Lab 9 - Building and testing a firewall VM using pfSense

Goal

Firewalls are an important component in any Internet-connected organization's security process. In this lab we will install and configure pfSense, an open source FreeBSD firewall appliance, as a VM in VMware. We will then configure and test it.

A firewall normally requires two interfaces. We will create a VM with two interfaces: one a NATed interface to the Internet, and the second a private "LAN Segment" that allows VMs to share a common, private LAN. The firewall will sit between these two interfaces, passing packets from the first interface (NATed) to the LAN Segment. Other VMs can then use this second interface to connect through the firewall to the Internet.

Steps

Step 1 - acquire pfSense

Download, or acquire from the instructor, the latest pfSense .iso file (2.1.2). The software is here, or your instructor has it on his external hard drive. You will want the AMD64 version, "Live CD with installer".

Step 2 - create and build VM
  1. Start up VMware. Create a new typical VM. Select the ISO file you acquired (/home/skon/OSs/pfSense-LiveCD-2.1.2-RELEASE-amd64.iso). Select "Other" as the guest OS, then "FreeBSD 64-bit". Name the VM "pfSense". Make the hard drive 2GB.
  2. When the ISO boots up, select "i" to install on the hard drive. It will then install and reboot into the installed version.
  3. Before you finish the last step of the creation, click the "Customize Hardware" button. Set the first network interface to "NAT", and create a second interface (use the "Add" button at the bottom). For the second interface select "LAN Segment", and create for it a new segment called "pfSense".
[Screenshot: LAN Segment]
Step 3 - Setup pfSense
  1. Boot up pfSense for the first time. The VM screen is the console terminal.
  2. The system will prompt you to set up the WAN interface. Say "No" to the VLAN question. Assign the first interface (em0) as the WAN, and the second interface (le0) as the LAN.
  3. Drop out to the shell in pfSense (option 8), and "ping 8.8.8.8" to confirm networking. Exit back to the menu.
  4. On the pfSense console, take note of the IP address of the NATed (WAN) interface. This is the IP of the WAN interface.
  5. Select option 2 to set up the LAN interface. We want this to be its own NATed LAN.
  6. Set a fixed address of 10.1.1.1. Set a network mask of 24 bits (255.255.255.0).
  7. Take the defaults until it asks whether you want a DHCP server. Say yes.
  8. Enter a start address of 10.1.1.10 and an end address of 10.1.1.30.
Step 4 - Get Kali connected to pfSense
  1. In the Kali VM, before booting, right-click on the VM tab in Workstation. Change the network interface to use "LAN Segment", with the segment name "pfSense". All of Kali's network traffic should now go through pfSense.
  2. Start up your Kali VM.
  3. Log in to Kali as "root", password "toor".
  4. Check its IP address. It should be in the DHCP range entered above.
  5. From Kali, check your address, then see if you can ping pfSense (10.1.1.1) and the host system (you will need to look up the host's address).
  6. From the pfSense console, make sure you can ping Kali.
Step 5 - Login and setup Firewall
  1. From Kali, check for internet access. You should have it.
  2. From Kali, browse to 10.1.1.1. You should see the pfSense web interface. Log in as "admin", password "pfsense".
  3. Click on the pfSense logo to skip the "wizard" setup, and go directly to the main page.
  4. On the interfaces tab, look at both the interfaces. What do you see?
  5. On the "Firewall" tab go to rules.
  6. Determine and report: does the firewall drop or accept packets that don't match any rule?
  7. Note that there are two sets of rules, one for the LAN, and one for the WAN. What is the purpose of each?
Step 6 - Firewall rules.
  1. For each of the following, capture the results and include them, with comments and answers, in the lab report.
  2. Try to ping the firewall from the host system (ping the WAN IP). This does not work. Why?
  3. Try to ping the firewall from Kali. Start by pinging the LAN side, i.e. 10.1.1.1. This should work. Why?
  4. Now try to ping the WAN side of pfSense. This is probably 172.16.202.128, but you can figure it out by looking at the WAN interface from Kali.
  5. Try to ping the host system from Kali (i.e. ping through the firewall). You can ping the VMware NAT address, which is probably 172.16.202.1 (you can figure it out with ifconfig on the host).
  6. Finally, is there a way to ping Kali from the host system in its current state? Explain why or why not.
Step 7 - Writing rules.

In this phase you will try to add rules. As before, for each of the following capture the results and include them, with comments and answers, in the lab report. Show each rule you write. For some of these you will need to do some research. Do not get discouraged. If you get completely stuck, talk to me, your friendly professor.

  1. Add a rule to stop pinging from Kali to pfSense.
  2. Go into the "Status" tab and select "System Logs". Then select "Firewall". This logs all rules that fire. Show the result of the block from above.
  3. Remove the rule from #1, and check the log again.
  4. Add the rule back in, but set as a "log only" rule. Show what happens, and explain. Why would you do this?
  5. Write a rule (or rules) to allow the host to ping the firewall. Show the rule. Check the log.
  6. Write rule(s) that allow the firewall to be pinged, but nothing beyond it.
  7. Write a rule to disallow any connection to www.google.com. Show that it works.
  8. Write a rule to allow ssh connections from the host to Kali. Demonstrate that this works.
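The firewall log checks in items 2 to 4 can also be done outside the web interface by parsing the raw filterlog lines pfSense writes to syslog, which makes it easy to count how often a block rule or a log-only (pass) rule fired for a given source and destination. The parser below is an added example, not part of this lab; it assumes the comma-separated field order pfSense documents for its filterlog output in release 2.2 and later (check it against your release), and the sample log lines are constructed to match the addresses used in this lab.

```python
"""Parse pfSense filterlog lines and summarise which rules fired.
Assumption (not from the lab): field order is pfSense's documented
filterlog format for 2.2+; the sample lines below are constructed."""
from collections import Counter

COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id",
        "proto", "length", "src", "dst"]

def parse_filterlog(line):
    """Return a dict of fields for one syslog line, or None if not filterlog."""
    marker = "filterlog: "
    if marker not in line:
        return None
    fields = line.split(marker, 1)[1].strip().split(",")
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    if rec.get("ipver") != "4":          # the lab only uses IPv4
        return rec
    rec.update(zip(IPV4, rest[:len(IPV4)]))
    extra = rest[len(IPV4):]             # protocol-specific tail
    if rec.get("proto") == "icmp" and extra:
        rec["icmp_type"] = extra[0]      # "request"/"reply" for echo
    elif rec.get("proto") in ("tcp", "udp") and len(extra) >= 2:
        rec["sport"], rec["dport"] = extra[0], extra[1]
    return rec

def summarize(lines):
    """Count (action, iface, proto, src, dst) tuples over many lines."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and "dst" in rec:
            counts[(rec["action"], rec["iface"], rec["proto"],
                    rec["src"], rec["dst"])] += 1
    return counts

# Constructed sample: Kali (10.1.1.15) pinging the LAN side (le0) while the
# Step 7 block rule is active, the same ping after the rule is switched to
# pass-and-log, and one SSH attempt from the host arriving on the WAN (em0).
SAMPLE = [
    "Apr 25 07:01:10 pfSense filterlog: 5,,,1000000103,le0,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,10.1.1.15,10.1.1.1,request,1234,1",
    "Apr 25 07:01:11 pfSense filterlog: 5,,,1000000103,le0,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,10.1.1.15,10.1.1.1,request,1234,2",
    "Apr 25 07:05:00 pfSense filterlog: 7,,,1000000105,le0,match,pass,in,4,0x0,,64,0,0,none,1,icmp,84,10.1.1.15,10.1.1.1,request,1234,3",
    "Apr 25 07:06:00 pfSense filterlog: 9,,,1000000107,em0,match,block,in,4,0x0,,128,0,0,none,6,tcp,60,172.16.202.1,172.16.202.128,50000,22,0,S,1,,65535,,mss",
]
if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```

On a real system, feed it the lines from /var/log/filter.log on the pfSense box (or the firewall log export from the web interface) instead of SAMPLE.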
Step 8 - Port Forwarding
  1. Consider this problem: you wish to host a website on Kali, but it is behind NAT. Why is this a problem?
  2. Add a web server to Kali. This is simple, using the "sudo apt-get install apache2" command. You should be able to get to the default page using the browser on Kali.
  3. Show that you cannot get to the server from the host system's browser.
  4. Do some research, and implement a proper solution to get through to the web server from the host. Demonstrate, describe, and document your solution.
  5. The solution is something called port forwarding.

Topic revision: r9 - 2014-04-27 - JimSkon