Configuring a pfSense Firewall on the Client

Topology

Click the link below to view the network topology for this lab:

Topology

Introduction

A multitude of firewalls is commercially available in the market. Some organizations even build their own custom solutions. An organization might have a single firewall sitting on the only connection to the global Internet, or a sophisticated, defense-in-depth structure of firewalls that provides more protection for certain subnets than for others. Organizations might also establish internal zones that allow them to use firewalls to protect internal departments from each other and another system protecting the entire organization from outsiders. According to the 2013 Data Breach Investigations Report (http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf), 14 percent of all successful data breaches involve internal attackers.

Firewalls can be completely software-based and run on an endpoint or a server. They can be implemented in stand-alone hardware or a hybrid. Increasingly, vendors make their firewalls available as virtual appliances. In any case, the job of the firewall is fairly straightforward: to examine traffic going between the "outside" and the "inside," determine whether that traffic adheres to a set of rules, and decide what to do if it does not. Where most firewalls differ is in how they define the rules and determine what to do if the traffic does not meet the rules; the difference lies not in the conceptual function, but in the implementation and the ongoing management of the device.

In this lab, you will delve into the configuration of the pfSense firewall to control client access to the Internet. The pfSense firewall is a current generation product that has most of the functionality and options that will be found in most firewall products, though the implementation may vary somewhat from firewall to firewall.

This lab has three parts, which should be completed in the order specified:

  1. In the first part of the lab, you will plan the implementation of a local pfSense Firewall using a spreadsheet. You will answer all of the configuration questions in advance of actually making any changes to the firewall.
  2. In the second part of the lab, you will implement the configuration choices that you planned in Part 1 of this lab.
  3. Finally, if assigned by your instructor, you will explore the virtual environment on your own to answer a set of challenge questions that enable you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

  1. Complete a Physical Configuration planning worksheet and understand the general rules of physical configuration planning for a firewall that controls client access.
  2. Complete the Firewall Rules planning worksheet and understand the general rules for firewall rules planning for a firewall that controls client access.
  3. Configure the physical connectivity of a firewall that controls client access.
  4. Configure firewall rules for a firewall that controls client access.

Tools and Software

The following software and/or utilities are required to complete this lab. You are encouraged to explore the Internet to learn more about the products and tools used in this lab.

  • pfSense Firewall

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

  1. A completed pfSenseFirewallPlanning.xlsx spreadsheet;
  2. Lab Report file including screen captures of the following steps: Part 2, Step 21;
  3. Optional: Challenge Questions file, if assigned by your instructor.


Hands-On Steps

Note: This lab contains detailed lab procedures that you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

  1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 "Student Landing" workstation

  2. On your local computer, create the lab deliverable files.
  3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Planning the Configuration

Note: There are two different approaches to configuring a firewall, or any computer software for that matter. The first, and most common, is to "dive right in" and trust that the process is fairly easy and straightforward. The second approach is to plan the configuration steps in advance before implementing your choices. The "dive right in" approach is very common, especially in smaller shops or for individuals, but the more prudent, careful, and professional approach is to plan the configuration in advance. By documenting the configuration choices in advance, carefully considering each in the proper context, you streamline your process. Because even the most diligent planner can overlook something, by recording any changes that are made during the implementation process, you will have a starting point for replicating the configuration in the future, whether to add new firewalls or to replace the existing one (in case of an outage).

In the next steps, you will complete the pfSenseFirewallPlanner spreadsheet. This spreadsheet contains two worksheets: Physical Configuration and Firewall Rules. The spreadsheet is designed to document answers to the questions prompted by the pfSense Firewall Setup Wizard, in the order you will be required to answer them. You will record the configuration settings for the pfSense firewall in this spreadsheet as you proceed through the lab. It is a good idea to scan Part 2 of this lab if you are unfamiliar with firewall configurations. Seeing how the questions are posed by the wizard might help you understand how the pfSenseFirewallPlanner spreadsheet works in conjunction with the wizard.

  1. Click the File Transfer button on the vWorkstation desktop to transfer the pfSenseFirewallPlanner file from the virtual desktop to your local computer.
  2. Open the pfSenseFirewallPlanner spreadsheet on your local computer.

The first item on the Physical Configuration worksheet is Hostname. A hostname is the unique name of the computer (host) on the network capable of originating or responding to an interaction using the Internet Protocol.

  3. In the Settings column of the Physical Configuration worksheet, type firewall.
  4. In the Comments column of the Physical Configuration worksheet, type firewall.local.

This is how the pfSense firewall refers to itself.

  5. The next item on the Physical Configuration worksheet is Domain. As this is a local firewall, type local in the Settings column.

Figure 2 Firewall Configuration worksheet

  6. Leave the next two fields, Primary DNS Server and Secondary DNS Server, blank.

If the firewall uses DHCP to configure the WAN interface, then the DNS servers will be provided by DHCP.

  7. Type 172.21.4.10 in the Settings column of the Time Server Hostname row.

This information should be provided by the network administrator (or your ISP).

Note: The pfSense firewall timestamps log entries; therefore, it is essential that all firewalls use the correct time and date so that logs can be easily correlated to security events. In production, a time server should ALWAYS be used.

  8. In the Settings column of the Timezone row, type UTC.

This information has been provided by the network administrator.

  9. Type Static in the Settings column of the WAN Interface row and type 192.168.16.5/24 in the Comments column.

According to the network administrator, this computer uses a static connection. The pfSense Firewall Setup Wizard offers a choice of DHCP, Static, PPPoE, and PPTP WAN interface types.

Figure 3 Firewall Configuration worksheet (continued)

  10. In this lab, there isn't an interface that will require a MAC address, so leave the Settings column for this row blank.

If required by your network configuration, you would type the source MAC address in the Settings column.

  11. In the Settings column of the MTU (Maximum Transmission Unit) row, type Default and add a note in the Comments column to indicate that the default value is accurate.

For compatibility with the widest range of networks, pfSense allows us to specify an MTU size.

  12. Type 192.168.16.5 in the Settings column of the IPv4 address row.
  13. Type /24 in the Settings column of the Classless Interdomain Routing (CIDR) row.

If you receive an Excel error when trying to type the / character, type '/24 (with a leading apostrophe) to force Excel to accept the / as a text character rather than as a symbol.

Figure 4 Physical Configuration worksheet (continued)

  14. Leave the Settings column of the Gateway row blank.

Normally this is provided by your ISP and will be the default route to the Internet.

  15. Leave the Settings column of the DHCP hostname row blank and add a note in the Comments column.

A DHCP hostname is not required in this configuration, though some Internet Service Providers require it (for security and verification reasons).

  16. Make no changes to the rows related to the PPPoE WAN interface.

The PPPoE connection used by the virtual lab is established as a permanent connection and requires no specific configuration.

  17. Make no changes to the rows related to Point-to-Point Tunneling Protocol (PPTP).

The virtual lab does not use Point-to-Point Tunneling Protocol.

  18. Type No in the Settings column of the Block RFC1918 Private Networks row.

On a production "Internet-facing" firewall, you will almost always block RFC1918 Private Networks. In the lab environment, this setting will erroneously block addresses you use.

Note: RFC1918 is an Internet Activity Board document called a Request for Comment (which is as close as one gets to a "standard" on the Internet) that describes what addresses can be used for private networks, or, more accurately, re-used for all private networks. Under normal circumstances, these addresses are never seen on the Internet. Hackers often use traffic with these address ranges in an attempt to confuse hardware and/or software in a variety of ways. It is a good idea to force the firewall to block this traffic on a production firewall.

  19. Type No in the Settings column of the Block bogon networks row.

Note: Packets with addresses in address space that has not yet been assigned by the Internet Assigned Names and Numbers Authority (IANA), and that is not described in RFC1918, are referred to as bogons, or packets with bogus addresses. By setting this configuration option to "Don't block," you are allowing traffic with those addresses. The IANA had assigned all of the IPv4 address blocks as of mid-2011, eliminating the possibility of unassigned (bogus) address blocks, even though there is no assurance that individual addresses in those blocks are valid.
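The following Python snippet is an added illustration, not part of the lab or of pfSense, of why step 18 leaves the "Block RFC1918 Private Networks" option off in this environment. It models the option as a check on the source address of packets arriving on the WAN interface, using the three RFC1918 ranges, and tests it against the worksheet's own addresses (the WAN subnet 192.168.16.0/24 and the time server 172.21.4.10). The host 192.168.16.1 is a constructed neighbour on the WAN subnet, and the function names are this example's own.

```python
import ipaddress
from typing import List

# The three RFC1918 private address ranges (well-known values, not lab-specific).
RFC1918_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(address: str) -> bool:
    """True if the address falls in any RFC1918 private range."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918_NETWORKS)


def wan_source_allowed(source: str, block_rfc1918: bool) -> bool:
    """Model the 'Block RFC1918 Private Networks' WAN option.

    With the option enabled, a packet arriving on WAN from a private
    source address is dropped before any other rule is considered.
    """
    return not (block_rfc1918 and is_rfc1918(source))


# Addresses the lab's pfSense instance must talk to across its WAN side.
# 192.168.16.1 is a constructed host on the worksheet's WAN subnet;
# 172.21.4.10 is the time server from the Physical Configuration worksheet.
LAB_WAN_PEERS = {
    "host on WAN subnet": "192.168.16.1",
    "time server": "172.21.4.10",
}


def blocked_lab_peers(block_rfc1918: bool = True) -> List[str]:
    """Names of lab peers whose traffic the WAN option would drop."""
    return [
        name for name, ip in LAB_WAN_PEERS.items()
        if not wan_source_allowed(ip, block_rfc1918)
    ]


if __name__ == "__main__":
    # With the option on, both lab peers are private addresses and get dropped;
    # a public (documentation-range) source such as 203.0.113.9 still passes.
    print("blocked with option on :", blocked_lab_peers(True))
    print("blocked with option off:", blocked_lab_peers(False))
    print("203.0.113.9 allowed    :", wan_source_allowed("203.0.113.9", True))
```

On a production firewall whose WAN faces the public Internet, `wan_source_allowed` returning False for a private source is exactly the desired outcome; in this lab, every upstream address is itself private, so the same check would cut the firewall off from its own network.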

  20. Type 172.30.0.5 in the Settings column of the LAN IP Address row.
  21. Type /24 in the Settings column of the Subnet Mask row.
  22. Type P&ss9999 in the Settings column of the Admin password row.

This information comes from the network administrator. Note that the password has the following characteristics: an uppercase character, at least one special character (the ampersand, which is the symbol &), and numbers (in this case, 9999). Passwords are admittedly poor tools to secure our assets, but are still used extensively on the Internet and by security tools.

Note: Up to this point, you have planned for the administrative configuration of the local firewall using the pfSense Firewall Planner spreadsheet. Now, you will complete the Firewall Rules worksheet.

The first consideration you will encounter is the order of your definition lists. You can compare the process of defining firewall rules to the process of defining most Access Control Lists (ACLs). In both cases, the simplest approach is best. These are not sophisticated programs with conditional branching logic, but rather simple lists of rules that are evaluated in order; when two rules conflict, the first rule in the list that applies is used. For example, if line 3 of the definition says "don't allow X for a certain condition," but in line 22 you decide to "allow X for a certain condition," the first rule that matches "a certain condition" is in line 3, so that is the rule that will always be followed.

The second consideration is whether the firewall is, by default, permissive or restrictive, that is to say, whether everything is allowed by default (permissive) or not allowed by default (restrictive). In the first case (permissive), very few support calls are generated, and users are usually happier because everything that they wish to do is allowed by default; rules exist only for known security problems, which rarely interfere with what a user wants to do. However, this approach also leaves the door open for a wide variety of security risks. The restrictive approach says that, by default, everything is restricted unless it is specifically allowed. From a security standpoint, this is the preferred approach, though it requires more thoughtful configuration of the rules. The second approach, restrictive, is the one applied by the pfSense firewall: every type of packet that is not explicitly passed is blocked by default. In other words, every packet that comes into the computer is evaluated against the firewall rules and is blocked by the firewall if it is not explicitly allowed (passed).

In the next steps, you will use the Firewall Rules worksheet to plan the configuration of a local firewall for this virtual computer. You will allow specific actions and block everything else. You will begin by deciding which actions to allow. You must recognize that any actions you allow may have security implications in and of themselves, but to be useful you have to allow the computer to do some actions and have some interactions with the network.

  23. Click the Firewall Rules tab at the bottom of the pfSenseFirewallPlanner worksheet to open the Firewall Rules worksheet.

Figure 5 Firewall Rules worksheet

  24. Compare the headings in the Firewall Rules worksheet with the following table. Each field in the worksheet is described in this table. You will need this information to complete the firewall rules configuration.

Column A, Action: Action indicates the action you wish the pfSense firewall to take when it encounters a certain type of network traffic. The choices are pass, block, or reject. The difference between block and reject is important. In the case of block, the questionable incoming packet is blocked and discarded (or logged, based upon the setting for that option). There is no indication to the sender that the packet has not reached the intended destination. If reject is chosen, then a packet is returned to the sender indicating that the packet or packets they sent were not accepted. There are numerous cases of rejected packets being used by malicious software and malicious individuals to verify that a computer exists at a designated IP address, and then to attempt additional infiltration. It is, therefore, recommended that traffic be rejected only in very specific cases.

Column B, Disabled: Disabled allows a rule to be disabled but not deleted. This can be used for testing purposes or to temporarily allow a certain action.

Column C, Interface: Interface allows a firewall rule to be applied only to a specific interface (WAN or LAN) or type of tunnel in the interface (PPPoE, PPTP, or IPSec).

Column D, Protocol: Protocol allows rules to be applied only to certain types of packets, which use a specific protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

Columns E-H, Source IP Address: Source IP Address allows inverting the address comparison (if NOT is marked) and the specification of the IPv4 address and CIDR (/n) indicator.

Columns I-J, Source Port Range: Source Port Range allows the rule to be applied only to specific source port ranges or to any source port. Because the source computer uses the ephemeral ports (usually port numbers from 49152 to 65535) as the source port and can use any available ephemeral port, this option is usually left blank or "Any."

Column K, Source O/S: Source O/S enables traffic to be allowed by a certain rule only from specific operating systems and only for Transmission Control Protocol (TCP) traffic.

Columns L-O, Destination IP Address: Destination IP Address allows inverting the address comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.

Columns P-Q, Destination Port Range: Destination Port Range allows the rule to be applied only to specific destination port ranges or to any destination port.

Column R, Log: Log indicates whether the packets handled by this specific rule should be logged.

Column S, Description: Description allows a brief alphanumeric description of each rule to be entered.

Note: In this lab, you will allow the traffic displayed in this figure.

Figure 6 Firewall Rules' allowable traffic

The pfSense firewall requires a different rule for Secure Hypertext Transfer Protocol (HTTPS) traffic. At this time, you will not specify a rule for HTTPS traffic. This means that when the browser encounters a Web site that utilizes the HTTPS protocol, that traffic will not be passed through the firewall. Keep in mind that this is a good example for a lab exercise, but not for practical implementation. In actual implementations, there should also be a rule to pass, block, or reject HTTPS traffic.

  25. In Column S of the Firewall Rules worksheet, type Internet Browsing.

You will create a rule to allow browsing of the Internet according to the following definition: Pass (Column A) all traffic on the LAN interface (Column C) using the TCP protocol (Column D) from any source address with any subnet mask (Columns E-H), for the standard port range for Hyper Text Transport Protocol (HTTP) (Columns I-J), to any Destination IP Address (Columns L-O) on the HTTP port range (Columns P-Q); there is no need to log the traffic (Column R).

  26. In Column A of the Firewall Rules worksheet, select Pass from the drop-down list to allow Internet traffic.
  27. In Column C, type LAN.
  28. In Column D, type TCP.
  29. In Columns F and G, type Any.
  30. In Columns I and J, type Any.
  31. In Columns M and N, type Any.
  32. In Columns P and Q, type HTTP.
  33. In Column R, type No.
  34. Repeat steps 25-33 to create the following rule descriptions (Column S). If necessary, use the table that follows to determine which adjustments to make.
    • Allow e-mail to and from anyone and specify the port range as the one used by the Simple Mail Transfer Protocol (SMTP).
    • Allow File Transfer Protocol (FTP) so that users can send files back and forth.
    • Allow Domain Name Service (DNS) so that users can type URLs instead of requiring them to know the specific IP addresses of any Web sites they wish to visit.
    • Allow Internet Control Message Protocol (ICMP) messages, such as the PING diagnostic message.

Firewall Rule    Protocol    Destination Port Range
Allow SMTP       TCP         Any-Any
Allow FTP        TCP         Any-Any
Allow DNS        TCP         Any-Any
Allow ICMP       ICMP        Any-Any
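To make the two rule-evaluation considerations from Part 1 concrete (first matching rule wins, and anything no rule passes is blocked), the following Python model is added here as an illustration; it is not pfSense's implementation and not part of the lab. It encodes the LAN rule set planned in steps 25-34, assuming the standard service ports 80 (HTTP), 25 (SMTP), 21 (FTP) and 53 (DNS) where the lab's table leaves the destination range as Any-Any, and then runs a few constructed packets through it. The client address 172.30.0.20 sits on the worksheet's LAN subnet; 203.0.113.x and 198.51.100.x are documentation-range destinations; `Rule`, `Packet`, `matches` and `evaluate` are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = "0.0.0.0/0"  # "Any" in the worksheet: the whole IPv4 space


@dataclass(frozen=True)
class Rule:
    action: str                                   # Column A: "pass", "block" or "reject"
    interface: str                                # Column C: "LAN" or "WAN"
    protocol: str                                 # Column D: "TCP", "UDP", "ICMP" or "any"
    source: str = ANY_NET                         # Columns E-H as a CIDR network
    destination: str = ANY_NET                    # Columns L-O as a CIDR network
    dst_ports: Optional[Tuple[int, int]] = None   # Columns P-Q, inclusive; None means any
    disabled: bool = False                        # Column B
    description: str = ""                         # Column S


@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None                # None for port-less protocols (ICMP)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every populated field of the rule agrees with the packet."""
    if rule.disabled or rule.interface != pkt.interface:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.source):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.destination):
        return False
    if rule.dst_ports is not None:
        low, high = rule.dst_ports
        if pkt.dst_port is None or not low <= pkt.dst_port <= high:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the list top-down; the first matching rule decides.

    A packet that matches no rule is blocked: the restrictive default.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"


# The LAN rule set planned in Part 1 (ports are an assumption; see lead-in).
LAB_RULES = [
    Rule("pass", "LAN", "TCP", dst_ports=(80, 80), description="Internet Browsing"),
    Rule("pass", "LAN", "TCP", dst_ports=(25, 25), description="Allow SMTP"),
    Rule("pass", "LAN", "TCP", dst_ports=(21, 21), description="Allow FTP"),
    Rule("pass", "LAN", "TCP", dst_ports=(53, 53), description="Allow DNS"),
    Rule("pass", "LAN", "ICMP", description="Allow ICMP"),
]

# The "line 3 / line 22" ordering example from Part 1: an early block beats a later pass.
ORDER_DEMO = [
    Rule("block", "LAN", "TCP", destination="203.0.113.0/24", description="line 3: block X"),
    Rule("pass", "LAN", "TCP", description="line 22: allow X"),
]

CLIENT = "172.30.0.20"  # constructed host on the worksheet's LAN subnet


if __name__ == "__main__":
    samples = [
        Packet("LAN", "TCP", CLIENT, "203.0.113.10", 80),    # HTTP: passed by rule 1
        Packet("LAN", "TCP", CLIENT, "203.0.113.10", 443),   # HTTPS: no rule, default deny
        Packet("LAN", "UDP", CLIENT, "203.0.113.53", 53),    # UDP DNS: rule says TCP, default deny
        Packet("LAN", "ICMP", CLIENT, "203.0.113.10"),       # ping: passed by the ICMP rule
        Packet("WAN", "TCP", "192.168.16.1", "192.168.16.5", 80),  # WAN: no LAN rule applies
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(LAB_RULES, pkt))
    print(evaluate(ORDER_DEMO, Packet("LAN", "TCP", CLIENT, "203.0.113.5", 80)))
    print(evaluate(ORDER_DEMO, Packet("LAN", "TCP", CLIENT, "198.51.100.5", 80)))
```

Two results are worth noticing. The HTTPS packet to port 443 is dropped by the default deny, which is exactly the gap the note above warns about. The UDP lookup on port 53 is dropped as well, because the worksheet lists the DNS rule as TCP only; most resolver queries travel over UDP, so a real deployment would need a UDP (or TCP/UDP) rule for name resolution to work.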

Part 2: Configuring the Firewall

  1. Double-click the pfSense firewall icon on the virtual desktop to open the pfSense firewall application in an Internet Explorer window.

Figure 7 pfSense firewall Login

  2. Click OK to accept the default username and password and open the application.
  3. Maximize the application window, if necessary.

Figure 8 pfSense firewall System Overview

  4. Click System > Setup wizard from the pfSense menu.
  5. Click Next to continue.

Figure 9 pfSense Setup Wizard initial configuration screen

  6. Refer to the Physical Configuration worksheet from the pfSenseFirewallPlanner spreadsheet that you completed in Part 1 of this lab.
  7. Use the entries in the Settings column of the Physical Configuration worksheet to complete the fields on the pfSense Firewall Setup Wizard.

Figure 10 pfSense configuration settings

  8. Click Next to continue.
  9. Repeat steps 7-8 for the remaining fields of the pfSense Firewall Setup Wizard.
  10. When prompted, type P&ss9999, the new pfSense firewall password, to continue.
  11. When prompted by the pfSense Firewall Setup Wizard, click Reload to reload pfSense with the new changes.

Figure 11 pfSense Firewall Setup Wizard Reload prompt

While reloading, the pfSense firewall will display a progress meter. When the process is completed, the pfSense firewall System Overview screen will be displayed.

  12. Click Firewall > Rules from the pfSense firewall menu to configure the firewall with the rules you defined in Part 1 of this lab.
  13. Click the LAN tab to begin adding the new rules that you configured in Part 1 of this lab.

Notice that there is already a rule on the LAN tab: "Default LAN -> Any." This rule allows any traffic that originates on, or goes through, the Local Area Network (LAN) to which the computer is attached. It is common for organizations to allow unrestricted outbound access and the pfSense firewall adds this unrestricted rule by default. However, from a security standpoint, you should allow only the type of access you want your users to have (and block everything else). This is what LAN (outbound) rules are for: limiting access from a trusted network to an untrusted network.

  14. Check the Default LAN -> any rule and then click Delete (the small black x).

Figure 12 Delete the default permit rule.

  15. When prompted, click OK.

Figure 13 Confirm

  16. Then click Apply changes.

Figure 14 Apply Changes

  17. Click the Plus button (the Add new rule button) at the bottom right side of the Rules table on the pfSense firewall application window to add a new rule.

Figure 15 Add new rule button

  18. Use the entries in the Firewall Rules worksheet to create a rule for Internet browsing.

You will notice that there are additional fields in this screen (Advanced Options, State Type, No XMLRPC Sync, and Schedule and Gateway). Do not make any changes to those fields for the purposes of this lab.

Figure 16 New Firewall Rules: Edit screen

  19. Click Save at the bottom of the page to save each rule and return to the Firewall Rules screen.
  20. Repeat steps 17-19 for the remaining rules on the Firewall Rules worksheet. When you are done, your rule set should look like the one shown in the following figure.

Figure 17 Completed pfSense Rules table

  21. Make a screen capture showing your completed Rules table and paste it into your Lab Report file.
  22. After any discrepancies in the rules have been corrected, click the Apply changes button above the Rules table to apply the rule changes that you have made to the firewall.

Figure 18 Apply changes button

After the settings have been applied, the red message bar will change to indicate that fact.

Figure 19 Confirmation message

  23. Save the completed spreadsheet as yourname_pfSenseFirewallPlanner.xls, replacing yourname with your own name, and submit the file with your lab deliverables.
  24. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.