Scribd Logo
Upload

Welcome to Scribd!

  • PF Sense

    Uploaded by

    Reino Animal
    93 views7 pages
    como configurar pfsense para un firewall

    Original Title

    PfSense

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    como configurar pfsense para un firewall

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    93 views7 pages

    PF Sense

    Uploaded by

    Reino Animal
    como configurar pfsense para un firewall

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    ---> pfSense <---

    pfSense es una distribución personalizada de


    FreeBSD adaptado para su uso como
    Firewall y Router.

    Requerimientos:
    ISO pfsense
    Maquina Virtual cliente (win 7)
    Maquina Virtual Windows Server (Active Directory)

    Maquina Virtual pfSense:


    1er Adaptador = WAN -> NAT / Bridge
    2do Adaptador = LAN

    Maquina Cliente:
    Un solo adaptador = Segmento de red LAN

    Maquina Windows Seerver:


    En segmento de red LAN

    -------------------------------------------------------

    * INSTALACION *

    Maquina pfSense:

    Condiciones pfsense = Acept


    Welcome Install = Install pfsense
    keymap = continue (idioma elegido)
    partitioning = Auto (UFS)
    Manual Configuracion = NO
    Complete Instalation = reboot

    Configurar red LAN:

    opcion 2 - set interfaces


    elegir interfaz correspondiente - 2
    ingresar ip seleccionada (192.168.14.1)
    ingresar mascara de red - 24
    <enter> - se selecciona LAN
    <enter> - sin ipv6
    se habilita dhcp server - marcar " Y "
    ingresar primer ip del rango (192.168.14.2)
    ingresar ultima ip del rango (192.168.14.20)
    revert to http = " Y "
    se observa LAN con nueva IP

    Maquina Cliente:

    Instalacion tradicional

    Configurar adaptador VMware en Segmento


    de red local

    -----------------------------------------------------
    * CONFIGURACION *

    Maquina Cliente:

    opcion 1 = se configura red automatica


    dns = 8.8.8.8
    dns = 8.8.4.4

    opcion 2 = ip del rango del servidor pfsense (1ra del rango)


    mascara = 255.255.255.0
    gateway = ip de servidor pfsense
    dns = 8.8.8.8
    dns = 8.8.4.4

    Configurar Servidor pfSense:

    Abrir en Explorador de Internet


    en maquina cliente

    sign in:
    usuario = admin
    pass = pfsense
    <sign in>

    <next>
    <next>
    hostname = (iniciales)
    domain = (iniciales.com)
    primary DNS = 8.8.8.8
    secondary DNS = 8.8.4.4
    <next>
    timezone = america/mexico_city
    <next>
    <next> - configuracion WAN
    <next> - configuracion LAN (verificaion de IP)
    ingresar NUEVA contraseña
    <next>
    <reload>

    Click HERE to continue on to pfSense webConfigurator


    (click en "here")

    System
    Advanced
    Firewall & NAT
    firewall maximun table entries = 400000
    <save>
    System
    General Setup
    DNS servers - elegir WAN con ip de wan-pfsense
    <save>

    Instalacion de squid y squidguard:

    System
    Package Manager
    Available Packages (tienda)
    Search term = squid
    <search>
    instalar 2 paquetes
    SQUID <install> <confirm>
    SQUIDGUARD <install> <confirm>

    ----------------------------
    POsible error:
    No permite instalar por ser mayor version de php
    Solucion:
    System
    Update
    -----------------------------

    nota:
    al terminar de instalar aparece barra superior en verde y
    "success" al final del detalle de instalacion

    nota 2:
    Verificar en System -Advanced -Firewall & NAT
    el valor firewall maximun table entries = 400000

    <-->
    Configuracion squid:

    Services
    Squid Proxy Server
    Local Cache
    Hard Disk Cache Size = 1000
    <Save>

    General
    Enable Squid Proxy = <Habilitar Casilla>

    Transparent HTTP proxy = <Habilitar casilla>

    Bypass proxy for private Address Destination = <Habilitar


    casilla>

    Enable access Logging = <Habilitar Casilla>

    Error LAnguaje = seleccionar EN o ES


    (idioma de mensaje error)

    Suppress Squid Version = <Habilitar Casilla>

    <SAVE>

    Configuracion SquidGuard:

    Services
    SquidGuard Proxy Filter
    General Settings
    Enable GUI log <Habilitar casilla>
    Enable log <Habilitar casilla>
    Enable log rotation <Habilitar casilla>

    Blacklist <Habilitar casilla>


    Blacklist URL
    www.squidguard.org (buscar en internet)
    Blacklist
    Shalla´s Blacklist
    Download (copiar direccion de
    enlace)
    <SAVE>

    Blacklist
    Download - hasta que barra de estado sea verde

    *******************************************************
    Creacion de Categorias:

    Services
    SquidGuard Proxy Filter
    Target Categories
    <Add>
    Name = nombre de su categoria
    Domain list = lista de paginas a bloquear
    redrect mode = none
    Redirect = MEsaje que deseen mostrar
    log = <habilitar casilla>
    <SAVE>

