• Block by MAC address

    Locked
    0 Votes
    4 Posts
    2k Views
    Cry Havok
    The point is, if you've searched and found a number of threads where people are told that it can't be done, then maybe it's because it can't be done. Yes, using a static DHCP or static ARP and then blocking those IP ranges are your only options on pfSense. One option is to create a virtual IP and DHCP range just for those you want to block.
  • Q: pfSense and DDoS

    Locked
    0 Votes
    4 Posts
    4k Views
    @subfire91: how can you measure the size of SYN attacks in Mbit/s??
    Interface line rates on your border router minus the historical value of normal traffic at that time of day on that interface.
  • OpenVPN traffic being blocked

    Locked
    0 Votes
    2 Posts
    2k Views
    Problem solved. I needed to select "Bypass firewall rules for traffic on the same interface" under "System->Advanced". BBB
  • Problems with filter rule (created by inbound NAT)

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to Forward / Redirect Destination IP

    Locked
    0 Votes
    3 Posts
    2k Views
    @compucoder: Hi everyone, I have a puzzling dilemma and can't figure it out. We have a developer who is using a remote client WSDL file and that file is written so it works on the client subnet. It basically has 10.0.0.0 addresses it uses for hitting their servers. What I am trying to do is, if the firewall sees an outbound connection from the developer trying to hit a 10.0.0.x IP address, to forward it to the client's public IP address. I guess I am trying to do the opposite of port forwarding. I think I want a redirect rule but don't know how to do this in pfSense. So something like this: LAN->10.0.0.x Redirect or forward so it looks like this LAN->69.x.x.x (client public IP) Thanks for any help.
    Not quite the answer you're looking for, but your developer should be able to just change the address in the WSDL or in his connection code to point to the proper IP. Much easier than trying to do weirdness with pfSense. I've done it before with Java, don't see why it'd be different with other languages.
  • File upload in squid

    Locked
    0 Votes
    3 Posts
    8k Views
    There is a way in vanilla pfSense, although it might not be implemented in the GUI.
    @http://www.experts-exchange.com/OS/Linux/Administration/Q_23504337.html:
    Out of squid.conf:
        #  TAG: request_body_max_size  (KB)
        #      This specifies the maximum size for an HTTP request body.
        #      In other words, the maximum size of a PUT/POST request.
        #      A user who attempts to send a request with a body larger
        #      than this limit receives an "Invalid Request" error message.
        #      If you set this parameter to a zero (the default), there will
        #      be no limit imposed.
        #Default:
        # request_body_max_size 0 KB
    This will limit file uploads for ALL users going over this proxy as this currently can't be ACL driven.
    I played a bit and found a solution that should work (at least in my limited testing, it worked):
    You need to add the following lines to your squid.conf:
    --------------------
        external_acl_type request_body %{Content-Length} /var/tmp/request.sh
        acl request_max_1 external request_body 1000000
        acl request_max_3 external request_body 3000000
    /var/tmp/request.sh is the external helper program needed (see code snippet below) and may be placed at any location you want (probably /usr/lib/squid/, this is (on my system) the directory where all the other helper apps reside).
    1000000 would mean 1MB is allowed and 300000 would mean 3MB are allowed (change according to your needs).
    Now you need to apply access rules based on these ACLs in your squid.conf, e.g.:
        acl powerusers src 192.168.1.0/24
        acl students src 192.168.2.0/24
        http_access allow powerusers request_max_3
        http_access allow students request_max_1
    I hope this works for you, it does for me.
        #!/bin/sh
        # Squid hands the helper one line per request: "<Content-Length> <limit>".
        # Requests without a body carry no Content-Length and arrive as "-";
        # treat anything non-numeric as 0 so the comparison below cannot fail.
        while read size limit; do
          case "${size}" in
            ''|*[!0-9]*) size=0 ;;
          esac
          if [ "${size}" -gt "${limit}" ]; then
            echo ERR
          else
            echo OK
          fi
        done
    --------------------
  • Error …please help me

    Locked
    0 Votes
    6 Posts
    3k Views
    hahhaha…thanx mate... love your support
  • HTTPS on optional interface

