Messages - kejianshi

61
If the traffic passed an interface with suricata running on it and the traffic matched a rule it should at least fire off an alert.

62
OpenVPN / Re: OpenVpn Made me crazy! Routing problem?
« on: November 25, 2017, 08:47:09 am »
It's late, so if I'm posting in error, forgive me.

However, when VPNs are involved, it's best to make sure that the networks involved are different.

It's also best if both are moved to private but not common numbers...

Like 192.168.32.0/24 for the local network.

Then

192.168.33.0/24 for the remote network.

And move the VPN networks in pfsense to something sane but also unique and uncommon like 10.12.14.0/24

You really don't want your networks getting confused about where to send your packets. 

You never know what you might want to connect to this in the future, so why not make it idiot proof?

63
I'm not the authority on much of anything, but I'm pretty sure if someone sees a big error in the config they will point it out. 

64
I hope this is constructive criticism.  Knowing what you might have done, or were supposed to do, or what the directions tell you to do, is completely unhelpful. 

When people absolutely refuse to post their actual setups (we are talking screenshots of the pfsense configurations), good things rarely happen.

I wish you luck.

65
IDS/IPS / Re: Suricata not dropping any traffic
« on: November 25, 2017, 03:58:58 am »
The smart people will tell you this is a horrible idea, however, this is what I've done. 

In services > suricata

Go to SID MGMT

Create a new SID configuration file.  Save it as something like my-dropsid.conf

Put this inside it:

pcre:"a"*
pcre:"b"*
pcre:"c"*
pcre:"d"*
pcre:"e"*
pcre:"f"*
pcre:"g"*
pcre:"h"*
pcre:"i"*
pcre:"j"*
pcre:"k"*
pcre:"l"*
pcre:"m"*
pcre:"n"*
pcre:"o"*
pcre:"p"*
pcre:"q"*
pcre:"r"*
pcre:"s"*
pcre:"t"*
pcre:"u"*
pcre:"v"*
pcre:"w"*
pcre:"x"*
pcre:"y"*
pcre:"z"*
pcre:"A"*
pcre:"B"*
pcre:"C"*
pcre:"D"*
pcre:"E"*
pcre:"F"*
pcre:"G"*
pcre:"H"*
pcre:"I"*
pcre:"J"*
pcre:"K"*
pcre:"L"*
pcre:"M"*
pcre:"N"*
pcre:"O"*
pcre:"P"*
pcre:"Q"*
pcre:"R"*
pcre:"S"*
pcre:"T"*
pcre:"U"*
pcre:"V"*
pcre:"W"*
pcre:"X"*
pcre:"Y"*
pcre:"Z"*
pcre:"0"*
pcre:"1"*
pcre:"2"*
pcre:"3"*
pcre:"4"*
pcre:"5"*
pcre:"6"*
pcre:"7"*
pcre:"8"*
pcre:"9"*



Be sure to Enable Automatic SID State Management

at the bottom, put a check mark in the interface you want the rules to get modified for.

In the Drop SID File column, select the new file you made. 

Finally, click save....

It will take a moment to process.  Hope that helps you.

I'm sure there is a much better way to do this.  I'd be happy to know it if anyone can tell me.

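What the Drop SID file does mechanically, as an added example that is not from the post or from the pfSense package: it reads a drop list in the SID MGMT style (pcre: entries plus gid:sid entries; ranges and category names are left out) and rewrites every matching "alert" rule to "drop". The sample rules are constructed, and the assumption is that each pcre is tested against the full rule line, which is why the poster's letter-and-digit list catches essentially every rule.

```python
# Added example: apply a SID MGMT-style drop list to Suricata rules.
import re
import string

# Constructed sample rules in Suricata syntax (not from the forum post).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"DNS query observed"; sid:1000002; rev:1;)
# alert ip any any -> any any (msg:"disabled rule"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> any 443 (msg:"allow outbound https"; sid:1000004; rev:1;)
"""

# The poster's drop file, regenerated: one pcre: line per letter and digit.
NUCLEAR_DROPSID = "".join(f'pcre:"{c}"*\n' for c in string.ascii_letters + string.digits)

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

def parse_dropsid(text):
    """Return (compiled pcre patterns, set of (gid, sid)) from a drop list."""
    patterns, sids = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            patterns.append(re.compile(line[len("pcre:"):]))
        else:                                   # comma-separated gid:sid entries
            for entry in line.split(","):
                gid, sid = entry.strip().split(":")
                sids.add((int(gid), int(sid)))
    return patterns, sids

def apply_dropsid(rules_text, dropsid_text):
    """Rewrite matching alert rules to drop; return (new text, changed sids)."""
    patterns, sids = parse_dropsid(dropsid_text)
    out, changed = [], []
    for rule in rules_text.splitlines():
        if not rule.startswith("alert "):       # comments, pass/drop rules untouched
            out.append(rule)
            continue
        sid_m, gid_m = SID_RE.search(rule), GID_RE.search(rule)
        sid = int(sid_m.group(1)) if sid_m else None
        gid = int(gid_m.group(1)) if gid_m else 1   # Suricata default gid
        if (gid, sid) in sids or any(p.search(rule) for p in patterns):
            rule = "drop " + rule[len("alert "):]
            changed.append(sid)
        out.append(rule)
    return "\n".join(out), changed
```

Running apply_dropsid(SAMPLE_RULES, NUCLEAR_DROPSID) flips both live alert rules to drop, while a targeted list such as "1:1000002" flips only that one; the disabled and pass rules are never touched.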
66
IDS/IPS / Re: Suricata not dropping any traffic
« on: November 25, 2017, 03:51:44 am »
There actually is a bit of disagreement among the most knowledgeable people I've talked to. 

Some tell me they think that an Intrusion Detection System (IDS) should just detect and alert. 

I'm with you.  I want the OPTION to also drop that offending traffic. 

Pfsense will drop the traffic if that's what you configure it to do. 

67
Suricata works on interfaces you define.  If the traffic never touches that interface suricata never sees it. 

68
I know a way to make all rules drop, but it's a bit of a nuclear option.   Very simple though.  Let me know if you still want to do that.

69
IDS/IPS / Re: Suricata not dropping any traffic
« on: November 25, 2017, 02:01:18 am »
I know a way to make all rules drop, but it's a bit of a nuclear option.   Very simple though.  Let me know if you still want to do that.

70
I'm not sure.  I did take a look at it though. 

I've done this using pfsense as server and with ALL TRAFFIC routed from the pfsense client to the pfsense server and it worked great.

In other words.  The client side had a peer-to-peer configuration but the server side was remote access configuration. 

For what you are trying to achieve, that worked wonderfully.  I'm not sure what is going on with express VPN.

I can tell you that you want all, not some and not selectively when it comes to traffic being routed via that vpn.

People will really need to see your openvpn config.  The one you actually entered and not the instructions from expressvpn.

Also, your firewall rules. 

71
Firewalling / Re: Apple TV can't watch iTunes rented movies
« on: November 24, 2017, 01:52:51 am »
Check your firewall rules to be sure you have allowed everything through.  It shouldn't be broken.

72
I'm not sure.  I have not seen expressvpn server configuration and I haven't seen your pfsense client configuration. 

73
My experiences overseas using VPN back to the states. 

1.  Latency impacts bandwidth.  So, you are much better off running your VPN client on each device that needs the vpn rather than running it on 1 centralized device that serves vpn to everything else. 

2.  Companies are always claiming to be able to provide you Netflix and other video streaming sites.  My experience is that unless you have a dedicated IP, that's not going to be reliable.  Actually, if you want the best possible experience, buy a pfsense for someone in the states to replace their cheap router on the condition they let you run a vpn on it using their IP and bandwidth.  I have my own personal pfsense in my house in the USA and my friends who travel also have them at their houses.  We share.  Residential IPs give the best results.

3.  Pfsense doesn't leak DNS.  At least not for me when I use it as the server.  Every pfsense I've got running in the USA can slice through netflix blocks, no problem. 

74
Hardware / Re: Unofficial QOTOM Hardware Topic
« on: November 23, 2017, 11:38:00 am »
Sorry - Just kidding.  Didn't mean to hurt the bottom line or anything. 

75
Hardware / Re: New Hardware Selection Help
« on: November 23, 2017, 11:16:36 am »
Aliexpress isn't magic. If you want something very custom you need to build it from components.
