This lab will cover the basics of firewalls by using the free firewall package pfSense. You will need to work in groups of 3 (or pairs) for this lab. Virtual machines running the pfSense package have been set up to work with the Syslab "white" network.
Throughout this lab, we will be using several IP addresses and subnets that you will need to keep track of. Please refer to the table below for your IP and subnet assignments, based on your team number.
| Team Number | Firewall - WAN DNS Name | Firewall - WAN IP Address | Firewall - LAN Subnet | Firewall - LAN IP Address | Client - LAN IP Address |
|---|---|---|---|---|---|
Each team will be using a pre-existing virtual firewall that has two network interfaces: a WAN interface in the 18.104.22.168/23 network, and a LAN interface in the Syslab. However, we will NOT be using the existing Syslab subnet, but will be defining additional VLANs in the Syslab. Please make sure you know what additional VLAN you will be assigning by consulting the chart above.
The first thing we need to do is to set up the two computers we will be using for our lab exercise. Boot one of the computers in the "orange" 22.214.171.124/23 network; this computer will be referred to as the "WAN Computer" during this lab. The other computer should be booted using your USB keys into the USB Linux, connected to the "white" Syslab network. This machine will be referred to as the "LAN computer" during this lab.
WAN Computer: Log into the pfSense administration interface by visiting your virtual firewall's web interface at http://
WAN Computer: The first step to setting up our NAT firewall is to assign the firewall's LAN interface an IP address and subnet. Reference your assigned LAN subnet from the table above. We will be setting up the second LAN interface to be the gateway for the subnet that you have been assigned. While you can use virtually any IP address in the LAN segment for the gateway, for this lab, please use the .1 address in your subnet; see the table above. For example, if you were team '0' and had the 192.168.110.0/24 subnet, the 192.168.110.1 address would be used for this next step. Perform the following actions:
After saving the configuration, you will be prompted to Apply Changes to the firewall. This takes a bit of time as the firewall applies and restarts various daemons within the system. After it has completed, return to the Dashboard by clicking the pfSense logo and verify that the LAN address is up with your correct gateway IP. By default, the DHCP server on this firewall is disabled; we will keep it off for this exercise.
Question 1: What IPv4 addresses in this address block can't we use as host addresses?
LAN Computer: Now that we have a routing NAT firewall in place, we need to set our local LAN computer with a manual static IP address. While we could do this permanently, for the lab today we are just going to make a temporary change. We will open up a 'root' terminal window on your LAN computer, and reset your IP address to an address in your subnet. While almost any subnet IP address could be used, for this lab, please use the .10 address as assigned in the table above for your subnet. For example, for team '0' again, you would use the 192.168.110.10 address.
To do this, do:
Use the information from this command to figure out what IP is currently active on what device interface; it should be a 192.168.36.x IP address on the device eth11 (or some such).
Use the last output to verify you have set the IP address correctly.
Now that we are up and running, we want to make sure we have connectivity outbound through our NAT virtual firewall. Perform the following actions on your terminal:
Everything should be able to be looked up and pinged ("pung?") successfully.
As a next step, we're going to investigate who our computer appears to be on the internet. We know that our IP address is in our LAN subnet (192.168.x.x/24), but how do we appear on the internet?
Question 2: What IP address did you get? Explain why you see the address you see.
Firewalls are extremely important as they allow system administrators to block or allow access to network and internet resources very granularly. By default, our pfSense firewall is set up to allow all connections outbound from the LAN segment of the firewall, and allow almost nothing in from the WAN segment of the firewall. The only exception to the inbound rule is the management web page that you control the device through (but it would be best to just do that from the LAN network as a best practice). As our next exercise, we're going to add a simple allow rule to allow machines on the WAN side to ping the firewall to confirm that it is running.
WAN Computer: Pull up a terminal window. Ping the virtual firewall's WAN IP address.
Question 3: Did the ping succeed? Why didn't the ping work?
Pull up the pfSense virtual firewall webpage. We need to add a firewall rule to allow WAN machines to ping the firewall interface, which at this point is blocked. Perform the following actions:
Question 4: Explain in "plain English" what the above rule does.
To make our firewall do something useful, we are going to now move into setting up a port-forward for a service that is running on our LAN computer, so that it is accessible from computers on the WAN side. We will be exposing the SSH daemon on our LAN computer to the WAN connection, and logging into the LAN computer through the port forward.
LAN Computer: Pull up a terminal window, and elevate yourself to root (`sudo su`). Perform the following steps:
The openssh-server may already be installed on your Linux distribution, but if it isn't already, the command above should install the daemon. While it should start the daemon automatically, we want to verify it before continuing.
Additionally, it is always good to verify which port a daemon is listening on. The `netstat` command can be used to list all the ports that daemons are listening on, so we'll use it to verify SSH is listening on port 22 as expected.
Question 5: What IP addresses are the 'sshd' daemon bound to? Why does it not match the LAN IP address?
At this point, the SSH daemon is running and ready for us. We will move onto configuring the port forward in our virtual firewall.
WAN Computer: On the pfSense virtual firewall webpage, we will be adding a special NAT port-forwarding rule into the firewall, so that we can connect via SSH into our LAN computer. Perform the following actions:
At this point, we should be able to SSH to our virtual firewall's WAN interface and be port-forwarded to the LAN computer running SSH. So, pull up your favorite SSH client, and let's give it a go! (Note: if you are on Windows, PuTTY should be installed. If you are using Linux, use `ssh` from a terminal window.)
You should get a connection; log into the `mradmin` account using the standard `bluestone` password. Congratulations, you have successfully set up a firewall with port-forwarding. Verify that you are on the correct machine by issuing the command (within your SSH connection):
Verify that the IP address of the computer that you are on matches the LAN computer that you set up.
Question 6 - What ports can we set up in a NAT port forward? Do the ports on both sides have to be the same?
Many organizations today will run several different network types on their networks, with different firewall rule sets. One of the most secure networks to run is a 'default-deny' network. Most computers that you probably have ever used have been set up in a 'default-allow' network mode, which allows you to connect out to the Internet to every machine available on any port that you want. To run a highly secure network, organizations are turning to locking down their critical infrastructure to reduce exposure to non-trusted computers and their exposure to compromise.
One of the more stringent requirements that companies may have to face is PCI compliance for credit-card processing. While PCI compliance is extremely complex, there are some basic things that we can cover to get a sense of what needs to happen in order to comply with the rules. All computers that process credit cards must be on NAT networks, with default-deny firewall rule sets for these NAT networks. Specific firewall rules explicitly allow access to credit card vendors' websites or processing servers, while everything else is denied.
For this lab, we will implement a default-deny firewall ruleset with specific rules to only allow access to a few computers.
WAN Computer: Pull up the pfSense virtual firewall webpage. We will be adding LAN firewall rules to lock down our network connections. Perform the following actions:
LAN Computer: Pull up a web browser on your machine. Try to visit a few web sites; perhaps cnn.com or reddit.com.
Question 7 - Did your LAN firewall rule work? Why or why not?
Hopefully, your firewall rule did not work at all. (At least, that is the intent.) While you probably made a perfectly good rule, chances are it was added at the bottom of the firewall rule list. If it was, you will have noticed that it isn't doing anything at all. Firewalls are designed with two "basic" rules in mind:
Question 8 - What do you need to do to fix your LAN default-deny rule?
WAN Computer: Hopefully, you are still on the LAN firewall rules page. If not, navigate back there before continuing. Perform the following actions:
LAN Computer: Pull up your web browser again. Once again, try to hit up some different websites this time around - perhaps slashdot.org or imgur.com. Are the websites available now? (Note: if the original sites you pulled up still work, it is possible that the browser has the sites cached. If you clear your cache, or open up an InPrivate browser session, the sites should not load.)
Now that we have a default-deny rule set in our firewall, we will be adding in specific rules to allow access to a specific web site. To complete this section, you will be working with Google as your guide. Note: most websites use multiple domains that host parts of their website. For this section, we will be using a pretty simple website called the Internet Storm Center, at http://www.isc.org.
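To see why the position of a rule on the LAN tab matters (the block rule that did nothing at the bottom of the list, and the specific pass rules that now have to sit above it), here is a small first-match evaluator written for this handout; it is not part of the lab or of pfSense, and it assumes team 0's 192.168.110.0/24 subnet and a constructed web server address, 203.0.113.10.

```python
"""Toy first-match evaluator for pfSense-style LAN rules (added example).

Not part of the lab or of pfSense: a simplified model in which the first
matching rule wins and a packet that matches no rule is blocked, which is
how pfSense evaluates the rules on an interface tab.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = "192.168.110.0/24"  # team '0' subnet from the lab table


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: str = "any"            # "any", "tcp", "udp", "icmp"
    src: str = "any"              # CIDR or "any"
    dst: str = "any"              # CIDR or "any"
    dport: Optional[int] = None   # None matches any destination port


def _net_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def matches(rule, proto, src, dst, dport):
    return (rule.proto in ("any", proto)
            and _net_match(rule.src, src)
            and _net_match(rule.dst, dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule index) of the first match; no match -> block."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "block", None


# pfSense ships with a rule passing everything from the LAN net outbound.
DEFAULT_LAN_ALLOW = Rule("pass", src=LAN_NET)
# A block-all appended below it is never reached, so it changes nothing.
BOTTOM_DENY = [DEFAULT_LAN_ALLOW, Rule("block")]
# Default-deny: the block rule is the only catch-all, and every specific
# pass rule has to sit above it. 203.0.113.10 is a constructed web server.
ALLOW_ONE_SITE = [Rule("pass", proto="tcp", src=LAN_NET,
                       dst="203.0.113.10/32", dport=80),
                  Rule("block")]
```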
WAN Computer: Perform the following items:
126.96.36.199). Look up on the internet what protocol (UDP or TCP) and what port DNS operates on.
Question 9 - Describe the rule(s) you added, including the protocol and ports you used.
Question 10 - What addresses are used by www.isc.org?
Question 11 - Describe the rule(s) you added, in detail.
LAN Computer: Perform the following items:
Submit your lab assignment via Moodle.