pfSense

Last updated: 2018-10-02

Contents

  • Check pfSense version
  • pfSense default login
  • Password files
  • Config file
  • PHP shell
  • FreeBSD version
  • Functional limitations
  • Version 2.4 (bogonsv6 table error)



Check pfSense version

cat /etc/version

2.7.1-RELEASE


pfSense default login

web: admin / pfsense

ssh: root, admin (both accept the admin password)



ssh

Once SSH is enabled (System > Advanced, Admin Access tab, "Secure Shell"), both root and admin can log in to pfSense over SSH. pfSense keeps the root password in sync with the admin account, so there is only one password to guess or to change; if SSH has to stay on, enable key-only authentication there.


Password files

/etc/passwd        (world-readable, no password hashes)

/etc/master.passwd (the password hashes, root-only; the admin/root hash lives here as well as in config.xml)

/etc/pwd.db        (db(3) version of /etc/passwd, built by pwd_mkdb)

/etc/spwd.db       (db(3) version of /etc/master.passwd, root-only, contains the hashes)


Config file

The saved configuration (everything set in the web GUI, including user password hashes, certificates and VPN secrets) is the XML file

/cf/conf/config.xml   (/conf/config.xml is a symlink to it)

# reload the config
# Restarts sshd (keeping the current ssh session) and restarts the webgui.

/etc/rc.reload_all start

# Drop the running (cached) config so /cf/conf/config.xml is read again

rm /tmp/config.cache
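As an added example (not pfSense's own code), the following Python script audits the security-relevant parts of a config.xml, whether it is a backup or a copy pulled off the box: whether sshd is on, whether the packet filter is disabled, whether the web GUI runs over plain HTTP, and which password-hash format each user account carries. The XML layout it relies on (<pfsense><system> holding <user> entries, <webgui><protocol>, <enablesshd/> on 2.0/2.1 or <ssh><enable>enabled</enable></ssh> on 2.2+, and <disablefilter/>) is the one pfSense writes; the sample config embedded in the script is constructed, with placeholder hashes, and the assumption that a missing <protocol> means https is marked in the code.

```python
"""Audit the security-relevant parts of a pfSense config.xml.

Added example, not pfSense's own code. Assumed layout: <pfsense><system>
holds <user> entries (hash in <password> for md5-crypt on pfSense 2.1 and
earlier, <bcrypt-hash> on 2.2+), <webgui><protocol>, <enablesshd/> (2.0/2.1)
or <ssh><enable>enabled</enable></ssh> (2.2+), and <disablefilter/>.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup; both hashes are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>21.7</version>
  <system>
    <hostname>pfSense</hostname>
    <domain>localdomain</domain>
    <user>
      <name>admin</name>
      <descr>System Administrator</descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <password>$1$Zx9qL2mK$placeholderplaceholderp</password>
      <uid>0</uid>
    </user>
    <user>
      <name>backup</name>
      <scope>user</scope>
      <groupname>admins</groupname>
      <bcrypt-hash>$2b$10$placeholderplaceholderplaceholderplaceholderplaceholde</bcrypt-hash>
      <uid>2000</uid>
    </user>
    <webgui>
      <protocol>http</protocol>
      <port>80</port>
    </webgui>
    <enablesshd/>
    <disablefilter/>
  </system>
</pfsense>
"""


def hash_kind(user):
    """Classify a <user>'s stored hash: 'bcrypt', 'md5crypt' or 'none'."""
    h = user.findtext("bcrypt-hash") or user.findtext("password") or ""
    if h.startswith("$2"):
        return "bcrypt"
    if h.startswith("$1$"):
        return "md5crypt"
    return "none"


def audit_config(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    if system is None:
        raise ValueError("no <system> element: not a pfSense config.xml?")
    findings = []
    # Either tag form means sshd is enabled, depending on the pfSense version.
    if system.find("enablesshd") is not None or system.findtext("ssh/enable") == "enabled":
        findings.append("sshd enabled: root and admin can log in with the admin password")
    if system.find("disablefilter") is not None:
        findings.append("packet filter disabled: the box routes everything unfiltered")
    # Assumption: a missing <protocol> means the default, https.
    if system.findtext("webgui/protocol", "https").lower() == "http":
        findings.append("webGUI over plain HTTP: admin credentials cross the wire in cleartext")
    for user in system.findall("user"):
        name = user.findtext("name", "?")
        kind = hash_kind(user)
        if kind == "md5crypt":
            findings.append(f"user {name}: md5-crypt hash (old format, far cheaper to crack than bcrypt)")
        elif kind == "none":
            findings.append(f"user {name}: no password hash stored")
        if user.findtext("groupname") == "admins" and name != "admin":
            findings.append(f"user {name}: extra member of the admins group")
    return findings


if __name__ == "__main__":
    # Usage: audit_config.py /cf/conf/config.xml  (defaults to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_config(text):
        print("[!]", finding)
```

Run it against the embedded sample and it reports five findings; run it against a real backup and the md5-crypt check alone tells you whether the box was upgraded from a pre-2.2 release without the admin password ever being reset.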

 


pfSense PHP shell

pfSsh.php

Run it from a root shell (or choose "PHP shell + pfSense tools" from the console menu). Input is buffered: type PHP lines, then exec to run them. The whole config.xml is loaded into the $config array, so the examples below read and change it directly:

/* to output the interfaces configuration portion of the configuration */
print_r($config['interfaces']);

/* to enable SSH */
$config['system']['enablesshd'] = true;

/* to disable the firewall filter */
$config['system']['disablefilter'] = true;

/* to enable an interface and set a static ip address */
$config['interfaces']['wan']['disabled'] = false;
$config['interfaces']['wan']['ipaddr'] = "192.168.100.1";
$config['interfaces']['wan']['subnet'] = "24";

/* to save out the new configuration (config.xml) */
write_config();

Two caveats. write_config() only writes config.xml; the filter and interface changes take effect after a reload (/etc/rc.reload_all start, or filter_configure() from the same shell). And enablesshd is the pfSense 2.0/2.1 key; 2.2 and later store the setting as $config['system']['ssh']['enable'] = 'enabled', and the bundled script run by pfSsh.php playback enablesshd uses the key for the running version. Disabling the filter turns the box into a plain router, so do not leave that set.



pfSense's FreeBSD version

pfSense     FreeBSD
2.7.1       14.0
2.2         10.1-RELEASE
2.1.5       8.3-RELEASE-p16
1.2.3       7.2-RELEASE-p5

P.S.

Checking command

  • cat /etc/version
  • uname -r



Functional limitations


pptp

Connecting to a remote PPTP server (outbound) while using the same IP for incoming PPTP connections currently does not work due to NAT limitations in pf. The only currently working choice is to NAT the outbound PPTP connection to an additional WAN IP address.

Reroute traffic for remote PPTP servers out an additional IP

Map outbound GRE and tcp/1723 traffic to another VIP using the protocol option on manual outbound NAT rules. This allows an outbound NAT rule to move outgoing GRE traffic to a VIP instead of the WAN IP address.

ftp-proxy

The FTP proxy is in-kernel on pfSense 2.0.x and 2.1.x.

* FTPS (FTP over TLS) is not affected: the proxy cannot read the encrypted control channel, so it neither helps nor interferes.

Disabling the FTP proxy

System > Advanced, "System Tunables" tab -> debug.pfftpproxy=1  # 1 => disable

FTP traffic is identified by destination port 21; additional ports can be listed in the debug.pfftpports tunable (e.g. 21,2121).

How ftp-proxy works

FTP control connections are redirected into the proxy with a pf(4) "rdr" rule, after which the proxy connects to the server on behalf of the client.

The proxy allows data connections to pass, rewriting and redirecting them so that the right addresses are used.

All connections from the server to the proxy have their destination address rewritten, so they are redirected to the client.
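To make the rewriting concrete, here is an added Python model of what the proxy does on the control channel; it is an illustration, not ftp-proxy's or pfSense's code. It parses the active-mode PORT command and the passive-mode 227 reply, rewrites the advertised address and port to the proxy's own, and returns the redirect mapping (the "rdr" in the text) the proxy must install so that the data connection reaches the real endpoint. The proxy address and ports are made-up values, and the control-channel lines are constructed, not captured. It also shows why FTPS is untouched: with the control channel encrypted there is nothing for the proxy to parse.

```python
"""Model of the control-channel rewriting an FTP proxy performs.

Added example, not ftp-proxy's or pfSense's code. An active-mode client sends
"PORT h1,h2,h3,h4,p1,p2" naming the address and port the server should connect
back to; in passive mode the server replies "227 Entering Passive Mode
(h1,h2,h3,h4,p1,p2)". Behind NAT those addresses are wrong for the other side,
so a proxy on the control connection rewrites them to its own address and
records a redirect from the advertised endpoint to the real one.
"""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six FTP fields into ('a.b.c.d', port), where port = p1*256 + p2."""
    a, b, c, d, p1, p2 = (int(f) for f in fields)
    if not all(0 <= x <= 255 for x in (a, b, c, d, p1, p2)):
        raise ValueError("FTP host/port field out of range")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def encode_hostport(addr, port):
    """Inverse of decode_hostport: dotted address plus port back to six fields."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    return ",".join(addr.split(".") + [str(port >> 8), str(port & 0xFF)])


def rewrite_port_command(line, proxy_addr, proxy_port):
    """Client -> server direction.

    Returns (line_to_forward, rdr). rdr is ((proxy_addr, proxy_port),
    (client_addr, client_port)): the server will connect to the proxy, and
    the proxy redirects that connection to the client. Non-PORT lines are
    forwarded untouched with rdr = None.
    """
    m = PORT_RE.match(line)
    if not m:
        return line, None
    client = decode_hostport(m.groups())
    new_line = f"PORT {encode_hostport(proxy_addr, proxy_port)}\r\n"
    return new_line, ((proxy_addr, proxy_port), client)


def rewrite_pasv_reply(line, proxy_addr, proxy_port):
    """Server -> client direction for the 227 reply; same return shape, with the
    redirect pointing from the proxy to the server's data port."""
    m = PASV_RE.match(line)
    if not m:
        return line, None
    server = decode_hostport(m.groups())
    new_line = f"227 Entering Passive Mode ({encode_hostport(proxy_addr, proxy_port)}).\r\n"
    return new_line, ((proxy_addr, proxy_port), server)


if __name__ == "__main__":
    # Constructed control-channel lines and a made-up proxy address, not a capture.
    proxy = "203.0.113.5"
    fwd, rdr = rewrite_port_command("PORT 192,168,1,10,4,1\r\n", proxy, 40001)
    print(fwd.strip(), "->", rdr)
    fwd, rdr = rewrite_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,80).\r\n", proxy, 40002)
    print(fwd.strip(), "->", rdr)
```

The active-mode case is the one the page's last sentence describes: the server connects to the proxy's advertised port, and the recorded redirect sends that connection on to the client's private address, which the server could never have reached directly.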

 


Version 2.4

[T1]

There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: Cannot allocate memory

[S1]

Increase "Firewall Maximum Table Entries" to 400000 in System > Advanced, Firewall & NAT

[Cause 1]

Same happened here, and a search reveals many more users.

It seems the bogons table is getting very close to 100k entries these days:

# wc -l /etc/bogonsv6

95952 /etc/bogonsv6

During filter reload, it temporarily needs twice that, hitting the 200k limit.

pfSense should really increase the default value, especially since it'll hang with partially reloaded rules, which could cause who knows what kind of downtime or security nightmares.
 

 

 
