pfsense is an open - sites.wp.odu.edu


Post on 26-May-2022

Jesse Vallejos

Firewall Report

Introduction

pfSense is open-source software that can be used to protect a network by acting as a router and firewall. While this application has many uses, this report focuses primarily on firewall rules and configuration: specifically, rules that allow and deny traffic, and rules that block users from accessing specific sites that are not needed to complete workplace tasks.

Allowing and Denying Traffic

The first set of rules discussed in this report are those that allow and deny traffic. These rules are useful when the network needs to block certain features from user access or restrict users to accessing the network over a specific port. For example, consider a scenario where you want to use a pfSense firewall to ensure that clients that are not on your private network can only access the server on port 80 (HTTP) and port 443 (HTTPS). In this scenario, you would create three firewall rules on the WAN: two rules that allow access to the server over port 80 and port 443, and one rule that blocks traffic to all ports.

To set up the rules that allow access over ports 80 and 443, use a web browser to visit the IP address of your pfSense firewall’s LAN, then click on the firewall rules tab. Since we are dealing with traffic that is not in our private network, we then click on the WAN rules. On this page, we create a pass rule that allows all traffic with a destination address of our server to reach the server through port 80. Screenshot #1 below shows the pass rule, while screenshot #2 sets the destination to the IP address of the server and the destination port range to port 80. To create the pass rule for port 443, follow the same steps, except that the destination port range will say port 443 to port 443.


Screenshot #1

Screenshot #2


After creating the rules for allowing traffic over ports 80 and 443, make sure to click the green “apply changes” tab on your firewall rules page. Failure to click this tab will cause the rules to be ignored even though they appear in your rules list. Once you have applied these rules, it is time to create a block rule to ensure that traffic is denied to all other ports. Screenshot #3 below shows the creation of this block rule. Like the pass rules before, the destination is set to the IP address of the server. However, this rule does not name any specific ports, as we want to block traffic from accessing the server on any port.

Screenshot #3


While it may seem problematic to include such a rule in our list, we can get around the block rule by listing our pass rules higher in the rules list. pfSense evaluates firewall rules from the top of the list down, so the rules that are higher in the list take priority and the first rule that matches a packet decides what happens to it. So, if we put the block rule below our pass rules, as in screenshot #4 below, we restrict outside server access to only ports 80 and 443. This is useful when the firewall needs to allow access to only a small number of ports: instead of blocking every known port that isn’t 80 or 443, we can use one block rule and add pass rules whenever a new port needs to be granted access.

Screenshot #4
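
The effect of rule order described above, as an added example that is not part of the original report: a small Python model of top-down, first-match evaluation applied to the report's three WAN rules, plus a check for rules that an earlier rule makes unreachable. The server address 203.0.113.10 and the names `Rule`, `evaluate` and `shadowed` are assumptions made for illustration; this is not pfSense's own code.

```python
from dataclasses import dataclass
from typing import Optional

SERVER = "203.0.113.10"  # constructed documentation address standing in for the server


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dst: str                    # destination address or "any"
    port: Optional[int] = None  # None means any port

    def matches(self, proto, dst, port):
        return (self.proto in ("any", proto)
                and self.dst in ("any", dst)
                and self.port in (None, port))

    def covers(self, other):
        """True when every packet `other` matches is also matched by self."""
        return (self.proto in ("any", other.proto)
                and self.dst in ("any", other.dst)
                and self.port in (None, other.port))


def evaluate(rules, proto, dst, port=None):
    """Top-down, first match wins; traffic no rule matches is dropped."""
    for rule in rules:
        if rule.matches(proto, dst, port):
            return rule.action
    return "block"


def shadowed(rules):
    """Rules that can never fire because an earlier rule already covers them."""
    return [r for i, r in enumerate(rules)
            if any(prev.covers(r) for prev in rules[:i])]


PASS_HTTP = Rule("pass", "tcp", SERVER, 80)
PASS_HTTPS = Rule("pass", "tcp", SERVER, 443)
BLOCK_ALL = Rule("block", "any", SERVER)
BLOCK_SMB = Rule("block", "tcp", SERVER, 445)  # constructed placement test

GOOD = [PASS_HTTP, PASS_HTTPS, BLOCK_ALL]  # pass rules above the block rule
BAD = [BLOCK_ALL, PASS_HTTP, PASS_HTTPS]   # block rule moved to the top

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("bad", BAD)):
        print(name, evaluate(rules, "tcp", SERVER, 443), shadowed(rules))
```

With the block rule on top, both pass rules are reported as shadowed and port 443 is blocked. The same check flags a port 445 block placed below the block-all rule as redundant.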


In addition to allowing and denying access to the server, a pfSense firewall can also be used to control the access that outside clients possess. One example of this feature is blocking the ability to ping the server from outside of the private network. While pinging may not seem like a huge deal, blocking it can actually increase the security of the server, as there are known attacks such as the Ping of Death, which aims to crash servers by sending oversized or unusually formatted pings. For more information on these types of attacks, see the Ping of Death link at the end of this report.

Now that we understand why one may wish to block pings, it is time to discuss the rule that is needed. To disable pinging, we create a WAN rule that blocks the ICMP protocol, as this is the protocol that ping uses. Screenshot #5 demonstrates the creation of this rule. Pinging can also be enabled the same way, by setting the action to pass instead of block.

Screenshot #5


When pinging is enabled, an outside user should see results similar to those in screenshot #6 below. Notice how the outside user was able to reach both the IP address of the server and the firewall itself with 0% packet loss. In comparison, screenshot #7 shows the ping results after the ICMP block rule was added. In this image, neither the firewall nor the server could be reached, and 100% packet loss was recorded.

Screenshot #6


Screenshot #7

Along with blocking the ICMP protocol, a pfSense firewall can be used to block file-sharing abilities with an outside user. To demonstrate this, block rules were added to the firewall to stop the SMB protocol. While there is no direct protocol rule for blocking SMB traffic, file sharing can still be prevented by adding block rules for ports 445 and 139. Screenshot #8 shows the two rules that were created to prevent file sharing. Notice how these rules are similar to the pass rules added before, but with different actions, protocols, and ports.


Screenshot #8

With these file-sharing rules implemented, it is time to see if an outside user can still access the server’s shared folders. Screenshot #9 below shows the screen that a client outside of the private network would see when accessing the shares. In comparison, Screenshot #10 shows what that client would see after the rule was applied. As you can see, the user is unable to access any of the shared folders with ports 445 and 139 blocked. Blocking these ports also benefits the security of the server, as these ports were once exploited by the WannaCry attack. For more information on this attack and the flaws of these ports, please see the “Windows SMB Users at Risk” link at the end of this report.


Screenshot #9

Screenshot #10


Preventing Network Misuse

While the majority of this report has focused on protecting the network from users that are not in the private network, there are still many things that pfSense can do to protect the LAN. For example, among the more important rules to consider are those that prevent local users from accessing sites that are either harmful or simply not suitable for workplace activities. This section of the report demonstrates how to block both a simple site such as stopfakenews.net and a more popular site like YouTube.com.

For both of these sites, a host override and a domain override were implemented in the DNS resolver to block access by sending the user to a bogus IP address. Screenshot #11 below shows the overrides that were created for this process. For the host overrides, any user that entered the domain name for YouTube or stopfakenews was redirected to the loopback IP address of 127.0.0.1. As for the domain overrides, users who entered these domains were redirected to 192.168.100.100, which is a private IP address that is not affiliated with any user or organization. While using just the host override would normally be necessary for this process, I found that my machine did not want to properly block the site unless both a host and domain override were implemented, so both were included for this exercise.


Screenshot #11

To get a better look at the configuration of the host override, Screenshot #12 is provided below. As you can see, the configuration of this feature is rather simple, as you only need to know the domain name of the site and the IP address that you want the user to be sent to. This method of blocking a site is required for a site like YouTube due to the wide range of potential IP addresses that are associated with the site. Sites like stopfakenews.net, on the other hand, have only one IP address, meaning that they could be blocked by their IP in addition to the override method.


Screenshot #12

Along with the host override image, Screenshot #13 is provided below to show how the domain override was configured. As with the host override, the only data needed is a valid domain name and an IP address of your choice. After these overrides were saved, they were applied with the “apply changes” tab and tested to ensure that they properly blocked their sites. Screenshot #14 and Screenshot #15 below show the site access prior to the override configurations. Screenshot #16 and Screenshot #17 show the end result of entering these two domains after they were blocked. As you can see, both YouTube.com and stopfakenews.net were successfully blocked by the host and domain override methods.


Screenshot #13

Screenshot #14


Screenshot #15

Screenshot #16


Screenshot #17
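
One way to test the overrides beyond loading the sites in a browser, as an added example that is not part of the original report: a Python audit that resolves each blocked domain and a few related names, and reports any that still resolve to an address other than the two bogus addresses used above. The label list (`www.`, `m.`), the function names and the sample resolver table are assumptions constructed for illustration.

```python
import socket

# Addresses the report points blocked names at
# (127.0.0.1 for host overrides, 192.168.100.100 for domain overrides).
SINKHOLES = {"127.0.0.1", "192.168.100.100"}


def system_resolver(name):
    """Resolve `name` to IPv4 addresses via the OS resolver; empty set on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit(domains, resolve=system_resolver, labels=("", "www.", "m.")):
    """Return {name: addresses} for every name that still resolves off-sinkhole.

    A name that fails to resolve at all counts as blocked.
    """
    leaks = {}
    for domain in domains:
        for label in labels:
            name = label + domain
            escaped = resolve(name) - SINKHOLES
            if escaped:
                leaks[name] = escaped
    return leaks


# Constructed resolver answers so the audit can be exercised offline.
SAMPLE = {
    "youtube.com": {"127.0.0.1"},
    "www.youtube.com": {"198.51.100.7"},   # constructed leak
    "stopfakenews.net": {"127.0.0.1"},
    "www.stopfakenews.net": {"127.0.0.1"},
}


def sample_resolver(name):
    return SAMPLE.get(name, set())


if __name__ == "__main__":
    print(audit(["youtube.com", "stopfakenews.net"], resolve=sample_resolver))
```

Run `audit` with the default resolver from a LAN client that uses the firewall as its DNS server; a client configured with a different DNS server is not affected by the overrides.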

Conclusion

As you can see, the pfSense firewall has many useful features when it comes to protecting a network. By adding simple rules to allow and deny both server access and network features, pfSense can provide added layers of security and convenience. Whether you need to prepare for the dangers of users that are not on the private network or restrict those that are local to it, pfSense has a variety of features to help meet your needs.


Additional Information

Ping of Death

https://www.imperva.com/learn/application-security/ping-of-death/

Windows SMB Users at Risk

https://www.makeuseof.com/tag/windows-smb-users-risk-block-ports-protect/