Changes between Initial Version and Version 1 of Cnbp2019/Agenda/pfSenseFirewall


Timestamp: Mar 10, 2019, 10:30:19 AM
Author: admin
= Firewall =
pfSense's firewall functions cover traditional stateful packet filtering, NAT, marking (tagging) of traffic flows, traffic shaping, time-based scheduling of rules and even blocking based on IP reputation lists.

== Aliases ==

Aliases are recognizable names (placeholders) for resources such as IP addresses, networks and port numbers. They let several firewall rules refer to one resource: if the resource changes, only the alias has to be edited rather than every rule that uses it.

The name of an alias can be entered instead of the host, network or port where indicated. The alias will be resolved according to the list defined. If an alias cannot be resolved (e.g. because it was deleted), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.

=== Create IP Alias ===
Go to Firewall > Aliases and click '''+ Add'''
    • Name: wwwserver
    • Description: Web Server
    • Type: Host(s)
    • IP or FQDN: 192.168.XY.1 (the server's internal LAN address; see the NAT and Rules sections below: inbound NAT is applied before the WAN rules are evaluated, so the rules must match the internal address, not the public 192.248.7.XYZ)
    • Add Host

and '''Save'''. Clicking '''Add Host''' again lets one alias hold several addresses. The '''Type''' drop-down offers Host(s), Network(s), Port(s), URL (IPs), URL (Ports), URL Table (IPs) and URL Table (Ports); the URL variants fetch their list from a remote file, which is how IP reputation lists are pulled in.

Now create a port alias in the same way:
    • Name: wwwport
    • Description: Web Server HTTP & HTTPS ports
    • Type: Port(s)
    • Port: 80
    • Add Port
    • Port: 443
and '''Save''', then '''Apply Changes'''.
The Aliases page has one tab per alias type; if you select '''All''', you will find every alias created.

== Schedule ==

Schedules act as placeholders for time ranges to be used in firewall rules: a rule that references a schedule is only active inside the selected time ranges.

To create a schedule, go to Firewall > Schedules > '''+ Add'''

    • Schedule Name: Office_Hours
    • Description: Normal Office hours
    • Date: click the Mon, Tue, Wed, Thu and Fri column headers so the schedule repeats every weekday
    • Time: Start 08:00, Stop 16:00, then click '''Add Time'''
    • '''Save'''

Note that by default pfSense kills the states of existing connections when a schedule's time range ends, so the rule stops applying to them as well (this behaviour can be changed under System > Advanced > Miscellaneous).

== Virtual IPs ==

To NAT to a public address other than the WAN interface's own address, the firewall must first own that address, which is done with a virtual IP (VIP). A VIP acts as a secondary address on the interface it is configured on.
As an example, let's create a VIP to be the NAT address for your server. Refer to the IP table reservation for your server's public IP.

Go to Firewall > Virtual IPs > ''' +Add '''
    • Type: IP Alias
    • Interface: WAN
    • Address: 192.248.7.XYZ with mask (/) 32, i.e. a single address
    • Description: Public IP for server
and '''Save''', then '''Apply Changes'''.

An IP Alias VIP is a real address on the interface: the firewall answers ARP for it and can also bind its own services to it. A Proxy ARP VIP only answers ARP and works for NAT as well, but cannot be used by the firewall itself; CARP VIPs are for high-availability pairs.

== NAT ==
pfSense supports four kinds of NAT: Port Forward, 1:1, Outbound and NPt (IPv6 prefix translation).

We will focus on 1:1 NAT for the workshop. A 1:1 mapping is bidirectional: inbound traffic to the public address is translated to the internal host, and traffic originating from that host leaves with the public address as its source instead of the WAN interface address.

Go to Firewall > NAT > 1:1 > '''+ Add'''
    • Interface: WAN
    • External subnet IP: 192.248.7.XYZ (the virtual IP created above)
    • Internal IP: Single host 192.168.XY.1
    • Destination: Any
    • Description: Public NAT
and '''Save''', then '''Apply Changes'''.

A NAT entry only translates addresses; it does not permit any traffic. Firewall rules on WAN are still required, and because NAT is applied before those rules are evaluated, they must match the internal address (192.168.XY.1), not the public one.

== Rules ==

Let's allow the HTTP and HTTPS ports from outside. Rules on an interface are evaluated top-down against traffic entering that interface, the first match wins, and anything no rule matches is dropped by the default deny.

Go to Firewall > Rules > WAN > '''Add''' (to end)
    • Action: Pass
    • Interface: WAN
    • Address Family: IPv4+IPv6 (only IPv4 can match here, since the alias holds an IPv4 address)
    • Protocol: TCP
    • Source: Any
    • Destination: Single host or alias: wwwserver
    • Destination Port Range: (other), enter the alias wwwport
    • Log: ticked
    • Description: Allow any to Web ports of wwwserver
'''Save''', then '''Apply Changes'''.

For the LAN side, pfSense's default rule set ('''Default allow LAN to any''') already permits outbound traffic, web ports included. If the LAN rules have been restricted and another port is needed, for example SSH from the web server, add a rule above the existing ones (rules are first-match, so a specific pass rule must sit above any broader block rule):

Go to Firewall > Rules > LAN > '''Add''' (to top)
    • Action: Pass
    • Interface: LAN
    • Address Family: IPv4+IPv6
    • Protocol: TCP
    • Source: Single host or alias: wwwserver
    • Destination: Any
    • Destination Port Range: SSH (22)
    • Log: ticked
    • Description: Allow wwwserver to SSH outside
'''Save''', then '''Apply Changes'''.

On LAN the source address is matched before outbound NAT rewrites it, so the wwwserver alias (the internal address) is correct here as well.

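The NAT-before-filter point, the first-match ordering of the WAN and LAN rules, and the Office_Hours schedule can be checked without a firewall in a small model of pf's packet path. This is an added example written for this page, not code from the workshop or from pfSense, and it is a simplification: it models only the ingress filter per interface, 1:1 NAT on WAN, aliases and schedules. The addresses 203.0.113.10 (standing in for 192.248.7.XYZ), 192.168.10.1 (for 192.168.XY.1), 192.168.10.50 and 198.51.100.7, the two demo SSH rules and the dates are constructed.

```python
"""Toy model of the pf packet path the workshop's rules depend on: on WAN the
1:1 NAT (binat) rewrites the destination BEFORE the filter rules run, rules
are read top-down per interface and the first match wins, a rule bound to a
schedule only matches inside its time window, and unmatched traffic hits the
default deny. Added example, not code from the workshop page or from pfSense.
Addresses are constructed stand-ins: 203.0.113.10 for 192.248.7.XYZ and
192.168.10.1 for 192.168.XY.1."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "203.0.113.10"    # WAN virtual IP (IP Alias, /32)
INTERNAL_IP = "192.168.10.1"  # the web server on LAN

ONE_TO_ONE = {PUBLIC_IP: INTERNAL_IP}  # Firewall > NAT > 1:1 entry
SCHEDULES = {"Office_Hours": (range(0, 5), "08:00", "16:00")}  # Mon-Fri


@dataclass
class Packet:
    iface: str   # interface the packet arrives on: "WAN" or "LAN"
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    iface: str
    action: str               # "pass" or "block"
    proto: str = "any"
    src: str = "any"          # "any", an address/network or an alias name
    dst: str = "any"
    dport: str = "any"        # "any", a port number or an alias name
    schedule: Optional[str] = None
    descr: str = ""


def host_match(spec, addr, aliases):
    """True if addr is covered by spec ("any", a network, or an alias)."""
    if spec == "any":
        return True
    nets = aliases.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def port_match(spec, port, aliases):
    if spec == "any":
        return True
    return port in [int(p) for p in aliases.get(spec, [spec])]


def schedule_active(name, now):
    if name is None:
        return True
    days, start, stop = SCHEDULES[name]
    return now.weekday() in days and start <= now.strftime("%H:%M") < stop


def inbound_nat(pkt):
    """binat on WAN: public destination -> internal host, before filtering."""
    if pkt.iface == "WAN" and pkt.dst in ONE_TO_ONE:
        return Packet(pkt.iface, pkt.proto, pkt.src, ONE_TO_ONE[pkt.dst], pkt.dport)
    return pkt


def evaluate(pkt, rules, aliases, now):
    """(action, description) of the first matching rule on the ingress
    interface, or the implicit default deny pfSense applies everywhere."""
    pkt = inbound_nat(pkt)
    for r in rules:
        if r.iface != pkt.iface or not schedule_active(r.schedule, now):
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if (host_match(r.src, pkt.src, aliases)
                and host_match(r.dst, pkt.dst, aliases)
                and port_match(r.dport, pkt.dport, aliases)):
            return r.action, r.descr
    return "block", "default deny"


# The workshop's aliases: wwwserver holds the INTERNAL address because the WAN
# rule sees the packet after 1:1 NAT has already rewritten its destination.
ALIASES = {"wwwserver": [INTERNAL_IP], "wwwport": [80, 443]}
WRONG_ALIASES = {"wwwserver": [PUBLIC_IP], "wwwport": [80, 443]}  # never matches on WAN

RULES = [
    Rule("WAN", "pass", "tcp", "any", "wwwserver", "wwwport",
         descr="Allow any to Web ports of wwwserver"),
    Rule("LAN", "pass", "tcp", "wwwserver", "any", "22",      # added to top
         descr="Allow wwwserver to SSH outside"),
    Rule("LAN", "pass", "tcp", "any", "any", "22", schedule="Office_Hours",
         descr="demo: LAN SSH out during office hours"),
    Rule("LAN", "block", "tcp", "any", "any", "22",
         descr="demo: no other SSH out"),
    Rule("LAN", "pass", descr="Default allow LAN to any"),
]

WED = datetime(2019, 3, 13, 10, 0)   # Wednesday, inside Office_Hours
SAT = datetime(2019, 3, 16, 10, 0)   # Saturday, outside it

if __name__ == "__main__":
    web_in = Packet("WAN", "tcp", "198.51.100.7", PUBLIC_IP, 443)
    print(evaluate(web_in, RULES, ALIASES, WED))        # passes
    print(evaluate(web_in, RULES, WRONG_ALIASES, WED))  # default deny
    print(evaluate(Packet("LAN", "tcp", "192.168.10.50", "198.51.100.7", 22),
                   RULES, ALIASES, SAT))                 # blocked on Saturday
```

The second call is the failure mode the NAT section warns about: with the alias pointing at the public address, the WAN rule compares it against a destination that binat has already rewritten to the internal host, nothing matches, and the connection falls through to the default deny even though the rule looks correct in the GUI.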
You may also add separators to group rules visually.
Click '''+ Separator''', give it a name (e.g. web) and a colour.
A separator can be dragged and dropped by holding its name; rules can be dragged by holding their '''Anchor''' mark. Since rule order decides which rule matches first, check the order after moving rules.
Once the drag-and-drop is finished, click '''Save''' and '''Apply Changes''' to complete the change.

== Traffic Shaper ==

The traffic shaper places traffic into queues using match rules (filters). Building queues by hand is the advanced route; the easiest way is to use a wizard.
Go to Firewall > Traffic Shaper > Wizards > traffic_shaper_wizard_dedicated.xml (the Dedicated Links wizard: one LAN interface per WAN)

* Enter number of WAN type connections: 1 > Next
* Parameters:
   * Local interface: LAN
   * Local interface scheduler: PRIQ
   * WAN interface: WAN
   * WAN interface scheduler: PRIQ
   * Upload: 10 Mbit/s (caps traffic leaving via WAN)
   * Download: 50 Mbit/s (caps traffic leaving towards LAN) >> Next
   Set both slightly below the real link rates, so that queuing happens on the firewall rather than on the ISP's side where the shaper has no control.
* Voice over IP: disabled >> Next
* Penalty Box >> Next (not used in the lab, but you can try it with a single IP or an alias of several IPs; matching hosts are pushed into a low-priority queue)
* Peer to Peer networking:
   * Enable
   * p2pCatchAll: ticked (anything the wizard's other rules do not classify is treated as P2P and lands in the lowest-priority queue, so protocols you care about must be enabled in the later steps or given their own rules)
   * Bandwidth: 2 % (PRIQ serves queues strictly by priority, so this figure does not reserve bandwidth for P2P the way it would under HFSC or CBQ)
   * Enable P2P protocols >> Next
* Network Games: disabled >> Next
* Other Networking Protocols: disabled >> Next
* Finish

Finishing the wizard writes the queues and the floating match rules, reloads the filter and resets the state table so that connections are classified into the new queues.
If you go back to Firewall > Traffic Shaper, you can tweak the settings: queue priorities and limits under By Interface, and the match rules under Firewall > Rules > Floating.
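What the PRIQ choice in the wizard means in practice, and why p2pCatchAll can demote traffic you did not expect, can be seen in a small scheduler model. This is an added example, not material from the page nor pfSense/ALTQ code; the queue names follow the wizard's naming, but the priorities, the port-to-queue table standing in for the wizard's match rules, and the packet burst are constructed for the demo.

```python
"""Toy strict-priority (PRIQ) scheduler, the discipline selected in the wizard
above, plus a stand-in for the wizard's classification rules. The link sends
one packet per tick and always takes it from the highest-priority non-empty
queue, so the P2P queue (lowest priority) only transmits when every other
queue is empty, and with p2pCatchAll anything the other rules do not
recognise ends up in that queue. Added example, not pfSense or ALTQ code;
queue names, priorities, the port table and the packet trace are constructed
for the demo."""
from collections import deque

PRIORITIES = {"qACK": 6, "qDefault": 3, "qP2P": 1}   # 7 is PRIQ's highest

# Constructed stand-in for the wizard's floating "match" rules.
PORT_QUEUE = {80: "qDefault", 443: "qDefault", 6881: "qP2P"}


def classify(pkt, p2p_catch_all):
    """Pick a queue: TCP ACK-only packets first, then by destination port;
    unrecognised traffic goes to qP2P if p2pCatchAll is on, else qDefault."""
    if pkt.get("ack_only"):
        return "qACK"
    if pkt["dport"] in PORT_QUEUE:
        return PORT_QUEUE[pkt["dport"]]
    return "qP2P" if p2p_catch_all else "qDefault"


class Priq:
    def __init__(self, priorities, qlimit=50):
        self.order = sorted(priorities, key=priorities.get, reverse=True)
        self.queues = {n: deque() for n in priorities}
        self.drops = {n: 0 for n in priorities}
        self.qlimit = qlimit

    def enqueue(self, name, pkt):
        if len(self.queues[name]) >= self.qlimit:
            self.drops[name] += 1        # tail drop once the queue is full
        else:
            self.queues[name].append(pkt)

    def dequeue(self):
        """Strict priority: the first non-empty queue in priority order."""
        for name in self.order:
            if self.queues[name]:
                return name, self.queues[name].popleft()
        return None


def run(packets, p2p_catch_all, ticks, qlimit=50):
    """Enqueue every packet, then transmit one per tick. Returns the queue
    each sent packet came from (in order), what is still waiting per queue,
    and how many packets each queue dropped."""
    sched = Priq(PRIORITIES, qlimit)
    for p in packets:
        sched.enqueue(classify(p, p2p_catch_all), p)
    sent = []
    for _ in range(ticks):
        item = sched.dequeue()
        if item is None:
            break
        sent.append(item[0])
    return sent, {n: len(q) for n, q in sched.queues.items()}, sched.drops


# Constructed burst: 2 ACKs, 3 HTTPS, 2 BitTorrent, 2 SSH (unrecognised).
SAMPLE = ([{"dport": 443, "ack_only": True}] * 2
          + [{"dport": 443}] * 3
          + [{"dport": 6881}] * 2
          + [{"dport": 22}] * 2)

if __name__ == "__main__":
    print(run(SAMPLE, True, 4))    # ACKs leave first, P2P still waiting
    print(run(SAMPLE, False, 9))   # SSH rides in qDefault without catch-all
```

With p2pCatchAll on, the two SSH packets are scheduled behind every HTTPS packet because nothing classified them; with it off they share qDefault. Either way the ACK queue always drains first, which is the point of PRIQ for a small upstream link: the priority field decides, not a bandwidth share.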

> Reference: https://www.netgate.com/docs/pfsense/trafficshaper/traffic-shaping-guide.html