Turn that old PC into a hardcore firewall / router with FreeBSD based pfSense

Wednesday, February 4th, 2009
Tired of plastic toy routers? Need more power than a replacement firmware can provide? Got a spare box laying around? Why not put it to good use with pfSense -- an open source firewall/router based on FreeBSD. The project forked off m0n0wall in 2004 and has been kicking ass since.

While our smoothwall is and has been working well for us for the past two years, I recently had the need for something a little more robust.

I came across pfSense, a fork of the m0n0wall project: a free, open source, customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

Here's a short summary of some of the eye-catching features.

  • Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
  • Able to limit simultaneous connections on a per-rule basis
  • pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the Operating System in use.
  • Option to log or not log traffic matching each rule.
  • Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
  • Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
  • Transparent layer 2 firewalling capable - can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
  • Packet normalization - Description from the pf scrub documentation - "'Scrubbing' is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations."
      • Enabled in pfSense by default
      • Can disable if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
  • Disable filter - you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
  • pfSense offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP.
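As an added example (not part of the original post and not a file shipped by the pfSense project), here is a hand-written pf.conf for the interface layout used in the episode that shows the features listed above in native pf syntax: macros and tables standing in for pfSense aliases, scrub, a logged WAN block of RFC 1918 and bogon sources, a per-rule connection limit, per-rule logging, and p0f-derived OS filtering. The interface names (em0 LAN, em1 WAN), addresses and the /etc/bogons path are assumptions.

```pf
# Added example: hand-written pf.conf illustrating pfSense features in native
# pf syntax. Interface names, addresses and the bogon file are assumptions.
ext_if  = "em1"                         # WAN
int_if  = "em0"                         # LAN
lan_net = "192.168.1.0/24"

# Aliases: named groups of hosts and ports keep the ruleset readable
web_servers = "{ 192.168.1.10, 192.168.1.11 }"
web_ports   = "{ 80, 443 }"
mgmt_ports  = "{ 22, 443 }"

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <bogons>  persist file "/etc/bogons"   # assumed path; keep it refreshed
table <abusers> persist                      # filled by the connection-limit rule

set skip on lo0

# Packet normalisation: reassemble fragments, drop invalid TCP flag combinations
scrub in all fragment reassemble

# NAT LAN clients out through the WAN address
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny, logged, so anything not matched below shows up in pflog
block log all

antispoof quick for { $int_if, $ext_if }

# "Block private networks" / "Block bogon networks" on WAN. In a
# router-behind-router setup where the WAN itself sits in RFC 1918 space,
# drop the <rfc1918> entry from this rule or the WAN link will not pass traffic.
block in log quick on $ext_if inet from { <rfc1918>, <bogons> } to any

# Management: LAN hosts may reach the firewall's own web GUI / SSH (logged)
pass in log on $int_if inet proto tcp from $lan_net to ($int_if) port $mgmt_ports flags S/SA keep state

# Per-rule connection limit: at most 50 simultaneous connections per source
# to the web servers; a source that exceeds it is quarantined in <abusers>
block in quick on $int_if from <abusers> to any
pass in on $int_if inet proto tcp from $lan_net to $web_servers port $web_ports \
    flags S/SA keep state (max-src-conn 50, overload <abusers> flush)

# OS fingerprinting (p0f-derived signatures in /etc/pf.os): only Linux and
# FreeBSD hosts on the LAN get general Internet access; Windows hosts fall
# through to the default block. This rule is deliberately not logged.
pass in on $int_if inet proto tcp from $lan_net os { "Linux", "FreeBSD" } to any flags S/SA keep state
pass in on $int_if inet proto { udp, icmp } from $lan_net to any keep state

# Let the firewall's own and NAT'd traffic leave via the WAN
pass out quick on $ext_if inet keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf parsed them and `tcpdump -n -e -ttt -i pflog0` shows what the logged rules drop.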

There's a ton of other great features that you can read up on at http://is.gd/iauk

The LiveCD ISO is available from http://www.pfsense.org/mirror.php?section=downloads and for VMware folks, a prebuilt VM is available at http://files.pfsense.org/vmware/pfSense-1.2.2-VM.zip

--Matt Lestock

Automatically Generated Transcript (may not be 100% accurate)

" Back in, I believe it was season two -- isn't that we did Smoothwall. And arsenal -- has been going flawlessly for the last two years. I came across a, basically, Smoothwall on crack, guys like. It's called pfSense and basically it's built on FreeBSD and it's a fork of the m0n0wall project. Now some -- he's not a wall something you don't. You find out more about that I believe at m0n0 -- dot org, and pfsense dot com to actually download -- lives and live CD installer, or an embedded installer. What we're gonna do is I'm gonna show you guys how easy it is to set up pfSense. That's going to be this episode -- wanted to do -- only been. Goal line and show you some of the more advanced stuff like OpenVPN and, you know, VPN site to site, so on and so forth, in future episodes. So let's dive in. What we're going to do is we're going to start our computer with the live CD that we burned. Yes, I'm aware that any -- all the VMware tools. And what we're gonna do is, it's gonna start up, and we have the option to install or just run pfSense from the live CD installation. Now the nice thing about that is, before you would make any changes to an existing installation of, say, our Smoothwall, you can actually verify that setup is going to work -- your hardware, that it's going to work -- if you know your network infrastructure, blah blah blah blah blah blah. So what -- now it is actually loading the live CD. It's starting up here and there's a two step process: first we're gonna set up in the shell, and then we're actually going to -- again to pfSense from another computer to set up the wizard. So right now it's asking us if we want to -- VLANs. We have absolutely no purpose for VLANs here in our infrastructure, so we're gonna go ahead and say no. Now what we're gonna do is, because -- and in a VM, I actually have to disconnect our network adapters, because what it's gonna do is it's actually going to auto detect.
For those of you who don't know -- your network interface names. I do, but for the sake of showing -- let's go ahead and do that now. The -- go ahead and select "a" and it's gonna ask the -- connecting LAN interface. So I'm gonna go ahead and connect the LAN interface, which on ours is a virtual machine interface, so we're in -- come on back over here to pfSense. Editor and em0 has changed to link state up, so that's our LAN interface. Come back and say hey, now what's that assets for the LAN interface, so we're gonna connect the WAN interface. Come back in -- pfSense and hit enter, and em1 link state changed to up. So now you have the option to set an optional interface. We don't need an optional interface -- and it's gonna ask you to confirm your interface selection: em0 being the LAN and em1 being your WAN. Yes, we would like to proceed. So now it's actually done with its initial configuration and it's gonna actually start. Come on, come up, there we go. So now -- deal is -- to come over and in another machine. Reopen Internet. Now for the sake of testing and showing you guys, I've already set up a static IP address. The local interface is defaulted to the 192.168.1 network, so I've already got, I think, if I come down here, I get another interest now but. So right here we're gonna go to 192.168.1.1 and enter in the username admin and the password is pfsense. So here it's gonna launch the setup wizard for pfSense. Yet you're going to guide me through the process: you set your hostname, your domain, your primary DNS server. I myself, when I'm testing things, like to use a DNS server external of my local DNS server just so that I know I have connectivity. Three and a -- 4.2.2.2. Very easy to remember, 4.2.2.2. If you ever need to ping anything, that's what I -- just use, because it's always up. So we're gonna select our time zone and our server for time.
We're setting a static here because we're actually plugged into our existing internal network, so we're gonna set a static address and it's going to be ten dot -- dot zero dot 134. Now you guys would probably use your cable modem's static or DHCP information. Our subnet is a 24, and the gateway is -- and that's -- dot one. Come down here now, these -- settings down here, block bogon networks and block RFC 1918 networks. It's key if you're going to use pfSense in a router-behind-router configuration, because you need to uncheck RFC 1918, because otherwise it -- route correctly. Hit next and we're good with our LAN IP being 192.168.1.1. We're going to enter a password of Hak5 because we're very insecure like that. And we're gonna reload the interface -- man with a new password Hak5. Come over here and we are going to verify the -- the pfSense interface to see if we actually have connectivity or not. So let's go ahead and see that -- that is option number seven. And who will back -- and when you look at that, we've actually got connectivity within, was it, five minutes. It's very simple to set up. What we'll go into later are some of the more advanced options of IPsec VPN, OpenVPN, a lot of the services, virtual IP support, things of that nature. It's a very, very powerful platform for running a router here, you know, instead of using a Linksys. Now you've got a machine laying around your house, I highly suggest you guys check -- yes, that's great graphing with RRDtool -- RRD graphs, and just some really nice applications and platforms that really are available to you Linksys users -- running -- the OpenWRT."