LINUX PRESENTATION REPORT, TOPIC 01: A STUDY OF THE PFSENSE AND SMOOTHWALL FIREWALLS
Supervisor: Lê Ngọc Sơn. Presenting group: Nguyễn Chí Tâm (0964125), Đặng Quang Tân (0964127).

Division of work:
  0964125  Nguyễn Chí Tâm  Study of Smoothwall
  0964127  Đặng Quang Tân  Study of pfSense

Contents
I. What is a firewall? (p. 1)
  1. Definition (p. 1)
  2. Function
  3. Components of a firewall (p. 2)
  4. Limitations of a firewall (p. 2)
II. The pfSense firewall (p. 3)
  1. Introduction to pfSense (p. 3)
  2. Main functions of pfSense
    2.1 Aliases (p. 3)
    2.2 Rules (p. 4)
    2.3 Firewall Schedules (p. 5)
    2.4 NAT (p. 6)
    2.5 Traffic shaper (bandwidth management) (p. 7)
    2.6 Virtual IPs (p. 9)
  3. Some pfSense services
    3.1 Captive portal (p. 10)
    3.2 DHCP Server (p. 11)
    3.3 DHCP Relay (p. 12)
    3.4 Load Balancing (p. 13)
    3.5 VPN PPTP (p. 13)
    3.6 Other functions (p. 15)
  4. Topology (p. 15)
  5. Installing pfSense, configuring interfaces and the DHCP server (p. 16)
    5.1 Installing pfSense (p. 16)
    5.2 Configuring the pfSense network cards (p. 26)
    5.3 Setting the IP and the DHCP range for the LAN (p. 27)
    5.4 A client obtaining an IP from pfSense (p. 29)
  6. Configuring some pfSense services (p. 31)
    6.1 Configuring pfSense and load balancing (p. 31)
    6.2 Configuring the VPN server (p. 43)
    6.3 Bandwidth management with the Traffic Shaper (p. 53)
  7. Assessment (p. 63)
III. The Smoothwall firewall (p. 63)
  1. Introduction to Smoothwall (p. 63)
  2. The three operating modes chosen at install time (p. 64)
  3. Network configuration types (p. 64)
  4. Advantages (p. 64)
  5. Limitations (p. 65)
  6. Some Smoothwall functions (p. 65)
    6.1 IP block (p. 65)   6.2 Web proxy (p. 66)   6.3 Outgoing (p. 67)   6.4 IDS (p. 68)
    6.5 Remote Access (p. 69)   6.6 DHCP (p. 70)   6.7 Timed Access (p. 71)   6.8 POP3 proxy (p. 72)
    6.9 Interface (p. 73)   6.10 Time (p. 74)   6.11 Static DNS (p. 75)   6.12 IM proxy (p. 76)
  7. Installing and configuring Smoothwall (p. 77)
    7.1 Installation (p. 77)
    7.2 Configuring Smoothwall (p. 89)
    7.3 Configuring DHCP (p. 91)
    7.4 Configuring the web proxy (p. 93)
    7.5 Configuring the IDS (Snort) (p. 95)
    7.6 Enabling SSH remote access (p. 96)
    7.7 Installing additional packages for Smoothwall (p. 98)

University of Science, Faculty of Information Technology. FIREWALL ON LINUX
Firewall on Linux, Page 1
I. What is a firewall?

1. Definition. The term "firewall" comes from a building-design technique for stopping or limiting the spread of fire. In networking, a firewall is a technique built into a network to block unauthorised access, protecting internal information resources and limiting unwanted intrusion into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks. A firewall normally sits between the internal network (intranet) of a company, organisation, sector or country and the Internet. Its main role is to secure information: it blocks unwanted access from outside (the Internet) and forbids access from inside (the intranet) to certain addresses on the Internet. An Internet firewall is a set of devices (hardware and software) placed between an organisation's, company's or country's network (intranet) and the Internet.

2. Function. The main function of a firewall is to control the flow of information between the intranet and the Internet.

[Figure: Intranet <-> firewall <-> Internet]

Specifically, a firewall:
- allows or denies services inside the network access to the outside;
- controls users and their access;
- allows or denies outside services access to the inside;
- controls which addresses may connect and blocks others;
- monitors the flow of data between the inside (intranet) and the outside (Internet).

3. Components of a firewall. A standard firewall consists of one or more of the following components:
- a packet filter (packet-filtering router);
- an application-level gateway (proxy server);
- a circuit-level gateway.

4. Limitations of a firewall. A firewall is not as intelligent as a person: it cannot read and understand each kind of information and judge whether its content is good or bad. It can only block unwanted sources of traffic whose address parameters have been clearly specified. A firewall cannot stop an attack that does not pass through it; concretely, it cannot defend against an attack arriving over a dial-up line, or against information leaking because data is illegally copied onto a floppy disk. Nor can a firewall stop data-driven attacks, where a program carried in an e-mail passes through the firewall into the protected network and starts running there; computer viruses are one example. A firewall cannot scan the data passing through it for viruses, because of the speed at which it must work, the continuous appearance of new viruses, and the many ways data can be encoded to escape the firewall's control.
II. The pfSense firewall

1. Introduction to pfSense. pfSense is a free, open-source distribution customised from FreeBSD for use as a firewall or router.

pfSense can be administered easily through its web interface. It includes a great many features and is used widely, from SOHO networks up to the ... (sentence truncated in the source). pfSense is a complete firewall software package that can be installed on a PC or an embedded PC. Being free software built on FreeBSD, pfSense is simple to install and works on a low-specification PC. Another important point is that installing, configuring and using pfSense does not demand the high specifications that much current software does: a Pentium III with 128 MB of RAM and a 1 GB hard disk is enough to build a pfSense firewall protecting the internal network.
2. Main functions of pfSense

2.1 Aliases. With this feature we can group different ports, hosts or networks and give the group a single name, so that rules can be written more easily and quickly. Aliases are found under Firewall => Aliases.

Alias types:
- Hosts: a group of IP addresses.
- Network: a group of networks.
- Port: a group of ports. Protocols cannot be grouped; the protocol is chosen in each rule.

2.2 Rules. This is where the firewall's rules are kept, under Firewall => Rules.

By default pfSense allows all traffic in and out of the system; you must create rules to control the network behind the firewall. Options for Source and Destination:
- Any: everything.
- Single host or alias: one IP address or an alias.
- LAN subnet: the LAN network.
- Network: a network address.
- LAN address: all internal network addresses.
- WAN address: all external network addresses.
- PPTP clients: clients connected by VPN over PPTP.
- PPPoE clients: clients connected by VPN over PPPoE.
2.3 Firewall Schedules. Firewall rules can be scheduled so that they are active only at certain times of day, on specific dates, or on certain days of the week. This is a very useful mechanism and matches a practical need of businesses that want to control employees' Internet use during office hours. To create a new schedule go to Firewall => Schedules and click +. Example: here we create a schedule named GioLamViec for November, Monday to Saturday, from 07:00 to 17:00.

When finished, click Add Time => Save.
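The interplay of aliases, first-match rules and a schedule described in 2.1 to 2.3 can be modelled in a few lines. The following is an added example written for this report, not pfSense code: the alias contents, the rule set and the packet samples are constructed, and the schedule is the GioLamViec one from the text (November, Monday to Saturday, 07:00 to 17:00).

```python
"""pfSense-style rule evaluation with aliases and a schedule (added example)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Constructed aliases, as created under Firewall => Aliases (Hosts, Network, Port groups).
ALIASES = {
    "Hosts":   {"Servers": ["10.0.0.5", "10.0.0.6"]},
    "Network": {"LAN_net": ["10.0.0.0/24"]},
    "Port":    {"WebPorts": ["80", "443"], "GamePorts": ["6041-6047"]},
}


@dataclass
class Schedule:
    """A Firewall => Schedules entry: ISO weekdays (1=Mon..7=Sun), hours, optional month."""
    name: str
    weekdays: Set[int]
    start_hour: int
    end_hour: int            # exclusive, so 7..17 covers 07:00 up to 16:59
    month: Optional[int] = None

    def active(self, when: datetime) -> bool:
        if self.month is not None and when.month != self.month:
            return False
        return when.isoweekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # alias name, IP/CIDR, or "any"
    dst: str
    dst_port: str               # alias name, "n", "lo-hi", or "any"
    description: str = ""
    schedule: Optional[Schedule] = None


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    members = ALIASES["Hosts"].get(spec) or ALIASES["Network"].get(spec) or [spec]
    return any(ip_address(addr) in ip_network(m, strict=False) for m in members)


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    for item in ALIASES["Port"].get(spec, [spec]):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, pkt: dict, when: datetime):
    """First matching rule wins (pfSense rules are 'quick'). A rule whose schedule
    is not active is skipped as if it did not exist. Returns (action, description)."""
    for r in rules:
        if r.schedule is not None and not r.schedule.active(when):
            continue
        if r.proto != "any" and r.proto != pkt["proto"]:
            continue
        if not (_addr_match(r.src, pkt["src"]) and _addr_match(r.dst, pkt["dst"])):
            continue
        if not _port_match(r.dst_port, pkt["dport"]):
            continue
        return r.action, r.description
    return "block", "default deny"      # pf's implicit default when nothing matches


def decide(rules, pkt: dict, when_iso: str):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return evaluate(rules, pkt, datetime.fromisoformat(when_iso))


# The page's schedule: GioLamViec, November, Monday to Saturday, 07:00 to 17:00.
WORK_HOURS = Schedule("GioLamViec", weekdays={1, 2, 3, 4, 5, 6}, start_hour=7, end_hour=17, month=11)

# Constructed LAN rule set. The last rule is the default LAN allow; the scheduled block
# applies only in working hours, and outside them the same traffic falls through to it.
LAN_RULES = [
    Rule("block", "tcp", "LAN_net", "any",     "GamePorts", "no gaming in working hours", WORK_HOURS),
    Rule("pass",  "tcp", "LAN_net", "Servers", "any",       "internal servers"),
    Rule("pass",  "tcp", "LAN_net", "any",     "WebPorts",  "web browsing"),
    Rule("pass",  "any", "LAN_net", "any",     "any",       "default allow LAN to any"),
]

if __name__ == "__main__":
    game = {"proto": "tcp", "src": "10.0.0.20", "dst": "203.0.113.9", "dport": 6043}
    print(decide(LAN_RULES, game, "2025-11-10T10:00"))   # ('block', 'no gaming in working hours')
    print(decide(LAN_RULES, game, "2025-11-10T20:00"))   # ('pass', 'default allow LAN to any')
```

Note that a scheduled rule is simply absent outside its window, so whatever rule follows it decides the traffic; a LAN default-allow below it means the game ports are open in the evening and on Sundays.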
2.4 NAT. In the Firewall menu you can also configure NAT, if you need port forwarding for services or static 1:1 NAT for specific hosts. The default setting for outbound connections is Automatic outbound NAT, but you can switch to Manual outbound NAT if needed.

Example: here we forward port 1723 (PPTP) for the VPN configuration, with NAT IP 192.168.2.100.
2.5 Traffic shaper (bandwidth management).

The Traffic Shaper lets you monitor and manage network bandwidth more easily and effectively. To configure it choose Firewall => Traffic Shaper => Next.

The Traffic Shaper wizard has settings for:
- Voice over IP;
- peer-to-peer networks such as BitTorrent and CuteMX;
- gaming networks such as BattleNET and Battlefield2, and a number of other online games.
2.6 Virtual IPs.

Virtual IPs let pfSense correctly forward traffic for functions such as NAT port forwarding, outbound NAT and 1:1 NAT. They also enable features such as failover, and can let services on the router bind to different IP addresses. There are three types:

CARP
- can be used by the firewall itself to run services, or be forwarded;
- generates layer 2 traffic for the VIP;
- can be used for clustering (firewall-to-firewall master/failover mode);
- the VIP must be in the same subnet as the real interface IP;
- answers ICMP ping if the firewall rules allow it.

Proxy ARP
- cannot be used by the firewall itself, but can be forwarded;
- generates layer 2 traffic for the VIP;
- the VIP may be in a different subnet from the real interface IP;
- does not answer ICMP ping.

Other
- can be used if the provider routes your VIP to you anyway, so no layer 2 announcement is needed;
- cannot be used by the firewall itself, but can be forwarded;
- the VIP may be in a different subnet from the interface IP;
- does not answer ICMP ping.
3. Some pfSense services

3.1 Captive portal. The captive portal lets the administrator redirect clients to another web page, where they may have to authenticate before connecting to the Internet. It is found under Services => Captive portal.

Captive portal tab, the portal's main settings:
- Enable captive portal: tick to use the captive portal.
- Maximum concurrent connections: limits connections per IP/user/MAC.
- Idle timeout: if an IP has not used the network for a set time, its IP/user/MAC session is disconnected.
- Hard timeout: limits the total session time of each IP/user/MAC.
- Logout popup window: shows a popup notification to the IP/user/MAC.
- Redirect URL: the URL users are redirected to after logging in.

Pass-through MAC: MAC addresses configured here are exempt from authentication.
Allowed IP address: IP addresses configured here are exempt from authentication.
Users: local users for the "local user manager" authentication type.
File Manager: upload the captive portal's pages to pfSense.

There are three client authentication types:
- No authentication: pfSense redirects users to a fixed page without authenticating them.
- Local user manager: pfSense authenticates against users created locally.
- RADIUS authentication: authentication against a RADIUS server (the RADIUS IP address, port and so on must be given).
3.2 DHCP Server. This service lets pfSense assign IP addresses and configuration information to clients on the LAN. It is found under Services => DHCP server.

Enable dynamic IP assignment for the client machines.

A permanent (static) IP address can also be assigned to any machine on the network.

3.3 DHCP Relay. This service lets pfSense forward DHCP requests from clients in a given subnet to a specified DHCP server.

Only one of DHCP server and DHCP relay may run at a time.
3.4 Load Balancing. This function distributes network traffic, also called network load balancing.

There are two kinds of load balancing in pfSense:
- Gateway load balancing: used when there are several WAN connections. When a client on the LAN connects out to the Internet, pfSense chooses which WAN card to send the packets through, balancing the load across the links.
- Server load balancing: balances load across your own servers. It is commonly used for web servers and mail servers; a server that stops responding is removed from the pool.

3.5 VPN PPTP.
To use this function go to VPN => PPTP. Tick Enable PPTP server to turn on the VPN server.
- Server address: the address clients will connect to.
- Remote address range: the IP range handed out to VPN clients when they connect.
- RADIUS: authenticate through RADIUS.

Click Save and switch to the Users tab to create accounts.

Rules must also be created allowing VPN clients to access the network.

Finally, on the VPN client, create a connection to the VPN server.
3.6 Other functions.
- System Log: tracks all activity of the pfSense system and the services it provides; every system and service event is recorded.
- System Status: lists information about the state of the system.
- Service Status: shows the state of every service on the system; each service is either running or stopped.
- Interface Status: shows information about all network cards.
- RRD Graph: shows information as graphs: System, Traffic, Packets, Quality and Queues.
4. Topology.

In this topology the two routers, ADSL1 and ADSL2, are simulated by two Windows Server 2003 (win2k3) machines. The LAN segment is 10.0.0.0/24; the two WAN segments are 192.168.1.0/24 and 192.168.2.0/24. The pfSense firewall has three network cards: eth0 (host-only) for the LAN (internal network) and two bridged cards, eth1 and eth2, for the WAN (external network).
Router ADSL1: 192.168.1.200
Router ADSL2: 192.168.2.200
5. Installing the pfSense firewall, configuring interfaces and the DHCP server.

5.1 Installing pfSense. Insert the pfSense-1.2.3-LiveCD.iso image into the machine that will run pfSense and boot it. The "Welcome to FreeBSD!" screen greets us with the open-source pfSense firewall.

Choose 99 to start the installation.
Choose Accept these settings to accept the installation settings.
Choose Install pfSense to start installing pfSense to the hard disk.
Choose <Ad0:> as the hard disk pfSense is installed to.
Choose Format this Disk to have the pfSense installer reformat the disk.
Choose Use this geometry to accept the cylinders, heads and sectors as detected by pfSense.
Format Ad0: start formatting with the settings above.
Choose Partition Disk to create the partition on the disk.
Choose Accept and Create to confirm partition creation.
Choose OK.
Choose Accept and Create.
Choose <Symmetric ...>.
Choose Accept and Install Bootblocks to write the boot blocks to the disk.
Choose OK.
Choose Reboot to restart the machine.
The installation of pfSense on the machine is complete.
5.2 Configuring the pfSense network cards. Enter an option: 1. Choose 1 to start assigning interfaces.
Do you want to setup VLANs now? Type n and press Enter.
Type em0 for the LAN interface.
Type em1 for the WAN interface.
Type em1 for interface OPT1 (WAN2).
After assigning the interfaces, leave the prompt blank and press Enter. Choose y to apply the interface assignment.
5.3 Setting the IP and the DHCP range for the LAN. Enter an option: 2, to set the interface IP.
Set the LAN interface IP: 10.0.0.10, the pfSense address facing the internal network. Enter the new LAN subnet bit count: 24, then Enter.
Choose y to enable DHCP for the client machines (internal network).
Start of the range: first IP handed to clients: 10.0.0.50. End of the range: last IP handed to clients: 10.0.0.100.
When finished, the LAN card has IP 10.0.0.10 and DHCP hands out the range 10.0.0.50 to 10.0.0.100 to the internal client machines.

5.4 A client obtaining an IP from pfSense. Run the command: ipconfig/release
Run the command: ipconfig/renew
6. Configuring some pfSense services

6.1 Configuring pfSense and load balancing.

a. Configuring pfSense. From the client machine, configure pfSense through the web interface. The login name/password is admin/pfsense.
Choose Next.
Enter the DNS server for the pfSense machine, then Next.
Choose Next.
Set a static IP for interface WAN1.
Set the IP for interface WAN1, then Next.
Choose Next.
Set a new password for the WebGUI admin, then Next.
Choose Reload.
Click pfSense to enter the pfSense configuration interface.
The pfSense configuration interface.

[Pages 35 to 46 of the report, covering the rest of the load-balancer configuration and section 6.2 (VPN server), are missing from this copy.]

Choose Apply changes.
b. Configuring inbound NAT so VPN clients can connect to pfSense.
Menu Firewall => NAT.
In the NAT screen click +.
- Interface: PPTP
- External address: any
- Protocol: TCP
- External port range: PPTP
- NAT IP: (the WAN2 IP of the pfSense machine)
- Destination: give this VPN port-forward a name.
Click Save.
Click Apply Changes.
c. Configuring the VPN on an outside client connecting to pfSense. On the client machine (VPN client), open the New Connection Wizard.
Choose: Connect to the network at my workplace.
Choose: Virtual Private Network connection.
Company Name: VPN
Enter the WAN2 IP: 192.168.2.100
Choose My use only.
Choose Finish.
Log in to the VPN server with user name/password vpn/1234.
Login successful.
6.3 Bandwidth management with the Traffic Shaper. Menu Firewall => Traffic Shaper.
Choose Next.
Set Inside to LAN and enter the line's download speed; set Outside to WAN and enter the line's upload speed.
Choose Next (four times).
Tick Prioritize network gaming traffic, also tick Battle.net, then Next.
Choose Next, then Finish. The Traffic Shaper wizard is now complete and we can start configuring it.
Choose Firewall => Traffic Shaper; the following screen appears.
Choose the Queues tab.
Tick qwandef, then click the edit (e) icon.
Tick Upper limit, enter 70% for m2, Save, then Apply changes.
Next tick qlandef, then click the edit (e) icon.
Tick Upper limit, enter 70% for m2, Save, then Apply changes.

Back on the Rules tab, click + to add a new rule for game downloads. The example is the game Kiếm Thế, which uses TCP on ports 6041 to 6047.
- Target: qGameDown / qGameUp
- In Interface: WAN
- Out Interface: LAN
- Destination port range: From 6041, To 6047, as shown
- Description: the game's name
Save, then Apply changes.

Similarly, click + to add a new rule for game uploads.
- Target: qGameUp / qGameDown
- In Interface: LAN
- Out Interface: WAN
- Destination port range: From 6041, To 6047, as shown
Save, then Apply changes.

The bandwidth configuration steps are complete. In this exercise the bandwidth is split into two parts: 30% for games and 70% for other services.
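What the two shaper rules and the 70% upper limit actually do to traffic is easier to see in a small model. This is an added example written for this report, not pfSense or pf code: the rule table mirrors the two rules above (TCP 6041-6047 per direction), the queue names and the 70% m2 value are from the page, the link speed and demands are constructed, and the allocation is a simplified model of an HFSC upper limit rather than a reimplementation of pf's scheduler.

```python
"""Traffic-shaper model for the page's queue layout (added example, not pfSense code):
rules assign traffic to queues, and an 'Upper limit' caps the default queue's share."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ShaperRule:
    in_if: str
    out_if: str
    proto: str
    dport_lo: int
    dport_hi: int
    queue: str


# The two rules created in 6.3: the game's TCP ports 6041-6047, one per direction.
RULES = [
    ShaperRule("WAN", "LAN", "tcp", 6041, 6047, "qGameDown"),   # download: in WAN, out LAN
    ShaperRule("LAN", "WAN", "tcp", 6041, 6047, "qGameUp"),     # upload: in LAN, out WAN
]
# Unmatched traffic lands in the default queue of the outgoing interface.
DEFAULT_QUEUE = {("WAN", "LAN"): "qlandef", ("LAN", "WAN"): "qwandef"}
# 'Upper limit' m2 = 70% on both default queues, as set on the page.
UPPER_LIMIT = {"qlandef": 0.70, "qwandef": 0.70}


def classify(pkt: dict) -> str:
    """Return the queue a packet is placed in; the first matching rule wins."""
    for r in RULES:
        if ((pkt["in_if"], pkt["out_if"]) == (r.in_if, r.out_if)
                and pkt["proto"] == r.proto
                and r.dport_lo <= pkt["dport"] <= r.dport_hi):
            return r.queue
    return DEFAULT_QUEUE[(pkt["in_if"], pkt["out_if"])]


def allocate(link_kbps: float, demand_kbps: Dict[str, float]) -> Dict[str, float]:
    """Share one link among the queues that currently have demand.

    A queue with an upper limit is hard-capped at that fraction of the link even when
    every other queue is idle. The bandwidth left over is shared among the uncapped
    queues by water-filling: each gets its demand or an equal share of what remains,
    whichever is smaller, so unused demand flows on to the next queue."""
    alloc: Dict[str, float] = {}
    remaining = link_kbps
    for q, d in demand_kbps.items():
        if q in UPPER_LIMIT:
            alloc[q] = min(d, UPPER_LIMIT[q] * link_kbps, remaining)
            remaining -= alloc[q]
    pending = sorted((d, q) for q, d in demand_kbps.items() if q not in UPPER_LIMIT)
    for i, (d, q) in enumerate(pending):
        share = remaining / (len(pending) - i)
        alloc[q] = min(d, share)
        remaining -= alloc[q]
    return alloc


if __name__ == "__main__":
    pkt = {"in_if": "WAN", "out_if": "LAN", "proto": "tcp", "dport": 6043}
    print(classify(pkt))                                              # qGameDown
    print(allocate(10_000, {"qlandef": 10_000, "qGameDown": 5_000}))  # {'qlandef': 7000.0, 'qGameDown': 3000.0}
    print(allocate(10_000, {"qlandef": 10_000}))                      # {'qlandef': 7000.0}
```

The last call shows the cost of using an upper limit for this split: when no game traffic is present the default queue is still held to 70%, so 30% of the link sits idle. A game rule matching only TCP also means the same game over UDP would fall into the default queue.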
7. Assessment

a. Advantages: easy configuration through the web interface; free; features can be added through add-on packages.
b. Limitations: configuring it requires some basic knowledge; there is still no URL-filtering feature like commercial appliances have; a separate modem must be provided.
III. THE SMOOTHWALL FIREWALL

1. Introduction to Smoothwall.

SmoothWall Express descends from SmoothWall GPL, released in August 2000 and developed by Lawrence Manning and Richard Morrell. Smoothwall Express is an open-source firewall based on Linux, configured through a web interface that is easy to use. It lets you easily build a firewall protecting a computer system connected to the Internet, and runs on almost any Intel Pentium-class computer. As with pfSense, an important point is that installing, configuring and using Smoothwall does not demand the high specifications that much current software does.
2. Smoothwall Express has three operating modes chosen at install time.
- Open: Smoothwall Express allows all outbound requests.
- Half-Open: the default mode; Smoothwall Express allows most outbound requests and blocks those that are potentially dangerous.
- Closed: Smoothwall blocks all outbound requests.

3. Network configuration types.
- Green: the network card connected to the internal network to be protected.
- Red: the network card connected to the Internet or external network.
- Orange: the network card connected to the DMZ.
- Purple: the network card connected to the wireless network.

4. Advantages.
- Low hardware requirements: an old 32-bit Intel or i386 PC, even as low as a 486 or Pentium processor with 128 MB of RAM and a 2 GB hard disk, can run Smoothwall.
- Protects the LAN from unauthorised intrusion from outside and from viruses and Trojans.
- Easy to install, even with little GNU/Linux knowledge.
- Supports many types of network card, modem and other hardware.
- Supports many ways of connecting to the Internet through different ISPs.
- With SWE, setting up and starting the applications is straightforward.
- Easy to use and manage through a web interface.
- A wide set of features, including: Proxy Server, IDS, Logging, Traffic Graphs, DHCP, VPN, Dynamic DNS, Port Forwarding, Server Health and Access Control.

5. Limitations.
- Supports only 1 CPU and 1 GB of RAM.
- Smoothwall Express cannot help recover any lost data; all data on the hard disk is erased during installation.
- Lacks the technical support that commercial products have.
6. Some Smoothwall functions.

6.1 IP block: lets you block outside IP addresses from reaching the Smoothwall server or the machines behind it.

The modes are Drop packet, Reject packet, and logging.
- Drop packet: a packet from an IP in the block list is silently discarded.
- Reject packet: the packet is discarded but a notification is sent back to the source machine.
- Logging of blocked packets is also supported.

6.2 Web proxy: using the web proxy improves access speed, makes browsing safer and restricts unwanted websites.
6.3 Outgoing:

You can allow, block or restrict Internet access based on the internal network cards. The default outgoing rules differ according to the mode chosen at install time: Open, Half-Open or Closed.

6.4 IDS:

The IDS detects security violations from outside your network. This service only detects intrusions; it does not stop them. The IDS can also distinguish attacks from inside (people within the company) from attacks from outside (hackers).

6.5 Remote Access:

When enabled, you can access SmoothWall Express remotely using the SSH service.

6.6 DHCP:

Configure and enable SmoothWall's DHCP service, which automatically assigns LAN IP addresses to your network clients. DHCP gives machines an IP address, DNS settings, ... (sentence truncated in the source)
6.7 Timed Access:

Smoothwall can allow or deny Internet access during a specific period of the day for a specific group of machines.

6.8 POP3 proxy:

SmoothWall Express can scan POP3 e-mail for viruses as it is downloaded from the mail server. An e-mail containing a virus is replaced with an explanatory e-mail that carries the details of the original message and the name of the detected virus.

6.9 Interface:

Here you can configure and adjust the addresses of the Green, Orange, Purple and Red interfaces, the DNS servers and the default gateway.

6.10 Time.

You can set the date and time on SmoothWall Express and synchronise it with a time server on the network.

6.11 Static DNS:

SmoothWall Express can keep a table of local hostnames usable by SmoothWall Express itself and by machines on the Green and Purple networks. SmoothWall Express's DNS service resolves hostnames for every machine using the service, including SmoothWall Express itself.

6.12 IM proxy.

SmoothWall Express's Instant Messenger (IM) proxy service lets you log IM conversations and file transfers on the Green and Purple networks when enabled.
7. Installing and configuring Smoothwall

7.1 Installation. Insert the Smoothwall Express CD or ISO file. The Smoothwall Express installer screen appears.
Press Enter to continue, then OK to start the installation.
A prompt asks to insert the Smoothwall CD into the CD-ROM drive.
The installer will partition the hard disk and install the system files onto it.
A warning that all data on the hard disk will be erased: choose OK to continue the installation.
The installation runs; if it succeeds the following message is shown.
Choosing Yes would upgrade Smoothwall from an existing installation; we choose No to start configuring the freshly installed Smoothwall.
Choose the language.
Enter the hostname.
Default mode: Smoothwall Express allows most outbound requests and blocks those that are potentially dangerous.
Choose the network type to configure, then OK.
Choose the Green and Red interface type.
Network card configuration: set the IP address of the GREEN card.
Set the IP of the RED card.
Enable DHCP so the RED card obtains its IP automatically.
Confirm the change with OK.
Choose Probe.
Choose OK.
Fill in DNS and gateway, then OK.
Enable DHCP.
Set the admin password.
Set the root password.
Installation complete; OK to reboot.
Use ifconfig to check the IPs of eth0 and eth1.
Ping out to the network to test.
7.2 Configuring Smoothwall. Use the address 172.29.0.10:81 to work with Smoothwall.
User name/password: admin/1234.
The Smoothwall configuration interface.

7.3 Configuring DHCP. Range: 172.29.0.100-172.29.0.200. DNS: 172.29.1.1.
On the client machine, request an IP.

7.4 Configuring the web proxy. The function must be set to Enabled.
On the client machine, configure the LAN settings.
Test it.

7.5 Configuring the IDS (Snort):
An oink code is needed to update the rules. To get one, register an account at www.snort.org, log in, then copy the oink code.
Enter the oink code to update the rules.

7.6 Enabling SSH remote access. Just tick the two items shown in the picture and Save.
From the client, connect to Smoothwall over SSH with PuTTY.
Log in with the account root/12345.

7.7 Installing additional packages for Smoothwall. Additional features such as Advanced Proxy and URL filter are installed from: http://www.advproxy.net/download.html
a. Download URL filter. Click Download URL filter as shown in the picture.
Right-click I agree with these terms and choose Copy link location to copy the link.
Run the command shown in the picture to download URL filter.
Extract the archive.
Install the URL filter package.
b. Do the same for the Advanced Proxy package.