
Non Sophos binaries (or feature request for new installed utility)

Hi,

 

I have in the past used the XG Home firewall and set it up for a friend last week who has new children to protect and have decided I want to move back to it as well.  I have a more complex home network (and needs) than he did, and need a couple more items as a result.

 

1.  Avahi (do not need any bus bindings) - I have an automated IoT household and my devices are all on a private / protected subnet currently.  Of course, the way all of our gadgets use mDNS nowadays, it makes it impossible to find them without an mDNS bridge or repeater.  It does not make sense to install another computer to bridge them as it just makes another security device to manage.  I do not mind installing my own compiled version of avahi, but it would be a nice feature of the home (and corporate versions - to find printers, e.g.) I think.

 

2.  NTP server / client - like chrony (do not think an explanation is required)

 

Questions:

1. Will the router drop packets with rule_0 before my rules to allow these connections to it  are applied?  I have not so fond memories of rule 0 :)

2. Has it been considered to allow rule 0 modifications yet?  It is really bad practice (I would never buy a product that did not allow me to modify *all* settings relating to my network) in my opinion.

 

Thanks in advance,

 

-Greg



  • 1. Will the router drop packets with rule_0 before my rules to allow these connections to it  are applied?  I have not so fond memories of rule 0 :)

    As far as I understand your question, XG uses a first-match rule set. So basically XG will look for a matching rule and proceed in this case. If no matching rule is found, XG will drop it by default. This is rule 0.

    Check out this KBA: https://community.sophos.com/kb/en-us/131968

    2. Has it been considered to allow rule 0 modifications yet?  It is really bad practice (I would never buy a product that did not allow me to modify *all* settings relating to my network) in my opinion.

    What would be the alternative? Rule 0 is some kind of default drop. You would change the handling from default drop (whitelist) to blacklist, which is even worse in a business environment, from my point of view. So let's say you can change rule 0 to "allow everything". Then you have to maintain all rules to explicitly block the traffic which you do not want. As far as I can see, this is the worst case. And even this, you can do. Simply create an ANY - ANY - ANY rule at the bottom and allow everything. Then start to block the unwanted traffic above it; this will match before the allow rule applies, and you can use your rule 0 allow all.
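
The first-match behaviour described in the reply above, as an added example that is not part of the original thread and is not Sophos code: a simplified Python model of a first-match rule set with an implicit default drop, compared with explicit blocks above a bottom ANY - ANY - ANY allow. The zone names, rule names, services and sample traffic are constructed assumptions.

```python
from dataclasses import dataclass

ANY = "ANY"

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str  # "proto/port" or ANY
    action: str   # "allow" or "drop"

    def matches(self, pkt):
        fields = (self.src_zone, self.dst_zone, self.service)
        return all(want in (ANY, got) for want, got in zip(fields, pkt))

def evaluate(rules, pkt):
    """First match wins; when nothing matches, the implicit rule 0 drops."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "rule 0 (default drop)"

def allowed_by_catch_all(rules, traffic):
    """Packets that pass only because an ANY-ANY-ANY allow rule caught them."""
    catch_alls = {r.name for r in rules if r.action == "allow"
                  and (r.src_zone, r.dst_zone, r.service) == (ANY, ANY, ANY)}
    hits = []
    for pkt in traffic:
        action, name = evaluate(rules, pkt)
        if action == "allow" and name in catch_alls:
            hits.append(pkt)
    return hits

# Constructed policies; zone, rule and service choices are assumptions.
WHITELIST = [  # explicit allows, everything else falls through to rule 0
    Rule("allow-ntp", "IOT", "WAN", "udp/123", "allow"),
    Rule("allow-mgmt", "LAN", "IOT", "tcp/443", "allow"),
]
BLACKLIST = [  # explicit blocks above a bottom ANY - ANY - ANY allow
    Rule("block-telnet", "IOT", "WAN", "tcp/23", "drop"),
    Rule("any-any-any", ANY, ANY, ANY, "allow"),
]
# Constructed traffic: (source zone, destination zone, service)
TRAFFIC = [("IOT", "WAN", "udp/123"), ("LAN", "IOT", "tcp/443"),
           ("IOT", "WAN", "tcp/23"), ("IOT", "LAN", "tcp/445")]

if __name__ == "__main__":
    for pkt in TRAFFIC:
        print(pkt, evaluate(WHITELIST, pkt), evaluate(BLACKLIST, pkt))
    print("passed via catch-all:", allowed_by_catch_all(BLACKLIST, TRAFFIC))
```

The flow nobody wrote a rule for (IOT to LAN on tcp/445) is dropped by rule 0 in the first policy and allowed by the catch-all in the second, so `allowed_by_catch_all` doubles as a quick audit of what a bottom allow rule is letting through.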

     
