Practical OPNsense: Building Enterprise Firewalls With Open Source 9783755442882
Simple packet filters are becoming a thing of the past. Even the open-source domain is moving towards Next-Generation Fi
168 47 6MB
English Pages 537 Year 2023
Table of contents :
Practical OPNsense
Practical OPNsense
Preface
Preface of the third edition
Preface of the first and second edition
Overview
Resources
Legal
Introduction
Evolving.
Open Source.
Try before Buy.
Hardware-independent.
Unix.
Best Of.
History
Part I
For Beginners
Chapter 1: Quickstart
What is OPNsense?
IP address
Setup
Overview
Summary
Chapter 2: Lab Network
Resources
Virtualization
Hardware
Networks
Separate by switches
Separate by VLANs
Firewall
Addressing
Lab Server
Utilization
Chapter 3: Platform
Preparation
VMware
Workstation Pro
Workstation Player
ESXi
VirtualBox
vboxnet
Virtual machines
Hardware
Embedded systems
Chapter 4: Installation
Operating system
Storage
Post-installation tasks
VMware tools
Keyboard layout
System sounds
Chapter 5: Initial Setup
Initial setup
Defaults
Assigning the network adapter
Assigning IP addresses
Secondary setup
Security
Miscellaneous
Network card
IPv6
Routing
Final testing
Summary
Part II
For Intermediates
Chapter 6: Firewall
OPNsense as a firewall
Lab setup
Firewall rules
Logging
Throughput
Best practice
Additional filter
Time-based rules
Anti-spoofing
GeoIP
Technical background
Order of processing
Troubleshooting
Summary
Chapter 7: Transparent Firewall
Pros and cons
Lab setup
Configuration
Filter operation
Ruleset
Connection test
Uncover transparent firewall
Technical background
Summary
Chapter 8: Network Address Translation
Lab setup
Scenarios
One-to-One NAT
Simple outbound translation
Advanced outbound translation
Port forward
IPv6
NAT Reflection
Technical background
Summary
Chapter 9: Management Interface
Create a management interface
Secure management interface
Define management subnets
Firewall rules
Separate from end-user traffic
Bandwidth limitation
Two-factor authentication
Summary
Part III
For Experts
Chapter 10: IPsec VPN
Security
Lab setup
Connection setup
Firewall
Status
Address translation
Dead Peer Detection
IPv6
VPN throughput
Troubleshooting
Error pattern
Technical background
Outlook
IKEv2
Mobile clients
Tinc VPN
ZeroTier
Summary
Chapter 11: OpenVPN
Operation
Authentication
Username
Pre-shared key
Certificates
Differences to IPsec
Lab setup
Site-to-Site tunnel
Client
Ruleset
Connectivity
Client-server tunnel
Client
Troubleshooting
Certificates
Technical background
Summary
Chapter 12: High Availability
Basics
Lab network
CARP group
Stateless
Address translation
State tables
Synchronization of sessions
Synchronization of configuration
Best practice
Asymmetric routing
Master election
Synchronization
Quicker failover
Load balancing
IP version 6
Technical background
Summary
Chapter 13: NetFlow
The content of a flow
Lab setup
Collector
Troubleshooting
Insight
Technical background
IPv6
Summary
Chapter 14: Web Proxy
Lab setup
Explicit proxy
URL filter
Filter by category
Blacklists and whitelists
Troubleshooting
Proxy cluster
Functional test
TLS Inspection
Certificate Authority
Configuration
Client
Functional test
Transparent proxy
IPv6
Technical background
Limitations
Outlook
Summary
Chapter 15: Central Authentication
Protocols
LDAP
RADIUS
Lab setup
Microsoft Server
LDAP
RADIUS
Directory-as-a-Service
OPNsense as LDAP client
OPNsense as RADIUS client
Two-factor authentication
Troubleshooting
LDAP
RADIUS
Technical background
Summary
Part IV
For Hackers
Chapter 16: Multi-WAN
Requirements
Load distribution in the WAN
Lab environment
Web server
Operation
Configuration
Gateways
Health check
Gateway Groups
Firewall
Address translation
Scenario
Failure
Monitoring
IPv6
Technical background
Summary
Chapter 17: DSL router
DSL types
Lab setup
PPPoE Dial-in
LAN adapters
Network Bridge
DNS and DHCP
IPv4 with Address Translation
IPv6 with prefix delegation
Firewall
IPv4/IPv6
Management access
Technical background
Summary
Chapter 18: Intrusion Detection
IPS and IDS
Network integration
Lab setup
Attack
Activate IDS
Next attack
Fine tuning
Activate IPS
Transparent IDS
Network bridge
Technical background
Rules
Summary
Chapter 19: Command Line
configd
Configuration changes
Extension opn-cli
Undo changes
Updates
Packages
Summary
Chapter 20: Performance Tuning
Lab setup
Baseline
Virtual network adapter
Routing throughput
IPsec throughput
Measuring method
Increasing performance
AES-NI
Multiple CPU cores
MTU and MSS
Populate ARP cache
Summary
Part V
For Admins
Chapter 21: Best Practice
Factory reset
Thorough
Benchmark throughput
SSH login without password
Generate key pair
Display public key
Link public key with a firewall
Login with the private key
Password reset
Chapter 22: Configuration
Dropbox
Automatic backup
Google Drive
Access the API
Set up Drive
Upload
Automatic backup
Summary
Chapter 23: Life Hacks
Access from Windows
Span port
Telegram
Firewall rules with category
Quick search
Chapter 24: Application Programming Interface
How does the API work?
