20250429 push notes

projects/OPNsense/Initial-Notes/OPNsense-about.md

@@ -0,0 +1,11 @@
+**OPNsense** is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
+
+OPNsense started as a fork of pfSense and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of bot m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project.
+
+OPNsense offers weekly security updates with small increments to react on new emerging threats within in a fashionable time. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.
+
+
+## Mission Statement
+
+> "Our mission is to make OPNsense the most widely used open source security platform. We give users, developers and business a friendly, stable and transparent environment.
+> The project's name is derived from open and sense stands for: 'Open (source) makes sense.'"

projects/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md

@@ -0,0 +1,43 @@
+---
+title: "OPNsense - Maintenance time estimate"
+author: Petar Cubela
+date: July 03, 2024
+geometry: margin=1.5cm
+output: pdf_document
+---
+
+## Intro
+
+Let us roughly calculate the time needed to maintain a OPNsesne firewall.
+Here we assumer that the firewall is already configured. Thus we are looking at standard maintenance of the device.
+
+## OPNcentral
+
+We are using OPNcentral which is able to monitor arbitrary numbers of OPNsense firewalls: 
+
+- it manually/automatically creates backups of all integrated firewalls 
+- backups can be read and compared for any firewall integrated in OPNcentral
+- firmware, services and resources status of each OPNsense firewall can be managed via OPNcentral
+- plugin configuration can be managed and send to each firewall via OPNcentral 
+
+## Time Consumption
+
+- updates have to been done regularly which can be checked and updated for all firewalls simultaneously via OPNcentral (~ 1h per month for all firewalls!)
+- in general the firewall will run flawlessly once setup without much interaction as long as nothing complicated has to be changed. 
+- changes in the configuration for known features should be in general simple (~1h per month for all firewalls!)
+- changes for new plugins should take longer depending on the plugin but happens seldom (few/many days depending on plugin once each half year)
+- OpenVPN integration is better integrated in Sophos. We will probably need to export the client configuration for each user (~ 1h per week for each firewall, depending on the number of users requiring vpn)
+
+- there can be unexpected problems with the firewall in production use which we have to test and can not assess pre-usage (~ 1h per month a firewall)
+
+### Estimation
+
+- ~ 1h/month for updates
+- ~ 1h/month for small config changes
+- ~ up to days for configuring new desired plugins. happens once per year/half year?
+- ~ 1h/month for vpn client export
+- ~ 1h/month for unexpected issues/tickets 
+
+Which summarizes to **~ 4 hours per month** and more when new not-so-known plugins have to be configured.
+
+

projects/OPNsense/Initial-Notes/OPNsense-config.md

@@ -0,0 +1,38 @@
+## Intro
+
+Start from beginning with factory settings.
+
+### TODO
+
+- [x] create sbxadmin user
+- [x] Enable ssh
+- [x] check wan is working
+- [x] familiarize with Center management
+- [x] manage opnsense via wan port (use DynDNS)
+- [ ] try cluster of two opnsense nodes in proxmox
+
+### Comments
+
+- Very loooong boot times
+
+## Enable LAN Bridge
+
+Links to manuals:
+
+- <https://docs.opnsense.org/manual/how-tos/lan_bridge.html>
+- <https://kb.protectli.com/kb/how-to-enable-lan-bridge-in-opnsense/>
+
+## Enable SSH
+
+System -> Settings -> Administration -> Secure Shell
+
+- **Check** Enable Secure Shell
+- Login Group: wheel, admins
+- **DO NOT** permit root user login
+- Permit password login
+- Changed ssh port to 69
+
+
+## Central Management
+
+Follow: <https://docs.opnsense.org/vendor/deciso/opncentral.html>

projects/OPNsense/Initial-Notes/OPNsense-config_summary.md

@@ -0,0 +1,8 @@
+## DONE
+
+- general settings
+- SSH settings
+- Networkflow config (optional??)
+- Setup OpenVPN (authentication via local database)
+- local backup for OPNcentral
+- backup for hosts via OPNcentral

projects/OPNsense/Initial-Notes/OPNsense-future.md

@@ -0,0 +1,16 @@
+- mailgateway
+- reverse proxy (web application firewall)
+- ssl/tsl inspection and decryption
+- VPN authentication via Active Directory
+
+## TODO
+
+- [x] setup simple web server on a virtual linux machine
+- [x] setup smtp in a virtual linux machine
+- [x] set the test sever in opnsense's network
+
+## Notes
+
+VPN: Jan passwd: itKE=-gcbXN.=46 
+
+

projects/OPNsense/Initial-Notes/OPNsense.md

@@ -0,0 +1,3 @@
+[[OPNsense-about]]
+[[OPNsense-config]]
+[[OPNsense-config_summary]]

projects/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md

@@ -0,0 +1,4 @@
+## Introduction
+
+An _Intrusion Detection System_ (IDS) watches network traffic for suspicious patterns and can alert operators when a pattern matches a database of known behaviors.
+An _Intrusion Prevention System_ (IPS) goes a step further by inspecting each packet as it traverses a network interface to determine if the packet is suspicious in some way. If it matches a known pattern the system can drop the packet in an attempt to mitigate a threat.