• Pfsense-Freeradius authentication to Active Directory

    Locked · 3 Posts · 0 Votes · 14k Views

    You can add "DEFAULT Auth-Type := Reject" with the GUI:

    You just create a new entry on "Users" and put this in the correct custom-options box.

    In pfSense 2.1, when it is done and the freeradius2 package is ready for pfSense 2.1, you will be able to easily move entries in "Users" using the GUI.
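
    As an added illustration (not from the post and not the pfSense package's generated config), this is what that catch-all looks like in a hand-written FreeRADIUS `users` file. Entries are tried top to bottom and the first match wins, so the Reject line has to be the last `DEFAULT` entry or nothing below it is ever reached. The `ntlm_auth` Auth-Type is the one the FreeRADIUS Active Directory howto uses; the NAS address 192.0.2.10 and the reply message are assumptions.

```text
# FreeRADIUS "users" file fragment (added example; addresses are assumed).
# Only requests arriving from one known NAS (say, the OpenVPN box at
# 192.0.2.10) are handed to Active Directory through ntlm_auth. This assumes
# the ntlm_auth module is configured and the host has joined the domain.
DEFAULT NAS-IP-Address == 192.0.2.10, Auth-Type := ntlm_auth
        Fall-Through = No

# Everything that did not match an entry above is rejected outright instead
# of falling through to whatever the default authorize/authenticate path
# would do with it. Keep this as the final entry.
DEFAULT Auth-Type := Reject
        Reply-Message := "Not authorised on this RADIUS server"
```

    The order matters in the GUI too: the pfSense package writes the "Users" entries into this same file in the order they are listed, which is why the post notes that moving entries around is what 2.1 makes easy.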

  • Nmap basics

    Locked · 3 Posts · 0 Votes · 3k Views

    @cmb:

    Depends on what kind of scan you're doing. Things that use valid connections (ping scans, SYN scans) will work fine. Things that use scans that abuse TCP by setting flags that aren't valid will be blocked; legit TCP is enforced, as with any worthwhile firewall. You just can't use many types of scans if you're behind, or on, a system with a firewall enabled.

    ^What he said.

    I've got the pf firewall installed on my FreeBSD machines and use nmap to scan them.

    It reports some packets being blocked and the firewall as not responding to ping, but if I set the -Pn flag it will continue the scan and show 1000 ports filtered.

    sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.1.151, 16) => Operation not permitted
    Offending packet: TCP 192.168.1.150:?? > 192.168.1.151:?? ?? ttl=59 id=55250 iplen=15360 frag offset=512 (incomplete)
    sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.1.151, 16) => Operation not permitted
    Offending packet: TCP 192.168.1.150:48429 > 192.168.1.151:33217 FPU ttl=47 id=42102 iplen=15360 seq=1288232717 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackok>
    +snip+
    Completed NSE at 02:09, 10.00s elapsed
    Nmap scan report for 192.168.1.151
    Host is up.
    All 1000 scanned ports on 192.168.1.151 are filtered
    Too many fingerprints match this host to give specific OS details

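    Two things are visible in that output. The "Operation not permitted" errors are the scanning host's own pf refusing to let nmap's raw packets out (the "on a system with a firewall enabled" case from the reply above), and the packet it refused carries the FIN+PSH+URG ("FPU") combination that OS detection and the Xmas scan use. The following is an added example, not code from the thread, that models the check a default pf TCP pass rule performs ("flags S/SA": of the SYN and ACK bits, exactly SYN must be set for a packet to create state) and how nmap turns the reply to a SYN probe into a port state. The probe list is constructed.

```python
"""Why a pf-protected host answers SYN scans but not FIN/NULL/Xmas probes.

Added example, not code from the thread. Models pf's 'flags S/SA' test and
nmap's interpretation of SYN-probe replies. Probe set below is constructed."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

FLAG_NAMES = [(FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, "A"), (URG, "U")]


def flags_str(flags):
    """Render a flag byte the way nmap prints it, e.g. FIN|PSH|URG -> 'FPU'."""
    return "".join(name for bit, name in FLAG_NAMES if flags & bit) or "(none)"


def pf_flags_match(tcp_flags, want=SYN, mask=SYN | ACK):
    """pf 'flags want/mask': the bits selected by mask must equal want exactly.
    Bits outside the mask (PSH, URG, ...) are not examined."""
    return (tcp_flags & mask) == want


# Constructed probes, keyed by the nmap option that emits each one.
PROBES = {
    "-sS (SYN scan)":  SYN,
    "-sA (ACK scan)":  ACK,
    "-sF (FIN scan)":  FIN,
    "-sN (NULL scan)": 0,
    "-sX (Xmas scan)": FIN | PSH | URG,   # the 'FPU' packet in the log above
}


def classify_probes(probes=PROBES):
    """Which probes a 'pass in proto tcp flags S/SA keep state' rule will even consider."""
    return {
        name: ("evaluated by the rule" if pf_flags_match(f)
               else "dropped (flags do not match S/SA)")
        for name, f in probes.items()
    }


def syn_scan_port_state(reply_flags):
    """nmap's reading of what comes back for one SYN probe.
    reply_flags: TCP flag byte of the reply, or None when nothing comes back,
    which is what every port looks like behind a silently dropping firewall."""
    if reply_flags is None:
        return "filtered"
    if reply_flags & SYN and reply_flags & ACK:
        return "open"
    if reply_flags & RST:
        return "closed"
    return "filtered"


if __name__ == "__main__":
    for name, verdict in classify_probes().items():
        print(f"{name:17} flags={flags_str(PROBES[name]):6} {verdict}")
    print("no reply at all ->", syn_scan_port_state(None))
```

    The practical consequence matches the scan report: with every probe silently dropped, nmap has no SYN/ACK or RST to work from, so all 1000 ports come back "filtered" and the OS fingerprint is inconclusive. Run the scan from a host whose own packet filter permits the crafted packets, or restrict yourself to the probe types the target's rules accept.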
  • IPMI access over pfsense OpenVPN?

    Locked · 28 Posts · 0 Votes · 10k Views · last post by jimp

    @vassilis:

    @jimp:

    That depends on whether or not the IPMI is actually respecting its default gateway, but if it is a shared NIC you may be right: it may just not be picking up the packets as they leave, and no amount of trickery on the firewall can help it. You might need to set up a simple bounce daemon on an internal server to reflect the IPMI port back, then connect from the VPN to that port on the internal server.

    That's exactly what I suspect as well.

    About not respecting the default gateway: does it not show that it's working when I can access the IPMI interface over a site-to-site VPN when the IPMI is not on the firewall itself but on a server within that network?

    Yes if you can access it from another subnet, then it is probably using the gateway properly.
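
    The "bounce daemon" suggested above is a plain TCP relay. As an added example (not from the thread and not a pfSense component), here is a minimal one in Python: it listens on the internal server and copies bytes both ways to the IPMI controller. Listen address, target and the use of an echo server as a stand-in for the BMC are assumptions; it relays TCP only, which covers the BMC's web interface but not ipmitool's lanplus transport on UDP 623.

```python
"""Minimal TCP bounce daemon (added example, not from the thread).

Listens on an internal host and relays each connection to the IPMI
controller's TCP port, so a VPN client can reach a BMC that ignores its
default gateway. Addresses and ports below are assumptions."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then tear both sockets down."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def _handle(client, target):
    """Open the upstream leg and start one pump per direction."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def start_bounce(listen, target):
    """Bind `listen` (host, port), relay every accepted connection to `target`.
    Returns the listening socket; close it to stop accepting."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed
                return
            threading.Thread(target=_handle, args=(conn, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def demo():
    """Round trip through the relay against a constructed echo server standing
    in for the BMC. Returns the bytes the client got back."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)

    def echo_once():
        conn, _ = echo.accept()
        with conn:
            conn.sendall(conn.recv(1024))

    threading.Thread(target=echo_once, daemon=True).start()
    relay = start_bounce(("127.0.0.1", 0), echo.getsockname())
    with socket.create_connection(relay.getsockname(), timeout=5) as cli:
        cli.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = cli.recv(1024)
    relay.close()
    echo.close()
    return reply


if __name__ == "__main__":
    print(demo())
```

    Anyone who can reach the relay's listening port can talk to the BMC, and IPMI stacks are not something to expose casually, so bind it to the internal address only, allow it from the OpenVPN tunnel network alone in the firewall rules, and prefer the BMC's HTTPS port over plaintext. For a one-off you can get the same effect with socat, but the script shows what is actually happening on the wire.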

  • Access FTP server via wan

    Locked · 4 Posts · 0 Votes · 3k Views · last post by johnpoz

    I have to assume he got it working from a port forward aspect at least?

    Connected to 41.204.105.165.
    220 Welcome to the OpenDreambox FTP service.

    Or maybe his IP address changed and this is someone else that has ftp open? ;)

  • Burst with limiter ?

    Locked · 5 Posts · 0 Votes · 2k Views

    On a forum,
    http://freebsd.1045724.n5.nabble.com/Dummynet-and-bursting-td5669253.html

    it is written:

    This is the literal executed command:

    /sbin/ipfw pipe ${bw_up_pipeno} config bw ${bw_up}Kbit/s queue 500Kbytes burst 500000

    The output from ipfw pipe show:

    20010: 1049 Mbit/s    0 ms burst 500000
    q151082 500 KB 0 flows (1 buckets) sched 85546 weight 0 lmax 0 pri 0 droptail
     sched 85546 type FIFO flags 0x0 0 buckets 1 active
      0 ip 0.0.0.0/0 0.0.0.0/0 45 2832 0 0 0

    But when tested in pfSense it does not run.
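
    The `burst` keyword in that ipfw command behaves like a token bucket: a pipe that has sat idle banks up to `burst` bytes of credit and may send them at link speed before settling to the configured rate. The following is an added, generic token-bucket model (not dummynet's scheduler and not code from the thread) so you can see what a 500000-byte burst on a 1049 Kbit/s pipe actually does to packet timing; the rate and packet sizes in the demo are constructed.

```python
"""Generic token-bucket model of a shaped link with a burst allowance.

Added example, not dummynet's implementation. Packet sizes, times and
rates in the demo are constructed."""


def token_bucket_departures(packets, rate_bps, burst_bytes):
    """Return the time each packet has fully left the shaper.

    packets:     list of (arrival_time_s, size_bytes) in arrival order
    rate_bps:    shaped rate in bits per second
    burst_bytes: credit an idle link may bank; bytes paid for with credit
                 go out at line speed (modelled as instantaneous), the rest
                 are paced at rate_bps. 0 means no burst at all.
    """
    tokens = float(burst_bytes)   # bucket starts full: link has been idle
    link_free_at = 0.0            # when the previous packet finished
    departures = []
    for arrival, size in packets:
        now = max(arrival, link_free_at)          # may have to queue behind the last one
        # credit accrues at the shaped rate during idle time, capped at burst
        tokens = min(burst_bytes, tokens + (now - link_free_at) * rate_bps / 8)
        if size <= tokens:                        # enough banked credit: send now
            tokens -= size
            done = now
        else:                                     # spend what credit there is, pace the rest
            done = now + (size - tokens) * 8 / rate_bps
            tokens = 0.0
        link_free_at = done
        departures.append(done)
    return departures


def demo():
    """Four 1500-byte packets arriving together on a 12 kbit/s link, with and
    without a 3000-byte burst, plus a packet that arrives after the link idled."""
    pkts = [(0.0, 1500)] * 4
    return {
        "no burst": token_bucket_departures(pkts, 12_000, 0),
        "burst 3000": token_bucket_departures(pkts, 12_000, 3000),
        "refill after idle": token_bucket_departures([(0.0, 1500), (10.0, 1500)], 12_000, 1500),
    }


if __name__ == "__main__":
    for label, times in demo().items():
        print(f"{label:18} {times}")
```

    With no burst every 1500-byte packet costs a full second at 12 kbit/s, so they leave at 1, 2, 3 and 4 seconds; with a 3000-byte burst the first two leave immediately and only the third and fourth are paced. Scaled to the thread's numbers, a 500000-byte burst on a 1049 Kbit/s pipe lets roughly half a megabyte go out unshaped after an idle period, which is exactly the "fast start" effect a limiter user is usually after and also why it is easy to mistake for the limiter not working at all.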

  • Is it safe to assume that config files work with all 2.x versions?

    Locked · 3 Posts · 0 Votes · 1k Views

    Thanks for clarification cmb. This is a REALLY good practice.

  • List all firewall rules

    Locked · 4 Posts · 0 Votes · 2k Views · last post by jimp

    #!/usr/local/bin/php -q
    <?php
    // Load the parsed config.xml and walk the firewall rule array,
    // printing the index of each rule.
    require_once('config.inc');
    global $config;
    $a_filter = &$config['filter']['rule'];
    for ($i = 0; $i < count($a_filter); $i++) {
        printf("num:%d", $i);
    }
    ?>

    : ./test.php num:0num:1num:2num:3num:4num:5num:6num:7num:8

  • Help Needed with Errors

    Locked · 6 Posts · 0 Votes · 2k Views · last post by jimp

    Does your LOCALNET interface actually have an IP address?

  • MOVED: Re: WAN DHCP Problem

    Locked · 1 Post · 0 Votes · 783 Views · No one has replied

  • How to get Motorola NVG510 used with new ATT DSL working w/ pfsense

    Locked · 6 Posts · 0 Votes · 20k Views

    This does seem to be the accepted workaround, but it seems like it really sucks to me.

    Here is what I would like to try. I'm getting U-verse in a few days; I asked the rep if I can bridge and was told yes.
    Then I got home, searched, and saw you can't.
    It seems like the IP passthrough would be double NATing.

    1. According to the book from Moto, bridge mode exists and works:
    http://www.ron-berman.com/wp-content/uploads/2011/11/nvg510manual.pdf

    "This guide describes the wide variety of features and functionality of the Motorola Gateway, when used in Router mode. The Motorola Gateway may also be delivered in Bridge mode. In Bridge mode, the Gateway acts as a pass-through device and allows the workstations on your LAN to have public addresses directly on the Internet"

    There is telnet; we need to poke at that.

    If not, maybe we can find the OG firmware from Moto.

    2. There is the Moto 2247-N8 ADSL2 802.11n Wi-Fi Gateway.

    This looks to be very close to the NVG510 sans the phone splitter.
    I wonder if the 2247 firmware can be loaded on the NVG510 to allow bridge mode.
    The command line looks to be the same.

    Does anyone have a 2247 so that we can compare chipsets?

  • Building a TDMA Network?

    Locked · 9 Posts · 0 Votes · 4k Views

    Pretty much every network in the world has a good deal of broadcast noise. Until you get up to hundreds or thousands of hosts it's not enough to impact anything, short of a host gone nuts spewing huge amounts of broadcast traffic (thousands of pps, which I've only seen happen a couple of times that can be classified as just "host gone nuts"; it's very rare). That's the reason you generally don't want more than a /24 per broadcast domain: with more than 254 active devices on a network you may have enough broadcast noise that it becomes an issue (though usually not until you get to several times that many hosts).

  • LED Meanings on alix systems

    Locked · 3 Posts · 0 Votes · 2k Views

    I've been looking into the sweeping-after-bootup issue. It seems that when a startup service fails, it keeps the LEDs sweeping.
    I had a look at the beastie while it was starting up over the serial port, and noticed that cron was dying immediately after starting up. I looked into the crontab. There was an entry for squid that didn't get removed when I uninstalled the package. After removing it, the problem seems to have cleared up.

  • PfSense 'modem' -> pfsense 'router(s)', would this work?

    Locked · 23 Posts · 0 Votes · 8k Views · last post by stephenw10

    Nice.
    Comprehensive set of screenshots there!  :)

    Steve

  • Pfsense exploits

    Locked · 14 Posts · 0 Votes · 11k Views

    Time To Crack:
    1306628104 centuries
    Total Passwords in Pattern:
    4 Septillion

  • SMTP filtering

    Locked · 4 Posts · 0 Votes · 3k Views · last post by marcelloc

    On Firewall -> NAT -> Outbound NAT:

    Change the mode to manual and add a mapping rule with:

    interface: outbound interface you want to force the ip(wan2 for example)

    source: smtp server ip address

    source port: any

    destination: any

    destination port: any or 25

    nat address: interface address or virtual ip
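
    One caveat a practitioner wants with that recipe: an outbound NAT mapping only rewrites the source of packets that are already leaving through WAN2. If the SMTP server's traffic follows the default route out the primary WAN, the mapping never sees it, so you also need a firewall rule on the LAN-side interface that policy-routes the server's port 25 traffic to the WAN2 gateway. As an added illustration (not from the post and not pfSense's generated ruleset), here is how the pair looks in pf.conf terms; the interface names and addresses are assumptions.

```text
# Added example in pf.conf form (assumed names: em1 = LAN, em2 = WAN2,
# 10.0.0.25 = SMTP server, 203.0.113.1 = WAN2 gateway, 203.0.113.2 = WAN2 IP).

# 1. Policy routing: send the mail server's outbound port-25 connections via
#    WAN2. Without this they follow the default route and step 2 never matches.
pass in quick on em1 route-to (em2 203.0.113.1) inet proto tcp \
    from 10.0.0.25 to any port 25 keep state

# 2. The outbound NAT mapping from the GUI steps: rewrite the source to the
#    WAN2 address (or a virtual IP on it) as the traffic leaves em2.
nat on em2 inet from 10.0.0.25 to any port 25 -> 203.0.113.2
```

    Check the result with a connection from the mail server to an external host on port 25 while watching `pfctl -s state` for a state on em2 with the translated source, and make sure the WAN2 address has matching forward and reverse DNS and appears in your SPF record, or receiving MTAs will reject or spam-folder the mail regardless of which link it used.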

  • No RRD Graphs

    Locked · 14 Posts · 0 Votes · 4k Views

    It is crazy. In the morning, RRD catches some data...


  • Internet Download Manager behind pfsense

    Locked · 10 Posts · 0 Votes · 6k Views

    Finally, I got it to work.

    My network is behind pfSense and Untangle, where Untangle acts as a bridge. I did some research on the Untangle forum and the problem was the antivirus. Untangle scans every single file that I download through IDM. Because of that scanning process, it prevented me from having multiple connections. What I did was simply turn off the antivirus, and now I have no problem with my IDM.

    Thanks for your answer guys, I really appreciate it.

  • FreeDNS resolve error

    Locked · 2 Posts · 0 Votes · 1k Views

    If you had non-functional DNS on the host and tried doing those lookups at that point, at times PHP has a nasty habit of hanging onto failed responses and refusing to issue new queries. Running 'killall php' at the console should resolve, or at worst, reboot.

  • RRD traffic graphics for interfaces LAN and OPT1 are blank :(

    Locked · 6 Posts · 0 Votes · 2k Views

    The RRD traffic graphs are generated from PF counters. If you're not filtering on bridge member interfaces, rather only the bridge itself, the graphs of the member interfaces will be blank because there is no data for them.

  • Power off computers on the LAN

    Locked · 4 Posts · 0 Votes · 2k Views

    For Windows you can use the shutdown.exe tool that was on IIRC the Win2K resource kit and is freely downloadable from MS. It also works with all newer versions of Windows. You could also pkg_add samba on the firewall and use a "net rpc" command to power down from there. Probably easier to do it from a Windows server if you have one with shutdown.exe.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.