<div dir="ltr">Hmm. I'm on a custom small form factor build with Void Linux as the OS. My edge firewall rules aren't that complicated, and really easy with `ipset`, but some of those pfSense pre-fabs look nice. Especially the SG-1000 and SG-2220.</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 2, 2017 at 9:40 PM, Chuck Payne <span dir="ltr"><<a href="mailto:terrorpup@gmail.com" target="_blank">terrorpup@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Mon, Jan 2, 2017 at 8:13 PM, Alex Carver <span dir="ltr"><<a href="mailto:agcarver+ale@acarver.net" target="_blank">agcarver+ale@acarver.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 2017-01-02 16:55, DJ-Pfulio wrote:<br>
</span><span>> On 01/02/2017 06:55 PM, Robert L. Harris wrote:<br>
>> Linux firewall<br>
><br>
> That can mean almost anything.<br>
><br>
> VLANs are "suggestions", not security, unless there is physical separation at<br>
> some point.<br>
><br>
> Better to segment the network using a different router port for each subnet and<br>
> separate "dumb" switches for each, as needed.<br>
><br>
> This is actually how I do it, but with pfsense for the router. A normal linux<br>
> distro can do it, just tie the firewall rules to the specific interface. Don't<br>
> know about typical $20 home routers.<br>
<br>
</span>If you have a router with something like OpenWRT installed then it can<br>
handle tagging, too. Otherwise it's probably easiest to get something<br>
like a Ubiquiti EdgeRouter if an appliance is desired instead of rolling<br>
one from scratch.<br>
<div class="m_-3239943313582626478HOEnZb"><div class="m_-3239943313582626478h5"><br>
______________________________<wbr>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/li<wbr>stinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/li<wbr>stinfo</a><br>
</div></div></blockquote></div><div class="gmail_extra"><br></div></div></div>Like JD, I use pfSense, but I also have a Netgear GT748 switch that does VLANs. I have four that my pfSense manages:</div><div class="gmail_extra"><br></div><div class="gmail_extra">vlan1 <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> things that can be open</div><div class="gmail_extra">vlan2 <a href="http://192.168.5.0/24" target="_blank">192.168.5.0/24</a> things that are blocked (my kids' network; they have their own wireless network)</div><div class="gmail_extra">vlan3 <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a> things that I need for work; they can be accessed via my OpenVPN</div><div class="gmail_extra">vlan4 <a href="http://192.168.253.0/24" target="_blank">192.168.253.0/24</a> OpenVPN</div><div class="gmail_extra"><br></div><div class="gmail_extra">I know it's a bit much, but after catching someone spying on me this summer, I had to bring things out. With kids under 18, I feel much better that I am monitoring and blocking things. Like, my 5 year old finds YouTube videos of things I'm not ready to talk about so easily; those are blocked now. The firewall logs are great. You can click on an IP and set up rules right there, in a matter of seconds.</div><div class="gmail_extra"><br></div><div class="gmail_extra">I tried to do this with openSUSE; they have a great firewall that is built in, but iptables rules can be hard to write. One thing that won me over more with pfSense was the fact that I had a hard failure on Saturday. I fired up a virt, took a backup that I had made and restored it; it installed all my add-ons (nmap, openvpnclient, darkstat, and more) without me asking. It read it from the config. I only lost two VPN accounts, because they were made after my last backup. But I was only down for 15 mins; I have since replaced the drive and it is backed up with the updated config. Doing a fresh install of openSUSE or Debian usually takes much longer.
<br><br clear="all"><div><br></div>-- <br><div class="m_-3239943313582626478gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Terror PUP a.k.a<br>Chuck "PUP" Payne<br>-----------------------------------------<br>Discover it! Enjoy it! Share it! openSUSE Linux.<br>-----------------------------------------<br>openSUSE -- Terrorpup<br>openSUSE Ambassador/openSUSE Member<br>skype, twitter, identica, friendfeed -- terrorpup<br>freenode (irc) -- terrorpup/lupinstein<br>Registered Linux Userid: 155363<br> <br>Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute, or create your own Linux distro? Give SUSE Studio a try.</div></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">James Sumners<br><a href="http://james.sumners.info/" target="_blank">http://james.sumners.info/</a> (technical profile)<br><a href="http://jrfom.com/" target="_blank">http://jrfom.com/</a> (personal site)<br><a href="http://haplo.bandcamp.com/" target="_blank">http://haplo.bandcamp.com/</a> (music)</div>
</div>
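The advice in the thread is to bind firewall rules to the specific interface rather than trust the VLAN tag alone. This added shell example (not code from any poster) emits an nftables ruleset that does exactly that for the four subnets Chuck lists; the interface names, the WAN interface, the OpenVPN port and the blocklist entry are assumptions.

```shell
#!/bin/sh
# Added example: generate (not apply) an nftables ruleset in which every
# forwarding decision names the ingress and egress interface, so a host on
# one VLAN cannot reach another merely by being tagged differently.
# Interface names, WAN device and VPN port are assumptions; subnets are from the thread.
WAN=eth0
LAN1=eth1.1   # vlan1 192.168.1.0/24   open
LAN2=eth1.2   # vlan2 192.168.5.0/24   kids, internet only
LAN3=eth1.3   # vlan3 192.168.10.0/24  work, reachable only from the VPN
VPN=tun0      # vlan4 192.168.253.0/24 OpenVPN clients

gen_ruleset() {
cat <<EOF
table inet segmented {
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }   # placeholder (RFC 5737), not a real indicator
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        ip daddr @blocklist drop
        iifname "$LAN1" oifname "$WAN" accept
        iifname "$LAN2" oifname "$WAN" accept
        iifname "$VPN" oifname "$LAN3" accept
        iifname "$LAN1" oifname "$VPN" accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        iifname "$WAN" udp dport 1194 accept
        iifname { "$LAN1", "$LAN3", "$VPN" } tcp dport 22 accept
    }
}
EOF
}

# allowed_forward IN OUT: true (exit 0) only if the generated ruleset carries
# an explicit accept from interface IN to interface OUT; everything else
# falls through to the chain's drop policy.
allowed_forward() {
    gen_ruleset | grep -q "iifname \"$1\" oifname \"$2\" accept"
}

# Review the result before loading it: gen_ruleset > /etc/nftables.conf; nft -c -f /etc/nftables.conf
```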