    *********************************************************

    Habilitar Targets / otros contenidos:

    Services
    SquidGuard Proxy Filter
    Common ACL
    Target Rule List
    (+) - para expandir vista de listas
    seleccionar permisos
    whitelist
    blacklist
    allow
    default access (all) = allow

    Do not allow ip addresses in url = <habilitar>


    Redirect mode = int error page
    redirect info = mensaje a mostrar
    log = <habilitar casilla>
    <SAVE>

    ******************************************************
    Activar Servicio:

    Services
    SquidGuard Proxy Filter
    Enable = <Habilitar Casilla>
    <Apply>

    *******************************************************
    Vinculacion (Active Directory) + pfSense
    Maquina Server ofsense:
    Configurar para dejar 1 ip libre para windows server

    Maquina Cliente: (explorador)

    System
    User MAnager
    Authentication Server
    <Add>

    Descriptive Name = (Elegir nombre)


    Type = LDAP
    Hostname o ip = ip de windows server
    Port value = 389
    Transport = TCP-Standard
    Protocol version = 3
    Server Timeout = 25
    Search scope = level -> Entire Subtree
    Base DN: (buscar)

    --------------------------------------------
    *Win Server - ADSI - Aciones -Conectar a
    <Aceptar> - expandir contexto

    *Obtener :
    DC=ccc,DC=com (ejemplo)

    *CN = Users -> obtener nombre destino


    CN=Administrador,CN=Users,DC=ccc,DC=com (ejemplo)
    -----------------------------------------

    Authentication COntainers =
    CN=Administrador,CN=Users,DC=(dominio),DC=com

    Bind credentials = dominiowinserver\Administrador


    2da casilla = contraseña de win server

    User naming attrbute = sAMAccountName

    Group naming atribute = cn

    group member attribute = memberOf

    <SAVE>

    Settings
    Authentication Server = elegir conexion a AD
    <Save & Test>
    *aparecen 3 ok
    <Save>

    Services
    Squid Proxy Server
    General
    Transparent HTTP proxy = <deshabilitar casilla>
    <Save>

    Local Cache
    cache dynamic content = <Habilitar casilla>
    <Save>

    ACLs
    Allowed Subnets = (red servidor pfsense/24)

    Authentication
    Authentication Method = LDAP
    Authentication server = ip widows server
    Authentication server port = 389
    Authentication processes = 1
    Authentication TTL = 480

    LDAP version = 3
    LDAP server users DN =
    CN=Administrador,CN=Users,DC=(dominio),DC=com

    LDAP password = password windows server


    LDAP base domain = DC=dominio,DC=com
    LDAP username DN Atribute = sAMAccountName
    LDAP search filter = (sAMAccountName=%s)
    <save>

    Services
    SquidGuard Proxy Filter
    General Settings
    Enable LDAP filter = <habilitar casilla>
    LDAP DN : CN=Administrador,CN=Users,DC=(dominio),DC=com
    LDAP DN pasww = (contraseña win server)
    Strip NT domain name: <habilitar casilla>
    Strip kerberos : <habilitar casilla>
    LDAP version = version 3
    Enable log rotation <deshabilitar casilla>
    <SAVE>

    *************************************************************
    COnfigurar acceso por usuario:

    Services
    SquidGuard Proxy Filter
    Groups ACL --> aqui se crean los grupos de reglas

    <Add>
    Name = nombre de regla
    client(source) = rango ip (10.1.1.1-10.2.2.2)
    'usuario'

    Do not allow ip addresses in url = <habilitar>


    Redirect mode = none
    log = <habilitar casilla>
    <SAVE>

    Services
    SquidGuard Proxy Filter
    General Settings
    <Apply>
    Nota: Ante cualquier cambio en reglas, dar <APPLY>
    Tarda en Aplicarse de 3 a 10 min
    dependiendo de recursos de pc

    *********************************************************
    Maquina CLiente:

    Configurar opciones de internet:


    Centro de redes y recursos compartidos
    opciones de internet
    conexiones
    configuracion de LAN
    Se desabilitan las 2 casillas de configuracion automatica
    se habilita casilla de servidor proxy
    direccion = ip de servidor
    puerto = 3128
    NO usar servidor proxy = <Habilitar casilla>
    Opciones Avanzadas
    Excepciones = ip server pfsense
    <Aceptar>
    <Aceptar>

    *******************************************************

    Uso de pfsense:

    Opcion 1 : Proxy (Squid)

    Services
    Squid Proxy Server
    ACL´s
    Allowed Subnets = ip_servidor/24
    Blacklist = paginas a bloquear (dominio)
    <Save>

    Opcion 2 : Filtrado de Contenido (SquidGuard)

    **********************************************************

    Blacklist = lista de denegados


    Whitelist = lista de permitidos
    CIDR = ip/wildcard
    proxy transparente
    sAMAccountName = id de protocolo LDAP

    You might also like