Learn pfSense 2.4
eBook - ePub

Learn pfSense 2.4

Get up and running with pfSense and all the core concepts to build firewall and routing solutions

  • 346 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android


About This Book

Install, configure, and set up different connections with pfSense

Key Features

  • Build firewall and routing solutions with pfSense.
  • Learn how to create captive portals, how to connect pfSense to your HTTPS environment, and more.
  • Take a practical approach to building firewall solutions for your organization.

Book Description

As computer networks become ubiquitous, it has become increasingly important to both secure and optimize our networks. pfSense, an open-source router/firewall, provides an easy, cost-effective way of achieving this – and this book explains how to install and configure pfSense in such a way that even a networking beginner can successfully deploy and use pfSense.

This book begins by covering networking fundamentals, deployment scenarios, and hardware sizing guidelines, as well as how to install pfSense. The book then covers configuration of basic services such as DHCP, DNS, and captive portal and VLAN configuration. Careful consideration is given to the core firewall functionality of pfSense, and how to set up firewall rules and traffic shaping. Finally, the book covers the basics of VPNs, multi-WAN setups, routing and bridging, and how to perform diagnostics and troubleshooting on a network.

What you will learn

  • Install pfSense
  • Configure additional interfaces, and enable and configure DHCP
  • Understand captive portals
  • Understand firewalls and NAT, and traffic shaping
  • Learn in detail about VPNs
  • Understand Multi-WAN
  • Learn about routing and bridging in detail
  • Understand the basics of diagnostics and troubleshooting networks

Who this book is for

This book is for network security professionals who want an introduction to firewalls and network configuration using pfSense. No prior knowledge of pfSense is required.

Frequently asked questions

Yes, you can access Learn pfSense 2.4 by David Zientara in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Year: 2018
ISBN: 9781789349009
Edition: 1

Firewall and NAT

Regardless of your deployment scenario, there is a good chance you will want to utilize pfSense to filter network traffic, as having control over traffic entering and leaving our networks is one of the main functions of a pfSense firewall. The primary mechanism that we employ for filtering traffic is the creation of firewall rules, and we will detail the process in this chapter. We will also introduce some real-world examples of using pfSense to selectively block traffic, or to allow certain traffic only during certain hours via scheduling.
Another component that we sometimes use in filtering traffic is Network Address Translation (NAT). NAT played an important role in forestalling IPv4 address exhaustion, as it enabled a network to have one IP address for the public internet and many private addresses, with NAT directing traffic in both directions to the correct destination. Although NAT is likely to diminish in importance with the continuing migration to IPv6, it is nonetheless likely to be a component of our networks in the near future, and will be covered in this chapter.
The following topics will be covered in this chapter:
  • Firewall fundamentals
  • Firewall best practices
  • Creating firewall rules
  • Scheduling
  • Aliases and virtual IPs
  • Network Address Translation (NAT)
  • Troubleshooting

Technical requirements

There are no additional technical requirements for this chapter beyond what was required for previous chapters. To implement the examples contained in this chapter, you will need a working pfSense firewall in either a real or virtual environment.

Firewall fundamentals

On a fundamental level, the purpose of a network firewall is to act as a packet filter. A firewall is placed on the boundary between trusted (internal) networks and untrusted (external) networks. When packets coming from the external network to the internal network do not match the packet filter’s set of rules (ruleset), the packets are either silently discarded (in other words, dropped) or an Internet Control Message Protocol (ICMP) message is returned to the sender (in which case we say the packet was rejected). If the packets match the ruleset, they are allowed through the firewall (in which case we say the packet passes through).
As you might have deduced, a good default firewall policy is to block all traffic not explicitly allowed. This is generally the policy that pfSense follows. In addition, the following two rules are in place when pfSense is initially installed and configured:
  • On the WAN interface, the RFC 1918 (private) and bogon (currently unassigned) networks are blocked by default, which makes sense, because we don't want private addresses to be the source or destination of packets sent over the public internet. It is not allowed, and routers on the public internet wouldn't know what to do with them anyway. The same goes for currently unassigned networks. Bogon networks cannot be the source of legitimate traffic; they may very well be the source of an attack, and we can eliminate the possibility of such an attack by blocking them.
  • On the LAN interface, there are two default rules: an Allow LAN to any rule for IPv4 traffic, and an Allow LAN to any rule for IPv6. These rules exist to make pfSense as plug-and-play as possible; without them, the LAN network would be blocked from accessing the WAN side of the network (thus, it would likely be blocked from accessing the internet). Note that these default rules are only automatically created on the LAN interface; if we add other interfaces in order to create more private networks, we will have to generate these rules ourselves, or create floating rules that apply to multiple interfaces.
pfSense has three options for firewall rules: pass, which allows traffic that matches the rule; block, which silently drops traffic that matches the rule; and reject, which also drops the traffic but sends a port unreachable message back to the sender. In floating rules, there is also a match option, which allows us to divert traffic into queues, assuming that we have created such queues.
Early network firewalls were stateless; in other words, they treated each packet as a separate entity. Such firewalls did not know whether a packet was part of an existing connection, was trying to establish a new connection, or was a stray packet. By the 1990s, however, firewall developers realized that much overhead could be eliminated if firewalls kept track of the state of network connections: the IP addresses, the ports, and the sequence numbers of the packets. If packets were part of an already-established connection, they would be allowed through the firewall without having to be re-evaluated. Firewalls that keep track of network connections are called stateful firewalls.
pfSense is a stateful firewall. Thus, traffic that is part of an existing connection is allowed through. This is done through a mechanism known as stateful packet inspection.
The protocol used in a connection was not mentioned as one of the attributes of a connection that the firewall tracks. As a result, traffic that matches the IP address and port of the initial connection is allowed through even if it doesn't match the protocol of the initial connection. This allows, for example, the passage of ICMP control packets on a TCP or UDP connection.
While stateful firewalls greatly reduce the amount of work a firewall must do, they come with a downside. These connections, or states, have to be kept track of, which is done by creating entries in a table called a state table. In pfSense, each table entry uses up about 1 K of RAM. We can set the firewall’s maximum number of connections and maximum number of state table entries by navigating to System | Advanced and clicking on the Firewall and NAT tab. The Firewall Maximum States and Firewall Maximum Table Entries parameters are the relevant settings. The former parameter controls the maximum number of connections, whereas the latter controls the maximum number of entries, which can be greater than the number of connections; the use of a proxy server, for example, will not create an additional connection, but it will take up another entry in the table. You will want to make sure that Firewall Maximum Table Entries is set low enough that the state table does not use up all available memory.
The fact that the state table has a finite maximum size sets up a potential attack vector. If the number of connections reaches the number specified in Firewall Maximum States, unpredictable things may happen if any additional connections are...
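The following toy model, added here as an illustration rather than code from the book or from pfSense itself, ties together the behaviour this section describes: the default WAN block of RFC 1918 and bogon sources, the Allow LAN to any rule, the three rule actions, state entries keyed on addresses and ports only (so return traffic and ICMP on an established tuple pass without rule evaluation), and what happens when the number of states reaches Firewall Maximum States. The bogon list is a constructed sample, the LAN reject rule for TCP port 23 is hypothetical, and NAT is ignored so the LAN host's private address appears unchanged on the WAN side.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address lists: RFC 1918 space plus a small sample of bogon space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4")]

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "wan" or "lan"
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int

def from_private_or_bogon(p):
    src = ipaddress.ip_address(p.src)
    return any(src in net for net in RFC1918 + BOGONS)

class StatefulFilter:
    def __init__(self, max_states):
        self.max_states = max_states   # models the Firewall Maximum States setting
        self.states = set()            # each entry costs about 1 K of RAM in pfSense
        # (interface, action, match function): first match wins, default is deny.
        self.rules = [
            ("wan", "block", from_private_or_bogon),                          # default WAN rule
            ("lan", "reject", lambda p: p.proto == "tcp" and p.dport == 23),  # hypothetical rule
            ("lan", "pass", lambda p: True),                                  # Allow LAN to any
        ]

    def filter(self, p):
        # The state key holds addresses and ports only; protocol is not tracked,
        # so an ICMP packet matching a TCP connection's tuple passes via state.
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.states or reverse in self.states:
            return "pass (existing state)"   # no rule evaluation needed
        for iface, action, matches in self.rules:
            if iface == p.iface and matches(p):
                if action == "pass":
                    if len(self.states) >= self.max_states:
                        return "drop (state table full)"
                    self.states.add(key)
                    return "pass (new state)"
                if action == "reject":
                    return "reject (ICMP port unreachable sent)"
                return "block (silently dropped)"
        return "block (default deny)"
```

Sizing the state table from this model is direct: `len(fw.states)` times roughly 1 K is the RAM the table consumes, which is why Firewall Maximum States must be bounded below available memory.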

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. Packt Upsell
  4. Contributors
  5. Preface
  6. Getting Started with pfSense
  7. Installing pfSense
  8. Configuring pfSense
  9. Captive Portal
  10. Additional pfSense Services
  11. Firewall and NAT
  12. Traffic Shaping
  13. Virtual Private Networks
  14. Multiple WANs
  15. Routing and Bridging
  16. Diagnostics and Troubleshooting
  17. Assessments
  18. Other Books You May Enjoy