Firewall Management using pfSense

This lab covers the basics of firewalls using the free firewall package pfSense. You will work in groups of three (or pairs) for this lab. Virtual machines running pfSense have been set up to work with the Syslab "white" network.

Requirements:

Throughout this lab we will be using several IP addresses and subnets that you will need to keep track of. Please refer to the table below for your IP and subnet assignments, based on your team number.

Team  Firewall WAN DNS name       Firewall WAN IP   Firewall LAN subnet  Firewall LAN IP  Client LAN IP
0     fw-cs332-00.cs.calvin.edu   153.106.116.110   192.168.110.0/24     192.168.110.1    192.168.110.10
1     fw-cs332-01.cs.calvin.edu   153.106.116.111   192.168.111.0/24     192.168.111.1    192.168.111.10
2     fw-cs332-02.cs.calvin.edu   153.106.116.112   192.168.112.0/24     192.168.112.1    192.168.112.10
3     fw-cs332-03.cs.calvin.edu   153.106.116.113   192.168.113.0/24     192.168.113.1    192.168.113.10
4     fw-cs332-04.cs.calvin.edu   153.106.116.114   192.168.114.0/24     192.168.114.1    192.168.114.10
5     fw-cs332-05.cs.calvin.edu   153.106.116.115   192.168.115.0/24     192.168.115.1    192.168.115.10
6     fw-cs332-06.cs.calvin.edu   153.106.116.116   192.168.116.0/24     192.168.116.1    192.168.116.10
7     fw-cs332-07.cs.calvin.edu   153.106.116.117   192.168.117.0/24     192.168.117.1    192.168.117.10
8     fw-cs332-08.cs.calvin.edu   153.106.116.118   192.168.118.0/24     192.168.118.1    192.168.118.10
9     fw-cs332-09.cs.calvin.edu   153.106.116.119   192.168.119.0/24     192.168.119.1    192.168.119.10

Goals

The following items should be understood when you have finished this lab:

Overview

Each team will be using a pre-existing virtual firewall that has two network interfaces: a WAN interface in the 153.106.116.0/23 network, and a LAN interface in the Syslab. However, we will NOT be using the existing Syslab subnet; instead we will be defining additional subnets (VLANs) in the Syslab. Please make sure you know which additional subnet you will be assigning by consulting the chart above.

Setup

The first thing we need to do is to set up the two computers we will be using for our lab exercise. Boot one of the computers in the "orange" 153.106.116.0/23 network; this computer will be referred to as the "WAN Computer" during this lab. The other computer should be booted from your USB key into the USB Linux, connected to the "white" Syslab network. This machine will be referred to as the "LAN Computer" during this lab.


Lab Procedure

Step 1 - Logging into the Virtual Firewall

WAN Computer: Log into the pfSense administration interface by visiting your virtual firewall's web interface at http://<Firewall WAN DNS name>/. For example, for team '0', you would use http://fw-cs332-00.cs.calvin.edu/ . Log in using the username "admin" and the password "bluestone". You will see the default Dashboard upon logging in. Feel free to explore the user interface of the pfSense system. At any point you can navigate back to the Dashboard by clicking the "pfSense" logo in the upper left-hand corner of the webpage. (Note that in this lab the GUI is reached over plain HTTP, so the login crosses the orange network unencrypted. That is acceptable for an isolated lab network; a production firewall should be managed over HTTPS and only from a trusted interface.)

Step 2 - Configuring the Virtual Firewall LAN interface

WAN Computer: The first step in setting up our NAT firewall is to assign the firewall's LAN interface an IP address and subnet. Reference your assigned LAN subnet from the table above. We will be setting up the LAN interface to be the gateway for the subnet you have been assigned. While you could use virtually any IP address in the LAN segment for the gateway, for this lab please use the .1 address in your subnet; see the table above. For example, if you were team '0' and had the 192.168.110.0/24 subnet, the 192.168.110.1 address would be used for this next step. Perform the following actions:

  1. Navigate to Interfaces -> LAN
  2. General Configuration: IPv4 Configuration Type: Static IPv4
  3. General Configuration: IPv6 Configuration Type: None
  4. Static IPv4 address: <Your LAN address> / 24 (make sure to change the /32 to /24)
  5. Save

After saving the configuration, you will be prompted to Apply Changes to the firewall. This takes a bit of time as the firewall applies and restarts various daemons within the system. After it has completed, return to the Dashboard by clicking the pfSense logo and verify that the LAN address is up with your correct gateway IP. By default, the DHCP server on this firewall is disabled; we will keep it off for this exercise.

Question 1: Which IPv4 addresses in this address block can't we use as host addresses?

Step 3 - Configuring a local LAN client

LAN Computer: Now that we have a routing NAT firewall in place, we need to give our LAN computer a manual static IP address. While we could do this permanently, for the lab today we are just going to make a temporary change. We will open a 'root' terminal window on your LAN computer and reset your IP address to an address in your subnet. While almost any host address in the subnet could be used, for this lab please use the .10 address assigned in the table above for your subnet. For example, for team '0' again, you would use the 192.168.110.10 address.

To do this, do:

$ sudo su
(root) ip addr show

Use the information from this command to figure out which IP address is currently active on which device interface; it should be a 192.168.36.x address on a device such as eth11 (the exact name varies). Do not guess the interface name: the commands below act on whatever device you name.

  1. (root) ip addr del <your current IP>/24 dev <your device>
  2. (root) ip addr add <your LAN IP>/24 dev <your device>
  3. (root) ip route add default via <LAN FW IP>
  4. (root) ip addr show

Use the last output to verify you have set the IP address correctly. If the ip route add command reports "RTNETLINK answers: File exists", a default route survived the address change; use ip route replace default via <LAN FW IP> instead, which overwrites it.
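As an added example (not part of the handout), the following script does the bookkeeping of Step 3 for you: it parses the output of ip addr show, finds the one address in the old 192.168.36.0/24 Syslab subnet, derives your team's addresses from the table above, and prints the exact del/add/route commands. It only prints them; you still run them as root. The interface name, MAC address and 192.168.36.57 address in SAMPLE are constructed for the example.

```python
"""Derive the Step 3 renumbering commands from `ip addr show` output.
Added example; not part of the lab handout.  SAMPLE is constructed."""
import re
import subprocess
from ipaddress import ip_interface, ip_network
from typing import List, Tuple

OLD_SYSLAB_NET = "192.168.36.0/24"   # subnet the USB Linux boots into

# Constructed sample in the shape `ip addr show` prints (names/MACs assumed).
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.36.57/24 brd 192.168.36.255 scope global eth11
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)[@:]")        # "2: eth11:" / "3: eth0@if5:"
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+/\d+)")


def ipv4_addresses(text: str) -> List[Tuple[str, str]]:
    """[(interface, 'a.b.c.d/len'), ...] in the order ip prints them."""
    found, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)      # header line: remember which device we are in
            continue
        m = INET_RE.match(line)
        if m and iface:
            found.append((iface, m.group(1)))
    return found


def current_lan_address(text: str, old_net: str = OLD_SYSLAB_NET) -> Tuple[str, str]:
    """The single (interface, address) inside the old Syslab subnet.
    Refuses to guess when there are zero or several candidates."""
    net = ip_network(old_net)
    hits = [(i, a) for i, a in ipv4_addresses(text) if ip_interface(a).ip in net]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one address in {old_net}, found {hits}")
    return hits[0]


def team_addresses(team: int) -> Tuple[str, str, str]:
    """(LAN subnet, firewall LAN IP, client LAN IP) as in the lab table."""
    if not 0 <= team <= 9:
        raise ValueError("team number must be 0-9")
    net = ip_network(f"192.168.{110 + team}.0/24")
    return str(net), str(net.network_address + 1), str(net.network_address + 10)


def renumber_commands(text: str, team: int) -> List[str]:
    """The three Step 3 commands, with interface and old address taken from
    the parsed output rather than typed by hand."""
    iface, old = current_lan_address(text)
    net, gateway, client = team_addresses(team)
    prefixlen = net.split("/")[1]
    return [
        f"ip addr del {old} dev {iface}",
        f"ip addr add {client}/{prefixlen} dev {iface}",
        # 'replace' works whether or not a default route survived the deletion
        f"ip route replace default via {gateway}",
    ]


if __name__ == "__main__":
    import sys
    team = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    live = subprocess.run(["ip", "addr", "show"], capture_output=True,
                          text=True, check=True).stdout
    print("\n".join(renumber_commands(live, team)))   # print only; run as root yourself
```

Run it as python3 renumber.py <team number> on the LAN computer and copy the three printed lines into the root shell. The parser deliberately fails rather than guess when it finds zero or several 192.168.36.x addresses, since deleting the wrong address on a remote box is how you lose the session.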

Now that we are up and running, we want to make sure we have connectivity outbound through our NAT virtual firewall. Perform the following actions on your terminal:

  1. ping <LAN FW IP>
  2. ping 8.8.8.8
  3. nslookup www.google.com
  4. ping www.google.com

Every lookup and ping should succeed ("pung?").

As a next step, we're going to investigate who our computer appears to be on the internet. We know that our IP address is in our LAN subnet (192.168.x.x/24), but how do we appear on the internet?

  1. Open up a web browser on the LAN computer.
  2. Visit http://www.whatsmyip.org.

Question 2: What IP address did you get? Explain why you see the address you see.

Step 4 - Adding a Simple Firewall Rule

Firewalls are extremely important: they allow system administrators to block or allow access to network and Internet resources at a very granular level. By default, our pfSense firewall is set up to allow all connections outbound from the LAN segment and to allow almost nothing in from the WAN segment. The only exception to the inbound rule is the management web page through which you control the device (as a best practice you would normally allow that only from the LAN side). As our next exercise we're going to add a simple allow rule so that machines on the WAN side can ping the firewall to confirm it is running.

WAN Computer: Pull up a terminal window. Ping the virtual firewall's WAN IP address.

Question 3: Did the ping succeed? Why didn't the ping work?

Pull up the pfSense virtual firewall webpage. We need to add a firewall rule to allow WAN machines to ping the firewall interface, which at this point is blocked. Perform the following actions:

  1. Navigate to Firewall -> Rules
  2. Click the "WAN" tab.
  3. Click the + button in the lower-right hand corner of the list to add a new rule.
  4. In the Edit page:
    1. Action: Pass
    2. Interface: WAN
    3. TCP/IP Version: IPv4
    4. Protocol: ICMP
    5. Source: any
    6. Destination: WAN Address
    7. Description: ICMP Allow In
    8. Save
  5. When prompted, reload the firewall rules.

Question 4: Explain in "plain English" what the above rule does.

Step 5 - Adding a Service Port Forward

To make our firewall do something useful, we are going to now move into setting up a port-forward for a service that is running on our LAN computer, so that it is accessible from computers on the WAN side. We will be exposing the SSH daemon on our LAN computer to the WAN connection, and logging into the LAN computer through the port forward.

LAN Computer: Pull up a terminal window, and elevate yourself to root (sudo su). Perform the following steps:

apt-get update && apt-get install openssh-server

The openssh-server may already be installed on your Linux distribution, but if it isn't already, the command above should install the daemon. While it should start the daemon automatically, we want to verify it before continuing.

service ssh status

Additionally, it is always good to verify which port a daemon is listening on. The netstat command can be used to list all the ports that daemons are listening on, so we'll use it to verify SSH is listening on port 22 as expected. (On newer distributions netstat may not be installed; ss -tlnp shows the same listening-socket information.)

netstat -taunp | grep ssh

Question 5: What IP addresses are the 'sshd' daemon bound to? Why does it not match the LAN IP address?

At this point, the SSH daemon is running and ready for us. We will move onto configuring the port forward in our virtual firewall.

WAN Computer: On the pfSense virtual firewall webpage, we will be adding a special NAT port-forwarding rule into the firewall, so that we can connect via SSH into our LAN computer. Perform the following actions:

  1. Navigate to Firewall -> NAT
  2. If not selected, select the "Port Forward" tab
  3. Click the + button in the lower-right hand corner of the list to add a new rule.
  4. In the Edit page:
    1. Interface: WAN
    2. Protocol: TCP
    3. Destination: WAN Address
    4. Destination port range: from: SSH
    5. Redirect target IP: <LAN Computer IP Address>
    6. Redirect target port: SSH
    7. Description: Allow SSH to LAN Computer
    8. Save
  5. When prompted, reload the firewall rules. (Leave "Filter rule association" at its default of "Add associated filter rule": pfSense then creates a matching WAN pass rule for the forward, which you can see on the Firewall -> Rules, WAN tab. The translation alone is not enough; without that rule the forwarded connection would still be dropped by the WAN default deny.)

At this point, we should be able to SSH to our virtual firewall's WAN interface and be port-forwarded to the LAN computer running SSH. So, pull up your favorite SSH client and let's give it a go! (Note: if you are on Windows, PuTTY should be installed. If you are using Linux, use ssh from a terminal window.)

ssh mradmin@<WAN FW IP Address>

You should get a connection (the first time, your client will ask you to accept the LAN computer's host key fingerprint) and log into the mradmin account using the standard bluestone password. Congratulations, you have successfully set up a firewall with port forwarding. Verify that you are on the correct machine by issuing the command (within your SSH connection):

ip addr show

Verify that the IP address of the computer that you are on matches the LAN computer that you set up.

Question 6 - What ports can we setup in a NAT port forward? Do the ports on both sides have to be the same?

Step 6 - Running a LAN 'default-deny' firewall

Many organizations today run several different network types, each with its own firewall rule set. One of the most secure is a 'default-deny' network. Most computers you have ever used were probably on a 'default-allow' network, which lets you connect out to any machine on the Internet on any port you want. To run a highly secure network, organizations lock down their critical infrastructure to reduce both its exposure to non-trusted computers and its exposure to compromise.

One of the more stringent requirements that companies may face is PCI compliance for credit-card processing. While PCI compliance is extremely complex, there are some basic things we can cover to get a sense of what needs to happen in order to comply. Systems that process credit cards must sit behind firewalls with default-deny rule sets, commonly on NAT (private-address) networks: specific rules explicitly allow access to the credit-card vendors' websites or processing servers, and everything else is denied.

For this lab, we will implement a default-deny firewall ruleset with specific rules to only allow access to a few computers.

WAN Computer: Pull up the pfSense virtual firewall webpage. We will be adding LAN firewall rules to lock down our network connections. Perform the following actions:

  1. Navigate to Firewall -> Rules
  2. Click the + button in the lower-right hand corner of the list to add a new rule.
  3. In the Edit page:
    1. Action: Reject
    2. Interface: LAN
    3. Protocol: TCP
    4. Source: LAN Net
    5. Destination: any
    6. Destination port range: Any
    7. Description: Default deny for LAN Computers
    8. Save
  4. When prompted, reload the firewall rules.

Two things to note about this rule as written. First, it matches TCP only; UDP and ICMP from the LAN are not covered by it. Second, the action is Reject rather than Block: Reject drops the packet and answers (a TCP RST, or an ICMP unreachable for UDP), so a client fails immediately, whereas Block drops silently and the client waits for a timeout.

LAN Computer: Pull up a web browser on your machine. Try to visit a few web sites; perhaps cnn.com or reddit.com.

Question 7 - Did your LAN firewall rule work? Why or why not?

Hopefully, your firewall rule did not work at all. (At least, that is the intent.) While you probably made a perfectly good rule, chances are it was added at the bottom of the firewall rule list. If it was, you will have noticed that it isn't doing anything at all. Firewalls are designed with two "basic" rules in mind:

Question 8 - What do you need to do to fix your LAN default-deny rule?

WAN Computer: Hopefully, you are still on the LAN firewall rules page. If not, navigate back there before continuing. Perform the following actions:

  1. Check the box next to the "Default deny for LAN Computers" rule we created in the last step.
  2. Click the move (arrow) button next to the first rule in the list to move our rule above it.
  3. Remove the default allow rules for IPv4 and IPv6 by clicking the x button next to each rule.
  4. When prompted, reload the firewall rules.

LAN Computer: Pull up your web browser again. Once again, try to load some different websites this time around, perhaps slashdot.org or imgur.com. Are the websites available now? (Note: if the original sites you pulled up still work, it is possible that the browser has them cached. If you clear your cache, or open a private browsing session, the sites should not load.)
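To see why the position of the default-deny rule (Step 6) matters, and how the ICMP rule (Step 4) and the SSH port forward (Step 5) are evaluated, here is an added example that models pfSense's rule processing in Python. It is not pfSense code: pfSense writes GUI rules as pf "quick" rules, so the first matching rule in a list decides and nothing below it is consulted; port forwards are pf "rdr" translations applied before filtering, so the filter rules see the translated destination; and every list ends in an implicit silent block. Team 0's addresses from the table are used, and 203.0.113.5 is a constructed Internet host.

```python
"""First-match packet-filter model for Steps 4 to 6 of the lab.
Added example, not pfSense code.  Team 0 addresses from the lab table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

WAN_ADDR = "153.106.116.110"     # firewall WAN IP (team 0)
LAN_NET = "192.168.110.0/24"     # firewall LAN subnet (team 0)
LAN_CLIENT = "192.168.110.10"    # LAN computer (team 0)
OUTSIDE = "203.0.113.5"          # constructed Internet host (TEST-NET-3)


def _addr_match(spec: str, addr: str) -> bool:
    """spec is 'any', a single address, or a CIDR network."""
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrives on: "wan" or "lan"
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass", "block" (silent drop) or "reject"
    iface: str
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any port
    descr: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.proto in ("any", p.proto)
                and _addr_match(self.src, p.src) and _addr_match(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass(frozen=True)
class PortForward:
    iface: str
    proto: str
    dst: str                     # firewall address that is forwarded
    dport: int
    target: str                  # LAN host that really receives the connection
    target_port: int


def apply_rdr(p: Packet, forwards: Sequence[PortForward]) -> Packet:
    """Rewrite the destination if a port forward matches (pf 'rdr')."""
    for f in forwards:
        if (f.iface == p.iface and f.proto == p.proto
                and _addr_match(f.dst, p.dst) and f.dport == p.dport):
            return Packet(p.iface, p.proto, p.src, f.target, f.target_port)
    return p


def decide(p: Packet, rules: Sequence[Rule],
           forwards: Sequence[PortForward] = ()) -> Tuple[str, str]:
    """(action, description) of the first matching rule after translation;
    a pfSense rule list ends in an implicit silent block."""
    p = apply_rdr(p, forwards)
    for r in rules:
        if r.matches(p):
            return r.action, r.descr
    return "block", "implicit default deny"


def reject_response(proto: str) -> Optional[str]:
    """What a Reject rule sends back (pf 'block return'); Block sends nothing."""
    return {"tcp": "TCP RST", "udp": "ICMP port unreachable"}.get(proto)


# Step 4: the single WAN rule the lab adds.
WAN_RULES: List[Rule] = [Rule("pass", "wan", "icmp", "any", WAN_ADDR, descr="ICMP Allow In")]
# Step 5: the port forward plus the associated filter rule pfSense creates for it;
# note the rule's destination is the LAN host, because rdr has already run.
SSH_FORWARD = [PortForward("wan", "tcp", WAN_ADDR, 22, LAN_CLIENT, 22)]
WAN_RULES_SSH = WAN_RULES + [
    Rule("pass", "wan", "tcp", "any", LAN_CLIENT, 22, descr="NAT Allow SSH to LAN Computer")]
# Step 6 as first entered: the reject rule lands below the default allow rule.
LAN_RULES_BELOW = [
    Rule("pass", "lan", "any", LAN_NET, descr="Default allow LAN to any rule"),
    Rule("reject", "lan", "tcp", LAN_NET, descr="Default deny for LAN Computers")]
# Step 6 after moving the reject rule up and deleting the default allow rule.
LAN_RULES_ABOVE = [LAN_RULES_BELOW[1]]

if __name__ == "__main__":
    ping_in = Packet("wan", "icmp", OUTSIDE, WAN_ADDR)
    ssh_in = Packet("wan", "tcp", OUTSIDE, WAN_ADDR, 22)
    web_out = Packet("lan", "tcp", LAN_CLIENT, OUTSIDE, 443)
    dns_out = Packet("lan", "udp", LAN_CLIENT, "8.8.8.8", 53)
    print("WAN ping         :", decide(ping_in, WAN_RULES))
    print("WAN ssh, no fwd  :", decide(ssh_in, WAN_RULES))
    print("WAN ssh, fwd     :", decide(ssh_in, WAN_RULES_SSH, SSH_FORWARD))
    print("LAN web, below   :", decide(web_out, LAN_RULES_BELOW))
    print("LAN web, above   :", decide(web_out, LAN_RULES_ABOVE))
    print("LAN dns, above   :", decide(dns_out, LAN_RULES_ABOVE), "(TCP-only rule)")
```

The last line of the demo is worth noticing: with the reject rule at the top and the default allow rule deleted, a UDP DNS query is not matched by the TCP-only reject rule at all; it is the implicit deny at the end of the list that drops it, silently, which is why name lookups hang rather than fail fast. This model ignores state tracking (pf's "keep state" lets replies through without a rule of their own), which is enough for the questions in Steps 4 to 6.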

Step 7 - Adding explicit Allow rules

Now that we have a default-deny rule set in our firewall, we will be adding specific rules to allow access to one particular web site. To complete this section, you will be working with Google as your guide. Note: most websites use multiple domains that host parts of their content. For this section we will be using a pretty simple website, the Internet Systems Consortium's site at http://www.isc.org.

WAN Computer: Perform the following items:

LAN Computer: Perform the following items:


Submit your lab assignment via moodle.


Page created by Chris Wieringa. ©2016