Messages - Harvy66

1
As a rule of thumb, not sure if there are any exceptions, the rules you specify in the UI only apply to newly created states. Packets that are out of state will never hit your manually created rules.

2
Firewalling / Re: MAC Filtering on PF
« on: Yesterday at 03:09:52 pm »
1) MAC addresses are not associated with countries, for the most part
2) MAC addresses are only link local. You will only ever see the single MAC address from your ISP's gateway.

3
2.4 Development Snapshots / Re: Disk Usage Space Error
« on: Yesterday at 03:06:47 pm »
If you're using ZFS and have a snapshot or some other FS level object that references old blocks, "deleting" files does not clear out the data.

4
Traffic Shaping / Re: Traffic shaping on three VLANs with HFSC
« on: December 07, 2017, 09:01:38 am »
Shaping is per interface and ALTQ only shapes egress. Sharing state across interfaces would be a nightmare from a performance and implementation complexity standpoint.

That being said, you can use limiters to shape ingress on the WAN and "share" bandwidth that way.

5
General Discussion / Re: pfsense 2.4.2 upnp bug?
« on: December 06, 2017, 04:01:33 pm »
pfSense by default trusts the LAN and not the WAN. The deny by default logic only applies for untrusted interfaces. LAN side, UPNP, DHCP, DNS, management, SSH, etc are all allowed.

6
General Questions / Re: Is pfsense FIPS 140-2 complainant
« on: December 05, 2017, 07:03:02 am »
Doing a quick wiki, FIPS 140-2 is about physical security.

Quote
Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

It's logically impossible for software to comply with this.

FIPS 140 seems to be about cryptographic modules. pfSense/FreeBSD may use some cryptographic modules, but are not themselves cryptographic modules.

7
Traffic Shaping / Re: Traffic shaping on three VLANs with HFSC
« on: December 04, 2017, 11:30:42 am »
Personally, I never had any luck with the wizard and just manually setup shaping. It took me less time to figure it out on my own than reading how to use the wizard.

8
Traffic Shaping / Re: playing with fq_codel in 2.4
« on: December 04, 2017, 11:29:40 am »
I assume the "net.inet.ip.dummynet.fqcodel" settings you mentioned in your just prior post.

9
Traffic Shaping / Re: playing with fq_codel in 2.4
« on: December 01, 2017, 10:35:20 am »
Your target should also be at least 1.5x how long it takes to send an MTU amount of data at your bandwidth. Cake does this automatically, as they found that general limit works well.

The reason for this is you don't want a single MTU sized packet to trip the drop logic.

10
Hardware / Re: Powerful Hardware Recommendation Please
« on: December 01, 2017, 10:30:36 am »
A 30 watt envelope with full 1Gb, plus VPN, plus IPS is probably impossible with any non-ASIC technology for at least the next 5 years.

11
Firewalling / Re: Help understanding firewall rule behaviour
« on: November 28, 2017, 11:35:50 am »
Cellphones are notorious for these invalid states.

12
Firewalling / Re: Block ICMP Flooding
« on: November 28, 2017, 08:32:42 am »
They're sending spoofed packets. Trivial to do. You learn how to do this in network 101. You can't stop traffic from hitting you, only ignore the traffic. The same way a bullet proof vest doesn't stop someone from shooting at you. A firewall doesn't stop a fire, it stops a fire from spreading.

13
Hardware / Re: NIC for PFSense
« on: November 28, 2017, 08:29:35 am »
Nice to know. Annoying that Intel lists that NIC as supporting the yottamark when it does not come with one. It's quite confusing.

14
Hardware / Re: NIC for PFSense
« on: November 27, 2017, 03:15:52 pm »
It could be because of OEM, but according to https://www.intel.com/content/www/us/en/support/articles/000007074/network-and-i-o/ethernet-products.html Intel® Gigabit CT NICs should have a yottamark.

https://www.intel.com/content/www/us/en/support/articles/000007074/network-and-i-o/ethernet-products.html
Quote
This article applies to:
Active Products

Intel® Ethernet Converged Network Adapter X540-T1 Intel® Ethernet Converged Network Adapter X540-T2 Intel® Ethernet Converged Network Adapter X520-T2 Intel® Ethernet Converged Network Adapter X520-SR2
Intel® Ethernet Converged Network Adapter X520-SR1 Intel® Ethernet Converged Network Adapter X520-QDA1 Intel® Ethernet Converged Network Adapter X520-LR1 Intel® Ethernet Converged Network Adapter X520-DA2 Intel® 10 Gigabit AF DA Dual Port Server Adapter Intel® 10 Gigabit AT2 Server Adapter Intel® 10 Gigabit XF SR Server Adapter Intel® 10 Gigabit XF SR Dual Port Server Adapter Intel® Gigabit CT Desktop Adapter  Intel® Gigabit CT Desktop Adapter Series Intel® PRO/1000 CT Network Connection Intel® PRO/1000 CT Adapter Series Intel® PRO/1000 GT Desktop Adapter Intel® PRO/1000 GT Desktop Adapter Series Intel® PRO/1000 MT Desktop Adapter Series Intel® PRO/1000 PM Network Connection Intel® PRO/1000 PM Adapter Series Intel® PRO/1000 PT Desktop Adapter Series Intel® PRO/1000 T Desktop Adapter Series Intel® Ethernet Server Adapter I210-T1 Intel® Ethernet Server Adapter I340-F4 Intel® Ethernet Server Adapter I340-T4 Intel® Ethernet Server Adapter I350-T2 Intel® Ethernet Server Adapter I350-T4 Intel® Gigabit EF Dual Port Server Adapter Intel® Gigabit ET2 Quad Port Server Adapter Intel® Gigabit ET Dual Port Server Adapter Intel® Gigabit ET Quad Port Server Adapter Intel® PRO/1000 GT Quad Port Server Adapter

The only official way to tell if you have a "Genuine Intel® Network Adapter" is the yottamark, according to their website. There may be exceptions, but their website makes it sound like no yottamark means it's not genuine.

15
Wow, no mention of the $120 3.6GHz quad-core i3-8100?
