OPNsense Hardening & sunnyvalley.cloud referral

I have been reading about and watching pfSense and OPNsense videos for one year. Time to pull the trigger.

Looking to have a rock-hard residential connection. Which setup tweaks do you recommend? Plug-ins?

Anyone have a sunnyvalley.cloud referral link?

Comments

  • edited May 2023

    @hornet said: rock-hard residential connection.

    @hornet said: Time to pull the trigger.

    Guess you had a look at the OPNsense docs already?
    https://docs.opnsense.org/

    Besides that, entirely depends on what you intend to do besides sticking in WAN and LAN somewhere.
    Take a look at the dnscrypt-proxy plugin with @Brueggus dnscry.pt resolvers. Working great and he's running some of the few dnscrypt servers with actually working DNSSEC, no-logging and no-filtering flags.

    @hornet said: sunnyvalley

    Didn't take a closer look at Sensei so far, but I guess the privacy policy would turn me off - kinda lying in the nature of their product.

  • For pfSense you could look into the "snort" plugin. Depending on which rules you load, you might limit/block your outgoing connections as well, if you activate everything available. So your hard-rock residential connection would go both ways :-)
    Requires a bit of tuning, so you can still access everything you want and block the opposite.
    If you want, you can not only harden your WAN, but also your LAN interface, in case you have some sus IOT devices etc.
    We don't know your specific HW / network setup... In case you don't have a dedicated firewall device with multiple network interfaces, for a start you can even virtualize it on any old PC (ideally with 2 NICs): install Proxmox, create at least 2 additional virtual bridges, connect them to your pfSense VM and configure the IPs. I assume you have an ISP router/firewall at home already. There you have to configure all incoming connections (the ones you need) to be forwarded to your pfSense VM, and all the filtering/firewalling/NATing/DHCP will be configured there.
    Just try it out, you can't break anything. If you lose the connection, change the gateway IP on your clients back to your router, revert the firewall settings there... and nothing ever happened ;-)
    Good luck

    Thanked by (1)hornet
  • I love my pfSense boxes

  • ip geo blocking is one of the best features

    https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide

    In haskellcpanel this is just:

    CC_DENY = CN
    
    Thanked by (1)hornet

    Fuck this 24/7 internet spew of trivia and celebrity bullshit.

  • @Encoders said:
    ip geo blocking is one of the best features

    https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide

    In haskellcpanel this is just:

    CC_DENY = CN
    

    well you better use a good, accurate geo database for that.

    Thanked by (3)hornet FrankZ AlwaysSkint
  • @Neoon said:

    @Encoders said:
    ip geo blocking is one of the best features

    https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide

    In haskellcpanel this is just:

    CC_DENY = CN
    

    well you better use a good, accurate geo database for that.

    An inaccurate GEO database is also ok. If you are really geofencing your website, then you don't really care that much about visitors, but care more about providing service to the customers you already have.

    Thanked by (1)hornet
  • @somik said:

    @Neoon said:

    @Encoders said:
    ip geo blocking is one of the best features

    https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide

    In haskellcpanel this is just:

    CC_DENY = CN
    

    well you better use a good, accurate geo database for that.

    An inaccurate GEO database is also ok. If you are really geofencing your website, then you don't really care that much about visitors, but care more about providing service to the customers you already have.

    Inaccurate also means you have false positives, which means you're blocking out your existing customer base.

  • @Neoon said:

    @somik said:

    @Neoon said:

    @Encoders said:
    ip geo blocking is one of the best features

    https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide

    In haskellcpanel this is just:

    CC_DENY = CN
    

    well you better use a good, accurate geo database for that.

    An inaccurate GEO database is also ok. If you are really geofencing your website, then you don't really care that much about visitors, but care more about providing service to the customers you already have.

    Inaccurate also means you have false positives, which means you're blocking out your existing customer base.

    If you block your existing customer base, they can always contact you to unblock, so that's a no. You are only blocking a subset of your new customers.

  • Neoon OG
    edited May 2023

    @somik said:

    @Neoon said:

    @somik said:

    @Neoon said:

    @Encoders said:
    ip geo blocking is one of the best features

    https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide

    In haskellcpanel this is just:

    CC_DENY = CN
    

    well you better use a good, accurate geo database for that.

    An inaccurate GEO database is also ok. If you are really geofencing your website, then you don't really care that much about visitors, but care more about providing service to the customers you already have.

    Inaccurate also means you have false positives, which means you're blocking out your existing customer base.

    If you block your existing customer base, they can always contact you to unblock, so that's a no. You are only blocking a subset of your new customers.

    If there is an option to overrule the database yes, otherwise no.

  • @Neoon said:

    @somik said:

    @Neoon said:

    @somik said:

    @Neoon said:

    @Encoders said:
    ip geo blocking is one of the best features

    https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide

    In haskellcpanel this is just:

    CC_DENY = CN
    

    well you better use a good, accurate geo database for that.

    An inaccurate GEO database is also ok. If you are really geofencing your website, then you don't really care that much about visitors, but care more about providing service to the customers you already have.

    Inaccurate also means you have false positives, which means you're blocking out your existing customer base.

    If you block your existing customer base, they can always contact you to unblock, so that's a no. You are only blocking a subset of your new customers.

    If there is an option to overrule the database yes, otherwise no.

    Oh ya! 'Cause you are using an external blocklist database. However, I think most software has provisions for whitelisting IPs. I know the default firewalls do. Not so sure about the pfSense ones...
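The exchange above (country deny list, inaccurate GeoIP data, false positives against existing customers, and an allowlist that overrules the database) as a worked example. This is added illustration, not code from pfSense, OPNsense, haskellcpanel or any GeoIP vendor; the GeoIP table, the deny list and every IP address below are constructed test data. It also shows the longest-prefix lookup that real GeoIP tables need, which the thread only implies.

```python
"""
Country-based blocking with an explicit allowlist override.

Added example for this thread, not code from any firewall product.
The GeoIP table and all addresses are constructed test data (RFC 5737
documentation ranges), not a real geolocation database.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPNet = ipaddress._BaseNetwork  # type alias for readability

# Constructed GeoIP table: (network, country code). Real databases have
# millions of rows and overlapping prefixes; the /25 below overlaps the
# /24 on purpose so the lookup has to do longest-prefix matching.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),    # constructed
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),   # constructed
    (ipaddress.ip_network("192.0.2.0/24"), "US"),      # constructed
    (ipaddress.ip_network("192.0.2.128/25"), "CN"),    # constructed override
]

# The thread's CC_DENY = CN, as a set so several countries can be listed.
DENY_COUNTRIES = {"CN"}

# Existing customers that must never be cut off, whatever the database
# claims. Constructed: this customer is mislabelled as CN in GEO_TABLE.
ALLOWLIST = [ipaddress.ip_network("203.0.113.77/32")]


def lookup_country(ip: str, table=GEO_TABLE) -> Optional[str]:
    """Longest-prefix match of ip against the GeoIP table; None if absent."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[IPNet, str]] = None
    for net, cc in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def decide(ip: str, deny=DENY_COUNTRIES, allowlist=ALLOWLIST,
           table=GEO_TABLE) -> Tuple[str, str]:
    """Return (verdict, reason). The allowlist is checked before any country rule,
    so a wrong database entry cannot lock out a listed customer."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in allowlist):
        return ("allow", "allowlist")
    cc = lookup_country(ip, table)
    if cc is None:
        # Policy choice: addresses the database does not know are allowed here.
        # A stricter deployment would return ("deny", "unknown-country").
        return ("allow", "unknown-country")
    if cc in deny:
        return ("deny", f"country:{cc}")
    return ("allow", f"country:{cc}")


def false_positives(customer_ips: Iterable[str], allowlist=ALLOWLIST,
                    deny=DENY_COUNTRIES, table=GEO_TABLE) -> List[str]:
    """Existing customers the policy would block: the thread's false-positive set."""
    return [ip for ip in customer_ips
            if decide(ip, deny, allowlist, table)[0] == "deny"]


if __name__ == "__main__":
    customers = ["203.0.113.77", "198.51.100.5", "192.0.2.5"]  # constructed
    print("blocked with allowlist:   ", false_positives(customers))
    print("blocked without allowlist:", false_positives(customers, allowlist=[]))
```

Run as a script, the first line is empty and the second names the mislabelled customer, which is the difference the thread is arguing about: with no way to overrule the database, every GeoIP error on a customer's prefix becomes a lost customer, and the customer cannot "contact you to unblock" through a service they can no longer reach.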

  • Speaking from experience of working in the NGFW (Next-Gen Firewall) industry for around 3 years, my semi-professional opinion: Geolocation based on an IP database is basically useless in terms of increasing security. Attack vectors can come from any IP space from any part of any country. An attacker could use any number of ways to bypass these types of restrictions, from something as basic as just a VPN or proxy, to as high end as deploying C&C malware on victim machines. IP Reputation databases and heuristic detection with an IPS suite, plus a repeated-offender dynamic blocklist such as CrowdSec or fail2ban, is going to be far more effective than blindly blocking IP spaces just because of the country they come from.

    Thanked by (1)ehab

    Cheap dedis are my drug, and I'm too far gone to turn back.
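The "repeated offender dynamic blocklist" mentioned in the post above, reduced to its core: count authentication failures per source address inside a sliding time window and ban the address once it crosses a threshold. This is an added illustration, not code from fail2ban or CrowdSec and not their configuration format. The log lines are constructed samples in an sshd-like shape with ISO timestamps, and the regex matches only that constructed shape; the ban action itself (adding the address to a firewall table) is left out, since that part is firewall-specific.

```python
"""
Repeated-offender detection over authentication log lines.

Added example for this thread, not fail2ban or CrowdSec code. SAMPLE_LOG is
constructed test data; FAILED_RE matches that constructed format only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log. 203.0.113.5 fails three times within seconds,
# 198.51.100.7 is a legitimate user with one typo, and 192.0.2.9 fails
# three times spread over 35 minutes (slow enough to slip a 10-minute window).
SAMPLE_LOG = """\
2023-05-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2023-05-01T10:00:03 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2023-05-01T10:00:04 sshd[102]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
2023-05-01T10:00:05 sshd[101]: Failed password for root from 203.0.113.5 port 40003 ssh2
2023-05-01T10:00:06 sshd[103]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2023-05-01T10:30:00 sshd[104]: Failed password for root from 192.0.2.9 port 60000 ssh2
2023-05-01T10:45:00 sshd[104]: Failed password for root from 192.0.2.9 port 60001 ssh2
2023-05-01T11:05:00 sshd[104]: Failed password for root from 192.0.2.9 port 60002 ssh2
"""

# Matches only the constructed line format above (timestamp, "Failed password", source IP).
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text: str) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, source_ip) for every failed-login line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("ip")))
    return events


def find_offenders(events: List[Tuple[datetime, str]], max_retry: int = 3,
                   window_minutes: int = 10) -> Dict[str, datetime]:
    """Return {ip: time_of_ban} for sources with >= max_retry failures inside a
    sliding window. A deque per source holds only the failures still inside
    the window, so memory stays bounded and old failures age out."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for ts, ip in sorted(events):          # process in time order
        if ip in banned:
            continue                        # already acted on; nothing more to learn
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures that have aged out
            q.popleft()
        if len(q) >= max_retry:
            banned[ip] = ts
    return banned


def ban_times(log_text: str, max_retry: int = 3, window_minutes: int = 10) -> Dict[str, str]:
    """Convenience wrapper: {ip: ISO ban time} for a whole log text."""
    return {ip: ts.isoformat()
            for ip, ts in find_offenders(parse_failures(log_text), max_retry, window_minutes).items()}


if __name__ == "__main__":
    print("10-minute window:", ban_times(SAMPLE_LOG))
    print("60-minute window:", ban_times(SAMPLE_LOG, window_minutes=60))
```

The two runs at the bottom show the trade-off every such tool exposes as `findtime`/`maxretry`-style knobs: the short window catches the fast attacker and leaves the slow one untouched, the long window catches both, and in neither case does the single typo from the legitimate user reach the threshold. Pair the detection with an allowlist for your own management addresses before letting it write to the firewall.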

  • Block everything & add back what you need selectively

  • @havoc said:
    Block everything & add back what you need selectively

    If there were a way to do this (reasonably) easily, I would!
