Hi all!
Since OPNsense provides many possibilities to filter traffic, I wonder which method is the best, least performance-consuming and maybe most user-friendly one. I do not think that you have to use every method because filtering lists/results may be redundant.
Filtering methods:
- Firewall and blocklist as URL Table (applies to every traffic)
- Squid proxy with remote ACL (applies to proxied webtraffic)
- Bind and DNSBL/RPZ (applies to FQDN)
- OpenDNS (applies to FQDN)
- Suricata IPS (applies to every traffic)
- Sensei (applies to every traffic)
The first question is the layer/order/time when a method is applied. When I already block DNS, then clients will not request the resource and neither firewall, squid, IPS nor sensei will have to handle anything. But in this case, e.g. when a web resource has been requested, the user will not know why his request fails. If I had blocked via squid/sensei at least an info page would have been shown.
DNS blocking will not help if direct IPs are accessed. Damn! The more I think about it, you have to use at least some combinations to block everything.
What would you suggest to successfully block, for example, adware and trackers?
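To make the ordering question from the post concrete, here is an added example (not from the post and not OPNsense, Squid, Suricata or Sensei code) that models the chain a client request meets: DNS (DNSBL/RPZ/OpenDNS) first, then the firewall URL table by destination IP, then the Squid ACL for proxied web traffic only, then Suricata and Sensei on all traffic. The blocklists, the sample requests and the rule that Squid and Sensei return an info page while DNS, firewall and Suricata silently drop are assumptions chosen to mirror the post; the layer order is the one the post reasons about, not a statement about how OPNsense internally sequences these plugins.

```python
"""Model of the OPNsense filter chain discussed above.

Each request is passed through the layers in the order a client would meet
them.  The first layer that matches wins, so later layers never see the
request (the redundancy the post describes).  All lists are constructed
sample data, not real adware/tracker indicators.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed blocklists (assumed for the example)
DNS_BLOCKLIST = {"tracker.example"}                  # Bind RPZ / DNSBL / OpenDNS: FQDN only
URL_TABLE = [ip_network("203.0.113.0/24")]           # firewall alias: every packet, by IP
PROXY_ACL = {"tracker.example", "ads.example"}       # Squid remote ACL: proxied web only
SURICATA_IPS = {"198.51.100.9"}                      # IPS signature keyed on dest IP
SENSEI_FQDN = {"ads.example"}                        # Sensei: FQDN/category, all traffic


@dataclass
class Request:
    host: str          # FQDN or literal IP the client asked for
    resolved_ip: str   # where the name resolves (constructed)
    proxied: bool      # does the flow pass through Squid?


@dataclass
class Verdict:
    blocked_by: Optional[str]          # layer that blocked, or None
    user_sees_info_page: bool          # can the user learn why it failed?
    layers_consulted: List[str] = field(default_factory=list)


def is_literal_ip(host: str) -> bool:
    """True when the client typed an IP, so no DNS lookup ever happens."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(req: Request) -> Verdict:
    consulted: List[str] = []

    # 1. DNS: only reached for FQDNs; a literal IP bypasses this layer entirely.
    if not is_literal_ip(req.host):
        consulted.append("dns")
        if req.host in DNS_BLOCKLIST:
            # NXDOMAIN: nothing downstream sees the request, user gets no explanation.
            return Verdict("dns", False, consulted)

    # 2. Firewall URL table: applies to every packet, keyed on destination IP.
    consulted.append("firewall")
    dst = ip_address(req.resolved_ip)
    if any(dst in net for net in URL_TABLE):
        return Verdict("firewall", False, consulted)

    # 3. Squid remote ACL: only proxied web traffic, but it can return an info page.
    if req.proxied:
        consulted.append("squid")
        if req.host in PROXY_ACL:
            return Verdict("squid", True, consulted)

    # 4. Suricata IPS: all traffic, drops on signature match without feedback.
    consulted.append("suricata")
    if req.resolved_ip in SURICATA_IPS:
        return Verdict("suricata", False, consulted)

    # 5. Sensei: all traffic, FQDN/category based, shows a block page.
    consulted.append("sensei")
    if req.host in SENSEI_FQDN:
        return Verdict("sensei", True, consulted)

    return Verdict(None, False, consulted)


def coverage(requests: List[Request]) -> dict:
    """Map each request host to the layer that blocked it (None = allowed)."""
    return {r.host: evaluate(r).blocked_by for r in requests}


if __name__ == "__main__":
    samples = [
        Request("tracker.example", "203.0.113.5", proxied=True),   # DNS wins, no page
        Request("203.0.113.5", "203.0.113.5", proxied=False),      # direct IP, DNS skipped
        Request("ads.example", "198.51.100.7", proxied=True),      # Squid shows info page
        Request("ads.example", "198.51.100.7", proxied=False),     # Sensei catches it
        Request("198.51.100.9", "198.51.100.9", proxied=False),    # only IPS matches
        Request("198.51.100.20", "198.51.100.20", proxied=False),  # nothing matches
    ]
    for r in samples:
        v = evaluate(r)
        print(f"{r.host:16} proxied={r.proxied!s:5} -> {v.blocked_by!s:9} "
              f"info_page={v.user_sees_info_page} via {v.layers_consulted}")
```

Running it shows the two points the post makes: a DNS block for `tracker.example` ends the request before Squid could have shown its page, and a client that types `203.0.113.5` never touches DNS at all, so only the IP-based layers (URL table, Suricata) can catch it. Comparing the `layers_consulted` lists is a quick way to see which of your lists are redundant for a given kind of traffic.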