• Whereis the pf.conf file


    @Aderium:

So bottom line, you can't change configurations from the shell?

    Correct.  The shell is there for debugging, not for modifications to config files.

    –Bill

  • Question Auto Reject IP?


    We just recently fixed this problem.  The block rule for the overflow table was not in place.

    This will appear in beta4.

  • Strange log entries?


Keep in mind that if this traffic is routed to you for whatever reason, it takes away some of your bandwidth. So if this starts to become more, you might have problems using all of your bandwidth. However, this is not a pfSense issue but related to your ISP having something misconfigured.

  • Limiting Maximum state entries per host didnt work perfectly


    wow. it seems to work great!
    :o

my traffic is cut in half and my browsing seems to be faster than ever.
i think this is better than traffic shaping itself

thanks a lot!

    rex

  • Beta 3 - Problem with filter rules and fix


"cvs_sync.sh releng_1" syncs your box to what can be found on the web. It's the latest of pfSense development. It's recommended to upgrade to the latest official release and then run this command on top if you encounter any problems or you encounter a bug that is already fixed in the code tree but there is no image/update for it yet.

  • Pf.conf -> XML?


    @unit3:

    I'm maintaining an OpenBSD firewall, but there's some concern at the moment that if I get hit by a truck, nobody else here knows enough about *BSD to keep it going. I've been looking at pfSense, and it looks pretty fantastic, so I'm thinking that moving our firewall to pfSense would be a reasonable plan.

However, I have a pretty large and heavily tested pf.conf already. Is there an easy way to translate this into the XML format that pfSense wants for its configuration, so I don't have to manually migrate all the rules?

    Need a job?  Ever considered that the truck might be someone hiring? :)

    –Bill

  • Alias for some hosts


    @hoba:

In pfSense 1.1 you will be able to let pfSense resolve the URLs by adding a URL-type alias, but for now (v1.0) you have to do it based on the IPs.

Even then, it'll be limited to what DNS returns.  If yahoo (to continue the example) uses a DNS load balancer such as F5's 3DNS (now GTM) product, it's unlikely that two queries will result in the same answer.  Using DNS to resolve hostnames can be useful, and I can see the alias name being populated with a DNS entry where there's a checkbox or such that allows pfSense to auto-populate the IP. I don't, however, expect us to update the alias automagically.

    –Bill

  • Bridge does not work


    Hello Guys,

I tried it on hardware and it partially worked. This is what I have noticed:

1- All the interfaces had no IP address, so I had to set the IP for the bridge interface manually.
2- For testing's sake, outbound/inbound was allowed, but the client still did not get an IP address through DHCP, so I set it manually and was able to surf.
3- For an unknown reason I was only able to surf for a few minutes; then it goes down and up again in a matter of 30 seconds, more or less.
4- I could not access the management interface from the LAN side, but I was able to access it from the WAN side.
5- When a reboot was made, the LAN and WAN interfaces had an IP address and the bridge did not have an IP.

    I will give it a thorough test over the weekend and post the results.
    I guess I should learn about FreeBSD.  ;)

    Al

  • Beta3 bridge


To successfully activate the bridge:
IFCONFIG - all interfaces must have status active (check this)
interfaces must be plugged in to active LAN hardware
interfaces can't be plugged into one switch or make a circle scheme

In bridge0 all members must be in forwarding state.

Need to add a procedure to the webgui for testing bridge problems (for the beginning, written by me)

Next time I will test the firewall with bridge & possibly write about it

  • Block outgoing - except the few necessities…


Yep, it has. The releases after beta-2 had that bug in the webgui removed. If you choose the "port" option in the alias menu, now every single line's second dropdown with the bitmask is greyed out, not only the first one as it was in beta-2. So (as far as I see) it is truly and finally fixed :)

  • OPT1 NIC equal rules as LAN NIC


Thanks for the confirmation.  I discovered that I had not modified the subnet mask for the OPT interface from 32 to 24 :-(

    All is well now ;-)

    Tor

  • PPTP clients to the LAN


    Ok.
    Just to let you all know that it works.
    Thank you all for your help.
    Cheers

  • Help with Firewall


It will allow them to connect from BOS to CLT, but it will not pass through the DMZ.

  • What limits the number of states that pfSense can handle?


    @Numbski:

I'm seeing that all of my pfSense boxes have a fixed number of states that they can handle, which is 10,000.

What sets this number?  Is it an arbitrary limit?  Kernel limitation?  Driver limitation?

I have an environment where I'm looking to put 2 or more pfSense firewalls into place to share the load, and I think they have the horsepower to handle far more than a WRAP box can, but they are both limited to this 10,000 number.  What establishes this limit?

The 10K states is an arbitrary default set by pf.  Each state eats approx. 1K of RAM, so 10K states could potentially eat 10 MBytes. The pf (note, I'm not talking about pfSense) developers chose 10K due to a desire to have pf work out of the box on low-memory platforms.  We've chosen to keep that limit; however, as hoba pointed out, this is changeable in System->Advanced.  At some point, I may choose to make this a dynamic default based on system memory, but 10K is actually a halfway decent default that most users won't exceed.

    –Bill

  • Outbound FTP from DMZ <-bridge-> WAN


Well, not the WAN interface, just the DMZ.

  • How to turn off Firewall on OPT1 side


Show me a tracert from this OPT client to a LAN IP. I'm using pfSense with multiple interfaces and firewalling between them, even with aliases, and it works as expected. Do you really see blocks at Status > System logs, Firewall? If yes, which rule causes the block (click the small block icon in front of the line)?

  • Using Port-Aliases in NAT Rules


Forgot to mention beta-2. But I've already downloaded the latest snapshot

    http://pfsense.com/~sullrich/RELENG_1_SNAPSHOT_04-03-2006/

    and will test it tomorrow at first :)

  • Firewall Rule not working


I've come across similar problems with beta and (NAT) rule creation. Sometimes it seems that the filter did not get updated as reported by pfSense. Will check this in the latest snapshot, but sometimes it helps to edit a filter rule, save it and hit reload.

    Greets,
    Grey

  • Block Ports in IPSec Tunnel


On the incoming interface (e.g. LAN)

  • IP Banning for Multiple Attempts (Attacks) on Firewall?


    I have added this on my web server to limit the SSH brute force attacks, and it works quite well.

    But I would very much like to have it in the firewall instead of on the server because I think it belongs there and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses ;)

What it does is that it logs and blocks the third attempt, and it just blocks the 4th and later attempts to avoid my logs being flooded.

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.