• SQUID Pros / Cons - Enable offline mode

    Locked
    0 Votes
    4 Posts
    7k Views
    jimp
    It periodically checks, yes, depending on whatever settings you have configured. Things don't live in the cache forever, especially for dynamic content pages.
  • Why should Squid's "Memory Cache Size" (RAM) not exceed 50%?

    Locked
    0 Votes
    3 Posts
    8k Views
    R
    @jimp: Probably due to this: http://wiki.squid-cache.org/SquidFaq/SquidMemory#I_set_cache_mem_to_XX.2C_but_the_process_grows_beyond_that.21
    Thanks for the link. I looked around but never came up with that link.
  • Snort not blocking SQL Authentication Failures

    Locked
    0 Votes
    3 Posts
    2k Views
    R
    Yeah the attacks come from the same IP over and over and there are zero alerts in snort.  The SQL Server is exposed because I develop outside the local network.  However you are correct…I have got the VPN working now, so maybe I'll close it down and connect via VPN.
  • 4 port ethernet pci

    Locked
    0 Votes
    2 Posts
    1k Views
    K
    Be aware that this is a UIO card and will only fit properly in SuperMicro motherboards with a UIO slot. UIO is apparently just a PCIe slot that is physically reversed, so if you remove the backplate you can mount it 'backwards' (I haven't tested this myself), but it's less than ideal, especially for a NIC where you want the external connections. That said, if you're aware of that, I think this card should work fine. It's basically just a PCIe switch chip (which is standard and 'invisible' to the OS) and a pair of Intel NICs which are well supported in pfSense.
  • pfSense + postgresql on the same computer

    Locked
    0 Votes
    2 Posts
    2k Views
    K
    You could do this, but pfSense is definitely an appliance distribution and doesn't provide any support for this kind of setup. Just getting it installed might be tricky. I would suggest that you either virtualize pfSense and a separate VM for a standard Linux/BSD server to run your Postgres server, or use the routing/firewall facilities of a standard Linux/BSD box instead of pfSense, e.g. a script like Shorewall is fairly nice to use for this.
  • Lost contact with internal webserver

    Locked
    0 Votes
    4 Posts
    2k Views
    Cry Havok
    Try testing from outside.  If it works you need to search the forum for "NAT reflection" since this has been discussed many times before.
  • NanoBSD - should different slices have independent configurations?

    Locked
    0 Votes
    3 Posts
    2k Views
    jimp
    The two OS slices are independent, but their intention is to be used as alternates for the same master configuration. The layout of the NanoBSD filesystem is thus:
    Slice 1: pfsense0 - First OS slice
    Slice 2: pfsense1 - Second OS slice
    Slice 3: cf - Configuration slice, also has some other persistent files (e.g. ssh keys, rrd graph backup, and so on)
    The config is always used directly off slice 3.
  • XML error: OPTXXXX at line 128 cannot occur more than once

    Locked
    0 Votes
    9 Posts
    5k Views
    V
    Well it's up running, working ok now. Thanks :))) I'm more used to using PF on an old desktop so if I messed up I just reload and then restore my saved backup. The embeds are all new to me.. saved some bit of worry, especially when someone else paid 200 some for the device.
  • How to setup PFSense as a Secondary DNS server?

    Locked
    0 Votes
    6 Posts
    9k Views
    R
    @danswartz: To be honest, you would be better off setting up a minimal server on your LAN using some linux distro and install a supported DNS server there as a secondary. While you might be able to get pfsense to do what you want, it is really not intended to work that way, and you are (IMO) setting yourself up for problems down the road.
    I've actually got it set up as follows now:
    Server NIC 1 = Primary DNS
    PBX = Secondary DNS
    PFSense = Tertiary DNS
    Server NIC 2 = Quaternary DNS (in case the first server NIC was simply non-responsive)
    So I basically have 3 servers distributing DNS. This is working quite well and DNS resolution is very speedy.
  • Authentication with active directory groups in V2?

    Locked
    0 Votes
    3 Posts
    2k Views
    B
    I downloaded and installed the current 2.0 snapshot. Can I test this functionality with the current release? I would love some hints on how to set this up  :D
  • After rebooting, could not mount from UFS…

    Locked
    0 Votes
    3 Posts
    2k Views
    F
    Ooooh…...thanks  ;D Knowing me I just plugged it into any ole SATA port. Thanks again!
  • Curious as to what's going on in this log entry.

