
Non Sophos binaries (or feature request for new installed utility)

Hi,


I have in the past used the XG Home firewall and set it up for a friend last week who has new children to protect, and have decided I want to move back to it as well. I have a more complex home network (and needs) than he did, and need a couple more items as a result.


1. Avahi (do not need any bus bindings) - I have an automated IoT household and my devices are all on a private / protected subnet currently. Of course, the way all of our gadgets use mDNS nowadays, it makes it impossible to find them without an mDNS bridge or repeater. It does not make sense to install another computer to bridge them, as it just makes another security device to manage. I do not mind installing my own compiled version of avahi, but it would be a nice feature of the home (and corporate versions - e.g. to find printers) I think.


2. NTP server / client - like chrony (do not think an explanation is required)


Questions:

1. Will the router drop packets with rule_0 before my rules to allow these connections to it are applied? I have not so fond memories of rule 0 :)

2. Has it been considered to allow rule 0 modifications yet? It is really bad practice (I would never buy a product that did not allow me to modify *all* settings relating to my network) in my opinion.


Thanks in advance,


-Greg
  • 1. Will the router drop packets with rule_0 before my rules to allow these connections to it are applied? I have not so fond memories of rule 0 :)

    As far as I understand your question, XG uses a first-match rule set. So basically XG will look for a matching rule and proceed in this case. If no matching rule is found, XG will drop it by default. This is rule 0.

    Check out this KBA: https://community.sophos.com/kb/en-us/131968


    2. Has it been considered to allow rule 0 modifications yet? It is really bad practice (I would never buy a product that did not allow me to modify *all* settings relating to my network) in my opinion.

    What would be the alternative? Rule 0 is some kind of default drop. You would change the handling from default drop (whitelist) to blacklist, which is even worse in a business environment from my point of view. So let's say you can change rule 0 to "allow everything". Then you have to maintain all rules to explicitly block the traffic which you do not want. As far as I can see, this is the worst case. And even this, you can do. Simply create an ANY - ANY - ANY rule at the bottom and allow everything. Then start to block the unwanted traffic above it; this will match before the allow rule applies, and you can use your rule 0 as allow all.
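To make the first-match behaviour described in this reply concrete, here is a small added example (my own code, not anything from Sophos or the XG firmware) that models a rule set the way the reply describes it: rules are tried top to bottom, the first matching rule decides, and a packet that matches nothing falls through to the implicit default drop (rule 0). It also models the second configuration from the reply, an ANY - ANY - ANY allow at the bottom with explicit drops above it. The addresses, subnet and rule names are constructed for the example, and the IoT subnet, NTP and mDNS rules are just an illustration of the original poster's use case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "drop"
    src: str = "0.0.0.0/0"     # "0.0.0.0/0" is the ANY source
    dst: str = "0.0.0.0/0"     # "0.0.0.0/0" is the ANY destination
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every clause of the rule fits the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


RULE_0 = "rule_0 (implicit default drop)"


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation: walk the rules in order and let the first one
    whose clauses fit decide. A packet that matches no rule is dropped by the
    implicit rule 0, which sits below every configured rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", RULE_0


# Constructed addresses: an IoT subnet and the firewall's interface on it.
IOT_NET = "192.168.50.0/24"
FIREWALL_IF = "192.168.50.1/32"
MDNS_MCAST = "224.0.0.251/32"

# Whitelist policy: only what is explicitly allowed gets through;
# everything else is handled by the implicit rule 0.
WHITELIST_POLICY = [
    Rule("allow-ntp", "allow", src=IOT_NET, dst=FIREWALL_IF, proto="udp", dport=123),
    Rule("allow-mdns", "allow", src=IOT_NET, dst=MDNS_MCAST, proto="udp", dport=5353),
]

# "Allow everything" policy as described in the reply: explicit drops first,
# then an ANY - ANY - ANY allow at the bottom that takes the place of rule 0.
BLOCK_THEN_ALLOW_POLICY = [
    Rule("block-ssh-from-iot", "drop", src=IOT_NET, proto="tcp", dport=22),
    Rule("block-admin-ui-from-iot", "drop", src=IOT_NET, dst=FIREWALL_IF, proto="tcp", dport=4444),
    Rule("catch-all-allow", "allow"),   # ANY source, ANY destination, ANY service
]


def shadowed_by_catch_all(rules: List[Rule]) -> List[str]:
    """Names of rules that sit below an ANY - ANY - ANY rule and can never match.
    This is the mistake the reply warns about: the blocks must go above it."""
    names = []
    catch_all_seen = False
    for rule in rules:
        if catch_all_seen:
            names.append(rule.name)
        elif rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0" \
                and rule.proto == "any" and rule.dport is None:
            catch_all_seen = True
    return names


if __name__ == "__main__":
    ntp = Packet("192.168.50.20", "192.168.50.1", "udp", 123)
    ssh = Packet("192.168.50.20", "192.168.50.1", "tcp", 22)
    print(evaluate(WHITELIST_POLICY, ntp))          # allowed by allow-ntp
    print(evaluate(WHITELIST_POLICY, ssh))          # falls through to rule 0
    print(evaluate(BLOCK_THEN_ALLOW_POLICY, ssh))   # caught by the explicit drop
```

Running it shows the two sides of the trade-off: with the whitelist, an unlisted flow such as SSH to the firewall needs no rule at all to be dropped, while with the catch-all allow every unwanted flow needs its own drop rule placed above the catch-all, and `shadowed_by_catch_all` flags any drop that was accidentally placed below it.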


  • I think you have misunderstood the basic tenet of network security: drop everything by default and then create your own rules to allow specific traffic. This gives you full control of your network.

    Ian

  • No, I understand completely - I build global networks by day. My issue with rule_0 is that it catches traffic I do not want caught (like dup packets on a single interface, or the same packet on multiple interfaces - a common DMZ setup).


    I would have to create individual rules for each thing I find rather than turning the checks off and keeping my config simpler. If it was in a corporate environment, I would have to train the damn NOC on all of these nuances so they did not break stuff during maintenance windows and wake me up with the puzzled voice @ 2am :)

  • When I was building networks not that long ago, I would want to know about duplicate packets, because they mean you either have a failing device or a security issue where something is capturing and resending the packets, e.g. spoofing.

    The only thing appearing on multiple interfaces should be broadcasts etc.

    Ian