
A Feature-rich Firewall Cum Router

pfSense is a free and Open Source firewall and router with good features and low hardware requirements, thereby giving you a cost-effective solution for your security needs

Rakesh Sharma

Friday, May 01, 2009


Based on the FreeBSD distribution, pfSense gives you the twin functionality of a firewall and a router within the same box. It is derived from the m0n0wall project, but provides more features. Some of these include firewall, NAT, load balancing, VPN and reporting.

Direct Hit!

Applies To: Network admins
USP: Add firewall rules, configure a captive portal and much more
Primary Link: www.pfsense.com
Google Keywords: pfsense

Deploying pfSense
pfSense can be deployed in various scenarios. It can be deployed as a gateway firewall with the Internet connection terminating at the WAN port and the internal network on its LAN port. It can also handle multiple Internet connections and help you set up a DMZ on your network. For a larger network, you can deploy it as a LAN or WAN router. You can also set it up as a wireless access point, a VPN appliance, a DHCP server and much more.

We deployed pfSense as a gateway-level firewall. It is offered in three different options: the first is the VMware appliance, the second is a Live CD and the third is the embedded version. The Live CD gives you the option of installing it on a hard drive, which is useful if you want to deploy it in a production environment. If you run it from the Live CD instead, the settings can be saved on removable media and restored if needed. The embedded version is for flash drives.

pfSense provides you exhaustive options for implementing firewall rules. These rules provide a lot of flexibility

We downloaded the VMware appliance and installed it on our server. After booting up, the console showed a list of options, such as resetting passwords, restarting the web configurator, setting up the LAN IP, etc. To open the web configuration page from another computer on the network, log in with admin as both the username and the password.

Adding firewall rules
To add firewall rules in pfSense, open the web configuration page and navigate to Firewall > Rules. Now click on the 'add new rule' icon found at the right side of the page. A new page opens up, asking for all the details needed to set up a rule.

In the first option, 'Action', choose block if you want to block the traffic, else choose pass. The second option is used to disable a rule that has been set. Then specify the interface on which pfSense shall look for packets. Next choose the IP to which this rule shall apply. Then there is the source and destination 'not' option, which enables you to invert the sense of the match. The interesting part is the 'Source OS' option, which enables you to apply specific rules to Linux or Windows machines. Similarly, there are other useful options available.

Removing a rule is pretty simple. First navigate to the LAN or WAN tab, wherever the rule is deployed. Check the rule you want to delete and then click on the 'delete selected rule' icon on the right side of the page.
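
To see how the rule options described above combine, the following Python model (an added example, not pfSense code and not from the original article) evaluates a packet against an ordered rule list using the Action, disable, interface and source/destination 'not' options. The rule set and addresses are constructed, and the model assumes first-match-wins ordering with a default block when no rule matches.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str               # "pass" or "block", the 'Action' option
    interface: str            # interface on which packets are inspected
    source: str = "any"       # CIDR network or "any"
    destination: str = "any"
    source_not: bool = False  # 'not' option: invert the source match
    dest_not: bool = False    # 'not' option: invert the destination match
    disabled: bool = False    # disable option: rule is kept but skipped

def _addr_matches(spec, invert, addr):
    """True if addr falls in spec, with the result flipped when invert is set."""
    if spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    return hit != invert

def evaluate(rules, interface, src, dst):
    """Return the action of the first enabled rule that matches the packet."""
    for rule in rules:
        if rule.disabled or rule.interface != interface:
            continue
        if (_addr_matches(rule.source, rule.source_not, src)
                and _addr_matches(rule.destination, rule.dest_not, dst)):
            return rule.action
    return "block"  # assumption: nothing matched, so the packet is denied

# Constructed sample rule set for a LAN of 192.168.2.0/24
LAN_RULES = [
    # Block the upper half of the LAN from every destination that is NOT the LAN
    Rule("block", "LAN", source="192.168.2.128/25",
         destination="192.168.2.0/24", dest_not=True),
    # Disabled rule: stays in the list but is never evaluated
    Rule("block", "LAN", source="192.168.2.10/32", disabled=True),
    # Everything else that originates on the LAN is passed
    Rule("pass", "LAN", source="192.168.2.0/24"),
]

if __name__ == "__main__":
    for src, dst in [("192.168.2.200", "203.0.113.5"),
                     ("192.168.2.200", "192.168.2.1"),
                     ("192.168.2.10", "203.0.113.5"),
                     ("10.0.0.7", "203.0.113.5")]:
        print(src, "->", dst, ":", evaluate(LAN_RULES, "LAN", src, dst))
```

Moving the pass rule to the top of the list would let the upper half of the LAN out to the Internet, which is why rule order deserves a review whenever a rule is added or deleted.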

Configuring captive portal
The captive portal gives you the option of restricting Internet access for guest users. Through this portal, users are required to enter a username and password to get access to the Internet. It is very similar to accessing the WiFi network of a hotel.

To configure the captive portal, navigate to Services > Captive portal and then click on the Captive Portal tab. Check the 'Enable Captive Portal' checkbox. Then select the interface on which the captive portal should run. Specify the maximum number of concurrent connections, idle timeout, redirection URLs, etc. You can set up user authentication through the internal user manager or with a RADIUS server. If you are specifying RADIUS authentication, provide the necessary details such as IP address, port number, etc. The portal also supports HTTPS login. For this you need to specify the HTTPS server name, certificate and private key. You can also customize the page that will be displayed to guest users. Finally click on Save.

pfSense provides very elaborate and categorised system logs. A system admin can view log reports of systems, firewall, VPN, etc on his network.

The Captive Portal lets a cyber-cafe owner keep track of the duration for which a customer has browsed the Internet and bill him accordingly.

Adding and removing user
To add a user to the internal database, navigate to Services > Users and click on the 'Add User' icon. Provide the username, password, full name and expiration date of the user. If the user account has no expiration date, then leave it blank and click on Save to create the user. To delete a user, click on the 'delete user' icon found beside the user details row.

Configuring DHCP server
To enable the DHCP server, navigate to Services > DHCP server and check 'enable DHCP server on LAN interface'. After that, specify the range of IPs that will be allocated to the clients connecting to the server, for example 192.168.2.10 – 192.168.2.234. Next specify the DNS server address and the gateway, i.e. the IP address of the pfSense server itself, and then click on Save.

Log reports
To check the logs that have been generated, navigate to Status > System logs. By default it displays the last 50 system log entries. Apart from this, you can also view logs generated by the firewall, DHCP, settings, portal, etc. These logs are very helpful when troubleshooting and also for keeping track of different activities happening around pfSense.
