@jetberrocal:

The e2g in  the freebsd ports is not the last version but is good enough.  They fixed the https filtering in two ways.  You can filter using ssl bump or with mitm.
Personally I prefer mitm because is easier to use but ssl bump works nicely.

Thanks a lot for your reply. I'd also want to do MITM if possible, I do have a captive portal on my network and all users are told to install the CA certificate so most errors should be avoided. Since E2 Guardian is now getting a few updates looking at their website…I will give it a shot for sure.

+1 for NXfilter

-teddy

Not at all. I got some help here https://forum.pfsense.org/index.php?topic=120370.0, but it still wasn't working for me. It ended up being just an old floating rule that I was playing with awhile ago and forgot to disable/delete. It wasn't doing anything until I tried to do policy based routing and it by design shut down the policy based routing. I hadn't realized I still had that rule enabled so I just deleted it and all is well.

So in short, policy based routing, that link should tell you what you need to know to get your setup working!

Thank you - issue self-solved via https://forum.pfsense.org/index.php?topic=93749.0

i guess the squid package could automagically generate a rule for each selected interface.
unfortunately, not everybody would agree with this.
It might also be tricky to be sure the rule is always on TOP.

Awesome, thanks jdijulio. Now, hopefully someone will take us up on that offer  :)

Pm me if you still need help with this

I totally missed my notifications on this topic.  Anyway, to help clarify my original intent behind this request I'll give some examples.

The idea is to make some pre-built "rulesets" that effectively harden egress traffic in a quick and easy way.  I suppose it pretty much combines a firewall and port alias into one merged alias name with all the protocols pre-assigned for the source & destination.  What I think could be useful is if these "rulesets" became a sort of optional baseline preset that was available as a quick select (kind of like the preset QOS traffic types).  From my experience firewall rules have been one of the most time consuming things to setup and having an easy way to import/apply standard rulesets across various customer sites would be really helpful….emphasis on the various customers and different network settings abroad.

Concept Firewall Rule Aliases

Name: Client To DC Traffic
Interface : (Assign like any other rule on the interface and simply specify the Alias name.)
Source: Client Interface VLan/Subnet/Other
Destination: Domain Controller IP Addresses(s) (linked firewall Alias)
Source Ports: Any (Specify if needed)
Destination Ports: (linked port Alias)
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
udp 123 for time service
udp for netlogon and netbios
TCP 139

Name: RODC To DC Traffic
Interface : (Assign like any other rule on the interface and simply specify the Alias name.)
Source: RODC IP(s) (linked firewall Alias)
Destination Address: Domain Controller IP Addresses
Source Ports: Any (Specify if needed)
Destination Ports: (linked port Alias)
UDP 53 DNS DNS
TCP 53 DNS DNS
TCP 135  RPC, EPM
TCP Static 53248  FRsRpc
TCP 389  LDAP
TCP and UDP Dynamic
1025  5000 Windows 2000, Windows 2003, Windows XP Ephemeral Ports
TCP and UDP Dynamic 49152  65535 Windows 2008, Windows Vista and all newer operating systems Ephemeral Ports

Name: Corporate DNS Traffic
Interface : (Assign like any other rule on the interface and simply specify the Alias name.)
Source: Interface Subnet/Other
Destination Address: Corp DNS Servers/Domain Controllers (linked firewall Alias)
Source Ports: Any (Specify if needed)
Destination Ports: UDP 53 "DNS" (linked port Alias)

Name: VCenter Management Traffic
Interface : (Assign like any other rule on the interface and simply specify the Alias name.)
Source: Interface VLan/Subnet/Other
Destination Address: VCenter Server(s) (linked firewall Alias)
Source Ports: Any (Specify if needed)
Destination Ports: (linked port Alias)

vCenter Server 6.0 22 TCP/UDP vCenter Server SSH Client System port for SSHD. This port is only used by the vCenter Server Appliance
vCenter Server 6.0 80 TCP Client PC vCenter Server vCenter Server requires port80for direct HTTP connections. Port80redirects requests to HTTPS port 443. This redirection is useful if you accidentally usehttp://serverinstead ofhttps://server.

WS-Management (also requires port443to be open).

If you use a Microsoft SQL database that is stored on the same virtual machine or physical server as vCenter Server, port80 is used by the SQL Reporting Service.

