PfSense boot sequence & files red.



  • Hi all,

    New in here. Small question: it is not very clear to me which files I'm able to modify in order to make personal modifications suiting my environment.
    For now I've made reboot-safe 'n' steady mods in here:
    ```
    /etc/rc.conf.local
    ```
    Any best practices would be very welcomed.
    
    Also, is there a way to buy the book about version 2 as a PDF file or the only way for now is the 99$ subscription?
    
    Thanks,
    best regards,
    m.

  • Netgate Administrator

    The book has gone out to editors so should be released 'soon'. See this thread:
    https://forum.pfsense.org/index.php?topic=64781.0

    You should not be editing rc.conf.local.
    All the pfSense config is stored in the single file config.xml. What alterations are you wanting to make?

    Steve



  • @stephenw10:

    The book has gone out to editors so should be released 'soon'. See this thread:
    https://forum.pfsense.org/index.php?topic=64781.0

    You should not be editing rc.conf.local.
    All the pfSense config is stored in the single file config.xml. What alterations are you wanting to make?

    Steve

    Thanks for your reply Steve, and that's excellent news for the book! Will check the thread… Will physical buyers get a digital copy as well? Would be great!!

    Back to my eggs here (hehe) and to reply to myself, here is what I've found on your doc website:

    NOTE on startup scripts: the usual rc.d scripts added to /usr/local/etc/rc.d/ will not function on a pfSense system. There is no rc.conf and you cannot create one as it will be deleted.
    You'll need to create your own startup script in /usr/local/etc/rc.d/ just making sure it ends with .sh and is marked as executable (chmod +x), and it will run at boot time.
    Alternatively if it's something that can be started with a single command you can easily add a <shellcmd> tag to your config.xml.

    from here –> https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages

    And toward your question, this is what I'm trying to do:

    ```sh
    ifconfig re0 inet6 0000:0000:0000:0000:0000 -alias
    ifconfig re1 inet6 0000:0000:0000:0000:0000 -alias
    ifconfig re2 inet6 0000:0000:0000:0000:0000 -alias
    ```

    I'm getting millions of IPv6 ICMP6 entries in my FW log, which I'm willing to completely shut (inet6) on the whole subsystem.

    let me know,
    regards,

    m.
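
The doc note quoted above says single commands can be run at boot from `<shellcmd>` tags in config.xml. Because every such tag is a command the firewall executes as root on every boot, it is worth auditing them. The script below is an added example (not pfSense's own code and not from anyone in this thread): it parses a constructed config.xml fragment, lists every `shellcmd`/`earlyshellcmd` entry, and flags the two kinds of command this thread argues against, i.e. stripping IPv6 addresses with `ifconfig ... inet6 ... -alias` and writing to `/etc/rc.conf`. It assumes the tags sit under `<pfsense><system>`; the placement, the sample commands and the regexes are assumptions for the example.

```python
"""Audit the boot-time commands a pfSense-style config.xml would run.

Added example, not pfSense project code. Assumption: <shellcmd> and
<earlyshellcmd> elements are direct children of <pfsense><system>.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample fragment (not from a real firewall). Two entries are
# benign, two reproduce the patterns this thread warns against.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw-example</hostname>
    <shellcmd>/usr/local/bin/ntpdate -u pool.ntp.org</shellcmd>
    <shellcmd>ifconfig re0 inet6 0000:0000:0000:0000:0000 -alias</shellcmd>
    <earlyshellcmd>/usr/local/etc/rc.d/custom.sh start</earlyshellcmd>
    <earlyshellcmd>echo 'foo_enable="YES"' >> /etc/rc.conf</earlyshellcmd>
  </system>
</pfsense>
"""

# (pattern, finding) pairs; both findings come from points made in the thread.
RISKY_PATTERNS = [
    (re.compile(r"\binet6\b.*-alias"),
     "removes an IPv6 address, which breaks neighbor discovery (ICMPv6)"),
    (re.compile(r"/etc/rc\.conf\b"),
     "writes to /etc/rc.conf, which pfSense does not keep across boots"),
]


def list_boot_commands(xml_text):
    """Return [(tag, command)] for every shellcmd/earlyshellcmd under <system>,
    in document order."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    if system is None:
        return []
    return [(child.tag, (child.text or "").strip())
            for child in system
            if child.tag in ("shellcmd", "earlyshellcmd")]


def audit_boot_commands(xml_text):
    """Return one dict per boot command with any findings attached."""
    report = []
    for tag, cmd in list_boot_commands(xml_text):
        findings = [why for pattern, why in RISKY_PATTERNS if pattern.search(cmd)]
        if not cmd.startswith("/"):
            # Boot-time PATH is not the interactive shell's PATH; an
            # unqualified command name may resolve differently or not at all.
            findings.append("not an absolute path; the boot-time PATH may differ")
        report.append({"tag": tag, "command": cmd, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_boot_commands(SAMPLE_CONFIG):
        status = "OK " if not entry["findings"] else "WARN"
        print(f"{status} <{entry['tag']}> {entry['command']}")
        for finding in entry["findings"]:
            print(f"       - {finding}")
```

Run it against a real backup of config.xml (System: Backup/Restore) rather than the constructed sample; anything it lists is a command you are trusting with root on every boot, so each entry should be one you recognise.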


  • Banned

    Yes, you are getting millions of entries on your FW log because ICMP is NOT optional with IPv6. Stop doing completely foolish things. First, there's a checkbox in the GUI to disable IPv6 and second you can make a custom FW rule without logging.


  • Netgate Administrator

    @doktornotor:

    First, there's a checkbox in the GUI to disable IPv6 and second you can make a custom FW rule without logging.

    Two good options depending on whether or not you need IPv6 at all.
    The first option is in System: Advanced: Networking: by the way.

    Steve



  • @doktornotor:

    Yes, you are getting millions of entries on your FW log because ICMP is NOT optional with IPv6. Stop doing completely foolish things. First, there's a checkbox in the GUI to disable IPv6 and second you can make a custom FW rule without logging.

    Yes indeed, I've checked the disable IPv6 checkbox in the GUI, though every interface still gets an IPv6 address assigned.
    And let me add this to your sentence; …and IPv6 is NOT optional with pfSense 2.1.x it seems…

    I don't really get where it is foolish to completely disable something you just don't want on one's system; in my case IPv6.
    It's a bit like saying "yes yes, keep these NFS & FTP services running even if you don't use 'em, somebody will at some point..."

    And yes, if you can enlighten me on that custom rule to do in order to get rid of the ICMP6 messages I'd be pleased.
    Because I've tried but the ICMP6 messages kept being logged on every try...

    Thanks,
    cheers,
    m.


  • Banned

    Discussed lots of times on the forum, use the search box. Other than that, you can also disable default rules logging, or simply stop blocking ICMP because it's just completely pointless.

    P.S. IPv6 stopped being optional starting from Windows Vista, it is being used by default on your local network by pretty much every modern OS out there.
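
The two replies above make the same point from different angles: ICMPv6 carries neighbor discovery (RFC 4861) and MLD, so the "noise" is the link doing its job, and the fix is a rule that passes or silently blocks it, not stripping addresses. Before writing that rule it helps to see which message types are actually being logged. The script below is an added example (not pfSense code and not from anyone in this thread): it classifies blocked ICMPv6 messages by type and reports how many are Neighbor Discovery or error messages that hosts depend on. The log lines are constructed in a simplified `action iface proto type src dst` form, not pfSense's filterlog format; `parse_line()` is the one function to adapt for real logs.

```python
"""Classify blocked ICMPv6 messages from firewall log lines.

Added example, not pfSense's own code. The log format is a constructed,
simplified one; adapt parse_line() to the real filterlog format.
"""
from collections import Counter

# ICMPv6 type names (RFC 4443, RFC 4861, RFC 2710/3810). No pfSense data here.
ICMP6_TYPES = {
    1: "destination unreachable", 2: "packet too big", 3: "time exceeded",
    4: "parameter problem", 128: "echo request", 129: "echo reply",
    130: "MLD query", 131: "MLD report", 132: "MLD done",
    133: "router solicitation", 134: "router advertisement",
    135: "neighbor solicitation", 136: "neighbor advertisement",
    137: "redirect", 143: "MLDv2 report",
}
# Neighbor Discovery: without these, address resolution and router
# discovery on the link fail, which is why ICMPv6 is not optional.
NDP_TYPES = {133, 134, 135, 136, 137}
# Error reports that path MTU discovery and normal IPv6 operation rely on.
ERROR_TYPES = {1, 2, 3, 4}

# Constructed sample lines: action iface proto icmp6-type src dst
SAMPLE_LOG = """\
block re0 icmp6 135 fe80::1 ff02::1:ff00:1
block re0 icmp6 136 fe80::2 fe80::1
block re1 icmp6 134 fe80::1 ff02::1
block re1 icmp6 128 2001:db8::5 2001:db8::1
block re0 icmp6 130 fe80::1 ff02::1
block re1 icmp6 133 fe80::9 ff02::2
block re0 icmp6 2 2001:db8::1 2001:db8::7
pass re0 icmp6 135 fe80::7 ff02::1:ff00:7
"""


def parse_line(line):
    """Parse one constructed log line; return None for anything else."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "icmp6":
        return None
    action, iface, _proto, itype, src, dst = fields
    return {"action": action, "iface": iface, "type": int(itype),
            "src": src, "dst": dst}


def summarize(log_text):
    """Count blocked ICMPv6 messages by type and flag the essential ones."""
    records = [r for r in map(parse_line, log_text.splitlines())
               if r is not None and r["action"] == "block"]
    by_type = Counter(r["type"] for r in records)
    # fe80::/10 sources are on-link neighbors talking to the firewall itself.
    link_local = sum(1 for r in records if r["src"].lower().startswith("fe80:"))
    return {
        "total": len(records),
        "by_type": dict(by_type),
        "link_local_sources": link_local,
        "ndp_blocked": sum(c for t, c in by_type.items() if t in NDP_TYPES),
        "errors_blocked": sum(c for t, c in by_type.items() if t in ERROR_TYPES),
    }


def describe(summary):
    """Render the summary as one line per blocked type."""
    lines = []
    for itype, count in sorted(summary["by_type"].items()):
        name = ICMP6_TYPES.get(itype, "other")
        if itype in NDP_TYPES:
            note = "neighbor discovery: hosts need this"
        elif itype in ERROR_TYPES:
            note = "error report: needed for PMTU etc."
        else:
            note = ""
        lines.append(f"type {itype:3d} {name:<24} blocked {count:3d}  {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(describe(s))
    print(f"{s['ndp_blocked']} of {s['total']} blocked messages are neighbor "
          f"discovery; {s['link_local_sources']} came from link-local sources")
```

On real logs the split usually shows that most of the volume is types 133 to 136 from fe80::/10 sources, which is exactly what a pass rule for ICMPv6 on the LAN (or, if you must block, a rule with logging turned off) should cover first.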


  • Netgate Administrator

    Do you have your interfaces set as IPv6 type 'none'?

    Here at home my box has been upgraded since 1.2.3 and hence has IPv6 disabled, I would have to have manually enabled it. I see no IPv6 traffic at all.

    Steve


  • Banned

    Even with IPv6 set to none, the interfaces will have link-local addresses. There is no problem with that really.


  • Netgate Administrator

    I agree it's not a problem. I'm just surprised that I'm seeing absolutely no IPv6 traffic in the firewall logs despite having a variety of OSs running behind the box. Clearly I'm missing something here…  :-\

    Steve


  • Banned

    I guess you do not have the bogons rules enabled, because otherwise you'll see a crapload of useless junk in the logs. I've raised multiple complaints about the stupid 8000::/1 entry in /etc/bogonsv6 but got exactly nowhere with a real solution. (The 8000::/1 entry has already broken DHCPv6 multiple times, most of them probably fixed by some ad-hoc stuff behind the scenes.) Also stuff like SSDP/LLMNR is blocked, so if you create a rule on your LAN that states LAN subnet as source (instead of any), you again get a crapload of firewall hits from fe80::/10 - again, got nowhere. I still cannot see how not blocking IPv4 multicasts but blocking IPv6 multicasts on LANs by default makes any sense or is consistent in any way, but I sincerely give up. Feels like fighting with windmills here.


  • Netgate Administrator

    Ah, OK. I don't have bogons blocked on internal networks, no. However all of my LAN rules are using LAN subnet(s) as the source rather than any; they're IPv4 rules though.

    I have found one IPv6 entry in my firewall log, a blocked outgoing ICMP6 packet from my OpenVPN interface. Seems reasonable! ;)

    Steve

