Configure the time servers and click Next. On the next page you can configure any extra setup information if your ISP requires it. Click Next to go to the LAN page. Lastly, change the admin password to a secure one of your choice. At this point the firewall will reload its rules. Enable the third network: click Interfaces>OPT1, select ‘Enable interface’ and click Save. Rename OPT1 to LAN by clicking on Interfaces>OPT1 and renaming it LAN.

05 How to create a basic rule
All rules are added in the same way; just add and modify each rule to fit the requirements. Click the bottom-left ‘+’ symbol on the Firewall Rules page to start creating one. Now we can add web browsing. Set the action to pass (unless you wish to set up a rule to drop traffic). Choose your source interface (LAN/WIRELESS). Then select the protocol to use (usually TCP, but things like DNS require UDP port 53). On the next item, select the destination. Usually this will be the ‘any’ address for external traffic, and the WIRELESS or LAN subnet or address, depending on requirements.
Destination port is straightforward enough: you can select a range of ports either by using the drop-down menus or by entering your own ranges (for now, just select HTTP). Using multiple ports is covered later in the article.
One set of rules definitely needed for both networks is basic HTTP and HTTPS rules for browsing. You will also want to implement a ‘drop all’ rule. As the name implies, this drops all traffic. This makes sure no traffic you did not intend escapes out of your network. To do this, just set up a rule with drop as the action, networks and port ranges set to any, and TCP/UDP as the protocol. Do this for both networks.

From the Firewall menu, select Aliases. Use the ‘+’ on the right. To implement HTTP and HTTPS together, give it a name like Web_browsing_ports – ensure it is descriptive. Select Ports from the Type drop-down. Hit the ‘+’ button below the ports and add 80 in the port field and HTTP in the description. To add HTTPS, click the ‘+’ button again, but use port 443. Save and apply changes. Aliases are not limited to ports, but can also be used for hosts and networks. To implement an alias in a rule (assuming the alias has been created beforehand), go to the rule’s Port drop-down, select Other and begin to type the name of the alias. It should pop up a list. Just click on the alias needed and accept. Apply the changes once the rule is created. Similar rules can be created between networks. An example would be SSH. Implement this rule the same way
“No need for multiple rules – just one alias can be used to

07 Enhanced rule sets
Now that you understand how basic rules work, it is time to group together a more enhanced rule set. As a minimum, set up both networks to have the following flowing out to the internet: HTTP and HTTPS (remember to use an alias here!), FTP, DNS (using UDP) and SSH if needed. However, box clever here. If you only use SSH to talk to a specific number of hosts, use an alias with the Hosts drop-down and enter the IP addresses into the alias. That way, should a machine be compromised, it will not be able to talk SSH on port 22 to anything but those boxes defined in the alias. The more specific the rules, the more secure they are. You will also need to repeat the process on the LAN, assuming you want the same rights. To prevent a network talking to another on a certain port and protocol, use the NOT option in the rule base. An example would be to change the web browser rule to say destination NOT LAN – you will then find you can no longer browse any web server on the test network, but can browse the internet.

08 Managing the bandwidth
Now we can look at some other features such as bandwidth management. pfSense makes it easy to block file-sharing platforms such as BitTorrent, WinMX and similar. It can also split the bandwidth between the two networks. Do this by going to Firewall>Traffic Shaper. Click the Wizards tab. There are a number of different scenarios; select the ‘Single WAN, Multi LAN’ option. Enter the number of LANs (two in this case) and press Next. Fill in your available download and upload speeds. Leave the other components and click Next. Unless you use SIP, click Next. Penalty box can be used to restrict specific groups or alias groups of machines to a percentage of the capacity if needed. Click Next. Use this page to lower the priority or even block P2P traffic completely.
Click Enable on the Traffic Shaper wizard and then select any protocols to allow/block. Edit to the preferred setup and then click Next. On this page, configure traffic shaping for games, with preconfigured optimal setups if needed. Finally you can do the same for applications if you wish to, such as RDP, VNC etc. Click Finish. To remove the shaping, go back to the Firewall>Traffic Shaper menu and select ‘Remove shaper’.

09 Turn on logging
Sometimes, rules don’t actually do what you planned, but there are a number of tools for logging and manipulating rules. It’s wise to be able to review the logs to see exactly what’s going on. To turn logs on, simply go back into the Rules menu, find the rule that you think may be problematic, and tick the ‘Log this rule’ box. Don’t forget that rules are evaluated on a first-match basis; so, for example, placing the drop-all rule before the rule you are trying to test means that rule would never be evaluated.
Backing up is also an important exercise and very simple to execute. Go to the menu and select Diagnostics>Backup/Restore. The options on this page are simple enough. It is recommended to tick the box to encrypt the backups. Give it a good password that you will remember. We also suggest you leave the box ‘Do not backup RRD data’ selected. This is just performance data and isn’t really needed day-to-day.
Should the firewall ever need rebuilding from scratch, you will have to redo the steps right up until you have the GUI. The Restore section, found in the Diagnostics menu, has the tickbox to restore from backup, but also the option to only restore parts, such as the rule base.
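To make the rule-ordering point concrete, here is an added Python model of first-match evaluation with a port alias, a host alias, the NOT destination option and per-rule logging; it is an illustration written for this article, not pfSense code, and the networks, alias members and rule set are constructed assumptions (the source interface is omitted for brevity).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data modelled on the article's setup; not a real pfSense config.
NETWORKS = {"LAN": ip_network("192.168.1.0/24"),
            "WIRELESS": ip_network("192.168.2.0/24")}
ALIASES = {"Web_browsing_ports": {80, 443},              # port alias (HTTP, HTTPS)
           "SSH_hosts": {ip_address("203.0.113.10")}}   # host alias

@dataclass
class Rule:
    action: str             # "pass" or "drop"
    proto: str              # "tcp", "udp" or "any"
    dst: str                # "any", a network name or a host alias name
    dport: str              # "any", a port number as text, or a port alias name
    dst_not: bool = False   # the NOT option: match everything except dst
    log: bool = False       # the 'Log this rule' tick box

def dst_matches(rule, dst_ip):
    if rule.dst == "any":
        hit = True
    elif rule.dst in NETWORKS:
        hit = dst_ip in NETWORKS[rule.dst]
    else:
        hit = dst_ip in ALIASES[rule.dst]
    return hit != rule.dst_not  # NOT simply inverts the destination match

def port_matches(rule, port):
    if rule.dport == "any":
        return True
    if rule.dport in ALIASES:
        return port in ALIASES[rule.dport]
    return port == int(rule.dport)

def evaluate(rules, proto, dst_ip, port):
    """Return (action, index of matching rule, log lines). First match wins."""
    dst_ip, logs = ip_address(dst_ip), []
    for i, r in enumerate(rules):
        if r.proto in ("any", proto) and dst_matches(r, dst_ip) and port_matches(r, port):
            if r.log:
                logs.append(f"rule {i}: {r.action} {proto} -> {dst_ip}:{port}")
            return r.action, i, logs
    return "drop", None, logs  # nothing matched: pfSense denies by default

ALLOW_WEB = Rule("pass", "tcp", "LAN", "Web_browsing_ports", dst_not=True)
ALLOW_DNS = Rule("pass", "udp", "any", "53")
ALLOW_SSH = Rule("pass", "tcp", "SSH_hosts", "22")
DROP_ALL = Rule("drop", "any", "any", "any", log=True)
GOOD_ORDER = [ALLOW_WEB, ALLOW_DNS, ALLOW_SSH, DROP_ALL]
BAD_ORDER = [DROP_ALL, ALLOW_WEB, ALLOW_DNS, ALLOW_SSH]  # drop-all shadows everything
```

With GOOD_ORDER, browsing the internet passes while browsing a LAN web server hits the logged drop-all rule; with BAD_ORDER every packet is dropped by rule 0 and the later pass rules are never reached.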