    Locked
    0 Votes
    3 Posts
    2k Views
    S
    Alright. Thanks, I appreciate it. I've watched the logs before but didn't remember ever seeing it.
  • Block bruteforce FTP login attempts ?

    Locked
    0 Votes
    2 Posts
    2k Views
    C
    You can do exactly what's shown there on a per-rule basis with the advanced options that are available.
  • Slow internet speeds and external DHCP resetting

    Locked
    0 Votes
    7 Posts
    3k Views
    R
    I've identified the issue: we have a cat5 connection from the service provider. I had that plugged into our main switch on its own VLAN with the WAN setting on the router. The main reason for this is the physical length of the cable that was run from the service provider's plug to our computer room. This morning I tried moving those two cables to a desktop switch that I had. I still have the DHCP resetting issue, but the speed is working at the full 100Mbit. I'm not sure why having a switch in line would cause a speed issue like that, and an asymmetrical issue at that. I know our ISP is assigning the IP based on MAC, all I can think is it has something to do with that. Anyone have any comments? Is this normal?
  • Pfsense with few ethernet ports

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp
    jades, There is a lot of info on the pfSense site about this:
    Hardware Sizing: http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49
    Hardware Vendors: http://www.pfsense.org/index.php?option=com_content&task=view&id=44&Itemid=50
    It depends more on throughput, the type of traffic you have, and what services you expect to run on pfSense (VPN, proxy, etc)
  • 4 interfaces using bridging

    Locked
    0 Votes
    4 Posts
    2k Views
    R
    @jimp: You can filter traffic on bridged interfaces, so that would work fine, but the other concerns noted by wallabybob are valid. There will be increased CPU usage with traffic between interfaces, but that would be the same regardless of them being bridged or routed. You would also need to be careful to have each of these segments on their own layer2 broadcast domain – either separate switches or separate VLANs.
    Thanks to wallabybob and jimp for your posts. On the CPU usage, not an issue, we have a dual core 3 gig of RAM system to do the job. This network is only 30 users so network usage should be reasonable. Mostly just telnet traffic to a set of AS/400's and web traffic. The segments will be on their own physical switches so that should be OK. Wallabybob, I fully agree on your comments about DNS/naming versus using IP address. I have been pushing that for a while but now hit the wall and need to make the network changes. Is it fair to say that as long as I throw enough hardware at PFSense it can scale up to fairly high volumes? Do we have any examples that I can show the boss if needed? Thanks guys! Rich
  • 1.2.3 embedded + HTC Desire = no wifi

    Locked
    0 Votes
    5 Posts
    3k Views
    D
    Yes, surfing the web, trying to log into Spotify, etc. All tcp/ip or udp/ip activities. I'll see if I can get a trace later today, it's my neighbor's issue.
  • Settings before a computer party

    Locked
    0 Votes
    5 Posts
    2k Views
    A
    Thanks guys! I will give you a full report on how things went on Sunday ;) More tips are appreciated!
  • Redundant pfsense configuration

    Locked
    0 Votes
    6 Posts
    4k Views
    jimp
    2.0 is still a ways off. It'll be out "when it's ready" :-) but is likely to be by the end of the year. It's a very ambitious release. Lots of features were added. You can install on a gmirror, yes, but the setup isn't handled properly in the installer yet. I think it appears in the installer but does not actually function at this point. There are instructions on the doc wiki for doing it by hand, and I've set up probably a dozen machines that way over time.
  • PfSense 1.2.3 - High load from thread taskq after synflood

    Locked
    0 Votes
    13 Posts
    7k Views
    C
    @cmb: The practical implications of this in production are non-existent for virtually every user. If you get hit with a DoS attack that big it's going to more than overfill your Internet pipe (unless you have a gigabit Internet connection), at which point it doesn't matter what your firewall does, you're offline until your ISP can stop the DoS traffic from being sent across your connection. Once it gets to your firewall, it's already consumed all your bandwidth and it's too late.
    This is usually true enough. In my case, it is indeed a high-bandwidth situation so the syn smackdown pfSense got in the labs is a real possibility. Don't get me wrong; the pfSense devs have done a great job, and features like XMLRPC for config-sharing in CARP clusters are simply awesome. It just seems that a combination of weak drivers in FreeBSD* and the uniprocessor nature of PF hold it back from scaling well enough for this particular situation.
    * Used to be a network engineer for a company that made a layer-7 filtering bridge based on FreeBSD so yeah, I feel your pain. :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.