All praise to ALLAH, the most merciful, kind and beneficent, and the source of all knowledge and
wisdom within and beyond my comprehension.
Heartfelt thanks to Prof. Driss El Ouadghiri, the head of the professional license on
systems and networks management at the Science Faculty of Meknes, and my project
supervisor.
Special thanks go to all the members of the jury, Prof. Khalid EL YASSINI, Prof. Abdeslam EL
FERGOUGUI, Prof. Rachid ELOUAHBI and the engineer Mohammed GHALLALI, for agreeing
to lend us their attention and evaluate our work. Thanks also go to all of my teachers at the
Science Faculty of Meknes.
I am very grateful to Mr. Ismail Azzouzi and Mr. Abdelhakim Mesbahi; they guided and helped me
through timely suggestions, valuable advice and especially their sympathetic attitude, which
always inspired me to work hard.
I would also like to thank everyone who shared valuable information that helped in the successful
completion of this project.
Finally, I would like to thank my mother Zoubida Mestari, my brother and sisters and all my big
family members.
Mohamed Loughmari
List of Figures
Figure 1. Organization chart of the Court of Appeal Taza (page 13)
Figure 2. Versions of pfSense (page 17)
Figure 3. Compact Flash (page 19)
Figure 4. WRAP (page 20)
Figure 5. ALIX (page 20)
Figure 6. Soekris (page 20)
Figure 7. Asking to set up VLANs (page 23)
Figure 9. Finishing steps of installation (page 24)
Figure 10. Shell menu (page 24)
Figure 11. Option 99 (page 25)
Figure 12. The Configure Console (page 25)
Figure 13. Selecting the simple installation (page 26)
Figure 14. Confirmation step (page 26)
Figure 15. Transferring the system to the media (page 27)
Figure 16. Asking for reboot (page 27)
Figure 17. Enabling SSH (page 28)
Figure 18. Generating RSA key (page 28)
Figure 19. The public key (page 29)
Figure 20. Disabling password login (page 29)
Figure 21. Pasting the client public RSA key (page 30)
Figure 22. Client configuration (page 30)
Figure 23. Creating ALIAS (page 31)
Figure 24. Types of ALIAS (page 31)
Figure 25. Using ALIAS (page 32)
Figure 26. Creating a NAT port forward rule (page 33)
Figure 27. Creating a schedule (page 34)
Figure 28. Schedule repeat (page 34)
Figure 29. Firewall rule (page 35)
Figure 30. DMZ rules (page 36)
Figure 31. Creating a VIP (page 38)
Figure 32. VIP created (page 38)
Figure 33. Configuring 1:1 NAT (page 39)
Figure 34. Creating gateway (page 40)
Abstract
This is a graduation project prepared by Mohamed LOUGHMARI, a student of the professional license on
systems and networks management at the Science Faculty of Meknes. It is the result of a two-month
traineeship carried out at the Court of Appeal in TAZA.
It aims to implement pfSense, an open source firewall solution.
This report covers the theoretical part and the practical part of pfSense.
Résumé
This work is part of the end-of-studies project prepared by Mohamed LOUGHMARI, a student of the
professional license in systems and networks management at the Faculty of Sciences of Meknès. It is the
result of a two-month internship at the Court of Appeal of Taza.
It consists of implementing an open source firewall solution, pfSense.
This report covers the theoretical part and the practical part of pfSense.
Table Of Contents
Acknowledgments (page 3)
List of Figures (page 4)
List of Acronyms & Abbreviations (page 6)
Abstract (page 7)
Résumé (page 7)
General Introduction (page 11)
Part I: Presentation of the Courts of Appeal Taza (page 12)
1. Organization (page 13)
2. Attributions (page 13)
3.
4. IT Service (page 14)
General Introduction
"Nothing ever becomes REAL until it is experienced." - John Keats
Internships have become an important part of a college student's education. Through internships,
students gain experience in different fields, test career interests, and establish contacts that can assist with
networking. During my studies in the professional license on systems and networks management at the faculty
of Meknes, I spent two months of internship at the Court of Appeal of Taza, where I worked on a project
whose theme belongs to the field of IT security.
IT security is vital for protecting the confidentiality, integrity, and availability of computer
systems, resources, and data. Without confidentiality, trade secrets or personally identifying information
can be lost. Without integrity, we cannot be sure that the data we have is the same data that was initially
sent. Without availability, we may be denied access to computing resources.
To ensure IT security there are many elements; one of the main ones is the firewall, which is one of
the most important elements that can achieve the goals of security. A firewall can be a hardware device or
a software application and is generally placed at the perimeter of the network to act as the gatekeeper for
all incoming and outgoing traffic.
Considering what we have said about the importance of security and how the firewall is the
primary tool for security, I decided to make an implementation of pfSense, which is an open source
firewall solution.
Throughout this report, I will present the work that I have done during the training period in three main
parts:
The first part will focus on an overview of the Court of Appeal of Taza, where I spent the internship.
The second part is about the theory of pfSense: basic information and its features.
The third part is the practical part of pfSense; it will cover the installation and some important
configuration.
Finally, this work will close with a general conclusion.
Part I: Presentation of the Court of Appeal of Taza
1. Organization
The Court of Appeal, a regional sub-directorate, includes, under the authority of the Prime President,
a number of specialized chambers, including a staff room and a criminal division.
However, any chamber can properly investigate and prosecute, regardless of the nature of the cases
before these courts.
They also have a public ministry composed of a Prosecutor General of the King and substitutes, one
or more investigating magistrates, one or more magistrates for minors, and a registry and secretariat of the
Prosecutor General.
In all matters, hearings are held and judgments rendered by a panel of three counselors assisted by a clerk,
unless the law provides otherwise.
The criminal division, due to the seriousness of the cases entrusted to it, sits with five
counselors: a chamber president and four counselors.
2. Attributions
The courts of appeal, as courts of second instance, re-examine cases previously judged at first instance by the
trial court.
They thus handle appeals against decisions rendered by the courts and appeals against orders made by their
presidents.
The criminal chambers of the Courts of Appeal are competent, as specific formations, to judge crimes.
Figure 1. Organization chart of the Court of Appeal Taza (chart, top to bottom: Abdellatif ELGHBAR;
IT Service; Budget and Equipment Service; Human Resource Service; Technical Service)
4. IT Service
IT has become essential in the organization; in fact it has many tasks: the purchase of computer
equipment, its installation, and the management of information flow.
Indeed, the IT department has no room for error, because it is vital for the body. This
is explained by the fact that it is responsible for managing the email system, and therefore for communication
with the outside and the inside of the body.
It must also deal with the receipt of information from partners, which must be converted and integrated
into their databases.
Indeed, if the IT department is no longer operational, no further communication can be done and it
would be simply impossible to manage the company (delivery, order, inventory management, data backup,
...).
As we see in the organization chart, the IT department of the SDR is composed of two people:
Mr. Abdelhakim Mesbahi, IT manager, whose mission is to optimize the processing and computer systems
by providing technical assistance to users. He is responsible for:
- Maintenance of computer equipment in the legal district.
- Monitoring the state of hardware.
- Monitoring the installation contracts for electrical and computer networks.
- Receiving hardware delivered by companies.
- Controlling the company in case of works.
- Supporting all IT projects of the company and ensuring the reliability, consistency and evolution of
information systems, technically and functionally.
- Advising the department when considering new solutions (software selection, equipment, network
architecture, ...).
- Defining the needs of the region and monitoring technology.
Mr. Ismail el Azzouzi, Training Officer and host of the student:
- Training people.
- Monitoring the computer programs of the Ministry of Justice.
- Coaching officials in IT for the Judicial District.
- Other administrative tasks.
Part II: Theory of pfSense
Introduction
PfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and
router, entirely managed in an easy to use web interface. This web interface is known as the web-based
GUI configurator or WebGUI for short. No FreeBSD knowledge is required to deploy and use pfSense.
PfSense is an open source operating system used to turn a computer into a firewall, router, or a
variety of other application-specific network appliances.
PfSense is a customized FreeBSD distribution based on the m0n0wall project, a powerful but lightweight firewall distribution.
PfSense builds upon m0n0wall's foundation and takes its functionality several steps further by
adding a variety of other popular networking services.
1.2. Versions
Each version of pfSense is based on a specific -RELEASE version of FreeBSD. Below is a table that lists
recent versions of pfSense and the underlying FreeBSD version upon which they are based.
pfSense Version | pfSense Branch | FreeBSD Version | FreeBSD Branch | Release Status
1.2   | RELENG_1_2    | 6.2-RELEASEp11 | RELENG_6_2 |
1.2.1 |               |                |            |
1.2.2 |               |                |            |
1.2.3 |               |                |            |
2.0   |               |                |            | Outdated, no longer supported.
2.0.1 | RELENG_2_0    | 8.1-RELEASEp13 | RELENG_8_1 | Outdated, no longer supported. Includes fixes/enhancements from after 2.0.
2.0.2 |               |                |            | Outdated, no longer supported. Includes fixes/enhancements from after 2.0.1.
2.0.3 | RELENG_2_0    | 8.1-RELEASEp13 |            |
2.1   | HEAD (master) |                |            |
2.2   | (future)      |                | RELENG_9   |
2. Common Deployments
PfSense is used in about every type and size of network environment imaginable, and is almost
certainly suitable for your network whether it contains one computer, or thousands. This section will
outline the most common deployments.
- LAN Router
In larger networks utilizing multiple internal network segments, pfSense is a proven solution to
connect these internal segments. This is most commonly deployed via the use of VLANs with 802.1Q
trunking. Multiple Ethernet interfaces are also used in some environments.
- WAN Router
For WAN services providing an Ethernet port to the customer, pfSense is a great solution for
private WAN routers. It offers all the functionality most networks require and at a much lower price point
than big name commercial offerings.
- VPN Appliance
Some users drop in pfSense as a VPN appliance behind an existing firewall, to add VPN
capabilities without creating any disruption in the existing firewall infrastructure. Most pfSense VPN
deployments also act as a perimeter firewall, but this is a better fit in some circumstances.
- Sniffer Appliance
One user was looking for a sniffer appliance to deploy to a number of branch office locations.
Commercial sniffer appliances are available with numerous bells and whistles, but at a very significant cost
especially when multiplied by a number of branch locations. PfSense offers a web interface for tcpdump
that allows downloading the resulting pcap file when the capture is finished. This makes it possible to capture
packets on a branch network, download the resulting capture file, and open it in Wireshark for analysis.
PfSense is not nearly as fancy as commercial sniffer appliances, but offers adequate functionality
for many purposes at a vastly lower cost.
- WAN
The WAN interface is used for the Internet connection, or primary Internet connection in a multiWAN deployment. Short for Wide Area Network, it is the untrusted public network outside of the router.
Connections from the Internet will come in through the WAN interface.
- OPT
OPT or Optional interfaces refer to any interfaces connected to local networks other than LAN.
OPT interfaces are commonly used for second LAN segments, DMZ segments, wireless networks and
more.
- OPT WAN
OPT WAN refers to Internet connections using an OPT interface, either those configured for DHCP
or those specifying a gateway IP address. It is used for multiple WAN connections.
- DMZ
Short for demilitarized zone. The term was borrowed from its military meaning, which refers to a
sort of buffer between a protected area and a war zone. In networking, it is an area where your public
servers reside that is reachable from the Internet via the WAN, but is also isolated from the LAN so that a
compromise in the DMZ does not endanger systems in other segments.
4. Hardware
4.1. Hardware Architectures
pfSense is supported only on the x86 architecture. The types of devices supported range from
standard PCs to a variety of embedded devices. It is targeted at x86-based PCs 300 MHz or faster.
- Compact Flash
- WRAP
A cost-effective device for special network appliances such as wireless routers, VPN, and VoIP.
Figure 4. WRAP
- ALIX
A higher performance replacement for the WRAP series.
Figure 5. ALIX
- Soekris
Open source software optimized to provide maximum flexibility and functionality for many
different applications and industries.
Figure 6. Soekris
5. Features List
- Firewall / Router.
- Configuration via the web GUI.
- Installation setup wizard.
- Wireless access point (WiFi interface).
- Traffic shaping.
- State table.
- NAT.
- Redundancy.
CARP: CARP from OpenBSD allows for hardware failover. Two or more firewalls can be
configured as a failover group. If one interface fails on the primary, or the primary goes offline
entirely, the secondary becomes active. pfSense also includes configuration synchronization
capabilities, so you make your configuration changes on the primary and they automatically synchronize to the
secondary firewall.
pfsync: pfsync ensures the firewall's state table is replicated to all failover-configured
firewalls. This means your existing connections will be maintained in the case of failure,
which is important to prevent network disruptions.
- NTP server.
- Load balancing, both outbound and inbound.
- nmap, ping, traceroute via the GUI.
- VPN: IPsec, OpenVPN, PPTP.
- PPPoE server.
- RRD graphs reporting.
- Real time information.
- Dynamic DNS.
- Captive portal.
- DHCP server and relay.
- Packages list.
- Wake on LAN.
- Proxy server.
- Sniffer.
- Ability to back up and restore your configuration via the web GUI.
- Ability to upgrade the firmware.
Part III: Installation and Configuration
1. Installation
1.1. Downloading pfSense
Browse to www.pfsense.org and click the Downloads link. On the Downloads page, click the link
for new installations. This will lead to the mirror selection page. Pick a close geographically mirror for best
performance. Once a mirror has been selected, a directory listing will appear with the current pfSense
release files for new installations.
For Live CD or full installations, download the .iso file. The 1.2.3 release file name is
pfSense-1.2.3-LiveCD-Installer.iso. There is also an MD5 file available by the same name, but ending in .md5. This
file contains a hash of the ISO, which can be used to ensure the download completed properly.
For embedded installations, download the .img.gz file. The 1.2.3 release file name is
pfSense-1.2.3-nanobsd-size.img.gz, where size is one of 512M, 1G, 2G, or 4G, to reflect the size of CF card for which
that image was intended (sizes are in M for megabyte and G for gigabyte).
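The .md5 check described above, as an added Python example (not from the report or from the pfSense project): it reads the digest from a .md5 file in either the BSD `MD5 (file) = hash` style that FreeBSD's md5(1) writes or the GNU `hash  file` style, hashes the image in chunks, and refuses a .md5 that names a different file. The "image" and .md5 it verifies are constructed inline.

```python
"""Verify a downloaded pfSense image against its .md5 file (added example)."""
import hashlib
import hmac
import os
import re
import tempfile

# "MD5 (pfSense-1.2.3-LiveCD-Installer.iso) = <32 hex>"   (BSD md5 style)
_BSD_RE = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<hash>[0-9a-fA-F]{32})$")
# "<32 hex>  pfSense-1.2.3-LiveCD-Installer.iso"           (GNU md5sum style)
_GNU_RE = re.compile(r"^(?P<hash>[0-9a-fA-F]{32}) [ *](?P<name>.+)$")


def parse_md5_file(text):
    """Return (expected_hex, file_name) from a .md5 file in either style."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _BSD_RE.match(line) or _GNU_RE.match(line)
        if m:
            return m.group("hash").lower(), m.group("name")
    raise ValueError("no MD5 line found in .md5 file")


def md5_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-hundred-MB ISO is never read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(iso_path, md5_path):
    """Return True if the file at iso_path matches the digest in md5_path.

    A .md5 naming a different file is rejected outright, which catches a
    mirror listing fetched with mismatched files.
    """
    with open(md5_path, "r", encoding="utf-8") as f:
        expected, name = parse_md5_file(f.read())
    if os.path.basename(iso_path) != os.path.basename(name):
        return False
    actual = md5_of_file(iso_path)
    # This only detects a corrupted or truncated download: MD5 is not
    # collision resistant and the .md5 comes from the same mirror as the
    # image, so a match does not prove the image is authentic.
    return hmac.compare_digest(actual, expected)


def demo():
    """Build a constructed 'image' plus .md5 in a temp dir; return the two results."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "pfSense-1.2.3-LiveCD-Installer.iso")
        md5 = iso + ".md5"
        with open(iso, "wb") as f:
            f.write(b"hello\n")                # constructed stand-in for the ISO
        with open(md5, "w", encoding="utf-8") as f:
            f.write("MD5 (pfSense-1.2.3-LiveCD-Installer.iso) = "
                    "b1946ac92492d2347c6235b4d2611184\n")
        ok_before = verify_download(iso, md5)
        with open(iso, "ab") as f:
            f.write(b"X")                      # simulate a corrupted download
        ok_after = verify_download(iso, md5)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```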
If there are no more interfaces left, just hit Enter without entering a NIC name and apply the settings by
confirming them with "y".
After it has gone through the configuration, it will end up with a shell menu and a number of options. pfSense
is now ready to be accessed through the web GUI at the interface you assigned as LAN.
The WAN is configured as a DHCP client; all incoming connections are blocked by default.
OPTx interfaces are disabled; you have to enable and configure them in the web GUI.
SSH is disabled.
The Configure Console option is used to change the keyboard layout or the console appearance; after changing
it, continue by accepting the settings.
Next pfSense will present a list of tasks; choose Quick/Easy Install for a simple installation.
Now comes the point of no return: only hit "OK" if we are really sure there is no valuable data left on
this media!
The installer then asks to remove the CD and reboot the system to boot the new install.
2. Initial Configuration
After finishing the installation, let's make one of the most important initial configurations: enabling SSH
and setting up key-based login for the admin user.
On the client, generate a key pair with PuTTYGen:
1. Open PuTTYGen and generate a public/private key pair by clicking the Generate button.
2. Enter a passphrase.
3.
4. Highlight the public key that was generated in the textbox and copy and paste it into a
new file, let's say C:\MyPublicKey.txt.
On the firewall:
3. Edit the user we will associate with the client's public key from System | User
Manager | Edit admin.
4. Select Click to paste an authorized key and paste the client's public RSA key here.
When pasted, the key should appear as a single line. Be sure your text editor didn't
insert any line feed characters or authentication may fail.
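To catch the line-feed problem the last step warns about before it turns into a failed login, here is an added Python checker for an authorized-key line (not from the report or from pfSense). It flags a key that spans several lines, confirms the base64 blob really carries the declared key type, and for ssh-rsa reads the modulus size; the sample line it builds uses a constructed modulus, not a real key pair.

```python
"""Sanity-check an OpenSSH public key line before pasting it into pfSense (added example)."""
import base64
import struct


def _read_string(blob, pos):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    if pos + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def check_authorized_key(text, min_rsa_bits=2048):
    """Return {"ok", "type", "bits", "comment", "problems"} for one key line."""
    problems = []
    line = text.strip()
    if "\n" in line or "\r" in line:
        problems.append("key spans several lines (editor inserted line feeds)")
        line = line.replace("\r", "").replace("\n", "")  # rejoin for inspection
    parts = line.split(None, 2)
    if len(parts) < 2:
        return {"ok": False, "type": None, "bits": None, "comment": "",
                "problems": problems + ["not a 'type base64 [comment]' line"]}
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
        inner_type, pos = _read_string(blob, 0)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"ok": False, "type": key_type, "bits": None, "comment": comment,
                "problems": problems + ["base64 blob is invalid or truncated"]}
    if inner_type != key_type.encode("ascii", "replace"):
        problems.append("declared type %r does not match blob type %r"
                        % (key_type, inner_type))
    bits = None
    if key_type == "ssh-rsa":
        try:
            _e, pos = _read_string(blob, pos)        # public exponent
            n_bytes, pos = _read_string(blob, pos)   # modulus as an mpint
        except ValueError:
            problems.append("RSA key material is truncated")
        else:
            bits = int.from_bytes(n_bytes, "big").bit_length()
            if bits < min_rsa_bits:
                problems.append("RSA modulus is only %d bits" % bits)
            if pos != len(blob):
                problems.append("trailing bytes after the RSA key material")
    return {"ok": not problems, "type": key_type, "bits": bits,
            "comment": comment, "problems": problems}


def _mpint(value):
    """Encode an integer as an SSH mpint (leading 0x00 when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def make_sample_rsa_line(bits=2048, comment="rsa-key-20130601"):
    """Build a syntactically valid ssh-rsa line from a constructed modulus.

    The modulus is just an odd number of the requested size, NOT a real key;
    it only exercises the parser the way a PuTTYGen export would.
    """
    e, n = 65537, (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)
```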
3.1. ALIAS
Aliases provide a degree of separation between our rules and values that may change in the
future (for example, IP addresses, ports, and so on). It's best to use aliases whenever possible.
3.1.1. Creating an ALIAS
These steps describe how to use, create, edit, and delete aliases.
1. Browse to Firewall | Aliases.
2. Click the "plus" button to add a new alias.
3. Add a Name for the alias.
4. Add an optional Description.
5. Select an alias Type and finish the configuration based on that selection.
- Host alias
Selecting Host(s) as an alias Type allows creating an alias that holds one or more IP addresses.
- Network alias
Selecting Network(s) as an alias Type allows creating an alias that holds one or more networks (that
is, ranges of IP addresses).
- Port alias
Selecting Port(s) as an alias Type allows creating an alias that holds one or more ports.
- URL alias
Selecting URL as an alias Type allows creating an alias that holds one or more URLs.
- URL Table alias
Selecting URL Table as an alias Type allows you to create an alias that holds a single URL pointing
to a large list of addresses. This can be especially helpful when we need to import a large list of IPs
and/or subnets.
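Before pointing a URL Table alias at a large address list, it is worth validating the list; this added Python example (not from the report or from pfSense) does that. It assumes the list format is one IP address or CIDR network per line with '#' comments, rejects malformed entries with their line numbers, collapses duplicates and overlapping networks, and flags RFC 1918 ranges that would block the LAN rather than Internet hosts. The sample list is constructed.

```python
"""Validate a URL Table address list before feeding it to a pfSense alias (added example)."""
import ipaddress

# Constructed sample, as a blocklist host might serve it.
SAMPLE_LIST = """\
# constructed example list
203.0.113.0/24
198.51.100.7
198.51.100.7        # duplicate host
203.0.113.128/25    # already covered by the /24 above
2001:db8::/32
10.0.0.0/8          # RFC 1918 range: would block the LAN, not the Internet
300.1.1.1           # not an address
192.0.2.1/33        # impossible prefix length
"""

RFC1918_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_url_table(text):
    """Return (networks, rejected); rejected holds (line_no, line, reason)."""
    networks, rejected = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop the comment and padding
        if not entry:
            continue
        try:
            # strict=False accepts host bits set, e.g. 10.1.2.3/24 -> 10.1.2.0/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            rejected.append((no, raw.strip(), str(exc)))
    return networks, rejected


def summarize(networks):
    """Collapse duplicates and overlaps, and flag RFC 1918 entries."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    collapsed = (list(ipaddress.collapse_addresses(v4))
                 + list(ipaddress.collapse_addresses(v6)))
    rfc1918 = [str(n) for n in v4 if any(n.subnet_of(p) for p in RFC1918_V4)]
    return {"entries": len(networks),
            "unique_after_collapse": len(collapsed),
            "rfc1918_entries": rfc1918}


if __name__ == "__main__":
    nets, bad = parse_url_table(SAMPLE_LIST)
    print(summarize(nets))
    for no, line, reason in bad:
        print("line %d rejected: %s (%s)" % (no, line, reason))
```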
3.3. Schedule
Schedules allow us to specify when rules are enabled. They are primarily used with firewall
rules, but their generic design allows them to be used with other existing and future pfSense features.
If a firewall rule specifies a schedule, the rule is only enabled during that time period. In the
following example, we'll define a schedule for our normal 9am-5pm work hours.
3.3.1. Creating a schedule
This recipe describes how to create a schedule.
1. Browse to Firewall | Schedules.
2. Click the "plus" button to create a new schedule.
3. Enter a Schedule Name, such as WorkHours.
4. Enter a Description, such as Regular work week hours.
5. In the Month section, click Mon, Tue, Wed, Thu, and Fri to select all the days of the
work week.
6. Specify 9 am as the Start Time and 5 pm as the Stop Time.
7. Enter a Time Range Description, such as Monday-Friday 9am-5pm.
8. Click Add Time.
4. Advanced Configuration
4.1. Virtual IP
Virtual IPs add knowledge of additional IP addresses to the firewall that are different from
the firewall's actual "real" interface addresses. Most often, these are used for NAT, but they can also
be used for other functions such as clustering, binding services such as DNS, load balancing in
packages, and so on.
4.1.1. Types of virtual IPs
There are four types of Virtual IPs available in pfSense: CARP, Proxy ARP, Other, and IP Alias. Each
is useful in different situations:
- CARP
- Proxy ARP
- Other
- IP Alias
5. Services
5.1. RIP
RIP stands for Routing Information Protocol, a dynamic routing protocol for local and wide
area networks.
5.1.1. Enabling RIP
These steps describe how to enable RIP in pfSense.
1. Browse to Services | RIP.
2. Check Enable RIP.
3. Select an interface (Ctrl + click to select multiple interfaces).
4. Select a RIP Version.
5. Set a Password if using RIP version 2.
4.
Click Send.
7. Click the MAC address of any of the stored clients to send a magic packet.
6. Maintenance
6.1. Ping
pfSense exposes the ping service that's included on almost all operating systems. This can be
handy for administrators since pfSense can ping any machine from any specified interface.
6.1.1. Using ping
These steps describe how to use the ping service in pfSense.
1. Browse to Diagnostics | Ping.
2. Set Host to the IP Address or hostname of the machine we're trying to ping.
3. Choose the Interface to initiate the ping from.
4. Select a Count.
5. Press the Ping button.
6.2. Traceroute
Traceroute is a useful tool for testing and verifying routes and multi-WAN functionality,
among other uses. It will allow you to view each "hop" along a packet's path as it travels from one
end to the other, along with the latency encountered in reaching that intermediate point.
6.2.1. Using traceroute
1. Browse to Diagnostics | Traceroute.
2. Set Host to the IP Address or hostname of the machine we're trying to trace.
3. Choose the Maximum number of hops for the trace to jump.
4. Optionally check Use ICMP.
pfSense configuration files are stored in a plain-text XML format by default, but it also gives you an
option to encrypt them.
1. Browse to Diagnostics | Backup/restore.
2. Select the Backup/Restore tab.
3. Set the Backup area to ALL. For a list of all available areas, see the following Backup
areas section.
4. Leave Do not backup package information unchecked.
5. Leave Do not backup RRD data checked.
Conclusion
As a conclusion, we have shown, first, an overview of the Court of Appeal of Taza; secondly,
the theory of pfSense, from its history to the features list; and thirdly, the necessary
installation and configuration, from the basic ones to the service and maintenance configuration.
This project has allowed us to understand the concepts of the pfSense firewall. All the example
configurations we have seen are just to show how to work with pfSense, and each administrator
can choose his own strategy for his network, depending on its size, platforms, equipment, and so on.
In terms of perspective, I recommend installing some useful packages such as the
automatic backup, SquidGuard, and Snort: the first helps with redundancy, the second with URL
filtering (it is free and published under the GNU General Public License), and the third is an Intrusion
Detection System (IDS) released under the GNU open source license (GPL).