Firewall Management using pfSense

This lab will cover the basics of firewalls by using the free firewall package pfSense. You will need to work in groups of 2 or 3 for this lab. Virtual machines running the pfSense package have been setup to work with the Syslab "white" network.

Requirements:

• You (and a partner)
• One computer on the "orange" network
• One computer on the "white" network; login before changing the network cable to the "white" network
• Your team number - see Prof. Norman

Throughout this lab, we will be using several IP addresses and subnets that you will need to keep track of. Please refer to the table below for your IP and subnet assignments, based off of your team number.

Goals

• Assign and setup a local LAN NAT subnet
• Understand how NAT networking works for Internet traffic
• Applying simple firewall rules
• Hosting internal NAT services externally using a NAT port forward
• Running a secure "deny-all" network

Overview

Each team will be using a pre-existing virtual firewall that has two network interfaces: a WAN interface in the 153.106.116.0/23 network, and a LAN interface in the Syslab VLAN. However, we will NOT be using the existing Syslab VLAN subnet (192.168.36.0/24), but will be defining additional subnets in the Syslab VLAN. Please make sure you know what additional subnet you will be assigning by consulting the chart above. (Note that subnets should be seperated by a layer2 network or VLAN. Broadcast and multicast packets are shared between these two subnets, so there may be unintentional overlap between the subnets. DHCP services operate over broadcast, so only one DHCP server can be on a layer 2 subnet. Additionally, for security reasons, you don't want packets potentially being exposed when they shouldn't be. However, for our purposes today and the setup of our Syslab networking, we will be breaking convention by running multiple subnets in a single Layer2 VLAN.)

Setup

The first thing we need to do is to setup the two computers we will be using for our lab exercise. Boot one of the computers in the "orange" 153.106.116.0/23 network, this computer will be referred to as the "WAN Computer" during this lab. The other computer should be booted into Windows, logged into, and then connected to the "white" Syslab network. This machine will be referred to as the "LAN computer" during this lab. If you need to, you may add a sticky note to these two machines to label them.

Lab Procedure

Step 1 - Logging into the Virtual Firewall

WAN Computer: Log into the pfSense administration interface by visiting your virtual firewall's web interface at http://. For example, for team '0', you would use http://153.106.116.110 . Log into the interface using the username "admin" and the password "bluestone". You will see the default Dashboard upon logging in. Feel free to explore the user interface of the pfSense system. At any point, you can navigate back to the Dashboard by clicking the "pfSense" logo in the upper left-hand corner of the webpage.

Step 2 - Configuring the Virtual Firewall LAN interface

WAN Computer: The first step to setting up our NAT firewall is to change the firewall's LAN interface to our desired subnet, resetting the IP address and subnet mask. Reference your assigned LAN subnet from the table above. We will be setting up the LAN interface to be the router/gateway for that subnet that you have been assigned (AKA, the "Firewall - LAN IP Address"). While you can use virtually any IP addresss in the LAN segment for the gateway, for this lab, please use the .1 address in your subnet; see the table above. For example, if you were team '0' and had the 192.168.110.0/24 subnet, the 192.168.110.1 address would be used for this next step. Perform the following actions:

After saving the configuration, you will be prompted to Apply Changes to the firewall. This takes a bit of time (1-2 minutes) as the firewall applies and restarts various daemons within the system. After it has completed, return to the Dashboard by clicking the pfSense logo and verify that the LAN address is up with your correct gateway IP. By default, the DHCP server on this firewall is disabled; we will keep it off for this exercise.

Question 1: What IPv4 addresses in this address block can't we use for host address?

Step 3 - Configuring a local LAN client

LAN Computer: Now that we have a routing NAT firewall in place, we need to set our local LAN computer with a manual static IP address, which will revert on next reboot. While any almost any subnet IP address could be used, for this lab, please use the .10 address as assigned in the table above for your subnet. For example, for team '0' again, you would use the 192.168.110.10 address.

To do this, do:

To verify things are working correctly, you want to check your IP address to make sure it was changed appropriately. Open up a command prompt by running the command: cmd.exe, then execute

Use the last output to verify you have set the IP address correctly.

