Firewall Module

Hello everyone, this is the first message I write in this forum. I have just discovered this fantastic system after going through pfSense, OPNsense, Endian and Mikrotik.
I am testing it as a firewall and OpenVPN server installed on APU2 hardware with 2 GB of RAM. I would need advice on which modules to activate to have optimal security as a firewall.
Thank you very much, Gianni

Hi Gianni,
IMVHO, “optimal security” is achieved through analysis, evaluation and wise configuration.

In many small offices, the default config is “enough”. Otherwise…
Proxy plus web content filter are the starting options for managing “where a device can go”. Or even a user. ClamAV scan can be integrated too, but it will increase CPU use.
But if that is not enough to avoid data mongering around the network, adding an interesting tool like DPI could help avoid, or manage, the “kind” of traffic that may lead your ISP connection to take a nap.
DPI is not that powerful without traffic shaping. NTop/Bandwidth monitor can help you analyze immediate data use, but it is the settings in firewall, DPI and traffic shaping that can contain abuse of excessive data.

Not least tools: threat shield and IPS. These are trickier services to configure properly, due to the necessary increased awareness of network traffic and vulnerabilities; they can also cause a lot of CPU usage.

Your worst enemy for a nice setup? Hurry.
If you already know what you need, you can go install and configure everything. But if the hardening process of your network has just begun, every setup should settle (and be monitored via logs and tests) for a bit. Only to avoid building the Great Wall of China if your enemies are a lot of ants on the warpath…
Also, don’t forget the balance of countermeasures… A nice man a few years ago set a “lock account” policy on the administrative account. Without any “backup account” for unlocking it…


I think I’d say that if all you want is a firewall, you’d be better off with something dedicated to that purpose like OPNSense or pfSense. @Andy_Wismer likes OPNSense, but I think their support sucks and prefer pfSense instead.

Thanks to everyone for the advice. I find NethServer much cleaner and faster than the various pfSense etc. I understood what the optimal configuration could be; I just need threat shield. In the meantime I will test it with these. Thanks again to all for the precious information.
Gianni


Welcome @grpse!

I have the same hardware, I think you can achieve a good balance between security and performance using these services:

  • normal firewall rules
  • IPS (suricata)
  • fail2ban
  • threat shield

Well, try not to overwhelm your config at first, like marking all categories in DNS or IPS, lol!

If you do so, besides making your internet slow, you can face some file sharing performance problems…

See what your client needs and protect them from major issues without causing performance problems.
