by yabones
1918 days ago
The state of all network firewalls/routers is appalling. Even high-end Cisco, Fortinet, or even Palo Alto gear is riddled with security issues, critically outdated packages, and general poor maintenance. IMO, the only way to have a reasonably secure device is to build it yourself. That's not going to be a popular opinion where the prevailing motto is "nobody gets fired for buying Cisco", but I don't really see any alternative. OpenWRT/Tomato are decent, but they still expose a web UI, which is potentially a greater attack surface than ssh w/ public keys. I've seen some people have good results with OpenBSD or FreeBSD, others with skinny versions of Debian or CentOS. I took a crack at it last year on Debian (shameless plug: https://nbailey.ca/post/linux-firewall-ids/), and I've been happy with it so far. It is more expensive to build, but I expect this device to last more than a decade, or until I need greater than 1 Gbps per port.
Or configure uhttpd to only listen on localhost and use an ssh proxy tunnel to access the web interface. It saves you from the hassle of self-signed certs too.
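The loopback-only uhttpd setup suggested in the reply above, as an added example that is not part of the thread: a small POSIX sh script that audits an OpenWrt-style `/etc/config/uhttpd` for `listen_http`/`listen_https` entries bound to anything other than loopback, and builds the matching `ssh -L` forward so the web UI stays reachable only through the ssh session. The two config snippets are constructed for the example (the `0.0.0.0:80` and `[::]:80` defaults are what you get before hardening); `sample_config`, `hardened_config`, `exposed_listeners` and `tunnel_cmd` are names chosen here, not OpenWrt tooling.

```shell
#!/bin/sh
# Constructed uhttpd config as shipped before hardening: listens on all interfaces.
sample_config() {
cat <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '127.0.0.1:443'
	option home '/www'
EOF
}

# Constructed hardened config: every listener bound to loopback only,
# so the UI is reachable solely through an ssh port forward.
hardened_config() {
cat <<'EOF'
config uhttpd 'main'
	list listen_http '127.0.0.1:80'
	list listen_http '[::1]:80'
	option home '/www'
EOF
}

# Read a uhttpd UCI config on stdin, print each listen_http/listen_https
# address that is NOT loopback. Exit 0 when nothing is exposed, 1 otherwise.
exposed_listeners() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"list listen_http"*|*"list listen_https"*) ;;
            *) continue ;;
        esac
        # Pull the quoted address:port out of the UCI list line.
        addr=$(printf '%s\n' "$line" | sed -n "s/.*list listen_https\{0,1\} '\([^']*\)'.*/\1/p")
        case "$addr" in
            127.0.0.1:*|\[::1\]:*) ;;          # loopback: fine
            *) printf '%s\n' "$addr"; found=1 ;;
        esac
    done
    return $found
}

# Build the ssh command that forwards a local port (bound to 127.0.0.1 on the
# workstation) to the router's loopback-only uhttpd on port 80. -N: no shell.
# Usage: tunnel_cmd <router-host> <local-port>
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:80 root@%s\n' "$2" "$1"
}

# Stand-alone run: audit both configs and show the tunnel command.
if [ "${0##*/}" != "sh" ] && [ -z "${UHTTPD_AUDIT_QUIET:-}" ]; then
    echo "default config, exposed listeners:"; sample_config | exposed_listeners || true
    echo "hardened config, exposed listeners:"; hardened_config | exposed_listeners && echo "(none)"
    echo "then on the workstation: $(tunnel_cmd router.lan 8080) and browse http://127.0.0.1:8080/"
fi
```

On a live device the audit would be `exposed_listeners < /etc/config/uhttpd` (or, as a hypothetical, `uci show uhttpd` piped through a similar filter); note that the local side of the forward is pinned to `127.0.0.1` so the tunnel itself does not re-expose the UI on the workstation's LAN interfaces.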