Netgate Discussion Forum
    • W

      Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?

      General pfSense Questions ntopng
      3
      0 Votes
      3 Posts
      155 Views
      W

      @dennypage said in Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?:

      @wolffire said in Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?:

      I really like ntopng, but I'd rather it not be able to access the internet whenever it wants.

      Is it possible to block package processes from doing so?

      You can't block individual packages. The closest you could get is to find the domain or addresses the package is accessing and block those.

      With specific regard to ntopng, I haven't examined all the callouts but I don't recall it doing much unless you were using the licensed version (activation check), or had one of ntopng's "active" modes enabled.

      Make sure you have Active Network Discovery disabled in ntopng. It's in Settings / Preferences / Network Discovery / Active Network Discovery. This option should never be enabled on pfSense. Ditto for Active Monitoring.

      Thanks for the quick answer.

      I'm a little surprised about not being able to lock down individual processes for those 'who watches the watcher?' types of situations. Finding a dynamic workaround will be painful.

      As far as ntopng, I just don't want it to be able to do anything online unless I've configured it to do so; I loathe the idea of telemetry being sent off to various companies.
      Not that I've found anything (I haven't taken a serious look yet); I'm just a bit wary.

      Speaking of the settings, after reading that post about inadvertently scanning the Internet, I definitely ensured active monitoring and network discovery were turned off. 😆

    • P

      update from 25.07 beta to 25.07 RC

      Problems Installing or Upgrading pfSense Software
      4
      0 Votes
      4 Posts
      198 Views
      GertjanG

      @PiAxel said in update from 25.07 beta to 25.07 RC:

      The last version doesn't work for me!

      ??

      How do you know that the latest version doesn't work for you, before installing that latest version ?

      ( 😊 )

    • R

      Can't create schedule | "The schedule must have at least one time range configured."

      General pfSense Questions
      3
      0 Votes
      3 Posts
      72 Views
      R

      @patient0 OK, that helped. I'm fairly certain I had tried clicking Add time before and it hadn't worked - with the error I previously reported. In any case, it worked for me now. Thank you!

    • dennypageD

      Has the 25.07 RC been withdrawn?

      Development
      3
      3 Votes
      3 Posts
      180 Views
      dennypageD

      @cmcdonald Appears to be back/fixed. Thanks.

    • Bob.DigB

      The if_pppoe backend does not support all advanced features of the MPD implementation

      Plus 25.07 Development Snapshots
      2
      0 Votes
      2 Posts
      42 Views
      RobbieTTR

      @Bob-Dig

      Needing a periodic reset every night does sound slightly odd, but can you not reset what you need to via cron?

      ☕️

    • B

      Nintendo Switches (2) - Getting NAT type D and connection issues

      Gaming
      5
      0 Votes
      5 Posts
      686 Views
      B

      @LukasInCloud - not sure what the difference was, but disabling the WireGuard instance fixed the issue. I think I may have updated it, but I was able to restart the VPN instance and have not had any issues since, even though I didn't change any settings on the VPN connection.

    • I

      Restrict OpenVPN schedule

      Portuguese
      2
      0 Votes
      2 Posts
      51 Views
      acamouraA

      @ivanz you can create a schedule under Schedules and then, in the rule that accepts the OpenVPN connection on your pfSense WAN port, apply it in the advanced options of the rule that accepts the connection to your VPN server, so that the schedule you created is applied.


    • N

      Advice on SFP+ modules for 6100

      Hardware
      4
      0 Votes
      4 Posts
      312 Views
      N

      No, just ordered from Amazon.

    • M

      New pfSense Plus 25.03-BETA is here!

      Messages from the pfSense Team
      55
      2 Votes
      55 Posts
      11k Views
      GertjanG

      @Gcon said in New pfSense Plus 25.03-BETA is here!:

      So if you introduce support in CE first, and then much later in Plus ...

      Probably because Plus uses 15.0 which isn't officially released yet. The latest official release is FreeBSD 14.3.
      So, afaik, driver writers (Intel ?) aren't done adapting yet.

