Show Posts

Messages - Trel

webGUI / Re: RRD graphs
« on: July 29, 2016, 03:24:41 pm »
I'm assuming that package needed to be installed to begin with and wouldn't import the RRD data first?

Firewalling / Re: Question on when a rule would trigger
« on: July 18, 2016, 12:45:46 pm »
It would be more correct to have source LAN net, dest LAN address. But, in practice, they will pass the same traffic.

I believe that rules should be as narrow as necessary to do the job.

You should know what on your firewall needs to be accessed and have a rule for that. Otherwise not.

Is there a specific reason to include the source in that rule?

Firewalling / Re: Question on when a rule would trigger
« on: July 16, 2016, 07:50:24 pm »
I do understand and I don't need to turn logging on; I know exactly which scenario would hit that rule.

So in that case, since I'm

1. Blocking all RFC1918 traffic on LAN with a generic rule
2. Only having the anti-lockout rule, which allows specific ports to the firewall
3. Running a reverse proxy both inside and out on the firewall (for ports not covered by the anti-lockout rule)

I DO want that LAN to LAN rule to exist then for that traffic.

Because that would not pass without that rule, correct?

Firewalling / Re: Question on when a rule would trigger
« on: July 16, 2016, 04:08:34 pm »
That rule will match traffic from LAN net to LAN address (which is included in LAN net) as was correctly pointed out already by @JasonJoel.

The rule is pointless unless it is passing traffic to LAN address (or maybe other VIPs on the LAN interface) that you need to be passed.

If you're wondering what the traffic is, enable logging on the rule and watch the logs.

There are no "rare events." Traffic is either same-subnet (not requiring router services) or it's not.

I get that logic, but if it's 100% accurate, it would never have fired at any point, because it would be routed by the switch and never touch pfSense.

My hardware setup is pfSense -- Wire -- Switch -- Everything else.

The only thing on that subnet that isn't on the far end of the switch is pfSense itself.

I get that the rule SHOULDN'T do anything, but as my screenshot shows, there is something hitting it that's matching it.

Perhaps I'm misunderstanding, but the way everyone keeps explaining it, it should never fire; yet if I look at the state by clicking it, it's showing an IP to a broadcast IP.

So, if that's getting passed, wouldn't removing it cause it to be blocked by the RFC1918 block rule that comes next?

"whatever is triggering it will get blocked by the rule 2 spots below it."

That is not how it works; the first rule to trigger wins, and no other rules below it will be evaluated.

Rules are evaluated top down; the first one that triggers stops further evaluation. Rules need to be ordered in this fashion.

I meant if I remove the rule that everyone is saying does nothing.
The rule 2 down blocks all RFC1918 as a destination. So without that pass, whatever is triggering it would be blocked, as that block happens prior to the allow any at the bottom.

Firewalling / Re: Question on when a rule would trigger
« on: July 14, 2016, 04:45:14 pm »
Rule 1 is pointless. It would allow access to the pfSense IP in that subnet, but it's a bad way to do it. If you want to allow access to the pfSense interface IP in that network, then use the LAN address drop-down. Your "This Firewall" rule allows access to any IP pfSense has, be it LAN segment or WAN.

Are you using the anti-lockout rules? Those would allow access to pfSense on 80, 443, 22 or other ports if using different ones. So your firewall rule would allow for DNS. But you really should be more specific if you're wanting to get restrictive. So if you want to ping and DNS to the pfSense LAN IP, then that would be the specific rule you would want to use.

Your block RFC rule could be combined with your any-any rule on the end by just using a ! rule for your RFC1918. So "dest NOT rfc1918 allow" - this makes it 1 rule vs having 2.

What cases could be causing the rule to trigger in the screenshot I'm attaching?
I get that it's not the perfect way to do it, but I know if I remove it as is in this setup, whatever is triggering it will get blocked by the rule 2 spots below it.

Firewalling / Question on when a rule would trigger
« on: July 14, 2016, 11:14:24 am »
I've seen it mentioned that in a case of

1. Allow LAN subnet -> LAN subnet
2. Allow any -> This firewall
3. Block RFC1918
4. Allow Any

Rule #1 should never trigger.
I've always included it anyway.

Looking at my rules, I see it has fired off a few times.  Any idea what specific traffic could trigger it?
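The two points argued across this thread, that pfSense evaluates rules top down with the first match winning, and that removing the LAN net -> LAN net rule would send the mystery traffic into the block-RFC1918 rule instead, can be checked with a small model. This is an added example, not code from the thread or from pfSense: it encodes the four rules from the question above as first-match predicates and evaluates constructed packets against them, including the LAN-host-to-broadcast case reported later in the thread (a broadcast datagram is delivered to every host on the segment, the firewall included, which is how it can reach the LAN rule set at all). The subnet, firewall addresses and sample hosts are made-up values, and the model only decides what happens to traffic that actually arrives on the firewall's LAN interface; unicast traffic between two hosts behind the switch never does.

```python
"""Model of first-match rule evaluation for the LAN rule set in the question.

Added example (not from the forum thread or pfSense). Rules:
  1. pass  LAN net -> LAN net
  2. pass  any     -> This Firewall
  3. block any     -> RFC1918
  4. pass  any     -> any
All addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

IPAddr = ipaddress.IPv4Address
Matcher = Callable[[IPAddr], bool]

# Constructed topology: LAN is 192.168.1.0/24, the pfSense LAN address is .1,
# and the WAN address is an arbitrary value from a documentation range.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")
THIS_FIREWALL: Set[IPAddr] = {LAN_ADDRESS, ipaddress.ip_address("203.0.113.10")}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def any_addr(_: IPAddr) -> bool:
    return True


def in_net(net: ipaddress.IPv4Network) -> Matcher:
    # Note: the subnet's broadcast address is a member of the network.
    return lambda a: a in net


def one_of(addrs: Set[IPAddr]) -> Matcher:
    return lambda a: a in addrs


def in_rfc1918(a: IPAddr) -> bool:
    return any(a in n for n in RFC1918)


@dataclass
class Rule:
    name: str
    action: str      # "pass" or "block"
    src: Matcher
    dst: Matcher


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Walk the list top down and stop at the first rule whose src and dst both match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.src(s) and rule.dst(d):
            return rule
    return None  # nothing matched: pfSense's implicit default is to deny


def decide(rules: List[Rule], src: str, dst: str) -> str:
    rule = first_match(rules, src, dst)
    return f"{rule.action} ({rule.name})" if rule else "block (default deny)"


RULES = [
    Rule("1 LAN net -> LAN net", "pass", in_net(LAN_NET), in_net(LAN_NET)),
    Rule("2 any -> This Firewall", "pass", any_addr, one_of(THIS_FIREWALL)),
    Rule("3 block dst RFC1918", "block", any_addr, in_rfc1918),
    Rule("4 allow any", "pass", any_addr, any_addr),
]

# The narrower form suggested in the thread: destination is the LAN address only.
NARROW_RULE_1 = Rule("1 LAN net -> LAN address", "pass",
                     in_net(LAN_NET), one_of({LAN_ADDRESS}))
RULES_WITHOUT_1 = RULES[1:]
RULES_NARROW = [NARROW_RULE_1] + RULES[1:]

if __name__ == "__main__":
    host = "192.168.1.50"   # constructed LAN host
    for dst in ("192.168.1.255", "192.168.1.1", "10.0.0.5", "198.51.100.7"):
        print(f"{host} -> {dst:15} original: {decide(RULES, host, dst)}")
        print(f"{' ' * len(host)}    {'':15} without 1: {decide(RULES_WITHOUT_1, host, dst)}")
        print(f"{' ' * len(host)}    {'':15} narrow 1:  {decide(RULES_NARROW, host, dst)}")
```

Running it shows the behaviour the thread describes: a LAN host sending to the subnet broadcast address hits rule 1 in the original set, falls through to the RFC1918 block once rule 1 is removed, and is also blocked with the narrower LAN net -> LAN address form, while traffic to the firewall's own LAN address passes under all three variants (via rule 1 or rule 2) and traffic to a non-RFC1918 destination reaches the final allow-any rule.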

General Questions / Re: Question on custom patches on upgrade
« on: May 12, 2016, 09:35:22 am »
Ah ok, I didn't realize that would happen on upgrade too.
I never had that box checked to begin with.


General Questions / Question on custom patches on upgrade
« on: May 12, 2016, 09:03:38 am »
When you upgrade versions, do patches automatically get disabled or is this something I would need to manually do prior to upgrading?
I have a patch installed at the moment on 2.3 for something that's fixed in 2.3.1.

Cache/Proxy / Re: Can Haproxy and Squid co-exist?
« on: May 11, 2016, 08:40:33 am »
The only way they would conflict is if they attempted to bind to the same IP address and port. So long as they're using different ports or IP addresses to bind, there would be no conflict even if both were used in a reverse proxy role.

I was thinking Squid might come with the reverse proxy enabled and listening on 80 by default, which is what I have HAProxy listening on currently.
I figured once I set them up there wouldn't be much (or any) issue.

Firewalling / Re: How can I block an external IP address?
« on: May 09, 2016, 04:28:31 pm »
Also, where are you seeing that it's attacking/scanning still? pfSense logs or on the server itself?

Cache/Proxy / Can Haproxy and Squid co-exist?
« on: May 09, 2016, 04:21:56 pm »
Can both of these be installed (2.3) provided Haproxy is used as a reverse proxy only and squid is not?

Use arpwatch or something like that to keep MAC<->IP associations, which you can correlate to your firewall logs' IPs.

Didn't arpwatch used to be available as a package?

Cache/Proxy / Re: [Solved] Can't get ACL to match on Haproxy
« on: May 09, 2016, 08:57:37 am »
Looks like a bug.. I'm writing hdr_dir in the config, that should of course been hdr_sub..  :o
Will fix that soon in a new version.

p.s. If you find other 'weird' behavior let me know :).


Is this fixed in the latest devel version?  I see there's an update available.
I don't want to mess with it unless it's fixed as my current setup is "working" at the moment.

webGUI / Re: what does this symbol mean?
« on: May 04, 2016, 03:14:47 pm »
There's supposed to be clickable text there.  If there's no text showing, there may not be anything clickable.