When you install or upgrade vCenter Server, the installer prompts you to change the HTTP port for vCenter Server. Change the vCenter Server HTTP port to a custom value to ensure a successful installation or upgrade.
vCenter Server 6.0 88 TCP vCenter Server Active Directory Server VMware key distribution center port
vCenter Server 6.0 389 TCP/UDP vCenter Server Linked vCenter Servers This port must be open on the local and all remote instances of vCenter Server. This is the LDAP port number for the Directory Services for the vCenter Server group.

If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535.

If this instance is serving as the Microsoft Windows Active Directory, change the port number from 389 to an available port from 1025 through 65535.
vCenter Server 6.0 443 TCP vSphere Web Client vCenter Server The default port that the vCenter Server system uses to listen for connections from the vSphere Web Client. To enable the vCenter Server system to receive data from the vSphere Web Client, open port 443 in the firewall.

The vCenter Server system also uses port 443 to monitor data transfer from SDK clients.

Port 443 is also used for these services:

WS-Management (also requires port 80 to be open)
    Third-party network management client connection to vCenter Server
    Third-party network management clients access to host

vCenter Server 6.0 514 UDP Syslog Collector Syslog Collector vSphere Syslog Collector port for vCenter Server on Windows and vSphere Syslog Service port for vCenter Server Appliance
vCenter Server 6.0 636 TCP Platform Service Controller Management Nodes For vCenter Server Enhanced Linked Mode, this is the SSL port of the local instance. If another service is running on this port, it might be preferable to remove it or change its port to a different port.
You can run the SSL service on any port from 1025through 65535. This port is also used during install to verify SSL certificates.
vCenter Server 6.0 902 TCP/UDP vCenter Server ESXi 6.0/5.x The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902to the vCenter Server system.
This port must not be blocked by firewalls between the server and the hosts or between hosts.

Port 902 must not be blocked between the vSphere Client and the hosts. The vSphere Client uses this port to display virtual machine consoles.
vCenter Server 6.0 10080 TCP vCenter Server Inventory Service vCenter Server vCenter Inventory Service HTTP
vCenter Server 6.0 1514 TCP/UDP Syslog Collector Syslog Collector vSphere Syslog Collector TLS port for vCenter Server on Windows and vSphere Syslog Service TLS port for vCenter Server Appliance
vCenter Server 6.0 2012 TCP vCenter Server (Tomcat Server settings) vCenter Single Sign-On Control interface RPC for vCenter Single Sign-On(SSO).
vCenter Server 6.0 2014 TCP vCenter Server (Tomcat Server settings) vCenter Single Sign-On RPC port for all VMCA (VMware Certificate Authority) APIs.
vCenter Server 6.0 2020 TCP/UDP vCenter Server vCenter Server Authentication framework management
vCenter Server 6.0 6500 TCP/UDP vCenter Server ESXi host ESXi Dump Collector port
vCenter Server 6.0 6501 TCP Auto Deploy service ESXi Host Auto Deploy service
vCenter Server 6.0 6502 TCP Auto Deploy Manager vSphere Client Auto Deploy management
vCenter Server 6.0 7444 TCP

Secure Token Service
vCenter Server 6.0 8009 TCP vCenter Server vCenter Server AJP Port
vCenter Server 6.0 8089 TCP vCenter Server vCenter Server SDK Tunneling Port
vCenter Server 6.0 9443 TCP vSphere Web Client Server vSphere Web Client vSphere Web Client HTTPS
vCenter Server 6.0 11711 TCP vCenter Single Sign-On vCenter Single Sign-On VMware Directory service (vmdir) LDAP
vCenter Server 6.0 11712 TCP vCenter Single Sign-On vCenter Single Sign-On VMware Directory service (vmdir) LDAPS

@zevlag:

Can you perform a packet capture?  If you provide that I would be willing to consider helping.

https://doc.pfsense.org/index.php/Sniffers,_Packet_Capture

Hello. Sorry I didn't get the notification mail about your reply. I have news about that… but not good news.

1.- I tried with different eMail clients (all reports timeouts).
2.- I tried to install pfSense in a Dell DataVault but I continue geting timeouts
3.- I tried two diferents ADSL connetions without success.

Attached the log that you was asking for. The one called "firewall" is with pfSense firewall activated (no way to send mails with attachments). Thank you very much in advance.

firewall.txt
nofirewall.txt

This has been merged to master for 2.4 and 2_3 for 2.3.2. It'll be in the next round of 2.3.2 snapshots. Sorry it took a bit to merge.

