Subject: Re: OPNsense
From: Grouchy Sysadmin
To: freebsd-questions@freebsd.org
Date: Sat, 12 Jan 2019 09:06:07 -0800
On 1/11/19 1:21 PM, James B. Byrne via freebsd-questions wrote:
> The weekend I am experimenting with an OPNsense firewall/router at one
> of our sites. I have been having mixed success with testing so far
> and decided to take the whole network down while the user traffic is
> negligible. Since it is only a matter of a few plugs if things go
> terribly wrong then I will just cut the test machine out and restore
> the normal cabling configuration.
>
> However, I have a few reservations about the OPNsense appliance even
> before I test it. Specifically the apparent lack of any way to
> black-hole repetitive logon attempts to various exposed services.
>
> Does anyone here employ OPNsense as their corporate firewall? What
> are the best and worst features of the product?
> Are there ways to configure OPNsense to block repetitive initiations of
> new connections?

I used it for around six months and it worked fine. The firewall rules should allow you to block by IP, or write a custom rule for Suricata with the built-in IPS.
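As an added example of the custom Suricata rule the reply points to (not from the original thread or the OPNsense project), the rule below drops repeated inbound SSH connection attempts from a single source; it assumes SSH on tcp/22, the $HOME_NET/$EXTERNAL_NET variables as set in the OPNsense Suricata configuration, and a free local sid of 9000001.

```suricata
# Added example, not from the original thread. Intended for a local custom
# rules file loaded by the OPNsense Suricata IPS; sid 9000001 is assumed free.
# Matches each new inbound TCP SYN to port 22 (flow:stateless because the SYN
# precedes any established flow). detection_filter only fires from the 10th
# SYN by the same source within 60 seconds onward, so ordinary logins pass
# and only repetitive connection initiations are dropped.
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL Repetitive SSH connection attempts from one source"; flow:stateless; flags:S,12; detection_filter:track by_src, count 10, seconds 60; classtype:attempted-admin; sid:9000001; rev:1;)
```

The drop action only takes effect when the OPNsense intrusion detection service runs in IPS (inline) mode; in IDS mode the same rule only alerts. Note that this rate-limits the source for the rest of each 60-second window rather than black-holing it permanently, which is what a pf overload table does on the plain firewall-rule side.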