
pfSense: The Definitive Guide
The Definitive Guide to the pfSense Open Source Firewall and Router Distribution
Christopher M. Buechler
Jim Pingle

pfSense: The Definitive Guide: The Definitive Guide to the pfSense Open Source Firewall and Router Distribution
by Christopher M. Buechler and Jim Pingle
Based on pfSense Version 1.2.3
Publication date 2009
Copyright 2009 Christopher M. Buechler

Abstract
The official guide to the pfSense open source firewall distribution.

All rights reserved.

Table of Contents

Foreword ... xxix
Preface ... xxxi
1. Authors ... xxxii
1.1. Chris Buechler ... xxxii
1.2. Jim Pingle ... xxxii
2. Acknowledgements ... xxxii
2.1. Book Cover Design ... xxxiii
2.2. pfSense Developers ... xxxiii
2.3. Personal Acknowledgements ... xxxiv
2.4. Reviewers ... xxxiv
3. Feedback ... xxxv
4. Typographic Conventions ... xxxv
1. Introduction ... 1
1.1. Project Inception ... 1
1.2. What does pfSense stand for/mean? ... 1
1.3. Why FreeBSD? ... 2
1.3.1. Wireless Support ... 2
1.3.2. Network Performance ... 2
1.3.3. Familiarity and ease of fork ... 2
1.3.4. Alternative Operating System Support ... 2
1.4. Common Deployments ... 3
1.4.1. Perimeter Firewall ... 3
1.4.2. LAN or WAN Router ... 3
1.4.3. Wireless Access Point ... 4
1.4.4. Special Purpose Appliances ... 4
1.5. Versions ... 5
1.5.1. 1.2.3 Release ... 5
1.5.2. 1.2, 1.2.1, 1.2.2 Releases ... 6
1.5.3. 1.0 Release ... 6
1.5.4. Snapshot Releases ... 6
1.5.5. 2.0 Release ... 6
1.6. Platforms ... 6
1.6.1. Live CD ... 7
1.6.2. Full Install ... 7
1.6.3. Embedded ... 7
1.7. Networking Concepts ... 8
1.7.1. Understanding Public and Private IP Addresses ... 8
1.7.2. IP Subnetting Concepts ... 10

1.7.3. IP Address, Subnet and Gateway Configuration
1.7.4. Understanding CIDR Subnet Mask Notation
1.7.5. CIDR Summarization
1.7.6. Broadcast Domains
1.8. Interface Naming Terminology
1.8.1. LAN
1.8.2. WAN
1.8.3. OPT
1.8.4. OPT WAN
1.8.5. DMZ
1.8.6. FreeBSD interface naming
1.9. Finding Information and Getting Help
1.9.1. Finding Information
1.9.2. Getting Help
2. Hardware
2.1. Hardware Compatibility
2.1.1. Network Adapters
2.2. Minimum Hardware Requirements
2.2.1. Base Requirements
2.2.2. Platform-Specific Requirements
2.3. Hardware Selection
2.3.1. Preventing hardware headaches
2.4. Hardware Sizing Guidance
2.4.1. Throughput Considerations
2.4.2. Feature Considerations
3. Installing and Upgrading
3.1. Downloading pfSense
3.1.1. Verifying the integrity of the download
3.2. Full Installation
3.2.1. Preparing the CD
3.2.2. Booting the CD
3.2.3. Assigning Interfaces
3.2.4. Installing to the Hard Drive
3.3. Embedded Installation
3.3.1. Embedded Installation in Windows
3.3.2. Embedded Installation in Linux
3.3.3. Embedded Installation in FreeBSD
3.3.4. Embedded Installation in Mac OS X
3.3.5. Completing the Embedded Installation
3.4. Alternate Installation Techniques
3.4.1. Installation with drive in a different machine

