[ale] Firewall convo
Jerald Sheets
questy at gmail.com
Fri Apr 17 10:39:02 EDT 2020
I just wanted to let everyone know I decided to go Ubiquiti. All the parts and the integration, the telemetry, and the customizability are outstanding, and they’re TINY! It will all fit in that cabinet just fine. I feel justified because the Ubiquiti stuff is actually a little Linux box. :)
Thanks, everybody!
Much appreciated!!!
—jms
> On Apr 10, 2020, at 5:08 PM, Derek Atkins via Ale <ale at ale.org> wrote:
>
> If you only have 1 IP address then you will need to do port-based NAT in
> order to serve multiple items.. I.e., the consumer of that 1 IP would
> need to be a router and then it would NAT traffic to your DMZ and/or
> internal network as necessary.
>
> I am sure a pfSense can do this. I also know the ER-X would do it.
>
> -derek
>
> On Fri, April 10, 2020 5:03 pm, Jeff Hubbs via Ale wrote:
>> I'm looking to have Comcast Business installed at home as a backup
>> (their reps can stop calling my phone *any old time now* until I've had
>> a chance to actually read over the contract). Will pfSense enable me to
>> establish a DMZ for Internet-facing servers? I'm getting only one IP
>> address at this time, so I understand that I will have to have the first
>> thing on the DMZ be a machine to act as reverse proxy if I want to
>> present multiple web sites.
>>
>> On 4/10/20 4:33 PM, Derek Atkins via Ale wrote:
>>> Hi,
>>>
>>> On Fri, April 10, 2020 4:25 pm, Robert Story wrote:
>>> [snip]
>>>> Sorry, I wasn't clear. Using their GUI or CLI tools are fine. I mean
>>>> that if you edit files yourself (eg /etc/network/interfaces) or make
>>>> local modifications (maybe iptables rules), those changes will likely
>>>> be overwritten on reboot or when their GUI/CLI tools are used to modify
>>>> something that will regenerate those files..
>>> Ah, yes, that's definitely true. Any changes you make outside the /config
>>> directory will not last beyond a reboot. Having said that, you CAN write
>>> a shell script that will re-introduce your changes upon reboot, and I've
>>> used that method myself to deal with certain shortcomings of the Unifi
>>> firmware.
>>>
>>> For example, unifi does not handle IPv6 source-based routing for IPv6
>>> through its default configuration, but you can configure it through the
>>> Linux interfaces. So I wrote a script that is stored in
>>> /config/scripts/post-config.d/ that edits /etc/iproute2/rt_tables and then
>>> runs a bunch of "ip -6" commands to set up my route and routes. Works
>>> great for me, but it does make it a tad harder to manage vs using the GUI
>>> interface.
>>>
>>>> My point was that if you prefer shell access over GUI, with the ER-X
>>>> (and openWRT too) you have to learn what you can safely modify just
>>>> like any other Linux system and what you need to modify using
>>>> non-standard commands for that system.
>>> Yes, I agree with that. But once you learn what you can modify safely and
>>> the tricks for how to modify everything else, you can script it all up
>>> just fine! :)
>>>
>>>> Robert
>>> -derek
>>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> https://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
>
> --
> Derek Atkins 617-623-3745
> derek at ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
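The re-apply-on-boot pattern Derek describes above (a script in /config/scripts/post-config.d/ that edits /etc/iproute2/rt_tables and then runs "ip -6" commands), written out as an added example; this is not code from the thread or from Ubiquiti. The table id 100, the name wan2v6, the prefix 2001:db8:1::/64, the gateway fe80::1 and eth0 are assumed placeholders. The functions take the file path and a command runner as parameters so the logic can be exercised without touching a live router. The practical point is that such a script runs again on every boot and after every config regeneration, so it has to be idempotent: it must not append a second rt_tables line or stack up duplicate policy rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ubiquiti: an idempotent
# script of the kind Derek describes, meant for /config/scripts/post-config.d/
# on an EdgeOS box. It makes sure a custom IPv6 routing table exists in
# /etc/iproute2/rt_tables and emits the "ip -6" commands for a source-based
# route. All values below are assumed placeholders; override them via the
# environment.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
TABLE_ID="${TABLE_ID:-100}"                   # assumed: an unreserved id
TABLE_NAME="${TABLE_NAME:-wan2v6}"            # assumed; keep it alphanumeric
SRC_PREFIX="${SRC_PREFIX:-2001:db8:1::/64}"   # assumed documentation prefix
GATEWAY="${GATEWAY:-fe80::1}"                 # assumed link-local next hop
IFACE="${IFACE:-eth0}"                        # assumed upstream interface

# ensure_rt_table FILE ID NAME
# Adds "ID<tab>NAME" to FILE once. Because post-config.d scripts run on every
# boot, and the file may be regenerated by the GUI, the function must be safe
# to re-run: it does nothing if the entry is already there and refuses to add
# a line that would reuse ID or NAME with a different partner.
ensure_rt_table() {
    file=$1; id=$2; name=$3
    [ -f "$file" ] || { echo "ensure_rt_table: $file missing" >&2; return 1; }
    if grep -Eq "^[[:space:]]*${id}[[:space:]]+${name}[[:space:]]*$" "$file"; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*${id}[[:space:]]|[[:space:]]${name}[[:space:]]*$" "$file"; then
        echo "ensure_rt_table: id $id or name $name already in use in $file" >&2
        return 1
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# v6_route_cmds TABLE PREFIX GATEWAY IFACE
# Prints the commands that send traffic sourced from PREFIX through TABLE,
# whose default route points at GATEWAY. "route replace" is idempotent by
# itself; "rule add" is not (duplicate rules stack up), so the rule is only
# added when "ip -6 rule show" does not already list it.
v6_route_cmds() {
    table=$1; prefix=$2; gw=$3; dev=$4
    printf 'ip -6 route replace default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    printf "ip -6 rule show | grep -q 'from %s lookup %s' || ip -6 rule add from %s table %s\n" \
        "$prefix" "$table" "$prefix" "$table"
}

# apply_ipv6_policy RUNNER
# RUNNER is the command each generated line is handed to: "sh -c" on the
# router, "echo" for a dry run that only prints what would be executed.
apply_ipv6_policy() {
    runner=$1
    ensure_rt_table "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME" || return 1
    v6_route_cmds "$TABLE_NAME" "$SRC_PREFIX" "$GATEWAY" "$IFACE" |
    while IFS= read -r cmd; do
        $runner "$cmd" || exit 1
    done
}

# Nothing runs unless explicitly asked, so the file can be sourced safely.
case "${1:-}" in
    --apply)   apply_ipv6_policy "sh -c" ;;
    --dry-run) apply_ipv6_policy echo ;;
esac
```

Run it with --dry-run first (pointing RT_TABLES at a scratch copy if you do not want the real file touched) and check the printed commands; only then install it executable under /config/scripts/post-config.d/ and run it with --apply. The name check in ensure_rt_table assumes TABLE_NAME contains no regex metacharacters, which is why the comment asks for an alphanumeric name.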