PfSense boot sequence & files red.
-
Hi all,
New in here... Small question: it is not very clear to me which files I'm able to modify in order to make personal modifications suiting my environment.
For now I've made reboot-safe and steady mods in here:
```
/etc/rc.conf.local
```
Any best practices would be very welcome. Also, is there a way to buy the book about version 2 as a PDF file, or is the only way for now the 99$ subscription? Thanks, best regards, m.
-
The book has gone out to editors so should be released 'soon'. See this thread:
https://forum.pfsense.org/index.php?topic=64781.0
You should not be editing rc.conf.local.
All the pfSense config is stored in the single file config.xml. What alterations are you wanting to make?
Steve
-
Thanks for your reply Steve, and that's excellent news for the book! Will check the thread... Will physical buyers get a digital copy as well? Would be great!!
Back to my eggs here (hehe) and to reply to myself, here is what I've found on your doc website:
NOTE on startup scripts: the usual rc.d scripts added to /usr/local/etc/rc.d/ will not function on a pfSense system. There is no rc.conf and you cannot create one as it will be deleted. You'll need to create your own startup script in /usr/local/etc/rc.d/, just making sure it ends with .sh and is marked as executable (chmod +x), and it will run at boot time. Alternatively, if it's something that can be started with a single command you can easily add a <shellcmd> tag to your config.xml.
from here –> https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages
And toward your question, this is what I'm trying to do:
```
ifconfig re0 inet6 0000:0000:0000:0000:0000 -alias
ifconfig re1 inet6 0000:0000:0000:0000:0000 -alias
ifconfig re2 inet6 0000:0000:0000:0000:0000 -alias
```
I'm getting millions of IPv6 ICMP6 entries in my FW log, which I'm willing to completely shut off (inet6) on the whole subsystem.
Let me know,
regards, m.
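Added example (written by the editor, not code from this thread or from the pfSense project): the two persistence mechanisms the quoted doc note describes, packaged as POSIX sh functions. The rc.d directory, hook name and command are caller-supplied arguments (illustrative, not pfSense names), so the functions can be tried against a scratch directory before anything is written to /usr/local/etc/rc.d/. The check function encodes the note's two conditions: the file name must end in .sh and the execute bit must be set, otherwise pfSense skips the script at boot.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. It packages the two
# boot-time hooks the quoted doc note describes: an executable *.sh script in
# /usr/local/etc/rc.d/ (scripts there without the .sh suffix or the execute
# bit are not run) and a <shellcmd> element for config.xml.
# RC_DIR, NAME and CMD are caller-supplied illustrations, not pfSense names.

# rc_script_ok PATH: succeed only if pfSense would run PATH at boot, i.e. the
# name ends in .sh and the file is executable.
rc_script_ok() {
    case "$1" in
        *.sh) [ -x "$1" ] ;;
        *)    return 1 ;;
    esac
}

# install_boot_hook RC_DIR NAME CMD: write RC_DIR/NAME.sh wrapping CMD, mark it
# executable, verify it with rc_script_ok, and print the resulting path.
# The hook runs as root during boot, so CMD should be a single, tested line.
install_boot_hook() {
    rc_dir=$1 name=$2 cmd=$3
    path="$rc_dir/$name.sh"
    mkdir -p "$rc_dir" || return 1
    printf '#!/bin/sh\n# %s: boot hook written by install_boot_hook\n%s\n' \
        "$name" "$cmd" > "$path" || return 1
    chmod 0755 "$path" || return 1
    rc_script_ok "$path" || return 1
    printf '%s\n' "$path"
}

# shellcmd_xml CMD: render CMD as the <shellcmd> element that belongs in the
# <system> section of config.xml. The characters XML forbids in text (& and <)
# are escaped, and > as well for symmetry, so a command containing a redirect
# or a shell && does not leave config.xml malformed.
shellcmd_xml() {
    esc=$(printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g')
    printf '<shellcmd>%s</shellcmd>\n' "$esc"
}
```

On the firewall itself the call would be something like `install_boot_hook /usr/local/etc/rc.d mytweak 'logger -t boothook started'` (command chosen as a harmless placeholder). For the `<shellcmd>` route, paste the output of `shellcmd_xml` into the `<system>` section of config.xml; pfSense keeps a parsed copy of the config in /tmp/config.cache, so after a hand edit remove that cache or reboot so the change is actually read.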
-
Yes, you are getting millions of entries on your FW log because ICMP is NOT optional with IPv6. Stop doing completely foolish things. First, there's a checkbox in the GUI to disable IPv6 and second you can make a custom FW rule without logging.
-
First, there's a checkbox in the GUI to disable IPv6 and second you can make a custom FW rule without logging.
Two good options depending on whether or not you need IPv6 at all.
The first option is in System: Advanced: Networking, by the way.
Steve
-
Yes indeed, I've checked the disable IPv6 checkbox in the GUI, though every interface still gets an IPv6 address assigned.
And let me add this to your sentence: ...and IPv6 is NOT optional with pfSense 2.1.x, it seems... I don't really get where it is foolish to completely disable something you just don't want on one's system; in my case IPv6.
It's a bit like saying "yes yes, keep these NFS & FTP services running even if you don't use 'em, somebody will at some point..." And yes, if you can enlighten me on that custom rule to do in order to get rid of the ICMP6 messages I'd be pleased.
Because I've tried but the ICMP6 messages kept being logged on every try... Thanks,
cheers,
m.
-
Discussed lots of times on the forum, use the search box. Other than that, you can also disable default rules logging, or simply stop blocking ICMP because it's just completely pointless.
P.S. IPv6 stopped being optional starting from Windows Vista, it is being used by default on your local network by pretty much every modern OS out there.
-
Do you have your interfaces set as IPv6 type 'none'?
Here at home my box has been upgraded since 1.2.3 and hence has IPv6 disabled, I would have to have manually enabled it. I see no IPv6 traffic at all.
Steve
-
Even with IPv6 set to none, the interfaces will have link-local addresses. There is no problem with that really.
-
I agree it's not a problem. I'm just surprised that I'm seeing absolutely no IPv6 traffic in the firewall logs despite having a variety of OSs running behind the box. Clearly I'm missing something here… :-\
Steve
-
I guess you do not have the bogons rules enabled, because otherwise you'll see a crapload of useless junk in the logs. I've raised multiple complaints about the stupid 8000::/1 entry in /etc/bogonsv6 but got exactly nowhere with a real solution. (The 8000::/1 entry has already broken DHCPv6 multiple times, most of them probably fixed by some ad-hoc stuff behind the scenes.) Also stuff like SSDP/LLMNR is blocked, so if you create a rule on your LAN that states LAN subnet as source (instead of any), you again get a crapload of firewall hits from fe80::/10 - again, got nowhere. I still cannot see how not blocking IPv4 multicasts but blocking IPv6 multicasts on LANs by default makes any sense or is consistent in any way, but I sincerely give up. Feels like fighting with windmills here.
-
Ah, OK. I don't have bogons blocked on internal networks, no. However, all of my LAN rules are using LAN subnet(s) as the source rather than any; they're IPv4 rules though.
I have found one IPv6 entry in my firewall log, a blocked outgoing ICMP6 packet from my OpenVPN interface. Seems reasonable! ;)
Steve