Error 403 - Primitive Security Measures on the Forum
-
It's a private house. The owner can permit and deny access to anyone based on any criteria that suits them. Freedom of association.
If you come from a known questionable part of town (Internet), you may be required show some additional ID.If you don't like it you are entitle to your view/opinion. But if you want to participate in the hosts' private party you have to ad-hear to the hosts' criteria and rules.
Your seemingly desire to leap to conclusions about the pfSense router/firewall quality based on the security measures used for this web site forum does not afford much credibility.
Wow, I am surprised that with such limited amount of knowledge of the host (newbie first post) you know them so well. Almost as well as a used car salesman that knows this is the car for you before they even know your transportation needs.
-
KOM, I am voicing my concern about this.
It's all in how you say it. You basically came in as a brand-new user and called the pfSense team a bunch of idiots, and did so in a way that displayed arrogant ignorance. Honestly, what were you expecting? If you would have but simply said "I've found this and I'm concerned. What does everyone else think or can someone help out…", it would have gotten you a load of assistance. Flies & honey and all that.
At the moment I don't feel like dealing with running an exit node so it's transit-only.
A simple filter in your config will limit everything to safe ports. When I first started out, I had it wide open and it was only a matter of days before Linode was respectfully bugging me due to reported bogies on my node. After I filtered, I haven't had a report since.
-
I know. I'm just not in the mood. :) It runs fine and I'm moving enough traffic to feel I'm helping the cause enough as it is.
-
Well. This was certainly a 'worthwhile' use of my time.
jonesr thanks for the input. Frankly I'm pretty put off at this point by the complete lack of any apparent knowledge or discussion of the actual technical characteristics of pfSense. They act like a Windows crowd, or a high school locker room here. I'm glad to learn that this forum is not run by the same team as pfSense though.
PS - "Derelict", correctly it is 'TOR', regardless of the capitalization on their website which it appears you go by without knowing its meaning. ("The Onion Router") ;) And although it is very impressive that you'd like to associate yourself with TOR, do not pretend you run a node. You haven't known what it's actually called up to this point.
-
Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.
https://www.torproject.org/docs/faq.html.en
I guess you know more about Tor than the project maintainers themselves.
-
@Quantum`:
Frankly I'm pretty put off at this point by the complete lack of any apparent knowledge or discussion of the actual technical characteristics of pfSense.
Your very first post here:
@Quantum`:Wow, I am surprised and disappointed with the elementary security measures on the pfSense forum.
This is supposed to be an advanced firewall, and yet you rely on Project Honeypot for the forum? Which blocks the TOR browser? And what's with the dumb questions at the bottom of every new post which never change? ("What is 5 + 6?" "Are you a spammer? (yes / no)" "What is 10 + 5?")
I hope the firewall isn't maintained by the same guys who run the forums. I'm not sure at this point if I want to learn the firewall, if it's by amateurs.
Entering a forum with inflammatory and demeaning accusations right from the start with your very first post is not the way to elicit a discussion. But it's a pretty effective means of picking a fight.
-
:o)
We should just let the troll toddler die of starvation and keep this thread from going to three pages.
-
Better yet, can someone press the lock button, please?
-
Thats so primitive…
-
Thats so primitive…
-
@Quantum`:
Frankly I'm pretty put off at this point by the complete lack of any apparent knowledge or discussion of the actual technical characteristics of pfSense.
Beyond mentioning it is based on FreeBSD 10.1 and a fork of the m0n0wall project in response to your comments about Windows, and repeating there is some arms-length between the actual firewall product and the forum hosting service, it is a broad subject. You don't appear to have asked any questions regarding pfSense itself, what is it you wanted to discuss?
-
Anyone else's Smite counts going through the roof lately? I've had 4 since yesterday even after I stopped responding to Quantum. I have a feeling that this Quantum guy is still having a tantrum and is coming here just to smite anyone who told him off. So childish.
-
Yeah,
56 so far from the little skin flutist. -
Yep, I'm up to 17 now. Was at 11 or 12 this morning. He is literally going over every single post of ours and smiting them.
Jim, Chris or Steve, can you please do something about this guy?
-
@KOM:
Anyone else's Smite counts going through the roof lately? I've had 4 since yesterday even after I stopped responding to Quantum. I have a feeling that this Quantum guy is still having a tantrum and is coming here just to smite anyone who told him off. So childish.
Yeah,
56 so far from the little skin flutist.@KOM:
Yep, I'm up to 17 now. Was at 11 or 12 this morning. He is literally going over every single post of ours and smiting them.
Jim, Chris or Steve, can you please do something about this guy?
Well maybe if you all didn't have such a need to be right all the time… ;) ...you would get along better with others and trolls. ;) Nobody likes a know-it-all. ;)
-
Well maybe if you all didn't have such a need to be right all the time… ;)
Being right is why karma here goes up.
Nobody likes a know-it-all. ;)
Exactly.
-
Nobody likes a know-it-all.
I don't know anything. Just ask my wife.
Oh look, I'm up to 18 now. And by wild coincidence, Quantum logged in recently.
Anyway, I'm done with this thread.
-
In this life… there are the smarter ones; and then there are the dumber ones.
Just an abstract philosophical observation.
