1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ
    Squid can be configured externally, I would love a how to guide on how to do this correctly.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @vicking said in No blocks on IP: Is it a bad idea to have the action set to deny both instead of inbound only? Question is squarely for admin. Per the infoblock which explains, in part, the "Deny Inbound", "Deny Outbound", and "Deny Both" actions: 'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are: Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction. One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction. In other words: When set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However a LAN host can still establish state to an otherwise listed IP. If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state. If set to "Deny Both", both incoming connection requests and outbound connections requests are blocked and therefore no state will be created regardless of connection direction.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    C
    @dennypage Nicely done sir!

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    656 Posts
    C
    @elvisimprsntr Updated 25.07.1 to 1.90.6_1, copied and pasted from @elvisimprsntr's post: pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.6_1.pkg (Why it worked this time and not on previous updates: Over the last couple of days, I ran into the "Shared object "libutil.so.10, not found..." error that triggered the version 25.07.1 update issues some of us have been having. After I fixed that error, I decided to go back to the usual update method, and it worked.)

  • Discussions about WireGuard

    716 Topics
    4k Posts
    chpalmerC
    Im trying to set up Fubo TV for my mother using AT&T Wireless.. problem is they keep showing her California news channels... She wants local. Even though the website asks for her zip code they seem to default to the IP location. I have tried several times to sit down with this but can never get the thing to even ping from the other side. Connected with Wireguard here successfully for helping troubleshoot things for her otherwise.. Fubo is a PITA and keeps reverting back so I am finished trying to deal with them. Anyone got any tips? or a good tutorial??
Log in to post
Load new posts
  • V

    Snort - ….rules(385) threshold (in rule) is deprecated;...

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    V
    Doh wrong oinkcode.  ::)
  • M

    Imspector 0.94 failed to install

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M
    Thanks!
  • R

    Unbound: Can't access DNS server from IPSEC Connection

    Locked
    1
    0 Votes
    1 Posts
    978 Views
    No one has replied
  • A

    UDPXY v. 1.0 (Build 21) standard

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • M

    HAVP: Heuristics.Broken.Executable

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    M
    Hello,   change done, tested on two boxes and committed. To use this new option you should reinstall the package (at least the interface part). The tricky thing is that after you change this option you should restart clamd manually, because otherwise the change is not applied, and I don't know why you can't restart that service using the interface. To restart the service, just go in the "Diagnostic => Command Prompt" page and run in the "Execute Shell command": /usr/local/etc/rc.d/clamd stop then /usr/local/etc/rc.d/clamd start Hope it will be useful to all as it is for me… Ciao, Michele
  • A

    OpenNTP configuration blues

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    jimpJ
    Well that isn't exactly the same thing. Binding to one IP changes how the responses are sourced for cases like VPNs, and not binding at all is more secure than merely filtering responses. Having the code to set that up for FreeBSD's NTP would help the cause though, it was just too much work at the time. I don't remember the issue with NTP but here is a similar one for SNMP, given that they're both UDP services it may be similar reasoning. SNMP bound to all interfaces, if you query it, will respond from whatever IP is "closer" to the client. So if you are on DMZ and query SNMP on the LAN IP of the firewall, it responds from the firewall's DMZ IP. Bind only to the LAN IP and the problem goes away. For the case of coming over an IPsec VPN, binding only on the interface included in the Phase 2 of the VPN allows it to talk properly over the VPN, where otherwise it has issues for some of the same reasons as above. It would try to respond back via the default gateway and use the wrong IP in the process, so it wouldn't match the Phase 2 and it would miss the VPN. Now admittedly I'm not intimately familiar with FreeBSD's ntp so I don't know if the restrict options can actually change the binding. If they do, it's news to me, but it would be very welcome news. I would very much like to use FreeBSD's ntp so we can use things like ntpq to get a detailed status report from it.
  • K

    Ubound install hangs and leave web configuration page hang too.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • C

