Configuring pfsense firewall for home network

By

 


In this blog, I am going to install configure, and even block a malicious domain in the form of a redhunt.net. We will create rules to block this domain. 

You can download the ISO file for the pfsense firewall from this pfsense website


Download the FreeBSD version from the FreeBSD website and we will set the type as BSD. FreeBSD is a free and open-source Unix-like system and popular server platform. It generally has a lower amount of security issues than Linux and makes it easy to set up a rule-based packet filtering firewall.

Now we will ensure that our virtual machine is in the bridged networking mode so that it can use its own IP address and does not have to share it with the host system.


INSTALLATION PHASE:

After starting the virtual machine you will initially see this screen at the start.


After choosing all the default options you will end up on this screen below. You can see it is asking Should VLANs be set up now? we will type "n". 


Now we can see that it is asking us to enter the WAN interface we will enter "em0" and when asked about LAN we simply press enter and asked to remove the LAN address we type "y".  

PS: You can set up more interfaces and connect them to the pfsense firewall but here as we are going to set up a basic traditional firewall for our home network we are not going to do that.


In this below picture we can see that now the em0 WAN interface is set up and our WAN address is 
192.168.194.102/24




CONFIGURATION PHASE:

Once we obtained the IP address of the WAN interface we will enter this in the browser of our host system and we can see the pfsense web login portal.


Enter username: admin and password: pfsense into the console. Now after logging in successfully by using these default credentials we can see the welcome screen and now we can start configuring the firewall.


Configure the firewall by adding the hostname, domain, and DNS server and click NEXT.


Now, we will keep timer server information as default and click NEXT.


Onto configuring the WAN interface we will select Static type and enter the em0 pfsense IP address we received the same as in our address bar in the static IP section with subnet /24 and default gateway 192.168.1.1. 

PS: My pfsense IP is 192.168.194.102/24 ignore the IP below as I had to reinstall pfsense due to an error.



Now it will ask you to change the default password. Click on finish and you will see a dashboard as we have completed the conguration.





CREATING FIREWALL RULES:

A firewall rule is created on the basis of three different actions:

  • Pass  -  This rule allows the traffic to pass the firewall.
  • Block-  This rule prevents the traffic to pass through the firewall by dropping the packets and NOT notifying the source IP.
  • Reject-  This rule prevents the traffic to pass through the firewall by dropping the packets and WILL notify the source IP. 

As we are building up a stateless traditional firewall the rules are created on the basis of the format below:

  • Permission - Here as discussed above the action permission rule is set on the firewall which will check on the ALLOW/ DENY permission.
  • Protocol     - Here we specify which protocol the rule applies to TCP/ UDP or we can choose "ANY" while creating the rule.
  • Source        - A Rule is created on the traffic coming from a specific source IP. We can allow or reject traffic coming from a single computer or a range of IP addresses like a subnet.
  • Destination - A rule is created to address the destination IP address. We can allow or reject traffic to a single computer or a range of IP addresses like a subnet.
  • Ports          - A rule can also be set up to allow or deny a single port.

Rule creation:

Now we will create a firewall rule to block a malicious domain redhunt.net. First we need to know the IP address of the domain. So we will go to the command prompt and type "ping redhunt.net" it will come up with the IP address of the domain, we can see that the IP address is 3.11.197.46.


Before creating the rule we will create an Alias of the domain so that even if the IP address of the site changes we will only need to change the IP instead of every rule. To create an alias click on the firewall on the top section of the bar and select Alias. Just enter the name as redhuntDOTnet and the IP address and save. Here, you can see that we have created an alias.



Now we will create the blocking rule.




  • Action        -  Block
  • Interface     - WAN
  • Protocol     - Any (We will not select a specific protocol like TCP/UDP)
  • Source        - We will select "Network - 192.168.194.0" as we want to impose the rule on our entire home network
  • Destination - Here we are blocking traffic from the domain. 

So, now we have created a rule to block any traffic to redhunt.net and block any traffic as we try to push all traffic through the pfsense machine.

This means if we change the default gateway of our host system we will not be able to access the internet as pfsense will be blocking every connection. To avoid that we will create a Allow all rule on the pfsense.

Firewalls follow hierarchy when it comes to rule so we will set up the rule as:

  • The firewall blocks traffic on redhunt.net. If the packet is attempting to reach 3.11.197.46 it will drop the packet to prevent connection.
  • The firewall allows all the rest traffic because of our pass rule.
We will create allow all rule like this and save.

