OPNsense
Messages - bimbar

Pages: 1 ... 22 23 [24] 25 26 ... 30
346
General Discussion / Re: Best practices for opnsense firewalling? How do you do firewalling?
« on: November 05, 2021, 12:55:05 pm »
Now I feel validated ;) .

For services reachable from the internet I am aiming at client certificate authentication where possible, but that's a bit of a different topic than firewalling.

347
General Discussion / Re: How to create an alias for "the internet"?
« on: November 05, 2021, 12:53:19 pm »
Problem is, the services themselves don't tend to be very secure, in my experience.
I do agree that the client software brings its own problems, but then we're mostly talking Windows here and antivirus software is usually already deployed on that.

If we abandon the necessity of verifying endpoint status, maybe a simple wireguard client to at least authenticate the user might be enough as a first step.

348
General Discussion / Re: OPNSense and ZTNA / SASE
« on: November 05, 2021, 12:50:36 pm »
Quote from: pmhausen on November 05, 2021, 12:46:17 pm
Let's start with "what does it look like in products that are available and tested now?" Any pointers?

I looked at an interesting solution from cloudflare, "Cloudflare Teams". I think it shows what something like that could look like, but it's not there yet.
I have seen something from fortinet, which I'm not sure is the way to go, and on monday I have a one hour session with checkpoint, so we'll see about that.
Also at the start of December, I'm going to attend a presentation by Sophos, but I don't believe whatever they will be showing has the potential to work, based off prior experience.

349
General Discussion / Re: How to create an alias for "the internet"?
« on: November 05, 2021, 12:40:05 pm »
Quote from: pmhausen on November 05, 2021, 12:29:28 pm
Looks like an abundance of Powerpoint and little substance. I'll stick to network isolation and perimeter defense, thank you.

I am not so sure about that.
What we really want is to have a bunch of users and a bunch of services, and be able to control who can access what. Traditional firewalling does not really achieve this. Sure, I can have a dmz for every server, but can I have a network for each user?
Seems hard to me without some sort of new technology.

350
General Discussion / Re: Is it possible to advertise ULA prefix only to IPv6 client?
« on: November 05, 2021, 12:37:21 pm »
Because it is really necessary. There are two main cases:

- You don't have a static IPv6 prefix but still want to do clustering.
- You have a static IPv6 prefix, but want to do multi-wan (you can do NPTv6 in that case).

God knows I tried, but with poor IPv6 support from clients for environments with more than one next-hop, it's not possible to go GUA.
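
The second case above (static GUA prefix, multi-WAN, so NPTv6 between an internal ULA prefix and a per-WAN global prefix) is the one a worked model helps with. The following is an added example, not code from the post or from OPNsense: it performs the RFC 6296 style checksum-neutral prefix translation for /48 prefixes, adjusting the subnet word (bits 48-63) so that the one's-complement sum of the address, and therefore every transport checksum covering it, is unchanged. The prefixes are documentation ranges chosen for illustration, and the RFC's special case for a resulting subnet word of 0xFFFF is not modelled.

```python
"""Model of NPTv6 (RFC 6296) checksum-neutral prefix translation for /48 prefixes.
Added example with constructed prefixes; not OPNsense code."""
from ipaddress import IPv6Address, IPv6Network


def _words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    value = int(addr)
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _ones_add(a, b):
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _ones_sum(words):
    total = 0
    for w in words:
        total = _ones_add(total, w)
    return total


def nptv6(addr, inside, outside):
    """Map addr from prefix `inside` to prefix `outside` (both /48).

    The subnet word (word 3, bits 48-63) is adjusted by the one's-complement
    difference between the two prefixes, so the sum over the whole address is
    the same before and after translation; that is what keeps TCP, UDP and
    ICMPv6 checksums valid without the translator rewriting them.
    Calling it again with the prefixes swapped undoes the mapping.
    """
    inside, outside = IPv6Network(inside), IPv6Network(outside)
    if inside.prefixlen != 48 or outside.prefixlen != 48:
        raise ValueError("this model only handles /48 prefixes")
    addr = IPv6Address(addr)
    if addr not in inside:
        raise ValueError(f"{addr} is not inside {inside}")
    w = _words(addr)
    sum_in = _ones_sum(_words(inside.network_address)[:3])
    sum_out = _ones_sum(_words(outside.network_address)[:3])
    delta = _ones_add(sum_in, (~sum_out) & 0xFFFF)   # sum_in - sum_out, one's complement
    new_words = _words(outside.network_address)[:3] + [_ones_add(w[3], delta)] + w[4:]
    value = 0
    for word in new_words:
        value = (value << 16) | word
    return IPv6Address(value)


def checksum_neutral(a, b):
    """True when both addresses contribute the same one's-complement sum
    (0x0000 and 0xFFFF are the same value in one's complement)."""
    return (_ones_sum(_words(IPv6Address(a))) % 0xFFFF
            == _ones_sum(_words(IPv6Address(b))) % 0xFFFF)


if __name__ == "__main__":
    # Constructed setup: ULA inside, one GUA /48 per WAN uplink.
    inside = "fd00:1234:5678::/48"
    for wan in ("2001:db8:1::/48", "2001:db8:2::/48"):
        out = nptv6("fd00:1234:5678:1::10", inside, wan)
        back = nptv6(out, wan, inside)
        print(f"{wan}: fd00:1234:5678:1::10 -> {out} -> {back}")
```

The subnet field the host sees internally (::1:: above) does not survive translation unchanged, which is why hosts on a ULA-only LAN cannot predict their external address from the prefix alone; the firewall, not the host, owns that mapping, and each WAN gets its own.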

351
General Discussion / OPNSense and ZTNA / SASE
« on: November 05, 2021, 12:34:48 pm »
My impression is that opnsense is a good traditional UTM firewall.

But what about the future?
Is some support for concepts like zero trust that are difficult or impossible to implement with a traditional firewall planned?
What might such a thing look like in an open source firewall?

352
General Discussion / Best practices for opnsense firewalling? How do you do firewalling?
« on: November 05, 2021, 12:32:13 pm »
I did ask this in another thread, but maybe it deserves its own.

I'll start with my personal universal firewall concept. Maybe someone else wants to share as well.

I divide networks into a few standard zone types (clients, servers, backend, dmz, admin, restricted, internet) with a standard communications matrix.
For example, clients are allowed to access servers, dmz and the internet.
I create a netgroup for each of those zone types with a standardized name (netgroup_dmz).
Then I create a second netgroup for each zone which contains all networks that are allowed to access it, called accessgroup_dmz.
More of those groups can be created for special needs according to the same scheme.

In my firewall rules there are only rules of the form "Allow quick accessgroup_XXX -> netgroup_XXX" .
For internet access there is a rule "Allow quick accessgroup_internet -> !netgroup_internet_inverted".
netgroup_internet_inverted contains all internal networks and net_blocked. net_blocked is basically FireHOL L1.

For access from outside to inside there are interface rules on WAN of the form Allow quick !net_blocked -> PORTS -> This Firewall .

Importantly, there are no drop rules except the default drop. That makes the ruleset easier to understand and the order of rules is irrelevant.
If this ruleset is implemented somewhere else, all that is necessary is usually to add the local networks to the right aliases and create a few special rules for DMZs.
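
The scheme in the post above (zone netgroups, per-zone accessgroups derived from a communications matrix, nothing but "Allow quick accessgroup_X -> netgroup_X" rules, an inverted alias for the internet, and only the default drop) is simple enough to model end to end. The following is an added example, not code from the post or from OPNsense: it generates the aliases and rules from a matrix and then evaluates flows the way a first-match "allow quick" ruleset with an implicit default drop would, including a check that reversing the rule order never changes a verdict. The networks, the blocklist stand-in and the matrix are constructed for illustration.

```python
"""Model of the zone / netgroup / accessgroup firewall scheme.
Added example with constructed networks; not OPNsense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone networks (RFC 1918 and documentation ranges, not a real site).
NETGROUPS = {
    "clients":    ["10.10.0.0/16"],
    "servers":    ["10.20.0.0/16"],
    "backend":    ["10.30.0.0/16"],
    "dmz":        ["192.0.2.0/24"],
    "admin":      ["10.99.0.0/24"],
    "restricted": ["10.50.0.0/24"],
}
# Stand-in for the FireHOL level-1 feed the post calls net_blocked.
NET_BLOCKED = ["198.51.100.0/24"]

# Communications matrix: zone type -> zone types it may initiate connections to.
MATRIX = {
    "clients": {"servers", "dmz", "internet"},
    "servers": {"backend", "dmz", "internet"},
    "dmz":     {"internet"},
    "admin":   {"clients", "servers", "backend", "dmz", "restricted", "internet"},
}


@dataclass(frozen=True)
class Rule:
    src: str                  # alias name
    dst: str                  # alias name
    negate_dst: bool = False  # the "!" in "-> !netgroup_internet_inverted"


def build_aliases():
    """netgroup_X per zone, accessgroup_X per destination, and the internet aliases."""
    aliases = {f"netgroup_{z}": list(nets) for z, nets in NETGROUPS.items()}
    aliases["net_blocked"] = list(NET_BLOCKED)
    # "the internet" is everything that is neither ours nor blocklisted
    aliases["netgroup_internet_inverted"] = [
        n for nets in NETGROUPS.values() for n in nets] + list(NET_BLOCKED)
    # accessgroup_X: every network of every zone allowed to reach X
    for dst in list(NETGROUPS) + ["internet"]:
        aliases[f"accessgroup_{dst}"] = [
            n for src, dsts in MATRIX.items() if dst in dsts for n in NETGROUPS[src]]
    return aliases


def build_rules():
    """Only 'Allow quick accessgroup_X -> netgroup_X' rules; no drop rules at all."""
    rules = [Rule(f"accessgroup_{z}", f"netgroup_{z}") for z in sorted(NETGROUPS)]
    rules.append(Rule("accessgroup_internet", "netgroup_internet_inverted", negate_dst=True))
    return rules


def render(rules):
    """The rules in the notation used in the post."""
    return [f"Allow quick {r.src} -> {'!' if r.negate_dst else ''}{r.dst}" for r in rules]


def in_alias(aliases, name, ip):
    return any(ip in ip_network(n) for n in aliases[name])


def allowed(aliases, rules, src_ip, dst_ip):
    """First matching 'allow quick' rule wins; no match is the default drop."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if in_alias(aliases, r.src, src) and in_alias(aliases, r.dst, dst) != r.negate_dst:
            return True
    return False


def order_independent(aliases, rules, flows):
    """With allow-only rules and a default drop, rule order cannot change a verdict."""
    forward = [allowed(aliases, rules, s, d) for s, d in flows]
    backward = [allowed(aliases, list(reversed(rules)), s, d) for s, d in flows]
    return forward == backward


if __name__ == "__main__":
    aliases, rules = build_aliases(), build_rules()
    print("\n".join(render(rules)))
    for src, dst in [("10.10.1.5", "10.20.0.10"), ("10.10.1.5", "10.30.0.10"),
                     ("10.10.1.5", "203.0.113.7"), ("10.10.1.5", "198.51.100.9")]:
        print(f"{src} -> {dst}: {'pass' if allowed(aliases, rules, src, dst) else 'drop'}")
```

Two things the model makes visible: a client reaching for a backend address is not caught by the internet rule, because the inverted alias contains every internal network, so it falls through to the default drop; and a blocklisted destination is dropped for the same reason, without any explicit block rule. The WAN-side "Allow quick !net_blocked -> PORTS -> This Firewall" rule is stateful and port-specific, and is not modelled here.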

353
General Discussion / Re: How to create an alias for "the internet"?
« on: November 05, 2021, 12:22:48 pm »
Quote from: pmhausen on November 05, 2021, 11:07:54 am
Quote from: bimbar on November 05, 2021, 09:40:58 am
Is there some sort of best practice guide to opnsense firewalling anywhere?

http://www.wilyhacker.com/
 ;)

Seems it is at least entertaining, so I bought a copy. Still afraid it's probably a bit outdated as we're moving on to concepts like SASE and ZTNA.

354
General Discussion / Re: How to create an alias for "the internet"?
« on: November 05, 2021, 12:21:11 pm »
Quote from: chemlud on November 05, 2021, 10:57:45 am
...depends so, so much on your personal preferences and needs (thread model...)...

I don't entirely agree. There is right and wrong here.

355
General Discussion / Re: Is it possible to advertise ULA prefix only to IPv6 client?
« on: November 05, 2021, 12:18:32 pm »
Internal Networks (possibly fc00::/7) to Any NAT Outgoing on WAN for IPv6, pretty much.

356
General Discussion / Re: How to create an alias for "the internet"?
« on: November 05, 2021, 09:40:58 am »
Is there some sort of best practice guide to opnsense firewalling anywhere?

357
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 05, 2021, 09:39:01 am »
https://github.com/opnsense/core/pull/5185

358
21.7 Legacy Series / Re: HA configuration and service awareness
« on: November 05, 2021, 09:38:20 am »
I patch that in manually on mine after every update. It's really critical to anything IPv6 working.

359
German - Deutsch / Re: Best Practice, last rule "allow all"
« on: November 04, 2021, 04:40:48 pm »
Best practice would be to explicitly allow everything that is needed, and then block the rest.

360
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 04, 2021, 04:40:12 pm »
Explicit Routes should not be required.

If you want to do outgoing NAT, the Firewalls should also request an address, not only a prefix.

I do work with ULA addresses only on LAN.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved