20250429 push notes

Petar Cubela
2025-04-29 16:29:52 +02:00
parent 214941710d
commit 0cb3f588fa
69 changed files with 944 additions and 61 deletions


@@ -0,0 +1,21 @@
## Intro
[Source](https://docs.opnsense.org/be.html#)
> A mission critical version of the well-known OPNsense firewall.
> The Business Edition offers additional safeguards where functional changes are being included in a more conservative manner and feedback has been collected from development and community.
> Offering specific business-oriented features and third party security verification. Currently, the only open source LINCE compliant firewall.
> - Mission critical
> - LINCE compliant (security verification by trained third party independent professionals)
> - Commercial firmware repository
> - Free GeoIP database
> - Official OPNsense Open Virtualisation Image
> - Central Management, including easy one click remote host access, provisioning and monitoring.
> - Web Application Firewall
> - Free E-Book (English & German)
### More Information
- [Central Management](https://docs.opnsense.org/vendor/deciso/opncentral.html)
- [Web Application Firewall](https://docs.opnsense.org/vendor/deciso/opnwaf.html)
- [Extended Blocklist](https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html)
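Review bot: the `[Source](https://docs.opnsense.org/be.html#)` link carries a stray trailing `#`; drop it so the link points at the page itself. The bullet list is a verbatim quote of the vendor's feature page and says nothing about what these features mean for a deployment; the checklist in this same commit warns that the license must be entered before the first update ("On first initial install bussines license has to be configured before updating"), so it would help to add one line under "More Information" saying which bullet that warning depends on (the "Commercial firmware repository" is the obvious candidate) and that nothing here is available until the license is in System -> Firmware -> Settings.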


@@ -0,0 +1,17 @@
## MyNotes
- It is advised to generate proper certificates for the machines.
## Installation
Install `os-OPNcentral` under System->Firmware->Plugins
## Register new hosts
- Generate an API key and secret from the machine which should be granted access to.
- API keys are managed in the user manager
-
## Provisioning Classes
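Review bot: the "Register new hosts" list is left unfinished (an empty `-` bullet) and "Provisioning Classes" has no content, so the step that actually hands the key and secret to OPNcentral is missing; at minimum say where the secret goes and that it is only shown once when generated. Since the key and secret are what authenticate OPNcentral's API access to the managed firewall, generate them for a dedicated API user rather than for the admin account used on the console, and give that user only the privileges OPNcentral needs, so a compromise of the central does not hand out full admin on every host. The "proper certificates" advice at the top should also say what it protects against: the API is reached over HTTPS, and with the default self-signed certificate the central has nothing to verify the host's identity against, so the key and secret can be sent to whoever answers on that address.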


@@ -0,0 +1,62 @@
## Sbx Office IP
- 213.160.17.142/28
- 213.160.17.141
## Generic Checklist
- [x] Set WAN - generic DHCP
- [x] Set LAN - generic 192.168.1.1
- [x] timezone: Europe/Berlin
- [x] Set Hostname (OPNsense) , domain name (localhost)
- [x] ntp server
- [x] static dns setup
- [x] std sbxadmin user
- [x] enable assess log (system -> settings -> administration)
- [x] LAN Bridge - generic all ports in bridge except igc1 (second port) is WAN port
- [x] enable ssh: enable, DO NOT permit root login, permit password login, port: 22
- [ ] firewall rules (LAN, WLAN, WLAN Guest {drop packets to LAN} ), std port activation
- [ ] local backups
- [ ] add office public ip as trusted (wan only reachable via office ip)
### Optional
- [x] web filtering
- [x] http scanning
- [ ] application control
- [x] ssl/tls inspection
- [ ] ssl certificates
### Mandatory Plugins
- [x] OPNcentral (for central management)
## Special Checklist
- [ ] add license TO: system -> firmware -> settings
- [ ] WAN - static config or pppoe or whatever
- [ ] LAN - ip network
- [ ] domain name (gw.domain.tld)
- [ ] ldap server config
- [ ] system update on first boot! (WITH BUSSINES LICENSE)
- [ ] setup dhcp server if used
- [ ] connect to opncentral
- [ ] create backups to opncentral
- [ ] setup ldap server
- [ ] setup openvpn server with authentication via ldap
## OPNsense Importer
> "All Full Images have the OPNsense Importer feature that offers flexibility in recovering failed firewalls, testing new releases without overwriting the current installation by running the new version in memory with the existing configuration or migrating configurations to new hardware installations."
- Create generic standard config to import at each customer install.
## OPNcentral Provisioning
We can use OPNcentral to provision the configuration of the customer's device, which is probably more useful than using the importer. Has to be tested.
## Notes
- ATTENTION: On first initial install bussines license has to be configured before updating!!
- DNS Servers: Cloudflare
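Review bot: the SSH line ("enable ssh: enable, DO NOT permit root login, permit password login, port: 22") leaves password authentication on while "add office public ip as trusted (wan only reachable via office ip)" is still an open item, so until that rule exists the firewall exposes a password-guessable SSH service on the WAN; turn password login off and use key authentication for the sbxadmin user, and move the WAN restriction into the generic list instead of leaving it unchecked. The office addresses at the top are also inconsistent with the rest of this commit: "213.160.17.142/28" is a host address inside 213.160.17.128/28 (.128 to .143), which does not contain the office IP 213.160.17.158 used in the Sophos migration rule ("allow wan access over https and ssh only via office ip (213.160.17.158)"); write the network as 213.160.17.128/28 (or whichever prefix is actually correct) and list single addresses separately, otherwise the trusted alias will lock the office out. Minor: "assess log" should read "access log", "bussines" should read "business", and "domain name (localhost)" in the hostname step conflicts with "domain name (gw.domain.tld)" in the special checklist.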


@@ -0,0 +1,86 @@
## Intro
The customer Franke Rieger Architekten is currently using a Sophos XG 106 firewall. The firewall is not anymore supported in the future or simply broken.. I dont know and care.
The Sophos thingy should be replaced by a OPNsense solution. In order to do this we try to reproduce the Sophos configuration as neatly as possible. Although it will be very hard.
### Plugins
- os-OPNcentral
- os-squid
- os-clamav
- os-c-icap
- os-acme-client
## Sophos features to reproduce
### Network
- [x] LAN port has a static network of: 192.168.9.254/24
- [x] default dhcp at br-lan: from 192.168.9.123 - 192.168.9.127
- [ ] WAN port has a static ip of: 192.168.99.253/24 (Speedport before firewall)
- [ ] ipv4 gateway: Name: Speedport, IP: 192.168.99.254, Interface: WAN port, Health check: on
- [x] DNS request route configured : Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local. OPNsense analogue: UnboundDNS -> Query Forwarding. (this is a config required for ad integration)
- [x] DNS servers are: itself, and choose arbitrary monopolistic techgiant
- [ ] ssl cert via acme (http-challenge), needs only to be enabled in ui and cert issued
### Authentication
- [x] Require MFA for: user portal, web admin console
- [ ] setup ad as "server" in opnsense
- [ ] import users form ad!!! (I hope it works...)
#### Not required
- [y] Kerberos for authenticating non-AD users (web authentication??)
- [y] captive portal
### Miscellaneous
- [x] sophos antivirus alternative (clamav + c-icap + squid web proxy)
- [x] SSL VPN - Needs to be tested properly
- [x] using SSL/TLS inspection with squid (transparent web proxy)
## Firewall rules to reproduce
- [x] allow VPN access to LAN network (any service) (web proxy) (ips: general policy) (waf)
- [x] allow LAN access to WAN network (dhcp. dns. ftp. http. https. icmp. icmpv6. imap(s). Jimdo-Mail??. ntp. ping. pop3(s). smtp. smtp(s). Teamviewer. ) (scan http and decrypted https, scan ftp for malware, use web proxy) (ips: general policy) (waf)
- [ ] service alias for imap(s), jimdo-mail, pop3(s), smtps_465, Teamviewer
- [x] allow wan access over https and ssh only via office ip (213.160.17.158) (in sophos jargon: "local service ACL exception rule" )
## IPS
- [x] default general policies
- [x] built-in [suricata](https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/)
## Web Proxy
- [x] risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
- [x] https encryption
- [x] managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Squid Web Proxy -> Administration, General Forwarding Settings under Froward Proxy list)
### Optional
The following features are too complicated and thus only optional.
## Web application firewall
- [ ] too complicated
## Wireless
- [ ] does it need to be configured on opnsense???
## Mail protection
- [y] scan ~~outgoing~~ incoming mails for malware (why??)
## Web Server
- not used
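Review bot: the AD forwarding entry ("Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local") spells the domain two ways, ffr.local and frr.local; an Unbound query-forwarding rule on the wrong domain silently sends AD lookups to the public resolvers instead of the DC, and the "setup ad as server" and "import users form ad" steps below will then fail, so check which name the customer's forest uses and fix the entry. The ACME item ("ssl cert via acme (http-challenge)") conflicts with the WAN rule ("allow wan access over https and ssh only via office ip"): HTTP-01 validation needs port 80 reachable from Let's Encrypt's validation servers, not only from the office IP, so either add a WAN rule for port 80 or use a DNS-01 challenge. Also, the "[y]" marker on the "Not required" items and on the mail-scanning item is not a valid task-list checkbox; use "[ ]"/"[x]" with a "not required" note so the list renders, and the remark about the customer's old firewall in the intro ("I dont know and care") does not belong in a document that names the customer.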


@@ -0,0 +1,5 @@
1. Learn Central Management
2. Include firewall to OPNcentral
3. Setup acme for ssl/ setup OPNWAF with acme included
4. Provision OPNsense Firewall via central management
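Review bot: item 2 ("Include firewall to OPNcentral") has prerequisites that appear elsewhere in this commit but not here: the API key and secret generated on the host and the certificate advice from the OPNcentral notes; add them as a step before 2. Item 3 should say which ACME challenge type is meant, since that decides whether port 80 has to be opened on the WAN, and "setup acme for ssl" and "setup OPNWAF with acme included" are two separate tasks.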


@@ -0,0 +1,40 @@
## Introduction
Goal: Propose a UTM firewall based on the opnsense operating system to the customer.
Make "Bundles" including different kind of features with different price tags:
### Features
#### Main
- Base setup (routing, generic config, firewall rules, vlans, authentication via ad, etc...)
- VPN (standard OpenVPN)
- Free SSL certs (via ACME and Lets Encrypt) with auto-renewal
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL inspection, managed TLS exclusion, https de-/encryption) (!NOTE!: opnsense ca needs to be trusted from every client, which can be distributed by a GPO rule)
- Extend Feature of OPNsense Antivirus (with clamav + c-icap)
- IDS/IPS Protection via Suricata
#### Not implemented yet
- Mail Protection via Mail Relay on OPNsense
- WAF
#### Optional
- DynDNS
- Backup of config to google cloud, git or nextcloud (standard is backup locally and to opncentral)
- `OPNProxy`-Plugin extends Web Proxy to fine grained control of user/group access to certain domains/urls
### Bundles
#### Level 1
- Base
- VPN
- SSL certs (can be managed centrally by opncentral and pushed to specific customers when needed)
#### Level 2
- Web Proxy + Antivirus
- IDS/IPS Protection
#### Level 3
- Mail Protection
- WAF
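Review bot: the optional "Backup of config to google cloud, git or nextcloud" bullet has to state that the configuration is encrypted before it leaves the firewall: the exported config contains the CA and certificate private keys, the user password hashes, the LDAP bind credentials and the OpenVPN material that the Level 1 and Level 2 bundles set up, so an unencrypted copy in a git repository or a cloud share is a full takeover of the firewall. The built-in backup and the cloud backup options accept an encryption password; make it mandatory for the bundle. The same applies to "SSL certs (can be managed centrally by opncentral and pushed to specific customers when needed)": pushing a certificate means pushing its private key, which is another reason for the dedicated, least-privilege API user and the proper certificates recommended in the OPNcentral notes. Minor wording: "Extend Feature of OPNsense Antivirus (with clamav + c-icap)" is unclear; say that this is ClamAV scanning proxied traffic through c-icap, as in the Sophos migration notes.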