Video: Installing and Configuring the Squid Proxy in pfSense

In this video, I discuss what a proxy is, why you might want to use one, and how to install and configure the Squid package in pfSense. It’s so easy that it takes only a few minutes to install and configure Squid.

Video: pfSense Rule Advanced Options

In this video, I use advanced firewall rule options to create a rule that only applies to Windows systems.

Video: Rule Scheduling with pfSense (part two)

This video provides more examples of using scheduling in pfSense. I alter one of the rules created in a previous video so it is only enforced during work hours, while still allowing access during the lunch hour.

Video: Rule Scheduling with pfSense

In the previous video, I covered how to block a website with pfSense. But we may not want to enforce rules at all times. No worries…pfSense makes it easy to use scheduling so rules are not always enforced, as demonstrated in the following video.

Video: Blocking Websites with pfSense

In this video, I cover how to block a website using pfSense rules two different ways: [1] using a single IP address; [2] using an alias to block multiple IP addresses. Once again, pfSense makes the whole process surprisingly easy.

Video: Configuring a DMZ with pfSense

Here’s a video I made about setting up a DMZ with pfSense. In this video, I do the following:

  1. Assign the DMZ interface.
  2. Set up DHCP on the DMZ interface.
  3. Create a firewall rule to prevent the DMZ from accessing the LAN.
  4. Test the configuration.

If I can do it in 15 minutes, then you can probably do it too.

Amazon Affiliate Purchases: October 2014

Here are some of the items readers bought through my Amazon affiliate links:

Coolerguys Programmable Thermal Fan Controller with LED Display

EnGenius Technologies Dual Band 2.4/5 GHz Wireless AC1200 Router with Gigabit and USB (ESR1200)

Fan Controller FC5V2 Black, Version 2, Changeable Display Colors, 30W per Channel, Controls up to 4 fans, RPM and TempretureDisplay

Samsung Electronics 840 EVO-Series 1TB 2.5-Inch SATA III Single Unit Version Internal Solid State Drive MZ-7TE1T0BW

The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall

A special thanks to everyone who used my affiliate links to make purchases from Amazon in October (or any other month). Remember, your purchases through’s affiliate links help keep the lights on at pfSense Setup HQ without costing you a dime.

September 2014 Amazon Affiliate Purchases

Here are some of the products readers purchased through my Amazon affiliate links during the month of September 2014:

EnGenius Technologies Long-Range Wireless-N Indoor AP/Bridge (ECB300)

Mikrotik RB951-2N Wireless Router 802.11b/g/n

NZXT Technologies Sentry 3 5.4-Inch Touch Screen Fan Controller Cooling AC-SEN-3-B1

Oriental Furniture Modern Furniture, 6-Feet Helsinki Fabric Japanese Privacy Screen Room Divider, 4 Panel Honey

Disney Infinity Power Disc Complete Series 1 Set of 20

Your purchases through this site’s Amazon affiliate links help keep the lights on at And it doesn’t cost you an extra cent: all commissions come from Amazon’s end of the sale.

Suricata Intrusion Detection: Part Five


Logs management in Suricata.

In the previous articles on Suricata, we covered basic installation and configuration of this intrusion detection system, including deciding which rules to download and use, and setting up an interface, in this article, we take a look at log management.

Log Management in Suricata

The top level of tabs has 11 different tabs; click “Logs Mgmt” tab (in the current version of Suricata, it is the 9th tab). Under “General Settings”, there are two options. The first is the “Remove Suricata Log Files During Package Uninstall” check box, which will cause the Suricata log files to be removed when the package is unstalled. The “Auto Log Management” check box enables automatic unattended management of the Suricata logs using parameters set in the rest of the page.

The next section is “Log Directory Size Limit”. The radio buttons in this section allow you to enable or disable the directory size limit. Enabling a limit imposes a hard limit on the combined log directory size of all Suricata interfaces. When the size limit is reached, rotated logs for all interfaces will be removed, and any active logs will be pruned to zero length. The edit box in this section allows you to set the log directory size; the default value is 20% of available space.

The next section is “Log Size and Retention Limits”. Here, you can configure different size and retention limits for different logs. These options will only be enabled if you checked the “Auto Log Management” check box. Logs which can be configured here are: alerts (Suricata alerts and event details), block (Suricata blocked IPs and event details), dns (DNS request and reply details), eve-json (JavaScript Object Notation data), files-json (captured HTTP events and session information), sid_changes (log of security ID [SID] changes made by SID Management config files), stats (Suricata performance stats), and tls (SMTP TLS handshake details). Settings will be ignored for any log in this list not enabled on the Interface Settings tab. When a log reaches the maximum size limit, it will be rotated and tagged with a time stamp.

