INTRUSION DETECTION USING PFSENSE - OPEN

SOURCE FREEBSD FIREWALL

PfSense is an open source firewall based on FreeBsd can work as router/IDS/IPS as
well. In the following sections we will look at how to configure PfSense after installation,
have look at its WebGUI we will see how to create firewall rules/VLAN and detects
intrusion detection in PfSense. PfSense can run on very old machine because it uses
very limited resources to get it going.
The minimum hardware requirements to use PfSense is a computer with the following:

 CPU – 100 MHz Pentium

 RAM – 128 MB

 CD-ROM for initial installation

 1 GB hard drive

 Two Network Interface Cards

For PfSense we will be using with two NIC cards. One NIC card we will be using it For
WAN connection and One NIC card we will be using for Internal Network which we
name it ‘LAN’. We will use two host machine namely ‘Ubuntu’ and ‘Windows 7’ which
we will be connected with the internal network ‘LAN’ which in turns will get internet
connection via WAN link in PfSense. We also will need windows 7 and Ubuntu host
machine. The two machine can be physical machine separately or like here installed in
virtual Box and connected with pfSense via internal ‘LAN’ network.
We will be using the following network diagram for the illustration purposes of our work
below:

Pic: Anticipated Network Diagram

Initial Boot up and installation of PfSense:

1. After downloading the latest version of PfSense (Version 2.1.5) burn it to cd with cd
burning software and boot up the cd from the BIOS.
2. After the initial boot up the users will be presented with following menu:

We can press enter for the default option to select.

3. After some decompression of images the PfSense will come to following screen.
Then we press ‘I’ for installation of PfSense to the hardrive.
4. Then we will be prompted with ‘Configure console’ windows which we should come
down to the last option with our down arrow in the keyboard and select ‘Accept these
settings’.

5. On the next screen we select ‘Quick install’ and press enter.

6. In the next step we select Ok button for accepting our installation which will install the
PfSense in to our first hard drive created for the installation.

7. In the next windows we will see the pfsesnse will be formatting our hard drive and
install the pfsesnse. It will roughly take about 10 minutes depending on the power of the
machine we are installing on.
8. In the next screen we will be prompted to install the kernel. We will select the first
option (Symetric multiprocessing kernel) highlight it and press enter.

9. In the next screen we will prompted with the reboot option which we should select
and press enter. The PfSense will reboot now. After that we will again be presented with
welcome to PfSense boot menu. This time we press enter to select the default.

10. The PfSense will boot the default profile as it’s the first initial boot up after
installation we will configure the LAN/WAN/VPN/DMZ here in the console menu of the
PfSense. If our Two NIC card is connected with the PC we installed the PfSense on the
two NIC card will be shown on the upper part of the configuration menu of the PfSense
as follows:

11. We need to take note of this em0 and em1 as we will need it for setting up our WAN
and Internal ‘LAN’ connection we mention above for the PfSense.
In this set up we will use em1 for the ‘WAN’ connection and the em0 for the ‘LAN’
connection.

12. The first configuration option we will be seeing is the prompt for creating VLAN. We
will not be creating VLAN in this console menu. We will configure it in the Web console
menu of the PfSense after we configure this initial console configuration.

13. After that we will be asked for choosing our ‘WAN’ interfaces. By default it will be
asking for auto recognition. We will type in em1 for our ‘WAN’ interfaces as we
promised earlier.

14. We will then choose our ‘LAN’ interfaces. As like before it will by default accept the
auto recognition. But we will select em0 as planned.
We will be then asked for optional interface to configure. This interfaces are set up
usually for creating DMZ. We will be creating it in the web console later on.

15. We will then confirm (type ‘y’) then in the next step that we configured the correct
interfaces for ‘LAN and ‘WAN’.
We can see we selected the em1 interface for WAN connection and the em0 interface for
the ‘LAN’ connection.

16. We will be then presented with completed PfSense initial console menu where we
can see the WAN link got DHCP leased IPv4 address from our ADSL Modem (Router).
The IP address usually we get it from the ISP.
Here our WAN IP we see is 10.0.2.15 which we got from our ISP provider and out LAN
IPv4 address we got in the private IP range (192.168.1.1).
17. For our configuration as many of you can easily get confused with LAN IP
(192.168.1.1) same as our default gateway which happens to be the routers IP. So to
make it clear as for our initial configuration we want to use our PfSense as
(firewall/Intrusion detection) rather than a router we will change the LAN IP address in
another Private IP range 192.168.0.3/24 range. We also want to configure the LAN
interfaces to lease out IP address for other two hosts we will be using (Ubuntu &
Windows 7).
We also need to change the ‘WAN’ interface IPv4 address to the 192.168.1.105/1
address. We will for Internet connection will set the default gateway to 192.168.1.1
(Home router Address) in the web console later on.

