[ale] Firewall convo

Jeff Hubbs jhubbslist at att.net
Fri Apr 10 17:03:33 EDT 2020


I'm looking to have Comcast Business installed at home as a backup 
(their reps can stop calling my phone *any old time now* until I've had 
a chance to actually read over the contract). Will pfSense enable me to 
establish a DMZ for Internet-facing servers? I'm getting only one IP 
address at this time, so I understand that I will have to have the first 
thing on the DMZ be a machine to act as reverse proxy if I want to 
present multiple web sites.

On 4/10/20 4:33 PM, Derek Atkins via Ale wrote:
> Hi,
>
> On Fri, April 10, 2020 4:25 pm, Robert Story wrote:
> [snip]
>> Sorry, I wasn't clear. Using their GUI or CLI tools is fine. I mean
>> that if you edit files yourself (e.g. /etc/network/interfaces) or make
>> local modifications (maybe iptables rules), those changes will likely
>> be overwritten on reboot or when their GUI/CLI tools are used to modify
>> something that will regenerate those files.
> Ah, yes, that's definitely true.  Any changes you make outside the /config
> directory will not last beyond a reboot.  Having said that, you CAN write
> a shell script that will re-introduce your changes upon reboot, and I've
> used that method myself to deal with certain shortcomings of the Unifi
> firmware.
>
> For example, Unifi does not handle IPv6 source-based routing for IPv6
> through its default configuration, but you can configure it through the
> Linux interfaces.  So I wrote a script that is stored in
> /config/scripts/post-config.d/ that edits /etc/iproute2/rt_tables and then
> runs a bunch of "ip -6" commands to set up my route and routes.  Works
> great for me, but it does make it a tad harder to manage vs using the GUI
> interface.
>
>> My point was that if you prefer shell access over GUI, with the ER-X
>> (and OpenWrt too) you have to learn what you can safely modify just
>> like any other Linux system and what you need to modify using
>> non-standard commands for that system.
> Yes, I agree with that.  But once you learn what you can modify safely and
> the tricks for how to modify everything else, you can script it all up
> just fine!  :)
>
>> Robert
> -derek
>
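
A sketch of the kind of boot-time script described in the quoted reply, added here as an example; it is not part of the original thread and is not the poster's script. The table id and name, source prefix, gateway, interface and the "apply" argument are all constructed assumptions; only /etc/iproute2/rt_tables and the use of "ip -6" come from the message. Each step checks state first, so re-running it after the GUI/CLI tools regenerate files leaves no duplicate table entries or rules.

```shell
#!/bin/sh
# Re-apply IPv6 source-based routing after a reboot or config regeneration.
# All values below are constructed placeholders (2001:db8::/32 is the
# documentation prefix); replace them with your own.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
TABLE_ID=100
TABLE_NAME=isp2
SRC_PREFIX="2001:db8:2::/48"
GATEWAY="fe80::1"
WAN_IF=eth1

# Append "<id> <name>" to rt_tables only if no entry already names the table.
ensure_table() {
    if ! grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+$2([[:space:]]|\$)" \
            "$RT_TABLES" 2>/dev/null; then
        printf '%s\t%s\n' "$1" "$2" >> "$RT_TABLES"
    fi
}

# Add "from <prefix> lookup <table>" only if the kernel does not list it yet;
# "ip rule add" would otherwise stack a duplicate rule on every run.
ensure_rule() {
    if ! ip -6 rule show | grep -qF "from $1 lookup $2"; then
        ip -6 rule add from "$1" table "$2"
    fi
}

apply_all() {
    ensure_table "$TABLE_ID" "$TABLE_NAME"
    ensure_rule "$SRC_PREFIX" "$TABLE_NAME"
    # "replace" is idempotent: it creates the route or overwrites the old one.
    ip -6 route replace default via "$GATEWAY" dev "$WAN_IF" table "$TABLE_NAME"
}

# Touch the system only when asked to, so the functions can be sourced and
# exercised against a scratch file first.
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Verify the result with "ip -6 rule show" and "ip -6 route show table isp2" after a reboot.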


