Yeah, UTM (Unified Threat Management) is the marketing term. Though you could just as easily call pfsense a UTM device, it has firewall, VPN, IDS/IPS, and some content filtering, and we're working to fill more of the check boxes that make a UTM device. Not because we think it's great (I still like to split out things a lot more than any UTM would with everything turned on), but because that's what people want.
It's probably a bug, and probably still a bug in 1.2b1. We removed IPv6 from the kernel entirely, this definitely isn't going to work (no need to allow/block IPv6 traffic, pfsense is going to completely ignore it all).
Funny, my Dutch Linux/BSD magazine stated that there are real plans to push IPv6 into real action. :)
I am aware that pfSense blocks by default -well done-, but it doesn't hurt to add a rule explicitly denying some traffic (and by this throwing up a 2nd barrier ;D).
That's what I was thinking.
I'm having a bit of a problem enabling MSN video conference ports. I looked around and found they are dynamic and Microsoft recommends a huge port range.
The actual Real-time Transport Protocol (RTP) streams are sent using dynamically allocated UDP ports in the range of 5004–65535. Without a way to open these UDP ports on any firewall in the path dynamically, the streams fail to reach their destination.
I don't know about sending syslog, but personally I have http://denyhosts.sourceforge.net/ on every box I own. I don't have any BSD box (except pfSense, which has the SSH port closed, so I didn't need to try it). It works great on Linux boxes; maybe you can try it on pfSense?
I'll check it out. I see it's in the FreeBSD ports tree, so I'm sure it will work.
I would recommend using a proper split DNS infrastructure and not using reflection. It's ugly any way it's done, but it's really ugly how we currently do it. :) A replacement is in the works for a future (post-1.2) release.
But if I turn reflection off, then whatever I try, rsync won't work. Did I miss something?
pass in quick on $lan route-to { ( rl2 firstfailoverip ) } from any to any keep state ( max-src-nodes 5 max-src-states 5 tcp.established 60 max-src-conn-rate 5/1, overload <virusprot> flush global ) label "USER_RULE: adsl fail airband"
Obviously, replace firstfailoverip with my gateway's IP address.
And with this rule being the only pass rule, I can get 20 connections in my download manager.
A fourth, let's call it a 'paranoid-idiot-fool-and-newbie-high-security's-firewall-proof' checkbox, ;D would be for me like a wet boy's dream come true. :P :+
So that checkbox will remove all rules on the WAN port.
If you just want to block IPs, do that with firewall rules. You could create an alias for "Bad Site IPs" or something, then use it in a firewall rule (I suggest a reject rule, not a block rule, on LAN; make sure you move it above the default rule).