What do you run; OPNsense, pfSense, Smoothwall, maybe a WAF like Wazuh?

Today was update/audit firewall day. I’m running a standalone instance of pfSense on a Protectli Vault FW4B - 4 Port - Intel Quad Core - 8GB RAM - 120GB mSATA SSD with unbound, pfBlockerNG, Suricata, ntopng, and heavily filtered. I did bump the swap to 8 GB as I’ve previously noticed a few ‘out of swap’ errors under load.

Before I signed off, I ran it through a couple of porn sites to see if my adblocking strategy was working. Not one intrusive ad. Sweet!

Show me what you got.

  • MangoPenguin@lemmy.blahaj.zone · ↑1 · 5 days ago

    OpenWRT on a Linksys router, with adguard home for DNS blocking.

    I used to run OPNSense on some older x86 hardware, but wanted to move to something simpler and less power hungry.

  • ki9@lemmy.gf4.pw · ↑1 · 5 days ago

    I think I have the same Protectli as you and it is awesome. Need it for my 2.5 Gb uplink. I use OpenWrt on it… Didn’t really like OPNsense. I am more used to Linux than BSD.

    I host lots of services and get bombarded by scrapers, scanners, and skids both at home and on my VPSs.

    I use ipset for the usual blocklists which I download regularly. I also have tarpits on 22/tcp (endlessh). I pipe the IPs from the endlessh logs into fail2ban which feeds the ipsets. I have ipset blocks and fail2ban on my home firewall and all VPSs and coordinate over MQTT. So any fail2ban trigger > MQTT > every ipset block. Touch my 22/tcp anywhere and you get banned instantly everywhere. The program I use for this is called vallumd and it runs on OpenWrt.

    I also put maltrail everywhere but I’m not totally sure how to interpret and respond to the results. Probably will implement a pipe from maltrail to my MQTT > blocklist setup.

    I don’t do any network-level adblocking… Might be a future project.
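The tarpit > fail2ban > MQTT > ipset fan-out described in the comment above, as an added example that is not the commenter's setup and not vallumd's code. It parses constructed endlessh-style log lines, drops anything in the allowlisted ranges so a misfire cannot ban your own LAN, and replays each ban to every subscribed node through an in-memory stand-in for the broker. The topic name, JSON payload and ipset set names are assumptions for illustration only.

```python
"""Added example: endlessh log -> ban message -> mirrored ipset entries on
every node. The MQTT broker is replaced by an in-memory Bus so this runs
offline; the message layout and topic name are assumed, not vallumd's."""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample log lines, modelled on endlessh's
# "ACCEPT host=... port=..." output (the exact fields are an assumption).
SAMPLE_LOG = """\
2024-05-01T10:00:01.000Z ACCEPT host=::ffff:203.0.113.7 port=51234 fd=4 n=1/4096
2024-05-01T10:00:02.000Z ACCEPT host=::ffff:198.51.100.9 port=40001 fd=5 n=2/4096
2024-05-01T10:00:03.000Z ACCEPT host=2001:db8::42 port=40002 fd=6 n=3/4096
2024-05-01T10:00:04.000Z ACCEPT host=::ffff:192.168.1.20 port=40003 fd=7 n=4/4096
2024-05-01T10:00:05.000Z ACCEPT host=::ffff:203.0.113.7 port=51235 fd=8 n=5/4096
2024-05-01T10:00:06.000Z CLOSE host=::ffff:198.51.100.9 port=40001 fd=5 time=20.0 bytes=32
"""

# Never ban these, whatever the logs say: RFC1918, loopback, link-local, ULA.
ALLOW_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7")]

ACCEPT_RE = re.compile(r"\bACCEPT host=(?P<host>\S+)")


def offenders(log_text):
    """Unique, non-allowlisted addresses that connected to the tarpit."""
    seen = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if not m:
            continue                      # CLOSE lines carry no new offender
        addr = ipaddress.ip_address(m.group("host"))
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped       # ::ffff:a.b.c.d -> a.b.c.d
        if any(addr in net for net in ALLOW_NETS) or addr in seen:
            continue
        seen.append(addr)
    return seen


def ban_message(addr, source, ttl=86400):
    """Assumed payload: one JSON object per ban, with a TTL so bans expire."""
    return json.dumps({"action": "ban", "ip": str(addr), "family": addr.version,
                       "ttl": ttl, "source": source})


class Bus:
    """Minimal in-memory stand-in for an MQTT broker (publish/subscribe)."""
    def __init__(self):
        self.subs = defaultdict(list)

    def subscribe(self, topic, callback):
        self.subs[topic].append(callback)

    def publish(self, topic, payload):
        for cb in self.subs[topic]:
            cb(payload)


class Node:
    """One firewall (home router or a VPS) mirroring bans into its ipsets."""
    def __init__(self, name, bus, topic="firewall/ban"):   # topic is assumed
        self.name = name
        self.sets = {"blocklist4": set(), "blocklist6": set()}
        self.commands = []        # the ipset commands this node would run
        bus.subscribe(topic, self.on_ban)

    def on_ban(self, payload):
        msg = json.loads(payload)
        setname = "blocklist4" if msg["family"] == 4 else "blocklist6"
        if msg["ip"] in self.sets[setname]:
            return                # idempotent: several nodes may report one IP
        self.sets[setname].add(msg["ip"])
        # Requires sets created with "ipset create blocklist4 hash:ip timeout 0";
        # -exist makes a repeated add harmless, timeout ages stale bans out.
        self.commands.append(
            f"ipset add {setname} {msg['ip']} timeout {msg['ttl']} -exist")


def fan_out(log_text, node_names, source="home"):
    """Publish every offender once; return the nodes so callers can inspect them."""
    bus = Bus()
    nodes = [Node(n, bus) for n in node_names]
    for addr in offenders(log_text):
        bus.publish("firewall/ban", ban_message(addr, source))
    return nodes


if __name__ == "__main__":
    for node in fan_out(SAMPLE_LOG, ["home", "vps1", "vps2"]):
        print(node.name, *node.commands, sep="\n  ")
```

With the sample log, the LAN address and the repeated 203.0.113.7 hit are dropped, the CLOSE line is ignored, and each of the three nodes ends up with the same two IPv4 and one IPv6 entries. The allowlist and the idempotent add are the parts worth keeping when wiring a real broker in: a ban that loops back from another node, or a scanner that spoofs nothing but happens to come from your own monitoring box, should never lock you out.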

    • PlutoniumAcid@lemmy.world · ↑1 · 4 days ago

      Same. What’s the deal with having elaborate firewall stuff for a normal family home anyway?

      If the built in stuff isn’t good enough then 99.9% of households would be compromised a long time ago already.

      • irmadlad@lemmy.world (OP) · ↑2 · 4 days ago

        The last stats I remember reading cited some 1.5 million home networks are compromised on a daily basis. Some people, such as myself, run more complex services on their local servers that are perhaps tied into remotes such as VPS. You’ll see a lot of selfhosters with rather elaborate firewall defenses set up. I self host a lot of services I use that the ‘normal family home’ would outsource to public entities. I have a rack in the closet and several VPS, so I need something more than just Windows Firewall, or similar, that I can dial in to my unique environment.

        Also, because I can.

        • PlutoniumAcid@lemmy.world · ↑2 · 4 days ago

          Valid! I also tinker with selfhosting using Docker containers, didn’t think of firewalls the same way. Thank you.

          • PlutoniumAcid@lemmy.world · ↑2 · 3 days ago

              Nothing spectacular.

              Git, Paperless, UniFi Controller, Pihole, Mattermost chat, Immich, Home Assistant, Frigate, Syncthing, Hoarder. Just stuff for myself, my home, and my friends. And 🏴‍☠️

              And you?

            • irmadlad@lemmy.world (OP) · ↑2 · 3 days ago

                The usual. Might be a few I’ve missed:

                • Homarr
                • Code-server
                • Netdata
                • Searxng
                • Change-detection
                • Readeck
                • Checkcle
                • Duckdns
                • Obsidian
                • Dozzle
                • Loki-promtail-1
                • Loki-loki-1
                • Root-influxdb2-1
                • Cadvisor-redis
                • Dbeaver
                • Pairdrop
                • Speedtest-tracker
                • Btop-plus-plus
                • Portainer
                • Grocy
                • Loki-grafana-1
                • Cup
                • Web-check
                • Omni-tools
                • Cadvisor-prometheus
                • Watchtower-fork
                • Barcode-buddy
                • Ittools
                • Nessus
                • Dockerbot
                • Fusion
                • Bytestash
                • Uptime-kuma
                • Karakeep-web
                • Karakeep-chrome
                • Karakeep-meili
                • Cadvisor
                • Gitlab
                • RocketChat
                • Anonaddy
                • Etherpad
                • Archivebox
                • FreshRSS
                • FileStash
                • piHole
                • LAMP Stack
                • UnRaid
                • Proxmox

      • thermal_shock@lemmy.world · ↑1 · 4 days ago

        Some of it is for fun and testing, learning. Which I used to do. I used to have an old watchdog that I put pfsense on, just don’t need it nowadays.

        Once I learn how it works and have run through the setup, I move on. Just need to spend my time in other areas, but now I have an understanding of it and can apply that logic or idea to other things and troubleshooting.

        • PlutoniumAcid@lemmy.world · ↑1 · 4 days ago

          This is perfectly valid! I do a lot of tinkering with selfhosting using Docker containers, and I have learned a ton from that. I feel a bit silly that I didn’t make the connection with firewalls - just tinkering for fun!

  • weewkron@lemmy.world · ↑0 · 4 days ago

    pfSense guy here, and professionally Palo Alto guy. Can someone tl;dr the purpose of pfBlockerNG and Suricata? I thought I remember the Lawrence Systems folks mentioning using it for IPS but with segmentation at home “human” IPS seems more relevant than digital

    • irmadlad@lemmy.world (OP) · ↑1 · 4 days ago

      • Suricata: Open source IDS/IPS
      • pfBlockerNG: Used to block ads, malicious content, and manage access based on IP geolocation and domain names. It provides features like DNS-based blocking.

      Some of the features of both overlap which might not be a bad thing.

    • JovialSodium@lemmy.sdf.org · ↑0 · edited · 6 days ago

      Also this. On some unremarkable HP office PC that’s probably about a decade old. No ad filtering or anything as it interferes with others in the house. I’ve thought about trying a second unbound service with adblocking for me, but haven’t gotten around to it.

      • irmadlad@lemmy.world (OP) · ↑1 · 5 days ago

        No ad filtering or anything as it interferes with others in the house

        Ahhh the WAF (Wife Acceptance Factor). I made a separate VLAN for my lady friend so when she comes over to visit, I don’t have to reinvent the wheel for her. She can have all the ads and slop she can stomach, just keep it on your separate branch and we’ll both be happy.

      • trailee@sh.itjust.works · ↑1 · 6 days ago

        I run a secondary wifi network with “Ads” in its name, whose VLAN doesn’t get forced into Pi-hole DNS. It mostly prevents me from having to hear complaints from others in the house, and they barely ever use it.

        • JovialSodium@lemmy.sdf.org · ↑2 · 4 days ago

          I quite like this idea, thanks! If I did this I could adblock all the rest of my network, which might help with blocking ads on things like smart TVs. I could also DMZ that wireless network. I would consider their devices untrusted (not malicious, just not careful), and they wouldn’t notice the difference.