@Aydin: i think you need this: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html No. xogoc: you'll have to script your change to firewall_rules_edit.php and then trigger a filter reload.

you can try this (in turkish forums): http://forum.pfsense.org/index.php/topic,41243.0.html maybe you need change freebsd package name in url..

If you want 2.0.1 exactly, use RELENG_2_0 then edit pfsense-build.conf and change the PFSENSETAG to RELENG_2_0_1 That said, using RELENG_2_0 is fine. We only include beneficial safe fixes in the RELENG_2_0 branch so at the moment that gets you what may eventually be 2.0.2 (if we ever decide to release another 2.0.x release before 2.1 is out)

I wanted a set as well but it seems my country is not listed in the registration page :(

@ermal: check interface link negotiation or force it to the configured speed! You're right! I've found it by myself, autonegotiation wins in this case, forcing speed and duplex can cause troubles. Now I'm on 2.0.1, at last! Thanks A.

maybe this month..  :) http://forum.pfsense.org/index.php/topic,44583.msg233413.html#msg233413

I think what you want is XMLRPC. As far as I know, there is no reference for it. There is a DevWiki but I didn't see any info there on XMLRPC. There are some packages that use it for config sync, and of course pfSense itself uses it for config sync. I don't know what else it supported but I would like to know as well. In 2.0+ you can create users in the user manager and control exactly which pages they have access to but there aren't any ACLs on things like firewall rules to where it would owned by a user. You would probably have to keep track of this in your own application; maybe use the description of the firewall rule to store some info that's parseable to you (@@ownerid=45261903@@) just an example.

No, just standard unix host template. I'm not graphing anything exotic. If you want to graph pf bits, check out the pf mib http://files.pfsense.org/jimp/BEGEMOT-PF-MIB.txt

Well - that's the quickest fix ever! I have downloaded the pFsense 2.0.1 2GB nanobsd image and written it to a Sandisk Ultra 2GB CompactFlash card. It fits - success. The size is now less than 2,000,000,000 decimal bytes, so hopefully it will forevermore fit on anyone's definition of a 2GB card. Thanks.

AFAIK setfib does multiple routing tables, it doesn't do multiple arp tables. You still can't have the same IP+MAC on two interfaces with multiple routing tables unless they can also separate based on interface. ECMP lets you talk to the same destination via multiple paths, which is better for that scenario.

Ahh, I'm glad I found your posts! Coming from a Linux background I just assumed it was natural to be able to apply a nat rule to all interfaces and so thought I was totally ignorant as I tried to figure out how to make pfSense do it! (I'm still using 2.0-RELEASE (i386) built on Wed Sep 14 00:39:34 EDT 2011 –- Is the feature I need already available?) In any case, I agree - supporting groups for NAT, or multiple interface selection for nat, or even just an ALL interface option in nat (That should be easy if pf is anything like iptables) would be really great. My scenario is relatively simple and normal for a small ISP: We have several vlans bringing in customer traffic from different geographical locations, and a vlan for our server room, for example: 10.0.0.0/16: IPs for our server room - mail, web, etc. 10.1.0.0/16: East side of town 10.2.0.0/16: West side of town 10.3.0.0/16: Center of Town (You get the idea..) Let's say the public IP is 4.4.4.4. All vlans come into the pfSense box which then nats out through a real public IP. (Actually several real public IPs.) So obviously some of our servers - like our main webpage and email servers - need to be reached by all users -- regardless of whether they are at home or traveling -- we configure their mail clients to connect to 4.4.4.4 (via domain name) and it should just work whether they be at home or work or anywhere in the world. The problem is we have to add a forward rule for pop3s (port 995)  not only on the WAN interface for the mail server, but also on each and every customer access vlan interface. So if we have a web, a mail, a DNS server, a backup DNS and mail server, each with several ports listening, we could end up with having to add a lot of rules. So yes, being able to apply a NAT rule to a group or to ALL would be a most splendid and powerful feature! Thanks a million for a great product and keep up the good work! ~Jesse

(I was working up a reply, and you responded before I could hit submit… but there is still something I can add: You can also control the tag, or get a message in from another command like so: echo Hello World | logger -t mytag -p local0.info

Still no ETA. I post snapshots every now and then from 2.1 on FreeBSD 8.1 here: http://files.pfsense.org/jimp/ipv6/ but there are none for 9 yet.

hhm ok after some testing around i will come to the result that i need to change some sed command's inside the builder_common.sh after changing all sed ""  (all sed's with double quotes) to sed (without double quotes) it works and the errors are gone :) sed "" change to sed example: sed "" -e /ttyd0/s/off/on/ ${PFSENSEBASEDIR}/etc/ttys change to sed -e /ttyd0/s/off/on/ ${PFSENSEBASEDIR}/etc/ttys now the pfSense 2.0.1-RELEASE-nanobsd (i386) with vga is booting yoohooo :) hope someone else can need this info best regards ren22 portsnap fetch && portsnap extract cd /home/pfsense/tools/builder_scripts ./clean_build.sh ./set_version.sh RELENG_8_1 cvsup.de.freebsd.org ./update_git_repos.sh ./apply_kernel_patches.sh ./build_iso.sh ./build_nano.sh Using /usr/home/pfsense/tools/builder_scripts/remove.list.iso.8 … Operation ./build_nano.sh has started at Sat Nov 19 21:10:51 CET 2011 Remove list: /usr/home/pfsense/tools/builder_scripts/remove.list.iso.8                   Copy list: /usr/home/pfsense/tools/builder_scripts/../builder_scripts/copy.list.RELENG_8_0             MAKEOBJDIRPREFIX: /usr/obj.pfSense           pfSense build dir: /usr/pfSensesrc/src             pfSense version: 2.0-RELEASE                     CVS User: sullrich                   Verbosity:                     BASE_DIR: /usr/home/pfsense/tools/builder_scripts/../..                     BASEDIR: /usr/local/pfsense-fs                 Checkout dir: /usr/home/pfsense/tools/builder_scripts/../../pfSense                 Custom root: /usr/home/pfsense/tools/builder_scripts/../../pfSense               CVS IP address: cvs.pfsense.org                 Updates dir: /tmp/builder//updates                 pfS Base dir: /usr/local/pfsense-fs               FreeSBIE path: /usr/home/pfsense/tools/builder_scripts/../../freesbie2               FreeSBIE conf: /dev/null                   Source DIR: /usr/pfSensesrc/src                   Clone DIR: /usr/local/pfsense-clone               Custom overlay:             pfSense version: 8               FreeBSD branch: RELENG_8_1                 pfSense Tag: RELENG_2_0                 EXTRAPLUGINS: customroot                 EXTRAPLUGINS: customscripts                 EXTRAPLUGINS: pkginstall                 EXTRAPLUGINS: buildmodules             MODULES_OVERRIDE: i2c             MODULES_OVERRIDE: ipmi             MODULES_OVERRIDE: acpi             MODULES_OVERRIDE: ndis             MODULES_OVERRIDE: ipfw             MODULES_OVERRIDE: ipdivert             MODULES_OVERRIDE: dummynet             MODULES_OVERRIDE: fdescfs             MODULES_OVERRIDE: cpufreq             MODULES_OVERRIDE: opensolaris             MODULES_OVERRIDE: zfs             MODULES_OVERRIDE: glxsb             MODULES_OVERRIDE: runfw             MODULES_OVERRIDE: if_stf               Git Repository: https://github.com/bsdperimeter/pfsense.git                   Git Branch:               Custom Config:                     ISOPATH: /tmp/builder//pfSense.iso                     IMGPATH: /tmp/builder//pfSense.img                 MEMSTICKPATH: /tmp/builder//pfSense-memstick.img                   KERNELCONF:         TARGET_ARCH_CONF_DIR: /usr/pfSensesrc/src/sys/i386/conf/     FREESBIE_COMPLETED_MAIL:         