

Topics - hendersonmc

IPv6 / Logged, but not formatted
« on: March 10, 2018, 02:46:36 pm »
I was investigating IPv6 link local traffic and wrote a rule to pass and log all link local traffic.

I was surprised to find out that at least one of the packets logged did not show up at all under the formatted output.

Can anyone explain what controls this behavior?

Installation and Upgrades / VGA console video configuration
« on: May 11, 2017, 09:57:39 am »
I have a pfsense system that I built from a D2500 SBC. It has a VGA output, and I hooked up my old Nokia Multigraph 446Xpro monitor to it. The video refresh rate is a paltry 31.5kHz, which limits text to about 80 characters across the screen... barely enough for the "*** Welcome to pfSense..." banner to display on a single line.

Is there a way through the Shell interface to drive higher resolution video?

IPv6 / Key for dhcp6ctl
« on: January 31, 2017, 05:16:34 pm »
You may have noticed the following in your DHCP log entries:

Jan 31 16:18:15   dhcp6c   20803   failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jan 31 16:18:15   dhcp6c   20803   failed initialize control message authentication
Jan 31 16:18:15   dhcp6c   20803   skip opening control port

These error messages appear when the dhcp6c process (which is responsible for interacting with a remote DHCP6 server) tries to open a TCP control port to receive commands from the dhcp6ctl command. The intent is to authenticate each command using HMAC-MD5 as the hash algorithm. Since there is no /usr/local/etc/dhcp6cctlkey in the pfsense file system, the process inhibits receiving commands, which from a security perspective is the safe course of action.

If errors annoy you as much as they annoy me, just create the file with any secret one-line phrase that you like, encoded in base-64.

You can use this link to encode your secret phrase  
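As an added example (not code from the original post or from pfSense), a small Python routine that creates the key file the log lines complain about and a check that verifies an existing one. It follows the post's description of the format (one line of base64 text at /usr/local/etc/dhcp6cctlkey, the path from the log message) but uses random bytes rather than a typed passphrase, and creates the file readable by root only, since anyone who can read it can authenticate to the control port. The mode-0600 requirement is a hardening choice made here, not something the post states.

```python
"""Create and validate a dhcp6c control key file (added example, not part of
the original post). Format assumed from the post: a single base64 line."""
import base64
import os

DEFAULT_PATH = "/usr/local/etc/dhcp6cctlkey"   # path from the log message


def make_dhcp6c_key(path=DEFAULT_PATH, nbytes=32):
    """Write a fresh random base64 key to path (mode 0600, written via a
    temp file so a crash never leaves a half-written key) and return it."""
    key = base64.b64encode(os.urandom(nbytes)).decode("ascii")
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key + "\n")
    os.replace(tmp, path)
    return key


def check_dhcp6c_key(path=DEFAULT_PATH):
    """Return a list of problems with an existing key file; [] means OK."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s (dhcp6c will skip opening its control port)"
                % path]
    if st.st_mode & 0o077:
        problems.append("group/world accessible: mode %o"
                        % (st.st_mode & 0o777))
    with open(path, "rb") as f:
        lines = f.read().splitlines()
    if len(lines) != 1:
        problems.append("expected exactly one line, found %d" % len(lines))
    else:
        try:
            base64.b64decode(lines[0], validate=True)
        except ValueError:             # binascii.Error is a ValueError
            problems.append("line is not valid base64")
    return problems


if __name__ == "__main__":
    # Run as root on the firewall to create the real file; any other path
    # works for a dry run.
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    if check_dhcp6c_key(target):
        make_dhcp6c_key(target)
    print(target, "->", check_dhcp6c_key(target) or "OK")
```

Restart dhcp6c (or release/renew the WAN) after creating the file so it picks the key up.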

Firewalling / Firewall fails to match traffic with ACK flag
« on: December 29, 2016, 11:14:31 am »
I have setup my firewall to pass whitelisted LAN traffic, with a final rule to reject everything else with logging. My expectation was that this would result in no log entries for the protocols I have passed, but my experience has been that there often are log entries that show the final rule is blocking traffic that I know I have a rule to pass.

Dec 29 10:22:20   LAN    What is this? (1461874052)   TCP:FA
Dec 29 10:22:20   LAN    What is this? (1461874052)   TCP:PA
Dec 29 09:31:37   LAN    What is this? (1461874052)   TCP:FA

There is a rule to pass all traffic matching a LAN Net source address and Port 80 destination on my LAN interface. My expectation is to NOT see these entries, but the only way to rid myself of them is to duplicate the rule and go to the advanced settings to check for the ACK flag, out of just the ACK flag. This workaround rids me of these false alarm log entries, and I have done it for multiple TCP protocols now.

Why does the firewall fail to match the traffic if it has an ACK flag?

IPv6 / Comcast IPv6 address issue
« on: December 14, 2016, 05:37:30 pm »
Having trouble getting IPv6 running again.

My ISP was Earthlink, who used Comcast to provide me with broadband via a cable modem. A couple of years ago, IPv6 started working with my pfsense router/firewall automatically based on the default configuration settings for WAN and LAN. This worked until my Comcast-provided cable modem died. After replacing it, IPv6 was lost as the WAN quit getting an IPv6 address through DHCP6. I tried and failed to convince anyone to reconfigure, so I went to for an IPv6 tunnel, which worked OK until my IPv4 address changed (replacing another broken cable modem was the cause of this). A little digging allowed me to correct my configuration to point to the new IPv4 address and everything worked again. Until this month.

I got a letter at the beginning of the month from Comcast saying Earthlink was being bought out and my service would become exclusively provided by them by the end of the month. Naturally, they did not wait. Once again, my IPv4 address changed and IPv6 tunneling was broken. Hoping that I could get IPv6 support directly, I plugged my Mac directly into the cable modem and was pleased to see that I had a public IPv6 address. Testing the configuration gave me a score of 19/20 successful tests. I got a 10 out of 10 from

So, I proceeded to delete my tunneling configuration, disable the DHCP6 server for the LAN, and setup WAN for DHCP6 and LAN with Track Interface for my IPv6 Configuration Type. Alas, this did not work!

After digging into the details, I noticed that the IPv6 address has a prefix length of 128 bits. The WAN Interface status shows "Gateway IPv6 fe80::xxxx:xxxx:xxxx:xxxx"; an IPv6 Link Local address. My Mac also gets no public IPv6 address plugged into the LAN.

I tried to revert my LAN back to a static IPv6 address and run the "DHCP6 Server & RA" that I was using from my tunneling. My Mac got the IPv6 address that I had previously configured. However, it still was not routing traffic via IPv6 to the internet. So, I was using half of the configuration to get an address, leading me to conclude that the address for my Mac was not the issue.

Finally, I redefined the GIF, assigned the GIF to an OPT1 interface and reenabled. WAN still has a DHCP6 configuration setting and a valid IPv6 address from Comcast. I get 19/20 from, so, as good as my Mac connected directly to the Comcast cable modem.

Can anyone think of something different I could try to get a working IPv6 configuration without tunneling? Also, can I retain the DHCP6 configuration for my LAN... I really hate IPv6 addresses that are randomly assigned.

Firewalling / Blocking traffic on same LAN segment
« on: December 05, 2016, 03:40:48 pm »
I am quite confused with why my firewall is logging the following blocked traffic.

Here is the raw log
Dec 5 14:27:51   filterlog: 484,16777216,,1461874052,em1,match,block,in,4,0x0,,128,24459,0,none,17,udp,79,,,56294,161,59

My confusion is for multiple reasons

1. The two addresses listed are on the same Ethernet segment. My firewall has an address of, so a unicast message between and should not even make it to the interface (switches are smart), and if it did, I would think the Ethernet address would block further processing of the message in the chip that implements Ethernet.

2. The rule listed is the last rule, which rejects all LAN traffic not permitted by previous rules. I have a rule that allows TCP/UDP protocol for an alias of ports including SNMP port 161 traffic destined for an alias of addresses for the internal LAN devices. The implication is that that rule was not matched.

3. Final confusion is how to interpret the raw log data, which seems to have more data than the formatted log entry. I assume that understanding all the log data will help better understand why this entry was made.

Dec 5 14:53:58   LAN    Reject other (1461874052)   UDP
Dec 5 14:53:58   filterlog: 484,16777216,,1461874052,em1,match,block,in,4,0x0,,128,25088,0,none,17,udp,68,,,52850,161,48

I can tell em1=LAN plus I can guess what 484 and "match,block,in" mean, but that leaves ",16777216,," and ",4,0x0,,128,25088,0,none,17," plus 68 and 48 as unformatted mysteries to me.

4. Not sure I understand how you tell the difference between blocked and rejected traffic in the raw log data either...
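As an added example that is not part of this post or of pfSense, the following Python decodes raw filterlog lines into the named fields the post calls "unformatted mysteries", renders them the way the formatted view does, and picks out the TCP entries that could not have matched a normal pass rule, which is also what the earlier "Firewall fails to match traffic with ACK flag" thread is seeing. The field order is pfSense's filterlog CSV format: rule number, sub-rule number, anchor, tracker ID, real interface, reason, action, direction and IP version, followed by the IP header fields (for IPv4: TOS, ECN, TTL, ID, offset, flags, protocol number, protocol name, length, source, destination) and then the protocol-specific fields (for UDP: source port, destination port, data length; for TCP: ports, data length, TCP flags, sequence, ack, window, urg, options). The tracker ID in the fourth field is what ties a raw line to the rule description ("Reject other") that the formatted view prints; the raw action field is only what pf reported. The first two sample lines are the UDP entries quoted above with placeholder addresses inserted (the post's copies had them stripped); the third is a constructed TCP entry carrying only FIN and ACK.

```python
"""Decode pfSense filterlog entries (added example, not from the post)."""
import re

COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hlim", "proto", "protoid", "length",
        "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

SYSLOG_PREFIX = re.compile(r"filterlog(?:\[\d+\])?:\s*")

# Constructed sample input: the post's two UDP lines with placeholder
# (documentation-range) addresses, plus one made-up FIN/ACK TCP entry.
SAMPLE_LOG = """\
Dec 5 14:27:51 filterlog: 484,16777216,,1461874052,em1,match,block,in,4,0x0,,128,24459,0,none,17,udp,79,192.0.2.10,192.0.2.20,56294,161,59
Dec 5 14:53:58 filterlog: 484,16777216,,1461874052,em1,match,block,in,4,0x0,,128,25088,0,none,17,udp,68,192.0.2.10,192.0.2.20,52850,161,48
Dec 29 10:22:20 filterlog: 484,16777216,,1461874052,em1,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,52,192.0.2.10,203.0.113.5,51000,80,0,FA,10001,20002,65535,,nop;nop;TS
"""


def parse_filterlog(line):
    """Return a dict of named fields for one raw line, or None if the line
    is not a filterlog entry this decoder understands."""
    m = SYSLOG_PREFIX.search(line)
    body = line[m.end():] if m else line
    fields = body.strip().split(",")
    if len(fields) < len(COMMON):
        return None
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    header = {"4": IPV4, "6": IPV6}.get(rec["ipver"])
    if header is None:
        return None
    rec.update(zip(header, rest))
    rest = rest[len(header):]
    proto = rec.get("proto", "").lower()
    if proto == "tcp":
        rec.update(zip(TCP, rest))
    elif proto == "udp":
        rec.update(zip(UDP, rest))
    else:
        rec["extra"] = rest        # ICMP, CARP, ... left undecoded here
    return rec


def format_entry(rec):
    """One-line rendering in the style of the formatted log view."""
    src, dst = rec.get("src", ""), rec.get("dst", "")
    if "srcport" in rec:
        src += ":" + rec["srcport"]
        dst += ":" + rec["dstport"]
    return "%s %s %s %s -> %s (%s)" % (rec["interface"], rec["action"],
                                       rec["proto"].upper(), src, dst,
                                       rec["tracker"])


def tcp_without_syn(records):
    """TCP entries whose flags lack S. pf's default TCP pass rules match
    only the opening packet (flags S/SA) and then rely on the state entry;
    a FIN/ACK or PSH/ACK with no matching state (expired, or never created)
    falls through to the final block rule, which is what "TCP:FA" and
    "TCP:PA" entries against the catch-all rule look like."""
    return [r for r in records
            if r.get("proto", "").lower() == "tcp"
            and "S" not in r.get("tcpflags", "")]


if __name__ == "__main__":
    records = [r for r in map(parse_filterlog, SAMPLE_LOG.splitlines()) if r]
    for r in records:
        print(format_entry(r))
    for r in tcp_without_syn(records):
        print("out-of-state TCP candidate:", format_entry(r), r["tcpflags"])
```

Feed it the output of `clog /var/log/filter.log` (or the raw log view) and look at the `tracker` field to match a raw line against the rule whose description the formatted view shows.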

IDS/IPS / Rule reference links in Snort/Suricata Alerts GUI
« on: May 12, 2016, 02:51:31 pm »
I stumbled upon reference URLs in the Emerging Threats rules that show information about the rule and threat when I was considering rules to disable/enable for an interface. For instance, if you saw the following "ET POLICY Executable served from Amazon S3" description in your alerts for your LAN interface, you could edit the LAN interface, go to the LAN Rules tab, change the selected rule set to the emerging-policy.rules set, scroll down to the rule and double click on it (or click on the SID), and then you get a View Rules Raw Text popup window that shows this:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,; reference:url,; classtype:bad-unknown; sid:2013414; rev:5;)

As you can see from this rule, there are two reference URLs embedded in the rule definition.

What I am wondering is whether the Alerts GUI can be altered to provide any and all links in a convenient way... maybe a column for rule references that displays something like this

1, 2 

that are actually linked respectively to and

Software can do anything, right?
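As an added example, not code from the post or from the pfSense Snort/Suricata packages, the following Python pulls the reference options out of a rule and renders the numbered-links column the post suggests. The rule quoted above is used as one input; its reference values were stripped when the page was captured, so the example has to cope with empty references and renders plain numbers for them. The second rule is a constructed one with made-up reference values, and the reference-type-to-URL prefixes are the conventional ones from Snort's reference.config, an assumption here rather than anything on the page.

```python
"""Extract reference links from Snort/Suricata rules (added example)."""
import html

# Conventional prefixes (assumed; Snort's reference.config is the real source).
REFERENCE_PREFIXES = {
    "url": "http://",
    "cve": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
}

# Rule quoted in the post (its reference values are missing in the capture).
PAGE_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
             '(msg:"ET POLICY Executable served from Amazon S3"; '
             'flow:established,to_client; content:"Server|3A| AmazonS3"; '
             'http_header; file_data; content:"MZ"; within:2; '
             'byte_jump:4,58,relative,little; content:"PE|00 00|"; '
             'distance:-64; within:4; reference:url,; reference:url,; '
             'classtype:bad-unknown; sid:2013414; rev:5;)')

# Constructed rule with placeholder references. A literal ';' inside a
# content match must be written |3B| or \; so the splitter tracks quotes
# and backslash escapes instead of splitting blindly on ';'.
SAMPLE_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
               '(msg:"EXAMPLE Outbound beacon"; content:"GET /a|3B|b"; '
               'reference:url,example.com/notes; reference:cve,2014-0160; '
               'classtype:trojan-activity; sid:9000001; rev:1;)')


def split_options(option_text):
    """Split the option body on ';' characters outside double quotes."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in option_text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule):
    """Return (header, [(option, value), ...]); bare options get value ''."""
    header, _, body = rule.partition("(")
    body = body.rstrip()
    if body.endswith(")"):
        body = body[:-1]
    options = []
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip()))
    return header.strip(), options


def reference_links(rule):
    """(type, value, url-or-None) for every reference option in the rule."""
    links = []
    for key, value in parse_rule(rule)[1]:
        if key != "reference":
            continue
        rtype, _, rvalue = value.partition(",")
        rtype, rvalue = rtype.strip().lower(), rvalue.strip()
        prefix = REFERENCE_PREFIXES.get(rtype)
        url = prefix + rvalue if prefix and rvalue else None
        links.append((rtype, rvalue, url))
    return links


def rule_summary(rule):
    opts = dict(parse_rule(rule)[1])   # later duplicates win; fine for sid/rev/msg
    return {"sid": opts.get("sid"), "rev": opts.get("rev"),
            "msg": opts.get("msg", "").strip('"'),
            "references": reference_links(rule)}


def references_html(rule):
    """The '1, 2' column from the post: numbered links, plain numbers where
    the rule carried no usable reference value."""
    cells = []
    for n, (_, _, url) in enumerate(reference_links(rule), 1):
        if url is None:
            cells.append(str(n))
        else:
            cells.append('<a href="%s">%d</a>' % (html.escape(url, True), n))
    return ", ".join(cells)


if __name__ == "__main__":
    for rule in (PAGE_RULE, SAMPLE_RULE):
        s = rule_summary(rule)
        print(s["sid"], s["msg"], "->", references_html(rule))
```

The href values are HTML-escaped before they reach the page, since a rule file is untrusted input as far as the GUI is concerned.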

General Questions / CPU usage vs Idle process usage
« on: May 23, 2015, 03:04:36 pm »
The System Information widget of the dashboard display usually tells me that overall CPU usage of my Atom is 50% or greater. I do have a busy dashboard with 10 widgets, including the Traffic Graphs which updates at 1 sec and displays 4 of my 5 interfaces (1 physical, 4 VLANs). Dropping widgets and slowing refresh intervals does cause CPU usage to drop beneath 50% (say, down to 20%), but it seems to climb back to 50% or greater.

At the same time, I have monitored using Diagnostics : System Activity and see that the two idle processes indicate much more idle time than expected given the CPU Usage. The update rate is faster (refreshed every 2 seconds vs 10 seconds on System Information widget), but it does not seem to be even close to the expected value (i.e. if I see 50% usage, I expect the last 10 values of WCPU to average 50%, if I see 20% CPU usage, then I expect the last 10 values of WCPU for the idle processes to average 80%, etc.)

Can anyone explain the discrepancy between these two numbers?

IDS/IPS / IDS monitoring of PKI certificate usage
« on: March 26, 2015, 11:47:10 am »
I am interested in discussing the idea of using snort or suricata to monitor external systems being accessed with PKI encryption. The main reason for this is to implement active management of PKI certificates to reduce the chance that protected systems will inappropriately trust a certificate. If the IDS tracks the certificate used by an external server (i.e. pins the certificate), then any change would generate an IDS alert. If configured as an IPS, the alert would allow the IPS to stop the initial exchange of PKI packets and prevent an encrypted tunnel to a questionable external source.

The pinned certificates could also be processed to determine the issuing CA. Each unexpected change to a server certificate could then also generate an IDS alert for that CA. At some threshold of CA alerts, the IPS could automatically block encrypted traffic for a questionable CA (generating a dynamic blacklist). Likewise, the IPS could block all encrypted traffic except for PKI certificates issued from a whitelist of trusted CAs. Any alerts for certificates not on the whitelist could be used by security operations personnel to determine if they should add a CA to the whitelist. To ease the burden of qualifying CAs, the nominal list of CAs who passed the WebTrust audit could be maintained by the IDS and automatically added to the whitelist with an appropriate alert that could be reviewed as needed at a later date.
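As an added example that is not code from the post, from Snort or from Suricata, here is the pinning and CA-scoring logic the post sketches, written as a small policy engine an IDS/IPS would feed with one observation per TLS handshake. An observation is the server name, the SHA-256 fingerprint of the leaf certificate and the issuing CA's name; in a deployment these come from the server's Certificate message, which the IDS sees before the encrypted tunnel is established. The observations in the test are constructed, and the CA names, the threshold and the decision to re-pin after a change are illustrative choices made here, not anything the post specifies.

```python
"""Certificate pinning with per-CA alert scoring (added example)."""
import hashlib
from collections import defaultdict


def fingerprint(der_bytes):
    """SHA-256 over the DER certificate, hex encoded (the usual pin form)."""
    return hashlib.sha256(der_bytes).hexdigest()


class CertPinMonitor:
    """Pins the first certificate seen per host, alerts on change, counts
    changes per issuing CA, and blocks a CA once it reaches the threshold.
    A non-empty whitelist of CAs switches the IPS into allow-list mode."""

    def __init__(self, trusted_cas=None, ca_alert_threshold=3):
        self.pins = {}                       # host -> (fingerprint, issuer)
        self.ca_alerts = defaultdict(int)    # issuer -> unexpected changes
        self.blocked_cas = set()             # the dynamic blacklist
        self.trusted_cas = set(trusted_cas or [])
        self.threshold = ca_alert_threshold

    def observe(self, host, fp, issuer):
        """Return [(severity, message), ...]; severity 'block' means the IPS
        should drop the handshake instead of letting the tunnel form."""
        if issuer in self.blocked_cas:
            return [("block", "%s: issuer %s is blacklisted" % (host, issuer))]
        if self.trusted_cas and issuer not in self.trusted_cas:
            return [("block", "%s: issuer %s not on CA whitelist"
                     % (host, issuer))]

        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = (fp, issuer)
            return [("info", "%s: pinned %s (issuer %s)"
                     % (host, fp[:16], issuer))]
        if pinned[0] == fp:
            return []

        # Certificate changed: one alert for the host, one strike against
        # the CA that signed the new certificate.
        alerts = [("alert", "%s: certificate changed, now issued by %s"
                   % (host, issuer))]
        self.ca_alerts[issuer] += 1
        if self.ca_alerts[issuer] >= self.threshold:
            self.blocked_cas.add(issuer)
            alerts.append(("block", "CA %s reached %d unexpected changes"
                           % (issuer, self.threshold)))
        # Re-pin, so a legitimate renewal is counted once rather than on
        # every later flow to the same host.
        self.pins[host] = (fp, issuer)
        return alerts


if __name__ == "__main__":
    # Constructed walk-through: a renewal, then a CA that rotates too often.
    mon = CertPinMonitor(trusted_cas={"CA-A", "CA-B"}, ca_alert_threshold=2)
    for host, cert, ca in [("www.example.com", b"cert-1", "CA-A"),
                           ("www.example.com", b"cert-2", "CA-B"),
                           ("mail.example.com", b"cert-3", "CA-B"),
                           ("mail.example.com", b"cert-4", "CA-B"),
                           ("other.example.com", b"cert-5", "CA-B")]:
        for sev, msg in mon.observe(host, fingerprint(cert), ca):
            print(sev.upper(), msg)
```

The whitelist the post describes (CAs that passed the WebTrust audit) would be loaded into `trusted_cas`; with it empty the monitor runs in pin-and-score mode only. A real deployment also needs the pins persisted, since losing them on restart turns every certificate into a "first seen".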


I have a D2500CCE with 8GB memory and a 1 TB SSHD that I am trying to load with pfsense 2.1.5 for the first time. Initially, I downloaded the .iso for the CD and burned it using my Mac running OS X Yosemite via the Disk Utility and my Apple Superdrive. I checked out the CD on my Mac and everything looked fine. (Same as mounting the .iso file as a virtual volume)

Crossing my fingers, I unplugged the Superdrive and plugged it into the D2500CCE. The BIOS reported everything looking good, including seeing the Superdrive as an optical device, but the boot fails after that without ever spinning up the CD.

Next I looked at trying to use a memory stick for loading pfSense-memstick-2.1.5-RELEASE-i386.img, but the Disk Utility program does not know how to deal with the .img format (it prefers another format with a .dmg file extension).

I even considered using the dd utility from the command line to transfer the image, but ran into permissions errors, even using my administrative account (which is different than the root owner of the file system).

If anyone can point me to how to overcome any of these approaches, or has another approach that would work, I would be extremely grateful.
