Messages - jodumont

#1
Hey guys and girls, we are in the era of microservices;
running everything in one box/OS is not the way.
Running everything under one box [windows/appliance/linux/bsd] is the old model; so 1990.
Segmenting the usage at least per VM or container is more 2010; by service/pod it is more 2020.

So if you run OPNsense under FreeNAS, Proxmox, ESXi or Hyper-V, you started well;
now you should make another VM for your docker, or better, make a kubernetes cluster (try k3os to start, it is easy).
Then use OPNsense as gateway/firewall and add a proxy service (haproxy or nginx) on it to redirect the traffic to your docker machine/kubernetes cluster.
This is the way to do it.

Now, to make your kubernetes cluster resilient you will need a NAS: look at FreeNAS or OpenMediaVault for that and share a directory via iSCSI or NFS, or even SMB to start.
#2
I understand PPTP is considered insecure, but in my case I would use it more for the static IP than from a perspective of security/anonymity.

As @Franco was suggesting in https://forum.opnsense.org/index.php?topic=8601.msg38670#msg38670, it would be possible to extend the os-pptp module by adding a client section like OpenVPN has.

Also, as @Franco asked, it would be easier to implement with a specific configuration in mind and add options on demand.
So the specific configuration is already possible on pfSense Linux and it is with PureVPN: https://support.purevpn.com/command-line-setup-in-debian-linux

What do you think?
#3
hi myksto;

I'm glad I helped you;
your setup seems fair.

If you notice on https://iplists.firehol.org/ they have the average update frequency, which is 41 minutes; but I'd say 1 day is fair enough to not get banned; I'd definitely not go under every hour.

Best Practices?

Hum; I'm a learner like you.

But depending on the case, I add one or two of these lists: https://firebog.net
- notice firehol and firebog may have overlaps.
- also, as far as I understand, the firebog lists are just domain names and/or point to 127.0.0.1, so I use them in combination with unbound (probably works with dnsmasq too).
Actually I just discovered OPNsense already integrates an ads block list in BIND.

Don't hesitate to share your tries; I'll be curious to test them too.

#4
Hi;

sorry I lost my post, but long story short:

for
2) https://127.0.0.1/mkst/lists/ips.txt
3) https:\\127.0.0.1\mkst\lists\ips.txt

you must alter lighttpd via a vhost or use the os-nginx plugin.

As you must understand, os-nginx is the better choice;
this could inspire you: https://wiki.opnsense.org/manual/how-tos/nginx.html

If you want to use lighttpd you have to create a vhost file in:
/usr/local/etc/lighttpd/vhosts.d
then put your ips.txt into /usr/local/www/vhost (as an example).

But you could also host your file on any webserver/service like github, gitlab or netlify.

Personally I use the same method as you, but with public lists I found here:
http://iplists.firehol.org/
#5
thanks for sharing your thoughts; it made me discover a new way of doing it :)
https://wiki.opnsense.org/manual/how-tos/edrop.html

:D
#6
an interesting source of information is compiled by firehol:
http://iplists.firehol.org/

you could compare different lists and also see which ones overlap.
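The two points raised above, combining hosts-format domain lists (firebog style) for use with unbound and checking how much two lists overlap (post #3 and post #6), can be handled with a small script. The following is an added example, not code from the forum posts or from the firehol/firebog projects; the list contents are constructed samples, and the `always_nxdomain` local-zone type is standard unbound.conf syntax, chosen here as one way to blackhole a domain.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample list bodies (not real feed contents).
FIREBOG_STYLE_A = """\
# hosts-format list, as many firebog entries are published
127.0.0.1 localhost
127.0.0.1 ads.example
0.0.0.0 tracker.example
127.0.0.1 ads.example   # duplicate entry
"""
FIREBOG_STYLE_B = """\
ads.example
telemetry.example
"""
FIREHOL_STYLE = """\
# netset-style IP list
192.0.2.0/24
198.51.100.7
203.0.113.0/25 ; trailing comment
"""

# "<blackhole address> <hostname>" as found in hosts-format block lists
HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+(\S+)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}

def parse_list(text):
    """Split one list into (domains, ip_networks), ignoring comments and duplicates."""
    domains, networks = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if m:                          # hosts format: keep only the hostname
            line = m.group(1)
        try:                           # plain IP or CIDR goes to the network set
            networks.add(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        name = line.lower().rstrip(".")
        if name not in LOCAL_NAMES:    # never blackhole the resolver's own names
            domains.add(name)
    return domains, networks

def overlap_report(named_sets):
    """Pairwise overlap counts between lists, e.g. {("A", "B"): 1}."""
    return {(a, b): len(named_sets[a] & named_sets[b])
            for a, b in combinations(sorted(named_sets), 2)}

def merge_networks(*network_sets):
    """Union of IP lists with adjacent/contained prefixes collapsed."""
    return sorted(ipaddress.collapse_addresses(set().union(*network_sets)))

def unbound_local_zones(domains):
    """unbound.conf lines that answer NXDOMAIN for each domain and everything under it."""
    return [f'local-zone: "{d}." always_nxdomain' for d in sorted(domains)]

if __name__ == "__main__":
    a_dom, _ = parse_list(FIREBOG_STYLE_A)
    b_dom, _ = parse_list(FIREBOG_STYLE_B)
    _, nets = parse_list(FIREHOL_STYLE)
    print("overlap:", overlap_report({"A": a_dom, "B": b_dom}))
    print("networks:", [str(n) for n in merge_networks(nets)])
    print("\n".join(unbound_local_zones(a_dom | b_dom)))
```

Run it as-is to see the overlap count between the two constructed domain lists and the generated unbound lines; pointing `parse_list` at downloaded feed bodies instead of the inline samples gives the same report for real lists, which is what the comparison suggested above amounts to.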
#7
is it possible to see your file?
I mean, is it snort formatted?
#8
Intrusion Detection and Prevention / 2 questions IDS/IPS
September 27, 2018, 03:32:21 PM
Hi everyone;

1.
My public IP, in fact all IPs of my ISP, are blacklisted by spamhaus.
If I activate IPS mode on my WAN and activate the DROP list, what will happen?

2.
If IPS mode is activated on my LAN interface and I forward ports, are these ports still under IPS protection, or will the traffic be forwarded before that?