SAIT Capstone
Installing Pfsense Firewalls: Protecting From the Internet
Justin Olmstead, 2010

Installing Pfsense Firewalls 2010

Table of Contents
- Pre-installation Requirements ... 3
- Installation ... 3
- Configuring Security Settings ... 3
  o Mac Filtering ... 3
  o Block Bogon Networks ... 3
  o Block Private Networks ... 3
  o WebGUI Protocol ... 4
- Snort IDS Sensor Setup ... 4
  o Installing snort package ... 4
  o Setup Options ... 4
  o Update Rules ... 5
  o Categories ... 6
  o Ensure Service is Running ... 6
- Squid & Squid Guard ... 6
  o Installing Squid Package ... 7
  o Configuration Example for Squid ... 7
  o Installing Squid Guard Package ... 9
  o Configure Squid Guard ... 10
Pre-installation Requirements

You will need:
- pfSense ISO, burned to disc: http://www.pfsense.org/mirror.php?section=downloads
- A PC with at least:
  o 2 NICs (it is possible to do it with one NIC as a router-on-a-stick with VLANs, but that is not covered here)
  o 256MB RAM (1GB+ if the Snort sensor rules will be loaded)
  o 500MB hard drive

Installation

Follow: http://doc.pfsense.org/index.php/Installing_pfSense

Configuring Security Settings

There are several settings to configure for an Internet edge router.

Mac Filtering

Services > DHCP Server > Static ARP

This setting allows only specific MAC addresses (i.e. trusted switches, routers and servers) access to and through the router.

Block Bogon Networks

Interfaces > WAN > Block Bogon Networks

When set, this option blocks traffic from IP addresses that are reserved (but not RFC 1918) or not yet assigned by IANA. Bogons are prefixes that should never appear in the Internet routing table, and obviously should not appear as the source address in any packets you receive.

Block Private Networks

Interfaces > WAN > Block Private Networks

When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.

WebGUI Protocol

System > General setup > WebGUI protocol: HTTP / HTTPS

Setting the web GUI protocol to HTTPS (the default is HTTP) increases security and encrypts the transmission of the login.

Snort IDS Sensor Setup

An IDS sensor has rule sets specific to known hacking attempts and can be configured to warn about, or automatically block, the originating IPs.

Installing snort package

System > Packages

Click the install icon next to the snort package to begin installation. Do NOT navigate from this screen while installing.
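The WAN source-address checks behind the Block Bogon Networks and Block Private Networks options above, as an added example (not code from the capstone document or from pfSense): a classifier that says which option would drop a packet, run over constructed log lines. The bogon list is a short constructed sample; pfSense fetches the full, changing list itself.

```python
"""Classify inbound WAN source addresses the way the pfSense 'Block private
networks' and 'Block bogon networks' options do. Added example, not code from
the capstone document or from pfSense."""
import ipaddress
import re
from collections import defaultdict

# RFC 1918 space plus loopback: the ranges named in the 'Block private
# networks' help text.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed, deliberately short bogon sample: reserved or unassigned prefixes
# that are not RFC 1918. pfSense downloads the full, changing list itself.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "100.64.0.0/10", "192.0.2.0/24",
               "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4")]

def classify_source(src: str) -> str:
    """Name the WAN option that would drop a packet with this source address:
    'private', 'bogon', or 'allowed' when neither list matches."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    if any(addr in net for net in BOGON_NETS):
        return "bogon"
    return "allowed"

# Constructed log lines in a simple 'proto src=... dport=...' shape, not
# pfSense's own filterlog format.
SAMPLE_LOG = """\
WAN tcp src=10.20.30.40 dport=443
WAN tcp src=8.8.8.8 dport=80
WAN udp src=198.51.100.7 dport=53
WAN tcp src=127.0.0.1 dport=22
WAN tcp src=100.64.9.9 dport=25
"""
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")

def audit_log(text: str) -> dict:
    """Group each line's source address under the verdict it would receive."""
    verdicts = defaultdict(list)
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if m:
            verdicts[classify_source(m.group(1))].append(m.group(1))
    return dict(verdicts)
```

Only the source address matters here, which is why the sample lines carry no destination: the WAN options act before any rule that looks at where the packet is going.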
Setup Options

Services > Snort

Input the information the same as what is in the screenshot below:

(Screenshot of the Snort settings page; not reproduced here.)

Then click "Save".

Update Rules

Click the Update Rules tab and wait for the rule update to finish. Do NOT navigate from this screen while updating.

Categories

Click the Categories tab and enable the following rulesets:
- attack-responses.rules
- backdoor.rules
- bad-traffic.rules
- bad-traffic.so.rules
- ddos.rules
- dos.rules
- dos.so.rules
- emerging-attack_response.rules
- emerging-dos.rules
- emerging-drop.rules
- emerging-dshield.rules
- emerging-exploit.rules
- emerging-scan.rules
- icmp.rules
- other-ids.rules

Consider the following if you have a forward-facing SQL database:
- emerging-web_sql_injection.rules

Save changes at the bottom of the page.

Ensure Service is Running

Status > Services

Squid & Squid Guard

Squid is a high-performance HTTP proxy which, in combination with the SquidGuard package, allows for fine-grained access control lists, blacklisting, whitelisting and time-based restrictions.

Installing Squid Package

System > Packages

Install Squid first.

Configuration Example for Squid

Go to Services > Proxy Server > General Settings and set the following:

- Proxy interface: LAN. The interface(s) the proxy server will bind to.
- Allow users on interface: If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.
- Transparent proxy: If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.
- Bypass proxy for Private Address Space (RFC 1918) destination: Do not forward traffic to Private Address Space (RFC 1918) destinations through the proxy server but directly through the firewall.
- Bypass proxy for these source IPs: Do not forward traffic from these source IPs through the proxy server but directly through the firewall. Separate by semicolons (;).
- Enable logging: This will enable the access log. Don't switch this on if you don't have much disk space left.
- Log store directory: /var/squid/log. The directory where the log will be stored (note: do not end with a / mark).
- Log rotate: Defines how many days of logfiles will be kept. Rotation is disabled if left empty.
- Proxy port: 3128. This is the port the proxy server will listen on.
- ICP port: This is the port the proxy server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.
- Visible hostname: localhost. This is the URL to be displayed in proxy server error messages.
- Administrator email: admin@localhost. This is the email address displayed in error messages to the users.
- Language: English. Select the language in which the proxy server will display error messages to users.
- Disable XForward: If not set, Squid will include your system's IP address or name in the HTTP requests it forwards.
- Disable VIA: If not set, Squid will include a Via header in requests and replies as required by RFC 2616.
- What to do with requests that have whitespace characters in the URI: strip. The options are:
  o strip: The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC 2396.
  o deny: The request is denied. The user receives an "Invalid Request" message.
  o allow: The request is allowed and the URI is not changed. The whitespace characters remain in the URI.
  o encode: The request is allowed and the whitespace characters are encoded according to RFC 1738.
  o chop: The request is allowed and the URI is chopped at the first whitespace.
- Use alternate DNS-servers for the proxy-server: If you want to use other DNS servers than the DNS forwarder, enter the IPs here, separated by semicolons (;).
- Suppress Squid Version: If set, suppress Squid version string info in HTTP headers and HTML error pages.
- Custom Options: You can put your own custom options here, separated by semicolons (;). They'll be added to the configuration. They need to be squid.conf native options, otherwise squid will NOT work.

Click "Save".

Installing Squid Guard Package

System > Packages

Install SquidGuard.

Configure Squid Guard

Go to Services > Proxy filter > General Settings.

(Screenshot of the SquidGuard General Settings page; not reproduced here.)

Several well-made lists exist for SquidGuard already. Google "squid guard blacklists" and input one of theirs, or use the one in the above example.

Click "Save", then once it has downloaded and unpacked the blacklist, hit the Apply button to start SquidGuard.
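The five whitespace-in-URI policies listed under the Squid settings above (strip, deny, allow, encode, chop), implemented as one pure function so the effect of each choice can be compared on the same request line. This is an added example, not code from the capstone document or from Squid itself; the set of whitespace characters it acts on is an assumption.

```python
"""The Squid 'whitespace characters in the URI' policies from the proxy
settings, as a pure function. Added example, not Squid's own code."""
import re

# Assumed whitespace set: space, tab, CR, LF, VT, FF.
WHITESPACE = re.compile(r"[ \t\r\n\v\f]")
POLICIES = ("strip", "deny", "allow", "encode", "chop")

def apply_uri_whitespace(uri: str, policy: str):
    """Return the URI the proxy would act on, or None when the request is denied."""
    if policy not in POLICIES:
        raise ValueError(f"unknown whitespace policy: {policy}")
    if not WHITESPACE.search(uri):
        return uri                        # clean request line, nothing to do
    if policy == "strip":                 # drop the characters (RFC 2396 advice)
        return WHITESPACE.sub("", uri)
    if policy == "deny":                  # reject with "Invalid Request"
        return None
    if policy == "allow":                 # pass the line through unchanged
        return uri
    if policy == "encode":                # percent-encode per RFC 1738
        return WHITESPACE.sub(lambda m: "%%%02X" % ord(m.group()), uri)
    return WHITESPACE.split(uri, maxsplit=1)[0]   # chop at first whitespace

def compare_policies(uri: str) -> dict:
    """Show what each policy makes of one request URI."""
    return {p: apply_uri_whitespace(uri, p) for p in POLICIES}

if __name__ == "__main__":
    for policy, result in compare_policies("http://example.com/a b\tc").items():
        print(f"{policy:>6}: {result!r}")
```

Of the five, deny is the only policy that refuses to guess how an ambiguous request line should be repaired; the strip default chosen in the settings above follows the RFC 2396 recommendation instead.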