There was an issue, since fixed. Your post should have gotten through. If not, go ahead and re-send it.

I see the A+ score - nice!!!  Much better than a C ;)

Ah well, obviously something munged at my end.
I'll have to investigate further.

Thanks for checking and confirming the Forum performance.

spoofed-DDOS (sDDOS, a new acronym?) really should be stopped at each ISP before it gets onto the internet backbone:
a) Customers with public IPS:
Each ISP has customers connected and knows what public IPs it has allocated to those customers. If it receives any packets from a customer with a source IP that is not one of the customer's proper allocated public IPs then drop the packet.

b) Customers who are not given public IPs but are in a CGN or similar managed by the ISP and who end up on shared public IPs:
The ISP can filter internally to make sure individual customer packets have source IPs that match the internal IP given to the customer.
In any case the ISP will NAT this stuff out to the public internet so dodgy source IPs will (should) be NATed out to be the ISP public IP. Thus the "spoofed" and "distributed" are not effective. It becomes like an ordinary "DOS".

c) In regions/countries where there are small ISPs that are [not willing|can't be trusted|do not have the technical skill] to do this filtering of traffic from their customers, then the next level up part of the backbone (to which these ISPs connect) should filter traffic, making sure that the source IP of all traffic received from "small and dodgy ISP X" is actually one of the public IPs that is allocated and routed to that ISP.

If that was put in place, then end-customers could not mount spoofed DDOS attacks just from a single place.

They could still do ordinary DOS from 1 or a few of their own source IPs. But that is easier to mitigate because the firewall can have pass rules that limit the number of new connections per second from each source IP and quickly start dropping the incoming SYN packets without creating state… - which should be much less processor intensive and not fill the state table.

And of course if someone has a bot that that they have managed to get installed in 1 million hosts via some malware then they can mount a real DDOS, rather than sDDOS.

I have seen similar behaviour on other sites, though not here, if you have load-balanced WANs. Connections coming from alternating addresses can confuse login status.

Steve

You can stick something like this into Cron package if you believe in S.M.A.R.T. :P

@Mr.:

'tIs a feature, not a bug ( ;D ;D ;D ).

I don't know, perhaps it's BB's pfblockerNG tables that are being backupped too? (I don't know :-[ ).
[/quote]

Nope, it's not a feature. It's a result of very poor pfSense config. We offer paid support exactly to prevent that : )

You're comparing pfSense to SAP. Pause. Think about what you're comparing.

In addition to that, I personally dislike SAP because it's 1) horribly overpriced 2) incredibly bad.

I linked what JimP said, it's just not possible.

I seriously laughed out loud

@KOM:

But if we post feedback for the Feedback forum in the Feedback forum, wouldn't that result in a Feedback loop?

I'll show myself out…

We are moving away from mirrors and focusing on infrastructure we control for better security, accountability, and so on.

Hello kaneda,

softether is a really fine project and for sure I consider that this will be a great win for the pfSense project
if this will be able to install as a optional packet! Great suggestion as I see it right.

There was a brief db issue a bit ago, since fixed.

This looks to be fixed. SMF got itself all confused somehow and hosed part of the database. Some db repair seemed to clean things up, and I upgraded SMF 2.0.9->2.0.10 since it included some bug fixes, though nothing that appeared to matter for us, maybe something there.

A small number of posts that came through today ended up getting deleted. That Russian thread Jared linked became the home of all new threads somehow for a period of time, and they ended up duplicated multiple times. I split out most of what ended up in there into their own threads. That thread had gotten up to 15+ pages of mostly duplicated posts so I'm sure I missed something. That thread itself also was deleted as it was otherwise weird.

All forum totals and counts were re-calculated after cleaning that up, as something to do with the weird thread messed up some people's counts.

Everything checks out fine now in SMF's db checks, and none of the errors that were flooding its error log have recurred since coming out of maintenance mode, so pretty sure this is all fine now.

Sounds reasonable to me. 
I have only used the VLAN features, personally.  Bridging and LAGGing and all that craziness screams for the need of a switch.  pfSense is not a switch.

@johnpoz:

What about users that use a larger icon set.. Shouldn't the favicon be 256x256 so they can just downsize ;) and get a nice pic..

What about the people that use 48x48 the medium size, etc..  Don't forget the blind people ;)

.ico files are containers (like zip files) that contain multiple bitmap image sizes (or they can only contain one size, 16x16 in this case), and end-use software can pick the right size it wants. That's why, as a web designer, they have to be careful on the .ico construction because , being a container, it can contain many different sizes and thus vary from small in size to huge in size (relatively), which would increase page load times and bandwidth usage. The client will download the entire .ico container regardless of which size image it intends to use inside that container

but, a more contemporary approach, you can avoid the container concept all together and use html meta data to point the devices to the right file. so the end user device only grabs the size image file it needs and not a container with every size image (uncompressed at that)

http://www.favicon-generator.org/ is a great resource that does this for you

ex:

pcap and pcapng - nice!! thanks..

It would definitely be nice if SMF handled timezones better, especially given the brokenness for those whose DST schedules differ from the US. We could run the server on UTC, but so many have set their offset accordingly for CST that it would probably break more than it fixes. That wouldn't fix the DST issue in general either, given the profile setting is only an offset from the server's time and offset from UTC changes with DST.

Not a great answer to this one unfortunately.

that would defently make the forum more usable!