    3. firewall
    • LakshmanaL

      Open source Firewall

      IT Discussion firewall router open source pfsense vyos linux freebsd endian smoothwall shorewall utm ip cop iptables firewalld ufw
      0 Votes
      16 Posts
      3k Views
      DashrenderD

      @Reid-Cooper said in Open source Firewall:

      pfSense was really good in the past. But I agree, the days of building your own firewall on an old PC that you have are over.

      Right - the cost just isn't worth running your old PC. Power alone will cost more than the cost of an ER-X or ER-L.

    • JaredBuschJ

      Configure the FreePBX Smart Firewall

      MangoCon freepbx freepbx 13 freepbx setup firewall guide real instructions how to jareds guide to freepbx 13
      4 Votes
      2 Posts
      6k Views
      JaredBuschJ

      The last step there, "Networks" is still functionally the same, but the GUI has been updated.

    • Reid CooperR

      Barracuda Borks Firewalls with Automatic Update

      News security barracuda firewall networking
      3 Votes
      12 Posts
      2k Views
      DashrenderD

      @scottalanmiller said in Barracuda Borks Firewalls with Automatic Update:

      @Dashrender said in Barracuda Borks Firewalls with Automatic Update:

      ERL for crying out loud!

      Keep one on spare for just these kinds of emergencies!

      lol I was thinking the same - most can probably afford to just keep this on the shelf in case of an issue.

    • alex.olynykA

      Add a 2nd Subnet on Meraki Firewall

      IT Discussion meraki networking router firewall subnet subnetting
      1 Votes
      6 Posts
      2k Views
      FATeknollogeeF

      By default, traffic will pass between VLANs 1 & 2, unless you go into the firewall & add rules to deny traffic

    • scottalanmillerS

      Open Firewall Ports on CentOS 7 and RHEL 7

      IT Discussion centos linux rhel centos 7 rhel 7 firewalld firewall security firewall-cmd
      3 Votes
      12 Posts
      3k Views
      coliverC

      @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

      Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

      XML I think.

      That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult.

      Ya it's not bad at all. Here's the config from my Identity Management server. It's pretty similar to /etc/sysconfig/system-config-firewall on RHEL 6, just in zone specific XML files.

      <zone>
        <short>Public</short>
        <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
        <service name="http"/>
        <service name="https"/>
        <service name="ntp"/>
        <service name="dhcpv6-client"/>
        <service name="kerberos"/>
        <service name="ldaps"/>
        <service name="ssh"/>
        <service name="dns"/>
        <service name="ldap"/>
      </zone>

      Those services are predefined right? You can also build your own services via the same process.

      Ya and you can define specific ports. I prob could have grabbed a better example.

      No, I think I've got it just need to investigate actually setting these up.

    • R

      Linux Iptables Firewall Automation

      IT Discussion firewall iptables linux
      3 Votes
      39 Posts
      7k Views
      prcssupportP

      @RobLewisss said in Linux Iptables Firewall Automation:

      @JulianJulian Thanks mate! I just downloaded the agent. I'll let you guys know how it works.

      I also downloaded the agent to one of my Linux systems. It was very quick and simple.

      The cloud interface picked up the installed agent immediately and I was able to manage it right there.

      There are different groups that you can place each agent for different rules.

      Definitely worth testing. Up to 5 servers for free!

    • A

      firewalld issue

      IT Discussion linux firewall firewalld
      1 Votes
      4 Posts
      1k Views
      A

      @travisdh1 Workaround? Use iptables? Fedora? CentOS6? Ubuntu? Hm.....

    • scottalanmillerS

      CentOS 7 Open Firewall Ports Range on FirewallD

      IT Discussion centos 7 linux rhel 7 firewalld firewall-cmd firewall iptables centos rhel
      2 Votes
      8 Posts
      20k Views
      travisdh1T

      @scottalanmiller said:

      @JaredBusch said:

      @scottalanmiller said:

      @JaredBusch said:

      @scottalanmiller said:

      @JaredBusch said:

      While I have never made a how to with a port range, the basic firewalld syntax is used all over the place on this forum by me and every system that I have ever seen that accepts a port range does so with the range hyphenated from lower boundary to upper boundary.

      I would have thought that this was a colon, though, not a hyphen.

      I have never seen it commonly used with a colon to represent a range

      Native IPTables. 🙂

      I rarely work with native IPTables. That would explain a difference in point of view.

      Yeah, and for me I pretty much have done raw edits on /etc/sysconfig/iptables and never used external tools. Now with FirewallD I'm relearning the syntax for everything on Linux firewalls.

      Well, at least I'm not the only one then. Learning how to use firewall-cmd still feels a bit odd.

    • scottalanmillerS

      Sample Working IPTables

      IT Discussion iptables linux firewall security
      2 Votes
      4 Posts
      1k Views
      scottalanmillerS

      @dafyre said:

      Scratch that... I was able to figure it out.

      The configuration that you posted by default denies everything but SSH.

      Thanks!

      Correct 🙂

    • KellyK

      All Ubiquiti, all the time

      IT Discussion wifi ubiquiti switch router firewall
      3 Votes
      26 Posts
      6k Views
      stacksofplatesS

      @Dashrender said:

      @johnhooks said:

      @scottalanmiller said:

      @johnhooks said:

      @scottalanmiller said:

      @johnhooks said:

      I think it still runs Linux, so you could probably do most of that. However that kind of defeats the purpose of being centrally managed.

