.. include:: global.rst

***********************************
Chapter 6: Firewall Implementation
***********************************

Chapter Overview
================

This chapter explains how firewalls protect networks and demonstrates how to implement one using pfSense in a lab environment. The focus is on understanding filtering logic, configuring interfaces, testing connectivity, and aligning configurations with a written security policy.

As you prepare for the lab, pay special attention to:

* How firewall rules are structured and processed
* How pfSense manages interfaces and traffic
* How to test and troubleshoot connectivity
* How configurations must follow documented policy

Firewall Filtering Concepts
============================

Core Principle
--------------

Firewalls operate on a **"deny by default, allow by exception"** model. This means:

* All traffic is blocked unless explicitly permitted.
* Administrators must define rules that allow specific traffic.

Rule Components
---------------

Firewall rules are typically based on:

* Source IP address
* Destination IP address
* Port number
* Protocol (TCP, UDP, ICMP)

Rule Processing
---------------

* Rules are processed top-down.
* The first matching rule is applied.
* Rule order directly affects behavior.
* Misordered rules can unintentionally block or allow traffic.

Network Zones
-------------

In the lab, you will configure multiple interfaces:

**LAN**
    Trusted internal network.

**WAN**
    Untrusted external network (Internet-facing).

**DMZ**
    Semi-trusted zone for public-facing systems such as web servers.

Each interface requires its own rule set based on security needs.

pfSense Capabilities
====================

Overview
--------

pfSense is an open-source, GUI-driven firewall and routing platform. It provides centralized management through a web interface.
Core Features
-------------

* Firewall rule management
* Network Address Translation (NAT)
* DHCP services (automatic IP address assignment)
* Interface configuration (LAN, WAN, DMZ)
* Traffic logging and monitoring

Lab Tasks Using pfSense
-----------------------

In your Cloud Lab, you will:

* Assign IP addresses to interfaces
* Configure LAN, WAN, and DMZ networks
* Create firewall rules
* Enable secure internal communication
* Verify routing and filtering behavior

Testing and Troubleshooting Tools
==================================

ping
----

* Uses ICMP to test connectivity.
* Confirms whether one host can reach another.
* Helps verify that firewall rules allow expected traffic.

traceroute
----------

* Displays the path packets take through a network.
* Identifies where communication fails.
* Useful for diagnosing routing or rule misconfigurations.

Testing Strategy
----------------

After applying new rules:

* Test connectivity between LAN devices.
* Test LAN to WAN communication.
* Test LAN to DMZ and WAN to DMZ scenarios.
* Use results to adjust rules if necessary.

Security Policy Alignment
==========================

Policy-Driven Configuration
---------------------------

Firewall rules must reflect a written security policy. The policy defines:

* What traffic is permitted
* What traffic is denied
* The justification for access decisions

Lab Documentation
-----------------

In the lab, this alignment is demonstrated by:

* Completing the planning worksheet
* Documenting IP addressing decisions
* Justifying rule creation
* Ensuring configurations meet stated security objectives

Key Takeaways
=============

* Firewalls enforce security through structured rule sets.
* Rule order and interface placement matter.
* pfSense provides a powerful and flexible firewall platform.
* Testing tools like ping and traceroute are essential for validation.
* Effective firewall implementation must align with documented security policy.
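Worked Example: Rule Order and Default Deny
===========================================

The following Python program is an added worked example for this chapter; it is not part of the course material and it is not pfSense code. It models the processing rules described under *Rule Processing* (top-down, first match wins, implicit deny when nothing matches) and runs the connectivity checks from *Testing Strategy* against the same five rules in two orders. The rule fields (source, destination, port, protocol) and the LAN, WAN and DMZ zones come from the chapter; the addresses, the rule set and the test packets are constructed lab values chosen for this example and are not the planning-worksheet values.

```python
"""Added worked example (not from the chapter, not pfSense code): a small
first-match rule evaluator modelling "deny by default, allow by exception".
All addresses, rules and packets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addressing for the three zones (an assumption, not the lab worksheet).
LAN = "192.168.1.0/24"
DMZ = "10.10.10.0/24"
WEB_SERVER = "10.10.10.80"      # public-facing web server living in the DMZ


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    port: Optional[int]   # destination port; None matches any port
    proto: str            # "tcp", "udp", "icmp" or "any"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: Optional[int]   # None for protocols without ports (ICMP)
    proto: str


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.port is None or rule.port == pkt.port)
            and (rule.proto == "any" or rule.proto == pkt.proto))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down evaluation: the first matching rule decides and its index is
    returned. If no rule matches, the packet is denied (the implicit default)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Five constructed rules. CORRECT_ORDER places specific allows before the
# catch-all deny; MISORDERED moves the catch-all deny to the top.
ALLOW_LAN_INTERNAL = Rule("allow", LAN, LAN, None, "any", "LAN hosts may reach each other")
ALLOW_LAN_HTTPS_OUT = Rule("allow", LAN, "any", 443, "tcp", "LAN may browse HTTPS sites on the WAN")
ALLOW_PUBLIC_WEB = Rule("allow", "any", WEB_SERVER, 80, "tcp", "anyone may reach the DMZ web server")
DENY_DMZ_TO_LAN = Rule("deny", DMZ, LAN, None, "any", "DMZ hosts may not initiate into the LAN")
DENY_INBOUND_LAN = Rule("deny", "any", LAN, None, "any", "catch-all: nothing else reaches the LAN")

CORRECT_ORDER = [ALLOW_LAN_INTERNAL, ALLOW_LAN_HTTPS_OUT, ALLOW_PUBLIC_WEB,
                 DENY_DMZ_TO_LAN, DENY_INBOUND_LAN]
MISORDERED = [DENY_INBOUND_LAN, ALLOW_LAN_INTERNAL, ALLOW_LAN_HTTPS_OUT,
              ALLOW_PUBLIC_WEB, DENY_DMZ_TO_LAN]

# Connectivity checks mirroring the chapter's testing strategy (constructed packets).
TEST_PLAN: Dict[str, Packet] = {
    "LAN to LAN (SMB)":      Packet("192.168.1.10", "192.168.1.20", 445, "tcp"),
    "LAN to WAN (HTTPS)":    Packet("192.168.1.10", "198.51.100.7", 443, "tcp"),
    "LAN to WAN (ping)":     Packet("192.168.1.10", "198.51.100.7", None, "icmp"),
    "WAN to DMZ web (HTTP)": Packet("203.0.113.5", WEB_SERVER, 80, "tcp"),
    "WAN to DMZ web (SSH)":  Packet("203.0.113.5", WEB_SERVER, 22, "tcp"),
    "DMZ to LAN (SMB)":      Packet(WEB_SERVER, "192.168.1.10", 445, "tcp"),
}


def run_test_plan(rules: List[Rule]) -> Dict[str, str]:
    """Return the action each planned test receives under the given rule set."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in TEST_PLAN.items()}


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("misordered", MISORDERED)):
        print(f"--- {label} ---")
        for name, pkt in TEST_PLAN.items():
            action, idx = evaluate(rules, pkt)
            why = rules[idx].comment if idx is not None else "no rule matched (default deny)"
            print(f"{name:24} {action:5}  <- {why}")
```

Two results are worth noting when you run it. With the catch-all deny moved to the top, the "LAN to LAN" test is denied by rule 0 even though an allow rule for that traffic exists lower down; this is the misordering failure the chapter warns about, and the first-match index returned by ``evaluate`` tells you exactly which rule took the decision. Separately, the "LAN to WAN (ping)" test is denied under both orders because no rule permits ICMP, which is precisely what a failed ping after applying rules would reveal; the remedy is an explicit, documented allow rule justified by the security policy, not a reordering.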