Packages wishlist?
-
@ermal:
Since there are so many requests for different things I want just to ask a simple question:
Will detailed docs on making a package bring more patches/packages developed by the requesters?
I might throw some time to making a detailed doc on how to create a package for pfSense if I see some interest from people.
Absolutely.
Again, ditto. I've been screwing around with some of the inc's and xml's in the packages I've installed, which is cool and all, but the package system is slightly arcane, and I would be far more likely to actually create a package if there were some kind of package docs than currently…turns out, the current situation is likely enough since I'm going to create a package, but that's beside the point. :)
-
Doc(s) on how to build packages would be awesome. I am REALLY wanting to build the bits for installing Dansguardian on pfsense.
- 12 days later
-
SpamAssassin
PGP encryption
keystroke encryption
bot/malware/trojan/scanner
keylogger protection
- 20 days later
-
I would love to see a cacti package, it shouldn't be that hard to do.. it's just that I don't have any unix/freebsd knowledge.
The current RRD graphs can only be seen after logging in, I would love to place some graphs on our intranet page for our users to see. Cacti should allow us to do this and also provide more graphing options.
-
Radius server, not radius protocol, radius server ;D
- 14 days later
-
ntop, again :)
- 29 days later
-
adzapper
-
Maybe we should start a new thread and ask which packages people would like to run on pfSense in appliance mode. Since we have the ability to run pfsense with one NIC and no NAT there may be more interesting requests.
Here is the link in case someone would like to read about the variety of appliance uses for pfsense.
http://www.pfsense.org/index.php?option=com_content&task=view&id=71&Itemid=81
Wireless Access Point
VPN Appliance
Sniffer Appliance
DHCP Server Appliance
DNS Server Appliance
Voice over IP (VoIP) Appliance
With the nice package manager and active user base I bet there are more good ideas out there. I have read in other threads some people mention file sharing. That was discarded by some saying it's a firewall, you don't want to run samba on it.
Now it seems pfsense is an appliance also.
-
Appliance ideas:
Database Server (with replication)
Web Server
Streaming Music Server
Streaming Video Server
Email Server
Dev Server (options for CVS, SVN, GIT, wiki)
Mirror Client and Server
Session Border Controller
- 16 days later
-
Some of these Appliance ideas are incorporated into FreeNAS, a related fork of m0n0wall.
I still haven't found the webserver solution I've been looking for. I want an embedded OS to run a webserver, with the /www/doc/ directory on a USB stick (diskless system). FreeNAS will do this just fine, but doesn't have per-directory authentication.
-
Here we go…
Postfix + Dovecot POP server + procmail + blockmail.pl + spam assassin + clamav or other antivirus.
A complete client / server mail.
Connect to a mail server, receive e-mails, scan for virus, use procmail + blockmail to police what is coming from (copy or not to another e-mail local account) and store in server.
In LAN, users can push the e-mail stored in server.
For send e-mail, listed users that can send and an option to copy to other mail what is sent, scan for virus, block attachments, add to e-mail body the message warning about audit.
I can help with commands or manually configure. A GUI for that inside pfsense would be very very good.
-
How about Nagios? I'm looking forward to have it on my pfsense box.
-
First, I would think it would be best to get the core elements 100% stable. Then get add-on packages like Squid Proxy, SquidGuard, IDS… working as stable as possible.
I would definitely like to help out schools that can't afford a lot for technology on pfSense, but problems with SquidGuard put a serious damper on that. See Google SafeSearch bug in the forum. Simple problems like this can seriously limit utilization of pfSense.
I have two schools right now that need something like pfSense. I have to corporate donated hardware, just can't get the software that works.
Charlie
- 9 days later
-
1 - Peerguardian style package. Something to block out those bad ip's ;) Needs to have peerguardian style auto update blocklists. To me this is a big priority as there is not much for 64 bit windows support for this style of program. Having this feature at the router makes the most sense anyways.
2 - email. It actually would be nice to have an email appliance with webmail. I'm looking at clarkconnect, but only for the email functionality, as the rest is definitely lacking compared to pfsense.
It's hard to really ask for much more.
-
I have not read thru all 14 pages of the wishlist so I'm not sure if this has been suggested or not.
One of the unique features that is available in Windows SBS servers is Remote Web Workspace (RWW). That feature is not available with any other version of windows or as standalone because it replaces the functionality of a terminal server to some extent. And Terminal Server CALs bring MS a lot of that green stuff.
For those that do not know what RWW is, please do a google search. A video or two of it in action is on the net. Also this: http://www.sbsfaq.com/Lists/FAQs/Attachments/135/Remote%20Web%20Workplace%20-%20Part%201.pdf is a good article on how RWW works behind the scenes.
Now back to the idea of a package: the way I see it, all the functionality that is needed to make an RWW-alike package (I'll call it RDP Portal) is already available in pfSense.
Here is how I think the package should work:
The package:
1. Maintains a list of all machines on the private side (interfaces and network ranges configurable/selectable) that can be RDP-ied to. This list can either be manually generated, imported, or generated by doing a scan of the network(s) for machines that listen on TCP:3389 (port selectable in config.) Use DNS to resolve the names (that was understood, why did I even mention it.)
2. Presents a web page on the public side (again interface and IP selectable) that acts as the portal for the RDP Proxy. Once the users log in (authentication based on Kerberos or Radius), they are presented with a list of machines they can RDP into. Some form of access control list can probably be introduced through LDAP or other means here to restrict which machines the user gets to see in that list. Also a TCPPing can probably be done to only list machines that are active. May have to be a background scheduled TCPPing so that the network is not jammed by these when the list needs to be displayed to the portal client.
3. When a user selects a machine to connect to, a port forwarding rule is created on the fly that maps a dynamic high port (would be nice if a usable port range can be defined and a port from it is randomly selected) on the selected IP on the WAN side, mapping it to port 3389 of the target machine. At the same time a firewall rule is created between the IP that the client contacted the portal with and the RDP machine he chose to connect to. This is where this solution would differ from the MS RDP Proxy they implement in SBS. They proxy the connections and we will be doing this using port forwarding.
4. The RDP portal web page then redirects the user to a page with the ActiveX embedded RDP client to open an RDP connection for the client to the desired machine.
5. Does some sort of states monitoring to see when the connection ends or dies at which point both the port forwarding rule and the access rule can be removed (possibly with a delay since I think the RDP client does try to reestablish the session if for some reason it is lost.)
That is pretty much all I can think of to include in a package like that. I'm sure others can probably add some nifty features to it.
Now there may be security related ramifications of such a package because it would essentially be a scripted mechanism with root access.
I may have some time starting third week of February to possibly start developing a package like this. But I'm not going to be able to do it on my own. Will need help. Probably lots of it.
Thanks,
Shahid
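Steps 3 and 5 of the RDP Portal proposal above, sketched as an added example (not part of the original post and not pfSense code): each session gets a random port from a configured range, a forward and a pass rule scoped to the portal client's source address, and removal on expiry. The class and method names, the default port range, the fixed lifetime standing in for state monitoring, and the FreeBSD pf `rdr`/`pass` rule text are assumptions.

```python
import ipaddress
import secrets
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    client_ip: str
    target_ip: str
    wan_port: int
    expires_at: float

class RdpPortal:
    """Per-session forwards for the proposed portal (hypothetical names and defaults)."""

    def __init__(self, wan_if, wan_ip, lan_net, port_range=(40000, 40999), ttl=300):
        self.wan_if = wan_if
        self.wan_ip = str(ipaddress.ip_address(wan_ip))
        self.lan_net = ipaddress.ip_network(lan_net)
        self.port_range, self.ttl = port_range, ttl
        self.leases = {}  # wan_port -> Lease

    def open(self, client_ip, target_ip, now=None):
        now = time.time() if now is None else now
        # Parse both addresses so only a valid IP can ever reach the rule text.
        client = ipaddress.ip_address(client_ip)
        target = ipaddress.ip_address(target_ip)
        if target not in self.lan_net:
            raise ValueError("target is outside the permitted LAN range")
        lo, hi = self.port_range
        free = [p for p in range(lo, hi + 1) if p not in self.leases]
        if not free:
            raise RuntimeError("port range exhausted")
        port = secrets.choice(free)  # unpredictable pick from the configured range
        self.leases[port] = Lease(str(client), str(target), port, now + self.ttl)
        return self.leases[port]

    def expire(self, now=None):
        """Drop leases past their lifetime; returns the WAN ports that were freed."""
        now = time.time() if now is None else now
        dead = sorted(p for p, l in self.leases.items() if l.expires_at <= now)
        for port in dead:
            del self.leases[port]
        return dead

    def rules(self):
        """pf text for the active leases: translation rules first, then filter rules."""
        active = sorted(self.leases.values(), key=lambda l: l.wan_port)
        rdr = [f"rdr on {self.wan_if} proto tcp from {l.client_ip} to {self.wan_ip} "
               f"port {l.wan_port} -> {l.target_ip} port 3389" for l in active]
        allow = [f"pass in quick on {self.wan_if} proto tcp from {l.client_ip} "
                 f"to {l.target_ip} port 3389 keep state" for l in active]
        return rdr + allow
```

Because both rules name the client's source address, the forwarded port is not reachable from any other host while the lease is active.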
- 22 days later
-
I want and need really bad a reporting system such as lightsquid for firewall rules in pfsense.
-
How about a x64 version and a VMWare package?? Seriously, what better to run on a firewall than a VM?? You could install a Host OS on a protected OS.
-
How about a x64 version and a VMWare package?? Seriously, what better to run on a firewall than a VM?? You could install a Host OS on a protected OS.
Until VMWare actually runs on FreeBSD, there's zero chance of it becoming a package. An amd64 port is in the works, but for fairly obvious reasons also won't be a package :)
–Bill
-
wanted:
OSSEC HIDS package for pfSense !
- 13 days later
-
Re: the question about docs -
If you can provide some better docs and how-to for the XML/GUI portion of the packaging, I will probably be able to provide a dnscache package. I want it, and there seem to be other people who want it; IMHO a fast caching resolver is a big win for a network with slower upstream connectivity, and it goes great with squid too. (It would be nice to implement it with an option for forward-only vs. full caching recursive resolver.)
I've done a lot of FreeBSD work, including building a near-appliance system of packages for a spam filtering system. I have a home FreeBSD system to develop on (at 6.4 currently) and the dnscache binary package should be easy; I've built lots of packages before, and that might even be available for 7.1 from the FreeBSD package repository.
It's just understanding what's involved in hooking it in that's an issue for me - how to map setting up the configuration, forwarders/root servers, etc. into the pfSense menus, and whether there's actual PHP code to write or not.
-
It's just understanding what's involved in hooking it in that's an issue for me - how to map setting up the configuration, forwarders/root servers, etc. into the pfSense menus, and whether there's actual PHP code to write or not.
This might help you:
http://devwiki.pfsense.org/PfSenseDevHome
–> http://devwiki.pfsense.org/PackageInfo
-
This might help you:
http://devwiki.pfsense.org/PfSenseDevHome
–> http://devwiki.pfsense.org/PackageInfo
Thank you! I had looked at the wiki previously, but hadn't found that overview page.
- 14 days later
-
PF SENSE as a Dynamic DNS server
can something like this be implemented
http://code.blitzaffe.com/pages/phpscripts/files/ddns_server_54-35
-
What about Dans Guardian???
- 9 days later
-
Hi
A preprocessor for Snort that blocks the packets that match the rules before they ever reach the target, and makes the Snort implementation a true IPS, would be nice.
-
DenyHosts. I was able to install it with the pkg_add command, so it shouldn't be that hard, right?
I would love to help if someone can tell me what I need to do to get this package made, maybe an example.
- about a month later
-
A USER TRACE MODULE!!
Kind of simple, i think : a module which when activated, logs everything regarding a certain authenticated user, from captive portal for instance. You go on the GUI, then type in the name of the user and here it goes, it displays you all the websites the user went to, and when he logged in etc…
Doing the same with pfsense requires logging systems to a syslog, and transferring squid log files to a server, and you have to check each file to find what you're looking for. This module could be really useful, and totally push to garbage products like zyxel G4100 or Ucopia boxes...
-
snort is already there use pfSense 1.2.3 RC1 and then look under packages.
- 2 months later
-
TOS/DSCP set and reset (or TOS/DSCP remarking)
- 9 days later
-
I would like to see a package that analyzes all traffic and organizes it in the same way that lightsquid does it. NTOP is the only package that comes close, but I found it unstable and the information is scattered.
For example each day you get a list of all your host ip addresses and underneath it will have all the sorted protocols used by that ip address and the ip addresses that it connected to.
192.168.1.28
HTTP
1 v7.cache5.c.youtube.com 1 24.9 M 24.9 M 18.1%
FTP
Sent
1 ftp.ftp.com 1 24.9 M 24.9 M 18.1%
Received
1 ftp.ftp.com 1 14.7 M 14.7 M X%
- 12 days later
-
How about the R-U-ON server monitoring agent (http://www.r-u-on.com)?
- 25 days later
-
SS5 is a socks server that implements the SOCKS v4 and v5 protocol.
ports/net/ss5/
http://ss5.sourceforge.net/
Has many good features, like bandwidth control per user, balancing, and works with ldap.
-
http://update-accelerator.advproxy.net/
This looks fantastic and would be an awesome add-on for saving bandwidth. It caches updates from:
* Adobe
* Apple
* Avast
* Linux (.deb and .rpm)
* Microsoft
* Symantec
* Trend Micro
and you can add custom download sites too. It's been written specifically for IPCop - so I have no idea how hard it would be to "port".
From the Site:
The Update Accelerator caches files from update sites automatically at the first request. All subsequent downloads of these files from other clients will be processed with LAN speed. Even though the standard Web Proxy cache does almost the same job, there are important differences between the Web Proxy cache and the Update Accelerator cache.
For example, it would be difficult to store, reliably, a Service Pack with a size of about 300MB in the Web Proxy cache. Unlike a Web Proxy with its internal cache and uncontrollable results, the Update Accelerator works rather in a similar way to a File Server - dead reliable and independent of any Proxy cache size or replacement strategy.
-
http://update-accelerator.advproxy.net/
This looks fantastic and would be an awesome add-on for saving bandwidth. It caches updates from:
* Adobe
* Apple
* Avast
* Linux (.deb and .rpm)
* Microsoft
* Symantec
* Trend Micro
and you can add custom download sites too. It's been written specifically for IPCop - so I have no idea how hard it would be to "port".
From the Site:
The Update Accelerator caches files from update sites automatically at the first request. All subsequent downloads of these files from other clients will be processed with LAN speed. Even though the standard Web Proxy cache does almost the same job, there are important differences between the Web Proxy cache and the Update Accelerator cache.
For example, it would be difficult to store, reliably, a Service Pack with a size of about 300MB in the Web Proxy cache. Unlike a Web Proxy with its internal cache and uncontrollable results, the Update Accelerator works rather in a similar way to a File Server - dead reliable and independent of any Proxy cache size or replacement strategy.
With the right settings, Squid will happily cache updates, including service packs, as long as you have the proper directives in the config.
I have it caching updates for my repair bench and it does a great job. It does the adobe updates without any special config, too.
http://doc.pfsense.org/index.php/Squid_Package_Tuning#Caching_Windows_Updates
- 14 days later
-
Hi I'm using nagios & nrpe a lot, so many thanks for added nrpe package!
..but it would be great to change/add a few things:
* I need to be able to add some custom commands to nrpe.cfg via GUI, at this moment I have to manually place them in /usr/local/pkg/nrpe2.xml
(not sure if it is possible to do in other way at this moment)
* it would be great to include a test for the "warning" and "critical" command parameters in /usr/local/pkg/nrpe2.inc . At this moment after configuration via GUI I have in nrpe.cfg :
command[check_myhost_ssh]=/usr/local/libexec/nagios/check_ssh -w -c -t 20 -H my.host.net
and as a result:
/usr/lib/nagios/plugins/check_nrpe -n -H 192.168.55.11 -p 5666 -c check_myhost_ssh
Usage:check_ssh [-46] [-t <timeout>] [-r <remote version>] [-p <port>] <host>
I think something like next would be good:
diff /usr/local/pkg/nrpe2.inc.orig /usr/local/pkg/nrpe2.inc
147c147,151
< $cmds[] = "command[{$cmd['name']}]=/usr/local/libexec/nagios/{$cmd['command']} -w {$cmd['warning']} -c {$cmd['critical']} {$cmd['extra']}\n";
–-if (isset($cmd['warning'])) {
$cmds[] = "command[{$cmd['name']}]=/usr/local/libexec/nagios/{$cmd['command']} -w {$cmd['warning']} -c {$cmd['critical']} {$cmd['extra']}\n";
} else {
$cmds[] = "command[{$cmd['name']}]=/usr/local/libexec/nagios/{$cmd['command']} {$cmd['extra']}\n";
}
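Review bot: the new `if (isset($cmd['warning']))` test in the replacement for line 147 checks only the warning field but then emits both `-w` and `-c`, so a command with a warning and no critical value still ends up with a bare `-c`. isset() is also true for an empty string, so if the GUI saves a blank field as '' the first branch still runs and produces the same `-w -c` shown in the nrpe.cfg line above. Suggest testing each field on its own with a non-empty check and appending `-w` and `-c` separately; since these values are written straight into a command line, it is also worth restricting them to the threshold characters the plugins accept.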
188c192
* also there is still a bug in the nagios-plugins-1.4.13,1 which it would be great to resolve:
/usr/local/libexec/nagios/check_procs -w 5 -c 10 -s Z
/libexec/ld-elf.so.1: /lib/libc.so.7: version FBSD_1.1 required by /usr/local/libexec/nagios/check_procs not found (and this is a bit annoying …)
(this is the only plugin which requires FBSD_1.1, all other are ok with FBSD_1.0)
Many thanks in advance
-
-
Dansguardian! If Comixwall (an OpenBSD based firewall) was able to use this I see no reason why pfSense can't. IMSpector for SMTP to monitor rogue employees leaking out confidential information would be a welcome addition.
-
DNS Blacklist package, OpenDNS and SquidGuard can all block domains like DANS guardian can.
-
Yes, a combination of those certainly can but it's not as flexible as Dansguardian. A lot of guys are clamoring for it to be included. If others were able to include it, so could we.
-
OSPF/bgp package support (see www.qugga.net) it's OSPF/BGP package support . Package for solaris, redhat and linux platform exist none Freebsd package at this moment. But source available, and BGP works fine (not like openBGP ;-) sorry..;-))
- 28 days later
-
hi
my pfsense has squid as a transparent proxy and I want to use a DNS black list, can it work???