Now that we are up and running, we want to make sure we have connectivity outbound through our NAT virtual firewall. Perform the following actions on your terminal:

1. ping <Firewall - LAN IP Address> (from the table)
2. ping 8.8.8.8
3. nslookup www.google.com
4. ping www.google.com

Everything should be able to be looked up and pinged ("pung?") successfully.

As a next step, we're going to investigate who our computer appears to be on the internet. We know that our IP address is in our LAN subnet (192.168.x.x/24), but how do we appear on the internet?

1. Open up a web browser on the LAN computer.
2. Visit http://www.whatsmyip.org.

Question 2: What IP address did you get? Explain why you see the address you see.

Step 4 - Adding a Simple Firewall Rule

Firewalls are extremely important as they allow system adminstrators to block or allow access to network and internet resources very granually. By default, our pfSense firewall is setup to allow all connections outbound from the LAN segment of the firewall, and allow almost nothing in from the WAN segment of the firewall. The only exception to the inbound rule is the management web page that you control the device through (but it would be best to just do that from the LAN network as a best-practice). As our next exercise, we're going to add a simple allow rule to allow machines on the WAN side to ping the firewall to confirm that it is running.

WAN Computer: Pull up a terminal window. Ping the virtual firewall's WAN IP address.

Question 3: Did the ping succeed? Why didn't the ping work?

1. Navigate to Firewall -> Rules
2. Click the "WAN" tab.
3. Click the green "Add" down-arrow button in the lower-right hand corner of the list to add a new rule to the end of the list.
4. In the Edit page:
1. Action: Pass
2. Interface: WAN
3. TCP/IP Version: IPv4
4. Protocol: ICMP
5. Source: any
6. Destination: WAN Address
7. Description: ICMP Allow In
8. Save
5. When prompted, reload the firewall rules.

Question 4: Explain in "plain English" what the above rule does.

Step 5 - Adding a Service Port Forward

To make our firewall do something useful, we are going to now move into setting up a port-forward for a service that is running on our LAN computer, so that it is accessible from computers on the WAN side. We will be exposing a simple HTTP web-server daemon on our LAN computer to the WAN connection, and pulling up a file on the LAN computer through the port forward.

LAN Computer: Pull up a cmd.exe window (Start Menu -> Run -> cmd.exe). Perform the following steps:

Python will spin up a simple HTTP server with the files that we have in our current directory. Fortunately, the W:\ drive is pre-populated with some files, like the Project Gutenbergcopy of the out-of-copyright Jane Austen novel Sense and Sensibility, in the ss.htm file. Let's first verify that we can see it on the web browser of our LAN computer. So, pull up a web-browser and visit...

Verify that you can see the page locally first before continuing to add a port forward to this computer and port number.

Question 5: Notice that the Python http server started on http://[::]:8000/. Explain in "plain English" what that means, and what network adapters are being used.

WAN Computer: On the pfSense virtual firewall webpage, we will be adding a special NAT port-forwarding rule into the firewall, so that we can connect to the HTTP server on our LAN computer. Perform the following actions:

1. Navigate to Firewall -> NAT
2. If not selected, select the "Port Forward" tab
3. Click the green "Add" button in the lower-right hand corner of the list to add a new rule.
4. In the Edit page:
1. Interface: WAN
2. Protocol: TCP
3. Destination: WAN Address
4. Destination port range: Other - Custom port 8000
5. Redirect target IP: <LAN Computer IP Address>
6. Redirect target port: Other - Custom port 8000
7. Description: Allow HTTP 8000 to LAN Computer
8. Save
5. When prompted, reload the firewall rules by Applying the changes.

At this point, we should be able to pull down the novel via the port forward we just set up. We will request the novel via the virtual firewall's WAN interface and be port-forwarded to the LAN computer running the mini web server. So, pull up your favorite web browser, and let's give it a go!

You should successfully pull down your novel! Congratulations, you have successfully set up a firewall with port-forwarding.

Question 6 - What ports can we setup in a NAT port forward? Do the ports on both sides have to be the same?

