Hey guys, your friendly neighbor spiderman here to guide you on how to complete Prof M's firewall project before Monday! Fun Fact: this project took me approx. 6 hours to complete but this also includes troubleshooting that you shouldn't have to do since I'm giving you the answers.
Caution
For now, forget everything you had and everything the PDF said to minimize confusion. Instead, pay very close attention to everything written in this document because it will explain everything step-by-step. This is NOT something you can just fly through because you will miss a small detail and something will break because of it.
Like I said before, we're starting from SCRATCH. That means don't hold onto anything you've already configured, because it's probably wrong. Don't worry though, since we're all going to be on the same page and everyone's configuration should be exactly the same.
Tip
For those of you not using VirtualBox on a Windows OS your steps may be slightly different; you can DM me if you get lost or need personal help. I'll also include pretty pictures for all my visual learners out there 😉
Before anything we need to make sure our Host-Only adapters are created and ready to go before we assign them out to our VMs.
Once you open VirtualBox, there will be a list of miniature icons on the left-hand side. You're going to click the button that says Network and create 2 adapters.
Pictures speak a thousand words right?
You should see an Adapter and a DHCP Server tab. If you don't, make sure you click the "Properties" button next to Create to show this sub menu.
Select the Adapter tab if it's not already selected and it should've assigned you a subnet already.
Important
You can keep this subnet, but make sure the last octet is .1, so the IPv4 Address should be 192.168.X.1
Next, click on the DHCP Server tab. This is where our VM's will get their dynamically assigned addresses.
Important
Ensure your Server Address is 192.168.X.2, on the same subnet as your IPv4 address. Set your Lower Address Bound to 192.168.X.11 to leave enough room for static addressing.
Since we're using 2 different Host-Only adapters, they must be on different subnets (a different X for each), but the last octets should be the same on both.
You're going to open up your VirtualBox Manager and configure your network adapters for your OPNsense VM:
Click on your OPNsense VM and click on settings. Then go to the network tab and ensure you have network adapters 1 thru 3 enabled.

Here is the list of what to configure for each adapter:
Adapter 1
Attached To: Bridged Adapter
Name: Leave it at whatever it automatically selects; this is likely the NIC that gives your host internet access.
Adapter Type: Intel PRO/1000 MT Desktop
Promiscuous Mode: Allow All
Adapter 2
Attached To: Host-Only Adapter
Name: VirtualBox Host-Only Ethernet Adapter
Adapter Type: Intel PRO/1000 MT Desktop
Promiscuous Mode: Allow All
Adapter 3
Attached To: Host-Only Adapter
Name: VirtualBox Host-Only Ethernet Adapter #2
Adapter Type: Intel PRO/1000 MT Desktop
Promiscuous Mode: Allow All
Tip
If you don't see the options for Adapter 2 & 3, check whether you have the "Basic" tab selected in the top left of the settings window. If you still don't see the option you will have to redownload the Expansion Pack from VirtualBox's website here.
You're going to open up your VirtualBox Manager and configure the network adapter for your Ubuntu & Windows VMs. The settings are the same for both except for the Name: the two VMs must sit behind different Host-Only adapters (one on the LAN side, one on the OPT1 side), otherwise they are on the same subnet and the firewall never sees the traffic between them. To line up with the rest of this guide, put Ubuntu on the first adapter (LAN) and Windows on the second (OPT1).
Adapter 1
Attached to: Host-only Adapter
Name: VirtualBox Host-Only Ethernet Adapter (Ubuntu) or VirtualBox Host-Only Ethernet Adapter #2 (Windows)
Adapter Type: Intel PRO/1000 MT Desktop
Promiscuous Mode: Allow VMs
Tip
You don't HAVE to use Windows and/or Ubuntu, as long as you have 2 host machines it can still work but this guide is based on a Linux and Windows OS so some commands may be different for you down the line.
Now that our adapters are properly configured on the VMs, we can assign the interfaces and IP addresses for our LAN, OPT1, and WAN in OPNsense.
Don't fret if you don't see your OPT1 interface or if your GUI doesn't work, because that's what we're here to fix.
Note
You should've already successfully installed OPNsense; if you haven't, none of your configuration past this point will save and you will just waste a bunch of time. If you need help installing, just DM me, because I won't cover the install here.
Now, you're probably missing your OPT1 interface and your LAN and WAN are assigned incorrectly. If so, log in as root / opnsense and type 1 to Assign Interfaces. Once you press Enter, answer N to both LAGGs and VLANs (we don't need them for this exercise).
It will then let you assign the 3 adapters you created for your OPNsense VM. The correct assignments should be:
WAN -> em0
LAN -> em1
OPT1 -> em2
If you've done this correctly, you should see the following once you press Enter to exit the interface assignments:
Press Y to exit this configuration.
The next thing we need to do is assign the IP addresses for our LAN and OPT1 interfaces. Our WAN interface doesn't need to be assigned, because the bridged adapter has already picked up an IP from your router's DHCP, which is why it matches your host's subnet.
Note
You can verify your WAN address by opening Command Prompt on your host machine and running ipconfig to view your "Default Gateway"; the WAN address and your host's default gateway should be in the same subnet. You can also check that your WAN can reach the internet by pressing 7 (Ping host) and typing 8.8.8.8; you should see replies coming back.
-> To assign the IPs for both your LAN and OPT1, you will type 2 and select the appropriate interface.
-> Select Y to the initial DHCP question, then press Enter through the remaining prompts until it takes you back to the main menu.
Repeat this for the other interface and you should now have a DHCP address on both your LAN and OPT1.
Caution
Ensure you can connect to your firewall GUI from the host machine: browse to the IP your LAN interface received from DHCP (it's shown on the OPNsense console menu). If you cannot connect to the GUI then you did a step wrong and need to fix it before you continue. Ask for help if you need it!
Tip
If you've already completed the Wizard (Since we went over it as a class Yesterday 👀) then you can skip this step.
When you first open OPNsense's GUI, you should be redirected after 5 seconds to the wizard that will let you assign the DNS for your interfaces. Since most of us have already gotten to this stage yours may not default to the wizard. If you are unsure if you've done it yet you can find the wizard by following this path:
System -> Configuration -> Wizard
Click Next to get past the introduction until you reach the General Information tab. Here you will set the DNS Servers to your host machine's Default Gateway address (your router is what's going to be resolving hostnames for you).
Once you input the DNS you can click Next until you get to the Network [LAN] tab. Disable Configure DHCP server if it is enabled; the IP address will be your LAN address. You can skip changing the root password and then Finish to exit the wizard.
Now that we've changed our Host-Only adapter addresses, your Ubuntu and Windows VMs will no longer be able to reach each other. Your Windows machine is now on a different subnet than your Ubuntu machine, so they sit on separate networks. To fix this we need to tell each VM to send traffic for other networks to the firewall, by setting the default route on both.
Open Command Prompt and type ipconfig. If the IPv4 address you see doesn't match the subnet of the Host-Only adapter you assigned to this VM, run ipconfig /renew to pull a new lease. Once it has changed to the new subnet, it still won't be able to reach your Linux machine because a default gateway hasn't been set.
Since our two machines are now on different subnets they can't talk directly like before; we have to tell them where to send the traffic. The default gateway leads it to the firewall, which will route it on to the other network. To do this, set the default gateway to whatever IP the OPNsense CLI shows for the interface this VM sits behind (OPT1 or LAN), using these commands:
route delete 0.0.0.0 | This deletes the old default route if there was one, if not then move onto the next command
route -p add 0.0.0.0 mask 0.0.0.0 192.168.X.X | Assigns the new default route to the IP of the interface on OPNsense
^ You will need to run these from a Command Prompt opened as Administrator
Same thing we did for Windows, but on Ubuntu. Type ifconfig (or ip a if ifconfig isn't installed) to check the IP address. If it doesn't match the subnet of the Host-Only adapter, run sudo dhclient -r to release the old lease and then sudo dhclient to request a new one (the -r flag only releases; it doesn't fetch a new address on its own). Once this is done (make sure it changed to the new subnet), it still won't be able to reach your Windows machine because a default gateway hasn't been set.
Note
If you tried to run sudo dhclient -r and it didn't work, it's because you're missing the package. You can install it with sudo apt install isc-dhcp-client, BUT you first have to add a 2nd adapter to the machine, make it a Bridged Adapter with Promiscuous Mode set to Allow All, and relaunch the VM to gain internet access. While you're there, also install nmap with sudo apt install nmap since we'll need it later. Make sure to shut the VM down, disable the 2nd adapter and boot it again, or that adapter will bypass your firewall.
We'll repeat the same action we did on Windows, but with Ubuntu's command:
sudo ip route add default via 192.168.X.X
If you made a mistake then you can delete the default route by typing:
sudo ip route del default
After this, verify that you can ping between both VMs, because you won't be able to move on to Step 5 until that works. I also recommend writing down your IPs somewhere so you don't forget them, because you will need them.
If you aren't having issues with your VMs pinging each other, you can skip to Step 5! (I'd be surprised if you didn't though)
Now, since we created a new interface, that means we also have a new interface to create firewall rules for! Go to your OPNsense GUI and head to Firewall -> Rules -> OPT1. Remember what Prof said: "if there's no rule, that means deny EVERYTHING". So our own firewall is blocking the connection on the new subnet. We can fix this by creating a new rule with the + button in the top right.
The only thing you're going to edit here is the Source: change it to OPT1 net (scroll down if you don't see it). This allows our entire OPT1 network through the firewall. You can check the Log option if you like, but it isn't necessary.
Remember to save and apply changes for it to take effect.
If you're having issues pinging Windows from Ubuntu, make sure you disable Windows Firewall, since it could also be what's blocking the traffic.
Congratulations on making it this far! But we still have a lot to go, unfortunately, so let's get into it! Now we're on step 4 of the PDF Prof M gave us (Firewall Rules). Go ahead and head to Firewall -> Rules -> LAN. Everyone should see the default allow rules here; if you don't, I'll attach a screenshot for you to copy them, because we'll need those.
Just like how we made our OPT1 rule, we'll do the same here. Only change what I specify below:
Action: Block
Protocol: ICMP
Source: Single host or Network -> Enter the IP of your Ubuntu machine.
Destination: Single host or Network -> Enter the IP of your Window machine.
Enable the Log toggle to log the traffic this rule blocks; this helps us confirm the firewall is working and will be necessary for the final submission. Once you do this, make sure to Save and Apply.
Important
By default our rule gets created at the bottom. Rules are evaluated top to bottom and the first match wins, so the default allow rules above it would let the ping through before our block rule is ever reached. Select both default rules and click the little arrow in the top right to shift them to the bottom, putting your block rule at the top.
You might also notice that the IPs we put for the Source and Destination were automatically given a /32 subnet mask; that's because we selected a single host. Using /24 would select the entire network.
Once you've created your rule, you should no longer be able to ping the Windows machine from your Ubuntu machine. You can see the blocked packets by going to Firewall -> Log Files -> Live View.
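To make the ordering and mask points concrete, here is a small first-match evaluator (an added example written for this guide, not part of the original page or of OPNsense) that replays the LAN tab in both orders. The IPs and subnets are constructed for the example (Ubuntu on 192.168.57.0/24 as LAN, Windows on 192.168.126.0/24 as OPT1) and are assumptions, not values from the guide.

```python
import ipaddress

# Constructed lab addresses for the example (assumptions, not from the guide):
# Ubuntu sits on the LAN side, Windows on the OPT1 side.
LAN_NET = "192.168.57.0/24"
UBUNTU = "192.168.57.20"
WINDOWS = "192.168.126.20"
OTHER_LAN_HOST = "192.168.57.30"


def rule(name, action, proto, src, dst):
    """One LAN rule. proto is 'any' or an IP protocol name; src/dst are CIDRs."""
    return {
        "name": name,
        "action": action,
        "proto": proto,
        "src": ipaddress.ip_network(src),
        "dst": ipaddress.ip_network(dst),
    }


# What the LAN tab ships with: the IPv4 'Default allow LAN to any' rule.
DEFAULT_ALLOW_LAN = rule("Default allow LAN to any", "pass", "any", LAN_NET, "0.0.0.0/0")

# The block rule the guide has you create: single host -> single host, hence /32.
BLOCK_PING_SINGLE_HOST = rule("Block ICMP Ubuntu -> Windows", "block", "icmp",
                              UBUNTU + "/32", WINDOWS + "/32")

# The same rule with a /24 source, to show what the wider mask would catch.
BLOCK_PING_WHOLE_LAN = rule("Block ICMP LAN net -> Windows", "block", "icmp",
                            LAN_NET, WINDOWS + "/32")


def first_match(rules, proto, src, dst):
    """Evaluate rules top to bottom; the first rule that matches decides,
    which is how OPNsense treats rules with 'quick' set (the default).
    If nothing matches, the firewall's implicit default deny applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] != "any" and r["proto"] != proto:
            continue
        if src_ip not in r["src"] or dst_ip not in r["dst"]:
            continue
        return r["action"], r["name"]
    return "block", "implicit default deny"


def ping_verdict(rules, src=UBUNTU, dst=WINDOWS):
    """Action taken on an ICMP echo request from src to dst."""
    return first_match(rules, "icmp", src, dst)[0]


if __name__ == "__main__":
    # Block rule left at the bottom: the default allow wins and the ping passes.
    print("block at bottom:", ping_verdict([DEFAULT_ALLOW_LAN, BLOCK_PING_SINGLE_HOST]))
    # Block rule moved to the top: the ping is blocked, other traffic still passes.
    print("block at top:   ", ping_verdict([BLOCK_PING_SINGLE_HOST, DEFAULT_ALLOW_LAN]))
    print("tcp at top:     ", first_match([BLOCK_PING_SINGLE_HOST, DEFAULT_ALLOW_LAN],
                                          "tcp", UBUNTU, WINDOWS)[0])
    # /32 only matches the one Ubuntu host; /24 would block the whole LAN.
    print("/32, other host:", ping_verdict([BLOCK_PING_SINGLE_HOST, DEFAULT_ALLOW_LAN],
                                           src=OTHER_LAN_HOST))
    print("/24, other host:", ping_verdict([BLOCK_PING_WHOLE_LAN, DEFAULT_ALLOW_LAN],
                                           src=OTHER_LAN_HOST))
```

Run it with python3 and compare the five lines with what you see in Live View after moving the rule: the only difference between "passes" and "blocked" is the order, and the only difference between blocking one host and the whole LAN is the mask.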
Tip
You can filter the log view by clicking the action button in the top left, selecting interface and clicking the plus to add it to the filter list.
Note
If you've added your firewall rule but you're not seeing it being blocked in the Live View, verify that both of your host machines are on different subnets and that they're not sharing the same Host-Only adapter in VirtualBox!
Caution
Being able to show your firewall filtering and blocking ICMP traffic from your Ubuntu is one of the deliverables we will have to submit, so make sure you take a screenshot of yours working. If yours DOES NOT work, please shoot me a message so we can get it resolved!
If you've made it this far then you're in the final stretch! Now we need to configure our IDS to detect our stealthy nmap scan (hopefully you downloaded nmap to your Ubuntu earlier). To get started let's head to Services -> Intrusion Detection -> Administration. Once you get there, one thing you might notice is a small toggle button to enable advanced mode. This gives us access to more settings, which we will need.
Note
You might've noticed the yellow warning in my screenshot; this is something you might get after enabling all the rules and I believe it's just there to advise you of a more efficient way to manage a lot of rules, but it's not important for the scope of this project so you can ignore it.
Settings we want to change:
Promiscuous mode: Enabled
Interfaces: LAN & OPT1
Pattern Matcher: Hyperscan
Detect Profile: High
Home Networks: Insert both of your subnets here, for example 192.168.57.0/24, 192.168.126.0/24 if those are the subnets of your LAN and OPT1 interfaces.
This gives us the highest sensitivity to best detect nmap's -sS option. Once you've completed this, head to the Download tab and select ONLY the ET open rules. The easiest way is to tick the select-all box and then untick the abuse.ch and OPNsense rules.
Once you've selected all the ET open rules, click Enable selected first. You should then see a checkmark under the Enabled column confirming this. Once this is done, reselect the ET open rules and click Download & Update Rules at the bottom.
Important
Sometimes the download doesn't work; if this happens, refresh the page, reselect the ET open rules and try the download again. You'll know it worked when you see dates under the Last updated column.
Once the download completes, head to the Rules tab and type scan in the search bar. This filters the list down to the rules associated with scanning and reconnaissance, which is what nmap does.
Tip
There's an option to change the number of rules shown per page from 10; I highly recommend you change this to 100 to speed up the process.
Check the box to select all the rules and click the little checkmark box in the bottom right to enable all selected rules. You'll do this for all 6 pages. Once this is done, search for nmap and repeat the process to make sure everything is enabled. At this point you are technically done with the IDS, as you should see a green play button in the top right of your GUI, but it won't fire for the scan we were told to run, sudo nmap -sS -Pn <windows_ip>, the reason being that it's just too stealthy 😵.
So how do we fix this? Well, this is where it gets complicated so pay attention!
While yes, you can just take out the -sS and replace it with -A, or add -T5 (they do different things that I won't explain here since we'll learn about nmap next week), those options basically make the scan "louder" and easier for our IDS to detect. If you actually want to detect the stealth scan, I'll walk you through how to accomplish this:
First, head back to your OPNsense CLI. Press 8 for the shell and type ifconfig | more, which shows our interfaces in more depth so we can confirm the IDS is enabled on them. The | more lets us press Enter to scroll down, since the console doesn't support scrolling up.
As we can see from my image, we're looking for SIMPLEX as part of the flags on our em1 and em2 interfaces, which should be our LAN and OPT1 if you've followed my instructions. This confirms that our IDS is actively scanning both interfaces, which is a good sign. ✔️ (SIMPLEX is a standard FreeBSD Ethernet flag that you'll see on em0 as well; the flag that shows up once Suricata is listening with Promiscuous mode enabled is PROMISC, so check for that one too.)
Note
A lot of the stuff we're going to be doing for this IDS is beyond the scope of the class in my opinion so I won't be explaining every single setting and configuration as I just want all of us to get to the end of this project together.
Next, head back to the firewall GUI and go to Interfaces -> Settings and make sure Hardware CRC, Hardware TSO and Hardware LRO are all checked. Checking them disables checksum offload and segmentation offload on the NICs; with offload on, Suricata gets handed packets whose checksums the NIC hasn't filled in yet and its own checksum checks get confused.
Note
Now I didn't mention it before, but I also downloaded the OPNsense-App-detect/test rule set and enabled it by searching for eicar in the Rules tab. I don't know if this actually helped with the detection or not, so you can do this as well if you want to, but I won't say you "have to" unless it doesn't work after everything else!
What I believe to be the main fix for the IDS was actually creating a custom rule that detects -sS scans, since the ones we downloaded didn't feel like working today. If you didn't know, the IDS built into OPNsense is Suricata, which is a popular IDS, so be sure to put it on your skills list by the way 😉. A lot of the Suricata features we need for this aren't exposed in the GUI, though, so we will be editing it through the OPNsense shell.
With that being said, type 8 and press Enter. Once we're in the shell we're going to type:
sed -i '' 's/checksum-validation: yes/checksum-validation: no/g' /usr/local/etc/suricata/suricata.yaml && configctl ids restart
This is going to disable (you guessed it) checksum validation, which means Suricata won't discard packets whose checksums look wrong. In a VM that matters a lot: without it, packets whose checksums were left for the NIC to compute get thrown away before any rule sees them, and it also stops a scanner from slipping past by sending deliberately bad checksums, which is critical. One caveat: OPNsense regenerates suricata.yaml from its template whenever you click Apply on the IDS settings page, so if you change anything there later, rerun this command.
Caution
Make sure you type the following command EXACTLY how I've written it here, a single typo will corrupt your file and the earth will crumble under your feet!
echo 'alert tcp any any -> any any (msg:"Smart NMAP Stealth Scan Detected"; flow:stateless; flags:S; threshold:type threshold, track by_src, count 20, seconds 5; sid:1000001; rev:1;)' > /usr/local/etc/suricata/rules/local.rules && configctl ids reload
Jokes aside, if you made a typo you won't know about it unless you dig through log files, and I really don't feel like doing that with any of you, so please make sure you type it correctly. (If you do want a quick check, suricata -T -c /usr/local/etc/suricata/suricata.yaml test-loads the config and rules and complains about any bad line.) If you remember any of our bash scripting some of this will look familiar; I won't waste time breaking it all down, but in short it writes one custom rule (alert on any TCP packet whose only flag is SYN, once the same source has sent 20 of them within 5 seconds) into local.rules and reloads the IDS configuration. Note the single > overwrites local.rules, so use >> if you add more rules later. It should show up in the Firewall GUI immediately without rebooting the firewall (you may have to refresh the page).
Once you've done that head to Services -> Intrusion Detection -> Administration -> Rules and you should see a 'local.rules' rule added (the one we just created).
Once you confirm the rule exists, click on the Alerts tab, then go to your Ubuntu machine and type sudo nmap -sS -Pn <windows_ip> to start the scan. Once the scan completes, click the Refresh button and you should see alerts. If you don't, then may God be with you, because this was such a pain in the ass to figure out.
You've hopefully completed the most difficult part of this project. The next step is to open Wireshark on your host machine and select the Host-Only adapter as the capture interface.
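To see why the custom rule catches the scan, and where it stops working, here is a small replay of its threshold logic (an added example written for this guide, not code from the page, from Suricata or from OPNsense). It models Suricata's "type threshold, track by_src, count 20, seconds 5" counter over constructed packet records shaped like a SYN scan; the IPs, port counts and probe spacings are assumptions made for the example.

```python
from collections import defaultdict

# Values lifted from the custom rule above:
#   threshold:type threshold, track by_src, count 20, seconds 5
COUNT = 20
SECONDS = 5

# Constructed lab addresses (assumptions): Ubuntu on LAN, Windows on OPT1.
UBUNTU = "192.168.57.20"
WINDOWS = "192.168.126.20"


def syn_threshold_alerts(events, count=COUNT, seconds=SECONDS):
    """Replay packet records and return one (ts, src, dst) entry per alert.

    Each event is (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags).
    Only records whose flags are exactly 'S' match 'flags:S', so the target's
    SYN/ACK and RST/ACK replies never count. The counter follows Suricata's
    'type threshold' behaviour: per source, matches are counted inside a
    window that starts at the first match; the counter resets when the window
    expires, or after the count-th match has raised an alert.
    """
    first_seen = {}
    counters = defaultdict(int)
    alerts = []
    for ts, src, dst, _dport, flags in sorted(events, key=lambda e: e[0]):
        if flags != "S":
            continue
        if src not in first_seen or ts - first_seen[src] >= seconds:
            first_seen[src] = ts      # window expired (or first match): restart it
            counters[src] = 0
        counters[src] += 1
        if counters[src] >= count:
            alerts.append((ts, src, dst))
            counters[src] = 0         # Suricata resets the count after firing
    return alerts


def syn_scan(src, dst, ports=1000, gap=0.0005, start=0.0):
    """Constructed traffic shaped like 'nmap -sS' against closed ports: one SYN
    per port, answered by an RST/ACK from the target. gap is the spacing
    between probes in seconds; sub-millisecond mimics nmap's default timing."""
    events = []
    for i, port in enumerate(range(1, ports + 1)):
        t = start + i * gap
        events.append((t, src, dst, port, "S"))
        events.append((t + 0.0001, dst, src, port, "RA"))
    return events


def background_traffic(src, dst, start=0.0):
    """A handful of ordinary connections spread over a minute."""
    return [(start + i * 12.0, src, dst, 443, "S") for i in range(5)]


def alert_count(events):
    return len(syn_threshold_alerts(events))


if __name__ == "__main__":
    # Default-speed scan of 1000 ports: the whole thing fits in one 5 s window.
    print("default -sS, 1000 ports:", alert_count(syn_scan(UBUNTU, WINDOWS)))
    # Same scan with 0.4 s between probes (nmap -T2 spacing): never reaches 20.
    print("0.4 s between probes:   ", alert_count(syn_scan(UBUNTU, WINDOWS, gap=0.4)))
    # One probe every 6 s restarts the window on every packet.
    print("6 s between probes:     ", alert_count(syn_scan(UBUNTU, WINDOWS, ports=100, gap=6.0)))
    print("normal browsing:        ", alert_count(background_traffic(UBUNTU, WINDOWS)))
```

Two things fall out of this that the rule text alone doesn't make obvious: a default-speed scan of 1000 ports fires the alert about fifty times, not once, because the counter restarts after every alert; and a scan slowed to nmap's -T2 spacing (0.4 s between probes) never fires at all, because fewer than 20 SYNs land in any 5 second window. If you want the rule to catch slower scans too, widen seconds or lower count, at the cost of more false positives from busy legitimate hosts.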
But cybermichael, how do I know which interface is my Host-Only adapter??
Well, young padawan, I just repeated the nmap scan, clicked refresh on the Alerts page, and watched whichever line spiked with network activity. But if you can't figure out which one it is, just start a ping on Ubuntu and go through them until you see those packets being transmitted. Once you do that you should be able to follow the last page of the PDF Prof M gave us to figure out what you need to screenshot for your deliverables.
Yes, I know it says you should've made an Allow firewall rule, but you don't need to, since you have the default allows; just disable your block rule.
Anyways, thanks for reading all this, guys. My hands hurt, my arm hurts, and I really wish I'd just ChatGPT'd this, but I hope all of you can actually finish this project now!
Some extra notes for those who run into issues after rebooting or whatnot:
Tip
When you reboot your firewall, your web GUI will no longer work. This is not an OPNsense issue (surprisingly); it's a Windows problem with how it handles the interfaces. The easy fix is to reassign the IP to something else: for example, run 2 and give it a random static IP within the subnet, save it, then do it again and return it to its original IP, and it'll work.
Tip
If you notice your VMs can no longer communicate after a restart, you probably have to set the default gateway again. There are ways to make it permanent (like the Windows command with -p), but I don't remember if Ubuntu keeps it (a route added with ip route add is not persistent, so expect to re-run it after each reboot), so if you run into that issue that's probably what it is.
Tip
If you run into ANY other problems, the best resource out there is AI. Use it to help you troubleshoot, because you WILL need it throughout your career.
Anyways, I'm tired and I didn't bother proofreading this, so if you find typos or stuff that doesn't make sense or something that's just completely wrong, let me know so I can update it. Oh, before I go though, here is what the deliverables should look like (as proof this works also):



