Hello and thanks for the awesome software! I’ve test-driven a few other FOSS FW/IPS/IDS solutions, and this was the most intuitive one yet, although I do have some feedback and questions, so I’ll start with the two merged first and then go into details.
I’m sure most of this is just me only using this for about 24 hours and never having been a Firewall Administrator in my 32 years of seeing ATM/DSL/ISDN/PRI/T1/DS3 come and go. I build networks; I’ve never had to secure one. So it’s probably my ignorance and lack of education at this point in time.
It would be nice if when you select a module to install that it would provide feedback as to the location of the file(s) you need to edit.
I found snmp.conf in 4 locations, but only /etc/snmpd.conf was the correct one to edit. Maybe somewhere on the WebUI it could say something like “parsing config file at /path/to/module.conf?” The wiki.ipfire.org Net-SNMP daemon page doesn’t say $h!t about where the file is.
IPS Log Viewer shows entries similar to below:
SANITIZED.PUB.IP 11312 → 18.104.22.168:53 ET INFO Observed DNS Query to .biz TLD
To me, as a newb, that’s completely worthless! Who is the network client making that request to the DNS service? I just kept shutting down ports on my Cisco switch until the entries stopped. It would be nice to know the client behind NAT that is asking for the .biz domain in the log entry. I just had to eventually use what I know, set up RSPAN on the switch and use Wireshark to find further offending clients.
What is the point of Location Blocking if it is still able to get through that and only be finally dropped by a FW rule for entire CIDR netblocks I have had to manually enter?
I won’t get started on the PXE boot server setup that took me 6 hours to figure out; I’ll be editing the wiki with details.
VRRP for HA? (probably need to RTFM on that one, but not there yet.)
DHCP update DNS doesn’t seem to function; I’ve had to edit HOSTS for every client, and the logs still do not perform lookups, so that seems not right to me.
Who’s on First? (order of operations)
FW Rule> Location> IPS> IDS?
I have no idea man…like…none at all
WebUI based file editor would be awesome. One page that has all the installed modules listed and a simple click to open the file, edit it and apply which would restart the service.
IP6 is disabled or so I thought I read that but netstat shows services listening on ports over that protocol. I’m not sure what to believe anymore…THE CAKE IS A LIE!
Anyway, it’s 3am for me, and for some reason I have everything but USA and CANADA blocked with the location module, and I still have log files being filled chock full of entries from RU trying to RDP/SIP/SQL/DNS hack my pants off.
I’m off for now but I look forward to chatting with y’all and getting “more better” at this.
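As an added example that is not part of the original post or of IPFire itself: the IPS alert above only shows the post-NAT public source port, so the way to recover the LAN client is to join that port against the NAT translation table at the time of the alert. The NAT records below are constructed and modelled on conntrack's text output (an assumption about format, not an IPFire log); the public IP is a placeholder.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed IPS alert in the shape quoted in the post; the public IP is a placeholder.
ALERT = "203.0.113.10 11312 → 18.104.22.168:53 ET INFO Observed DNS Query to .biz TLD"

# Constructed NAT records modelled on conntrack's text output (an assumption, not an IPFire log):
# original tuple first (LAN client -> resolver), then the reply tuple, whose dst= is the
# post-NAT public address and port, i.e. exactly what the IPS sees and logs.
NAT_RECORDS = [
    "udp 17 src=192.168.1.23 dst=18.104.22.168 sport=52144 dport=53 "
    "src=18.104.22.168 dst=203.0.113.10 sport=53 dport=11312",
    "udp 17 src=192.168.1.40 dst=18.104.22.168 sport=40001 dport=53 "
    "src=18.104.22.168 dst=203.0.113.10 sport=53 dport=40001",
]

ALERT_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<sport>\d+)\s+(?:→|->)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<msg>.+)$"
)
KV_RE = re.compile(r"(src|dst|sport|dport)=(\S+)")

@dataclass
class Alert:
    src: str
    sport: int
    dst: str
    dport: int
    msg: str

def parse_alert(line: str) -> Alert:
    """Split one IPS log viewer line into its source/destination tuple and rule message."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["msg"])

def find_internal_client(alert: Alert, records: list[str]) -> str | None:
    """Return the pre-NAT LAN address whose translation matches the alert, or None."""
    for rec in records:
        kv = KV_RE.findall(rec)
        if len(kv) != 8:
            continue  # not a complete original+reply tuple pair
        orig, reply = dict(kv[:4]), dict(kv[4:])
        # The reply tuple's dst/dport is the translated public source the IPS reported.
        if (reply["dst"], int(reply["dport"])) != (alert.src, alert.sport):
            continue
        if (orig["dst"], int(orig["dport"])) == (alert.dst, alert.dport):
            return orig["src"]
    return None
```

The same join works against any record source that keeps both the original and the translated tuple, as long as it is captured close to the alert time, since NAT port mappings are reused.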