PfSense
Contents
pfsense-tools
hardware
update
http://www.firewallhardware.it/en/pfsense_selection_and_sizing.html
http://pfsense.firewallhardware.it/en/tuning_and_troubleshooting_network_cards.html
- atom?
- how many cores
- ssd
http://mikelococo.com/2011/08/snort-capacity-planning/
http://en.wikipedia.org/wiki/Suricata_%28software%29
pfsense console access to switch
pkg_add -r http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/net/kermit-9.0.302.tbz
rehash
kermit -l /dev/ttyu0 -b 115200 -p n -C "set stop-bits 1,set flow none,SET CARRIER-WATCH OFF"
Escape Char
ctl-\ then c
Hardware
An embedded system, small, has features.
Freeradius2
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
Install
- http://www.smallnetbuilder.com/wireless/wireless-howto/30213-how-to-setting-up-freeradius-for-wpa-a-wpa2-enterprise-part-2
- http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
- http://wiki.freeradius.org/Mac-Auth
- http://wiki.freeradius.org/FAQ#FreeRADIUS+Frequently+Asked+Questions
- http://forum.pfsense.org/index.php/topic,43675.255.html
WPA2+EAP-TLS
- After the freeradius2 install
- Configure interfaces, users, and NAS/clients
- Configure EAP
- http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#EAP-TLS
- Use the pfsense cert manager when configuring
- You need to download the CA certificate (CA.crt), the client certificate (client.crt) and the client's private key; the private key is the secret part, so handle the export like a password.
- Convert all of them to PEM files for wpa_supplicant (see Cert Authority#Convert crt to PEM, http://www.gridsite.org/wiki/Convert_p12, http://linux.die.net/man/5/wpa_supplicant.conf, http://support.citrix.com/article/CTX106631)
- Configure WPA Supplicant: http://linux.die.net/man/5/wpa_supplicant.conf
wpa_supplicant.conf
network={
    ssid="work"
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    identity="username"
    # password= is not used by EAP-TLS; the passphrase for the key file goes in private_key_passwd=
    password="password"
    # ca_cert= is what stops a rogue AP: without it wpa_supplicant accepts any server certificate
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.prv"
    private_key_passwd="password"
}
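Added example, not from the page or from pfSense: the PEM conversion and the sanity checks for the three files above, as a POSIX shell script around openssl. It assumes openssl is on the path and stands in for the pfSense cert manager export with a throwaway CA and client certificate that the script constructs itself, bundled as a PKCS#12 file with the password exportpw; the output names ca.pem, user.pem and user.prv match the wpa_supplicant.conf above.

```shell
#!/bin/sh
# Added example (not from the page): convert a PKCS#12 export to the PEM files wpa_supplicant wants
# and check the set is consistent before it goes into /etc/cert/.
set -eu

# Constructed stand-in for what the pfSense cert manager would issue: a throwaway CA and a
# client cert signed by it, bundled with the client key as client.p12 (password: exportpw).
make_test_pki() {   # $1 = work dir
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Wireless CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=username" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" -certfile "$dir/ca.crt" \
        -passout pass:exportpw -out "$dir/client.p12"
}

# Split a PKCS#12 bundle into ca.pem, user.pem and user.prv (the names used in wpa_supplicant.conf).
p12_to_pem() {      # $1 = bundle, $2 = bundle password, $3 = output dir
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/ca-bagged.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/user-bagged.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/user-bagged.prv"
    # Re-encode to drop the "Bag Attributes" preamble pkcs12 adds; keeps only the PEM body.
    openssl x509 -in "$3/ca-bagged.pem"   -out "$3/ca.pem"
    openssl x509 -in "$3/user-bagged.pem" -out "$3/user.pem"
    openssl rsa  -in "$3/user-bagged.prv" -out "$3/user.prv" 2>/dev/null
    chmod 600 "$3/user.prv"                      # the key is written unencrypted
    rm -f "$3"/*-bagged.*
}

# Sanity checks: user.pem chains to ca.pem, and user.prv is the key that belongs to user.pem.
check_pem_set() {   # $1 = dir with ca.pem, user.pem, user.prv; prints ok or a fail reason
    if ! openssl verify -CAfile "$1/ca.pem" "$1/user.pem" >/dev/null 2>&1; then
        echo "fail: user.pem does not chain to ca.pem"; return 1
    fi
    cert_mod=$(openssl x509 -noout -modulus -in "$1/user.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$1/user.prv" 2>/dev/null)
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "fail: user.prv does not match user.pem"; return 1
    fi
    echo ok
}

# End-to-end run in a scratch directory: build the fake export, convert it, check it.
eap_tls_pem_demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    p12_to_pem "$work/client.p12" exportpw "$work"
    result=$(check_pem_set "$work")
    rm -rf "$work"
    echo "$result"
}
eap_tls_pem_demo
```

On a real client skip make_test_pki, run p12_to_pem against the bundle exported from the pfSense cert manager, and only copy the files into /etc/cert/ once check_pem_set prints ok. The key is written unencrypted here (hence the chmod 600); if you keep it encrypted instead, drop -nodes and the openssl rsa re-encode and set private_key_passwd= to the passphrase.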
Disable Weaker EAP Types
If you disable "Weak EAP types" then you disable MD5, GTC and LEAP. Then there should only be three strong types available:
- EAP-TLS, which is very secure and the strongest encryption
- EAP-TTLS
- Protected EAP (PEAP)
EAP-TTLS and PEAP could be classified as secure, too, but less than EAP-TLS.
Because all three types are secure types, I didn't implement any option in the GUI to disable them. If you would like to disable these, just go to
/usr/local/etc/raddb/eap.conf
and delete/comment the TTLS and PEAP blocks and restart freeradius.
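Added example, not from the page, the forum post above or the FreeRADIUS package: a shell script that lists which EAP methods an eap.conf actually enables and flags the weak ones (MD5, LEAP and GTC as outer methods, plus a weak default_eap_type inside the tunnelled methods), so an edit to /usr/local/etc/raddb/eap.conf can be checked rather than assumed. It parses a constructed FreeRADIUS 2.x-style eap.conf that the script writes itself; block names and the default_eap_type syntax follow the FreeRADIUS 2.x format, and commented-out blocks are ignored.

```shell
#!/bin/sh
# Added example (not from the page or the FreeRADIUS package): report which EAP methods an
# eap.conf enables and flag the weak ones, so an edit to /usr/local/etc/raddb/eap.conf can be verified.
set -eu

# Walk the brace-delimited FreeRADIUS config. A block directly inside "eap { }" is an outer EAP
# method; "default_eap_type = X" is reported together with the block it sits in.
eap_conf_audit() {   # $1 = path to eap.conf; prints "method NAME" and "default BLOCK TYPE" lines
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { depth = 0 }
    {
        line = $0
        sub(/#.*/, "", line)                   # strip comments, so commented-out blocks disappear
        t = trim(line)
        if (t == "") next
        if (t ~ /^[A-Za-z0-9_]+[ \t]*[{]$/) {  # "name {" opens a block
            name = t; sub(/[ \t]*[{]$/, "", name)
            block[depth] = name
            if (depth == 1) print "method " name
            depth++
            next
        }
        if (t ~ /^default_eap_type[ \t]*=/) {
            val = t; sub(/^default_eap_type[ \t]*=[ \t]*/, "", val)
            print "default " block[depth - 1] " " val
        }
        # "}" closes a block; ${var} references contain one of each brace and cancel out
        depth += gsub(/[{]/, "{", t) - gsub(/[}]/, "}", t)
    }' "$1"
}

# Weak as an outer method: MD5, LEAP, GTC (what the package's "Weak EAP types" switch removes).
# Weak as a tunnelled default: MD5 and LEAP; GTC inside a PEAP/TTLS tunnel is covered by the TLS layer.
weak_eap_findings() {   # $1 = path to eap.conf; one finding per line, nothing if clean
    eap_conf_audit "$1" | awk '
        $1 == "method"  && ($2 == "md5" || $2 == "leap" || $2 == "gtc") { print "weak outer EAP method enabled: " $2 }
        $1 == "default" && ($3 == "md5" || $3 == "leap")                { print "weak default_eap_type in " $2 " block: " $3 }'
}

# Constructed sample in FreeRADIUS 2.x syntax (not a real install's file): md5 commented out,
# leap and gtc still enabled, and TTLS defaulting to md5 inside the tunnel.
write_sample_eap_conf() {   # $1 = output path
    cat > "$1" <<'EOF'
eap {
    default_eap_type = md5
    timer_expire = 60
    #md5 {
    #}
    leap {
    }
    gtc {
        auth = PAP
    }
    tls {
        certdir = ${confdir}/certs
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${certdir}/ca.pem
    }
    ttls {
        default_eap_type = md5
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
EOF
}

# Demo on the constructed file; on pfSense run: weak_eap_findings /usr/local/etc/raddb/eap.conf
tmp=$(mktemp -d)
write_sample_eap_conf "$tmp/eap.conf"
weak_eap_findings "$tmp/eap.conf"
rm -rf "$tmp"
```

Run it again after commenting blocks out and restarting freeradius; an empty report means only TLS, TTLS and PEAP are left as outer methods with non-MD5 inner defaults.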
EAP/WPA2/ETC
LEAP
Proprietary Cisco method. Native support in Windows: no; third-party/Cisco clients: yes. Widely adopted, so lots of equipment supports it. It runs a modified MS-CHAP exchange, which is weak to begin with: the challenge/response can be sniffed off the air and cracked offline with a dictionary attack (tool: asleap). Recommend only using it if you have to, and then only with really long passwords, since a captured exchange can always be attacked offline.
EAP-TLS
Highly touted TLS with client and server certificates (PKI). The overhead is administrative rather than cryptographic: every client needs its own certificate and private key, so you need a CA plus enrolment and revocation. It was the original wireless EAP method (RFC 2716, now RFC 5216), so it is natively supported by the majority of OSs. What gets distributed to the client is the certificate together with its private key (typically a .p12); the private key is the actual secret, so protect the bundle, or better, generate the key on the device and only hand the CA a CSR.
EAP-MD5
Plain MD5 challenge/response hashes. Does not authenticate the EAP server (vulnerable to man-in-the-middle, and a captured exchange can be dictionary-attacked offline) and derives no keying material, so it cannot produce the PMK that WPA/WPA2 needs. Works in Windows 2000; deprecated in Vista.
EAP-TTLS
Extends TLS. No native Windows support before Windows 8 (third-party supplicant needed on XP/7). Can use a CA/PKI for clients but does not require it: the server authenticates to the client with its certificate, the client optionally with its own, and the client then authenticates inside the TLS tunnel with an inner method (PAP, CHAP, MS-CHAPv2 or another EAP type). With an anonymous outer identity, not even the username goes over the air in cleartext. EAP-TTLSv0 is RFC 5281; EAP-TTLSv1 only exists as a draft. Caveat: the security rests on the client validating the server certificate; a supplicant with no CA configured hands the inner credentials to any rogue AP.
EAP-IKEv2
Based on Internet Key Exchange v2 (RFC 5106). Each side can authenticate with asymmetric key pairs, passwords, or symmetric keys, mixed as needed (e.g. server by certificate, client by password).
EAP-FAST
Cisco's successor to LEAP. Server certificates are optional. The TLS tunnel is set up with a PAC (Protected Access Credential), a per-user shared secret rather than a client certificate; PACs can also be issued to devices. PAC provisioning can be automatic and in-band; when that is done anonymously (no server certificate), an attacker who spoofs the AP/server can intercept the provisioning and capture the inner credentials (cleartext or MS-CHAPv2) to crack offline, and a PAC file copied off a client can be reused. Windows Vista and up with the Cisco module. Without a PAC file it falls back to a server-certificate TLS handshake.
EAP-SIM
For GSM networks (SIM triplet authentication). http://tools.ietf.org/html/rfc4186
EAP-AKA/EAP-AKA'
UMTS/3GPP USIM authentication (EAP-AKA is RFC 4187, EAP-AKA' is RFC 5448).
EAP-GTC
Generic Token Card. Cisco's alternative to PEAPv0/EAP-MSCHAPv2 as the inner method (PEAPv1/EAP-GTC). Allows generic authentication against a number of backends (NDS, LDAP, one-time-password tokens) because the client just sends its credential as text. GTC itself gives that credential no protection, so only use it inside a PEAP/TTLS tunnel, never as an outer method.
EAP-EKE
Encrypted Key Exchange (RFC 6124): password-authenticated key agreement on a Diffie-Hellman variant. No PKI, and the exchange resists offline dictionary attacks, which is why short passwords are tolerable here.
Encapsulation
EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.
IEEE 802.1X
"EAP over LANs" or EAPOL. When EAP is invoked by an 802.1X-enabled Network Access Server (NAS) such as an IEEE 802.11i-2004 wireless access point, modern EAP methods provide a mutually authenticated exchange and derive a Pairwise Master Key (PMK) shared by the client and NAS; the WPA/WPA2 4-way handshake then derives the session keys from the PMK for TKIP or CCMP (AES-based) encryption.
PEAP
Protected EAP, or simply PEAP, encapsulates EAP within an authenticated and encrypted Transport Layer Security (TLS) tunnel set up with the server's certificate. Developed by Cisco, Microsoft and RSA. PEAPv0, v1 and v2: the protocol only specifies chaining multiple EAP mechanisms and not any specific inner method; PEAPv0/EAP-MSCHAPv2 and PEAPv1/EAP-GTC are the most commonly supported combinations.
PANA
Protocol for Carrying Authentication for Network Access - PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.
Notes
Install
http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46
- Installer Mode
- Quick Install
- Command line configure LAN/WAN
- System->Firmware->Autoupdater Settings->Choose Default Autoupdater URLs
- Install Unbound and configure it for DNSSEC after disabling the standard DNS Forwarder
- Make sure the DHCP server on the LAN interface hands out the LAN IP as the DNS server
- Enable NTP Server
Install BSD Applications
setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/Latest/
pkg_add -r whatever
(setenv is tcsh syntax; from sh use export PACKAGESITE=... instead.)
Custom Build
I would like to build a pfSense install with the right kernel modules for VGA so I can have a graphical log viewer/monitor on the laptop that I use. I would also like to virtualize pfSense and SoleraOS, or find something that does the same thing: one machine, a firewall and monitoring solution in one.
This guide allows one to build their own ISO image to install on a system (one of the VGA modules has to be compiled into the kernel):
http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso
Laptop Lid Fix
I have not tried this, but this forum post outlines one member's method of disabling the laptop lid switch:
ACPI Disable
Add to /boot/device.hints:
hint.acpi.0.disabled="1"
/boot/device.hints is replaced on every upgrade, so this has to be redone each time; the same line in /boot/loader.conf.local survives upgrades. Note this turns off ACPI altogether (power management, thermal handling and often device enumeration), not just the lid switch.
Dual Port EC2000S Expresscard NIC
I still have to try some of this stuff.
DNS
U620L Verizon
curl -O http://pkg.freebsd.org/freebsd:10:x86:64/quarterly/All/usb_modeswitch-2.2.5.txz
pkg add ./usb_modeswitch-2.2.5.txz
(pkg add installs a downloaded package file; pkg install only looks in configured repositories, which a stock pfSense does not have.)
cd /etc/rc.d
nano lte.sh
#!/bin/sh
# Switch the U620L from its default USB configuration to the one that exposes the modem.
# -v/-p: USB vendor/product id (0x1410 = Novatel Wireless); -u 4: select USB configuration 4.
# The switch is issued twice because the first attempt does not always take.
sleep 15
/usr/local/sbin/usb_modeswitch -v 0x1410 -p 0x9020 -u 4
sleep 5
/usr/local/sbin/usb_modeswitch -v 0x1410 -p 0x9020 -u 4
sleep 60
chmod +x lte.sh
Then Early Shell CMD:
/etc/rc.d/lte.sh
Reset Script
usbconfig -d ugen1.4 power_off
wait
usbconfig -d ugen1.4 power_on
/etc/rc.d/lte.sh
/usr/local/sbin/pfSctl -c 'interface newip ue0'
Notes
wait
usbconfig -d ugen1.4 suspend
wait
usbconfig -d ugen1.4 resume
Script
#!/bin/tcsh
# Watchdog loop: reset the USB modem and reload the pfSense interface whenever ppp0 has no
# address or does not answer a ping. The original jumped to a "waitup" label that did not exist
# (tcsh aborts with "label not found"); it is defined below.
# Both reload branches should name the same pfSense interface; the original used WANVZ and opt4.
start:
set ifaddress = `ifconfig ppp0 | grep "inet " | cut -d ' ' -f 2`
echo $ifaddress
if ( "$ifaddress" == "" ) then
    echo "Interface does not have address"
    echo "Resetting"
    usbconfig -d ugen1.3 reset
    echo "Sleeping"
    sleep 20
    /usr/local/sbin/pfSctl -c 'interface reload WANVZ'
    goto waitdown
else
    echo "Interface address: $ifaddress"
endif
ping -c 1 $ifaddress
if ( $? == 0 ) then
    echo "Interface is up!"
    goto waitup
else
    echo "Interface is down, Resetting"
    usbconfig -d ugen1.3 reset
    echo "Sleeping"
    sleep 20
    /usr/local/sbin/pfSctl -c 'interface reload opt4'
    goto waitdown
endif
waitup:
echo "up, sleeping 30 then re-check"
sleep 30
goto start
waitdown:
echo "sleeping 30 then check if up"
sleep 30
goto start
exit
Trim (Do not know if it works)
Enable ahci!
This can now be set manually after the install on 2.1.
touch /root/TRIM_set; /etc/rc.reboot
to remove
touch /root/TRIM_unset; /etc/rc.reboot
Still might be nice to eventually have it in the installer.
Check (look for "trim: (-t) enabled" in the output):
tunefs -p /
Notes
- http://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots
- https://docs.google.com/document/d/1UDg8Rt5wN_pGoepJyKTlAAnQdJgAsNXSrX3vkQu15DE/edit?pli=1
- https://docs.google.com/document/d/1vFa4jCAwEMscJnJLEBZ2wshAwk-JqYh1wv5K1Cjoo5A/edit
- http://www.smallnetbuilder.com/wireless/wireless-howto/30213-how-to-setting-up-freeradius-for-wpa-a-wpa2-enterprise-part-2