Netgate Discussion Forum

    Blocking constant attacks

    General pfSense Questions (17 posts, 5 posters)
    • provels

      One way or the other, the FW has to make a call whether it's blocked by country or just blocked, so what's the point of country block? The FW still burns cycles. Curious. I just use pfB to block outbound.

      Peder

      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

      • stephenw10 (Netgate Administrator)

        Inbound blocking only makes sense when you have port forwards in place or access to services on the firewall open like OpenVPN in this case. Then you can restrict by source IP using pfBlocker rather than just open it to everywhere.

        Steve

        • provels (replying to @stephenw10)
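An illustration of what "restrict by source IP rather than open it to everywhere" looks like at the pf level. This is an added example, not rules from the thread, from pfSense's GUI-generated ruleset or from pfBlockerNG; the table name `vpn_allowed_src`, its file path, the interface name `em0` and the OpenVPN port are assumptions chosen for the example. On pfSense you would express the same thing as a WAN rule whose source is an alias (for example one that pfBlockerNG populates); the pf syntax below just shows the effect.

```pf
# Added example (not from the thread or from pfBlockerNG). Assumed names:
# <vpn_allowed_src> is a table fed from a trusted-source list (hand-kept or
# pfBlockerNG-maintained); em0 is the WAN interface; OpenVPN listens on UDP/1194.
table <vpn_allowed_src> persist file "/var/db/aliastables/vpn_allowed_src.txt"

wan_if = "em0"

# Accept OpenVPN only from the listed sources.
pass in quick on $wan_if proto udp from <vpn_allowed_src> to ($wan_if) port 1194

# Anything else aimed at the VPN port is dropped and logged at the firewall,
# so the OpenVPN daemon never has to spend cycles on it.
block in log quick on $wan_if proto udp to ($wan_if) port 1194
```

The explicit `block ... log` rule is optional under pfSense's default-deny policy; it is there so that the dropped probes show up in the firewall log under their own rule number, which makes the noise easy to count separately from other blocked traffic.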

          @stephenw10 I see. I guess that may give support to using some rando upper port for VPN rather than something common like 443?

          Peder

          • stephenw10 (Netgate Administrator)

            Yeah, you will always get way more hits on 443 than anything else. Port 1194 also gets probed as it's the default OpenVPN port. 11194 not so much. But really that only cleans your logs, security through obscurity is not real security. 😉

              • provels (replying to @stephenw10)

              @stephenw10 Yeah, the only real security is an air gap... But with 128K+ ports to choose from, I can be pretty obscure!

              Peder

                • johnpoz (LAYER 8 Global Moderator)

                I really need to use 443 to be able to get to the VPN from work... I would normally just lock it down to my work IPs for this use.. But you do run into issues where the only thing out is 443 TCP, etc. So in that case I can still access my VPN.. So I do the best I can and restrict it to US.. But my VPN and HAProxy don't need to spin cycles dealing with nonsense - much easier to just not let them any farther up the stack than the firewall.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • provels (replying to @johnpoz)

                  @johnpoz said in Blocking constant attacks:

                  I would normally just lock it down to my work IPs for this use.

                  That's what I did. And I managed the FW. Nowadays (retired) I just enable VPN when I'm out of town (or Lazyboy).

                  Peder

                    • revengineer (replying to @stephenw10)

                    @stephenw10 @provels I travel a lot and find that half the hotels block ports other than those used for web browsing, i.e., 80 and 443. While I have a UDP instance of OpenVPN running on port 1194, I frequently need to revert to the secondary instance on port 443 using TCP. So for usability, there is really no way around this.

                      • johnpoz (LAYER 8 Global Moderator)

                      @revengineer said in Blocking constant attacks:

                      hotels block ports other than those used for web browsing

                      Yup, unless you pay for their "premium" wifi ;) Quite common for them to do that, which is why I run on 443 to get around those restrictions. But it can also see a lot of traffic that is not your VPN.

                        • provels (replying to @johnpoz)

                        @revengineer @johnpoz Good to know, thanks.

                        Peder

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.