I don't know about 2.0.1. I have an issue with 2.1 but after an update, it worked like it should.

We support all the packages as best we can for support customers under their purchased hours. We're not necessarily all-knowing experts on every single one of them, but we know all of them to some degree, and can generally figure out anything we don't know. The main difference under commercial support on packages vs. base system is we can't vouch for the quality of packages. We'll fix any base system issues that are encountered (which is rare) at no cost to the customer, but can't provide any such assurance with any package other than our AutoConfigBackup. If a customer has an issue with a package and wants to put their purchased time towards fixing it, we can almost always accommodate, we just can't do it for free like we do for the base system.

@ezyclie:

So can i do this: http://forum.pfsense.org/index.php/topic,14609.0.html with embedded system? without loosing the changes?

If you are going to do this on console, follow the steps doing a rc.conf_mount_rw before changes and a rc.conf_mount_ro after changes.

on embedded /var is flushed every boot but looking the steps, I can see only changes to files on /usr dir.

att,
Marcello Coutinho

After a series of reboots it's all working now. I'm not thrilled by the stability here, but hey, I am running 2.1-DEVELOPMENT so I guess I can live with it for now :)
Any ideas of when 2.1-STABLE will be out? I read a lot about IPv6 Launch Day, and that's not very far away.

I believe that many of those rules are designed to alert when icmp traffic sourced from EXTERNAL_NET destined for HOME_NET.  So in order for those rules to alert,  a successful ping has to occur that matches those conditions.

When I was testing snort,  I was pinging from a lan interface to a lan interface.  Since neither was from a network associated with EXTERNAL_NET I would never see an alert.  In order to get an alert to fire, I modified both EXTERNAL_NET and HOME_NET variables in one of the icmp rules to read "Any".  This way, you don't have to be concerned with where your traffic originates from.

I also wonder where this issue currently stands?  I had no issue adding and enabling rules, but I'm new to this so I'm unable to determine if the rules are current or truncated to support the EOL version.

Thanks for the tips!  I tend to agree that firewall-based AV isn't really that useful, especially with so many sites using HTTPS these days.

I have no experience with clamAV, but our client-side ESET performs quite well, so maybe I'll leave well enough alone rather than get into Squid, etc.  (something else I have no experience with)

Thanks for the tip regarding pfBlocker, we currently use DynDNS for content filter at only $10/year, but it's DNS-based so easy to bypass for intermediate users.  This might be the answer I was looking for, though!

"Do not cache" does not mean "block".
It ist just not caching this sites.

To block (filter) sites you need additional tools like squidguard or dansguardian.

But please update your old system to an actual pfsense version like 2.0.1

Any update?

I've tried using Dansguardian with a firewall rule redirecting port 80 instead of Squid/SquidGuard intercept mode. This seems to work so far. Wondering if I should just stick with D then?

Not really clear on the difference between the two softwares.

Thanks for your help.

Does the stable version support vmxnet2?  Ideally I'd like to run vmxnet3, but this is my first run with pfSense so I'm trying to KISS.

Thanks, I'd tried that package, but I hadn't seen the thread link, I posted in there. It'd be really great to get this working!

thanks it worked for me.. and i didnt break my pfsense LOL. anyway thanks for the expertise.

@Nonsense:

Does one have to register to subscribe to the Emerging Threats rules (if so, then how?) or just place a check in the Install Emergingthreats rules box on the Global Settings page?

Right, no registration, just check the ET box, select the auto-update frequency interval, and save. You may need to manually update the rules, or stop/start snort to download then initially. After updating review the categories enabling those of interest under each interface. I think that's about all you need to do.

Hi,

Still can't find the cause - so when I get an open slot, I'll just try re-installing the whole system from scratch and see if it stops.

This system only serves 40 users or so, and I never get anywhere near the size limit of MBUF or state table.

I run it on a P4 3GHz with 2GB RAM, 40GB HDD and very seldomly the CPU goes above 10% and memory never above 40%. So I don't think it is a performance issue either.

Might it be a faulty RAM module?

Cheers,

MrsPotter

Thank you very much marcelloc! Worked like a charm :-)

The doc ends on the same point:

Yep, you got it exactly. Varnish does not handle SSL itself. If it receives a request that is SSL encrypted it will pass it directly to Apache. For us though, we have the load balancer decrypt/encrypt and all traffic between Varnish and Apache is normal HTTP (but we keep using a different port number so we can tell if the page will eventually be secured).

and suggests the same "when time permits solution"
_]Another way to handle SSL is

Another way to handle SSL is to put pound (http://www.apsis.ch/pound/) in front of varnish for port 443 and do lightweight SSL decryption and then you get the benefit of Varnish for even the SSL encrypted traffic._

The only thing that I can include in this package is the pass trough function. But IIRC, all servers should have the same config/sites to share the same ip as varnish can't see the request it self, just a ssl connection.

@albokos:

I'm digging out the .pac file solution, i've a good one it works when store locally on a pc now i try to set it to be accessible via the pfsense web server.

pac proxy configuration has a lot of good points, including filtering ssl urls.

good choice.

canefield,

I think you've reached the point to start googling for squid configs to support this feature and suggest improvements, just like the doc you found for varnish + ssl.

att,
Marcello Coutinho

I am still working to try to recitify this issue.

It it even possible to impliment the following solution in a Multi-Wan setup?

"Use squid tcp outgoing address directive to specify it."