
BACHKHOA-NPOWER INTERNATIONAL NETWORK EXPERT TRAINING SYSTEM -----o0o---- COURSE COMPLETION PROJECT: CompTIA Security+ Certification

An Introduction to the pfSense Firewall


Supervising lecturer: V QU HA. Students: L vn Hunh, Nghim Bo Trung. Class: S0808H

Table of Contents

I. Introduction to the pfSense Firewall
II. Installing and Configuring pfSense
  1. Installing pfSense
  2. Configuring the network interfaces of the pfSense machine
  3. Setting the IP address and DHCP for the internal LAN
  4. Configuring pfSense through the web interface (WebGUI)
  5. Installing Packages
  5. Backup and Recovery
III. Some basic pfSense features and services
  1. pfSense firewall features
  1.2 NAT
  1.3 Firewall Rules
  1.4 Firewall Schedules
  1.5 Traffic shaper
  1.6 Virtual IPs
  2. Some pfSense services
  2.1 Captive portal
  2.2 DHCP Server
  2.3 Load Balancer
  3. VPN on pfSense
  3.1 PPTP VPN
  3.2 OpenVPN Site to Site
III. Deploying a Front-End/Back-End network model
IV. Remarks

I. Introduction to the pfSense Firewall


To protect the internal network we have several options, such as using a Cisco router or a Microsoft firewall such as ISA. However, those components are relatively expensive. For users who do not want to spend money but still want a firewall protecting the internal network (the LAN) when it communicates with the outside network (the Internet), pfSense is an economical and reasonably effective solution. pfSense is a free, powerful routing and firewall application that lets you extend your network without compromising security. Started in 2004, when m0n0wall (a security project focused on embedded systems) was still in its infancy, pfSense has since had more than 1 million downloads and is used to protect networks of all sizes, from home networks to large corporate networks. The application has a very active development community, and many features are added in each release to further improve its security, stability and flexibility.

pfSense includes many features you would normally find on commercial firewall or router appliances, such as a web-based GUI that makes management easy. While this free software has many features that are impressive for a free firewall/router, it also has some limitations. pfSense supports filtering by source and destination address, source or destination port, or IP address. It also supports policy routing and can operate in bridge or transparent mode, which lets you simply place pfSense between network devices without any additional configuration. pfSense provides network address translation (NAT) and port forwarding, but it still has some limitations with Point-to-Point Tunneling Protocol (PPTP), Generic Routing Encapsulation (GRE) and Session Initiation Protocol (SIP) when NAT is used. pfSense is based on FreeBSD and on FreeBSD's Common Address Redundancy Protocol (CARP), which provides redundancy by letting administrators group two or more firewalls into an automatic failover group. Because it supports multiple wide area network (WAN) connections, it can perform load balancing. One limitation, however, is that it can only balance traffic across two WAN connections, and you cannot direct specific traffic through one particular connection.

II. Installing and Configuring pfSense


1. Installing pfSense

On the computer that will run pfSense, insert the pfSense LiveCD Installer disc into the CD/DVD drive to start the installation.

The "Welcome to FreeBSD!" screen appears.

Choose 99 to begin installing pfSense to the computer.

Choose "Accept these settings" to accept the pfSense installation settings.

Choose Quick/Easy Install or Custom Install to install to the hard disk.

The pfSense text-mode console after the installation completes.

2. Configuring the network interfaces of the pfSense machine

At "Enter an option:" choose 1 to start assigning the interfaces. When asked "Do you want to set up VLANs now?", choose N.

Use the MAC addresses to tell the internal and external network cards apart. Type le0 to assign the LAN interface and le1 to assign the WAN interface. If the machine has two WAN cards, also choose le2 for the WAN2 interface. Once the interfaces are assigned, leave the answer blank and press Enter when asked to "Enter the Optional ..." interface. Choose Y to proceed with the interface assignment.

The pfSense interface information after assignment.

3. Setting the IP address and DHCP for the internal LAN

To set the IP address of the LAN interface, choose 2, enter the IP you want, answer 24 at "Enter the new LAN subnet bit count:" and press Enter.

Choose Y to enable DHCP, which hands out IP addresses to the client machines (internal network). Define the IP range to be handed out to clients (in the figure, 10.0.0.10 to 10.0.0.100).

4. Configuring pfSense through the web interface (WebGUI)

On a client machine, open a browser, enter the internal IP of pfSense and log in with the default username and password: admin / pfsense

Click Next.

Enter the DNS servers for the pfSense machine, then Next.

Choose the time zone for pfSense, then Next.

On the WAN page you can choose among several connection types: Static, Dynamic Host Configuration Protocol (DHCP), Point-to-Point Protocol and PPPoE. Choose the type that matches what your ISP has configured.

LAN configuration is very simple. If you did not do it before installation, you only need to set the IP address.

Set a new admin password for access to pfSense.

The pfSense web-based configuration interface.

5. Installing Packages

If you need functionality beyond what the base pfSense installation provides, you can add packages from a selection of software.

Packages are installed with the Package Manager, found under the System menu. The Package Manager lists all available packages along with a short description of what each does. To install a package, click the "Add" icon on the right-hand side of the page.

Once the installation completes, the new package appears under "Installed packages" in the pfSense Package Manager.

Removing a pfSense package is just as easy. From the installed packages view, click the "Remove" icon on the right-hand side of the page. This launches the package installer, which shows the progress of the removal.

5. Backup and Recovery

To back up or restore the pfSense configuration, go to Diagnostics / Backup/restore.

Backing up or restoring the pfSense configuration is also straightforward. You only need to pick the configuration area to back up or restore: Aliases, NAT, traffic shaper, PPTP Server, system, and so on.

III. Some basic pfSense features and services

1. pfSense firewall features

1.1 pfSense Aliases

Aliases can save you a great deal of time if used correctly. A short alias name standing for a host, port or network can be used when creating rules in pfSense. Using aliases lets you keep many entries in one place, which means you do not need to create many rules for a group of machines or ports, and modifying rules becomes easier.

1.2 NAT

pfSense provides network address translation (NAT) and port forwarding, although it still has some limitations with Point-to-Point Tunneling Protocol (PPTP), Generic Routing Encapsulation (GRE) and Session Initiation Protocol (SIP) when NAT is used. Under Firewall you can also configure NAT settings if you need port forwarding for services, or configure static (1:1) NAT for specific hosts. The default NAT setting for outbound connections is automatic/dynamic, but you can switch it to manual if needed.

1.3 Firewall Rules

This is where the firewall rules are kept. To reach the rules, go to Firewall > Rules. By default pfSense allows all traffic in and out of the system, so you must create rules to control the network behind the firewall.

To add a new rule, click the + icon.

Example: create a rule that blocks web access over port 80 for the LAN machines in the alias named MayLan. After creating it, click Save and then Apply Changes.

1.4 Firewall Schedules

Firewall rules can be scheduled so that they are only active at certain times of day, on specific dates, or on certain days of the week.

To create a new schedule, go to Firewall > Schedules and click the + icon.

Example: create a schedule named GioLamViec for December, Monday to Saturday, from 8:00 to 17:00. After filling it in, click Add Time.

The detailed schedule you just defined appears below. Then click Save.
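As an added illustration (not part of the original report), the script below reads a constructed pfSense config.xml backup of the kind saved under Diagnostics / Backup/restore, expands the MayLan alias from the rule example above and lists every rule together with its schedule, flagging a rule whose schedule is missing from the backup. The element names (aliases/alias, filter/rule, sched) follow pfSense's config.xml layout as I understand it and are an assumption; the sample file and the schedule name "Ngoai" are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample backup: one host alias (MayLan), one schedule (GioLamViec)
# and two LAN rules. Element names assume pfSense's config.xml layout.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>MayLan</name><type>host</type>
      <address>10.0.0.10 10.0.0.11</address></alias>
  </aliases>
  <schedules><schedule><name>GioLamViec</name></schedule></schedules>
  <filter>
    <rule><type>block</type><interface>lan</interface><protocol>tcp</protocol>
      <source><address>MayLan</address></source>
      <destination><any/><port>80</port></destination>
      <sched>GioLamViec</sched></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination><sched>Ngoai</sched></rule>
  </filter>
</pfsense>"""

def load_aliases(root):
    """Map alias name -> member addresses (space separated in config.xml)."""
    return {a.findtext("name"): a.findtext("address", "").split()
            for a in root.iter("alias")}

def endpoint(elem, aliases):
    """Render a <source>/<destination> element, expanding alias references."""
    if elem.find("any") is not None:
        host = "any"
    elif elem.find("network") is not None:
        host = elem.findtext("network") + " subnet"
    else:
        addr = elem.findtext("address")
        host = "{" + ", ".join(aliases[addr]) + "}" if addr in aliases else addr
    port = elem.findtext("port")
    return host + (" port " + port if port else "")

def describe_rules(xml_text):
    """One readable line per filter rule, in first-match order; a rule whose
    schedule is absent from the backup is flagged MISSING."""
    root = ET.fromstring(xml_text)
    aliases = load_aliases(root)
    known = {s.findtext("name") for s in root.iter("schedule")}
    lines = []
    for r in root.find("filter").iter("rule"):
        line = "%s on %s %s from %s to %s" % (
            r.findtext("type"), r.findtext("interface"),
            r.findtext("protocol", "any"),
            endpoint(r.find("source"), aliases),
            endpoint(r.find("destination"), aliases))
        sched = r.findtext("sched")
        if sched:
            line += " [schedule %s%s]" % (sched, "" if sched in known else " MISSING")
        lines.append(line)
    return lines

if __name__ == "__main__":
    print("\n".join(describe_rules(SAMPLE_CONFIG)))
```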

1.5 Traffic shaper

The Traffic Shaper helps you monitor and manage network bandwidth more easily and effectively. Traffic shaping is a method of optimising the Internet connection: it maximises throughput while keeping latency to a minimum. When it is in use, ACK packets are prioritised on the upload link, which lets downloads continue at full speed. To configure the Traffic Shaper for bandwidth management, open the pfSense web interface and choose Firewall -> Traffic Shaper.

Click Next.

For Inside choose LAN and enter the download speed of the link; for Outside choose WAN and enter the upload speed of the link. Click Next.

Voice over IP support, then Next.

Click Next.

Peer-to-peer network support, for example BitTorrent, CuteMX and iMesh.

Gaming network support, for example BattleNET, Xbox 360 and some online games.

Bandwidth management for other applications such as Remote Service, VPN, Messengers, Web, Mail and Miscellaneous.

1.6 Virtual IPs

A Virtual IP (VIP) is any IP address used by pfSense that is not a primary interface address. There are several kinds, each suited to a different situation and with its own characteristics. Virtual IPs let pfSense correctly forward traffic for things like NAT port forwarding, outbound NAT and 1:1 NAT. They also enable features such as failover and can let services on the router bind to different IP addresses.

CARP
- Can be used by the firewall itself to run services, or be forwarded
- Generates layer 2 traffic for the VIP
- Can be used for clustering (master firewall and failover firewall)
- The VIP must be in the same IP subnet as the real interface
- Answers ICMP ping if allowed by the firewall rules

Proxy ARP
- Cannot be used by the firewall itself, but can be forwarded
- Generates layer 2 traffic for the VIP
- The VIP can be in a different subnet from the real interface IP
- Does not answer ICMP ping

Other
- Can be used if the routing in place delivers your VIP to you anyway, without needing layer 2 announcements
- Cannot be used by the firewall itself, but can be forwarded
- The VIP can be in a different subnet from the interface IP
- Does not answer ICMP ping

2. Some pfSense services


2.1 Captive portal

Captive portal is a flexible feature normally only found on large commercial firewalls. It redirects the user's browser to a predefined web page, which lets us manage users. It is more advanced than login methods such as WPA and WPA2 in that the user interacts directly with a web page (http, https) rather than the bare login prompt of WPA/WPA2 authentication. The captive portal feature is under Services / Captive portal.

The Captive portal page has these tabs:
- Captive portal: adjust the Captive Portal settings.
- Pass-through MAC: MAC addresses configured here are let through without authentication.
- Allowed IP address: IP addresses configured here are not authenticated.
- Users: create local users for the "local user" authentication type.
- File Manager: upload the captive portal page to pfSense.

Main options on the Captive portal tab:
- Enable captive portal: tick to turn on the captive portal.
- Maximum concurrent connections: limits the number of connections per IP/user/MAC.
- Idle timeout: if an IP has not accessed the network for the given time, the IP/user/MAC is disconnected.
- Hard timeout: limits the total connection time of each IP/user/MAC.
- Logout popup window: shows a popup notification to the IP/user/MAC.
- Redirect URL: the URL the user is sent to after logging in.
- MAC filtering: tick this if pfSense sits in front of a router. pfSense tracks connections by MAC address by default, and because traffic passing through a router has its MAC address changed, on a timeout all users would lose their connection.
- Authentication: choose the authentication type. pfSense supports 3 types:
  - No authentication: pfSense redirects users to a fixed page without authenticating them.
  - Local user manager: pfSense lets you create users for authentication.
  - Radius authentication: authenticate against a RADIUS server (you must give the RADIUS server's IP address, port, and so on).

Create a page named index.htm with the following content:

    <!-- pfSense replaces $PORTAL_ACTION$ with the portal's own login URL -->
    <form method="post" action="$PORTAL_ACTION$">
      <input name="auth_user" type="text">
      <input name="auth_pass" type="password">
      <!-- pfSense fills in the redirect target; it is posted back on login -->
      <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
      <input name="accept" type="submit" value="Continue">
    </form>

Then click Browse under "Portal page contents" and upload this file. Click Save to store it. Finally, create the users on the Users tab of the captive portal.

2.2 DHCP Server

The DHCP Server configures the TCP/IP network by automatically assigning IP addresses to clients when they join the network.

Although IP addresses can be assigned permanently to any computer on the network

2.3 Load Balancer

The pfSense load-balancing feature has the following characteristics.

Advantages:
- Free.
- Can be extended with add-on packages.
- Easy to install and configure.

Limitations:
- Extra modems must be bought if they are not already available.
- No vendor support, unlike other load-balancing appliances.
- Still lacks the URL filtering found in commercial appliances.
- Requires basic networking knowledge to configure.

To configure load balancing, go to Services -> Load Balancer and click the + button to add a pool.

Configure it as follows:
- Name: LoadBalancer
- Type: Gateway
- Behavior: Load Balancing
- Monitor IP: for whichever gateway's monitor IP you pick, choose the matching Interface name and click "Add to pool".
Click Save and then Apply Changes.

Switch to the LAN rules tab and click + to add a rule: Action: Pass; Protocol: any; Gateway: LoadBalancer. Save and apply the rule. To check the result, go to Status / Load Balancer.

Both links are Online.

When one link is Offline.

3. VPN on pfSense

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users to a LAN at a central headquarters. Instead of fairly complex physical connections such as leased digital lines, a VPN creates virtual links carried over the Internet between an organisation's private network and the remote site or user.

3.1 PPTP VPN

To use this feature, go to VPN / PPTP.

Tick "Enable PPTP server" to turn on the VPN feature.
- Server address: the address the clients will connect to.
- Remote address range: the IP range assigned to VPN clients when they connect.
- RADIUS: authenticate through RADIUS.
Click Save and switch to the Users tab to create accounts.

After creating the user, go to Firewall > Rules.

Create a rule allowing VPN clients to reach the network.

On the VPN client, in Network Connections choose "Create a new connection".

Choose "Connect to the network at my workplace", then Next. Choose "Virtual Private Network connection", then Next.

Enter a name for the VPN connection, then Next. Enter the IP address of the VPN server, then Next.

Enter the username and password and click Connect.

3.2 OpenVPN Site to Site

Generate a shared key for pfSense: go to Diagnostics > Command and, under "Execute Shell command", run openvpn --genkey --secret /dev/stdout and click Execute.

To create the site-to-site connection, go to VPN / OpenVPN and on the Server tab click the + icon.

- Protocol: the protocol used for the VPN.
- Dynamic IP: allow clients to connect from a dynamic IP assigned by a DHCP server.
- Local Port: the port the OpenVPN server listens on; the default is 1194.
- Address pool: the addresses pfSense hands out to clients.
- Remote network: the network pfSense will connect to.
- Cryptography: choose the encryption method.
- Authentication method: Shared Key.
- Shared key: paste in the shared key generated on pfSense.
- LZO compression: compress packets with LZO when transferring data.
Click Save.

Create a rule on WAN allowing the OpenVPN connection.

On pfsense2, go to VPN / OpenVPN, choose the Client tab and click the + icon.

- Protocol: the protocol the server uses for the VPN.
- Server Address: the address of the OpenVPN server.
- Server port: the port configured for the VPN on pfSense1.
- Interface IP: the IP address the server will assign to the client.
- Remote network: the internal IP range of pfsense1.

Choose the encryption method, paste in the shared key of pfsense1 and click Save.

III. Deploying a Front-End/Back-End network model


The front-end/back-end network model helps the network resist attacks by hackers, keeps the data on the local network safe and makes it easy to manage traffic within the LAN. The model is highly secure, but the investment it requires is very expensive.

Requirements for the front-end/back-end model:
- Configure the Load Balancer service for WAN1 and WAN2
- Publish the Web Server
- Allow the XP machine to reach the Internet

Configuring the Load Balancer service

On Pfsense1 go to Services / Load Balancer and click + to start the configuration.

- Name: LoadBalancer
- Type: Gateway
- Behavior: Load Balancing
- Monitor IP and Interface Name must be chosen to match each other; for example, for WAN2's Gateway choose WAN2, then click Add to pool.
Click Save. Go to Status / Load Balancer to see the status of the service.

Publishing the Web Server

On Pfsense1 go to Firewall / NAT, Port Forward tab, and click + to add a NAT rule.

- External address: choose Interface address; if you also want to reach the web server from inside the LAN, you can choose any.
- Protocol: TCP
- External port range: HTTP
- NAT IP: the address of the Web Server
Tick "Auto-add a firewall rule to permit traffic through this NAT rule", then Save.

Allowing the XP2 machine to reach the Internet

On Pfsense1 go to Firewall / Aliases.

Create a new alias named Pfsense2, then create a rule allowing Pfsense2 out to the Internet:
- Action: Pass
- Interface: LAN
- Protocol: any
- Source: Single host or alias > Pfsense2
- Destination: any
- Gateway: default

On Pfsense2, create a rule allowing the machines on the LAN to browse the web:
- Action: Pass
- Interface: LAN
- Protocol: TCP
- Source: LAN subnet
- Destination: any
- Destination port range: HTTP
Click Save and test.

IV. Remarks

To protect the internal network we have several options, such as using a Cisco router or a Microsoft firewall such as ISA. However, those components are relatively expensive. For users who do not want to spend money but still want a firewall protecting the internal network (the LAN) when it communicates with the outside network (the Internet), pfSense is an economical and reasonably effective solution. Another important point is that installing, configuring and using pfSense does not demand the high hardware requirements of today's newer software: a P3 machine with 128 MB of RAM and a 1 GB hard disk is enough to build a pfSense firewall protecting the internal network. pfSense is a powerful routing and firewall application that lets you extend your network without compromising security. The software is compact, easy to configure through the web interface and, notably, can have packages installed to extend its features. The pfSense firewall can serve a small business network; it is easy to manage and offers many of the features found in commercial products. Nevertheless, some features used in large enterprises are still quite limited, so I do not recommend using it in such large environments. With its active development community, the project should address these issues as new features are added. You can safely add pfSense to the list of low-cost or free network firewall/router solutions under active development.
