• Transparent Firewall or isolate pfsense from internet

    0 Votes, 9 Posts, 2k Views
    @hakkatil: I guess I did not make myself clear. What I am trying to say is make all the ports invisible on the WAN interface not on the webserver or any other device behind the firewall. If someone scans my public IP address, they won't be able to see any ports open. Just I need to know if this is even possible. I am pretty sure that all the ports were not seen (may be open in pfsense) by outsiders but the webserver was still accessible when I use the pfsense 1.x. At least what grc.com showed all of the ports were stealth. Thank you

    Unless your WAN IP is different for your web server, there is no way to both make port 80 invisible to a scan and allow HTTP to work. Now if you had one IP for your firewall and one IP for your web server, you could have your firewall be all stealth and your web server would show up on a port scan as having port 80 open. What it comes down to is, whatever public IP address your web server is using, you will see port 80 opened, unless you block it, which will make HTTP not work.
  • 0 Votes, 3 Posts, 784 Views
    Wonderful. That'll do it for me. Thank you for this good news vindenesen and taking time to explain it. Nice one.
  • Ldap config

    0 Votes, 2 Posts, 989 Views
    perhaps CN=Users,DC=latticee,dc=com instead of OU=Users,DC=latticee,dc=com but that's definitely the wrong section for your request. (no bounty :) )
  • Recent Posts

    0 Votes, 4 Posts, 1k Views
    jimp
    I use https://forum.pfsense.org/index.php?action=unread;all;start=0 when I read. (woo, 15,000th post!)
  • High CPU utilization IPFW w/o captive portal

    0 Votes, 4 Posts, 1k Views
    Upgrade.
  • Transparent firewall. Bridge? ProxyARP? Something else?

    0 Votes, 9 Posts, 3k Views
    @cmb: On rare occasions I've seen a host that wouldn't enable those settings properly until a host reboot, usually turning it off and back on suffices. How right you were. Both the servers I have tried this on have the exact same patch level of ESXi. One is a Proliant DL380G6, the other a SuperMicro whitebox. The Proliant had no problem enabling promisc just by changing the setting. But the SM (which was the one I ran on primarily) did in fact require a reboot.
  • Limiting bandwidth dynamically per user/device

    0 Votes, 3 Posts, 896 Views
    The better option is limiters if you are OK with giving them a fixed pipe.  There is a burst option in there for allowing people to exceed that limit for a short amount of time. https://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter To limit each device to a specific amount of bandwidth you'll need two limiters, one for download and one for upload.  When setting up the limiters, the download one should be set to "Destination addresses" and the upload one set to "Source addresses" in the "Mask" setting.  You'd then apply those limiters to your pass rule on the LAN firewall rules.
  • Karma

    0 Votes, 10 Posts, 2k Views
    stephenw10
    Glad to see you have the top man on the case.  ;) Steve
  • Anyone know how to contact Electric Sheep Fencing?

    0 Votes, 5 Posts, 1k Views
    hey there, I contacted them about 2 weeks ago, they replied pretty fast so yours might be lost in the spam filter..?
  • PfSense: http/https Filtering + Port Forwarding + Bridge + Captive Portal

    0 Votes, 3 Posts, 1k Views
    @smildev: Hi, http/https filtering: http://www.youtube.com/watch?v=C1jNEC8QmL4 Port Forward: very easy, menu -  firewall > NAT > first tab Port Forward

    Hi, I can't seem to find how to do captive portal and at the same time configure the WAN-LAN to be under bridge/transparent mode…. the video only shows the proxy aspect, which I was able to follow.
  • [2.1] ICMPv6 firewall logs

    0 Votes, 12 Posts, 4k Views
    With the latest releases of pfsense (2.1.1 and 2.1.2)… When 'Allow ipv6' is unchecked there is an implicit QUICK rule that goes before any floating rules that blocks ipv6.  If 'Log packets blocked by the default rule' is also checked then those block rules will also log the ipv6 packets.  No floating rule with ipv6 will change that behavior because floating rules come after the implicit.  I don't know why you are not seeing the same behavior if 'Allow ipv6' is unchecked.

