pfSense and Smoothwall Firewalls (Linux)


    VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY

    UNIVERSITY OF SCIENCE

    FACULTY OF INFORMATION TECHNOLOGY

    =======0o0=======

    LINUX PRESENTATION REPORT

    TOPIC: 01

    A STUDY OF THE PFSENSE AND SMOOTHWALL FIREWALLS

    Supervisor: L Ngc Sn.

    Presenting group:

    Nguyn Ch Tm-0964125.

    ng Quang Tn-0964127.

    Task assignment:

    Student ID   Full name       Task
    0964125      Nguyn Ch Tm     Study Smoothwall
    0964127      ng Quang Tn     Study pfSense

    Table of Contents

    I. What is a firewall?
      1. Definition.
      3. Components of a firewall
      4. Limitations of a firewall
    II. The pfSense firewall.
      1. Introduction to the pfSense firewall
      2. Main functions of the pfSense firewall
        2.1: Aliases.
        2.2: Rules.
        2.3: Firewall Schedules.
        2.4: NAT.
        2.5: Traffic shaper (bandwidth management).
        2.6: Virtual IPs.
      3. Some pfSense services
        3.1: Captive portal
        3.2: DHCP Server.
        3.3: DHCP Relay.
        3.4: Load Balancing.
        3.5: VPN PPTP.
        3.6: Other functions.
      4. Lab model.
      5. Installing the pfSense firewall, configuring interfaces and the DHCP server.
        5.1: Installing pfSense.
        5.2: Configuring the network cards of the pfSense machine.
        5.3: Setting the IP and enabling DHCP for the LAN.
        5.4: The client machine requests an IP from pfSense
      6. Configuring some pfSense services
        6.1: Configuring pfSense and the load balancer
        6.2: Configuring the VPN server
        6.3: Bandwidth management with the Traffic Shaper
      7. Evaluation
    III. THE SMOOTHWALL FIREWALL.
      1. Introduction to the Smoothwall firewall.
      2. The 3 operating modes Smoothwall Express offers at install time.
      3. Network configuration types.
      4. Advantages.
      5. Limitations.
      6. Some Smoothwall functions.
        6.1: IP block
        6.2: WebProxy
        6.3: Outgoing
        6.4: IDS
        6.5: Remote Access
        6.6: DHCP
        6.7: Timed Access
        6.8: POP3 proxy
        6.9: Interface
        6.10: Time
        6.11: Static DNS
        6.12: IM proxy
      7. Installing and configuring Smoothwall
        7.1: Installation: insert the Smoothwall Express CD or ISO file.
        7.2: Configuring Smoothwall.
        7.3: Configuring DHCP.
        7.4: Configuring the web proxy.
        7.5: Configuring the IDS (Snort)
        7.6: Enabling SSH remote access.
        7.7: Installing additional functions for Smoothwall

    University of Science

    Faculty of Information Technology

    FIREWALL ON LINUX

    I. What is a firewall?

    1. Definition.

    The term "firewall" comes from a construction design technique for stopping and limiting the spread of fire. In network technology, a firewall is a technique integrated into a network to counter unauthorized access, in order to protect internal information sources and limit unwanted intrusion into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks.

    A firewall is usually placed between the internal network (intranet) of a company, organization, sector or country and the Internet. Its main role is to keep information secure, block unwanted access from outside (the Internet), and forbid access from inside (the intranet) to certain addresses on the Internet.

    An Internet firewall is a set of devices (hardware and software) placed between the network of an organization, company or country (the intranet) and the Internet.

    2. Functions.

    The main function of a firewall is to control the flow of information between the intranet and the Internet.

    [Figure: Intranet, firewall, Internet]

    Specifically, it can:

    - Allow or forbid internal services from reaching the outside.
    - Control users and the access those users make.
    - Allow or forbid outside services from reaching the inside.
    - Control the addresses that may connect, and block addresses.
    - Monitor the network data flow between inside (intranet) and outside (Internet).

    3. Components of a firewall

    A standard firewall consists of one or more of the following components:

    - Packet filter (packet-filtering router)
    - Application gateway (application-level gateway or proxy server)
    - Circuit gateway (circuit-level gateway)

    4. Limitations of a firewall.

    A firewall is not intelligent in the way a person is: it cannot read and understand each kind of information and judge whether its content is good or bad. A firewall can only block intrusion from unwanted sources, and only when their address parameters have been clearly specified.

    A firewall cannot stop an attack that does not "pass through" it. Concretely, a firewall cannot defend against an attack arriving over a dial-up line, or against information leaking because data was illegally copied onto a floppy disk.

    A firewall also cannot defend against data-driven attacks, in which a program is delivered by e-mail, passes through the firewall into the protected network, and starts running there.

    Computer viruses are one example. A firewall cannot scan the data passing through it for viruses, because of its processing speed, the constant appearance of new viruses, and the many ways of encoding data that escape the firewall's control.

    II. The pfSense firewall.

    1. Introduction to the pfSense firewall:

    pfSense is a free, open-source customized distribution of FreeBSD built for use as a firewall or router.

    pfSense can be administered easily through a web interface.

    pfSense includes a large number of features and is widely used, from SOHO up to

    pfSense is a complete firewall software package that can be installed on a PC or an embedded PC. As free software developed on a version of FreeBSD, pfSense is simple to install and compatible with a low-spec PC.

    Another fairly important point is that the hardware needed to install and run pfSense is not as demanding as that of current new software. A P3 machine with 128 RAM and a 1 GB HDD is enough to build a pfSense firewall that protects the internal network.

    2. Main functions of the pfSense firewall:

    2.1: Aliases.

    With this feature we can group different ports, hosts or network(s) and give them a common name, so that rules can be set up more easily and quickly. To reach the pfSense aliases, go to Firewall => Aliases.

    Alias types:

    - Hosts: creates a group of IP addresses
    - Network: creates a group of networks
    - Port: allows ports to be grouped, but does not allow protocols to be grouped. Protocols are specified in the rules themselves.

    2.2: Rules.

    This is where the firewall rules are stored. To reach the pfSense rules, go to Firewall => Rules.

    By default pfSense allows all traffic into and out of the system. You have to create rules to manage the network behind the firewall.

    Some of the options for Destination and Source:

    - Any: everything
    - Single host or alias: one IP address or one alias.
    - LAN subnet: the LAN network
    - Network: a network address
    - LAN address: all internal network addresses
    - WAN address: all external network addresses
    - PPTP clients: clients connecting over VPN using the PPTP protocol
    - PPPoE clients: clients connecting over VPN using the PPPoE protocol

    2.3: Firewall Schedules.

    Firewall rules can be scheduled so that they are active only at certain times of day, on specific dates, or on certain days of the week.

    This is a very useful mechanism because it matches the practical needs of businesses that want to manage employees' Internet use during office hours.

    To create a new schedule, go to Firewall => Schedules and press the + sign.

    Example: here we create a schedule named GioLamViec for November, Monday to Saturday, from 7:00 to 17:00.

    When done, press Add Time => Save.

    2.4: NAT.

    In the Firewall menu you can also configure NAT settings if you need port forwarding for services, or static (1:1) NAT for specific hosts.

    The default NAT setting for outbound connections is Automatic outbound NAT, but you can switch to Manual outbound NAT if needed.

    Example: here we NAT port 1723 (PPTP) for the VPN configuration, with the NAT IP 192.168.2.100.

    2.5: Traffic shaper (bandwidth management).

    The Traffic Shaper feature helps you monitor and manage network bandwidth more easily and effectively.

    To configure the Traffic Shaper, choose Firewall => Traffic Shaper => Next.

    The Traffic Shaper supports:

    - Voice over IP.
    - Peer-to-peer networks such as BitTorrent and CuteMX.
    - Gaming networks such as BattleNET and Battlefield2, and some online games.

    2.6: Virtual IPs.

    Virtual IPs are used to let pfSense forward traffic correctly for things such as NAT port forwards, outbound NAT and 1:1 NAT. They also enable features such as failover, and can let services on the router bind to different IP addresses.

    CARP.

    - Can be used by the firewall itself to run services, or be forwarded
    - Generates layer 2 traffic for the VIP
    - Can be used for clustering (master firewall and standby failover firewall)
    - The VIP is in the same subnet as the real interface's IP
    - Will answer ICMP ping if the firewall rules allow it.

    Proxy ARP.

    - Cannot be used by the firewall itself, but can be forwarded
    - Generates layer 2 traffic for the VIP
    - The VIP can be in a different subnet from the real interface's IP
    - Does not answer ICMP ping packets.

    Other.

    - Can be used if the provider routes your VIP to you anyway, without needing layer 2 messages
    - Cannot be used by the firewall itself, but can be forwarded
    - The VIP can be in a different subnet from the interface IP
    - Does not answer ICMP ping.

    3. Some pfSense services

    3.1: Captive portal

    The captive portal lets the admin redirect clients to another web page, where the client may have to authenticate before connecting to the Internet. The captive portal feature is under Services / Captive portal.

    Captive portal: fine-tunes the captive portal functions.

    - Enable captive portal: tick this to use the captive portal.
    - Maximum concurrent connections: limits the connections per IP/user/MAC.
    - Idle timeout: if an IP makes no network access for a set time, the connection of that IP/user/MAC is dropped.
    - Hard timeout: limits the connection time of each IP/user/MAC.
    - Logout popup window: shows a popup notification to the IP/user/MAC.
    - Redirect URL: the URL the user is sent to after logging in.

    Pass-through MAC: the MAC addresses configured here are passed through without authentication.

    Allowed IP address: the IP addresses configured here are not authenticated.

    Users: creates local users for the "local user" authentication type.

    File Manager: uploads the captive portal's management page to pfSense.

    There are 3 client authentication types:

    - No authentication: pfSense redirects the user to a given page without authenticating.
    - Local user manager: pfSense supports creating users for authentication.
    - RADIUS authentication: authentication through a RADIUS server (the RADIUS IP address, port, ... must be specified).

    3.2: DHCP Server.

    This service lets pfSense hand out IP addresses and configuration information to the clients on the LAN.

    The feature is under Services => DHCP server.

    Enable dynamic IP assignment for the client machines.

    A permanent IP address can be assigned to any computer on the network.

    3.3: DHCP Relay.

    This service lets pfSense forward the IP requests of clients in a given subnet to a specified DHCP server.

    Only one of the two services, DHCP server or DHCP relay, may run at a time.

    3.4: Load Balancing.

    With this function you can distribute network traffic, also known as network load balancing.

    There are 2 kinds of load balancing on pfSense:

    Gateway load balancing: used when there are several WAN connections. When a client inside the LAN wants to connect out to the Internet, pfSense picks a WAN card and sends the packet out through it, which balances the load across the links.

    Server load balancing: balances load across your own servers. It is commonly used for web servers and mail servers, and a server that stops responding is removed.

    3.5: VPN PPTP.

    To use this function, go to VPN => PPTP.

    - Select Enable PPTP server to turn on the VPN feature
    - Server address: the server address the client will connect to
    - Remote address range: the range of IP addresses handed out when a VPN client connects
    - RADIUS: authenticate through RADIUS

    Select Save and switch to the User tab to create accounts.

    Rules must be created to allow the VPN clients to access the network.

    Finally, on the VPN client, create a connection to the VPN server.

    3.6: Other functions.

    System Log: tracks all activity of the pfSense system and of the services pfSense provides. Every system and service activity is recorded.

    System Status: lists information about the state of the system.

    Service Status: shows the status of every service in the system. Each service has two states: running, stopped.

    Interface Status: shows information about all network cards.

    RRD Graph: shows information as graphs. The information RRD Graph displays is: System, Traffic, Packets, Quality, Queues.

    4. Lab model.

    In this model the two routers, ROUTER ADSL1 and ROUTER ADSL2, are emulated by 2 win2k3 machines.

    The LAN branch is on the network 10.0.0.0/24.

    There are 2 WAN branches: 192.168.1.0/24 and 192.168.2.0/24.

    The pfSense firewall machine has 3 network cards: 1 card, eth0 (host-only), for the LAN (internal network) and 2 bridged cards (eth1 and eth2) for the WAN (external network).

    Router ADSL1: 192.168.1.200

    Router ADSL2: 192.168.2.200

    eth0: 10.0.0.10/24

    eth1: 192.168.1.100/24

    eth2: 192.168.2.100/24

    5. Installing the pfSense firewall, configuring interfaces and the DHCP server.

    5.1: Installing pfSense.

    On the machine that will run pfSense, insert the pfSense-1.2.3-LiveCD.iso disc to install.

    The "Welcome to FreeBSD!" screen welcomes us to the open-source pfSense firewall.

    - Select 99 to start the installation.
    - Select Accept these settings to accept installing pfSense.
    - Select install pfsense to start installing pfSense to the hard disk.
    - Select the hard disk pfSense should be installed on.
    - Select Format this Disk to reformat the disk using the pfSense installer itself.
    - Select Use this geometry to format the cylinders, heads and sectors according to the pfSense defaults.
    - Format ad0: starts formatting with the settings above.
    - Select Partition Disk to create a partition on the disk.
    - Select Accept and Create to accept creating the partition.
    - Select Yes, Partition ad0 to confirm creating the partition.
    - Select OK.
    - Select: set the partition as Primary.
    - Select OK.
    - Select Accept and Create.
    - Select
    - Select Accept and Install Bootblocks to accept writing the boot blocks to the disk.
    - Select OK.
    - Select reboot to restart the machine.

    The installation of pfSense on the machine is complete.

    5.2: Configuring the network cards of the pfSense machine.

    - Enter an Option: 1. Select 1 to start setting up the interfaces.
    - Do you want to setup VLANs now -> type n -> Enter.
    - Type em0 to set the LAN interface.
    - Type em1 to set the WAN interface.
    - Type em1 to set the opt1 interface (the WAN2 interface).
    - After setting the interfaces, leave the prompt blank and press Enter.
    - Select Y to proceed with the network card setup.

    5.3: Setting the IP and enabling DHCP for the LAN

    - Enter an Option: select 2 to set the IP for an interface.
    - Set the IP for the LAN interface: 10.0.0.10. This is the IP pfSense uses on the internal network.
    - Enter the new LAN subnet bit count: 24 -> Enter.
    - Select Y to enable DHCP so that IPs are handed out to the client machines (internal network).
    - Start of the IP range, the first IP handed out to clients: 10.0.0.50
    - End of the IP range, the last IP handed out to clients: 10.0.0.100

    When this is complete, the LAN card has the IP 10.0.0.10 and DHCP hands out the range 10.0.0.50 to 10.0.0.100 to the internal client machines.

    5.4: The client machine requests an IP from pfSense

    Run the command: ipconfig /release

    Run the command: ipconfig /renew

    6. Configuring some pfSense services:

    6.1: Configuring pfSense and the load balancer.

    a. Configuring pfSense

    From the client machine, configure pfSense through the web interface.

    The login name / password is: admin/pfsense

    - Select Next.
    - Enter the DNS server for the pfSense machine -> Next.
    - Select Next.
    - Choose a static IP for the WAN1 interface.
    - Set the IP for the WAN1 interface => select Next.
    - Select Next.
    - Set a new password for the WebGUI admin => select Next.
    - Select Reload.
    - Click pfSense to enter the pfSense configuration interface.
    - Select OPT1 to set the IP for the WAN2 interface.
    - Select Enable Optional 1 Interface => Description: WAN2 => Type: Static.
    - Set the IP for the WAN2 interface.

    b. Configuring load balancing

    - Under Services, select Load Balancer.
    - Select +.
    - Name => Load balancer. Type -> select Gateway. Under Behavior => select Load Balancing.
    - Add WAN to the load balancing list: Monitor IP => WAN's gateway. Interface => WAN. Then click Add to Pool.
    - Add WAN2 to the load balancing list in the same way. Then select Save.

    Both default gateways have now been added to the list.

    Set up a rule for load balancing. Go to Firewall => Rules.

    - Select +.
    - Interface: WAN
    - Gateway -> select LOAD BALANCER. Destination: WAN1. Select Save.
    - Select Apply Changes.
    - Set up WAN2 in the same way.

    Check the state of the load balancing just configured. Go to Status => Load balancer.

    The load balancing mechanism is working well. Both Internet lines are Online.

    6.2: Configuring the VPN server

    a. Configuring the VPN server

    - Go to VPN => PPTP.
    - Select Enable PPTP server.
    - Server address: 192.168.2.100. Remote address range: 192.168.2.208/28
    - Select Save.
    - On the Users tab, select +.
    - Create the user VPN/1234 so that the VPN client machine can connect to the VPN server.
    - Create a rule opening port 1723: on the PPTP VPN tab, select +.
    - Interface: PPTP
    - Gateway: LOAD BALANCER
    - Description: vpn qua load balancer
    - Select Save.
    - Select Apply changes.

    b. Configuring inbound NAT so that VPN clients can connect to pfSense

    - Menu Firewall => NAT
    - In the NAT screen, select +.
    - Interface: select PPTP
    - External address: any
    - Protocol: TCP
    - External port range: PPTP
    - NAT IP: (the WAN2 IP of the pfSense machine)
    - Destination: give a name to the VPN port opening.
    - Select Save.
    - Select Apply Changes.

    c. Configuring the VPN on an outside client connecting back to pfSense.

    - On the client machine (VPN client), start the New Connection Wizard.
    - Select: Connect to the network at my workplace.
    - Select: Virtual Private Network Connection
    - Company Name: VPN
    - Type the WAN2 IP: 192.168.2.100
    - Select My use only.
    - Select Finish.
    - Log in to the VPN server with the user name / password vpn/1234.

    Login succeeds.
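
    The lab's addressing from sections 4, 5.3 and 6.2 can be checked before it is typed into the console and the WebGUI. The script below is an added example, not part of the original report; `check_pool`, `cidr_pool` and `audit_lab` are hypothetical helper names, and the mistyped range end in the last lines is a constructed input.

```python
import ipaddress as ipa

# Addresses copied from the lab on this page (sections 4, 5.3 and 6.2).
LAN = ipa.ip_network("10.0.0.0/24")
WAN2 = ipa.ip_network("192.168.2.0/24")
STATIC = {
    "pfSense eth0 (LAN)": "10.0.0.10",
    "pfSense eth1 (WAN1)": "192.168.1.100",
    "pfSense eth2 (WAN2)": "192.168.2.100",
    "Router ADSL1": "192.168.1.200",
    "Router ADSL2": "192.168.2.200",
}


def check_pool(name, first, last, subnet, static=STATIC):
    """Return a list of problems found in the inclusive pool first..last."""
    lo, hi = ipa.ip_address(first), ipa.ip_address(last)
    problems = []
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in subnet:
            problems.append(f"{name}: {label} {addr} is outside {subnet}")
    if lo > hi:
        problems.append(f"{name}: start {lo} is above end {hi}")
    # Handing out an address a device already holds causes an IP conflict.
    for owner, addr in static.items():
        if lo <= ipa.ip_address(addr) <= hi:
            problems.append(f"{name}: contains {addr}, already used by {owner}")
    return problems


def cidr_pool(cidr):
    """Expand 'start/prefix' into (first, last).

    strict=True raises ValueError when the start address is not on the
    block boundary, i.e. when the range would not begin where it was typed.
    """
    net = ipa.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1])


def audit_lab():
    """Run every check for the lab and return {pool name: problems}."""
    return {
        "DHCP": check_pool("DHCP", "10.0.0.50", "10.0.0.100", LAN),
        "PPTP": check_pool("PPTP", *cidr_pool("192.168.2.208/28"), WAN2),
    }


if __name__ == "__main__":
    for pool, problems in audit_lab().items():
        print(pool, "OK" if not problems else problems)
    # Constructed mistake: a mistyped range end that falls outside the LAN.
    print(check_pool("DHCP", "10.0.0.50", "10.10.10.100", LAN))
```

    The /28 written in section 6.2 expands to 192.168.2.208 through 192.168.2.223, which stays clear of both the pfSense WAN2 address and Router ADSL2.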

    6.3. Bandwidth management with the Traffic Shaper

    - Menu Firewall -> Traffic Shaper
    - Select Next.
    - For Inside select LAN => enter the download speed of the line.
    - For Outside select WAN => enter the upload speed of the line.
    - Select Next.
    - Select Next.
    - Select Next.
    - Select Next.
    - Tick Prioritize Network gaming traffic.
    - Also tick BattleNET.
    - Select Next.
    - Select Next => select Finish.

    The Traffic Shaper is now set up and we can start configuring it.

    Selecting Firewall -> Traffic Shaper shows the following screen:

    - Select the Queues tab.
    - Tick qwandef, then click "e".
    - Tick Upper limit.
    - For M2 enter 70%.
    - Select Save, then Apply changes to store it.
    - Next, tick qlandef, then click "e".
    - Tick Upper limit.
    - For M2 enter 70%.
    - Select Save, then Apply changes to store it.

    Go back to the Rules tab. Click the + sign to add a new rule for game download traffic.

    Example for the game Kiếm Thế, which uses TCP and ports 6041 -> 6047:

    - Target: select qGameDown / qGameUp
    - In Interface: select WAN
    - Out Interface: select LAN
    - Destination port range: in From enter 6041, in To enter 6047, as shown in the figure
    - Description: enter the name of the game.
    - Save -> Apply changes

    In the same way, click the + sign to add a new rule for game upload traffic:

    - Target: select qGameUp / qGameDown
    - In Interface: select LAN
    - Out Interface: select WAN
    - Destination port range: in From enter 6041, in To enter 6047, as shown in the figure
    - Save -> Apply changes

    The bandwidth configuration steps are complete.

    In this exercise the bandwidth is split into 2 parts: 30% for games and 70% for other services.

    7. Evaluation:

    a. Advantages:

    - Easy to configure through the web interface.
    - Free.
    - Features can be added through add-on packages.

    b. Limitations:

    - Configuration requires the user to have some basic knowledge.
    - There is still no URL filtering feature like that of commercial devices.
    - A modem has to be provided separately.

    III. THE SMOOTHWALL FIREWALL.

    1. Introduction to the Smoothwall firewall.

    SmoothWall Express originates from SmoothWall GPL.

    SmoothWall GPL was released in August 2000 and was developed by Lawrence Manning and Richard Morrell.

    Smoothwall Express is an open-source firewall based on the Linux platform.

    Smoothwall Express is configured through a web interface that is easy to use and configure.

    Smoothwall Express lets you easily build a firewall to protect a computer system connected to the Internet.

    SmoothWall Express can work with almost any Intel Pentium based computer.

    Another fairly important point is that the hardware needed to install and run Smoothwall is not as demanding as that of current new software.

    2. The 3 operating modes Smoothwall Express offers at install time.

    - Open: Smoothwall Express allows all outgoing requests.
    - Half-Open: this is the default mode. Smoothwall Express allows most outgoing requests and blocks those that are potentially dangerous.
    - Closed: Smoothwall blocks all outgoing requests.

    3. Network configuration types.

    - Green: the network card connected to the internal network that needs protecting.
    - Red: the network card connected to the Internet or an external network.
    - Orange: the network card connected to the DMZ network.
    - Purple: the network card connected to the wireless network.

    4. u im.

    Khng i hi cu hnh my cao.(mt PC c 32-bit Intel hoc i386,t mt

    cu hnh thp nh processor46,Intel Pentium vi 128Mb b nh ram, 2Gb

    a cng cng c th ci t moothwall)

    Bo v c cc mng cc b Lan t nhng xm nhp khng cho php t

    bn ngoi mng v chng virus Trojan

    Easy to install (it can be installed with little knowledge of GNU/Linux).

    Supports many kinds of network cards, modems and other hardware.

    Supports many ways of connecting to the internet through different ISPs.

    With SWE, setting up and starting the application is easy.

    Easy to use and manage through a web interface.

    Supports a wide range of features, including: Proxy Server, IDS, Logging, Traffic Graphs, DHCP, VPN, Dynamic DNS, Port Forwarding, Server Health and Access Control.

    5. Limitations.

    Supports only 1 processor and 1 GB of RAM.

    Smoothwall Express cannot help recover any lost data.

    All data on the hard disk is erased during installation.

    Lacks the technical support that commercial products have.

    6. Some Smoothwall features.

    6.1. IP block:

    Lets you block external IP addresses from accessing the Smoothwall server or the computers inside the network.

    The modes are Drop packet, Reject packet, and log.

    Drop packet: a packet whose IP address is in the block list is discarded.

    Reject packet: in this case the packet is also discarded, but a notification is sent back to the source machine.

    Logging is also supported.
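
The drop, reject and log behaviour described in 6.1, written out as the equivalent iptables rules on a generic Linux firewall. This is an added example, not Smoothwall's own code: the function names, the choice of the INPUT and FORWARD chains, the log prefix and the sample addresses are assumptions, and the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example: prints iptables rules for a block list; nothing is applied.

# valid_ipv4 ADDR: succeeds for a dotted quad with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# block_rules MODE LOG ADDR...: one iptables command per output line.
#   MODE is drop or reject; LOG is yes or no.
block_rules() {
    mode=$1 log=$2
    shift 2
    case $mode in
        drop)   target="DROP" ;;                # discard silently
        reject) target="REJECT --reject-with icmp-port-unreachable" ;;
        *)      echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    for src in "$@"; do
        if ! valid_ipv4 "$src"; then
            echo "skipping invalid address: $src" >&2
            continue
        fi
        # Assumed chains: INPUT covers the firewall, FORWARD the hosts behind it.
        for chain in INPUT FORWARD; do
            # LOG does not end rule traversal, so it goes before the verdict.
            if [ "$log" = yes ]; then
                echo "iptables -A $chain -s $src -j LOG --log-prefix \"ipblock-$mode: \""
            fi
            echo "iptables -A $chain -s $src -j $target"
        done
    done
}

# Constructed block list (documentation ranges plus one bad entry).
block_rules reject yes 203.0.113.7 198.51.100.0/24 not-an-ip
```

With DROP the sender sees only a timeout, while REJECT returns an ICMP error immediately, which is the "notification sent back to the source machine" described above.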

    6.2. WebProxy:

    Using the Web Proxy improves access speed, makes browsing safer, and restricts unwanted websites.

    6.3. Outgoing:

    You can allow, block or limit Internet access based on the internal network cards.

    The default outgoing rules differ depending on whether you chose the Open, Half-Open or Closed mode at installation.

    6.4. IDS:

    The IDS is responsible for detecting security violations outside your network.

    This service only detects intrusions; it does not block them.

    The IDS can also distinguish between attacks from inside (from people within the company) and attacks from outside (from hackers).

    6.5. Remote Access:

    When this is enabled, you can access SmoothWall Express remotely using the SSH service.

    6.6. DHCP:

    Configures and enables SmoothWall's DHCP service, which automatically allocates LAN IP addresses to your network clients.

    DHCP provides computers with an IP address, DNS settings,

    6.7. Timed Access:

    Smoothwall lets you allow or deny Internet access during a specific time period of the day for a specific group of machines.

    6.8. POP3 proxy:

    SmoothWall Express can scan POP3 email for viruses as it is downloaded from the mail server.

    An email that contains a virus is replaced with an explanatory email that carries the details of the original email, including the name of the virus detected.

    6.9. Interface:

    This is where you can configure and adjust the addresses of the Green, Orange, Purple and Red interfaces, DNS and the default gateway.

    6.10. Time.

    You can configure the date and time of SmoothWall Express and synchronize the time with a server on the network.

    6.11. Static DNS:

    SmoothWall Express can create a table of local hostnames that can be used by SmoothWall Express and by the computers on the Green and Purple networks.

    SmoothWall Express's DNS service resolves hostnames for all machines that use the service, including SmoothWall Express itself.

    6.12. IM proxy.

    SmoothWall Express's Instant Messenger (IM) proxy service lets you log in, chat over IM and transfer files on the Green and Purple networks if it is enabled.

    7. Installing and configuring Smoothwall:

    7.1. Installation:

    Insert the Smoothwall Express CD or ISO file.

    The Smoothwall Express interface screen.

    Press Enter to continue.

    Select OK to begin the installation.

    A prompt to insert the Smoothwall CD into the CD-ROM drive.

    The installer partitions the hard disk and installs the system files onto it.

    A warning that all data on the hard disk will be erased; select OK to continue the installation.

    The installation then runs; if it succeeds, the following message appears.

    Choosing Yes means upgrading Smoothwall from an existing Smoothwall installation. We choose No to start configuring the newly installed Smoothwall.

    Select the language.

    Enter the hostname.

    In the default mode, Smoothwall Express allows most outgoing requests and blocks those that are potentially dangerous.

    Select the network type to configure the network, then select OK.

    Select the Green and Red interface type.

    Configure the network cards:

    Configure the IP address for the GREEN card.

    Configure the IP address for the RED card.

    Enable DHCP so that the RED card requests its IP address automatically.

    A prompt to confirm the change; select OK.

    Select Probe.

    Select OK.

    Enter the DNS and gateway, then select OK.

    Enable DHCP.

    Set the password for admin.

    Set the password for root.

    Installation complete. Select OK to reboot.

    Use the ifconfig command to check the IP addresses of eth0 and eth1.

    Try pinging out to the network.

    7.2. Configuring Smoothwall.

    Use the address 172.29.0.10:81 to work with Smoothwall.

    The user name/password is: admin/1234.

    The Smoothwall configuration interface.

    7.3. Configuring DHCP.

    Range: 172.29.0.100-172.29.0.200

    DNS: 172.29.1.1

    On the client machine.

    Request an IP address.

    7.4. Configuring the web proxy.

    This feature needs to be set to Enabled.

    On the client machine, configure the LAN settings.

    Test it.

    7.5. Configuring the IDS (Snort):

    An oink code is needed to update the rules. To get an oink code, register an account at www.snort.org, log in, then copy the oink code.

    Enter the oink code to update the rules.

    7.6. Enabling SSH remote access.

    Just check the 2 items shown in the figure and Save.

    On the client, connect remotely to Smoothwall using PuTTY.

    Log in with the account root/12345.

    7.7. Installing additional packages for Smoothwall.

    To add features such as Advanced Proxy and URL filter, go to:

    http://www.advproxy.net/download.html

    a. Download URL filter. Click Download URL filter as shown in the figure.

    Right-click I agree with these terms. Choose Copy Link Location to copy the link.

    Run the command shown in the figure to download URL filter.

    Extract the archive.

    Install the URL filter package.

    b. Do the same for the Advanced Proxy package.

    c. Verify the installation.