Changing LAN Interface IP Address:

 From the PfSense console select option 2 'Set interface(s) IP address'.
 At the Enter the number of the interface you wish to configure: prompt, type 2 to
choose the LAN interface.
 When prompted, use the following IP Address: 192.168.0.3
 Use 24 at the ‘LAN IPv4 subnet bit count prompt’.
 Then we Type y at the prompt when asked if you would like to enable the DHCP
server on LAN.
 We will be asked to provide the starting address range, use the following starting
IP Address: 192.168.0.4
 We will then be asked to specify the ending IP Address for the DHCP range. Use
the following IP Address: 192.168.0.245
  Then Type y when asked to enable web configuration.
 At this point PfSense will lease the addresses within: 192.168.0.10-
192.168.0.245 range.

Changing WAN Interface IP Address:

 From the PfSense console select option 2 'Set interface(s) IP address'.
 At the Enter the number of the interface you wish to configure: prompt, type 1 to
choose the WAN interface.
 When prompted, use the following IP Address: 192.168.1.105
 Use 1 at the ‘WAN IPv4 subnet bit count prompt’.
 Then we Type y at the prompt to make the changes

In order to make the DHCP working we need to restart the PfSense. After the initial boot
up we will select the default option from the console menu by pressing enter and we will
be shorty be presented with our final PfSense console menu with the desired changed
we made as follows:
This concludes our initial PfSense console menu configuration.
We thus far have configured LAN/WAN connection in the console menu. We will now
see how to get access to the WebGUI of the PfSense and configure the basic set up
and get familiarize with the Web Console.

Introduction to PfSense Web-based Interfaces:

From the Ubuntu or windows 7 pc if we fire up any web browser and type in the LAN
address of the pfSense which is 192.168.0.3 we will at first be prompted with security
warning. We have to accept the warning and make exception of that certificate. After
that we will come to login page of WebGUI of pfSense.The default login and password
for pfSense are admin and pfsense.

After the login we will see the Dashboard. Where we can see the statistics/systems
information’s the present WAN/LAN connection state which in our case is up. It can also
include other information if we want to.
Now from the upper leftmost option on the menu bar we hover over system and select
setup wizard.
We will then select next to get to the General information screen where we can change
the Hostname/Domain name if we want to.
Here we will change the Primary DNS server to the google DNS server 8.8.8.8 mad the
secondary DNS server to be 4.4.4.4
After that we select next.
On the next screen we can change the Timeserver according to the time zone we might
be in. Here we select America/Chicago from the dropdown list and click next.

The next screen we will see the WAN interface pages where we can select the DHCP
address to be static address or DHCP leased from our ISP.
We will select static.
Then we go down and we see our WAN address is as we configured in the initial
console menu as 192.168.1.105/1

As we discussed earlier we want pfSense to pass the internet traffic to our home router
so we type in 192.168.1.1 as the upstream gateway.
We leave the PPTP configuration blank as we not going to set up VPN now.
Also as we are not going to get authenticated by our ISP as required for DSL modem
only. As this pfSense will not provide the WAN connection we do not need to feel in the
PPoE configuration parts.

The configurations are as follows:

In the next screen we can setup the LAN interface address if we did not configured in
the console menu earlier. As we see in the page our LAN interface is been configured
correctly. So we confirm and click next.

In the next screen is where we can change the Default login and password for the web
console login page.
We type in whatever we want but make sure we make the password and login id mixed
with numbers with letters. Then we click next.
Now the pfsense will ask for reload to save all the configuration is made.

After the reload the setup wizard completion message will confirm that the setup wizard
has been successfully completed.

After that we will see the Dashboard again. From the menu up we can go to the
interfaces option from there we can change the LAN/WAN interfaces configuration if we
need to.
To see our Internal ‘LAN’ network on em0 that we set up as leasing address within
192.168.0.4-192.168.0.245 is configured properly we can select service option and
select DHCP server and select LAN we see its configured properly.
And also to confirm our two machine Ubuntu and windows 7 is getting the IP address
from the LAN interface DHCP lease ranges we select status option and select DHCP
lease. We see the matching windows 7 IP in the DHCP leases status as well as another
machine which happens to be Ubuntu which are logged off also got the address from
the DHCP lease.
We can also see our WAN gateway is working by clicking status and selecting
Gateways. In our case our WAN link is online.

We can also see the System logs/services currently on run and Traffic graph from this
Status Dropdown menu.
For Administration purposes if we want to get the notification mail of any information of
our pfSense system we can set up the notification SMTP mail server under the system
dropdown menu and selectin advanced and notifications.
If we want to save the configuration that we made so far we can save it as XML file for
restoring it in case of disaster or for configuring another pfSense with same
configuration.
We can do it under Diagnostics dropdown menu and selecting Backup/Restore, and
clicking Download Configuration.
Restoring a configuration is done by clicking Browse and locating the XML file saved
previously and loading it.

