Archive for July, 2008

GIF and GRE support now in 1.3

Friday, July 25th, 2008

Thanks to Ermal, we now have support for GIF and GRE tunneling in pfSense. Integration with IPsec is coming soon. This isn’t something most people will use, but some like to use gif with IPsec and some need GRE for interoperability with other vendors’ equipment (commonly Cisco in some specific configurations that utilize it).

The use of tunneling with IPsec allows the use of routing across VPN, rather than requiring a SPD match, which is preferable in some environments. It also allows the use of routing protocols across VPN.

Multiple PPPoE, PPTP, and Dynamic DNS now supported in 1.3!

Friday, July 25th, 2008

Thanks to the hard work of Ermal Luçi, pfSense 1.3 now contains a number of great interface and dynamic DNS related improvements. All of the following have been completed.

  1. PPPoE and PPTP are now possible on any interface rather than just WAN. For multi-WAN with multiple PPPoE or PPTP connections you previously needed to do the PPPoE or PPTP on the modem or other device; now pfSense handles this directly.
  2. Dynamic DNS is now multi-account capable. This means you can use it with multiple WANs, and/or use multiple services on the same WAN.

Book review: Network Administration with FreeBSD

Thursday, July 24th, 2008

Amazon has posted my review of Network Administration with FreeBSD from Packt Publishing. It may be of interest to those of you working with stock FreeBSD systems. While I wouldn’t call it a great book, as my review indicates, it’s absolutely proven useful. I’ve picked it up on a few occasions for reference purposes.

For those new to FreeBSD and wanting to learn more, the above is not intended as a book for beginners. For anyone new to FreeBSD, I recommend Absolute FreeBSD. I have not yet had a chance to read the second edition, but recommend it because the first edition was great, Michael Lucas is an excellent writer, and it has gotten exceptional reviews from people whose reviews I always find spot on, like Richard Bejtlich.

None of this is really relevant to pfSense, unless you want to become a developer. We hide all the details of FreeBSD so you don’t need to know these things. But if you’re interested in deploying FreeBSD in other uses, these may be of use.

1.2.1 Snapshots are shaping up rapidly!

Thursday, July 24th, 2008

The 1.2.1 snapshots are shaping up much quicker than we thought they would. Please see the previous blog entry for more information and jump in and help us test!

If all goes well we will be releasing a 1.2.1-RC1 this weekend!

DNS vulnerability details now publicly available

Tuesday, July 22nd, 2008

If you run your own DNS server and haven’t patched yet – now would be the time to do so. The details of the previously mentioned vulnerability were inadvertently made publicly available earlier today.

Our previous assertion that dnsmasq in pfSense is not vulnerable was correct. We will be putting out a version with the updated dnsmasq, however this is just to protect from the possibility of a different attack in the future. With this particular issue there is no immediate need to update caching-only DNS servers including pfSense.

So what needs to be patched?
The server that issues recursive queries on behalf of your DNS requests. Which server this is varies depending on your configuration. I’ll group them into two categories.

pfSense DNS Forwarder Users
For those who use the DNS forwarder on pfSense for all internal DNS, the servers that need to be patched are your ISP’s. For dynamic IP connections, in a default configuration the servers assigned by your ISP will be used for recursive lookups. You can override this by entering servers on the System -> General Setup page and unchecking the “Allow DNS server list to be overridden by DHCP/PPP on WAN” box.

Users of Internal DNS Servers
You will need to make sure your internal DNS server is patched.

How can I tell if I’m vulnerable?
Visit DoxPara and click the “Check my DNS” button.

Fixing the Issue Without Relying on your ISP
You can easily fix this without relying on your ISP applying patches by using OpenDNS, a free DNS service that was never vulnerable to this issue in the first place. To use OpenDNS, just enter and for your DNS servers in the General Setup page, and uncheck the “Allow DNS server list to be overridden by DHCP/PPP on WAN” box. Click Save on that page, and re-test. You will see you are no longer vulnerable.

pfSense Will Not Make Your Patched Servers Vulnerable
Unlike numerous other firewall and NAT products, including some big name commercial vendors, pfSense will not un-randomize the source ports on NATed traffic, leaving you vulnerable. If you are using NAT on anything other than pfSense, make sure that device isn’t defeating the purpose of the DNS server patches by improperly rewriting source ports. The DoxPara test will determine that.
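The point above is that a NAT device can silently undo the resolver's source port randomization. As an added illustration (not pfSense code, and not the DoxPara test itself), the following assesses a sample of UDP source ports observed on the outside of a NAT, as you would pull them from a packet capture of outbound DNS queries; the port samples and thresholds are constructed for the example.

```python
import math
from collections import Counter

# Constructed samples: UDP source ports of twelve outbound DNS queries as seen
# on the WAN side of a NAT device (not real captures).
RANDOM_PORTS = [43211, 17532, 60417, 2819, 51007, 39288,
                9925, 24670, 58133, 31004, 47719, 12345]
SEQUENTIAL_PORTS = list(range(1024, 1036))   # NAT handing out ports in order
FIXED_PORTS = [53] * 12                      # every query rewritten to one port

def port_entropy_bits(ports):
    """Shannon entropy of the observed port values, in bits."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

def longest_sequential_run(ports):
    """Longest run in which each port is exactly one above the previous one,
    the signature of a NAT with a sequential port allocator."""
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def assess_source_ports(ports, max_run=3, min_spread=1024):
    """Classify a port sample as 'ok' or 'weak' and list why.
    Thresholds are illustrative; collect hundreds of queries for a real check."""
    reasons = []
    if len(set(ports)) < len(ports):
        reasons.append("repeated ports")
    if longest_sequential_run(ports) > max_run:
        reasons.append("sequential ports")
    if max(ports) - min(ports) < min_spread:
        reasons.append("narrow port range")
    return {"verdict": "weak" if reasons else "ok",
            "entropy_bits": round(port_entropy_bits(ports), 2),
            "reasons": reasons}

if __name__ == "__main__":
    for name, sample in (("random", RANDOM_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("fixed", FIXED_PORTS)):
        print(name, assess_source_ports(sample))
```

A 'weak' verdict on ports captured outside the NAT, when the resolver itself randomizes, points at the NAT device rather than the resolver.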

pfSense is compatible with Xen 3.2.1 with HVM

Saturday, July 19th, 2008

All versions of pfSense are compatible with Xen 3.2.1 with HVM. Paravirtualization is not supported in current stable FreeBSD releases so it is not possible at this time, but HVM does work properly with the real mode boot fixes added in 3.2.1. You will need to use the make option “vmxassist=n”. To our knowledge, the Xen packages included with most major Linux distributions do not do this at this time, so you must compile it yourself with this option.

Thanks to Brian Zushi for this information. He restored his pfSense configuration from a physical box into a Xen VM and is currently running it in production.

Significant IPsec Improvements now in 1.3!

Friday, July 18th, 2008

We are pleased to welcome Matthew Grooms as our newest pfSense committer. As the developer of the Shrew Soft VPN client and an ipsec-tools developer, he brings a vast knowledge of IPsec to our development team.

Matthew recently committed some great IPsec improvements to 1.3. He provided the following, outlining these changes.

Siproxd Package Working in 1.2.1

Friday, July 18th, 2008

After some fixes to the package and pfSense, the siproxd package is now working. This allows you to connect multiple SIP phones to the same SIP server on the Internet. This is problematic with many NAT implementations for the reasons described under NAT Limitations on the Features page.

pfSense Intro Video from Wide Open Mind

Thursday, July 17th, 2008

Wide Open Mind episode 9, Building a router with pfSense, contains a nicely done, very basic overview of pfSense that offers a good introduction for the typical home user.

Not sure why he didn’t acknowledge the alert prior to recording. :) That’s the first time I’ve seen that message pop up on anything other than the Intel NICs in Nokia IP110/120/130 boxes. That feature generates a random MAC address from unassigned vendor space for NICs whose MAC address shows to the OS as FF:FF:FF:FF:FF:FF. This is very rare, and occurs on atypical hardware that doesn’t store its MAC address in the “usual” location for whatever reason. The alert is basically a “hey, this is weird, but I fixed it” notification.

Nicely done video though.
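As an added example of the check and substitution described above (not pfSense's own code), the following recognizes the all-ones placeholder a misbehaving NIC reports and replaces it with a random unicast MAC. It assumes the locally administered bit for the replacement rather than the unassigned vendor space pfSense uses, and the alert text is constructed for the example.

```python
import secrets

# Sentinel some NICs report when the driver cannot find a stored address.
INVALID_MAC = "ff:ff:ff:ff:ff:ff"

def parse_mac(mac):
    """Return the six octets of a colon-separated MAC as a list of ints."""
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if len(octets) != 6 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"malformed MAC address: {mac}")
    return octets

def is_unusable_mac(mac):
    """True for the all-ones placeholder or any multicast/broadcast address
    (low bit of the first octet set), neither of which can identify a station."""
    octets = parse_mac(mac)
    return mac.lower() == INVALID_MAC or bool(octets[0] & 0x01)

def random_unicast_mac(rand=secrets.token_bytes):
    """Random MAC with the locally administered bit set and the multicast bit
    clear (assumption: locally administered range, not vendor space)."""
    b = bytearray(rand(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)

def choose_mac(reported, rand=secrets.token_bytes):
    """Keep a usable reported MAC; otherwise return a replacement plus the
    'this is weird, but I fixed it' style alert text."""
    if not is_unusable_mac(reported):
        return reported, None
    replacement = random_unicast_mac(rand)
    return replacement, f"NIC reported {reported}; assigned random MAC {replacement}"

if __name__ == "__main__":
    print(choose_mac("00:1b:21:aa:bb:cc"))
    print(choose_mac(INVALID_MAC))
```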

Don’t use FTP!

Tuesday, July 15th, 2008

Recently came across a number of great reasons why you should not be using FTP.

Take a look at let me know what you think: