Tuesday, September 23, 2014

pfSense on a Firebox Part 2: Snort

The main reason I wanted to install pfSense was for Snort. It turns your firewall into an IDS/IPS that uses Snort's signature database for detection, and the best part is that it's all open source. Snort is now owned by Cisco after their acquisition of Sourcefire last year; hopefully we'll see that pay off when they update their IPS line.

First things first, we need to install the package; luckily pfSense has a package manager built in. Navigate to System > Packages, select the Available Packages tab, find snort in the list and hit Install.


While it's installing, head over to snort.org and sign up, as you need to register to get access to its signature database. Once you've confirmed your email, click on your username at the top right and go to Oinkcode; you'll see a long hexadecimal string. Keep this tab open, as you'll need it once Snort is done installing. Treat the Oinkcode like a password: it is tied to your account, so keep it out of screenshots and pasted configs.

After it's done, the first thing you want to do is update its signature database. Go to Services > Snort and select the Global Settings tab. Put your Oinkcode in the corresponding field and select which rule set to download (Snort VRT rules). You can also set the update check interval; I left mine on manual as this isn't a production box. If it were, you'd want it at about once per day. Now go to the Updates tab and check for updates; it should take a few minutes to download everything.

Now that you have an updated signature database, you need to bind an interface. This tells Snort which interfaces on your box to listen on for signature matches.

Go to the Snort Interfaces tab and click Add; a new set of options will come up. Keep the interface as WAN (unless you want to inspect internal traffic, which isn't a bad idea, especially when you have a DMZ). One caveat with the WAN: Snort sees outbound traffic there after NAT, so an alert triggered by an internal host will show your public address as the source rather than the offending machine; monitoring LAN instead shows the real internal IP.

Select Block Offenders. An easy way to tune this is to drop the block time to something manageable: if you have permanent blocks on, you'll constantly have to go in and review blocks, whereas with a short block time you can block signature matches and check them later for further investigation. This gives you a bit of peace of mind without being overly paranoid. Back in Global Settings you can set "Remove blocked hosts interval"; I set mine to 1 hour as suggested. I left the search method as AC-BNFA, the low-memory pattern matcher (plain AC is faster but needs far more RAM), because I am definitely using a low-end system (1.6 GHz Celeron!).

Everything else I kept at the defaults, for now.

In the WAN Categories tab you can select an IPS policy or specific rule categories. I opted for a pre-defined policy, Balanced. Once you enable it, you can see the rules it turned on in the WAN Rules tab; Balanced enables just over 1500, and you can disable individual ones as you please.

In the Preprocessors tab you can enable Portscan Detection if you like; I'm going to leave it off as I intend to install Strikeback.



In the Pass Lists tab you can specify your whitelists: hosts or subnets that Snort will never block. Put any hosts you administer the box from in here before you turn on blocking; otherwise a single false positive on your own traffic locks you out of the firewall.

There are a million other settings you can go through that I honestly don't care about for this small project, but if you stop here like I did you should have more than enough protection for a SOHO network :)

You can see signature hits under the Alerts tab and blocked hosts in the Blocked tab. Unfortunately, it doesn't look like Snort on pfSense can do packet captures the way Cisco's IPSes can with Wireshark built in. pfSense does have a generic capture under Diagnostics > Packet Capture, but it isn't tied to Snort alerts.
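As an added example (not from the post, and not part of the pfSense Snort package), here is a small Python triage script for the "block now, review later" workflow described above: it parses Snort alerts, throws away anything whose source sits in a pass list, and ranks the remaining sources by alert count so you can decide which short-lived blocks deserve a permanent firewall rule. It assumes Snort's classic alert_fast text format (one line per alert); the file the pfSense Alerts tab reads is written in a different layout, so the regex would need adjusting for it. The alert lines, SIDs and addresses below are constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort's one-line "alert_fast" format (assumed
# format for this example; SIDs, messages and addresses are illustrative).
SAMPLE_ALERTS = """\
09/23-14:32:10.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 198.51.100.20:51234
09/23-14:32:11.000001  [**] [1:2008578:4] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.77:5060 -> 198.51.100.20:5060
09/23-14:32:12.000002  [**] [1:2008578:4] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.77:5061 -> 198.51.100.20:5060
09/23-14:32:13.000003  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.20
09/23-14:32:14.000004  [**] [1:2008578:4] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.77:5062 -> 198.51.100.20:5060
09/23-14:32:15.000005  [**] [1:2008578:4] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:40000 -> 203.0.113.40:5060
this line is garbage and must be skipped
"""

# Timestamp, [gid:sid:rev], message, optional classification, priority,
# protocol and the two endpoints.  Classification is optional because some
# rules carry none and Snort then omits the bracket entirely.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(endpoint):
    """'a.b.c.d:port' -> (ip, port); bare address (ICMP) -> (ip, None).
    IPv4 only: an IPv6 'addr:port' is ambiguous in this format."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and "." in host:
        return host, int(port)
    return endpoint, None


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {
        "ts": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]),
        "rev": int(m["rev"]), "msg": m["msg"], "classification": m["cls"],
        "priority": int(m["prio"]), "proto": m["proto"],
        "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def in_pass_list(ip, networks):
    """True if ip falls inside any pass-listed network (mirrors the Pass Lists tab)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(alert_text, pass_list, max_priority=2):
    """Rank alert sources that are not pass-listed and are at least as severe
    as max_priority (1 is the most severe).  Returns (Counter of source IPs,
    {source IP: set of (gid, sid, msg)}, number of unparseable lines)."""
    networks = [ipaddress.ip_network(n, strict=False) for n in pass_list]
    offenders = Counter()
    signatures = defaultdict(set)
    skipped = 0
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        if in_pass_list(alert["src"], networks) or alert["priority"] > max_priority:
            continue
        offenders[alert["src"]] += 1
        signatures[alert["src"]].add((alert["gid"], alert["sid"], alert["msg"]))
    return offenders, dict(signatures), skipped


if __name__ == "__main__":
    offenders, signatures, skipped = triage(SAMPLE_ALERTS, ["192.168.1.0/24"])
    print("unparseable lines skipped: %d" % skipped)
    for ip, count in offenders.most_common():
        print("%-16s %3d alert(s)" % (ip, count))
        for gid, sid, msg in sorted(signatures[ip]):
            print("    [%d:%d] %s" % (gid, sid, msg))
```

Run it with your LAN subnet (and any remote admin hosts) in the pass list, as in the Pass Lists tab, and with max_priority set to whatever you consider worth a permanent block; the garbage line shows that a malformed entry is counted and skipped rather than crashing the report.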


Wednesday, September 17, 2014

Hacking a Watchguard Firebox into a pfSense firewall


The more I work with FortiGates, the more I like the idea of a UTM: they're streamlined and everything is in one place, managed from an easy-to-access web GUI. I was poking around on eBay and stumbled upon a Watchguard Firebox x1250e for a reasonable $50 price tag; I thought to myself, why not!? When I got it I fiddled around with Fireware 10.2, which was already on it, and quickly learned why the company I work for doesn't touch these devices: they're terrible to manage. Quickly disappointed, I decided to get pfSense up and running on it. This way I can do whatever I want and indulge the Lego builder inside me with RAM/CPU upgrades and open source software. Woo!

I found discrepancies between the different walkthroughs online on how to go about this, so I thought it'd be a good idea to jot it all down here, for both your benefit and mine.

You can boot pfSense from a 2.5" HDD or a CF card; I'm only going to cover the CF card route as I didn't have any 2.5" drives lying around.

On that note, the stock BIOS has an issue where it won't boot CF cards larger than 512 MB; unfortunately the smallest card I was willing to spare for this project was 1 GB. To remedy this, we flash a new BIOS using FreeDOS.

So lets get started!

Open the case by removing the 14 screws from the sides and back of the chassis. Remove the stock CF card (mine was a 256 MB SanDisk) and image it with FreeDOS (which you can find here) using the software of your liking; I used Win32DiskImager.

This is a good time to plug your USB-to-serial and null modem cables into the Console port on the front of the Firebox. You need a DB9 crossover cable (aka null modem); a female serial cable will not work. The defaults of most terminal emulators should be fine at this point (I use Tera Term), but the settings you need are the usual 9600 8N1:
Baud rate: 9600
Data: 8 bits
Parity: none
Stop: 1 bit
Flow control: none
Insert the CF card back into the Firebox and power it on.

You should see a C:\> prompt.
Change to the BIOS directory.
Flash the new BIOS with the following command: awdflash x750eb7.bin /py /sn /cc /e
The x750e model is hardware-identical to the x1250e, so its BIOS image is the one to use.
Do not touch the power until the prompt returns; an interrupted flash leaves the box unable to POST. Once the prompt returns, you can power off the device.

While it's powered off, go to the pfSense download directory and grab the newest image appropriate for your card. For my 1 GB card I downloaded pfSense-2.1.5-RELEASE-1g-i386-nanobsd.img.gz (note the card size in the image name; the NanoBSD images are built for a specific card size). Check the image's SHA256 against the checksum published beside it before you write it, then image the card and swap it in.
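The "Empty or corrupt config.xml" failure described later in this post is exactly what a hash check catches. As an added example, not part of the post or of pfSense, here is the Linux/BSD side of the imaging step in Python: it checks the downloaded image against its .sha256 file, streams the gunzipped image onto the card, and reads the card back to confirm the write. It assumes the checksum file uses the BSD `sha256` format (`SHA256 (file) = hex`; the `sha256sum` format is accepted as well) and that the card shows up as a block device such as /dev/sdb (root required; whatever path you pass is overwritten, so check it twice). The self-test at the end uses a constructed 1 MiB image and a temp file standing in for the card. Windows users can stick with Win32DiskImager and just compare the hash.

```python
import gzip
import hashlib
import hmac
import os
import sys
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hex SHA256 of a file, read in chunks so a multi-GB image fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def expected_digest(checksum_text, filename):
    """Digest for `filename` from a checksum file.  Accepts the BSD style
    'SHA256 (name) = hex' (assumed format of the .sha256 file beside the
    image) and the sha256sum style 'hex  name'.  None if the file is not listed."""
    for line in checksum_text.splitlines():
        line = line.strip()
        if line.startswith("SHA256 (") and ") = " in line:
            name, _, digest = line[len("SHA256 ("):].partition(") = ")
            if name == filename:
                return digest.strip().lower()
            continue
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None


def verify_download(path, checksum_text):
    """True only if the file's SHA256 matches the published digest for its name."""
    want = expected_digest(checksum_text, os.path.basename(path))
    return want is not None and hmac.compare_digest(sha256_of(path), want)


def _write_all(fobj, data):
    """Unbuffered write(2) may be partial; loop until every byte is out."""
    view = memoryview(data)
    while view:
        view = view[fobj.write(view):]


def write_image(gz_path, device, chunk=1 << 20):
    """Stream the gunzipped image onto `device`, fsync, then read the same
    number of bytes back and compare digests.  False on a short read (card
    smaller than the image) or a mismatch.  `device` is overwritten."""
    written, total = hashlib.sha256(), 0
    with gzip.open(gz_path, "rb") as src, open(device, "r+b", buffering=0) as dst:
        for block in iter(lambda: src.read(chunk), b""):
            _write_all(dst, block)
            written.update(block)
            total += len(block)
        os.fsync(dst.fileno())
    readback, remaining = hashlib.sha256(), total
    with open(device, "rb", buffering=0) as dev:
        while remaining:
            block = dev.read(min(chunk, remaining))
            if not block:
                return False
            readback.update(block)
            remaining -= len(block)
    return written.hexdigest() == readback.hexdigest()


def demo_roundtrip():
    """Constructed self-test: fake 1 MiB image, gzipped, written to a temp
    file that stands in for the CF card.  Returns the four check outcomes."""
    image = bytes(range(256)) * 4096
    with tempfile.TemporaryDirectory() as tmp:
        gz_path = os.path.join(tmp, "pfSense-demo-nanobsd.img.gz")
        with gzip.open(gz_path, "wb") as f:
            f.write(image)
        checksum_text = "SHA256 (pfSense-demo-nanobsd.img.gz) = %s\n" % sha256_of(gz_path)
        good = verify_download(gz_path, checksum_text)
        bad = verify_download(gz_path, checksum_text.replace("= ", "= 0"))  # corrupted digest
        card = os.path.join(tmp, "fake-cf-card")
        with open(card, "wb") as f:
            f.write(b"\0" * (2 * len(image)))  # a pre-zeroed "2 MiB card"
        ok = write_image(gz_path, card)
        with open(card, "rb") as f:
            on_card = f.read(len(image)) == image
    return {"download_verified": good, "corrupt_digest_rejected": not bad,
            "roundtrip_ok": ok, "card_matches_image": on_card}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("usage: image.py <image.img.gz> <image.img.gz.sha256> </dev/sdX>")
        print("self-test:", demo_roundtrip())
        sys.exit(0)
    gz, sums, dev = sys.argv[1:]
    with open(sums) as f:
        if not verify_download(gz, f.read()):
            sys.exit("checksum mismatch: refusing to write %s" % gz)
    sys.exit(0 if write_image(gz, dev) else "read-back of %s did not match" % dev)
```

The read-back is the part Win32DiskImager does not do for you: a card that silently drops writes (or a card smaller than the image, which the NanoBSD sizing makes easy to get wrong) shows up here as a mismatch instead of as a mystery boot failure.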

While it's booting, press Tab to enter the BIOS, as we need to change some settings (yes, the screen says to hit Del, but we're going through a terminal emulator; trust me, hit Tab). Select Standard CMOS Features, then IDE Channel 0 Master [SanDisk SDCFJ-256], and change the following:
IDE Channel 0 Master: [Manual]
Access Mode: [CHS]
Head: [2]
This BIOS does not support thermal control for the three really noisy fans you might have noticed at the back of the chassis. If you'd like them a little quieter, select PC Health Status and set the CPU Fan PWM value to [AA]. Do not set it lower than 0xAA (anything in 0x00-0x99 wouldn't POST for me, and you'll have to reset the CMOS and do everything over again). Caution: slowing the fans may lead to overheating if your delta temperatures are already above average.
After you're happy with your settings, hit Save and Exit from the main menu.

It should now re-POST and boot straight into pfSense's main menu. Hooray! If you get "Empty or corrupt config.xml", the imaging didn't work or you have a bad CF card. In my case I had to re-image the card and it worked the second time around (that's what happens when you're too lazy to check hashes!).



You can go through the small menu to set up the initial interfaces. One note: it will say you can access the web GUI through the WAN port. This is incorrect; by default that is blocked for security reasons, and you'll have to come in through a trusted port (LAN). Change the default admin password (admin / pfsense) the first time you log in, before the WAN ever goes live.