In order to celebrate this completion of the book, I am making available the Introduction available here on the HeuristicSecurity website for those who want to find out more about the book and it’s contents.
This book is intended for those consumers who want to protect their security and privacy from all the threats that the internet brings, and are wanting more something more effective than the consumer-grade protection that most people get with their internet router/WiFi. For almost all consumers, the router/WiFi that they purchase or which is supplied by the internet service provider (ISP) is the only network security device that they have.
In many cases, these products are nothing more than primitive routers doing network address translation (NAT) to hide the devices on the consumer’s local network from the internet. Their functionality is limited, their performance abysmal, and their security even worse. When bugs are detected in these products, the consumer is unlikely to even be informed of their existence, assuming the vendor even bothers to release a patch.
There are alternatives that provide true professional-grade capabilities for the more technical and hands-on consumer, and that does not cost an arm and a leg. These are the software and hardware appliances from Netgate. Netgate’s pfSense® firewall is the industry leader in Open Source firewall software, with over 1 million deployments worldwide to consumers, businesses, educational institutions, and governments. There is a robust free support community available to help individuals learn how to configure and use the pfSense® software, as well as paid support and professional services available for companies.
In this book, I will be describing how to setup Netgate’s SG-1100 appliance to secure a typical consumer network (or small business). While I will be discussing my recommendations assuming that you have an SG-1100 appliance, all of these recommendations are just as applicable to any other Netgate appliance or even if you have built your firewall using an old PC and the free pfSense® community edition software.
How this book is structured
This book is organized as a series of “recipes”. Each recipe is a solution to a particular security or privacy problem. After you have setup your SG-1100 following the instructions under “Recipe 1 – The basic ingredients”, which recipe you choose to apply next is up to you based on your needs. If a recipe has a dependency on another recipe being performed first, I will let you know.
About the SG-1100
The SG-1100 is Netgate’s lowest end appliance, yet even at that is still delivers more performance than practically all consumer routers. It is compact, silent, and power-efficient, and for internet connections up to around 500Mbs, it will be all that you need. Please note, that if you are running a gigabit fiber connection into your home, or if you wish to run more packages than are described in this book, you will need to upgrade to a more powerful appliance in Netgate’s product line, or build your own firewall using the pfSense® community edition software.
Out of the box, the SG-1100 with a basic NAT configuration is far ahead of most consumer-grade routers in terms of performance and security capabilities. If you are worried that the SG-1100 is not powerful enough, rest assured that it is perfectly capable of supporting all of the recipes in this book at the same time.
Who this book is for
This book is for you those familiar with IP networking, who like to get their hands dirty, and who are willing to experiment. If this is not you, don’t feel bad, as this describes the vast majority of electronics consumers.
In that case, a good consumer router, as insufficient as I believe them to be, is your best choice. My recommendation for anyone, in this case, is to look at the products from eero.com. While Eero’s products have nowhere near the capabilities of pfSense® as firewalls or routers, for most consumers, they are plug and play and will serve their needs.
There are tons of configuration options in pfSense® to choose from, and in this book, we will just be scratching the surface of what you can do. To make it easier to understand what you need to do executing my instructions, I will use the following convention when I am describing navigation within pfSense®, as well as for entering information.
Navigation within the pfSense® webpage will following the following convention: <Top Menubar Item> / <Sub Menu Item from Dropdown> / <Option on page>. For example, if I wanted you to go to the firewall rules page to enter a particular rule for the WAN interface, I would show the navigation path you need to follow as Firewall / Rules / WAN.
Once you are on a page and I need you to either enter information or select an option in a field, I will refer to the field name on the page by displaying it in bold, for example, Bandwidth. The information or option itself that I want you to enter into that field I will show in quotes, such as “100”. Enter the information without the quotes.
A final word of warning
I ASSUME NO LIABILITY FOR ANY COSTS OR DAMAGES THAT MAY OCCUR FROM YOUR FOLLOWING (OR NOT FOLLOWING) THE INSTRUCTIONS IN THIS BOOK, OR FOR ANY ERRORS IN THESE INSTRUCTIONS. IF YOU DON’T UNDERSTAND IT, DON’T DO IT.
While all my advice in this book regarding configurations is based on my personal experience with my SG-1100, since I am not there configuring your device, I cannot guarantee your success. Likewise, I cannot guarantee that what worked for me in the current version of pfSense® (v2.4.5 as of this writing) will work with future pfSense® versions.
The power of pfSense® lies in its configurability, however, this is also its downside until you become familiar with the product. If you don’t understand what you are doing, it is possible to lock yourself out of the firewall, block your access to the internet, or cause strange network behavior. The bottom line is, **don’t mess with any settings other than what I describe unless you understand what you are doing**. If you do happen to find yourself in this situation, I’d suggest trying the excellent Netgate support forums(fn) for assistance as well as referring to the comprehensive pfSense® documentation available at [https://docs.netgate.com/pfsense/en/latest/book/]. If you do find an error in my instructions, please write to me via the contact information on my Leanpub page so that I can update the book as appropriate.