Why may I ask? Serious question... I don't know what I don't know... I have not run out of IPs on my primary subnet... thx

@@l0gic23 1. Because I’m an early enthusiast of the current protocol; 2. I want my network to be simple yet powerful, versatile and in line with what the Internet intended to be (no NATs, no design limitations - other than the project size itself - nor any shenanigans imposed to fix problems that existed on the Jurassic stack); and 3. To test my gear against the actual Internet standard and improve/fix it by providing feedback to the manufacturers or replacing them altogether with stuff manufacturers ACTUALLY care about.

@@UnderEu I better rewatch this channels video on why IP6 in the home/lab. Thanks!

A lot of modern apps either distribute a trust list on their own (especially if they are containerized / some library is trying to be OS-agnostic), and as a developer it makes a ton of sense to be cert pinning to the CA that issues your certs, but it means it's a nightmare for users behind TLS inspectors.

exactly. Admins can install a trusted CA cert to the workstations and re-sign all their inspected traffic with a subordinate CA signed by the same root, so browsers "mostly" work (Aside from HSTS sites) but standalone apps that just happen to use TCP 443 and TLS are harder.

The authors of TLS and related specs are very concerned with MITM / privacy attacks and don't care to reduce the level of security they provide to make TLS inspection easier. Sites *should* be deploying HSTS, apps using TLS *should* be validating their certs, asking them to do less so you can MITM their traffic isn't something they are interested in 'fixing'. The end result is the end users perpetually think IT has 'broken' something because the program tells them they are being attacked.

Nothing against you in particular, but I absolutely hate people who are trying to MITM TLS traffic. Thank god encrypted SNI is already on the horizon so you people can stop trying to filter the last clear text thing you have left.

eSNI (and it's successor ECH) has some issues with key distribution. It's a great concept but SNI is unencrypted for a reason. Unencrypted SNI (and ALPN) is a thing is so the server can identify which certificate it should use (to properly deal with multi-tenant servers / CDNs / virtual hosts / ...). ECH needs to encrypt the ClientHello using the edge server's key, not the origin's key, so the client needs to know which CDN / server it's accessing and get the key for that server. CF's eSNI would publish their key (their one key, for all of CF) via DNS TXT records, which doesn't work if you aren't using a single CDN for all of your traffic, so it was rejected as a standard. The current ECH version relies on DNS HTTPS records which are basically similar to an SRV. A single domain can have multiple HTTPS records, each of which points to an edge server, proto (http 1.1/2/3), and the edge server's key. But they still aren't widely deployed and supported.

I use a Protectli FW4B at home

Zenarmor doesn't intercept TLS, it only looks at the unencrypted headers. But you choose as a global setting which interfaces to operate on, and beyond that you can choose which interfaces apply to a policy.

Thank you very much for the quick reply! Looking forward to deploying this next week!

Neat! Лайка was the name of the first dog in space, hence the shirt.

It depends on the context. In general they are pushing security updates regularly, but large changes to the codebase take time, and OpenSSL continued 1.x security updates through the end of 2023 which OPNsense was including in their releases. AFAIK 24.1 will include OpenSSL 3.x.

I would also like to see a video on how to do this most efficiently!

Edge or Firefox

They both really different things and are used to protect different things. This is primarily focused on the destination of traffic (going out to the internet, from a client), Crowdsec is focused on incoming traffic to a server and sharing blocklists of simple attackers similar to fail2ban on a larger scale.

Apple-everything is both randomizing the MAC per-network and also no longer sending the hostname via DHCP, so tracking Apple devices is a challenge. They still respond to mdns if queried, but don't immediately advertise it. Zenarmor has caused me to raise eyebrows at some traffic and then spend 10+ minutes identifying the unknown client, only for it to be a sus mobile game on a modern iphone which is doing a good job at hiding its identity. But also, some things can be detected by their known protocol headers (i.e. VPNs), TLS has to send at least SNI and ALPN unencrypted (since the server needs to know the SNI to present the right cert), and more traditional IP-based ranges can also be used as well.

​@@apalrdsadventures did you take any next steps related to the sus games?

More control, less user friendly. Thats opnsense. On sophos youve got your beautiful insights and easy configuration whereas opnsense requires more expertise but has similar - if not better results and is free

The support and hardware, and every vendor has its own Theat İntelligence platform. Plus enterprises are moving to ZTNA

Yeah me too

u need the home version for it (can use the free 15 day trial)

Doing the NAT64 / Option 108 on OPNsense (mostly v6-only + macos), Linux CLAT comes later.

@@apalrdsadventures Looking forward to it. 👍

Suricata is a very manual solution to manage and curate block lists, and is very prone to false positives (and presumable also missing a lot of things, but you'll never know) if you don't put the work in to manage these block lists. That's largely what you get with a Zenarmor subscription, better feeds that they have curated and keep up to date.

@@apalrdsadventures not to mention suricata is VERY CPU intensive which can result in massive slowdowns.

OPNsense's 'native' IDS/IPS solution uses Suricata. Zenarmor gives you curated feeds for a fee vs administering all of the feeds and rulesets manually for Suricata. Both options can be used (potentially at the same time, on different interfaces) in OPNsense.

Don't whip it out in public or you will go to jail.