Today I would like to share some of my experiences with you in regards to firewalls, as this is an area of computing that is often overlooked. Far too many people rely simply on the Windows firewall and whatever filtering is done by your router. You’re being left in the dark about what is actually being filtered or done, can you even trust this? I hope after today I can help you take more control over your own network and its security.
Why Use a Custom Firewall
Not being able to set up my own options with Windows and a router’s basic firewall doesn’t work for me as I require more control. I require a solution that allows me to turn the knobs and push the buttons. Any solution that I don’t have the final say over just doesn’t work for me. Hopefully today you will see why I feel that way, for those of you who feel the same or would just like to have improved security over the basic router/Windows firewall. This might just be the solution you are looking for.
Firewall Requirements: Hardware and Software
What I plan to show is the basic hardware required to run your own Personal Firewall along with how simple this is to actually set up. The OS of choice is FreeBSD. Now, before I scare anyone off: don’t panic. If you have never stepped outside of the Windows world before, or live in your walled fruit garden, that is okay. We are going to be using a project that has dedicated itself to this cause, and unlike some people in the *NIX world they make a product that is easy to use and just works.
This project is called pfSense. The developers for the project have done an excellent job: gone are the days of fighting with the shell and manually editing iptables. With the recent release of version 2.0-RC1 they have even cut the install time down to answering a few simple questions so you can be up and running in minutes.
My main focus and what I will be setting up / touching on is :
- DCHP server
- DNS forwarder
- Network monitoring / management
- Port Forwarding
- Proxy Server
- Spam Block
- Whitelist and blacklist filtering
- Web content filtering
- Probably do a lot more for you too
To carry on forward, I will be breaking this down into:
- Hardware I used for this build / ideas for what you should be using.
- Installation of the OS and preparing for remote management
- Basic configuration
- Expanding the firewall’s capabilities through packages
The actual hardware requirements are not all that high and many of you will be able to setup your own pfSense firewall with some of the hardware that has been collecting dust for years. In fact, this is something I do recommend if you are on the fence about a project like this. It allows you to get your feet wet without spending a nickel. But, do check to ensure FreeBSD 8.1 support for your hardware if you have something rare. In my case, I did need a hardware upgrade since my ISP just increased my speeds. I have been using an 8 year old VIA C3 Nehemiah core at 1 GHz. Do not let this clock speed fool you: VIA C3’s have a very low IPC and this was, performance wise, somewhere between a 500 MHz Celeron and 500 MHz Pentium III.
That little low power VIA C3 worked great for years, but I have to move on as 15Mbps/1Mbps internet is now a thing of the past. With my new 25Mbps/2.5Mbps connection the VIA setup just couldn’t handle the load if I used the full potential of my connection under certain conditions. The biggest example would be P2P while moving more than 20Mbps; the internet would grind to a halt for everyone else and I could not even connect to the box. This worries me, as my ISP will be moving the 25/2.5 package to a 50/5 this Fall. This is not to mention that 250/15 is becoming available and looking like an attractive upgrade. So with that said, I went out and bought some new hardware.
What I ended up picking up was a Super Micro X7SPA-H-D525. In plain English, it’s an Intel Atom D525 (1.8 GHz dual core) board, with two integrated Intel Network Interface Cards (NICs). Another great feature is that it is passively cooled; silent computing is good computing. Feel free to check out the specs on your own, but for this project the dual NICs and that fact they are Intel makes this board a killer product. If I had to buy a NIC, a server Intel is the way to go.
You should note that I did consider an AMD E-350 and I also waited to see what the new VIA Nano x2 would look like before I pulled the trigger on this Atom board. AMD, if you are listening, you need some more dual NIC’s on the market or you are not an option at all. VIA, what happened to you and low power? Oh how times have changed.
The first thing I noticed when I received this board is the box it came in. Can you see below how it’s for a completely differently product? SuperMicro’s target audience is servers and high end workstations, so I guess they are not concerned about what they look like on the store shelf unlike the Taiwanese motherboard makes.
Opening up the box, there isn’t all that much to see: I/O back plate, 2 SATA cables, manual, driver CD (Windows and Linux), checklist of parts, and finally an unsecured motherboard. I didn’t get upset that the motherboard was in the wrong box, but I don’t like how this board was left to flop around. Thankfully mine was not damaged in transit.
