yes. hi. hello. me again.

today let’s talk about building a firewall for my voluptuous rack.

i tweeted about building a PFsense firewall for the rack at the house.

these are my key takeaways after 5 minutes of research about building a firewall at the house.


use cases and constraints

let’s break this down into 2 sets of use cases, and hopefully we can find a solution to as many as possible.

firewall

I want TCP/UDP port level controls. period.

examples:

normally this is something we can do with iptables or ufw but we are mutating network entities in the kernel of the host we need to protect from. we genuinely have a solid use case for external hardware specific, kernel based firewalling.

  • block all TCP traffic on 3000-32767 0.0.0.0/0
  • block all TCP traffic except from 10.0.0.0/24
  • allow all TCP traffic on 22, 80, 443 from 0.0.0.0/0

routing

broken down by NICs [x]

  • outbound masquerade failover WAN 96.82.77.33/29
  • SNAT rules for Kubernetes
    • SNAT traffic from 96.82.77.34/29 -> 10.0.0.188/32 (alice)
    • SNAT traffic from 96.82.77.35/29 -> (yakko)
    • SNAT traffic from 96.82.77.36/29 -> (wakko)
    • SNAT traffic from 96.82.77.37/29 -> (dot)
  • inbound LAN 10.0.0.1/24

security

this is kernel/operating system level security concerns

  • layer 7 inspection
  • packet caputers
  • pen testing lab
  • running public facing interface unencrypted
  • running public facing interface as root

software decision (OPNsense vs PFsense)

i have decided to go with opnsense for the software layer.

PFsense is shady as fuck

checkout this court transcript that shows PFsense doing some shady shit with OPNsense.org domains.

furthermore there is some open source concerns i have with the build tools, and the ethics of the pfsense org in general. more detail:

hardware decision

i decided to go with the Supermicro SuperServer SYS-E300-9D you can find it here on amazon

here you can find the spec sheet

more specs we host

reasons for my decision

  • we wanted to rackmount this in the rack (19 inch rack kit here)
  • we wanted SFP hardware to develop on
  • we wanted up to 10G intel NICs to develop on
  • we wanted IPMI nic for IPMI experiments on kubernetes with controllers

more to come

stay tuned as we set up our hardware and software over the next few streams

view more live streams of our progress at twitch.tv/krisnova