Chapter 6: Firewall Implementation

Chapter Overview

This chapter explains how firewalls protect networks and demonstrates how to implement one using pfSense in a lab environment. The focus is on understanding filtering logic, configuring interfaces, testing connectivity, and aligning configurations with a written security policy.

As you prepare for the lab, pay special attention to:

  • How firewall rules are structured and processed

  • How pfSense manages interfaces and traffic

  • How to test and troubleshoot connectivity

  • How configurations must follow documented policy

Firewall Filtering Concepts

Core Principle

Firewalls operate on a “deny by default, allow by exception” model. This means:

  • Any traffic that matches no rule is dropped (pfSense logs such drops as default-deny blocks).

  • Administrators must define rules that allow specific traffic, and nothing else.

In pfSense this default only holds where no pass rule exists. The WAN and any newly added DMZ (OPT) interface start with no pass rules, but the LAN tab ships with a “Default allow LAN to any” rule. In the lab that rule must be replaced with policy-specific rules, otherwise LAN hosts can reach the DMZ without restriction.

Rule Components

Firewall rules are typically based on:

  • Source IP address

  • Destination IP address

  • Port number

  • Protocol (TCP, UDP, ICMP)

Rule Processing

  • Rules on an interface tab apply to traffic entering the firewall through that interface, and are processed top-down.

  • The first matching rule is applied; later rules are never consulted for that packet.

  • Rule order directly affects behavior: a broad pass rule placed above a specific block rule shadows the block.

  • Misordered rules can unintentionally block or allow traffic.

  • Filtering is stateful. A rule only needs to permit the packet that opens a connection; replies are passed by the state table, so rules describe who may initiate traffic, not both directions.

  • Floating rules are the exception to first-match: they are evaluated before interface rules and, unless “Quick” is set, do not stop processing.

Network Zones

In the lab, you will configure multiple interfaces:

LAN

Trusted internal network.

WAN

Untrusted external network (Internet-facing).

DMZ

Semi-trusted zone for public-facing systems such as web servers. It exists so that a compromised public server cannot reach the LAN directly.

Each interface requires its own rule set based on security needs. Because rules apply to traffic entering the firewall on that interface, the LAN tab says what LAN hosts may initiate, the WAN tab what the Internet may initiate (typically only HTTPS to the DMZ web server), and the DMZ tab what DMZ hosts may initiate (typically nothing toward the LAN).

pfSense Capabilities

Overview

pfSense is an open-source firewall and routing distribution built on FreeBSD and the pf packet filter. It provides centralized management through a web interface, with a console and SSH available for recovery and low-level diagnostics.

Core Features

  • Firewall rule management

  • Network Address Translation (NAT)

  • DHCP services (automatic IP address assignment)

  • Interface configuration (LAN, WAN, DMZ)

  • Traffic logging and monitoring

Lab Tasks Using pfSense

In your Cloud Lab, you will:

  • Assign IP addresses to interfaces

  • Configure LAN, WAN, and DMZ networks

  • Create firewall rules

  • Enable secure internal communication

  • Verify routing and filtering behavior

Testing and Troubleshooting Tools

ping

  • Uses ICMP echo requests to test connectivity.

  • Confirms whether one host can reach another, but only for ICMP: a successful ping says nothing about whether a TCP or UDP port rule is correct.

  • Helps verify that firewall rules allow expected traffic. pfSense blocks unsolicited inbound traffic on WAN by default, so a ping from WAN failing is the expected result, not a fault.

traceroute

  • Displays the path packets take through a network, hop by hop, using the ICMP “time exceeded” replies routers send as the TTL runs out.

  • Identifies where communication fails: the last hop that answers is the last point the probes reached.

  • Useful for diagnosing routing or rule misconfigurations. Be aware of what it sends: traceroute on Linux and BSD uses UDP probes by default (ICMP with -I), while Windows tracert uses ICMP echo, so a rule set that permits ICMP but not UDP makes the two tools give different results.

Testing Strategy

After applying new rules:

  • Reset existing states first (Diagnostics > States). Connections already in the state table keep flowing after a rule change and will hide a new block.

  • Test connectivity between LAN devices.

  • Test LAN to WAN communication.

  • Test LAN to DMZ and WAN to DMZ scenarios.

  • Test what must be denied as well as what must be allowed, for example WAN to LAN and DMZ to LAN, and confirm the blocked attempts appear in the firewall log (Status > System Logs > Firewall).

  • Use results to adjust rules if necessary.
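The Rule Processing, Network Zones and Testing Strategy sections can be exercised together with the following added example. It is not pfSense code and not part of the original chapter. It models pfSense's first-match, per-ingress-interface evaluation in Python, defines a constructed LAN/WAN/DMZ rule set for an assumed addressing plan (192.168.1.0/24 for LAN, 192.168.2.0/24 for DMZ, a web server at 192.168.2.10), and runs a policy test matrix that contains negative cases (traffic that must be blocked) as well as positive ones. A second copy of the LAN rules with the “LAN to Internet” pass rule moved to the top shows how one misordered rule shadows the DMZ block.

```python
"""First-match rule evaluator modelled on how pfSense processes interface rules.
Added example for this chapter, not pfSense code. Interface names, addresses
and the policy below are assumptions chosen for illustration."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # destination port, None matches any port
    descr: str

class Packet(NamedTuple):
    iface: str            # interface the packet ENTERS the firewall on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule matches the packet ("any" is a wildcard)."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(rulesets: dict, pkt: Packet) -> tuple:
    """Walk the ingress interface's rules top-down; the first match decides.
    A packet that no rule passes is dropped: the implicit default deny."""
    for rule in rulesets.get(pkt.iface, []):
        if matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "implicit default deny"

# Assumed lab addressing (constructed for this example).
LAN_NET, DMZ_NET, WEB = "192.168.1.0/24", "192.168.2.0/24", "192.168.2.10/32"

# Rules live on the interface where traffic ENTERS. Stateful replies are
# allowed automatically, so only connection-initiating packets are listed.
RULESETS = {
    "lan": [
        Rule("pass",  "icmp", LAN_NET, "any",   None, "LAN may ping anything (testing)"),
        Rule("pass",  "tcp",  LAN_NET, WEB,     443,  "LAN to DMZ web server over HTTPS"),
        Rule("block", "any",  LAN_NET, DMZ_NET, None, "no other LAN access into DMZ"),
        Rule("pass",  "any",  LAN_NET, "any",   None, "LAN to Internet"),
    ],
    "wan": [
        Rule("pass",  "tcp",  "any",   WEB,     443,  "public HTTPS to DMZ web server"),
        # everything else arriving on WAN falls through to the implicit deny
    ],
    "dmz": [
        Rule("block", "any",  DMZ_NET, LAN_NET, None, "DMZ must never initiate to LAN"),
        Rule("pass",  "tcp",  DMZ_NET, "any",   443,  "DMZ hosts may fetch updates"),
        Rule("pass",  "udp",  DMZ_NET, "any",   53,   "DMZ hosts may resolve DNS"),
    ],
}

# Same rules, but "LAN to Internet" placed first: it shadows the DMZ block.
MISORDERED = dict(RULESETS)
MISORDERED["lan"] = [RULESETS["lan"][3]] + RULESETS["lan"][:3]

# Policy test matrix (constructed): expected verdicts, including NEGATIVE cases.
EXPECTED = [
    (Packet("lan", "tcp",  "192.168.1.20", "203.0.113.5",  443), "pass"),   # LAN -> WAN
    (Packet("lan", "tcp",  "192.168.1.20", "192.168.2.10", 443), "pass"),   # LAN -> DMZ web
    (Packet("lan", "tcp",  "192.168.1.20", "192.168.2.10", 22),  "block"),  # LAN -> DMZ SSH
    (Packet("wan", "tcp",  "198.51.100.7", "192.168.2.10", 443), "pass"),   # WAN -> DMZ web
    (Packet("wan", "tcp",  "198.51.100.7", "192.168.2.10", 22),  "block"),  # WAN -> DMZ SSH
    (Packet("wan", "icmp", "198.51.100.7", "192.168.2.10"),      "block"),  # WAN ping DMZ
    (Packet("wan", "tcp",  "198.51.100.7", "192.168.1.20", 445), "block"),  # WAN -> LAN
    (Packet("dmz", "tcp",  "192.168.2.10", "192.168.1.20", 443), "block"),  # DMZ -> LAN
    (Packet("dmz", "tcp",  "192.168.2.10", "203.0.113.5",  443), "pass"),   # DMZ -> Internet
]

def run_matrix(rulesets: dict, expected=EXPECTED) -> list:
    """Return the cases whose verdict disagrees with policy (empty list = all good)."""
    failures = []
    for pkt, want in expected:
        got, why = evaluate(rulesets, pkt)
        if got != want:
            failures.append((pkt, want, got, why))
    return failures

if __name__ == "__main__":
    for name, rs in (("correct order", RULESETS), ("misordered", MISORDERED)):
        fails = run_matrix(rs)
        print(f"{name}: {len(fails)} policy violation(s)")
        for pkt, want, got, why in fails:
            print(f"  {pkt.iface} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}"
                  f" expected {want}, got {got} ({why})")
```

Running the script reports zero violations for the correctly ordered rules and one for the misordered copy: LAN to DMZ on port 22 is passed instead of blocked, because the “LAN to Internet” rule matched first. The same matrix doubles as the list of ping and manual connection tests to carry out against the real pfSense instance after the rules are applied, with each “block” row checked against the firewall log rather than assumed.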

Security Policy Alignment

Policy-Driven Configuration

Firewall rules must reflect a written security policy. The policy defines:

  • What traffic is permitted

  • What traffic is denied

  • The justification for access decisions

Lab Documentation

In the lab, this alignment is demonstrated by:

  • Completing the planning worksheet

  • Documenting IP addressing decisions

  • Justifying rule creation

  • Ensuring configurations meet stated security objectives

Key Takeaways

  • Firewalls enforce security through structured rule sets.

  • Rule order and interface placement matter.

  • pfSense provides a powerful and flexible firewall platform.

  • Testing tools like ping and traceroute are essential for validation.

  • Effective firewall implementation must align with documented security policy.