Smacked from sort of experienced back to novice
-
@Digiguy said in Smacked from sort of experienced back to novice:
I was interested in hosting a DMZ. Now my I have to figure out if I do it at home or at a place like Cloudflare.
If you intend to host a server behind your firewall, then a lot of my formal "simple approach" is no longer applicable. But I would strongly consider hosting a server at a dedicated hosting service.
I read your initial post as asking about simplicity versus tight security.
-
@bmeeks WOW! 1st I Thank you for the detailed response! pretty much in line with others. you stated two ends of the extremes. I would like to be somewhere in the middle. I feel guilty with the "Set it & Forget It" mentality. To be somewhere in the middle I agree a LOT of Google searches and Netgate searches will be required and as another poster said... time...
Again, so much to learn, so little time :)
-
@Digiguy said in Smacked from sort of experienced back to novice:
Again, so much to learn, so little time :)
Learning can be fun and a great challenge. Just remember that until you gain a lot of experience you may inadvertently break stuff. Make frequent manual config backups in pfSense so you can quickly roll back if you make a mistake and the wrath of momma and/or the kids comes down upon you.
But many users just want a functional home network. You can get that and still have plenty of security following the process I described in my post above.
-
@SteveITS said in Smacked from sort of experienced back to novice:
IPv6 is a tool, no harm in using it.
You're so right and message to me as well...thanks for the well-put short, sweet.
-
@bmeeks said in Smacked from sort of experienced back to novice:
Learning can be fun and a great challenge.
EXACTLY! And a big reason I am exploring, experimenting, and as you said breaking things. I always say, "A mistake is okay as long as you learn from it (and no one gets hurt)"
-
I like to start with pictures.
Draw a box, label it "pfSense".
Now draw arrows, label them WAN, LAN1, LAN2
Draw a few smaller boxes to represent devices and connect them to the different LANs. Then think about what traffic you want to allow, what directions, what interface.
Remember that by default, pfSense will drop traffic into WAN from the outside world unless there is state.
That means "something from my network initiated traffic to something in the outside world, pfSense keeps state and allows the responses from the outside world." That lets me write words that lead to being able to write the rules.
-
@Digiguy said in Smacked from sort of experienced back to novice:
Guess I was under the assumption to block all outbound unless I know what it is...
That is a very hard task I guess almost no one is doing. Block it all, for some special VLAN with IoT, or let it all go out to the internet, not your local subnets though. There is no in between with that.
-
Yup. You might find basic web browsing works fine with only a few outbound ports allowed (80, 443, 53) but you'll soon find out just how much other stuff uses other ports.
You can add allow rules for services as you find them but that can take a while.
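A small simulator of the behaviour the two posts above describe: inbound on WAN is dropped unless state exists, state is created by LAN hosts initiating traffic, and outbound from LAN is limited to an allowlist of ports (80, 443, 53). This is an added example, not pfSense or pf code; the Packet fields, the StatefulFirewall class and the sample addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed packet model: which interface it arrived on plus the 5-tuple.
# "LAN" packets come from hosts behind pfSense; "WAN" packets from outside.
@dataclass(frozen=True)
class Packet:
    iface: str   # "LAN" or "WAN"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# The narrow outbound allowlist mentioned in the thread: web and DNS only.
LAN_OUT_RULES = [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)]

FlowKey = Tuple[str, str, int, str, int]

class StatefulFirewall:
    def __init__(self, allow_out: List[Tuple[str, int]]):
        self.allow_out = set(allow_out)
        self.states: Dict[FlowKey, str] = {}   # flow tuple -> state

    def _key(self, p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        """Return 'pass' or 'block' for one packet, creating state like pf would."""
        # Reply to a flow we already track: passed on state, no rule lookup.
        if self._key(p) in self.states:
            return "pass"
        if p.iface == "LAN":
            # New outbound flow: only passes if an explicit allow rule matches.
            if (p.proto, p.dport) in self.allow_out:
                self.states[self._key(p)] = "established"
                # Store the reverse tuple so the reply arriving on WAN passes.
                self.states[(p.proto, p.dst, p.dport, p.src, p.sport)] = "established"
                return "pass"
            return "block"
        # Arrived on WAN with no matching state: default drop.
        return "block"

def demo() -> List[str]:
    """Constructed traffic: HTTPS out, its reply, an unsolicited inbound, SMTP out."""
    fw = StatefulFirewall(LAN_OUT_RULES)
    pkts = [
        Packet("LAN", "tcp", "192.168.1.20", 51000, "203.0.113.10", 443),
        Packet("WAN", "tcp", "203.0.113.10", 443, "192.168.1.20", 51000),
        Packet("WAN", "tcp", "198.51.100.7", 40000, "192.168.1.20", 22),
        Packet("LAN", "tcp", "192.168.1.20", 51001, "203.0.113.10", 25),
    ]
    return [fw.filter(p) for p in pkts]   # ['pass', 'pass', 'block', 'block']
```

The fourth packet shows the thread's point: any service not on the allowlist (here outbound SMTP) is silently blocked until you notice it failing and add a rule.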
-
@stephenw10 said in Smacked from sort of experienced back to novice:
you'll soon find out just how much other stuff uses other ports.
Definitely the lesson I have learned. So then as a "network administrator" how does one "monitor" or check to make sure all is well? I have looked through the firewall logs and I get lost rather quickly...
-
It depends who/what the users are. If they are real people they usually let you know pretty quick when things don't work.
If it's IoT devices etc you have to test yourself.
As with all things it's a question of security vs convenience. Though the actual security benefits are questionable at best and the inconvenience is significant so.....