    ```php
    // "Log packets blocked by the default rule" toggles the pf "log" keyword
    if (!isset($config['syslog']['nologdefaultblock']))
        $log = "log";
    else
        $log = "";

    // With "Allow IPv6" unchecked, emit quick block rules ahead of all user rules
    if (!isset($config['system']['ipv6allow'])) {
        $ipfrules .= "# Block all IPv6\n";
        $ipfrules .= "block in {$log} quick inet6 all label \"Block all IPv6\"\n";
        $ipfrules .= "block out {$log} quick inet6 all label \"Block all IPv6\"\n";
    }
    ```

    If default logging of blocked packets is enabled and 'Allow IPv6' is unchecked the following rules will be inserted before any user configurable rules…

    ```
    # Block all IPv6
    block in log quick inet6 all label "Block all IPv6"
    block out log quick inet6 all label "Block all IPv6"
    ```

    This comes before any user rules (floating or otherwise) so no user rules should be able to change the logging when both of those conditions are met ('Log packets blocked by the default rule' checked and 'Allow IPv6' unchecked).  If 'Log packets blocked by the default rule' is not checked then all ipv6 packets would be blocked without logging.  You could not add any floating rule that would change the implicit QUICK behavior rules.
  • FYI

    0 Votes, 4 Posts, 1k Views
    stephenw10
    Loved the slides. That guy knows how to make a technical presentation entertaining.  :) Worrying though. Obviously not that worrying for me. Steve
  • 2.1.1/2.1.2 - Unable to connect LAN from power off without firewall reboot

    0 Votes, 23 Posts, 4k Views
    After the reboot, sysctl did show eee_setting as 0. Edit: I tried changing the link speed and duplex of the connecting PC, and that made no difference. There are some tests included in the Windows NIC driver that I ran, and during the time the problem occurs, they all succeed except for the connection test. ![Cable Test.gif](/public/imported_attachments/1/Cable Test.gif) ![Hardware Test.gif](/public/imported_attachments/1/Hardware Test.gif)
  • Clear disk usage ?

    0 Votes, 6 Posts, 2k Views
    stephenw10
    There is no easy way of clearing disk space in the pfSense webgui. However using 11% is not a problem.  3GB is more than a normal install as Johnpoz said above. Are you running Squid? Even if you manually remove any surplus caching etc you won't get to 0%. pfSense requires ~500MB to run. Steve
  • Block https

    0 Votes, 18 Posts, 3k Views
    Could you give me a hand? Case ever with the screenshots, thank you very much
  • Email notifications

    0 Votes, 6 Posts, 3k Views
    According to this post I just found the alerts are not configurable. The developers have hard coded certain things to notify on and once you configure your SMTP server you will start receiving those alerts. https://forum.pfsense.org/index.php?topic=60906.0
  • Security implications of running SquidProxy on the main firewall

    0 Votes, 1 Post, 651 Views
    No one has replied
  • PfSense blocking password access to my modem?

    0 Votes, 12 Posts, 3k Views
    stephenw10
    @eiger3970: With pfSense connected, computers can ping others on the network, can ping pfSense, can ping the modem, but can't ping the Internet. A common cause of that is adding a gateway to the LAN interface. You should have only one system gateway and it should be on WAN and set as default. Check in System: Routing Gateways: Steve
  • Remote Logging Issues

    0 Votes, 15 Posts, 3k Views
    I used Filezilla and Notepad++.  Seems to have worked fine.  Now to stop the DHCP entries in friend's syslog. Yeah, I noticed there was no GUI check box for that.  If it isn't broken… Thanks again.
  • URL table functionality, but with a local file

    0 Votes, 4 Posts, 2k Views
    Doesn't matter, since access to that is limited. What are they going to do? See what IPs I'm blocking  ;D Security through obscurity is perfect for this.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.