10/26/2018 Guide to Creating and Configuring Rules in pfSense | An ninh mạng
Author: Khang
FEATURES: FIREWALL RULES
In the previous article we became familiar with the pfSense configuration menu through the web interface. Next we will start on the most basic configurations for the firewall.

The pfSense firewall operates on the rules the administrator has defined. These rules tell pfSense which packets are to be blocked and which are to be passed. Configuring rules in pfSense is therefore a fundamental task that every administrator must master.

To deploy pfSense with rules that work well, we first need to understand the following concepts:

Alias: simply put, an alias is a value (a name) that the administrator assigns to an IP, URL or network. Example: create an alias named google and assign it the IP 172.217.25.14.
Go to the Firewall -> Alias menu to create one.
pfSense also offers the URL Table option, which lets the user store IP addresses in a remote list and then create an alias for that IP table. This URL Table list can also be updated automatically at the configured times.
Figure 23: URL Table Alias (alias edit form with Type set to URL Table)
Figure 24: China IP list (the downloaded file begins with comment lines such as "# Copyright 2013 Country IP Blocks LLC ... may not be redistributed in any form", followed by the network entries)
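As an added illustration of the URL Table alias (this is example code written for this page, not the article's or pfSense's own code), the block below reproduces what pfSense does with a downloaded list: comment lines and blank lines are ignored, every other line is a network, and the result becomes a named alias that rules can test addresses against. The sample list, the function and class names, and the alias name are all assumptions constructed for the example.

```python
"""Added example (not from the article): loading a URL Table alias offline.

pfSense fetches a plain-text list of networks, ignores comment lines and
blank lines, and builds an alias from it; rules then reference the alias
by name. This reproduces that logic with a constructed sample so the
behaviour can be checked without a pfSense box. The function and class
names are assumptions for illustration, not pfSense's own.
"""
import ipaddress

# Constructed sample in the style of the file in Figure 24: comment lines
# start with '#', every other non-blank line is one network in CIDR form.
SAMPLE_URL_TABLE = """\
# Copyright notice (constructed sample, not the real Country IP Blocks file)
# Lines beginning with '#' are comments and must be ignored.
1.0.1.0/24
1.0.2.0/23

14.0.0.0/21   # trailing comment
not-an-address
203.0.113.0/24
"""


def parse_url_table(text):
    """Return the networks listed in a URL-table file.

    Comment lines, blank lines and entries that do not parse are skipped
    rather than aborting the import, so one bad line cannot empty the alias.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return networks


class Alias:
    """A named group of networks, like a pfSense alias of type Network/URL Table."""

    def __init__(self, name, networks):
        self.name = name
        self.networks = list(networks)

    def contains(self, ip):
        """True if ip falls inside any network of the alias."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def build_url_table_alias(name, text):
    """Build an alias the way pfSense does after downloading a URL table."""
    return Alias(name, parse_url_table(text))


if __name__ == "__main__":
    cn = build_url_table_alias("china_ips", SAMPLE_URL_TABLE)
    print(len(cn.networks), "networks loaded into alias", cn.name)
    for ip in ("1.0.1.77", "14.0.7.1", "8.8.8.8"):
        verdict = "matches" if cn.contains(ip) else "does not match"
        print(f"{ip} {verdict} {cn.name}")
```

The point worth checking on a real list is the one the parser handles explicitly: a single malformed or comment line must not empty the alias, because an empty alias referenced by a block rule silently blocks nothing.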
NAT: NAT (Network Address Translation) is a familiar mechanism that no network system can do without when reaching the Internet. With public IPs in limited supply, NAT lets the hosts of an internal network translate from a private IP to a public IP in order to access the Internet. There are two main NAT mechanisms:
- NAT Inbound: translates an IP address from public to private.
- NAT Outbound: translates an IP address from private to public.

Port Forward:
This is one form of inbound NAT. Go to the Firewall -> NAT -> Port Forward menu. In this example we create a Port Forward rule that uses inbound NAT to let machines on the Internet reach the server.
[Figure: Firewall -> NAT -> Port Forward edit form. Visible fields: Interface (WAN), Protocol (TCP), Destination port range, Redirect target IP, Redirect target port, Description, No XMLRPC Sync, NAT reflection (Use system default)]
NAT 1:1:
[Figure: 1:1 NAT diagram, pfSense NAT in front of SERVER 172.16.10.20]
This configuration is for the case where you want to map one private IP to one public IP.
[Figure: Firewall -> NAT -> 1:1 edit form. Visible fields: Interface (WAN), External subnet IP 120.72.98.119, Internal IP (Type: Single host, Address 10.0.0.5), Destination (Type: any), Description, NAT reflection (enable)]
NAT Outbound:
Once the inbound items are fully configured, we switch to the Outbound tab to let the hosts of the internal network reach the Internet. In pfSense the firewall ships with default outbound NAT rules that translate private IPs into public IPs, giving Internet access.
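To make the three NAT forms described above concrete (port forward, 1:1 and outbound), here is an added example that is not the article's or pfSense's own code: each form is a function over a small packet record, so the address rewriting can be followed step by step. The addresses are constructed, apart from the 1:1 pair taken from the article's screenshot (120.72.98.119 paired with 10.0.0.5); WAN_IP, the port-forward table and the class and function names are assumptions for the illustration.

```python
"""Added example (not the article's own code): the three NAT forms above
(port forward, 1:1 and outbound) modelled as functions over a small packet
record so the address rewriting can be traced. Addresses are constructed
except the 1:1 pair taken from the article's screenshot
(120.72.98.119 <-> 10.0.0.5); WAN_IP stands in for the firewall's WAN
address. Nothing here talks to pfSense.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


WAN_IP = "198.51.100.1"  # constructed WAN address of the firewall

# Port forward (inbound NAT): traffic to WAN_IP:443 is sent to the server.
PORT_FORWARDS = {("tcp", WAN_IP, 443): ("172.16.10.20", 443)}

# 1:1 NAT: one external address permanently paired with one internal host.
ONE_TO_ONE = {"120.72.98.119": "10.0.0.5"}


def port_forward(pkt):
    """Inbound NAT: rewrite the destination when a port-forward entry matches.

    Only the configured protocol/port pair is exposed; anything else reaching
    WAN_IP is left untouched and falls through to the firewall rules.
    """
    target = PORT_FORWARDS.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
    if target is None:
        return pkt
    return replace(pkt, dst_ip=target[0], dst_port=target[1])


def one_to_one_inbound(pkt):
    """1:1 NAT, Internet -> LAN: the external address becomes the internal host."""
    internal = ONE_TO_ONE.get(pkt.dst_ip)
    return pkt if internal is None else replace(pkt, dst_ip=internal)


def one_to_one_outbound(pkt):
    """1:1 NAT, LAN -> Internet: the internal host always appears as its external address."""
    for external, internal in ONE_TO_ONE.items():
        if pkt.src_ip == internal:
            return replace(pkt, src_ip=external)
    return pkt


class OutboundNat:
    """Stateful outbound NAT, as pfSense's automatic rules provide it.

    A private source is rewritten to WAN_IP with a fresh port, and the
    mapping is remembered so that only replies to an existing state are
    translated back. Unsolicited inbound packets have no state and get None.
    """

    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.states = {}  # (proto, translated port) -> (original src_ip, src_port)

    def translate(self, pkt):
        if not ipaddress.ip_address(pkt.src_ip).is_private:
            return pkt  # already public: nothing to translate
        port = self.next_port
        self.next_port += 1
        self.states[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=port)

    def untranslate_reply(self, pkt):
        orig = self.states.get((pkt.proto, pkt.dst_port))
        if orig is None:
            return None
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1])


def reply_path(nat, outbound_pkt):
    """Translate outbound_pkt, build the remote side's reply, and map it back."""
    out = nat.translate(outbound_pkt)
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port, out.proto)
    return nat.untranslate_reply(reply)


if __name__ == "__main__":
    print(port_forward(Packet("203.0.113.9", 51000, WAN_IP, 443)))
    print(reply_path(OutboundNat(WAN_IP), Packet("172.16.10.50", 5555, "93.184.216.34", 80)))
```

The difference the model makes visible is why the three forms carry different risk: outbound NAT alone admits only replies to states the LAN created, a port forward exposes exactly one port of one host, and a 1:1 mapping exposes every port of the internal host, so it should be paired with WAN rules that allow only the intended services.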
[Figure: Firewall -> NAT -> Outbound, with the choice between Automatic outbound NAT rule generation and Manual outbound NAT rule generation]
These default rules are generally sufficient for ordinary network designs; for more complex designs, however, the administrator will need to customize them by selecting Manual Outbound NAT.

Having covered the concepts above, we now move to the focus of this article: rules. In pfSense the network zones are connected to each other through rules by default; depending on the actual security requirements, however, the network administrator must customize these rules accordingly.
[Figure: Firewall -> Rules tab]
From the Port Forward step above, pfSense has at this point automatically created a rule allowing traffic from the WAN zone to the internal server.
The main rule terms the administrator needs to know well:
Action: the action taken on a packet that matches the rule. By default pfSense offers these Action options: Pass / Block (discard the packet arriving at the firewall) / Reject (refuse the packet, flag it and send a response back to the user).
Disable: temporarily turns the rule off; it can be enabled again when needed.
TCP/IP Version: the IP version pfSense works with, IPv4 or IPv6.
Protocol: the transport protocols pfSense can use (ICMP, TCP...) and the routing protocols (OSPF, EIGRP).
Source/Destination: specify the source and destination IPs.
Log: lets you monitor and record the rule's activity.

Schedules:
In a business, rules sometimes need flexibility in time, for example blocking access to Facebook during working hours but allowing it during the lunch break. The Schedules feature lets the firewall schedule rules to apply during fixed time windows.
Once the time window has been defined and named, go back into the rule configuration to apply this window to the rule. From then on the rule is only active during that window.
Figure 33: Assigning the Working schedule to a rule (Schedule field; leave it at none to keep the rule enabled all the time)
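The following added example (written for this page, not code from the article or from pfSense) puts the rule fields listed above (Action, Disable, Protocol, Source/Destination, Log, Schedule) into a small first-match evaluator, so that the effect of rule order and of a schedule window can be checked. The rule set, the aliases, the addresses and the timestamps are constructed, and the evaluator is a model of how pfSense decides, not its implementation.

```python
"""Added example (not the article's own code): the rule fields described
above in a small first-match evaluator, so the effect of ordering and of a
schedule can be checked. Rule set, aliases, times and addresses are
constructed; the evaluator models pfSense's behaviour, it is not pfSense.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple
import ipaddress

ALIASES = {
    "lan_net": ["192.168.1.0/24"],
    "blocked_sites": ["198.51.100.0/24"],  # constructed stand-in for the social site
}


@dataclass
class Schedule:
    """A named set of weekly time windows (weekday 0 = Monday)."""
    name: str
    weekdays: Tuple[int, ...]
    windows: Tuple[Tuple[time, time], ...]

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and any(
            start <= now.time() < end for start, end in self.windows)


@dataclass
class Rule:
    action: str                 # "pass", "block" (drop silently) or "reject" (drop and notify sender)
    interface: str              # which tab the rule lives on: "LAN", "WAN", ...
    proto: str = "any"
    src: str = "any"            # alias name, CIDR or single address
    dst: str = "any"
    dst_port: Optional[int] = None
    disabled: bool = False
    log: bool = False
    schedule: Optional[Schedule] = None


def addr_matches(spec: str, ip: str) -> bool:
    """Match an address against 'any', an alias name, or a literal network."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False)
               for e in ALIASES.get(spec, [spec]))


def evaluate(rules: List[Rule], pkt: dict, now: datetime):
    """Return (action, log line or None) for pkt.

    Rules are walked top to bottom on the packet's interface and the first
    match wins. A disabled rule, or a scheduled rule outside its window, is
    skipped as if it were not there. If nothing matches, the implicit
    default deny blocks the packet.
    """
    for rule in rules:
        if rule.disabled or rule.interface != pkt["iface"]:
            continue
        if rule.proto != "any" and rule.proto != pkt["proto"]:
            continue
        if not addr_matches(rule.src, pkt["src"]) or not addr_matches(rule.dst, pkt["dst"]):
            continue
        if rule.dst_port is not None and rule.dst_port != pkt["dst_port"]:
            continue
        if rule.schedule is not None and not rule.schedule.active(now):
            continue
        log = None
        if rule.log:
            log = (f"{rule.action} {pkt['proto']} {pkt['src']} -> "
                   f"{pkt['dst']}:{pkt['dst_port']} on {rule.interface}")
        return rule.action, log
    return "block", None


def decide_at(rules: List[Rule], pkt: dict, when: str):
    """Convenience wrapper: `when` is an ISO timestamp such as '2018-10-23T10:00'."""
    return evaluate(rules, pkt, datetime.fromisoformat(when))


# Constructed rule set: block the site during working hours (and log it),
# then let everything else from the LAN out. Order matters: swap the two
# rules and the block never fires.
WORKING = Schedule("Working", weekdays=(0, 1, 2, 3, 4),
                   windows=((time(8, 0), time(12, 0)), (time(13, 0), time(17, 0))))
LAN_RULES = [
    Rule("block", "LAN", "tcp", "lan_net", "blocked_sites", 443, log=True, schedule=WORKING),
    Rule("pass", "LAN", "any", "lan_net", "any"),
]


def lan_packet(dst: str, dst_port: int = 443) -> dict:
    """Constructed HTTPS request from a LAN host."""
    return {"iface": "LAN", "proto": "tcp", "src": "192.168.1.25", "dst": dst, "dst_port": dst_port}


if __name__ == "__main__":
    print(decide_at(LAN_RULES, lan_packet("198.51.100.7"), "2018-10-23T10:00"))  # Tuesday, working
    print(decide_at(LAN_RULES, lan_packet("198.51.100.7"), "2018-10-23T12:30"))  # Tuesday, lunch
```

Two behaviours in the model are the ones to verify on a real box: a scheduled block rule that is outside its window is simply absent, so the packet continues to the pass rule below it; and a packet on an interface with no matching rule is dropped by the default deny, which is why the automatically created WAN rule from the Port Forward step is what makes the server reachable at all.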
That concludes our look at how to deploy and configure rules in pfSense. With these rules the user can flexibly impose policy on the hosts of the internal network (blocking websites, allowing access) as well as control the data flowing in and out from the Internet.