Seminario Ditedi pfSense - parte 2

Michele Della Marina - Dario Tion pfSense - soluzione firewall opensource

pfSensesoluzione firewall opensource

Michele Della MarinaMichele Della MarinaDario TionDario Tion

Settembre, 2012Settembre, 2012



pfSense is a free, open source customized distribution of pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and routerFreeBSD tailored for use as a firewall and router

www.pfsense.orgwww.pfsense.org

FreeBSD



http://doc.pfsense.org/

DOCUMENTAZIONEDOCUMENTAZIONE

pfSense: The Definitive Guide



INSTALLARE PFSENSEINSTALLARE PFSENSE

Live CDLive CDFull InstallFull InstallEmbeddedEmbeddedVirtual ApplianceVirtual Appliance



REQUISITI HARDWARE

Funzionalità richiesteThroughput necessario



CPU - 100 MHz Pentium

RAM - 128 MB

1 GB hard drive

512 MB Compact Flash

Serial port for console

REQUISITI MINIMI DI SISTEMAREQUISITI MINIMI DI SISTEMA



STATI RAM (MB)

100.000 97

500.000 488

1.000.000 976

3.000.000 2.900

1 STATO ~ 1KB RAM

REQUISITI HARDWAREREQUISITI HARDWAREStateful InspectionStateful Inspection



REQUISITI HARDWAREREQUISITI HARDWAREThroughput vs CPU/NICThroughput vs CPU/NIC

MMX 200 MHz II 350 MHz III 700 MHz IV 1.7 GHz0

50

100

150

200

250

300

350

400

Realtek

Intel Pro/1000

CPU

Th

rou

gh

pu

t (M

bp

s)

A snippet of a comment in the source code for this driver tells the story "The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is probably the worst PCI Ethernet controller ever made, with the possible exception of the FEAST chip made by SMC."



REQUISITI HARDWAREREQUISITI HARDWAREVPN (IPSEC) Throughput vs CPUVPN (IPSEC) Throughput vs CPU

CPU 266 MHz CPU 500 MHz CPU XEON 800 FSB MHz0

10

20

30

40

50

60

70

80

90

100

Throughput

Th

rou

gh

pu

t (M

bp

s)



REQUISITI HARDWAREREQUISITI HARDWAREVPN (IPSEC) Throughput vs CPUVPN (IPSEC) Throughput vs CPU



PROCESSI INSTALLAZIONE



ASSEGNAZIONE INTERFACCEASSEGNAZIONE INTERFACCE

OPT

LAN

WAN



ASSEGNAZIONE INTERFACCEASSEGNAZIONE INTERFACCE



PFSENSE CONSOLEPFSENSE CONSOLE



WEB MANAGEMENTWEB MANAGEMENT



WEB MANAGEMENT: INTERFACCEWEB MANAGEMENT: INTERFACCE



ALIAS: variabile per agevolare scrittura delle regole


RULES: DEFINIZIONERULES: DEFINIZIONE

Everything that isn't explicitly passed is blocked by defaultEverything that isn't explicitly passed is blocked by default



NATNAT



ROUTING

Dove devo andare per andaredove voglio andare?


DEFAULT RULES / NATDEFAULT RULES / NAT

LANWAN

NAT





SITE-2-SITESITE-2-SITE

IPsecOpenVPN

IPsecPPTPOpenVPN

ROAD WARRIOR CLIENT 2 SITEROAD WARRIOR CLIENT 2 SITE

VPN: Virtual Private NetworkVPN: Virtual Private Network



VPN: Virtual Private NetworkVPN: Virtual Private Network

Quale VPN?



CA - Certification AuthorityCA - Certification Authority



Traffic Shaping

QOS / BANDWIDTH MANAGEMENTQOS / BANDWIDTH MANAGEMENT



Traffic Shaping

WIZARD: almeno 80 REGOLE QOS WIZARD: almeno 80 REGOLE QOS



Traffic Shaping

LAYER 7 PATTERNLAYER 7 PATTERN

smtp^220[\x09-\x0d -~]* (e?smtp|simple mail)userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)userspace flags=REG_NOSUB REG_EXTENDED

http://l7-filter.sourceforge.net/Pattern-HOWTO



PACKAGES / SERVIZIPACKAGES / SERVIZI

DHCPDHCPDNSDNSCAPTIVE PORTALCAPTIVE PORTALFREERADIUSFREERADIUSIDS/IPS (Snort)IDS/IPS (Snort)BGP ROUTINGBGP ROUTINGINTERNAL CAINTERNAL CA



SYSTEM LOGSYSTEM LOG



HIGH AVAILABILITYHIGH AVAILABILITY



ESEMPIO DI CONFIGURAZIONEESEMPIO DI CONFIGURAZIONE



BIBLIOGRAFIA ed IMMAGINI

Famiglia Simpson :-)http://en.wikipedia.org/wiki/Morris_wormhttp://en.wikipedia.org/wiki/Firewall_(computing)#cite_note-report_unm-2

www.symantec.comwww.malaboadvisoring.itwww.google.comwww.vmware.comwww.laontalk.comwww.guidaacquisti.net/www.wikimedia.orgwww.39italia.comit.123rf.com/www.silhouettesclipart.comwww.thenetworkthinkers.com/www.neomedia.itwww.diablotin.comwww.wired.comwww.cisco.comwww.simonecossu.it

RIFERIMENTIRIFERIMENTI

Date post:	08-May-2015
Category:	Technology
Upload:	dario-tion
View:	1,686 times
Download:	0 times

Seminario Ditedi pfSense - parte 2

Technology