From owner-freebsd-questions@freebsd.org  Fri Jan 11 21:21:28 2019
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 96BCF149DF6A
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Fri, 11 Jan 2019 21:21:28 +0000 (UTC)
 (envelope-from byrnejb@harte-lyne.ca)
Received: from mx32.harte-lyne.ca (mx32.harte-lyne.ca [216.185.71.32])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx32.harte-lyne.ca", Issuer "CA_HLL_ISSUER_2016" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 0320E88C8C
 for <freebsd-questions@freebsd.org>; Fri, 11 Jan 2019 21:21:17 +0000 (UTC)
 (envelope-from byrnejb@harte-lyne.ca)
Received: from mx32.harte-lyne.ca (unknown [127.0.32.1])
 by mx32.harte-lyne.ca (Postfix) with ESMTP id 224BD4772
 for <freebsd-questions@freebsd.org>; Fri, 11 Jan 2019 16:21:11 -0500 (EST)
X-Virus-Scanned: amavisd-new at harte-lyne.ca
Received: from mx32.harte-lyne.ca ([127.0.32.1])
 by mx32.harte-lyne.ca (mx32.harte-lyne.ca [127.0.32.1]) (amavisd-new,
 port 10024)
 with ESMTP id W3odr5jZ_eu3 for <freebsd-questions@freebsd.org>;
 Fri, 11 Jan 2019 16:21:04 -0500 (EST)
Received: from webmail.harte-lyne.ca (mx32.harte-lyne.ca [216.185.71.32])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by mx32.harte-lyne.ca (Postfix) with ESMTPSA id 5759B4767
 for <freebsd-questions@freebsd.org>; Fri, 11 Jan 2019 16:21:04 -0500 (EST)
Received: from 216.185.71.44 (SquirrelMail authenticated user byrnejb_hll)
 by webmail.harte-lyne.ca with HTTP; Fri, 11 Jan 2019 16:21:04 -0500
Message-ID: <647ac45684fa13349cb3e3d833e0c405.squirrel@webmail.harte-lyne.ca>
Date: Fri, 11 Jan 2019 16:21:04 -0500
Subject: OPNsense
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: freebsd-questions@freebsd.org
Reply-To: byrnejb@harte-lyne.ca
User-Agent: SquirrelMail/1.4.23 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Rspamd-Queue-Id: 0320E88C8C
X-Spamd-Bar: --------
X-Spamd-Result: default: False [-8.46 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 HAS_REPLYTO(0.00)[byrnejb@harte-lyne.ca];
 RBL_COMPOSITE_RCVD_IN_DNSWL_MED_DWL_DNSWL_LOW(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip4:216.185.71.0/26]; TO_DN_NONE(0.00)[];
 RCVD_DKIM_ARC_DNSWL_MED(-0.50)[]; REPLYTO_ADDR_EQ_FROM(0.00)[];
 DKIM_TRACE(0.00)[harte-lyne.ca:+];
 RCVD_IN_DNSWL_MED(-0.20)[32.71.185.216.list.dnswl.org : 127.0.4.2];
 HAS_X_PRIO_THREE(0.00)[3];
 MX_GOOD(-0.01)[mx32.harte-lyne.ca,mx31.harte-lyne.ca,mx132.harte-lyne.ca];
 DMARC_POLICY_ALLOW(-0.50)[harte-lyne.ca,quarantine];
 NEURAL_HAM_SHORT(-0.96)[-0.962,0]; FROM_EQ_ENVFROM(0.00)[];
 MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[];
 ASN(0.00)[asn:12021, ipnet:216.185.64.0/20, country:CA];
 IP_SCORE(-3.78)[ip: (-9.91), ipnet: 216.185.64.0/20(-4.95), asn: 12021(-3.96),
 country: CA(-0.09)]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[harte-lyne.ca:s=dkim_hll];
 RCVD_COUNT_FIVE(0.00)[5]; FROM_HAS_DN(0.00)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 MIME_GOOD(-0.10)[text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org];
 RCPT_COUNT_ONE(0.00)[1];
 DWL_DNSWL_LOW(0.00)[harte-lyne.ca.dwl.dnswl.org : 127.0.4.1]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2019 21:21:28 -0000

The weekend I am experimenting with an OPNsense firewall/router at one
of our sites.  I have been having mixed success with testing so far
and decided to take the whole network down while the user traffic is
negligible.  Since it is only a matter of a few plugs if things go
terribly wrong then I will just cut the test machine out and restore
the normal cabling configuration.

However,  I have a few reservations about the OPNsense appliance even
before I test it.  Specifically the apparent lack of any way to
black-hole repetitive logon attempts to various exposed services.

Does anyone here employ OPNsense as their corporate firewall?  What
are the best and worst features of the product?  Are there ways to
configure OPNsense to block repetitive initiations of new connections?



-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3