Optimal methods of filtering everything

Started by thefunkygibbon, February 15, 2022, 02:47:30 PM

February 15, 2022, 02:47:30 PM Last Edit: February 15, 2022, 02:49:35 PM by thefunkygibbon
Hi all,

New to OPNsense, but not new to firewalls and UTMs etc. (although it's been some years since I did any web proxy/filtering jobs... things have moved on, it seems, in the last 10-odd years!)

I'm a little confused about a bunch of things and I would really appreciate some advice.

Here is my take on things. I'm assuming that I can't / shouldn't run most of these concurrently, but I'd love to hear what everyone else is doing.

What I want: malicious/phishing/spam blocking, AV scanning, adblocking, geoblocking. Blocking on a per user/IP basis. Transparent rather than setting an explicit proxy.


  • Web Proxy - Can do URL blocking and block all the above categories (dependent on having a URL blacklist... which I'm struggling to find, other than one which doesn't appear to have many items in each category).

  • ClamAV - Can do AV obviously; relies on web proxy/caching to be in place. So presumably can't work with Zenarmor.

  • Zenarmor - Has most of the functionality I'd desire (except AV), but I'm not going to pay $100 a year for it.

  • Pi-hole - Already run this in a Docker image. Working fine for the most part.

  • OpenDNS - Used to use this; useful, except it was a little slow to use and there was no way of differentiating between users.

So my question is, what would be the best/least expensive product/combination to get as much functionality as possible from my requirements above? I am assuming that using multiples of the above is going to a) cause conflicts, b) cause confusion where you don't know what is blocking.

Thanks in advance for your thoughts.


160 views and no one can be arsed to reply :-( Such a shame that the only people who seem to reply to things are the devs, when they see fit.

Have you progressed since February? My 2 cents.
You want to do a lot of stuff, but your first question should be: is this (practically) possible/needed? For some questions I would answer: no.

The world is encrypted (https) now. The router knows very little about the payload. This means that "web filtering" and "clamav" are quite useless. You can of course configure MITM to terminate the SSL on the router. But every client/device on your network should then trust your own signed certificate. That is not possible with a lot of devices.

Pi-hole has better statistics and logs, but DNS sinkholing is also possible with OPNsense itself. Not sure about your question about OpenDNS. Your DNS sinkhole of choice should resolve the request somewhere. This can be Google, Quad9 or your ISP. This is hardware independent.
To be fair, I have a forum question open about blocking per network, similar to your "per user/IP basis".

So, in the end you cannot do *that* much stuff on a router. I made some (VLAN) subnets with a couple of simple firewall rules.
NTP: forward every request to OPNsense itself. The same for DNS. DNS sinkhole. RADIUS for my WLAN on the Wi-Fi.
And that is about it.

Without open ports (services exposed to the internet) I also do not see the need for IPS/IDS.

You can complicate things very quickly. And that is a great learning experience. But is it useful to use?
I bought a Qotom mini PC for this. It is somewhat expensive, but it works great.
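The reply above makes two practical points: a DNS sinkhole is the one filter that still works without breaking TLS, and the original poster's worry about "not knowing what is blocking" is answered by logging each decision per client. The following is an added example, not code from OPNsense, Pi-hole or anyone in this thread. It models the decision logic a resolver-side sinkhole applies: a hosts-style blocklist is parsed, every parent domain of a query is checked, optional per-subnet lists give the "per network" behaviour mentioned above, and each query is logged with the client IP and the outcome. The blocklist format, the `0.0.0.0` sinkhole answer, the sample names and the in-memory upstream resolver are all constructed assumptions for the demo.

```python
"""DNS sinkhole decision logic with per-client logging (constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable

# Assumption: the sinkhole answers with 0.0.0.0; some setups return a local block-page IP instead.
SINKHOLE_ADDR = "0.0.0.0"


def load_blocklist(text: str) -> set[str]:
    """Parse a plain-domain or hosts-style ("0.0.0.0 domain") list into a set of lowercase names."""
    entries: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        domain = parts[-1] if len(parts) > 1 else parts[0]  # hosts-style: last field is the name
        entries.add(domain.lower().rstrip("."))
    return entries


@dataclass
class Sinkhole:
    blocklist: set[str]
    # Per-subnet extra lists: the "blocking per network / per VLAN" idea from the thread (assumption).
    subnet_lists: dict[ipaddress.IPv4Network, set[str]] = field(default_factory=dict)
    # (client_ip, query_name, outcome) so an admin can see *which* filter blocked what, for whom.
    log: list[tuple[str, str, str]] = field(default_factory=list)

    @staticmethod
    def _matches(qname: str, entries: set[str]) -> bool:
        """True if qname or any parent domain is listed, so 'cdn.tracker.example' hits 'tracker.example'."""
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in entries for i in range(len(labels)))

    def resolve(self, client_ip: str, qname: str, upstream: Callable[[str], str]) -> str:
        client = ipaddress.ip_address(client_ip)
        lists = [self.blocklist] + [
            entries for net, entries in self.subnet_lists.items() if client in net
        ]
        if any(self._matches(qname, entries) for entries in lists):
            self.log.append((client_ip, qname, "sinkhole"))
            return SINKHOLE_ADDR
        # Not listed: forward to the real resolver (Google, Quad9, ISP ...), here a stand-in function.
        answer = upstream(qname)
        self.log.append((client_ip, qname, "forwarded"))
        return answer


# Constructed sample blocklist mixing both accepted line formats.
SAMPLE_LIST = """
# constructed sample list
0.0.0.0 tracker.example
phishing.example.net
"""


def fake_upstream(qname: str) -> str:
    """Stand-in for the real upstream resolver; returns a documentation-range address."""
    return "192.0.2.10"


def build_demo() -> Sinkhole:
    """A sinkhole with a global list plus an extra list for the 10.0.2.0/24 subnet (constructed)."""
    return Sinkhole(
        blocklist=load_blocklist(SAMPLE_LIST),
        subnet_lists={ipaddress.ip_network("10.0.2.0/24"): {"video.example"}},
    )


if __name__ == "__main__":
    sh = build_demo()
    for client, name in [("10.0.1.5", "cdn.tracker.example"), ("10.0.1.5", "video.example"),
                         ("10.0.2.7", "video.example"), ("10.0.2.7", "example.com")]:
        print(client, name, "->", sh.resolve(client, name, fake_upstream))
    for entry in sh.log:
        print("log:", entry)
```

The log is the part that matters operationally: when several filters are stacked (Pi-hole, OPNsense sinkhole, proxy), a per-decision record with the client address is what lets you answer "which component blocked this and for whom" instead of guessing.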

Quote from: EdwinKM on April 16, 2022, 10:47:24 AM
The world is encrypted (https) now. The router knows very little about the payload. This means that "web filtering" and "clamav" are quite useless. You can of course configure MITM to terminate the SSL on the router. But every client/device on your network should then trust your own signed certificate. That is not possible with a lot of devices.

I see it in a similar way, but I would like to take this opportunity to ask you a question about encryption.

What options for inspecting SSL traffic are currently possible? I mean, by means of Squid it works, for example, but unfortunately, as far as I know, this does not work in combination with IPS.

SSLsplit is another tool; with it the traffic can be mirrored decrypted, but unfortunately I don't know exactly how a benefit can be drawn from it by switching an IPS in between.

Maybe you or someone else can show me a way to inspect SSL and be able to prevent threats.

DoH can also be a potential threat. I have found that a DoH query, when breaking the connection (for example using SSLsplit), no longer works correctly if no certificates were stored for the request. This was tested from the console of a client behind the proxy.

Perhaps a plugin will be developed to this end, or a function for Suricata so that a proxy connection could be monitored with it.