
VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY

UNIVERSITY OF SCIENCE


FACULTY OF INFORMATION TECHNOLOGY
=======0o0=======



LINUX PRESENTATION REPORT
TOPIC: 01
A STUDY OF THE PFSENSE AND SMOOTHWALL FIREWALLS


Supervisor: Lê Ngọc Sơn.
Presenting group:
Nguyễn Chí Tâm - 0964125.
Đặng Quang Tân - 0964127.
Work assignment:
Student ID   Full name         Task
0964125      Nguyễn Chí Tâm    Study of Smoothwall
0964127      Đặng Quang Tân    Study of pfSense
Table of Contents
I. What is a firewall? ........................................................ 1
1. Definition ................................................................. 1
2. Function ................................................................... 1
3. Components of a firewall ................................................... 2
4. Limitations of firewalls ................................................... 2
II. The pfSense firewall ...................................................... 3
1. Introduction to the pfSense firewall ....................................... 3
2. Some main functions of the pfSense firewall:
2.1: Aliases .................................................................. 3
2.2: Rules .................................................................... 4
2.3: Firewall Schedules ....................................................... 5
2.4: NAT ...................................................................... 6
2.5: Traffic shaper (bandwidth management) .................................... 7
2.6: Virtual IPs .............................................................. 9
3. Some pfSense services
3.1: Captive portal .......................................................... 10
3.2: DHCP Server ............................................................. 11
3.3: DHCP Relay .............................................................. 12
3.4: Load Balancing .......................................................... 13
3.5: VPN PPTP ................................................................ 13
3.6: Other functions ......................................................... 15
4. Topology .................................................................. 15
5. Installing the pfSense firewall, configuring interfaces and the DHCP server 16
5.1: Installing pfSense ...................................................... 16
5.2: Configuring the network cards of the pfSense machine .................... 26
5.3: Setting the IP and configuring DHCP to lease addresses inside the LAN ... 27
5.4: Client machine requesting an IP leased by pfSense ....................... 29
6. Configuring some services in pfSense ...................................... 31
6.1: Configuring pfSense and load balancing (load balancer) .................. 31
6.2: Configuring the VPN server .............................................. 43
6.3: Bandwidth management with the Traffic Shaper ............................ 53
7. Evaluation ................................................................ 63
III. THE SMOOTHWALL FIREWALL ................................................. 63
1. Introduction to the Smoothwall firewall ................................... 63
2. Smoothwall Express has 3 operating modes at install time .................. 64
3. Network configuration types ............................................... 64
4. Advantages ................................................................ 64
5. Limitations ............................................................... 65
6. Some functions in Smoothwall .............................................. 65
6.1. IP block ................................................................ 65
6.2. Web proxy ............................................................... 66
6.3. Outgoing ................................................................ 67
6.4. IDS ..................................................................... 68
6.5. Remote Access ........................................................... 69
6.6. DHCP .................................................................... 70
6.7. Timed Access ............................................................ 71
6.8. POP3 proxy .............................................................. 72
6.9. Interface ............................................................... 73
6.10. Time ................................................................... 74
6.11. Static DNS ............................................................. 75
6.12. IM proxy ............................................................... 76
7. Installing and configuring Smoothwall ..................................... 77
7.1. Installation: insert the Smoothwall Express CD or ISO file .............. 77
7.2. Configuring Smoothwall .................................................. 89
7.3. Configuring DHCP ........................................................ 91
7.4. Configuring the web proxy ............................................... 93
7.5. Configuring the IDS (Snort) ............................................. 95
7.6. Enabling SSH remote access .............................................. 96
7.7. Installing additional functions for Smoothwall .......................... 98
University of Science
Faculty of Information Technology
FIREWALL ON LINUX


Firewall on Linux Page 1


I. What is a firewall?
1. Definition.
The term "firewall" originates from a design technique in building construction used to stop or contain fires. In information network technology, a firewall is a technique integrated into a network system to prevent unauthorised access, in order to protect internal information resources and limit unwanted intrusion into the system.
A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks.
A firewall is usually placed between the internal network (Intranet) of a company, organisation, sector or country and the Internet. Its main role is to secure information, block unwanted access from the outside (Internet), and forbid access from the inside (Intranet) to certain addresses on the Internet.
An Internet firewall is a set of devices (including hardware and software) placed between the network of an organisation, company or country (Intranet) and the Internet:
2. Function.
The main function of a firewall is to control the flow of information between the Intranet and the Internet.

[Figure: Intranet - firewall - Internet]

Specifically:
- Allow or forbid services on the inside from accessing the outside.
- Control users and their access.
- Allow or forbid services on the outside from accessing the inside.

- Control which addresses may be accessed and block addresses.
- Monitor the flow of network data between the inside (Intranet) and the outside (Internet).

3. Components of a firewall
A standard firewall consists of one or more of the following components:
- Packet filter (packet-filtering router)
- Application gateway (application-level gateway or proxy server)
- Circuit gateway (circuit-level gateway)

4. Limitations of firewalls.
A firewall is not as intelligent as a human; it cannot understand each kind of information and judge whether its content is good or bad. A firewall can only block intrusion from unwanted information sources, and for that the address parameters must be defined clearly.
A firewall cannot stop an attack that does not "pass through" it. Specifically, a firewall cannot defend against an attack arriving over a dial-up line, or against information leaking because data is copied illegally onto a floppy disk.
A firewall also cannot defend against data-driven attacks, in which a program is delivered by e-mail, passes through the firewall into the protected network and starts running there.
Computer viruses are one example. A firewall cannot scan the data passing through it for viruses, because of its working speed, the continual appearance of new viruses, and the many ways data can be encoded to escape the firewall's control.








II. The pfSense firewall.
1. Introduction to the pfSense firewall:
pfSense is a free, open-source, customised version of the FreeBSD distribution, used as a firewall or router.

pfSense can be administered easily through a web interface.
pfSense includes a great many features and is used widely, from SOHO up to
pfSense is a complete firewall software package; it can be installed on a PC or an embedded PC. As free software developed on a FreeBSD release, pfSense is simple to install and compatible with a low-spec PC.
Another fairly important point is that installing and using pfSense does not demand hardware as powerful as newer software does. A Pentium III machine with 128 MB of RAM and a 1 GB hard disk is enough to build a pfSense firewall to protect the internal network.

2. Some main functions of the pfSense firewall:
2.1: Aliases.

With this feature we can group different ports, hosts or networks and give them a common name, so that rules can be set up more easily and quickly. To open Aliases in pfSense, go to Firewall > Aliases.



Components of Aliases:
- Hosts: creates a group of IP addresses
- Network: creates a group of networks
- Port: allows ports to be grouped but not protocols. Protocols are chosen in the rules themselves.
2.2: Rules.
Where the firewall rules are kept. To open Rules in pfSense, go to Firewall > Rules.


By default pfSense allows all traffic into and out of the system. You must create rules to manage the network behind the firewall.
Some of the options available for Destination and Source:
- Any: everything
- Single host or alias: one IP address or an alias.
- LAN subnet: the LAN network
- Network: a network address
- LAN address: all addresses of the internal network
- WAN address: all addresses of the external network
- PPTP clients: clients making a VPN connection using the PPTP protocol
- PPPoE clients: clients making a VPN connection using the PPPoE protocol

2.3: Firewall Schedules.
Firewall rules can be scheduled so that they are active only at certain times of the day, on specific dates, or on certain days of the week.
This is a very useful mechanism and it matches the practical needs of businesses that want to manage their employees' Internet use during office hours.
To create a new schedule go to Firewall => Schedules and click the + sign.
Example: here we create a schedule named GioLamViec for November, from Monday to Saturday, from 07:00 to 17:00.


After creating it, click Add Time => Save.
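The aliases, source/destination selectors and schedule described in 2.1 to 2.3 fit together as an ordered rule list; the following Python example, added here and not part of the original report or of pfSense itself, evaluates a connection against such a list the way pf does (first match wins), treating a scheduled rule as absent outside its window. The aliases AdminPCs and WebPorts, the rules and the timestamps are constructed for illustration; only the LAN subnet 10.0.0.0/24 and the GioLamViec schedule come from the report.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

LAN_SUBNET = ip_network("10.0.0.0/24")  # LAN branch from the report's topology (section 4)


@dataclass
class Schedule:
    """Firewall > Schedules: a rule carrying a schedule is only active inside this window."""
    name: str
    months: Set[int]      # 1..12
    weekdays: Set[int]    # 0 = Monday .. 6 = Sunday
    start_hour: int       # inclusive
    end_hour: int         # exclusive

    def is_active(self, when: datetime) -> bool:
        return (when.month in self.months
                and when.weekday() in self.weekdays
                and self.start_hour <= when.hour < self.end_hour)


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    proto: str                          # "tcp", "udp" or "any"
    source: str                         # "any", "lan subnet" or an address alias name
    destination: str                    # same choices
    dst_ports: str                      # "any" or a port alias name
    schedule: Optional[Schedule] = None
    description: str = ""


class Firewall:
    def __init__(self, addr_aliases: Dict[str, List[str]], port_aliases: Dict[str, List[int]],
                 rules: List[Rule], default_action: str = "pass"):
        # Hosts and Network aliases both become lists of networks (a host is a /32).
        self.addr_aliases = {name: [ip_network(m) for m in members]
                             for name, members in addr_aliases.items()}
        self.port_aliases = {name: set(ports) for name, ports in port_aliases.items()}
        self.rules = rules
        self.default_action = default_action  # the report states pfSense passes by default

    def _addr_matches(self, selector: str, addr) -> bool:
        if selector == "any":
            return True
        if selector == "lan subnet":
            return addr in LAN_SUBNET
        return any(addr in net for net in self.addr_aliases[selector])

    def _port_matches(self, selector: str, port: int) -> bool:
        return selector == "any" or port in self.port_aliases[selector]

    def evaluate(self, proto: str, src: str, dst: str, dport: int,
                 when: datetime) -> Tuple[str, str]:
        """First matching rule wins; a scheduled rule is skipped outside its window."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if rule.proto not in ("any", proto):
                continue
            if rule.schedule is not None and not rule.schedule.is_active(when):
                continue
            if (self._addr_matches(rule.source, src_ip)
                    and self._addr_matches(rule.destination, dst_ip)
                    and self._port_matches(rule.dst_ports, dport)):
                return rule.action, rule.description
        return self.default_action, "default"


# The report's schedule: November, Monday to Saturday, 07:00-17:00.
GIO_LAM_VIEC = Schedule("GioLamViec", months={11}, weekdays={0, 1, 2, 3, 4, 5},
                        start_hour=7, end_hour=17)

# Constructed sample configuration (the aliases and rules are hypothetical).
FIREWALL = Firewall(
    addr_aliases={"AdminPCs": ["10.0.0.5/32"]},       # a Hosts alias
    port_aliases={"WebPorts": [80, 443]},              # a Port alias
    rules=[
        Rule("pass", "any", "AdminPCs", "any", "any", description="admins unrestricted"),
        Rule("block", "tcp", "lan subnet", "any", "WebPorts", schedule=GIO_LAM_VIEC,
             description="no web browsing during office hours"),
        Rule("pass", "any", "lan subnet", "any", "any", description="LAN to anywhere"),
    ],
)


def decide(proto: str, src: str, dst: str, dport: int, when_iso: str) -> Tuple[str, str]:
    """Evaluate one connection attempt at an ISO-8601 timestamp, e.g. '2009-11-10T10:00'."""
    return FIREWALL.evaluate(proto, src, dst, dport, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for when in ("2009-11-10T10:00", "2009-11-10T18:00", "2009-11-15T10:00"):
        print(when, decide("tcp", "10.0.0.50", "203.0.113.10", 80, when))
```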

2.4: NAT.
In the firewall you can also configure NAT settings if you need port forwarding for services, or configure static (1:1) NAT for specific hosts.
The default NAT setting for outbound connections is Automatic outbound NAT, but you can switch to Manual outbound NAT if needed.

Example: here we forward port 1723 (PPTP) for the VPN configuration, with NAT IP 192.168.2.100.




2.5: Traffic shaper (bandwidth management).

The Traffic Shaper feature helps you monitor and manage network bandwidth more easily and effectively.
To configure the Traffic Shaper choose Firewall => Traffic Shaper => Next.


The Traffic Shaper supports Voice over IP.

It supports peer-to-peer networks such as BitTorrent, CuteMX, etc.




It supports gaming networks such as Battle.net, Battlefield 2 and some other online games.


2.6: Virtual IPs.

Virtual IPs are used so that pfSense can properly forward traffic for things such as NAT port forwarding, Outbound NAT and 1:1 NAT. They also enable features such as failover, and can let services on the router bind to different IP addresses.
CARP.

- Can be used by the firewall itself to run services, or forwarded
- Generates layer 2 traffic for the VIP
- Can be used for clustering (master firewall and standby failover firewall)
- The VIP must be in the same IP subnet as the real interface
- Answers ICMP ping if the firewall rules allow it.

Proxy ARP.

- Cannot be used by the firewall itself, but can be forwarded
- Generates layer 2 traffic for the VIP
- The VIP may be in a different subnet from the real interface IP
- Does not answer ICMP ping.

Other.

- Can be used if the routes deliver your VIP to you anyway, without any layer 2 announcement
- Cannot be used by the firewall itself, but can be forwarded
- The VIP may be in a different subnet from the interface IP
- Does not answer ICMP ping.

3. Some pfSense services
3.1: Captive portal
The captive portal lets the administrator redirect clients to another web page, where the client may have to authenticate before connecting to the Internet. The captive portal feature is under Services / Captive portal.



Captive portal: fine-tunes the Captive Portal functions.
- Enable captive portal: tick this if you want to use the captive portal.
- Maximum concurrent connections: limits the connections per IP/user/MAC
- Idle timeout: if an IP has not used the network for a set period, the IP/user/MAC is disconnected.
- Hard timeout: limits the connection time of each IP/user/MAC.
- Logout popup window: shows a notification popup to the IP/user/MAC
- Redirect URL: the URL the user is redirected to after logging in

Pass-through MAC: MAC addresses configured here are let through without authentication.
Allowed IP address: IP addresses configured here are not authenticated.
Users: creates local users for the authentication type "local user".
File Manager: uploads the captive portal's page to pfSense.
There are 3 ways of authenticating clients:
- No authentication: pfSense redirects the user to a fixed page without authenticating.
- Local user manager: pfSense supports creating users for authentication.
- RADIUS authentication: authentication through a RADIUS server (the RADIUS IP address, port, etc. must be given).

3.2: DHCP Server.
This service lets pfSense assign IP addresses and configuration information to the clients on the LAN.
The feature is under Services => DHCP server.


Enable dynamic IP assignment for the client machines.

We can also assign a permanent IP address to any computer on the network.


3.3: DHCP Relay.

This service lets pfSense forward the IP requests of clients in a given subnet to a specified DHCP server.

Only one of the DHCP server and DHCP relay services may run at a time.

3.4: Load Balancing.

With this function you can distribute network traffic, also called network load balancing.

There are 2 kinds of load balancing on pfSense:
- Gateway load balancing: used when there are several WAN connections. When a client on the LAN wants to reach the Internet, pfSense picks a WAN card to send the packet out of, balancing the load across the links.
- Server load balancing: lets you balance load across your own servers. It is commonly used for web servers and mail servers; a server that stops working is removed from the pool.
3.5: VPN PPTP.

To use this feature go to VPN => PPTP.
Tick Enable PPTP server to turn on the VPN feature.
Server address: the address the client connects to
Remote address range: the IP range handed out when VPN clients connect

RADIUS: authenticate through RADIUS


Click Save and switch to the Users tab to create accounts.


Rules also need to be created to allow VPN clients into the network.


Finally, on the VPN client we create a connection to the VPN server.

3.6: Other functions.
- System Log: records all activity of the pfSense system and of the services pfSense provides. Every system and service event is logged.
- System Status: lists information on the state of the system.
- Service Status: shows the status of all services on the system. Each service has two states: running and stopped.
- Interface Status: shows information on all network cards.
- RRD Graph: shows information as graphs. The information RRD Graph presents is: System, Traffic, Packets, Quality, Queues.

4. Topology.


In this model we simulate the two routers ROUTER ADSL1 and ROUTER ADSL2 with 2 Windows Server 2003 machines.
The LAN branch is on the network 10.0.0.0/24.
We have 2 WAN branches: 192.168.1.0/24 and 192.168.2.0/24.
The pfSense firewall machine has 3 network cards: one card eth0 (host-only) used for the LAN (internal network) and 2 bridged cards (eth1 and eth2) used for the WAN (external network).
Router ADSL1: 192.168.1.200
Router ADSL2: 192.168.2.200

eth0: 10.0.0.10/24
eth1: 192.168.1.100/24
eth2: 192.168.2.100/24

5. Installing the pfSense firewall, configuring the interfaces and the DHCP server.

5.1: Installing pfSense.
On the machine that will run pfSense we insert pfSense-1.2.3-LiveCD.iso to install.
The "Welcome to FreeBSD!" screen greets us as we come to the open-source pfSense firewall.



Choose 99 to start the installation process.


Choose Accept these settings to accept installing pfSense.



Choose Install pfSense to start installing pfSense to the hard disk.




Choose <ad0:>, the hard disk pfSense is to be installed on.


Choose Format this Disk to reformat the hard disk with the pfSense installer itself.




Choose Use this geometry to set the Cylinders, Heads and Sectors to the pfSense default.



Format ad0: formatting begins with the settings above.


Choose Partition Disk to create the partition on the hard disk.



Choose Accept and Create to accept creating the partition.




Choose Yes, Partition ad0 to confirm creating the partition.



Choose OK.


Choose <1: 7.99G ( ) > to set up the primary partition.




Choose OK.



Choose Accept and Create.




Choose <Symmetric .>





Choose Accept and Install Bootblocks to accept writing the boot blocks to the hard disk.





Choose OK.




Choose Reboot to restart the machine.



The installation of pfSense on the computer is complete.





5.2: Configuring the network cards of the pfSense machine.
Enter an option: 1. Choose 1 to start assigning the interfaces.



Do you want to set up VLANs now? -> type n -> Enter.




Type em0 to assign the LAN interface.



Type em1 to assign the WAN interface.



Type em2 to assign the OPT1 interface (the WAN2 interface).



After assigning the interfaces, press Enter.
Choose Y to carry out the network card setup.


5.3: Setting the IP and configuring DHCP to lease addresses inside the LAN
Enter an option: choose 2 to set the IP of an interface.




Set the IP of the LAN interface: 10.0.0.10, the pfSense address facing the internal network.
Enter the new LAN subnet bit count: 24, then Enter.



Choose Y to set up DHCP to lease IPs to the client machines (internal network).



Start of the IP range, the first IP leased to clients: 10.0.0.50
End of the IP range, the last IP leased to clients: 10.0.0.100




When finished, the LAN card has IP 10.0.0.10 and DHCP leases the range 10.0.0.50 to 10.0.0.100 to the internal client machines.




5.4: Client machine requesting an IP leased by pfSense
Run the command: ipconfig /release



Run the command: ipconfig /renew




6. Configuring some services in pfSense:
6.1: Configuring pfSense and load balancing (load balancer).
a. Configuring pfSense
On the client machine -> configure pfSense through the web interface.
The username/password is: admin/pfsense




Choose Next.




Enter the DNS server for the pfSense machine -> Next.




Choose Next.



Set a static IP for the WAN1 interface.




Set the IP of the WAN1 interface => choose Next.



Choose Next.




Set a new password for the WebGUI admin => choose Next.

Choose Reload.




Click pfSense -> enter the pfSense configuration interface.




The pfSense configuration interface.





Choose OPT1 -> set the IP of the WAN2 interface.





Tick Enable Optional 1 Interface => Description: WAN2 => Type: Static




Set the IP of the WAN2 interface.
















b. Configuring load balancing
Under Services => choose Load Balancer.



Click +








Name => Load balancer. Type -> choose Gateway. Under Behavior => choose Load Balancing.


Add WAN to the load balancing list:
Monitor IP => the WAN's gateway. Interface => WAN. Then click Add to Pool.


Likewise add WAN2 to the load balancing list. Then choose Save.





Both default gateways have been added to the list.

Set up the rules for load balancing. Go to Firewall => Rules.



Click +




Interface: WAN


Gateway -> choose LOAD BALANCER. Destination: WAN1. Choose Save.




Choose Apply Changes.


Do the same for WAN2.






Check the status of the load balancing just configured. Go to Status => Load balancer.




The load balancing mechanism is working correctly. Both Internet lines are in the Online state.
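The gateway load balancing of section 3.4 and the pool built in 6.1 (monitor IP = the WAN's gateway, both WANs in one pool) can be illustrated with a small simulation; the Python example below is added here and is not pfSense's own code. It probes each member's monitor IP, shares new connections round-robin across the members that answer, optionally pins a source address to one gateway (sticky connections), and returns no gateway when every monitor fails. The probe results are a constructed dictionary standing in for pfSense's real ICMP monitoring; the interface and gateway addresses are those of the report's topology.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Gateway:
    name: str           # pool member, e.g. "WAN" or "WAN2"
    interface_ip: str   # pfSense address on that WAN
    monitor_ip: str     # Monitor IP; the report uses the WAN's gateway (the ADSL router)
    online: bool = True


class GatewayPool:
    """Gateway load balancing: spread new connections over members whose monitor answers."""

    def __init__(self, members: List[Gateway], probe: Callable[[str], bool],
                 sticky: bool = False):
        self.members = members
        self.probe = probe              # probe(monitor_ip) -> True when reachable
        self.sticky = sticky            # keep one source address on one gateway
        self._next = 0                  # round-robin cursor
        self._pinned: Dict[str, str] = {}

    def refresh(self) -> List[str]:
        """Re-probe every monitor IP; returns the names of the members still online."""
        for gw in self.members:
            gw.online = self.probe(gw.monitor_ip)
        online = {gw.name for gw in self.members if gw.online}
        # A source pinned to a gateway that just failed is released to the others.
        self._pinned = {src: name for src, name in self._pinned.items() if name in online}
        return [gw.name for gw in self.members if gw.online]

    def select(self, src_ip: str) -> Optional[Gateway]:
        """Pick the gateway for a new connection from src_ip; None when all are down."""
        online = [gw for gw in self.members if gw.online]
        if not online:
            return None
        if self.sticky and src_ip in self._pinned:
            return next(gw for gw in online if gw.name == self._pinned[src_ip])
        gw = online[self._next % len(online)]
        self._next += 1
        if self.sticky:
            self._pinned[src_ip] = gw.name
        return gw


# Constructed monitor results standing in for pfSense's ICMP probes of each Monitor IP.
MONITOR_RESULTS: Dict[str, bool] = {"192.168.1.200": True, "192.168.2.200": True}


def set_monitor(monitor_ip: str, reachable: bool) -> None:
    """Simulate a line going up or down (in pfSense this is the ping monitor's verdict)."""
    MONITOR_RESULTS[monitor_ip] = reachable


def fake_probe(monitor_ip: str) -> bool:
    return MONITOR_RESULTS.get(monitor_ip, False)


def build_pool(sticky: bool = False) -> GatewayPool:
    """The report's pool: WAN via ADSL1, WAN2 via ADSL2, monitor = the router address."""
    return GatewayPool([
        Gateway("WAN", "192.168.1.100", "192.168.1.200"),
        Gateway("WAN2", "192.168.2.100", "192.168.2.200"),
    ], fake_probe, sticky)


def route_connections(pool: GatewayPool, sources: List[str]) -> List[str]:
    """Gateway name chosen for each new LAN connection, or 'down' when none is available."""
    chosen = []
    for src in sources:
        gw = pool.select(src)
        chosen.append(gw.name if gw else "down")
    return chosen


if __name__ == "__main__":
    pool = build_pool()
    print(pool.refresh(), route_connections(pool, ["10.0.0.50", "10.0.0.51", "10.0.0.52"]))
    set_monitor("192.168.2.200", False)          # ADSL2 stops answering
    print(pool.refresh(), route_connections(pool, ["10.0.0.50", "10.0.0.51"]))
```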



6.2: Configuring the VPN server
a. Configuring the VPN server
Go to VPN => PPTP.



Tick Enable PPTP server.




Server address: 192.168.2.100. Remote address range: 192.168.2.208/28



Choose Save.




Users tab, click +




Create the user VPN/1234 so that the VPN client machine can connect over VPN to the VPN server.



Create a rule opening port 1723.



PPTP VPN tab, click +





Interface: PPTP



Gateway: LOAD BALANCER
Description: vpn qua load balancer
Choose Save.




Choose Apply changes.



b. Configuring inbound NAT so that VPN clients can connect to pfSense

Menu Firewall => NAT


In the NAT screen click +

Interface: choose PPTP
External address: any
Protocol: TCP
External port range: PPTP



NAT IP: (the pfSense machine's WAN2 IP)
Description: give the VPN port forward a name.
Choose Save.





Choose Apply Changes.




c. Configuring the VPN client on the outside to connect over VPN to pfSense.
On the client machine (VPN client) open the New Connection Wizard.


Choose: Connect to the network at my workplace.




Choose: Virtual Private Network Connection



Company Name: VPN



Type the WAN2 IP: 192.168.2.100



Choose My use only.




Choose Finish.


Log in to the VPN server with the user name/password vpn/1234.

Login successful.





6.3. Bandwidth management with the Traffic Shaper
Menu Firewall -> Traffic Shaper



Choose Next.



For Inside choose LAN => enter the download speed of the link.
For Outside choose WAN => enter the upload speed of the link.

Choose Next.

Choose Next.



Choose Next.


Choose Next.


Tick Prioritize network gaming traffic.
Also tick Battle.net.
Choose Next.



Choose Next => choose Finish.
We have now finished setting up the Traffic Shaper and can begin configuring it.


Choose Firewall -> Traffic Shaper; the following screen appears:


Choose the Queues tab.


Tick qwandef, then click e (edit).




Tick Upper limit.
For m2 enter 70%.
Apply changes to save. Choose Save.


Next, tick qlandef, then click e (edit).




Tick Upper limit.
For m2 enter 70%.
Apply changes to save. Choose Save.




Return to the Rules tab. Click + to add a new rule for game downloads.
For example, the game Kiếm Thế uses the TCP protocol and ports 6041 -> 6047.

Target: choose qGameDown / qGameUp
In Interface: choose WAN
Out Interface: choose LAN


Destination port range: From: enter 6041. To: enter 6047, as in the figure.
Description: enter the game's name.
Save -> Apply changes




Likewise click + to add a new rule for game uploads.
Target: choose qGameUp / qGameDown
In Interface: choose LAN
Out Interface: choose WAN

Destination port range: From: enter 6041. To: enter 6047, as in the figure.
Save -> Apply changes



The bandwidth configuration steps are complete.
In this exercise the bandwidth is split into 2 parts: 30% for games and 70% for the other services.



7. Evaluation:

a. Advantages:
- Easy to configure through the web interface.
- Free.
- Features can be added through add-on packages.
b. Limitations:
- Configuring it requires the user to have some basic knowledge.
- Still lacks URL filtering like commercial appliances.
- An additional modem has to be provided.




III. THE SMOOTHWALL FIREWALL.
1. Introduction to the Smoothwall firewall.



SmoothWall Express originates from SmoothWall GPL.

SmoothWall GPL was released in August 2000, developed by Lawrence Manning and Richard Morrell.
- Smoothwall Express is an open-source firewall based on Linux.
- Smoothwall Express is configured through a web interface that is easy to use and to configure.
- Smoothwall Express lets you easily build a firewall to protect a computer system connected to the Internet.
- SmoothWall Express can work with almost any Intel Pentium-based computer.
- Another fairly important point is that installing and using Smoothwall does not demand hardware as powerful as newer software does.

2. Smoothwall Express has 3 operating modes at install time.

- Open: Smoothwall Express allows all outbound requests.
- Half-Open: this is the default mode; Smoothwall Express allows most outbound requests and blocks those that are potentially dangerous.
- Closed: Smoothwall blocks all outbound requests.

3. Network configuration types.

- Green: the network card connected to the internal network that must be protected.
- Red: the network card connected to the Internet or external network.
- Orange: the network card connected to the DMZ network.
- Purple: the network card connected to the wireless network.

4. Advantages.
- Does not require a powerful machine (a 32-bit Intel or i386 PC; even a low-spec machine with a 486 processor or an Intel Pentium, 128 MB of RAM and a 2 GB hard disk can run Smoothwall).
- Protects the local networks (LANs) from unauthorised intrusion from outside the network and against viruses and Trojans.

- Easy to install (it can be installed with little knowledge of GNU/Linux).
- Supports many kinds of network cards, modems and other hardware.
- Supports many ways of connecting to the Internet through different ISPs.
- With SWE, setting up and starting applications is easy.
- Easy to use and manage through a web interface.
- Supports a range of features, including: Proxy Server, IDS, Logging, Traffic Graphs, DHCP, VPN, Dynamic DNS, Port Forwarding, Server Health and Access Control.
5. Limitations.
- Supports only 1 CPU and 1 GB of RAM.
- Smoothwall Express cannot help recover any lost data.
- All data on the hard disk is erased during installation.
- Lacks the technical support that commercial products have.


6. Some functions in Smoothwall.
6.1. IP block:
Lets you block external IP addresses from reaching the Smoothwall server or the internal machines.



The modes are Drop packet and Reject packet, with logging:
- Drop packet: a packet whose IP address is in the block list is silently discarded.
- Reject packet: the packet is discarded as well, but a notification is sent back to the source machine.
Logging is also supported.
6.2. Web Proxy:
Using the Web Proxy improves access speed, makes browsing safer and restricts unwanted websites.



6.3. Outgoing:


You can allow, block or restrict Internet access per internal network card.
The default Outgoing rules differ depending on the initial mode chosen at install time: Open, Half-Open or Closed.

6.4. IDS:


The IDS is responsible for detecting security violations coming from outside your network.
This service only detects intrusions; it does not block them.
The IDS can also distinguish attacks from the inside (from people in the company) from attacks from the outside (from hackers).

6.5. Remote Access:


When enabled, you can access SmoothWall Express remotely using the SSH service.

6.6. DHCP:


Configures and enables SmoothWall's DHCP service, which automatically assigns LAN IP addresses to your network clients.
DHCP gives the computers an IP address, DNS settings,

6.7. Timed Access:


Smoothwall lets you allow or deny Internet access during a specific period of the day for a specific group of machines.

6.8. POP3 proxy:


SmoothWall Express can scan POP3 e-mail for viruses as it is downloaded from the mail server.
An e-mail containing a virus is replaced with an explanatory e-mail that gives the details of the original message and the name of the virus detected.

6.9. Interface:


This is where you configure and adjust the addresses of the Green, Orange, Purple and Red interfaces, the DNS servers and the default gateway.










6.10. Time:

You can set the date and time of SmoothWall Express and synchronise its clock with a time server on the network.

6.11. Static DNS:

SmoothWall Express can maintain a table of local hostnames that can be used by SmoothWall Express itself and by the computers on the Green and Purple networks.
The SmoothWall Express DNS service resolves these hostnames for every machine that uses the service, including SmoothWall Express itself.

6.12. IM proxy:

When enabled, the SmoothWall Express Instant Messenger (IM) proxy service lets you log IM conversations and file transfers on the Green and Purple networks.


7. Installing and Configuring Smoothwall:
7.1. Installation:
Insert the Smoothwall Express CD or ISO file.
The Smoothwall Express welcome screen appears.

Press Enter to continue.
Choose OK to begin the installation.

A prompt asks you to insert the Smoothwall CD into the CD-ROM drive.

The installer will partition the hard disk and install the system files onto it.

A warning states that all data on the hard disk will be erased; choose OK to continue the installation.

The installation now runs; if it succeeds, the following message is displayed.




Choosing Yes means upgrading Smoothwall from a previously installed copy. We choose No to start configuring the freshly installed Smoothwall.

Select the language.

Enter the hostname.

By default, Smoothwall Express allows most outbound requests and blocks those that are potentially dangerous.

Select the network type to configure the network, then choose OK.


Select the interface types for Green and Red.

Network card configuration:
Configure the IP address of the GREEN card.


Configure the IP address of the RED card.


Enable DHCP so that the RED card obtains its IP address automatically.

When asked to confirm the changes, choose OK.


Choose Probe.

Choose OK.


Fill in the DNS server and gateway, then choose OK.





Enable DHCP.

Set the admin password.


Set the root password.

Installation complete. Choose OK to reboot.

Use the ifconfig command to check the IP addresses of eth0 and eth1.

Ping an outside host to test connectivity.

7.2. Configuring Smoothwall:
Use the address 172.29.0.10:81 to manage Smoothwall.
The username/password is admin/1234.

The Smoothwall configuration interface.

7.3. Configuring DHCP:
Range: 172.29.0.100-172.29.0.200
DNS: 172.29.1.1



On the client machine:

Request an IP address.



7.4. Configuring the web proxy:
We need to set this feature to Enabled.

On the client machine we configure the LAN settings.



Test it.

7.5. Configuring the IDS (Snort):

We need an oink code to update the rules. To obtain an oink code you must register an account at www.snort.org, log in and then copy the oink code.
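The IDS described in section 6.4 only reports; someone still has to read what Snort writes. The following Python script is an added example, not code from the report or from Smoothwall, that parses lines in Snort's alert_fast output format and labels each alert internal or external by checking whether the source address lies in the Green network, the distinction section 6.4 attributes to the IDS. The sample alert lines, their SIDs in the local rule range and the 172.29.0.0/24 network are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption: the firewall's Green (LAN) side is 172.29.0.0/24, inferred from the
# 172.29.0.10 management address used in this report; adjust to your own networks.
INTERNAL_NETWORKS = [ipaddress.ip_network("172.29.0.0/24")]

# One line of Snort's "alert_fast" output. The Classification field is optional and
# the port suffix is absent for protocols without ports (ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    timestamp: str
    sid: int
    message: str
    classification: Optional[str]
    priority: int
    protocol: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    origin: str   # "internal" if the source lies on a Green-side network, else "external"


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value else None


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        timestamp=m["ts"], sid=int(m["sid"]), message=m["msg"],
        classification=m["cls"], priority=int(m["prio"]), protocol=m["proto"],
        src=m["src"], src_port=_port(m["sport"]), dst=m["dst"], dst_port=_port(m["dport"]),
        origin="internal" if is_internal(m["src"]) else "external",
    )


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count alerts by origin; lines that do not parse are counted separately."""
    counts = {"internal": 0, "external": 0, "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        counts["unparsed" if alert is None else alert.origin] += 1
    return counts


def high_priority(alerts: Iterable[Alert], max_priority: int = 1) -> List[Alert]:
    """Snort priority 1 is the most severe; keep alerts at or above the threshold."""
    return [a for a in alerts if a.priority <= max_priority]


# Constructed sample output (not a real capture); SIDs 1000001+ are the local rule range.
SAMPLE_ALERTS = """\
10/15-14:23:01.123456  [**] [1:1000001:1] LOCAL outbound IRC connection attempt [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.29.0.105:41234 -> 203.0.113.10:6667
10/15-14:23:07.000001  [**] [1:1000002:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:52311 -> 172.29.0.10:22
10/15-14:24:00.500000  [**] [1:1000003:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 198.51.100.9 -> 172.29.0.20
this line is not an alert
"""

if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for alert in filter(None, map(parse_alert, lines)):
        print(f"[{alert.origin:8}] prio={alert.priority} sid={alert.sid} "
              f"{alert.src} -> {alert.dst} {alert.message}")
    print(summarize(lines))
```

The origin label uses only the source address, so an internal host that is itself compromised shows up as internal; that is the case section 6.4 has in mind when it mentions attacks from inside the company.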



Enter the oink code to update the rules.

7.6. Enabling SSH remote access:
We only need to tick the two items shown in the figure and click Save.

On the client side, use PuTTY to connect to Smoothwall remotely.



Log in with the account root/12345.


7.7. Installing additional packages for Smoothwall:
To add features such as Advanced Proxy and URL Filter, go to the page:
http://www.advproxy.net/download.html


a. Download URL Filter. Click Download URL filter as shown in the figure.

Right-click "I agree with these terms" and choose Copy link location to copy the link.

Run the command shown in the figure to download URL Filter.

Extract the archive.

Install the URL Filter package.

b. Do the same for the Advanced Proxy package.







c. Check the installation.
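Steps a to c above download a third-party archive and run its installer as root on the firewall. The following Python script is an added example, not part of the report or of the add-on packages, showing the checks worth doing before that: comparing the archive's SHA-256 against an expected value obtained separately from the download page, refusing archive members that would write outside the destination directory or that are links or special files, and only then locating the installer. The expected hash, the destination directory and the installer file name `install` are assumptions; the real add-on's installer name may differ.

```python
import hashlib
import subprocess
import sys
import tarfile
from pathlib import Path
from typing import List


def sha256_of(path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def safe_members(tar: tarfile.TarFile, dest: Path) -> List[tarfile.TarInfo]:
    """Return the archive members that are safe to extract under dest.

    Rejects absolute paths and '..' components (which would write outside dest),
    symbolic and hard links (which can redirect later writes) and special files.
    """
    root = dest.resolve()
    members = []
    for member in tar.getmembers():
        target = (root / member.name).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"archive member escapes destination: {member.name}")
        if member.issym() or member.islnk():
            raise ValueError(f"link refused: {member.name}")
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"special file refused: {member.name}")
        members.append(member)
    return members


def install_addon(archive, expected_sha256: str, dest, installer_name: str = "install",
                  run: bool = False) -> Path:
    """Verify, unpack and (optionally) run an add-on installer.

    Raises ValueError if the archive's hash does not match or if it contains unsafe
    members; returns the path of the installer script that was found.
    """
    actual = sha256_of(archive)
    if actual != expected_sha256.lower():
        raise ValueError(f"SHA-256 mismatch: expected {expected_sha256}, got {actual}")
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:*") as tar:
        members = safe_members(tar, dest)      # validate every member before touching disk
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    candidates = sorted(p for p in dest.rglob(installer_name) if p.is_file())
    if not candidates:
        raise FileNotFoundError(f"no '{installer_name}' script found under {dest}")
    installer = candidates[0]
    if run:
        # Run from the package's own directory, as add-on instructions usually expect.
        subprocess.run([str(installer)], cwd=str(installer.parent), check=True)
    return installer


if __name__ == "__main__":
    # Usage (assumed layout): install_addon.py <archive.tar.gz> <expected-sha256> <dest-dir>
    if len(sys.argv) != 4:
        sys.exit("usage: install_addon.py ARCHIVE EXPECTED_SHA256 DEST_DIR")
    print("installer found at", install_addon(sys.argv[1], sys.argv[2], sys.argv[3]))
```

The hash comparison catches a corrupted or substituted download; the member check matters because the installer runs as root, so an archive entry such as `../etc/passwd` would otherwise be written wherever it points before the installer is even looked at.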
