Building a personal firewall
It is becoming more and more important to maintain our digital security. In a world where most people gladly give away their personal information for free via Facebook or Google, it is hard to find many improvements in digital security worldwide. There are efforts such as Let's Encrypt to secure at least the web. The problem is not the web itself, but rather people choosing weak passwords and no longer caring about their digital security. Everybody is getting used to the fact that "everything is on the web". We use cloud synchronization services (OneDrive, Google Drive, Dropbox ...) and hardly ever create anything like a backup. There are threats, such as the recently discovered WPA2 vulnerability, which cannot be fixed immediately simply because the protocol is already in use on millions of devices all over the world, and because there is nothing substantially better to replace it with (probably only 802.1X with RADIUS-based client authentication). Nevertheless, I am not a security expert. I just want to keep my files secure.
If you look at the various products and firewalls, you will find that it is not exactly cheap to add a device such as a firewall to your network (one of the cheapest is probably the Ubiquiti USG). I always hated firewalls when I was young. The reason was simple: I had trouble playing network games with my friends from time to time. Players were not visible on the network and it usually took quite a while to figure out who was using the bloody firewall. Nowadays, I would say firewalls have smartened up and gained functionality (just as I have gained more important things to do), while their purpose remains the same: block unwanted network connections. This comes in quite handy especially when I read that some ransomware tries to contact specific addresses before locking up your entire computer.
I will not claim that setting up a personal firewall is an easy task for everybody, but surely everybody with at least some network and PC knowledge is capable of configuring one. I decided to build my own firewall for two reasons. First, I wanted the firewall to be a fully customizable, multi-purpose component: a machine that can also host another OS or server. That comes in handy if, for example, you are about to build your own personal cloud with Seafile or OwnCloud or whatever. Given that requirement, there is nothing on the market except a computer running a custom OS with a virtual machine on top, which will likely be some kind of firewall/NAT solution. Second, because I have the PC (server) right under my bed, it had to be completely quiet: a small PC with silent components, passive cooling and an SSD. With those requirements, you can find plenty of such devices on the market. At the time I went for the ZOTAC NANO CI323, a small metal box with PC components and two gigabit Ethernet ports. What is really great from the perspective of the monthly electricity bill is that it consumes at most 20 W at full load and about 10 W on average, which is almost nothing compared to a standard PC. Of course, when building a firewall, multiple network interfaces are a must. I can also assure you that every modern processor handles this kind of connectivity with ease: the CPU went to about 10% at full utilization of our Internet downlink (20 Mbit/s). Please note that this is just an estimate, as I have had no time to test CPU usage properly so far, but again, I can guarantee that any CPU above 400 MHz will do just fine.
As for the firewall itself: at first I had the idea of running something like VMware vSphere, which is free to use in its basic form. The idea was that I could install several operating systems simultaneously on the same computer (firewall, mail server, OwnCloud ...). The problem with vSphere was (or is; please check the current release notes) that it runs on its own Linux-like kernel, and Linux had no graphics drivers for the Intel Cherry Trail platform (nor for Bay Trail). You can find plenty of hate against Linux regarding these platforms. The setup always got stuck at some intro install screen, and unless you love to configure everything from the command line, this is not a good way to go. Another option was to install Windows Server. I tried Hyper-V Server, which is free as well (I wonder how that is possible, but it really is). Nevertheless that system has no GUI either, so I angrily formatted the drive and installed the standard edition of Windows, which is likely the only choice on this platform. So far everything works as expected, and the only drawback is the somewhat slower performance of the virtual systems running under Windows.
Once we have a base platform, we can create a new virtual machine on Windows, set up the virtual switches on the hypervisor and install the firewall itself. Important note here: make sure that Windows (the host OS for the virtual firewall) has no access to the WAN network, and that the whole WAN adapter is mapped to the virtual firewall through a virtual switch of its own. Check that the LAN port of the computer is the one shared with the host OS (Windows); otherwise the firewall will be up and running, but Windows will have no Internet access, which is usually not what you want. There are several firewall operating systems to choose from; here is just a quick list for consideration:
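As an added example (not part of the original post), here is how that split looks when done with the Hyper-V PowerShell module on the Windows host instead of the Hyper-V Manager GUI. The physical adapter names "Ethernet" and "Ethernet 2", the VM name, the ISO and VHDX paths and the memory/disk sizes are assumptions; replace them with your own. The point of the script is the two switches: the WAN switch is created with `-AllowManagementOS $false`, so Windows never gets a vEthernet interface on the untrusted side, while the LAN switch keeps one so the host goes out through the firewall like any other client.

```powershell
# Added example: dedicate one physical NIC to the pfSense VM as WAN (the host gets
# no vEthernet adapter on it) and share the other with the host as LAN.
# Adapter names, VM name, paths and sizes are assumptions for illustration.
#Requires -RunAsAdministrator
$WanNic  = 'Ethernet'       # physical port facing the modem/ISP (assumed name)
$LanNic  = 'Ethernet 2'     # physical port facing the home switch (assumed name)
$VmName  = 'pfsense'
$IsoPath = 'C:\ISO\pfSense.iso'      # assumed location of the installer ISO
$VhdPath = 'C:\VMs\pfsense.vhdx'     # assumed location for the VM disk

# WAN switch: -AllowManagementOS $false means Windows itself never gets an
# interface on the untrusted side; only VMs attached to this switch can reach it.
New-VMSwitch -Name 'WAN' -NetAdapterName $WanNic -AllowManagementOS $false | Out-Null

# LAN switch: the host keeps a "vEthernet (LAN)" adapter, so Windows reaches
# the Internet through the firewall like any other LAN client.
New-VMSwitch -Name 'LAN' -NetAdapterName $LanNic -AllowManagementOS $true | Out-Null

# Create the VM with its first adapter on WAN, then add a second one on LAN.
New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 1GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 8GB -SwitchName 'WAN' | Out-Null
Add-VMNetworkAdapter -VMName $VmName -SwitchName 'LAN'
Set-VMProcessor -VMName $VmName -Count 2
Add-VMDvdDrive -VMName $VmName -Path $IsoPath

# Verification: the host must have no adapter on the WAN switch, and the VM
# must be attached to both switches. The MAC addresses printed here are what
# you will see during pfSense's interface assignment.
Get-VMSwitch | Select-Object Name, AllowManagementOS, NetAdapterInterfaceDescription
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, SwitchName, MacAddress
if (Get-NetAdapter -Name 'vEthernet (WAN)' -ErrorAction SilentlyContinue) {
    throw 'The host has an adapter on the WAN switch; it must not.'
}

Start-VM -Name $VmName
```

Run it once from an elevated PowerShell on the host. If the last check throws, the WAN switch was created with management OS access enabled; remove it with `Remove-VMSwitch -Name 'WAN'` and recreate it as above, because a host interface on the WAN side bypasses the firewall entirely.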
First thing to note: if someone has recommended OpenWrt to you, take care. It is easy to configure OpenWrt so that it becomes unreachable on the network, meaning nobody, not even you, can connect to it or through it. I would personally say that OpenWrt is a NAT/firewall OS in beta or alpha state, and based on my own experience I recommend avoiding it. After some additional reading I ended up with pfSense, which is an amazing system with wide forum support and, best of all, easily configurable through a nice web-based UI. The next two systems may or may not suit your needs, but very likely pfSense will do just fine for you.
Things not to screw up: there is WAN and LAN. WAN is the interface facing the Internet, LAN the local home network. Rules can be added on both interfaces to restrict and manage the sources and devices on each network. Rules are ordered and are evaluated top to bottom until the first match, and that match decides what happens to the packet. Because pfSense is stateful, only the first packet of a connection walks the rule list; later packets of the same connection are matched against the state table. Even so, a long list with the common rules at the bottom wastes work on every new connection, so keep the most-used rules near the top. If no rule matches, the packet is dropped; that implicit default deny is always in effect at the end of the list. The only reason to put an explicit allow-everything rule at the bottom is initial setup or debugging, and it should come off again afterwards. In fact, if you do not have a public IP, you do not need to bother much with WAN rules, since nothing can reach you from outside anyway: leaving the WAN with no allow rules (drop everything) will do great. (What this means: any attempt to connect from the WAN to your home network is dropped by the firewall and never reaches the home network.) The more interesting part is the LAN section, which holds the rules governing the computers on your local network. Most likely you want to allow some of the standard ports:
- HTTP (Hypertext Transfer Protocol) – TCP port 80
- HTTPS (HTTP over TLS) – TCP port 443
- POP3 (Post Office Protocol, plain and TLS) – TCP ports 110 and 995
- IMAP (Internet Message Access Protocol, plain and TLS) – TCP ports 143 and 993
- DNS (Domain Name System) – port 53, UDP and TCP
- ICMP (Internet Control Message Protocol) – at least echo request/reply, so that ping works
These rules should be configured as allow from the LAN net to any destination on the listed ports; without them you would likely be unable to reach any website. (pfSense's LAN rules filter traffic entering the LAN interface, i.e. what your computers send out.) I strongly suggest adding a rule allowing any protocol and any port from any source to the destination addresses 8.8.8.8 and 8.8.4.4, Google's public DNS servers, so that every machine can reach them. You should then be able to ping them from any computer on the network, which is a quick test for connectivity problems. If you find that some service is not working (FTP transfers, Remote Desktop connections and so on), look up the port it uses and add it to the rule list. If you plan to set up some other server behind the firewall, you will need to add rules for the ports that server communicates on. You can be more restrictive and allow only certain IPs to talk on certain ports, but that is very likely not necessary unless you are a computer maniac whom everything uncontrolled frightens.
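Once the LAN rules are in place, verify them from a Windows client on the LAN rather than trusting the list. The following is an added example, not part of the original post: it probes each service the rules above are meant to allow, pings the Google resolvers, resolves a name over UDP, and runs one negative check for a port that is not in the allow list. example.com and 8.8.8.8/8.8.4.4 are real public endpoints; `$MailHost` is a placeholder for your own provider's IMAP/POP3 server, and `$BlockedHost`/`$BlockedPort` must point at a server you control that really listens on a port outside the allow list, otherwise the negative check proves nothing (a closed port fails whether or not the firewall blocks it).

```powershell
# Added example: verify the LAN allow rules from a client behind pfSense.
# Assumptions: the client is on the LAN; $MailHost and $BlockedHost are
# placeholders to be replaced with hosts of your own.
$MailHost    = 'imap.example.invalid'   # your mail provider's IMAP/POP3 server
$BlockedHost = 'ssh.example.invalid'    # a server you control that listens on...
$BlockedPort = 22                       # ...a port NOT in the LAN allow list

# One TCP check per rule on the page, plus the negative check.
$Checks = @(
    @{ Name = 'HTTP  80   -> example.com'; Host = 'example.com'; Port = 80;  Expect = $true  },
    @{ Name = 'HTTPS 443  -> example.com'; Host = 'example.com'; Port = 443; Expect = $true  },
    @{ Name = 'DNS   53   -> 8.8.8.8';     Host = '8.8.8.8';     Port = 53;  Expect = $true  },
    @{ Name = 'DNS   53   -> 8.8.4.4';     Host = '8.8.4.4';     Port = 53;  Expect = $true  },
    @{ Name = 'IMAP  143  -> mail';        Host = $MailHost;     Port = 143; Expect = $true  },
    @{ Name = 'IMAPS 993  -> mail';        Host = $MailHost;     Port = 993; Expect = $true  },
    @{ Name = 'POP3  110  -> mail';        Host = $MailHost;     Port = 110; Expect = $true  },
    @{ Name = 'POP3S 995  -> mail';        Host = $MailHost;     Port = 995; Expect = $true  },
    # Not in the allow list: with the implicit default deny this must fail.
    @{ Name = "BLOCK $BlockedPort -> own host"; Host = $BlockedHost; Port = $BlockedPort; Expect = $false }
)

$Mismatches = 0
foreach ($c in $Checks) {
    # Test-NetConnection -Port does a TCP connect; failures also emit a warning.
    $r  = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    $ok = ($r.TcpTestSucceeded -eq $c.Expect)
    if (-not $ok) { $Mismatches++ }
    '{0,-30} tcp={1,-5} expected={2,-5} {3}' -f $c.Name, $r.TcpTestSucceeded, $c.Expect, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# ICMP: the page suggests pinging the Google resolvers as a connectivity check.
foreach ($dns in '8.8.8.8', '8.8.4.4') {
    $p = Test-NetConnection -ComputerName $dns -WarningAction SilentlyContinue
    if (-not $p.PingSucceeded) { $Mismatches++ }
    '{0,-30} ping={1}' -f "ICMP -> $dns", $p.PingSucceeded
}

# UDP 53: Test-NetConnection only speaks TCP, so resolve a name through 8.8.8.8
# directly (Resolve-DnsName uses UDP first; -DnsOnly skips LLMNR/NetBIOS).
try {
    Resolve-DnsName -Name example.com -Server 8.8.8.8 -DnsOnly -ErrorAction Stop | Out-Null
    'UDP DNS via 8.8.8.8            OK'
} catch {
    'UDP DNS via 8.8.8.8            FAILED ({0})' -f $_.Exception.Message
    $Mismatches++
}

"Mismatches: $Mismatches"
```

A mismatch on an `Expect = $true` line means the allow rule is missing, is placed below a block rule that matches first, or is written for the wrong protocol (DNS and ICMP are the usual victims of a TCP-only rule). A mismatch on the negative line means the default deny is not in effect on LAN, typically because a leftover allow-everything rule is still at the bottom of the list.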
Once the rules are set up, you can check their usage in the list: pfSense shows for each rule how many states and packets it has handled, so after logging in you can see how much traffic each one matched. This also comes in handy if you want to block some specific communication on the network. You can also add a graph to the dashboard showing the live traffic passing through the firewall, to better understand what is going on. Those were the basic firewall features, but there is much more you can do with pfSense, including running a DHCP server (with static mappings if you like) and a VPN server on the firewall itself. A VPN is a great way of connecting securely to your home network from anywhere. Once connected, it is as if your machine were plugged into the home network itself. In other words, if you have blocked some service on the WAN (say FTP), you can still use FTP over the VPN, because the traffic travels encapsulated inside the tunnel; the only inbound rule the WAN then needs is one for the VPN port itself (UDP 1194 by default for OpenVPN). Of course a public IP is needed for this. I am still in the testing phase, but after a few minutes I was able to connect from T-Mobile's network into my home network via the OpenVPN server running on the virtualized pfSense firewall.
Well, I hope I have encouraged some readers to at least think about securing their network and possibly adding some other features to their home :) I would just mention that one has to be patient when setting up a firewall, especially for the first time. pfSense ships with an anti-lockout rule that always lets the local network reach the pfSense web interface, but "clicky users" may remove that rule (or disable it in the settings) and configure pfSense so that it is as useless as hell (as in the case of OpenWrt). Fortunately you can always back up the virtual hard disk, which under Windows is just a file, and restore the whole system later if needed; pfSense can also export its configuration as an XML file from the web UI, which is much smaller to keep around. And one can almost always find some help in the forums.