Did you google it??  http://www.thekelleys.org.uk/dnsmasq/doc.html

Yes I know "dnsmasq" is a DNS server, but I ask if pfsense use it.

If config file not exist, which is the best way to edit the DNS Server configuration in pfsense ?

cheers  :D

hello, my English is not very good, I have a pfsense, and have formed logs External syslog server, but the events of firewall are not regitrados in the server logs, the messages of authentication and messages of the system if, but what me intereza is really the messages of discarded or blocked packages, the server logs in freeBSD 6,1 Release, and syslog-ng 1.6,
some suggestion?

@sdale:

We are running 2.6.1.3

I look forward to playing with it  ;D

CVS Trac is the only option but there are some bugs that have been corrected without opening tickets for them. So only looking at the tickets won't help you unless you read the commit logs as well.

hey guys,
you are comparing a small linux box (200 MHz, 16 Mb RAM) to a computer with 256 or 512 Mb of RAM and a big processor.
so it is normal to have unstability problem with the small router when it handels a lot of connections, bittorent and P2P…. but DD-WRT have a X86 version that runs on PCs and it is really stable and faster than Pfsense.
I am using now many dd-wrt boxes as access points, and pfsense is doing the rest (DHCP, authentication...) pfsense never crash but it have a lot of bugs and missing futures.
it would be appreciated if pfsense have some of DD-WRT futures like

additionnal DHCP options / DNSmasq as DHCP server, windows networking is not working well in pfsense (from LAN to WAN, LAN clients cannot see PC connected on WAN domain for exemple in latest pfsense release). i think that this problem is related to a DNS / firewall bugs ? I prefer SPI firewall than pfsense, but it is a personal choice Access restrictions per IP or MAC address is also missed in actual Pfsense release. blocking P2P and other applications or website is easy with dd-wrt QoS, priority per IP, MAC, subnet or application... in VLANs also the hotspot options : DD-WRT can use chillispot, nocat, spuntik for authentications... it would be nice if chillispot can be add to pfsense via a package (it needs a package for chillispot, radius, webserver... MySQL is also preferable). a monitoring package like Rflow is also missed in pfsense, it is not perfect in dd-wrt but the best is to have a package or a small software that list all connected users (users, mac, ip, time and trafic) with the possibility to disconnect users
-finally a nice future that could be easy implemented in pfsense I thnik, is the possibility to define a user groups and to add (in captive portal) its static DHCP mapping

anyway pfsense is a very good firewall and the support on the forum is very fast and appreciable.

Chady

One additional mod to the pfctl form:

If you want to quickly pull out a single rule:

pfctl -vvs rules | grep "^@ <rulenum>"</rulenum>

Where is the rule number you are seeking.  The space before my closing double quote was on purpose to terminate the pattern so that ONLY the rule number being sought is returned.  Otherwise, the above might also match some other rule number that started off with the rule number you are seeking.  Ie, '77' and '77x' (x = 0 thru 9) would all match.

Without knowning more details (what server- and what firewall-arch) I would respond to

I want to avoid viruses on the server´s system files and in E-Mails, sent and received over the server

Scan e-Mails on their way to the server via a mailgateway. It wouldn't be the first time there was some strange side effect when doing the scanning on the same system having the normal mail service on. Get them out before they reach the final destination server (and the user) and run an additional AV on the normal filesystem of the server for file services.
But I would not run that kind of thing on the firewall itself. Keep the firewall architecture as clean as possible and don't mix it with further services if they don't have necessarily to do with it. E.g. split the fw-arch into three nets, WAN, DMZ and LAN and setup the mailgateway in the DMZ area. So you don't have any probably "bad things" in your LAN before it passes all your desired tests.

Just my thoughts on this :)

Not to mention that "dumb" switches are cheaper than manageable vlan capable switches.

Depending on what exactly you need I can do support for you too. You can reach me by mail at holger <dot>bauer <at>citec-ag <dot>de. Remote service shouldn't be any problem. If you need someone on site we could discuss this as well.</dot></at></dot>

Oh, just saw from the screenshot, it's even a livecd system  :o

Beta 2 is OLD. Please update to 1.0.1.

