Installing Pfsense Firewalls

SAIT Capstone
Installing Pfsense Firewalls
Protecting From the Internet
Justin Olmstead
2010
Installing Pfsense Firewalls 2010
Table of Contents
  Pre-installation Requirements
  Installation
  Configuring Security Settings
    Mac Filtering
    Block Bogon Networks
    Block Private Networks
    WebGUI Protocol
  Snort IDS Sensor Setup
    Installing snort package
    Setup Options
    Update Rules
    Categories
    Ensure Service is Running
  Squid & Squid Guard
    Installing Squid Package
    Config Example for Squid
    Installing Squid Guard Package
    Configure Squid Guard
Pre-installation Requirements
You will need:
- A pfSense ISO, burned to disc: http://www.pfsense.org/mirror.php?section=downloads
- A PC with at least:
  o 2 NICs (it is possible with a single NIC as a router-on-a-stick with VLANs, but that is not covered here)
  o 256MB RAM (1GB+ if the Snort sensor rules will be loaded)
  o 500MB hard drive
Installation
Follow: http://doc.pfsense.org/index.php/Installing_pfSense
Configuring Security Settings
There are several settings to configure for an Internet edge router.
Mac Filtering
Services > DHCP Server > Static ARP
This setting allows only specific MAC addresses (i.e. trusted switches, routers and servers) access to and
through the router.
Block Bogon Networks
Interfaces > WAN > Block Bogon Networks
When set, this option blocks traffic from IP addresses that are reserved (but not RFC 1918) or not yet
assigned by IANA. Bogons are prefixes that should never appear in the Internet routing table, and
obviously should not appear as the source address in any packets you receive.
Block Private Networks
Interfaces > WAN > Block Private Networks
When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC
1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave
this option turned on, unless your WAN network lies in such a private address space, too.
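The two WAN options overlap in people's minds but cover disjoint address space, so it helps to see the split in code. The following is an added example, not part of the capstone document or of pfSense: it models which option would drop a WAN packet by its source address. The RFC 1918 and loopback ranges are the ones the option text lists; the bogon list is a constructed, deliberately short stand-in (pfSense fetches and refreshes the real list), and the wan_is_private flag models the caveat about a WAN that itself sits in private space.

```python
import ipaddress

# Ranges covered by "Block private networks": RFC 1918 space plus loopback,
# as listed in the option text on the Interfaces > WAN page.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# "Block bogon networks" uses a list of reserved / IANA-unallocated prefixes that
# pfSense downloads and refreshes periodically. The real list is long and changes;
# this is a constructed, deliberately short stand-in for the example only.
SAMPLE_BOGONS = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24", "224.0.0.0/4", "240.0.0.0/4")
]


def classify_source(src, block_private=True, block_bogons=True):
    """Return "private", "bogon" or "allowed" for a WAN packet from src.

    The order mirrors the page: RFC 1918 is handled by the private-networks
    option and is deliberately absent from the bogon list.
    """
    addr = ipaddress.ip_address(src)
    if block_private and any(addr in net for net in PRIVATE_NETWORKS):
        return "private"
    if block_bogons and any(addr in net for net in SAMPLE_BOGONS):
        return "bogon"
    return "allowed"


def audit_wan_sources(sources, wan_is_private=False):
    """Map each source address to the verdict the two options would give.

    wan_is_private models the caveat in the option text: if the WAN itself sits
    in RFC 1918 space (e.g. behind an ISP router doing NAT), "Block private
    networks" must stay off or legitimate upstream traffic is dropped.
    """
    return {s: classify_source(s, block_private=not wan_is_private) for s in sources}


if __name__ == "__main__":
    # Constructed sample of source addresses seen on the WAN.
    sample = ["8.8.8.8", "192.168.1.5", "127.0.0.1", "192.0.2.10", "0.0.0.0"]
    for src, verdict in audit_wan_sources(sample).items():
        print(f"{src:>15}  {verdict}")
```

Run it as-is to see the verdict for each sample address; pass wan_is_private=True to audit_wan_sources to see the private-network check switched off while the bogon check stays active.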
WebGUI Protocol
System > General setup > WebGUI protocol: HTTP / HTTPS
Setting the web GUI protocol to HTTPS (the default is HTTP) increases security by encrypting the
transmission of the login.
Snort IDS Sensor Setup
An IDS sensor has rule sets specific to known hacking attempts and can be configured to warn about or
automatically block the originating IPs.
Installing snort package
System Packages
Click the
to begin installation. Do NOT navigate from this screen while installing.
Setup Options
Services > Snort
Input the information the same as in the screenshot below:
Then click "Save".
Update Rules
Click the Update Rules tab and wait for the rule update to finish. Do NOT navigate away from this screen
while updating.
Categories
Click the Categories tab and enable the following rulesets:
attack-responses.rules
backdoor.rules
bad-traffic.rules
bad-traffic.so.rules
ddos.rules
dos.rules
dos.so.rules
emerging-attack_response.rules
emerging-dos.rules
emerging-drop.rules
emerging-dshield.rules
emerging-exploit.rules
emerging-scan.rules
icmp.rules
other-ids.rules
Consider the following if you have an Internet-facing SQL database:
emerging-web_sql_injection.rules
Save changes at bottom of page.
Ensure Service is Running
Status > Services
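Once the sensor is running, the operational question is which alerts should turn into blocks and which must never do so. The following is an added example, not from the capstone document or the pfSense Snort package: it parses Snort's "fast" alert format, discards alerts below a chosen priority (1 is the most severe), and skips any source inside the LAN or loopback, since automatically blocking your own hosts is the usual way a sensor takes down a network. The alert lines, sids and messages are constructed placeholders, and the trusted networks are an assumption for the example.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert format, one alert per line:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# ICMP alerts carry no ports, and the Classification block is optional.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample alerts; the sids (9000001..) and messages are placeholders, not real rules.
SAMPLE_ALERTS = """\
12/07-14:23:01.123456  [**] [1:9000001:1] PLACEHOLDER exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.45:4444 -> 192.168.1.20:80
12/07-14:23:05.654321  [**] [1:9000002:1] PLACEHOLDER port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.45:51000 -> 192.168.1.20:22
12/07-14:24:10.000001  [**] [1:9000003:1] PLACEHOLDER ICMP probe [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.1
12/07-14:25:00.000002  [**] [1:9000004:1] PLACEHOLDER outbound policy hit [**] [Priority: 1] {TCP} 192.168.1.50:49152 -> 192.0.2.8:443
this line is not an alert and must be skipped
""".splitlines()

# Assumed for the example: networks whose hosts must never be auto-blocked (LAN and loopback).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]


def parse_alert(line):
    """Return a dict for a fast-format alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert


def is_trusted(ip, trusted=TRUSTED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def block_candidates(lines, max_priority=2, trusted=TRUSTED_NETWORKS):
    """Sources that would be blocked: priority <= max_priority (1 is most severe)
    and not in a trusted network. Returns [(src, alert_count), ...], busiest first."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        if is_trusted(alert["src"], trusted):
            continue
        counts[alert["src"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for src, n in block_candidates(SAMPLE_ALERTS):
        print(f"would block {src} ({n} alerts)")
```

The internal host in the fourth sample line fires a priority 1 alert but is skipped because it is inside the trusted LAN; raising max_priority to 3 pulls the low-priority ICMP probe into the candidate list as well, which is the trade-off to weigh before turning on automatic blocking.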
Squid & Squid Guard
Squid is a high-performance HTTP proxy which, in combination with the Squid Guard package, allows for
fine-grained Access Control Lists, blacklisting, whitelisting, and time-based restrictions.
Installing Squid Package
System Packages
Install Squid first.
Configuration Example for Squid
Go to Services > Proxy Server > General Settings
Proxy interface: LAN
    The interface(s) the proxy server will bind to.
Allow users on interface
    If this field is checked, the users connected to the interface selected in the 'Proxy interface' field
    will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list
    of allowed subnets. This is just a shortcut.
Transparent proxy
    If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy
    server without any additional configuration necessary.
Bypass proxy for Private Address Space (RFC 1918) destination
    Do not forward traffic to Private Address Space (RFC 1918) destinations through the proxy server but
    directly through the firewall.
Bypass proxy for these source IPs
    Do not forward traffic from these source IPs through the proxy server but directly through the
    firewall. Separate by semi-colons (;).
Enabled logging
    This will enable the access log. Don't switch this on if you don't have much disk space left.
Log store directory: /var/squid/log
    The directory where the log will be stored (note: do not end with a / mark).
Log rotate
    Defines how many days of logfiles will be kept. Rotation is disabled if left empty.
Proxy port: 3128
    This is the port the proxy server will listen on.
ICP port
    This is the port the proxy server will send and receive ICP queries to and from neighbor caches.
    Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.
Visible hostname: localhost
    This is the URL to be displayed in proxy server error messages.
Administrator email: admin@localhost
    This is the email address displayed in error messages to the users.
Language: English
    Select the language in which the proxy server will display error messages to users.
Disable XForward
    If not set, Squid will include your system's IP address or name in the HTTP requests it forwards.
Disable VIA
    If not set, Squid will include a Via header in requests and replies as required by RFC2616.
What to do with requests that have whitespace characters in the URI: strip
    strip: The whitespace characters are stripped out of the URL. This is the behavior recommended by
    RFC2396.
    deny: The request is denied. The user receives an "Invalid Request" message.
    allow: The request is allowed and the URI is not changed. The whitespace characters remain in the
    URI.
    encode: The request is allowed and the whitespace characters are encoded according to RFC1738.
    chop: The request is allowed and the URI is chopped at the first whitespace.
Use alternate DNS-servers for the proxy-server
    If you want to use other DNS servers than the DNS forwarder, enter the IPs here, separated by
    semi-colons (;).
Suppress Squid Version
    If set, suppress Squid version string info in HTTP headers and HTML error pages.
Custom Options
    You can put your own custom options here, separated by semi-colons (;). They'll be added to the
    configuration. They need to be squid.conf native options, otherwise squid will NOT work.
Then click Save.
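With logging enabled and the log store set to /var/squid/log, the access log is the first place to look when a client is behaving oddly or the disk is filling up. The following is an added example, not from the capstone document or the Squid project: it parses Squid's native access.log format and summarises requests, bytes and denied requests per client. The ten-field layout is Squid's default native format; the "strip" whitespace setting above is what keeps the URL field free of spaces, so a plain whitespace split is safe. The log lines, hostnames and addresses are constructed placeholders.

```python
from collections import defaultdict

# Squid native access.log format, ten whitespace-separated fields per request:
# timestamp elapsed_ms client result_code/status bytes method url ident hierarchy/peer content_type
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "content_type")

# Constructed sample lines; hosts and addresses are placeholders.
SAMPLE_LOG = """\
1291000000.100    120 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.20 text/html
1291000001.200     15 192.168.1.10 TCP_HIT/200 800 GET http://www.example.com/logo.png - NONE/- image/png
1291000002.300      5 192.168.1.22 TCP_DENIED/403 1500 GET http://forbidden.example/ - NONE/- text/html
1291000003.400     70 192.168.1.22 TCP_MISS/200 20480 GET http://files.example/big.zip - DIRECT/192.0.2.30 application/zip
not a log line
""".splitlines()


def parse_access_line(line):
    """Return a dict for one native-format line, or None if the field count is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # "TCP_MISS/200" -> result code and HTTP status
    code, _, status = rec["result"].partition("/")
    rec["code"] = code
    rec["status"] = int(status) if status.isdigit() else None
    rec["bytes"] = int(rec["bytes"])
    rec["timestamp"] = float(rec["timestamp"])
    return rec


def summarize_by_client(lines):
    """Per-client request count, bytes served and number of TCP_DENIED responses."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0})
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # rotated-file headers, truncated lines, etc.
        entry = summary[rec["client"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        if rec["code"] == "TCP_DENIED":
            entry["denied"] += 1
    return dict(summary)


def denied_urls(lines):
    """(client, url) pairs for every request the proxy refused."""
    out = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["code"] == "TCP_DENIED":
            out.append((rec["client"], rec["url"]))
    return out


if __name__ == "__main__":
    for client, stats in sorted(summarize_by_client(SAMPLE_LOG).items()):
        print(f"{client:>15}  requests={stats['requests']:<4} bytes={stats['bytes']:<8} denied={stats['denied']}")
    for client, url in denied_urls(SAMPLE_LOG):
        print(f"denied  {client}  {url}")
```

Pointing the two functions at open("/var/squid/log/access.log") instead of SAMPLE_LOG gives the same summary over the real log; the byte totals per client are also a quick way to see who is driving the log growth the disk-space caveat warns about.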
Installing Squid Guard Package
System Packages
Install Squid Guard
Configure Squid Guard
Go to Services > Proxy filter > General Settings
Several well-made blacklists already exist for Squid Guard. Search for "squid guard blacklists" and enter
the URL of one of them, or use the one in the above example.
Click "Save", then, once it has downloaded and unpacked the blacklist, click the Apply button to start
Squid Guard.