• PfSense basic networking problem


    Thanks Chris.

    Yep, I've seen that menu many times while attempting wan/lan/nic combinations.

    Woke up after a few hours, tried it again, it works. I have no idea what the problem was but I know I was impatient last night, plugging and unplugging interfaces during the boot to get around the watchdog who seemed annoyed at only one live interface. (my LAN consisted of a laptop with a low battery, and it kept sleeping)

    From what I can see so far, this is a VERY nice solution! Kudos to everyone involved.

  • Firewall rules - host box white on yellow

    Cry Havok

    @cmb:

    Yeah, disabling autofill stops that from happening, I keep it disabled for that reason. I think you can just disable the field color change to yellow, and still leave autofill enabled if you want to use it.

    Yup, there is an option to just disable the field colour change.  However as I don't use the Autofill feature, I've just disabled it, putting the colours back the way they should be.

  • Newb question


    thanks…
    I knew I'd seen it before, but I couldn't find the thread.

    For anyone who picks up this thread in the future, use root to log in to WinSCP, not admin.

  • NTPD not reachable after power failure

    Cry Havok

    I posted (and eventually deleted) a similar problem yesterday.  It looks like it takes OpenNTP quite some time to become a valid source of time.  It also rather strangely reports itself as 2 strata higher than its time source, rather than the normal one.  This means you need to pay careful attention to the stratum of the time source you're using, otherwise you may still not have a valid time source :(

  • Owner of all files were changed to "0" from "root"


    Yes, just replace the file from a vanilla installation.

    It looks like hard disk corruption at first glance.  Voodoo.

  • PPPoE basic setup for newbies


    @craigdrown:

    Hi Aldo,
    just local auth for now. Will get freeradius going once we get this sorted.
    The auth is no problem. Client gets an ip in the specified range and the server ip address as the gateway, but the clients are getting a blank entry for a subnet (even though a subnet is entered in pfsense) - this seems a problem, otherwise won't all ips be treated as local and not go via the gateway?
    Thanks for your help
    Cheers,
    Craig

    I don't really understand your question.

    netmask should be 255.255.255.255 on pppoe clients with gateway of pppoe server ip.

  • How do I reset the bandwidthd figures?

    No one has replied
  • Load Balancing LAN -> LAN


    No idea, but I'm missing exactly the same thing.

    Did you have any luck with it yet?

  • How to avoid startup page on the console?


    You can disable the console menu on the advanced page. You can't require a login at this time.

    Anyone that has physical access to your firewall can bypass even disabling the console menu (by removing hardware if nothing else), physical access is game over. Your firewall has to be in a secure physical environment to be secure.

  • Possible memory leak?


    Any HIDS on a firewall isn't going to be as useful as HIDS on actual accessible systems (like servers). Network IDS/IPS is much more important and relevant on a firewall. We may add some sort of HIDS package in the (maybe distant) future though.

  • Generally questions too pfsense


    @StefanS:

    That may probably be correct in principle in such a way, however already differently saw.
    We have at present a 2Mbit synchron connection, here had I already DoS.
    From 2008 we will have 8Mbit synchron and I think that becomes with DoS not better.

    It's the same whether you have 2 Mb or 8 Mb or 50 Mb. Every script kiddie on earth has enough bots under their control to DoS a connection of 50 Mb or less off of the Internet. Many have enough to DoS a 1 Gb connection or more.

    In this type of scenario, your firewall, no matter what it is, can't help you. Your pipe coming from your ISP is overloaded, it doesn't matter what you do with the traffic once it gets to your end of the pipe, your connection is useless. Your ISP has to handle DoS attacks on their side of your connection so your connection isn't overloaded with the DoS traffic. There isn't anything you can do about it on your end, it's too late at that point.

    Re: CA management, yes, eventually, though no work is currently happening in this area. If you start a bounty, it may get done faster.

    Re: shaping with VPN, not possible at this time, but some changes are in the works that may allow this in a future release.

    Re: mobile user, not sure on that one.

  • External access to internal www server - very slow


    You should try upgrading
    http://pfsense.basis06.com/download//updates/pfSense-Full-Update-1.2-BETA-1.tgz

    if you disable the shaper, you may see the problem disappear, let us know.

    Any memory or CPU bottleneck?

    Where do you live, maybe you can get some local language support.

  • Changing RRD Quality IP

    No one has replied
  • WRAP connected to x86 pfSense as Access Point or Bridge


    If you bridge the interface, it won't get NAT'ed.

    Or if you just want to route, enable Advanced Outbound NAT with no NAT rules.

    What heiko suggested is a bit extreme unless you don't want to do any filtering whatsoever.

  • Rc.local equivalent


    /usr/local/etc/rc.d/

  • (SOLVED) Portranges in Aliases not working ?


    Ok, I solved the problem …

    I had to define another alias for a single port-RANGE.

    Mixed, e.g. Ports: 5001,5002,5010:5100 does not work!
    For the range I must define a new alias.

    Anyway, thanks for your help!

    MBChris
    (Marking thread as solved)

  • Trigger alerts based on traffic?


    OK.  Thanks.  :)

  • How to disable ipv6 ?


    You cannot.  It is built into the kernel that we build.

  • FTP - How do I forward a different external port?


    The active / passive mode has to be set up in your ftp-server…

  • Snort not working


    Upgrade to recent snapshot.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.