My home network has a DMZ, so I run inner and outer firewalls. Each of those is a Single Board Computer (SBC), basically a wee small box. They run OpenBSD.
Their main purpose is to protect us here from script kiddies, people attempting to abuse our systems and our finances for their gain. The boxen can only do so much; the script kiddies and the conmen are endlessly inventive in their attempts to abuse: witness advertising, an entire, utterly legal, creative industry built on the art of the con. Conmen and their ilk have many other means to apply their dark arts, beyond advertising & battering down firewalls, but, even so, a firewall should be kept alive and burning (yeah, yeah, I know, wrong metaphor, but WTH).
I see no script kiddies here. That doesn’t mean they’re not here, it simply means I don’t see them. Bluntly, I don’t know whether my firewalls and my other security stuff work, or whether the script kiddies are sufficiently devious for me not to notice their presence. I suspect the latter, but I don’t want to seek them out and disturb them, because, if they’re here, they’re kindly keeping themselves sufficiently quiet for me not to notice their presence. For some bizarre reason, they’ve (un)kindly not stolen my debt, so we all pretend they’re not here (which reminds me of one of my favourite ripostes: “I don’t believe in God, and I wish He’d return the compliment.”).
My real goal is to avoid the hassle of cleaning up a mess after the script kiddies, or nasty abusive conmen, have done their dreadful deeds, by trying to block them doing those dreadful deeds in the first place. I do not want to be among the low hanging fruit.
I don’t want to be the victim of illegal abusive conmen; the legal abusive conmen are bad enough. (Part of the reason I left the UK back in 2005 was to get out of their range: the British civil legal system is corrupt by design).
Note, incidentally, there’s no way my computer security could stop the dedicated nasty experts from breaking in; I am an individual, not a nation state. For that, I have another defence; I’m utterly boring, from their perspective. There’s nothing interesting here. The photo of Kim Jong-Un in bed with seven of President Trump’s daughters is obviously fake. The associated recordings are clearly those of a plank warping.
In reality, the exercise of running a somewhat less insecure than normal home network helps me professionally.
A disadvantage of running a network with a firewall on an SBC is that occasionally the SBC stops working. When the SBC breaks, internet connectivity breaks. My inner firewall is, or was, a Soekris 6501, a perfectly fine single board computer I bought in 2012. It failed late on Sunday evening. It no longer boots. I’ve a hardware failure. It’s out of warranty, and, anyway, the manufacturer went under in 2017, so it won’t be repaired.
I have to admit I’d been expecting the problem. The machine had been having boot problems for a while, and those problems were getting worse. I have something lined up to replace it, but I’ve yet to configure it properly. I have to properly understand OpenBSD’s vmd, and I don’t.
So, temporarily, I’ve removed the 6501 and restored the 4801 that the 6501 replaced. The 4801 is an older model of Soekris SBC, one I bought in the early dreadnoughts before I left the UK. It’s clearly a little pressured by the traffic, but appears to be bearing up.
It can’t stay in place, though. The 4801 has 100Mbit network ports. My ISP, le post, are sending 500Mbit down the wire (a free upgrade from the 100Mbit connection I bought). The 4801 just can’t keep up. It’s not quite as bad as a TGV powered by a pedal, but ….