• How much memory/storage I should install

    3 Posts, 860 Views
    Thanks KOM!
  • RST Question

    9 Posts, 2k Views
    Hi, thank you for your information :)
  • How to monitor / log Multi-WAN functionning?

    2 Posts, 499 Views
    jimp: There isn't really a list like that to view. You can see the connections on Diagnostics > States, and they are listed by interface, but there is no "why" – the "why" is up to the policy routing rules on the internal interface (e.g. LAN) and that part isn't retained in a visible way.
  • I must be missing something as I see an options screen from 00-16

    5 Posts, 994 Views
    Thank you, that is much more helpful and a lot less cryptic!
  • Specify interface to use (for SSH/SCP) while on command line

    2 Posts, 6k Views
    jimp: For ssh:

        -b bind_address
            Use bind_address on the local machine as the source address of the connection. Only useful on systems with more than one address.

    For scp it's trickier, but can probably be worked out with this:

        -o ssh_option
            Can be used to pass options to ssh in the format used in ssh_config(5). This is useful for specifying options for which there is no separate scp command-line flag. For full details of the options listed below, and their possible values, see ssh_config(5). […] BindAddress
  • Unable to create username with more than 16 character

    5 Posts, 1k Views
    johnpoz: I believe the sAMAccountName in Windows is limited to 20… So guess you could get 4 extra characters that way.. But come on, really, why would anyone use such long usernames??
  • Arp table showing incorrect mac id's

    7 Posts, 2k Views
    @firewalluser: The irony of what you suggest is that the current setup, where it shows hot plugging messages on the console, is the only indicator I have when I plug an infected machine into a pfSense managed network and pfSense becomes compromised. Well, sod's law, I can't replicate the hotplug event again. Having read this thread https://forum.pfsense.org/index.php?topic=66908.0 as well as this thread https://forums.freebsd.org/threads/powerd-and-usb-nic.39207/ and a few others, including some man pages, even though I'm using the built-in Intel motherboard NIC (em0) with BIOS updates up to date, I simply can't replicate the hotplug events. This was a default mem stick install with just VLANs configured, with 2 devices (a PC and an RPi) connected to their own individual VLAN. PowerD is off by default so shouldn't have been a factor, but seeing the hotplug event when I plugged a running RPi into the switch made me believe this caused the hotplug event to pop up on the console (didn't check system logs but have since found out they do appear there).

    Whilst I was thinking this through, it did occur to me that monitoring the USB bus in much the same way a NIC is monitored with IDS/IPS just doesn't exist. AV has its flaws, namely they have to find the virus first before they can search for it. Even then AV mainly just scans storage devices, be it disks, CDs, floppies, network shares & mem sticks, for rootkits and their like; some will also scan memory, but not very efficiently. DuQu2.0, I noticed when reading up the Kaspersky PDFs, they have only found traces of it on Windows systems. Linux CDs are not hardened out of the box, and having been hacked via Linux which destroyed Windows and backups, all my backups will be on read-only DVDs from now on. But this got me wondering just how insecure systems are.

    It turns out you can remote access UEFI BIOS; some motherboards also come with 32MB of space for the UEFI BIOS when the BIOS code itself may only be 4MB in size, and there's some very detailed presentations around which show how easy it is to hack the UEFI BIOS as well as the old style and compromise them; one is only limited by their imagination as to the possibilities. It's possible to rewrite the firmware of some disks, so you could also use the cache to hide during runtime and store to disk at switch off, in effect being able to hide from AV mem scans. Again, skilled programmers needed, but not impossible: https://www.reddit.com/r/netsec/comments/1jkuts/flashing_hard_drive_controller_firmware_to_enable Plus it also crossed my mind: could the network cable in an RPi be used as a wifi antenna? I don't know as I haven't taken one apart, but when trying to isolate and eradicate whatever hit my system, it's only by having some old software from the 1990s which gave me the break to see hidden 64MB partitions on mem sticks, as nothing showed up in gparted, but I could clearly see it when I did using wxHexEditor. Even now those mem sticks are still isolated until I take them apart. So all in all, OSes and many industry standard practices still leave systems wide open for some serious hacking, and I don't think most people have a clue just how easy it is for hackers with suitable funding.
  • Unable to change PPPOE MTU value.

