24 Jul

Safeguarding Family Internet – Firewalls

Yep.  Jack Bauer uses them all the time.  Every movie, TV show, novel, and newspaper article talks about them.  Apparently, they exist as some magical device that at one time both renders a “server” impenetrable and throws open secret files to terrorists.  Depending on the character in our little drama, there seems to always hide some trick or pathway around this “firewall” thing, and the description usually relies on pseudo-technical jargon to explain it away.

By the way, this is article #2 – Check out the first post in the series to get some background.

“I’ll just use the subnet and reconfigure the port server to back-door the web client terminal.”

In case you don’t know, the statement above doesn’t make any sense.  It’s mostly just random words…like a lot of Hollywood dialogue.  Here, I can do it too:  “Simply constitution the document and declare the bill of rights Hancock independent.”  I’ll let you in on a little secret–firewalling and networking comes in with about the same “mysterious” quotient as plumbing with a little understanding.  And yet that won’t let a person run into a hardware store without some knowledge of the terms.  Elbow, Wye, Street-Ell, and so on all possess specific meanings in plumbing, and are necessary unless you want to end up like this.

So, let’s talk about what a firewall is, and most importantly, what they can and cannot do.

  • They CAN help secure a network against intrusion
    • A good firewall goes far in protecting the edge or border of a network
    • Careful configuration remains key
  • They CAN’T read your mind
    • A firewall will follow the rules actually set by the administrator
    • Poor configuration brings disaster

A lot of firewall mis-configurations stem from the classic differences of the words “accurate” and “precise”.  To say that I live “over a mile away” from Paris, France is completely accurate, but it is hardly precise.  On the other hand, to say that I live exactly “twenty-two billion three hundred sixty-two point four five six miles” is terribly precise (down to three decimal places), but also not accurate (in fact, it’s totally wrong).

For instance, if you created an amusement park ride that causes enough thrills to warrant an age restriction, you would likely place a sign at the gate.  However, this amusement park lives on a little world I like to call “Literal World,” where they only do EXACTLY what the sign says.  Now, here on Literal World, what if the sign contained “mis-configured” rules?  So, a sign that says “No Eleven Year Old Children” only filters out potential riders that are exactly eleven years old.  Not the desired results, any ten-year-olds or even two-year-old toddlers can walk right through.  So you change the sign to say “No Children Below Eleven.”  Great, but “eleven” what?  Eleven in number?  In Height?  It may sound silly, but on Literal World that rule would not apply to anyone because it did not contain enough qualifying information, so everyone would walk through.  So, changing the sign again will help but still not get us all the way there – “No Children Below Age Eleven.”  Now we filter adequately anyone who is zero, one, two, and so forth all the way up to age ten.  But if we wanted the eleven-year-olds to stop, then we failed–because the rule did not include them.  The rule said “below” eleven.

OK, so you give up and just put out a rule that should stop them all, right?  “No Children Allowed”.  Well…remember, this is Literal World.  Now there are NO riders (unless Adam and Eve are visiting the park that day).  After all, all of us have parents of some sort.

Firewalls are just like that.  Extremely powerful and configurable, but also just as easy to mess up with the best intentions.

Rethinking

I believe am moving to a slightly simpler configuration for the home network than my original drawing.  A few new options came to light in my research, and it is always good to limit complexity where possible.  I won’t bother redrawing the diagram yet–still have a few questions–but the DansGuarding and FreeNAS box will likely combine to a single ClearOS server.  But for now, let me focus on the border firewall, which will still be PFSense.

However, turns out that I can do it without putting out much in the way of cash.  Mainly because I’ve had this guy sitting around my basement for the last 10 years.

This is an old WatchGuard Firebox II, which wasn’t a bad firewall in it’s day.  Just a little hokey to configure (required a Windows client to manage).  It was also an odd height, like 2 1/2 spaces, which messed up many a neat-freak’s rack.  However, on the inside is just a simple Socket 7 motherboard.  It is essentially a computer board with some extra network ports built in.

From Craigslist

Ok, so let me back up a bit.  I am not recommending that anyone specifically go this route.  This is a bit more complex than buying an old PC from craigslist and installing PFSense on it.  I’ll cover that specifically right now.  It is essentially the same process as this one for Smoothwall, which is an alternative to PFSense.  The steps are fairly simple:

  1. Get a working computer together.  I suggest craigslist.
    • Don’t worry about a monitor or keyboard, you can use ones you already.  Monitor and keyboard will only be needed during the initial setup.
    • Remember, this isn’t a program we are installing here–this will WIPE OUT anything that is currently on the PC and it will not be usable for anything else but serving the purpose of firewall.  This is NOT something you do to your ONLY computer.  You have been warned! :)
    • Get a computer only a few years old–a PC capable of running Windows XP or Vista will work fine.  No truly old 486s or anything like that.  No Macs, unless they are Intel based, and if you have one of those extra, sell it and buy several old PCs. :)  They are worth money to people.
  2. Download the current version of PFSense.
    • Click on the mirrors link under the New Install section.
    • Pick a location close by, but don’t stress, it probably won’t matter much–just download time.  They are all the same (hence the name “mirror”)
    • Just use the 32-bit ISO version.  Even if you are sure you have a 64-bit system, the 32-bit code is more mature right now and likely more stable.
    • The file name at the time of this writing was pfSense-2.0.1-RELEASE-i386.iso.gz (see picture below)
    • If you feel confident in your ability to do so, the Memory Stick version will save you some time over burning a CD-ROM.
  3. Burn the image to CD-ROM
    • The file may be archived and require extraction.  Download and install the free 7Zip if you do not already have a tool for this.
    • Most computers with a disc burner will have a tool already installed for burning an ISO image.  Right click on the extracted file and move to the Open with | Windows Disc Image Burner option.
    • Load the disc into The Computer That Shall Become a Firewall(tm) and turn on the power.
  4. Install the system
    • Follow any number of the already created guides to install your PFSense appliance.
    • Use these screenshots to walk through.  These are somewhat dated, but you should get the idea.
    • Basically-let it do whatever it wants.  Probably no reason to go with anything but the defaults.

