For the final part of my network I am moving my IIS server into a Screened Subnet . I need to change the IP address of the web server and place it between a Wingate Firewall and pfSense Firewall (acting as a firewall this time as opposed to the router only function from earlier). I’ve discussed installing and configuring pfSense in a earlier post.
I contact the web server in the diagram via the IP address 192.168.1.7 which is the IP address issued by the DHCP on my Wireless Network piped into my home by my ISP. The URL looks something like this, http://192.168.1.7/mywebsite. This URL is entered into a browser from my physical PC.
The URL hits the Wingate Firewall where I have a redirect rule to redirect to the IIS web server (192.168.100.10). The Web server then contacts the MySQL Server on the Ubuntu machine (10.0.10.10). It does this via a TCP rule on port 3306 (3306 is the default TCP port for MySQL) opened up on the pfSense Firewall. No other communication is permitted from the DMZ web server to the internal network.
I can now probe, attack and map this network from my host PC (18.104.22.168). A good lab to work with. As it happens I won’t be doing that just yet!
Going back to my Hands-On goals I’m diverting to the New York Polytechnic online resources and Webgoat tutorials. I’ll be posting my progress through both of these areas as I go.
One last thing. The Windows XP machines on my internal network do not currently have internet access. In the coming weeks I’ll come back and correct this when I deploy a web proxy to my internal network and open up communication through my DMZ to allow these machines contact the web.
Hope this was of interest and use to anyone reading this!
1. Download WinGate from here
2. I’ll leave the WinGate guys show you how to install the firewall
3. If you are using this for lab purposes it comes with a single free licence. Ideal for this purpose.
4. Set up your two network interfaces. One should be your external connection (e.g. internet). The other should be your protected internal network.
Create A Redirect Rule on WinGate
1. Open WinGate admin console
2. Go to Control Panel>Extended Networking>Port Security
3. Because this is a redirect from an external network to the DMZ, select Internet Computes to the Wingate PC checkbox
4. Select the TCP checkbox
5. We are directing a HTTP request so enter 80 in the Ports to textbox
6 Enter the IP address you are redirecting to in the Redirect Packet to IP Address textbox
7. Click the Dont translate source IP address checkbox
8. Click OK to exit and save your settings
Open a TCP port on pfSense
1. Open the pfSense web console
2. Default user name and password: admin/pfsense
3. Select Firewall>Rules from the drop down menu
4. Click the WAN interface (this will be your DMZ IIS server)
5. Select the + sign to add a new rule
6 Select WAN as the Interface
7. Select TCP as the Protocol
8. Select single host or alias in the Source
9. Still in Source enter the IP address of your DMZ IIS server
10. Select single host or alias in the Destination
11. Still in Destination enter the IP address of your MySQL server on your secure internal network
12. In Destination port range select from other and enter 3306
13. In Destination port range select to other and enter 3306
14. Tick Log if you want to log your packets over this rule
15. Hit Save and wait for pfSense to apply your changes
16. Once changes are applied your rule is active