Seeking Alternatives to Zenarmor for OpnSense

Started by pradip.marathon, March 10, 2025, 08:48:43 AM

Hello everyone,

I hope this message finds you well. I'm currently exploring firewall solutions and am interested in finding alternatives to Zenarmor that are compatible with OpnSense. I've been using Zenarmor and appreciate its features, but I'm curious to see if there are other similar tools available that work well with these platforms.

Does anyone have recommendations for other security software or add-ons that offer comparable functionality? Any experiences or insights into how well these alternatives integrate and perform would be greatly appreciated.

Thank you in advance for your help and suggestions!

Best regards,

I'm not aware of any solution. You can only run a mix of Squid with UT Blacklist to filter web categories, run Suricata in IPS mode, use DNS Filter (Unbound or AdGuard) and blacklists like FireHol to filter traffic. But this will in theory only fit the free version of Zenarmor, with the lack of some ThreatIntel stuff.

Thank you for your reply.
I have already implemented the suggested solutions on OPNsense and pfSense. However, I am particularly interested in finding a solution that allows me to control traffic based on content, such as TLS/SSL inspection. Specifically, I aim to control the content within domains. For example, I want to allow access to YouTube but block specific content categories like sports, games, shorts, movies, and music. Similarly, after allowing Facebook, I would like to deny access to games. On WhatsApp, I want to restrict the transfer of specific content types, such as JPEG, AVI, and video files.

That likely won't happen or at least be of severely limited use. TLS inspection can only work when you break up the traffic with an equivalent of a man-in-the-middle attack, effectively creating two separate connections between the target and your router and between your router and your client. The client has to trust this connection, thus, it must accept the presented TLS certificate. The latter must be created by your router, using your own CA, which in turn must be trusted by the client.

While you can import your own CA into the CA store of a PC to enable that, you cannot for IoT devices and probably not into specific apps like WhatsApp. So, in order to make this even work for most sites, you will need to deny SSL bump to make some sites and/or apps work.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
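
What meyergru describes above, as an added example that is not from this thread or from OPNsense's Squid plugin: a hand-written squid.conf fragment that bumps (intercepts) TLS by default, but splices (passes through untouched) connections from devices and to apps that cannot be given the router CA. File paths, the IoT subnet and the exempt domain list are assumed placeholders.

```squid
# Intercepted HTTPS listener. cert= is the router's own CA (assumed path);
# every client on the bumped path must trust this CA or it will see errors.
https_port 3129 intercept ssl-bump \
    cert=/usr/local/etc/squid/ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site certificates signed by the CA above (assumed path).
sslcrtd_program /usr/local/libexec/squid/security_file_certgen \
    -s /var/squid/ssl_db -M 4MB

# The proxy now terminates TLS on the client's behalf, so it must validate
# the origin certificate itself; otherwise upstream TLS errors are hidden
# from the client. ca-root-nss path is the FreeBSD default (assumed).
tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt

# Step 1 sees only the client hello (SNI); the decision per server name is
# taken after peeking at that hello.
acl step1 at_step SslBump1

# Clients that cannot carry a custom CA (IoT VLAN, placeholder subnet).
acl iot src 192.168.10.0/24

# Apps that pin or refuse a non-public CA (placeholder list).
acl nobump_sni ssl::server_name .whatsapp.net .whatsapp.com

# Peek first, then exempt the above by splicing, and bump everything else.
ssl_bump peek step1
ssl_bump splice iot
ssl_bump splice nobump_sni
ssl_bump bump all
```

Spliced connections are not decrypted, so content filtering on them is limited to what the SNI and destination reveal; only the bumped remainder can be inspected at the content level the original poster asked about.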

TLS inspection is just not worth it. It's mostly a buzzword and a feature targeted at enterprises.

As mentioned by meyergru, there will be a lot of situations where you cannot just use it, or it's very hard to implement.

If you have a public server accessible from the internet, sure; if you have some PCs that need to be under strict watch, why not. But for everything else it's a pain and not worth it.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on March 13, 2025, 10:57:58 AM
If you have a public server accessible from the internet, sure [...]

In which case you can just do old fashioned SSL termination on the firewall and clear text communication to the backend server.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on March 13, 2025, 11:15:21 AM
In which case you can just do old fashioned SSL termination on the firewall and clear text communication to the backend server.

Exactly! Thanks for finishing the sentence.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD