Subcategories

  • Discussions about development snapshots for pfSense Plus 25.07

    58 Topics
    819 Posts

    I would agree. 18 hours in and everything continues to run smoothly. The issue related to image availability I believe is the valid answer and we can close this out as solved. Thanks everyone. -JD

  • [1.2.2] Executing something on failover

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    You can customize your pfSense, but there is nothing supported on that, since pfSense is for removing the hackiness you do with a usual box.
    For that matter, yes, you can modify slbd.sh to do what you want; just return the exit status of ping.

  • Looking for help about fairq

    Locked
    2
    0 Votes
    2 Posts
    3k Views

    You need to rebuild even pfctl.

  • Need your help~what's web container and Database used by pfsense

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Show Config

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Code changes to mostly support interface alias CARP in 1.2.2 - Dumb?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Package & firewall options

    Locked
    3
    0 Votes
    3 Posts
    3k Views

    @ermal:

    Actually NO they should not have any priority.
    I think for your original request there is a hook somewhere that searches /usr/local/pkg for inc files and for functions with $packagename_filter_rules or some such. Check the squid function name…

    I want to explain what I mean.
    These hooks exist for squid, clamav (and some other) packages:

    if (is_package_installed('squid') && file_exists('/usr/local/pkg/squid.inc')) {
        require_once('squid.inc');
        $natrules .= squid_generate_rules('nat');
    }

    if (is_package_installed('clamav') && file_exists('/usr/local/pkg/clamav.inc')) {
        require_once('clamav.inc');
        $natrules .= clamav_generate_rules('nat');
    }

    Maybe it is possible to check all packages?

    foreach ($installed_packages as $pkg) {
        if (is_package_installed($pkg['package-name']) && file_exists($pkg['package-incfile'])) {
            // call the package's own <package-name>_generate_rules('nat')
            require_once($pkg['package-incfile']);
            $generate_rules = $pkg['package-name'] . '_generate_rules';
            if (function_exists($generate_rules)) {
                $natrules .= $generate_rules('nat');
            }
        }
    }

    Sorry. Perhaps I did not understand your answer completely.

  • How to use Developer iso?

    Locked
    8
    0 Votes
    8 Posts
    4k Views

    Thanks everyone, I'm a newbie so I asked a stupid question, but now I can build pfSense from these tools.

  • How to build an embedded image?

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    You can make an .img image with the command:
    # /home/pfsense/tools/builder_scripts/build_embedded.sh

  • Userland Traffic Shaper

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Sorry for breaking the party, but in 2.0 we have per-IP shaping (dummynet) working!

  • Pfsense for other platforms

    Locked
    8
    0 Votes
    8 Posts
    5k Views

    Tonight I found a thread dedicated to this device in the hardware sub-forum, but seeing your replies here I don't feel so stupid posting here!  The last postings in there talked about an atom-based board that otherwise specs roughly the same as this one and same TDP–but for around double the money. :(

    In any case, as I mentioned there, I think having a firewall running on a non-Intel instruction-set processor could possibly increase security WRT some processor-specific hacks that go around the OS that have been mentioned on Slashdot, among other places.  Any comments on that?

    Thanks for the reply, and I'm glad to hear that you guys are at least considering it! :)

    Mike

  • How test - VMWare or Real System ?

    Locked
    3
    0 Votes
    3 Posts
    3k Views

    Thanks!
    I like any method - IDE is a good idea.

  • Vmware image?

    Locked
    4
    0 Votes
    4 Posts
    3k Views

    I managed to install the 1.2.2 dev iso, but there is no /home/pfsense/tools directory.

    Do I now have to follow http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso, or did I install it wrong?

  • 2.0 Build inv.

    Locked
    10
    0 Votes
    10 Posts
    7k Views

    Try this: http://ftp.nhlue.edu.tw/pfsense/downloads/pfSense-Developers-1.2.2.iso.gz or whatever developer iso is available when you get to the mirrors.

  • Vpnc on 1.2.2

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Rowhelper crash config.xml

    Locked
    2
    0 Votes
    2 Posts
    4k Views

    Solved

  • Help needed: Required core hooks to build a fwknop package

    Locked
    3
    0 Votes
    3 Posts
    3k Views

    I'm not intending to deploy fwknop as anything more than a first line of defence, a way to make reconnaissance of the system harder. Fwknop is valuable as a tool to hide the existence of a certain service, and to reduce the surface area of possible attack. This is true whether you use fwknop to protect access to a VPN service or to protect access to SSH.

    For example – ssh is a strong security measure, in theory. When working properly, I trust it to keep the bad guys out. However, a zero-day exploit in ssh would make it possible to gain access if the firewall port is unconditionally open. The same could be said about VPN services like OpenVPN.

    In other words, I'm not expecting fwknop to be the solution to all security problems, but rather to be an extra layer of obscurity in a defence-in-depth security scheme. What they can't see, they can't attack. And as a first layer of defence, I'd argue it's more secure than any other scheme, because it's 100% stealthy to any attacker who isn't able to sniff the network, and because the code is so small that finding a security hole will be that much harder. Finally, breaking fwknop security barely even gets you in the door.

    Also fwknop is more advanced than simple port knocking. All authorization is done in a single packet, which is protected by strong encryption, and is not vulnerable to replay attacks, like other port knocking schemes are.

    Either way, the feature I'm requesting help with is not specific to fwknop itself, but will be useful for other security schemes or even VPN servers that require creation of custom firewall tables.

  • RELENG_2_0 Parse Error

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Editing core files

    Locked
    8
    0 Votes
    8 Posts
    5k Views

    I agree with Ermal.  What would be a better inclusion for the base code is to allow the default ARP setting to be changed from 5 minutes to something else.

  • FreeSWITCH package for pfSense.

    Locked
    12
    0 Votes
    12 Posts
    10k Views

    The latest version has a 'Status' tab. If you downloaded FreeSWITCH without modifying /etc/inc/globals.inc then you have the latest version. Any new changes after launch will get its version incremented.

    Mark

  • Increase performance of filter_configure_sync

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    Short answer, no need to do the loop at all :D ::)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.