New to pfSense (2.0): impressions, some problems



  • Hi Everyone!

    Installed, 2.0 final on Supermicro D510, 4GB, Intel SSD. pfSense seems awesome!

    Only package is Snort so far.

    Problems

    #1 This stuff in sys log
    'snort[28496]: Warning: flowbits key 'http.chm' is set but not ever checked.'

    #2 Snort getting killed due to 'out of swap'
    RAM usage is 51% under load; it must spike when I'm not around? Maybe #1 is related?
    I didn't make a swap partition since I don't want the SSD to die.

    #3 After I press 'clear system log', the UI becomes unresponsive; restarting the browser doesn't help

    I am considering using pfSense for production; I really hope I can figure out these problems. Please help me.



  • #1 - can be safely ignored

    #2 - you need more RAM, or to tune your Snort install



  • There are 2 GB free at the highest level of usage. Very strange for it to magically eat up 2 GB more.



  • @redsquare:

    #3 After I press 'clear system log', the UI becomes unresponsive; restarting the browser doesn't help

    Wait a few minutes; if it does not come back, open the console and restart the webConfigurator (option 11).
    Do not use Internet Explorer; as I saw in other posts, IT'S UNSUPPORTED!!!

    @redsquare:

    I am considering using pfSense for production; I really hope I can figure out these problems. Please help me.

    Be sure you will. pfSense 2.0 is awesome!  ;)



  • Installed the 64-bit version; #1 and #2 seem solved.
    #3 hasn't come back;
    however, I did try "11) Restart webConfigurator" before, and it did not help. Manually killing a few PHP processes did.

    Thanks for your responses guys, I'm loving pfSense.

    Is it normal for Snort to be at 99% CPU usage on an Atom D510 with 500kb/s (under 500 connections) worth of BitTorrent traffic?

    BTW I am using rules outlined here:
    http://www.smallnetbuilder.com/security/security-howto/31451-build-your-own-utm-with-pfsense-part-2?showall=&start=2



  • For snort, that depends on the rules and configuration. The rule sets chosen in that article are quite long. They make a good starting point, but you should be looking at what you actually need/want and using only those. As you're running BitTorrent, the P2P rules are probably a very good candidate for removal.

    Snort has options that allow you to identify which rules are causing the highest load; that may help you reduce them. In all honesty, though, you'll probably need to cull the rules quite a bit before that gets you any real benefit. I'd start by dropping all the NetBIOS and ICMP WAN rules, along with the DoS and DDoS rules. Then I'd suggest you drop the "scan" rules and, if you've got current AV on all your boxes, drop "trojan", "worm", "malware", "virus" and "botnet", amongst others.
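Two points in this thread lend themselves to a small script: the "flowbits key ... is set but not ever checked" warning from the first post (a rule sets a flowbit that no other enabled rule ever tests, so the work is wasted but harmless), and the advice above to find the costliest rules and cull whole categories. The example below is added here and is not code from pfSense, Snort or any poster. It assumes the rules and the rule-profiling table are available as plain text; the ruleset and the profiling statistics embedded in it are constructed samples, not a real VRT ruleset or real Snort output, and the "category" of a rule is taken from the first word of its msg (NETBIOS, ICMP, SCAN, ...) rather than from the rule file name pfSense uses.

```python
"""Added example: Snort rule hygiene helpers (not part of pfSense or Snort).

1. unchecked_flowbits(): reproduce the 'set but not ever checked' warning.
2. costliest_rules():    rank rules from a 'config profile_rules' table.
3. disable_rules():      comment out rules by SID or by msg category.
"""
import re

# Snort rule header + option body. Simplified: one rule per line, and option
# values are split on ';' without handling an escaped '\;' inside content.
RULE_RE = re.compile(
    r'^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

# One row of Snort's rule profiling statistics: Num SID GID Rev Checks
# Matches Alerts Microsecs Avg/Check Avg/Match Avg/Nonmatch (11 numbers).
PROFILE_RE = re.compile(r'^\s*' + r'\s+'.join([r'(\d+)'] * 8 + [r'([\d.]+)'] * 3) + r'\s*$')


def parse_options(opts):
    """Split 'k:v; k; k:v;' into an ordered list of (key, value) pairs."""
    pairs = []
    for item in opts.split(';'):
        item = item.strip()
        if item:
            key, _, value = item.partition(':')
            pairs.append((key.strip(), value.strip()))
    return pairs


def parse_rules(text):
    """Return one dict per rule line: sid, enabled flag, option pairs, raw line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, preprocessor config
        pairs = parse_options(m.group('opts'))
        sid = next((v for k, v in pairs if k == 'sid'), None)
        rules.append({'sid': int(sid) if sid else None,
                      'enabled': m.group('disabled') is None,
                      'options': pairs, 'line': line})
    return rules


def unchecked_flowbits(rules):
    """Flowbit keys that an enabled rule sets/unsets/toggles but no enabled rule
    ever tests with isset/isnotset. This mirrors what Snort warns about."""
    setters, checkers = set(), set()
    for r in rules:
        if not r['enabled']:
            continue
        for k, v in r['options']:
            if k != 'flowbits':
                continue
            op, _, key = v.partition(',')
            keys = {x.strip() for x in re.split(r'[&|]', key) if x.strip()}
            if op.strip() in ('set', 'setx', 'unset', 'toggle'):
                setters |= keys
            elif op.strip() in ('isset', 'isnotset'):
                checkers |= keys
    return sorted(setters - checkers)


def costliest_rules(profile_text, top=3):
    """(sid, total_microsecs, avg_per_check) for the top-N rows by total time."""
    rows = []
    for line in profile_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            rows.append((int(m.group(2)), int(m.group(8)), float(m.group(9))))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:top]


def disable_rules(text, sids=(), categories=()):
    """Return the ruleset with matching enabled rules commented out.
    Category = first word of msg, matched case-insensitively."""
    sids, categories = set(sids), {c.upper() for c in categories}
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and not m.group('disabled'):
            opts = dict(parse_options(m.group('opts')))  # last value wins
            sid = int(opts.get('sid', 0))
            category = opts.get('msg', '').strip('"').split(' ', 1)[0].upper()
            if sid in sids or category in categories:
                line = '# ' + line
        out.append(line)
    return '\n'.join(out) + '\n'


# Constructed sample ruleset (hypothetical SIDs, not real VRT rules).
SAMPLE_RULES = """\
# constructed sample, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|FF|SMB"; sid:2001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; sid:2002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CLIENT chm download"; flow:to_client,established; content:".chm"; flowbits:set,http.chm; flowbits:noalert; sid:2003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CLIENT exe download"; flow:to_client,established; content:"MZ"; flowbits:set,http.exe; flowbits:noalert; sid:2004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CLIENT exe follow-up"; flowbits:isset,http.exe; content:"PE"; sid:2005; rev:1;)
"""

# Constructed profiling table in the layout of 'config profile_rules' output.
SAMPLE_PROFILE = """\
Rule Profile Statistics (all rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============
     1     2001   1   1     812340         3         3               96611       0.12       1.21         0.12
     2     2002   1   1      45120        40        40                4510       0.10       0.90         0.10
     3     2004   1   1     320000        12         0               10240       0.03       2.10         0.03
"""

if __name__ == '__main__':
    print('set but never checked:', unchecked_flowbits(parse_rules(SAMPLE_RULES)))
    print('costliest rules:', costliest_rules(SAMPLE_PROFILE))
    print(disable_rules(SAMPLE_RULES, categories=('netbios', 'icmp')))
```

Run the flowbits check again after culling: disabling a rule that carried the only `isset` for a key turns its setter into exactly the "set but not ever checked" case, which is harmless but a sign the setter can go too. The profiling table only exists if `config profile_rules` is enabled in snort.conf, and the column layout here is what this example expects; adjust `PROFILE_RE` if your Snort build prints a different header.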



  • Stats above are with BT disabled.
    I am testing pfSense at home in consideration/preparation for production use, trying to choose the rules accordingly.

    How does one contribute to the project? I really hope the internals are solid because
    there are numerous UI bugs I've seen, e.g.:

    #4
    clicking on pfSense logo from the 'Snort' tab, generates a '404' by trying to go here
    'https://192.168.1.1/snort/index.php'

    #5
    snort > alerts > 'clear'
    doesn't clear anything and results in a blank page, multiple browsers confirm.

    #6 is 'Snort whitelist doesn't seem to work' at all, first reported ages ago, which is a big problem;
    imagine getting locked out of your production servers because of this:
    http://forum.pfsense.org/index.php/topic,23647.0.html

    I add a single external IP to the whitelist, click save everywhere I see the save button in the Snort section,
    reload Snort and the interface, restart pfSense, and that external IP still gets blocked.



  • You can report issues via the pfsense bugtracker at http://redmine.pfsense.org/
    and code patches via https://github.com/bsdperimeter

