1. As you all observed yesterday, I still run OpenWrt - currently on a Cisco Meraki MX60W
device. I also use OpenWrt to create a separate VLAN for AMPRLAN traffic (those configs
are in the Wiki). I can use routing, masquerade and NAT in another VLAN - if I need to
temporarily assign a device a 44 Public IP for testing and use.
2. I am running the firewall on my tunnel, which is iptables and zone-based in OpenWrt.
Only relevant inbound ports for known services are allowed (e.g. 80/tcp for HTTP from
0.0.0.0/0 and 53/udp for DNS from 44.0.0.0/8). For additional security, I use a script run
with ampr-ripd updates - to only allow Pings and IPENCAP traffic from the IPs located in
the Portal (script available on the Firewall Wiki page - someone offered an update to the
script, but it has not yet been tested or implemented in the one found at the Wiki).
I currently only use Apache, HTML and some PHP on the visible web server. The
"largest" concern here is the PHP-based APRS Code recovery tool (someone in this
forum previously helped me better sanitize the input, as to prevent command injections).
3. I do monitor traffic with the softflowd package in OpenWrt. I collect and record the data
with NfSen (http://nfsen.sourceforge.net).
I also run snmpd for bandwidth statistics.
*Would you be willing to share the SANS IP script you have?* What threats does this list
block?
4. pfSense also implements Snort; perhaps you can route traffic through a Virtual Machine
to test?
5. When needed, I previously used a firewall rule that only allows x SYNs from a given IP in
x minutes. If greater than x attempts - REJECT.
6. Regarding DNS, I do not open my server to the outside world. Only those at 44.0.0.0/8
are able to reach and use it.
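As an added example (this script is not from the post above, nor one of the Wiki scripts it refers to), here is how the rule set described in items 2, 5 and 6 can be written as plain iptables commands: a whitelist chain that is rebuilt from a list of tunnel gateway addresses so that only IPENCAP (IP protocol 4) and ping are accepted from them, 80/tcp open to everyone but with a per-source SYN limit done with the `recent` match, and 53/udp only from 44.0.0.0/8. The interface name, the chain name, the one-address-per-line gateway file and the way it is invoked from an ampr-ripd update are assumptions; the gateway list in the usage is constructed. Commands are printed unless APPLY=1 is set, so the result can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the iptables rules
# for an OpenWrt AMPRNet gateway as described in the post:
#   - IPENCAP (protocol 4) and ICMP echo-request only from known gateways,
#     everything else for those protocols dropped;
#   - 80/tcp from anywhere, with a per-source SYN rate limit;
#   - 53/udp only from 44.0.0.0/8.
# Assumptions: WAN_IF is the public interface, AMPR_GW is the chain name,
# and the gateway file holds one IPv4 address per line ('#' comments allowed).

WAN_IF="${WAN_IF:-eth0}"      # assumed public-facing interface
CHAIN="AMPR_GW"               # assumed name of the gateway whitelist chain
SYN_MAX="${SYN_MAX:-10}"      # allow this many SYNs per source ...
SYN_SECS="${SYN_SECS:-300}"   # ... within this many seconds, then REJECT

# Print the command (dry run) or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Rebuild the whitelist chain from the gateway list in $1. Meant to be run
# each time the gateway list changes (e.g. after an ampr-ripd update).
ampr_gw_rules() {
    gwfile="$1"
    run iptables -N "$CHAIN" 2>/dev/null || true   # ignore "chain exists"
    run iptables -F "$CHAIN"
    grep -Ev '^[[:space:]]*(#|$)' "$gwfile" | while read -r gw; do
        # Loose sanity check: anything that is not digits and dots is skipped,
        # so a damaged list cannot inject extra iptables arguments.
        case "$gw" in
            *[!0-9.]*) echo "skipping invalid gateway entry: $gw" >&2; continue ;;
        esac
        run iptables -A "$CHAIN" -s "$gw" -p 4 -j ACCEPT
        run iptables -A "$CHAIN" -s "$gw" -p icmp --icmp-type echo-request -j ACCEPT
    done
    run iptables -A "$CHAIN" -j DROP   # not a known gateway: drop
}

# Service rules for the public interface; install once.
ampr_service_rules() {
    # Record every SYN to port 80 per source, then reject a source that has
    # sent more than SYN_MAX SYNs inside the last SYN_SECS seconds.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 80 --syn \
        -m recent --name synlimit --set
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 80 --syn \
        -m recent --name synlimit --update --seconds "$SYN_SECS" \
        --hitcount "$((SYN_MAX + 1))" -j REJECT --reject-with tcp-reset
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    # DNS only for the 44/8 network.
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 53 -s 44.0.0.0/8 -j ACCEPT
    # Tunnel traffic and pings are decided by the gateway whitelist chain.
    run iptables -A INPUT -i "$WAN_IF" -p 4 -j "$CHAIN"
    run iptables -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j "$CHAIN"
}

# Usage: sh ampr-fw.sh /path/to/gateways.txt   (APPLY=1 to really install)
if [ $# -gt 0 ]; then
    ampr_service_rules
    ampr_gw_rules "$1"
fi
```

On OpenWrt these commands belong in /etc/firewall.user (or an include referenced from the zone configuration) so that the zone-based firewall reloads them with everything else; the whitelist chain can then be refreshed on its own whenever the gateway list changes. Note that `--hitcount` in the `recent` match is limited by the xt_recent module parameter ip_pkt_list_tot (20 by default), so a larger SYN_MAX needs that parameter raised.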