Content
  Firewall
    State Table
    Network Address Translation (NAT)
      Limitations
  High Availability
    Limitations
  Server Load Balancing
  Virtual Private Network (VPN)
    IPsec
    OpenVPN
    PPTP Server
      Limitations
  Reporting and Monitoring
    RRD Graphs
    Real Time Information
  Dynamic DNS
  Captive Portal
    Limitations
  Web Proxy
  DHCP Server and Relay
  Bandwidth HD
  HAVP Antivirus
  NTOP NG
  PF Blocker
  SARG Reports
  IPS/IDS
  Hardware Components
  Web GUI Login
  Dashboard
    Traffic Graphs
    System Information
License
SafeAccess is Copyright 2005 - 2015 by NewCom International, Inc.
All rights reserved.
pfSense is Copyright 2004 - 2015 by Electric Sheep Fencing LLC
All rights reserved.
m0n0wall is Copyright 2002-2015 by Manuel Kasper (mk@neon1.net).
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Introduction
NewCom's SafeAccess security appliance is ideal for corporate networks, rural
locations, small branches and cybercafés that want to optimize their browsing
experience while providing firewall security and intrusion detection/prevention for
their users.
SafeAccess shares your existing NewCom Internet access with your Local Area
Network, providing enterprise-class network perimeter protection and exceptional
data throughput in an easy-to-manage, plug-and-protect security appliance.
This user manual is focused on the pfSense version of SafeAccess, a customized
firewall software with features and configuration scripts fine-tuned to fit NewCom
International customers' needs and network architecture.
The manual is divided into three sections: Features, which introduces the reader to
the language behind SafeAccess security and networking functionality; Getting
Started, which shows how to perform basic configuration and reporting operations;
and Troubleshooting, which guides the reader through the diagnosis, identification
and resolution of the most common issues, whether they result from the normal
operation of a network or from hardware or software malfunction.
Features
pfSense software includes the features typical of expensive commercial firewalls,
and more in some cases. The following is a list of features currently available in the
pfSense 2.1 release. All of these things are possible in the web interface, without
touching anything at the command line.
In addition to features, this page also includes all limitations of the system of which
we are aware. From our experience and the contributed experiences of thousands of
our users, we understand very well what the software can and cannot do. Every
software package has limitations. Where we differ from most is that we clearly
communicate them. We also welcome people to contribute to help eliminate these
limitations. Many of the listed limitations are common to numerous open source and
commercial firewalls.
The following is a list of basic features, which is expanded using packages to
increase options and functionality.
FIREWALL
STATE TABLE
The firewall's state table maintains information on your open network connections.
The pfSense software is a stateful firewall; by default all rules are stateful.
Most firewalls lack the ability to finely control your state table. The pfSense software
has numerous features allowing granular control of your state table, thanks to the
abilities of OpenBSD's pf.
NETWORK ADDRESS TRANSLATION (NAT)
- Port forwards, including ranges and the use of multiple public IPs
- 1:1 NAT for individual IPs or entire subnets
- Outbound NAT
  o Default settings NAT all outbound traffic to the WAN IP. In multiple
    WAN scenarios, the default settings NAT outbound traffic to the IP of
    the WAN interface being used.
  o Advanced Outbound NAT allows this default behavior to be disabled,
    and enables the creation of very flexible NAT (or no NAT) rules.
- NAT Reflection - NAT reflection is possible so services can be accessed by
  public IP from internal networks.
Limitations
PPTP / GRE Limitation - The state tracking code in pf for the GRE protocol can only
track a single session per public IP per external server. This means if you use PPTP
VPN connections, only one internal machine can connect simultaneously to a PPTP
server on the Internet. A thousand machines can connect simultaneously to a
thousand different PPTP servers, but only one simultaneously to a single server. The
only available workaround is to use multiple public IPs on your firewall, one per
client, or to use multiple public IPs on the external PPTP server. This is not a
problem with other types of VPN connections. PPTP is insecure and should no
longer be used.
HIGH AVAILABILITY
CARP from OpenBSD allows for hardware failover. Two or more firewalls can be
configured as a failover group. If one interface fails on the primary or the primary
goes offline entirely, the secondary becomes active. The pfSense software also
includes configuration synchronization capabilities, so you make your configuration
changes on the primary and they automatically synchronize to the secondary
firewall.
pfsync ensures the firewall's state table is replicated to all failover configured
firewalls. This means your existing connections will be maintained in the case of
failure, which is important to prevent network disruptions.
Limitations
Only works with static public IPs, does not work with stateful failover using DHCP,
PPPoE, or PPTP type WANs.
VIRTUAL PRIVATE NETWORK (VPN)
IPsec
IPsec allows connectivity with any device supporting standard IPsec. This is most
commonly used for site to site connectivity to other pfSense installations, other
open source firewalls (m0n0wall, etc.), and most all commercial firewall solutions
(Cisco, Juniper, etc.). It can also be used for mobile client connectivity.
OpenVPN
OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client
operating systems. See the OpenVPN website for details on its abilities.
PPTP Server
PPTP was a popular VPN option because nearly every OS has a built in PPTP client,
including every Windows release since Windows 95 OSR2. However, it's now
considered insecure and should not be used. See this Wikipedia article for more
information on the PPTP protocol.
Limitations
Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP clients
cannot use the same public IP for outbound PPTP connections. This means if you
have only one public IP and use the PPTP Server, PPTP clients inside your network
will not work. The workaround is to use a second public IP with Advanced
Outbound NAT for your internal clients. See also the PPTP limitation under NAT on
this page.
REPORTING AND MONITORING
RRD Graphs
- CPU utilization
- Total throughput
- Firewall states
- Individual throughput for all interfaces
- Packets per second rates for all interfaces
- WAN interface gateway(s) ping response times
- Traffic shaper queues on systems with traffic shaping enabled
DYNAMIC DNS
A Dynamic DNS client is included to allow you to register your public IP with a
number of dynamic DNS service providers.
A client is also available for RFC 2136 dynamic DNS updates, for use with DNS
servers like BIND which support this means of updating.
CAPTIVE PORTAL
Captive portal allows you to force authentication, or redirection to a click through
page for network access. This is commonly used on hot spot networks, but is also
widely used in corporate networks for an additional layer of security on wireless or
Internet access. For more information on captive portal technology in general, see
the Wikipedia article on the topic. The following is a list of features in the pfSense
Captive Portal.
- MAC filtering - by default, pfSense filters using MAC addresses. If you have a
  subnet behind a router on a captive portal enabled interface, every machine
  behind the router will be authorized after one user is authorized. MAC
  filtering can be disabled for these scenarios.
- Authentication options - There are three authentication options available.
  o No authentication - This means the user just clicks through your
    portal page without entering credentials.
  o Local user manager - A local user database can be configured and
    used for authentication.
  o RADIUS authentication - This is the preferred authentication method
    for corporate environments and ISPs. It can be used to authenticate
    from Microsoft Active Directory and numerous other RADIUS
    servers.
- RADIUS capabilities
  o Forced re-authentication
  o Able to send Accounting updates
  o RADIUS MAC authentication allows captive portal to authenticate to
    a RADIUS server using the client's MAC address as the user name
    and password.
  o Allows configuration of redundant RADIUS servers.
- HTTP or HTTPS - The portal page can be configured to use either HTTP or
  HTTPS.
- Pass-through MAC and IP addresses - MAC and IP addresses can be
  whitelisted to bypass the portal. Any machines with NAT port forwards will
  need to be bypassed so the reply traffic does not hit the portal. You may wish
  to exclude some machines for other reasons.
- File Manager - This allows you to upload images for use in your portal pages.
Limitations
"Reverse" portal, i.e. capturing traffic originating from the Internet and entering
your network, is not possible.
Only entire IP and MAC addresses can be excluded from the portal, not individual
protocols and ports.
WEB PROXY
Based on Squid, it is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and
more. It reduces bandwidth and improves response times by caching and reusing
frequently-requested web pages. Squid has extensive access controls and makes a
great server accelerator.
BANDWIDTH HD
BandwidthD tracks usage of TCP/IP network subnets and builds HTML files with
graphs to display utilization. Charts are built by individual IPs, and by default
display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each
IP address's utilization can be logged at intervals of 3.3 minutes, 10 minutes, 1 hour
or 12 hours in CDF format, or to a backend database server. HTTP, TCP, UDP, ICMP,
VPN, and P2P traffic are color coded.
HAVP ANTIVIRUS
HAVP (HTTP Antivirus Proxy) is a proxy with a ClamAV anti-virus scanner. Its
main aims are continuous, non-blocking downloads and smooth scanning of
dynamic and password protected HTTP traffic. HAVP supports a parent proxy mode
and a transparent proxy mode, can be used with Squid or standalone, and includes a
file scanner for local files.
NTOP NG
ntopng is a network probe that shows network usage in a way similar to what top
does for processes. It acts as a Web server, creating an HTML dump of the network
status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface
for creating ntop-centric monitoring applications, and RRD for persistently storing
traffic statistics.
PF BLOCKER
pfBlocker introduces an enhanced alias table feature to pfSense. Many IP list URLs
from sites like I-BlockList can be assigned to a single alias, after which you choose
the rule action to take. This package can also block countries and IP ranges.
SARG REPORTS
Sarg - Squid Analysis Report Generator - is a tool that generates reports about
where your users are going on the Internet.
IPS/IDS
pfSense uses Snort, an open source network intrusion detection and prevention
system (IDS/IPS), combining the benefits of signature-, protocol- and anomaly-based
inspection.
Getting Started
SafeAccess can be set to protect your network without further intervention thanks
to its highly automated functions. It is deployed as a border security appliance,
transparent to the users and ready to use. Once it has been deployed properly, the
administrator should only perform regular checks of the GUI via web access to
verify the status of services. End users should never interact with the web interface.
Troubleshooting procedures can be reviewed in the section Troubleshooting
SafeAccess later in this manual.
HARDWARE COMPONENTS
Desktop Version
DASHBOARD
The dashboard is displayed right after login. You can access the dashboard at any
time by clicking on the SafeAccess icon at the top left corner of your browser:
The dashboard shows your most used widgets for information display and
immediate visualization:
Traffic Graphs
Show real time input and output traffic per interface. You may select which
interface you want to visualize and the refresh rate, from 1 to 10 seconds. The scale
can also be adjusted. For long term graphs you will need to use RRD graphs from
the Status menu.
System Information
This may be your best source of first glance information. It tells you the system
information and resources utilization. The four last items suggest system health
based on use of memory, storage and CPU.
Notice the current version. The latest stable fine-tuned version is 2.1.5-Release.
Although new versions are available, they will break some components such as
proxy reports, anti-virus protection and other web proxy functions.
Services Status
SafeAccess comes preconfigured with several key services to help enhance your
users' web experience and provide you the tools to diagnose and identify issues.
Interfaces
This simple widget shows the IP Addresses and speed configurations of all your
SafeAccess interfaces.
SYSTEM MENU
Your SafeAccess appliance has been fine-tuned to match your specific network
architecture. Advanced System Parameters allow more advanced adjustments of
your system. Do not make changes if you don't know what you are doing. These
settings can affect and potentially cripple your system.
General Setup
The General Setup page allows changing your system name, time settings and DNS
servers. Unless you want to change your time settings, you should not need to
change these parameters when running on NewCom International networks.
INTERFACES
From this menu you can enable, disable and configure the behavior of your LAN
and WAN interfaces. By default, your WAN interface should block traffic from
private and bogon IP blocks. Bogon is also an informal name for an IP packet on the
FIREWALL
Aliases
Aliases act as placeholders for real hosts, networks or ports. They can be used to
minimize the number of changes that have to be made if a host, network or port
changes. You can enter the name of an alias instead of the host, network or port in
all fields that have a red background. If an alias cannot be resolved (e.g. because you
deleted it), the corresponding element (e.g. filter/NAT/shaper rule) will be
considered invalid and skipped.
You may create an alias for a group of critical news sites and then use the alias for
firewall rules instead of having to use all the URLs in the alias. It enables
resourcefulness and simplifies more complex configurations.
NAT
The most common function is port forwarding, which allows a device in the private
LAN to act as a server to the public WAN through specific ports. You will need to
determine:
- Interface
- Protocol
- Source (WAN IPs allowed to use this port forward rule)
- Redirect Target IP
- Redirect Target Port
pfBlocker
One of the most popular packages added to SafeAccess is pfBlocker, a simplified
but powerful firewall add-on that enables global filtering of traffic based on its
origin IP. IP blocks are grouped by country regions, so that if you want to
Rules
SafeAccess comes with preconfigured firewall rules to allow common traffic and
troubleshooting remote access from NewCom International NOC. These rules are
shown as follows:
If you need to create a new rule to allow or prevent a certain type of traffic going
through or towards your SafeAccess appliance, you need to understand these basic
concepts of pfSense firewalls:
1. Traffic can be passed (allowed), blocked (dropped) or rejected (reported as
not allowed to the sender). Use block instead of reject unless you need to
actively tell the sender you cannot receive this type of traffic (very rare).
2. A rule affects only one protocol. Identify which protocol you want to pass or
block in the rule.
3. Unless you have advanced Layer 7 regular expressions to let the firewall
process a packet based on its content, you need to specify the type of traffic
via ports.
4. You can categorize traffic based on a combination of parameters such as
schedules, regular expressions, ports, protocols, IP flags, etc., which creates
thousands of possibilities.
5. There is an intrinsic "block everything else" rule at the end of the rules list.
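The five concepts above, as a small Python model added here (example code, not SafeAccess or pfSense code): rules are evaluated top to bottom with the first match winning, each rule covers one protocol and an optional destination port range, and an implicit block rule closes the list. The LAN ruleset and sample packets are constructed for the 192.168.88.0/24 network this manual uses, and the reject feedback follows pf's "block return" behaviour (TCP RST for TCP, ICMP unreachable for UDP, silent drop otherwise).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str           # "pass", "block" or "reject"
    proto: str            # one protocol per rule; "any" matches every protocol
    src: str = "any"      # CIDR network or "any"
    dst: str = "any"      # CIDR network or "any"
    dport: Optional[Tuple[int, int]] = None  # inclusive port range; None = any port
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None:
            if pkt.dport is None:        # port rule cannot match a portless protocol
                return False
            lo, hi = self.dport
            if not lo <= pkt.dport <= hi:
                return False
        return True


# The rule the GUI never shows: anything no explicit rule matched is dropped.
IMPLICIT_DEFAULT = Rule("block", "any", descr="implicit block everything else")


def evaluate(rules: Sequence[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule description)."""
    for rule in (*rules, IMPLICIT_DEFAULT):
        if rule.matches(pkt):
            return rule.action, rule.descr
    raise AssertionError("unreachable: the implicit rule matches everything")


def sender_sees(action: str, proto: str) -> str:
    """What the sending host observes, following pf's block / block return semantics."""
    if action == "pass":
        return "delivered"
    if action == "block":
        return "silent drop (sender times out)"
    # reject: pf answers TCP with a RST and UDP with an ICMP unreachable;
    # other protocols are dropped without a response.
    if proto == "tcp":
        return "TCP RST"
    if proto == "udp":
        return "ICMP port unreachable"
    return "silent drop (no return for this protocol)"


# Constructed LAN ruleset for the 192.168.88.0/24 network used in this manual.
LAN_RULES = [
    Rule("pass", "tcp", src="192.168.88.0/24", dport=(80, 80), descr="allow HTTP"),
    Rule("pass", "tcp", src="192.168.88.0/24", dport=(443, 443), descr="allow HTTPS"),
    Rule("pass", "udp", src="192.168.88.0/24", dport=(53, 53), descr="allow DNS"),
    Rule("reject", "tcp", src="192.168.88.0/24", dport=(25, 25), descr="no direct SMTP"),
    Rule("pass", "icmp", src="192.168.88.0/24", descr="allow ping"),
]


def decide(pkt: Packet) -> Tuple[str, str, str]:
    """Evaluate one packet against LAN_RULES: (action, rule, what the sender sees)."""
    action, descr = evaluate(LAN_RULES, pkt)
    return action, descr, sender_sees(action, pkt.proto)


if __name__ == "__main__":
    samples = [
        Packet("tcp", "192.168.88.10", "203.0.113.5", 443),  # HTTPS: passes
        Packet("udp", "192.168.88.10", "203.0.113.5", 80),   # UDP/80: TCP rule does not match, default block
        Packet("tcp", "192.168.88.10", "203.0.113.5", 25),   # SMTP: rejected, sender gets a RST
        Packet("tcp", "10.0.0.7", "203.0.113.5", 443),       # wrong source network: default block
        Packet("icmp", "192.168.88.10", "203.0.113.5"),      # ping: passes
    ]
    for pkt in samples:
        print(pkt, "->", decide(pkt))
```

The UDP/80 case shows concept 2 in practice: a rule written for TCP port 80 never matches UDP, so that packet falls through to the implicit block.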
Traffic Shaper
SafeAccess provides traffic shaping based on queues. If you want to prioritize
certain type of traffic you need to understand the basics of traffic QoS and shaping.
A regular queue set will look like this, where there are certain traffic types being
processed and allowed based on their priority.
Traffic Shaping and queuing in pfSense can be accomplished in several ways. The
easiest to implement is ALTQ-based shaping with the Traffic Shaping Wizard.
Traffic Shaping configuration is based at Firewall > Traffic Shaping.
Traffic shaping (also known as "packet shaping") is the control of computer network
traffic in order to optimize or guarantee performance, lower latency, and/or
increase usable bandwidth by delaying packets that meet certain criteria. More
specifically, traffic shaping is any action on a set of packets (often called a stream or
a flow) which imposes additional delay on those packets such that they conform to
some predetermined constraint (a contract or traffic profile).
Limitations
Use of The Traffic Shaping Wizard is recommended to create a default set of rules
from which to start. The rules created by the wizard cope well with VOIP traffic, but
may need tweaking to accommodate other traffic not covered by the wizard.
There are several wizards available, the exact choices depend on the version in use.
As an example, look at shaping P2P traffic. Assuming the wizard was used, qP2P will
exist under WAN(s) and LAN(s). When a P2P app is launched, traffic will show in
these queues if it was matched by the rules created by the wizard. These queues are
designed to carry the bulk P2P traffic, which normally slows a connection down.
Other generic traffic, like web pages (HTTP), email, IM, VOIP etc. will go into other
queues.
Queue sizes and bandwidths are sized appropriately for most configurations by the
wizard, unlike older versions. In some cases they may need to be manually adjusted,
but for the majority of cases it is unnecessary.
Virtual IPs
If your WAN interface may handle more than one IP because you have been assigned
a block, you will need to declare them here and use them for NAT or other rules.
SERVICES
Antivirus
The antivirus is a transparent process that runs on all files being downloaded via
http (not https) and uses CLAM Antivirus as engine.
BandwidthHD
This service nests itself under the https port so it can be used remotely. It drops
your top 20 IPs in a list for easy inspection and it breaks the traffic down into
individual graphs for a variety of services.
BandwidthD tracks usage of TCP/IP network subnets and builds html files with
graphs to display utilization. Charts are built by individual IPs, and by default
display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each
ip address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1
hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP,
ICMP, VPN, and P2P traffic are color coded.
Captive Portal
Captive portal is configured through a wizard-like process in which you
determine which users will require authentication before being granted access to
the Internet.
You can specify authorization via
The HTML content for the captive portal must be created elsewhere and uploaded
into the portal page.
DHCP Server
By default, SafeAccess is configured as the DHCP server for the LAN 192.168.88.0/24,
providing addresses in the range from host 1 through 254.
IGMP Proxy
SafeAccess can act as multicast proxy for specific applications. This allows relaying
multicast traffic among interfaces based on IP addresses and TTL (time to live)
numbers.
NTP
This service is provided to LAN users. Do not confuse it with the NTP settings used
to synchronize SafeAccess itself with an Internet time server.
If you have an NMEA compliant GPS unit connected to the serial port you may also
use that as a reference in order to provide stratum 1 Network Time Services.
aggressive, alcohol, anonvpn, automobile_bikes, automobile_boats, automobile_cars,
automobile_planes, chat, costtraps, dating, downloads, drugs, dynamic,
education_schools, finance_banking, finance_insurance, finance_moneylending,
finance_other, finance_realestate, finance_trading, fortunetelling, forum, gamble,
government, hacking, hobby_cooking, hobby_games-misc, hobby_games-online,
hobby_gardening, hobby_pets, homestyle, hospitals, imagehosting, isp, jobsearch,
library, military, models, movies, music, news, podcasts, politics, porn, radiotv,
recreation_humor, recreation_martialarts, recreation_restaurants, recreation_sports,
recreation_travel, recreation_wellness, redirector, religion, remotecontrol,
ringtones, science_astronomy, science_chemistry, searchengines, sex_education,
sex_lingerie, shopping, socialnet, spyware, tracker, updatesites, urlshortener,
violence, warez, weapons, webmail, webphone, webradio, webtv
Proxy Server
SafeAccess proxy server has been tuned to fit most common proxy and cache
requirements. The proxy service can be restarted from the dashboard and its
settings can be adjusted from this section.
Key parameters:
- Transparent Proxy
- Bypass for private addresses
- Proxy port: 3128
- Custom options: regular syntax to allow caching some dynamic content of
  frequent use such as antivirus and Windows updates
IDS/IPS by Snort
Snort is an intrusion detection and prevention system. It can be configured to simply
log detected network events, or to both log and block them.
Snort operates using detection signatures called rules. Snort rules can be custom
created by the user, or any of several pre-packaged rule sets can be enabled and
downloaded. The Snort package currently offers support for these pre-packaged
rules:
1.
2.
3.
4.
The Snort GPLv2 Community Rules and the Emerging Threats Open Rules are both
available for free with no registration required. The Snort VRT rules are offered in
two forms. One is a registered-user version which is free, but requires registration
at http://www.snort.org. The registered-user free version only provides access to
rules that are 30-days old or more in age.
Troubleshooting
SafeAccess works out of the box provided the network (WAN) side delivers IP
addressing via DHCP and the customer has a LAN switch for their LAN computers
and devices, which also receive their addressing via DHCP.
Understand your network topology, and ideally have a diagram of your connections,
in order to figure out issues that may sound obvious; this rules out the wiring and
power related issues that often get overlooked.
KEY CONSIDERATIONS
- Power
  o Outages
  o Circuit breakers
  o 220V or 110V
- CAT-5 wiring
  o Are all cables tested and working?
  o Extended ping test among problematic devices
- LAN access from the SafeAccess appliance
  o Do devices get an IP address from SafeAccess?
  o Can they ping their default gateway 192.168.88.1?
These simple considerations help rapidly pinpoint the culprit and focus your time
on solving the real issue. The following are some advanced tools that will help you
resolve issues related to the proper functioning of SafeAccess.
As with any other network service, follow these basic instructions before contacting
your provider:
Restart all equipment in this sequence, waiting 30 seconds between each device: ISP
router/modem, SafeAccess, PC.
- ARP Table: shows the MAC address to IP table from the SafeAccess
  standpoint. This is useful to identify the hardware manufacturers of
  problematic IPs.
- DNS Lookup: helps troubleshoot DNS issues and provides Whois
  information on hostnames and IPs from the SafeAccess standpoint.
- NMAP: allows port scanning from the SafeAccess standpoint.
- NTOPng: shows advanced visualization of network traffic for known
  protocols. Blocked by default from the WAN interface. You may need to
  temporarily create a rule to allow incoming traffic to destination port 3000
  from the WAN interface.
- Packet Capture: allows quick visualization of packets on the selected
  interface without having to use tcpdump from the CLI. You may use basic
  filters and choose the level of detail.
- States: shows network connections and allows closing those connections
  in real time.
- Ping and Traceroute
Reporting Tools
These tools are found under the Status menu.
- RRD Graphs
  o System
  o Traffic
  o Packets
  o Quality
  o Queues
  o VPN
- Sarg Reports
  o View reports shows Web Proxy usage reports:
    Per User
    Per Destination
    Per Date
- Services: shows the status of all services
- System Logs
- Traffic Graphs: shows traffic in real time, including hosts