• Block bitcomet traffic

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J

    IMHO, yes pfSense can block it. I suppose you're trying to block bittorrent traffic coming from your LAN subnet, right? Can you post what your firewall rules are? Try using the rules implied in this example -> http://doc.pfsense.org/index.php/Example_basic_configuration , works for me.

    HTH

  • Internal routing crashing ?!?! netfilter ??!?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Z

    @pinky:

    netfilter service seems to be stopped crashed ?!?! so restarted it nothing, ….
    reboot the firewall and all is working again till, .... it happens again...

    Wrong OS, pfSense runs under Unix, not Linux.

  • VOIP and ports used

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Port 21 allowed for what seems like no reason

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    S

    Caused by the FTP proxy redirect.  Do the test from a different host that is not behind a pfSense firewall (if you are testing pfSense's exterior WAN).

    This has been discussed at length on the public lists.

  • Alias or name for public internet address space

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jahonix

    Create an alias containing all your subnets.
    Write an allow rule for all but this alias and you're done.

  • Blocking Access to Specific Host

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    ?

    @bairdmj:

    I am trying to create a simple rule.  The rule will deny all LAN users access to one specific internet host (TCP/*).  To do this I have created a firewall rule on the LAN interface:

    Proto  Source  Port  Destination  Port  Gateway  Schedule  Description 
    TCP * * BLOCKED.IP.HERE * *   BLOCK OUTGOING TEST

    The rule has been moved to the very top.  Beneath this rule, I do have one that allows LAN NET to access *, but since this rule is on top, it should work right?

    This rule does not seem to be working.. all LAN users are able to access the blocked destination.  Does anyone have any ideas as to why this is not working?  Am I missing a step?

    Thanks

    Have you verified that the destination traffic is as expected, in other words the IP you have in the block?
    Check your logs (obviously turn logging on if you don't have it on).

    Otherwise you can try to block a site you know has only one IP address and see if that works.

    /f

  • I want redirect port 443 to my squid in port 80, How to do?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Cry Havok

    Then I'll say it again - you can't.  What you're effectively talking about is referred to as a "Man In The Middle attack".

  • Interface Direction (and why it's important to me)

    Locked
    12
    0 Votes
    12 Posts
    7k Views
    S

    @sullrich:

    There is no reason you cannot control a squid server going to the internet now.  Simply control the flow on the incoming interface of pfSense.

    I meant a squid server running on the pfSense box itself…

  • How to block url for temporary time?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S

    @GruensFroeschli:

    Get a list of all IPs of servers which are related to the website you want to block
    (I suppose myspace has more than one server).

    Make an alias with all the IPs you want blocked.

    Create a scheduled firewall rule.

    set as destination the alias.

    Firewall rules don't affect Squid running on the firewall.

  • We know FTP Sucks with pfSense! I can live with that but –>

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C

    I was not aware of your environment.

    I also work for a wireless ISP, a small one at the moment, but in February we will be adding 2000 Access Points. Right now the wifi network is stuck with NAT because we don't have enough real IP addresses; hopefully that will change in the near future. I think to be like a large ISP we will need to dump NAT completely, then use pfSense as a transparent firewall.

    PFSense transparent firewall is described here:
    http://pfsense.trendchiller.com/transparent_firewall.pdf

    According to the above document, FTP still might be an issue and Captive portal will not work with a transparent firewall. Will have to set up a test network and see if that can be fixed.

  • LAN FTP issues

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P

    Judge for yourself :)
    http://devwiki.pfsense.org/FTPTroubleShooting

    http://forum.pfsense.org/index.php/topic,7096.0.html

  • Locking down DMZ and LAN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry Havok

    Only you can say ;)  I'd allow 123/UDP to the pfSense host from both LAN and DMZ and make the pfSense host the timeserver.

    Yes

    Probably not

    If you port forward to those services

    Restrict by destination (say by only allowing LAN clients to access email services on the DMZ, not the entire Internet)

    Depends on how you implement the VPN.  There is no way to filter OpenVPN right now, but IPSec can be filtered.

  • Sun Cobalt behind of pfsense

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Citrix, Sort, and a Firewall

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    R

    Ok Kill this topic….. I see that this is SUCH A SMALL ISSUE that it should not get much thought!

    MERRY CHRISTMAS TO ALL!

  • Squid disables rules for segregating subnets

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 3 loadbalanced wan possible? any idea?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C

    Search the forums, I have read about it. All you have to do is create the pool with the 3 instances in it. When you do the failover, just make sure all the different WANs are covering each other: 1->2->3, 2->3->1, 3->1->2

    That should always keep you up.

    Search the forums first.

  • Need help urgently!!

    Locked
    15
    0 Votes
    15 Posts
    5k Views
    C

    Not to be the jerk and captain obvious, but did you disable everything down to just the processor and the NICs?
    What kind of hard drive is in this thing and what kind of chipset is running the thing (nvidia)? I have had 3Com and Intel NICs in my machine and the only thing that has been tripping it up is my assistant, who was covering for me when I was on vacation: she pulled the power plug on the unit instead of the cable modem. I think that I was up since August with no issues.

  • Site/site ipsec vpn, with a static route at one end.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    Not currently doable but it will be in 1.3.

  • How to forward http traffic to dansguardian?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Opt subnets cannot reach internet

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.