    Locked
    0 Votes
    6 Posts
    3k Views
    Nm, it was an access control issue with the PBX. My LAN subnet was not listed in access controls. Thx anyway
  • (solved) How to block Teamviewer

    Locked
    0 Votes
    12 Posts
    101k Views
    To block these sites, I forced all DHCP clients to use my AD Server as the DNS resolver with OpenDNS as my forwarding Internet DNS server. On the FW, I just set port 53 or DNS to only use OpenDNS as the only DNS - all other DNS resolvers are blocked (this is on OUTBOUND or LAN). In AD, I create DNS zones such as logmein.com, teamviewer.com, and all the DNS I want to prevent from going out internally, and I resolve them to the IP address of google.com - every time they try to resolve these sites, they redirect to google.com. If they try to use GoogleDNS or other, it doesn't work either. It was easier to put these DNS hosts in AD than in pfSense - hopefully there is a better option in pf's future.
  • Add rule for interface from drop-down list

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Internet Schedules

    Locked
    0 Votes
    4 Posts
    20k Views
    You can use SquidGuard's time rules in conjunction with Squid, but the firewall rules method is a lot easier for simple times.
  • Firewall rules aren't working

    Locked
    0 Votes
    12 Posts
    8k Views
    One more thing, I had "synproxy state" checked under my rules and didn't realize it would affect the services / ports in this way. But basically, whenever I had "synproxy state" checked instead of "keep state", it would skip the rule and go to default deny, and block it. I thought synproxy worked for all TCP connections? Who knows… guess it was always nice to see the output of pfctl whenever I loaded a new pf.conf for debugging purposes. Is synproxy state not for HTTPS / SSH? Enlighten me. ;D
  • [SOLVED] transparent filtering bridge doesn't work!

    Locked
    0 Votes
    7 Posts
    5k Views
    Fixed!! When pfSense is set in bridge mode it uses Spanning Tree (STP) to control the bridge (like a switch). This maybe conflicts with my switch and its VLANs (where STP is enabled by default for each port). However, I just disabled STP on the switch port where the WAN is connected and then I can ping to/from the bridged DMZ. This problem would never have occurred when I used 3 switches, one for each segment, instead of VLANs on the same switch.
  • Weird behavior on my DMZ (VMware ESXi related?)

    Locked
    0 Votes
    4 Posts
    3k Views
    So, since your WAN gateway IP address and your DMZ gateway IP address are the same, I'm pretty sure you need to bridge your WAN and DMZ interfaces. You'll need to configure your network interfaces in ESXi to permit promiscuous mode in order for the bridging to work. I have a similar setup and had similar results until I figured out the issues with bridging and promiscuous mode. Hope this helps.
  • UPnP not working

    Locked
    0 Votes
    13 Posts
    12k Views
    Nope, not working anymore.
  • Block iPhones

    Locked
    0 Votes
    9 Posts
    3k Views
    jahonix
    @Gob: now there's lateral thinking! Sure. It would get boring otherwise, wouldn't it? ;-)
    1. allow Mac OS
    2. allow Windows
    3. deny the rest
    How about that? Rules out iPhones as we just learned. But I'm sure you'll come up with some VAXes or other uncommon gear and it doesn't work this way. Anyone surfing with a PSP? ;-)))
  • Two simple questions

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    One is probably the console (keyboard/video, or serial) logged in and sitting at the menu. The other is probably the interactive session you're using.
  • What is FW RULE - Advanced Options really for? Is it working?

    Locked
    0 Votes
    4 Posts
    4k Views
    It could be like you mentioned where it gets to the UPnP process on the firewall before reaching the firewall rules. I just tried creating a block rule for 2189 and I can still get to the UPnP process.
  • Block MAC addresses

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Push certain traffic to a specific proxy server

    Locked
    0 Votes
    3 Posts
    2k Views
    The only option I can think of is to send all Internet traffic through the proxy and bypass the proxy for some sites. In Squid, disable transparent proxy. In "Internet Explorer" (not sure if other browsers support this) > Options > Connections > LAN settings: set proxy address x.x.x.x port 3128. Under "Advanced" you can add addresses that will not use the proxy server. Hope this helps.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.