Messages - Harvy66

1
Quote
Something is clearly wrong here. If it was fragmented at source, you shouldn't be seeing fragments at all, just a series of un-fragmented packets containing the fragments of the original datagram. If you're seeing fragmented packets, as shown in that capture, they're being fragmented elsewhere. Was that capture actually at the source? Or the destination?

Quote
just a series of un-fragmented packets containing the fragments of the original datagram
This just made my head explode. A series of unfragmented packets containing fragments. Yes, this is how Ethernet and IPv4 work for all fragmented IPv4 packets that cannot fit in an Ethernet frame or MTU.

If I send a 64KiB ICMP packet, I expect it to be fragmented as it leaves the source because no switch I know supports 64KiB jumbo frames.
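Added example (not from the forum thread) working through what the post describes: a maximum-size ICMP echo (the 65507-byte `ping -s` case, a constructed default) split into 1500-byte Ethernet frames, with the Fragment Offset and MF values a capture tool would show on every piece.

```python
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20        # IPv4 header without options
ICMP_HEADER = 8         # ICMP echo header
MAX_IPV4_TOTAL = 65535  # limit of the 16-bit Total Length field


@dataclass(frozen=True)
class Fragment:
    offset_units: int     # Fragment Offset field, counted in 8-byte units
    payload_len: int      # bytes of the original IP payload this fragment carries
    more_fragments: bool  # MF flag: set on every fragment except the last

    @property
    def frame_len(self) -> int:
        """Size of this fragment on the wire, IP header included."""
        return IPV4_HEADER + self.payload_len

    @property
    def is_fragment(self) -> bool:
        """What a capture tool flags as a fragment: MF set or a non-zero offset."""
        return self.more_fragments or self.offset_units > 0


def fragment(payload_len: int, mtu: int) -> List[Fragment]:
    """Split an IPv4 payload so that every fragment (header included) fits in mtu."""
    if payload_len + IPV4_HEADER > MAX_IPV4_TOTAL:
        raise ValueError("datagram exceeds the 16-bit IPv4 Total Length")
    # Every fragment but the last carries a multiple of 8 bytes, because the
    # offset field counts 8-byte units.
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small for an IPv4 header plus 8 bytes of data")
    frags, offset = [], 0
    while offset < payload_len:
        size = min(per_frag, payload_len - offset)
        frags.append(Fragment(offset // 8, size, offset + size < payload_len))
        offset += size
    return frags


def ping_fragments(icmp_data_len: int = 65507, mtu: int = 1500) -> List[Fragment]:
    """Fragments of a maximum-size ICMP echo (65507 data bytes + 8-byte ICMP header)."""
    return fragment(ICMP_HEADER + icmp_data_len, mtu)

if __name__ == "__main__":
    frags = ping_fragments()
    print(f"{len(frags)} fragments; last carries {frags[-1].payload_len} bytes "
          f"at offset {frags[-1].offset_units * 8}, MF={frags[-1].more_fragments}")
```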

2
General Questions / Re: Annoying Snort Issue
« on: December 14, 2017, 11:23:31 am »
It's not that it can't parse one rule, it's that it can't parse the file and the parse error is in one of the rules. It's the exact definition of corrupted. Do you really want to use corrupted rules? There is no way the logic could make assumptions about accepting what it thinks were parseable rules and just ignoring the non-parseable parts of the file. Depending on the format, it's probably impossible to be sure what you've parsed so far is valid if the file as a whole is not valid.

3
Traffic Shaping / Re: Traffic shaping on three VLANs with HFSC
« on: December 13, 2017, 10:03:56 am »
That is a scary setup, but I guess if it "works".

4
Traffic Shaping / Re: Cannot reduce Interface bandwidth
« on: December 13, 2017, 10:02:44 am »
The interface validation uses the child bandwidths calculated before the bandwidth change instead of after it. Scaling up the parent bandwidth is fine, but scaling down does not work.

5
Firewalling / Re: MAC Filtering on PF
« on: December 13, 2017, 09:55:35 am »
^^^^
For the most part???? I'd say not at all. The lower 24 bits are simply a serial number. The upper 24 are mostly assigned to a manufacturer, with a couple of bits reserved for unicast/multicast and locally assigned address.

You might be able to find a correlation between certain bits in a MAC address and certain models of NICs if you know something about the supply chain.

OK guys, the next 10,000 NICs are going to Russia. Now you have 10,000 sequential MACs being sold in stores in Russia, assuming they used sequential and not random. Not sure why random would be a good idea for this case. And also assuming MACs are not being spoofed. Not that you'll ever see a MAC from outside of your broadcast domain.
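Added example (not from the forum thread) that splits a MAC address into the fields discussed above: the 24-bit OUI, the 24-bit serial, and the I/G and U/L bits in the first octet. The `same_batch` window of 10,000 and all sample addresses are constructed; the names `parse_mac`, `same_batch` and `group_by_oui` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

_SEPARATORS = re.compile(r"[:\-.]")


@dataclass(frozen=True)
class MacInfo:
    oui: str                    # upper 24 bits: the manufacturer prefix
    serial: str                 # lower 24 bits: per-device serial number
    multicast: bool             # I/G bit: least significant bit of the first octet
    locally_administered: bool  # U/L bit: next bit up; set on software-assigned addresses

    @property
    def serial_int(self) -> int:
        return int(self.serial, 16)


def parse_mac(mac: str) -> MacInfo:
    """Split a 48-bit MAC (colon, dash or dot separated) into its fields."""
    digits = _SEPARATORS.sub("", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first_octet = int(digits[:2], 16)
    return MacInfo(
        oui=digits[:6],
        serial=digits[6:],
        multicast=bool(first_octet & 0x01),
        locally_administered=bool(first_octet & 0x02),
    )


def same_batch(a: str, b: str, window: int = 10_000) -> bool:
    """True if both addresses share an OUI and their serials lie within `window`,
    the only kind of same-shipment inference the post allows for."""
    x, y = parse_mac(a), parse_mac(b)
    return x.oui == y.oui and abs(x.serial_int - y.serial_int) < window


def group_by_oui(macs: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket addresses by OUI; locally administered ones (randomised or
    spoofed) go to their own bucket since they carry no vendor information."""
    groups: Dict[str, List[str]] = {}
    for mac in macs:
        info = parse_mac(mac)
        key = "local/random" if info.locally_administered else info.oui
        groups.setdefault(key, []).append(mac)
    return groups
```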

6
2.4 Development Snapshots / Re: Disk Usage Space Error
« on: December 13, 2017, 09:51:06 am »
If you're using ZFS and have a snapshot or some other FS level object that references old blocks, "deleting" files does not clear out the data.

In your example that makes perfect sense, but that doesn't explain how, *prior* to deleting any and all logs, say it was at 40% disk utilized, and when I selected delete all historic logs, charts, graphs, etc.

The system actually displayed the usage as increasing to say 41~45% and fluctuated.

A day later upon logging in the disk space was back down to 20%, so this tells me there is a UI/process bug. A lay person would expect one of two outcomes, which are the following:

- Delete: Disk space is immediately reclaimed and reflected
- Delete: Minimal disk space is reclaimed and reflected based on your example

In no way would a lay person expect a delete to cause the disk space to decrease in capacity and increase in initial space. :o :-[

With a COW FS, you don't actually delete the data, you just create more metadata about the data not being there, which increases storage. I'm not saying that's what happened, I am not sure if going from 40% to 45% is within the normal range, but I know the general concept does happen.

pfSense is not for lay people, it's targeting power and enterprise users. If you want something simple to use, try a router/firewall from BestBuy. If you want advanced control, you need to become more advanced.

Word of warning about ZFS, never run out of storage. Because you need to first increase the amount of storage used to delete data, if your storage is full, you can't even delete data to free up space.

7
As a rule of thumb, not sure if there are any exceptions, the rules you specify in the UI only apply to newly created states. Packets that are out of state will never hit your manually created rules.

8
Firewalling / Re: MAC Filtering on PF
« on: December 12, 2017, 03:09:52 pm »
1) MAC addresses are not associated with countries, for the most part
2) MAC addresses are only link local. You will only ever see the single MAC address from your ISP's gateway.

9
2.4 Development Snapshots / Re: Disk Usage Space Error
« on: December 12, 2017, 03:06:47 pm »
If you're using ZFS and have a snapshot or some other FS level object that references old blocks, "deleting" files does not clear out the data.

10
Traffic Shaping / Re: Traffic shaping on three VLANs with HFSC
« on: December 07, 2017, 09:01:38 am »
Shaping is per interface and ALTQ only shapes egress. Sharing state across interfaces would be a nightmare from a performance and implementation complexity standpoint.

That being said, you can use limiters to shape ingress on the WAN and "share" bandwidth that way.

11
General Discussion / Re: pfsense 2.4.2 upnp bug?
« on: December 06, 2017, 04:01:33 pm »
pfSense by default trusts the LAN and not the WAN. The deny-by-default logic only applies to untrusted interfaces. On the LAN side, UPnP, DHCP, DNS, management, SSH, etc. are all allowed.

12
General Questions / Re: Is pfsense FIPS 140-2 compliant
« on: December 05, 2017, 07:03:02 am »
Doing a quick wiki, FIPS 140-2 is about physical security.

Quote
Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

It's logically impossible for software to comply with this.

FIPS 140 seems to be about cryptographic modules. pfSense/FreeBSD may use some cryptographic modules, but are not themselves cryptographic modules.

13
Traffic Shaping / Re: Traffic shaping on three VLANs with HFSC
« on: December 04, 2017, 11:30:42 am »
Personally, I never had any luck with the wizard and just manually set up shaping. It took me less time to figure it out on my own than reading how to use the wizard.

14
Traffic Shaping / Re: playing with fq_codel in 2.4
« on: December 04, 2017, 11:29:40 am »
I assume you mean the "net.inet.ip.dummynet.fqcodel" settings you mentioned in your previous post.

15
Traffic Shaping / Re: playing with fq_codel in 2.4
« on: December 01, 2017, 10:35:20 am »
Your target should also be at least 1.5x how long it takes to send an MTU amount of data at your bandwidth. Cake does this automatically, as they found this general limit works well.

The reason for this is you don't want a single MTU sized packet to trip the drop logic.
