• Browser reports connection to pfsense interface not secure

    3
    0 Votes
    3 Posts
    4k Views
    jimpJ
    And once you're done studying up on that, check out the ACME Package so you can easily get a free trusted certificate for your firewall: https://doc.pfsense.org/index.php/ACME_package
  • Synology VPN with Resilio Sync… mobile peers can't connect to LAN peers

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Quality monitoring on dashboard like traffic graphs?

    2
    0 Votes
    2 Posts
    400 Views
    jimpJ
    Not at the moment.
  • The Stack Clash CVE-2017-1000364

    13
    0 Votes
    13 Posts
    3k Views
    H
    @kpa: @Harvy66: My layman's understanding. It's not an inherent security flaw, it just means one of the anti-exploit defenses does not work as well as expected. It is definitely an inherent security flaw. An unprivileged process should never be able to play games with the system's memory management and trick it into allocating more stack pages from an area of memory that the process already had access to. If the attacker can do that it opens up many opportunities for compromise because the stack contains the return addresses for function calls and if you manage to manipulate those anything is possible. The classic case is the (possibly the world's first such incident) Morris worm: https://en.wikipedia.org/wiki/Morris_worm Yeah, turned out it was something more nefarious. It wasn't just about smashing stacks in an application's own virtual memory, but being able to access kernel memory, allowing for priv esc attack.
  • How can we track exact Youtube visited via LiquidSquid

    1
    0 Votes
    1 Posts
    378 Views
    No one has replied
  • Send post/get on firewall rule match?

    4
    0 Votes
    4 Posts
    1k Views
    W
    I have done the following and it works:
    NAT - Port Forward:
      Interface: the interface the dash buttons are on (wifi-net)
      Protocol: TCP
      Source Address: The IP of the Dash button
      Source Ports: *
      Destination Address: *
      Destination Ports: 443 (as the dash buttons try to establish an SSL connection to Amazon when pressed)
      NAT IP: The IP of the computer on the net which shall receive the info that the dash buttons try to connect to the internet, aka have been pressed
      NAT Ports: 4321 (any one does, no port range needed, as the buttons only try to connect to :443)
      Corresponding Firewall Rule: Pass
    On the NAT IP machine I can receive the connection requests using scapy in Python:
        from scapy.all import IP, sniff

        # Print the source IP of every packet that arrives on the forwarded port
        sniff(filter="tcp and port 4321", store=0,
              prn=lambda pkt: print(pkt[IP].src))
    Every button press generates 5 requests.
    Problem: Scapy uses a lot of resources, will take ~30% CPU on a Raspy B.
    Problem 2: I didn't manage to use the socket module, as the buttons don't really connect, they just send ssl-syn and receive some multiple acks from the nat-ip.
    Here's what Wireshark shows (running on the NAT IP machine; *.127 is the dash button, *.125 is the NAT IP client machine): https://ibb.co/hwwi55
  • Day of week & time of day restrictions per IP/MAC?

    3
    0 Votes
    3 Posts
    578 Views
    M
    @fleece: My son stays up too late gaming.  Could I use pfSense to restrict his Internet access during days of week and time of day, say from midnight to 6AM?  I can give him the same IP address through reserved DHCP or something. Yes. In Services/DHCP server you can give your son a static IP. Then, in Firewall/Schedules you can create a schedule. Then, in Firewall/Alias, you can create aliases with addresses your son is allowed to go to (the gaming, for example). Finally, in Firewall rules, you can: 1. Add the alias to allow him to game; 2. Add, in advanced settings (at the bottom), the schedule which limits the time he can do that. So after that time, he can still google his homework (sorry, I still can't live with that thought, I'm old fashioned, back in my days we had books  :-[ ) but can't game. Or, of course, even beyond that: he can't internet at all. Or, beyond that, with two schedules: Firewall rule 1: he can game until 4 PM with a schedule. Firewall rule 2: he can game from 9 PM-10PM with a schedule.
  • PFS - Bandwidth Usage Logs

    9
    0 Votes
    9 Posts
    1k Views
    A
    I have installed Status_Traffic_Totals too, many months ago, but it always seems to not be collecting data until I go look at it. I've re-installed it, but every time I go back and check it, it's all zeros.
  • SNORT rule does not work!

    3
    0 Votes
    3 Posts
    583 Views
    P
    I just told one example, actually I have this problem with any website, and I don't want to see the content, I just want to block the site.
  • Internet restriction

    5
    0 Votes
    5 Posts
    855 Views
    M
    @ast: Can we use squidguard together with pfblockerng? Of course. pfBlockerNG has many, many, many, blocklists.
  • Transparent bridge between WAN and LAN + DHCP service

    1
    0 Votes
    1 Posts
    282 Views
    No one has replied
  • Packet logger mode of snort, PROBLEM!

    1
    0 Votes
    1 Posts
    428 Views
    No one has replied
  • PfSense firewall unreachable and blocked

    2
    0 Votes
    2 Posts
    440 Views
    H
    Because pfSense saves its logs on RAM, after reboot I cannot see any of the logs from before the reboot, so I don't have any information on what happens when the firewall gets into this state. I didn't set-up a log server because I am not very sure about how fast I will run out of memory. What version are you running? full installs haven't logged to ram for some time now. A remote syslog wouldn't run out of ram … if configged badly, it might run out of diskspace
  • Hardware recommendations for 10GbE Home/Soho network

    8
    0 Votes
    8 Posts
    3k Views
    U
    @johnpoz: get a bigger tube ;) That's the kind of responses I was looking for ;-) What size do you recommend?
  • Need To Update OpenVPN - 4 Security Flaws Found

    2
    0 Votes
    2 Posts
    515 Views
    johnpozJ
    https://forum.pfsense.org/index.php?topic=132534.msg728642#msg728642 I am on 2.4 snapshots and it's running 2.4.3 just fine.
  • TFTP bootfiles

    2
    0 Votes
    2 Posts
    431 Views
    jimpJ
    You could setup an additional pool and then control access using the deny/allow MAC fields.
  • Could I see every virtual servers session when inbound load balance?

    2
    0 Votes
    2 Posts
    374 Views
    jimpJ
    The items on the status screen are all that relayd will show you. Between that and what you can find by filtering under Diag > States you can see what is connected. If you need more detailed information or control over balancing, you should consider moving to HAProxy.
  • Spam and anti-virus filtering of smart host with pfsense

    2
    0 Votes
    2 Posts
    782 Views
    jimpJ
    There isn't anything on pfSense for that. pfSense isn't a mail server, it's a firewall. You need a mail server filtering appliance type distro to sit in front of your existing mail server.
  • Site to site VPN, the pfsense behind NAT can only work with responder

    1
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • Does pfsense support /31 bit mask?

    7
    0 Votes
    7 Posts
    2k Views
    C
    Me too.  I just learned about it recently.  I thought I might try it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.