Model View Controller
Documentation
Read Access
Write Access
What does the API cover?
API browser
Security
Technical background
Outlook
Summary
Appendix A: IP Version 6
Crash course
Appendix B: Editing Files in FreeBSD
Show content of a file
Edit a file
Easy Editor
Vi IMproved
Appendix C: Pattern Matching
Selections
Quantifiers
Characters
Special characters
Examples
Testing
Appendix D: Bonus Material
Bibliography
Index
Impressum
Practical OPNsense
Practical OPNsense
Preface
Preface of the third edition
Preface of the first and second edition
Overview
Resources
Legal
Introduction
Evolving.
Open Source.
Try before Buy.
Hardware-independent.
Unix.
Best Of.
History
Part I
For Beginners
Chapter 1: Quickstart
What is OPNsense?
IP address
Setup
Overview
Summary
Chapter 2: Lab Network
Resources
Virtualization
Hardware
Networks
Separate by switches
Separate by VLANs
Firewall
Addressing
Lab Server
Utilization
Chapter 3: Platform
Preparation
VMware
Workstation Pro
Workstation Player
ESXi
VirtualBox
vboxnet
Virtual machines
Hardware
Embedded systems
Chapter 4: Installation
Operating system
Storage
Post-installation tasks
VMware tools
Keyboard layout
System sounds
Chapter 5: Initial Setup
Initial setup
Defaults
Assigning the network adapter
Assigning IP addresses
Secondary setup
Security
Miscellaneous
Network card
IPv6
Routing
Final testing
Summary
Part II
For Intermediates
Chapter 6: Firewall
OPNsense as a firewall
Lab setup
Firewall rules
Logging
Throughput
Best practice
Additional filter
Time-based rules
Anti-spoofing
GeoIP
Technical background
Order of processing
Troubleshooting
Summary
Chapter 7: Transparent Firewall
Pros and cons
Lab setup
Configuration
Filter operation
Ruleset
Connection test
Uncover transparent firewall
Technical background
Summary
Chapter 8: Network Address Translation
Lab setup
Scenarios
One-to-One NAT
Simple outbound translation
Advanced outbound translation
Port forward
IPv6
NAT Reflection
Technical background
Summary
Chapter 9: Management Interface
Create a management interface
Secure management interface
Define management subnets
Firewall rules
Separate from end-user traffic
Bandwidth limitation
Two-factor authentication
Summary
Part III
For Experts
Chapter 10: IPsec VPN
Security
Lab setup
Connection setup
Firewall
Status
Address translation
Dead Peer Detection
IPv6
VPN throughput
Troubleshooting
Error pattern
Technical background
Outlook
IKEv2
Mobile clients
Tinc VPN
ZeroTier
Summary
Chapter 11: OpenVPN
Operation
Authentication
Username
Pre-shared key
Certificates
Differences to IPsec
Lab setup
Site-to-Site tunnel
Client
Ruleset
Connectivity
Client-server tunnel
Client
Troubleshooting
Certificates
Technical background
Summary
Chapter 12: High Availability
Basics
Lab network
CARP group
Stateless
Address translation
State tables
Synchronization of sessions
Synchronization of configuration
Best practice
Asymmetric routing
Master election
Synchronization
Quicker failover
Load balancing
IP version 6
Technical background
Summary
Chapter 13: NetFlow
The content of a flow
Lab setup
Collector
Troubleshooting
Insight
Technical background
IPv6
Summary
Chapter 14: Web Proxy
Lab setup
Explicit proxy
URL filter
Filter by category
Blacklists and whitelists
Troubleshooting
Proxy cluster
Functional test
TLS Inspection
Certificate Authority
Configuration
Client
Functional test
Transparent proxy
IPv6
Technical background
Limitations
