How To Install And Configure pfSense Firewall Pt1

Captions
A firewall has been at the heart of IT security for a long, long time, and pfSense is a very popular firewall to use, not just because it's open source or because it's free. But how do you actually install pfSense, and how do you configure it? Well, check out this video to find out more.

[Music]

Well, here we are on the pfSense website, and as you can see it appears in bold: open source security. And down here: it's the world's most trusted open source network security solution. And that is what sets pfSense apart from the crowd, from the rest of the vendors out there. You're typically purchasing some hardware, and it comes with a closed, proprietary solution for a firewall, and you need a support contract if you want to be able to upgrade it and so on. But the good thing about this is it's an open source version and it's free, and as long as you know what you're doing you can install it on your own hardware, or you can install it on a virtual machine; it's entirely up to you.

On the other hand, when it comes to select enterprises like the ones they're referencing here, it wouldn't be too surprising if they actually purchased the entire hardware anyway, and that's what pfSense does: you can actually purchase the hardware, you can go down that path if you particularly like. These days practically everything's getting virtualized anyway, to be honest, so typically you'd probably just do an install under a hypervisor like we're going to do in this video. But you've also got choices over here where you can actually buy it as a virtual appliance through Amazon AWS, Microsoft Azure and so on. But it's that flexibility I like, where we can download it, we can install it however we choose; we just do our own support, basically.

So what do we do for actually downloading this? Well, over here we've got a tab which is the latest stable version. I'll include links for both, but it's easy enough to Google them. Now in our case it's pretty much an easy choice, really. When it comes to architecture it's going to be this AMD64. We're not interested in this; this is the specialized hardware for the pfSense appliances. This is when you're doing it yourself, where you've got your own Intel or AMD processor. Don't be confused where it says AMD64: it is actually talking about Intel or AMD 64-bit. The only thing to point out, though, is it needs to be a 64-bit processor, and to be honest the vast majority of computers these days are, so we've got to pick that as our architecture. Incidentally, that 2.5.0 just happens to be the latest version available at the time of release of this video, but most of the time when it comes to the installation it's pretty much the same anyway.

Just moving on here, the only choice really is the installer, which is: what installation method do you want to use? So they're giving us options where you can install it with a memory stick, or you've got the more common solution, which is to actually just download it as an ISO file. That's the option I like to go with because it gives me a bit of flexibility: if I want to install this onto a physical machine I can actually burn that ISO file to a USB memory stick and then I've got a bootable memory stick to boot the computer from, or, as in this case where we're going to put it onto a virtual machine, I'm just going to attach that file to the virtual machine as if it was a CD-ROM drive, and away we go. And the only other choice really after that is, well, where do you want to download it from? By default it's New York, but there are three other places. For me the closest would be Frankfurt in Germany, but to be honest it's such a small file anyway it doesn't really make that much difference when it comes to the download speed for me. So once you've picked all these options it's really just a case of clicking on the download button, and away you go. And that's when we want to move on to actually building the virtual machine and installing this operating system.

Well, now that we've actually downloaded pfSense, or more specifically we've downloaded the installation file, we need to install this onto a virtual machine. So as you can see, I don't actually have a virtual machine already prepared, and I'm running VMware's ESXi here, so the process is pretty simple, because all you've got to do is just tell ESXi what operating system we're going to be running on the virtual machine. It's then going to go to a template and it's going to create sort of like a bare-bones virtual machine based on our choice of operating system. It doesn't really matter if you want to install on a different vendor's hypervisor; the process is basically the same. So in our case we're just going to go to Virtual Machines here and then we're going to click on the option to create or register a virtual machine. Now, we've downloaded an installation file, which means we need a completely brand new virtual machine to install into, so these two options down here we'll just ignore; go with the default option there.

We then need to give this virtual machine an actual name. Now, it pays to keep this in sync with the real name of the actual firewall we're going to build, or whatever virtual machine you build: you want the name that's shown in ESXi to match what the actual hostname is on the computer itself, because that makes it a lot easier to troubleshoot. But whatever I type in here isn't going to be transferred across to the operating system; that's just something to bear in mind. So we will configure the actual hostname of pfSense to be the same once we configure it.

Now, when it comes to ESXi you've got a choice of compatibility. This is the hardware compatibility, and it basically boils down to compatibility between multiple hypervisors. If you're running, say, two copies of ESXi on the network, and one has got version 6.5 for instance and this one here has got version 7, if I wanted to be able to transfer this virtual machine to the other server I've got to go with whichever hypervisor is the oldest version, basically, to get that compatibility. So in that case I would pick ESXi 6.5, because otherwise this version 7 hardware wouldn't work on ESXi 6.5. In my case there's only one physical machine anyway, so it doesn't really matter, but it's just something to bear in mind.

And then it just comes down to what operating system you are running. So for ESXi we've got to go for Other when it comes to this guest OS family, so I'll pick that, and the reason being is that pfSense is based on FreeBSD. Now this version is using FreeBSD version 12, and what we downloaded was a 64-bit operating system, so we've got to go with that choice there. Next thing is obviously where you want to store this, so we're going to install it onto a faster NVMe drive here. And it goes off to its template based on those choices and then it's come back with these answers and says this is what I think you need. So what I'm going to do is tweak this a bit. I'm going to add an extra processor in there; I don't really need two, but what the heck. I'm going to put both of them onto one socket, but it doesn't really matter. Two gig for the memory: it doesn't actually need that amount of memory, but what you can do with pfSense is you can add extra packages onto it, you can make it more than just a basic firewall, so I'm just adding this in for peace of mind. But I can always add it in later on if I wanted to; I could increase it, I could decrease it. That's the good thing about a virtual machine: you can reconfigure it either on the fly or just by taking the actual virtual machine down, and then it'll boot up and, hey presto, you've either got more memory or less memory
depending on which direction you go in. For the hard drive I'm just going to leave it on 8 gig; it doesn't really matter. But one thing to point out is, although this is a lab, normally what I would do is thin provision the actual disk to save storage space, but what I'm finding, particularly with pfSense here, is it does have a big influence: if I tell this to thin provision the drive it's very, very slow, I've found, whereas if I leave it on thick provisioned it's a lot better. So I'm just going to leave it on that; 8 gig is way more than enough, and I've got plenty of storage space to cover it. For the controller I'm going to go with parallel because that's a better controller to use. The only thing I'll point out among all this spec that we've put in here is, while it doesn't matter to me if I over-spec this virtual machine, if I was doing this on an actual cloud provider I'd end up paying more money for hardware that I didn't need if I over-specced it. So let's say for example I'd given this 8 gig of memory: if I don't need 8 gig of memory I'll pay for 8 gig of memory regardless, whereas with the hypervisor, if I configure this with 8 gig of memory and it doesn't use 8 gig of memory, that unused memory just stays in the pool, so it doesn't really matter. So just something to bear in mind when you're using your own hypervisor, whereas when you're using a cloud provider, yeah, costs do matter.

The next thing to do is I need an extra network adapter here. I'm going to set the first one to be the management network and the second one to be the external network. I'm just going to go over to this diagram here: the firewall that I'm building actually has four network segments. This is the management network, this is the external network, but to make life a bit easier I'm not putting these other interfaces in just yet; it makes it a bit easier for the initial setup, because that's all I'm interested in at this stage. So I've got two interfaces: the first one's management, the second one's external.

The next thing to do is we need to point this to an ISO file, and that's going to be the file that we downloaded, so that's this one here. Now I've got this installed onto a local SSD drive. I do have an NFS share here, but it'll take longer to install. pfSense is a small file, you can see it's only like 500 meg, but one of the things I've found, at least in my setup anyway, is it takes a long time to pull all those files through with an NFS share, because they're not on the same network, they've got to go through all the firewalls and it's just basically a lot slower. So as a quick fix, basically what I'm doing is I'm just uploading the files to a local SSD drive, and it makes the whole installation process a heck of a lot quicker. So now that we've told it what hardware we want and what ISO file to point to, just click on Next. It gives us our summary, and then we'll click on Finish. So there we go, it's built an actual virtual machine for us.

So it gives us details here. I'm just going to expand these out for now, because you'll see in a while this will become important. So we'll just turn the actual computer on. Uh, ah, hey, well, I decided to undo what I did just there. But the reason I'm interested in that is because this gives us the MAC addresses. It's just for peace of mind, just so I can double-check things. If I'd put in four network cards straight up this would become extremely important, because as it turns out, what we'll find is that pfSense won't end up aligning its own network cards with ESXi. If I'd had four network cards they'd be out of sync: this wouldn't be the first network adapter, for instance; it usually ends up being the second, this ends up being the third, and then of the other two one becomes the first. It just gets really messy, and it's to do with using the VMXNET3 adapter, apparently. But anyway, we've booted up off our ISO file, so I'm just going to go with that option to accept that agreement. Then we go with the default option to install pfSense, and then what we've got to do is, well, in my case I've got to pick a different keyboard, because up in the top right you'll see it's actually saying it's gone with a US keyboard, but I need to pick a UK keyboard. Now that I've done that I'm actually going to tell it to continue and use that UK keyboard. Now I've got a choice of what to install it onto, but I'm just going to go with the default option of a BIOS boot method; I'm finding that works better for me, at least. So we go with that, and what the actual machine is now doing is basically installing pfSense onto the computer.

It's actually something a bit refreshing, because quite a lot of operating systems I come across, what they tend to do is they'll boot up and get themselves into memory and then they'll ask you questions, and then based on all of your answers it then installs the operating system onto your computer. Windows is slightly different in that sometimes it does things in phases: it might ask you a series of questions, do a bit of the installation work, then ask you more questions, do a bit more of the installation work, so it does it in bits and pieces. Whereas what pfSense is doing is it literally installs the operating system onto the actual hard drive and then it asks the questions. So it does take a bit of a while here, though not too long, fortunately, because it's a very small operating system anyway. So we'll just wait for that to finish, and then what it'll do is it'll ask us to basically reboot, and then we've got to answer some more questions. So it's almost finished. There we go, so it's saying it's now actually finished the installation. It's asking do you want to open up a shell, and I'm just going to go with the default option of No. It's giving us another final chance, but no, I'm not really interested; I'm just going to go with the default option to reboot. It should be pretty quick. You might notice that when it does reboot it doesn't give you much time to go through the bootloader; you've got to be pretty quick if you want to go with a different option. It's like just a few seconds if you want to do something different, otherwise it just boots up and that's it. So I'll just wait for this to boot up. The only thing is it might take a bit of a while for me, because I've got certain features disabled; I'm being very, very restrictive on what these computers can do. But we'll just see how long that takes. Oh, there, OK, it wasn't too long.

Right, so the first thing it's doing is it's showing us the actual network cards it knows of, and fortunately it's showing us the MAC addresses, so if these were out of sync we'd know pretty soon. But as you can see, the first network card, which it calls vmx0, lines up with our MAC address here, and the second network card, which it's calling vmx1, lines up there as well. Now what it's actually asking is, do you want to start configuring VLANs on this? In our case I don't need to do any, but sometimes what you'll have, like in a real-world environment, is a firewall that's got a 10 gig interface, for example, and typically what you do is you carve that interface up into multiple VLANs, and then you've got an identical 10 gig interface as a redundant link. Now in our case, for this lab, none of that really matters; it's all virtual anyway, and what I've got is actually four virtual switches here, so I don't need any VLANs. I could have done it that way, I could have just had, say, one virtual switch and split it up with multiple VLANs, but I haven't done that. I've gone for what to me is an easier approach: each network segment is a separate virtual switch, just as if it would be a series of four physical network
switches and four physical adapters in this firewall. So like I said, I don't have to worry about VLANs here, so I'm just going to say no, I don't need to configure any. It's now asking us which one of these interfaces is the external one, what it calls the WAN interface. Now for us that's vmx1, so I'm just going to tell it that, and then it wants to know which one's the LAN, so that's vmx0. And then it's giving us an option to change our mind if we want to, but I don't need to, so I'll just say yes to that. And then what it does is it literally reconfigures itself based on those decisions.

If we just go back to the diagram, what it's doing basically is it's kind of like a plug-and-play system, really. It's kind of similar to the routers (or rooters, if you prefer) that you get from service providers. Usually you plug your router into the service provider's network; it would get an IP address through DHCP off your service provider, but it would hard-code its own IP address, usually 192.168.1.1, on its LAN interface, and then what you've got to do is plug your computer into that and either assign it an IP address within that network or get an IP address through DHCP, and then you can get management access to your router. And then if you want to change the IP addressing you can do that. pfSense is doing the same sort of thing here. When we go back, it's got one IP address that it's picked up through DHCP on the WAN, and it's got one IP address that it's hard-coded. Now as far as this network's concerned, this is entirely temporary. Although I've got a specific network here, the IP address that I've got through DHCP doesn't line up, and that's just literally because it's temporary for the length of this video and play-through. I'm going to be using DHCP just to keep my life easier, but when I actually finish building this lab for real I'll be hard-coding all of this.

So I'm just going to go back to the console, because we need to do some final changes. We actually already have this virtual machine built, ready to go, to be able to manage this firewall, and it's already set up for this other network, so we actually have to configure the firewall to match that network. So we're just going to do that, which is option number 2, to change the IP address. So I've got to tell it it's specifically the LAN interface I need to change it on, so that's option number 2, and it wants to know what the IP address is, so it's 172.16.18.254. Just double-check: yep, 172.16.18.254. And it wants to know how many bits have been used to make up the subnet mask, so in our case it's 24. Is there a gateway that you need to configure on this LAN interface? Well, there isn't in this network; it's just a stub network, so we don't need a gateway on this interface. Then it wants to know what the IPv6 address is. Well, I'm not going to be using that, at least not at the moment, so I'll just go with the default and say no, I don't have one. And then it wants to know, do you want to actually enable a DHCP server on the LAN? That would be useful if you're going to do a plug-and-play approach, but we're not, not for this lab anyway, so I'm going to say no. So what it does is it actually disables the DHCP server.

We're then being asked, do you want to revert to HTTP as the web configurator protocol? Now with pfSense, let's go back to the diagram again: what we've been doing so far is we've been configuring this firewall through the console, but it's actually managed through a web interface. So that's the reason I've got this actual virtual machine already built: I need to be able to get access into the web server of this firewall through a web browser on that machine. And it's actually asking us the question, do we want to revert back to HTTP? But that's not a secure protocol; it doesn't make sense to do it unless you've got some particular issues, so we don't want to do that. We want to continue to use HTTPS, because if you use HTTP, anybody who can intercept that traffic can get the actual username and the password through the exchange of information between the management computer, for instance, and the actual firewall. So we definitely don't do that.

So it's now finished making that change to the LAN, and it's actually telling us, well, if you want to go in and configure this firewall, use that URL. So I'll just hit Enter to continue, and then what we're going to do now is, well, I've got to actually boot this virtual machine up, and then what I'm going to do is actually log in to that IP address. So I'll just pause the video there, get my virtual machine up and running, and then once I'm ready I'll bring it back.

Well, our management computer is now up and running, so what I have to actually do now is to finish off the actual installation process through what is going to be a web wizard, basically. So I've pointed the web browser here to the actual pfSense firewall, and that's the URL that it shows you on the console. Not surprisingly, we're getting a warning about a security risk, because this is a self-signed certificate, but it's also a private IP address. So we'll just click on Advanced, scroll down to the bottom and just say yeah, we'll accept that risk and continue. We'll then log in with a username of admin; the default password is pfsense. Now I don't have much real estate on this screen, basically because this computer doesn't have access to the internet, so I can't put something like VMware's open tools on there, for instance, to give me a bigger screen. So yeah, it's a bit cramped at the minute, but it'll do. Now as you can see, it says it's got a wizard to go through, because we've got to go through this process just to finish things off, if you will. So we go through a process where we configure it through the console just to get that initial setup of the interfaces, and then we finish off that bare-bones installation, if you will, through this web browser.

So the first thing it's saying is, yeah, just welcome, so just click on Next. And it's just telling us about an opportunity for 24x7 support; let's click on Next. Now here's where we start making the changes. So by default this is going to be called pfsense, which kind of makes sense really, but I'm going to change it over to fw. Domain: it's set to home; I'm just going to call it something else. templab.lan is what I've called it before, for instance, so I'll just go with that. Now the primary DNS server, in my case, is going to be, well, I've already configured this during my trials for this pfSense on ESXi, you see; I've already used an IP address of 172.16.17.10, for instance. Now that references this DNS server over here. It doesn't exist yet, but once it's up and running the idea is this machine, in fact all machines, will come to this server as their DNS server, and this will act as a DNS forwarder to be able to get DNS resolution to the internet, for instance, or to resolve any DNS names within the actual lab itself. So at the moment I'm well aware that that server's not up and running, but we're going to configure it all the same, so we'll be coming back to it later, because it's not particularly important now. I just need to get the firewall up and running and then I can start building my servers afterwards.

One thing to point out is down here it's actually set to this setting where it says Override DNS, and that's ticked, and it's saying allow DNS servers to be overridden by DHCP/PPP on the WAN. What that means is, if you're running DHCP on the WAN interface, which by default you are, any DNS servers that this firewall learns through DHCP will override whatever you put here. Now I've put in one IP address as my primary DNS server. I haven't put anything in as a secondary, because I only have the one
DNS server. But it's a case of whatever I put in, it's going to get overridden by whatever this firewall gets from DHCP anyway. So I'm going to untick that box, because I want to force everything to a specific DNS server; I want to have control over DNS resolution. So we've deselected that and then move on to the next step.

So we're up to step three now. It wants us to set where we're going to get our time from, because it's going to sync itself using NTP to, by default, a server called 2.pfsense.pool.ntp.org. We can change that to something else; it's a publicly available NTP option. If you go to ntp.org it'll give you a big laundry list, basically, of servers or pools that you can point to, but I'm just going to leave that there for now. Time zone: for me, actually, Etc/UTC would work, but what I'm going to do is I'm still just going to change it; I'm going to point it to Europe/London. So you just set that to whatever your time zone happens to be, change the time server pool name if you want; it's entirely up to you. But NTP is extremely crucial, not just for network devices in general, because that helps in troubleshooting. So for instance, if the clock on a computer is out of sync and you get called at two o'clock in the morning, somebody's reporting a problem, if the clock's out of sync on the computer that is having the issue, it's going to be a lot harder to look in the logs and equate any faults against the time. So you definitely want NTP to be in sync. It's definitely crucial for firewalls, because of security reasons: you want to know when somebody was trying to hack something, when somebody was up to strange behaviour, up to no good, and so on. That is something hackers tend to do, as well: they'll play around with the time if they can, they'll try to erase logs and so on, so you might be able to see that somebody cleared the logs at this certain time of the day and so on. You can spot patterns, all that sort of stuff. But another reason is there are features out there, things like VPNs I believe, where they can be very, very fussy if the clocks are out of sync. So getting everybody synced up to NTP so everybody's in agreement is definitely crucial. So do make sure you're allowing access to NTP, whether it's an NTP service that you're running on your own network or whether it's a public internet one; make sure you're getting NTP and that these computers are actually up to date with that clock. So that's step three, so just click on Next.

And now it's giving us the option to change what we're going to do for the configuration of these interfaces. Now I did mention before that for my real lab, once I actually rebuild all this, this will get hard-coded, and that's something you definitely want to be doing on a firewall. In this case, for the sake of this video series, I'm just going to leave it on DHCP; it's just going to make my life a bit easier, so I'm not going to change anything. But that's what it's giving us the choice to do. There's all sorts of PPPoE options, PPTP options; these are all usually associated with WAN links and so on, which don't apply to us. One thing I'll point out, though, is because this is a firewall which is on an actual private network, and it's actually behind an actual private network, I want to disable these options, because it's going to have to communicate with the computers that are in private networks. If this was on the public internet, if this WAN interface was the public interface, I would leave those ticked, because what it does is it stops computers with a private IP address trying to get access into your network. These sort of things shouldn't be happening on a service provider; your service provider should be blocking private IP addressing across the internet. That should stop you sending traffic out with private IP addresses, and this should stop any private IP addressing coming towards you. And there's all these other networks that are technically public, they're not part of RFC 1918 for instance, but they are reserved IP address ranges, so those shouldn't be on the internet either. So in our case, as I say, because we're sitting, or hiding, behind an actual private network and not actually touching the actual public internet directly, even though the diagram might imply otherwise, I want to disable that, otherwise things just will not work. So click Next.

The next step is asking us basically the same: do you want to change your mind for the LAN interface? So this is an opportunity, like I was saying before, where basically what the firewall is doing is being plug-and-play: we're going to get everything through DHCP on this because we assume you plug into the ISP, we're going to start off with an IP address of 192.168.1.1, but you can change your mind later on if you like. In our case we already did that whilst we were on the console, so I can just leave that as is.

So next is change the password. Now you might have noticed it's been complaining about the password right from the get-go, so I do need to put a different password in. Now you really want to put in a much stronger password than I'm going to use, a much longer one, more complicated, but because it's just a video in the series that I'm doing and this is just going to be short-lived, it doesn't really matter; it just makes my life easier for getting these configurations done. So change the password. Ah, good, I did get it right. Right, so we're now at step seven, so I'll just click on Reload. So it's taking those changes on board that it's picked up through the wizard, and then it's reloading itself. So there we go. Step eight was pretty much the actual reload; step nine is just a general reminder that you can get 24x7 support, there's a server here if you want to do it, but in our case we're not too fussed about that. We're done. So that's it, that's the actual wizard finished. So it's just going to finish off and then it'll give us an actual dashboard where we can actually start configuring things from.

Because one thing I'll point out is, what this firewall does is it does go some way to making things a bit more secure, in that it doesn't put any firewall rules on this external interface. What that means is you get what's called an implicit deny rule, where basically any traffic that comes into this interface, into the firewall, will be dropped, and that's, as I say, through what it refers to as an implicit deny rule: you don't see a rule, but it's sitting there in the background dropping traffic. On the internal interface, on the other hand, what it's done is it's actually set up an interface rule, or three rules actually. One of them allows anything on this network to get management access to the firewall; it's actually a fallback option, so even if you really mess up the firewall rules you'll still be able to get management access to the firewall. But it's also got two other rules, one for IP version 4 and one for IPv6, which allow any traffic into the firewall. Now from a plug-and-play perspective that's great, it makes your life easier; from a security perspective it's terrible. The mantra from security for a long, long time now has been: assume somebody is on your network, or your network has been hacked. That's been known of for a long, long time. So the one thing you do not want to do is allow any traffic through an interface; you want to be operating on least privilege. So for example, say this computer here needs management access to that firewall, so we need a rule that allows management access from this computer to this firewall. It also needs DNS access to that server over there, so we need a rule for that. It probably needs HTTPS access out to the internet, so we'll need a rule for that. But that's it: we want to block every other type of traffic coming from this computer, or the entire network, in its entirety. We want to be making sure we're making things as difficult as possible, because security is a bit of a cat-and-mouse game, and sometimes you win, sometimes you lose. It's a case of trying to set up an onion ring of security layers to make it as difficult as you possibly can. If someone is determined enough they'll probably just bypass your security process through social engineering or something, or some user will click on a link and next thing you know you've got malware on your computer, and somebody might just get paid off and bribed, you name it, as there are ways of getting around whatever security you put in place. So you just make it as difficult as you possibly can, and that is one thing you definitely want to be doing. Because there are tools out there that have been known for a long, long time, they've been available and they're still available, where they use Internet Relay Chat, for example. So by default, if somebody had planted some malware on this computer that was using Internet Relay Chat, it would be able to get that direct access out to the server out there on the internet, and this little botnet can do whatever it's being told through Internet Relay Chat. Because we're going to put in more restrictive rules here, we'll stop that sort of thing from going on. Yes, we're allowing HTTPS access out to the internet, and any clever attacker is going to make sure that that's the protocol they use, but it's a case of there are a lot of tools that don't do that, so make sure you block them. And when it comes to things like HTTPS, you'd go with more sophisticated security solutions, where yes, the firewall allows them, we allow HTTPS through the firewall, but you've got something else
that actually inspects that traffic so you'd probably have like a proxy server doing content inspection uh it would actually decrypt that sort of traffic and it will check it and see if it's legitimate uh make sure it's not going to websites it's not allowed to make sure it's not up to no good in our case it's just a lab so that's pretty much the best i can do or at least for now so just go back and see if that's done yeah it's done so it's just going through the licensing deals up there so just click on accept up there uh yeah thank you note from them and here we are the dashboard now like i was saying before you see what i've got is i don't have something like you know vmware's tools on here to make the screen bigger because the the computer doesn't have access to the internet yet but this is the bare-bones dashboard um it's not really up to much i mean disk space use usage so far is 18 percent memory utilization 12 out of 2 gig cpu utilization deadly scope but to be fair the firewall is not really doing anything anyway so what we're going to do is i'm going to make some changes because if we go over to if we go over to the rules for example i'll show you what i was talking about so we've only got two interfaces and you can see here it's showing we've got one called one one called lan you've also got this one called floating now what you've got are options here floating rules are rules that apply to all interfaces but these interface rules trump these floating rules so if i put a rule on the as a floating rule that blocks access to something but you know say there's a rule on the lan interface that allows it well that one on the on the the lan interface takes precedence anywhere so there's only certain types of rules you end up playing putting onto a floating rule as opposed to the interface so most of the time i just set up the actual land rule the landed one rules for example now one of the first things i want to do is to actually change these rules so you've 
got choices here you can add a rule at the top of the list or you can add a list a rule at the bottom of the list one thing you can't do is add a rule in between existing rules which is a bit of a pin you can drag them around but i'll show you what i mean as we go through it and then what i'll do is i'll show you like a completed damn set of rules that i can think of at this moment at a time that might come in useful so i'm just going to click on that and what i actually want for this one interfaces i actually want to block i want to put an explicit block for traffic on this interface so i'm going to block ipv4 i'm going to stick to ipv4 for now because i know there's no ipv6 out there anyway but i'm going to block any protocol because ip is a suite of protocols i want to block all ip traffic i don't care where it's coming from i don't care where it's going to but i do want to log it as well so i'm just going to put that description there i'm just going to say yeah explicit deny rule so you can see been there done that and it's remembered on the browser so i'll just click save as you can see there's a rule there it's telling us you know the protocols ipv4 everything else is a wild card so it's any source any protocol any porting destination and so on um but the thing is although the rules being created it's not actually applied so we'll click on that apply button and now it's actually applied uh just go back to the rules now if we go back to the lan interface this is what i was talking about before we've got what's called an anti-lockout rule that's sitting at the top you can't delete it from here you've got to go into the system to remove it and it's effectively allowing any device on this same network that's been called lan to get access to portfolio 3 or port 80 in order to get management access to the firewall so that's the reason it's called an anti-lockout it's to stop you basically locking yourself out the firewall because if you can't get in the firewall 
you're basically stuck so what i'm going to do is i'm going to come up with a series of rules i don't like this where it's allowing uh all ipv4 into the into the firewall and all ipv6 that means is just nuts from a security point of view makes sense probably from plug and play but it's not a good idea so what i want to do is i want to add a series of rules so for example i want to what i'll do is i'm going to set up a rule for dns for example just to give you an example so i've got one here it's it says we're on the line interface it's ipv4 protocol is udp now the source i actually want it to be the lan network so it saves me having to specify what the actual ip ranges is for example because this rule apply is going to apply to any computer that's got an ip address in the range 172 16 18.0 24 that's coming in on that interface and i'm being very specific i'm not saying allow any i'm being very specific because it stops spoofing for example i mean technically you wouldn't be able to get access to the dns server as such well in the case of udp you'd be able to send requests to the actual dns server if you were spoofing ip addressing but uh it's a case of well if your ip address isn't that in that range anyway it the firewall it's not going to get sent directly to the firewall anyway it's going to get a bit confusing but um it's still better from a security perspective to be very very specific in terms of source ranges now destination i need to be much more specific about that at the moment i'm just going to leave it as any because what i'm going to do is i'll show you how you can actually set a post i mean i could what i could do here i can actually go to this option here which is single host or earlier so i can start putting in an ip address but what i can do is set up what are called aliases and that'll make my life easier so for now i'm just going to leave that set to any uh i'm going to set the actual port to be 53. 
when you select one of these pre-built uh application ports it automatically mirrors it to the um the port over on that one anyway so that's fine because that's to do with a range of ports you're going to use i don't need to keep an eye on this traffic so i don't need to to log it and i'm just going to change this description to allow dns for example click on save again although we've got a rule uh which is here it i clicked if you notice i clicked on the option there which is to add it to the top of the list that rule basically trumps everything it's always going to be at the top top of the list it has to be to to you know prevent yourself being locked out but it's a case of this rule although i've configured it it hasn't been applied yet so i'm just going to click on apply and then that's now an effect but what i'm going to do is i'm going to create an alias first to make this a lot more specific because that's what you want to do you want to be you know using least privilege here you want to be as very specific as you possibly can now i've come over here which was um probably jumped a bit too quick if you've got a firewall here from the drop down option there you've got aliases at the moment with md so what i can do is i mean i can add aliases for ips uh ports and urls i'm gonna click on ads now what i can do here is i could set up a kind of like a host name or i can set this up as a group of ip addresses for example so i'm going to call this one dns servers because i mean at the moment in this diagram we've only got one dns server but you know over time we might expand things i might change ip addressing who knows by setting up a kind of a an overarching name called dns servers it's just a list of dns servers so it gives me a lot of flexibility and saved me having to do a lot of changes further down the line now i could put a description in if i like but you know i'm basing on the d or the actual name to be the yeah the clue there i've got choices and terms 
that type something like hosts i can have networks for example uh in this case it's specific hosts and this is going to be 172.16. um i think it's 17.10. let me just double check 172.16.17.10 yep so i'll just save that i'll apply the changes so technically there's only one device here but because the name has no real reference to that that's not a host name that's been related to the actual ip address this to me it's just going to be potentially a group because i can go back into here and i can add another entry for instance i can say all right i've got another server called 172.16.17.11 for example i could add that in so hence why i'm seeing this this has the potential to be an actual group versus a specific host but we've done that anyway i'm not too fussed now i only at the moment i only need to reference one specific dns server i'm going back to the rules again we'll go back to the lan interface and what i can do is i can i can change this rule and i can make it more specific so i'll edit that rule and what i can do is we're at the moment we're pointing to a destination of any i'll change it over to single host or alias now the actual parser here uh is actually quite clever because as soon as i start typing it's going to associate that with an alias so i'm just going to click it and it's it's not because i've actually used that name in a you know previous build or anything it's just that it's actually parsing it knows that that there's an alias out there called dns servers so this is making this um this rule much more specific so again we've got to apply the changes for that to take effect so now what we've got instead of a rule that's pointing to any dns server out there it's actually pointing to an alias which is being translated to 16 17.10 but the good thing about this is that if i want to make a change i don't have to change the rule itself all i've got to do is update the actual alias entry and that makes life a lot easier it makes things a lot more 
simpler it's also less um riskier should we say there's less chance of something go wrong if i just keep adding service to this list versus having to edit the actual rule itself uh less chances of something going wrong then so yeah but this trying to do a bit of forward thinking when it comes to you know creating rules like this but i mean a good thing with pf sensor i mean as i was saying although you've got this choice of either adding a rule at the top or the bottom you can actually you know grab a hold of a rule for instance and drag them so i can drag that rule above that rule for instance or i can drag that one above that one i can never go above that one because it's an inbuilt rule it's built into the system so i've only got the flexibility of these three rules that we've got now but all this needs changing uh so what i'm going to do i'm just going to click save technically i didn't remove it at all but the fact that i was moving things around as far as it's concerned oh you change something so anyway what i'm going to do is i'm just going to update all this and just flesh it out a bit more and then once i've done that i'll come back and we'll pick up from there well thanks for making it to the end of this video i really do hope you found it useful if so then do click the like button and share because that encourages youtube's algorithm to suggest it to other people who might find it useful as well if you're new to the channel and you'd like to see more content like this then yeah do subscribe just remember to click the little bell icon though that way you'll get notifications when i send new content out if you've got any comments any suggestions if you want to leave any feedback at all please post that in the comments section below and if you'd like to support the channel i've left links to both patreon and paypal in the description below but above all thanks very much for watching i'll see you in the next video [Music] you
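To make the rule ordering and alias behaviour from the video concrete, here is an added Python model of the LAN rule set it ends up with (my example, not pfSense's code or the presenter's): rules are evaluated top-down and the first match wins, as pfSense interface rules are, the anti-lockout entries stay pinned at the top, and anything that matches no rule falls through to the implicit deny. The firewall's LAN address 172.16.18.1 is an assumption; the LAN network, DNS server and ports are the ones used in the video.

```python
"""Model of the LAN rule set built in the video: top-down, first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("172.16.18.0/24")  # LAN network from the video
FIREWALL = "172.16.18.1"                          # assumed LAN address of pfSense

# Alias table: update this, not the rule, when a DNS server is added.
ALIASES = {"DNS servers": {"172.16.17.10"}}

@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # "LAN net", "any" or a CIDR
    dst: str               # "any", an alias name, a host or a CIDR
    dport: Optional[int]   # destination port; None means any port
    descr: str

def _match_addr(spec: str, addr) -> bool:
    if spec == "any":
        return True
    if spec == "LAN net":  # pfSense's macro for the interface's own subnet
        return addr in LAN_NET
    if spec in ALIASES:    # aliases are resolved when the rule is evaluated
        return str(addr) in ALIASES[spec]
    return addr in ipaddress.ip_network(spec, strict=False)

# Ordered LAN rule set after the video's edits: anti-lockout pinned first,
# an explicit deny at the bottom in place of the default "allow any" pair.
LAN_RULES = [
    Rule("pass", "tcp", "LAN net", FIREWALL, 443, "anti-lockout (HTTPS)"),
    Rule("pass", "tcp", "LAN net", FIREWALL, 80, "anti-lockout (HTTP)"),
    Rule("pass", "udp", "LAN net", "DNS servers", 53, "allow DNS"),
    Rule("pass", "tcp", "LAN net", "any", 443, "allow HTTPS out"),
    Rule("block", "any", "any", "any", None, "explicit deny"),
]

def evaluate(rules, src: str, dst: str, proto: str, dport: int):
    """Return (action, description) of the first rule matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if _match_addr(r.src, s) and _match_addr(r.dst, d):
            return r.action, r.descr
    return "block", "implicit deny"  # nothing matched, e.g. the empty WAN rule set
```

Running `evaluate` over a few constructed flows shows why the order matters: an IRC connection on TCP 6667 and a query from a source outside 172.16.18.0/24 both land on the explicit deny, while adding a second server to the alias makes it reachable without touching the rule.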
Info
Channel: Tech Tutorials - David McKone
Views: 6,004
Keywords: How To Install And Configure pfSense Firewall, pfsense firewall, pfsense 2.5, pfsense installation and configuration, pfsense firewall rules, how to install pfsense, how to install pfsense firewall step by step, how to install pfsense on vmware, how to install pfsense 2.5.0, pfsense 2.5.0 install, pfsense installation and configuration step by step, pfsense installation, install pfsense, install pfsense in vm, install pfsense in vmware, install pfsense in esxi
Id: DVTNqzt9IFo
Length: 47min 28sec (2848 seconds)
Published: Sat Mar 20 2021