Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    I even tried deleting and creating a new certificate. Any suggestions?
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks
    It was all CVE fixes in the PHP GUI part of the package. See the Redmine ticket here: https://redmine.pfsense.org/issues/16414.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    572 Topics
    3k Posts
    keyser
    @Antibiotic No it’s not possible with NtopNG as it is not a Netflow collector. You need nProbe for that which will “translate” received netflows into flows that NtopNG understands and can visualize (with very very little detail might I add as Netflows has no additional information apart from sender/receiver and volume). The NtopNG package and the product in general is more geared towards visualising and recording traffic details from actual packet captures. This contains MUCH more metadata about the sessions than netflows (DNS names, protocol information and myriads of other things). But pfSense Plus has a builtin Netflow exporter if you have an external netflow collector on hand.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    @Gertjan Thanks for your reply – that’s also my impression. The point is: I don’t really see any lists right now that are actually “maintained” in the sense of being actively cleaned up, checked for dead domains, categorized, etc. That’s why my main interest is more about the demand: Would curated lists really be a game changer for admins? Would they be more helpful than what’s available today, or are most people already using other alternatives? If so, which ones? And from your perspective, what would be your expectation towards “community lists”? (e.g. reliability, update frequency, categories, fewer false positives?)
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypage
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.

    Glad you have it sorted.

    @jhg said: There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded?

    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver).

    Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command:

    [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764
    VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    [25.07-RC][root@fw]/root:

    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8.

    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    501 Topics
    3k Posts
    Hi, Please help to forward / report the bugs in ACME 1.0 package. Thanks.
  • Discussions about the FRR Dynamic Routing package on pfSense

    295 Topics
    1k Posts
    Anyone else happen to notice that when configuring BFD, if you create a peer and select a profile, then after save re-edit the peer, the Profile is not represented? It appears as "None". You have to check the raw config to determine if the profile was actually assigned to the peer. This is on 2.8.1 (all packages up to date as of the date/time of this post). UPDATE: if you re-edit and save (without re-configuring the profile from none to what you want), the save will strip the profile from the peer.
  • Discussions about the Tailscale package

    91 Topics
    611 Posts
    Hi All, I use HAProxy to redirect to a range of https internal resources, this works really well at the moment through the WAN where I have source limits set up, and I can connect to the internal resources from limited external IP Addresses. Given I have tailscale I would like to basically be able to put custom dns entries in to point these hostnames to my pfsense tailscale IP4 address (100.89.148.118) but I am not having any luck getting this working. At the moment, I am just trying to connect to HAProxy using https://100.89.148.118 but it is getting blocked by the firewall.

    Sep 11 11:55:58 tailscale0 Default deny rule IPv4 (1000000103) 100.89.148.10:53148 100.89.148.118:443 TCP:S

    I have tried with and without NAT redirecting internally to 127.0.0.1, and I also have rules set up to allow any traffic to and from my tailnets (defined in an alias) but I still keep getting these connections from my other tailscale machines being blocked on the pfsense machine. Can someone give me some pointers on what I am missing because I can see the requests are coming through to the pfsense machine, and in theory the rules should allow it through but I can't see why they don't. I do have tailscale ACL in place, but clearly that is not an issue as the requests are making it through to the firewall.

    0/0 B IPv4+6 TCP/UDP TailNets * TailNets * * none Allow across Tailnets
    0/0 B IPv4+6 TCP/UDP * * * 443 (HTTPS) * none Allow Tailscale IP4

    I also tried adding an EasyRule but because the tailscale0 interface doesn't exist in pfsense it throws an error and won't let me add that rule. Appreciate any help or tips, Cheers.
  • Discussions about WireGuard

    700 Topics
    4k Posts
    Bob.Dig
    @HFADmin If it is not a Site2Site VPN then you don't need any gateways in the first place... If that is true but you want to monitor the connection then you could create dummy gateways just to ping the remote IP addresses.
  • Snort Package Wish List

    14 Posts
    3k Views
    @bmeeks: @gogol: I have three wishes: When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing.

    I tried this once without much success. It gets to be a real issue with the large rule sets. I did add sorting columns in the last update to make it easier to locate a particular rule. I can experiment with some other approaches. It needs some type of dynamic bookmarking.

    I didn't even notice that the columns could be sorted. That's already something to make life easier ;)

    @bmeeks: @gogol: Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system; if snort is monitoring this table and writing it to /tmp?

