December 20, 2010

Block Unwanted Traffic With Packetfence


Packetfence is a very powerful Network Access Control tool. Using Packetfence you can control and block unwanted traffic on your network. Want to block P2P services like BitTorrent, or keep mobile devices like iPhones and Android phones off your wireless network? Packetfence gives you the kind of fine-grained control you're looking for.

Packetfence is officially supported on Red Hat Enterprise Linux (RHEL) and CentOS. With those two distributions you can quickly get Packetfence up and running (unlike on Ubuntu, which I recently outlined in "Install and Configure Packetfence on Ubuntu Linux"). Nor are you relegated to the command line only (as you are on Ubuntu): with Red Hat or CentOS you will find a powerful web-based tool at your fingertips, and with this tool you can easily manage Packetfence. Not all aspects of Packetfence, however, can be handled from the web-based GUI.


What I want to demonstrate is how to block specific traffic on your Packetfence-enabled network. I will assume just a few items:

  • You already have Packetfence installed and working properly (I will be demonstrating on CentOS 5)
  • You have administrative rights to the machine Packetfence is installed on.

That's all. I am going to demonstrate how to block two types of traffic: first P2P traffic (such as Limewire), then iPhone/Android phone access to your network.

Adding the Final Piece: Snort

In order for Packetfence to block specific services or devices you have to enlist the help of Snort. Snort is a network intrusion detection system. In order to install Snort, follow these steps:

  1. Open up a terminal window.
  2. su to the root user or use sudo.
  3. Issue the command yum install snort.

With Snort installed you are almost ready. However, you will need to get rules so that Snort knows what is an intrusion. By default Snort installs without any rules. In order to add rules you have two options:

  • Write your own rules.
  • Download and install pre-configured rules from the Snort Website.

I highly recommend you opt for the latter (as writing your own rules will take a lot of time and effort). To do this you will need to register on the Snort web site. You can sign up for the free account and still download rules. Once you have signed up and activated your account, download the rules and then follow these steps:

  1. Open up a terminal window.
  2. Change to the directory the snortrules-snapshot-XXX.tar.gz file was downloaded to (Where XXX is the release number that matches the Snort release installed on your machine.)
  3. Issue the command tar xvzf snortrules-snapshot-XXX.tar.gz (Where XXX is the release number).
  4. Change into the newly created rules folder.
  5. Issue the command cp * /etc/snort/rules/

You now have all the rules you need for Snort to work. Start up Snort with the command /etc/rc.d/init.d/snortd start. You should now see /var/log/messages starting to fill up with information from Snort. Now it's time to re-configure Packetfence.

Enable Snort

Since you just added Snort, you need to make Packetfence aware. To do this open up the /usr/local/pf/conf/pf.conf file and add the following:



Save the file and restart Packetfence with the command /usr/local/pf/bin/pfcmd service pf restart — Packetfence is now using Snort.

Choosing the Correct Template

Before we can get into the actual configuration and blocking of services/devices, we first have to re-configure Packetfence to run in a mode other than testing. In the first article I illustrated how to configure and start Packetfence in testing mode. This is great for making sure things are working as Packetfence will only log events (not act upon them). In order to get Packetfence to actually act upon a violation, you have to reconfigure it to run using a different template. The templates you can choose from are:

  • Test mode
  • Registration
  • Detection
  • Registration & Detection
  • Registration, Detection & Scanning
  • Session-based Authentication

The template you want to choose is Registration, Detection & Scanning. In order to do that open up a terminal window and do the following:

  1. su to the root user.
  2. Change to the /usr/local/pf directory.
  3. Issue the command ./ .
  4. Select option [5] for Registration, Detection & Scanning.
  5. Answer all of the questions (this will be similar to your initial installation, as shown in the first article).
  6. Now cd into the /usr/local/pf/bin directory.
  7. Issue the command ./pfcmd service pf restart.

Packetfence is now working in the proper mode to act against violations. However, it doesn't know what is a violation. For that we have to turn to the /usr/local/pf/violations.conf file.

Enabling Specific Violations

In the violations.conf file you will see a long laundry list of violations. Each violation section looks like:

desc=P2P (BitTorrent)

The above violation is for BitTorrent connections. As you can see this violation, in its default state, is disabled. To enable this violation all you need to do is change the line:




You will find, listed in the violations, the P2P violation and the Android device violation. Enable both of those, save the file, and restart Packetfence. Now, any device that violates the enabled violations will be denied access and will be logged.
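Hand-editing a long violations.conf is error-prone, so here is an added Python example (not code from this article or from the PacketFence project) that enables every violation whose description matches a pattern such as "P2P" or "Android". It assumes the layout PacketFence uses for violations.conf: one INI-style section per violation, with a numeric id in square brackets, a desc= line and an enabled=Y/N line (a section with no enabled= line inherits the default, so the script adds one explicitly). The section ids and the sample file embedded below are constructed placeholders, not values from any PacketFence release; the default file path is the one the article names.

```python
"""Enable PacketFence violations in violations.conf by matching their desc= line.

Added example; assumes the INI-style violations.conf layout described above
(assumption: sections "[<id>]" holding "desc=" and "enabled=Y|N" lines).
"""
import re
import sys

# Constructed sample fragment (placeholder ids, not from a real release).
# Section 1000004 deliberately has no enabled= line to exercise that case.
SAMPLE_CONF = """\
[defaults]
priority=4
enabled=N

[1000001]
desc=P2P (BitTorrent)
priority=8
enabled=N

[1000002]
desc=Mobile device (Android)
priority=8
enabled=N

[1000003]
desc=Vulnerability scan
priority=8
enabled=Y

[1000004]
desc=P2P (Limewire)
priority=8
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")


def parse_violations(text):
    """Return [(section_id, [(key, value), ...]), ...] in file order."""
    sections = []
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
        elif current is not None and "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            current[1].append((key.strip(), value.strip()))
    return sections


def find_matching_sections(text, patterns):
    """Ids of non-default sections whose desc= matches any regex (case-insensitive)."""
    matched = []
    for section_id, entries in parse_violations(text):
        if section_id == "defaults":
            continue
        desc = dict(entries).get("desc", "")
        if any(re.search(p, desc, re.IGNORECASE) for p in patterns):
            matched.append(section_id)
    return matched


def enable_violations(text, patterns):
    """Rewrite text so matching sections carry enabled=Y; other lines are untouched.

    Returns (new_text, sorted list of section ids that were targeted).
    """
    targets = set(find_matching_sections(text, patterns))
    out = []
    current = None
    seen_enabled = False

    def close_section():
        # A targeted section with no enabled= line gets one, inserted before
        # any blank lines that separate it from the next section header.
        if current in targets and not seen_enabled:
            i = len(out)
            while i > 0 and not out[i - 1].strip():
                i -= 1
            out.insert(i, "enabled=Y")

    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            close_section()
            current = m.group(1)
            seen_enabled = False
            out.append(line)
            continue
        key = line.split("=", 1)[0].strip()
        if current in targets and key == "enabled" and not line.lstrip().startswith("#"):
            out.append("enabled=Y")
            seen_enabled = True
        else:
            out.append(line)
    close_section()
    return "\n".join(out) + "\n", sorted(targets)


def enabled_state(text):
    """Map each section id to its enabled= value (None if absent)."""
    return {sid: dict(entries).get("enabled") for sid, entries in parse_violations(text)}


def rewrite_file(path, patterns):
    """Apply enable_violations to a file in place; returns the targeted ids."""
    with open(path) as fh:
        original = fh.read()
    new_text, changed = enable_violations(original, patterns)
    if new_text != original:
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    # Usage: python enable_violations.py P2P Android [/usr/local/pf/violations.conf]
    # (path from the article; run as root, then restart Packetfence as described)
    args = sys.argv[1:] or ["P2P", "Android"]
    path = args.pop() if args and args[-1].endswith(".conf") else "/usr/local/pf/violations.conf"
    print("enabled sections:", rewrite_file(path, args))
```

The rewrite is line-based on purpose: only the enabled= line of a matched section is replaced, so comments, ordering and every other key survive exactly as they were, which keeps a later diff against the shipped file readable. After the file is written you still have to restart Packetfence (the pfcmd service pf restart command given above) for the change to take effect.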

Web Interface

[Figure 1: Packetfence node listing]

As I mentioned, Packetfence does come with a spiffy Web interface that allows you to manage your Packetfence-protected network. To access this tool open up your browser and point it to https://ADDRESS_TO_SERVER:1443. When you arrive at this site you will have to log in with your admin credentials (configured during installation of Packetfence). Upon successful authentication you will find yourself at the Packetfence web interface (see Figure 1). Here you can manage each node on your network, add users (for authentication), start/stop various pieces of Packetfence, and configure Packetfence.

From the Violation tab you can even enable/disable violations using a simple drop-down to select the particular violation you want to enable.

Final Thoughts

As far as Network Access Control goes, you will be hard-pressed to find a more powerful tool than Packetfence. Not only is it powerful, but once installed and configured it is easy to administer and manage. Of course, there is so much more that can be done with Packetfence. For more information read through the outstanding guides offered on the Packetfence Documentation page.