• 0 Votes
    9 Posts
    2k Views
    S

    By the way, it also crashes Safari the second Safari 6.1 seed.

  • Still getting never ending DHCP leases

    2
    0 Votes
    2 Posts
    810 Views
    P

    What is the MAC address? Is it an unusually "non-random" one?

  • 0 Votes
    4 Posts
    1k Views
    W

    thanks for clarifying this. I thought it was just missed.

  • OpenVPN tries to bind to not existing IP

    4
    0 Votes
    4 Posts
    2k Views
    G

    Yes, it was a gateway group. The interfaces are not on VLANs.
    I can't reproduce it because it's a productive environment and the cable interface made problems.

    The strange thing was, that pfsense couldn't resolve the ip for the endpoint while this time. I think the cable interface had the default route and I didn't bind the DNS servers to an interface.
    Now I enabled automatic changing the default route.

  • 0 Votes
    2 Posts
    2k Views
    Z

    39 views and no replies. Yet I am thinking this way in pfSense 2.1:

    Internet >> Varnish3 >> ModSecurity_Apache Reverse Proxy >> HAPROXY+stud >> Portforwarded to >> webservers behind pfSense 2.1

    In above, all the connections to port 80 from the Internet would first be handled by Varnish3 and delivers immediately if it is in cache, else passes to ModSecurity Apache Reverse Proxy or all connection to port 443 would be directly handled by ModSecurity Apache Reverse Proxy which shall together with the connections to 80 be forwarded to HAPROXY-dev for loadbalancing which will finally be sent to the webservers behind firewall. Is this an ideal setup?

    Now how does it fare with SNI? I know stud supports SNI. How does ModSecurity Apache Reverse Proxy handle SNI?

    Can anyone guide me how to achieve this in gui (confusing to a command line guy)? And how to install an extra package like stud and configure without a gui interface to package? Quite confused. hmmm…

    Thanks in advance!

  • Pfsense didn't send notification emails over openvpn/ipsec

    8
    0 Votes
    8 Posts
    2k Views
    G

    For dnsmasq I found this:

    You can control how dnsmasq talks to a server: this forces queries to 10.1.2.3 to be routed via eth1

    server=10.1.2.3@eth1

    For smtp.inc fsockopen can be replaced like in http://stackoverflow.com/questions/4765269/specify-source-ip-using-fsockopen:

    $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    socket_bind($sock, '192.168.1.100');
    socket_connect($sock, 'stackoverflow.com', 80);

    I'm not a friend to make the config more complex with unnecessary routing.

  • IPSEC Script error

    4
    0 Votes
    4 Posts
    1k Views
    G

    For identifier I use "rad-az".

  • Carp failover ipv6 issue

    3
    0 Votes
    3 Posts
    1k Views
    S

    Ok

    But it's receiving the heartbeat in ipv4

    I really have no clue what is going wrong.  :-\

    I have set a dedicated nic for the carp traffic with both ipv4 and ipv6 static addresses

  • NanoBSD+VGA snapshots safe again?

    3
    0 Votes
    3 Posts
    883 Views
    jimpJ

    The next ones to upload are OK again. NOT the ones there now, but the ones actually uploading as I type. Datestamp on them should be 20130629-1351

  • NanoBSD VGA Images Missing Kernel

    Locked
    11
    0 Votes
    11 Posts
    2k Views
    jimpJ

    The snapshots uploading now contain a proper kernel so NanoBSD+VGA should be safe again once they upload.

  • Firewall logging randomly stopping

    1
    0 Votes
    1 Posts
    928 Views
    No one has replied
  • Cannot Connect a 3g Modem

    7
    0 Votes
    7 Posts
    2k Views
    A

    I can confirm this, the PPPs page is broken again and my serial maintenance console gets killed. I've updated Bug #2433.

  • Upgrade screen never goes away without two reboots!

    15
    0 Votes
    15 Posts
    3k Views
    Z

    There are no error reports in relation to the ModSecurity package except the line quoted above. It downloads the packages and xml files and finally halts at:

    "Executing custom_php_resync_config_command()…"

  • Filterdns: Different hostnames resolve to same ip address

    2
    0 Votes
    2 Posts
    850 Views
    jimpJ

    It's just informative.

  • Status -> Captive Portal (Sorting Error)

    2
    0 Votes
    2 Posts
    737 Views
    jimpJ

    Fixed, thanks!

    https://github.com/pfsense/pfsense/commit/210eea2caaaeaea672b59f3b61895866ef9ae365

  • ROOT MOUNT ERROR during boot with no keyboard or mouse attached

    7
    0 Votes
    7 Posts
    4k Views
    V

    wallabybob: Thanks for help! It's working!  :)

  • GUI crash

    5
    0 Votes
    5 Posts
    2k Views
    jimpJ

    I go into detail about why it shows up that way on the doc I linked to there.

  • 0 Votes
    2 Posts
    999 Views
    jimpJ

    Interesting. I'm not sure I've seen that issue, but I wonder if that might help solve some of the quirks people have with quagga here and there.

  • Diagnostics: Show States …... WHOIS?

    15
    0 Votes
    15 Posts
    4k Views
    jimpJ

    @Clear-Pixel:

    With the states not bound to an interface, I just hard coded it to block IP on the WAN interface and relay to Easy Rule alias. It is not perfect as I explained above, will have to see if there are other options that I can code to take care of the odd balled results in the firewall rule duplications for each IP added. There are still a few tweaks I can make before I dump the code here …. it really didn't take but 3 min to mod the code once I figured out the easiest way of going about adding the Easy Rules mod to states table.

    I don't believe the limited data available in the pfSense State is the perfect path to have all available options for analysis as it exists now to paint the entire picture. Part of the problem is I'm not familiar with FreeBSD and their tools available for gathering network information to know what direction to head in unless I dive into it.

    I know there are other options such as the dynamic data in PFtop .... etc

    I could do it but .... just not sure if I would want to commit that much time as it would be a rather large task with no financial benefits.

    Doing a firewall rule from there with the limited info is tricky given the assumptions (what about multi-wan? maybe a floating rule to block rather than interface specific?)

    But doing DNS at least would be fine, and the existing DNS lookup link/page has links to places to run a whois from there. The firewall rules part was trivial by comparison because everything we needed was already given.

    As for the financial part, you could post on the bounties section and see if anyone might be interested in tossing some money your way to help you make the time to do it. If enough other people think it's a good idea and they are willing to donate something to you to get it done, it could at least get you a nice dinner or a book or a new toy. I've done bounties for less. :-)

  • Captive Portal feature proposal

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.