3.4.2. Full Installation in VMware with USB Redirection
3.4.3. Embedded Installation in VMware with USB Redirection
3.5. Installation Troubleshooting
3.5.1. Boot from Live CD Fails
3.5.2. Boot from hard drive after CD installation fails
3.5.3. Interface link up not detected
3.5.4. Hardware Troubleshooting
3.5.5. Embedded Boot Problems on ALIX Hardware
3.6. Recovery Installation
3.6.1. Pre-Flight Installer Configuration Recovery
3.6.2. Installed Configuration Recovery
3.6.3. WebGUI Recovery
3.7. Upgrading an Existing Installation
3.7.1. Make a Backup... and a Backup Plan
3.7.2. Upgrading an Embedded Install
3.7.3. Upgrading a Full Install
3.7.4. Upgrading a Live CD Install
4. Configuration
4.1. Connecting to the WebGUI
4.2. Setup Wizard
4.2.1. General Information Screen
4.2.2. NTP and Time Zone Configuration
4.2.3. WAN Configuration
4.2.4. LAN Interface Configuration
4.2.5. Set admin password
4.2.6. Completing the Setup Wizard
4.3. Interface Configuration
4.3.1. Assign interfaces
4.3.2. WAN Interface
4.3.3. LAN Interface
4.3.4. Optional Interfaces
4.4. General Configuration Options
4.5. Advanced Configuration Options
4.5.1. Serial Console
4.5.2. Secure Shell (SSH)
4.5.3. Shared Physical Network
4.5.4. IPv6
4.5.5. Filtering Bridge
4.5.6. WebGUI SSL certificate/key
4.5.7. Load Balancing
4.5.8. Miscellaneous

4.5.9. Traffic Shaper and Firewall Advanced
4.5.10. Network Address Translation
4.5.11. Hardware Options
4.6. Console Menu Basics
4.6.1. Assign Interfaces
4.6.2. Set LAN IP address
4.6.3. Reset webConfigurator password
4.6.4. Reset to factory defaults
4.6.5. Reboot system
4.6.6. Halt system
4.6.7. Ping host
4.6.8. Shell
4.6.9. PFtop
4.6.10. Filter Logs
4.6.11. Restart webConfigurator
4.6.12. pfSense Developer Shell (Formerly PHP shell)
4.6.13. Upgrade from console
4.6.14. Enable/Disable Secure Shell (sshd)
4.6.15. Move configuration file to removable device
4.7. Time Synchronization
4.7.1. Time Zones
4.7.2. Time Keeping Problems
4.8. Troubleshooting
4.8.1. Cannot access WebGUI from LAN
4.8.2. No Internet from LAN
4.9. pfSense's XML Configuration File
4.9.1. Manually editing your configuration
4.10. What to do if you get locked out of the WebGUI
4.10.1. Forgotten Password
4.10.2. Forgotten Password with a Locked Console
4.10.3. HTTP vs HTTPS Confusion
4.10.4. Blocked Access with Firewall Rules
4.10.5. Remotely Circumvent Firewall Lockout with Rules
4.10.6. Remotely Circumvent Firewall Lockout with SSH Tunneling
4.10.7. Locked Out Due to Squid Configuration Error
4.11. Final Configuration Thoughts
5. Backup and Recovery
5.1. Backup Strategies
5.2. Making Backups in the WebGUI
5.3. Using the AutoConfigBackup Package
5.3.1. Functionality and Benefits

5.3.2. pfSense Version Compatibility ... 91
5.3.3. Installation and Configuration ... 91
5.3.4. Bare Metal Restoration ... 92
5.3.5. Checking the AutoConfigBackup Status ... 93
5.4. Alternate Remote Backup Techniques ... 93
5.4.1. Pull with wget ... 93
5.4.2. Push with SCP ... 94
5.4.3. Basic SSH backup ... 94
5.5. Restoring from Backups ... 95
5.5.1. Restoring with the WebGUI ... 95
5.5.2. Restoring from the Config History ... 96
5.5.3. Restoring with PFI ... 96
5.5.4. Restoring by Mounting the CF/HDD ... 97
5.5.5. Rescue Config During Install ... 98
5.6. Backup Files and Directories with the Backup Package ... 98
5.6.1. Backing up RRD Data ... 98
5.6.2. Restoring RRD Data ... 98
5.7. Caveats and Gotchas ... 99
6. Firewall ... 100
6.1. Firewalling Fundamentals ... 100
6.1.1. Basic terminology ... 100
6.1.2. Stateful Filtering ... 100
6.1.3. Ingress Filtering ... 101
6.1.4. Egress Filtering ... 101
6.1.5. Block vs. Reject ... 104
6.2. Introduction to the Firewall Rules screen ... 105
6.2.1. Adding a firewall rule ... 107
6.2.2. Editing Firewall Rules ... 107
6.2.3. Moving Firewall Rules ... 107
6.2.4. Deleting Firewall Rules ... 108
6.3. Aliases ... 108
6.3.1. Configuring Aliases ... 108
6.3.2. Using Aliases ... 109
6.3.3. Alias Enhancements in 2.0 ... 111
6.4. Firewall Rule Best Practices ... 112
6.4.1. Default Deny ... 112
6.4.2. Keep it short ... 112
6.4.3. Review your Rules ... 112
6.4.4. Document your Configuration ... 113
6.4.5. Reducing Log Noise ... 113
6.4.6. Logging Practices ... 114