Having a closer look at the board you will see that they are not kidding about aiming their products at servers and not the end users. We have a simple I/O setup that has the basics and nothing more: exactly what we want for our new firewall. Now if, for some reason, you require more USB connections, the board does have some headers that are located next to the PCI-E x16 slot (x4 electrically). Or, if you want to install your OS straight from a USB drive, or possibly run it from a USB drive, have a look by the 6 SATA ports. Yes, that is in fact a USB port. The final thing that I wanted to point out is that this board does use jumpers. The way the system ships, you don’t need to touch them, but it does allow you to disable things such as LAN ports on the board itself. Other than that its a very simple board.
I will admit this is overkill, but for $12.99 per stick how could I not buy 4 GB of memory!? My old firewall has 512 MB of RAM and memory usage hovers around 30%. So if you are salvaging parts, there is no need to worry too much about RAM. If you’re buying new, a 2 GB stick is, I think, the most you will need, allowing ample growth.
To house the board, I wanted something small and silent. I have the small part spot on right now with my VIA system, but the SFX PSU that the case uses is painful. With a 40 mm fan used in the PSU, it was either get just a PSU that was silent, or grab a new case/PSU combo. I went with a combo and picked up a Antec ISK300-65. It comes in a boring box, but the case is protected, so that is really all i can ask for. The interesting thing about this case is that it comes with a proprietary PSU.
Normally proprietary turns me right off. But with a Pico PSU even smaller and available at a high wattage, I am not worried about this. As a spare part, should I ever need it, it’s not an issue to get a hold of. Another thing I really like, and wish more mini ITX cases had, is the provision for an expansion slot. Antec does not let down here. Also, on the back you can see a switch to set the exhaust fan from High – Medium – Low. I am currently running it in my closet on medium, and the noise is barely audible. If you do require dead silence setting it to low will provide that for you. At the top left there is a socket to plug the power brick into. The interior of the case is the usual Antec quality. No sharp angles, nothing to cut you.
Overall, this case is well built but not without its flaws. The provision for only 2.5” HDDs might be a deal breaker for some, along with the requirement for a slim optical drive. Luckily for me I had an old 250 GB HDD from when I upgraded my laptop. To get around the slim optical drive requirement, I simply installed the OS from a drive outside the case. I wont be using one once I am up and running, just like with the system it is replacing.
Installation of the OS
I will say this straight from the start: Yes, the screen shots of the actual install are taken from a VM, and not the actual installation. There is no difference in the end result. I did this as it yields much higher quality images than using my camera to take a picture of the LCD, and I don’t have a serial cable. Had I still my box of old cables, I could have used PuTTy and did the install over a serial connection.
Here we are going to do a walk through of a CD installation as it’s the least complicated and the most common. We are also going to be doing a 32 bit installation of the OS. Yes, 64 bit operating systems are supported by my setup, along with pfSense, and I know that I won’t be able to address all of my memory (4 GB) with a 32 bit OS. At this time it is recommended to install the 32 bit version of the OS, so that is what I am doing here.
If you haven’t done so already, go and download the OS we will be installing (pfSense download link). Go to: New Installs -> here on the mirrors -> (pick a mirror) ->download -> pfSense-2.0-RC1-i386-20110226-1530.iso.gz. Once the file is downloaded, you need to extract it. WinRAR or 7zip should do the job. Now, burn that ISO you just downloaded to a bootable disk. If you are unsure how to do that, grab ImgBurn. With ImgBurn Select -> Write Image file to disk
Once you have your bootable disk ready, it’s time to boot the computer to the disk and you will be greeted with this screen:
Push 1 or simply wait for the timer to reach 0. The OS will continue to load and you will then see this:
You can go straight to the installer, but I prefer to boot from the CD 1st so we know all of the hardware works with the OS. So either push “C” or wait for this one to time out too. Then what we see here is a list of our network cards.
You are going to want to remember the name in the left most portion of the screen. So in our example above we see, em0 and em1. The names will depend on what network cards you have installed in your system and the driver that they are using. In our example, I have the VM using Intel cards, just like my actual system. Also during this time you are going to want to decide: what card is going to connect to the Internet, your WAN card? What card will be connected to your intranet, your LAN card? You need to know this so you know which ethernet cable to plug into your Cable modem or DSL modem and what cable to plug into your network switch. For this example, I will use em0 for my WAN card and em1 for my LAN card. Select “n” for setting up VLANs as we wont be touching on them in this guide.
Confirm your NIC selection. Now we are being asked to enter the WAN card, or select “a” for auto detection. If you have already plugged you Ethernet cables in, you can try auto. But, I recommend manually specifying what card. So like we decided earlier on, we will enter em0 as out WAN card.
Simply enter the LAN card name : em1. Then push enter for the optional 1 interface name as we wont be using that.
You will then see a confirmation screen. Just ensure you have selected the correct card for LAN and WAN and push “y” to proceed.
Now we are ready to install this setup to our HDD. Yes, it will remember what we just configured so we wont have to do that again. Once installed we will no longer require the optical drive, so my example system, actual system does run without. Let’s get that started by entering 99.
The FreeBSD / pfSense< developers have done a great job at making this a painless installation, so we are more or less going to be picking the default options all the way through.Click accept and proceed to the next page.
Quick/Easy Install is perfect for your 1st time installation, so lets use that.
Yes, installation is this easy, just select OK.
Pick option 1 or 2 depending on your system. In my case, I have a dual core system, so I should pick the 1st option like I have highlighted. If you have a single core CPU, option 2 is what you want. Then, simply select reboot when prompted. Once your system is back up it should look something like this:
I recommend turning on SSHd, which is option 14. During the setup it’s always nice to have shell access via SSH. If you need a Telnet client, grab PuTTY. It’s nice not having to walk to the closet to change settings if you need the shell for something. At this point in time your box is ready to protect you from the outside world, but that doesn’t mean the fun is over already. Even though almost everything can be done with the browser GUI, that doesn’t mean the shell is useless to you. There are a few times I can think of when you will need access. From here, you can always re-setup you LAN /WAN cards (option 1). If you mess your configuration right up, option 4 and you’re back to a clean installation. If you forget your password, you will need to physically walk to the box. By default the system is unlocked with physical access. Yes, it can be locked down too. I do leave it unlocked, and if you want in without a password, you need to break into my house and bring your own monitor and keyboard, as nothing is attached to the box other than Ethernet once it’s up and running. I trust that is good enough for home use. Anyhow to get back on track, you can now SSH into your box. The default Login / Password is: “admin” / “pfsense” without the quotes. Now it’s time to setup your firewall.
I have now moved my firewall into my computer closet and wired up my firewall to the cable modem and switch. I also have my cable modem turned off as I get an IP for the new MAC address that this firewall has once the modem is turned back on. After all is said and done, you simply open your browser of choice, go to https://192.168.1.1 with a default login/pass of admin/pfsense (same as SSH) and you should see a screen that looks like this:
Since this is the first time you are installing the firewall we are going to use the setup wizard to help get us started. The pfSense developers were kind enough to make that the first thing you see, but in case it doesn’t come up, or you need to revisit the wizard again the the future you can find it from the menu bar at the top (will show up after the wizard is done). System -> Setup Wizard. When ready, select next to continue. You will now see this screen:
Under Hostname enter the network name you would like your firewall to have. Under Domain enter your domain if you have one; if not, enter your windows network name or simply leave it at its default name. DNS servers allow you to enter other DNS servers other than the ISP default servers. For example, Google provides some with IPs 184.108.40.206 and 220.127.116.11. Open DNS also provides some along with a few others. If you are unsure what to do, the default setting will work fine. Next to continue and you will now see this screen:
Here we can change the time server that you want the firewall to sync its time with. The default works great and you really only need to set the time zone to your local area. Once you have done that, it’s time to move on.
This next page sets up your WAN connection. If you simply set up via DHCP you don’t have much to do here. Otherwise, you should have some information provided from your ISP and will have to set this up as per your ISP’s requirements. For example: I will change my MAC Address, as some ISP’s expect to see a specific MAC, but in my case I am just leasing a different IP than I normally would for this walk through. Your can change your MAC if required under “General Configuration -> Mac Address”. Be sure to use only lower case values: it should look something like this : 00:25:90:38:2e:1d. Once this page matches the settings your ISP has provided (if any) scroll down to the bottom and click next
Setting up your LAN connection is much simpler. Unless you have any special requirements the default settings should work perfectly. If you do change your LAN IP, don’t forget to reboot the rest of your network equipment as they may not be accessible until the lease time they have expires and the devices go to renew an IP.
