You can disable the console menu on the advanced page. You can't require a login at this time.

Anyone that has physical access to your firewall can bypass even disabling the console menu (by removing hardware if nothing else), physical access is game over. Your firewall has to be in a secure physical environment to be secure.

Any HIDS on a firewall isn't going to be as useful as HIDS on actual accessible systems (like servers). Network IDS/IPS is much more important and relevant on a firewall. We may add some sort of HIDS package in the (maybe distant) future though.

@StefanS:

That may probably be correct in principle in such a way, however already differently saw.
We have at present a 2Mbit synchron connection, here had i already DoS.
From 2008 we will have 8Mibt synchron and i think that becomes with DoS not better.

It's the same whether you have 2 Mb or 8 Mb or 50 Mb. Every script kiddie on earth has enough bots under their control to DoS a connection of 50 Mb or less off of the Internet. Many have enough to DoS a 1 Gb connection or more.

In this type of scenario, your firewall, no matter what it is, can't help you. Your pipe coming from your ISP is overloaded, it doesn't matter what you do with the traffic once it gets to your end of the pipe, your connection is useless. Your ISP has to handle DoS attacks on their side of your connection so your connection isn't overloaded with the DoS traffic. There isn't anything you can do about it on your end, it's too late at that point.

Re: CA management, yes, eventually, though no work is currently happening in this area. If you start a bounty, it may get done faster.

Re: shaping with VPN, not possible at this time, but some changes are in the works that may allow this in a future release.

Re: mobile user, not sure on that one.

You should try upgrading
http://pfsense.basis06.com/download//updates/pfSense-Full-Update-1.2-BETA-1.tgz

if you disable the shaper, you may see the problem disappear, let us know.

Any memory or CPU bottleneck ?

Where do you live, maybe you can get some local language support.

If you bridge the interface, it won't get NAT'ed.

Or if you just want to route, enable Advanced Outbound NAT with no NAT rules.

What heiko suggested is a bit extreme unless you don't want to do any filtering whatsoever.

/usr/local/etc/rc.d/

Ok, i solved the problem …

I had to define another alias for a single port-RANGE.

Mixed, eg. Ports: 5001,5002,5010:5100 does not work !
for the Range i must define a new alias

Anyway thanks for your help !

MBChris
(Marking thread as solved)

OK.  Thanks.  :)

You cannot.  It is built into the kernel that we build.

The active / passive mode has to be set up in your ftp-server…

Upgrade to recent snapshot.

Just downloaded a new snapshot tonight and it appears to work now on my embedded platform.. Thanks!

@firestar:

I've updated the firmware of the testbox to:

1.2-BETA-1-TESTING-SNAPSHOT-05-11-2007
built on Mon May 14 11:30:09 EDT 2007

I noticed these lines in the System logs-OpenVPN:

openvpn[304]: Use --help for more information. openvpn[304]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:14: remote (2.0.6) openvpn[300]: Use --help for more information. openvpn[300]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:14: lport (2.0.6)

I never used or configured VPN/OpenVPN and in the other pfSense machine running the stable 1.0.1 version, the system log is obviously blank. Maybe a bug in snapshots?

This was a previous bug that has been fixed but the only way to fix it is to remove the blank entries from config.xml.

To do this enter the pfSense PHP shell and run these commands:

unset($config['installedpackages']["openvpnserver"]['config']);
unset($config['installedpackages']["openvpnclient"]['config']);
write_config();
exit

Thank you! That's very helpfully !!

Leander

@ugur:

rrd graphs stopped after 2 weeks

(1.0.1-SNAPSHOT-03-27-2007 built on Wed Mar 28 06:42:17 EDT 2007)

re-run possible without restart?

(hd have enough capacity)

resolved after search forum, thnx.

my Hardware is about an Intel III with 350 MHz and 368MB MB RAM installed on a CF card with 256 MB 50% space left. 10 MB swap wich was never ever used by pfsense.

Leander

I need also access to LAN - this very impotant
Thanks for answer's - i found man FreeBSD about this theme.