@althornin:

You are allowing "prod net rule allow any to any" - your firewall is doing exactly that!
change the rule to "allow any to !mgmt"….

Yes i know this, but id like to know can i map rules to interfaces. Eg. Packet flow
is something like this:

Packet in Int1 -> Check against int1 rules -> Packet routed to Int2 -> Check against Int2 rules.

If this is not posible i think i try to modify that Firewall: Rules page so that i cab see all my rules
in one page (like checkpoint). I think this way i can get more cleaner picture how my fw rules are checked.

Br,

Ville

Can't say that I have ever seen the need for this.  Can you explain why that option is only needed in you're case?

Just keep in mind: You always have to block Incoming traffic at an Interface, so if you want to block traffic from LAN to Opt1 your rule has to be applied to the LAN Interface.
In your scenario I would use some Aliases to get your blacklist function and to keep number of rules low to have a better overview:

at all Interfaces:

block proto any source-ip "blacklistip" source-port any destination-ip any destination-port any
block proto tcp/udp source-ip any sourceport any destination-ip any destination-port "blacklistports"
pass proto any source-ip <interface>subnet sourceport any destination-ip any destination-port any

Needed Aliases for this:

blacklistip -  hosts alias with all blocked IPs
blacklistports - ports alias with blocked ports

This way you can simply add your IPs to the blackistip alias or ports to the blacklistports (at least if you want to handle them all the same way). For special needs you can combine ports and hosts aliases or invent more aliases. Try to use the alias system as much as you can. It can simplify things a lot.</interface>

That will most probably be a feature of 1.1 alias system. Not yet doable.

I did not get things working with siproxd and asterisk. Maybe I am feeling slow to day, but I am not getting it. Where should my asterisk box be pointing. I have a connection with iconnecthere and sipphone, and fortunately these are my only 2 SIP based providers. So what I need to do to the asterisk side so I can route my SIP accounts through siproxd on the pfsense box?

K

@Leoandru:

@billm:

The client connection limit and max connections/second are for the rule.  Soooo if client connection limit is set to 10, you can have 10 state entries total, it could be 10 from one host, or one each from 10 hosts.  New connections/second works the same way.

–Bill

Is it possible to have the Simultaneous client connection limit work on a per host basis? It would be a nice feature. I have been having problems lately with persons running bittorrent opening many connections all at the same time.

EDIT:

What about an option for limiting the total number of connections per source? "max-src-conn"
In other words, limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

Work up a GUI + filter.inc patch and we will entertain it.

Ok… I wait...

Thank!!

Let me know if you need any test...

do you have setup the firewall rulles for ping ?
if you put on the lan tab the opt1 tab and the opt2 tab this rule
icpm * * * * *

then they can ping lan network opt1 netwerk opt2 network and the internet

It works
Thanx a lot

@sullrich:

Aren't you comparing apples to oranges?  Last time I checked m0n0wall doesn't support atheros.

True, m0n0wall doesn't support Atheros. I need to check this with the atheros card removed.

apparently now works fine, thk sullrich :D

Wait for beta2 which has a static port option.  Search the forums for more information as this has been talked about already.

Yep.

In my experience blocking 6881-6999 will help in most cases.  A more effective solution involves squid.  Look at one of the squid threads for my suggestion of this feature.

This is the same problem like here: http://forum.pfsense.org/index.php?topic=293.0
You have to use advanced outbound nat to create additional nat mappings for the internal networks pfsense doesn't see directly (in the webgui at Firewall>NAT, outbound tab).

Also make sure you have all routes setup accordingly.

Don't worry, my NIC can't support 802.1q ;-)

delete this

Thank you

Merry Christmas ;-)

Use the virtual ip option and setup the ips as CARP or PARP.

Although inputting 8 class c's is not going to be fun!

Be carefule with update_file.sh … It pulls from CVS HEAD and not RELENG_1.

Speaking of which, it's time to fix this problem.

LOL … nope!  ;)  Guess I should go back to my roots of just trying to click on everything!

Thanks again...

-- Phob