    7 Posts, 2k Views
    Your ISP asked for an MRU (your MTU) of 1456, which your end understandably granted. You asked for an MRU (your ISP's MTU) of 1492, which was granted. Only your ISP can explain why they ask for an MRU of 1456.
  • PFSense on AWS

    1 Post, 784 Views
    No one has replied
  • Error: cannot define table bogonsv6

    2 Posts, 2k Views
    It's simple. Do not use the bogons.
  • Problem with Fail Over and Load Balance

    1 Post, 543 Views
    No one has replied
  • ADSL modem and pfSense in different locations….

    4 Posts, 891 Views
    johnpoz: You need to isolate them with your VLANs on your switch.
  • Help with Random Reboots

    6 Posts, 2k Views
    Max, yes I have tuned the igb card per the recommendations. I did not have time this weekend to secure erase my drive. I will let you know if doing that fixes my problems. Thanks, northfaceseen
  • Link Aggregation with bridged OpenVPN?

    1 Post, 1k Views
    No one has replied
  • How to ensure GPS time is working?

    5 Posts, 1k Views
    So, I have a /dev/gps0 device. Who is using it when I am trying to set it as serial GPS? Is it possible to configure it with serial GPS? In order to avoid talk about USB speed, please imagine that my computer has no internet. Then any slow USB is better than nothing.
  • Boot pfsense from a network share - possible?

    8 Posts, 2k Views
    My intention was to have what would normally sit on the hard disk on the network share. This way I can have another program monitor the changes made to the file system sat on the network share, which would give me the ability to find changes made which are otherwise unaccountable. It doesn't solve the problem of stuff running in memory only though, but frequent reboots help counter that problem as a new pattern would develop as the (re)infection process takes place again, but it's related to my other post about the ARP table showing the wrong info, latest example of my observations being here: https://forum.pfsense.org/index.php?action=post;quote=563341;topic=100968.0;last_msg=563341

    Based on the malware I have got here which isn't being detected entirely by AV software, people/businesses need to start thinking about isolating their internet facing services, like web and/or email servers, from their private networks and start to go physical machines. In a way virtualisation puts all your eggs in one basket, which is no different to MS Small Business Server or Linux LAMP servers in a way, so by having an individual machine for each public facing service, you need to automate the installation and setup process as quickly as possible by spinning up a new server whilst also treating it as a disposable pawn. Breaking all encryption at the firewall, even for browsers, is a must, or have separate machines used exclusively for encrypted online access like for online banking, in order to reduce risks across a LAN, business data getting compromised and so on. What's interesting about DuQu2.0, only spotted by Kaspersky Labs, is it steals MS SQL databases and email contacts from MS Exchange amongst other things, which is commercially advantageous in many ways, especially as the global economy contracted by $13 trillion since June this year. The planet's total GDP is only around $74 trillion if the investment websites quoting this info are correct; if not, ignore the financial bit.

    It's also possible DuQu2.0 targets open source software as well as a delivery conduit and might be what's buggering up my systems here; the catch 22 is no AV has hard facts, only traces of something. Edit. My catch 22 is, my email servers are down (have been for months as they keep getting hacked) so I only have the ability to post my observations here at the moment, as all forum registrations need email to register, aka a catch 22.
  • Locked myself out, any way to reconnect?

    5 Posts, 958 Views
    Managed to get at the console, finally. Spurred on by your thoughts, I decided to go all out, so I got my server off the wall (to make room for the VGA cable), got a spare monitor and stuff. Managed to revert to a previous configuration. Thanks!
  • IGMP proxy sometimes does not join groups

    5 Posts, 2k Views
    After some diagnostics I found out I did not have the allow options selected on all WAN rules. Funny thing is that the old igmpproxy worked without these settings (which should be a problem, because the reports from the host won't reach the igmpproxy). It seems everything is running fine now.
  • 2 networks seeing eachother

    11 Posts, 3k Views
    Derelict: You would pass the necessary traffic on the originating interface (the one initially receiving the connection request, thus allowing the traffic into the firewall) to the appropriate destinations.
  • PfSense 2.2.4 DNS Resolver how to enable log output?

    4 Posts, 1k Views
    johnpoz: Well again, look in the resolver log.. This is where errors in the resolver starting up would be listed.. Increasing the verbosity would log more info.. How is this NOT answering your question?? [image: resolverlog.png]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.