The next setting is the “Unified2 Log Limit”, which sets the maximum size for a unified2 log file before it is rotated and a new one created. Below that is the “Unified2 Archived Log Retention Period”. Here you can choose the retention period for the archived Barnyard2 binary log files. When Barnyard2 output is enabled, Suricata writes event data in binary format that Barnyard2 reads and processes. When finished processing a file, Barnyard2 moves it to an archive folder. The setting determines how long files remain in the archive folder before they are automatically deleted. Finally, there’s the “Captured Files Retention Period” dropdown box. Here you can choose the retention period for captured files. When file capture and storage is enabled, Suricata captures downloaded files from HTTP sessions and stores them, along with metadata, for later analysis. This setting determines how long files remain in the File Store folder before they are automatically deleted. Press the “Save” button at the bottom of the page to save settings.

External Links:

The official Suricata web site

Suricata Intrusion Detection: Part Four


Configuring app parser settings in Suricata.

In the previous articles on Suricata, we covered installation, configuring global settings and pass lists, and began looking at setting up an interface. In this article, we will continue setting up our first Suricata interface. In this example, we are configuring the WAN interface.

Configuring App Parsing

The next tab after “WAN Flow/Stream” is “WAN App Parsers“. This tab deals with parsers that operate on the application layer of the TCP/P model, the layer that specifies certain protocols that cover major aspects of functionality such as FTP, SMTP, and others.

The first setting is “Asn1 (Abstract Syntax One) Max Frames“. Abstract Syntax one is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking. Application later protocols such as X.400 e-mail, X.500 and LDAP directory services, H.323 (for VoIP) and SNMP use ASN.1 to describe the protocol data units they exchange. “Asn Max Frames” sets a limit for the maximum number of ASN.1 frames to decode (the default is 256).

The next heading is “DNS App-Layer Parser Settings“. Here, you can set parameters relevant to DNS, UDP and TCP parsing. “Global Memcap” and “Flow/State Memcap” set the global memcap and flow/state memcap limits respectively. The default global memcap is 16 MB and the flow/state memcap is 512 KB. The “Request Flood Limit” determines how many unreplied DNS requests are considered a flood; if this limit is reached, an alert is set. The default is 500. Finally, “UDP Parser” and “TCP Parser” enables UDP detection and parsing and TCP detection and parsing. The default for both settings is “yes“.

Below that is “HTTP App-Layer Parser Settings“. “Memcap” sets the memcap limit for the HTTP parser; the default is 64 MB. The “HTTP Parser” dropdown box allows you to enable or disable detection and parsing; there is also a third setting, “detection-only“, which enables detection but disables the parser. The final setting in this section is “Server Configurations“. Pressing the “plus” button allows you to add a new HTTP server policy configuration. You can set the “Engine Name“, as well an alias for the IP list to which the engine will be bound (you can specify “all” to bind the engine to all HTTP servers). The “Target Web Server Personality” allows you to choose the web server personality appropriate for the protected hosts. The default value is “IDS“, but you can set it for Apache 2 and different versions of Microsoft’s Internet Information Services. Below that are parameters for the request body limit and the response body limit, specifying the maximum number of HTTP request body and response body bytes to inspect, respectively. The default in each case is 4096 bytes. Setting either parameter to 0 causes Suricata to inspect the entire client-body or server-body. Finally, there are “Decode Settings“, which if set, will allow Suricata to decode the path and query. Checking the “URI Include-All” check box will include username, password, hostname and port in the normalized URI. Press “Save” at the bottom of the page to save settings for the server configuration or “Cancel” to cancel.

The last heading is “Other App-Layer Parser Settings“. Here, you can set detection and parsing options for several application-layer protocols such as TLS and SMTP. Each protocol has the option of [1] enabling detection and parsing; [2] disabling both detection and parsing, or [3] enabling detection but disabling parsing (“detection-only”). You can press “Save” to save your settings before you exit or “Reset“. Pressing sabe will rebuild the rules file, which may take several seconds. Suricata must also be restarted to activate any changes made.

Finally, the “Variables” tab allows you to set variables which can be used in rules. This prevents you from having to set IP addresses rule by rule. For example, after HOME_NET you can enter your home-IP address. Press “Save” at the bottom when you are done setting these variables.

That covers interface setup. Now that we have at least one interface configured, we can look at the logs. We will cover log settings in the next article.

External Links:

The official Suricata web site

© 2013 David Zientara. All rights reserved. Privacy Policy