One additional mod to the pfctl form:

If you want to quickly pull out a single rule:

pfctl -vvs rules | grep "^@ <rulenum>"</rulenum>

Where is the rule number you are seeking.  The space before my closing double quote was on purpose to terminate the pattern so that ONLY the rule number being sought is returned.  Otherwise, the above might also match some other rule number that started off with the rule number you are seeking.  Ie, '77' and '77x' (x = 0 thru 9) would all match.

Without knowning more details (what server- and what firewall-arch) I would respond to

I want to avoid viruses on the server´s system files and in E-Mails, sent and received over the server

Scan e-Mails on their way to the server via a mailgateway. It wouldn't be the first time there was some strange side effect when doing the scanning on the same system having the normal mail service on. Get them out before they reach the final destination server (and the user) and run an additional AV on the normal filesystem of the server for file services.
But I would not run that kind of thing on the firewall itself. Keep the firewall architecture as clean as possible and don't mix it with further services if they don't have necessarily to do with it. E.g. split the fw-arch into three nets, WAN, DMZ and LAN and setup the mailgateway in the DMZ area. So you don't have any probably "bad things" in your LAN before it passes all your desired tests.

Just my thoughts on this :)

Not to mention that "dumb" switches are cheaper than manageable vlan capable switches.

Depending on what exactly you need I can do support for you too. You can reach me by mail at holger <dot>bauer <at>citec-ag <dot>de. Remote service shouldn't be any problem. If you need someone on site we could discuss this as well.</dot></at></dot>

Oh, just saw from the screenshot, it's even a livecd system  :o

Beta 2 is OLD. Please update to 1.0.1.

I am really looking forward to this package :)

Agree'd.  I am looking at mailing infrastructure scripts so that we can add email support to pfS.  Once this is completed we can e-mail all sorts of stuff, including this.

Do a nslookup on these sites. Then add all these IPs to a hosts alias and use policybased routing to send these connections out only through one of your wans. Alternatively you could just send out https protocol only one of your wans. At our office the https rule fixed 99% of all issues with onlinebanking sites (at least if they run as browsersession rather than using a special application).

Out head code has support for adding URLs as aliases btw but that version is not ready yet for productional use.

You may need to reflash then.

And in the future please do not hijack threads.

Congratulations!

The soekris is even easier to setup as it simply works with enabled keyboard and video and you don't have to swap kernels (though it doesn't have these components, the bios works around it pretty well). Just install pfsense from cdrom to your media in a system that supports booting from cdrom. Leave the nics assigned as sis and move the media to the soekris after the install has finished. You should be able to access the gui right away after booting up form the default lan interface. Enabling serial console at system>advanced is recommended. We installed a 2,5" hdd in my notebook this way and mounted it to bills soekris 4801 during the hackathon.

Sounds like an MTU issue to me. Try lowering the MTU at the WAN connection that has changed. Try something conservative like 1400 and go up from there until it breaks. Then go back one step.

@MrMoo:

pfSense uses mtree which performs a similar function and checks on every boot.

We do?  Guess I need to pay closer attention to our boot process.

–Bill

got pfsense rc2h running on an ibm 1u with one 3Ghz intel 4 interfaces.
had 400+ users last week on one day, 250 avg for 3 other days. ran like a champ.  Will be bringing up a dell poweredge 1850 with dual xeon 3.4s and 4 interfaces to be the primary in a carp pair soon.

Most likely, you should upgrade  ;D