What's people's firewall choice
- Thread starter Mikey
- Start date
Need to look at OPNsense over pfsense. Running Sophos XG atm on a Pondesk unit, but have a low powered Dell R220 with pfsense installed, but not in service atm.
Last edited:
I’ve been a long time pfSense user up until a week ago. They’re very very similar in terms of functionality but Netgate has some shady history so I decided to eventually switch.
Yup hence why I never fully go with it. Mulled moving Sophos XG onto the R220 or putting opnsense on it
I like filtering offered by Sophos XG / Untangle, but with more and more encryption of traffic I’m leaning towards DNS / pfblocker style filtering.
Torrent port forwarding for themixingbowl and that’s it re external exposure.
Last edited:
I ran Debian for about 10 years, then bounced between straight OpenBSD, Arch(!), OpenWRT, VyOS and IPFire. I keep meaning to give OPNSense another go, but I never get around to scheduling the downtime and I'd miss cake too much.
Firewall or Edge Security software?
Most of the replies in this thread are for Edge software/devices.
For a straight firewall, I find Windows 10 quite hard to beat these days. MikroTik RouterOS has a decent firewall. And I sell Untangle so I probably ought to say that’s my favourite…
Most of the replies in this thread are for Edge software/devices.
For a straight firewall, I find Windows 10 quite hard to beat these days. MikroTik RouterOS has a decent firewall. And I sell Untangle so I probably ought to say that’s my favourite…
I found the Windows firewall hellish and ponderous, especially compared to straight
pf. For example, to open port 6728 only on VPN interface wg0, but to drop it elsewhere? In pf it's as simple as pass in on wg0 from any to any port 6728. It's almost as simple on Linux, especially with a front-end like firewalld or ufw. Doing such a thing on Windows escapes me, and that's before we consider more complex rules like accepting traffic on the port/interface from only a given subnet and redirecting it elsewhere; so I'm happy to be pointed the right way to learn some new tricks if you know a good resource. Isn't MikroTik's firewall just iptables/nftables, or did you mean their GUI?
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,711
Zone Alarm
Do you use the command line? The entire raison d’etre of Windows is to hide the complexity so of course if you use the GUI it’s not going to be the simplest route to a solution but if you read up on command line configuration of Windows firewall it’s actually quite powerful.
NAT gives no protection because the packets are tagged from your machine otherwise they’d never find their way back.
The state full inspection firewall on most domestic routers is actually pretty decent these days and given that it’s running in every machine on yiur network usually Windows firewall is remarkably good.
Generally, when people think Firewalls like OPNSense or PFSense they’re actually not talking about the firewall but the additional security controls and features like local DNS servers, SNORT, Spam filters, parental controls etc.
NAT by default blocks [unsolicited] inbound connections - which adds a level of shielding against port/service vulnerabilities before [SPI] firewall features.
If you connect a system directly to the internet without it being behind a NAT and/or firewall it often won't end well.
Last edited:
NAT isn’t blocking those connections, it just doesn’t forward them on anywhere and it generally sends a message back to the sender telling the sender that the packet has been dropped. Even if it just drops the packets it still tells an attacker that there is something there. So all the attacker needs to do is ask for another entry in your lookup table and there are usually only 253 entries to play with on most folks routers. That’s why you still need a firewall.
Which is kind of semantics even if it is an unintended "feature" of NAT - any good router doesn't give a would be attacker much of a heads up (hence grc.com).