• Schedule Logic too Difficult for me

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • HowTo Hardening PfSense firewall?

    Locked
    14
    0 Votes
    14 Posts
    25k Views
    J
    @Snailer: A fourth, let's call it a 'paranoid-idiot-fool-and-newbie-high-security's-firewall-proof' checkbox,  ;D would be for me like a wet boy's dream has come true.  :P :+ so that checkbox will remove all rules on the wan port same as your virgin pfsense  ;D
  • Newbie needs help - basic firewalling

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    F
    Thanks for clearing this up.
  • Userland FTP-proxy enabled by default on opt interfaces

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • How can i block sites or ip sites?

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    C
    If you just want to block IP's, do that with firewall rules. You could create an Alias for "Bad Site IP's" or something, then use it in a firewall rule (suggest a reject, not block, rule on LAN, make sure you move it above the default rule).
  • Solid monitoring and rule problem finding

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    C
    The dynamic refresh might not work quite right just yet. I'll take a closer look at it.
  • Multiple Bridged Interfaces

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    H
    Multi-interface bridging is not possible and won't be possible for 1.2.
  • Curious FTP???

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    H
    You probably have the ftphelper enabled or are scanning from behind another pfSense with ftphelper enabled at LAN. As this is a proxy it will redirect the traffic through it and cause a connect. This is normal and doesn't mean the other end actually has this port open.
  • Modify TTL value for security reasons.

    Locked
    5
    0 Votes
    5 Posts
    7k Views
    J
    yeah, thanks ulrich, here … Bill Marquette Mon, 04 Sep 2006 10:09:44 -0700

    Or if you want to fuck with the ISP and have a full blown network behind the pfSense box. Change the following line in /etc/inc/filter.inc

          $rules .= "scrub all {$scrubnodf} {$mssclamp} fragment reassemble\n"; // reassemble all directions

    to:

          $rules .= "scrub all min-ttl 255 {$scrubnodf} {$mssclamp} fragment reassemble\n"; // reassemble all directions

    That will reset the TTL to 255 (substitute whatever sufficiently high value appeals to you) as it passes through the pfSense box. The above line lives on line 166 in filter.inc version 1.575.2.235. BTW, this will have the other added advantage of being able to mask different OSs behind your pfSense box and the network layout as ALL packets will have a normalized TTL after traversing the firewall.

    I don't expect to ever put a gui wrapper around this, I feel it has rather limited use.

    --Bill
  • 0 Votes
    9 Posts
    12k Views
    C
    @rcarr: To fix this issue once you upgrade to 1.2-BETA-1 I'm a little confused after you warned everyone in no uncertain terms not to use any more snapshots or upgrades until the 1.2 release: http://forum.pfsense.org/index.php/topic,4603.0.html

    At this point you should probably run 1.2b1 unless told otherwise, as I said in the linked thread. What Scott said there was just a confirmation of that, and he didn't say "don't use any snapshots until the 1.2 release". As it says in that thread, unless you're told otherwise, don't use snapshots, use the 1.2 beta release. Things can get broken between beta releases, like right now OPT outbound NAT is broken on snapshots but works fine on 1.2b1.

    For now, we follow this rule of thumb - If you run into a problem that was probably fixed by a snapshot since the last beta release and there currently is no major breakage in the snapshots, we'll suggest you upgrade to a snapshot. Unless you know, or have been told, that a snapshot is what you should be running, run the official 1.2 beta releases.
  • SMTP troubles.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H
    http://mxtoolbox.com/ can run tests against smtp too.
  • No DNS (Filtered Bridge)

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    H
    It's a bridge which means you have to use the upstream gateway for your clients and not the pfSense. The pfSense is just a transparent inline filter in this scenario.
  • Filtered bridge

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Z
    Thanks! I will test it on Saturday  ;)
  • Bound several public address to the same WAN interface, outgoing ip?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    @cmb: Never use ifconfig aliases. They won't survive a reboot, aren't necessary, and are the wrong way to set up additional IP's on pfsense. See the Virtual IP page. Then look at the NAT page, Outbound tab. You'll need to enable Advanced Outbound NAT, and put in your NAT rules as desired.

    Thank you, now 1:1 NAT works!  :) I have not used the Outbound tab because, from what I understood, "Automatic outbound NAT rule generation (IPSEC passthrough)" is sufficient. I also had to create a rule on the WAN interface to allow traffic from * to the destination internal address. It works; is it the correct way to let packets pass? Thank you in advance. Davide.
  • Rule creation: difference between subnet and address?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    Thank you very much, Ben. Now I understand!
  • Firewall Setup with bridging (Tutorial?)

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    M
    Thanks! I'll give that a try today.
  • PF or ipfw

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    PF for the main filter set. IPFW is used for captive portal and firewall schedules.
  • SIP Phones/UDP session timeout

    Locked
    10
    0 Votes
    10 Posts
    31k Views
    S
    Yep, I just mentioned it.
  • Reload changes from SSH

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    /etc/rc.filter_configure_sync
  • Bug? User aliases defined as aliases and tables

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    S
    In addition we load the ruleset with pfctl -o which optimizes the ruleset and removes duplicates.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.