I’m a jr sys admin/HD L2. I’m currently studying for my CCNA and was reading about defense in depth and how you should have a firewall sitting on your network but also have the FWs on the PCs enabled as well for the depth part.
We have a Cisco FW sitting on the network but the PCs are off. I asked about this when I first started and was told that since we have the FW on the network then it’s fine. Having the PCs enabled would also require more configuration if specific ports are needed.
This made sense to me at the time but from a defense in depth POV this seems like a risk. What is best practice in this situation?
Now that I type this I realized we have Webroot on our endpoints, which, I believe, has a firewall. So maybe that satisfies the defense in depth. I don't know why my sys admin wouldn’t have just said that when asked, though.
Edit: I just confirmed that we have a local FW on the PCs through our Webroot antivirus
Edit 2: Thanks to some comments on here I have learned that Webroot's firewall only works on outbound, not inbound. It relies on Windows Firewall for the inbound part.
Those of you criticizing me for asking this can shove it, I wouldn’t have learned this (as fast) if it weren’t for my post.
So for the longest time we've been having users complain about slower and slower logins, start menu becoming unresponsive, etc. We'd tried adding resources and checking UPD storage speed. Today while researching slowness across RDS servers I found several articles about clearing firewall rules to fix the start menu. Went and checked the rules on an RDS. 80000+ rules...
Turns out Windows 10 "apps" like the start menu, Xbox Live, Cortana, etc... all create firewall rules each time a user logs in. Then when they log out they get orphaned, repeat for infinity.
Back in 2018 Microsoft released a fix but it requires you add a registry key. Additionally it only stops new rules, so existing ones hang around. I've found a PowerShell script that cleans orphaned rules and I'm running this across our customers now.
KB4467684 is the update
Reg key is REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" /t REG_DWORD /v DeleteUserAppContainersOnLogoff /d 1 /f
PowerShell script is by LapuLapu here https://social.technet.microsoft.com/Forums/windowsserver/en-US/3fdfa58b-fe1b-4546-85d2-d43dac9bcc10/black-screen-on-all-new-connections-sessionhost-has-to-be-rebooted?forum=winserverTS
Hopefully this helps someone.
NetFence is a network monitoring tweak for iOS 13/14 which intercepts all network connections from your device. It allows you to see what network requests are being made by apps and presents you with an alert, giving you the option to allow or block the connection. It can be considered as a modern replacement for the iOS 7 tweak Firewall IP. For those familiar with Mac, my tweak is inspired by LittleSnitch which is an excellent firewall for OS X.
NetFence records all the data that is being sent to the app servers and stores it locally on your device so that you can examine it later. It will give you information about the link to which the app is connecting and also tell you if that link's host is well known for ads/tracking. The tweak can block content that you don't want the app to send, for example you can use it to block google/firebase analytics which the majority of apps use to track user actions. While the main focus of NetFence is to provide an X-Ray visualisation of network traffic, its objective is not to be a full replacement for an ad-blocker. But it can still be used to block ads and other unwanted content from apps/games.
Below is the complete list of available features:
This isn't a question or rant, just a sort of comment. We will continue to use professional services, but:
I kind of love my job. I get to be a jack of all trades master of none in my own playground that I get paid to "manage."
We have hired professional services for big "project" jobs since way before I started working for the company (which was a bit of time ago). And that has almost always been great. It takes a lot of the fear out of it knowing that an "expert" is there to make sure the job gets done right.
But I have been around long enough now that I know a thing or two. And lately these "experts" aren't as knowledgeable as I once thought they were. And all that is fine, but when you pay 30k (or a whole lot more) for a project so that it's turnkey and professionally done right, and you know in your heart the actual hours spent by the engineer is pretty low, and that you could have done it for a few weekends of OT...
It's super awesome when I speak with engineers that really are experts in a specific field. I even feel in awe at times and wish I could buckle down and just focus hard on one thing. But more often than not, I find these guys may have the book smarts, but they are not much more knowledgeable than I am, and sometimes they are less so, and it can feel like I am wasting company money just to do things as we always have and to have the security blanket of someone else taking the responsibility.
This came a few years earlier than I thought it would, but here we are. I haven't had any experience with any device-based "cyber nanny" type applications in 20 years, but I'm generally not very enthused about installing anything like that. I figure there is probably a massive, crowd-sourced naughty domain list out there somewhere that I might be able to pipe into UDM's firewall.
Any thoughts on the firewall idea? Or is there something better?
I work for a municipality that currently has no firewalls. Our buildings are spread out but our main building only supports about 30 users max. I've been adding Unifi APs and switches. Have looked at the Dream Machine but am not sure if it's ready for the enterprise. My goal is to setup site to site VPNs eventually. We have around 8 buildings all on separate networks. What would you recommend for ease of use, support, and reliability?
Edit: also need the routing capability.
dog is a distributed firewall management system designed to manage hundreds+ of per-server firewalls.
dog is your network guard dog.
I’d like to say, I’m so sad I couldn’t host a full GT due to a last minute drop out. I also didn’t have any more resources to host a bigger tournament either. May have helped legitimize this Deathwatch concept at least a little bit. Now it’s just an obscure RTT after months of planning... I hope that the results can draw a modicum of attention to our faction somehow.
But anyways, I’m still gonna call it the East China Open GT to make myself feel better 😘
Use search for keywords on kill teams, the stratagem section, army list breakdown, etc. WARNING: Extremely long
As I’ve previously posted, I came in second place with a 4-1 win and an average score of 95 points across 5 rounds. Posted 23 pics with accompanying short form battle reports on each. Hope you guys do enjoy. The event is called East China Open for all who are interested.
Battle report East China Open GT with 23 pics and battle reports
My list Deathwatch Firewall 2.0
So at the tournament I can safely say, all the battles were uphill for my opponents. My only loss in game 4 was two critical errors on my part. The simple mistake of not putting my unit on the objective in my base turn 1, and I was supposed to move and charge the enemy objective but forgot to move. 10 point swing. Nothing you can do about being a noob. It wasn’t supposed to be hard in any way and my opponent was almost tabled by turn 4, just waiting for me to walk over. I mention this because I want to quickly answer the question “are daemons hard for DW?” and the answer is, absolutely not. The daemons player just played much better and didn’t make mistakes that were as critical.
I’ll also post a pic of our league results later where DW still sits number 1.
With that out of the way, let’s kick off the analysis.
Army list breakdown
Bike Captain w/ chainsword and storm shield WLT: Nowhere to Hide Relic: Dominus Aegis
Nothing new from previous firewall. Cover pierce is essential for an army reliant on masses of ap1 and 0 from flamers, bolters, and volkites
Librarian w/ jump pack Psychic powers: premorphic resonance and fortified with contempt
I traded in the chief libby role for jump pack. It’s amazing because now I’m never out of range to support the flank I need, especially with how spread out I was against the units at the end. It also made sure I was always out...
Take control of apps' network access with AppFirewall!
AppFirewall intercepts outbound connections and prompts for your permission before continuing, similar to iOS' other permissions.
Afterwards, you can manage which sites are allowed & blocked in settings.
Add iOS 14 support.
Note: I’m not the developer. Brayden Traas (u/yellow13) is the developer. Thanks for the update!
[[App Firewall (iOS 10-14)]]
Edit (Important): I’m on 14.3. After install, apps are crashing when opened. Some have no issue with the tweak.
Currently we have a Cisco ASA 5505 firewall solution, which by itself is very old and also I get some complaints of users not being able to connect via VPN. Also I think support for this device ends in 2022 :)
Can you please recommend a firewall solution. The company in question is small about 60ish devices/people that work mostly from home. Need to setup tunnels to the parent company in another country.
I have experience with WatchGuard Firebox in a previous company that I worked at, but I had trouble with it with the constant everyday updates that would block all traffic for a couple of minutes plus some other stuff.
Thanks for the help
I am having trouble wrapping my head around interface rules in pfSense. I am familiar with how firewalls work, but I don't quite understand the meaning behind interface rules. Let's say I have the following subnets:
LAN1 - 10.0.1.1
LAN2 - 10.0.2.1
LAN3 - 10.0.3.1
If I specified the following rule:
Action: Pass Interface: LAN1 Source: LAN2 Destination: * (any)
what would the destination be: all clients on the LAN1 network (similar to the option "LAN1 net"), or any clients on any network (LAN2 and LAN3 included)?
How about this rule:
Action: Block Interface: LAN2 Source: LAN3 Destination: LAN1
Would this even make sense, considering that this interface in no way pertains to either LAN1 or LAN3?
Also, as a final question, if I wanted to block LAN1 and LAN2 traffic from going to one another, I would create two rules:
Action: Block Interface: LAN1 Source: LAN2 net Destination: LAN1 net
Action: Block Interface: LAN1 Source: LAN1 net Destination: LAN2 net
Would I then have to go on the LAN2 interface and invert each option, essentially making this:
Action: Block Interface: LAN2 Source: LAN1 net Destination: LAN2 net
Action: Block Interface: LAN2 Source: LAN2 net Destination: LAN1 net
Or would this second set of rules be completely redundant and unnecessary?
Edit: correction for the last question
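The post's questions come down to one rule of pfSense: a rule on an interface tab is only consulted for traffic that enters the firewall on that interface, top to bottom, first match wins, default deny. The model below is an added example written for this thread, not pfSense code; it assumes /24 subnets (the post gives only gateway addresses) and runs both the post's "all on LAN1" rule set and the one-block-rule-per-tab version.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets: the post lists only the gateway addresses, so /24 is an assumption.
NETS = {
    "LAN1": ipaddress.ip_network("10.0.1.0/24"),
    "LAN2": ipaddress.ip_network("10.0.2.0/24"),
    "LAN3": ipaddress.ip_network("10.0.3.0/24"),
}

@dataclass(frozen=True)
class Rule:
    action: str     # "pass" or "block"
    interface: str  # the tab the rule lives on = the interface where traffic ENTERS the firewall
    src: str        # "LAN2 net" or "any"
    dst: str        # "LAN1 net" or "any" (shown as "*" in the GUI: any host on any network)

def selector_matches(selector: str, addr: ipaddress.IPv4Address) -> bool:
    if selector in ("any", "*"):
        return True
    return addr in NETS[selector.replace(" net", "")]

def ingress_interface(src: ipaddress.IPv4Address) -> str:
    """A packet enters pfSense on the interface whose subnet contains its source address."""
    for name, net in NETS.items():
        if src in net:
            return name
    raise ValueError(f"{src} is not on a known LAN")

def evaluate(rules: list[Rule], src_ip: str, dst_ip: str) -> str:
    """Per-interface, first match wins, default deny: only the ingress tab's rules are consulted."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = ingress_interface(src)
    for r in rules:
        if r.interface != iface:
            continue  # a rule on another tab can never match this packet, whatever its source field says
        if selector_matches(r.src, src) and selector_matches(r.dst, dst):
            return r.action
    return "block"

# The post's first attempt: both block rules on the LAN1 tab, above the usual allow rules.
WRONG = [
    Rule("block", "LAN1", "LAN2 net", "LAN1 net"),  # dead rule: LAN2 traffic never enters on LAN1
    Rule("block", "LAN1", "LAN1 net", "LAN2 net"),
    Rule("pass", "LAN1", "LAN1 net", "any"),
    Rule("pass", "LAN2", "LAN2 net", "any"),
]
# Fixed: one block rule per tab, each matching traffic that actually enters there.
RIGHT = [
    Rule("block", "LAN1", "LAN1 net", "LAN2 net"),
    Rule("pass", "LAN1", "LAN1 net", "any"),
    Rule("block", "LAN2", "LAN2 net", "LAN1 net"),
    Rule("pass", "LAN2", "LAN2 net", "any"),
]
```

Because pfSense is stateful, a block rule on the ingress tab also stops the replies to anything it would have allowed, so the second tab needs its own block rule only to stop connections initiated from that side, not to mirror the first.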
Did a poll a few days ago about where people were hosting their selfhosted, now let's see how you all deal with your network =)
Most importantly, it can prompt and block outgoing connections like programs that phone home. I used to use Conseal PC Firewall, Kerio Firewall, Outpost Firewall 2009, and soon PC Tools Firewall Plus v7 in older Windows versions.
Thank you for reading and hopefully answering soon. :)
I just wanted to get some insight here as I have very limited corporate IT exposure and experience. I'm sure it's common for small businesses to use a SonicWall TZ or something, but is it common that medium and larger companies use the mid to high end SonicWalls at all? I'm just trying to get an idea of market share with regards to the bigger firewalls. I assume it's mostly stuff like Cisco, HP and PA.
Good morning Reddit,
I'm writing to you today in need of some assistance. I am currently working on a task configuring two networks that can communicate safely with each other through the use of a firewall. Both networks are working fine individually, however, when it comes to communicating across to the opposite networks the packets fail.
I ran a trace route to see where the issue lies and it seems to be at the routers of each network. I'm unsure on how to get the firewall to become operational and send packets between the networks successfully.
I'm assuming I need to configure VLANs 1 and 2 on the firewall but my knowledge is lacking. Does anyone have any tips? Attached is a link to the topology.
Just looking to get pointed in the right direction here then I can figure out the rest from there
We currently use Cacti to monitor our firewalls and it works great...it's just a bit dated.
I was looking at setting up a Grafana, InfluxDB, and Telegraf stack to replace our Cacti server but it seems that is more for singular networks.
Does anyone have suggestions on what kind of stack I should be looking at for SNMP polling (the reason I need polling vs traps is the sites I need to monitor typically don't have a spare machine that I can set up an agent on).
Or am I just misunderstanding Telegraf and Influx and it can indeed support many hosts? Or should I be looking at something like snmpcollector?
I tried a Grafana, Zabbix, MySQL stack, but was running into configuration issues.
Any and all help is greatly appreciated!
So to start off with a bit of context, I actually play with the DS4 as I don't have the AIM, and I have played extremely briefly with the aim at a friend's. Even with the DS4, I can say that this is by far one of the most immersive games I've ever played, the graphics here are some of the best on psvr next to Blood and Truth, and Farpoint, and the gunplay is fantastic, and there are so many! The DS4 provides a surprisingly good tracking experience, rifles and smgs work great offering just enough of the feeling that I'm holding them to get me immersed, and the pistols work even better than the AIM and feel amazing. The maps are super well designed and the audio is unmatched. I'm so happy I picked this up, as it's just bursting with quality, and I'd recommend anyone, AIM or DS4 to pick it up right now for around 9 bucks
So our ISP provides a managed Router and manages our Unifi APs. We are testing a 3CX setup and need to disable SIP ALG and enable port forwarding on the Firewall, and assign a static IP to the 3CX server. ISP has refused to share Router login details and is charging the equivalent of $30 for what shouldn't take more than 15 mins to fix. Is this a normal procedure from an ISP that manages your Router and APs?
PS: For perspective, monthly minimum wage is $36
Hi all, I'm looking for a way to orchestrate the deployment of firewall rules to Palo Altos and Forcepoint FWs based on a risk assessment. Has anyone used Ansible/Ansible Tower to orchestrate such a process? I cannot see any other tool with more integration than Ansible 😀. Any light will be appreciated.
Right now it’s £8.24 in the Playstation Store but is there still enough people online during the day to actually play with?
Considering some machines have their Windows Firewall disabled, but we plan to reactivate it to the strict minimum traffic allowed.
Do you know a tool that would gather TCP inbound/outbound connections so it could run for some days and would give a synthetic view of the results? After that we could analyse it, consider what is normal/not normal and configure the rules.
Wireshark would give too detailed a result, but maybe a tool that goes on top of that exists?
Hi Everybody!! ( supposed to be read in Dr. Nick Riviera's voice from the simpsons)
I've got a project about to kick off on migrating from a 3050 and 5060 to a 3250. I am trying to find the best option around this migration, I hear Expedition but don't want to focus just on that.
Has anyone done a similar migration? What did you use for the work?
We have been reviewing some scripts from a contractor and I have been reviewing Expedition (outside prod support). The issue I have around Expedition is I can't really find any data around PA to PA migrations, probably since taking a "Device State" export/import works so "well", I've done it a few times. Does anyone have a link or three around PA migrations using Expedition?
Thanks as always! I love this sub!
So I'm not sure if this is something for r/nest or r/Calyx... but anyway.
So I upgraded from the MiFi 8000 to the MiFi M2000 this week, and it's definitely faster. So I proceed to attach it to my Asus router via USB. Basically, an in-place replacement for the 8000.
For some reason, the Asus with the M2000 attached now won't allow my Nest devices -- and a wifi-connected treadmill -- to connect. When I reattach the 8000 to my Asus router, all is well again.
Do I likely have a faulty M2000? I've tried using Google Public DNS (220.127.116.11) on the M2000, disabling IPv6 on the Asus, and finally doing a factory reset on the M2000, but none of it helped.
All I'm certain of is that because of the Nest devices connecting to the Asus while the 8000 is attached but not when the M2000 is attached, something's likely wrong with the M2000.
Ordinarily I would try troubleshooting, but when the Nest devices include smoke alarms... I'd rather not spend more time on that.