• MOVED: Wireless Adapter

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OCSInventory + make

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N

    I found that the developer version is 1.2-BETA-1.iso.gz.
    Is it this one that I should use?

    Thank you.

  • BitTorrent Tracker DDoS?

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    D

    The administrator of ma.cx has disabled ezard.ma.cx for now.

    [1] Advanced Options
    [2] State Type

    You can use these to help guard against DOS attacks

    Yeah, it looks like that would help… but it could be a bit cumbersome if you were trying to make a firewall more resistant to attacks on all ports and destinations. I'd have to think about a good way to handle some sort of global settings.

    What I did find helpful was increasing the number of states the firewall could track. I bumped it up from 10k to 40k and then 64k. The higher the setting, the more responsive the firewall itself remained while under attack and with the state tracking table full.

    I was watching memory consumption (the ALIX box has 256MB total) and total free memory didn't seem to change much even when tracking 64k connections. In the past I've seen reports of anywhere from 3k to 1k of memory used by each connection tracked. Anyone know if these are still correct?

  • MOVED: Content Filtering while bridged

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Network interface mismatch when using lagg int.

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    ?

    LAGG isn't supported under pfSense 1.2, regardless of the version of the underlying FreeBSD. If you try to make this work, you are on your own.

  • No Firewall logging

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    B

    Ok it will log the extended information, but when I deselect that option it leaves the firewall log empty.

    I tried /etc/rc.d/syslogd stop / start

    No effect.

  • Does sshlockout_pf actually work?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Defunct processes

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H

    I don't see that on any of my systems though I'm using pppoe and pptp on almost all of them as well.

    processes.png

  • I'm pulling my hair out!!!

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    N

    WOOOOOOHOOOOOOO!!!!!!!!!!!!!!!!!!!!!!!

    WORKED LIKE A DREAM!!!
    WORKS GREAT!

    THANK YOU!

  • Filter Reload loop

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H

    Make sure only the master has an IP set in the CARP sync settings to sync to. The slave should not sync the config back to the master, as this will start a ping-pong game followed by a filter reload as the config might have changed.

  • 0 Votes
    16 Posts
    9k Views
    H

    I never thought it was a good idea from Microsoft to set such a low limit  :P

  • SNMP

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H

    Just in case someone is searching for something similar for OS X: http://www.memention.com/airportflow/
    Works with pfSense as well, as it just uses SNMP.

  • LAN/WAN Connection degrades over time.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H

    Make sure your hosts are really doing nothing. This somehow sounds like one of your hosts is a bot starting to cause massive packet load. View pftop from the console of the pfSense when that happens again to see what's going on on your network.

  • Date and Time Change - Captive Portal Expiration

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    L

    Ah the troubleshooting skills of a pfSense Hero, thanks a lot man that will work great!

    josh

  • CALEA backdoor?

    Locked
    13
    0 Votes
    13 Posts
    5k Views
    S

    LMAO – Alex Jones is going to make you go mental.

  • Is pfsense for me?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H

    This should be doable using "proxyARP" virtual IPs then, maybe even type "other". Just test it using the live cd. You don't have to install anything for evaluation purpose.

  • MOVED: possibility to send message to a user

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Adduser?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N

    pw username

  • Moving from Smoothwall

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    M

    Aha, worked it out. Said no to the VLAN and continued with the same settings. I can now access the web interface. Thanks GruensFroeschli  ;D

  • Log file question

    Locked
    12
    0 Votes
    12 Posts
    25k Views
    M

    Hi Hoba!

    I haven't solved anything, just modified my pfSense box to do what I need…
    I have understood why the logs are in RAM and why clog generates circular log files.

    This is the start of my work... in a 1.2 RC2 release.
    Suggestions are welcome!

    Do not try it if you do not have enough space on your HDD!

    1. Install ssmtp:

    #setenv PACKAGESITE ftp://ftp4.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/
    #pkg_add -r redir

    #pkg_add -r ssmtp

    2. Rename the conf file /usr/local/etc/ssmtp.conf.sample to ssmtp.conf.
    Modify this file (give your SMTP server parameters).

    This is my ssmtp.conf file:

    # /etc/ssmtp.conf -- a config file for sSMTP sendmail.
    #
    # The person who gets all mail for userids < 1000
    # Make this empty to disable rewriting.
    root=

    # The place where the mail goes. The actual machine name is required
    # no MX records are consulted. Commonly mailhosts are named mail.domain.com
    # The example will fit if you are in domain.com and your mailhub is so named.
    # Example for SMTP port number 2525
    # mailhub=mail.your.domain:2525
    # Example for SMTP port number 25 (Standard/RFC)
    mailhub=smtp.wanadoo.fr:25
    # Example for SSL encrypted connection
    # mailhub=mail.your.domain:465

    # Where will the mail seem to come from?
    #rewriteDomain=

    # The full hostname
    #hostname=

    # Set this to never rewrite the "From:" line (unless not given) and to
    # use that address in the "from line" of the envelope.
    FromLineOverride=YES

    # Use SSL/TLS to send secure messages to server.
    #UseTLS=YES

    # Use SSL/TLS certificate to authenticate against smtp host.
    #UseTLSCert=YES

    # Use this RSA certificate.
    #TLSCert=/usr/local/etc/ssmtp/ssmtp.pem

    I've just modified mailhub= and uncommented FromLineOverride=YES.

    3. Install syslog-ng:
    #pkg_add -r syslog-ng

    4. Edit /usr/local/etc/syslog-ng/syslog-ng.conf (read the doc before).
    This is my conf, not finished; I catch all logs into the messages log.
    This is just an example... This sample configuration file is essentially equivalent to the stock FreeBSD /etc/syslog.conf file.

    options { long_hostnames(off); sync(0); };

    # sources

    source src { unix-dgram("/var/run/log");
                unix-dgram("/var/run/logpriv" perm(0600));
        udp(); internal(); file("/dev/klog"); };

    # destinations

    destination firewall { file("/log/$DAY$MONTH$YEAR/filter.log"
      create_dirs(yes)); };
    destination vpn { file("/log/$DAY$MONTH$YEAR/vpn.log"
      create_dirs(yes)); };
    destination portalauth { file("/log/$DAY$MONTH$YEAR/portalauth.log"
      create_dirs(yes)); };
    destination dhcp { file("/log/$DAY$MONTH$YEAR/dhcpd.log"
      create_dirs(yes)); };
    destination messages { file("/log/$DAY$MONTH$YEAR/messages.log"
      create_dirs(yes)); };
    destination cron { file("/log/$DAY$MONTH$YEAR/cron.log"
      create_dirs(yes)); };
    destination auth { file("/log/$DAY$MONTH$YEAR/auth.log"
      create_dirs(yes)); };
    destination sshlockout { program("/usr/local/sbin/sshlockout_pf"); };

    destination ntpd { file("/log/$DAY$MONTH$YEAR/ntpd.log"
      create_dirs(yes)); };
    destination ipsec { file("/log/$DAY$MONTH$YEAR/ipsec.log"
      create_dirs(yes)); };
    destination openvpn { file("/log/$DAY$MONTH$YEAR/openvpn.log"
      create_dirs(yes)); };

    # Define filters
    # Level Filters

    filter f_emerg { level (emerg); };
    filter f_alert { level (alert .. emerg); };
    filter f_crit { level (crit .. emerg); };
    filter f_err { level (err .. emerg); };
    filter f_warning { level (warning .. emerg); };
    filter f_notice { level (notice .. emerg); };

    # Facility Filters

    filter f_auth { facility(auth, authpriv); };
    filter f_authpriv { facility(authpriv); };
    filter f_syslog { facility (syslog); };
    filter f_cron { facility (cron); };
    #filter f_local0 { facility (local0); };
    filter f_local1 { facility (local1); };
    filter f_local2 { facility (local2); };
    filter f_local3 { facility (local3); };
    filter f_local4 { facility (local4); };
    filter f_local5 { facility (local5); };
    filter f_local6 { facility (local6); };
    filter f_local7 { facility (local7); };
    filter ntp   {program (ntpd); };
    filter f_racoon   {program (racoon); };
    filter f_openvpn   {program (openvpn); };
    #filter f_firewall-drop { facility (local0) and match("drop"); };
    filter f_firewall-pass { facility (local0) and match("pass"); };

    #log { source(src); filter(f_local0); destination(firewall); };
    log { source(src); filter(f_firewall-pass); destination(firewall); };
    log { source(src); filter(f_local3); destination(vpn); };
    log { source(src); filter(f_local4); destination(portalauth); };
    log { source(src); filter(f_local7); destination(dhcp); };
    #log { source(src); filter(f_cron); destination(cron); };
    log { source(src); filter(f_auth); destination(auth); };
    log { source(src); filter(f_auth); destination(sshlockout); };
    log { source(src); filter(ntp); destination(ntpd); };
    log { source(src); filter(f_racoon); destination(ipsec); };
    log { source(src); filter(f_openvpn); destination(openvpn); };
    log { source(src); destination(messages); };

    5. Modify the /etc/rc file and comment out the creation of the clog files
    (or better, test if syslog-ng exists and do a then/else):

    # generate circular logfiles
    #if [ ! "$PLATFORM" = "cdrom" ]; then
    #    clog -i -s 512144 /var/log/system.log
    #    clog -i -s 512144 /var/log/filter.log
    #    clog -i -s 65535 /var/log/dhcpd.log
    #    clog -i -s 65535 /var/log/vpn.log
    #    clog -i -s 65535 /var/log/openvpn.log
    #    clog -i -s 65535 /var/log/portalauth.log
    #    clog -i -s 65535 /var/log/ipsec.log
    #    clog -i -s 65535 /var/log/slbd.log
    #    clog -i -s 65535 /var/log/lighttpd.log
    #    clog -i -s 65535 /var/log/ntpd.log
    #else
    #    clog -i -s 65535 /var/log/system.log
    #    clog -i -s 65535 /var/log/filter.log
    #    clog -i -s 65535 /var/log/dhcpd.log
    #    clog -i -s 65535 /var/log/vpn.log
    #    clog -i -s 65535 /var/log/openvpn.log
    #    clog -i -s 65535 /var/log/portalauth.log
    #    clog -i -s 65535 /var/log/ipsec.log
    #    clog -i -s 65535 /var/log/slbd.log
    #    clog -i -s 65535 /var/log/ntpd.log
    #fi

    # change permissions on newly created clog files.
    #chmod 0600 /var/log/system.log /var/log/filter.log /var/log/dhcpd.log /var/log/vpn.log /var/log/portalauth.log /var/log/slbd.log

    6. Start syslog-ng (you can insert it before the cron start):

    echo -n "Starting Syslog-ng... "
    /usr/local/sbin/syslog-ng
    echo "done."

    7. Modify /etc/rc.bootup and comment out the original syslog start:
    /* start syslogd */
    /* system_syslogd_start(); */

    8. Stop syslogd and start syslog-ng to test if all is OK.

    9. Reboot.

    At this time you have syslog-ng working on your system, and you can send mail.

    You can make your own script to send the logs by mail and rotate the log files...

    I've made a little script for myself that sends the log by mail and deletes the directory older than one year...

    #!/bin/sh
    # Requires ssmtp & syslog-ng

    # log path (syslog-ng writes one directory per day under /log, see the conf above)
    logroot=/log
    path=$logroot/$(date '+%d%m%Y')

    # date variables
    jour=$(date '+%d%m')
    annee=$(date '+%Y')
    anterieur=$(($annee-1))

    # e-mail variables (send the mail: email=oui or non)
    email=oui
    expediteur=xxx@wanadoo.fr
    destinataire=xxx@mkws.net
    sujet="Log Wifi du $jour$annee"

    # Generate the header (for ssmtp), insert it into the log file, and send the mail
    rapport=$path/$jour$annee.log
    if grep -aq logportalauth "$path/portalauth.log"; then
        echo -e "From:$expediteur\nTo:$destinataire\nSubject:$sujet\n" > "$rapport"
        echo -e "\nPortail Captif:" >> "$rapport"
        grep -a logportalauth "$path/portalauth.log" >> "$rapport"
        echo -e "\nServeur Dhcp:" >> "$rapport"
        grep -a DHCPACK "$path/dhcpd.log" >> "$rapport"
        echo -e "\nPare-feu:" >> "$rapport"
        grep -a rule "$path/filter.log" >> "$rapport"
    else
        echo -e "From:$expediteur\nTo:$destinataire\nSubject:$sujet\n" > "$rapport"
        echo -e "\nPortail Captif:" >> "$rapport"
        echo "Pas de connexion au portail captif aujourd'hui!" >> "$rapport"
    fi

    case $email in
    oui)
        /usr/local/sbin/ssmtp "$destinataire" < "$rapport";;
    non)
        ;;
    esac

    # Check whether the directory for the same day of the previous year exists and delete it
    # (it lives directly under $logroot, not inside today's directory)
    [ -d "$logroot/$jour$anterieur" ] && rm -Rf "$logroot/$jour$anterieur"

    ---------------------------------------------------------------------------------------------------
    Marc
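
    Generalising the mail-the-logs script above, as an added example that is not code from the original post: the digest is built for any day directory syslog-ng created, each section carries its match count, the exit status says whether any captive-portal logins were found, and pruning goes by directory age instead of the same date one year ago. The addresses are placeholders and the grep patterns are the ones the post's script uses; pfSense log line formats are not assumed beyond those patterns.

```shell
#!/bin/sh
# Added example (not from the original post): a parameterised take on the
# daily-digest script above. build_digest LOGROOT DDMMYYYY writes
# LOGROOT/DDMMYYYY/digest.log with the From/To/Subject header ssmtp reads
# from stdin and returns 0 only if captive-portal logins were found, so a
# cron job can decide whether to mail it. prune_old LOGROOT DAYS removes
# day directories untouched for more than DAYS days, replacing the
# "same day last year" check. Addresses are placeholders; the grep patterns
# are the ones the original script uses.

SENDER="${SENDER:-pfsense@example.invalid}"       # placeholder address
RECIPIENT="${RECIPIENT:-admin@example.invalid}"   # placeholder address

# section FILE PATTERN TITLE: print a titled section with its match count
# followed by the matching lines; returns 0 when at least one line matched.
section() {
    file=$1; pat=$2; title=$3
    # grep -c exits 1 when nothing matches and the file may be absent,
    # so fall back to a count of 0 instead of tripping set -e
    n=$( [ -f "$file" ] && grep -ac -- "$pat" "$file" ) || n=0
    printf '\n%s (%s):\n' "$title" "${n:-0}"
    if [ "${n:-0}" -gt 0 ]; then
        grep -a -- "$pat" "$file"
        return 0
    fi
    printf '(no matching entries)\n'
    return 1
}

build_digest() {
    dir="$1/$2"; out="$dir/digest.log"
    [ -d "$dir" ] || return 2
    printf 'From:%s\nTo:%s\nSubject:Log Wifi du %s\n\n' "$SENDER" "$RECIPIENT" "$2" > "$out"
    found=1
    section "$dir/portalauth.log" logportalauth "Portail Captif" >> "$out" && found=0
    section "$dir/dhcpd.log" DHCPACK "Serveur Dhcp" >> "$out" || :
    section "$dir/filter.log" rule "Pare-feu" >> "$out" || :
    return "$found"
}

# Only DDMMYYYY-style directories directly under LOGROOT are candidates and
# find hands rm just those paths, so a stray LOGROOT cannot widen the rm.
prune_old() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '[0-9]*' \
        -mtime "+$2" -exec rm -rf {} +
}

# From cron, e.g. daily at 23:55 (ssmtp reads the headers from the file):
#   build_digest /log "$(date +%d%m%Y)" && /usr/local/sbin/ssmtp "$RECIPIENT" < "/log/$(date +%d%m%Y)/digest.log"
#   prune_old /log 365
```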

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.