    • J

      SG-1100 eMMC Lifetime UP

      Official Netgate® Hardware
      14
      0 Votes
      14 Posts
      1k Views
      stephenw10S

      Nice. 👍

    • D

      Strange behaviour with alias firewalling: Pass is logged but traffic is blocked

      Firewalling
      2
      0 Votes
      2 Posts
      91 Views
      D

      I managed to resolve my above issue and for anyone ending up with the same question:

      My issue was caused by a colleague who added a floating rule rejecting traffic coming from another alias, with logging disabled on that rule. Unfortunately, that alias contained a different FQDN that resolved to the same IP as the removed FQDN.

      What is the important lesson here:

      Apparently the PF box handles floating rules AFTER interface rules. And since logging of that floating rule was disabled, the firewall log logged the allowed traffic from the interface rule, but blocked the traffic afterwards based on the floating rule with no logging! You end up seeing an allow in your log, but it is blocked in the end!

      This must be a culprit someone else will face one day or another :)

    • A

      AutoBackup Device Key

      General pfSense Questions
      2
      0 Votes
      2 Posts
      142 Views
      stephenw10S

      Do you have the NDI from the device? If you send that to me in chat I can check for an ACB key.

    • P

      IPv6 disconnects after 1 minute on some LAN clients (pfSense Plus 24.11)

      IPv6
      2
      0 Votes
      2 Posts
      42 Views
      U

      What is the difference between the device/PC that IPV6 works on and the ones that don’t? I would start with looking at the IPV6 settings on the devices/PCs that are having problems. I’m going to guess that your router advertisements are managed. Try stateless DHCP advertisements and see if that solves your problem.

    • M

      System - Package Manager - Available Packages

      Italiano
      2
      0 Votes
      2 Posts
      38 Views
      C

      In the pfSense web GUI, go to Diagnostics and then Command Prompt; in the Execute Shell Command box, type the following command: certctl rehash
      Wait for the output, then check for updates or packages again and it should work.
      pfSense 2.7.0 is an old version, so I think you should upgrade to version 2.7.2 and then to version 2.8.0; before doing anything, remember to save the XML file of your current pfSense configuration.

      Regards

    • luckman212L

      25.07.r.20250715.1733 - incorrect help link on System → Advanced → Netgate Nexus

      Plus 25.07 Development Snapshots
      2
      1 Votes
      2 Posts
      85 Views
      stephenw10S

      Hmm, I thought we'd fixed that. Let me see...

      Ah, maybe not: https://redmine.pfsense.org/issues/16207

    • M

      Issue with ACME Certificates Refresh & Restarting HAProxy

      ACME acme haproxy
      5
      1 Votes
      5 Posts
      2k Views
      GertjanG

      @EChondo

      What's your pfSense version ?
      The instructions are shown here :

      1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png

      A restart of a service will start by recreating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

      @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

      I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

      No need to wait x days.
      You can retest / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

    • J

      Installing 2.8 behind archaic PPPoE/VLAN from CenturyLink

      General pfSense Questions
      5
      0 Votes
      5 Posts
      195 Views
      stephenw10S

      @jhg said in Installing 2.8 behind archaic PPPoE/VLAN from CenturyLink:

      Is this available yet?

      It's in testing now. No issues so far, so it should be available soon.

    • G

      Does this look like my pfSense was hacked

      General pfSense Questions
      7
      0 Votes
      7 Posts
      3k Views
      GertjanG

      @luckman212

      Click on the image :

      1c8c8a2b-ed5f-4dd1-8694-8be0e58350e8-image.png

      I didn't test other search engines ...

      edit : the link @kpa posted is, imho, the best answer ( and totally not-FreeBSD related ^^ ).

    • A

      Firewall rule order is being changed every reboot.

      Firewalling
      2
      0 Votes
      2 Posts
      67 Views
      S

      @aaronouthier There was a bug in 24.3/11 where deleting multiple rules would reorder them. There’s a patch.

      But otherwise no it’s not normal at a reboot. Maybe compare config files before and after?

    • P

      new PPPoE kernel - Suricata not working

      IDS/IPS
      2
      0 Votes
      2 Posts
      72 Views
      bmeeksB

      I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

      Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.