Step 6 - Running a LAN 'default-deny' firewall

Many organizations today will run several different network types on their networks, with different firewall rule sets. One of the most secure networks to run is a 'default-deny' network. Most computers that you probably have ever used have been set up in a 'default-allow' network mode, which allows you to connect out to the Internet to every machine available on any port that you want. To run a highly secure network, organizations are turning to locking down their critical infrastructure to reduce exposure to non-trusted computers and their exposure to compromise.

One of the more stringent requirements that companies may have to face is PCI compliance for credit-card processing. While PCI compliance is extremely complex, there are some basic things that we can cover to get a sense of what needs to happen in order to comply with the rules. All computers that process credit cards must be on NAT networks, with default-deny firewall rule sets for these NAT networks. Specific firewall rules to allow access to credit card vendors websites or processing servers are explicitly allowed, while denying everything else.

For this lab, we will implement a default-deny firewall ruleset with specific rules to only allow access to a few computers.

WAN Computer: Pull up the pfSense virtual firewall webpage. We will be adding LAN firewall rules to lock down our network connections. Perform the following actions:

1. Navigate to Firewall -> Rules
2. Navigate to the LAN tab
3. Click the green "Add" down-arrow button in the lower-right hand corner of the list to add a new rule to the end of the list.
4. In the Edit page:
1. Action: Reject
2. Interface: LAN
3. Protocol: TCP
4. Source: LAN Net
5. Destination: any
6. Destination port range: Any
7. Description: Default deny for LAN Computers
8. Save
5. When prompted, reload the firewall rules.

LAN Computer: Pull up a web browser on your machine. Try to visit a few web sites; perhaps cnn.com or reddit.com.

Question 7 - Did your LAN firewall rule work? Why or why not?

Hopefully, your firewall rule did not work at all. (At least, that is the intent.) While you probably made a perfectly good rule, chances are it was added at the bottom of the firewall rule list. If it was, you will have noticed that it isn't doing anything at all. Firewalls are designed with two "basic" rules in mind:

• Rules are executed top-down.
• If no rules exist to the contrary, deny every connection attempt.

Question 8 - What do you need to do to fix your LAN default-deny rule?

WAN Computer: Hopefully, you are still on the LAN firewall rules page. If not, navigate back there before continuing. Perform the following actions:

1. Drag and drop our "Default Deny" rule that we created last step to the top of the list.
2. Remove the default allow rules for IPv4 and IPv6.
3. When prompted, reload the firewall rules.

LAN Computer: Pull up your web browser again. Once again, try to hit up some different websites this time around - perhaps slashdot.org or imgur.com. Are the websites available now? (Note: if the original sites you pulled up still work, it is possible that the browser has the sites cached. If you clear your cache, or open up a InPrivate browser session, the sites should not load.)

Step 7 - Adding explicit Allow rules

Now that we have a default deny rule set in our firewall, we will be adding in specific rules to allow access to the a specific web site. To complete this section, you will be working with Google as your guide. Note: most websites use multiple domains that host parts of their website. For this section, we will be using a pretty simple website called the the Internet Storm Center, at http://www.isc.org.

WAN Computer: Perform the following items:

• Modify the virtual firewall to allow DNS requests to CIT's DNS servers (153.106.4.99 and 153.106.124.99). Look up on the internet what protocol (UDP or TCP) and what port DNS operates on.
  

  Question 9 - Describe the rule(s) you added, including the protocol and ports you used.

  
  
• Figure out the IPv4 addresses used by the www.isc.org website
  

  Question 10 - What addresses are used by www.isc.org?

  
  
• Modify the virtual firewall to allow web requests on the LAN out to http://www.isc.org/ for both HTTP and HTTPS
  
  

  Question 11 - Describe the rule(s) you added, in detail.

LAN Computer: Perform the following items:

• Verify that you cannot reach any other websites; for example, cs.calvin.edu.
• Verify that you can reach the http://www.isc.org website. If you find you cannot get to this website, go back and fix your rule in the firewall.
• Verify that you cannot SSH to the cs-ssh.calvin.edu server.

Submit your lab assignment as normal per your instructor..

Page created by Chris Wieringa. ©2016 Updated 2021