I've told the ones who matter what my plans are now for my Xen system, and what role (if any) that pfSense will play. Most of you don't want to know though.
Bye.
-
@Quantum`:
In this life… there are the smarter ones; and then there are the dumber ones.
Just an abstract philosophical observation.
I've told the ones who matter what my plans are now for my Xen system, and what role (if any) that pfSense will play. Most of you don't want to know though.
Bye.
Bear in mind that there will always be smarter and dumber than you…Just an abstract philosophical observation.
F.
-
@Quantum`:
I've told the ones who matter what my plans are now for my Xen system, and what role (if any) that pfSense will play. Most of you don't want to know though.
Bye.
Not if you are unable to express it without insults. Which could be a significant indicator of your place on the smarter / dumber scale.
Wow. More than 100 smites per post so far, and no applause.
-
And, of course, today someone DOSed the forum.
-
@gonzopancho:
And, of course, today someone DOSed the forum.
It ain't no big thing. We can wait for their adolescent temper tantrum to be over. That's just part of living with 6+ billion spoiled adolescent brats.
The pfSense forums use of Project Honey Pot has just be validated.
-
@gonzopancho:
And, of course, today someone DOSed the forum.
That of course was extremely mature and not primitive at all… ;D ::)
-
I didn't notice the DOSing… Was the site down for .64 seconds or something?
-
@Quantum`:
Wow, I am surprised and disappointed with the elementary security measures on the pfSense forum.
You emailed me asking about why you couldn't reach the forum from your server. I replied asking what its IP is, and you replied you were actually talking about Tor. I replied that yes, often httpBL ends up with Tor exit nodes' IPs blocked because they're frequent sources of abuse, and that if it were easy to just exclude Tor exit nodes, I'd do it. We have no intention of blocking Tor, we just block IPs that are actively spamming and abusing things per httpBL.
We're running anti-spam measures that are common to many, many websites. Anyone who's run a popular forum knows the onslaught of abuse you deal with. The anti-spam measures unfortunately have to go to great lengths to keep the site from being flooded with spam registrations and posts. It has nothing whatsoever to do with security.
@Quantum`:
If I were to put spam in the forum, is there no control? Are there no moderators who could ban me? Would a spam post upset things such that everyone is thrown off-balance and the world goes higgledy-piggldy, and nothing could be done about it?
We'd rather not have to hire someone full time to sit here and clean up spam, which is truly what would be required without spam prevention measures that are painful at times for a tiny fraction of a percent of users. You've clearly never run a popular website that accepts user-submitted content of any type.
Project Honeypot is actually really good at this type of thing, and a significant improvement from "Stop Forum Spam" that we used prior to switching over to it. SFS and many similar options leave IPs blacklisted for months or years past the last known malicious activity from that IP, so it ends up blocking tons of IPs in ISPs' dynamic IP pools that had a compromised machine months or years previously when it was assigned to a different customer. httpBL is configurable for how recently you care about abuse. We use 30 days, and a pretty high threshold for "badness", so only IPs that have been significantly malicious in the past 30 days are affected. Unfortunately, that catches Tor exit nodes from time to time. Outside of Tor exit nodes, it has a very low rate of false positives. We get maybe 1 complaint a month on average with false positives outside of Tor (generally IPs used by those behind CGN), and it blocks upwards of 2000 requests a day on average. And httpBL is willing to whitelist Tor exit nodes if you submit them.
@Quantum`:
Frankly I'm pretty put off at this point by the complete lack of any apparent knowledge or discussion of the actual technical characteristics of pfSense.
If you want to talk about technical characteristics, start a thread asking about technical characteristics. If you want to create a shit storm, start a thread bitching about commonly employed spam prevention measures that are standard to any popular forum on the Internet that isn't overrun with spam.
-
I removed smites from those who got them in this thread.
I didn't notice the DOSing… Was the site down for .64 seconds or something?
About 3.5 hours actually, unless you're on IPv6. The IPv4 IP had to be null routed for a bit to keep everything else up, there wasn't enough coming in on v6 for it to matter so that stayed up. Blew out a 10 million state limit in no time. IPv6 and things other than the forum were hit and miss for roughly a half hour until the null route was put into place.
-
Thats it then - Yes. I'm using IPV6, even on my VPNs. I guess I wouldn't have noticed.
Still - I doubt its related to this thread. People have been talking about one particular SYN Flood attack for a while.
Could have been anyone. -
Still - I doubt its related to this thread. People have been talking about one particular SYN Flood attack for a while.
Could have been anyone.Indeed, it could have been anyone. There is no solid indication of who is responsible. This thread's timing could just be a coincidence.
I'm in contact with the guy in the other thread re: that SYN flood. There doesn't have to be anything "special" about it, blasting millions of new connections per second at any stateful firewall ends poorly. We now have a state limit in place on connections to the forum so if it happens again, it'll at least only take the forum down.
-
@cmb:
Indeed, it could have been anyone. There is no solid indication of who is responsible. This thread's timing could just be a coincidence.
"According to Verisign's latest Distributed Denial of Service Trends report, attacks can cost between $5 (USD) per hour or as low as $2 (USD) an hour. In addition, massive and longstanding attacks can be launched for as little as $800 a month."
http://www.securityweek.com/ddos-hire-services-cheap-effective