  • Snort gives alert yet nothing happens

    4 posts, 0 votes, 1k views
    Last post by bmeeks:

    @FreeYourMind: Hi bmeeks, thank you for your quick reply and effort to help me out. You were right, killing states was still unchecked, and after I enabled it, it worked for me. Unfortunately torrent traffic is still going through, but at least the web page from where I got the torrent file gets blocked. With games it's a little bit odd too: I can still play them, but in the case of D3 and WoW it seems Snort blocks the attempt to download an upcoming patch through the background downloader but doesn't reject the connection to the gaming servers itself. If you don't mind me asking, there is something about the configuration of Snort I didn't understand. All rules are working with the $HOME_NET and $EXTERNAL_NET variables, but shouldn't the WAN interface on which I activated Snort be considered as $EXTERNAL_NET? When I click on the view list button for HOME_NET it lists all my private networks, but including the IP of my WAN interface. That doesn't make sense to me, or am I totally wrong here?

    You don't want to ever block your own WAN interface. Then nothing would get through your box. You want to block either the far-end source or destination host, or sometimes one of your LAN clients. You don't want blocks directly on any of the firewall interface IP addresses. If that happened, you would be completely locked out of the firewall. So that's why the firewall interface IPs (including the WAN IP) get put in $HOME_NET and included in the default PASS LIST of "never blocked" IP addresses.

    As for your torrent and game stuff, are you sure that all the necessary rules are actually in place? You will need to examine carefully the rules you have selected. Doing this requires understanding the rule syntax and how rules operate in Snort or Suricata. There are lots of how-to and tutorial links to be found on Google for that. Snort only blocks what a rule specifically identifies. To elaborate, the rules you are using may work off a simple list of IP addresses. If that list only includes, say, popular torrent web sites (for fetching the torrent files themselves), then attempts to download the torrent file itself would be identified, but later connecting to some random seeder may not be if the IP address is not in the list. Same for game servers. I'm not saying this is your issue, but it is a possibility. You will need to examine the P2P and GAMES rules individually to see what they are actually looking for to kick off an alert.

    Bill
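Added example, not from the post above and not the pfSense Snort package's own code: a small Python simulation of the two points bmeeks makes, that the WAN IP sits in $HOME_NET and in the pass list so a rule can alert on it but it is never blocked, and that a rule keyed to a fixed IP list (a torrent web site) says nothing about a later connection to an address outside that list. Every address, rule, variable value and the "block both source and destination, minus the pass list" policy is a constructed assumption for illustration; the rule parser handles only the simple single-port header form used here.

```python
import ipaddress
import re

# Constructed sample configuration (assumptions, not taken from the post).
# 203.0.113.10 stands in for the WAN interface IP: it is in $HOME_NET *and* in the
# pass list, so a rule may alert on traffic to it, but the firewall never blocks it.
VARIABLES = {
    "$HOME_NET": ["192.168.1.0/24", "203.0.113.10/32"],
    "$EXTERNAL_NET": ["!$HOME_NET"],
    "$TORRENT_SITES": ["198.51.100.5/32"],  # the "simple list of IP addresses" a P2P rule may use
}
# Assumed pass list: the firewall interface IP plus the LAN network. Addresses here are never blocked.
PASS_LIST = ["192.168.1.0/24", "203.0.113.10/32"]

HEADER = re.compile(r"^(alert|drop)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)$")


def in_set(ip, spec):
    """True if `ip` falls inside a Snort address spec: any, a CIDR, a $VARIABLE, or a !negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not in_set(ip, spec[1:])
    if spec.startswith("$"):
        return any(in_set(ip, member) for member in VARIABLES[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(port, spec):
    """Single port or 'any' only (no port lists or ranges in this simplified parser)."""
    return spec == "any" or int(spec) == port


def parse_rule(text):
    """Parse the header and msg of a simple Snort rule into a dict."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": msg.group(1) if msg else ""}


def evaluate(rules, pkt):
    """Return (msg of the first matching rule or None, list of IPs that would be blocked).

    Assumed block policy: block both endpoints of the offending flow, except any
    address covered by the pass list, so interface IPs are never blocked.
    """
    for r in rules:
        if (r["proto"] == pkt["proto"]
                and in_set(pkt["src"], r["src"]) and port_match(pkt["sport"], r["sport"])
                and in_set(pkt["dst"], r["dst"]) and port_match(pkt["dport"], r["dport"])):
            blocked = [ip for ip in (pkt["src"], pkt["dst"])
                       if not any(in_set(ip, p) for p in PASS_LIST)]
            return r["msg"], blocked
    return None, []


# Constructed rules: one keyed to a fixed IP list, one protecting the firewall's own SSH port.
RULES = [parse_rule(r) for r in (
    'alert tcp $HOME_NET any -> $TORRENT_SITES 80 (msg:"P2P torrent site fetch"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH attempt against firewall"; sid:1000002; rev:1;)',
)]


def demo():
    """Three constructed flows: fetching from the torrent site, SSH at the WAN IP, a random seeder."""
    flows = {
        "torrent_site": {"proto": "tcp", "src": "192.168.1.50", "sport": 51000, "dst": "198.51.100.5", "dport": 80},
        "ssh_to_wan": {"proto": "tcp", "src": "198.51.100.77", "sport": 40000, "dst": "203.0.113.10", "dport": 22},
        "random_seeder": {"proto": "tcp", "src": "192.168.1.50", "sport": 51001, "dst": "198.51.100.200", "dport": 6881},
    }
    return {name: evaluate(RULES, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, (msg, blocked) in demo().items():
        print(f"{name:14} alert={msg!r:34} blocked={blocked}")
```

Running it shows the torrent-site fetch alerting and blocking only the far-end host, the SSH probe alerting on a $HOME_NET destination while blocking only the remote source (the WAN IP is pass-listed), and the seeder connection producing no alert at all because no rule names its address.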
  • Backup Internet Connection from an alternate ISP

    4 posts, 0 votes, 926 views
    Last post:
    A good deal of thanks to both of you. The direction you pointed me in got me exactly the answers and information I am looking for. Colour me impressed! Regards, Gerry
  • User manager and Squid Proxy

    1 post, 0 votes, 445 views
    No one has replied
  • Can't connect to webconfig.

    1 post, 0 votes, 716 views
    No one has replied
  • Reset APU

    4 posts, 0 votes, 5k views
    Last post:
    The button on the front does not work. I'm in the same bind.
  • Separation between the wireless and wired network help

    18 posts, 0 votes, 2k views
    Last post:
    What he said… ^
  • I can't visit the https sites

    16 posts, 0 votes, 2k views
    Last post by Derelict:
    @yon: I want to use a short /48 IP address; before, it was working normally in /48.
    Ok. Good luck.
  • Some Problem with the PFsense , Need help

    2 posts, 0 votes, 678 views
    Last post:
    You probably corrupted the squid cache. I'd blow away the cache and reinstall squid after that. Stop the squid service in the GUI, then from a command prompt:

        cd /var/squid/cache && rm -rf ./*
        squid -z

    Then reboot pfSense. Might help, not sure.
  •

    10 posts, 0 votes, 4k views
    Last post:
    Put the x32 image on a stick and everything works with the same settings. It is a different stick. I will try putting the x64 on this one and testing again…
  • Weird 100%+ packet loss issues

    2 posts, 0 votes, 792 views
    Last post by Derelict:
    Enter "apinger" in the search box above.
  • Alix APU baud rates?

    12 posts, 0 votes, 9k views
    Last post:
    The Kingstons in the RAID have been great so far. They have to go 5 years before I call them officially great; right now, they are only at year one. But TRIM is set up correctly, and I think that is key.
  • Amazon.com pages stall while loading

    1 post, 0 votes, 524 views
    No one has replied
  • DDNS Showing correct WAN IP but updating with incorrect IP

    5 posts, 0 votes, 2k views
    Last post:
    Well, got this one sorted out. :P I found a router which I had plugged back in and was using as a switch, which was calling dyndns.org with updates. Because it was not going through the FW rules, it was picking up the wrong gateway and hence the wrong IP address. Disabled it and all is well…
  • PfSense and Asterisk and SIP trunks not working

    2 posts, 0 votes, 755 views
    Last post:
    Yes, Snort will often just protect you to death… I often recommend it to people I really dislike.
  • Extending LAN Subnet Between 2 Datacenters?

    10 posts, 0 votes, 2k views
    Last post:
    Yep, it's pretty cool for what you need. There is another guy who is trying to get 3 or 4 separate sites communicating well; for him, this is probably also the best/easiest option. But easy is relative. Maybe he will see your post and ask for your instruction.
  • Newb alert: Can I run 2 pfsense firewalls

    3 posts, 0 votes, 959 views
    Last post:
    OK. Gotcha. Thank you. I'll look into it.
  • Bridge across LAN ports

    9 posts, 0 votes, 2k views
    Last post by stephenw10:
    It's been answered plenty of times; the OP has done it correctly here. If you bridge the interfaces and move filtering from the bridge members to the bridge interface, then the resulting interfaces will behave like a switch. It will be much slower than even the cheapest switch (in most cases), but there are advantages. You can filter traffic between the ports, for example. There are legitimate reasons to do this; buying a quad-port NIC just to bridge them is not one of them. I have 3 interfaces bridged on my home box here. It has 10 NICs, they aren't removable, and I don't need 10 subnets. The box cost me £40. ;)
    Steve
  • Anonymouse-Proxy

    8 posts, 0 votes, 2k views
    Last post:
    Yep, now you have to block every proxy service on earth by name or IP also… Good luck.
  • L2TP/IPsec question

    3 posts, 0 votes, 870 views
    Last post:
    Thanks jimp
  • For school; students blocked from sites that teachers are allowed. How to? (locked)

    10 posts, 0 votes, 3k views
    Last post:
    You could indeed block HTTPS entirely for students… In the schools I work in, the students NEED access to dozens of HTTPS sites to be able to do their tasks, because teachers implement new educational websites that require logins/passwords. This would force me to "whitelist" a couple of HTTPS sites on a weekly basis. I don't have the time for that.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.