traffic not belonging to an interface's subnet from passing through the firewall, which wouldn't work with a bridge).
A common use case for this is a fully transparent firewalling bridge, which allows for traffic control both ways of the bridge. The bonus is that the bridge is completely invisible on both sides of it (WAN/DMZ), unless you sift through each and every packet observing changes in the packet as it goes through the bridge (which no sane person will do). The LAN interface is used to monitor and administer the bridge, just like I said above. A random tip: do NOT try setting up a bridged CARP cluster without doing your research first.

Back on track:

EDIT: hit go button too soon. A few thoughts popped up in my head after posting:
A fully transparent bridge should not be able to get on the internet. This means NO communications with the "outside world" which in turn means NO updates, NO snort rule updates (no ip assigned on the WAN, remember?  ;) )
A transparent bridge with internet is a bit different. If you have multiple static IPs, just assign one to the wan and proceed with bridging (yes even if it has an IP, yes I've tested a Frankenstein hybrid routing/bridged monster and it works perfectly, even LAN to OPT1 which according to documentation shouldn't work). If you don't have multiple static IPs a bit of default routes/nat will be needed. Basically since pfsense has no sense of other networks when used as a bridge, packets coming from itself will not know where to go or where they are coming from, and need a little "push" to get "out there"  :D

For HAproxy, the "-devel" variety is probably more like Beta.

The "-full" variety needs to go away, but some people still rely on it. Its status should really be "Deprecated" or "Retired".

Well, as you can tell, I'm am noobie with this stuff.

I've ended up adding:

.c.youtube.com

to the Exception Regular Expression section of the URL lists under ACL's for Dansguardian.

Videos with ads on YouTube now stream.

Hoping this fixes things, and I have  not ignorantly created a security risk in doing so.

If anyone has any insights into this, let me know.

Cheers,
Paul.

This proble with squid start is solved after I upgraded to pfSense 2.1-RC0 build from 20130622 (http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/i386/pfSense_RELENG_2_1/updates/pfSense-Full-Update-2.1-RC0-i386-20130622-1453.tgz).

@Tikimotel:

I have a dual em NIC.
I've set my LAN/WAN (under the advanced button) "Speed and duplex" settings to "Default (no preference, typically autoselect)".

Yep, 'Default' was what was originally selected, I tried to change only when it didn't work. I defauted back and still no go!

Pressing save in the WAN/LAN menu saves some changes regarding DHCPv4 vs. DHCPv6 in the overall config of pfSense, which helps when the interface goes down and backup (If i remember correctly).
So this should solve your WAN dropping and only getting back after a reboot.

I have no IPV6 enabled. I changed back to 'Defualt' and saved and rebooted, yet the internet keeps on dying (but WAN interface appears to be active).

cheers for this dude.. just helped me

Right well a reboot of the firewall sorted out the problem.

Have to say I didn't get along with squid.
I found the performance tweaks here on the forum and through google.  Still not good IMO.

Pages were taking too long to load, youtube (and other sites) videos were also affected slightly even though I hadn't turned on dynamic caching.

So I have un-installed squid for now.  I might create a stand alone squid server at some point but who knows.

Thanks for your time mate :)

Snort 2.9.4.6 Pkg ver 2.5.9

Auto-Add Suppression Rules for Track By Source or Track By Destination from Alerts tab

Additional icons will now show up on the Alerts tab under the SRC and DST columns for displayed alerts.  A plus (+) icon will appear under an IP address in the SRC or DST columns.  Clicking the plus (+) icon will automatically add the IP to the Suppress List for the interface using the "track by src ip" or "track by dst ip " form.  If the IP address is already present in the Suppress List, then a disabled icon will be displayed.

This gives you three ways to suppress alerts.  By SRC IP, by DST IP, or by GID:SID.  The third method (by GID:SID) is global in that it will suppress the alert regardless of source or destination.  For this reason, when a global suppress list entry containing only the GID:SID with no other qualifiers is present, then no plus (+) icon will displayed for that alert under the SRC or DST columns.  This is because in the case of a globally suppressed alert, the IP addresses are irrelevant.

Note also in the screen shot below that (X) icons are also displayed.  These have been available for quite some time in the GUI.  When present, they indicate the IP address is currently being blocked.  Clicking the (X) icon will remove the IP address from the blocking table.

NewAlertsOptions.jpg
NewAlertsOptions.jpg_thumb

I too would like to have the temps displayed via LCDProc. I also have coretemp running with the temps displayed on the dashboard and a working lcdproc-dev package feeding a CFA-735. I agree with kilthro's placement too with having the temp displayed in the bottom, static region but since my CPU down-clocks when needed, i wouldn't want to lose that particular item but the states portion i could live without.

So, in short, I second this request.

There isn't a way to store that info long-term on pfSense directly. ntop can get some but probably not the detail you want, it would be more for a summary or graphing.

pfflowd (or softflowd, see the doc wiki) can export netflow data to a separate netflow server which then logs and records that information in a database, and you can then query or graph from there. The netflow server would be separate software, there have been several forum threads and mailing list threads discussing various free and commercial netflow server options.

While ntop is capable of acting as a Netflow collector and server, I haven't had a ton of luck getting it to do what I wanted in the past. It's also fairly heavy in terms of dependencies and resource requirements.