      VyOS, it is extremely capable. We've been on VyOS or its parent Vyatta for a very, very long time.

      Ya EdgeMax is, does the USG run VyOS?

      Yes, they all do the same stuff under the hood.

      Ok, I didn't realize that. But like I said, I think needing to dig into the cli on the USG kind of defeats the purpose of having everything centrally managed by the controller.

      I thought I mentioned it's not about fully managing, it's more about the reports/graphs.

      Yes it's a bit more expensive...

      Ah I missed that.

    • FATeknollogeeF

      Ubiquiti USG-PRO-4

      IT Discussion ubiquiti firewall utm rackmount gateway
      0 Votes
      42 Posts
      12k Views
      DashrenderD

      @travisdh1 said:

      @Dashrender said:

      I've never understood how viruii got around AV products on machines running them. It's my understanding this is somehow possible because of other unpatched flaws in the OS, even though the AV knows about the virus, the virus can still get in through the OS flaw, then using that flaw disable the AV, and pwn the machine.

      Do I understand that incorrectly?

      It's normally through another piece of software than the OS today actually. Microsoft finally got most of the holes in their swiss cheese plugged. Ironically, the programming code that many AV use also creates a hole for malware to enter through. Wish I had a few minutes to find those articles that hit recently.

      yeah I read those too - darn AV companies!

    • NetworkNerdN

      Barracuda NG Firewalls - Can They Replace My Barracuda 410 Web Filter?

      IT Discussion barracuda cisco ubiquiti sophos firewall router utm unified threat management web filtering web proxy networking
      1 Votes
      39 Posts
      9k Views
      scottalanmillerS

      @Dashrender said:

      @scottalanmiller said:

      @Dashrender said:

      So if the OP wants to do web filtering and firewall services - what stuff should he buy?

      Same thing that I keep saying... ERL and Squid.

      I just wanted you to post it again 🙂

      LOL. There it is.

    • iroalI

      Pfsense instead SonicWall ?

      IT Discussion sonicwall pfsense firewall
      0 Votes
      133 Posts
      51k Views
      wrx7mW

      @scottalanmiller Ha! I meant to say working at the level asking for more responsibilities, in addition to what your current role requires.

    • bbiAngieB

      Watchguard Activation

      IT Discussion watchguard firewall watchguard m400 watchguard xtm 520
      2 Votes
      6 Posts
      2k Views
      Mohammed FotaM

      As far as I know it will stay active until you retire it.

      Reference: http://www.watchguard.com/docs/tradeup/wg_tradeup-program.pdf

    • DustinB3403D

      Meraki and Firewall rules

      IT Discussion meraki firewall avast windows cisco
      1 Votes
      15 Posts
      5k Views
      DustinB3403D

      So the exclusions I've had to add to get everything "functional" are listed below.

      File System Shield

      C:\Program Files (x86)\Meraki\m_agent_upgrade.exe

      C:\Program Files (x86)\Meraki\meraki-ca-bundle.crt

      C:\Program Files (x86)\Meraki\ndisscan.exe

      C:\Program Files (x86)\Meraki\README-winvnc.txt

      C:\Program Files (x86)\Meraki\screenshot-cmd.exe

      C:\Program Files (x86)\Meraki\windows-wlan.exe

      C:\Program Files (x86)\Meraki\winvnc.exe

      Mail Shield

      Inbound Mail - Un-check 'Scan inbound mail (POP3, IMAP4)' (UltraVNC)

      Web Shield Process Exclusions
      The same processes as in File System Shield

    • Deleted74295D

      Expensive hardware going spare.

      IT Discussion palo alto firewall utm security networking pa-5060
      2 Votes
      34 Posts
      6k Views
      coliverC

      @Breffni-Potter said:

      @coliver said:

      @Breffni-Potter said:

      Bidding starts at $2500.

      Collection only 😄

      Welp too rich for my blood.

      But I just put an Apple Sticker on top. Therefore the price has gone up.

      Oh... Man suddenly I really want these things... damn you Apple!

    • AlyRagabA

      Cannot Change Configuration in Conserve Mode on Fortigate 80c

      IT Discussion fortigate 80c firewall fortinet fortigate
      1 Votes
      4 Posts
      6k Views
      AlyRagabA

      both Vulnerability Scan and Intrusion Prevention are disabled

    • JaredBuschJ

      Firewalls and Asterisk distros

      IT Discussion asterisk security firewall fail2ban
      4 Votes
      1 Posts
      913 Views
      No one has replied
    • DashrenderD

      PFSense for dual WAN connection firewall - thoughts?

      IT Discussion pfsense firewall security networking freebsd unix load balancer router bsd
      1 Votes
      14 Posts
      4k Views
      scottalanmillerS

      @thecreativeone91 said:

      Pfsense doesn't do well performance wise virtualized. At least it didn't used to. I think they have a pay for version optimized for VM platforms.

      It's just FreeBSD plus drivers, right? It should do as well as FreeBSD does on whatever platform is in question. That FreeBSD doesn't have PV support for Xen is a major drawback to FreeBSD as a platform in general. But it should only be a question of drivers, in general.

    • AlyRagabA

      Fortigate 80c

      IT Discussion fortinet fortigate fortigate 80c networking dhcp firewall
      0 Votes
      9 Posts
      3k Views
      AlyRagabA

      Thanks for your support my Dear 🙂
