Installing Sophos Firewall on a mini PC

Overview of Sophos Firewall features

Sophos Firewall is software that behaves like a network appliance. It gives packet and stateful inspection, NAT, VPN for site-to-site and remote access, intrusion prevention, web and application filtering, and SSL inspection. On a mini PC, I use it as the gateway for a home network, replacing a cheap router with something I can actually control and audit. The bits that matter day to day are the firewall rules, NAT, DHCP, DNS forwarding and a basic VPN.

The firewall sits between your devices and the internet. It blocks unsolicited inbound traffic. It also gives you a clean way to restrict outbound traffic if a device gets compromised. For a home network, that cuts the attack surface and makes lateral movement harder. I treat the mini PC as a dedicated gateway, not a box running other random services.

Compared with consumer routers, Sophos Firewall gives clearer rule control and better logs. Compared with pfSense or OPNsense, it feels more like a managed appliance and less like a hobby project. Pick the one that matches how much time you want to spend. I use Sophos when I want a web UI that feels polished without giving up control.

Requirements for mini PC

Check the CPU, RAM and storage before you start. A dual-core CPU is the minimum I would bother with, 4 GB RAM is the floor, and 32 GB of flash or SSD space gives enough room to work with. Intel or Intel-compatible network controllers tend to cause fewer problems. WiFi on the mini PC is fine for a lab, but I would use a separate access point for anything serious. If you want physical separation of WAN and LAN, the mini PC needs two NICs. If not, plan on VLANs.

Back up anything you care about first. Connect one NIC to the internet-facing port and the other to a switch or a single client machine for the LAN. If the firmware supports it, set USB or external media first in the boot order. For the initial install, I prefer a keyboard and monitor. If you are doing it headless, have IPMI or serial access ready before you start.

Download the correct Sophos Firewall ISO from the official Sophos download page and read the release notes. If a checksum is provided, check it. On Linux:

sha256sum sophos-firewall.iso

Compare the output with the vendor checksum. If it does not match, stop there.

Step 1: Creating a bootable USB drive

On Linux:

  1. Identify the USB device with lsblk.
  2. Run:
     sudo dd if=/path/to/sophos-firewall.iso of=/dev/sdX bs=4M status=progress conv=fsync
  3. Wait for the command to finish and run sync.

On Windows:

  1. Open Rufus.
  2. Select the ISO.
  3. Choose MBR or GPT to match the mini PC firmware, BIOS or UEFI.
  4. Click Start and accept the warnings.

Check the USB again after writing it. Reinsert it and confirm the files or run lsblk to check the device size. It should boot on the mini PC.

Rollback note: writing the USB overwrites the stick. It does not touch the mini PC until you boot from it.
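The checksum comparison from the download step and the post-write check above can be scripted so that neither relies on eyeballing hex. This is an added example, not part of the original post or Sophos tooling; the function names are hypothetical and the second function accepts any readable file or block device as the target.

```shell
#!/bin/sh
# Added example: verify an ISO against the vendor SHA-256, then confirm that a
# written device starts with exactly the ISO's bytes.

# verify_iso_checksum ISO EXPECTED_SHA256 -> returns 0 on match, 1 otherwise
verify_iso_checksum() {
    iso=$1
    # Vendors publish digests in upper or lower case; normalise before comparing.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 1; }
    # Reject anything that is not a full 64-character hex digest, so a
    # truncated copy-paste can never pass.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 hex chars" >&2; return 1; }
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_written_image ISO TARGET -> returns 0 if the first size(ISO) bytes
# of TARGET hash to the same value as ISO.
verify_written_image() {
    iso=$1
    target=$2
    # The stick is larger than the image, so compare only the image's length.
    size=$(($(wc -c < "$iso")))
    hash_iso=$(sha256sum "$iso" | cut -d' ' -f1)
    # A target shorter than the image yields fewer bytes and a different hash.
    hash_dev=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    [ "$hash_iso" = "$hash_dev" ]
}
```

Reading /dev/sdX needs root. Run the second check after reinserting the stick so the bytes come from the media and not from the page cache.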

Step 2: Installing Sophos Firewall on mini PC

  1. Boot the mini PC from the USB.
  2. At the installer prompt, select Install and follow the text-based installer.
  3. Assign the WAN and LAN interfaces when asked. If the installer asks about addressing, use DHCP on WAN unless you have a static public IP. Give the LAN a static private IP, for example 192.168.1.1/24.
  4. Finish the install and remove the USB when told to.

Rollback note: the installer formats the target drive. If you need the old OS, stop and image the disk first.

Step 3: Initial configuration of the firewall

  1. Connect a client to the LAN and set its gateway to the LAN IP you chose during install.
  2. Open a browser and go to https://192.168.1.1:4444. Accept the self-signed certificate for first access.
  3. The web admin asks for an admin account and password. Use the password created during the installer.
  4. Run the setup wizard to set time, DNS and update sources. Turn on automatic updates if you want the firewall to fetch definitions.

Step 4: Setting up firewall rules

I keep the rules minimal and explicit. An example rule to allow LAN to internet:

  1. In the web admin, go to the Firewall section.
  2. Create a new rule:
     • Name: LAN-to-WAN-Allow
     • Source zone: LAN
     • Source network: LAN net
     • Destination zone: WAN
     • Destination network: Any
     • Services: Any (restrict later)
     • Action: Allow
  3. Put the rule near the top of the ruleset, but below any blocking rules.

Verification: from a LAN host, run ping 8.8.8.8 and curl -I http://example.com. For ping, expect replies with TTL and time. For curl, expect HTTP/1.1 200 OK or a redirect.

Checks

Verifying installation success

Check that the web admin is reachable and the system shows the right interfaces. On a LAN client:

  1. ipconfig or ip a shows the client has an address in the LAN subnet.
  2. The browser connects to https:// on port 4444 and loads the dashboard.

If the dashboard shows critical services down, open the console on the mini PC and check the interface assignments again.

Testing network connectivity

Test DNS with nslookup or dig for a public host. Test HTTP with curl -I http://example.com. Test NAT from the firewall and check that outbound connections use the public IP.

Ensuring firewall rules are effective

Use the firewall live log or packet capture tool. Create a temporary rule that denies a single client and try outbound traffic from it. The log should show blocked entries with source IP, destination and rule name.
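The deny-rule test above can be checked mechanically against an exported log. This is an added example, not from the original post: the key names (src_ip, dst_ip, log_subtype, fw_rule_name), the rule name TEMP-Deny-Client and the sample lines are assumptions constructed for illustration, so map them to whatever your own export contains.

```shell
#!/bin/sh
# Added example: confirm a temporary deny rule caught every connection from
# one client. Key names are assumptions; adjust them to your log export.

# Constructed sample lines, not real firewall output.
sample_log() {
cat <<'EOF'
log_subtype="Denied" fw_rule_name="TEMP-Deny-Client" src_ip=192.168.1.50 dst_ip=203.0.113.10 dst_port=80
log_subtype="Allowed" fw_rule_name="LAN-to-WAN-Allow" src_ip=192.168.1.20 dst_ip=8.8.8.8 dst_port=53
log_subtype="Denied" fw_rule_name="TEMP-Deny-Client" src_ip=192.168.1.50 dst_ip=8.8.8.8 dst_port=53
log_subtype="Allowed" fw_rule_name="LAN-to-WAN-Allow" src_ip=192.168.1.50 dst_ip=198.51.100.7 dst_port=443
EOF
}

# check_deny_rule CLIENT_IP RULE_NAME   (log lines on stdin)
# Prints "denied=N leaked=M". Returns 0 only if the client has at least one
# entry denied by RULE_NAME and no entry handled any other way.
check_deny_rule() {
    awk -v ip="$1" -v rule="$2" '
    {
        split("", kv)                      # clear the per-line key/value map
        for (i = 1; i <= NF; i++) {        # values with spaces are not handled
            eq = index($i, "=")
            if (eq == 0) continue
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            kv[substr($i, 1, eq - 1)] = val
        }
        # Exact match on the parsed field, so 192.168.1.5 never matches .50.
        if (kv["src_ip"] != ip) next
        if (kv["log_subtype"] == "Denied" && kv["fw_rule_name"] == rule) denied++
        else leaked++
    }
    END {
        printf "denied=%d leaked=%d\n", denied, leaked
        exit !(denied > 0 && leaked == 0)
    }'
}
```

A non-zero leaked count means some traffic from the client matched a rule above the deny rule, which points to a rule-ordering problem.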

Final takeaways

Use separate LAN and WAN interfaces, back up the config before major changes, and test rules with logs and packet captures.

Work through the install in order and check each stage before moving on.
