
Non-Sophos binaries (or feature request for new installed utility)

Hi,

I have in the past used the XG Home firewall and set it up for a friend last week who has new children to protect, and I have decided I want to move back to it as well. I have a more complex home network (and needs) than he did, and need a couple more items as a result.

1. Avahi (do not need any bus bindings) - I have an automated IoT household and my devices are all on a private / protected subnet currently. Of course, the way all of our gadgets use mDNS nowadays, it makes it impossible to find them without an mDNS bridge or repeater. It does not make sense to install another computer to bridge them, as it just makes another security device to manage. I do not mind installing my own compiled version of avahi, but it would be a nice feature of the home (and corporate versions, e.g. to find printers) I think.

2. NTP server / client - like chrony (do not think an explanation is required)

Questions:

1. Will the router drop packets with rule_0 before my rules to allow these connections to it are applied? I have not so fond memories of rule 0 :)

2. Has it been considered to allow rule 0 modifications yet? It is really bad practice (I would never buy a product that did not allow me to modify *all* settings relating to my network) in my opinion.

Thanks in advance,

-Greg
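As an added illustration (not part of Greg's post and not a Sophos feature), this is the avahi-daemon.conf a reflector-only Avahi would use on a multi-homed host to relay mDNS between the IoT subnet and the LAN; the interface names lan0 and iot0 are assumed.

```ini
# Added example: reflector-only avahi-daemon.conf (interface names assumed).
[server]
# Limit Avahi to the two segments that should see each other's mDNS records;
# every other interface (WAN, guest, DMZ) stays untouched.
allow-interfaces=lan0,iot0
use-ipv4=yes
use-ipv6=no
# No D-Bus bindings are needed for a pure reflector.
enable-dbus=no

[publish]
# This host relays records only; it advertises no services of its own.
disable-publishing=yes

[reflector]
# Relay mDNS queries and answers between the allowed interfaces only.
enable-reflector=yes
reflect-ipv=no
```

Reflecting only makes the IoT devices discoverable from the LAN; the unicast follow-up connections (HTTP, AirPlay, printing) are still subject to the firewall rules between the two subnets, so those rules decide what is actually reachable.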



  • I think you have misunderstood the basic tenet of network security: dropping everything by default and then creating your own rules to allow specific traffic gives you full control of your network.

    Ian

  • No, I understand completely - I build global networks by day. My issue with rule_0 is that it catches traffic I do not want caught (like dup packets on a single interface, or the same packet on multiple interfaces - a common DMZ setup).

    I would have to create individual rules for each thing I find rather than turning the checks off and keeping my config simpler. If it was in a corporate environment, I would have to train the damn NOC for all of these nuances so they did not break stuff during maintenance windows and wake me up with the puzzled voice @ 2am :)

  • When I was building networks not that long ago, I would want to know about duplicate packets because they mean you either have a failing device or a security issue where something is capturing and resending the packets, e.g. spoofing.

    The only thing appearing on multiple interfaces should be broadcasts etc.

    ian
