ideas on new install

Started by ldanna1945, Today at 12:39:43 AM

Hi group,
I've been working on a new OPNsense firewall for my home network. I had many install challenges getting the basic install working. I am interested in ideas on setting it up for best protection of my home network. So far I have Zenarmor and GeoIP blocking installed and working. Thoughts on intrusion protection and adding ClamAV to the firewall? The firewall is a Protectli FW6D with 6 network interfaces. So far only the WAN and LAN are configured. The system has 16 GB of RAM and 500 Gig of storage in an M.2 SATA drive.
What is the general consensus on what I should install additionally to give me peace of mind in protecting my home network?
Any comments welcome.

Thanks
Larry

Today at 01:15:46 AM #1 Last Edit: Today at 01:33:04 AM by BrandyWine
Quote from: ldanna1945 on Today at 12:39:43 AM
So far I have Zenarmor and GeoIP blocking installed and working. Thoughts on intrusion protection and adding ClamAV to the firewall?

GeoIP won't save you from pipe DoS, nor does it provide any actual security on the WAN side. GeoIP really only works by protecting LAN to WAN traffic. GeoIP cuts out some noise, but if hackers target you, they will not be in any of your GeoIP blocking rules. ;)

Run bogons and Suricata (ET Pro Telemetry). ClamAV is mediocre at best, and it won't help when all your traffic is under TLS. Any AV that runs on FreeBSD will help protect the fw itself, but pick something better than Clam. Maybe rkhunter is better (https://www.freshports.org/security/rkhunter); it's free and it's made to look for the stuff that would normally land on the system. "AV" is perhaps too broad for a fw device. So install rkh and set it up as specified. The daily check seems plausible since it's not a realtime scanner (realtime AV tools take resources to watch file writes or reads, which is impactful on any system, and is why you see more times than not many areas of the system are configured in AV to be ignored, not good).


Mini-pc N150 i226v x520, FREEDOM