OPNsense: The “Open” Firewall for Your Datacenter


OPNsense: the “open” firewall for your datacenter
@wefinet Werner Fischer, DENOG10, 2018/11/21

Poll: Have you already tested an Open Source firewall? If yes, which? Feel free to vote, too :-)

Agenda
  • History and architecture
  • FreeBSD / HardenedBSD
  • Initial configuration and secure system
  • Mobile WAN / WAN failover
  • High availability
  • Plugins
  • pfSense or OPNsense?

History and architecture

OPNsense started as a fork of pfSense® (Copyright © 2004-2014 Electric Sheep Fencing, LLC. All rights reserved.), which is itself a fork of m0n0wall® (Copyright © 2002-2013 Manuel Kasper).

Feature comparison: IPFire 2.21 / pfSense® 2.4 / OPNsense® 18.7
  • Based on: Linux® Kernel 4.14 / FreeBSD® 11.2 / FreeBSD® 11.1
  • Stateful firewall: all three
  • VPN: all three (also for mobile road warriors)
  • Proxy cache, LTE backup (with 4G modem), IDS, HA cluster, Multi-WAN, Layer 2 (transparent), two-factor auth. (e.g. Google Authenticator, also for VPN road warriors): each supported by two of the three products (per-product checkmarks not recoverable from the slide)

pfSense® 2.4 vs. OPNsense® 18.7
  • License: AGPL 2.0 vs. BSD 2-Clause
  • IPS: Snort, no real inline mode vs. Suricata, multi-threaded
  • Two-factor auth.: mOTP available via plugin vs. natively integrated via TOTP
  • AES-NI CPU feature: Yes, starting v2.5 vs. No, never required
Source: https://techcorner.max-it.de/wiki/OPNsense_vs._pfSense_-_Im_Vergleich

OPNsense versions
  • 2018: UTM plugins (anti-virus, anti-spam, ...), ZFS
  • 2017: PHP7, Let's Encrypt, application hardening
  • 2016: Plugin support, 2-factor, HardenedBSD
  • 2015: initial release, code cleanup, LibreSSL

FreeBSD / HardenedBSD
[Figure: Unix family tree timeline, 1969 to 2017 (Research Unix, BSD, System V, SunOS/Solaris, Xenix, HP-UX, AIX, Minix, Linux, NeXTSTEP/macOS, DragonFly BSD, OpenSolaris/illumos), with m0n0wall → pfSense → OPNsense marked on the FreeBSD branch.]

ASLR / SEGVGUARD
  • HardenedBSD is a fork of FreeBSD; goal: mitigation of exploits
  • Address Space Layout Randomization (ASLR): the address space is no longer predictable, which increases protection against buffer overflows
  • Blind Return Oriented Programming (BROP): ASLR can be circumvented under certain circumstances; BROP can generate malicious ROP code but needs several attempts; the application crashes whenever an attempt is unsuccessful and is then restarted
  • SEGVGUARD: fixes the above-mentioned brute-force method of BROP by preventing the restart of the attacked application
Link: https://hardenedbsd.org/content/projects

Initial configuration and secure system
  STEP 1: Default settings: LAN → WAN all allowed
  STEP 2: Alias for IP lists like FireHOL, Spamhaus
  STEP 3: Create LAN → WAN rule, prevent access to malicious IPs
  STEP 4: Prepare for IPS
  STEP 5: (screenshots only)

WAN failover
  Configure when the backup link should get active.

High availability
  • Common Address Redundancy Protocol (CARP)
  • pfSync (direct cabling)
  • XMLRPC sync (configuration sync)
  Tip: configure HA first, configure the firewall afterwards.

Plugins
  (screenshots only)
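The initial-configuration steps above (default allow, an alias built from a blocklist, a block rule placed ahead of the allow) modelled in Python as an added example; this is not code from the talk or from OPNsense. It assumes OPNsense's first-match ("quick") rule evaluation on the LAN interface, and the blocklist sample is constructed in Spamhaus DROP format, not real data.

```python
import ipaddress

# Constructed sample in Spamhaus DROP list style ("network ; SBL id"); not real data.
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List (constructed sample for this example, not the real list)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
2001:db8:bad::/48 ; SBL000003
"""


def parse_drop_list(text):
    """Turn a DROP-style list into an alias: a list of ip_network objects.
    Lines are 'network ; comment'; ';' starts a comment, blank lines are skipped.
    Malformed entries are returned separately instead of being silently dropped,
    so a broken list download does not quietly shrink the alias."""
    nets, bad = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    return nets, bad


def in_alias(ip, alias):
    """True if the address falls inside any network of the alias (v4/v6 aware)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in alias)


def evaluate(rules, aliases, dst_ip):
    """Evaluate LAN rules top to bottom; the first match wins (OPNsense 'quick' semantics).
    Each rule is {"action": "pass" | "block", "dst": "any" | <alias name>}.
    Returns (action, index of matching rule); with no match, pf's implicit default deny applies."""
    for i, rule in enumerate(rules):
        dst = rule["dst"]
        if dst == "any" or in_alias(dst_ip, aliases[dst]):
            return rule["action"], i
    return "block", None


# STEP 1: the default LAN rule, everything LAN -> WAN allowed.
DEFAULT_RULES = [{"action": "pass", "dst": "any"}]
# STEP 2 + 3: alias from the blocklist, block rule placed ABOVE the default allow.
HARDENED_RULES = [
    {"action": "block", "dst": "malicious_ips"},
    {"action": "pass", "dst": "any"},
]
# Common mistake: appending the block rule below the allow rule; it can never match.
MISORDERED_RULES = [
    {"action": "pass", "dst": "any"},
    {"action": "block", "dst": "malicious_ips"},
]


def build_aliases():
    """Build the alias table the rules refer to (hypothetical alias name 'malicious_ips')."""
    nets, bad = parse_drop_list(SAMPLE_DROP_LIST)
    assert not bad, f"malformed alias entries: {bad}"
    return {"malicious_ips": nets}


if __name__ == "__main__":
    aliases = build_aliases()
    for name, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES),
                        ("misordered", MISORDERED_RULES)):
        for dst in ("192.0.2.10", "198.51.100.200", "93.184.216.34"):
            print(f"{name:10s} LAN -> {dst:16s}: {evaluate(rules, aliases, dst)}")
```

Note that 198.51.100.200 lies outside 198.51.100.0/25 and therefore passes even with the hardened ruleset; the alias only blocks what the list actually covers.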
pfSense or OPNsense?
  • Open source, no license fee
  • Development in NL + DE
  • Based on FreeBSD & HardenedBSD
  • Modern design

Tombola: Win a Low Energy Server / SSD / Laptop bag. Drawing tomorrow (last coffee break).

Have fun with OPNsense! “Real” Open Source rocks ;-)