Okay so after some more testing, this appears as though it is state related.  I will see a "in on vr1" only when a new connection arrives on the vr1 interface.

Squid may be closing the connections early, and pf may be removing the states due to that. The blocks you are seeing are just traffic that arrives after the state has already been removed. Not really necessary for normal operation, people wouldn't even notice that in most cases.

well that's a straight foward answer, thank you :) you can mark this as solved.

The ftp proxy logs allowed connections, that is likely what you are seeing in the log.

ok thanks a lot. what an easy, read read read i hate myself ): a turkish says : perfection hide in simplicity.

Hi, I do not use SNORT or HAVP. I know that snort isn't easy to configure and not so many people are using it because of its complexity. HAVP shouldn't be so hard to configure but I do not have any pfsense box here to test. So the best way would be that you create a new thread and asking for help to configure HAVP and then someone who knows HAVP can help you or you provide screenshots of the configration pages so that we can help you with this.

Draw a picture, it would be better if you draw "what you have" and "what you want to achieve"

whats about the package "spamd" ?

Never mind. Found the culprit.. Had Snort ICMP rule set. Glad to see it's effective. :)

thanks ;D that is what i want.

I only tried to suggest that, change your modem to bridging and use only firewall in routing mode. that ease a bit to troubleshoot gre and other things also.

@pcboarders: i got to get pfsense works in ingress in my head and i think i should be able to figure the rest of filtering out thanks Again created to alias nfsports with the 4 ports and created fileservers with the serverips hope this works got it setup and will try it, see what  happens seems to work for all printers and files that are ubuntu based (nfs) samba is having a canary re-configuring samba to see if that works

If the machin is spamming to an suspect IP address cut it from the network, save all data on the mahcine, check them for viruses and trojans and then kill the machin and do a reinstallation. The problem ist not pfsense or your network - it is the maleware!

Good to hear

Hi, sorry for the delay, i've added an image of how we our network is at the moment. [image: 10993d1313072528-help-rules-routing-2-lan-setup-admin-curriculum-network-simplified-map.jpg]

OK, i'm testing it now….

Thx Jimp. http://forum.pfsense.org/index.php/topic,39627.0.html  (same topic discussed here also, Jimp response more thorough) @jimp: It isn't "reverse" lookups in that way. You can add hostnames to an alias. Periodically, these are resolved again to ensure the IPs are up to date. They are used like any other IP-based alias entry.

Thx Jimp! @jimp: You can, in aliases, in 2.0. They are re-resolved periodically. You can also do this in 1.2.3 but in a hackish way. It only works with the second or later value in an alias It only resolves when the filter ruleset is (re)loaded, so basically when you save/apply. You can cron a filter reload if you really want to hack it up.

Firewall is updated, yesterdays build has some clitch with the aliases. But todays doesn't have. Problem solved