I would also very much like to use SNORT to block P2P traffic.  SNORT does an excellent job of detecting P2P no mater what port is being used.  I have SNORT running on the WAN interface set to block any one who generates a snort aleart.  However with P2P traffic it is always my own public IP that is detected as "generating" the alert.  Since my own IP is in the whitelist all that is acomplished is that I am alearted to the use of the programs.  I would run SNORT on the LAN side but I have about 25 other smaller firewalls behind PFsense with each of them connecting 5-20 individual clients. So if I blocked any one ip on my LAN interface I will cut off internet to several people. If it were possible to run SNORT on the WAN interface and set it to block BOTH ip addressees associated with a SNORT alert.  I believe that this would solve my problem and effectively stop the P2P. (And help keep my little wisp from getting sued by the RIAA)  ;)

(1) when using an incoming ftp server you would be best to disable the ftp helper on the interface in question.
(2) pure ftpd can use passive ftp where you set a port range 3000-3500 and you forward those ports along with port 21 on to the server.
(3) most ftp servers allow you to work with nat by allowing a field to enter the public ip address in the ftp server startup script to allow for better translation.
(4) first thing to do is get your ftp server working correctly without nat then add the nat specific stuff into ftp server configuration and firewall after the thing is working.

good luck

its nothing fancy.. just some oldass compaq deskpro i picked up for like $50. no raid or anything like that.. i'll check what kind of motherboard/NIC its got.. thanks

If the squid package supports AUTH then require people to authenticate to the proxy.  That'll make it fairly trivial to track who visited where (assuming you enable logging of the authenticated user).

This may break some things that perform web updates, so you may have to spend some time adding ACL rules that'll bypass the auth for certain destinations.

The shellcmd options in the config.xml get backed up with the config.xml. I prefer this attempt as it lets you easier restore a system.

Wow, this is great info to know about FiOS.  I had no idea!  :o

In my area of the Left Coast, we don't have Verizon FiOS, but we have Paxio FTTH (fiber to the home).  I opted for the 100M/100M service, although less expensive plans are available (http://www.paxio.com).  My biggest problem has been building a router that will support the full bandwidth of the connection!  Right now I'm on a mini-ITX platform with an Intel dual-NIC card and it's doing pretty well:

I don't think that this will work at all. From what the tech's have told me, and what I've read about the MoCA technology is that it uses unprovisioned bandwidth from the ONT using the MoCA protocol in order to provide video services to your motorola boxes. Otherwise, you'd be sharing your 5 mbit or 15 mbit or 30 mbit connection with 2-10 mbit of video, and that wouldn't work very well at ALL.

As far as I know the only way to get verizon FiOS TV is through the MoCA trash Actiontec. There's a reason I had them install via ethernet, and why I still have DirecTV HD. I pole-mounted a DirecTV slimline 5 LNB dish outside my house so if at some point in the future verizon decides to get rid of the crappy MoCA actiontec non-sense I can switch over. But until they do, the actiontec router is a deal breaker. I refuse to use it, it's just plain crappy in 500 different ways. It locks up, has a small state table, is slow, and unreliable.

Besides, DirecTV has more HD's anyways, and is about to pwn't the HD cable/sat industry once their next 2 birds go live. (excuse the shameless plug)

I'm currently running with a cisco router for my house internet, but trying to get pfSense to work. Apparently the DHCP client portion of pfSense is either currently broken, or the mac address cloning in combination with DHCP doesn't work.

Thanks, i'll try that.

At firewall>lan create a rule like this:

pass, protocol tcp, source lan subnet, destination any, port 25, logging checked, gateway default.

Make sure this rule applies before other rules allowing port 25 out like the default lan to any rule. You'll now see green pass icons in your systemlogs at status>systemlogs, firewall tab. If you want to see more than only the last few items set up a remote syslogserver so you can browse through the past few days/weeks or whatever is needed.

here is the EXACT arp statement as it is on the existing router, this is what i need to put into pfsense to replace that existing router.
–--------------------------------
IP Address/Bitmask
A.A.A.A/32

On Interface
LAN

Proxy on Interface
WAN

On the existing router there is no mention whatsoever of either A.A.A.A or B.B.B.B in the NAT area. I hope this helps clear things up, and thank you so much for your help so far.

I also noticed that /etc/rc.d/ntpd start | stop | restart | status | poll – none of the options, do anything.  I haven't looked much at it either, but again, probably my lack of understanding here.  Just seems to work a lot differently then I would expect.

Thanks, again, for any insight!

@hoba:

Afaik it's hardcoded in the slbd binary and therefor not that easily configurable but I might be wrong here.

You are absolutely correct.

what a gold nugget!  This kind of command is why I keep reading the forums.  I wish I knew about this sooner!

Any ideas why or how?

OK thanks will try this and report back.  I'm aware of the spam danger.

As of the keyboard mapping, doesn't it exist any solution for this with pfsense?  I thought that such stuff was kind of basic….?

/hank

Well, I guess if they way I said it make too hard to understand, i'll try to simplify it.

In essence, How can I add/enable tunl0 interface for ipip support on pfsense ( as it's a FreeBSD system and I
have no knowledge of it. though I know it's UNIX-like OS ).

for example : i could not just add this "ifconfig tun0 create" on pfsense console terminal, can I ?
WebGUI doesn't really help in solving what I want.

Thanks,

:D