    This has come up from several users, but I really don't know a good way to do this. Snort the binary does not and cannot monitor the table. At least it can't without adding significant customized code to the baseline source code from Sourcefire. I don't think that is wise because then staying current with updates becomes a big problem. The GUI does not run fulltime either, and launching some kind of independent process in the background seems messy.

    I also thought that another process would be needed. No problem.

    @bmeeks: @gogol: The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time?

    I can address this, but instead of random times how about the ability to set either the offset in minutes from the top of the hour, or set a specific time of day?

    A specific time of the day has my preference, but the user must be reminded to set it at installation time, so not all pfSense boxes in a timezone try to connect at the same time. Maybe a small note for the user to explain.
  • Postfix: Can't seem to whitelist

    4 Posts
    2k Views
    marcelloc
    @ant2ne: I made that change and I've asked the person to resend the email. Ask him to include iatpnt2.iltech.org on external DNS too. That's why this message was blocked.
  • Postfix errors connect to private/anvil

    3 Posts
    1k Views
    Anvil Daemon currently set to disabled. Changed it to enabled and I will wait to see if the message appears in the log again.
  • SquidGuard + Ldap (AD) (Patch - Updated)

    6 Posts
    11k Views
    @jimp: OK this should now be integrated and available on 2.0.x and 2.1 with the current squidGuard package. I don't have a way to test, however. Thanks Jim!
  • Squid + Dansguardian & transparent proxy

    9 Posts
    8k Views
    @marcelloc: @demo: No, I've tried but it doesn't work. Clients can access the internet without authentication. Check your firewall rules again. Clients will access the internet without proxy only when the firewall permits. On pf I've created a rule that redirects traffic from lan address:80 to lan address:3128 but it doesn't work. The browser, configured with the proxy's automatic detection, can access the internet without any authentication or filters. So I've created a rule that blocks traffic to lan address:80 and a NAT port forward that redirects traffic from 3128 to 8080. The browser now must be configured to use port 3128, filtered too by dansguardian. If not set, the browser can't access the internet. I think it's not a good way to do what I want for my lan, but at the moment I can't find another one…
  • Squid / squidguard advice needed

    7 Posts
    5k Views
    I will look into this. I had not seen that sort of info before. Thank you!
  • Snort Pkg 2.5.8 Change Log and Screenshots

    25 Posts
    7k Views
    bmeeks
    @marcelloc: @bmeeks: You can write Snort rules to block whomever you wish based on traffic content. On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules. You must get the syntax correct before the save will be successful. I think asbirim is trying to block offenders based on snort rules but block only specific ports instead of blocking all ip traffic, changing the pf rule created by snort. On pfblocker I've added an option to only create an alias but not apply rules. This way the sysadmin can create any rule based on the package-created alias. Oh…OK. I wasn't initially understanding his intent. I'm not sure this idea really fits into what Snort is about, though. Sounds more like something for one of the other packages like pfBlocker perhaps. Bill
  • Snort not working on 2.1 RC0

    16 Posts
    5k Views
    bmeeks
    @Mitterwald: Just did an update to the current RC0 snapshot and deinstalled snort and installed it again. The config still remained on my pfsense. But now it seems to work again. WAN is up for over 30 minutes now, already blocked several attackers. So seems ok for me again. P.S.: I didn't change any VMWare settings up to now. Some things changed in the latest snapshot of the RC0 release. I have not investigated what changed, but I did notice my test 2.1RC0 box was prompting me about an update. Bill
  • Squid3 and PLEX

    3 Posts
    2k Views
    @marcelloc: Try to fill https field options. No luck with that. Am I getting the FQDN and URI stuff correct? The actual address that I am looking to start is something like: https://starch.hopto.org/web/ If it makes any difference that is a dynamic dns I use to keep up with my home IP as it changes often. Would there be any issue with that?
  • Squid3-dev mitm configuration

    2 Posts
    2k Views
    marcelloc
    @iodaddio: So if you have http/https going through squid3 proxy, I have transparent for both and mitm. Then how does dansguardian check traffic? It seems that once squid3 breaks into http/https it would need to send the hacked traffic to then be scanned by dansguardian… not sure how that works. Sorry, proxy setups still mystify me. It will not, only icap/redirector calls will work as it's an ssl connection. Try squidguard or enable mitm on dansguardian (alpha code for mitm). @iodaddio: I ask because my assumption is that if I make 2 nat rules to send traffic to dansguardian, it would then be responsible for mitm, is that correct? I think that would be set up like this: No need to do nat rules while using squid3-dev (the package will do that for you).
  • Snort Memory Consumption

