
Fabio Fraga Lameu / fragalameu@gmail.com / 19-983494548 / 379.564.448-88

pfSense: Integrated Firewall, VPN and Proxy

Course: 4517
Version 3.0


It Experience


Introduction to pfSense
Lesson Objectives

Give an introduction to pfSense;
Install pfSense;
Configure the basic settings menu;
Configure the advanced settings menu.


Introduction to pfSense
pfSense was developed by Chris Buechler and Scott Ullrich in 2004.
It was based on the M0n0wall firewall, and its main motivation was that
the M0n0wall project was a closed appliance, that is, it could not be
customized and its updates were slower.

pfSense, on the other hand, is based on FreeBSD, so any FreeBSD package
works on it; only a graphical interface has to be created for the package.
The intent, however, is that using the text interface should not be necessary.


Downloading pfSense
To download pfSense, go to the URL:

https://www.pfsense.org/download/
We can choose the options Install, AMD64 and CD Image (ISO):


Installing pfSense
With the ISO on the machine, we will:

Open VirtualBox.

Start the Firewall Filial machine.

Attach the image for boot and then install pfSense.

These steps are shown in the next slides.



Installing pfSense

If the countdown starts at 9, there is bootable media present; if it shows
3 seconds, only the hard disk is available for boot.

This screen shows the installation modes. There is the recovery mode, R,
for when the already installed system is damaged, and the installation
mode, I, which installs the system on the machine.


Installing pfSense
Since we are in a simple environment, we will perform the default
installation, but a custom installation is recommended so that, above all,
the disk partitioning is correct.


Installing pfSense
We will install the default kernel, since we are on a virtual machine.
The second option is used only when the hardware has no VGA port.


Installing pfSense
Now that the installation is finished, we need to remove the image.
To do so, go to Settings > Storage.


Installing pfSense
Now we can start pfSense normally. When the boot finishes, we land on
the menu below:

By default, pfSense obtains the WAN IP address via DHCP and uses
192.168.1.1 on the LAN.
So the LAN interface, which comes with this default IP, has to be configured.

The previous menu has very relevant items, such as:

Interface recognition;
IP address configuration;
Password reset;
Shutting down or rebooting pfSense;
Rolling back a configuration change and restoring factory defaults.

Configure the LAN interface so that we can access its web interface.
To do so, use the option Set Interfaces IP Address (2).


Accessing pfSense
With this configuration we can proceed to access the firewall. To do so,
log in to the Desktop Filial machine with the following credentials:
User: suporte
Password: 4linux

Open a browser and go to:

http://172.21.31.1

Use the credentials:
User: admin
Password: pfsense


Basic Settings
On the first login a Wizard appears, which is a kind of initial
configuration assistant. We will skip it.

Several services in pfSense have a Wizard, which makes it easier to
configure services on the firewall, such as QoS and VPN, but every
setting can also be made manually.

Now that we are on the initial pfSense Dashboard, we can see some
system information and status. Before configuring anything else, we will go
to System > General Setup and make the firewall's basic settings.


Basic Settings
1. Configuring the System > General Setup menu:

Hostname and domain configuration:

DNS name resolution configuration:

We can use a DNS server for specific gateways.

The DNS Server Override option allows, in cases where we have an
interface configured with DHCP or PPP, the configured DNS server
to be the machine's default. The Disable DNS Forwarder option
disables the default DNS lookup done by pfSense, which is the service
configured by default.


Basic Settings
3. Localization settings:

Note: The language was not changed, because there are some bugs in the
translation that can show up in various settings.


Basic Settings
4. Dashboard configuration:

The options above enable all possible settings, even if they are
not available.

Editing the Dashboard
We can save the settings and go back to the Dashboard, then
click the + at the end of the Available Widget tab:

We will add the widgets Gateways, Interface Statistics,
Service Status and Traffic Graphs.


Editing the Dashboard

The Dashboard can be customized to your needs, giving quick access to the
information your environment requires.

Advanced Settings
Another screen with very important settings in pfSense is
System > Advanced, which holds the settings for web, terminal and remote
access, as well as how packets are handled, kernel variables,
connection timeouts and various other customizations.


Advanced Settings
1. Web GUI settings:

Note: we can change the default port of the web interface and remove
the port redirect rule, in which case you must know the interface's
port in order to connect.


Advanced Settings

Note: Leaving autocomplete enabled on the login is not a good idea. The
Anti-lockout rule is what ensures we can always reach pfSense
through the LAN interface.


Advanced Settings

Configuring SSH:


Advanced Settings
3. Restricting access to the pfSense terminal:

Note: The pfSense physical terminal offers the range of tools
described earlier, but it has no authentication by default,
meaning anyone present at the physical terminal can perform
those actions.
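
An added example, not part of the course material or of pfSense itself: a small audit of a pfSense configuration export for the System > Advanced items discussed in these slides (web GUI protocol, login autocomplete, anti-lockout rule, console password protection, SSH). The sample XML is constructed, and the element names (`webgui/protocol`, `loginautocomplete`, `noantilockout`, `disableconsolemenu`, `ssh/enable`, `sshdkeyonly`) are assumptions modeled on typical config.xml exports; confirm them against an export from your own version.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not from the course). Element names are
# assumptions modeled on typical pfSense config.xml files.
WEAK_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw-filial</hostname>
    <webgui>
      <protocol>http</protocol>
      <loginautocomplete></loginautocomplete>
      <noantilockout></noantilockout>
    </webgui>
    <ssh>
      <enable>enabled</enable>
    </ssh>
  </system>
</pfsense>
"""

# The same firewall after hardening (also constructed).
HARDENED_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw-filial</hostname>
    <webgui>
      <protocol>https</protocol>
    </webgui>
    <disableconsolemenu></disableconsolemenu>
    <ssh>
      <enable>enabled</enable>
      <sshdkeyonly>enabled</sshdkeyonly>
    </ssh>
  </system>
</pfsense>
"""


def _is_set(parent, tag):
    """Flag-style options are 'on' when the element exists, even if empty."""
    return parent is not None and parent.find(tag) is not None


def audit_config(xml_text):
    """Return (check_id, message) tuples for risky System > Advanced settings."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    if system is None:
        raise ValueError("no <system> section: not a pfSense-style export")
    webgui = system.find("webgui")
    ssh = system.find("ssh")
    findings = []

    # Web GUI served over plain HTTP: the admin password crosses the LAN in clear text.
    protocol = webgui.findtext("protocol", "") if webgui is not None else ""
    if protocol.strip().lower() != "https":
        findings.append(("webgui-not-https",
                         "Web GUI is not served over HTTPS"))

    # Browser autocomplete on the login form keeps credentials on admin desktops.
    if _is_set(webgui, "loginautocomplete"):
        findings.append(("login-autocomplete",
                         "Login form allows browser autocomplete"))

    # Without the anti-lockout rule, LAN access to the GUI depends on explicit rules.
    if _is_set(webgui, "noantilockout"):
        findings.append(("anti-lockout-disabled",
                         "Anti-lockout rule is disabled; verify an explicit management rule"))

    # The console menu has no authentication unless password protection is on.
    if not _is_set(system, "disableconsolemenu"):
        findings.append(("console-unprotected",
                         "Physical console menu is not password protected"))

    # SSH enabled with password logins still allowed.
    ssh_on = ssh is not None and (ssh.findtext("enable") or "").strip() != ""
    if ssh_on and not _is_set(ssh, "sshdkeyonly"):
        findings.append(("ssh-password-login",
                         "SSH is enabled and not restricted to key-based login"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"[{name}] {len(results)} finding(s)")
        for check_id, message in results:
            print(f"  {check_id}: {message}")
```
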

Advanced Settings
When you save the settings, a red icon appears in the left corner.
Clicking it shows notices saying that the SSH key has been
created.


Advanced Settings
The Firewall and NAT tab has options for packet compatibility and for
handling connections, VPN and TCP flag negotiation, as well as the
default NAT configuration for both inbound and outbound traffic.
The Networking tab has IP protocol options and interface settings.
There we will check the option to ignore ARP messages, because they
cause problems when there are two IP addresses in the same network on
the same interface, as is the case with high availability.


Advanced Settings
The Miscellaneous tab has settings for proxy, load balancing and
default link switching, as well as power saving, cryptography and
connection handling.
In this menu it is also possible to configure the RAM disk, which makes
the system faster; however, if the firewall is shut down abruptly, the
most recent logs will not have been saved.
Under System Tunables it is possible to change default kernel variables,
which is common in medium and large networks, since pfSense limits
connection values as a protection.


Advanced Settings
Under Notifications it is possible to add php-growl and e-mail delivery,
where we can configure an account for sending e-mail.

4. Configuring e-mail delivery:


Advanced Settings
Save the settings and click the Test SMTP Settings button:

Disabling the startup sound:

This configuration can be used to send statistics through the
mail report package.


Introduction to pfSense

Recap

In this lesson we saw:

An introduction to pfSense;
Installing pfSense;
Configuring the basic settings menu;
Configuring the advanced settings menu.
