• Pfsense blocks packets with ip header field id set to 0

    0 Votes
    1 Posts
    563 Views
    No one has replied
  • AWS VPC wizard for standard installs?

    0 Votes
    5 Posts
    1k Views

    Interesting… JimP says "netgate guys" as though there is really any difference between the companies.

    The VPC wizard is not going to be in the "community edition" of pfSense anytime soon.

  • CVE-2004-0230 Patch In pfSense Soon?

    0 Votes
    3 Posts
    1k Views

    if it was a problem, we would have released a new version by now.

  • 0 Votes
    4 Posts
    902 Views

    if it was a problem, we would have released an updated version by now.

  • Rules overview add columns for limiter

    0 Votes
    1 Posts
    460 Views
    No one has replied
  • Installation Stuck please help

    0 Votes
    2 Posts
    745 Views

    If it installed correctly and easily before, it should also again.
    I'd WIPE the drive and reformat, deleting all partitions.  Use linux.
    Then reinstall pfsense.
    Is this a full install?  I'm assuming it is.

  • No packages by MAC

    0 Votes
    2 Posts
    576 Views
    stephenw10

    You can use a fixed DHCP lease so that your selected clients always get the same IP. Then use the whitelist to bypass Squid for those IPs.

    Steve

  • Losing UI access after creating adapter for VPN connection

    0 Votes
    7 Posts
    1k Views

    Nope. No 80 or 443 come into play. I've changed the Web UI's port and opened it in the firewall, and it stays reachable now. Not sure what happens; it seems like the anti-lockout rule isn't effective anymore, as other connections continue to work. Should be able to verify that when changing it back to 443 and opening the port separately from the anti-lockout rule.

  • 0 Votes
    1 Posts
    918 Views
    No one has replied
  • PfSense Snort Limited Logging

    0 Votes
    2 Posts
    758 Views
    bmeeks

    @pidakala:

    I am trying out pfSense on my home PC, which I want to deploy in the near future as a router/firewall/IPS/web filtering system. I have downloaded Snort and am playing with a few settings on Snort. I find that the number of alerts logged under the IPS Connectivity setting is overwhelming and too many. Is there any way to limit the logging based on number of logs per second etc.? I could not find those settings in the pfSense webConfigurator.

    I am also looking to stop TCP SYN flood and UDP flood attacks. Is there any way to do this in the Snort package that comes with pfSense?

    Thank you very much..

    Suppress Lists are used in Snort to "rate limit" events.  You can also suppress certain common false positives entirely.  There is an older thread in the Packages sub-forum with the words "Master Suppress List" in the title.  It has suggestions from several experienced Snort users.

    Snort with its associated rules is designed to look for specific attacks where the packet data matches content and metadata contained within the rules.  There are scan rules that can help with TCP SYN attacks.

    Snort on pfSense offers a blocking mode that will insert an offender's IP address into a table in the pf firewall.  This effectively blocks further traffic from that offender until a timeout you set expires.  There is a basic How-To sticky thread posted in the Packages sub-forum for the Snort package.  You may find some useful information there.  There are also a number of experienced users who are regulars in that sub-forum.  You can post questions there and probably receive more and quicker replies.

    Bill
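    As an added illustration of the suppress-list mechanism Bill describes (this is not from the original thread and not from the pfSense Snort package itself): the package's Suppress List entries are handed to Snort in threshold.conf form, so they use Snort's `event_filter` and `suppress` directives. The SIDs below are assumed local-rule SIDs (the 1000000+ range is reserved for local rules) and the address is made up for the example.

```snort
# Added example, not from the original post. SIDs and addresses are assumed.

# Rate limit: log at most one alert per source IP every 60 seconds for the
# rule with SID 1000001 (an assumed local rule). Extra matches inside that
# window are still evaluated by the rule but are not logged.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# Threshold: only log SID 1000002 once a single source has matched it 50 times
# within 10 seconds. Useful for scan-style rules where one hit is just noise.
event_filter gen_id 1, sig_id 1000002, type threshold, track by_src, count 50, seconds 10

# Suppress a known false positive, but only when it comes from the internal
# monitoring host 192.168.1.25 (assumed address); alerts from anywhere else
# for the same SID are still logged.
suppress gen_id 1, sig_id 1000003, track by_src, ip 192.168.1.25

# Suppress a rule for every source (no track/ip clause): nothing is logged.
suppress gen_id 1, sig_id 1000004
```

    The practical caveat: in the pfSense package the pf block is driven by the alert that Snort outputs, so a suppressed event produces neither a log entry nor a block. That is the right tool for a false positive that would otherwise lock out a legitimate host; it is the wrong tool if you only want fewer log lines but still want the offender blocked, in which case an `event_filter` with `type limit` keeps the first alert (and therefore the block) and drops the repeats. Hosts the package has blocked end up in the pf table the package maintains (`snort2c`), which you can inspect from a shell with `pfctl -t snort2c -T show`.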

  • Can't create network 10.200.2.x

    0 Votes
    3 Posts
    919 Views

    I found the reason, I have two network cards with the same subnet, that was what produced the conflict.

    Thanks

  • Squidguard everything configured, just doesn't get it to work

    0 Votes
    1 Posts
    652 Views
    No one has replied
  • Can not open website

    0 Votes
    1 Posts
    473 Views
    No one has replied
  • Auto added Firewall:aliases

    0 Votes
    2 Posts
    906 Views
    KOM

    EasyRules are created by you or someone else.  When you view the firewall log, if you click on the red/white X under the Source column, it will prompt you to create an alias and firewall rule to block that IP address.  At some point, you or someone else must have done that.  You should be able to delete both the rule and the alias.

  • Snort gives alert yet nothing happens

    0 Votes
    4 Posts
    1k Views
    bmeeks

    @FreeYourMind:

    Hi bmeeks,

    thank you for your quick reply and effort to help me out.

    You were right, killing states was still unchecked, and after I enabled it, it worked for me.
    Unfortunately torrent traffic is still going through, but at least the webpage from where I got the torrent file gets blocked.

    With games it's a little bit odd too: I can still play them, but in the case of D3 and WoW it seems Snort blocks the attempt to download an upcoming patch through the background downloader but doesn't reject the connection to the gaming servers itself.

    If you don't mind me asking, there is something about the configuration of Snort I didn't understand.
    All rules are working with the $HOME_NET and $EXTERNAL_NET variables, but shouldn't the WAN interface on which I activated Snort be considered $EXTERNAL_NET? When I click on the view list button for HOME_NET it lists all my private networks, but including the IP of my WAN interface. That doesn't make sense to me, or am I totally wrong here?

    You don't want to ever block your own WAN interface.  Then nothing would get through your box.  You want to block either the far-end source or destination host, or sometimes one of your LAN clients.  You don't want blocks directly on any of the firewall interface IP addresses.  If that happened, you would be completely locked out of the firewall.  So that's why the firewall interface IPs (including the WAN IP) get put in $HOME_NET and included in the default PASS LIST of "never blocked" IP addresses.

    As for your torrent and game stuff, are you sure that all the necessary rules are actually in place?  You will need to examine carefully the rules you have selected.  Doing this requires understanding the rule syntax and how rules operate in Snort or Suricata.  There are lots of how-to and tutorial links to be found on Google for that.  Snort only blocks what a rule specifically identifies.  To elaborate, the rules you are using may work off a simple list of IP addresses.  If that list only includes say popular torrent web sites (for fetching the torrent files themselves), then attempts to download the torrent file itself would be identified, but later connecting to some random seeder may not be if the IP address is not in the list.  Same for game servers.  I'm not saying this is your issue, but it is a possibility.  You will need to examine the P2P and GAMES rules individually to see what they are actually looking for to kick off an alert.

    Bill
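    To make Bill's point concrete (this is an added example, not from the original thread or from any rule set shipped with the package), here are two local rules that both target BitTorrent but behave very differently. The first matches only destinations in a hard-coded list, the second matches the protocol handshake itself. The SIDs are assumed local-rule SIDs and the addresses are from the 203.0.113.0/24 documentation range.

```snort
# Added example, not from the original post. SIDs and addresses are assumed.

# IP-list style rule: fires only when the destination is one of the listed
# addresses (imagine a couple of torrent index sites). A connection to a
# seeder whose address is not in the list never matches, so it is never
# blocked, which is the behaviour described in the thread.
alert tcp $HOME_NET any -> [203.0.113.10,203.0.113.11] any (msg:"LOCAL P2P torrent site in list"; flow:to_server,established; classtype:policy-violation; sid:1000010; rev:1;)

# Content rule: fires on the BitTorrent peer-wire handshake no matter which
# peer it is sent to. The handshake starts with a length byte 0x13 (19)
# followed by the 19-byte string "BitTorrent protocol", so the first 20
# bytes of the payload are enough to identify it.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL P2P BitTorrent handshake"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:1000011; rev:1;)
```

    In blocking mode, which side of the flow lands in the pf table is decided by the package's "Which IP to Block" setting (source, destination or both), and the firewall's own interface addresses never get blocked because they are on the default pass list, exactly as explained above. Note that a content rule like the second one only sees unencrypted handshakes; clients that enable protocol encryption will not match it, which is one more reason a single rule rarely covers a whole application.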

  • Backup Internet Connection from an alternate ISP

    0 Votes
    4 Posts
    903 Views

    A good deal of thanks to both of you.
    The direction you pointed me in got me exactly the answers and information I am looking for.
    Colour me impressed!
    Regards,
    Gerry

  • User manager and Squid Proxy

    0 Votes
    1 Posts
    445 Views
    No one has replied
  • Can't connect to webconfig.

    0 Votes
    1 Posts
    712 Views
    No one has replied
  • Reset APU

    0 Votes
    4 Posts
    4k Views

    The button on the front does not work, I'm in the same bind.

  • Separation between the wireless and wired network help

    0 Votes
    18 Posts
    2k Views

    What he said…  ^

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.