Outlook
Summary
Chapter 15: Central Authentication
Protocols
LDAP
RADIUS
Lab setup
Microsoft Server
LDAP
RADIUS
Directory-as-a-Service
OPNsense as LDAP client
OPNsense as RADIUS client
Two-factor authentication
Troubleshooting
LDAP
RADIUS
Technical background
Summary
Part IV
For Hackers
Chapter 16: Multi-WAN
Requirements
Load distribution in the WAN
Lab environment
Web server
Operation
Configuration
Gateways
Health check
Gateway Groups
Firewall
Address translation
Scenario
Failure
Monitoring
IPv6
Technical background
Summary
Chapter 17: DSL router
DSL types
Lab setup
PPPoE Dial-in
LAN adapters
Network Bridge
DNS and DHCP
IPv4 with Address Translation
IPv6 with prefix delegation
Firewall
IPv4/IPv6
Management access
Technical background
Summary
Chapter 18: Intrusion Detection
IPS and IDS
Network integration
Lab setup
Attack
Activate IDS
Next attack
Fine tuning
Activate IPS
Transparent IDS
Network bridge
Technical background
Rules
Summary
Chapter 19: Command Line
configd
Configuration changes
Extension opn-cli
Undo changes
Updates
Packages
Summary
Chapter 20: Performance Tuning
Lab setup
Baseline
Virtual network adapter
Routing throughput
IPsec throughput
Measuring method
Increasing performance
AES-NI
Multiple CPU cores
MTU and MSS
Populate ARP cache
Summary
Part V
For Admins
Chapter 21: Best Practice
Factory reset
Thorough
Benchmark throughput
SSH login without password
Generate key pair
Display public key
Link public key with a firewall
Login with the private key
Password reset
Chapter 22: Configuration
Dropbox
Automatic backup
Google Drive
Access the API
Set up Drive
Upload
Automatic backup
Summary
Chapter 23: Life Hacks
Access from Windows
Span port
Telegram
Firewall rules with category
Quick search
Chapter 24: Application Programming Interface
How does the API work?
Model View Controller
Documentation
Read Access
Write Access
What does the API cover?
API browser
Security
Technical background
Outlook
Summary
Appendix A: IP Version 6
Crash course
Appendix B: Editing Files in FreeBSD
Show content of a file
Edit a file
Easy Editor
Vi IMproved
Appendix C: Pattern Matching
Selections
Quantifiers
Characters
Special characters
Examples
Testing
Appendix D: Bonus Material
Bibliography
Index
Impressum
![Pro Open Source Mail: Building an Enterprise Mail Solution [1 ed.]
9781590595985, 159059598X](https://ebin.pub/img/200x200/pro-open-source-mail-building-an-enterprise-mail-solution-1nbsped-9781590595985-159059598x.jpg)
![Quartz Job Scheduling Framework: Building Open Source Enterprise Applications [1 ed.]
9780131886704, 0131886703](https://ebin.pub/img/200x200/quartz-job-scheduling-framework-building-open-source-enterprise-applications-1nbsped-9780131886704-0131886703.jpg)
![Open source for business a practical guide to open source software licensing [Third ed.]
2015906061](https://ebin.pub/img/200x200/open-source-for-business-a-practical-guide-to-open-source-software-licensing-thirdnbsped-2015906061.jpg)
![Open Source for the Enterprise [1 ed.]
0596101198, 9780596101190](https://ebin.pub/img/200x200/open-source-for-the-enterprise-1nbsped-0596101198-9780596101190.jpg)
![Expanding Choice: Moving to Linux and Open Source with Novell Open Enterprise Server [1st edition]
0672327228, 9780672327223](https://ebin.pub/img/200x200/expanding-choice-moving-to-linux-and-open-source-with-novell-open-enterprise-server-1st-edition-0672327228-9780672327223.jpg)
