pfSense Firewall - pfSense Administration Full Course

Captions
[Music] welcome this lesson introduces you to pfsense pfsense is a free open source feature-rich firewall along with firewall services it also performs a variety of network and security-related functions although pfsense runs on freebsd practically all management of the firewall after the initial configuration is done through a nicely laid out web interface initial setup is done with a convenient setup routine once you assign the interfaces and if needed ip addresses you'll be good to manage via the web you can see a complete list of applications and features at pfsense.org scroll to the bottom and select features from the footer menu pfsense offers you virtual private networking or vpn server high availability load balancing traffic shaping unified threat management or utm of course it's a router and a firewall domain name system or dns and dynamic host configuration protocol dhcp servers intrusion detection system and intrusion prevention system ids ips a transparent caching proxy web content filtering stateful packet inspection geographical ip blocking anti-spoofing virtual local area network or vlan support virtual private networking or vpn support with many options or surikata-based ids and ips emerging threats database ip blacklist database deep packet inspection open source add-ons many enterprise reliability and user authentication options web content filtering options including dns blacklisting great web-based configuration and management console system security options and copious reporting options many many enterprise products from companies like cisco juniper fortinet watchguard and palo alto to name just a few would charge you huge money to license these features on their devices depending on the size of your infrastructure you want to protect licensing could range from thousands to hundreds of thousands of dollars earlier in my information technology career i installed configured and maintained firewalls by several of those vendors for customers as a 
consultant later after finally learning of the outstanding benefits of open source software and discovering pfsense i installed pfsense virtual appliances in front of our entire it infrastructure whether you're a home user who enjoys learning about security a network administrator or system administrator at a small to medium-sized business or want a flexible free tool to secure your enterprise infrastructure or parts of it pfsense is worth your consideration pfsense provides a free firewall and form a software for your home or office that you can run on old hardware or virtualize or if you want a pre-installed cost-effective offering direct from netgate pfsense has you covered i have an sg 1100 on its way from netgate for my home this would be adequate for a home or a very small office of up to maybe 10 people or so maybe you could do 20 but why not go a little bit bigger if you have a small office if you have a larger office you could get an sg3100 or sg5100 if you have a large business consider the fully fledged high availability xg series in the coming lessons you'll learn how to download install and configure pfsense to protect your home or business this lesson covers the installation options available to you for pfsense whether you want pfsense for your home small office home office enterprise or the cloud pfsense has you covered for home or small office environments you could install pfsense on some of your old hardware you had lying around in your basement or you could buy a really low cost effective pre-installed hardware device from netgate i just ordered an sg 1100 for 159 us dollars to protect my home to install the hardware you want to download either the memory stick installer or the iso image the usb memory stick installer will let you just install the image to your memory stick plug that into a usb port on the system you want to turn into a firewall boot and install pfsense the iso image can be used to install from a cd-rom or dvd or can be used to 
create a virtualized appliance on a platform that doesn't yet have its own downloadable image like vmware esxi virtualbox kvm zen or proxmox if your infrastructure is in the cloud and amazon web services or microsoft azure there are pre-built images for you to use to protect your cloud environment if you want to upgrade a pfsense firewall you purchased from netgate you can download a pre-tuned image for your device i'm not sure what circumstances would lead you to want to do this as you can just upgrade from the web admin console but it's an available option that covers the installation options for pfsense you could download an iso image or memory stick image a cloud-based appliance for amazon web services or microsoft azure or a netgate optimized image this lesson covers the minimum recommended hardware for pfsense to run properly at a minimum you'll need a 500 megahertz central processing unit or cpu with 512 megabytes of random access memory or ram but a one gigahertz cpu with one gigabyte of ram is recommended you can if you want use hardware that's almost 20 years old to run pf sense one gigahertz processors came out in two thousand if you have old hardware it will very very likely be able to run pfsense if this is for home use and you don't mind circumventing your firewall while you look for replacement hardware in the event of a failure use what you will if this is for a business you may want some fairly modern reliable hardware pfsense provides some guidance about use of some of the features available that will work better with newer more capable hardware virtual private networking or vpn to connect to your home or business will require a beefier cpu if you want to use the captive portal feature locking down who can do what on your network that will also require a better cpu if you'll have large state tables which basically means you'll either have a lot of users or you'll have a few users with a whole lot of network connections to keep track of you'll need 
a beefier cpu and some of the packages you may want to install will require more cpu and ram the snort intrusion detection system intrusion prevention system or ids ips is one example the network interface card or nic you choose is as important as the cpu and the ram to your maximum throughput you want at least two nicks for pfsense to be set up in the most common configurations pfsense recommends intel cards or systems with built-in nics for throughput up to one gigabit per second you may want to learn more about available options if you need throughput better than one gigabit per second as a rough guideline with no packages installed pfsense recommends the following minimum hardware to produce the desired throughput listed if you want 10 to 20 megabits per second an intel or amd cpu of at least 500 megahertz as needed if you want 21 to 100 megabits per second a one gigahertz intel cpu or amd cpu is needed for 101 to 500 megabits it'll be an intel or amd cpu at 2 gigahertz or higher with pcie network adapters for more than 501 megabits per second you'll want a multi-core 2 gigahertz or higher cpu of course still using pcie network interface cards if you're using pfsense to protect your internal infrastructure including traffic within your wireless or wired networks you want a robust system for a detailed list of hardware that is compatible with freebsd see the latest freebsd compatible compatibility hardware list remember that pfsense runs on freebsd to summarize while you can run on hardware that's quite old you'll want more modern hardware for corporate systems and for higher throughput or for using additional features on your device like vpn or packages like snort ids ips one way you can set up an entire lab to learn to use pfsense is by using virtualization software like virtualbox virtualbox is maintained by oracle and is free and available to windows linux or mac os 10 users that should cover anyone taking this course you can download it at virtualbox.org 
virtualization software lets you run an operating system within an operating system the operating system you will run inside virtualbox is called a virtual machine or vm you can download pfsense as an iso image then boot your vm to that to install pfsense as a vm you can also put other windows or linux virtual machines on virtualbox and have them behind or inside your pfsense firewall you can set all of this up for free so please give it a try you'll see how to install virtualbox on windows and mac os 10 in the next lesson the process is very similar for installing on linux don't worry if you've never been exposed to virtualization before and this doesn't make sense to you right now you'll understand as you proceed through the lessons even if you plan to install directly to hardware eventually please consider learning virtualbox as understanding virtualbox can help you in the future whether you're a home user or an it professional you want to install and learn to use pf sense but you don't have any spare hardware you can use what to do use virtualbox it's free software that lets you run multiple operating systems within an application on your existing computer it's available for windows mac os 10 linux and solaris that covers any operating system you're likely to be using once you've tried a virtual environment installing on hardware seems slow and painful many server infrastructures are virtualized running on vmware esxi microsoft hyper-v or are in the cloud on amazon web services digitalocean or a similar provider taking a moment now to learn virtualbox increases your options for trying new operating systems and practicing new things yourself and can make using virtualization software at work more understandable the operating system you installed the downloaded virtualbox software to is called the host the systems you install are called virtual machines or guests virtual machines are often abbreviated as vms so let's get virtualbox installed download the 
appropriate package for your operating system from virtualbox.org slash wiki slash slash downloads once it's downloaded browse to the file it will probably be in your downloads folder unless you typically download to another location or moved it i'm showing the steps for mac os 10 here but it will be similar for other operating systems for mac os 10 double-click on the virtualbox dmg file to start the installation process your mac will verify the integrity of the downloaded file the box installation window will open double-click on the virtualbox.pkg file your system will verify the integrity of the virtualbox.pkg file a window will open asking you to run a program to determine if the software can be installed click on continue to continue the installation in the install oracle vm virtualbox window click on continue enter your username and password if prompted then click install software if the installation was successful click on close to close the installer window under number two in the virtual box window double-click on the applications folder to open it and browse to virtualbox double-click on virtualbox to launch it you can also launch it from launchpad for windows double-click the executable you downloaded and followed the default installation prompts then open it as you would any other application on a windows install consider right-clicking the downloaded executable and installing it as administrator i haven't had it happen myself but i had one student report a grayed out permission when he was trying to select a certain network setting installing as administrator will minimize your chances of encountering this error [Music] in this lesson we'll install pfsense as a virtual machine on virtualbox let's do this step by step go to pfsense.org download in the downloads dialog select amd 64-bit select cd image iso installer and select the mirror that's closest to you mirrors are just sites that have the same content hosted in multiple locations so you can pick 
one that's geographically close to you then click on download this will typically download to your downloads folder you'll have to extract the iso file after you download it once the file is downloaded go to the folder where it was downloaded typically your downloads folder right click on it and extract the file on a mac you can do this just by opening it with the archive utility and there it is i have another copy so it's showing as one once you have your iso file downloaded and extracted open virtualbox click on new in a meaningful name for your new vm select bsd for the type and freebsd 64-bit for the version and click on continue if you have plenty of memory i recommend putting at least two gigs or 20-48 megabytes and clicking continue create your virtual hard disk now leave vdi selected and click continue leave dynamically allocated and click continue this means the drive will be small and it'll only hold exactly what it needs to but the operating system will think the full space is there it'll just grow as it needs to it'll save space on your hard drive you can leave these at default so 16 gigabytes and pfsense for the name of the storage now it's there but we have to change some settings before we try and boot to it so right click and go to settings first click on storage click on the dvd drive choose your pfsense downloaded image you may have to browse to that by clicking choose optical disk file and browsing to it on your operating system then click on network i set my adapter to bridged adapter i have uh easier setup that way it's up to you you could leave it at nat and see how that works for you and also configure a second adapter we need two network interface cards for a firewall the other one is going to be internal network and click on ok we double click to boot our new virtual machine you'll see some text scroll by as the operating system installs when it says pfsense installer just hit enter to accept leave continue with default keymap highlighted 
and hit enter to select or you can scroll down to a different type of keyboard and hit enter to select that leave auto usf guided disk setup selected and click o and hit enter for ok here we're going to exit to the shell and we're going to say shutdown minus h now to shut down and halt now so when it says the operating system has halted press any key to reboot hit the command key if you're on a linux the left command key to get your cursor back or if you're on a windows hit control and alt and let go and then you'll get your cursor back at the bottom of the screen you'll see a little dvd click on that and click remove disk from device if you didn't do that step when you reboot you'd go through the install routine again so we'll press any key to reboot just let this time out or you could hit one to enter multi-user mode and when you get to this screen you're done for now we want an operating system with a graphical user interface or gui to be available to manage pfsense i'll show you how to install ubuntu desktop to fulfill that role you're free to use any virtualization software you may want virtualbox is free and it's available for windows mac os 10 and linux so that's why i chose it i'll start with a description of the network topology i'll use i'll have pfsense configured with two virtual interfaces or virtual network interface cards one will be bridged to my computer's network you could use nat if you prefer and the other will be on the internal network the internal network will only be visible to other systems added to it within virtual boxes network the bridged interface will be the wan interface and the internal network interface will be the lan interface this matches the configuration from the installing as a virtual appliance to virtualbox lesson this will have just one network interface on the internal virtualbox network so it will have to go through pfsense to get to our host network or the internet you may want to use a windows vm if you prefer you can 
download a windows vm from the link in the references section now we'll download ubuntu desktop and install it as a virtual machine for use in our lab so go to ubuntu.com download slash desktop and download ubuntu 18.04 lts lts is for long term support remember where that's downloading to because you'll need that iso file later i'm going to cancel because i've already downloaded it now open virtualbox and we'll create a new virtual machine give it a reasonable name it's already got linux selected and it's got version 64-bit which is what we want we'll click continue set memory to 2048 minimum if you have enough memory to do so we'll leave this at default and click create and continue dynamically allocated continue we're going to set the size at 20 gigabytes we'll right click and go to settings under storage we'll have to select our ubutu 1804 desktop if it's not listed there you'll just click choose and browse to it and under network we're going to select internal network this will let us talk to our firewall over the same internal network then click ok and then double click to start our vm when you get to this screen select install ubuntu and then it's defaults pretty much all the way through unless you have to change something because you have a different language we will choose minimal installation because all we really need on this vm is the web browser we don't need all the utilities and office software and games and we'll save some space by doing a minimal install so we will choose that click continue we're going to use lvm because we like lvm it's logical volume manager click on continue hopefully your time zone is right if if it isn't please just click in the appropriate area click continue add your name i like to keep the name similar to what i named it in the v as a vm so i'll type ubuntu [Music] and enter a password and i always leave mine set to require login require password for login once the installation is complete click restart now it says please 
remove the installation medium and then press enter you can just press enter it automatically does this for you log in using the credentials we entered get to a command prompt and check our networking so we have an ip on our virtualbox internal network of 192.168.111 and we should be able to get to our firewall you'll get a warning about the connection not being secure that's okay it's a self-signed certificate so we'll click on advanced we'll click on add exception and we'll click on confirm security extent exception and we're there this is a pfsense login screen where we can start configuring our firewall finally we get to start configuring pfsense startup virtualbox and make sure both your pfsense firewall and your ubuntu desktop or whatever you're using for a gui is started bring up your pfsense firewall virtual machine and make sure you know the address of the lan interface mine here is 192.168.1 yours will be too unless you changed that because it conflicts with your home network or business network then bring up your ubuntu desktop and make sure that it's on the right subnet just do ip address and then grep inet you can see we're here here we're on the 192.168.1 subnet so we're good then bring up your browser and go 192.168.1.1 if you get a warning about their certificate please click past that that's just because we're using a self-signed certificate type in admin and pfsense for the password and then click sign in and we enter our initial setup screen so we click on next they're trying to get us to buy global support if you're running a business it may be worth it to get this support i've never purchased it myself but it kind of depends on on how critical your infrastructure is and it supports the project and the price is reasonable i think anyway we'll click next here under general information you can give it a different name or you can keep pfsense for domain you can have local domain i'm going to type home dot local domain if you have an actual domain 
you can put that in here primary dns and secondary dns you can check with your internet service provider to put their ips in here there are dns servers ips or you can use some global google dns servers there's 8.8.8.8 and 8.8.8.4. and this is telling us that if our service provider gives us dns servers they can override what we put in here which is that's okay so we'll click next you can leave the server host name time server hostname at its default and change this to your timezone i'm in gmt-5 so i put that in click next for the wan interface this is going to depend on how your network is configured if you're on a home network you'll likely leave this at dhcp and you can leave the rest of these blank and it's okay to block these private networks from coming in on your wan interface and to block bogons bogons are non-routed ips those shouldn't be used by anyone so you can leave those checked all the rest you can leave blank unless you have to configure it for your isp and then click next lan ip unless you need this to be on a different subnet you could leave that at 192.168.1.1 with a 24-bit subnet mask click on next now we're going to change our admin password and click next and then we'll click on reload and it will reboot our firewall hey pfsense is now configured i'm going to click on check for updates because i always update as soon as i can after installing a new system and it says an update is available so we're going to confirm and download the latest version my internet connection is super slow so i'm not going to make you wait for this but once it's up to date we'll start configuring some features we've just done the initial setup on pfsense but something still isn't working so we'll have a look together first if you're using virtualbox please make sure your pfsense virtual machine and your ubuntu desktop if that's what you're using for your gui are running i also have another vm running for some troubleshooting that's not behind the firewall you could do 
this with your host system or you could have another vm running it's up to you and looking at pfsense again our lan ip just make sure you know that if it's not 192.168.1.1 make sure you know what that is and our ubuntu desktop right now doesn't seem to be able to resolve names on the internet that would be a dns problem so if we do ping www.google.com this will just get me their closest akamai server it doesn't work but if we bring up our other virtual machine and we ping www.google.com it does work and we get the ip address of the server where it was going to try and get to so now if we try and ping by ip address it works so that means we aren't able to resolve the name our networking works but our name resolution does not so let's go back to our firewall and let's see what might be holding us back here as far as dns settings i'm suspecting it's something with our dhcp settings yes we have no dns servers here so for now let's put 8.8.8.8 in here and 8.8.8.4 these are public dns servers that google lets anyone use and let's give that a try okay i did a reboot to make the dhcp settings take effect because restarting networking didn't seem to do it and now it looks like we're getting out to the internet yes we are so what we had to do to make this start working was go into services dhcp server and add dns servers here saved our changes and then had to do a release renew on the ip address on our clients to get the new settings so we're good to go to start configuring our device after you've done the initial setup and added dns servers to your dhcp configuration the next thing i recommend doing is enabling secure shell or ssh even if you don't have much or any linux or bsd experience i recommend enabling this so you can get to the freebsd command line on your pfence firewall if you need to although virtually all management tasks can be completed via the web interface and i encourage you to manage your firewall through it some things are much easier done at the command 
line one example is resetting your pfsense password this will be covered in the troubleshooting section enabling ssh is simple click on system then advanced scroll down under admin access and look for the secure shell section check the box that says enable secure shell leave sshd key only set to password or public key for now this will let us use either the public key or a password configuring key based authentication will be covered in the optional enabling public key authentication section toward the end of the course leave allow agent forwarding unchecked and the port used at 22. these values can be changed if needed later but we'll test with the defaults scroll to the bottom of the page and click save to save your changes that's it now that we've enabled ssh we'll test to make sure it's working i'll be testing from the ubuntu desktop vm we installed for the lab this is really easy just get to a command prompt and type ssh admin at 192.168.1.1 of course if the lan interface of your firewall is different you'll have to type that instead of 192.168.1.1 if things are working you'll be asked to add the sha-256 fingerprint to continue connecting type yes and hit enter you'll be asked for your password this is the password of the admin user on pfsense if you type it correctly you'll be taken to the pfsense menu screen detailed instructions on how to set up and use ssh clients for different operating systems is covered in the optional section on key-based authentication in the next lesson we'll add a user to pfsense lesson we're going to add a user this user is just kind of an emergency fallback in case something happens to your admin user or you lose a password of your admin user so from your pfsense dashboard click on the hamburger or menu icon choose system then user manager click on add to add a new user enter a username and password enter a full name if you want expiration date leave blank custom settings we'll leave blank for now we will add this user to the 
admins group by clicking on admins and then clicking move to member of so you can see over here on the left it would have groups that i'm not a member of and on the right it'll have groups that you want the person to be a member of we only have admins at this point because we haven't started doing much with groups if the person has an ssh key you can add that here we're going to cover that in the ssh lesson and similar with the ipsec pre-shared key so click on save to save your work and the new user is added and the new user is a member of the admins group in this lesson you'll learn how to disable ipv6 if you don't need ipv6 consider disabling it i very often only use ipv4 so disabling ipv6 saves me from having to duplicate all of my firewall rules or ipv6 equivalents on my firewall to block ipv6 traffic globally on your firewall ipv version 6 traffic globally and on each interface we'll also disable the default firewall rule permitting it on the lan interface to block it globally go to system advanced and click on the networking tab make sure the allow ipv6 checkbox is unchecked then scroll to the bottom and click save and it says here there's a note this does not disable any ipv6 features on the file firewall it only blocks traffic to disable ipv6 on your interfaces we'll start with the wan go to interfaces wand under ipv6 configuration type click none scroll down and save and apply your changes before you can do this step for the lan interfaces you'll have to disable dhcp for ipv6 on this interface to do this go to services ipdhcp for ipv6 and uncheck enable dhcpv6 server on this interface then scroll to the bottom and click save then we go back to interfaces lan and under ipv6 we select none then save and apply changes and as a final step go to firewall rules land and disable the ipv6 rule that allows all traffic just click little disable button and apply changes and that's it you've disabled ipv6 on your firewall in this lesson we'll learn to customize the 
dashboard so you can set it up however you like when you first log into pfsense you'll have this dashboard if there are any widgets you don't like you can just delete them i don't have netgate service and support so i don't need this window so i'm going to delete it i do like to see what's going on with my interfaces and i like this system information screen as well but let's add something else just click on the plus to see available widgets i also like to see my firewall logs so we'll add that and now we have our firewall logs at the bottom there are many widgets you can choose from some that might interest you are interface statistics traffic graphs openvpn or ipsec if you use vpn installed packages is interesting but uh i don't generally want it on my dashboard that's up to you and that's about it as far as what i'd like to put on but please have a look and customize it however you want in this lesson we'll see how to change the look and feel or theme of your pfsense firewall i do like the look and feel of the pfsense web configurator it's pretty clean and sharp looking and shows you what you need to see it's also nice to be able to have a little variety though to change your theme go to system general setup and scroll down to web configurator you can see theme is the first item under web configurator let's check out pfsense dark click save and then go back to the main menu to see what it looks like that seems pretty cool if you like dark themes we'll try another one there aren't very many so we'll just try a couple here let's try compact red it does give us a warning that this is a user-created theme but it is packaged with pfsense so that message could be an error go back to the main menu and here's the compact red i personally like the dark theme so i'm going to stick with that you can find sites to tell you how to rebrand pfsense yourself if you'd like it's helpful to know some css which stands for cascading style sheets if you want to do your own theme or 
to or be willing to learn or you can find themes already created on the internet however bear in mind that this is a security device downloading and installing software developed by someone else could introduce security issues for you so i generally stick with the provided themes that's it for changing your theme prior to diving into firewall rules and configuration we'll look at some considerations for best results in firewall deployment we'll discuss rules and rule sets stateful filtering blocking versus rejecting traffic and ingress versus egress first we'll discuss rules and rule sets firewalls process traffic and permit take action on or deny it based on rules once you create a rule you assign it to an interface or to interfaces rules are read from top to bottom in the list and traffic is processed based on the first match observed in the rule or rule sets if you have a rule that is likely to be used often it is best to have it higher in the list of rules this will reduce the processing load on your system the firewall won't have to go through a rule of rules that don't apply to get to the one that does as often if the common traffic is processed first for example if you use https a lot and ssh only a little and you want to have rules to allow both it makes sense to check for https first then ssh now we'll discuss stateful filtering you'll see this referred to as stateful packet inspection or spi by some firewall vendors such as cisco you want your firewall to keep track of information going out and you want to let the return traffic back into the requester however you don't want to let unrequested traffic or potentially malicious traffic into your network you don't want to have to define all this traffic manually because you likely don't know ahead of time what your users or even you will have to access in advance the firewall keeps track of outbound requests and listens for and processes related replies in a state table the state table records the source 
destination, protocol, ports, and state of the connection, as well as the interface involved. You can see the state table on your pfSense firewall at any time by clicking on Diagnostics and choosing States from the menu. Some examples of state types are ESTABLISHED for active connections and FIN_WAIT_2 for a connection that is, or is expected to be, closing. States are shown as pairs separated by a colon: ESTABLISHED:ESTABLISHED means the connection is established from the perspective of the sender and the receiver, as far as the firewall can tell. TCP is connection oriented, so sessions can be established. UDP is connectionless, so state is kind of simulated, or set up for the purpose of knowing what may be expected in association with UDP traffic being sent. You'll see states like SINGLE:MULTIPLE and MULTIPLE:SINGLE for UDP. Other protocols like Internet Control Message Protocol, or ICMP, will have states as well. Any outbound request that is expecting a reply must have an entry in the state table for the traffic to be allowed.

Now we'll discuss blocking versus rejecting. Blocking traffic silently drops it, not notifying the sender in any way; your device looks like it is turned off. Rejecting traffic sends an appropriate reply to the requester to let them know the device is there but the connection is not allowed. In general, it is good practice to have internet-exposed devices block unwanted traffic and internal devices reject traffic that is not allowed. Blocking theoretically makes it more difficult for an attacker to know your device is even there, and rejecting reduces the wait times associated with unanswered requests.

Now we'll talk about ingress versus egress. Ingress and egress, from the firewall's perspective if it's a device between your home or business and the internet, refers to traffic into or out of your home or business network. If you want to go to google.com from a browser on your computer, the request from your computer to the nearest Google
presence is considered egress traffic: it's going to leave your network and go to the internet. If you have a web server hosted in a DMZ off the OPT port on your pfSense firewall, requests to that would be ingress traffic. Considering that the internet is a wild and crazy place, with automated scanners and manual hackers constantly scouring any exposure for weaknesses, you'll typically want to disallow all ingress traffic, with very rare, highly secure exceptions like virtual private networking, or VPN, connections. If your network isn't too complex, or maybe even if it is, you may want to consider egress filtering as well. You could start by allowing protocols you know you'll use all the time, like HTTP and HTTPS for web browsing, or SSH for remotely accessing servers you have on the internet, if you have any, and making sure updates still work for all your computers and Internet of Things, or IoT, devices. Hopefully those IoT devices use HTTP and HTTPS, so they should not have any ports to open. You would also want to allow Domain Name System, or DNS, queries from all of your computers, or at least from your internal DNS forwarders or resolvers, so name resolution can occur. For your home network, egress filtering can be a great way to see what's going on. For work, you want to have a pretty firm grasp on what other protocols are needed for your employees to do their work before denying traffic. We'll cover some strategies for doing this with minimal chance of breaking things in an upcoming lesson. Try to mentally put yourself in the position of the firewall when deciding whether traffic is ingress or egress from its perspective. Traffic going into the LAN interface would be egress traffic from the network's perspective; traffic going from the firewall out on the WAN interface would also be egress. Traffic coming into the LAN interface would be ingress; traffic going out from the firewall toward the LAN on the LAN interface would also be ingress. I hope the following table will make this clearer. In
this lesson you learned about rules and rule sets, stateful filtering, blocking versus rejecting traffic, and ingress versus egress.

In this lesson we'll learn about whitelisting and blacklisting. They're just two different approaches to applying firewall rules. Blacklisting is denying things you don't want, or things you believe likely to be malicious. Perhaps you want to block port 1337 because it's associated with shady shell: you create a rule to block it. It's great that you blocked one suspected bad thing on one port, but there are 65,534 more TCP port numbers. The bad guys will quickly migrate their badness to another port once people start blocking their first choice. Maintaining blacklists for suspicious ports is extremely difficult. This is not to be confused with SMTP blacklisting or DNS blacklisting; although SMTP and DNS blacklisting is also difficult to maintain, there are enough people working at it to make it a worthwhile added layer of defense. Whitelisting is allowing what you do want and blocking everything else. You could allow HTTP, HTTPS, SSH, DNS, and NTP, for example, and block everything else. If you know what you want to allow, you don't have to know what you don't: just whitelist what you want and block everything else. This is the default mode for ingress filtering. Consider putting it in place for egress filtering too; you can stop much badness that way. Just make sure you do some testing to make sure you're not going to break things, and we'll cover that in a later lesson.

In this lesson we'll talk about where to place firewall rules to provide the greatest protection to the resources you want to protect, and by placement I mean where on the firewall, which interface. In the firewall graphic depicted, this is a very simple firewall configuration with a LAN and a WAN interface. Consider that you could possibly have many interfaces on your firewall, as well as many networks in the form of other physical or virtual network interfaces
or in the form of multiple virtual local area networks, or VLANs. If you want to keep TCP port 1337 from making it to the internet if a computer is exploited on your LAN, it makes sense to put the blocking rule on the LAN interface. Put the rule protecting the asset, or others, as close to the threat as possible. If you want to protect your LAN from traffic coming from the internet, you put the rule on the WAN interface. When you place your rules in this way, all the other areas of your network are protected by the firewall. You only specify an interface with pfSense, and pfSense automatically assumes the rule is in an inbound direction from the firewall's perspective. So if you apply a rule to the LAN interface, it will affect all traffic coming into the LAN interface toward the firewall; likewise with the WAN. This makes adding rules much simpler than with other vendors' products. If you need more granular control, there's a special kind of rule called a floating rule that will let you control traffic in much more detail, and we'll cover that in a separate lesson.

In this lesson we'll have a cursory look at floating rules. To create a floating rule, go to Firewall > Rules and click on the Floating tab, then click Add. Some differences you'll see now: floating rules have a Match option, which you won't find in regular rules; you can select multiple interfaces; you can select to apply Quick, which is enabled by default and you can't disable on a LAN or WAN rule; and a direction you can choose is any. You can also choose inbound or outbound, and inbound is chosen by default for you, and you cannot change that on an interface rule. I will cover some high-level considerations for floating rules. There are some precautions with floating firewall rules. They are more flexible than regular rules, but because of that they're also more risky. You could misconfigure something that may deny, or worse, permit traffic you don't intend. Also, they're more difficult to troubleshoot. Your fellow network administrators may not be
aware of floating rules and may not look for them, causing extended troubleshooting, and even in and of themselves they're more difficult to troubleshoot because of the many options available. Also, determining source and destination for packets is not always straightforward. Outbound rules applied to the WAN are applied after network address translation, or NAT, has occurred, so they have a local source of the firewall's IP. Some uses for floating rules include: traffic shaping with ALTQ; controlling traffic leaving the firewall itself, for example to prevent the firewall from reaching specific IPs or ports; ensuring no traffic can exit from other paths into a secure network regardless of any other firewall rules created elsewhere; and when you're using state timeouts, tag/match operations, no state, and sloppy state rules for asymmetric routing.

What is the processing order for floating rules? Rules for inbound traffic on floating rules work very similarly to interface rules. Firewall rules are processed after network address translation, or NAT, rules, so rules in the outbound direction cannot match a local source; you would have to specify the NATed IP address. Floating rules are processed before interface rules and group rules. When Quick is enabled for rules on your firewall, processing stops after the first match to a rule is hit. This is the normal default behavior for interface rules. On floating rules you have the option of disabling Quick; with Quick disabled, the last matching rule that's hit wins. Quick cannot be used with tagged queuing when managed with floating rules. Unless you have a very good reason for disabling it, Quick should be kept enabled. With floating rules you have the option to select any interface configured, or multiple interfaces by holding down the Control key. You can also specify multiple directions: you could do any direction, inbound, or outbound. You can use the Tag and Tagged fields to mark and manage specific traffic. This can be used to take action
on WAN outbound traffic from a specific internal host that would not have been matched due to NAT substituting the source address, for example.

Then, time to roll up your sleeves. In this lesson we get to configure a pfSense firewall rule. If you're using your VirtualBox lab, make sure your pfSense firewall is running, your Ubuntu desktop or whatever you want to use for your GUI, and it's helpful to have an external system running as well; in this case I have an Ubuntu 18.04 server. Once you log into pfSense, go to Firewall, then Rules in the menu. We're going to block port 1337. You can see there's no rule for that there now, but first we're going to do a quick test on our external 18.04 server. We're going to use netcat to listen on port 1337. Then, on our Ubuntu desktop, which is behind the firewall, we're going to telnet to our Ubuntu server outside the firewall on port 1337, just to see that this works. And if we look on the Ubuntu server, we just said hello, so we have communication going back and forth over port 1337. Now we're going to make a firewall rule to block port 1337 on the LAN interface. Remember, if we want to block something going out of the LAN, the best place to do that is on the LAN interface. So we'll go Add. The action we'll want to take on this traffic is to reject; remember, we can reject for internal IPs, we block for external IPs or external rules. Interface is LAN, IP version 4, Transmission Control Protocol. We won't mess with Advanced at this time; we'll look at that in a later lesson. If you want to specify just one port, you put it in the "from" side and you leave the "to" side blank. We definitely want to log packets that are handled by this rule, and we'll name this with a descriptive name: "reject 1337 shady shell". And again, we won't look at Advanced at this time. Then you click on Save to save the rule, then click on Apply Changes. Now we'll go to our server and start netcat, then we'll go back to our VM and we'll try again. Oh, it's still working. What's going on?
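As an added illustration (not code from the course or from pfSense itself): a small Python model of the first-match rule processing the rules and rule sets lesson describes. It uses the two rules sitting on the LAN interface at this point in the lesson (the default allow-any LAN rule and the new "reject 1337 shady shell" rule), the port aliases from the aliases lesson that follows, and a pair of non-Quick rules for the floating-rule case where the last match wins. The LAN network, the hosts, the rule names and the alias contents are constructed for the example.

```python
"""Model of pfSense rule processing (added illustration; not the course's
or pfSense's own code): rules are read top to bottom, an interface rule
is always Quick so the first match decides, a floating rule with Quick
disabled keeps going so the last match wins, alias names expand to
several ports, and traffic matching nothing is blocked (default deny).
Hosts, networks, rule names and alias contents are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port aliases like the ones built in the aliases lesson (constructed contents).
ALIASES: Dict[str, Tuple[int, ...]] = {
    "tcp_standard_outbound": (80, 443, 22, 53),
    "udp_standard_out": (53, 123),
}

@dataclass
class Rule:
    name: str
    action: str                     # "pass", "block" (silent drop) or "reject" (drop and answer)
    proto: str = "any"              # "tcp", "udp", "icmp" or "any"
    src: str = "any"                # "any" or a CIDR such as the LAN net
    dst_port: Optional[str] = None  # None = any port, a port number as text, or an alias name
    quick: bool = True              # interface rules are always Quick; floating rules may turn it off
    log: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def port_matches(spec: Optional[str], port: int) -> bool:
    """None matches every port; an alias name expands to its member ports."""
    if spec is None:
        return True
    if spec in ALIASES:
        return port in ALIASES[spec]
    return int(spec) == port

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("any", pkt.proto):
        return False
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    return port_matches(rule.dst_port, pkt.dport)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str], List[str]]:
    """Return (action, name of the deciding rule, log lines). A Quick match
    ends processing at once; a non-Quick match can be overridden by a
    later matching rule."""
    action, matched = "block", None           # nothing matched yet: default deny
    for rule in rules:
        if rule_matches(rule, pkt):
            action, matched = rule.action, rule
            if rule.quick:
                break
    logs = []
    if matched is not None and matched.log:
        logs.append(f"{action} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} rule={matched.name!r}")
    return action, (matched.name if matched else None), logs

LAN_NET = "192.168.1.0/24"
# Constructed: the desktop behind the firewall telnetting to the outside server on 1337.
TELNET_1337 = Packet("tcp", "192.168.1.50", "203.0.113.10", 1337)
PASS_ANY = Rule("Default allow LAN to any rule", "pass", src=LAN_NET)
REJECT_1337 = Rule("reject 1337 shady shell", "reject", "tcp", LAN_NET, "1337", log=True)

def reject_rule_added_at_bottom() -> str:
    """Order as first saved in this lesson: the new rule sits below the allow-any rule."""
    return evaluate([PASS_ANY, REJECT_1337], TELNET_1337)[0]

def reject_rule_moved_up() -> str:
    """Order after the reject rule has been moved above the allow-any rule."""
    return evaluate([REJECT_1337, PASS_ANY], TELNET_1337)[0]

WHITELIST = [
    Rule("tcp standard outbound for lan", "pass", "tcp", LAN_NET, "tcp_standard_outbound"),
    Rule("udp standard out", "pass", "udp", LAN_NET, "udp_standard_out", log=True),
    Rule("reject anything not allowed above", "reject", "any", LAN_NET, None, log=True),
]

def whitelist_decision(proto: str, dport: int) -> str:
    """Egress whitelist: aliased ports pass, everything else hits the logged reject rule."""
    return evaluate(WHITELIST, Packet(proto, "192.168.1.50", "203.0.113.10", dport))[0]

def floating_last_match_wins() -> Tuple[str, str]:
    """Two floating-style rules both match. Non-Quick: the later pass wins;
    with Quick re-enabled on the first rule, the block wins instead."""
    block_first = Rule("floating block 8080", "block", "tcp", "any", "8080", quick=False)
    pass_after = Rule("floating pass 8080", "pass", "tcp", "any", "8080", quick=False)
    pkt = Packet("tcp", "192.168.1.50", "203.0.113.10", 8080)
    non_quick = evaluate([block_first, pass_after], pkt)[0]
    block_first.quick = True
    return non_quick, evaluate([block_first, pass_after], pkt)[0]
```

Calling `reject_rule_added_at_bottom()` returns "pass" and `reject_rule_moved_up()` returns "reject", which is the ordering effect this lesson is about; `whitelist_decision("udp", 443)` returns "reject" because UDP 443 is in neither alias, the same outcome the later log-review lesson reaches for QUIC. The model leaves out two things the floating-rules lesson mentions: NAT runs before filtering, so an outbound WAN rule sees the translated source, and floating rules are evaluated before interface rules.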
What do you think happened? Look at the server, and we're still communicating, even though we had a rule in there. What do you think is going on? Well, the problem is rule order. Remember, the first rule matched wins. So we have a rule here allowing traffic from any IPv4 address on any port to any address on any port, so it hit this allow rule before it got to our deny rule. So what we want to do is move our rule up. Select the two rules you want to move this rule above, hover over the anchor, it'll turn into an up arrow, and then shift and click to move this rule above those. Here we go. Now we'll click Save again, Apply Changes, and we'll try it again. Start up netcat and then try and telnet again to port 1337, and it says "unable to connect to remote host: connection refused", so that's good. Then we'll go to related log entries. There's a fair bit of stuff in there, so we're going to look specifically for our port number. Click the little filter icon, we'll look for a destination port of 1337, and we see it was blocked; we see the source IP and the destination IP. So that's it. Now you know how to apply a firewall rule and move it up or down in your list so it works as you expect, and how to test and what to look for in the logs.

Learn about firewall aliases. In the last lesson we learned how to add a firewall rule. We could really only specify a few things about the rule, though; we could only, for example, put one port or one range of ports. What if we want to add several? You can add some flexibility and group things together with aliases. To add an alias, go to Firewall > Aliases. We're going to add some for ports, but you can add aliases for IP addresses, URLs, or for multiple things. We'll go with ports. So to add a new alias, you click Add. We'll name this, put a description that makes sense, and we'll keep the type at Ports, but you can see you could select from many things here: hosts, networks, URLs. And we'll put in some ports. We're going to try and define the standard
ports that we're going to want to allow out. So we're going to allow port 80, HTTP; add a port, port 443, HTTPS; port 22, SSH (I use this to manage servers; if you don't need that, you don't have to add it); and port 53, DNS. We're going to have to add port 53 for the UDP alias as well. So we'll save this, and before we apply changes we'll add another one for UDP, and we'll add port 53 for DNS and port 123 for Network Time Protocol, NTP. Save, Apply Changes. Applying changes just adds these; they aren't really doing anything yet until we apply them to an interface. So since we want to apply these to the LAN outbound, we'll go to Firewall > Rules and we click on LAN. After we apply this rule, we will deny all traffic not allowed by the rule we just put in. So we'll click on Add. Action is going to be Pass, interface LAN, IPv4. We'll do TCP first and then we'll do UDP, and for destination port range just put "tcp standard outbound"; start typing and this should autofill for you. I'm not going to log these packets because it's going to be a lot of traffic. We'll put a description, "tcp standard outbound for lan", Save and Apply Changes. And we'll add another rule, this time change the protocol to UDP, start typing and "udp standard out" should come up. We will log these, put in a description, Save and Apply Changes. I'm not sure which of these will get more traffic; we'll just have a look after we've had it up for a while, and when we find one gets more traffic, we'll want that on top. Then we're going to add a rule to block anything that we haven't allowed above. It's going to actually reject. Protocol will be any, source will be LAN net. We do want to see what packets get dropped, and we'll Save, Apply Changes. We'll move this rule up above the one that allows all traffic; remember, hit shift and that little up arrow. We'll Save, Apply Changes. We'll disable the rule that allows all outbound traffic and Apply Changes. I just want to clean things up a little by moving this rule
up one. There we go. Save, and we'll have one more look before we do some testing. So we've allowed UDP standard out, which is DNS and NTP; we've allowed TCP standard out, which is ports 80, 443, 22 and 53; and we are dropping everything else and logging it. So fingers crossed, let's see if everything still works. Internet's working, NTP looks like it's working, and SSH is working. I'll try an update. Updates are working. Yes, looks like things are working. There's one more set of services we want to add, and that's some important ICMP messages.

In this lesson we'll learn to apply ICMP message types that are useful outbound to the LAN interface. ICMP stands for Internet Control Message Protocol. ICMP provides some much-needed guidance in controlling traffic. ICMP messages are broken down by message types and codes. Some message types can be risky and should be avoided if not absolutely needed; some, however, are crucial to the proper operation of your network. Here are the types I recommend allowing: type 3, destination unreachable; type 8, ICMP echo request (ping), and bear in mind you don't have to explicitly allow the reply back in, the firewall will keep track of that for you; type 11, time exceeded; and type 12, parameter problem. Please note that my recommendation here differs from the authors'. They're saying allowing any type of ICMP is typically acceptable. While I defer to their knowledge regarding firewalls, as a security professional I do know that some ICMP protocol types are abused. One example is source routing. If I had to enable source routing to make my network work, I should just fix my network, not rely on a protocol to fix that for me. I will leave it up to you whether you want to allow all or whether you want to allow just the ones that I recommended. It's very easy to just select all instead of the individual ones that I'm recommending. Unlike with TCP and UDP, when creating a rule for ICMP you can specify multiple types you want to work with in a single rule without the need for creating
an alias. Go to Firewall > Rules and click on LAN, because we're configuring a LAN rule. Click on Add. It doesn't matter if you add to the top or the bottom of your rule list; we're going to move this to the right location when we're done. This will be a Pass rule, it'll be on the LAN interface, IPv4, then we'll select ICMP for the type. You can see you get a whole drop-down list full of ICMP subtypes here. To select multiple types, you just hold the Control key and left-click. We'll want Destination unreachable, Time exceeded (I'm sorry, these aren't in alphabetical or type number order, so you just kind of have to scroll around and find them), Parameter problem, and Echo request. So we have those four selected. We will want to log these, and we'll put in a good description and click Save, Apply Changes. And we'll want it after the UDP and TCP rules, so put the check mark next to the one you want to move it below and just click to move the ones checked above this one, and Save and Apply Changes. And we can make sure ping at least is working by just doing a ping and making sure we get a reply. So we've applied our new rule and it appears to be working. You see we have echo request, parameter problem, time exceeded and destination unreachable allowed. It has to be above the reject-any rule, of course, and should probably be below the TCP and UDP rules we added earlier; this should be much less frequent than TCP and UDP traffic. And seeing that the vast majority of our traffic is TCP, this rule should be higher as well, so we'll go ahead and adjust that now. There we go, now our most-used rule is higher in the list. Save and Apply Changes.

In this lesson you'll learn some methods you can use to whitelist outbound traffic with minimal chance of denying something necessary for people to do their work. The ports and ICMP message types in the previous lessons will likely be all you'll need for your home network. On corporate networks, more protocols or ports may have to be allowed outbound than this. If you're
the system or network administrator, hopefully you know any special needs that may have to be accommodated. If for some reason you don't, you'll learn how to figure this out in this lesson. You could have batch jobs that send traffic on non-standard ports, or on ports that we may not have allowed. One way to look for this is to enable logging on a copy of the default outbound rule to permit all traffic. You can then look through the logs to see what was permitted. You can then weigh which ones you want to allow and block, and test to make sure things are working. To do this, let's go to Firewall > Rules and click on LAN. We have several rules here; we'll just ignore that and pretend we have a default configuration. We'll make a copy of the default rule that allows any outbound LAN connection: click the little copy icon. We'll copy it just as is and then modify it. Click on Edit, we'll uncheck "Disable this rule", that'll enable it, and we'll add a check to "Log packets that are handled by this rule". So click on Save, Apply Changes, and then we want this rule to be almost at the top. It's good practice to never put anything above your anti-lockout rule. If you have a mistake in your rule and it doesn't behave as expected and it blocks all traffic, and you put it above this anti-lockout rule, you'll lock yourself out of HTTP, HTTPS and SSH access to your firewall; you'll be restricted to the console interface until you fix it. So we're going to move this rule so it's above all of these rules except the anti-lockout rule. You do shift-click, and there we go. And the only difference between this and the default rule to allow any is that we're logging all traffic. Now bear in mind, if we have other rules here, none of those will get hit, because everything will be met by this. So this isn't something you'd want to do long term; you just want to do this to see what's flowing. You aren't decreasing security from the default configuration, but if you've added rules that you want obeyed, those will be skipped. So we
can go to our log. Oops, if you get that message it means you haven't saved a change yet, so make sure you click Save and Apply and then do what you were going to do. So let's look at related log entries. There's nothing in there yet because we haven't done anything yet, so let's go to Google and see if we have anything in the logs. Yes, so we have some hits here: we have a hit for DNS and we have a hit for port 443. Looks like pretty much repetitions of DNS and 443. Oh, here's something else, though. Oh, that's also 443. Okay, so so far all we really see is DNS and internet traffic, HTTPS. What you could do when you're just configuring your firewall, if you want to see what's running, is leave this running for maybe a week if you have a fairly sophisticated infrastructure, and then you could do some filtering to see what ports you may be missing. So we can say "!53", so that'll just show us things that are not port 53, because we put an exclamation mark in front of it to use regular expressions. We can do the same with 443; now we'll see things that aren't HTTPS. So you can use this strategy to figure out what protocols are flowing across your firewall. I'm going to get rid of this rule because I want my other rules to be used, so I just delete. Make sure you're on the right rule here when you do this. Before you're doing changes like this, it can be a good idea to back up your configuration. Backup and restore will be covered in a later lesson, but I can tell you, unfortunately from experience, that it's good to back up before doing changes like this. But just make sure you're on the right rule and click Delete. "Are you sure you want to delete this rule?" I'm sure, and click OK, Apply Changes, and the rule list is back the way it was. Another option is to go to Diagnostics > Packet Capture and just capture packets on the interface you're interested in. Probably you're going to want to see what's going on on your LAN interface. This, in my opinion, is kind of overkill. You're going to
get a lot of data here. All you'd really like to see for this is what ports you may not already know about; you don't have to do a deep dive into what's actually flowing. You can look up port numbers you don't recognize to see if you want to allow them or not. So I recommend the firewall rule way. If you want to dive a little deeper, you could certainly enable packet capture.

In this lesson you'll learn how to look at what your firewall is blocking with your new egress rules and how to tune them if needed. We'll have a look at my home SG-1100 to do this. Chances are good that your firewall is blocking a fair bit of outbound traffic with your original rule set, unless you followed the strategy for whitelisting outbound traffic lesson and created a whitelist based on your understanding of what you have going out. Even if you did some observation first, it's good to check the logs and see what may have been missed. Remember, our initial rules for the LAN outbound port are allowing HTTP, HTTPS, SSH, DNS on both UDP and TCP ports, Network Time Protocol, and several ICMP message types. In reviewing my firewall logs with those rules configured, I found two protocols we'll have a deeper look at. Both were blocked by my catch-all block-any rule at the end of the list. One is Google's QUIC protocol on UDP port 443, which I decided to leave blocked, and the other is Apple's push notification service on TCP port 5223, which I decided to allow. We'll start by going to Firewall > Rules, and we want to look at the LAN. So you can see some rules here that I haven't gone through with you yet, like these DNS blacklist lists; we'll go over those in a future lesson. But here are the ports we just discussed that are allowed outbound: TCP, UDP, and several ICMP message types. Anything that gets past those will be blocked by this rule that catches everything that's left. So let's have a look at the related logs, and we're going to filter, and we'll look for anything blocked, UDP port 443. Port 443 is usually HTTPS, so it
caught my eye when I saw some log entries for UDP port 443. I wasn't aware of a protocol that regularly uses that port, so I looked real quick for UDP port 443, and it says it's Quick UDP Internet Connections, QUIC, and it appears to be a Google project. You can see how much overhead is generated with a TCP HTTPS connection: you have several communications between the sender and receiver, and Google QUIC, because it uses UDP, will be much lighter on your systems. It's supposed to be faster and use less bandwidth. However, it offers the disadvantage of bypassing my web filters. I don't have any web filters configured yet, but we will when we do our Squid proxy lessons, so I decided to leave that in block mode. The other rule I've added in our firewall rules, or the other port, was 5223, which is the Apple push notification service. It's worked its way out of my logs, so we really can't look at it there, but it looks similar to the log entry we just looked at. We'll go back to related logs again and see what else we can find. Let's look at this UDP port 3478, and it looks like it's a STUN port, or it could also be used by Apple. I'm going to go ahead and leave this as it is for now, but it's something we can keep an eye on; if any of my Apple devices are acting up, I can have a closer look at that. So that's how to tune your firewall rules to match what you're seeing in your logs.

In this lesson you'll learn how to put your rules in an order that will optimize performance and manipulate traffic in the way you intended. Although it has been hit upon in previous lessons, rule order on firewalls is so important it deserves a quick lesson of its own. As already mentioned, the most-used rules should appear first in the rule order. There are exceptions, though. To view your rules, go to Firewall > Rules, and we'll be primarily looking at the LAN interface. We see here that our default deny-all rule has 52 kilobits of traffic, while our Xbox rules have far less traffic. We wouldn't want to move this rule above those,
though. If we do that, what would happen? That's right, these rules would never be hit; all the traffic would be denied and my Xbox wouldn't work. How sad. Similarly with UDP: even if UDP were very low, we wouldn't want to move this rule above there, or DNS would stop working. If you haven't experienced DNS problems before, they really mess you up on anything to do with the internet. We'll cover the default deny, or blacklist, and default allow, or whitelist, considerations now. For default deny, or blacklist: deny specific traffic you may want to stop, DNS blacklists for example; place your most-used deny rules highest on that list, place the next most-used rules after that, and so on; permit the traffic that you want to allow, again placing your most-used rules highest on the list; and then deny anything not permitted by previous rules. For a default allow, or whitelist, configuration: deny any specific traffic you may want to stop, such as a DNS blacklist; place your most-used deny rules highest on the list; and then the last rule should be one that permits any other traffic. And I've already mentioned it, but it's worth reiterating: even if your default rules at the end, whether you use whitelisting or blacklisting, get more hits than other rules, you don't want to move those up. And if they do get a lot of hits, you probably want to see what's going on there. If you're doing whitelisting this would be normal. If you're doing blacklisting and a lot of things are getting to your default deny list, you want to make sure you understand what those are. You may want to investigate if it's something that is sending traffic that it shouldn't and it's been infected, or you may want to allow something so you can have your needed services running on your network. As mentioned in a previous lesson, many of these rules, probably all of them, will have zero if any hits on the WAN interface. This is because when traffic is allowed, it's being allowed in the state table; we aren't allowing any traffic by default from the WAN
anyway, so any traffic that is allowed is allowed based on a state table entry: someone requested traffic from the internet and the response is permitted. If you want to filter traffic here on the WAN interface, you'll have to configure a floating rule to catch those. So that's it for rule order. Remember, your default deny should be at the bottom of your list if you're using blacklisting, and your default allow should be at the bottom of your list if you're using whitelisting, and then order by your most-used rules first, making sure that if you're using blacklisting you deny specific traffic you want to deny first and then permit things you want to allow.

In this lesson we'll see how to add rule separators so we can group related rules. To see what rules are configured, go to Firewall > Rules, and we're going to look at the LAN interface. We don't have very many rules configured, but you can see some are related. These were our standard outbound rules, so we have TCP, UDP and ICMP that we want to allow outbound. We'll add a separator to describe those and give us a visual cue that they're related. Right now, scroll down to the bottom and click Add Separator. Give a descriptive name for your separator, choose a color (these are allow rules so I click green, but you can pick whatever you like), click Save, and then just click and drag the separator to where you want it. Let's add another one for our deny rule, and we'll click red because it's a deny rule. Save and put it up here. So now we can easily see we've got a bunch of standard outbound rules and we've got our deny rule. We could have specialized cases where we want to allow some more ports. One example for me on my home firewall is Xbox. Xbox needs a bunch of ports open, but they aren't my standard ports, so I didn't want to add them here; I just put some more ports in for my Xbox and put a separator. After you're done, click Save and Apply Changes, and you're done. That's it for adding separators.

This lesson is an introduction to the pfBlockerNG installable
package for pfSense. pfBlockerNG is an extremely useful plugin; I recommend everyone with a pfSense firewall install it. Dallas Haselhorst, on his blog Linux Included, said that if he could choose only one package to enable on pfSense, pfBlockerNG would be it. Dallas has several outstanding blog posts about pfBlockerNG, among other things; a link to his blog is provided below. I agree with Dallas: the suite of tools provided with this package is indispensable. Per the pfBlockerNG info page on the Netgate documentation, pfBlockerNG allows assigning many IP address and URL lists from sites like I-Blocklist to a single alias and then choosing a rule action; blocking countries and IP ranges; replacement of both Country Block and IP Blocklist by providing the same functionality and more in one package; and it uses native functions of pfSense instead of file hacks and table manipulation. Features include Country Block features, IP Blocklist features, XML-RPC synchronization, dashboard widgets with aliases applied and package hits, lists that are updated frequently, many new options to choose what to block and how to block, and network lists that may be used for custom rules. pfBlockerNG aggregates several IP and DNS blocklists into a single list that can be checked by your firewall. These lists are drawn from popular feeds. Stopping traffic before DNS name resolution is even complete can save a lot of effort by your firewall and a lot of risk for you. If resolution of a bad site completed, the firewall would then have to analyze all traffic using other tools, hopefully recognizing and stopping the bad traffic. You're stopping name resolution from occurring, so malware that relies on it can't phone home to receive further instructions or malware. In the following lessons we'll install and configure the main features available with pfBlockerNG. If you like the project, please consider contributing to BBcan177's Patreon campaign; I did. He's put a huge amount of effort into making this a useful, easy to
You could just Google for BBcan177 Patreon.

We'll install the pfBlockerNG package in this lesson. Installing pfSense packages is pretty straightforward: go to System > Package Manager and click on Available Packages. There are a lot of packages you can choose from; they're in alphabetical order, so scroll down to pfBlockerNG. You can see there are two entries there: there's pfBlockerNG and pfBlockerNG-devel (d-e-v-e-l). I would normally not install a developer package on a production system, but I'm going to go with Dallas Haselhorst on this, and with my own experience, and say that this is a stable package and there are features that I want you to be able to use available on the developer release. So click Install and Confirm. You'll see progress as it installs, and I recommend not clicking away from here until it's done and it says it's done and it was successful. Now if we go back to Installed Packages we see that pfBlockerNG is installed. We can also see that it's now available under Firewall > pfBlockerNG. So that's it, you've installed pfBlockerNG. In upcoming lessons we'll learn how to configure it. Good job.

In this lesson we'll enable pfBlockerNG and configure DNS blacklisting (DNSBL) and IP blacklisting using a setup wizard. We can see that nothing for pfBlockerNG is enabled, even though it's installed, because we haven't enabled anything yet. To use the wizard, go to Firewall > pfBlockerNG, and it brings us to a wizard that will configure an entry-level configuration for IP and DNS blacklisting. We'll look at how to manually configure these in a future lesson. So to continue in the wizard we'll click Next, and it's saying that any settings we had before will be wiped out and it will configure a kind of standard or default installation for IP blacklisting and DNS blacklisting. It'll block the worst known malicious domains, so we'll click Next. The inbound firewall interface is the WAN, the outbound interface is the LAN, so we click Next. It configures a virtual IP address to send blocked traffic to; we'll just leave the IP address and the port numbers at default and click Next. It gives us one more warning that everything's about to be wiped if we have any configuration. This is a brand new installation, so we don't have anything, so we'll click Finish, and it's running its first update. It says pfBlockerNG has been successfully configured and updated. It will now block IPs based on some recommended feed source providers. It'll also block most adverts based on feed sources including EasyList and EasyPrivacy. It says to review the update log for any errors, so we'll scroll back up and make sure there weren't any errors. It does tell us we've hit a hard limit of 400,000 table entries; that should be plenty. Then we'll just scroll back up real quick and look for any other errors or messages. The wizard set quite a few things up for us, and we see no other errors except for the 400,000 entry limit reached. If you have VLANs, it says you should enable DNS blacklist to permit firewall rule options to allow all subnets to access the blacklist; we don't have any VLANs configured at this time. And we can look at things that are reported under the Reports > Alerts tab; if we see anything there that we want to allow, you can whitelist it right from the Alerts tab, and then we can look in the Reports and Statistics tabs for an in-depth summary of all IP and DNS blacklist events. So let's take a look at the IP tab: it says it's enabled, and these defaults should be fine for us. DNS Blacklist says that's enabled; TLD is not enabled, and we'll cover that in a different lesson. The wizard quickly and easily set up IP and DNS blacklisting for us with very few things to do on our part. That's it for this lesson. Good job.

So what is an intrusion detection system / intrusion prevention system, or IDS/IPS? As the name implies, it's a system for detecting and/or preventing network intrusions. When attackers try to find and exploit vulnerabilities on your servers, there are patterns in the network traffic that can be detected and, if configured for prevention, blocked upon detection. One simple example is a directory traversal attack. When an attacker tries to find a vulnerable server, there will be attempts to go up directory levels sent in requests to your server; the GET request to your web server will look something like this. In simple terms, the IDS can look for a pattern like ../../../ and create an alert if it's seen. That's not something you would normally type, but it is something a manual attack or an automated tool would put in to try and detect directory traversal vulnerabilities. It could also block the offending IP address if it's configured for prevention; this will keep the attacker from going after your server for a length of time you determine, or permanently until you manually allow the traffic from there again. An IDS or IPS can have hundreds or thousands of patterns like the above that check traffic for many, many types of attacks. This is an example of signature-based detection. Snort does signature-based and protocol-based detection. Signature-based detection is described above; stateful protocol analysis looks for deviations from a predefined set of norms for how a protocol should function. If someone is using Secure Shell (SSH) over a port other than its standard port of TCP port 22, Snort should detect this and respond accordingly. We'll be installing Snort IDS/IPS on pfSense and looking at its operation in some upcoming lessons.

Installing Snort on pfSense is pretty straightforward. Once you log into your firewall, go to System > Package Manager, click on Available Packages, and you can see it's a pretty huge list. We're going to scroll down to Snort, right here; the latest is snort 3.2.9.9_1. Snort is an open source intrusion prevention / intrusion detection system. Click on Install, click on Confirm, and leave this until it goes through all these steps.
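The two detection styles described above, as an added Python illustration (this is not Snort code and not from the lesson): the signature check looks for ../../../ in the path of an HTTP request, percent-decoding it first so an encoded form of the same pattern is still matched, and the protocol check flags an SSH version banner on a TCP port other than 22. The packets, addresses and rule names are constructed; blocking is simulated by adding the source to a set, the way an IPS adds it to its block table, and the same traffic is run once in detect mode and once in prevent mode.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote

SSH_STANDARD_PORT = 22


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Alert:
    src_ip: str
    rule: str
    detail: str


@dataclass
class ToyIDS:
    # prevent=False is detect mode (alert only); True is prevent mode (alert and block)
    prevent: bool = False
    blocked: Set[str] = field(default_factory=set)
    alerts: List[Alert] = field(default_factory=list)

    def _signature_check(self, pkt: Packet) -> Optional[Alert]:
        """Signature-based: directory traversal pattern in an HTTP request path."""
        text = pkt.payload.decode("latin-1")
        if not text.startswith(("GET ", "POST ", "HEAD ")):
            return None
        path = text.split(" ", 2)[1]
        # Percent-decode so "..%2f" is seen as the same "../" the rule looks for
        if "../../../" in unquote(path):
            return Alert(pkt.src_ip, "WEB-ATTACK directory traversal", path)
        return None

    def _protocol_check(self, pkt: Packet) -> Optional[Alert]:
        """Protocol-based: SSH version banner on a port other than TCP/22."""
        if pkt.payload.startswith(b"SSH-2.0-") and pkt.dst_port != SSH_STANDARD_PORT:
            return Alert(pkt.src_ip, "PROTOCOL ssh on non-standard port",
                         f"tcp/{pkt.dst_port}")
        return None

    def inspect(self, pkt: Packet) -> bool:
        """Inspect one packet; return True if it is allowed through."""
        if pkt.src_ip in self.blocked:
            return False                         # source already in the block table
        alert = self._signature_check(pkt) or self._protocol_check(pkt)
        if alert is None:
            return True
        self.alerts.append(alert)
        if self.prevent:
            self.blocked.add(pkt.src_ip)         # "block offenders": block the source IP
            return False
        return True                              # detect mode: alert only, let it pass


# Constructed traffic: a benign request, a percent-encoded traversal attempt,
# SSH on its standard port and SSH on an unusual port.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.20", 80, b"GET /static/..%2f..%2f..%2fconfig.ini HTTP/1.1\r\n"),
    Packet("203.0.113.30", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet("203.0.113.40", 8443, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def run(prevent: bool) -> Tuple[List[str], Set[str], List[bool]]:
    """Run the sample traffic through the IDS; return rules fired, blocked IPs, verdicts."""
    ids = ToyIDS(prevent=prevent)
    verdicts = [ids.inspect(p) for p in SAMPLE_PACKETS]
    return [a.rule for a in ids.alerts], ids.blocked, verdicts


if __name__ == "__main__":
    print("detect mode :", run(prevent=False))
    print("prevent mode:", run(prevent=True))
```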
So it's on step 2 of 9; just let it go until it gets all these steps done. It's installing and doing a base configuration of Snort for you. You can look through the installation notes if you'd like; what we really want to see is this success message at the end. It also says "Snort installation successfully completed" at the top. Now we go back to Installed Packages and it says Snort is installed. In the next lesson we'll do some initial configuration.

As mentioned in a previous lesson, Snort runs on rules. Before we dive into configuring Snort, it's helpful to understand rule sets and to be prepared to download and install them by registering with Snort for the rules you want, if that's applicable for the rules you want. Rule sets available for download are Snort VRT, Snort GPLv2, ET Open and ET Pro (ET stands for Emerging Threats), and OpenAppID detectors. I'll discuss each of those now. Snort VRT: VRT stands for Vulnerability Research Team. It used to be a group of volunteers on the Snort team, but I believe it now falls under Talos, which is still a team at Snort but I believe is paid. From the Snort Talos site, it says Talos, formerly the VRT, is a group of leading-edge network security experts working around the clock to proactively discover, assess and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities. There's a free subscription and a paid subscription. The free subscription is 30 days behind the paid subscription service, so you won't have updates until 30 days after they're discovered by the VRT team. You'll still have a huge database of rules, historic rules that cover many, many things and existing threats, but you won't have the very latest. The paid subscriber rule set is full featured and is updated twice a week, or more often if a vulnerability comes out between updates. I recommend a paid subscription for business and, if $29 a year sounds reasonable to you, a paid subscription for home too. A business license is a bit more pricey at $399 per sensor, but considering what you'd spend on a product like a Palo Alto subscription or anti-malware for your company, it seems very reasonable. Snort GPLv2 rule set: the Snort GPLv2 rule set is the official community rule set. It's certified by Talos, and on the pfSense configuration page it says it's free of charge without any Snort Subscriber License restrictions. It's updated daily but only has a subset of the subscriber rule set. ET stands for Emerging Threats. The ET rule sets are maintained by Proofpoint. The free version of Emerging Threats, the open source one, offers more limited coverage than the ET Pro version. ET Pro has daily updates and extensive coverage of current malware threats. The site seems to direct me to a sales rep instead of telling me the price, so I doubt it's very cheap; I'll post the price if I find one, but I recommend ET Open unless you feel the need to research how much ET Pro costs. Sourcefire OpenAppID detectors: OpenAppID is an application-focused detection language and processing module for Snort. According to the Snort website, OpenAppID is free, and I recommend enabling this rule set. In upcoming lessons you'll learn how to enable rule sets you choose and how to schedule automatic updates for them.

Enabling rule sets is pretty straightforward. If you haven't already done so and want Snort VRT rules, please register with Snort. You just go to snort.org and click Sign In, and if you don't already have a registration, just create one; it's free. The easiest way to register for your free rule set is to go to Services > Snort > Global Settings and click the link to sign up for a free Registered User rules account. If you'd like the Personal edition, it's only $29.99 per year, $30 a year; business is $400 a year, $399 a year. I've already signed up, so I have my free Oinkcode already. Personal seems really reasonable at $30 a year, so I will be doing that for my home router, but I'm not going to do that right at this time. So once you do this you'll get your Oinkcode, and you can copy this and you'll be using that as you register. So we'll click Enable Snort VRT; it's asking for our code, so we come here, copy the code and paste it. Since we're doing the free version at this time, we'll enable Snort GPLv2. We'll also enable Emerging Threats Open; I don't have a Pro license, so we'll leave that unchecked. We'll enable OpenAppID and we'll enable rules for OpenAppID. I update once a day, and I do it at a time where I probably won't be on the computer or on the network, because I have a horrible network at home, a horrible internet service provider that oversubscribes, so I don't have very good bandwidth. I do like to hide deprecated rules. Deprecated rules are rules that are no longer supported, so they shouldn't really be used, and if you check this you won't see those, so you won't be able to use them. You don't need to disable SSL peer verification unless you're on a corporate network and you're using a web proxy and you're using a trusted certificate at work, so you should probably be able to leave this unchecked for home; you may or may not have to check this at work. Please try without this checked and see if that works for you, and then revisit it if you have to. For Remove Blocked Hosts, you can leave it at Never or you can select an interval. I'm going to put four days since this is at home. You may think you want Never, but there's two reasons you may not want to do that. One is if you're working on a corporate device and it's remote and you don't have physical access and you lock yourself out for some reason, you will not be able to get back in until you get access to your firewall through different means. And the other is that IP addresses change ownership all the time: a bad guy could be operating on an IP address one day and a good guy the next, and you won't be able to get to the website of the good guy if you block it forever. I leave Remove Blocked Hosts After Deinstall unchecked, but please check this if you're uninstalling and reinstalling for troubleshooting purposes. If something's not working right in Snort and you want to uninstall and reinstall, please consider checking that. Also, Keep Snort Settings After Deinstall: I leave this checked, but if I'm removing for troubleshooting and reinstalling I want a clean install, so I would uncheck that. And I do check Startup/Shutdown Logging so I'll capture detailed system logs about startup and shutdown events, and then click on Save. In the next lesson we'll do updates, and then we will assign Snort to interfaces in a future lesson.

Before you can start using your new Snort IDS/IPS, you'll have to do your first update. Although it's really easy to kick it off, it can take some time depending on the speed of your internet connection. Just go to Services > Snort, click on Updates and then click on Update Rules. You'll get this pop-up that says updating rule sets may take a while, please wait for the process to complete, this dialog will auto-close when the update is finished. I'm going to leave that up until it's finished. You can see that once the signatures are updated you'll get a result of Success, you'll see MD5 hash signatures for each rule set, and you'll see a date that the MD5 signature was generated. So we know Snort is up to date. Next we'll assign Snort to interfaces.

This lesson will talk about choosing a deployment strategy for your IDS or IPS. We'll discuss enabling rules on interfaces soon, but before doing that it is useful to discuss the detection versus prevention piece of an IDS/IPS. In detect mode, an IDS will tell you badness is occurring but will not act on that information other than generating an alert and log entries that something potentially dangerous is happening or has happened. In prevent mode, an IPS will actively block offending traffic. For Snort, that means once a Snort rule has been violated, Snort will block the traffic from the source or the destination or
both IPs, as you specify. In Snort on pfSense, enabling prevent mode is done by checking the Block Offenders and, optionally, Kill States checkboxes in Services > Snort > Edit Interfaces (LAN or WAN or other), then LAN Settings and Alert Settings. We'll look at that now. So, Services > Snort; I'm going to pick LAN, just Edit, and under Alert Settings it would be Block Offenders. If you check this, it's in prevention mode; it's going to stop that traffic. Kill States will stop existing sessions. Let's say you went to a server and everything was fine, but then some badness was detected: something on that server tried to attack your network, and that's recognized by Snort. Snort could then drop that active session even though it was originally okay. And then Which IPs to Block: do you want to block the source, the destination or both? If you're pretty familiar with firewalls and your network, using prevent mode may be fine from the start, provided you're prepared to do some quick troubleshooting if something is blocked from a false positive. When I was managing a network with a lot of developers, something in the way they did SSH tunneling was triggering false positives and blocking their traffic. I don't remember the details now, but I was able to pretty quickly find the rule that was causing the false positives and tune it or disable it. It happened as soon as I enabled Snort IPS in front of the servers in my environment, so it was easy to know that it was firewall related and to fix it. If you're new to such activities, or you're not sure whether you may have some false positives that could block your network traffic, you may want to start with Block Offenders unchecked, leaving Snort in detect mode. You can check the logs to see what's been alerted on, tune it, and then enable blocking once you're sure you won't be blocking legitimate traffic. For a corporate network, or for someone who has never administered a firewall, whether home or business, I recommend getting familiar with the firewall by using monitor mode for a few days or weeks before enabling prevention by checking Block Offenders. Also remember, if you're putting pfSense outside your home wireless device, you'll likely be using network address translation from that device to pfSense. That means everything on your home network will look as though it's coming from the one IP address of the outside interface on your home wireless access point/firewall/router. If anything on your home network is flagged by Snort, your whole home network will not be able to reach the internet until you troubleshoot the problem. This issue would mainly come to light if you enable Block Offenders on the LAN interface, blocking the source IP address. To summarize: if you're feeling lucky, you may go straight to blocking mode, but I recommend the more cautious detection mode until you see what Snort alerts on.

OK, you've selected your rule sets and updated them. There's one more step before Snort will start doing its thing and protecting your network: you have to assign Snort to interfaces on your firewall. I recommend enabling Snort on both the inside and the outside interfaces. Bear in mind, if you're placing pfSense outside your home wireless router or firewall, or outside another router or firewall at work, all the traffic on the inside interface of pfSense will appear to be coming through the NATed IP address of your device. That means if there's one offender on your inside interface, all traffic to pfSense may be blocked until you fix the problem and find a different way into your firewall. I'm okay with this risk on my home network; if you're paranoid and you have management support on your corporate network, you can configure it at work as well. An alternative is to configure the internal interface in IDS or detect mode and your external interface in protection mode, then watch your logs for alerts. If you're alerted but don't see it for days, weeks or months, it'll be very late in the game for you to try and repair the damage. To assign rules to interfaces, go to Services > Snort, and Snort Interfaces will already be selected. Click on Add. We'll do the WAN interface first: leave Enable Interface checked, Interface is WAN, Description is WAN. We don't worry about the snap length. I do like to send alerts to system logs. We'll leave these at default, and on the external interface I do like to automatically block hosts that generate Snort alerts; we'll block the source IP. We'll leave these all at default, unchecked. We'll also leave the networks Snort should inspect and whitelist at defaults, and we don't have a suppression or filtering list at this point, so we'll leave that default, and we have no advanced configuration pass-through options configured, so you click Save. We'll add our internal interface as well: send alerts to system logs, Block Offenders, we'll do Source again, leave defaults. And remember, with Block Offenders, if you're at work you may want to not do this and just very carefully watch your logs every day. Click on Save, then we're going to start Snort on the interfaces, and we're successful. You've got Snort set up in a basic configuration. Good job.

Welcome back. In this section we'll install the Suricata intrusion detection and intrusion prevention system. Suricata is a kind of meerkat; perhaps the name was chosen because meerkats are watchful creatures, always on alert for danger. Snort is older and has a large community for support and documentation. Suricata is newer and supports multi-threading, which can greatly improve performance. Suricata also supports IP reputation and automated protocol detection. I see those as the key differences, and beyond that I leave it to your personal preference which you choose; you can try both and see what you like best. I don't know if it's possible to run both Suricata and Snort on the same firewall at the same time, but even if it is, I don't recommend it. Having two services trying to manage network flows at the same time will be resource intensive and may result in conflicts and difficulty in troubleshooting. In this section we'll remove Snort, install Suricata, configure Suricata and test IDS functionality. Let's get started.

Welcome back. In this lesson we'll remove Snort in preparation for installing Suricata. Let's take a moment to do a quick backup before removing Snort, so we can quickly go back if you decide you prefer Snort. Go to Diagnostics > Backup & Restore and be sure that Skip Packages is not checked; if this is checked it will not back up packages, which is not what we want, so make sure this is unchecked. You can encrypt if you like; you'd have to put a password in here, and don't forget that password or you won't be able to get into your file. Then click Download Configuration as XML, click Save File, OK, and it will typically go into your Downloads folder. To remove Snort, we'll go to System > Package Manager, click the trash can icon next to Snort, click Confirm, and your system will remove Snort for you, and it says pfSense package snort removal successfully completed. If we click back on Installed Packages there will be none now, because we removed the only one we had on this firewall. In the next lesson we'll install Suricata. Good job.

Welcome back. In this lesson we'll install the Suricata package. Click on System > Package Manager, Available Packages, scroll all the way down to Suricata and click Install, click Confirm, and let the package manager download it. We get the message pfSense package suricata installation successfully completed, and we look at Installed Packages and Suricata is there. That's it. In the next lesson we'll start configuring Suricata. Good job.

Welcome back. In this lesson we'll configure Suricata's global settings. Click on Services > Suricata and Global Settings. Check the box to install ET Open Emerging Threats rules; of course, if you have a Pro license you can install that. I do find Emerging Threats license subscriptions kind of pricey, but if you're interested you could contact Proofpoint if
you'd like to explore your options. If you have your Oinkmaster code (I still love that name), you can install Snort rules, and you can install Snort GPLv2 community rules; this doesn't require any license or registration. If you have a paid Snort license, you will get these rules as part of your download. I do have a paid subscription for about thirty dollars US per year for my home firewall, and even a corporate subscription is very reasonable if you want to explore those. I don't worry about hiding deprecated rules; I just leave those. For update interval I select once a day, and I set my time for two in the morning. You can set that to whatever time makes sense for your network, whether it's your home network or your business; you'll probably want it to be off hours so you don't affect bandwidth, and if you have multiple firewalls, remember not to have them all update at the same time or you could run into performance issues on your network. We're going to check Live Swap on Update, but I'll update the lesson if this causes a problem for me; I don't know, it says it could cause problems, but let's give it a shot. And for the GeoLite2 update we're going to get these, but we'll have to get a license key from MaxMind, so we'll click on Register for a free MaxMind user account. You'll receive an email on how to set up your MaxMind account. Go to Services and click on My License Key and click on Generate New License Key. This key will be used for geoipupdate; as instructed here, it says use geoipupdate version 3.1.1 or newer. Then we confirm, and here's our license key. We could have just clicked Copy; we'll paste that here. And for Remove Blocked Hosts I recommend one hour, but please use your own judgment there. If you manage a remote site and you have to get into pfSense and there's a chance you could lock yourself out, one hour is a long time not to be able to help with an issue there, so you may want to set it to lower than that; you could set it to 30 minutes or 15 minutes if you want to, and if it's for home you could set it longer or even set it to Never, so a blocked user would never be allowed in until you manually remove them. Now bear in mind that malicious activity shifts around quite a bit, so bad guys will use sites like DigitalOcean or things like that, and once they're done doing their badness, or they get caught and booted off, that IP could be reissued to a legitimate user and they then would be blocked. So you probably don't want to keep it on Never, but just do what you think is best there and adjust it as you need to. We will not log to the system log, but if you use syslog and you send all your messages to a syslog server you may want to check this. And we will leave this checked to keep all Suricata settings after deinstall, but you would probably want to uncheck that if you're going to remove Suricata and leave it off; this is just if you're taking it off and reinstalling it for some reason. So we click Save, and that's it. In the next lesson we'll click on Updates and we'll look at how to update for the first time.

Welcome back. In this lesson we'll do our first updates for Suricata. So you go to Services > Suricata > Updates, and because nothing has ever been updated, of course everything says Unknown. It would update at 2 in the morning if we wanted to wait, but let's check and make sure that our updates will work, so we don't have to wait until tomorrow to find out there may be a problem. So you click Update and it says updating rule sets, this may take a while. You could close this or you can just leave it and let it close by itself when the update is done. We're going to let this go and we're going to check back on it in a few minutes. What you'll see when this downloads successfully is the MD5 hashes and the MD5 signature update times. I don't have Snort configured yet, at least with the Snort Subscriber rules, but I will, and I recommend you enable that. In the next lesson we'll assign interfaces to Suricata. Good job.

Welcome back. In this lesson we'll assign interfaces to Suricata so we can monitor them or block malicious activity on them. To add an interface, go to Services > Suricata > Interfaces and click on Add. We'll start with the basic WAN settings. Be sure Enable is checked; Interface should be WAN; Description, I just leave it at WAN, but you could make it more descriptive if you want. I leave Send Alerts to System Log unchecked; if you have a syslog system that collects and manages logs for you, you may want to check that. I also leave Enable Stats Log unchecked. Enable HTTP Log, Append HTTP Log and Log Extended HTTP Info are all checked. Enable TLS Log, Tracked File Log and Enable File Store, along with Enable Packet Log, are all unchecked; you could check these as you'd like. You can test them out, see if you get useful information and if there's a useful balance between what's logged and log space; I think the most chatty of these would be Enable Packet Log. I leave EVE JSON Log off. EVE is Extensible Event Format, and it puts all alerts, HTTP logs, anomalies and metadata into a single file that is formatted so it can be read by third-party tools like Logstash or jq. More info is available in the downloadable PDF with the link, or in the description for the lesson; looks like an interesting thing to explore, but we'll leave it for now. Block Offenders: make sure this is checked for your WAN, and leave your IPS mode at Legacy Mode; this way we don't have to worry about whether our NIC driver works with netmap. Kill States: this means that if a connection is up and malicious activity is seen later and one of the IPs is blocked, this will stop that traffic along with any future traffic. Under Which IP to Block, for WAN I select Source; this will mean an IP on the internet that's coming into our network would get blocked. Leave Block On Drop Only unchecked; if you do check this, it would only block on drop actions; if you don't check this, it would block on alert or drops, so we'll leave that unchecked. Run Mode we'll leave at AutoFP; Max Pending Packets we'll leave at 1024; Detect Engine Profile we'll leave at Medium; Pattern Matcher Algorithm, Auto; Signature Group Header, Auto; Inspection Recursion Limit we'll leave at 3000. Delayed Detect we'll leave unchecked; Promiscuous Mode we'll leave checked; and Interface PCAP Snap Length we'll leave at 1518. All the HOME_NET, EXTERNAL_NET and Pass List settings we'll leave at default; alert suppression and filtering we'll leave at default; and advanced configuration pass-through is left blank. Then we'll click on Save. We'll look at WAN Categories; we'll enable the Snort GPLv2 rules, and then for WAN we'll try Select All. For LAN I do not recommend this at first; you want to look kind of carefully through the rules and try and pick ones that make sense for you. Then we'll click on Save, and then we'll start Suricata. I recommend the same settings for the LAN except that, at first, I recommend not checking Block Offenders; just look at logs to see what kind of traffic you may have and to tune. LAN Categories I would keep less restrictive, depending on your company's policies if you're at work, and if you're at home, just make it reasonable. You can definitely enable these, the Talos-certified rules, and if you see any here that make sense to you, you can enable them and see how it works. And go back to Interfaces and enable Suricata for LAN. You won't have this yet until you do the next section, but there's a DMZ setup here, and when you have your DMZ set up I would block in both directions; you should have very little traffic that's not standard going into or out of your DMZ. And again, categories for the DMZ: you can be quite restrictive here. And Save, and back to Interfaces and Start. It's tough to see if blocking is working without some allowed ports; that's why I'm testing on this DMZ setup, and you'll learn how to set up a DMZ, as I said, in an upcoming section. But for now we'll just see that Suricata is working and is blocking.

Welcome back. In this lesson we'll make sure Suricata blocks malicious traffic. You won't be able to follow this lesson as I present it until you get a DMZ set up. If you run any scanning tool against a WAN interface with no ports open, you won't see anything at all and your packets will be dropped, which is a basic purpose of a firewall. To see interesting traffic you'll want to allow at least one port through. You'll learn how to set up a DMZ in a future section. For us, we're going to have an nginx web server listening on port 80 in our DMZ. You'll learn how to set up a DMZ, an nginx server, and how to test that it's working and blocking malicious traffic with Snort in an upcoming section of this course. For now I want you to see that Suricata works as we've configured it. I'll be running Nikto from a Kali Linux virtual machine I have running. Kali is free to download and is designed specifically for penetration testing and network forensics, so it has a lot of tools built in. I'll be using a free, easy to run, quick and dirty web scanner called Nikto. You can download Nikto for free, and it's available for Linux, Windows and macOS. We'll start with Suricata disabled on the WAN and DMZ interfaces, so go to Services > Suricata and click the Stop button on the WAN and DMZ interfaces. Find the public IP of your pfSense firewall; you can find that by just clicking on the pfSense icon in the upper left and looking at the WAN interface. So you can see ours is 192.168.254.102.
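Before running the test, here is an added example of how the EVE JSON log mentioned in the interface settings can be read to triage alerts like the block this test produces; it is my own illustration in Python, not Suricata's code and not from the lesson. It keeps only alert records, counts them per signature and per source, and lists which rules fired for a given source IP, which is what you need to know before deciding whether to tune a rule or just remove a block. The log lines are constructed: the Nikto signature name mirrors the alert the lesson shows, while the signature IDs, the addresses and the second signature are made up for the example.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple


def _alert(ts: str, src: str, sid: int, sig: str, cat: str, sev: int) -> str:
    """Build one constructed EVE alert record (only the fields used below)."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src,
        "dest_ip": "192.168.254.102", "dest_port": 80, "proto": "TCP",
        "alert": {"gid": 1, "signature_id": sid, "rev": 1, "signature": sig,
                  "category": cat, "severity": sev},
    })


NIKTO_SIG = "ET SCAN Nikto Web App Scan in Progress"   # the alert seen in the lesson
OTHER_SIG = "EXAMPLE POLICY constructed signature"      # made up for this example

# Constructed eve.json sample: three alerts, two non-alert records (http, flow)
# and one truncated line such as a log may contain after an unclean shutdown.
EVE_SAMPLE = "\n".join([
    _alert("2024-01-01T10:00:01.000000+0000", "198.51.100.7", 2000001, NIKTO_SIG,
           "Web Application Attack", 2),
    json.dumps({"timestamp": "2024-01-01T10:00:01.100000+0000", "event_type": "http",
                "src_ip": "198.51.100.7", "http": {"url": "/"}}),
    _alert("2024-01-01T10:00:02.000000+0000", "198.51.100.7", 2000001, NIKTO_SIG,
           "Web Application Attack", 2),
    json.dumps({"timestamp": "2024-01-01T10:00:03.000000+0000", "event_type": "flow"}),
    _alert("2024-01-01T10:05:00.000000+0000", "192.168.1.50", 2000002, OTHER_SIG,
           "Potential Corporate Privacy Violation", 3),
    '{"timestamp": "2024-01-01T10:06:00',
])


def parse_eve(text: str) -> List[dict]:
    """Return only well-formed alert records; skip other event types and garbage."""
    alerts = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                         # truncated or garbled line
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def summarise(alerts: List[dict]) -> Dict[str, dict]:
    """Alert counts per (sid, signature) and the sorted sids each source triggered."""
    by_sig: Counter = Counter()
    by_src: Dict[str, set] = defaultdict(set)
    for rec in alerts:
        a = rec["alert"]
        by_sig[(a["signature_id"], a["signature"])] += 1
        by_src[rec["src_ip"]].add(a["signature_id"])
    return {"by_signature": dict(by_sig),
            "by_source": {ip: sorted(sids) for ip, sids in by_src.items()}}


def rules_to_review(alerts: List[dict], src_ip: str) -> List[Tuple[int, str]]:
    """The (sid, signature) pairs that fired for one source: what to look at
    before deciding to suppress or disable a rule, or simply remove the block."""
    seen: Dict[int, str] = {}
    for rec in alerts:
        if rec["src_ip"] == src_ip:
            seen[rec["alert"]["signature_id"]] = rec["alert"]["signature"]
    return sorted(seen.items())


if __name__ == "__main__":
    alerts = parse_eve(EVE_SAMPLE)
    print(summarise(alerts))
    print("rules that fired for 198.51.100.7:", rules_to_review(alerts, "198.51.100.7"))
```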
We'll make sure that we can see the nginx default page on that site, and refresh to make sure it's not cached. At the terminal we just type nikto --host and then the IP address, and it'll take maybe 30 or 40 seconds to run, and then once it's done you can see how long it took to run and what it found. So let's try again with Suricata enabled on those interfaces. We'll click Start (it's probably good not to start two interfaces at once) and we'll try our scan again. This time you really can't see it yet, but it's already timing out; it's not working. So let's look at Blocks, and you can see that it saw a Nikto web scan in progress and it blocked our IP. I'm going to stop the scan. That's our IP and it blocked it; it saw the Nikto scan was coming in and stopped it. So this is malicious traffic, because it says Nikto, you know somebody was running a web scan; but if it's a false positive of some kind, you can tune your firewall by seeing what rule or rules were used and setting it not to block on those rules. But if you just want to get someone off your block list, you can click Remove, and now if we go back to our web page and we refresh, you can see that the default nginx page is still coming up for us. That's it for this lesson and this section. You've enabled Suricata, added rule sets, added interfaces and tested to make sure it blocks malicious traffic.

Welcome back. In this section we'll configure a demilitarized zone, or DMZ, for an nginx web server. We'll also configure Snort to protect our server. Here's what we'll cover in this section: you'll understand what a DMZ is and why it's useful; we'll review the network topology of our lab environment; we'll configure networking for our pfSense firewall to accommodate our DMZ (we'll do this by adding a physical interface, and we'll configure the new OPT interface to be our DMZ interface); we'll also spin up a Linux Mint VM for the internal network and a Linux Mint VM for our DMZ network; then we'll configure the firewall to permit traffic from the DMZ for testing; then we'll add firewall rules to send web traffic from the outside interface to the DMZ; and we'll configure firewall rules to allow SSH to our web server from the internal network so you can manage your server. We'll also protect our web server with Snort. Lots of fun stuff ahead, so I'll see you in the next lesson.

Welcome back. As mentioned in the last lesson, DMZ stands for demilitarized zone. It's a term borrowed from the military; think of the boundary between North and South Korea, which is perhaps the most famous DMZ. The fenced-off, heavily guarded and patrolled border is a no man's land: anyone in there is suspect, anyone having to enter must be authorized, and they will be very closely monitored by both sides. It would be very nice if we could trust people to behave well when we expose a server to the internet, like a web server or an email server. As you'll see from your logs on any server exposed to the internet, this just isn't the case. Hostile forces are constantly looking for weaknesses in our servers, and if they find any they'll try to exploit them and take over or abuse our server. The next logical step for an attacker is to see what else she could get into after breaking into the exposed server. If someone breaks into your web server and your web server is on your internal network, the attacker would be able to go after any system on your corporate local area network, or LAN. If you configure your environment as I recommend and show you here, damage from such an attack will be limited. You should put any service you have to expose to the internet, or to people outside your network, in a DMZ. Anything in your DMZ should be hardened and monitored closely for any sign of compromise. Network traffic to and from the server should be tightly restricted: for a web server, only web traffic from the internet should be allowed to access it. Management traffic such as SSH for Linux or Remote Desktop Protocol, or RDP,
for windows should only be allowed from the internal network the dmz server should not be allowed to communicate with the lan except in very controlled circumstances like allowing logs to be sent to a log server to summarize a dmz is a network location where you can put things you want to share with outside consumers traffic flow into and out of the dmz should be closely monitored see you in the next lesson welcome back in this lesson we'll have a look at the network topology of our dmz we'll be setting this up in virtualbox the topology is pretty straightforward we'll allow incoming traffic from the internet in this case our home network or the place we're hosting virtualbox into our web server in the dmz over ports 80 http and 443 for https we'll deny all other inbound traffic from the internet we'll allow traffic from our internal network over port 22 which is ssh so we could manage our server from the corporate network we'll add a network interface card on our pfsense firewall which will become our dmz this interface will use a new internal only network called inet2 for my virtualbox environment i use 192.168.254 network for the wan the 10.0.0.0 network for the dmz and the 192.168 network for the internal or corporate network these are all class c or slash 24-bit masks and the mask would be 255.255.255.0 if you spelled it out we'll go through the steps for the entire process in upcoming lessons welcome back in this lesson we're going to get pfsense set up to use our dmz there are a few things to look at in settings all of them are in the network first make sure that your adapter 1 or your wan is set to bridged adapter it could be a challenge to get it to work if you have matte or network address translation selected so make sure it's make sure it says bridged adapter adapter 2 should be attached to an internal network it's called int net think i said inet in the other video sorry about that adapter 3 you're going to check enable network adapter internal network 
and yours will probably not come up already filled out like this but put the number two in there so it'll say int net two then click on ok and we'll start our pfsense server and we can see our wan ip address and our lan ip address you can see our wan ip is on the one i mentioned 192 168.254 and specific ip the host ip is 138. the lan ip is 192.168.1.1 which is default for a brand new firewall so in the next lesson we'll start setting up our linux mint machines on the internal and the dmz networks welcome back in this lesson we're going to download and install the first of two linux mint servers this one will be for our internal network so just go to linuxmint.com and click on download i use the mate version 64-bit so just click on 64-bit under mate click on the world site or a location that's close to you and let the file download i'm going to close this because i've already done that in virtualbox click on new give your new virtual machine a sensible name so you'll know what it is you can leave ubuntu 64-bit selected because mate is based on ubuntu click on continue change your memory to at least 20 48 or 2 megabytes if you can if you have enough memory uh your virtual machine will run better create a new hard disk now virtual disk image dynamically allocated so it will grow as needed instead of just take up all the space at once make it at least 20 gigabytes remember this will grow as you need it so it will not take up 20 gigabytes of space unless your machine grows to that size click on create you're going to have to change a few things before you start this vm so right click and go to settings or have it selected and go to settings up here under storage go to the controller and browse to your linux mint iso you downloaded earlier if you can't if it's not listed here it probably won't be you'll click choose virtual optical disk file and you'll browse to that wherever it was downloaded probably in your downloads folder and under network choose internal network 
and int net so this is the first of the two internal networks and this is the corporate network behind your dmz make sure enable network adapter is checked and then click on ok and double click to start the virtual machine and this will start the installation process click start click enter to start linux mint and mint will start in live cd mode so we're going to want to install linux mint you can see the icon for it right here on the desktop double click that icon and most of this will be defaults i'll tell you where it's different select your keyboard layout if it's not english us i select this in case it's needed it just means it will install licensed software if it needs to for drivers click on continue i also check use lvm which is logical volume manager because it's easier to resize hard drives if you have to later on if you check that i don't usually encrypt for especially for lab virtual machines and click on install now click on continue it already has our time zone selected my time zone select yours if it's different you just click where you want it and click continue i like to make the virtual box name the computer name the same as my virtual machine name this is up to you but just please make it something that you'll understand if you're ssh into the system you get pretty confusing if you don't select a sensible name and i leave require my password to login checked or selected and i don't encrypt my home folder for a lab environment click continue once the installation finishes just click restart now to restart it should take care of removing that iso image from the virtual cd player for you so just press enter log in with the username and password used at startup you can read through these things if you'd like there's some useful information there but i usually just uncheck this and close okay we can get to our firewall but we can't get out to the internet yet because we haven't configured a dns server on the firewall we'll accept the risk and continue 
for the http certificate it's just admin and pfsense for the initial login then we're going to change the password of course and that's it for this lesson we'll do our initial configuration of the firewall and get it set up for the dmz in the next lesson welcome back in this lesson we'll continue configuring our firewall for the dmz i'm configuring dns on this firewall because i started with a clean build for this lesson you won't have to do that if you're using a firewall that's already up and running it's much nicer to configure the firewall through the nicely designed web gui so we'll use that first we'll create a dmz interface from your menu choose interfaces and assignments you can see there's one available network port that has not been assigned click add we'll change the name from opt 1 to dmz and we'll check enable interface we'll choose a static ipv4 for configuration type and we'll set the ip address at 10.0.0.1 and we'll use a 24-bit mask that's a class c subnet this is a private network so we don't want to block private networks and we won't worry about bogons at this point click save apply changes and it says this changes have been applied successfully now if we go back to interfaces assignments we can see the dmz interface is assigned i'm going to go to firewall general setup and make sure we have dns servers you'll already have this if you're not starting with a clean config the way i was for this lesson and we'll click on save now we'll configure some firewall rules when you first configure a new interface it comes without any rules meaning no traffic can flow on that interface so go to firewall rules we'll click on dmz and you can see there are no rules at all we'll click on add we'll leave the action as pass interfaces dmz family is ipv4 we'll leave it as any source you could specify your individual servers in here and say what your individual servers are allowed to do on the outbound destination is any we'll select dns for the protocol actually 
the protocol is going to be udp source will be dmz net destination will be any i'm going to go ahead and log packets we do want to know what dns resolutions are happening and give your rule a name that makes sense i'm calling this dns outbound from dmz click on save we won't apply changes yet because we'll put in a few more rules first if you want to add a rule above an existing rule you click the add with the up arrow if you want to add one below you click the add with the down arrow and we've already covered this in the rules section but you'll want to put the more used protocols higher they'll be hit first and they won't have to go through the list looking for the right hit we'll add a rule below for network time protocol or ntp source will be dmz network again protocol is udp and we'll choose ntp port 123. we'll save that we'll add another rule at the bottom it shouldn't be used very often and it's really just for testing and we're going to allow icmp which is internet control messaging protocol and that's what you use to ping source will be dmz net destination will be any protocol is going to be icmp we could specify echo requests and replies and that is the safest way if all you want to do is echoes because there are other types of things you can do with this protocol that we would not want to allow but this is just for testing so we're going to leave it and we will log these packets and click save and apply changes next we'll set up our second linux mint machine and that'll be acting as a server we'll install nginx on that welcome back in this lesson we're going to configure our second linux mint to be our dmz server linux mint is actually a desktop operating system but it doesn't matter we can configure it as a server which we're going to do in this lesson a lot of the steps are very similar so we're going to kind of fast forward through those and focus on the differences pick a practical name for your server remember two gigs of memory disk size is 20 
gigabytes under settings again you still have to pick your iso image and under networking we want to choose internal network and make sure you choose internet 2 that will be the dmz network and we'll power on double click install linux mint install third-party software use lvm because we have static networking on our dmz we'll keep getting this warning until we configure networking so don't worry about that we'll click restart now press enter click on menu and control center scroll down to internet and network and network connections click on the wired connection 1. and then go to ipv4 settings select manual add and dns servers and those will just be separated by a comma ipv6 was set to ignore you could see when i clicked add it put an extra line in there we had to delete that to get saved to be available so click save and we now have a network connection let's see if we can ping our gateway and we can let's see if we can resolve a name on the internet and we can and we can also ping and get a reply so this means dns is working and networking is working let's see if we can do updates and that's not working why do you think that would be we haven't allowed that on our firewall yet so let's take a look and see what we need to do on our firewall see how we can figure out how to add the right protocols so it couldn't connect anything and give us a whole bunch of errors now we're back on our internal linux mint installation and we're going to go to related log entries we should see a bunch of failed traffic here looks like it's trying to use port 80 for all of this so let's see if we allow port 80 if updates will work go back to firewall rules dmz and we'll add a rule for port 80. 
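The DMZ rule set built in this lesson (DNS, NTP and ICMP out, default deny for everything else) is evaluated by pfSense top-down, first match wins, which is exactly why the apt update traffic on TCP port 80 shows up as blocked in the logs until a matching pass rule exists. The Python below is an added illustration, not pfSense code: it models that first-match evaluation over the lesson's rules and a set of constructed flows, then shows the same flows once the HTTP rule is added, and once an assumed block rule for DMZ-to-LAN traffic is placed above the pass rules. The LAN subnet 192.168.1.0/24 is assumed from the lab's LAN address 192.168.1.1, and 203.0.113.10 is a documentation address standing in for a package mirror.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed model of the DMZ egress policy from these lessons; not pfSense code.
DMZ_NET = ip_network("10.0.0.0/24")     # "DMZ net" in the pfSense rule editor
LAN_NET = ip_network("192.168.1.0/24")  # "LAN net" (assumed from the lab LAN IP 192.168.1.1)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "pass" or "block"
    proto: str                         # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst_port: Optional[int]            # None = any port (ICMP has no port)
    dst: Optional[IPv4Network] = None  # None = destination "any", as in the lesson's rules
    log: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(rules, flow):
    """pfSense-style first match: walk the list top-down and return the action and
    name of the first rule whose protocol, source, destination and port all match.
    A flow that matches no rule falls through to the interface's implicit default deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in rules:
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule.action, rule.name
    return "block", "default deny"


def audit(rules, flows):
    """Map each flow's name to (action, matching rule) under the given rule order."""
    return {f.name: evaluate(rules, f) for f in flows}


# The three rules added on the DMZ tab, in the order the lesson adds them.
DMZ_RULES = [
    Rule("DNS outbound from DMZ", "pass", "udp", DMZ_NET, 53, log=True),
    Rule("NTP outbound from DMZ", "pass", "udp", DMZ_NET, 123),
    Rule("ICMP from DMZ (testing)", "pass", "icmp", DMZ_NET, None, log=True),
]
# The rule the lesson adds once the update traffic shows up as blocked in the logs.
HTTP_RULE = Rule("HTTP outbound from DMZ", "pass", "tcp", DMZ_NET, 80)
# Assumed hardening (not in the lesson): block DMZ -> LAN above all pass rules.
BLOCK_DMZ_TO_LAN = Rule("Block DMZ to LAN net", "block", "any", DMZ_NET, None,
                        dst=LAN_NET, log=True)

# Constructed flows as seen on the DMZ interface (traffic entering the firewall).
FLOWS = [
    Flow("dns lookup", "udp", "10.0.0.10", "8.8.8.8", 53),
    Flow("ntp sync", "udp", "10.0.0.10", "203.0.113.10", 123),
    Flow("ping gateway", "icmp", "10.0.0.10", "10.0.0.1"),
    Flow("apt update", "tcp", "10.0.0.10", "203.0.113.10", 80),
    Flow("ssh to LAN host", "tcp", "10.0.0.10", "192.168.1.50", 22),
    Flow("dns to LAN host", "udp", "10.0.0.10", "192.168.1.50", 53),
    Flow("spoofed source dns", "udp", "10.9.9.9", "8.8.8.8", 53),
]

if __name__ == "__main__":
    for label, rules in [("lesson rules", DMZ_RULES),
                         ("with HTTP rule", DMZ_RULES + [HTTP_RULE]),
                         ("hardened", [BLOCK_DMZ_TO_LAN] + DMZ_RULES + [HTTP_RULE])]:
        print(f"== {label}")
        for name, (action, rule) in audit(rules, FLOWS).items():
            print(f"  {name:20} {action:5} via {rule}")
```

Two things the table makes visible: a pass rule with destination "any" lets DNS from the DMZ reach a LAN host on port 53, so keeping the DMZ away from the LAN, as the earlier lesson asks, needs either a restricted destination on each pass rule or an explicit block of DMZ-to-LAN traffic placed above them; and a packet whose source is outside DMZ net matches nothing and is dropped by the default deny, which is what "source: DMZ net" buys you over "any".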
It's going to be TCP, HTTP. Oh, source, we'll do DMZ net. We're not going to log these because it will probably be quite a bit of traffic when we're doing a download, when we're doing updates. It's going to be HTTP, HTTP outbound from DMZ for Linux updates. We'll click save, apply. Now we'll try again, and look at that, we get updates. I like to upgrade my servers as soon as I build them so I don't have to worry about any vulnerabilities that could be exploited. Not long after I did this, updates stopped working. I had to add a rule for port 53 inbound on the WAN from the DNS server 8.8.8.8, and once I did that it worked fine. You may or may not have to do that. Please look at your firewall logs if something's not working and figure out what you may have to change to fix it. In the next lesson we'll install nginx, a web server, on our Linux Mint DMZ build.

Welcome back. In this lesson we'll install nginx on a Linux Mint computer in the DMZ. First we'll make sure updates work; if updates don't work, please troubleshoot until you get them working. Then we'll do sudo apt install nginx to install nginx. There are a few commands you'll want to know to manage your nginx server. sudo service nginx status will tell you the status of your server. It looks like it's running, so we'll do a test: you can just type localhost in your browser and it'll take you to your nginx startup page, so we can see that it's running. You just type q to get out of that little status page. You type sudo service nginx stop to stop nginx; now if we refresh it won't work. And sudo service nginx start to start it, and it's back. So that's really all there is to it. You've got nginx installed, and in the next lesson we'll allow nginx inbound to the DMZ on the firewall. Good job.

Welcome back. In this lesson we're going to configure the firewall so it will allow inbound traffic from the internet to our web server. We'll do this using port forwarding. So we go to Firewall, NAT, and under Port Forward we'll click the add button. The interface is going to be WAN, protocol is going to be TCP, the destination is going to be the WAN address; this is going to look like it's coming into the WAN address. We'll do HTTP, and looking back at our web server we see that its internal IP is 10.0.0.10, so we'll enter that as the redirect target IP. Redirect port will be HTTP. Description is HTTP inbound from internet. Don't worry about NAT reflection, but we do want to add an associated filter rule. This rule will be linked with this NAT entry, so if we make changes to this NAT entry in the future it'll also change the associated firewall rule. So we'll click save and apply changes. Then we want to look at the IP address of our firewall, the WAN address, and it's 192.168.254.138. So if we go to that IP we should get our nginx default page. It doesn't appear to be working yet, so let's take a look at our logs. Because we're using an internal IP address scheme on our WAN port, one of our rules is conflicting: it's saying to block private networks from WAN, so we're going to have to tell it not to do that. We go to Interfaces, WAN, and down here it says block private networks. We'll uncheck that and click save, apply changes, and it works. Now we can get to this IP from our host, which is simulating the WAN. Next we'll learn how to protect our web server with Snort.

Welcome back. In this lesson we're going to protect our new web server in the DMZ with Snort. I must admit it was a lot easier than I thought; I hadn't done this in quite a while, and it's pretty straightforward. To monitor an interface with Snort, you go to Services, Snort, Snort Interfaces, and if your WAN interface isn't here or you have no interfaces defined, just click add and add your WAN interface. Now, once you add Snort to the interface it will not yet be started. I did a fair bit of troubleshooting before I figured out I hadn't started Snort on that interface; I was wondering why it wasn't catching anything. So remember to start Snort on that interface. Now we'll do a quick test to make sure Snort is going to stop my attack. Snort should be configured the way you had it configured for the previous lessons; just make sure blocking of offensive source IPs is allowed, and I'll review that in a minute with you. So first we'll make sure we can get to our nginx server in the DMZ, and there it is. Then we'll run a tool called Nikto. Nikto is a free web scanner; you can download and run it yourself. I'm running a Kali Linux virtual machine, which is designed for pen testing, so it has lots of tools for this. So let's see what happens when we run Nikto. First we'll do it with Snort stopped and see what it looks like. Nikto is a pretty cool tool, by the way, to test your own web servers and make sure they look secure. Oh, I was blocked from before, so I'm going to remove that IP, make sure our web page is up, and try again. There we go, that looks better. It takes a few minutes and it runs a lot of tests against the web server, and it will report suspicious things or misconfigurations back to you. OK, it sent 7915 requests, it had zero errors, and it only had these three items: the anti-clickjacking X-Frame-Options header is not present, the XSS protection header is not defined, and the X-Content-Type-Options header is not set. To make sure your Snort interface is set to block, click on edit and scroll down to alert settings, and make sure that block offenders is checked. I personally recommend just blocking the source IP. Make sure you click save and apply and you'll be good. We'll turn Snort protection on by starting it, and then we'll try again. It takes quite a while to time out; we'll come back to it, but let's look in our Blocked tab, and we can see it saw that it was trying to do a web root directory traversal attack, and an unknown method, and it blocked it. It takes quite a while to run and time out. It said there were 20 errors and it finally timed out; it gave up. So it looks like Snort is working and is protecting our web server.
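Snort and Suricata see the scan on the wire, but the same scan is also visible on the web server itself: thousands of requests from one client in a short time, most of them answered with 404, and a User-Agent that names the tool. As an added example that is not part of the course or of any pfSense package, the Python below parses nginx access log lines in the default "combined" format and flags a source that shows that pattern, so you can corroborate an IDS block from the server's own logs or catch a scan that the IDS rules missed. The log lines are constructed; the scanner User-Agent string approximates the one Nikto sends and the thresholds (30 requests in 60 seconds with at least half 4xx) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Parser for the nginx "combined" log format (nginx's default access_log format):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse(line):
    """Return a dict for a combined-format line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or differently formatted line: skip, never crash
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window=60, min_requests=30, error_ratio=0.5):
    """Group requests by client IP and flag scanner-like behaviour: a burst of
    requests that mostly draw 4xx responses, or a User-Agent naming a scanner."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        burst = max_in_window([r["ts"] for r in recs], window)
        errors = sum(1 for r in recs if 400 <= r["status"] < 500)
        ratio = errors / len(recs)
        if burst >= min_requests and ratio >= error_ratio:
            reasons.append(f"{burst} requests within {window}s, {ratio:.0%} 4xx")
        if any("nikto" in r["ua"].lower() for r in recs):
            reasons.append("Nikto User-Agent string")
        if reasons:
            findings[ip] = {
                "requests": len(recs),
                "distinct_paths": len({r["path"] for r in recs}),
                "reasons": reasons,
            }
    return findings


# Constructed sample log: two ordinary page loads, one junk line, then a 40-request
# probe burst from a second client; the Nikto UA string is an approximation.
def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 153 "-" "{ua}"'


NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
SAMPLE_LOG = [
    _line("192.168.254.20", "22/Sep/2020:10:00:01 +0000", "GET", "/", 200, NORMAL_UA),
    _line("192.168.254.20", "22/Sep/2020:10:00:05 +0000", "GET", "/index.html", 200, NORMAL_UA),
    "this line is not in combined format",
] + [
    _line("192.168.254.77", f"22/Sep/2020:10:01:{i:02d} +0000", "GET", f"/probe{i}", 404, NIKTO_UA)
    for i in range(40)
]

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

The burst test is the one worth keeping even when the User-Agent is rewritten: a legitimate client rarely requests dozens of distinct paths that do not exist within a minute. Feed it `/var/log/nginx/access.log` read line by line, and compare any flagged source against the IDS's Blocked tab.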
Welcome back. Now that we have the DMZ configured and a web server running on it, you want to be able to manage your web server from the inside, or corporate, LAN. A straightforward way to do this is to have your web server in the DMZ listen for SSH connections on a port other than port 22. TCP port 22 is the standard port for SSH. If you have servers you manage on the internet, you'll likely want to be able to do that on port 22. If you redirect all port 22 traffic to the server in the DMZ, you'll no longer be able to get out there and manage those other servers; all port 22 traffic from the LAN would be redirected to the nginx server in the DMZ. An easy way around this is to configure the server to listen for incoming connections on a different port. We'll do that now. Get on your DMZ server and go to the command prompt. We'll start by installing OpenSSH server; to do that just type sudo apt install openssh-server -y. Put in your password if you're prompted, and OpenSSH server will install. Once SSH server is installed you can change the default port to a port of your choosing by editing the /etc/ssh/sshd_config file. First we'll make a copy of that file. We can see we only have one copy of it; we don't have any backups yet, so we'll make one: sudo cp sshd_config sshd_config.0, and we see our backup is there. If you already had a .0 file you could save your new one as a .1, or increment the numbers as appropriate. Once you've made your backup, edit the sshd_config file. If this is a default install of Mint you may have to install vim first; you just do that with sudo apt install vim. I've already installed it, so that's done. So to edit the sshd_config file it's sudo vim sshd_config. Just scroll down to Port 22, remove the pound sign, or hash mark, in front, type i for insert, and add two twos to the end so it's Port 2222. Hit Escape, then :wq for write and quit. Now if we do a diff on the original file and our edited version, you can see the only change is removing the pound sign and adding two twos to the end there. So port 2222 is now the port your server will listen on for SSH connections after we restart the SSH service. But first we're going to have a look at some commands to manage SSH. So type systemctl is-enabled ssh, and it should say enabled here; if it doesn't, you just type sudo systemctl enable ssh. It's not going to do anything for us because we've already got it running, or enabled, but that's OK. We also want to see if SSH is active, so you type systemctl is-active ssh, and it should say active, and if it doesn't, just type systemctl start. You're going to have to do sudo for this or you'll be prompted for a password; so we got prompted for a password because we didn't type sudo, and it starts it. But what we're going to do now is restart SSH to make sure it's listening on port 2222. Finally we can look at the status of SSH, and you should see a line in here that says active (running), and then the uptime, the start time, and it also tells us what port it's listening on. So let's test SSH. The command to do that is ssh, your username @ localhost, -p and then the port number, which is 2222. You don't really have to have your username in front if you want to log in as the same user that you're logged in as; in other words, since I'm logged in as theo, it would assume that I want to log in as theo if I don't put that in there. You'll be prompted to accept the fingerprint the first time you log into the server, and then you'll be prompted for your password, and we're logged in. So SSH is working and listening on port 2222. Let's test sudo permissions while we're here, and we have sudo. If you didn't have sudo, you type sudo usermod -a -G sudo and the username. It was already there, so it didn't make any changes, but that's where you'd type it, and then you would again test to make sure it works. But we're all set here, so that's it for this lesson. Good job. In the next lesson we'll configure the firewall to pass TCP traffic on port 2222 to the web server in the DMZ.

Welcome back. In this lesson we'll configure the firewall to forward outbound traffic from the LAN on port 2222 to the nginx server in the DMZ. To do this go to Firewall, NAT, and we'll add a port forward rule, but we'll have it go below the existing rule. The interface will be LAN, protocol will be TCP, destination will be the LAN address, destination port will be 2222, and the redirect target will be the IP address of our web server, which is 10.10.0.10, and the redirect port will also be 2222. We'll leave add associated firewall rule selected. Click on save and apply changes. Since we're on the LAN, we see 192.168.1.1 is our LAN IP address, so we'll type ssh tedl, or your username, @192.168.1.1 -p 2222, and we're in. My username on the other server is actually theo, so I had to change that, but we're in.

In this lesson we'll talk about troubleshooting. If you have your firewall long enough and you do enough with it, eventually you're going to run into an issue. Troubleshooting in general relies heavily on gathering as much information as you can about an issue and then searching for an answer on the internet, asking a question in a forum, or opening a case with technical support. Even if you have paid technical support, I recommend troubleshooting in the order I present. If you're an experienced troubleshooter you have your own methodology and can try whatever you want. Use your own judgment about when to open a case if you have paid technical support, but realize that it takes time to get a ticket open and to get someone helping you. The quickest and easiest resolution to an issue is often found by locating a blog post or forum discussion that already exists about the particular issue you're experiencing. If you want to ask a question in a forum, be sure the same question hasn't already been asked and answered on that forum first; use the forum's search feature to check this. Opening a case with technical support will likely result in a few hours of your time, even if the issue is ultimately an easy fix. Here's one example of troubleshooting a minor issue with my pfSense SG-1100. I was trying to set up a rule to block some Snort alerts that are noisy but weren't adding much value, and I got an error message. It said "suppress list LAN support" and some number "is defined for this interface but it could not be found". The error message leads me to believe some file was supposed to be created when I tried to create this rule, but it wasn't created for some reason. So what's the quickest fix? Well, following our rules, the first thing we did was search for the answer on the internet, and it came up pretty quickly. The recommended solution worked well for me, but there was an additional step: I had to assign the new list to an interface. So I posted a new answer to this post on the forum for anyone else who may be having the same issue. I don't have paid support, so my other option besides a Google search would have been to post a question on the Netgate forum. The first response probably would have been "why didn't I use the search feature and find out that the answer already existed?", but even if it wasn't there, if it were a new issue, I would have to wait for someone to respond. If you have paid support and you open a support ticket, in my experience even a fast response will take you about a half hour total: you have to call or email, you have to provide information about your support contract, you have to provide information about the issue, and you have to wait for someone to research and get back to you. Chances are very good that if you're experiencing something, it's not the first time in history that anyone's experienced this, and chances are also very good that if someone else has experienced it and resolved it, you may find an answer about it on the internet. Section 7.9 of the pfSense book is devoted to troubleshooting. Here are the topics covered in that section: it tells you what to do if you cannot access the web GUI from the LAN; it tells you how to troubleshoot having no internet from the LAN; it discusses some LAN interface issues, some DNS resolution issues, client gateway issues, firewall rule issues, and NAT issues. So if you have trouble with any of those things, check the pfSense book before even searching the internet. When troubleshooting, stay calm. I know that sounds easy, but when you have everyone from the CEO on down yelling at you because the internet's not working and it's costing you money, it may not be easy, but you have to do it. Just have confidence, stay calm, and you'll figure it out. Roll back any recent changes you may have made. If that doesn't work, gather the information you're going to need and search. Things to find for your internet search are your pfSense version, specific error or log messages, a description of what you are doing or why there's a problem, and your hardware information, if applicable. That's it for the troubleshooting lesson. Hopefully you won't need to troubleshoot very often, but you will get better at it with practice.

In this lesson you'll learn how to back up your pfSense firewall and restore it from a backed-up file. To do a backup just go to Diagnostics, Backup and Restore. Depending on what packages you have installed, you might check do not backup package information, and for work you might consider encrypting. You would encrypt by checking this box, and then it will ask you to input a password. We're going to leave it unencrypted. I leave do not backup RRD data checked; RRD data is used to present analytical data graphically. We are going to back up package information. You could pick a whole bunch of different areas to back up; we're going to back up everything. This will let you download a configuration file as XML. Select save file, and it looks like it backed up. Then to restore from a backup file, you just browse to it, highlight the file you want, click open, and then click restore configuration. "Are you sure you wish to restore the configuration?" Click OK and it will restore and then reboot the firewall. So that's how easy it is to back up and restore your pfSense firewall, and I definitely recommend backing up before and after any major changes.

In this lesson we'll learn how to update the pfSense firewall software. If you have your default system information page in the web GUI, version information is there, right under the BIOS information, so you can see it says that my system is up to the latest version. If that weren't the case, it would tell me an update is available here. I would go to System, Update, and then there would be a button here to allow me to update. I would just click on that and update, and then it will reboot the system if necessary. I've never heard of an update breaking things in pfSense, but you don't want to risk it unless you have a recent backup, so do a backup before updating; it's good practice to back up frequently anyway. That's all it takes to keep your firewall up to date. Good job.
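The sshd_config change from the SSH lesson earlier in this section (back up the file as sshd_config.0, or .1 if .0 exists; uncomment Port 22 and make it Port 2222; diff the two to confirm that is the only change) is small enough that it is worth scripting so it is repeatable on every DMZ host. The Python below is an added example, not part of the course: it performs the same steps against a constructed excerpt of a stock sshd_config in a scratch directory, numbers backups the way the lesson does, replaces only the first Port directive (OpenSSH allows several, one per line), appends one if the file has none, and returns the unified diff so you can check it before restarting the service. The demo() helper, the sample file contents and the path names are assumptions for the example.

```python
import difflib
import re
import shutil
import tempfile
from pathlib import Path

# sshd_config keywords are case-insensitive; match "Port 22" or a commented "#Port 22".
PORT_RE = re.compile(r"^\s*#?\s*Port\s+\d+\s*$", re.IGNORECASE)


def next_backup_path(config: Path) -> Path:
    """sshd_config.0, then .1, .2 ... as the lesson does, never overwriting an older backup."""
    n = 0
    while (candidate := config.with_name(f"{config.name}.{n}")).exists():
        n += 1
    return candidate


def set_sshd_port(config: Path, port: int):
    """Back up `config`, rewrite its first Port line to `port`, return (backup, unified diff)."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port {port}")
    original = config.read_text().splitlines(keepends=True)
    backup = next_backup_path(config)
    shutil.copy2(config, backup)          # keeps mode and timestamps, like cp -p
    updated, replaced = [], False
    for line in original:
        if not replaced and PORT_RE.match(line):
            updated.append(f"Port {port}\n")
            replaced = True
        else:
            updated.append(line)
    if not replaced:                      # no Port line at all: append one
        updated.append(f"Port {port}\n")
    config.write_text("".join(updated))
    diff = list(difflib.unified_diff(original, updated, str(backup), str(config)))
    return backup, diff


def listening_ports(config: Path):
    """Active (uncommented) Port directives; sshd's built-in default is 22 when none is set."""
    ports = [int(line.split()[1]) for line in config.read_text().splitlines()
             if re.match(r"^\s*Port\s+\d+", line, re.IGNORECASE)]
    return ports or [22]


# Constructed excerpt of a stock sshd_config (the real file is much longer).
SAMPLE_CONFIG = (
    "# Constructed excerpt of a stock sshd_config\n"
    "Include /etc/ssh/sshd_config.d/*.conf\n"
    "#Port 22\n"
    "#AddressFamily any\n"
    "#ListenAddress 0.0.0.0\n"
    "PasswordAuthentication yes\n"
)


def demo(port: int = 2222):
    """Run the change twice against the sample file in a scratch directory and report."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sshd_config"
        cfg.write_text(SAMPLE_CONFIG)
        before = listening_ports(cfg)
        backup, diff = set_sshd_port(cfg, port)
        changed = [l.rstrip("\n") for l in diff
                   if l[:1] in ("+", "-") and not l.startswith(("---", "+++"))]
        backup2, diff2 = set_sshd_port(cfg, port)   # second run: new backup, no change
        return {
            "before": before,
            "after": listening_ports(cfg),
            "backups": [backup.name, backup2.name],
            "changed_lines": changed,
            "second_run_changed": bool(diff2),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, point `set_sshd_port` at `/etc/ssh/sshd_config` as root, then run `sudo sshd -t` to have sshd validate the file before `systemctl restart ssh`; a syntax error caught there costs nothing, while one found after the restart can lock you out of a DMZ box you only reach over SSH. Note the Include line at the top of the sample: on distributions that ship it, a Port directive in a drop-in file under sshd_config.d takes effect too, so check that directory as well when the listening port is not what you expect.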
Info
Channel: Knowledge Power
Views: 21,165
Rating: 4.965517 out of 5
Keywords: ccna, mcsa, linux, fortinet, fortigate, vpn, ipsec, ssl, decurity, network, firewall, mobile, iphone, computer science, sql, voip, engineer, oracle, database, AI, artificial inteligance, كورسات, فايروول, احمد نظمي, windows, kali linux, centos, network security, network شرح, network course, network +, network engineer, network master, cisco, sophos, pfsense, ids, monitoring, best, top
Id: wv1qTYR3faQ
Length: 215min 46sec (12946 seconds)
Published: Tue Sep 22 2020