Album

joined 2 years ago
[–] Album@lemmy.ca 2 points 21 hours ago* (last edited 21 hours ago)

Wrt LAN deny-all for the fam, it's mostly hard on gamers cuz games tend to use wide port ranges and outbound IPs are potentially home ISP networks, not the game servers. But yeah, it takes some time and research to really lock it down.

Most stuff is running through web protocols though. So right off the bat you create allow rules for any LAN device to hit ports 80, 8080, 443 and 8443, which are the common HTTP and HTTPS ports. That's gonna get most ppl what they need.

I do ASN based allows for certain applications like Google, Facebook, etc.

For consoles they're pretty locked down so just give them full allow to the Internet. I don't do that actually but it's probably the better way.

IoT devices get only the ports they need to the IPs they need.

When you said you are using unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right?

No, I mean my unbound resolves DNS for something like microsoft.com all by itself. It calls up the root name servers, finds the com nameservers, then asks the com nameservers for Microsoft. And for any subdomains it asks the MS name servers. This is instead of relying on external forwarding services like 8.8.8.8 or 1.1.1.1 or Quad9 or whatever. At least the former two are sure to be aggregating this data.

Additionally, I do not allow devices on my network to reach out to external port 53 or 853 to circumvent lookups on my unbound by reaching out directly, which would then bypass the DNSBL. Anything for port 53 gets NAT'd to the unbound server. You can't redirect TLS attempts, so those get hard blocked.

Curious to your IDS solution

Suricata is what OPNsense uses. Pretty easy to set up.

[–] Album@lemmy.ca 6 points 1 day ago (2 children)

I have an N100 box that I put OPNsense on for routing, firewall, DHCP, DNS and IDS. It uses unbound for DNS and so I'm leveraging the blocklist functionality in unbound. And then I use unbound to resolve instead of using DoT forwarding.

DNSBL is only a small component of effective network security. Arguably the firewall is most important, and so I have a default deny-all for any device on my LAN trying to reach the Internet.

All applications need specific allows. Thus internally no device can use DNS over TLS, because 853 is blocked by default. Then I use a DNSBL to catch known DoH by domain, since the cert is provided by domain name.
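The outbound policy described in the two comments above (default deny, the common web ports allowed, port 53 NAT'd to the local unbound, 853 hard-blocked, IoT devices pinned to specific IP:port pairs, and a DNSBL catching DoH resolvers by name) as a small rule evaluator. This is an added illustration, not the commenter's OPNsense configuration; the LAN range, the unbound address, the IoT device, the external resolver and the blocklist entry are all constructed.

```python
# Added example (not the commenter's configuration): a model of the outbound
# LAN policy from the comments. Rules, first match wins: traffic that is not
# LAN->Internet is out of scope; outbound :53 is NAT'd to the local unbound so
# the DNSBL still applies; :853 (DoT) is hard-blocked because TLS can't be
# redirected; IoT devices get only listed IP:port pairs; then the common web
# ports; the last rule is the default deny. All addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

LAN = ip_network("10.0.0.0/24")                      # assumed LAN range
UNBOUND = "10.0.0.1"                                 # assumed OPNsense/unbound address
WEB_PORTS = {80, 8080, 443, 8443}
IOT_ALLOW = {"10.0.0.50": {("203.0.113.10", 8883)}}  # constructed: IoT hub -> its cloud broker
DNSBL = {"doh.example-resolver.test"}                # constructed blocklist entry (a DoH host)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def evaluate(flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; returns (verdict, reason)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LAN or dst in LAN:
        return ("pass", "not LAN->Internet; outside this policy")
    if flow.dport == 53:
        return ("redirect", f"rdr to {UNBOUND}:53")
    if flow.dport == 853:
        return ("block", "DoT bypass attempt")
    if flow.src in IOT_ALLOW:
        if (flow.dst, flow.dport) in IOT_ALLOW[flow.src]:
            return ("allow", "IoT allow-list")
        return ("block", "IoT device outside its allow-list")
    if flow.proto == "tcp" and flow.dport in WEB_PORTS:
        return ("allow", "common HTTP/HTTPS port")
    return ("block", "default deny")

def resolve(name: str) -> Optional[str]:
    """Model unbound's blocklist: listed names get no answer, others resolve (constructed)."""
    return None if name in DNSBL else "192.0.2.10"

def doh_attempt(client: str, resolver_host: str) -> Tuple[str, str]:
    """A DoH client must first look up its resolver's name, then connect on :443. Since
    443 is allowed for web traffic, the lookup (forced through unbound) is where it stops."""
    verdict, _ = evaluate(Flow(client, "198.51.100.1", 53, "udp"))  # constructed external DNS
    addr = resolve(resolver_host) if verdict == "redirect" else None
    if addr is None:
        return ("block", "DNSBL gave no answer for the DoH resolver name")
    return evaluate(Flow(client, addr, 443))
```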

[–] Album@lemmy.ca 6 points 1 day ago (5 children)

Yeah, Mads Mikkelsen. I know him as the Casino Royale Bond villain. Imo one of the best ever.

[–] Album@lemmy.ca 5 points 1 day ago (1 children)

It'll also be wrong in every application you run in your browser. Even local sites.

[–] Album@lemmy.ca 138 points 2 days ago (5 children)

Might be the best use of AI I've seen

[–] Album@lemmy.ca 2 points 4 days ago

Bad mortgages, bad ratings agencies, and definitely bad issuers.

[–] Album@lemmy.ca 1 points 4 days ago* (last edited 4 days ago)

Thanks for rephrasing. The thing is, with regulation, when there's a caveat/condition it's forbidden, not just a correctness check. I think the underlying sentiment is correct: a blanket ban on something is surely easier to enforce than a nuanced approach.

But that's my whole point since the first post. A blanket ban on securitization just locks away the whole tool when really we should just work to implement effective regulation.

The real problem is that law and subsequent regulation lags behind innovation. Like AI or crypto would be an example. So back in 2008 there was a lot of lag on securitization as an innovation. Subsequent to the crisis, in 2025 market reg is well established on securitization products and derivatives.

[–] Album@lemmy.ca 0 points 5 days ago (3 children)

It's not semantics when what you're saying doesn't make sense and is contradictory to reality.

Actually, I am not sure what issue you're even raising because of how poorly you communicated.

I thought about not responding at all, tbh, but then thought that it's clear you think there is some sort of material difference between regulation and law.

Checking if the illegal thing has been done is often easier than checking if the regulated thing has been done correctly,

Pointedly incorrect. And that's my point: checking the illegal thing is the same thing as checking the regulated thing. But you assert there is some difference.

[–] Album@lemmy.ca 0 points 5 days ago (5 children)

Financial regulations are written in law, and thus illegal to violate.

[–] Album@lemmy.ca 2 points 5 days ago* (last edited 5 days ago)

No that's a bad analogy because no one is arguing the water should be taken away because of a misguided understanding that it's inherently dangerous.

The actual analogy is "People have died in water, so no one should swim anymore"

But that's obviously absurd. You hire lifeguards, teach people to swim, get a life vest, life savers, etc.

[–] Album@lemmy.ca 3 points 5 days ago (8 children)

It's the opposite. Regulation assumes business will do anything they think they can get away with if it will make a buck. A lack of regulation assumes companies won't do those things.

People think "regulators" allowed this to happen, but actually "regulators" are agencies established by the government that act upon law. At the time of the 2008 financial crash there were limited or few laws (i.e. regulations) on derivatives. It's lawmakers that refused to act.

It seems people are largely unaware of the myriad of regulatory changes that came after 2008 and Bernie that applied to derivatives and customer/investor protection in general.

The same set of factors that created 2008 is no longer applicable, as the environment has changed. There will surely be new regulatory weaknesses that need to be addressed.

[–] Album@lemmy.ca 6 points 5 days ago (1 children)

Didn't read like that to me initially but if that's what you meant by it then my bad.
