Greetings,
I need to create an alias for the Internet. Like 0.0.0.0 but excl. 10.0.0.0/8, 192.168.0.0/16 and so on. How can I accomplish that?
Thanks very much in advance
Guybrush
Create network/host aliases for everything that is not "the Internet".
Create a group alias with all those as members.
Use "invert destination" in your rule.
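To make it concrete what a rule with "invert destination" against such a group alias actually matches, here is an added example in Python (not code from this thread and not part of OPNsense): it lists the RFC 1918 blocks from the question, adds a few other non-routable ranges as an assumption of what "and so on" covers, computes the complement of the group within 0.0.0.0/0, and checks addresses against both. The alias names `rfc1918` and `not_internet` are hypothetical labels for the aliases the answer suggests creating; IPv4 only.

```python
"""Complement of a "not the Internet" alias group, computed with ipaddress.

Added example for this thread, not OPNsense code. In the firewall you only
enter the member networks and tick "invert destination"; this script shows
which address space that inverted match covers.
"""
import ipaddress

# Members of the hypothetical 'rfc1918' alias (the blocks named in the question).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Assumed extra members of the hypothetical 'not_internet' group alias:
# loopback, link-local, CGNAT, multicast and the reserved 240/4 block.
OTHER_NON_INTERNET = ["127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
                      "224.0.0.0/4", "240.0.0.0/4"]


def build_group(cidrs):
    """Parse the alias members into sorted IPv4Network objects."""
    return sorted(ipaddress.ip_network(c) for c in cidrs)


def invert(group):
    """Return the minimal set of networks covering 0.0.0.0/0 minus the group.

    This is the address space a rule with "invert destination" against the
    group alias matches: every destination not inside any member network.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for member in group:
        nxt = []
        for net in remaining:
            if member.subnet_of(net):
                # Carve the member out of this block (empty if they are equal).
                nxt.extend(net.address_exclude(member))
            elif net.subnet_of(member):
                continue  # block lies entirely inside the member: drop it
            else:
                nxt.append(net)  # disjoint: keep as is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def is_internet(addr, group):
    """True if addr is outside every member of the group (i.e. "the Internet")."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in group)


def coverage_is_complete(group):
    """Sanity check: group plus its complement must cover all 2**32 addresses."""
    total = sum(n.num_addresses for n in group) + \
        sum(n.num_addresses for n in invert(group))
    return total == 2 ** 32


if __name__ == "__main__":
    not_internet = build_group(RFC1918 + OTHER_NON_INTERNET)
    print("Inverted destination covers:")
    for net in invert(not_internet):
        print("  ", net)
    for probe in ["10.1.2.3", "192.168.1.1", "8.8.8.8", "100.64.0.1"]:
        print(probe, "-> Internet" if is_internet(probe, not_internet) else "-> not Internet")
```

The inverted list exists only to show what the rule matches; in OPNsense you keep the alias as the short member list and let the rule's "invert destination" checkbox do the complement, which also means adding a new private range later is a one-line alias change.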
...as we have a built-in alias for "This firewall", why isn't there a default (but editable) alias for all private subnets? ;-)
Is there some sort of best practice guide to opnsense firewalling anywhere?
...depends so, so much on your personal preferences and needs (threat model...)...
Quote from: bimbar on November 05, 2021, 09:40:58 AM
Is there some sort of best practice guide to opnsense firewalling anywhere?
http://www.wilyhacker.com/
;)
Quote from: chemlud on November 05, 2021, 10:57:45 AM
...depends so, so much on your personal preferences and needs (threat model...)...
I don't entirely agree. There is right and wrong here.
Quote from: pmhausen on November 05, 2021, 11:07:54 AM
Quote from: bimbar on November 05, 2021, 09:40:58 AM
Is there some sort of best practice guide to opnsense firewalling anywhere?
http://www.wilyhacker.com/
;)
Seems it is at least entertaining, so I bought a copy. Still afraid it's probably a bit outdated as we're moving on to concepts like SASE and ZTNA.
Looks like an abundance of Powerpoint and little substance. I'll stick to network isolation and perimeter defense, thank you.
Quote from: pmhausen on November 05, 2021, 12:29:28 PM
Looks like an abundance of Powerpoint and little substance. I'll stick to network isolation and perimeter defense, thank you.
I am not so sure about that.
What we really want is to have a bunch of users and a bunch of services, and be able to control who can access what. Traditional firewalling does not really achieve this. Sure, I can have a DMZ for every server, but can I have a network for each user?
Seems hard to me without some sort of new technology.
The services themselves need to implement strong authentication and identification like they always did. To in any way restrict the user from an "outside" framework means to control the end device. Which always has failed and in my opinion always will. Device management products by "industry leaders" like McAfee, Trendmicro etc. have been doing more harm and have had more security problems themselves than they have provided solutions.
Just my take on the topic - your prerogative to disagree ;)
Problem is, the services themselves don't tend to be very secure, in my experience.
I do agree that the client software brings its own problems, but then we're mostly talking Windows here and antivirus software is usually already deployed on that.
If we abandon the necessity of verifying endpoint status, maybe a simple WireGuard client to at least authenticate the user might be enough as a first step.
Quote from: bimbar on November 05, 2021, 12:53:19 PM
we're mostly talking Windows here and antivirus software is usually already deployed on that.
Not in my company. Enable Microsoft Windows Defender or whatever they call it today, enable firewall, done. No snake oil on our systems. Windows antivirus software is actively doing harm as proven over and over again.
Quote from: pmhausen on November 05, 2021, 01:05:04 PM
Quote from: bimbar on November 05, 2021, 12:53:19 PM
we're mostly talking Windows here and antivirus software is usually already deployed on that.
Not in my company. Enable Microsoft Windows Defender or whatever they call it today, enable firewall, done. No snake oil on our systems. Windows antivirus software is actively doing harm as proven over and over again.
Possibly. I'm not a huge fan of Windows Defender either. I think we need to accept that Windows systems as a whole are inherently unsafe. Or maybe all client systems ;) .
Quote from: bimbar on November 05, 2021, 12:21:11 PM
Quote from: chemlud on November 05, 2021, 10:57:45 AM
...depends so, so much on your personal preferences and needs (threat model...)...
I don't entirely agree. There is right and wrong here.
Your discussions here fully support my statement :-D