    SquidGuard + LdapGroup

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    marcellocM
    A small contribution for this great package This script extract users from LDAP/Active Directory and apply on squidguard config To use this script, follow these steps: Rename group acl to active directory group name you want to apply Fill up AD info (hostname, username, dn, etc) on script Run the script via console, ssh or via cron squidguard_ldap.php // based on http://samjlevy.com/2011/02/using-php-and-ldap-to-list-of-members-of-an-active-directory-group/ // pfsense integration by marcelloc and ccesario # AD HOST (required) $ldap_host = "192.168.3.1"; # AD DIRECTORY DN(required) $ldap_dn = "DC=domain,DC=local"; # BIND USER(required) $user_bind = "cn=squidguard,cn=Users,DC=trf1,DC=gov,DC=br"; # PASSWORD BIND(required) $password = "super_secret_password"; #if you need to apply any prefix or sufix to retreived user #example: prefix user with domain(required) #$user_mask="DOMAIN\USER"; $user_mask="USER"; #################### # End of user options  # #################### require_once("/etc/inc/util.inc"); require_once("/etc/inc/functions.inc"); require_once("/etc/inc/pkg-utils.inc"); require_once("/etc/inc/globals.inc"); #mount filesystem writable conf_mount_rw(); function explode_dn($dn, $with_attributes=0) {    $result = ldap_explode_dn($dn, $with_attributes);    foreach($result as $key => $value) {         $result[$key] = $value;    }    return $result; } function get_ldap_members($group,$user,$password) { global $ldap_host; global $ldap_dn; $LDAPFieldsToFind = array("member"); $ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP"); // OPTIONS TO AD ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION,3); ldap_set_option($ldap, LDAP_OPT_REFERRALS,0); ldap_bind($ldap, $user, $password) or die("Could not bind to LDAP"); $results = ldap_search($ldap,$ldap_dn,"cn=" . $group,$LDAPFieldsToFind); $member_list = ldap_get_entries($ldap, $results); $group_member_details = array(); foreach($member_list[0] as $list) if (is_array($list)) foreach($list as $member) { $member_dn = explode_dn($member); $member_cn = str_replace("CN=","",$member_dn[0]); $member_search = ldap_search($ldap, $ldap_dn, "(CN=" . $member_cn . ")"); $member_details = ldap_get_entries($ldap, $member_search); $group_member_details[] = array($member_details[0]['samaccountname'][0]); } ldap_close($ldap); array_shift($group_member_details); return $group_member_details; } // Read Pfsense config global $config,$g; $id=0; $apply_config=0; if (is_array ($config['installedpackages']['squidguardacl']['config'])) foreach($config['installedpackages']['squidguardacl']['config'] as $group) {   $members="";   echo  "Group : " . $group['name']."\n";   $result = get_ldap_members($group['name'],$user_bind,$password);   foreach($result as $key => $value) {     if (preg_match ("/\w+/",$value[0]))       $members .= "'".preg_replace("/USER/",$value[0],$user_mask)."' ";   }   if (!empty($members))   if($config['installedpackages']['squidguardacl']['config'][$id]['source'] != $members){   $config['installedpackages']['squidguardacl']['config'][$id]['source'] = $members;   $apply_config++;   }   $id++; } if ($apply_config > 0){ print "user list from LDAP is different from current group, applying new configuration..."; write_config(); include("/usr/local/pkg/squidguard.inc"); squidguard_resync(); print "done\n"; } #mount filesystem read-only conf_mount_ro(); ?> I've tested it only on my domain, so test it before production  ;) att, Marcello Coutinho
  • R

    OpenVPN Client Export Utility Missing Configuration

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    N
    You can add this in the custom options of teh client export utility - for every exported client config.
  • P

    Snort rules within categories grayed out

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    K
    The main problem with it is even if does get enabled & disabled as you tune the pfsense instance as soon as the next update happens it overwrites it. I have mentioned this before if someone was able to change it so that when you enable/disable it the change is made in the pulledpork/oinkmaster configuration file to remember it. Your only other option is to use pulledpork on another machine to pull the rules down and tune them and then copy them over to your pfsense box and disable auto-updates on the box itself. Regards, Kevin
  • T

