32 Network Hardening – pfSense Internet

Dante Rocca; Mathew J. Heath Van Horn, PhD; and Jacob Christensen

The previous chapter had you add a pfSense server and configure the Intranet side to allow some normal network traffic on the network.  This chapter specifically addresses the firewall configurations to access the outside Internet.

Learning Objectives

  • Allow internet hosts to reach the DMZ without reaching the LAN

Prerequisites

Deliverables

  • Screenshot of NAT rules
  • Screenshot of Ubuntu Server webpage accessed from internet host

Resources

Contributors and Testers

  • Julian Romano, Cybersecurity Student, ERAU-Prescott
  • Jungsoo Noh, Cybersecurity Student, ERAU-Prescott

Phase I – Setting up the Lab

We are going to take up where we left off with the following lab configuration.  Make sure you completed the previous lab before starting on this one!

gns3
Figure 1 – Final GNS3 network

Phase II – Allow Inbound Access

The whole point of having a web server is to allow visitors from the Internet to access the information you placed on the web server. Our internal users can reach the web service, which can be useful, but potential Internet visitors cannot. We are going to make some assumptions and declare our public IP address as 192.168.122.X (replace X with whatever address DHCP assigned you) and our private webserver IP address as 20.0.0.5.  We need to forward traffic from the public interface to our internal machine.

  1. Open GNS3
    1. Create a new project: LAB_17
  2. Open the pfsense GUI from the Management Desktop

    NOTE: As a reminder the default username is admin and the default password is pfsense.

  3. Due to the way GNS3 works we will need to allow private networks in the firewall (Figure 2)
    1. Go to Interfaces–>ISP
    2. Scroll down in this page and uncheck Block private networks and loopback addresses and uncheck Block bogon networks

      NOTE: This isn’t something you would do on a real network. A “bogon” is jargon for a bogus network meaning that it is an IP that has not been delegated by the IANA yet. Both of these rules are set by default to prevent malicious actors who pretend to be from a non-existent network from getting traffic through the firewall.

    3. Save and Apply Changes
  4. Now we will utilize port forwarding in order to allow the External PC to access the webserver
    1. In pfSense, navigate to Firewall–>NAT–>Port Forward
    2. Click Add and set the following values (Figure 3)
      Option Value
      Interface ISP
      Address Family IPv4
      Protocol TCP
      Destination ISP address
      Destination Port Range From/To Port: HTTP
      Redirect Target IP Single host: 20.0.0.5 (replace with webserver IP)
      Redirect Target Port HTTP
      Description Allow ISP to reach DMZ
    3. Save and Apply Changes
  5. A new firewall rule should be automatically created to pass HTTP traffic to the DMZ (Figure 4)
  6. Test to make sure that you can access the webserver
    1. From the external PC, open Firefox and go to the address http://192.168.122.66:80 (replace with the IP address of your ISP interface)
    2. You should see the webserver’s webpage
      default webpage
      Figure 5 – Successful connection from external PC to webserver

      NOTE: If you are having trouble getting this to work…

      1. Double-check your IP address assignments

      2. Verify that the Apache2 service is online on the webserver

      3. Double-check that the Port Forwarding rules match Step 4 and the figure provided

      4. Double-check that pfSense accepts WAN–>DMZ HTTP traffic to pass through the firewall

Congratulations! Users from the Internet can reach your webserver!

End of Lab

Deliverables

2 Screenshots are needed to earn credit for this exercise:

  • Screenshot of NAT rules
  • Screenshot of Ubuntu Server webpage accessed from internet host

Homework

Assignment 1 – Merging with another organization

The CIO has come down and said we can no longer use the IP space 10.x.x.x/24 for our internal (BLUE) network, nor can we continue to use 99.x.x.x/24 for our management LAN.  Your job is to change the environment to use new IP spaces for the BLUE LAN and the MANAGEMENT LAN.

RECOMMENDED GRADING CRITERIA:

  • Screenshot of the GNS3 workspace with all devices placed and labeled (Phase II)
  • Screenshot of the pfSense services dashboard after DHCP has been set up (Phase III)
  • Screenshot of the web server successfully pinging a LAN PC and the Management PC (Phase IV)
  • Screenshot of the 3 rules for the DMZ (Phase VII)

Assignment 2 – Verify the new network space by running network scans

  • Import a Kali Linux VM into the GNS3 environment.  Use the same network settings as the other devices used in this chapter.
  • Attach a cable from the Kali machine to a switch and run nmap looking for active IP addresses and open ports. (type man nmap at the command prompt to read instructions about using nmap)
    • Screenshot of ISP switch
    • Screenshot of Management Switch
    • Screenshot of DMZ switch
    • Screenshot of LAN Switch

RECOMMENDED GRADING CRITERIA:

  • four screenshots
    • ISP has no open ports
    • Management has open ports
    • DMZ has open ports
    • LAN has open ports
Figures for the Printed Version
pfsense login
Figure 2 – Allow all IP address spaces
pfsense login
Figure 3 – pfSense port forwarding configuration
pfsense login
Figure 4 – New firewall added to ISP interface

License

Icon for the Creative Commons Attribution 4.0 International License

Mastering Enterprise Networks Copyright © 2024 by Mathew J. Heath Van Horn is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book