
Firewall as a content filter

porina

[image: homenetwork.png]

My current home network probably isn't much different from most. I have a cable modem operating as a pure modem. This gets connected to a "wireless router" which does all the NAT stuff as well as provide wifi. Then I branch off additional switches for the wired part of network. The router does some basic firewall stuff but the interface isn't designed to do anything complicated easily.

I'm now debating adding a dedicated firewall, which logically would have to sit between the cable modem and existing router to see all traffic including wireless.

The main goal of the firewall here is NOT to prevent intrusion attacks, but instead it is to prevent unwanted data leakage from the internal network outside. As contradictory as it sounds, it also needs to be as unintrusive as possible. I'm thinking it would act on a blacklist only. Specific examples would be to block MS telemetry and Windows Update servers (I will separately handle manual updates). Other candidates would be known ad servers, which if this works well I'd like to ditch adblock-like plugins.

Now here is where things get complicated... because it would be "outside" the router, it is not on the private side of the network. I only get a single IP from the ISP, so I think I have two options here.

1. The firewall will also become the new router/NAT/DHCP/etc. My concern about this part is I know what I have now "works" and I'd have to make sure any new implementation would also work similarly.

2. Is there a way to configure it in a transparent mode so it doesn't exist as an IP level device (it does not have an assigned IP on the filtered ports), while still filtering IP traffic? I could then perhaps have a side channel connected to the internal network for control and monitoring. Or is my thinking just nonsense at this point? Would it be more correct to return some error state than leave a connection hanging open?

For either of the above, what software options are there? I'd value ease of use and performance (low additional latency for gaming). Doesn't have to be "free" but obviously don't suggest enterprise priced options... actually, it doesn't have to be software, as that implies I'd need hardware to install it on. It could also be a purpose built device optimised for the job.

Gaming system: R7 7800X3D, Asus ROG Strix B650E-F Gaming Wifi, Thermalright Phantom Spirit 120 SE ARGB, Corsair Vengeance 2x 32GB 6000C30, RTX 4070, MSI MPG A850G, Fractal Design North, Samsung 990 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Productivity system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, 64GB ram (mixed), RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, random 1080p + 720p displays.
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible

What wireless router do you have?

Most modern routers have a decent firewall, negating the need for a firewall.

4 hours ago, porina said:


You ever thought of building a PFsense box to replace the router portion? It would have more powerful tools and abilities than any consumer and even some enterprise gear. Best part, the OS is free. You just need some hardware. It would handle your firewall and all other routing duties. Then I would hook the existing router to it via its LAN port, essentially just using the router as a switch/AP. Just make sure you disable the DHCP server.

I just want to sit back and watch the world burn. 

On 10/14/2017 at 2:11 PM, Donut417 said:

You ever thought of building a PFsense box to replace the router portion? It would have more powerful tools and abilities then any consumer and even some enterprise gear. Best part, the OS is free. You just need some hardware. It would handle your firewall and all other routing duties. Then I would hook the existing router to it via its LAN port, essentially just using the router as a switch/AP. Just make sure you disable the DHCP server. 

 

On 10/14/2017 at 4:34 PM, jnic said:

sounds like you might want to look into pfsense

I've kinda decided to give pfsense a play. It was on the to-look-at list already. Thinking about it, I have an HP Microserver Gen8 idle at the moment, and it has two ethernet ports so it could be ideal for such a use case. It is less clear what the hardware requirements are; the official ones seem low and no problem, but another site that tops google search suggests I might want more. The server has a Celeron G1610T CPU (Ivy Bridge, dual core, 2.3 GHz) and 8GB ECC ram. I'm not going to upgrade the ram, but the CPU is more the concern...

On 14/10/2017 at 4:34 PM, jnic said:

sounds like you might want to look into pfsense

Pfsense is awesome! :D I have it and I've got 4 networks connected to it. :)

  1. Public Network, anyone visiting connects to it
  2. Private Network, that's my network for servers which I host and such
  3. "Home Network", for my family
  4. Dev Network, for testing before putting into production.

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung | OS: Win 10 Pro

Audio: Behringer Q802USB Xenyx 8 Input Mixer | U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

Home Lab: Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

You could employ a web proxy, but nothing you do here is going to be "unintrusive" at all. I mean you can block sites (can't go to Gmail.com) or you can block ports (443 blocked, no secure websites for you) or you can try your hand at content filtering. A web proxy can do that, but you are talking about something like a Websense filter (Websense/Bluecoat/Proofpoint Security Gate with ICAP enabled). Yes, pfSense has a proxy package or two, but I'm not sure they are up to what you are asking for, since all SquidGuard does is URL filtering.

Is this truly a home network or are you running a business off it? If it's just home then, why are you so concerned? Who don't you trust on your network? Normally when people do this kind of security it's because they can't trust everyone (or anyone) on their network. Like a bank for example.

Now Snort will do IPS (Intrusion Prevention System)

And Suricata will do IDS (Intrusion Detection System)

But if you really want to stop data exfiltration from your network, you'll need to isolate your bad actors and minimize their access and contact.

39 minutes ago, Brian Blankenship said:

Is this truly a home network or are you running a business off it? If it's just home then, why are you so concerned? Who don't you trust on your network? Normally when people do this kind of security it's because they can't trust all everyone (or anyone) on their network. Like a bank for example.

As mentioned in OP, the primary use of this is a glorified adblock, anti-telemetry, and anti-Windows Update (I can't afford reboots other than when I explicitly say so). I'm tired of micro-managing each individual system; it just seems easier to centralise the filtering. It is just for me. I do have far more systems than average, and now that it is getting cooler more of them will be in active use more often too.

2 hours ago, porina said:

As mentioned in OP, the primary use of this is a glorified adblock, anti-telemetry, and anti-Windows Update (I can't afford reboots other than when I explicitly say so). I'm tiered or micro-managing each individual system, just seems easier to centralise the filtering. It is just for me. I do have far more systems than average, and now that it is getting cooler more of them will be in active use more often too.

I see. You are more like me than I thought at first. pfSense can block updates to Windows even without a proxy, just put in a domain pointer for the updates. I think it's still windowsupdate.com; you could just redirect that to 127.0.0.1 and remove the redirect when you are ready to update. If you use the BIND package you can have a view for each machine if you need to be that granular and control them individually.

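Brian's per-machine idea above, written out as an added example that is neither from the thread nor from pfSense's own configuration: a BIND named.conf excerpt with two views, so that one constructed client address (192.168.1.20) has windowsupdate.com sinkholed to 127.0.0.1 while every other host on the LAN resolves it normally. The file paths and the zone file name are assumptions.

```bind
// --- named.conf excerpt (added example; paths are assumptions) ---

// The one machine that must not reach Windows Update right now.
acl "held-back" { 192.168.1.20; };   // constructed LAN address

// Views are matched in order: the narrow view must come before the catch-all.
view "held-back" {
    match-clients { held-back; };
    recursion yes;
    // Authoritative sinkhole for this client only; every other name is
    // resolved normally by the recursive resolver.
    zone "windowsupdate.com" {
        type master;
        file "/usr/local/etc/namedb/sinkhole.db";   // assumed path
    };
};

view "default" {
    match-clients { any; };
    recursion yes;
};

// --- /usr/local/etc/namedb/sinkhole.db (generic sinkhole zone, assumed path) ---
// Short TTL so removing the redirect takes effect within minutes on the client.
$TTL 300
@     IN SOA  ns.sinkhole. admin.sinkhole. ( 1 3600 900 604800 300 )
      IN NS   ns.sinkhole.
ns    IN A    127.0.0.1
@     IN A    127.0.0.1
*     IN A    127.0.0.1     ; wildcard catches every subdomain as well
```

To release the machine for a manual update, drop its address from the acl (or the zone from the view) and reload named; Brian only says "I think it's still windowsupdate.com", so check the resolver's query log for which names the update client actually asks for before trusting the sinkhole, and be aware that a client pointed at a different DNS server bypasses it entirely.
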
8 hours ago, porina said:

The server has a Celeron G1610T CPU (Ivy Bridge, dual core, 2.3 GHz) and 8GB ECC ram. I'm not going to upgrade the ram, but the CPU is more the concern...

CPU should be fine; you could always swap it out for one with the same socket later on if you are having problems.

I use an i5 2400 and 4GB of ram for mine and it is at 5% CPU usage or less most of the time, and I have quite a few plug-ins running.
