Subcategories

  • Discussions and feedback related to this forum

    608 Topics, 3k Posts
    johnpoz: @Popolou Well, that is recent for sure. I don't recall putting that in, maybe? It is fixed now, it seems, which is the good thing. Thanks for bringing it to attention.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics, 114 Posts
    w0w: @sef1414 Name it "run.sh", copy it to pf and chmod it according to the documentation: https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after the logger command.
  • Dsl modem in transparent bridge mode with pfsense

    3 Posts, 0 Votes, 10k Views
    Thanks for the reply, Steve. That's what I was thinking, that there probably isn't any risk of anything breaking out of the tunnel between the ISP and the WAN connection on the pfSense box, but I wasn't sure. Thanks for the link as well. I should have mentioned that I'd seen it, but it seemed easier to plug a cable between the modem and one of the switches on the LAN as no other changes were necessary.

    I haven't made any changes for NAT on either the modem or the pfSense box, although I may have turned it off on the modem a few years ago when I put it in bridge mode, as it's turned off now. I assume the modem is just passing the internet connection to pfSense and not doing any NAT, and that pfSense is the only thing doing NAT.

    The reason I was thinking of using the modem for wireless is to segregate my DirecTV network from the LAN by creating a VLAN. The DirecTV boxes are networked using coax, but they need to use wireless to get an internet connection without some other piece of hardware I don't have and would have to buy. I don't like having boxes I don't control on the LAN, but the WNDR WAP doesn't do VLANs. I could buy another access point, but since the modem's wireless isn't being used I figured why not, assuming I'm not opening up a security hole. Since it's already working, most of the configuration is already sorted out.

    Bill
  • How to block download extensions

    22 Posts, 0 Votes, 9k Views
    Um, sir kejianshi, I'm doing well with DansGuardian, but I have this one scenario where one of the users has access which is not applicable to others. I've tried the users in DansGuardian but the result failed. Is it really possible, sir? Thanks.
  • Nice pfSense article with pictures

    4 Posts, 0 Votes, 1k Views
    Yep, cool article. I'm sure they will leave it there. There is no rivalry.
  • Another Nessus thread… HIPAA/HITECH audits

    4 Posts, 0 Votes, 2k Views
    The results obtained from any vulnerability scanner are open to interpretation. The fact is that Nessus, run from the inside, will find vulnerabilities. My own healthcare clients are using a couple of different Unix/Linux firewalls and fare poorly against a Nessus scan, typically DNS vulnerabilities. Nessus is a good starting point for a risk assessment, but its verdict on your vulnerabilities is not a verdict on your HIPAA compliance. The best fit for Nessus and HIPAA is when it is used for regular monitoring and inventory: what's different about your network from yesterday or last year? Nessus scans could have a place in your HIPAA policies, but its scans need to be considered within the overall culture and policy of your organization.

    HIPAA security assessments typically center on gap analysis: what are your security policies and are you adhering to them? Do those policies meet or exceed the standards set by the government? Have you documented all locations that contain ePHI, either active or at rest? Do you have a complete inventory of your information assets? Do you have backup policies? Are you adhering to your backup policies? The law typically tells us what to do, but not how to do it; that's for each organization to define through their policies. See http://scap.nist.gov/hipaa/ for a good assessment toolkit.

    Government HIPAA auditors usually are involved after the fact. The real HIPAA police are the patients and the healthcare organizations themselves. Fines await those who expose patient health or financial information. The fines are not issued because you failed a Nessus scan but instead because you may not have done everything in your power to prevent the exposure of protected health or financial information.
  • Email alerts for keyword matches in logs

    3 Posts, 0 Votes, 1k Views
    Thanks, Jim
  • MOVED: exclusion URL blocking

    Locked. 1 Post, 0 Votes, 958 Views. No one has replied.
  • 2.1 production date?

    8 Posts, 0 Votes, 2k Views
    Here it is! Many thanks and congratulations to all who are involved. [image: pfsense2.1RELEASE.jpg]
  • MOVED: help me pls..Pfsense wont boot up :(

    Locked. 1 Post, 0 Votes, 815 Views. No one has replied.
  • PFsense experts in Toronto

    1 Post, 0 Votes, 959 Views. No one has replied.
  • TOR Security issues

    7 Posts, 0 Votes, 4k Views
    You think most TLS cuts it? I wouldn't trust a key or a cert of any length or strength that I hadn't hand-carried and exchanged privately. Especially when you consider that every packet from the initial handshake forward might be stored, replayed and picked apart, if you believe the hype... And I do.

    "The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher."

    ^^^^ You go ahead and trust that ^^^^

    Anyway, the things that I would do are appropriate for denying state-backed players. Not necessarily something some guy trying to view porn anonymously would worry about. I mean, who really cares who is looking at what porn anyway?

    I think I like a world with secrets better than without. I don't like the chilling effect that happens when the only entity that has any privacy is the police/government but not their subjects.

    http://www.youtube.com/watch?v=o66FUc61MvU (funny... but true)
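    The definition quoted in the reply above describes key agreement between parties with "no prior knowledge of each other"; what it leaves out is that an unauthenticated exchange can be completed by whoever is on the path. The following is an added example, not code from the post or from pfSense: it runs a plain Diffie-Hellman exchange, then the same exchange with an in-path "Mallory" who substitutes her own public values, and finally the same exchange with public values authenticated under a pre-shared key (the equivalent of the hand-carried secret the poster describes). The group (p = 2**127 - 1, g = 3) is a deliberately tiny toy group chosen only so the code runs instantly; the names Alice, Bob and Mallory and the PSK are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: p = 2**127 - 1 is a Mersenne prime, far too
# small for real use. Real deployments use standardized 2048-bit+ MODP groups or
# elliptic-curve groups; the MITM logic below is identical either way.
P = 2**127 - 1
G = 3
PUB_BYTES = 16  # any value mod P fits in 16 bytes


def keygen():
    """Return (private exponent x, public value g^x mod p)."""
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Hash the raw DH secret (peer_pub^priv mod p) into a symmetric key (hex)."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(PUB_BYTES, "big")).hexdigest()


def honest_exchange():
    """Both parties receive each other's real public value: the keys match."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    return derive_key(a_priv, b_pub), derive_key(b_priv, a_pub)


def mitm_exchange():
    """Mallory sits on the path and replaces each public value with her own.

    Alice and Bob each complete a perfectly valid DH exchange, just not with
    each other. Mallory ends up holding one key per victim and can decrypt,
    read and re-encrypt traffic in both directions.
    """
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    m_priv, m_pub = keygen()
    return {
        "alice": derive_key(a_priv, m_pub),  # Alice believes m_pub is Bob's
        "bob": derive_key(b_priv, m_pub),    # Bob believes m_pub is Alice's
        "mallory_with_alice": derive_key(m_priv, a_pub),
        "mallory_with_bob": derive_key(m_priv, b_pub),
    }


def tag(psk, pub):
    """Authenticate a public value with a pre-shared key (the 'hand-carried' secret)."""
    return hmac.new(psk, pub.to_bytes(PUB_BYTES, "big"), hashlib.sha256).digest()


def authenticated_exchange(psk, mallory_in_path=False):
    """DH with HMAC-authenticated public values; returns (alice_accepts, bob_accepts).

    Without the PSK, Mallory can still swap the public values, but she cannot
    produce tags that verify, so both sides abort before deriving a key.
    """
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    to_bob = (a_pub, tag(psk, a_pub))      # what Bob should receive from Alice
    to_alice = (b_pub, tag(psk, b_pub))    # what Alice should receive from Bob
    if mallory_in_path:
        _m_priv, m_pub = keygen()
        forged = tag(secrets.token_bytes(32), m_pub)  # wrong key, so a wrong tag
        to_bob, to_alice = (m_pub, forged), (m_pub, forged)
    # Each side verifies the peer's tag before it would derive any key.
    alice_ok = hmac.compare_digest(to_alice[1], tag(psk, to_alice[0]))
    bob_ok = hmac.compare_digest(to_bob[1], tag(psk, to_bob[0]))
    return alice_ok, bob_ok
```

    The honest run yields one shared key; the MITM run yields two different keys, each of which Mallory also holds; the authenticated run refuses Mallory's substituted values on both sides. TLS solves the same problem with certificates instead of a PSK, which is exactly where the poster's trust question lands: the exchange is only as trustworthy as the authentication of the public values.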
  • Help, advice, ideas for Home network with PfSense please

    4 Posts, 0 Votes, 3k Views
    Thanks, guys. Yes, I am in the UK with FTTC; I am currently getting around 31 Mb according to speedtest.net this morning. I am going to try and keep it simple for now to get everything working. I will just use one NIC and then the AP from the switches for now. Once I have had a play about with it, found what I like and feel more confident, I may consider segregating it more. The issue with UPnP over different subnets may cause a problem if I segregate the wireless from the LAN, as I have one media player in the bedroom that uses the wireless. The other reason is that the PC with the smallest case currently only has room for one PCI card... although I have another desktop that could be used, it is quite a bit bigger and I am trying to do this project without spending money.
  • Openvpn bsdcrypto acceleration

    31 Posts, 0 Votes, 10k Views
    stephenw10: I would expect more from an Atom with Gigabit interfaces. Something >500Mbps. It's not clear exactly how you had the test setup connected. If that's between two VMs connected to the same switch, I would expect near Gigabit results; the traffic would not be going through the pfSense box at all. It's very easy to overlook something and end up testing the wrong thing in these sorts of tests.

    Steve
  • Hybrid nanoBSD plus hard disk configuration support

    5 Posts, 0 Votes, 2k Views
    jimp: Some things are available in the "/installer/" web installer code; they could probably be re-used for such a thing. One of the things I have in my notes for 2.2 is some gmirror management in the GUI (add drive, remove drive, etc.).
  • ALERT - canary mismatch on efree() - heap overflow detected

    2 Posts, 0 Votes, 2k Views
    jimp: Where exactly did you see the error? And which exact pfSense version? All 2.0.x versions (2.0, 2.0.1, 2.0.2, 2.0.3) are based on FreeBSD 8.1. It appears to be a PHP error from the Suhosin protection. It may or may not be something to worry about. For example, if you leave your GUI port wide open to the world and you get that, it may be worrisome. Otherwise, maybe not. Without more detail it's impossible to say.
  • Suggestions for Gateway monitor IPs

    2 Posts, 0 Votes, 1k Views
    216.146.35.35
    216.146.36.36
    I'm sure there are many, many others. I suppose you could also ping the NTP time servers by IP per country or region... For example: 96.47.67.105. Some such servers don't like to get pinged every millisecond, so maybe every 5 or 10 seconds. For your purposes, 96.47.67.105 (or another reliable NTP server) is probably better than a DNS IP.
  • Setting a different subnet for Wireless clients

    2 Posts, 0 Votes, 1k Views
    To do it properly you have to put the guests on a different interface+subnet. Then they can infect each other as much as they like, and you can control what they can access on the main LAN (or block all access to the main LAN). For that you have to have another NIC or a VLAN-capable switch (to securely use a NIC to share 2 interfaces/VLANs). You can do messy things with subnet masks, so that some groups of devices on the LAN don't actually talk to each other successfully. But anyone with their own device can set their own IP address/mask to get around that. So it can be a poor man's kind-of solution that helps stop casual user devices from messing up your real network. But it is never secure against people who actually intend to attack you. Of course the other advice is: don't have open writeable shares!
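    The reply above makes two points: subnet-mask tricks on one shared LAN only "separate" devices in each sender's own routing decision, and a device owner can undo that by choosing their own address and mask. The following added Python model (not code from the post or from pfSense) shows both. The hosts, addresses and masks are a constructed scenario: a "trusted" PC and a guest device given /25 masks in opposite halves of 192.168.1.0/24 on the same switch behind a single pfSense LAN interface, plus an attacker who simply configures a /24 on the same wire.

```python
import ipaddress

# Constructed scenario: three devices on ONE switch (one broadcast domain)
# behind a single pfSense LAN interface. "trusted_pc" and "guest_tv" were given
# /25 masks so each considers the other off-subnet; "attacker" uses a /24.
HOSTS = {
    "trusted_pc": ("192.168.1.10", 25),
    "guest_tv": ("192.168.1.200", 25),
    "attacker": ("192.168.1.201", 24),
}


def sends_directly(hosts, src, dst):
    """True if `src` treats `dst` as on-link and ARPs for it directly.

    The decision comes entirely from the SENDER's own address/mask, which
    anyone with their own device controls; nothing on the wire enforces it.
    """
    ip, plen = hosts[src]
    net = ipaddress.ip_interface(f"{ip}/{plen}").network
    return ipaddress.ip_address(hosts[dst][0]) in net


def packet_path(hosts, src, dst, gateway_forwards=True):
    """Model where a packet from src to dst goes on a shared single-interface LAN.

    gateway_forwards: whether pfSense, receiving the packet on its LAN
    interface, routes it back out the same interface. Rules on that interface
    can block this hairpinned traffic, but they never see frames that the
    sender delivered directly through the switch.
    """
    if sends_directly(hosts, src, dst):
        return "direct (switch forwards frame, firewall never sees it)"
    if gateway_forwards:
        return "via gateway, forwarded back onto the same segment"
    return "via gateway, blocked"


def isolation_holds(hosts, a, b, gateway_forwards=True):
    """Mask tricks only isolate a and b if NEITHER side can reach the other."""
    return all(
        packet_path(hosts, s, d, gateway_forwards) == "via gateway, blocked"
        for s, d in ((a, b), (b, a))
    )


if __name__ == "__main__":
    for src, dst in (("guest_tv", "trusted_pc"), ("attacker", "trusted_pc")):
        print(f"{src} -> {dst}: {packet_path(HOSTS, src, dst)}")
```

    With default forwarding the guest's traffic still reaches the trusted PC, just via the gateway; even with the gateway blocking that hairpin, the attacker's /24 makes the trusted PC on-link and the switch delivers the frame without the firewall ever seeing it. That is why the reply's "properly" means a separate interface or VLAN, where every frame has to cross pfSense.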
  • PPPOE issue; Snort new rules;

    2 Posts, 0 Votes, 1k Views
    No one about PPPoE?!?
  • Blocking https://www.facebook.com and https://www.twitter.com

    2 Posts, 0 Votes, 1k Views
    jimp: http://doc.pfsense.org/index.php/Blocking_websites
  • How to block extension proxy like in chrome and mozilla

    1 Post, 0 Votes, 1k Views. No one has replied.
  • Firebox hardware with other OSes

    3 Posts, 0 Votes, 2k Views
    stephenw10: Thanks. Yes, the Cavium chip does seem to rely on some binary blobs and such. It would be very nice to have it working under any OS. At the moment it just sits there using power. ::) I doubt we'd have any luck from Cavium, though if you don't ask you don't get, as they say, and we did get the ancient SDK from Safenet with almost no problems. Though if we developed a driver from it I'm not sure what the licensing terms would be. I'm really looking for an OS I can boot headless from a CF card that has development tools included. Most OSes that will boot headless, like OpenWRT, are very cut down, with good reason. Ubuntu server looks like a promising candidate with a few tweaks.

    Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.