General questions about pfSense



  • Hi,

    First of all, thank you for pfSense.
    You are doing a very good job here.

    Also, we are no longer so happy with Astaro and are looking for alternatives.
    We have several company locations, which are connected via VPN.
    In addition, some VPN clients connect to the locations.

    I have some questions about pfSense and the direction in which it will move.

    Does commercial support exist?
    Can one get an invoice from the pfSense team?

    VPN:
    Is split tunneling supported?
    It must be possible to define several networks for the mobile VPN user.

    Is better CA management planned?
    The VPN clients (mobile users) need PKCS#12 certs.

    Is it possible for a mobile user to connect via VPN client to location B?
    Locations A and B are connected via a site-to-site VPN.

    Is it possible to support VoIP in the VPN tunnel with the traffic shaper?

    About IPS, port scans etc.:
    Is there "TCP, UDP, ICMP SYN flood" protection?
    Is there a policy "drop silently" or "terminate connection"?
    Is there an anti-portscan?
    Will it be possible to define exceptions? (define source and destination networks that should be excluded from intrusion protection)
    Performance tuning? (In order to increase performance and minimize the number of false positive alerts, you can specify your internal servers that are protected by the IPS.)
    Is it possible to receive notifications by e-mail? (Snort, port scan, etc.)

    That would be enough for the beginning.  ;)
    I still have some other things, but those are not so important.

    thx

    Stefan



  • @StefanS:

    Does commercial support exist?

    Yes, a company exists, owned by the founders of this project, that will be providing commercial support. It will help fund the future development of this project as well. More on this to come in about a week to 10 days.

    @StefanS:

    VPN:
    Is split tunneling supported?
    It must be possible to define several networks for the mobile VPN user.

    Split tunneling should work with IPsec. I use OpenVPN, which definitely allows split tunneling and lets you easily push routes to the clients. It's my preferred method of VPN, personally.

    @StefanS:

    Is better CA management planned?
    The VPN clients (mobile users) need PKCS#12 certs.

    @StefanS:

    Is it possible for a mobile user to connect via VPN client to location B?
    Locations A and B are connected via a site-to-site VPN.

    Is it possible to support VoIP in the VPN tunnel with the traffic shaper?

    @StefanS:

    About IPS, port scans etc.:
    Is there "TCP, UDP, ICMP SYN flood" protection?

    Yes, but this isn't all it's hyped up to be. This type of DoS is unlikely on most Internet connections; what you're likely to see is a DDoS, which, unless you're a carrier with a multi-Gbps connection to the Internet, you can't do anything about.

    @StefanS:

    Is there a policy "drop silently" or "terminate connection"?

    Yes, drop and reject on firewall rules, respectively.

    @StefanS:

    Is there an anti-portscan?

    Snort can be configured to block hosts it detects doing anything "bad", including port scans. Dropping people who port scan is pretty pointless though, really. That's clueless script-kiddie-level stuff; if your network is actually vulnerable to somebody dumb enough to do a full port scan on you, your network has serious problems. The serious bad guys just don't do that kind of stuff.

    @StefanS:

    Will it be possible to define exceptions? (define source and destination networks that should be excluded from intrusion protection)

    Yes.

    @StefanS:

    Performance tuning? (In order to increase performance and minimize the number of false positive alerts, you can specify your internal servers that are protected by the IPS.)

    You should really just do a test install and look at the Snort package. Pretty much all your questions will be addressed there. They're all "yes", from what I can tell. It should be quickly clear to you, though, after you check out the Snort package.

    @StefanS:

    Is it possible to receive notifications by e-mail? (Snort, port scan, etc.)

    There is an email logging alert system in development; it won't be available until the 1.3 release, though, maybe 4-8 months from now (hard to guess that far in the future with 1.2 not being out yet).
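The "drop silently" versus "terminate connection" policies, the SYN flood protection and the block-the-scanning-host behaviour discussed in the reply above, shown as the underlying pf primitives. This is an added example, not pfSense's generated ruleset (pfSense builds its rules from the GUI) and not code from anyone in this thread; the interface name, networks, hosts, ports and the rate limit of 30 new connections per 10 seconds are assumed for illustration.

```conf
# Hypothetical pf.conf fragment (added example). Interface, networks and
# hosts are assumed; on a pf firewall the last matching rule wins unless
# a rule says "quick".
ext_if  = "em0"
lan_net = "192.168.10.0/24"
web_srv = "192.168.10.80"

# Offenders are added here at run time by the overload rule further down.
table <scanners> persist
# Sources exempted from the rate limit (monitoring hosts, partner sites).
table <trusted> const { 203.0.113.10, 198.51.100.0/24 }

scrub in on $ext_if all

# Already-flagged sources: "drop silently". No reply is sent, the sender
# only ever sees a timeout.
block drop in quick on $ext_if from <scanners> to any

# Exempted sources bypass everything below.
pass in quick on $ext_if from <trusted> to $lan_net keep state

# "Terminate connection" on ports never served externally: a TCP RST
# (ICMP unreachable for UDP) goes back, so the probe fails immediately
# instead of hanging.
block return in quick on $ext_if proto { tcp, udp } from any to $lan_net port { 135, 139, 445 }

# Default policy for everything else inbound: silent drop, logged.
block drop in log on $ext_if all

# Published web server. "synproxy state": pf completes the TCP handshake
# itself and only opens a connection to the server once the client has
# answered, so half-open entries from a SYN flood never reach the server's
# backlog. "max-src-conn-rate 30/10": a source that opens more than 30 new
# connections in 10 seconds is put into <scanners>; "flush global" also
# tears down the states it already holds, i.e. the host is blocked.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state \
    (max-src-conn-rate 30/10, overload <scanners> flush global)
```

Two caveats a practitioner should keep in mind: synproxy and the overload table protect the server behind the firewall, not the link in front of it, so, as the reply above says, they do nothing once the ISP pipe itself is saturated; and the rate limit counts TCP connection attempts per source, which catches a noisy full scan but not a slow scan spread over hours.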



  • Hi cmb,

    Thanks for the rapid answer.
    I find that pfSense has made good headway within a short time.

    Can you say something about these questions?

    Is better CA management planned?
    The VPN clients (mobile users) need PKCS#12 certs.

    Is it possible for a mobile user to connect via VPN client to location B?
    Locations A and B are connected via a site-to-site VPN.

    Is it possible to support VoIP in the VPN tunnel with the traffic shaper?

    About DoS, you say:

    Yes, but this isn't all it's hyped up to be. This type of DoS is unlikely on most Internet connections; what you're likely to see is a DDoS, which, unless you're a carrier with a multi-Gbps connection to the Internet, you can't do anything about.

    That may well be correct in principle, but I have already seen it differently.
    We currently have a 2 Mbit synchronous connection, and I have already had a DoS here.
    From 2008 we will have 8 Mbit synchronous, and I think that doesn't get better with DoS.

    About port scans, here I also agree with you in principle.
    But I wouldn't like to drop my trousers so that others can see my open ports.  ;)

    thx

    Stefan



  • @StefanS:

    That may well be correct in principle, but I have already seen it differently.
    We currently have a 2 Mbit synchronous connection, and I have already had a DoS here.
    From 2008 we will have 8 Mbit synchronous, and I think that doesn't get better with DoS.

    It's the same whether you have 2 Mb or 8 Mb or 50 Mb. Every script kiddie on earth has enough bots under their control to DoS a connection of 50 Mb or less off the Internet. Many have enough to DoS a 1 Gb connection or more.

    In this type of scenario your firewall, no matter what it is, can't help you. The pipe coming from your ISP is overloaded; it doesn't matter what you do with the traffic once it gets to your end of the pipe, your connection is useless. Your ISP has to handle DoS attacks on their side of your connection so that your connection isn't overloaded with the DoS traffic. There isn't anything you can do about it on your end; it's too late at that point.

    Re: CA management, yes, eventually, though no work is currently happening in this area. If you start a bounty, it may get done faster.

    Re: shaping with VPN, not possible at this time, but some changes are in the works that may allow this in a future release.

    Re: mobile user, not sure on that one.
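The pushed-route split tunnel mentioned in the first reply, and the mobile-user-to-location-B question that is left open above, as an added example in OpenVPN's own configuration syntax. These are hypothetical server and client files written for this page, not the original poster's configuration and not files pfSense generates; the addresses, host name, certificate file names and the assumption that location A already has a site-to-site tunnel to location B are all made up for illustration.

```conf
# --- server.conf at location A (hypothetical, added example) ---
port 1194
proto udp
dev tun
ca ca.crt
cert serverA.crt
key serverA.key
dh dh2048.pem
# Address pool handed out to mobile clients (assumed)
server 10.8.0.0 255.255.255.0
# Split tunnel: only the networks listed here are routed into the VPN.
# There is deliberately no  push "redirect-gateway def1"  line, so the
# client's Internet traffic stays on its local connection.
push "route 192.168.10.0 255.255.255.0"   # location A LAN (assumed)
push "route 192.168.20.0 255.255.255.0"   # location B LAN, behind A's site-to-site tunnel (assumed)
keepalive 10 60
persist-key
persist-tun
verb 3

# --- client.ovpn for a mobile user (hypothetical, added example) ---
client
dev tun
proto udp
remote vpn-a.example.net 1194
nobind
# One PKCS#12 bundle carrying CA cert, client cert and private key,
# instead of separate ca/cert/key files.
pkcs12 stefan.p12
# Refuse peers whose certificate is not a server certificate, so a client
# cert from the same CA cannot impersonate the server
# (on OpenVPN 2.0 the equivalent option is  ns-cert-type server).
remote-cert-tls server
persist-key
persist-tun
verb 3
```

Pushing the route for location B is only half of the path: location A's firewall must forward 192.168.20.0/24 over the site-to-site tunnel, and location B must have a return route for the client pool 10.8.0.0/24 through that same tunnel. With an IPsec site-to-site tunnel that means the Phase 2 traffic selectors on both ends have to include 10.8.0.0/24; otherwise replies from B never match a security association and are silently dropped, which looks from the client like location B being unreachable.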

