• Name resolution in firewall rules

    Locked, 0 Votes, 4 Posts, 2k Views

    I guess this would be for blocking myspace or something. The only problem is they have ~7 IP addresses.
    Keep people honest at work huh …  ::)

  • Name resolution in system logs:firewall

    Locked, 0 Votes, 1 Post, 2k Views
    No one has replied
  • Possible Bug in creating filter rules

    Locked, 0 Votes, 1 Post, 2k Views
    No one has replied
  • FTP Passive problems

    Locked, 0 Votes, 6 Posts, 3k Views

    http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

    New batch is building now.

  • Autoupdate of WAN address doesn't seem to work

    Locked, 0 Votes, 17 Posts, 6k Views

    Hi there,

    it seems to work now. Thank you very much for your help.

    BTW: The new web-interface looks gorgeous ;)

    Cheers,
    Manuel

  • How to blk acces to the internet?

    Locked, 0 Votes, 5 Posts, 2k Views

    Thx Sai,

    yes indeed about Squid. I am getting into that.
    I managed already to make a filter and add some IPs to it.

    Now my next objective is to create a filter for every user.
    I have this in Squid.inc:

    acl semirestricted_hosts src "/var/squid/acl/semirestricted_hosts.acl"
    acl semirestrictedlist dstdom_regex -i "/var/squid/acl/semiwhite.acl"

    Now, should I just add two more lines to create another filter?

    Thx,

    David

  • Firewall Rules logging issues…

    Locked, 0 Votes, 10 Posts, 4k Views

    I've just fixed the file, and added a link to the dynamic view on the filter logging page.

    In about an hour, grab the latest snapshot and you will see the new option.

  • DNS Rule Apparently not working

    Locked, 0 Votes, 3 Posts, 2k Views

    Depending on the implementation it might be udp and tcp. I would make the rule use protocol udp+tcp.

  • Blocking certain subnets in my ipsec network

    Locked, 0 Votes, 6 Posts, 3k Views

    Nope, you didn't get the point:

    192.168.1.0/24-----LAN/pf1/WAN-----(VPN)-----WAN/pfcolo/LAN-----192.168.0.0/24

    You block traffic at LAN of pf1 leaving into the IPsec tunnel, like from pf1 LAN subnet to remote subnets, before it goes into the tunnels.

  • 0 Votes, 5 Posts, 3k Views

    Using 1.0.1-SNAPSHOT-02-02-2007 built on Sat Feb 3 20:14:47 EST 2007 now.
    The ping issue is gone :).

    Thanks to hoba for the heads up about it being fixed and to everyone working on the pfSense project.

  • FTP is going through

    Locked, 0 Votes, 4 Posts, 2k Views

    In case you have to pay for traffic I would frequently check the rrd graphs. It should be an indicator for unusually high traffic. If you see something there it's time to monitor your traffic, either by viewing pftop from the shell or checking diagnostics>states. You should find the sucker pretty quick then.

  • Allowing DC++ and MSN(trillian) in pfsense?

    Locked, 0 Votes, 5 Posts, 3k Views

    Sorry, I meant put my external IP (which everyone connects to) to my internal IP, which is what I'm hosting the service upon.

    I seemed to get some issues that way and I still can't work out how to allow MSN, but apart from that it seems to do the job well :) fairly intuitive to use as well, I'll just play a little more to try and sort this problem with MSN.

  • How to install FW policies from FWbuilder.

    Locked, 0 Votes, 6 Posts, 5k Views

    @yozh:

    Oh okie. That's cool. Is there any way for me to import my rules now, or do I have to put them in manually?

    Manually…

  • IPcop-like

    Locked, 0 Votes, 3 Posts, 2k Views

    Hmmm you're probably right, I'm connected at WRT45G place now, Ok will reset the linksys now…

  • Bridge setup

    Locked, 0 Votes, 6 Posts, 3k Views

    It's just by design that we only filter incoming. There have been lots of discussions about changing that. Search the mailing lists for these discussions. If you are only interested in the result of the discussion: We (pfSense devteam) don't want to change that.

  • Basic Question Re IPF rule orders

    Locked, 0 Votes, 4 Posts, 2k Views

    @ipfftw:

    I'd imagine it's similar.

    No, not in the case of what you're asking for, sorry.

  • Some ports show up as open?

    Locked, 0 Votes, 8 Posts, 4k Views

    Cool, you were right on this one. I checked from home and it was ok. I was checking from my secondary location… but I use pfsense there also. Thanks for the reminder.

  • Linux logon based on LDAP cannot go through pfSense

    Locked, 0 Votes, 5 Posts, 2k Views

    Btw, on FreeBSD it is possible to force mountd (rpc.mountd in your case) to bind to a specific port instead of dynamically choosing a port. That way it's possible to create a filter rule for mountd by using that particular port.

    Regards
    Daniel S. Haischt

  • Quick questions about ip ranges and pfsense

    Locked, 0 Votes, 3 Posts, 2k Views

    Ok, I know this is a late response but I figured out why the CIDR masks weren't working. It was because the users weren't giving me the correct ranges or subnet masks, so I was using the wrong CIDR masks. I just tested it with our range and it works great. I'll be moving us to pfsense in the next few weeks as a permanent solution.

  • Block WAN to ALL exept given host group alias "netok"

    Locked, 0 Votes, 2 Posts, 2k Views

    For the first part of your question:
    You need portforwards too as you have a NAT setup (I guess you have, not sure about that as you don't mention turning off advanced outbound nat).

    For the second part:
    pfSense utilizes an ftp proxy to handle ftp connections and nat. For your setup it might be better to turn it off (interfaces, lan, fthelper checkbox). By turning it off you will only be able to use passive ftp from lan to a server at wan. However, you can then more easily write firewall rules for ftp.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.