Messages - Patrick M. Hausen

#1
Caddy is also an OPNsense plugin that comes with sensible defaults and implements ingress with TLS and Let's Encrypt/ACME with very little configuration effort.
#2
Yes, we ended up leaving it as well. I have remote access to his setup; it would be great if we could take a quick look at it together in two weeks.
#3
BTW: FreeBSD is on the leading edge as far as RISC V is concerned due to the efforts at the Uni of Cambridge and the CHERI project.
#4
General Discussion / Re: Port OPNsense to Linux?
April 02, 2026, 02:24:36 PM
Only that OpenBSD scales even worse for multicore and speeds of 10 G and beyond :-P
#5
Since diverting to IDS is handled by explicit firewall rules you could exempt local management traffic from the IDS.
#6
Static ARP enabled, possibly?
#7
General Discussion / Re: Port OPNsense to Linux?
April 02, 2026, 12:17:51 AM
Quote from: OPNenthu on April 02, 2026, 12:05:20 AM
I'm still clueless. Where can I go to also learn?

I was just taking his statement verbatim. If whoever is behind IPfire is problematic, so be it. I am not really interested in digging deeper. "Difficult" project leads in open source are not uncommon. Case closed for me.
#8
The GeoIP databases are updated automatically. To check go to

Firewall: Aliases: GeoIP settings

and look at the "Last updated" timestamp.
#9
General Discussion / Re: Port OPNsense to Linux?
April 01, 2026, 11:45:40 PM
Quote from: MrWizard on April 01, 2026, 10:03:02 PM
The reason IPFire is being unrecommended, is the guys behind.

So I learned, thank you.

Quote from: MrWizard on April 01, 2026, 10:03:02 PM
So there will likely be users for a Linux router with an OPNsense like user interface and decent support. The Linux user base is growing.

But there must be a dozen different firewall appliance distributions based on Linux, given how the Linux community and ecosystem tick? There ...

* insert Anakin and Padme meme *

Seriously, no takers? OpenWRT for sure. And they have an optional more capable UI IIRC?

Then again - you need hardware anyway. And MikroTik RouterOS, while closed source, is not that bad. I use it for everything Layer 2 here.
#10
When you create the alias you define how frequently the source is pulled for updates.

I use 6 hours for most.

#11
Quote from: Monviech (Cedrik) on April 01, 2026, 04:26:47 PM
But it's another module, though since I went the "I only support cloudflare in caddy" it looks attractive.

I also know who WeidiDeng is.

Sounds awesome!
#12
OK. How about being able to select more than one "Caddy internal access list" as a compromise? So one gets at least manageable objects for IPv4, IPv6, Cloudflare, other CDNs, ...

Also: what's with all the other fields in the access lists? Are any of them relevant for trusted proxies or just the address content?
#13
Hi all, but specifically Cedrik (@monviech):

I just added Cloudflare's egress IP addresses to Caddy as trusted proxies in one of our installations so client IP addresses get passed properly down the chain. Works as designed. But feels a little clumsy:

- You can only select a single "Caddy access list" - I originally created two, one for IPv4 and one for IPv6, because "of course", only to find I needed to combine them into one.
- Although Cloudflare last changed the lists in 2023, they provide them under a static URL in text CIDR format, so they could be trivially pulled into a firewall alias with the existing mechanisms.

I will happily create a feature request on Github, but wanted to discuss if that would be feasible, first.

Kind regards,
Patrick
#14
Quote from: JamesFrisch on April 01, 2026, 03:18:28 PM
So in your case, it will continue to use your local DNS server which does not know about your home network names.

And it possibly stops being reachable at all, if it's not on a directly connected LAN and you direct all your traffic (0.0.0.0/0, ::/0) into the WireGuard tunnel.
#15
Quote from: Monviech (Cedrik) on April 01, 2026, 11:37:59 AM
Please note what I'm saying is highly simplified, I have no insight into the governance of FreeBSD, nor met any of their team members yet.

See you in Brussels, possibly?