6.5. Rule Methodology
6.5.1. Automatically Added Firewall Rules
6.6. Configuring firewall rules
6.6.1. Action
6.6.2. Disabled
6.6.3. Interface
6.6.4. Protocol
6.6.5. Source
6.6.6. Source OS
6.6.7. Destination
6.6.8. Log
6.6.9. Advanced Options
6.6.10. State Type
6.6.11. No XML-RPC Sync
6.6.12. Schedule
6.6.13. Gateway
6.6.14. Description
6.7. Methods of Using Additional Public IPs
6.7.1. Choosing between routing, bridging, and NAT
6.8. Virtual IPs
6.8.1. Proxy ARP
6.8.2. CARP
6.8.3. Other
6.9. Time Based Rules
6.9.1. Time Based Rules Logic
6.9.2. Time Based Rules Caveats
6.9.3. Configuring Schedules for Time Based Rules
6.10. Viewing the Firewall Logs
6.10.1. Viewing in the WebGUI
6.10.2. Viewing from the Console Menu
6.10.3. Viewing from the Shell
6.10.4. Why do I sometimes see blocked log entries for legitimate connections?
6.11. Troubleshooting Firewall Rules
6.11.1. Check your logs
6.11.2. Review rule parameters
6.11.3. Review rule ordering
6.11.4. Rules and interfaces
6.11.5. Enable rule logging
6.11.6. Troubleshooting with packet captures
7. Network Address Translation

7.1. Default NAT Configuration
7.1.1. Default Outbound NAT Configuration
7.1.2. Default Inbound NAT Configuration
7.2. Port Forwards
7.2.1. Risks of Port Forwarding
7.2.2. Port Forwarding and Local Services
7.2.3. Adding Port Forwards
7.2.4. Port Forward Limitations
7.2.5. Service Self-Configuration With UPnP
7.2.6. Traffic Redirection with Port Forwards
7.3. 1:1 NAT
7.3.1. Risks of 1:1 NAT
7.3.2. Configuring 1:1 NAT
7.3.3. 1:1 NAT on the WAN IP, aka "DMZ" on Linksys
7.4. Ordering of NAT and Firewall Processing
7.4.1. Extrapolating to additional interfaces
7.4.2. Rules for NAT
7.5. NAT Reflection
7.5.1. Configuring and Using NAT Reflection
7.5.2. Split DNS
7.6. Outbound NAT
7.6.1. Default Outbound NAT Rules
7.6.2. Static Port
7.6.3. Disabling Outbound NAT
7.7. Choosing a NAT Configuration
7.7.1. Single Public IP per WAN
7.7.2. Multiple Public IPs per WAN
7.8. NAT and Protocol Compatibility
7.8.1. FTP
7.8.2. TFTP
7.8.3. PPTP / GRE
7.8.4. Online Games
7.9. Troubleshooting
7.9.1. Port Forward Troubleshooting
7.9.2. NAT Reflection Troubleshooting
7.9.3. Outbound NAT Troubleshooting
8. Routing
8.1. Static Routes
8.1.1. Example static route
8.1.2. Bypass Firewall Rules for Traffic on Same Interface
8.1.3. ICMP Redirects

8.2. Routing Public IPs
8.2.1. IP Assignments
8.2.2. Interface Configuration
8.2.3. NAT Configuration
8.2.4. Firewall Rule Configuration
8.3. Routing Protocols
8.3.1. RIP
8.3.2. BGP
8.4. Route Troubleshooting
8.4.1. Viewing Routes
8.4.2. Using traceroute
8.4.3. Routes and VPNs
9. Bridging
9.1. Bridging and Layer 2 Loops