Next we enter in a proper password, changing it from the default password of pfSense. Then we move right along.
Click reload and you will see this screen while the system makes all the changes you have done.
Once you have done that and the system comes back up you should see the dashboard looking something like this:
As you can see from the system name I have used the default name for the server and changed my network name to be “burn”. I have also configured the DNS servers to use Google ones as opposed to the ones my ISP supplied. You can also notice that my WAN is down as I have yet to turn on my cable modem; for my LAN IP settings I kept the same for simplicity.
If you managed to reach this point, you are fine to start using the system now, once you plug in your modem if you have not done so already. However, I like to make a few more changes:
You can see you can have a few more bits of information displayed on the dashboard by clicking the little plus sign at the top left. Once I have mine set up the way I like it, it looks like this:
So now that the dashboard is all set up how I like it, I am going to have a look at the DCHP server. I will look at what settings it has by default and tweak it to my liking. To do that we go to the menu. Services -> DHCP Server:
I am going to change my range now from the default of 192.168.1.10 – 192.168.1.245 to the new setting of 192.168.1.100 – 192.168.1.245. This still allows my DHCP server to lease out 145 IP’s, which is more than enough for my home network. The reason I am doing this is that you cannot have static IP mappings in the same scope your DHCP server is able to lease IP’s in. I like the lower numbers for DCHP reservation, but it’s all personal preference. Now with that done, what I like to do is set up DCHP Static Mappings for some of the computers / equipment on my network. You might want to do this for any number of reasons, a few of mine are: I like network equipment on a static IP (e.g. printers and switches) and find it quicker to do it all from once interface, so Static Mappings are great for that. Servers also need to be on a static mapping if you need to forward any ports to it; a server could be as simple as you hosting a game, for example. To set a Static DCHP mapping you can use the same screen if you scroll down. If you don’t have a list of MAC addresses handy, it’s much easier to do it from here: Status -> DHCP Leases. You should now see something like this:
Simply click the “ + “ on the right of the computer you want to assign a static mapping to and this window opens:
Enter the IP address you want the computers DHCP Reservation to be and fill in any of the blanks you require, clicking save when done. This will then move you to the DHCP server page on its own. Go back to the DHCP Lease Page to add any more that you want/need to add. To view your static mappings and make changes go to Services -> DHCP Server like you have done in the past, scroll down to the bottom and you should now see all the DHCP Static Mappings. They should look something like this:
To connect to the internet, I get an IP from the cable modem I now plugged in. To do so, click on status -> interfaces, then click on renew for your WAN. You should now lease an IP.
If you have any issues doing this, a simple reboot may help. You can telnet in through PuTTY if you turned that option on during setup, or you can use the web interface by going to Diagnostics -> Reboot -> Yes. Upon logging back in you may notice your dashboard claims an update is ready. Click on the update and lets see what is actually happening:
We will go to the updater setting tab, and change the default value from nothing to “pfSense Stable Release Updates” and save that setting. By default it shows nightly builds, but unless you are specifically looking for them, you are better off staying with the stable release.
Now that the system is back online and only reporting stable updates, I will be forwarding a few ports. The reasons you would want to do this include: you could be running a web server, FTP server, or that some game just doesn’t want to behave without opening some ports for it. Whatever reason you have, it’s very simple to do. Once again from the menu: Firewall -> NAT. This will show you any rules you may have. Click on the PLUS at the far right as we are going to create a new one.
Let’s say we are going to want to run a web server on one of our computers. You would set it up like so:
Now let’s say some game needs some ports open so you can host a match. You will notice that I also changed the Protocol to to include UDP along with TCP as this program requires both over the same port. If you require UDP but only have TCP being forwarded, you will have issues as the firewall will not pass that traffic. So do ensure you know what kind of traffic will be coming through your port as you are forwarding it.
Now that you have that all set up, you might find accessing that web server on your local system is a bit of a challenge. You might notice when typing in the domain name your firewall is preventing you from accessing it, but we can resolve this with DNS name resolution. To do so, goto Services -> DNS forwarder.
We are going to add an entry under Hosts.