I am really looking forward to this package :)

Agree'd.  I am looking at mailing infrastructure scripts so that we can add email support to pfS.  Once this is completed we can e-mail all sorts of stuff, including this.

Do a nslookup on these sites. Then add all these IPs to a hosts alias and use policybased routing to send these connections out only through one of your wans. Alternatively you could just send out https protocol only one of your wans. At our office the https rule fixed 99% of all issues with onlinebanking sites (at least if they run as browsersession rather than using a special application).

Out head code has support for adding URLs as aliases btw but that version is not ready yet for productional use.

You may need to reflash then.

And in the future please do not hijack threads.

Congratulations!

The soekris is even easier to setup as it simply works with enabled keyboard and video and you don't have to swap kernels (though it doesn't have these components, the bios works around it pretty well). Just install pfsense from cdrom to your media in a system that supports booting from cdrom. Leave the nics assigned as sis and move the media to the soekris after the install has finished. You should be able to access the gui right away after booting up form the default lan interface. Enabling serial console at system>advanced is recommended. We installed a 2,5" hdd in my notebook this way and mounted it to bills soekris 4801 during the hackathon.

Sounds like an MTU issue to me. Try lowering the MTU at the WAN connection that has changed. Try something conservative like 1400 and go up from there until it breaks. Then go back one step.

@MrMoo:

pfSense uses mtree which performs a similar function and checks on every boot.

We do?  Guess I need to pay closer attention to our boot process.

–Bill

got pfsense rc2h running on an ibm 1u with one 3Ghz intel 4 interfaces.
had 400+ users last week on one day, 250 avg for 3 other days. ran like a champ.  Will be bringing up a dell poweredge 1850 with dual xeon 3.4s and 4 interfaces to be the primary in a carp pair soon.

Most likely, you should upgrade  ;D

That's correct though there are some mechanisms to throttle the opposite end.
See http://www.openbsd.org/faq/pf/queueing.html#red and http://www.openbsd.org/faq/pf/queueing.html#ecn for some backend information of the shaper pfSense uses.

Thanks once again ;)

Oh. I can see where the name really cause confusion.

http://en.wikipedia.org/wiki/D_programming_language_%28disambiguation%29

:-\

It's also mentioned at the downloadpage at pfsense.com and even at the shell after assigning the interfaces the first time.

Please use something more descriptive the next time you start a thread. This one sounds like you are drowning and need a baywatch babe.

@techatdd:

There are too different bugs:

(Configuration: 192.168.1.2 pfsense Beta3 with a PPPOE Wan Connection as the default gateway and 192.168.1.4 pfsense running squid with a second PPPOE Wan connection.)

First. When I configure a Nat rule on the 192.168.1.2 for redirecting http traffic to 192.168.1.4:3128(squid) I get simply no HTTP Respond back so nothing works. The same NAT rule works fine, when I configure it on 192.168.1.4 and set this box as the default gateway.

You can't redirect to an internal server from inside.  With reflection, it might work, but will be horribly slow.  PF isn't designed for it and the NAT hooks aren't in the correct place to allow for it.  We won't be changing that behaviour, it's a limitation in the OS.

@techatdd:

The second bug has nothing to do with squid (it dos not works with or without a transparent squid).
Second. When I configure on 192.168.1.2 the second box (192.168.1.4) as a rulebased loadbalancing gateway and create a firewall rule selecting this gateway for port 80 traffic, the inbound traffic works fine, but the outbound traffic is terribly slow (<1 kb/s) after something like 64 kb.

See above.  Same problem.

–Bill

@fuzzy:

Will pfsense be a participating mentoring organization in the google summer of code 2006? If so, when will there be ideas posted on the google participating mentoring organization links?

Unlikely.  But FreeBSD will be.  Don't let our lack of participation prevent you from implementing any of these ideas:
http://wiki.pfsense.com/wikka.php?wakka=BillM
http://wiki.pfsense.com/wikka.php?wakka=GeekGod
http://wiki.pfsense.com/wikka.php?wakka=IdeasThatAreGoodButNotReadyQuiteYet

–Bill

haha that robot from LExx would be great. Man i havn't watched that show sense highschool i use to rush home from college classes at night just to watch it.

um, if we had a large enough floppy array could run pfsense;)