
Build Your Own IDS Firewall With PFSense


What do you think about Astaro for Home users?

Astaro is nice....it's a whole different league than PFSense. PFSense started out as a high performance distro...focusing on strong QoS/traffic shaping. They've added a couple of very basic UTM packages to it...Snort, Clam...and others. It's a great distro, I've run it many times at home.

However, Astaro is a full blown..very mature UTM, it's been around for years as a professional package. Its competition is more in the line of Untangle. I've been running Astaro for about 1/2 a year now...til I get time to go back to Untangle or whatever other distro I feel like dorking around with at the moment. Have it running on a SuperMicro Atom D510 motherboard with a pair of onboard Intel gigabit NICs, 2 gigs of RAM, a Seagate Pipeline hard drive designed for low power, low heat output, low noise, running 24x7 (basically a DVR hard drive..perfect for a firewall job). All wrapped up in a 1U SuperMicro chassis...a model with front I/O ports.

Overkill for home users? Perhaps..yeah..same with Untangle, and same for many *nix router distros. For computer hobbyists..and those that work in the field that do networking for a living (hey..such as myself)...they're fun. But firewalls, routers, networks, that's what I do for a living, so naturally my home network is going to be miles of overkill. And there are always a few users out there that have a desire to roll up their sleeves and experiment...to get a better product. One thing about these *nix router distros...(assuming you put them on quality hardware)....they are rock stable and can handle tremendous loads. Gone are the many times you have to go reboot that little Stinksys or Nutgear or DStink router, gone are the times of your internet slowing to a crawl because your kid is torrenting away or hogging the bandwidth with something else. And if you select a UTM like Untangle or Astaro...you spend much less time cleaning up the wife's or kid's computer that got hosed due to some malware infection...because it was stopped at the gateway!
 
Another thing I forgot to mention: Astaro does not make it at ALL easy to clone a MAC address, which is still required for many cable providers. I had to do it temporarily with FIOS and that required SSH access and screwing around with ifconfig.

MAC cloning has pretty much been gone for years. The cable modems memorize the MAC of the device they're first connected to. When you swap devices (like..a new router)...you simply pull the power on the modem for a few minutes...which will flush its memory...and as it powers up it will memorize the MAC of the new device that it's plugged into (your new router). For those with voice bundles...you'll have an MTA instead of a modem..one additional step required...remove the battery from the MTA (little cover on the bottom).

I work with a lot of cable ISPs up here in New England...the only time I see MACs still used are on business accounts..for binding a static IP to, and in those cases a quick 5 minute phone call to their support gets it taken care of correctly...instead of the band aid MAC clone approach.
 
The hardware to run/build *nix distros on is sometimes a show stopper for home users. While many of us may have old computers lying around...we also don't desire a full size computer taking up space, boosting the monthly electric bill, making extra noise, etc.

For many years I used laptops for *nix router/firewall distros. Since we used IBM Thinkpads for many of our clients, I had plenty of leftover piles of older ones, and since IBMs use rock solid trusted business grade components....they're well supported by *nix. (One of the key components to a successful *nix distro...stay with good quality supported components..stay away from cheaper stuff. Especially with network cards...you want good Intels or the partially decent Broadcoms...no Realteks, which are more CPU/software driven.) I'd just slap in a PCMCIA NIC for the second NIC. Benefits...low power consumption, low noise, small footprint, built in KVM, and built in battery backup! Cool huh?

I recently built a little 1U box to put in my rack at home..the SuperMicro unit...low power (80 watt PS I think), passive heat sink on the CPU..she's nice and quiet.
 
I've just built nearly the exact same box as this, though my case is smaller and very basic so it won't stand out around my other utility hardware.

I'm having an issue where the WAN port seems to just stall on my build. The cable modem was just replaced also to rule out that as an issue. I've also updated to a beta of pfSense 2 to see if it was a bug that had been resolved in the newer version, to no avail.

Have you had that problem at all with your build?

The new modem seems to blink the link light steadily at all times when everything is operating normally, but stays solid when this is happening. I'm assuming this odd behavior means that there is a physical link, but it's losing the actual data link from either internally on the modem's bridge or in the NIC.

I thought it may be a firmware/BIOS bug, so I looked for new firmware with no luck, shows I'm current.
 
Not a single issue, the build is rock solid, and I grind on it pretty hard. I've seen Snort create some problems on my old build, but that was a resource issue.

A few things to check: check the log files in /var/log. system.log is quite long, and using pfSense's log viewer only gives you a window on it.

Check the console screen when problems occur, you might see a device issue that is not being logged.

Last one, you've probably already tried, but what the hell. Verify your network cable, in and out, I've seen grown men launch pieces of equipment through windows in frustration that was due to a hinky cable.

Hope that helps
 
I'll try to watch the console, but I'm starting to get a bit discouraged. I'm now on my third modem trying to attack this issue from both angles. I'm very glad to hear you're not having issues as that rules out motherboard/driver incompatibility, and I really like this board. I have swapped all cables, and even have a new gigabit LAN switch on the way because it's been acting a little flaky also, though I'd really doubt a LAN switch would have anything to do with the WAN port on the pfSense box seeming to freeze up. It's slightly possible that it's a firmware issue on the modem, though I have no way to tell.
 
Well, I thought I had my issue resolved, but it jumped out at me yet again. I changed the ACPI settings to v2.0 in the BIOS which helped (some reason it was set to v3), but apparently just made the intervals between outages much longer. Week+ now instead of 6hrs. I guess I keep digging, but no errors or messages of any kind show up anywhere, bizarre.
 
Since this PFSense article is wrapped up, it would be interesting to see the same hardware be used to benchmark other more contemporary (and better IMO) UTM products.

On the SuperMicro Atom D510 unit I mentioned above, I've run Astaro, as well as Untangle on it. They are both stronger in anti-malware functions than PFSense with its basic plug-ins. I'm sure either of those distros would be slower than PFSense, but it would be interesting to see them against each other in regards to routing throughput and simultaneous sessions.
 
The other thing you have to do is compare apples to apples, and compare oranges to oranges. I doubt that any of the Linux based distros can come close to matching a Cisco ASA 55X0 or any of the Tipping Points. That would also be an unfair comparison as both of those cost at least $5k, and the Tipping Point costs as much as a new Benz (overkill by 10000 miles for a home network).

True....and I think we're talking about purely the *nix distros here...building your own appliance (which is what I was talking about, not comparing against Ciscos, Junipers, Sonicwalls, etc). Naturally the hardware you install these on affects the performance, and in order to compete against an ASA 5500 series with 10 or 20 gigs of throughput or whatever...we'd need to up the horsepower. I've read about Untangle being installed on quad Xeon boxes with 8 WAN interfaces feeding a network of 10,000+ users.
 
Hmmm, would be interesting. I have a Tyan board with an E3-1230 and 16GB RAM with 4 Intel GbE and 2 onboard GbE. Would be fun to see how fast it would run with either pfSense or Astaro. Server has no use right now, loaded with ESXi 4.1. Would be interesting if I could use it as a dual purpose machine with either pfSense or Astaro and a low level app or data server?
 
Quote from Aliens: "Only way to be sure is nuke 'em from orbit."

I think this may qualify.
 
I know it's extreme overkill, but if I could use it for dual purposeness (not a real word) I could justify it. I know it isn't wise to use a UTM box for anything other than its main purpose, but can anyone think of a dual purpose usefulness for the box? If not I will be plenty happy just messing around with it until I find a final home for the box.
 
Not sure. Take a look at ClearOS Enterprise; their functionality (some say overloaded functionality) beyond UTM includes:

Windows Networking with PDC Support
File and Print Services
Flexshares
Groupware with Outlook Connector
Mail Server - POP, IMAP, SMTP, Webmail, Retrieval
Mail Archiving
Database with MySQL
Web Server with PHP Support
Integrated LDAP for User and Group Management
User Security Certificate Manager

In such an aggressive box, aggressive countermeasures would also be within scope; HoneyD, SpamD and LaBrea all come to mind.
 
I did a pfsense 2.0 build on a Core i3 550. Single Intel GBE on a vlan switch. It averaged 950 Mbps WAN-LAN throughput on iperf over 8 hours well under 50% CPU utilization. Of course real world throughput varies, especially once you start adding packages such as snort or squid, but it makes a decent benchmark for comparing systems anyway.

My own firewall is pfsense 2.0 on a SM X7SPA-H D510 and the iperf WAN-LAN testing was between 350 and 450 Mbps. I then discovered the net.inet.ip.fastforwarding sysctl and it will do better than 600 Mbps on iperf.

So yeah, I expect your Xeon would handle multiple gig streams with any package you might want to throw at it.
 

Care should be taken with setting fastforwarding in sysctl.conf, it can cause problems with SAMBA and CaptivePortal.

That said, it can offer a more than 25% bump in performance, depending on your network.

For those considering PFSense 2.0 RC3, Snort is not yet a choice. I'd recommend sticking to 1.2.3 until the kinks are worked out.
 
firewall---->proxy---->network
 
What does that mean?

There are two kinds of proxies. Your company uses a forward proxy to limit where your employees are permitted to surf. ISPs use proxies to limit the options that their members have. They don't limit destination web sites (although they could exclude known porn sites), but they limit their members to HTTP and FTP. This limits some of their hacking options. Also, the queries to the remote web sites appear to be coming from the proxy instead of from the individual user's terminal, because the proxy masks the user address by replacing it with its own.

A reverse proxy is used as a frontend for a web server. (A large server farm would implement an array of proxies.) Requests to www.anywhere.com are routed to our proxy that forwards the request to server content_server (the keeper of the real web page). The surfer thinks it is talking to server www for all requests. This makes it nice for the webmaster, who is in the process of replacing content_server with bigger_server. All of our user's links remain the same; we just change where the proxy points. As previously, we can limit which URLs the proxy permits. So we could have two web servers, but only the content of one is visible to the outside world. The proxy (both forward and reverse) also helps reduce network traffic and content_server load.
The proxy caches every requested web page. The next request to that same server, whether it is from the same or a different source, is satisfied out of cache without having to go back to the content_server. If the ISP has a proxy array, it will eventually contain all the popular web pages, thus minimizing the number of requests sent out across the Internet. The reverse proxies at the content provider's location also cache popular pages. The rules as to how much to cache and when to go back to the content_server for the latest version of the page may be set up in the proxy server.
In fact, at a large site with a large array of servers, the popular pages are downloaded into the proxies at low traffic time, and they serve the web requesters. This improves site reliability and flexibility.

Simplistically, you may think of a proxy as an application-level firewall. In the case of web proxies, it can serve to direct, redirect, or limit access through the proxy to servers and specific URLs. Although the proxy may be placed in parallel with the firewall, the preference is to put it behind the firewall. Remember, we may use several firewalls in parallel to handle the traffic load. Extreme care must be taken to make sure that you have a consistent rule set across all firewalls.
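The reverse-proxy behaviour the post above describes (requests for www.anywhere.com forwarded to content_server, only permitted URLs reachable, pages served from cache, and the backend swapped for bigger_server without users' links changing), as an added example that is not from the thread and not from any pfSense or proxy project. The hostnames www.anywhere.com, content_server and bigger_server come from the post; the allow-listed paths, the constructed backend pages, and every function and class name are assumptions. The backend is an injected Python callable so the example runs offline.

```python
"""Caching reverse proxy logic, added as an illustration (not from the thread).

Models what the post describes: the outside world talks to www.anywhere.com,
the proxy forwards to an internal backend (content_server), only allow-listed
URLs are reachable, GET responses are cached, and the webmaster can repoint
the public name at bigger_server without users' links changing.  The backend
is an injected Python callable, so everything here runs offline.
"""
import posixpath
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# (status, headers, body) as returned by a backend fetch
Response = Tuple[int, Dict[str, str], bytes]
# (backend_host, path) -> Response
Fetcher = Callable[[str, str], Response]


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup ('' when absent)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


@dataclass
class ReverseProxy:
    routes: Dict[str, str]                # public host -> internal backend host
    allowed_prefixes: Tuple[str, ...]     # URL path prefixes exposed to the outside
    fetch: Fetcher                        # how the proxy talks to a backend (injected)
    default_ttl: float = 60.0             # cache lifetime when the backend gives none
    backend_hits: int = 0                 # requests that actually reached a backend
    _cache: Dict[Tuple[str, str], Tuple[float, Response]] = field(default_factory=dict)

    def _ttl_for(self, headers: Dict[str, str]) -> float:
        """Honour Cache-Control no-store / max-age=N from the backend, else default_ttl."""
        for directive in _header(headers, "Cache-Control").split(","):
            directive = directive.strip().lower()
            if directive == "no-store":
                return 0.0
            if directive.startswith("max-age="):
                try:
                    return float(directive[len("max-age="):])
                except ValueError:
                    return self.default_ttl
        return self.default_ttl

    def handle(self, method: str, host: str, path: str,
               now: Optional[float] = None) -> Response:
        """Serve one request: route by host, enforce the URL allow-list, then cache."""
        now = time.monotonic() if now is None else now
        backend = self.routes.get(host.lower())
        if backend is None:
            return 421, {"Content-Type": "text/plain"}, b"unknown host"
        # Normalise before the allow-list check so "/news/../admin/users" cannot
        # slip past a prefix test that only looked at the raw string.
        path = posixpath.normpath(path)
        if not path.startswith("/") or not any(path.startswith(p) for p in self.allowed_prefixes):
            return 403, {"Content-Type": "text/plain"}, b"forbidden"
        key = (backend, path)
        if method == "GET":
            entry = self._cache.get(key)
            if entry is not None and entry[0] > now:
                status, headers, body = entry[1]
                return status, {**headers, "X-Cache": "HIT"}, body
        self.backend_hits += 1
        status, headers, body = self.fetch(backend, path)
        if method == "GET" and status == 200:
            ttl = self._ttl_for(headers)
            if ttl > 0:
                self._cache[key] = (now + ttl, (status, headers, body))
        return status, {**headers, "X-Cache": "MISS"}, body

    def repoint(self, host: str, new_backend: str) -> None:
        """Swap the backend behind a public name; users' links stay the same."""
        self.routes[host.lower()] = new_backend


def demo_backend(backend_host: str, path: str) -> Response:
    """Constructed stand-in for content_server / bigger_server (no real server)."""
    pages = {
        "/index.html": b"<h1>anywhere.com</h1>",
        "/news/today.html": b"<p>today's news</p>",
        "/admin/users": b"internal only",   # exists on the backend, never exposed
    }
    body = pages.get(path)
    if body is None:
        return 404, {"Content-Type": "text/html", "X-Backend": backend_host}, b"not found"
    return 200, {"Content-Type": "text/html", "X-Backend": backend_host,
                 "Cache-Control": "max-age=300"}, body


def build_demo_proxy() -> ReverseProxy:
    """Proxy fronting www.anywhere.com with only the public pages allow-listed."""
    return ReverseProxy(
        routes={"www.anywhere.com": "content_server"},
        allowed_prefixes=("/index.html", "/news/"),
        fetch=demo_backend,
    )


if __name__ == "__main__":
    proxy = build_demo_proxy()
    for i in range(3):   # first request MISSes, the next two are served from cache
        status, headers, _ = proxy.handle("GET", "www.anywhere.com", "/index.html", now=float(i))
        print(status, headers["X-Cache"], headers["X-Backend"])
    print(proxy.handle("GET", "www.anywhere.com", "/news/../admin/users", now=0.0)[0])  # 403
    proxy.repoint("www.anywhere.com", "bigger_server")
    print(proxy.handle("GET", "www.anywhere.com", "/index.html", now=0.0)[1]["X-Backend"])
```

The two points worth noticing are that the allow-list is checked on the normalised path, so the backend's /admin/users stays invisible however the URL is spelled, and that the cache key is the internal backend rather than the public name, so repointing to bigger_server naturally starts with an empty cache instead of serving stale pages from content_server.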
 