FREESBIE_ERROR_MAIL:                     OVFPATH: /tmp/builder/                     OVFFILE: pfSense.ovf                     OVAFILE: pfSense.ova                     OVFVMDK: pfSense.vmdk                   OVFSTRINGS:                       OVFMF:                     OVFCERT:                     SRC_CONF: /usr/home/pfsense/tools/builder_scripts/conf/src.conf.embedded.8 CROSS_COMPILE_PORTS_BINARIES:             SPLIT_ARCH_BUILD:     UPDATES_TARBALL_FILENAME: /tmp/builder//updates/pfSense-Full-Update-2.0-RELEASE-i386-20111119-2110.tgz         PKG_INSTALL_PORTSPFS:   CUSTOM_CALL_SHELL_FUNCTION: Cleaning build directories: pfsense-fs pfsense-clone Done! Using GIT to checkout RELENG_2_0 Checking out tag RELENG_2_0...Done! Making sure we are in the right branch... [OK] (RELENG_2_0) Creating tarball of checked out contents…Done! Building world and kernels for Embedded... 8  RELENG_8_1 ... +++ NO_BUILDWORLD set, skipping build Ensuring that the btxld problem does not happen on subsequent runs... Installing world for i386 architecture... Making hierarchy Installing everything Building embedded VGA kernel... Not adding D-Trace to Kernel... KERNCONFDIR: /usr/pfSensesrc/src/sys/i386/conf ARCH:        i386 SRC_CONF:    src.conf.embedded.8 Kernel build for pfSense_wrap_vga.8.i386 started on Sat Nov 19 21:11:25 CET 2011 stage 1: configuring the kernel stage 2.2: rebuilding the object tree stage 2.3: build tools stage 3.1: making dependencies stage 3.2: building everything Kernel build for pfSense_wrap_vga.8.i386 completed on Sat Nov 19 21:11:55 CET 2011 Installing embedded VGA kernel... Installing kernel Installing kernels to LiveCD area....done. Phase populate_extra... Making devd... Done. Mounting devfs /usr/local/pfsense-fs/dev ... Merging extra items... Running plugins: customroot customscripts pkginstall buildmodules Done! Using /usr/home/pfsense/tools/builder_scripts/../builder_scripts/copy.list.RELENG_8_0... Populating newer binaries found on host jail/os (usr/local)... Installing collected library information (usr/local), please wait... Fixing up NanoBSD Specific items... Creating md5 summary of files present...Done. Copying config.xml from conf.default/ to cf/conf/ Testing PHP installation in /usr/local/pfsense-fs: FCGI-PASSED PASSED  [OK] Installing packages listed in /tmp/pfspackages Finding origins… 2 found Finding dependencies... 2 found Sorting 4 packages by dependencies... done. Copying 4 packages [0….] Cloning /usr/local/pfsense-fs to /usr/local/pfsense-clone…Done! Using TAR to clone... Deleting files listed in /usr/home/pfsense/tools/builder_scripts/remove.list.iso.8 [nanoo] sandisk 1g [nanoo] NANO_MEDIASIZE: 1947518 [nanoo] NANO_HEADS: 16 [nanoo] NANO_SECTS: 63 [nanoo] NANO_BOOT0CFG: -o packet -s 1 -m 3 Configuring NanoBSD /etc Configuring NanoBSD setup Using TAR to clone setup_nanobsd()… Pruning NanoBSD usr directory... building NanoBSD disk image (i386)... 30912+0 records in 30912+0 records out 997097472 bytes transferred in 15.441514 secs (64572520 bytes/sec) ******* Working on device /dev/md0 ******* fdisk: invalid fdisk partition table found fdisk: Class not found ******* Working on device /dev/md0 ******* parameters extracted from in-core disklabel are: cylinders=1932 heads=16 sectors/track=63 (1008 blks/cyl) Figures below won't work with BIOS for partitions not in cyl 1 parameters to be used for BIOS calculations are: cylinders=1932 heads=16 sectors/track=63 (1008 blks/cyl) Media sector size is 512 Warning: BIOS sector numbering starts with sector 1 Information from DOS bootblock is: The data for partition 1 is: sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)     start 63, size 922257 (450 Meg), flag 80 (active)         beg: cyl 0/ head 1/ sector 1;         end: cyl 914/ head 15/ sector 63 The data for partition 2 is: sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)     start 922383, size 922257 (450 Meg), flag 0         beg: cyl 915/ head 1/ sector 1;         end: cyl 805/ head 15/ sector 63 The data for partition 3 is: sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)     start 1844640, size 102816 (50 Meg), flag 0         beg: cyl 806/ head 0/ sector 1;         end: cyl 907/ head 15/ sector 63 The data for partition 4 is: <unused># /dev/md0s1: 8 partitions: #        size  offset    fstype  [fsize bsize bps/cpg]   a:  922241      16    unused        0    0   c:  922257        0    unused        0    0        # "raw" part, don't edit /dev/md0s1a: 450.3MB (922241 sectors) block size 4096, fragment size 512         using 36 cylinder groups of 12.66MB, 3240 blks, 1632 inodes. super-block backups (for fsck -b #) at: 32, 25952, 51872, 77792, 103712, 129632, 155552, 181472, 207392, 233312, 259232, 285152, 311072, 336992, 362912, 388832, 414752, 440672, 466592, 492512, 518432, 544352, 570272, 596192, 622112, 648032, 673952, 699872, 725792, 751712, 777632, 803552, 829472, 855392, 881312, 907232 Filesystem  1K-blocks Used  Avail Capacity  Mounted on /dev/md0s1a    453327    1 417060    0%    /tmp/builder/.mnt 283395 blocks Filesystem  1K-blocks  Used  Avail Capacity  Mounted on /dev/md0s1a    453327 145586 271475    35%    /tmp/builder/.mnt Mounting and duplicating NanoBSD pfsense1 /dev/md0s2a /tmp/builder//.mnt 7205+1 records in 7205+1 records out 472195584 bytes transferred in 33.322620 secs (14170422 bytes/sec) Filesystem  1K-blocks  Used  Avail Capacity  Mounted on /dev/md0s2a    453327 145586 271475    35%    /tmp/builder/.mnt /dev/ufs/pfsense1 / ufs ro,sync,noatime 1 1 /dev/ufs/cf /cf ufs ro,sync,noatime 1 1 /dev/ufs/pfsense1 / ufs ro,sync,noatime 1 1 /dev/ufs/cf /cf ufs ro,sync,noatime 1 1 Creating /cf area to hold config.xml /dev/md0s3: 50.2MB (102816 sectors) block size 4096, fragment size 512         using 4 cylinder groups of 12.55MB, 3214 blks, 1632 inodes. super-block backups (for fsck -b #) at: 32, 25744, 51456, 77168 34 blocks [nanoo] Creating NanoBSD upgrade file from first slice… 7205+1 records in 7205+1 records out 472195584 bytes transferred in 31.662914 secs (14913207 bytes/sec) Image completed. /tmp/builder// -rw-r--r--  1 root  wheel  951M Nov 19 21:13 /tmp/builder//nanobsd_vga.full.img -rw-r--r--  1 root  wheel  450M Nov 19 21:14 /tmp/builder//nanobsd_vga.upgrade.img Operation ./build_nano.sh has ended at Sat Nov 19 21:14:10 CET 2011</unused>

I figured it out by looking at one of the pre-recorded macros. global $config; This isn't in the help or documentation anywhere.. I guess I'm the only person who ever got tripped up on it though!

@ermal: There is rate limit on the login attempts a host can make. So its not based on user but host sending login attempts. Its hardcoded in php code to 5 attempts in 15minutes but do not quote me on that. That's the sort of thing I'm looking for. If it were configurable for # attempts and # minutes for future, it would be nice. Also worth adding to the documentation if correct. While it allows multiple clients (which causes the limit to scale) it's not nearly enough for heavy duty brute force to be viable. Thanks. As to the others…? :)

Thanks jimp! I see you updated http://doc.pfsense.org/index.php/Creating_Your_Own_Package_Repository already too, fantastic.