Tuesday, August 7, 2012

pfSense DMZ setting - alternative

Setting up a DMZ in PFSense



  • Aim: provide a DMZ segment isolated from your production environment.
  • Environment tested: PFSense 1.2

Recently, a neighbour of mine asked for help with their family computer. The PC had become extremely sluggish, kids had putzed around with the configuration and, to make matters worse, it had become infected with a bunch of spyware, malware and viruses.

Obviously, I wasn't about to let that thing loose on my internal network, so I instead decided to set up a DMZ interface. Since I'd recently upgraded my PFSense server to a more recent machine (from a Compaq desktop running a 600 MHz Celeron to a Dell PE1650 server running a 1.2 GHz Pentium III with 512 MB of RAM, to which I added two NIC cards in the available PCI slots), I basically had enough ports for my LAN, WAN and DMZ interfaces. I even have a spare for bridging some of my IPs; I'll post something on this later on.

Requirements:

A working PFSense server with at least three network ports.

THE ACTUAL RECIPE


STEP 1 - Configuring the DMZ interface

At this point, I am assuming you have the basic PFSense configuration running, and that you've defined your LAN, WAN and OPT interfaces. You'll need to configure the IP address and subnet mask for your OPT/DMZ interface.

Go to the Interfaces menu in PFSense, select the interface you've chosen for the DMZ, enter a descriptive name in the Description box and assign it an address outside the subnet your regular network uses. In my case, I used 192.168.2.1 with a subnet mask of /24 (255.255.255.0). This allows 253 machines on the network (254 usable addresses minus the 192.168.2.1 address used as the gateway). You can use a smaller subnet to accommodate your needs. If you only plan to put a single host on the DMZ, specify /30 as your subnet mask.

Here is a screenshot of mine:


Fig. A DMZ interface configuration screen

Note that I leave the gateway interface blank. I have a single WAN connection going to my bridged DSL modem, so the system uses the default route.

STEP 2 - Creating firewall rules for the DMZ interface

Now that we've configured the interface, it's time to set up some rules to allow traffic from the DMZ while protecting our private network. Go to the Firewall: Rules menu, and create rules that will deny DMZ traffic to the LAN but allow DMZ traffic to the web.

First, create a new rule to block traffic to the LAN:

  • Action: select Block
  • Disabled: leave unchecked
  • Interface: select DMZ
  • Protocol: select TCP
  • Source: select any (this effectively blocks all systems that connect through the DMZ interface)
  • Source OS: any
  • Destination: select LAN subnet as the type.
  • Destination port range: select any in the from: and to: fields
  • Gateway: select default, which uses the system routing table
  • Description: type a description for your rule. Then save.


Here is a sample shot of mine:


Figure b. DMZ to LAN block rule

Next, we'll need to create a new rule to allow all traffic from the DMZ to the internet:

  • Action: select Pass
  • Disabled: leave unchecked
  • Interface: select DMZ
  • Protocol: select any
  • Source: select DMZ subnet
  • Destination: tick the not box and select LAN subnet in the Type: field
  • Gateway: set to default
  • Description: type a description for your rule. Then save.


Here is a screenshot of mine:


Figure c. Allow from DMZ to WAN

Once you've saved your rules, apply the changes to PFSense and you'll have a working DMZ interface.

Going further...

I run internal DNS and DHCP servers, so I wanted to allow traffic from the DMZ to the internal DNS for name resolution. Hence, I added rules to pass DNS queries (UDP port 53) from the DMZ subnet to the single host addresses of my DNS servers.

Here is my sample configuration:


Figure d. DMZ to DNS

You may want to add other rules if you need to access an internal anti-virus or update server from the machine(s) on the DMZ. One practical example would be to open up a port to a NAS machine on your network to retrieve updates or install software. However, this is not recommended, since as a best practice you really want to keep the DMZ segment isolated from your production environment.

The order of rules is important; since you are going to be blocking DMZ to LAN traffic, the Pass rules must apply before the block ones. The final DMZ rules look like this:


Figure E. Completed DMZ firewall rules
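As an added illustration (my own code, not pfSense's and not part of the original post), the following Python models pfSense's first-match evaluation over the three rule types described above. It assumes a LAN subnet of 192.168.1.0/24 and an internal DNS server at 192.168.1.53, neither of which the post states, and it goes one step beyond the post by showing that ordering only decides the outcome once a pass rule and the block rule overlap (here, when the DNS rule is widened to also cover TCP/53).

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed LAN subnet (not stated in the post)
DMZ = ipaddress.ip_network("192.168.2.0/24")          # DMZ subnet from Step 1
DNS_SERVERS = {ipaddress.ip_address("192.168.1.53")}  # assumed internal DNS server address
ANY = lambda _: True                                  # a field set to "any" in the rule form


def dmz_rules(block_first=False, dns_protos=("udp",)):
    """Rules on the DMZ interface as (action, proto, src, dst, dport) predicate tuples.
    Default order is the one the post arrives at: pass rules first, then the block."""
    pass_rules = [
        # Figure d: DNS queries from the DMZ subnet to the internal DNS servers
        ("pass", lambda p: p in dns_protos, lambda s: s in DMZ,
         lambda d: d in DNS_SERVERS, lambda port: port == 53),
        # Figure c: anything from the DMZ subnet to a destination that is NOT the LAN
        ("pass", ANY, lambda s: s in DMZ, lambda d: d not in LAN, ANY),
    ]
    block_rules = [
        # Figure b: TCP from any source to the LAN subnet
        ("block", lambda p: p == "tcp", ANY, lambda d: d in LAN, ANY),
    ]
    return block_rules + pass_rules if block_first else pass_rules + block_rules


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins. Returns (action, rule index); an index of None
    means no rule matched and pfSense's implicit default deny applied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, m_proto, m_src, m_dst, m_port) in enumerate(rules):
        if m_proto(proto) and m_src(src) and m_dst(dst) and m_port(dport):
            return action, idx
    return "block", None


if __name__ == "__main__":
    # Constructed sample connections originating from a DMZ host 192.168.2.10.
    samples = [
        ("udp", "192.168.2.10", "192.168.1.53", 53),   # DNS to the internal resolver
        ("tcp", "192.168.2.10", "192.168.1.20", 445),  # SMB towards a LAN host
        ("tcp", "192.168.2.10", "93.184.216.34", 80),  # web traffic to the internet
        ("udp", "192.168.2.10", "192.168.1.20", 137),  # NetBIOS to LAN: only default deny catches it
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(dmz_rules(), *pkt))
    # Once the DNS rule also covers TCP/53 it overlaps the block rule, and order decides.
    tcp_dns = ("tcp", "192.168.2.10", "192.168.1.53", 53)
    print("pass first :", evaluate(dmz_rules(dns_protos=("udp", "tcp")), *tcp_dns))
    print("block first:", evaluate(dmz_rules(True, ("udp", "tcp")), *tcp_dns))
```

The fourth sample shows why the TCP-only block rule is safe in practice: UDP from the DMZ to the LAN matches neither pass rule, so the interface's default deny drops it.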

pfSense DMZ setting

Port forward problems with pfSense and host within DMZ

Screenshot: port forward on WAN
Screenshot: WAN rules
Screenshot: DMZ rules
I'm having difficulty making port forward work for a web server setup within an OPT1 designated as a DMZ. Probably a simple solution where I am totally missing a key element. I need help. What I want is to be able to access the web server from the internet using a public IP.

Here's my setup: comcast SMC D3G modem ---> pfSense box with 3 NICs. 1 NIC to LAN and the other to OPT1 designated as DMZ. DMZ is hooked up to an 8 port switch to which is attached the web server with ports 80 and 22 open. A laptop connected to this switch is able to verify that both ports are open and that sshd and httpd are active.

comcast has allocated the following:
Gateway 173.X.X.94
Subnet 255.255.55.240 (/28)
Static IPs 173.X.X.81 through 173.X.X.93
Currently, all services on the comcast modem are turned off, including NAT, allowing all traffic to flow through.

Here are my settings for the interface:
WAN 173.X.X.93/28 with gateway set as 173.X.X.94
LAN 192.168.1.1/24 with gateway = none
DMZ 192.168.2.1/24 with gateway = none

The web server has a fixed IP of 192.168.2.10
I set up a proxy ARP VIP as 173.X.X.92/32 which will be for this web server.

I have the port forward, WAN and DMZ rules above as my new starting basis and need to know where my problem might be fixed.

I've tried many different rules noted in other posts on this board and others, but still no luck. What I have above is just the basics after deleting all my trials. I realize that I may be missing a much needed rule or two. Can you help?

w8 leak

MICROSOFT.WINDOWS.8.PROFESSIONAL.RTM.X86.ENGLISH.DVD-WZT
BUILD: 6.2.9200.16384.WIN8_RTM.120725-1247
FILE: Windows_8_Pro_EN-US_x86.ISO
SIZE: 2,632,460,288 byte

MICROSOFT.WINDOWS.8.PROFESSIONAL.RTM.X64.ENGLISH.DVD-WZT
BUILD: 6.2.9200.16384.WIN8_RTM.120725-1247
FILE: Windows_8_Pro_EN-US_x64.ISO
SIZE: 3,581,853,696 byte

Monday, July 23, 2012

Enable Remote Access To MySQL Database Server

How Do I Enable Remote Access To MySQL Database Server?

by on March 31, 2006 · 131 comments· Last updated June 29, 2012
By default, remote access to the MySQL database server is disabled for security reasons. However, sometimes you need to provide remote access to the database server from home or from a web server. If you want to access the database server remotely from the web server or from home, follow this quick tutorial.

Task: MySQL Server Remote Access

You need to type the following commands, which will allow remote connections.

Step # 1: Login Using SSH (if server is outside your data center)

First, log in over ssh to the remote MySQL database server:
$ ssh user@server1.cyberciti.biz

Step # 2: Edit my.cnf File

Once connected, you need to edit the MySQL server configuration file my.cnf using a text editor such as vi.
  • On Debian Linux the file is located at /etc/mysql/my.cnf
  • On Red Hat Linux/Fedora/CentOS Linux the file is located at /etc/my.cnf
  • On FreeBSD you need to create the file /var/db/mysql/my.cnf
To edit /etc/my.cnf, run:
# vi /etc/my.cnf

Step # 3: Once the file is open, locate the line that reads as follows

[mysqld]
Make sure the skip-networking line is commented out (or removed) and add the following line:
bind-address=YOUR-SERVER-IP
For example, if your MySQL server IP is 65.55.55.2, then the entire block should look like this:
[mysqld]
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
language        = /usr/share/mysql/English
bind-address    = 65.55.55.2
# skip-networking
....
..
....
Where,
  • bind-address : IP address to bind to.
  • skip-networking : Don't listen for TCP/IP connections at all. All interaction with mysqld must be made via Unix sockets. This option is highly recommended for systems where only local requests are allowed. Since you need to allow remote connections, this line should be removed from my.cnf or commented out.
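As an added check (my own example, not from the original tutorial), the following Python parses the [mysqld] block and reports where the server would listen. It uses constructed my.cnf fragments: the local-only default, the corrected block from Step 3, and an over-broad bind address.

```python
import configparser

# Constructed my.cnf fragments (not from a real server): the local-only default,
# the corrected block from Step 3, and an over-broad bind address.
LOCAL_ONLY = """
[mysqld]
port            = 3306
skip-networking
bind-address    = 127.0.0.1
"""

REMOTE_ONE_IP = """
[mysqld]
port            = 3306
bind-address    = 65.55.55.2
# skip-networking
"""

WIDE_OPEN = """
[mysqld]
bind-address    = 0.0.0.0
"""


def parse_mysqld(text):
    """Return the [mysqld] options as a dict. MySQL options such as skip-networking
    carry no value, hence allow_no_value; '#' lines are comments, so a commented-out
    skip-networking does not appear. Underscore/dash spellings are normalised."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {key.replace("_", "-"): value for key, value in cp["mysqld"].items()}


def exposure(text):
    """Classify where mysqld will accept TCP connections from, following Step 3."""
    opts = parse_mysqld(text)
    if "skip-networking" in opts:
        return "unix socket only (skip-networking active)"
    # When bind-address is absent MySQL listens on every address.
    addr = opts.get("bind-address", "0.0.0.0")
    if addr in ("127.0.0.1", "localhost", "::1"):
        return "loopback only"
    if addr in ("0.0.0.0", "::", "*"):
        return "all interfaces"
    return f"single address {addr}"


if __name__ == "__main__":
    for name, cfg in (("LOCAL_ONLY", LOCAL_ONLY), ("REMOTE_ONE_IP", REMOTE_ONE_IP), ("WIDE_OPEN", WIDE_OPEN)):
        print(f"{name:14} -> {exposure(cfg)}")
```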

Step # 4: Save and close the file

If you are using Debian / Ubuntu Linux, type the following command to restart the mysql server:
# /etc/init.d/mysql restart
If you are using RHEL / CentOS / Fedora / Scientific Linux, type the following command to restart the mysql server:
# /etc/init.d/mysqld restart
If you are using FreeBSD, type the following command to restart the mysql server:
# /usr/local/etc/rc.d/mysql-server stop
# /usr/local/etc/rc.d/mysql-server start

OR
# /usr/local/etc/rc.d/mysql-server restart

Step # 5: Grant access to the remote IP address

Connect to mysql server:
$ mysql -u root -p mysql

Grant access to a new database

If you want to add a new database called foo for user bar and remote IP 202.54.10.20, type the following commands at the mysql> prompt:
mysql> CREATE DATABASE foo;
mysql> GRANT ALL ON foo.* TO bar@'202.54.10.20' IDENTIFIED BY 'PASSWORD';

How Do I Grant Access To An Existing Database?

Let us assume that you always connect from the remote IP 202.54.10.20 to the database called webdb as user webadmin. To grant access to this IP address for the existing database, type the following commands at the mysql> prompt:
mysql> update db set Host='202.54.10.20' where Db='webdb';
mysql> update user set Host='202.54.10.20' where user='webadmin';
mysql> flush privileges; -- direct edits to the grant tables only take effect after a reload

Step # 6: Logout of MySQL

Type the exit command to log out of mysql:
mysql> exit

Step # 7: Open port 3306

You need to open TCP port 3306 using iptables or the BSD pf firewall.

A sample iptables rule to open the port in the Linux iptables firewall

/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j ACCEPT
OR allow remote connections only from your web server located at 10.5.1.3:
/sbin/iptables -A INPUT -i eth0 -s 10.5.1.3 -p tcp --destination-port 3306 -j ACCEPT
OR allow remote connections only from your LAN subnet 192.168.1.0/24:
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 3306 -j ACCEPT
Finally save all rules (RHEL / CentOS specific command):
# service iptables save

A sample FreeBSD / OpenBSD pf rule ( /etc/pf.conf)

pass in on $ext_if proto tcp from any to any port 3306
OR allow access only from your web server located at 10.5.1.3:
pass in on $ext_if proto tcp from 10.5.1.3 to any port 3306  flags S/SA synproxy state

Step # 8: Test it

From your remote system or your desktop type the following command:
$ mysql -u webadmin -h 65.55.55.2 -p
Where,
  • -u webadmin: webadmin is MySQL username
  • -h IP or hostname: 65.55.55.2 is MySQL server IP address or hostname (FQDN)
  • -p : Prompt for password
You can also use the telnet or nc command to connect to port 3306 for testing purposes:
$ echo X | telnet -e X 65.55.55.2 3306
OR
$ nc -z -w1 65.55.55.2 3306
Sample outputs:
Connection to 65.55.55.2 3306 port [tcp/mysql] succeeded!

Wednesday, July 18, 2012

Default Modem Password

ZTE modem:
IP Address: 192.168.1.1
Username: ADSL
Password: expert03
Username: ZXDSL
Password: ZXDSL
Username: admin
Password: telekomst
KASDA modem:
IP Address: 192.168.1.1
Username: admin
Password: telekomst
ArtNet modem:
IP Address: 192.168.1.1
Username: admin
Password: telekomst
Username: admin
Password: admin
Username: admin
Password: password
Triz modem:
IP Address: 192.168.1.1
Username: admin
Password: aaaaaaaa
Aztech modem:
IP Address: 10.0.0.2 OR 192.168.1.1
Username: admin
Password: blank
Username: admin
Password: password
Username: admin
Password: admin
Billion modem:
IP Address: 192.168.1.254
Username: admin
Password: password
Huawei modem:
IP Address: 192.168.1.1
Username: admin
Password: admin
Hyundai HSE-220 Modem:
IP Address: 192.168.1.1
Username: ADSL
Password: ADSL
Username: admin
Password: ADSL
Username: root
Password: root
Riger DB102:
IP Address: 192.168.1.1
Username: tmadmin
Password: tmadmin
TP-LINK MODEM / ADSL2 / ROUTER:
IP Address: 192.168.1.1
Username: admin
Password: admin

Friday, July 13, 2012

hosts file under MS Windows

Windows 95/98/Me: c:\windows\hosts
Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts
Windows XP Home: c:\windows\system32\drivers\etc\hosts

Thursday, July 5, 2012

Uploading big files in PHP

Uploading larger/bigger files is difficult using http because it uses UDP protocol. However, in a shared hosting environment it is difficult to upload even 3-4 MB files. In order to upload larger documents you can set upload_max_filesize and post_max_size in your .htaccess file. But in order to upload seamlessly you also need to increase the execution time.

Set the following values according to your choice.

php_value upload_max_filesize 10M
php_value post_max_size 11M
php_value max_execution_time 600
php_value max_input_time 200

Note: Please make sure to place this .htaccess file in the same directory as the upload script.
Note: Always set post_max_size larger than upload_max_filesize, because a POST contains additional data besides the file. The exact values are up to you.
Upload files using HTTP:

Here goes the script

// basename() keeps only the file name, so a client-supplied name like "../x" cannot escape the target directory
move_uploaded_file($_FILES['userfile']['tmp_name'], 'path_to_directory/'.basename($_FILES['userfile']['name']));

If this does not solve your problem, then you probably need to upload your file using FTP. Here I am providing simple code to upload your file using FTP.
Upload files using FTP:

Here goes the script

$path = "path_to_directory";
$ftp_server = "ftp.example.com";
$ftp_user   = "USER";
$ftp_pass   = "PASSWORD";
$file = $_FILES['userfile']['tmp_name'];
$name = basename($_FILES['userfile']['name']); // drop any directory parts sent by the client

// set up a connection to ftp server
$conn_id = ftp_connect($ftp_server);

// check for connection error and stop; the calls below need a valid handle
if (!$conn_id) {
    die("connection failed");
}

// ftp login with username and password
$login_result = ftp_login($conn_id, $ftp_user, $ftp_pass);

// check for login
if (!$login_result) {
    ftp_close($conn_id);
    die("Attempted to connect to $ftp_server for user $ftp_user.... failed");
}

// upload the file to the path specified ($path; the original used an undefined $paths)
$upload = ftp_put($conn_id, $path.'/'.$name, $file, FTP_BINARY);
if (!$upload) {
    echo "Upload of $name failed";
}

ftp_close($conn_id);

If you are on a shared hosting environment, then probably your outbound FTP is disabled. In that case you need to upload using cURL. cURL is a great library with great power; almost all big sites use cURL in some way. Check the following script.
Upload files using cURL:

Here is the simplest script

$ch = curl_init();
$file = $_FILES['userfile']['tmp_name'];
$name = basename($_FILES['userfile']['name']); // drop any directory parts sent by the client
$fp = fopen($file, 'r');
curl_setopt($ch, CURLOPT_URL, 'ftp://USER:PASSWORD@ftp.example.com/'.$name);
curl_setopt($ch, CURLOPT_UPLOAD, 1);
curl_setopt($ch, CURLOPT_INFILE, $fp);
curl_setopt($ch, CURLOPT_INFILESIZE, filesize($file));
// curl_exec() returns false on failure; report the reason instead of silently continuing
if (curl_exec($ch) === false) {
    echo 'Upload failed: ' . curl_error($ch);
}
curl_close($ch);
fclose($fp);

If you need to change the file permissions after upload, use chmod, as:

chmod("path_to_file" ,0755);

Upload checking can be done using the PHP built-in function file_exists, as:

file_exists($_SERVER['DOCUMENT_ROOT'].'/path_to_file');