    2 Posts
    2k Views
    bmeeks
    @ESWBitto: I'm having an issue where my snort sensors are using over 700 mb of memory each. If I only had one sensor that would not really matter, but I have 7! We've had to tweak the amount of rules and Emerging threats that are used and frankly I don't want to have to sacrifice not using all or most of the rule sets. Is this the norm? Does anyone have any suggestions on tweaking the memory usage? In the gui the selected option for the lowest memory consumption for best performance is already selected (I think it was the default). I believe I read somewhere that each sensor by default should only use 200 MB each. Bitto

    Snort with a lot of enabled rules and a lot of connections will eat memory. There are settings that can be tweaked to improve this a bit, but nothing beats having at least 4 GB of RAM per sensor. RAM is pretty cheap these days anyway. Also, there is no point in trying to run all the rules (both ET and Snort VRT). I'm sure there are partisans on both sides of the issue who will swear one set is better than the other (ET vs. VRT), but you might consider choosing Snort VRT with the IPS-Connectivity policy to start with. That will catch most stuff and not give a lot of false positives. As you gain experience with Snort and its behavior with your specific network traffic, you can bump up to the IPS-Balanced or even IPS-Security policies. Just be aware that these are likely to start giving false positives and need tuning. Here is a link about hardware sizing for Snort: http://mikelococo.com/2011/08/snort-capacity-planning/ Bill
  • OpenVPN Client Export Utility - Option Requests

    3 Posts
    2k Views
    Figure that since the http-proxy option is already there it shouldn't be too much to just make the proxy type selectable (http proxy or socks proxy).
  • Squid3 Dynamic Content Caching Profiles

    3 Posts
    1k Views
    That would be terrific.
  • Squidguard error page external redirect - no images

    1 Post
    976 Views
    No one has replied
  • Bug in squid in transparent mode? No redirect if…

    1 Post
    753 Views
    No one has replied
  • DansGuardian Authentication in Windows.

    5 Posts
    2k Views
    @marcelloc: @friskee: Any ideas? You do not need wbinfo -u. It will work only on small user lists. wbinfo -t is all you need to know if it is running or not. How do I know that it can successfully pull users from active directory?
  • Squid.conf Bungled acl safeports

    1 Post
    1k Views
    No one has replied
  • Patch to show Available Packages by category on pfsense 2.1

    12 Posts
    4k Views
    jimp
    Defaulting to a restricted one-category list tab does a few bad things (and probably more I'm not thinking of):

    1. As mentioned previously, people will not see the tabs and wonder where packages disappeared to.
    2. People will have to hunt through multiple tabs to find a package if they don't know and can't correctly guess the package category. What took two clicks before suddenly takes half a dozen and a lot more time.
    3. It makes it less obvious just how many awesome packages there are. The giant list makes us look good there. :-)

    I would not use tabs at all, but do search and include categories in the search. Your "tabs" could now just be shortcut links to search the category, or a search filter that does the same job. Best thing, I think, would be that the default should be 'all packages' but have a search box right at the top. Maybe a drop down to restrict by category but it would have "All packages" as its first choice. Perhaps something like:

    [ Text Box For Search ] [Category Drop-Down] [ "Go"/"Search" button ]

    Enter search terms to filter the list, or select the category from the box, press search (no text entry) would display all packages in the category. Since the entire list of packages is known before the page is rendered, that could all be done in javascript and could do autocomplete or immediate filtering (meaning it could look like AJAX but doesn't actually make additional calls).
  • Openvpn speed differences between full install & nanobsd

    3 Posts
    1k Views
    Thank you. It's weird though because I don't see a CPU spike when I download a large file over VPN on the 1 GHz system.
  • Open-VM-Tools [Stable 8.7.0.3046 (build-425873)platform: 2.0]

    9 Posts
    2k Views
    If I am not mistaken, VMware had provided the drivers for FreeBSD. Don't get me wrong here.. VMTools works, not sure what one gains by installing it other than adding drivers for network cards. I can understand VMware tools for Windows etc. but for pfSense my main goal was for VXN. If the drivers don't work, I don't want to install VMTools and break my baby ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.