32 Network Hardening – pfSense Internet
Dante Rocca; Mathew J. Heath Van Horn, PhD; and Jacob Christensen
The previous chapter had you add a pfSense server and configure the Intranet side to allow some normal network traffic on the network. This chapter specifically addresses the firewall configurations to access the outside Internet.
Learning Objectives
- Allow internet hosts to reach the DMZ without reaching the LAN
Prerequisites
Deliverables
- Screenshot of NAT rules
- Screenshot of Ubuntu Server webpage accessed from internet host
Resources
- We consolidated information from a wide variety of resources. However, three sources stand out as being particularly helpful to this lab and we want to recognize them here:
- Saifudeen Sidheeq – “How to Configure PfSense DMZ Setup? | Step by Step” – https://getlabsdone.com/how-to-configure-pfsense-dmz-setup/
- Frank at WunderTech – “How to Set Up a DMZ in pfSense” – https://www.wundertech.net/how-to-set-up-a-dmz-in-pfsense/
- Nikhath K – “pFSense DMZ Setup Guide” – https://bobcares.com/blog/pfsense-dmz-setup/
Contributors and Testers
- Julian Romano, Cybersecurity Student, ERAU-Prescott
- Jungsoo Noh, Cybersecurity Student, ERAU-Prescott
Phase I – Setting up the Lab
We are going to take up where we left off with the following lab configuration. Make sure you completed the previous lab before starting on this one!
Phase II – Allow Inbound Access
The whole point of having a web server is to allow visitors from the Internet to access the information you placed on the web server. Our internal users can reach the web service, which can be useful, but potential Internet visitors cannot. We are going to make some assumptions and declare our public IP address as 192.168.122.X (replace X with whatever address DHCP assigned you) and our private webserver IP address as 20.0.0.5. We need to forward traffic from the public interface to our internal machine.
- Open GNS3
- Create a new project: LAB_17
- Open the pfsense GUI from the Management Desktop
NOTE: As a reminder the default username is admin and the default password is pfsense.
- Due to the way GNS3 works we will need to allow private networks in the firewall (Figure 2)
- Go to Interfaces–>ISP
- Scroll down in this page and uncheck Block private networks and loopback addresses and uncheck Block bogon networks
NOTE: This isn’t something you would do on a real network. A “bogon” is jargon for a bogus network meaning that it is an IP that has not been delegated by the IANA yet. Both of these rules are set by default to prevent malicious actors who pretend to be from a non-existent network from getting traffic through the firewall.
- Save and Apply Changes
- Now we will utilize port forwarding in order to allow the External PC to access the webserver
- In pfSense, navigate to Firewall–>NAT–>Port Forward
- Click Add and set the following values (Figure 3)
Option Value Interface ISP Address Family IPv4 Protocol TCP Destination ISP address Destination Port Range From/To Port: HTTP Redirect Target IP Single host: 20.0.0.5 (replace with webserver IP) Redirect Target Port HTTP Description Allow ISP to reach DMZ - Save and Apply Changes
- A new firewall rule should be automatically created to pass HTTP traffic to the DMZ (Figure 4)
- Test to make sure that you can access the webserver
- From the external PC, open Firefox and go to the address http://192.168.122.66:80 (replace with the IP address of your ISP interface)
- You should see the webserver’s webpage
NOTE: If you are having trouble getting this to work…
1. Double-check your IP address assignments
2. Verify that the Apache2 service is online on the webserver
3. Double-check that the Port Forwarding rules match Step 4 and the figure provided
4. Double-check that pfSense accepts WAN–>DMZ HTTP traffic to pass through the firewall
Congratulations! Users from the Internet can reach your webserver!
End of Lab
Deliverables
2 Screenshots are needed to earn credit for this exercise:
- Screenshot of NAT rules
- Screenshot of Ubuntu Server webpage accessed from internet host
Homework
Assignment 1 – Merging with another organization
The CIO has come down and said we can no longer use the IP space 10.x.x.x/24 for our internal (BLUE) network, nor can we continue to use 99.x.x.x/24 for our management LAN. Your job is to change the environment to use new IP spaces for the BLUE LAN and the MANAGEMENT LAN.
RECOMMENDED GRADING CRITERIA:
- Screenshot of the GNS3 workspace with all devices placed and labeled (Phase II)
- Screenshot of the pfSense services dashboard after DHCP has been set up (Phase III)
- Screenshot of the web server successfully pinging a LAN PC and the Management PC (Phase IV)
- Screenshot of the 3 rules for the DMZ (Phase VII)
Assignment 2 – Verify the new network space by running network scans
- Import a Kali Linux VM into the GNS3 environment. Use the same network settings as the other devices used in this chapter.
- Attach a cable from the Kali machine to a switch and run nmap looking for active IP addresses and open ports. (type man nmap at the command prompt to read instructions about using nmap)
- Screenshot of ISP switch
- Screenshot of Management Switch
- Screenshot of DMZ switch
- Screenshot of LAN Switch
RECOMMENDED GRADING CRITERIA:
- four screenshots
- ISP has no open ports
- Management has open ports
- DMZ has open ports
- LAN has open ports