This shows you the differences between two versions of the page.
sred:milestone_2 [2023/11/17 00:21] horia.stoenescu Week 4 |
sred:milestone_2 [2025/01/14 17:56] (current) horia.stoenescu |
---|---|---|---|
Line 16: | Line 16: | ||
5. Create a new Linux node (like done previously here: https://ocw.cs.pub.ro/courses/sred/setup_lab_remote#virtual_machine_access) and connect it to e1 from pfsense. | 5. Create a new Linux node (like done previously here: https://ocw.cs.pub.ro/courses/sred/setup_lab_remote#virtual_machine_access) and connect it to e1 from pfsense. | ||
- | 6. Look over the commands from console menu: https://docs.netgate.com/pfsense/en/latest/config/console-menu.html. Go to shell and find the ip address for interface vtnet0 (it should be in subnet 10.6.0.0/16). | + | 6. Look over the commands from console menu: https://docs.netgate.com/pfsense/en/latest/config/console-menu.html. Go to shell and find the ip address for interface vtnet0 (it should be in subnet configured for Cloud1 - remember step 6 from here: https://ocw.cs.pub.ro/courses/sred/setup_lab_openstack). |
7. Change the mac address to a custom one, from cli: | 7. Change the mac address to a custom one, from cli: | ||
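Review bot: the rewritten step 6 drops the only concrete expectation the learner could check against (previously "it should be in subnet 10.6.0.0/16") and replaces it with a cross-reference to the OpenStack setup page; consider keeping an inline statement of what to verify, e.g. "it should be in the subnet you assigned to Cloud1 in step 6 of the setup page (e.g. ''10.6.0.0/16'' in the reference setup)", so the check stays verifiable without leaving the page. Minor: "ip address" should be "IP address", and ''vtnet0'' belongs in the page's code markup like the other identifiers.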
Line 33: | Line 33: | ||
10. Go to Interfaces > WAN > MAC Address, add also there the mac address from above, then Save and apply changes. This way your mac will be permanently saved. | 10. Go to Interfaces > WAN > MAC Address, add also there the mac address from above, then Save and apply changes. This way your mac will be permanently saved. | ||
- | 11. Add a new rule to permit traffic to WAN interface from your tunnel ip address (check GlobalProtect). Revert steps done previously, on step 6 (hint: use again shell and same binary). | + | 11. Add a new rule to permit traffic to WAN interface from your ip address (check eve-ng pnet0). Revert steps done previously, on step 6 (hint: use again shell and same binary). |
- | 12. Start Linux machine and make sure it receives a private ip from ''192.168.1.0/24''. | + | 12. Start Linux machine and make sure it receives a private ip from range ''192.168.1.0/24''. |
- | 13. At last, add a new NAT rule to have Internet access from that computer. | + | 13. At last, add a new NAT rule to have Internet access for that internal computer. |
======= Week 4 ======= | ======= Week 4 ======= | ||
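Review bot: the instruction "Revert steps done previously, on step 6 (hint: use again shell and same binary)" in step 11 appears to point at the wrong step: step 6 only reads the address of ''vtnet0'' and changes nothing, while the "same binary" hint matches step 7 ("Change the mac address to a custom one, from cli"); confirm whether the intended reference is step 7. On the same line, "permit traffic to WAN interface from your ip address (check eve-ng pnet0)" should say explicitly that the rule's source is that single host address (a /32), not the whole pnet0 range, since the anti-lockout intent of the rule depends on it being narrow. Minor: "ip" should be "IP" in steps 11 and 12.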
Line 43: | Line 43: | ||
1. Anti-lockout rule : enable ssh on LAN gateway ip and test connection from client inside LAN. | 1. Anti-lockout rule : enable ssh on LAN gateway ip and test connection from client inside LAN. | ||
- | 2. Do not permit ping to firewall machine (ip 192.168.1.1) from the internal network (drop icmp echo requests). | + | 2. Change settings to permit access using public key (hint: authorized key for admin user). |
- | 3. Block access to ''facebook.com''. The rest of urls should be permitted (check sites like ''digi24.ro'' or ''x.com''). **Hint**: dns resolver | + | 3. Do not permit ping to firewall machine (ip 192.168.1.1) from the internal network (drop icmp echo requests). |
- | 4. Create a custom DNS entry in firewall for apache2 service from server (created on milestone 1). Use as subdomain: ''web'' and as domain: ''sred.com''. | + | 4. Block access to ''facebook.com''. The rest of urls should be permitted (check sites like ''digi24.ro'' or ''x.com''). **Hint**: dns resolver |
- | 5. Check from the client in LAN that it can access the webserver using: ''web.sred.com'' | + | 5. Create a custom DNS entry in firewall for apache2 service from server (created on milestone 1). Use as subdomain: ''web'' and as domain: ''sred.com''. |
- | 6. Do the same steps from above for ftp service and test in cli the access: ''ftp ftp.sred.com 21'' | + | 6. Check from the client in LAN that it can access the webserver using: ''web.sred.com'' |
- | 7. Start an additional apache2 service on server (port 81) and block access from network 192.168.1.1 to it. Test using url: ''http://web.sred.com:81'' | + | 7. Do the same steps from above for ftp service and test in cli the access: ''ftp ftp.sred.com 21'' |
+ | |||
+ | 8. Start an additional apache2 service on server (port 81) and block access from network 192.168.1.1 to it. Test using url: ''http://web.sred.com:81'' | ||
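Review bot: step 8 says "block access from network 192.168.1.1 to it", but 192.168.1.1 is identified in step 3 as the firewall's own LAN address, not a network; the block rule for the port-81 service should name the LAN network ''192.168.1.0/24'' (as used in the earlier milestone for the client range) so the test from the LAN client actually exercises it. Also, the newly inserted step 2 ("permit access using public key") should state whether password login to the SSH service from step 1 is to be kept or disabled, since enabling key-based authentication on its own does not remove password authentication, and the lockout risk of disabling it is worth calling out before the learner tries it. Minor: the empty added line before step 8 looks unintentional.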