I do use Kibana 4, i would upgrade to it.

Do you use syslog? It fist strips the date and time from the rest, changes it to the correct kibana time stamp. Then i filter the filter log and openvpn.
I am working on the 2.3 gateway log. The Filter log you need the patten for and for geo you need the geo datafile

This is My code:

filter { 
#Date time translation
  if [program] == "syslog" {
    grok {
      match => [ "message", "(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.?): (?<msg>.)" ]
    }
    mutate {
      gsub => ["datetime","  "," "]
    }
    date {
      match => [ "datetime", "MMM dd HH:mm:ss" ]
    }
    mutate {
      replace => [ "message", "%{msg}" ]
    }
    mutate {
      remove_field => [ "msg", "datetime" ]
    }
}
#Filterlog
if "filterlog" in [prog] { 
    grok {
      patterns_dir => "/etc/logstash/conf.d/patterns"
      match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
        "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IPv4_SPECIFIC_DATA_ECN}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}" ]
    }
    mutate {
      lowercase => [ 'proto' ]
    }
  }
#OpenVPN
if "openvpn" in [prog] {
  grok {
    match => [ "message", "user '%{WORD:openvpn_user}'" ]
    match => [ "message", "%{WORD:openvpn_user}/%{IP:openvpn_scr_ip}:%{INT:openvpn_scr_port} MULTI_sva: pool returned IPv4=%{IP:openvpn_ip}" ]
  }
  #GEO DATA
    geoip {
    source => "openvpn_scr_ip"
    database => "/etc/logstash/GeoLiteCity.dat"
      }
}
}</msg></prog></datetime>

Thanks all for the replies, i didn't had a chance to use any of the suggested possible solutions yet as i am in the middle of a major problem after having followed a tutorial i found online, so i erased everything already 3 times and keep restarting from scratch…..
As soon as i will be able to assign again a test site the correct address i'll be back.
By the way i am using CentOS 6.8 and i made previous tests with both the firewall on (Selinux) and off, lately i was following a step by step guide to rename the address where my site would appear, but it would just end up on a blank page, the tutorial was even giving slightly different names or wrong folder locations but i managed to find the right paths and still didn't work, i think it's because with any new releases of the software, these developers tends to rename things and put them in different places, which it wouldn't be too bad if at least they would still works when someone manage to find them, but no luck......
https://wiki.bitnami.com/Applications/BitNami_Joomla!https://wiki.bitnami.com/Applications/BitNami_Joomla!/How_to_install_multiple_Joomla!_in_the_same_instance

@Ben.:

Is there an update about the smokeping package?

With pfSense having made some pretty major changes back at version 2.3 - nginx is now used instead of lighttpd, RRD graphing is no longer used due to the amount of prerequisite packages that would increase the distribution size significantly - so if it was being worked on, these two changes alone probably threw a monkey wrench into the works.

IF someone IS working on it, then you might want to contact jdillard about using the D3 graphing engine that is now used for the monitoring graphs, and will also be used for vnstat when it eventually returns as a package.

I don't quite get this (yet) - can you edit your post and clarify? This is what I get from reading your post:

I don't know FortiGate so I don't know what "100 groups" would contain (groups of what?) and why an alias with the same contents isn't doing it for you.

Is the point that you want to directly enter a bunch of hosts rather than name the list of hosts and use that name?  If so, you'll find quite a few people will find a rule that applies to "hosts allowed to ssh" becomes more readable than "a rule applying to john.mydomain, fred.mydomain, jane.mydomain, p1033.mydomain, p1042@mydomain" etc.  Being able to name the list should make it easier. If it isn't, then perhaps explain why?

"Third" and "fifth" column are from a GUI that I can't see. It sounds like basic hover-and-lookup. Post a screenshot of what you want to see.

As for hosts in multiple groups - pfSense has handled nested aliases for a long time. Suppose jane needs to be in 50 groups. You can either add jane's host (say jane.mydomain) to those 50 groups, or you can define an alias for her (Jane's IP = 1.2.3.4) and add that alias to all the groups - when you change "Jane's IP" to 1.2.3.5, all the groups containing it will update as well, you don't have to change them all.  Try it, and ask for help in the "support" forum pages if you can't make it work.

The support for multiple vlans and subnets stinks.  I've tried everything to get it working, its more of a headache then anything.  There was a project a while ago called NSFilter, that was almost perfect (with a few bugs), then that died.  Something like that again would be perfect.