Netgate Discussion Forum

    Advice about PFSense vs the other free offerings

    General pfSense Questions
    13 Posts 7 Posters 7.5k Views
    • KOM

      Based in Latvia so no NSA backdoors to worry about :D

      You're joking, right?  Being from Latvia isn't protection from anything.  Everybody is already in the NSA's pocket, and they've already shown they have no problems intercepting hardware en route and infecting it.  Hell, some of the ASICs inside the router may already be compromised.

      • jahonix

        @Supermule:

        Based in Latvia so no NSA backdoors

        Right. That's KGB over there.

        • tim.mcmanus

          @Supermule:

          Based in Latvia so no NSA backdoors to worry about :D

          Youtube Video

          • Guest

            Thanks much. I'll pass on mikrotik for now. Maybe next router.

            I made my decision. PFSense wins. Untangle requires paid upgrades to really become useful. Sophos is too complicated for easy things and it's hard to find good answers. The Sophos AV I was most interested in looks less important after some research.

            PFSense with $30/year for snort is good. UPnP will help me with ooma and my slingboxes, also my NAS later when I want to access it from outside. Port forwarding looks easy if UPnP won't 'hold' the settings after I turn it off. My newly built small pc should power it nicely, in fact I might be able to replace it with something smaller and put the new pc to work as an HTPC, later.

            I'm most interested in upgrading from DD-WRT to keep the bad guys out. With everyone under the sun scanning all day and who knows what they might find for a vulnerability, I want to be safe. I'm wondering if NAT and SPI will someday be looked upon as 'good in their day' until xxxx came along.

            • BBcan177 Moderator

              @jim1000:

              PFSense with $30/year for snort is good.

              If you're going to use Snort or Suricata, you can also use the Emerging Threats List. They have a free "Open" List, and also a "Pro" version which is a little pricey but very good…

              I'm most interested in upgrading from DD-WRT to keep the bad guys out. With everyone under the sun scanning all day and who knows what they might find for a vulnerability, I want to be safe.

              You can also use pfBlockerNG which will block known malicious IPs.
              https://forum.pfsense.org/index.php?topic=86212.0

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              • tim.mcmanus

                @BBcan177:

                @jim1000:

                I'm most interested in upgrading from DD-WRT to keep the bad guys out. With everyone under the sun scanning all day and who knows what they might find for a vulnerability, I want to be safe.

                You can also use pfBlockerNG which will block known malicious IPs.
                https://forum.pfsense.org/index.php?topic=86212.0

                Big +1 for pfBlocker.  I am using an iblocklist subscription that's been very helpful.

                Remember, security is best done in layers.  Start simple, add a layer.  Wash, rinse, repeat.

                • BBcan177 Moderator

                  @tim.mcmanus:

                  Big +1 for pfBlocker.  I am using an iblocklist subscription that's been very helpful.

                  Remember, security is best done in layers.  Start simple, add a layer.  Wash, rinse, repeat.

                  Hey Tim,

                  I'm really not a big fan of IBlock lists, there are a lot of other lists available that will do a better job… I wrote a script here, that Dok posted... (Just don't let him take the credit ;)  )

                  https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975

                  Also v2.0 will have DNSBL domain name blocking via Unbound...

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  • Jailer

                    @BBcan177:

                    @tim.mcmanus:

                    Big +1 for pfBlocker.  I am using an iblocklist subscription that's been very helpful.

                    Remember, security is best done in layers.  Start simple, add a layer.  Wash, rinse, repeat.

                    Hey Tim,

                    I'm really not a big fan of IBlock lists, there are a lot of other lists available that will do a better job… I wrote a script here, that Dok posted... (Just don't let him take the credit ;)  )

                    https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975

                    Also v2.0 will have DNSBL domain name blocking via Unbound...

                    At the risk of sounding like a total noob, what all exactly does this block? I currently have the top 20 blocked. Will this block those as well as other known offenders?

                    • tim.mcmanus

                      @Jailer:

                      @BBcan177:

                      @tim.mcmanus:

                      Big +1 for pfBlocker.  I am using an iblocklist subscription that's been very helpful.

                      Remember, security is best done in layers.  Start simple, add a layer.  Wash, rinse, repeat.

                      Hey Tim,

                      I'm really not a big fan of IBlock lists, there are a lot of other lists available that will do a better job… I wrote a script here, that Dok posted... (Just don't let him take the credit ;)  )

                      https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975

                      Also v2.0 will have DNSBL domain name blocking via Unbound...

                      At the risk of sounding like a total noob, what all exactly does this block? I currently have the top 20 blocked. Will this block those as well as other known offenders?

                      Since it's better than what I got, I'd guess that it will.  Speaking about my subscription because it's what I got, they do collect known IPs and block them.  I can see script kiddie attacks being blocked scanning for port 22, 53, and a few others.  It's just another layer of security, but I'm going to click that link to see if I can do better.

                      Props to BBcan177 for the improved linkage.

                      • BBcan177 Moderator

                        @Jailer:

                        At the risk of sounding like a total noob, what all exactly does this block? I currently have the top 20 blocked. Will this block those as well as other known offenders?

                        Unfortunately, the primary reason why I wrote pfBlockerNG was not for the Country blocking per se.. It was that the previous pfBlocker version couldn't handle a lot of the Threat Sources that are available… Also it didn't have any de-duplication of the lists... Not to mention that the Country lists were over 2 yrs out of date.

                        So to answer your question, if you use the Country Blocking features, it will download those first, then other lists are downloaded and if the IPs are already being blocked by a Country List, those IPs are skipped as they are already in the database...  So yes, the other lists make a big difference than just using Top20.

                        "Experience is something you don't get until just after you need it."

                        Website: http://pfBlockerNG.com
                        Twitter: @BBcan177  #pfBlockerNG
                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/
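
The ordering and skip behaviour described in the post above (country lists first, later lists contributing only what is not already blocked), as an added example that is not part of the original thread and is not pfBlockerNG's own code. The function names and feed names are hypothetical, and the sample feeds are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

def parse_feed(lines):
    """Parse a feed of IPv4 addresses/CIDRs, one per line; '#' starts a comment."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            continue  # skip malformed entries instead of aborting the feed
    return nets

def merge_feeds(feeds):
    """feeds is an ordered list of (name, lines); earlier feeds take priority.

    Returns {name: (kept_networks_as_strings, skipped_count)}.
    """
    covered = []  # everything already in the block table, collapsed
    report = {}
    for name, lines in feeds:
        kept, skipped = [], 0
        # collapse_addresses() removes in-feed duplicates and merges neighbours
        for net in ipaddress.collapse_addresses(parse_feed(lines)):
            if any(net.subnet_of(c) for c in covered):
                skipped += 1  # already blocked by an earlier list
            else:
                kept.append(net)
        covered = list(ipaddress.collapse_addresses(covered + kept))
        report[name] = ([str(n) for n in kept], skipped)
    return report

# Constructed sample feeds (RFC 5737 documentation ranges, not real threat data).
SAMPLE_FEEDS = [
    ("country_list", ["203.0.113.0/24", "198.51.100.0/25"]),
    ("threat_a", ["203.0.113.45", "198.51.100.200", "192.0.2.10",
                  "192.0.2.10  # duplicate", "not-an-ip"]),
    ("threat_b", ["192.0.2.10", "198.51.100.5/32", "192.0.2.128/25"]),
]

if __name__ == "__main__":
    for feed, (kept, skipped) in merge_feeds(SAMPLE_FEEDS).items():
        print(f"{feed}: kept={kept} skipped={skipped}")
```

A later entry that is a supernet of an earlier one is kept rather than skipped, so the final table can still contain overlapping ranges; the per-feed skip count shows how much each additional list actually contributes.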
