Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pfBlockerNG aliases in HAProxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nian

    @bmeeks So after upgrading to the newest pfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new pfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron job.
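As an added example (not from the post above and not vnstat's own tooling): if the backup runs from cron while vnstatd is still writing, a plain file copy of vnstat.db can capture a torn set of SQLite pages. The script below uses SQLite's online backup API instead and checks the copy with PRAGMA integrity_check before it is kept. The database path is the one named in the post; the destination path and the small table used in the offline demo are assumptions.

```python
"""Consistent backup of vnStat's SQLite database while vnstatd keeps writing.

Added example, not vnstat's or the post's own code. /var/db/vnstat/vnstat.db
is the location named in the post; the destination path and the demo table
are assumptions. A plain `cp` of a live SQLite file may copy half-written
pages, so SQLite's backup API is used and the copy is verified afterwards.
"""
import os
import sqlite3
import tempfile
from typing import Tuple

VNSTAT_DB = "/var/db/vnstat/vnstat.db"   # location given in the post


def backup_sqlite(src_path: str, dst_path: str) -> str:
    """Copy src_path to dst_path with the backup API; return the integrity_check verdict."""
    # Read-only URI: the backup job must never be able to modify the live database.
    src = sqlite3.connect(f"file:{src_path}?mode=ro", uri=True)
    try:
        dst = sqlite3.connect(dst_path)
        try:
            src.backup(dst)   # page-consistent snapshot even with a concurrent writer
            (verdict,) = dst.execute("PRAGMA integrity_check").fetchone()
        finally:
            dst.close()
    finally:
        src.close()
    return verdict


def row_count(db_path: str, table: str) -> int:
    """Row count of one table, used to cross-check source and copy (table name is trusted)."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        (n,) = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()
    finally:
        conn.close()
    return n


def demo() -> Tuple[str, int, int]:
    """Constructed stand-in for vnstat.db: build a tiny table, back it up, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "vnstat.db")
        copy = os.path.join(tmp, "vnstat-backup.db")
        conn = sqlite3.connect(live)
        conn.executescript(
            "CREATE TABLE traffic (day TEXT, rx INTEGER, tx INTEGER);"
            "INSERT INTO traffic VALUES ('2025-01-01', 1024, 512);"
            "INSERT INTO traffic VALUES ('2025-01-02', 2048, 768);"
            "INSERT INTO traffic VALUES ('2025-01-03', 4096, 1024);"
        )
        conn.commit()
        conn.close()
        verdict = backup_sqlite(live, copy)
        return verdict, row_count(live, "traffic"), row_count(copy, "traffic")


if __name__ == "__main__":
    # On the firewall itself a cron entry would call, for example:
    #   backup_sqlite(VNSTAT_DB, "/root/vnstat-backup.db")   (destination path assumed)
    print(demo())
```

The backup API copies at page granularity under SQLite's own locking, so the copy is the state of the database at one moment rather than a mix of old and new pages; only a copy whose integrity_check returns "ok" should be shipped off the box.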

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    reza3sw

    @Gertjan
    Hello,
    Thank you.
    I had exactly the same issue, and your solution helped me fix it.


  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypage

    @jhg Please post the output of the following commands:

    pkg info | grep nut
    usbconfig dump_all_desc

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan

    @EChondo

    What's your pfSense version ?
    The instructions are shown here :


    A restart of a service starts by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered them automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.
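Added example, not part of the post above or of FRR: the check a practitioner would script for the failure described (neighbors that never come back after a tunnel flap), so that a lost adjacency is noticed instead of discovered later. It parses the output of `vtysh -c "show ip ospf neighbor"` and reports expected router IDs that are missing or not in Full state. The sample output is constructed in the column layout FRR prints; the router IDs, tunnel addresses and `ipsec` interface names in it are assumptions.

```python
"""Flag OSPF neighbors FRR has lost, from `vtysh -c "show ip ospf neighbor"` output.

Added example, not from the forum post or from FRR. SAMPLE_OUTPUT is
constructed; its router IDs, addresses and interface names are assumptions.
Rows are matched on the fields that are stable across FRR versions (Neighbor
ID, Pri, State, then Address and Interface followed by three counters), so
the presence or absence of the "Up Time" column does not matter.
"""
import re
import subprocess
from typing import Dict, Iterable

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NEIGHBOR_ROW = re.compile(
    rf"^(?P<nbr_id>{IPV4})\s+(?P<pri>\d+)\s+(?P<state>\S+/\S+)\s+"
    rf".*?(?P<addr>{IPV4})\s+(?P<iface>\S+)\s+\d+\s+\d+\s+\d+$"
)

# Constructed sample: one healthy adjacency, one stuck in Init after a tunnel flap.
SAMPLE_OUTPUT = """\
Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
10.255.0.2        1 Full/DROther    1d02h11m          37.891s 10.10.10.2      ipsec1:10.10.10.1                    0     0     0
10.255.0.3        1 Init/DROther    -                 31.002s 10.10.10.6      ipsec2:10.10.10.5                    0     0     0
"""


def parse_neighbors(output: str) -> Dict[str, Dict[str, str]]:
    """Return {neighbor_id: {state, address, interface}} for every neighbor row."""
    neighbors = {}
    for line in output.splitlines():
        m = NEIGHBOR_ROW.match(line.strip())
        if m:
            neighbors[m["nbr_id"]] = {
                "state": m["state"],
                "address": m["addr"],
                "interface": m["iface"],
            }
    return neighbors


def lost_neighbors(expected: Iterable[str], output: str) -> Dict[str, str]:
    """Expected router IDs that are absent or not in Full state, with the reason."""
    seen = parse_neighbors(output)
    problems = {}
    for nbr in expected:
        if nbr not in seen:
            problems[nbr] = "missing"
        elif not seen[nbr]["state"].startswith("Full"):
            problems[nbr] = f"state {seen[nbr]['state']}"
    return problems


def live_output() -> str:
    """Run on the firewall itself; the offline demo below does not call it."""
    return subprocess.run(
        ["vtysh", "-c", "show ip ospf neighbor"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Constructed expectation: three routed-VTI peers should all be Full.
    print(lost_neighbors(["10.255.0.2", "10.255.0.3", "10.255.0.4"], SAMPLE_OUTPUT))
```

Run from cron with `live_output()` in place of the sample, a non-empty result is the trigger for the FRR restart the post describes, or for an alert, and it also shows whether the static neighbor entries added in the GUI keep the adjacencies Full after a tunnel comes back.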

  • Discussions about the Tailscale package

    89 Topics
    574 Posts

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    690 Topics
    4k Posts

    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection.

    If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application?

    Thanks.

  • TFTP Package on 2.1

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied

  • Vhost for platform: 2.1

    Locked
    0 Votes
    1 Posts
    670 Views
    No one has replied

  • PFBlocker causing system hang

    Locked
    0 Votes
    3 Posts
    1k Views

    @marcelloc:

    pfBlocker has no binaries, it just creates aliases, rules and downloads blacklists.

    I have no idea how it could crash a system.

    Can you check what kind of report you have. Php, core dump?

    The WAN interface hangs, the system is still up with console but WAN NIC is a zombie.  Only way to bring it back is a reboot.  Very odd this does not occur without pfBlocker installed, but with it installed we crash within 48 hours.

    Perhaps it's memory related with pfblocker putting additional memory pressure on the box.

  • SQUID3 Service won't start

    Locked
    0 Votes
    3 Posts
    1k Views

    @marcelloc:

    Logs show squid2 binaries. Maybe you have squidGuard installed too. Reinstall squid3 after squidguard and after every system update.

    Thanks for your answer, I do have DansGuardian but it's not configured and is deactivated.
    Anyway, finally I removed the package and reinstalled it, and it came back to work again.
    Thanks

  • Zabbix 2.0 proxy

    Locked
    0 Votes
    5 Posts
    3k Views

    On the remote agent, I first tried to put the IP of the proxy and it did not work.

    So I tried to put the IP of the Zabbix server itself and still no joy.

    On the server I have put that pfsense under the proxy.

    Here are the logs from the remote client:

    39928:20130214:200356.651 No active checks on server: host [name] not found
    39928:20130214:200556.947 No active checks on server: host [name] not found
    39928:20130214:201559.395 Got signal [signal:15(SIGTERM),sender_pid:28136,sender_uid:0,reason:65537]. Exiting …
    39416:20130214:201559.395 Got signal [signal:15(SIGTERM),sender_pid:28136,sender_uid:0,reason:65537]. Exiting …
    39131:20130214:201559.396 One child process died (PID:39928,exitcode/signal:65280). Exiting ...
    39706:20130214:201559.395 Got signal [signal:15(SIGTERM),sender_pid:28136,sender_uid:0,reason:65537]. Exiting …
    39131:20130214:201559.396 Zabbix Agent stopped. Zabbix 2.0.4 (revision 31984).
    39103:20130214:201604.426 Starting Zabbix Agent [name]. Zabbix 2.0.4 (revision 31984).
    39218:20130214:201604.427 agent #0 started [collector]
    40083:20130214:201604.427 agent #4 started [active checks]
    39472:20130214:201604.428 agent #1 started [listener]
    39941:20130214:201604.428 agent #3 started [listener]
    39745:20130214:201604.428 agent #2 started [listener]
    40083:20130214:203903.271 Got signal [signal:15(SIGTERM),sender_pid:48333,sender_uid:0,reason:65537]. Exiting …
    39941:20130214:203903.271 Got signal [signal:15(SIGTERM),sender_pid:48333,sender_uid:0,reason:65537]. Exiting …
    39103:20130214:203903.272 One child process died (PID:40083,exitcode/signal:65280). Exiting ...
    39745:20130214:203903.272 Got signal [signal:15(SIGTERM),sender_pid:48333,sender_uid:0,reason:65537]. Exiting …
    39103:20130214:203905.273 Zabbix Agent stopped. Zabbix 2.0.4 (revision 31984).
    60501:20130214:203908.285 Starting Zabbix Agent [name]. Zabbix 2.0.4 (revision 31984).
    60831:20130214:203908.286 agent #1 started [listener]
    61105:20130214:203908.286 agent #2 started [listener]
    61451:20130214:203908.286 agent #4 started [active checks]
    60558:20130214:203908.287 agent #0 started [collector]
    61244:20130214:203908.287 agent #3 started [listener]

    This agent is currently configured with the IP of the interface on the OpenVPN link.

    So server is on the local subnet 192.168.0.0/24    ip 192.168.0.31

    All vlans are done also on the pfsense and there is a link site to site vpn from that site to the main site.

    That remote site local subnet is 192.168.20.0/24

    The link is 10.0.20.0/24  between the 2 sites.

    On the main site there is another vlan which is 192.168.23.0/24

    On the main site traffic from 192.168.23.0/24 does not get onto 192.168.0.0/24.

    So the question is, if the VLAN routing is done on the main pfSense and the proxy for Zabbix is also on the same box, could and should my setup work?

    By the way, SNMP works, as I added SNMP from the remote pfSense (where the remote agent is) and I get the details on the Zabbix server.

    Cheers,

    Raj

  • Snort custom.rules

    Locked
    0 Votes
    2 Posts
    2k Views

    Did you check the Snort errors in the system logs?

    Btw, you have to set the classtype option in your custom rules.

  • How to block dropbox website

    Locked
    0 Votes
    5 Posts
    16k Views

    @johnpoz:

    […] he has not stated the skill set of his userbase.

    That's the point. Of course, the user can also use proxies to circumvent IP address blocks. Some proxies have HTTP/HTML interfaces, so users won't even have to reconfigure their browsers.

    Dropbox is, of course, a service for losers. ;) Geeks would have their own FTP servers, shell boxes, VPN endpoints. They might even bring in their own 3G router if they feel the urge to bypass the firewall with their work PC. I've even seen idiots unplugging the fax machine to dial into the internet via an old analogue modem (with the result that, on the next day, large parts of the company's IT were infected by a virus).

    The Computer Science lessons in school are actually a good way for kids to learn hacking firewalls. Not because it's taught (it isn't), but because the school's firewall is pretty restrictive. Once one kid finds out how to circumvent the blocks, this knowledge will spread to the other kids. If one of these kids has a parent, and this parent is one of smizzio's users, this user might turn into a "script kiddie", erm, "script daddy/mommy" ;) - capable of circumventing security measures, but not understanding the risk.

    Logging is a way to get the user's attention (if it's allowed in your country). Make sure that the users know that every bit of traffic is logged and that they'll get into trouble if anything pops up which might look like an IP address of a proxy, dropbox, VPN tunnels, whatever. If you don't want to be seen as the "network nazi", you might mention that surfing for lolcats is okay. ;)

  • Ntop package is outdated (4.1.0 versus 5.0.1)?

    Locked
    0 Votes
    11 Posts
    3k Views

    I've seen this problem for a while. I figured on just waiting. Today, running Beta 2.1, I got the nightly update and found ntop to look different. I saw at the bottom it was on the latest now. Looks MUCH nicer than the old Ntop. Thank you for the work done to update this!!!

  • Squid3 reverse proxy - additional https_port

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Ntop 5.0.1 v2.3

    Locked
    0 Votes
    3 Posts
    2k Views

    @jimp:

    Did it work with ntop 4.x? Do you see any errors in the system log?

    It's possible it's a VMware driver issue or an ntop issue; we may not be able to do anything about it directly.

    Yes it works with the version 4.x.

  • Snort 2.9.2.3 pkg v. 2.5.0 Issues

    Locked
    0 Votes
    331 Posts
    265k Views

    I see a lot of false positives on my systems. It annoys me like hell tbh.

    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32

    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #PSNG_TCP_PORTSWEEP
    suppress gen_id 122, sig_id 3
    #ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)
    suppress gen_id 1, sig_id 2011124
    #ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
    suppress gen_id 1, sig_id 2002994
    #PSNG_TCP_PORTSWEEP_FILTERED
    suppress gen_id 122, sig_id 7
    #ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
    suppress gen_id 1, sig_id 2002994
    #FILE-IDENTIFY download of executable content
    suppress gen_id 1, sig_id 11192
    #FILE-IDENTIFY Portable Executable binary file magic detected
    suppress gen_id 1, sig_id 15306
    #ET POLICY PE EXE or DLL Windows file download
    suppress gen_id 1, sig_id 2000419
    #ET INFO Packed Executable Download
    suppress gen_id 1, sig_id 2014819

    #FILE-IDENTIFY Portable Executable binary file magic detected
    suppress gen_id 1, sig_id 15306

    This is my suppress list, but it's not nearly as long as it should be!

    (http_inspect) IIS UNICODE CODEPOINT ENCODING - 02/22-03:06:06 is triggered.

    FILE-IDENTIFY download of executable content - 02/02-06:01:51
    ET INFO Packed Executable Download - 02/02-06:01:51
    ET POLICY PE EXE or DLL Windows file download - 02/02-06:01:51
    FILE-IDENTIFY Portable Executable binary file magic detected - 02/02-06:01:51

    Is triggered on whitelisted SRC IPs. It blocks Windows Update among other things.

    So snort is in my view not working as it should and it's CORE functionality for a modern FW.
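Added example, not from the post above or from the Snort or pfSense packages: every entry in the list above has the form `suppress gen_id N, sig_id M`, which silences that rule for every host. To stop a rule only for whitelisted sources, Snort's threshold.conf syntax needs `track by_src, ip <addr-or-cidr>` on the suppress line. The script below parses a suppress list (some entries taken from the post, plus one constructed `track by_src` entry), parses alert lines in Snort's "fast" format (constructed here, with constructed addresses and revision numbers), and reports which alerts would still fire and which entries are duplicated.

```python
"""Check which Snort alerts a suppress list actually silences, per source host.

Added example, not the post's or Snort's own code. SAMPLE_SUPPRESS reuses
entries from the post; the `track by_src` entry, the alert log lines and all
addresses are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# threshold.conf: suppress gen_id N, sig_id M[, track by_src|by_dst, ip <addr|cidr>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)
# fast format: ts [**] [gid:sid:rev] msg [**] [Classification..] [Priority..] {proto} src[:port] -> dst[:port]
FAST_ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{[^}]+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

SAMPLE_SUPPRESS = """\
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
suppress gen_id 1, sig_id 2002994
#ET SCAN Rapid IMAP Connections - Possible Brute Force Attack (listed twice in the post)
suppress gen_id 1, sig_id 2002994
# constructed: silence the PE download rule only when the packet source is the whitelisted subnet
suppress gen_id 1, sig_id 2000419, track by_src, ip 192.0.2.0/24
"""

# Constructed alert lines (addresses, ports, revisions and the 122:5 sid are illustrative).
SAMPLE_ALERTS = """\
02/22-03:06:06.118201  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.0.2.20:51234
02/22-06:01:51.003312  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.20:443 -> 198.51.100.30:50012
02/22-06:01:52.771009  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.21:51240
02/22-06:02:10.000451  [**] [122:5:1] (portscan) TCP Filtered Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 198.51.100.9 -> 192.0.2.1
"""


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None                          # None: silenced for every host
    network: Optional[ipaddress.IPv4Network] = None


def parse_suppress(text: str) -> List[Suppress]:
    """Parse suppress lines; '#' starts a comment, other lines are ignored."""
    rules = []
    for raw in text.splitlines():
        m = SUPPRESS_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def parse_fast_alert(line: str) -> Optional[dict]:
    """Extract gid, sid, message and endpoint addresses from one fast-format line."""
    m = FAST_ALERT_RE.search(line)
    if not m:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"])}


def is_suppressed(alert: dict, rules: List[Suppress]) -> bool:
    """True if some entry silences this alert for this packet's addresses."""
    for r in rules:
        if (r.gid, r.sid) != (alert["gid"], alert["sid"]):
            continue
        if r.track is None:
            return True
        addr = alert["src"] if r.track == "by_src" else alert["dst"]
        if addr in r.network:
            return True
    return False


def unsuppressed_alerts(alert_log: str, rules: List[Suppress]) -> List[str]:
    """Alerts the suppress list would still let through."""
    kept = []
    for line in alert_log.splitlines():
        alert = parse_fast_alert(line)
        if alert and not is_suppressed(alert, rules):
            kept.append(f"{alert['gid']}:{alert['sid']} {alert['msg']} from {alert['src']}")
    return kept


def duplicate_rules(rules: List[Suppress]) -> List[Suppress]:
    """Entries listed more than once (harmless to Snort, noise in the list)."""
    return [rule for rule, count in Counter(rules).items() if count > 1]


if __name__ == "__main__":
    rules = parse_suppress(SAMPLE_SUPPRESS)
    print(duplicate_rules(rules))
    print(unsuppressed_alerts(SAMPLE_ALERTS, rules))
```

Running the script over a real alert log before adding entries shows which suppressions are actually needed; the `track by_src` form keeps the rule active for every other source, whereas the global form in the post's list turns the rule off for the whole network, which is the trade-off behind "it blocks Windows Update".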

  • I guess I found a bug in Sarg Report

    Locked
    0 Votes
    5 Posts
    2k Views

    Yes… that's weird... I'll try to reinstall the package.

  • Snort, missing config options

    Locked
    0 Votes
    3 Posts
    1k Views

    Wow, I am an idiot.

    After examining the files, I figured out that it is under the settings for each interface, which is not specified in the guide on the site.

    Sorry about the trouble, thank you for link!

    Andy

  • NUT and EMERSON PSA600-BX

    Locked
    0 Votes
    1 Posts
    713 Views
    No one has replied

  • Squid 3 , some secure sites not able to logon

    Locked
    0 Votes
    1 Posts
    796 Views
    No one has replied

  • Sargs - Reading reports & Schedule question

    Locked
    0 Votes
    4 Posts
    1k Views
    marcelloc

    @greenpoise:

    what is the connect in the reports?

    The amount of connections to this site, including all gifs, css, htmls, phps. If a site has 40 objects, you will get 40 connects each time the page is loaded.

  • [SOLVED] squid doesn't retain settings across reboots

    Locked
    0 Votes
    11 Posts
    4k Views
    marcelloc

    @duanes:

    I have the same problem.

    follow the topic instructions to change its value

  • (SOLVED) How to install a restricted port (megacli)?

    Locked
    0 Votes
    3 Posts
    2k Views

    Thank you very much for your help jimp. It worked great.

    Just for any googler's sake, steps taken were:

    1. Install a FreeBSD 8.1 VM (I used VirtualBox but for this purpose, a VM is a VM).
    2. Update the installation using freebsd-update.
    3. Update ports using portsnap.
    4. Build the package on the VM (cd /usr/ports/sysutils/megacli; make package-recursive).
    5. Copy the package (tbz file) to the pfSense box using scp from the pfSense box (scp mark@192.168.15.158:/usr/ports/sysutils/megacli/megacli-8.05.06.tbz .).
    6. Install the package on the pfSense box (pkg_add name-of-package-file.tbz).

    Thanks again!

  • Squid stopped working

    Locked
    0 Votes
    2 Posts
    1k Views

    Did you try reinstalling the squid package? Config will remain.

    Further you need to post output of the system log so that we can try to help.

  • IP wise download file size

    Locked
    0 Votes
    1 Posts
    916 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.