    IP-Blocklist

    Locked
    496
    0 Votes
    496 Posts
    614k Views
    J
    I cannot remove ip-blocklist in 1.2.2. Is there a way to remove or uninstall it using terminal?  Thanks
  • A

    Stumped: cant get standard haproxy to work in VM pfsense, works ok in HW

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    A
    Not sure how to check if haproxy is running, but I can see it hitting the apache every second with its heartbead "head" requiest.
  • S

    Not caching any thing at all?

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    N
    @saywhaat: @Nachtfalke: Choose this pattern: refresh_pattern -i .*apple\.com/.*\.(pkg|dmg) 259200 100% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private; refresh_pattern -i .*microsoft\.com/.*\.(cab|exe|msi|msp) 259200 100% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private; refresh_pattern -i .*windowsupdate\.com/.*\.(cab|exe|msi|msp) 259200 100% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private; refresh_pattern -i .*ubuntu\.com/.*\.(tar|bz|bz2|gpg|gz|zip|deb) 259200 100% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private; range_offset_limit 100 MB; quick_abort_pct 60; They are working for me with Windows XP updates and Windows 7 updates. Thanks, this worked..at least with files I download directly from the Microsoft site. I'm having the techs run automatic updates today, keeping my fingers crossed. I also added in a couple more MS subdomains. So if I enter in these refresh patterns for certain URLs, does this mean files from sites not included in my refresh pattern do not get cached? Files will always be cached if the site allows to cache them. If the header says "do not cache" then squid will not cache these files by default. But we can override these settings - that's why we use the refresh_pattern with the aadditional commands: override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private; Probably MS does not want you to cache updates  ;)
  • J

    Squid Performance Issues - Immediately after starting

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    J
    I'm using ufs.
  • B

    HAProxy package overwrite

    Locked
    27
    0 Votes
    27 Posts
    13k Views
    J
    @marcelloc: @Briantist: I'm still seeing an old name on 64 bit. The 32 bit .xml on github is using the name haproxy-full it seems, but while still storing all the files in a directory called haproxy-legacy. Just a bit confused by the name, and I'd like the clear the whole thing up all at once. I'll do on next update. @Briantist: Also it still seems to be downloading from your site (e-sac.siteseguro.ws). Previously, I thought this would change to point back to the pfsense servers. Again files.pfsense has not the latest version(1.4.19) of haproxy. jwelter99, to disable haproxy gui package, go on services -> haproxy and uncheck Enable HAProxy Thanks, what I did was remove the haproxy package from pfsense, and then just did a pkg add to add it back to freebsd and used filter to do the rest.  Seems to be a reasonable approach as the config doesnt change often and pfsense updates don't happen often either(thats a good thing!)
  • C

    Imap proxy

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • S

    Squid and Squidguard not working in pfsense 2.0

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    D
    @rdevries: I am having the same issue. The blacklist is not downloading. I click on the download button and nothing happens. Try to use Chrome or FFox browser's, IE version's can have problem with ajax scripts.
  • J

    Ntop - Error 400 - won't start

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • C

    SquidGuard vs. DansGuardian

    Locked
    4
    0 Votes
    4 Posts
    23k Views
    marcellocM
    @mahoon: Hi marcelloc ,Squid +Dansguardian provide content filtering in addition to acl.Is there  performans losing ? Not at all. I'm using it in production with more levels without issues. dansguaridan + squid works fine A complex setup I could get working was: squid_with_kerberos_auth_and_no_cache  –> dansguardian ---> varnish ---> squid_cache
  • D

    Can't find Lightsquid in Package List

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    K
    have a look at this (by nachtfalte) http://forum.pfsense.org/index.php/topic,43384.msg224600.html#msg224600
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.