PfSense

From Hack Sphere Labs Wiki
Jump to: navigation, search

pfsense-tools

hardware

update

http://www.firewallhardware.it/en/pfsense_selection_and_sizing.html

http://pfsense.firewallhardware.it/en/tuning_and_troubleshooting_network_cards.html

  • atom?
  • how many cores
  • ssd

http://mikelococo.com/2011/08/snort-capacity-planning/

http://en.wikipedia.org/wiki/Suricata_%28software%29

pfsense console access to switch

pkg_add -r http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/net/kermit-9.0.302.tbz
rehash
kermit -l /dev/ttyu0 -b 115200 -p n -C "set stop-bits 1,set flow none,SET CARRIER-WATCH OFF"

Escape Char

ctl-\
then
c


Hardware

An embedded system, small, has features.

Freeradius2

http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

Install

WPA2+EAP-TLS

wpa_supplicant.conf
network={
    ssid="work"
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    identity="username"
    password="password"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.prv"
    private_key_passwd="password"
}

Note: You do not need private_key_passwd if you do not have a password

Disable Weaker EAP Types

If you disable "Weak EAP types" then you disable MD5, GTC and LEAP. Then you there should only be three strong types available:

   EAP-TLS which is very secure and the strongest encryption
   EAP-TTLS
   Protected EAP (PEAP)

EAP-TTLS and PEAP could be clasified as secure, too, but less than EAP-TLS.

Because all the three types are secure types and so I didn't implement any option in the GUI to disable them. If you would like to disable this just go to Code:

/usr/local/etc/raddb/eap.conf

and delete/comment the TTLS and PEAP blocks and restart freeradius.

EAP/WPA2/ETC

LEAP

Crap created by Cisco and is proprietary. Native support in Win = No. 3rd party/Cisco clients = Yes. Widely adopted means that lots of equipment supports it. Exploit tool ASLEAP. Uses MS-CHAP which is shit in the first place. Recommend only using if need to with really long passwords.

EAP-TLS

Highly 'touted' TLS+PKI. Something about overhead of client side certs being bad. Original wireless EAP makes it natively supported in a majority of os's. Client side cert has to be distributed? (It's a private key)

EAP-MD5

Note: Not part of the wireless standard. Just here because its part of EAP.

Insecure MD5 hashes. Does not verify EAP server. (vulrn to man in the middle) Works in 2k and depreciated in Vista.

EAP-TTLS

Extends TLS. No native support in Win. Can use CA and PKI but does not require it. Server auth to client via CA, optionally client to server. Server can then use tunnel to auth. Not even username in cleartext. EAP-TTLSv0/EAP-TTLSv1 -v1 = Draft.

EAP-IKEv2

Internet Key Exchange - Asymmetric key pairs, Passwords, Symmetric keys. You can pick and choose auth methods.

EAP-FAST

Cisco makes after LEAP. Optional server certs. PAC (client cert) provisioning can be automatic. Attackers can intercept PAC file or spoof AP to get user/pass (cleartxt or MSCHAPv2). PAC issued to each user. Can issue to devices. Windows Vista and up with Cisco Module. No PAC file?: Falls back to TLS.

EAP-SIM

For GSM networks. http://tools.ietf.org/html/rfc4186

EAP-AKA/EAP-AKA'

UMTS/3GPP

EAP-GTC

Cisco alternative to PEAPv0/EAP-MSCHAPv2. Allows generic authentication to a number of databases: NDS + LDAP. Onetime pass too.

EAP-EKE

Short passwords and uses no PKI, uses Diffie-Hellman variant.

Encapsulation

EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.

IEEE 802.1x

"EAP over LANs" or EAPOL. Also: When EAP is invoked by an 802.1X enabled Network Access Server (NAS) device such as an IEEE 802.11i-2004 Wireless Access Point (WAP), modern EAP methods can provide a secure authentication mechanism and negotiate a secure private key (Pair-wise Master Key, PMK) between the client and NAS which can then be used for a wireless encryption session which uses TKIP or CCMP (based on AES) encryption.

PEAP

Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. Cisco, MS, and RSA. PEAPv1+v2+v3 - The protocol only specifies chaining multiple EAP mechanisms and not any specific method. However, use of the EAP-MSCHAPv2 and EAP-GTC methods are the most commonly supported.

PANA

Protocol for Carrying Authentication for Network Access - PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.

Notes

Install

http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46

  • Installer Mode
  • Quick Install
  • Command line configure LAN/WAN
  • System->Firmware->Autoupdater Settings->Choose Default Autoupdater URLs
  • Install Unbound and configure for DNSSEC after disable standard DNS Forwarder
  • Make sure LAN ip DNS ip in DHCP server on LAN Interface
  • Enable NTP Server

Install BSD Applications

setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/Latest/
pkg_add -r whatever

Custom Build

I would like to build a PFSense install with the right kernel modules for VGA so I can have a graphical log viewer/monitor on the laptop that I use. I would also like to virtualize PFSense and SoleraOS....or find something that does the same thing. One machine, a firewall and monitoring solution in one.

This guide allows one to build their own iso image to install to a system:

One of the VGA modules has to be compiled into the kernel.

http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso

Laptop Lid Fix

I have not tried this but this forum post outlines one members methods of disabling the laptop lid switch:

ACPI Disable

Have to do it on every upgrade

/boot/device.hints
hint.acpi.0.disabled="1"

Dual Port EC2000S Expresscard NIC

I still have to try some of this stuff.

DNS

U620L Verizon

curl -O http://pkg.freebsd.org/freebsd:10:x86:64/quarterly/All/usb_modeswitch-2.2.5.txz

pkg install usb_modeswitch-2.2.5

cd /etc/rc.d nano lte.sh

#!/bin/sh
sleep 15
/usr/local/sbin/usb_modeswitch -v 0x1410 -p 0x9020 -u 4
sleep 5
/usr/local/sbin/usb_modeswitch -v 0x1410 -p 0x9020 -u 4
sleep 60
chmod +x lte.sh

Then Early Shell CMD:

/etc/rc.d/lte.sh

Reset Script

usbconfig -d ugen1.4 power_off

wait

usbconfig -d ugen1.4 power_on
/etc/rc.d/lte.sh
/usr/local/sbin/pfSctl -c 'interface newip ue0'


Notes

wait

usbconfig -d ugen1.4 suspend

wait

usbconfig -d ugen1.4 resume


Script

#! /bin/tcsh

start:

set ifaddress = `ifconfig ppp0 | grep "inet " | cut -d ' ' -f 2 `
echo $ifaddress
if ( "$ifaddress" == "" ) then
        echo "Interface does not have address"
        echo "Resetting"
        usbconfig -d ugen1.3 reset
        echo "Sleeping"
        sleep 20
        /usr/local/sbin/pfSctl -c 'interface reload WANVZ'
        goto waitdown
else
        echo "Interface address:  $ifaddress"
endif

ping -c 1 $ifaddress

if ( $? == 0 ) then
        echo "Interface is up!"
        goto waitup
else
        echo "Interface is down, Resetting"
        usbconfig -d ugen1.3 reset
        echo "Sleeping"

        sleep 20
        /usr/local/sbin/pfSctl -c 'interface reload opt4'
        goto waitdown
endif

waitdown:
echo "sleeping 30 then check if up"
sleep 30
goto start
exit

Trim (Do not know if it works)

Enable ahci!

This can now be set manually after the install on 2.1.

touch /root/TRIM_set; /etc/rc.reboot

to remove

touch /root/TRIM_unset; /etc/rc.reboot

Still might be nice to eventually have it in the installer.

Check:

tunefs -p /

Notes