Activity) Setting up a Firewall Flashcards
Setting up a Firewall
For this activity, we’ll be creating a brand new virtual machine that will act as a firewall. Firstly, head over to the pfSense website and download the ISO install file shown in the below screenshot. If you’re unsure what version to download for your host system, read the information at the bottom of this page.
Now that we have the .iso.gz file we need to unzip it, so we can access the .iso file. If you don’t already have 7Zip installed, you’ll need to download it, install it, and use it to extract the files. You should now have the .iso file!
Next, open VirtualBox and click on New in the top middle of the VirtualBox Manager windows. Name the virtual machine anything, we’ve gone with “BTL1 Firewall Exercise”, set the type as BSD, and the version as FreeBSD. If your host system is 64-bit, then download FreeBSD (64-bit).
The RAM minimum is 512 MB, but as we are just experimenting with pfSense it doesn’t need to have high resources to deal with traffic and operations. We suggest you set the memory size to 1024 MB. When creating a new virtual hard drive, select the VirtualBox Disk Image (VDI) file type.
Next we need to ensure that the virtual machine is in Bridged networking mode, so that the system has it’s own IP address instead of sharing the IP of our host system. Select your new virtual machine by left-clicking on it once in the VirtualBox Manager, then click the Settings cog at the top of the window. Go to the Network tab and change from NAT to Bridged Adapter.
Go back to the VirtualBox Manager window, and double-click your firewall virtual machine to run it. You will be prompted with the below window, asking you to import an optical disk – this is our .iso file for pfSense! Select it, and click Choose.
Follow the pfSense installer to get pfSense initialized correctly.
Once the installation is complete, manually shut down the virtual machine. If you don’t it will attempt to run the installer again. To stop this, we need to open the virtual machine settings from the VirtualBox Manager and remove the .iso file we used for installation.
Now that you can boot into your pfSense virtual machine properly, select option 1 and when asked “Should VLANs be set up now?” type “n”.
When asked to enter a WAN interface name, enter “em0”, and when asked to enter the LAN interface name, don’t enter anything and press Enter. When asked to remove the LAN IP address, type “y”.
In the below screenshot we can see that the em0 interface is enabled, and in our case we see the IP address 192.168.1.249. If you enter this IP into your browser on your host system, you will see the pfSense login portal.
Use the username:admin and the password:pfsense to log into the management console. On the first page we are presented with the configuration wizard, which we will be following to get everything set up correctly. Click Next to begin.
Configure the setting as shown below.
Leave the following settings as they are by default.
Below, we have changed the SelectedType from DHCP to Static. Under the Static IP Configuration section we have set the IP address to match the IP we’re currently using to access this web console (look at your address bar!). Make sure to change the subnet mask to 24, and the gateway as 192.168.1.1.
Creating Firewall Rules
From your pfSense web console, hover over Firewall on the top menu and click on Rules.
As we don’t currently have any firewall rules in place, all incoming connections are blocked by default as a safety measure. We’re going to quickly cover how to write some basic firewall rules. To get started click on the left Add button at the bottom of the page. Before we actually create our own rules, we’re going to explain the properties that we can set when creating a rule.
Action
There are three actions we can take with our firewall rules:
Pass: Allow the traffic to pass through the firewall.
Block: Prevents the traffic from passing through the firewall by dropping the connection, and not notifying the source IP (known as silent dropping).
Reject: Prevents the traffic from passing through the firewall by dropping the connection, and informing the source IP.
Disabled
Ticking this box will disable the rule, meaning that it is not actively used by the firewall, but the rule is not deleted so it can be enabled in the future.
Interface
Choose the interface from which packets must come to match this rule. For this walkthrough, we only have a WAN interface configured.
Address Family
Choose whether the rule applies to IPv4 traffic, IPv6 traffic, or both.
Protocol
Which protocol this rule applies to. For example, we could block TCP traffic but allow UDP traffic. We can also choose to use Any protocol, instead of a specific one.
Source
The source of the network connection the rule will apply to. For example, if we wanted to block connections to Facebook from this network, the source value would be 192.168.1.0/24, with a destination value of Facebook’s IP range.
Destination
The destination of the network connection the rule will apply to. See the example under the Source heading to understand what this means.
Log
We can optionally log traffic that matches this rule. If we were blocking connection to Facebook, we could log when this rule is enforced, allowing us to identify which hosts are attempting to connect to Facebook. In an enterprise, we would push these logs to a SIEM platform for centralized management and alerting.
Description
We can assign a description for this rule. This is a good idea when working in teams, so that other team members can understand what this rule does, and what it’s being used for.
Now that you understand the properties we can set within a rule, let’s create a rule to block a Security Blue Team-owned domain, Redhunt.net. Open a command prompt on your Windows system, or a terminal on a Kali Linux virtual machine, and type ping redhunt.net. You can instantly press CTRL+C to stop pinging. You now have the IP address of Redhunt.net!
Hover over Firewall on the top menu, and click Aliases. Aliases act as placeholders for real hosts, networks or ports. They can be used to minimize the number of changes that have to be made if a host, network or port changes. For example, if we create an Alias for a site we want to block, we can use that as the source or destination within firewall rules. If the IP of the site changes, we only need to change the Alias instead of every single rule. In the below screenshot we have set a name and the IP address of redhunt.net.
Now let’s create a firewall rule to block any host in our network connecting to the redhunt.net! Copy the below settings – we will explain them below
Let’s create our allow-all rule. Copy the settings we have used below.
Once this rule has been created, make sure it is placed below the redhunt.net blocking rule, otherwise when we change our default gateway, you’re going to lose internet connection until you restore it.
What we need to know next is our host system’s IP address, our host system’s DNS server IP, and our current default gateway. We can open a command prompt and use the command ipconfig /all to gather the information we need.
In our case (yours may be different), our host IP is 192.168.1.220, our default gateway to the internet is 192.168.1.254, and our DNS server is 192.168.1.254 (same as the gateway). At the moment, our host is sending traffic from 192.168.1.220 to 192.168.1.254, then out to the internet. Below is a network diagram showing how we need to configure our host to push traffic through pfSense out to the internet. We’ll explain it more below.
So at the moment, our host communicates with the router at 192.168.1.254 and that’s how we have internet connectivity. Our pfSense has the default gateway we assigned earlier, which is 192.168.1.1. Sometimes your router will sit at .1 in home networks, but in our case, it is at .254. What we need to do is:
Tell our host system to use the pfSense virtual machine (192.168.1.251) as its default gateway. Traffic outbound for the internet will now go to pfSense.
Tell our pfSense VM to use the router (192.168.1.254) as its default gateway, giving it internet connectivity.
The new network should look like the below diagram.
First things first, let’s change the default gateway in pfSense from 192.168.1.1 to the correct value, 192.168.1.254, giving us access to the internet. You can see the change we have made in the below screenshot by clicking on “Add a new gateway” and entering our router’s IP.
Next it’s time to update the settings for our host. In the Windows search bar, type “run” and press enter. The following popup will display.
Enter in “ncpa.cpl” and press enter. You should see something similar to the below screenshot. Our ethernet network connection is shown in the top right, as GardenNET.
Right-click on your primary connection, and select “Properties”. Find the line that reads “Internet Protocol Version 4”, and double left-click to open a new window, shown below. Here we can change from “obtain an IP address automatically” and “obtain DNS server address automatically” to set the values we need from our pfSense system. We have shown the before and after screenshots below. We will also explain what we’ve done underneath these images.
