  • Captive Portal not working even if ip fastforwarding=1

    4 Posts, 1k Views

    Try without squid.

  • Is it valid to leave "Latency thresholds" blank when defining gateways?

    3 Posts, 2k Views

    That's fine, empty always means defaults as Steve noted. If a field is required, we force you to fill it in; it'll kick back an input error if you leave a field that must be filled in blank.

  • Check_reload_status: Reloading filter - timestamp jumping around ???

    5 Posts, 3k Views, last post by luckman212

    Yep, that seems to have done the trick for the strange timestamps ;)
    cheers

  • Notifications: TLS Standard vs. Wrapper Mode

    1 Post, 2k Views, no replies

  • VOIP incoming calls problem

    4 Posts, 2k Views

    I am using both manual outbound NAT, but my optimization is set to normal. I am running Cisco phones. I have heard that Polycom phones are more forgiving.

  • SSH - to multiple devices help required

    7 Posts, 4k Views, last post by stephenw10

    @robpal:

    As a test I ssh'd into my pfSense with PuTTY and a key as usual, and then from there pressed F8 for a shell and ssh'd into my Linux box - though maybe key auth for this one is overkill at the mo, seeing as you need to get into my pfSense with a key to access the Linux box in the 1st place??

    Not sure if that's a question but I would agree, no point in having key authentication on the second stage. In fact it's better not to do that. If someone cracks the key on your ssh session to your pfSense box they would then have the key for your Linux box since it would have to be stored on the pfSense box unless you copied it across every time.

    The advantage of using an ssh tunnel or just nested ssh sessions is that ssh is pretty much omnipresent in the unix world so it requires almost no setup.
    I haven't really researched it in security terms but as far as I know SSH with key-based authentication is considered secure. As secure as a VPN? Depends on the VPN encryption used. I'm open to opinions.

    Steve

  • Bandwidthd out of inodes / Unable to administer router

    6 Posts, 2k Views

    Out of inodes means either that something (it would have to be a package) has gone wild and created a huge number of small files (usually you run out of disk space before you run out of inodes, unless there is a huge number of small files). The other alternative is what Jim mentioned: a failing HD or CF will at times cause out-of-inodes messages rather than the more common read and/or write errors.

  • Strange arp moved messages

    1 Post, 1k Views, no replies

  • ^@ in log files

    3 Posts

  • MOVED: Squid3 & Squidguard

    1 Post, 855 Views, no replies

  • Changed LAN subnet - No routing

    6 Posts, 2k Views

    Thanks!
    You saved my day.

    I forgot I had it set to Manual and the source was still the old LAN subnet.
    Works like a charm now.

    /Nicklas

  • Pfsense-Freeradius authentication to Active Directory

    3 Posts, 14k Views

    You can add "DEFAULT Auth-Type: = Reject" with the GUI:

    You just create a new entry on "Users" and put this in the correct custom-options box.

    In pfSense 2.1 - when it is done and the freeradius2 package is ready for pfSense 2.1 - you will be able to easily move entries in "Users" using the GUI.

  • Nmap basics

    3 Posts, 3k Views

    @cmb:

    Depends on what kind of scan you're doing. Things that use valid connections (ping scans, SYN scans) will work fine. Things that use scans that abuse TCP by setting flags that aren't valid will be blocked, legit TCP is enforced as with any worthwhile firewall. Just can't use many types of scans if you're behind or on a system with a firewall enabled.

    ^What he said.

    I've got the pf firewall installed on my FreeBSD machines and use nmap to scan them.

    It reports some packets being blocked and the firewall as not responding to ping, but if I set the -Pn flag it will continue the scan and show 1000 ports filtered.

    sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.1.151, 16) => Operation not permitted
    Offending packet: TCP 192.168.1.150:?? > 192.168.1.151:?? ?? ttl=59 id=55250 iplen=15360 frag offset=512 (incomplete)
    sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.1.151, 16) => Operation not permitted
    Offending packet: TCP 192.168.1.150:48429 > 192.168.1.151:33217 FPU ttl=47 id=42102 iplen=15360 seq=1288232717 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackok>
    +snip+
    Completed NSE at 02:09, 10.00s elapsed
    Nmap scan report for 192.168.1.151
    Host is up.
    All 1000 scanned ports on 192.168.1.151 are filtered
    Too many fingerprints match this host to give specific OS details

  • IPMI access over pfsense OpenVPN?

    28 Posts, 10k Views, last post by jimp

    @vassilis:

    @jimp:

    That depends on whether or not the IPMI is actually respecting its default gateway, but if it is a shared NIC you may be right, it may just not be picking up the packets as they leave, and no amount of trickery on the firewall can help it. You might need to set up a simple bounce daemon on an internal server to reflect the IPMI port back, then connect from the VPN to that port on the internal server.

    That's exactly what I suspect as well.

    About not respecting the default gateway: does it not show that it's working when I can access the IPMI interface over a site-to-site VPN when the IPMI is not on the firewall itself but on a server within that network?

    Yes if you can access it from another subnet, then it is probably using the gateway properly.

  • Access FTP server via wan

    4 Posts, 3k Views, last post by johnpoz

    I have to assume he got it working from a port forward aspect at least?

    Connected to 41.204.105.165.
    220 Welcome to the OpenDreambox FTP service.

    Or maybe his IP address changed and this is someone else that has ftp open? ;)

  • Burst with limiter ?

    5 Posts, 2k Views

    On a forum,
    http://freebsd.1045724.n5.nabble.com/Dummynet-and-bursting-td5669253.html

    it is written:

    This is the literal executed command:

    /sbin/ipfw pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s burst 500000 queue 500Kbytes

    The output from ipfw pipe show:

    20010: 1049 Mbit/s 0 ms burst 500000
    q151082 500 KB 0 flows (1 buckets) sched 85546 weight 0 lmax 0 pri 0 droptail
     sched 85546 type FIFO flags 0x0 0 buckets 1 active
      0 ip 0.0.0.0/0 0.0.0.0/0 45 2832 0 0 0

    But when tested in pfSense it is not running.

  • Is it safe to assume that config files work with all 2.x versions?

    3 Posts, 1k Views

    Thanks for clarification cmb. This is a REALLY good practice.

  • List all firewall rules

    4 Posts, 2k Views, last post by jimp

    #!/usr/local/bin/php -q
    <?php
    /* Load the pfSense configuration and walk the firewall rule list. */
    require_once('config.inc');
    global $config;
    $a_filter = &$config['filter']['rule'];
    for ($i = 0; $i < count($a_filter); $i++) {
        printf("num:%d", $i);
    }
    ?>

    : ./test.php
    num:0num:1num:2num:3num:4num:5num:6num:7num:8

  • Help Needed with Errors

    6 Posts, 2k Views, last post by jimp

    Does your LOCALNET interface actually have an IP address?

  • MOVED: Re: WAN DHCP Problem

    1 Post, 784 Views, no replies

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.