Adding Firewall Rules in pfSense

In this section we will get to know how to make Firewall rules and Alias as well as we
will demonstrate how to open SSH server incorporating making firewall rules in
pfSense.
pfSense Firewall:
At first we login to the pfSense web GUI from our host machine windows 7 or Ubuntu by
typing in the LAN IP address 192.168.0.3 in the web browser.
Then we login to the pfSense page with our username and the password.
On the top menu we hover over the firewall menu and we select Alias from the drop
down menu.

Here we see there is three option URL/Ports/IP.

As the name suggests the IP/Ports group branch of IP’S or Ports under a name instead
of assigning it individually one by one. Especially if you know for example in our case
we will allow our two machine (Ubuntu and Windows 7) to allow SSH access.
So we will make alias of the IP address of those two machines and give it name SSH
Access so when applying firewall rules for those two machines we can use the Alias
name instead of creating same rules for the two machines individually.

So let’s make Alias for the IP’s of the two machines. So we select the IP bar on the
Alias page and on the right hand side we click Add New Alias.
We give it name SSH_access and we fill in the descriptions.
Then we give the IP address of our two machines in the IP box and we click save.
We need to click apply changes to take the effect.
Similarly this way we can create as many alias as we want with IP’s we want to control
under this IP menu.

We will now create Alias for Port now which we will open port 8022 in firewall for SSH
access which we will configure later on.

Under port menu we give the name SSH_port then fill in the description and fill in the
port with 8022 and click save.
Similarly we can make Alias for any ports we want.
Now that we made the Alias we will use it to create firewall rules to open SSH port for our two
machines (Ubuntu and windows 7).
pfSense Firewall Rules( Accessing SSH to pfSense from other machine in the
LAN)

In order to do that we will at first create super user. So in order to do that we click system on the
upper menu and select user manager from the dropdown menu.
We will see we already have admin account created. So on the right side of it we select add
user button and we get to users page where we fill in the user name superuser.
Fill in the password and if we want we can make this users under admin group by dragging the
admin from left to right box under the group memberships.
No we go to the system menu on the top and select advanced option.
Under admin access pages we select HTTPS as our protocol.
Then we scroll down and we check the boxes for the Enable Secure shell and we type in
custom port 8022 for the SSH port.
Then we click save.

Now we need to open port 8022. In order to do that we need to make firewall rule opening the
SSH port for the SSH access with the alias we made earlier.
We hover over to the firewall menu and select Rules this time.
Now if we see under LAN we see the port 8022 is already been opened by the firewall. pfSense
did that automatically for us.
So what if we want to close this port access for our Ubuntu machine from which we are
accessing the web GUI of the pfsense.
So we will create firewall rules at first giving SSH access to only two of our machine in the LAN
net.
In order to do that we click on add rules in the LAN option of the firewall page.
Here we select pass for the action option.
Interface as LAN, protocol as TCP.
In the source option we select single host or alias from the dropdown menu of the Type options
and if we type in SSH in the address field we will see it automatically finds out SSH_access
(192.168.0.200-192.168.0.201) alias we created before which basically is placeholder for the IP
address of our two machines.
Then in the destination option of Address field we type in the LAN I9192.168.0.3) IP of our
pfSense em0 by selecting single host in the type menu.
Now in the destination range we are opening up one custom SSH port only so in destination
port range we fill in 8022 in the from field only.
We can log the packets handled by this rule and click save to finish the rule.
Now we see the rule has been created in the firewall LAN rule page.

Now to test that we can access the SSH server of pfSense from the Ubuntu we fire up putty
client and login as admin from the Ubuntu machine.
We see from the status menu and system log that our machine was logged in as admin via SSH
Now we want to block this same machine from accessing the SSH server.
We will make block rule.
So go firewall then rules drop down menu and select LAN.
Now we choose Block as the action type and from source address we type in the Ubuntu IP
Address (192.168.0.200) and for the destination we type in the pfSense LAN interface IP
address.
And for the Port range we type in 8022.Click save.
We will see that our newly created blocked rule is under the pass rule we made earlier hence
our Ubuntu machine still get access to the SSH server.
As the firewall rules work top down processing one by one as in the pass rule it already give
Ubuntu machines IP(192.168.0.200) access it cannot block it later on.
Here is the screenshot below of Ubuntu still getting access to the SSH server.
So now we have to drag the block rule on top of the pass rule by selecting the checkbox of the
block rule and selecting the hand button of pass rule so that our block rule goes on top of the
pass rule.
Now we apply changes to take its effect.
Now we fire up the putty from the Ubuntu machine and we see we can’t get access to the SSH
server and if we see the firewall system logs we find out it was blocked by our rule.
See the screenshot below

This way we can make use of Alias and create pfsense firewall rules to block out any
hosts/Ports within LAN/WAN.