CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new notes

Browse Source
This commit is contained in:
Petar Cubela
2025-03-18 14:23:17 +01:00
parent e6c2775f5f
commit 6c47451c60
58 changed files with 1648 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
areas/OPNsense/opnsense-frankeriger-current.md Normal file
View File

@@ -0,0 +1,86 @@
## Intro
The customer Franke Rieger Architekten is currently using a Sophos XG 106 firewall. The firewall is not anymore supported in the future or simply broken.. I dont know and care.
The Sophos thingy should be replaced by a OPNsense solution. In order to do this we try to reproduce the Sophos configuration as neatly as possible. Although it will be very hard.
### Plugins
- os-OPNcentral
- os-squid
- os-clamav
- os-c-icap
- os-acme-client
## Sophos features to reproduce
### Network
- [x] LAN port has a static network of: 192.168.9.254/24
- [x] default dhcp at br-lan: from 192.168.9.123 - 192.168.9.127
- [ ] WAN port has a static ip of: 192.168.99.253/24 (Speedport before firewall)
- [ ] ipv4 gateway: Name: Speedport, IP: 192.168.99.254, Interface: WAN port, Health check: on
- [x] DNS request route configured : Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local. OPNsense analogue: UnboundDNS -> Query Forwarding. (this is a config required for ad integration)
- [x] DNS servers are: itself, and choose arbitrary monopolistic techgiant
- [ ] ssl cert via acme (http-challenge), needs only to be enabled in ui and cert issued
### Authentication
- [x] Require MFA for: user portal, web admin console
- [ ] setup ad as "server" in opnsense
- [ ] import users form ad!!! (I hope it works...)
#### Not required
- [y] Kerberos for authenticating non-AD users (web authentication??)
- [y] captive portal
### Miscellaneous
- [x] sophos antivirus alternative (clamav + c-icap + squid web proxy)
- [x] SSL VPN - Needs to be tested properly
- [x] using SSL/TLS inspection with squid (transparent web proxy)
## Firewall rules to reproduce
- [x] allow VPN access to LAN network (any service) (web proxy) (ips: general policy) (waf)
- [x] allow LAN access to WAN network (dhcp. dns. ftp. http. https. icmp. icmpv6. imap(s). Jimdo-Mail??. ntp. ping. pop3(s). smtp. smtp(s). Teamviewer. ) (scan http and decrypted https, scan ftp for malware, use web proxy) (ips: general policy) (waf)
- [ ] service alias for imap(s), jimdo-mail, pop3(s), smtps_465, Teamviewer
- [x] allow wan access over https and ssh only via office ip (213.160.17.158) (in sophos jargon: "local service ACL exception rule" )
## IPS
- [x] default general policies
- [x] built-in [suricata](https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/)
## Web Proxy
- [x] risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
- [x] https encryption
- [x] managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Squid Web Proxy -> Administration, General Forwarding Settings under Froward Proxy list)
### Optional
The following features are too complicated and thus only optional.
## Web application firewall
- [ ] too complicated
## Wireless
- [ ] does it need to be configured on opnsense???
## Mail protection
- [y] scan ~~outgoing~~ incoming mails for malware (why??)
## Web Server
- not used