Build your own firewall

This is the follow-up to my last article, in which I promised to walk you through building your own small-scale data center for your small business. For the first part of the project we will build a simple but very robust hardware firewall running pfSense, a FreeBSD (Unix) based operating system, which can be deployed with a basic configuration in less than an hour. For this example the hardware I will be using is an old Dell Dimension L866r, pictured below (yes, a white Dell!). The reason I picked such an old system is to drive home the point that for some of the things we will be doing you don’t need brand new high-end equipment; in fact, for something like a firewall this system is pretty much overkill, but since it is actually a functioning part of our network I decided to use it for demo purposes.
The system has a Pentium 3 processor clocked at about 733 MHz, 128 MB of RAM and a 20 GB Western Digital hard drive, which is again overkill since the OS needs only about 128 MB of space, meaning it can be run off a Compact Flash card. We also used a pair of 3Com 10/100 Ethernet cards because they are probably among the most widely supported cards on the market and are very cheap, with the average price around $5 on the Internet.
A few things to note. The minimum required for this firewall/router is two NICs; you can use more than two, for example if you have two Internet connections coming in (say a cable modem and a DSL line) you can use both by creating a second WAN interface, but since not many people will use this setup we won’t cover it here. Another thing to note is that since this is not just a firewall but also a router, depending on your needs you can get rid of whatever SOHO router you currently use or were thinking about getting. If you wish to keep or add Wi-Fi to your network, you can either purchase a wireless access point such as the Linksys WAP54G, or, if you already have a SOHO router, configure it to run in bridge mode, which turns off all of its routing functions and only provides wireless access.
With all of that said, this setup is so robust that you can add more than one NIC on the LAN side (inside your network), each on a different subnet, and use static routes to determine how traffic moves across your network. This setup is useful if you would like to separate your workstations from your servers, putting workstations, printers, etc. on one subnet, e.g. 172.168.0.0, and your servers on 172.10.0.0. Again, while this is an option, most people will not use it, so we will not cover it here.
Now let’s take a look at the software itself. As I said, we will be using pfSense, which is a spin-off of the m0n0wall project and is also made by the same person. The two are very similar, but we chose pfSense because we like it a little more than m0n0wall. Here is the basic information, starting with the system requirements:
Minimum Hardware Requirements
The following outlines the minimum hardware requirements for pfSense 1.2. Note the minimum requirements are not suitable for all environments; see the Hardware Sizing Guidance page for information.
• CPU – 100 MHz Pentium
• RAM – 128 MB
Requirements specific to individual platforms follow.
Live CD
• CD-ROM drive
• USB flash drive or floppy drive to hold configuration file
Hard drive installation
• CD-ROM for initial installation
• 1 GB hard drive
Embedded
• 128 MB Compact Flash card
• Serial port for console
As you can see this is a very lightweight install. I have already listed some of the features of the firewall, but there are tons that I didn’t even touch, so here is a full rundown directly from the pfSense website:
Features
pfSense includes most all the features in expensive commercial firewalls, and more in many cases. The following is a list of features currently available in the pfSense 1.2 release. All of these things are possible in the web interface, without touching anything at the command line.
In addition to features, this page also includes all limitations of the system of which we are aware. From our experience and the contributed experiences of thousands of our users, we understand very well what the software can and cannot do. Every software package has limitations. Where we differ from most is we clearly communicate them. We also welcome people to contribute to help eliminate these limitations. Many of the listed limitations are common to numerous open source and commercial firewalls. 1.2 limitations already fixed in the code that will become the next major release will be noted.
Firewall
• Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
• Able to limit simultaneous connections on a per-rule basis
• pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the Operating System in use.
• Option to log or not log traffic matching each rule.
• Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
• Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
• Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
• Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
o Enabled in pfSense by default
o Can disable if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
• Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
Reporting and Monitoring
RRD Graphs
The RRD graphs in pfSense maintain historical information on the following.
• CPU utilization
• Total throughput
• Firewall states
• Individual throughput for all interfaces
• Packets per second rates for all interfaces
• WAN interface gateway(s) ping response times
• Traffic shaper queues on systems with traffic shaping enabled
Real Time Information
Historical information is important, but sometimes it’s more important to see real time information.
SVG graphs are available that show real time throughput for each interface.
For traffic shaper users, the Status -> Queues screen provides a real time display of queue usage using AJAX updated gauges.
The front page includes AJAX gauges for display of real time CPU, memory, swap and disk usage, and state table size.
Dynamic DNS
A Dynamic DNS client is included to allow you to register your public IP with a number of dynamic DNS service providers.
• DynDNS
• DHS
• DyNS
• easyDNS
• No-IP
• ODS.org
• ZoneEdit
A client is also available for RFC 2136 dynamic DNS updates, for use with DNS servers like BIND which support this means of updating.
Limitations
• Only works on primary WAN interface – multi-WAN support is available in 2.0.
• Can only update one account with a single provider. 2.0 enables the use of unlimited accounts.
• Only works when pfSense has the public IP assigned to one of its interfaces. If you have a modem that obtains your public IP and gives pfSense a private IP, the private IP will be registered with the provider. In 2.0, there is an option to determine your actual public IP and correctly register it.
Captive Portal
Captive portal allows you to force authentication, or redirection to a click through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access. For more information on captive portal technology in general, see the Wikipedia article on the topic. The following is a list of features in the pfSense Captive Portal.
• Maximum concurrent connections – Limit the number of connections to the portal itself per client IP. This feature prevents a denial of service from client PCs sending network traffic repeatedly without authenticating or clicking through the splash page.
• Idle timeout – Disconnect clients who are idle for more than the defined number of minutes.
• Hard timeout – Force a disconnect of all clients after the defined number of minutes.
• Logon pop up window – Option to pop up a window with a log off button.
• URL Redirection – after authenticating or clicking through the captive portal, users can be forcefully redirected to the defined URL.
• MAC filtering – by default, pfSense filters using MAC addresses. If you have a subnet behind a router on a captive portal enabled interface, every machine behind the router will be authorized after one user is authorized. MAC filtering can be disabled for these scenarios.
• Authentication options – There are three authentication options available.
o No authentication – This means the user just clicks through your portal page without entering credentials.
o Local user manager – A local user database can be configured and used for authentication.
o RADIUS authentication – This is the preferred authentication method for corporate environments and ISPs. It can be used to authenticate from Microsoft Active Directory and numerous other RADIUS servers.
• RADIUS capabilities
o Forced re-authentication
o Able to send Accounting updates
o RADIUS MAC authentication allows captive portal to authenticate to a RADIUS server using the client’s MAC address as the user name and password.
o Allows configuration of redundant RADIUS servers.
• HTTP or HTTPS – The portal page can be configured to use either HTTP or HTTPS.
• Pass-through MAC and IP addresses – MAC and IP addresses can be white listed to bypass the portal. Any machines with NAT port forwards will need to be bypassed so the reply traffic does not hit the portal. You may wish to exclude some machines for other reasons.
• File Manager – This allows you to upload images for use in your portal pages.
Limitations
• Can only run on one interface simultaneously.
• “Reverse” portal, i.e. capturing traffic originating from the Internet and entering your network, is not possible.
• Only entire IP and MAC addresses can be excluded from the portal, not individual protocols and ports.
• Currently not compatible with multi-WAN rules. We hope this will be resolved in 2.0.
DHCP Server and Relay
pfSense includes both DHCP Server and Relay functionality.
And More…
This is by no means a conclusive list. It will be expanded as time permits.
Now that’s a lot of stuff!
Let’s start with the install process. Start by downloading the image from the website and burning it using your favorite program (we like PowerISO and MagicISO). When you are finished burning the CD, go to the machine that will become your firewall and start it up. Enter the BIOS by pressing the appropriate key, usually Delete or F1, but this may differ depending on the manufacturer of the BIOS; for us, since it’s a Dell, we know that it’s F2. Change the boot order to make the CD-ROM/DVD-ROM the first boot device. Hit Escape, then select “save and exit”; while the machine restarts, put the CD containing the firewall image in the drive and wait for it to boot. Assuming you did everything correctly to this point, you should be greeted with the following screen.

Press 1, then hit Enter, and you will see the files being loaded that allow the system to run.

Next you will be asked whether you want to create VLANs. This is optional and will not be covered, so select ‘n’ and hit Enter.

This is the screen that allows you to configure your network cards. The system displays all the detected cards (hopefully I didn’t have to tell you to install the cards in the computer!), in our case em0 and em1, but the interface designations can be different; for instance, we have seen the cards identified as “xl0” and “xl1”. At the bottom it will ask you to select your LAN interface or press ‘a’ to auto-detect, but I have never gotten the auto-detect to work, so we will do it manually. It doesn’t matter which card you assign to which role, but generally the way we do it is that the ‘zero’ card is the one we use for the WAN side (it is normally the top card in the PCI slots, the one closest to the CPU) and the ‘one’ card becomes the LAN card.

So go ahead and assign your first card, ‘em1’ in our case, as the LAN interface and press Enter.
Now you will be asked to select your WAN interface, which will be ‘em0’.

The next step asks if you want to add an optional interface; since we are only using two cards, we will just hit Enter to skip this step.

Before everything is committed you will be given a summary of everything that will be added to the configuration; go ahead and hit ‘y’, then Enter.

Now all of the settings will be created and saved.

You will then be brought back to the menu screen, but this time you will have a few more options.

Before we touch any of the other settings we will first assign the IP addressing scheme for the LAN side. Note that this step is only necessary if you plan on using the firewall as a router with DHCP and are not using another DHCP server such as a SOHO router.
With that said, choose option ‘2’ and you will be asked to assign a LAN IP address. Since we will be using it as a router, we will choose the subnet and the first available address, which is one, so our address will be 172.168.10.1. You will then be asked for the subnet mask; just because we felt like it, we chose /16, which is the same as 255.255.0.0. The standard mask for SOHO systems is /24 or 255.255.255.0, which is what store-bought SOHO routers use. This doesn’t really matter for a small setup like this: the 172.168.10.0 to 172.168.10.255 range alone has room for up to 253 hosts (computers), and in actuality this /16 subnet can support up to 65,536 hosts, a number that a small business of 50 or even as many as 100 people will not use.
In the next step you will be asked whether you want to turn on DHCP. Since we want that, select ‘y’, then Enter.

You will then be asked to choose the starting and ending range for the DHCP pool. Since I don’t anticipate needing more than 148 addresses in the DHCP pool, I set the range to .2 to .150.

Bear in mind that this is only the range of IP addresses that can be dynamically assigned; you are still able to use the rest of the addresses for static addresses, but since this can cause conflicts I recommend you only assign static addresses from the .151 to .254 range (note you cannot assign .0 or .255, as these are reserved for special functions). After some more processing you will be brought back to the menu.
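To sanity-check a LAN addressing plan like the one above before committing it at the console, here is an added Python example (not part of this article or of pfSense). It takes the article's values (172.168.10.1/16, DHCP pool .2 to .150, static hosts .151 to .254), reports the real network, broadcast and host count for the chosen prefix, and flags overlaps and any LAN subnet that is not RFC 1918 private space:

```python
import ipaddress

# Plan from the article's walkthrough (constructed input, not a live config).
LAN_ADDRESS, PREFIX_LEN = "172.168.10.1", 16
DHCP_POOL = ("172.168.10.2", "172.168.10.150")
STATIC_RANGE = ("172.168.10.151", "172.168.10.254")


def check_plan(lan_ip, prefix, dhcp_pool, static_range):
    """Return the subnet facts and a list of problems with the addressing plan."""
    net = ipaddress.ip_network(f"{lan_ip}/{prefix}", strict=False)
    fw = ipaddress.ip_address(lan_ip)
    d0, d1 = map(ipaddress.ip_address, dhcp_pool)
    s0, s1 = map(ipaddress.ip_address, static_range)
    problems = []

    # RFC 1918 space is 10/8, 172.16/12 and 192.168/16; anything else on the
    # LAN side shadows real Internet prefixes behind the NAT.
    if not net.is_private:
        problems.append(f"{net} is not RFC 1918 private space")
    # Every address in the plan must lie inside the LAN subnet.
    for a in (fw, d0, d1, s0, s1):
        if a not in net:
            problems.append(f"{a} is outside {net}")
    # The firewall's own address must not sit inside the DHCP pool.
    if d0 <= fw <= d1:
        problems.append(f"firewall address {fw} lies inside the DHCP pool")
    # Pool and static range must not overlap, or leases collide with fixed hosts.
    if d0 <= s1 and s0 <= d1:
        problems.append("DHCP pool and static range overlap")
    # .0 and .255 are only off limits when they are the network/broadcast
    # address of the chosen prefix, which for a /16 is x.y.0.0 and x.y.255.255.
    for a in (d0, d1, s0, s1):
        if a in (net.network_address, net.broadcast_address):
            problems.append(f"{a} is the network or broadcast address")

    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
        "dhcp_leases": int(d1) - int(d0) + 1,
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in check_plan(LAN_ADDRESS, PREFIX_LEN, DHCP_POOL, STATIC_RANGE).items():
        print(f"{key}: {value}")
```

Run as shown it flags 172.168.0.0/16 as non-private, since RFC 1918 only reserves 172.16.0.0 through 172.31.255.255 in that block; a 192.168.x.0/24 plan with the same layout passes cleanly.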

This is the end of the initial setup phase. The firewall is functional and will run, but only from the CD. The next step is to install the OS on the local hard drive. Press 99, then accept all the defaults as you are moved through the installation menus. Once the install is done, simply remove your CD and reboot the computer. You can now access the WebGUI through the IP address that you specified, for example 192.168.1.1.