OPNsense Forum

English Forums => General Discussion => Topic started by: Guybrush on November 04, 2021, 11:35:08 PM

Title: How to create an alias for "the internet"?
Post by: Guybrush on November 04, 2021, 11:35:08 PM
Greetings,

I need to create an alias for the Internet. Like 0.0.0.0 but excl. 10.0.0.0/8, 192.168.0.0/16 and so on. How can I accomplish that?

Thanks very much in advance
Guybrush
Title: Re: How to create an alias for "the internet"?
Post by: Patrick M. Hausen on November 05, 2021, 07:13:11 AM
Create network/host aliases for everything that is not "the Internet".
Create a group alias with all those as members.
Use "invert destination" in your rule.
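The three steps above amount to "everything except the group alias". The following script is an added illustration, not code from the thread or from OPNsense: it computes, with Python's standard ipaddress module, the exact address set that an inverted-destination rule matches, so you can see what the negation covers and check that no member alias was forgotten. The member list NOT_INTERNET is an assumption (RFC 1918 plus a few other non-routable blocks); replace it with the aliases you actually create.

```python
import ipaddress

# Constructed member list for the "not the Internet" group alias. This set is
# an assumption for the example; RFC 1918 is the part the question asked about,
# the rest are blocks that are never reachable on the public Internet.
NOT_INTERNET = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "100.64.0.0/10",   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved / limited broadcast
]


def not_internet_networks(members=NOT_INTERNET):
    """The group alias as a collapsed, sorted list of networks."""
    nets = [ipaddress.ip_network(m) for m in members]
    return sorted(ipaddress.collapse_addresses(nets))


def internet_networks(members=NOT_INTERNET):
    """0.0.0.0/0 minus the group alias: what 'invert destination' matches.

    Carving the complement out explicitly shows how many entries a positive
    'Internet' alias would need, which is why the negated rule is simpler.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for excluded in not_internet_networks(members):
        next_remaining = []
        for net in remaining:
            if excluded.subnet_of(net):
                # punch the excluded block out of this piece
                next_remaining.extend(net.address_exclude(excluded))
            elif net.subnet_of(excluded):
                # this piece lies entirely inside an excluded block; drop it
                continue
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def is_internet(addr, members=NOT_INTERNET):
    """Decide the way the inverted rule does: match unless addr is in a member."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in not_internet_networks(members))


def covers_everything(members=NOT_INTERNET):
    """Sanity check: the alias and its complement together are all of IPv4."""
    total = sum(n.num_addresses for n in internet_networks(members))
    total += sum(n.num_addresses for n in not_internet_networks(members))
    return total == 2 ** 32


if __name__ == "__main__":
    for net in internet_networks():
        print(net)
    for probe in ("8.8.8.8", "192.168.1.5", "172.20.0.1", "100.64.1.1"):
        print(probe, "is Internet:", is_internet(probe))
    print("complete:", covers_everything())
```

Run it with a deliberately incomplete member list (drop 172.16.0.0/12, say) and is_internet("172.20.0.1") flips to True: that is precisely the hole an inverted rule would open, and it is easier to spot here than in a long rule table.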
Title: Re: How to create an alias for "the internet"?
Post by: chemlud on November 05, 2021, 09:13:50 AM
...as we have a built-in alias for "This firewall", why isn't there a default (but editable) alias for all private subnets? ;-)
Title: Re: How to create an alias for "the internet"?
Post by: bimbar on November 05, 2021, 09:40:58 AM
Is there some sort of best practice guide to opnsense firewalling anywhere?
Title: Re: How to create an alias for "the internet"?
Post by: chemlud on November 05, 2021, 10:57:45 AM
...depends so, so much on your personal preferences and needs (threat model...)...
Title: Re: How to create an alias for "the internet"?
Post by: Patrick M. Hausen on November 05, 2021, 11:07:54 AM
Quote from: bimbar on November 05, 2021, 09:40:58 AM
Is there some sort of best practice guide to opnsense firewalling anywhere?

http://www.wilyhacker.com/
;)
Title: Re: How to create an alias for "the internet"?
Post by: bimbar on November 05, 2021, 12:21:11 PM
Quote from: chemlud on November 05, 2021, 10:57:45 AM
...depends so, so much on your personal preferences and needs (threat model...)...

I don't entirely agree. There is right and wrong here.
Title: Re: How to create an alias for "the internet"?
Post by: bimbar on November 05, 2021, 12:22:48 PM
Quote from: pmhausen on November 05, 2021, 11:07:54 AM
Quote from: bimbar on November 05, 2021, 09:40:58 AM
Is there some sort of best practice guide to opnsense firewalling anywhere?

http://www.wilyhacker.com/
;)

Seems it is at least entertaining, so I bought a copy. Still afraid it's probably a bit outdated as we're moving on to concepts like SASE and ZTNA.
Title: Re: How to create an alias for "the internet"?
Post by: Patrick M. Hausen on November 05, 2021, 12:29:28 PM
Looks like an abundance of Powerpoint and little substance. I'll stick to network isolation and perimeter defense, thank you.
Title: Re: How to create an alias for "the internet"?
Post by: bimbar on November 05, 2021, 12:40:05 PM
Quote from: pmhausen on November 05, 2021, 12:29:28 PM
Looks like an abundance of Powerpoint and little substance. I'll stick to network isolation and perimeter defense, thank you.

I am not so sure about that.
What we really want is to have a bunch of users and a bunch of services, and be able to control who can access what. Traditional firewalling does not really achieve this. Sure, I can have a DMZ for every server, but can I have a network for each user?
Seems hard to me without some sort of new technology.
Title: Re: How to create an alias for "the internet"?
Post by: Patrick M. Hausen on November 05, 2021, 12:45:28 PM
The services themselves need to implement strong authentication and identification like they always did. To in any way restrict the user from an "outside" framework means to control the end device. Which always has failed and in my opinion always will. Device management products by "industry leaders" like McAfee, Trendmicro etc. have been doing more harm and have had more security problems themselves than they have provided solutions.

Just my take on the topic - your prerogative to disagree ;)
Title: Re: How to create an alias for "the internet"?
Post by: bimbar on November 05, 2021, 12:53:19 PM
Problem is, the services themselves don't tend to be very secure, in my experience.
I do agree that the client software brings its own problems, but then we're mostly talking Windows here and antivirus software is usually already deployed on that.

If we abandon the necessity of verifying endpoint status, maybe a simple WireGuard client to at least authenticate the user might be enough as a first step.
Title: Re: How to create an alias for "the internet"?
Post by: Patrick M. Hausen on November 05, 2021, 01:05:04 PM
Quote from: bimbar on November 05, 2021, 12:53:19 PM
we're mostly talking Windows here and antivirus software is usually already deployed on that.
Not in my company. Enable Microsoft Windows Defender or whatever they call it today, enable firewall, done. No snake oil on our systems. Windows antivirus software is actively doing harm as proven over and over again.
Title: Re: How to create an alias for "the internet"?
Post by: bimbar on November 05, 2021, 01:10:22 PM
Quote from: pmhausen on November 05, 2021, 01:05:04 PM
Quote from: bimbar on November 05, 2021, 12:53:19 PM
we're mostly talking Windows here and antivirus software is usually already deployed on that.
Not in my company. Enable Microsoft Windows Defender or whatever they call it today, enable firewall, done. No snake oil on our systems. Windows antivirus software is actively doing harm as proven over and over again.

Possibly. I'm not a huge fan of Windows Defender either. I think we need to accept that Windows systems as a whole are inherently unsafe. Or maybe all client systems ;) .
Title: Re: How to create an alias for "the internet"?
Post by: chemlud on November 05, 2021, 01:33:46 PM
Quote from: bimbar on November 05, 2021, 12:21:11 PM
Quote from: chemlud on November 05, 2021, 10:57:45 AM
...depends so, so much on your personal preferences and needs (threat model...)...

I don't entirely agree. There is right and wrong here.

Your discussions here fully support my statement :-D