The configuration from this point must wait for another article.

On a Firebox II

So, I’m a nerd.  I’ve been called worse.  But this old firewall is calling my name, it has winky-lights in the front panel that I hope to get working again.

After some research, I ran across a great post on the DD-WRT site that detailed my upgrade path fairly well.  DD-WRT is yet another firewall alternative–and I may check it out more carefully some day.  For now, though, I am thankful for the great reference material.

The first thing I noticed about the old box is that the fans are worn out.  One won’t move and the other chatters like an insane jackhammer.

As you can see I’ll need to either match the fan or do some metal working.  A little quality time with Google and I found my fan.  Now, these are five volt fans, which is a touch odd in the world of computers.  Most use twelve volts.  Several of those who went before me just used a twelve volt fan, however.  It will turn slower and therefore move less air, but it will be a LOT quieter.  I don’t think the cooling will be an issue anyway.  The critical spec here is 52mm x 52mm x 15.5mm.

So, looks like replacing the fans will cost about $12.00 for direct replacements from RS Electronics.  I think I’ll pick the higher RPM version since noise shouldn’t be an issue in my wiring closet.  If this were going in a more populated area, I’d probably go for a lower RPM fan or the higher voltage units.

Secondly, the processor is a piddley little 200Mhz Pentium.

Which comes from a Socket 7 CPU socket and turns out is upgradeable by moving a few jumpers.  Apparently I can upgrade up to a 400Mhz processor.  Here is the jumper map from the DD-WRT forum.

So, an old K6-2 400MHz chip is about $10.00 on ebay.  Seems like it would be worth it for high-usage periods.  The author had this to say:

I was able to install an AMD K-6 2 300MHz in the router, and it actually runs cooler than the Pentium 200 that was originally installed. The main difference I see is when downloading torrents. The GUI no longer slows down while doing so and browsing web pages no longer shows any delays. Again, this is only when doing torrents, other than that and a somewhat-faster bootup, I can’t see any other difference.

In our house, the firewall needs to handle a bunch of streaming school videos, so the horsepower will likely come in handy.

The final upgrade will be the RAM.

Standard PC66/100 RAM from the olden days.  Costs about $5.00 on ebay.  Apparently there is a limit of 256MB, so it might be safer to get two 128MB sticks–it sure seems like I ought to have some of that laying around here somewhere.  The firewall has two RAM slots.

At the end of all that, I should have a pretty capable little box.  I will not rely on it for serious filtering or outgoing rules.  This firewall will simply be providing the hard crunchy outside.  On the inside it will only enforce that traffic must come from the ClearOS box, which will proxy all the rest.  So, the firebox will allow no traffic in and only allow traffic out that originates from the ClearOS server.

Modifications

There are few optional things I could do to this firewall, such as add a video card and a PS/2 keyboard port, but I believe that unnecessary.  I will monitor the box from the serial port if needed.  But there is one addition that must be completed before I can move forward.  I must add boot media large enough to host the PFSense image.  Fortunately for me, WatchGuard added an IDE pin header on the edge of the motherboard.  Now, I could use a small laptop hard drive (2.5″) but that will just add moving parts.  So, I’m going to use a CF media card and an IDE-to-CF adapter.

When I first drew my diagram for the previous article, I thought I would have a stand-alone PFSense box built from a rack-mount case…well…a DIFFERENT stand-alone box in a different case, but anyway… I purchased a 5.25 /3.5″ drive CF Card module for that purpose.

Turns out that with the removal of four small screws, I can have just the circuit board itself free and clear.  Pop in a 4GB card and I’m ready.

There’s just enough room for this guy to sit above the power supply with some double-sided foam tape.  This location also happens to be right by the IDE header on the motherboard.  Trying add stand-offs or something more permanent seems like wasted effort in this case.  It won’t be moving around, unless there’s an earthquake.

Now we get to brass tacks.  The only thing I simply MUST buy to test out this software–a short IDE44 cable.  I have plenty of 40 pin cables, but this is different.  These are smaller and have the four power wires built in to bring the total up to 44 pins.  I will probably need about six to ten inches of cable total because it is off-set slightly.

All the other upgrades will wait until I can prove my concept–this one thing can’t.  I found a lot of three cables on ebay for $10.00, which will give me a spares in case the first fails.

When the cable arrives, I will post part two of this rebuild and we can move forward with configuring the firewalls.

One thought on “Safeguarding Family Internet – Firewalls

  1. Update: Snagged a 44 cable from ebay for $2.79 free shipping. Since it is coming from Hong Kong, it will take about seven days to get here, but that’s no big deal.

Comments are closed.

%d bloggers like this: