Firewall for home

ehorn

Active Member
Jun 21, 2012
342
52
28
Thanks again for that very good article cactus, it led me to ask questions I did not think/know of. Also, seeing just how involved wire-speed packet capture becomes (especially as one moves up to faster gear and closer to the core).

I am thinking about the following edge implementation:



A tap on the dirty side leading into an instance of Snort running in 'passive' mode to detect, log and analysis what's happening outside the door; giving me detection.

Once in the house, another instance of Snort running 'inline' to alert and enforce drop rules/rewrite packets (if desired); giving me prevention.

Having two instance seems ideal to reveal a complete picture of what is occurring in and around the edge and to visually ensure firewall/router rule sets are being enforced.

I do have some minor concerns about latency on the inline side. But I suspect it will be acceptable for my needs.

So a hypervisor running the following VM's:

- Snort (Passive mode)
- pfSense (Router/Firewall/DHCP/NAT)
- Snort (Inline)

Seem logical? Has anyone setup similar implementations? Any recommendations/thoughts/gotchas/etc on such an implementation (or variant) plan?

The next steps will be to size the hardware. The guide is quite helpful in that regard.

Thanks guys - peace,
 
Last edited:

ehorn

Active Member
Jun 21, 2012
342
52
28
Hi gigatexal,

lol... Yeah,

I think such an implementation offers much better security, value, and flexibility than something like a zyxel unit (or similar price/performance SOHO/SMB UTM's).

Plus the experience gained will be (for me) what it is really about... Learning and sharing ideas.

peace,
 

gigatexal

I'm here to learn
Nov 25, 2012
2,766
529
113
Portland, Oregon
alexandarnarayan.com
you know what would be awesome is some sort of retaliation ability, to verify an intrusion and then somehow get back at them. sure it's illegal but if i'm being hacked or portscanned by some script kiddie i at least want to take him off the net for a while
 

ehorn

Active Member
Jun 21, 2012
342
52
28
you know what would be awesome is some sort of retaliation ability, to verify an intrusion and then somehow get back at them. sure it's illegal but if i'm being hacked or portscanned by some script kiddie i at least want to take him off the net for a while
Kinda like a digital form of "M.A.D." in a nuclear world? Hehe...

What I am trying to visualize is more efficient VM/networking for this... My original thinking had (7) physical NICs in the VM and a passive TAP. That seems like too much hardware for what I am trying to do...

Here is a variation which requires only 4 physical NICs and adds some capabilities:



This configuration will not give me inline IPS capability on the LAN side, but I think this layout will let me use vNICS/vSwitches on each side of the router for packet capture.

Also, this layout lets me assign one of the pNIC's to the physical switch for pcap/monitoring back to the applicance for any physical switch port/vlan as the need may arise.

Probably just going to need to test it... But is anyone here a wiz with VM networking that can validate this diagram?
 
Last edited: