• Squid will not start

    Locked
    0 Votes
    4 Posts
    2k Views

    thx

    In the future I will look before asking.

    I've found what I was looking for.

    Squid will not start on boot-up in transparent mode. The service also stops when certain changes are made to the firewall. (Example: changing web-gui access from HTTP to HTTPS). I experienced the same problem onto different systems.

    My quick fix for the boot-up was to add two lines before exit 0 in /etc/rc:

    /usr/local/bin/beep.sh start 2>&1 >/dev/null
    sleep 15
    /usr/local/etc/rc.d/proxy_monitor.sh&
    exit 0

    If the service stops when firewall changes are made, I reapply my access control list, and SQUID starts working again. (Just starting the service from the gui seems to be hit and miss with respect to the access control rules actually working).

  • Filter is disabled. Not loading rules….

    Locked
    0 Votes
    7 Posts
    4k Views

    There is only one setting where you can disable the firewall completely and that is at system>interfaces like sullrich told you. This is a 1.0.1 release? Maybe a reinstall is in order.

  • Blocking (FTP for example) doesn't work

    Locked
    0 Votes
    4 Posts
    2k Views

    @dr-rox:

    Strange, even after upgrade rules work only after reboot.

    Sounds like a reinstall is in order then.

  • Hamachi (vpn)

    Locked
    0 Votes
    4 Posts
    3k Views

    Thanks for the link, hoba. I searched for vpn, didn't try hamachi. Figures lol.

    I'll check that out as well, sullrich.

  • Parental control

    Locked
    0 Votes
    2 Posts
    4k Views

    Our ACLs are of a first-match type. Put a rule at the beginning that allows the restricted PC access to the website(s) needed (and to DNS possibly) and follow that up with a deny rule from that restricted PC to any. The remaining policy will apply to the rest of your machines.

    –Bill

  • LAN rules not obeyed

    Locked
    0 Votes
    14 Posts
    5k Views

    Should be related.

  • Ftp rules with public IPs no connection on port 20-21

    Locked
    0 Votes
    10 Posts
    4k Views

    Please search the forum. Nearly any question concerning ftp has already been answered. pfSense has an ftp proxy that will dynamically open and close ports for ftp when needed and replace the private IP with the correct public one IF configured correctly.

  • How to block any other service beside HTTP, IM and mail.

    Locked
    0 Votes
    2 Posts
    2k Views

    The main problem when trying to block anything but http is that lots of IM applications or P2P apps switch to using port 80 if they can't get out on their default ports. You might only be able to cut this down by using a proxy. Try the squid package and configure it for transparent use. On top of that, block anything going out but the desired ports.

  • Problem with access to WWW and some other question like WEBGui & VPN

    Locked
    0 Votes
    4 Posts
    3k Views

    To make all local subnets available to the other end either use a subnet that covers all subnets at the multi interface site or build 3 parallel tunnels.

    The webgui will be available through ipsec without any problems by its local IPs.

    You will find some IPSEC clients and a howto for one of them in our link section: http://pfsense.com/index.php?id=33

  • Suggestion: PF IP Tables

    Locked
    0 Votes
    4 Posts
    2k Views

    set the source to "single host or alias" and then type sshblock, :)
    thanks again.

  • Bogon Networks

    Locked
    0 Votes
    3 Posts
    3k Views

    hoba,

    Thanks for the reply, I have them enabled.

    sfm

  • MOVED: root login to SSH

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Firewall Rules on Dynamic WAN Interface - Auto-Adjusting?

    Locked
    0 Votes
    11 Posts
    4k Views

    Reloaded from scratch on my home machine and STILL could not access it from the office.
    (the other tests were between two offices)

    Turns out my residential ISP was blocking the custom port.  Lovely.

    Well, after a change to another custom port, all is well.

    Thanks for the help, everyone!

  • Blocking Users With Firewall with squid

    Locked
    0 Votes
    3 Posts
    2k Views

    I'm having this same problem; will try what you recommended.

  • Import openbsd pf rules

    Locked
    0 Votes
    2 Posts
    2k Views

    Unfortunately not. You would need a pfrules to config.xml converter, as everything is generated on change/bootup from the config.xml.

  • Is this all possible with Pfsense?

    Locked
    0 Votes
    18 Posts
    9k Views

    At status>systemlogs, settings, disable the default logging. Then add a block rule/block rules at WAN with a logging flag that only logs the desired traffic.

  • Gateway-Firewall configuration problem!

    Locked
    0 Votes
    6 Posts
    3k Views

    Normal PPPOE is used between the WAN interface and a utp adsl modem.

    For what you want you need a lan interface and a wan interface,
    and enable pppoe on the wan interface.
    You can't do this with only 1 network card.

  • FTP Rule Max Connections Per xx Seconds

    Locked
    0 Votes
    2 Posts
    2k Views

    I think you should be able to trigger that by adding advanced options to the ftp forward at wan to 127.0.0.1 (the rule the helper created automatically for you when creating the portforward).

  • Noob question (DMZ?/NAT?) sorry if wrong section

    Locked
    0 Votes
    4 Posts
    2k Views

    You only will see the +icon if there is an unassigned interface. You need a 3rd nic for the scenario from the tutorial. If simple portforwards work for you you should just use it.

  • Limiting closed port RST

    Locked
    0 Votes
    3 Posts
    4k Views

    Anything I should do at the firewall side?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.