January 13, 2009

Allow NAT access to Publicly-accessible Internal Services via PFSense

Filed under: Tips and Tricks - baudizm @ 3:42 pm

You now have your nice PFSense firewall connected to the net and your users are happily connected, then you decide to put up publicly-accessible network services like a web server. But horror starts to creep in when you find out that your users (or your developers) cannot access your public server from their workstations within your local network.

You tried everything in vain and suddenly felt the urge to scream with all your might.

AAAARRGGGHHH!!!!

As far as you’re concerned, you’ve set up PFSense correctly. You have enabled port forwarding quite perfectly. The web server is running without a hitch. Your DNS is working perfectly. But your users cannot seem to access your internal server using your public IP address or domain.

..then you raised your limp hands in resignation.

Don’t despair. It’s really simple.

1. Open your PFSense web gui.

2. Move your mouse over to System, and click Advanced.

System - Advanced

3. Scroll down, and look at the Disable NAT Reflection field. Make sure that it is unchecked. NAT reflection is what lets a client on the LAN reach a port-forwarded service through the firewall’s public address; with it disabled, LAN clients can only reach the server by its internal address.

Disable NAT Reflection

4. Click on Save.

That’s all there is to it! Enjoy!
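A quick check you can run from a LAN workstation to tell a NAT reflection problem apart from a server that is simply down (added example, not part of the original post or of PFSense; the hostname www.example.com and the internal address 192.168.1.10 are constructed placeholders, and the `connect` parameter exists only so the check can be exercised offline):

```python
import socket

def http_status_line(host, port, request_host, connect=socket.create_connection, timeout=3.0):
    """Connect to host:port, send a minimal HEAD request and return the HTTP status line.
    Returns None when the TCP connection cannot be opened. `connect` is injectable so the
    check can be exercised offline with a fake connector."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {request_host}\r\n\r\n".encode())
        data = b""
        while b"\r\n" not in data:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
        return data.split(b"\r\n", 1)[0].decode(errors="replace") or None
    finally:
        sock.close()

def check_reflection(public_host, internal_ip, port=80, connect=socket.create_connection):
    """Compare the direct path (internal IP) with the reflected path (public name or IP)
    as seen from a workstation on the LAN, and explain the outcome."""
    direct = http_status_line(internal_ip, port, public_host, connect)
    reflected = http_status_line(public_host, port, public_host, connect)
    if direct is None:
        verdict = "server unreachable even by internal IP: not a NAT reflection problem"
    elif reflected is None:
        verdict = "internal IP works but public address fails: NAT reflection is probably disabled"
    elif reflected != direct:
        verdict = ("public address answers differently from the server itself: "
                   "the connection may be reaching the firewall's own web GUI instead")
    else:
        verdict = "both paths answer alike: NAT reflection is working"
    return {"direct": direct, "reflected": reflected, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample values; replace with your own public name and internal server IP.
    result = check_reflection("www.example.com", "192.168.1.10")
    for key, value in result.items():
        print(f"{key}: {value}")
```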



August 20, 2008

Allow outbound FTP through PFSense firewall

Filed under: General OpenSource, Tips and Tricks - baudizm @ 1:30 pm

PFSense is a great tool to have: it provides a firewall, traffic shaping, load balancing and failover, and other features, and it is fully extensible through third-party opensource “plugins” and packages that you can install via its web console.

Recently though, some of our devs needed to connect via FTP to a remote server. And apparently they encountered some weird problem with FTP:

user@ubuntu:~$ ftp some-server.com
Connected to some-server.com.
220 ProFTPD 1.3.1 Server (some-server.com) [143.44.52.54]
Name (some-server.com:user): ftpuser
331 Password required for ftpuser
Password:
230 User ftpuser logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command
ftp: bind: Address already in use

ftp>

A little investigation revealed that in order for FTP to work, we need to have the FTP Helper proxy application running on the LAN interface of our PFSense box, and then add a firewall rule that lets LAN clients reach it. More like a “transparent FTP proxy”, if you get my drift.

Let’s do it

1. In PFSense, click on Interfaces, LAN

Click on Interfaces | LAN

2. Make sure that “Disable the userland FTP-Proxy application” is unchecked.

3. Save your setting, and then click “Apply this setting”.

4. We will now add a rule to permit our LAN traffic to reach the FTP-Proxy application on ports 8000-8030 on 127.0.0.1. To do so, click on the “+” button at the top or the bottom of the list of rules to add your new rule. Make sure that the new rule is placed above all the other rules.

Click Firewall

Setup your new rule.

Put the new rule above all other rules.

5. Save your new settings, and apply.

Test your FTP connection.

Enjoy!
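To see why the helper is needed for the error in the session above, here is a small model of the active-mode PORT exchange (added example, not code from the post or from PFSense’s FTP proxy): the client behind NAT announces its private address in PORT, a server that refuses foreign data addresses answers “500 Illegal PORT command”, and a transparent proxy fixes this by rewriting the address before the server sees it. The public address 203.0.113.5, the client 192.168.1.20 and the helper port 8001 are constructed values; how the real helper picks its data port is not shown on the page.

```python
import ipaddress
import re

# An FTP PORT command carries the client's IP and listening port as six decimal
# octets h1,h2,h3,h4,p1,p2 where port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")

def parse_port(line):
    """Decode a PORT command into (ip, port); None when malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h = [int(x) for x in m.groups()]
    if any(v > 255 for v in h):
        return None
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]

def format_port(ip, port):
    """Encode (ip, port) back into a PORT command line."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"

def server_reply(line, control_peer_ip):
    """What a server that refuses foreign data addresses (ProFTPD's default) answers:
    the PORT address must match the address the control connection came from."""
    parsed = parse_port(line)
    if parsed is None or parsed[0] != control_peer_ip:
        return "500 Illegal PORT command"
    return "200 PORT command successful"

def proxy_rewrite(line, firewall_public_ip, helper_port):
    """Model of the helper's job for active mode: when the client announced a
    non-public address (ip_address.is_private covers RFC 1918 and other reserved
    ranges), substitute the firewall's public address and a helper port (assumed
    value) and remember the real client endpoint so the data connection can be relayed.
    Returns (line_sent_to_server, original_client_endpoint_or_None)."""
    parsed = parse_port(line)
    if parsed is None or not ipaddress.ip_address(parsed[0]).is_private:
        return line, None
    return format_port(firewall_public_ip, helper_port), parsed

if __name__ == "__main__":
    # Constructed sample: LAN client 192.168.1.20 behind a firewall with public
    # address 203.0.113.5; the helper is assumed to listen on 8001.
    client_cmd = "PORT 192,168,1,20,4,210\r\n"
    print(server_reply(client_cmd, "203.0.113.5"))  # what the devs saw, without the helper
    rewritten, origin = proxy_rewrite(client_cmd, "203.0.113.5", 8001)
    print(rewritten.strip(), "->", server_reply(rewritten, "203.0.113.5"), "relay to", origin)
```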



May 19, 2008

The Human Aspect of Going OpenSource

Filed under: General OpenSource - baudizm @ 12:03 am

OpenSource has been in existence for quite a long time. It has been known by so many names, with various differences in how the licenses apply to certain products. Some of the widely-known opensource licenses to date are GNU’s own GPL and LGPL licenses, BSD’s own license, the Apache licenses, the Mozilla Public License and the PHP license, among many others. These licenses are under the stewardship of the OpenSource Initiative (OSI), which accepts applications from individuals or groups and reviews and approves candidate licenses. Discussing the differences between each opensource license is a different matter, however; one may visit the OSI site for more information.

“The software I’m using works fine. I paid for it and I don’t see the need to tinker with its programming. Why bother?”
Sure, if you’re happy with the proprietary product that you are using then I’m glad for you. However, there may be questions that you would want answered. Some of them are listed below:

  1. Do you know how your software works internally?
  2. Can the software you bought be customized according to your need?
  3. Does it fit your need at all?
  4. If it can be customized, how much did it cost for you (or the developer) to modify the software?
  5. Are there security issues that you have encountered while using that software?
  6. How often does the developer/vendor issue software fixes and patches to resolve certain usability and security issues?
  7. How much did the software cost?
  8. Are you satisfied with the support provided by the vendor?
  9. Do you feel like you’ve been swindled when you purchased/commissioned the software?
If you answered NO to questions 1, 2, 3 and 8 and YES to questions 5 and 9, it’s time for you to consider choosing an opensource solution.

“Is going opensource painful?”
The answer is “it depends”. It depends on the type of project or solution that you want to implement, on whether what you need can be remedied by an opensource solution, and on how willing or how committed you are to using opensource solutions throughout. Chances are, around 65% of your requirements may have an opensource solution readily available. Over the years, the opensource movement has been very active and has already filled some niches. Currently it is slowly creeping into areas like healthcare, utilities, and management. With the plethora of opensource projects available, you may be able to have from 65% to possibly 95 or 100% of your requirements fulfilled using opensource.

“If OpenSource is really that great, why didn’t my friend Joe choose this path?”
Again, it depends. The projects that your friend Joe was working on at that time might not have had an available opensource solution yet, or his projects were so sensitive that opensource was not yet advisable. We have to always bear in mind that opensource is not a magic pill that you can take to make all your problems go away. It requires a lot of the human factor in order for it to work. And that is what I truly appreciate about it. It brought back the feeling of responsibility, of being aware of what you are doing, of being totally conscious of what you are deploying and of how the system behaves as a whole. It requires constant vigilance, of bug hunting and fixing. Yet, despite the daunting work, you will be backed by a dedicated community who are willing to spare some time to help you out. The countless mailing lists, forums, and support groups dedicated to specific projects are available 24x7 to help you out. It’s totally different from the 1-800 number that you’re asked to dial whenever you encounter problems, only to be answered by incompetent call center agents who have not actually tried out the solutions that they are asking you to perform. How’s that for a reason?

Did I mention that you have full access to the documentation and source code? Now you know.

“Ok, ok, I’m with you there. But I don’t know where to start.”
As in any endeavor, you have to know what you need in order to know how to proceed. It is best to list down your requirements. For example, say you are an administrator and you manage a small network for a local business. You have to first ask yourself the following questions:

  1. How many users do I have?
  2. What operating systems am I currently using?
  3. What network services do I need?
  4. What services do the users need?
  5. What type of hardware am I currently using?
  6. What software applications are my users currently using?
  7. What do I want to implement within 3 years?
  8. What are my current skill sets?
After identifying and listing your answers, you can then start to plot out the solutions that you already know will fulfill your needs. I’m sure those require software to be purchased. Then you can start searching for the opensource equivalents.

The easiest place to start will be Google. However, you may also skip over to Sourceforge for the latest opensource projects. You will have to wade through countless opensource projects in stages ranging from Alpha and Beta through Release Candidate (RC) to Stable or Production grade. I suggest you stay away from Alphas or even Betas, as these are still nowhere near complete, and go for the Stable/Production releases. RCs are almost done, but not quite, for they still have some fixing to be done.

“Since you’re so keen on brainwashing me, have you actually used OpenSource software?”
The answer is a big YES. I’ve been using and advocating OpenSource for years. My desktop runs Ubuntu Linux currently on 8.04 “Hardy Heron”. The servers I manage run on SuSE Linux Enterprise Server. Our firewall runs on PFSense, which is a BSD distribution based on Monowall and FreeBSD. I have implemented an opensource inventory and asset management solution using OCS Inventory NG and GLPI Asset Management. The company’s domain runs on Samba as primary domain controller authenticating to OpenLDAP since we still had to support existing Windows XP boxen, and some Linux desktops running a mix of Mandriva, Ubuntu, and Fedora.

Had we used proprietary solutions as opposed to what we have now, it would have cost the company millions for the same functionality that we got from opensource, which cost us nothing but time and a little guts and dedication.
