I'm not intending to deploy fwknop as anything more than a first line of defence, a way to make reconnaisance of the system harder. Fwknop is valuable as a tool to hide the existence of a certain service, and to reduce the surface area of possible attack. This is true whether you use fwknop to protect access to a VPN service or to protect access to SSH.

For example – ssh is a strong security measure, in theory. When working properly, I trust it to keep the bad guys out. However, a zero-day exploit in ssh would make it possible to gain access if the firewall port is unconditionally open. The same could be said about VPN services like OpenVPN.

In other words, I'm not expecting fwknop to be the solution to all security problems, but rather to be an extra layer of obscurity in a defence-in-depth security scheme. What they can't see, they can't attack. And as a first layer of defence, I'd argue it's more secure than any other scheme, because it's 100% stealthy to any attacker who isn't able to sniff the network, and because the code is so small that finding a security hole will be that much harder. Finally, breaking fwknop security barely even gets you in the door.

Also fwknop is more advanced than simple port knocking. All authorization is done in a single packet, which is protected by strong encryption, and is not vulnerable to replay attacks, like other port knocking schemes are.

Either way, the feature I'm requesting help with is not specific to fwknop itself, but will be useful for other security schemes or even VPN servers that require creation of custom firewall tables.

I agree with Ermal.  What would be a better inclusion for the base code is to allow the default ARP setting to be changed from 5 minutes to something else.

The latest version has a 'Status' tab. If you downloaded FreeSWITCH without modifying /etc/inc/globals.inc then you have the latest version. Any new changes after launch will get its version incremented.

Mark

Short answer, no need to do the loop at all :D ::)

I think HKPolice is just trying to get you guys irritated.  I think the direction pfSense is taking is a good one.  I also do not like the idea of running all of my products on one single machine.  Single point of failure.  I would recommend he could get an alix box from pcengines and then use the PC as a NAS box.  Having a single box which runs everything means when you need to reboot for something you are taking down all of your applications/services.

PHPMailer works great but I've read that it is no longer in active development.

I found another alternative.
http://www.swiftmailer.org
The license is lgpl.

Features are:
    * Persistent connectivity improves performance
    * Connection types selected by user - extendable
    * Complete header control with RFC 2822 requirements handled
    * Internationalization support (i18n)
    * Connection redundancy support
    * Load balancing and/or throttling support
    * SSL & TLS Support - for Gmail servers
    * Embedded images or other file types
    * Full MIME 1.0 library included (create multipart messages, attachments etc)
    * Batch mail processing
    * Smart runtime caching (in small, self-maintained packets)
    * Send attachments of any size even with PHP's 8MB Memory Limit
    * Support for multiple attachments
    * Lossless protection against header injection (encode, don't strip)
    * Set message priority
    * Request read receipts
    * Pluggable SMTP authentication (LOGIN, PLAIN, MD5-CRAM, POP Before SMTP)
    * Anti-flooding support for servers with limits on emails-per-connection
    * Bandwidth monitor included
    * Extensive event-driven plugin support (easy to write)

No.

Also I get errors:
There were error(s) loading the rules: pfctl: DIOCADDRULE: Cannot allocate memory
And
There were error(s) loading the rules: pfctl: DIOCADDRULE: device busy

Maybe this 1st error sometimes cause pfsense to crash. Not sure

@Monoecus:

Does anybody know, when the move from CVS to git will be completed? I would be happy to be able to use git.

It's been somewhat delayed due to other personal commitments.  I don't have a time frame for the final conversion just yet.

–Bill

use Pf sense as the brand, will be better i think ::)

Sai,

git isn't really needed at the moment, but the problem with the compile comes from the iconv.h include file really being at /usr/include/sys/iconv.h rather than /usr/include/iconv.h

easiest way to fix it is to just symlink it to the location where git is trying to find it.

You will find shortly after this though that the newly restructured build process doesn't work with the "subshells" as the auto menu on the pfSense Dev ISO environment interferes with the subshell starting correctly.  You have to remove the menu part of the script from the automated login for root so the build process continues in the subshells as desired.  Otherwise it will give the impression that you've been logged out when the new subshell begins (the menu will get displayed and the build process hangs).

I haven't succeeded in getting a completely working build from this environment yet, but I've been working on it.  I can't get the environment to build in a plain FreeBSD 7.0 environment bootstrapped for pfSense development either.  The issues are different in each environment.  The builds from this environment seem to have inconsistencies in pfPorts components (such as the PHP versions or extensions it is looking for), and the builds from plain FreeBSD have kernel issues (a Dev ISO build actually works, but the regular ISO build has kernel issues) I haven't been able to track down yet.

Regards,
Ron

Scratch my above patch suggestion.  Although the fact that the kernel build flag files are not getting removed properly between builds is the symptom, my suggested fix doesn't address it completely as other scripts are looking for things in the original location also.

Ron