I mean connecting to MSN with the standard Microsoft MSN Client. Someone on IRC suggested earlier that I try another IM client to see if that works, but I haven't tried that yet.

i have already read that doc and it did help a lot.. a lot of hard work is going into this project…POSIX is more fun than NT  ;D

Download the full update of RC2 from one of our mirrors and feed it to system>frimware update. The box will reboot after installation. After that remove the squid package at system>packages, installed packages tab, [x]. Then readd it again by pressing th [+] next to the squid line at the packages tab (just the way you did that the first time).

Plain firewall rules really isn't sufficient to block web sites, if you want to do it effectively.  Anyone looking to block web sites should look at a proxy server in addition to your perimeter firewall.

The rules label was incorrect.  That is now fixed.

These rules where inherited from m0n0wall:

allow our DHCP client out to the WAN XXX - should be more restrictive (not possible at the moment - need 'me' like in ipfw)

pass out quick on $wanif proto udp from any port = 68 to any port = 67
block in $log quick on $wanif proto udp from any port = 67 to $lansa/$lansn port = 68
pass in quick on $wanif proto udp from any port = 67 to any port = 68

can you send me the screenshots on how to do it? :) :) :) :) :)

Pleaseeee…... ;) ;D ;D ;D

im a novice... :)

THANKS A LOT!

Confirmed. Look for a bugfix in the upcoming RC2.
Thanks for reporting.

You should consider adding tcp 443 (https) too but besides that your rules seem to be ok.

Please add new posts with a more descriptive topic next time.

i couldnt get traffic shaping working unless i bridged them….....dunno why

and i tried pass rules on WAN interface to allow in web traffic to server,no good

im gonna have to start from scratch or install ipcop...........

@Juve:

Put the block rules first!  It will work better then  ;)

Yeah, rules are matched top down and first match wins  ;)

Check system>advanced settings. Disable webgui antilockout rule there (it keeps access to the firewall itself open at LAN) but make sure you have some other rule in place allowing access to the webgui.

The other option you mention is at this page too and is called "Static route filtering".

Many thanks.

not really  :(

I found a fix. For Gene6 FTP server, open ports 50000 - 50100 in pfSense.

For IIS FTP on 2003 Server enable the direct metabase edit. Then cd\Inetpub\AdminScripts and run adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700" and then open the ports in pfSense. Restart the FTP service. You can use whatever high ports you want, not just 5500-5700, they're just an example.

For IIS FTP on 2000 Server, make sure you have SP4. Use regedt32.exe to locate the key *HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters* and add a value named PassivePortRange of type REG_SZ. Edit the entry and type in your port range and open the ports in pfSense. Close the registry editor and restart the FTP service.

Other FTP server applications should be similar, but I only use and know these well since I'm an MCSE.

It applies for the traffic specified in the rule.

If you are not using NAT, then you need to turn the FTP helpers off on each of the interfaces.

I know with Cisco switches you can setup a private VLAN where the isolated ports can only communicate with the promiscuous port(s).  For example you have two computers on two isolated ports, and pfsense connected to a promiscuous port, each computer can communicate with the pfsense box, but not with each other.

The router/pfsense doesn't really interact at all if the communicating computers are on the same subnet.

This was fixed recently.  Run cvs_sync.sh releng_1 && shutdown -r now

This is perfect. Thanks for your help.