meazz1
Resolved
0 votes
I just installed the community edition on my x86, which has 2 NICs.
The default setup is done, all the updates are done as well.

The incoming firewall webconfig is enabled by default. Does it mean I should be OK, or do I need to harden more?

Secondly, I have set up a VLAN and would like to create a firewall rule so the VLAN does not have any LAN access except access to the internet.
Any help or a link on how to do this would be appreciated.
Monday, February 08 2021, 12:20 AM
Responses (7)
  • Accepted Answer

    meazz1
    Tuesday, February 09 2021, 01:43 AM - #Permalink
    Resolved
    0 votes
    Thanks.
    I will start testing this out with the default firewall and changing the VLAN to HotLAN.
  • Accepted Answer

    meazz1
    Tuesday, February 09 2021, 01:41 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Of course you can. The firewall is working out of the box.

    I think there has been a misunderstanding. The ClearOS firewall is completely open to its LAN and generally closed to traffic originating from the WAN (so it allows replies from the Internet, e.g. when browsing your favourite website). It also allows all traffic out from the LAN to the internet. If you close the firewall to SSH through the webconfig you are only affecting the WAN side. If you choose to open the firewall to SSH (so to the internet), make sure you have a strong root password as you will very quickly get a lot of password cracking attempts. This is just normal these days for anything exposed to the internet.

    The reason I recommend OpenVPN to access the server from the internet is because you can close the SSH port and access the server as if you are connected to the LAN.

    SSH can be secured more, e.g. using SSH keys. There is a KB article about securing SSH more.
  • Accepted Answer

    Monday, February 08 2021, 08:26 PM - #Permalink
    Resolved
    0 votes
    Of course you can. The firewall is working out of the box.

    I think there has been a misunderstanding. The ClearOS firewall is completely open to its LAN and generally closed to traffic originating from the WAN (so it allows replies from the Internet, e.g. when browsing your favourite website). It also allows all traffic out from the LAN to the internet. If you close the firewall to SSH through the webconfig you are only affecting the WAN side. If you choose to open the firewall to SSH (so to the internet), make sure you have a strong root password as you will very quickly get a lot of password cracking attempts. This is just normal these days for anything exposed to the internet.

    The reason I recommend OpenVPN to access the server from the internet is because you can close the SSH port and access the server as if you are connected to the LAN.

    SSH can be secured more, e.g. using SSH keys. There is a KB article about securing SSH more.
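The key-only SSH access recommended in the reply above can be checked with a short script. This is an added example, not part of the original posts or of ClearOS documentation; it reads settings in the `sshd -T` output format, and the function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings for password-based logins.
# Input format is that of `sshd -T`: one "keyword value" pair per line.

# Constructed sample: password logins and root password login still enabled.
SAMPLE_WEAK='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
challengeresponseauthentication no'

# Constructed sample: key-only access (port number is an arbitrary example).
SAMPLE_KEYONLY='port 2222
permitrootlogin prohibit-password
passwordauthentication no
pubkeyauthentication yes
challengeresponseauthentication no'

# Reads effective settings on stdin and prints one FAIL line per finding.
audit_sshd() {
    awk '
        { seen[tolower($1)] = tolower($2) }
        END {
            # OpenSSH accepts passwords unless this is explicitly "no".
            if (seen["passwordauthentication"] != "no")
                print "FAIL passwordauthentication: password logins accepted"
            if (seen["challengeresponseauthentication"] == "yes")
                print "FAIL challengeresponseauthentication: interactive passwords accepted"
            if (seen["permitrootlogin"] == "yes")
                print "FAIL permitrootlogin: root may log in with a password"
            if (seen["pubkeyauthentication"] == "no")
                print "FAIL pubkeyauthentication: key logins disabled"
        }'
}

# Prints the number of findings for the settings text passed as $1.
count_findings() {
    printf '%s\n' "$1" | audit_sshd | awk '/^FAIL/ { n++ } END { print n + 0 }'
}
```

On a live server, run `sshd -T | audit_sshd` as root to audit the settings the daemon would actually use.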
  • Accepted Answer

    meazz1
    Monday, February 08 2021, 06:41 PM - #Permalink
    Resolved
    0 votes
    So, until I get familiar with OpenVPN, can I use this as is for my home use? Is the firewall protecting me or is it not?
    Thanks
  • Accepted Answer

    Monday, February 08 2021, 02:42 PM - #Permalink
    Resolved
    0 votes
    OpenVPN is available from an app in the marketplace. The SSH server is installed and enabled by default. Each app has its own documentation (the sloping book icon on the top right of each webconfig screen) and we also have a Knowledge Base.
  • Accepted Answer

    meazz1
    Monday, February 08 2021, 01:12 PM - #Permalink
    Resolved
    0 votes
    Is there a wiki or doc for a newbie like me to set up OpenVPN or SSH for LAN / VLAN devices to access WAN?

    Thanks
  • Accepted Answer

    Monday, February 08 2021, 09:50 AM - #Permalink
    Resolved
    0 votes
    Personally, before putting the machine into production I would close both Webconfig and SSH and only allow external access by OpenVPN (or perhaps a second SSH daemon only allowing SSH key access).

    If you have a single VLAN like this, just change it to a HotLAN. If you have multiple HotLANs the firewall is buggy but it can be got round.