Share your setups! How are you keeping yourself safe online?
-
So basically, a post to discuss sharing of setups and configurations, tools and rules for keeping yourself safe in this current day and age.
Just anything from ways to block botnets, ads and analytics, tools like pfBlocker, ntopng etc, custom firewall rules and VPN setups etc.
I think this could be a great post to both share and gain knowledge from others configurations.
Let's see what's out there!
-
This is a great thread, and I hope more people will share their setups.
I use Snort and pfBlockerNG and tons of custom IP and DNSBL lists. I'm mostly focused on blocking telemetry and useless Google traffic.
These feeds have the most hits on my system:
https://raw.githubusercontent.com/nickspaargaren/no-google/master/pihole-google.txt
https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
Just be careful with the Google feed. If you are using Google in any way for e-mail, or you have an Android phone, there is some whitelisting you have to do if you want your Google account and Android phone to be functional. However, 98% of all these entries are useless Google spyware crap that can be safely blocked.
I'm also using ntopng to spy on my smart TV and stop it from "calling home". I have a separate manual feed in pfBlocker where I feed all the data I find in ntopng.
I was also able to extract tons of IPs and host entries from the uBlock Origin and Privacy Badger tracking host lists and put them into that feed as well. This way, there is no need to use those plugins in browsers, except for uBlock, which is still useful for YouTube ad blocking. And speaking of YouTube ad blocking, it seems like this guy had success blocking YouTube ads with pfSense. However, it requires a lot of work and free time I don't have.
There are also specialised lists out there for Apple and Windows users that can be used to block telemetry.
Some useful lists can be found here as well.
My current pfBlocker setup has almost 1000 hits per day, mostly by android devices and smart TVs.
As for firewall rules, I use NordVPN with the WireGuard protocol and I have a simple rule that sends all traffic via the VPN. Access to the pfSense box and WAP is restricted with a firewall rule, and traffic is allowed only from my main machine's IP.
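The feed-merging described in this post (hosts-file lists, plain domain lists and hostnames pulled out of uBlock Origin filter lists, with a Google whitelist on top) is the kind of thing worth scripting rather than doing by hand. The following is an added example, not code from the poster or from pfBlockerNG: it normalises the three line formats into one domain-per-line feed, skips rules that are not unconditional host blocks, and keeps whitelisted names (and their subdomains) out of the output. The sample list contents and the minimal Google whitelist are constructed assumptions, not authoritative lists.

```python
"""Normalise mixed-format blocklists into one pfBlockerNG-style domain feed.

Added example, not code from the thread. It handles hosts-file lines
("0.0.0.0 host"), Adblock/uBlock host rules ("||host^") and bare domain
lines, drops comments, localhost entries and rules that are not plain host
blocks (cosmetic "##" rules, "@@" exceptions, rules carrying "$options"),
and applies a whitelist so account-critical hosts are never emitted.
The whitelist and the sample lists below are constructed assumptions.
"""
import re

HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(.+)$")
ADBLOCK_RE = re.compile(r"^\|\|([a-z0-9.-]+)\^$")       # unconditional host block only
COSMETIC_RE = re.compile(r"#[@?$%]*#")                 # ##, #@#, #?# element rules
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def extract_domains(line):
    """Return the blockable hostnames on one list line (usually zero or one)."""
    raw = line.strip().lower()
    if not raw or raw[0] in "#!" or COSMETIC_RE.search(raw):
        return []
    raw = raw.split("#", 1)[0].strip()          # hosts-file inline comment
    m = HOSTS_RE.match(raw)
    if m:
        cands = m.group(1).split()              # hosts lines may list several names
    elif raw.startswith("||"):
        m = ADBLOCK_RE.match(raw)
        if not m:                               # $options or a path: conditional rule, skip
            return []
        cands = [m.group(1)]
    elif raw[0] in "|/@" or "$" in raw or "/" in raw:
        return []                               # exception, URL-pattern or regex rule
    else:
        cands = [raw]                           # bare domain line
    return [c for c in cands if c not in LOCAL_NAMES and DOMAIN_RE.match(c)]


def is_whitelisted(domain, whitelist):
    """A whitelist entry protects the name itself and every subdomain of it."""
    return any(domain == w or domain.endswith("." + w) for w in whitelist)


def build_feed(sources, whitelist=()):
    """Merge several list texts; return (sorted blocked, sorted whitelisted-out)."""
    blocked, spared = set(), set()
    for text in sources:
        for line in text.splitlines():
            for d in extract_domains(line):
                (spared if is_whitelisted(d, whitelist) else blocked).add(d)
    return sorted(blocked), sorted(spared)


# Constructed samples in the three formats (not real feed contents).
SAMPLE_HOSTS = """\
# constructed sample in hosts-file format
0.0.0.0 localhost
0.0.0.0 ampcid.google.com
0.0.0.0 cdn.ampproject.org # inline comment
127.0.0.1 tracker.example.net
"""
SAMPLE_PLAIN = """\
# constructed sample in plain-domain format
accounts.google.com
android.clients.google.com
pagead2.googlesyndication.com
ampcid.google.com
"""
SAMPLE_UBLOCK = """\
! constructed sample in Adblock/uBlock syntax
||googleadservices.com^
||doubleclick.net^$third-party
@@||accounts.google.com^
example.com##.ad-banner
"""
# Assumption: a minimal set that keeps sign-in and Play working; extend as needed.
GOOGLE_WHITELIST = ("accounts.google.com", "android.clients.google.com",
                    "play.googleapis.com")

if __name__ == "__main__":
    blocked, spared = build_feed([SAMPLE_HOSTS, SAMPLE_PLAIN, SAMPLE_UBLOCK],
                                 GOOGLE_WHITELIST)
    print("\n".join(blocked))            # this is the feed file pfBlockerNG reads
    print("# whitelisted out:", ", ".join(spared))
```

Point the real feed URLs at `build_feed` (after fetching them yourself) and publish the output as a local DNSBL feed; the "whitelisted out" line is worth reviewing each run, because a name that is whitelisted here but still blocked by a different active feed will still break sign-in.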
-
#1 Using pfSense
#2 VLANs to isolate IoT devices
#3 pfBlocker to block bad guy IPs
#4 PiHole to block ads and some bad things (I like the UI better)
#6 VLANs to isolate web accessible devices
#7 Point to Point VPN to backup important stuff to a friend's house who is also following #1
#8 Forcing all DNS requests to PiHole (there are VLANs that are exceptions)
-
@andyrh pretty much the same exact ;)
#3 - I use pfBlocker via an alias to allow only US IPs to my Plex and other services behind pfSense, and to pfSense itself
#4 same I like the eye candy better on pihole
#7 not doing
#8 limited fashion on some vlans.
#9 Make sure nothing is using DoT or DoH, via block rules for known DoH server IPs, FQDNs via Unbound, and the DoT port(s).
edit:
#10 Using HAProxy to allow access to my services behind pfSense, and limiting in HAProxy to specific FQDNs. If the port is hit without a specific SNI, it's not allowed.
-
@deanfourie Good idea.
1: SG-6100 with BiDi SFP for direct Fiber to the Home attach
2: Two VLANs - Home network and Guest network.
3: Aruba CX-6100 switch and Aruba IAP-315 APs with detailed per-device IPv4/IPv6 L2/L3 access lists enabled, based on client MAC address (too much hassle with 802.1X for wired home networking). One SSID and all wired ports are "colorless". The MAC address defines which VLAN and role (access rights) is assigned to you.
Five network roles defined in switch/AP: ADMIN, CLIENT, IOT, SECURE IOT and GUEST. The role gets assigned from RADIUS based on the client MAC address.
4: FreeRADIUS on pfSense with all well-known MAC addresses defined and assigned their appropriate role. Unknown MAC addresses get assigned the Guest role. The trick here is that different device types (not guests) are still in the same VLAN/IP subnet and can find each other (broadcast/ARP) if allowed by the ACL role assigned in the switch/AP.
5: pfBlockerNG for Geo-based aliases blocking inbound sessions to whitelisted countries. Russia, Belarus, China and North Korea blocked completely inbound/outbound.
6: pfBlockerNG for IP-based blocklists and well-known offending IPs
7: pfBlockerNG DNSBL with about 12 feeds active to block tracking, ads and phishing, including DoH blocking.
8: Occasionally ntopng active to spy and monitor traffic, but for unknown reasons, ntopng adds 20 - 200 ms latency to occasional packets once in a while (noticeable), so it's not running permanently.
9: Destination NAT on ANY outbound DNS, NTP requests from internal interfaces. Rerouted to pfSense NTP and DNS server.
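Item 9 here (redirecting every outbound DNS and NTP request to pfSense) and the DoH/DoT blocking in item 7 and in #9 of the previous reply all assume you know which clients are bypassing the local resolver in the first place. The following is an added example, not code from any poster: it audits a simplified flow log (ntopng or pfSense logs would first need to be exported to this "timestamp src dst proto dport" shape, which is an assumption here, not pfSense's filterlog format) and names, per client, which bypass it saw and which of the thread's countermeasures applies. The gateway address and the DoH resolver IPs are placeholders to replace with your own values and a maintained feed.

```python
"""Audit flow records for clients bypassing the firewall's resolver and NTP.

Added example, not code from the thread. Input is a constructed, simplified
flow log (timestamp src dst proto dport); the gateway address and the DoH
resolver IPs are assumptions, not an authoritative list.
"""
import ipaddress
from collections import defaultdict

GATEWAY = ipaddress.ip_address("192.168.1.1")   # assumption: pfSense running Unbound + NTP
# Assumption: a few well-known public DoH endpoints; a real deployment feeds
# this set from the same DoH/DoT lists used in pfBlockerNG.
KNOWN_DOH = {ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")}
REMEDIATION = {
    "DoT": "block TCP/853 outbound on the internal interfaces",
    "DoH": "DNSBL the resolver hostnames and add their IPs to a block alias",
    "DNS": "destination NAT UDP/TCP 53 to the gateway",
    "NTP": "destination NAT UDP 123 to the gateway",
}


def parse_flow(line):
    """Return (src, dst, proto, dport) or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                parts[3].lower(), int(parts[4]))
    except ValueError:
        return None


def classify(src, dst, proto, dport):
    """Name the bypass a flow represents, or None if it conforms to policy."""
    if proto == "tcp" and dport == 853:
        return "DoT"                              # DNS over TLS never goes to our resolver
    if dport == 443 and dst in KNOWN_DOH:
        return "DoH"                              # HTTPS to a known DoH endpoint
    if dport == 53 and dst != GATEWAY:
        return "DNS"                              # plain DNS that skipped the gateway
    if proto == "udp" and dport == 123 and dst != GATEWAY:
        return "NTP"                              # NTP that skipped the gateway
    return None


def audit(log_text):
    """Map each offending client to {bypass_type: sorted destinations}."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        kind = classify(src, dst, proto, dport)
        if kind:
            findings[str(src)][kind].add(str(dst))
    return {s: {k: sorted(v) for k, v in kinds.items()} for s, kinds in findings.items()}


def report(findings):
    """One line per client and bypass type, with the matching countermeasure."""
    lines = []
    for src in sorted(findings):
        for kind, dsts in sorted(findings[src].items()):
            lines.append(f"{src}: {kind} to {', '.join(dsts)} -> {REMEDIATION[kind]}")
    return lines


# Constructed sample log: one well-behaved client, one DoT/DoH user, one with
# an external NTP server, plus a malformed line to show it is skipped.
SAMPLE_FLOWS = """\
# timestamp src dst proto dport
2024-05-01T10:00:01 192.168.20.15 192.168.1.1 udp 53
2024-05-01T10:00:02 192.168.20.15 8.8.8.8 udp 53
2024-05-01T10:00:03 192.168.20.31 1.1.1.1 tcp 853
2024-05-01T10:00:04 192.168.20.31 1.1.1.1 tcp 443
2024-05-01T10:00:05 192.168.20.40 2001:db8::123 udp 123
2024-05-01T10:00:06 192.168.20.40 203.0.113.10 tcp 443
2024-05-01T10:00:07 192.168.20.15 192.168.1.1 udp 123
malformed line here
"""

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_FLOWS))))
```

Run it over a day of flows before enabling the redirect and the 853 block, and again afterwards: the "DNS" and "NTP" findings should disappear once the destination NAT is in place, while any remaining "DoH" hits point at resolver IPs your feed did not yet cover.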