Now we can see these are the rules we have set up. (Make sure block rule is above the pass rule)



Before moving further we will understand how our pfsense machine and home network is set up.

  • pfsense virtual machine IP: 192.168.194.102
  • pfsense upstream gateway: 192.168.1.1
  • pfsense DNS server IP:  8.8.8.8
  • Host machine IP: 192.168.194.88 ( example Ip)
  • Default gateway: 192.168.194.210 ( example - This is how I can access the internet)
  • DNS server: 192.168.194.88
At the moment the architecture of my host machine where is sending traffic from 192.168.194.88 to 192.168.194.210 and then out to the internet. In this below picture we can see how we are set up and how we need to configure our host to push traffic through the pfsense to the internet.


  • Now we will tell our host machine to use the pfsense firewall(192.168.194.102) as the default gateway so that traffic outbound to the internet will go through pfsense.
  • We will also tell pfsense  VM to use the router as its default gateway (192.168.194.210).
Now our network will look like this: 



First, we will change the default gateway pfsense from 192.168.1.1 to 192.168.194.210.



Now we will update the settings of our host system. We can do it by pressing Win+ R then entering "ncpa.cpl"  then right-click on our connection and changing IPv4 settings and setting a Static IP as shown below.





Now all our traffic is going through the pfsense firewall to the internet. It will scan traffic against the rules we have created and allow or deny the connection. You can see below that we can access everything on the internet except "redhunt.net" because of the block rule we created.


Here, you can see I am receiving a ping reply from 8.8.8.8 while red hunt, net 3.11.197.46 is not accessible.







Thank you.

- Sanket



































 







Comments

Post a Comment

Popular posts from this blog

SIEM(Splunk) dashboard creation - Firewall

By
Image
Summary: In this blog we are going to create a Firewall Dashboard in SIEM tool Splunk which helps an organization to visualize its security in real-time. Dashboards : Dashboard consists of one or more panels displaying data visually, presenting it in a useful way in form of events, tables or charts which can be used to measure, monitor & analyze revelant key areas. Now, we will go forward and create a firewall dashboard which will help us in better analyzing our data. (P.s We have already uploaded firewall logs on splunk. Please check this blog -  https://bit.ly/3UQWoBP) First, we will install this "Infosec" app from -  https://splunkbase.splunk.com/app/4240 which adresses most common security issues and we will create the same dashboard. Dashboard Panels : Panels that our dashboard will have are: 1-  Blocked connections : (   We are using Palo Alto traffic logs to find out all the blocked connections) index=botsv2 sourcetype="pan:traffic" action=blocke...
Read more

Uploading demo logs and analyzing Firewall logs

By
Image
Summary: In this blog, we are going to download demo logs from GitHub and upload, understand and analyze FortiGate and Palo alto raw logs. Uploading logs to Splunk : We will start by downloading the dataset from  https://github.com/splunk/botsv1  this site. Here in the below pic, you can see two different datasets ( One containing normal and attack logs and the other one containing only attack logs). I am downloading the attack logs. This dataset contains different types of logs as shown below. As the botsv1 dataset contains only FortiGate firewall logs for Palo Alto logs we will download the botsv2 dataset from this site https://github.com/splunk/botsv2 Uploading logs to Splunk: After downloading both the datasets, extract and copy both the folders and paste them to  InstallationPath/Splunk/etc/apps    After this step, we will allow Splunk to parse the logs for a few seconds and then check as shown below. Here, we can see that both the datasets have been uploa...
Read more

My first Cybersecurity Certification

By
Image
After learning about CompTIA security+ through LinkedIn and after doing some initial research about the content, book, and objectives of the exam I got an understanding that this certification touches on every part of the fundamental cybersecurity domain in great detail. In this blog, I will discuss what I learned from the certification, the key materials to study and how to learn it so that it can be beneficial to apply these concepts while dealing with real-life situations or in a home-lab environment. How the certification helps? As we know CompTIA security+ is a global certification it validates and helps us have the baseline knowledge to perform core cybersecurity operations. It helps an individual to identify and address potential threats, risk management techniques, and also intrusion detection and prevention systems among others. As the exam covers 6 important domains within cybersecurity some of the key topics I learned and think were very essential in building up my knowledge...
Read more