AntiVirus:
If you do not want to use HAVP anymore you can try the new squid 3.3.5 package which includes actual antivirus. Search the forum for the squiod 3.3.x thread.

Mobile devices:
How are these connected? Via VPN or via W(LAN) interface on your pfsense?

In general you can use transparent proxy on squid and select the interfaces where squid should listen to.
If the devices are connected via OpenVPN for example then you must OpenVPN to an interface (Interfaces –> assign) and then select this interface on squid.

squid in transparent mode filters only http port 80
non-transparent squid filters http and https port 443 but you need to configure the proxy IP on all devices.
squid 3.3.5 can filter http and https in transparent mode.

@cmb:

It's never worked, just not something that can work.

thanks for the confirmation.

i've been trying to find a distro that can do it. so far i have not found any, let along a few options that i can choose from…

@newbieuser1234:

I have never used a span port with an IPS.  Is snort able to block traffic via a span port, or do I have to use an inline connection with two nics?  I want to have my snort box on a WAN switch if I can use a port span.  If not, I will use the dual nic and plug in before the router.  I have multiple static IP addresses.  Thanks.

Snort on pfSense is not truly "inline".  Instead, it adds rules to the existing firewall set to block particular IP addresses.  Technically a third-party output plugin called Spoink works within Snort on pfSense to stick offending IP addresses into the pf engine's blocking table.

So when used on pfSense, a SPAN port would really not be of much use.  Unless the traffic is coming through the pfSense firewall Snort is running on, any blocks put in place would be meaningless.

Now if all you want is just to get alerts, then a SPAN port connection would do that.  Just be aware that no actual blocking would happen for every offending IP.  Only those which actually needed to traverse the firewall would be impacted by any block.

Bill

Check logs. It might happen due to ssl issues

Thanks for your reply!
I did as your guide, it works. But the squid proxy log is disabled.

Is there a config file for the squidguard (proxy filter) page that I can modify how many blocked entries are displayed in the GUI? It limits it to 50 by default. The file squidguard_configurator.inc has a define statement that sets max log lines at 500. Is this meaning max gui entries or max entries to the block.log file? I cannot seem to find the file that has this value in it.

Anyone know the location of the file, if it exists and this is possible?

Added in the latest Unbound package - thanks @Reiner030

A bit late on this thread - but adding 127.0.0.0/8 would hinder mail servers making use of RBLs.

I just pushed some changes which should fix the empty element and your multiple core problem. Thanks for your input.

The box was upgraded from 2.0.1 to 2.0.3 last night.  The php errors listed were from when the box was on 2.0.1.  The timestamp on system_certmanager.php has remained at "Feb 26  2011", if that means anything.

Answer
After searching online and especially here in the forums

I saw that you can fix the problem if you delete and create squid libraries

squid makes some problems if the computer not turn off normally

ssh to your pfsense
and use this

Unistalled stable and installed squid-dev(3.3.5 pkg 2.1.2). Still the same behaviour.
Any further idea?

Thanks,
grassu

It installs OK here in a test VM on 2.0.3. Try it again, it may have been a temporary failure.

@bmeeks:

@gogol:

I have three wishes:

When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing

I tried this once without much success.  It gets to be a real issue with the large rule sets.  I did add sorting columns in the last update to make it easier to locate a particular rule.  I can experiment with some other approaches.  It needs some type of dynamic bookmarking.

I didn't even notice that the columns could be sorted. That's already something to make life easier ;)

@bmeeks:

@gogol:

Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system; fi snort is monitoring this table and writing it to /tmp?

This has come up from several users, but I really don't know a good way to do this.  Snort the binary does not and cannot monitor the table.  At least it can't without adding significant customized code to the baseline source code from Sourcefire.  I don't think that is wise because then staying current with updates becomes a big problem.  The GUI does not run fulltime either, and launching some kind of independent process in the background seems messy.

I also thought that another process would be needed. No problem.

@bmeeks:

@gogol:

The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time?

I can address this, but instead of random times how about the ability to set either the offset in minutes from the top of the hour, or set a specific time of day?

A specific time of the day has my preference, but the user must be remembered to set it at installation time. So not all pfSense boxes in a timezone try to connect at the same time. Maybe a small note for the user to explain.

@ant2ne:

I made that change and I'm asked the person to resend the email.

Ask him to include iatpnt2.iltech.org on externa dns too. That's why this message was blocked.

Anvil Daemon currently set to disabled. Changed it to enabled and I will wait to see if the message appears in the log again.

@jimp:

OK this should now be integrated and available on 2.0.x and 2.1 with the current squidGuard package. I don't have a way to test, however.

Thanks Jim !

@marcelloc:

@demo:

No, I've tried but It doesn't work. Client can access to internet without authentication.

Check your firewall rules again. clients will access internet without proxy only when firewall permits.

On pf I've created a rule that redirects traffic from lan address:80 to lan address:3128 but it doesn't work. Browser, configured with proxy's automatic detection, can access to internet without any authentication or filters.
So I've created a rule that blocks traffic to lan address:80 and a NAT port forward that redirects traffic from 3128 to 8080. Browser now must be configured to use 3128 port, filtered too by dansguardian. If not set, browser can't access to internet.
I think it's not a good way to do what I want for my lan, but in this moment I can't find another one…

I will look into this. I had not seen that sort of info before.

Thank you!