That’s it: we can now type www.mysitename.com in our browser and have it work. pfSense also supports Dynamic DNS, so if your IP address has the potential to change, but you need an updated record, you might want to set this up. Services -> Dynamic DNS Clients -> click the plus.
You can see that pfSense supports a wide range of options for you. Everyone has a slightly different set up. But once you sign up for a service you now know where to input the provided values. This feature is a lot more elegant that running some no-ip.com app on your desktop.
The last thing i want to show off is the RRD Graphs. Status -> RRD Graphs.
This shows off some potential useful information about your system. You can get Memory and CPU loads from here along with many other statistics that you may find interesting or could help you troubleshoot a network problem. Also, let’s be clear I have only touched the tip of the iceberg with the stock features, but for now that should get you started. Even if a feature that comes stock is missing, you probably still can get it when using pfSense. That is the beauty of the Package Manager.
Another great feature of pfSense is its support of add-on packages. Basically, in a nutshell, these are easy to install add-on modules to add features to the firewall that are not in the stock build. So if this firewall is missing something right off the bat that you require, check to see if a package has been created that suits your needs. If not and you still need it, the pfSense forum has a section called Post a Bounty. What you do here is place a Bounty for the feature you want with a cash reward and the Developers / Contributors will write a package for you to claim that bounty. You can view and install them from: System -> Package Manager -> Available Packages
I strongly recommend that you read through these packages and see what works and is required for you. I will walk through the installation of Squid and squidGuard as they are very popular. To install a package simply click the + sign on the right of the package and you will see a confirmation screen and then get to watch it install.
So once you have both installed you can now access Squid from Services -> Proxy Server and squidGuard from Services -> Proxy Filter. The way I like to setup my Proxy for use at home is:
- Proxy Interface : LAN
- Allow Users on Interface: checked
- Transparent Proxy: checked (This one is so you don’t have to manually set up any systems to use the proxy)
- Log Store Directory: /tmp
- Proxy Port:3128
- Custom Options : refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims; range_offset_limit -1;
Then click save; all other default settings work great. We added that string into the Custom Options so that we can cache Windows Update.
Next we move over to the Cache Management tab. The settings you have here really are going to depend on what hardware you have as you can over tax your system. I am going to be using these values bases on my set up.
- Hard Disk Cache Size : 5000
- Memory Cache Size : 1024
- Minimum Object Size : 0
- Maximum Object Size : 512000
Click save once again when you’re done.
Now your Proxy server should be all setup and ready to rock. Now we are going to setup squidGuard. Services->Proxy Filter
- Enabled : Checked
- Blacklist: Checked
- Enter your Black list, find them here
- Go to Blacklists tab
- Click downloaded
- Then go grab a much needed cup of coffee as this takes a few minutes
Now that you got your coffee, that download should be finished. So we now will go to the “Common ACL” tab.
Now, how you set this up really depends on your situation. If you don’t want anyone to bypass the filter by using an IP, ensure you check Not to allow IP Addresses in URL. Redirect mode is how a page is handled that is blocked. Use Safe Search, check that if you don’t want Porn / drugs and such coming up in your search engine. Also, if you enable safe search, also ensure you blacklist search engines. You should only allow the ones that support safe search. When you have that basic information set up for your network needs, click the green plus next to “Target rules”. Then simply pick what content you want to allow to enter your network. Even if you don’t want to block access to protect kids for example, you can still use squidGuard to block ads and spyware sites for example. Also ensure you go to the very bottom and change the default access from deny to allow if you don’t want the Internet to be white list only browsing. Now at this time you can enjoy your proxy.
So, what I do like to do at the very end is give the system one last reboot, and that will most likely be the last time you touch the system until you upgrade the OS Version or the hardware. Also, I would ensure your keyboard is disconnected at this point also, as having to reboot it, or power back on from a power failure, etc. and wondering why it doesn’t come back online can be painful and even more so when you release it’s a keyboard error. Many BIOSes will hang with no keyboard, so make sure you disable that in yours – now is a good time to ensure you double checked that one. I had well over a year uptime on my last system before this one. My current plans are to not turn this box off until I upgrade the OS.
So, if I still have anyone still following along after all this, thanks for reading. I hope I helped show you how I set up a simple yet powerful home firewall that is strong enough for corporate use. If anyone is a pfSense user, hopefully this little guide was still some use a a beginners quick reference.