Endian Firewall Administrators Guide


Page 1: Endian Firewall Administrators Guide

Endian Firewall Administrators Guide

Administrative Guide

Diego Gagliardo

Raphael Lechner

Marco Sondermann

Raphael Vallazza

Peter Warasin

Christian Graffer

Copyright © 2002, 2003, 2004, 2005, 2006 Chris Clancey, Harry Goldschmitt, John Kastner, Eric Oberlander, Peter Walker, Marco Sondermann, Endian srl

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled Appendix A, GNU Free Documentation License.

2006-05-24

Revision History

Revision 1.1rc7 2005-10-09

DocBook Edition

Revision 2.0 2006-05-24

DocBook Edition

Revision 2.1 2006-11-17

DocBook Edition

Abstract

A comprehensive documentation for the Administrator of an Endian Firewall™.

Table of Contents

Preface
  Rights and Disclaimers
  Conventions used in this book
  Typographic Conventions
  Icons
  Organization of this book
  This Book is Free
  Acknowledgments

1. Introduction
  What Is Endian Firewall?
  Features

2. System Web pages
  Introduction
  Home Administrative Window
  Network Configuration
  Choose type of RED interface
  Choose network zones
  Network preferences
  Internet Access preferences
  RED type: NONE
  RED type: ADSL
  RED type: ISDN
  RED type: ETHERNET STATIC
  RED type: ETHERNET DHCP
  RED type: PPPoE
  Configure DNS resolver
  Apply configuration
  EN registration
  Passwords
  SSH Access
  SSH Options
  SSH Host Keys
  GUI Settings
  Backup Web Page
  Your Backup list
  Create a new Backup file
  Encrypt Backup files
  Export Backup files
  Import Backup files
  Restore a Backup
  Schedule Backups
  Reset configuration to factory defaults
  Shutdown or Restart Endian Firewall

3. Status Menu
  Introduction
  System Status
  Services
  Memory
  Disk Usage
  Uptime and Users
  Loaded Modules
  Kernel Version
  Network Status
  Interfaces
  RED DHCP configuration
  Current Dynamic Leases
  Routing Table Entries
  ARP Table Entries
  System Graphs
  Traffic Graphs
  Proxy Graphs
  Connections
  SMTP Mail Statistics
  Mail Queue
  IPTables Rules

4. Network Menu
  Introduction
  Host configuration (Edit Hosts)
  Aliases

5. Services Menu
  Introduction
  DHCP Administrative Web Page
  DHCP Server Parameters
  Add a new fixed lease
  Current fixed leases
  Current dynamic leases
  Error messages
  Dynamic DNS Administrative Web Page
  Add a host
  Current hosts
  Forcing a Manual Update
  ClamAV Antivirus
  Time Server Administrative Web Page
  Traffic Shaping Administrative Web Page
  Intrusion Detection System Administrative Web Page
  Linesrv (removed in version 2.1)
  Server
  Clients
  XLC
  WLC2
  Hotspot

6. Firewall Menu
  Introduction
  Firewall
  Port Forwarding Administrative Web Page
  Port Forwarding Overview
  Port Forwarding and External Access
  External Access Administrative Web Page
  Zone Pinholes Administrative Web Page
  Outgoing Firewall Administrative Web Page
  Globally DENY outgoing traffic to RED and explicitly configure outgoing rules
  Globally ALLOW outgoing traffic to RED

7. Proxy
  Introduction
  HTTP Proxy
  Feature List
  Web proxy configuration
  Common settings
  Upstream proxy
  Log settings
  Cache management
  Network based access control
  Time restrictions
  Transfer limits
  MIME type filter
  Web browser
  Authentication configuration
  Content filter
  Content filter (Dansguardian)
  Block pages which contain unallowed phrases
  Block pages known to have content of the following categories
  Custom black- and whitelists
  HTTP Antivirus
  Max. content scan size
  Last Update
  Do not scan the following URLs
  Enforcing proxy usage
  Web Proxy standard operation modes
  Client side Web Proxy configuration
  Requirements for mandatory proxy usage
  POP3
  Global settings
  Spamfilter configuration
  SIP
  FTP
  SMTP
  General Settings
  Antivirus
  AntiSpam
  General Settings
  Greylisting
  Banned File Extension
  Blacklists/Whitelists
  Real-time Spam Black Lists (RBL)
  Custom black/whitelists
  Domains
  BCC
  Advanced settings
  Smarthost
  IMAP Server for SMTP Authentication
  Advanced settings

8. VPN Menu
  Introduction
  Virtual Private Networks (VPNs)
  Net-to-Net (Gateway-to-Gateway)
  Host-to-Net (Roadwarrior)
  OpenVPN
  OpenVPN Web Interface
  OpenVPN Server
  Openvpn Net2Net client
  Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)
  Configuration of an OpenVPN client on the roadwarrior side
  IPSec
  Methods of Authentication
  Pre-shared Key
  X.509 Certificates
  Global Settings
  Connection Status and Control
  Certificate Authorities
  Generate Root/Host Certificates
  Upload a CA certificate
  Reset configuration
  Add a new connection
  Connection Type
  Authentication

9. Logs
  Introduction
  Log Settings Administrative Web Page
  Log Summary Page
  Proxy Logs Page
  Firewall Logs Page
  Intrusion Detection System Log Page
  Content Filter Logs Page
  OpenVPN Logs Page
  System Log Page
  SMTP Log Page
  Clamav Log Page
  SIProxy log page
  Proxy Analysis Report

10. Hotspot
  Introduction
  Hotspot
  Accounts
  How to add a new account or edit an existing one
  User balance
  User connections
  Ticket Rates
  Add or edit a ticket rate
  Statistics
  Active Connections
  Connection Log
  Settings
  Dialin
  Password
  Template Editor
  Printout Template
  Allowed sites
  Client connecting to Endian Hotspot
  Login
  House guests login
  Successful login

A. GNU Free Documentation License
  PREAMBLE
  APPLICABILITY AND DEFINITIONS
  VERBATIM COPYING
  COPYING IN QUANTITY
  MODIFICATIONS
  COMBINING DOCUMENTS
  COLLECTIONS OF DOCUMENTS
  AGGREGATION WITH INDEPENDENT WORKS
  TRANSLATION
  TERMINATION
  FUTURE REVISIONS OF THIS LICENSE
  ADDENDUM: How to use this License for your documents

List of Figures

2.1. System menu selected
2.2. Home
2.3. Displays the Endian Network Support status
2.4. Online status
2.5. Network wizard step 1: Choose type of RED interface
2.6. Network wizard showing Step 2: Choose network zones
2.7. Network wizard showing Step 3: Network preferences
2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE
2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem
2.10. Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type
2.11. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (PPPoE)
2.12. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 static IP)
2.13. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 DHCP)
2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences
2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences
2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences
2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences
2.18. Network wizard showing step 5: configure DNS resolver
2.19. Network wizard showing step 6: Apply configuration
2.20. Unregistered Endian Firewall
2.21. Registered Endian Firewall
2.22. Password changing dialogue
2.23. SSH access page
2.24. GUI settings
2.25. Backup to files
2.26. Create new backup
2.27. Encrypt Backups
2.28. Import Backup
2.29. Restore Backup
2.30. Schedule backups
2.31. Reset to factory defaults
2.32. Shutdown / Reboot page
3.1. Status menu selected
3.2. Page which displays the currently running services
3.3. Page which displays the current memory usage
3.4. Page which displays the current disk usage
3.5. Page which displays uptime and currently logged in users
3.6. Page which displays the currently loaded kernel modules
3.7. Page which displays the kernel version
3.8. Displays interfaces
3.9. Displays current RED DHCP configuration
3.10. Displays current dynamic leases
3.11. Displays current routing table
3.12. Displays ARP table
3.13. Display of CPU graph
3.14. Display disk usage graph
3.15. Display memory usage graph
3.16. Display current swap usage
3.17. Displays traffic graph of the GREEN interface
3.18. Displays traffic graph of the RED interface
3.19. Displays current connections
3.20. Mail Queue
3.21. Displays iptables rules
4.1. Network menu selected
4.2. Current hosts
4.3. Add a new alias
5.1. Services menu selected
5.2. Shows DHCP administration page
5.3. Add a fixed lease
5.4. Shows the current fixed leases
5.5. Shows the current dynamic leases
5.6. Shows the dialogue which allows you to create a new DynDNS configuration
5.7. Shows current configured DynDNS configuration
5.8. ClamAV Antivirus
5.9. Shows the Time server administrative web page
5.10. Shows traffic shaping settings
5.11. Shows Type of Service configuration
5.12. Intrusion Detection System administrative web page
5.13. Linesrv
5.14. XLC Line down
5.15. XLC initiate a Connection
5.16. XLC main connection initiated
5.17. XLC up manually
5.18. WLC disconnected
5.19. WLC line is up
5.20. WLC connection established
5.21. WLC up manually
5.22. Hotspot Activation
6.1. Firewall menu selected
6.2. Diagram of flow control and its configuration possibilities
6.3. Adding a new portforwarding configuration
6.4. Adds an acl to a portforwarding rule
6.5. Currently configured portforwarding rules
6.6. Add a new external access rule
6.7. Displays currently configured rules
6.8. Adds a new pinhole rule
6.9. Lists all configured pinhole rules
6.10. Adds a new outgoing rule
6.11. Lists all current outgoing rules
6.12. Globally allow outgoing traffic
6.13. Globally deny outgoing traffic
7.1. Proxy menu selected
7.2. Displays HTTP advanced proxy settings
7.3. Displays HTTP advanced proxy upstream proxy configuration
7.4. Displays HTTP advanced proxy log settings
7.5. Displays HTTP advanced proxy cache management configuration
7.6. Displays HTTP advanced proxy network based access control
7.7. Displays HTTP advanced proxy time restrictions configuration
7.8. Displays HTTP advanced proxy transfer limit configuration
7.9. Displays HTTP advanced proxy MIME type filter
7.10. Displays HTTP advanced proxy user agent filter
7.11. Displays HTTP advanced proxy authentication methods
7.12. Displays HTTP advanced proxy global authentication settings
7.13. Displays HTTP advanced proxy local user authentication
7.14. Displays HTTP advanced proxy local user authentication
7.15. Displays local user manager for the HTTP advanced proxy
7.16. Displays editing a user with local user manager of HTTP advanced proxy
7.17. Change it yourself page, allowing users to change their local HTTP proxy password
7.18. Displays LDAP authentication page of HTTP advanced proxy
7.19. Common LDAP settings of HTTP advanced proxy
7.20. Bind DN settings of LDAP authentication within HTTP advanced proxy
7.21. Group-based access control of LDAP authentication within HTTP advanced proxy
7.22. HTTP advanced proxy authentication against Windows
7.23. Common domain settings of Windows authentication on HTTP advanced proxy
7.24. Authentication mode of Windows authentication on HTTP advanced proxy
7.25. User-based access restrictions on Windows authentication of HTTP advanced proxy
7.26. Integrated Windows authentication with HTTP advanced proxy
7.27. Explicit authentication with HTTP advanced proxy
7.28. Displays RADIUS authentication configuration of HTTP advanced proxy
7.29. Displays common RADIUS settings of HTTP advanced proxy authentication
7.30. Displays user based access restrictions of HTTP advanced proxy
7.31. General content filter configuration
7.32. Selection of disallowed phrases which pages may contain
7.33. Selection of categories of URL lists which should be blocked by the HTTP content filter
7.34. Custom black- and whitelists for the HTTP content filter
7.35. HTTP Antivirus configuration page
7.36. HTTP proxy disabled
7.37. Figure which displays traffic which will not be directed through the HTTP proxy
7.38. HTTP proxy enabled
7.39. Figure which displays traffic which will not be directed through the HTTP proxy
7.40. Figure which displays traffic which will be redirected through the HTTP proxy
7.41. HTTP proxy enabled as transparent proxy
7.42. Figure that displays traffic which will be transparently redirected through the HTTP proxy
7.43. Shows POP3 proxy global settings
7.44. Spamfilter configuration of POP3 proxy
7.45. SIP Proxy Settings
7.46. FTP proxy administration page
7.47. General Settings
7.48. SMTP Antivirus
7.49. SMTP Antispam
7.50. Greylisting
7.51. Banned files
7.52. Real-time Black Lists
7.53. Black/whitelists
7.54. Domains
7.55. BCC
7.56. Smarthost
7.57. IMAP Server for SMTP Authentication
7.58. Advanced Settings
8.1. VPN menu selected
8.2. Figure of a Net-to-Net VPN
8.3. Figure of a Host-to-Net VPN
8.4. Figure of a VPN using OpenVPN as mixed VPN combining a Host-to-Net VPN (the Roadwarrior) and Net-to-Net VPNs in a hub-and-spoke topology
8.5. Global Settings
8.6. Users which are allowed to connect to OpenVPN
8.7. Add Account
8.8. Connection status and control
8.9. VPN tunnel and control
8.10. Add a VPN tunnel
8.11. OpenVPN Server
8.12. Users which are allowed to connect to OpenVPN
8.13. Add a new user
8.14. List of allowed users
8.15. OpenVPN Server CA Certificate
8.16. Configure Office 1 Endian Firewall
8.17. Add Office 0 tunnel
8.18. Connected to Office 0 tunnel
8.19. Connected Office 1 and 2 clients
8.20. VPN global settings
8.21. VPN connection status and control window: initial view
8.22. VPN certificate authorities window: initial view
8.23. VPN connection type selection
8.24. VPN Host-to-Net connection input
8.25. VPN Net-to-Net connection input
8.26. VPN authentication input
9.1. Logs menu selected
9.2. Generic navigation items
9.3. Configuration of log viewer
9.4. Configuration of log summaries
9.5. Configuration of remote logging
9.6. Configuration of firewall logging
9.7. Displays log summaries
9.8. Displays firewall log
9.9. Display of system logs
9.10. Displays ClamAV log viewer
9.11. Proxy Analysis Report
10.1. The Endian Hotspot
10.2. Account management
10.3. Add a new account
10.4. User balance
10.5. User connections
10.6. Ticket Rates
10.7. Add or edit a ticket rate
10.8. Statistics
10.9. Active Connections
10.10. Connection Log
10.11. Settings
10.12. Dialin
10.13. Password
10.14. Template Editor
10.15. Printout template
10.16. Allowed sites
10.17. Endian Hotspot Client start page
10.18. Normal login
10.19. Login for house guests
10.20. Successful login

List of Examples

5.1. Example of a custom configuration line
7.1. Add this MIME type if you want to block the download of PDF files
7.2. Add these MIME types if you want to block the download of MPEG and QuickTime video files
7.3. Windows Update: to allow access to Windows Update without authentication add these domains to the list
7.4. Base DN for Active Directory
7.5. Base DN for eDirectory
7.6. Base DN containing spaces
7.7. User based access control lists using integrated authentication
7.8. User based access control lists using explicit authentication
7.9. Example spam info headers
7.10. Example spam info headers
7.11. Allow or deny a complete domain
7.12. Allow or deny only the subdomains of a domain
7.13. Allow or deny single email addresses or user names
7.14. Allow or deny a complete domain
7.15. Allow or deny only the subdomains of a domain
7.16. Allow or deny single email addresses or user names
7.17. Allow or deny an IP block
8.1. An example command line to start OpenVPN on your roadwarrior
8.2. An example configuration file for OpenVPN on your roadwarrior
8.3. Example plain text certificate output
8.4. Example content of an exported CA
9.1. Log line of the OpenVPN server
9.2. Log line of an OpenVPN client
10.1. Specifying hourly prices


Preface

Table of Contents

Rights and Disclaimers

Conventions used in this book

Typographic Conventions

Icons

Organization of this book

This Book is Free

Acknowledgments

Rights and Disclaimers

Endian Firewall™ is Copyright of Endian srl.

Endian Firewall™ is published under the GNU General Public License. For more information please visit our web site at http://www.efw.it. You may copy this document in whole or in part as long as the copies retain this copyright statement. The information contained within this document may change from one version to the next.

All programs and details contained within this document have been created to the best of our knowledge and tested carefully. However, errors cannot be completely ruled out. Therefore Endian does not express or imply any guarantees for errors within this document or consequent damage arising from the availability, performance or use of this or related material.

The use of names in general use, names of firms, trade names, etc. in this document, even without special notation, does not imply that such names can be considered as “free” in terms of trademark legislation and that they can be used by anyone.

All trade names are used without a guarantee of free usage and might be registered trademarks. As a general rule, Endian adheres to the notation of the manufacturer. Other products mentioned here could be trademarks of the respective manufacturer.

This document is based on IpCop Admin Guide 1.4 4th Edition. See http://www.ipcop.org for more info.


Conventions used in this book

This section covers the various conventions used in this book.

Typographic Conventions

Constant width

Used for commands, command output, program names.

Constant width italic

Used for replaceable items in code and text.

Italic

Used for names, (file, interface, directory names, ...).

User input (bold constant width)

Used for user input

Icons

Tip

This icon designates a tip to the surrounding text.

Note

This icon designates a note relating to the surrounding text.

Warning

This icon designates a warning relating to the surrounding text.


Organization of this book

The chapters that follow and their contents are listed here:

Chapter 1, Introduction

Gives an introduction to the Endian Firewall and its features.

Chapter 2, System Web pages

Covers the System menu with its features and configuration possibilities, including the initial network configuration and the system tools.

Chapter 3, Status Menu

Describes the Status menu and its system monitoring and visualization functions.

Chapter 4, Network Menu

Explains how to configure network related parts of Endian Firewall.

Chapter 5, Services Menu

Gives information about additional services Endian Firewall ships with, including DHCP, NTP and DDNS service, Intrusion detection and Traffic Shaping (QoS).

Chapter 6, Firewall Menu

Explains the firewall functionalities and Endian Firewall's security concept.

Chapter 7, Proxy

Describes in depth Endian Firewall's application proxies (HTTP, POP3, SIP, FTP and SMTP) and their many configuration options.

Chapter 8, VPN Menu

Help on creating Virtual Private Networks with either of the two supported technologies, OpenVPN and IPSec.

Chapter 9, Logs

Gives an overview of the log viewer menu and its facilities to view and configure the logs of all services.

Chapter 10, Hotspot

This chapter contains a detailed description of the Endian Hotspot.


This Book is Free

This document is based on IpCop Admin Guide 1.4 4th Edition. See http://www.ipcop.org for more info.

This book started out as the administration guide for IpCop 1.4, written by the IpCop people. Since Endian Firewall™ forked from IpCop, Endian rewrote many parts and added new ones reflecting Endian Firewall™'s new functionality. As such, it has always been under a free license (see Appendix A, GNU Free Documentation License). This means you can distribute and make changes to this book however you wish; it is under a free license. Of course, rather than distribute your own private version of this book, we'd much rather you send feedback and patches to Endian.


Acknowledgments

Without the great work of the Smoothwall team and later the IPCop team, Endian Firewall would not exist, and in turn neither would this documentation. Therefore we would like to thank them all for their hard work.

Thanks to Sourceforge for the hosting. Without Sourceforge we would not have the possibility to gain such a huge worldwide visibility. You are really helping us very much!

Finally, we thank the following people for helping us out with work on screenshots and xslt: Elisabeth Warasin, Thomas Lukasser.


Chapter 1. Introduction

Table of Contents

What Is Endian Firewall?

Features

What Is Endian Firewall?

Endian Firewall™ is a “turn-key” Linux security distribution that turns any system into a fully featured security appliance. The software has been designed with “usability in mind” and is very easy to install, use and manage, without losing its flexibility. The features include a stateful packet inspection firewall, application-level proxies for various protocols (HTTP, POP3, SMTP, SIP) with antivirus support, virus and spam filtering for email traffic (POP and SMTP), content filtering of web traffic and a “hassle free” VPN solution (based on OpenVPN). The main advantage of Endian Firewall™ is that it is a pure “Open Source” solution that is commercially supported by Endian (for the full feature list see below).


Features

This needs a rewrite!!

Base Module - Endian Firewall 1.1

- Firewall (stateful inspection)
- Outgoing Firewall
- IPSec Gateway to gateway VPN
- IPSec Remote client to gateway VPN (roadwarrior)
- NAT
- Multi-IP address support (aliases)
- Dynamic DNS
- DMZ support
- HTTPS Web Interface
- Detailed network traffic graphs
- View currently active connections
- Event log management
- Log redirection to external server
- DHCP server
- NTP server
- Traffic Shaping / QoS
- Transparent POP3 antivirus/antispam proxy
- Transparent HTTP proxy
- Web Proxy with local users, Windows domain, Samba, LDAP, RADIUS server management
- Intrusion Detection System
- ADSL modem support
- Configuration backup and restore
- Remote update
- SIP VoIP Proxy *NEW!*

VPN Gateway Module - Endian Firewall 1.1

- Gateway to gateway VPN with OpenVPN
- Remote client to gateway VPN (roadwarrior) with OpenVPN
- Bridged and Routed VPN mode
- Endian Client VPN – Windows, Linux, MacOSX

Web Content Filter Module - Endian Firewall 1.1

- URL filter
- Web content analysis/filter
- Whitelists and blacklists management
- Web surfing time limits

Advanced Antivirus Module - Endian Firewall 1.1

- HTTP Antivirus
- Endian Security Tools for Windows Desktop
- Transparent SMTP antivirus/antispam proxy


Chapter 2. System Web pages

Table of Contents

Introduction

Home Administrative Window

Network Configuration

Choose type of RED interface

Choose network zones

Network preferences

Internet Access preferences

RED type: NONE

RED type: ADSL

RED type: ISDN

RED type: ETHERNET STATIC

RED type: ETHERNET DHCP

RED type: PPPoE

Configure DNS resolver

Apply configuration

EN registration

Passwords

SSH Access

SSH Options

SSH Host Keys

GUI Settings

Backup Web Page

Your Backup list

Create a new Backup file

Encrypt Backup files

Export Backup files

Import Backup files

Restore a Backup

Schedule Backups

Reset configuration to factory defaults

Shutdown or Restart Endian Firewall

Introduction

Figure 2.1. System menu selected

This group of web pages is designed to help you to administer and control the Endian Firewall itself. To get to these web pages, select System from the menu bar at the top of the screen. The following choices will appear in a submenu on the left side of the screen:

Home — Returns to the home page.

Network Configuration — Allows you to configure the network and the NICs of your EFW.

Endian Network — Allows you to register your EFW within Endian Network. This menu item is not available within the Endian Firewall Community version ('EN registration' before version 2.1).

Passwords — Allows you to set the admin password.

SSH Access — Allows you to enable and configure Secure Shell (SSH) access to Endian Firewall.

GUI Settings — Allows you to set the language of the web display.

Backup — Backs up/restores your EFW settings to/from files. You can also reset your settings to the factory defaults.

Shutdown — Shut down or restart your Endian Firewall from this web page.

Credits — Our thanks to all contributors.


Home Administrative Window

Figure 2.2. Home

To access the Endian Firewall GUI, start your browser and enter the IP address of the GREEN interface (or the hostname) of your Endian Firewall together with the port, i.e. https://<green address>:10443. Port 10443 serves the interface over HTTPS; port 80 only answers with a redirect to 10443, so the administrative interface, and the credentials you type into it, are always carried over TLS.

The system will ask you for a username and password: the username is admin and the password is the one you set during the installation process.

You should now be looking at the Home Page of your Endian Firewall GUI. You can immediately start exploring the different options and the information available to you through this interface. Below, we have listed the Main Configuration/Administration Options available through the GUI. When you have acquainted yourself sufficiently with the system, please continue with the next section.

Endian Firewall's administrative web pages are reached via the menu at the top of the screen:

System: System configuration and utility functions associated with Endian Firewall itself.

Status: Displays detailed information on the status of the various parts of your Endian Firewall.

Network: Configuration of host entries and IP aliases (see Chapter 4, Network Menu).

Services: Configuration/administration of the Endian Firewall service options.

Firewall: Configuration/administration of Endian Firewall's firewall options.

Proxy: Configuration/administration of Endian Firewall's application proxies (HTTP, POP3, SIP, FTP and SMTP), including antivirus, antispam and content filter configuration.

VPNs: Configuration/administration of your Endian Firewall Virtual Private Network settings and options.

Logs: View all your Endian Firewall logs (firewall, IDS, proxy, etc.).


Figure 2.3. Displays the Endian Network Support status

In the first page section, you see the Endian Commercial Support Status. This is only available for Endian Firewall Enterprise version. To get more information about the Endian support program, visit our Homepage on http://www.endian.it. (This box is not displayed in version 2.1)

Figure 2.4. Online status

In the following box you will see information about the system status. The first part gives a short global summary of the connection status, while the second part gives more precise information about each uplink. After the connection status you will see a short line about the system's health.

Note

You will not see an active connection until you have finished configuring your Endian Firewall.

Short connection status display

The current connection status of the firewall is displayed here, followed by the connection time. The connection status can be one of the following:

Idle - No connection to the Internet and not trying to connect.

Dialing - Attempting to connect to the Internet.

Connected - Currently connected to the Internet.

If you are currently connected to the Internet you will see a connection status line in the following format:

Connected ( #d #h #m #s)

d = days connected
h = hours connected
m = minutes connected
s = seconds connected

Connection status

In the following table you will see the actual connection status of each uplink respectively.

The first cell shows the name of the uplink. Normally you will see only one uplink, called "main", since it is the primary uplink.

The second cell shows the connection status of that uplink; the possible values are described below. In the third cell you can manually connect the uplink if it is disconnected, or disconnect it if it is connected. Once you have pressed the connect or disconnect button you need to wait until the operation has completed; during this time you may reload the page with the refresh button on the right and you will see the content of the status field change.

Values for the connection status:

Connected

The uplink is connected and fully operational.

Stopped

The uplink is not connected.

Dead link

The uplink is up at link level, but none of the gateways configured for it could be reached, so in fact the uplink is not operational. Endian Firewall keeps pinging those gateways and reports when the link is working again.

Failure

There was a failure while connecting to the uplink.

Failure. Reconnection

There was a failure while connecting to the uplink. Endian Firewall will try to reconnect within the time interval which will be printed out.

Disconnecting

The uplink is currently disconnecting.

Connecting

The uplink is currently connecting.


System health line

Below your connection status line you will see a line similar to the following:

19:07:10 up 1 day, 7:21, 0 users, load average: 0.03, 0.01, 0.00

This line is basically the output of the Linux uptime command and displays the current time, the days/hours/minutes that Endian Firewall has been running without a reboot, number of users logged in, and the load average.
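The two status lines described above (the "Connected ( #d #h #m #s)" line and the uptime-style health line) are easy to scrape for monitoring, and the health line in particular is worth watching: uptime on a running box only ever grows, so a value that shrinks between two polls means the firewall was rebooted. The following parser is an added example and is not code from the guide or from Endian Firewall; the function names and the sample lines are this example's own, and the duration variants it accepts ("1 day, 7:21", "3 days, 2 min", "45 min", "12:05") are the ones the Linux uptime command prints.

```python
"""Parse the connection-status and system-health lines of the EFW home page.

Added example; not part of the Endian Firewall guide or product.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# "Idle", "Dialing" or "Connected ( #d #h #m #s)" as described in the guide.
_CONN_RE = re.compile(
    r"^\s*(Idle|Dialing|Connected)"
    r"(?:\s*\(\s*(\d+)d\s+(\d+)h\s+(\d+)m\s+(\d+)s\s*\))?\s*$"
)

# "<clock> up <duration>, <n> user(s), load average: <1>, <5>, <15>"
_UPTIME_RE = re.compile(
    r"^\s*(\d{1,2}:\d{2}(?::\d{2})?)\s+up\s+(.+?),\s+(\d+)\s+users?,"
    r"\s+load average:\s+([\d.]+),\s+([\d.]+),\s+([\d.]+)\s*$"
)


def parse_connection_line(line: str) -> Tuple[str, Optional[int]]:
    """Return (state, seconds connected); seconds is None unless Connected."""
    m = _CONN_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised connection line: {line!r}")
    state = m.group(1)
    if state != "Connected" or m.group(2) is None:
        return state, None
    days, hours, minutes, seconds = (int(x) for x in m.groups()[1:])
    return state, days * 86400 + hours * 3600 + minutes * 60 + seconds


def _duration_seconds(text: str) -> int:
    """Convert an uptime duration to seconds. Each comma-separated part is
    either "N day(s)", "N min" or "H:MM"; anything else is rejected."""
    total = 0
    for part in (p.strip() for p in text.split(",")):
        if m := re.fullmatch(r"(\d+)\s+days?", part):
            total += int(m.group(1)) * 86400
        elif m := re.fullmatch(r"(\d+)\s+min", part):
            total += int(m.group(1)) * 60
        elif m := re.fullmatch(r"(\d+):(\d{2})", part):
            total += int(m.group(1)) * 3600 + int(m.group(2)) * 60
        else:
            raise ValueError(f"unrecognised uptime component: {part!r}")
    return total


@dataclass(frozen=True)
class HealthLine:
    clock: str
    uptime_seconds: int
    users: int
    load: Tuple[float, float, float]   # 1, 5 and 15 minute load averages


def parse_health_line(line: str) -> HealthLine:
    """Parse the system health line (output of the Linux uptime command)."""
    m = _UPTIME_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised health line: {line!r}")
    clock, duration, users, l1, l5, l15 = m.groups()
    return HealthLine(clock, _duration_seconds(duration), int(users),
                      (float(l1), float(l5), float(l15)))


def rebooted_between(previous: HealthLine, current: HealthLine) -> bool:
    """True if the firewall restarted between two polls. Uptime only grows on
    a running system, so a smaller value means a reboot; on a perimeter
    device an unexpected one deserves an alert."""
    return current.uptime_seconds < previous.uptime_seconds


if __name__ == "__main__":
    # Constructed sample lines in the formats the guide shows.
    print(parse_connection_line("Connected ( 2d 3h 4m 5s)"))
    first = parse_health_line(
        "19:07:10 up 1 day, 7:21, 0 users, load average: 0.03, 0.01, 0.00")
    later = parse_health_line(
        "08:15:02 up 45 min, 1 user, load average: 0.10, 0.05, 0.01")
    print(first, later, rebooted_between(first, later))
```

Polling the home page with the admin credentials just to read these lines is overkill; the point of the parser is that the same two formats can be consumed wherever you already collect them (a scraped page, a saved screenshot transcript, or the uptime output from an SSH session) and fed into the same reboot check.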


Network Configuration

Endian Firewall provides a Network Setup Wizard for easy and fast configuration of your network interfaces and your uplink. The wizard is divided into steps with intuitive dialogues; some steps have substeps. The first line of each dialogue window shows the current step or substep, how many there are in total, and a short description of the page. You can go forward or back with the next (>>>) and back (<<<) buttons at any point, and you can always abort the configuration process with the Cancel button. On the last dialogue window you will be asked whether you really want to save the configuration you created with the wizard. If you proceed, the configuration is stored and Endian Firewall reconfigures its interfaces. This takes some time, and during that period the web interface will not be reachable.

Choose type of RED interface

Figure 2.5. Network wizard step 1: Choose type of RED interface

The RED interface is the interface which connects your firewall to the "outside", the untrusted network, which normally is the internet or the uplink to your internet provider.

Endian Firewall supports the following types of RED interfaces. Some are network interfaces, others may be PCI cards or USB devices:

NONE

Your firewall has no RED interface. This is unusual, since a firewall normally needs to have at least two interfaces, but for some scenarios this possibility does make sense, for example if you want to use only a specific service of the firewall. If you choose this, you will later be able to set a default gateway which does not lie within the RED network.


ADSL

If you have a USB or PCI ADSL modem, this is the right option for you.

ISDN

Select this if you have an ISDN USB device or PCI card.

ETHERNET STATIC

Select this if your RED interface is a simple ethernet card and you need to set up network information like IP address, netmask and so on manually. If you need to connect your RED interface to a simple router, this may be the right choice. Remember that in most cases you will need a crossover cable in order to connect it correctly.

ETHERNET DHCP

Select this if your RED interface is a simple ethernet card which needs to get its network information through DHCP. Most cable modems and ADSL/ISDN routers provide this possibility.

PPPoE

If your RED interface is a simple ethernet card connected to a device which requires you to use PPPoE in order to connect to your provider, then select this. Be careful not to confuse this option with the ETHERNET DHCP or ADSL option. This is only needed if your modem runs in bridging mode and does not connect itself to the internet provider via PPPoE. Some ADSL routers let you connect using DHCP or STATIC and establish the ADSL connection themselves using PPPoE. This is also the wrong option if you have a USB or PCI ADSL modem and want the modem to connect using PPPoE.

If you do not want your RED interface to connect to your uplink while booting, you have to tick the Do not automatically connect on boot checkbox.

On this page you will also find a box which displays the number of network cards that could be found. Depending on this value, and on whether you have already used up a network card by selecting a RED type which needs one, the following step lets you configure more or fewer zones.

Choose network zones

Figure 2.6. Network wizard showing Step 2: Choose network zones


In this step you decide which zones you want to configure on your firewall. Endian Firewall adopted IPCop's concept of different zones. The following zones are available:

GREEN

is the trusted network. This is supposed to be your LAN, from where you connect to the administration interface. This zone is mandatory and one network interface is reserved for it.

ORANGE

is the demilitarized zone (DMZ). If you host servers, it is wise to have them on a different network than your local network. If someone manages to break into one of your servers, the attacker does not automatically compromise the local network, but is trapped within the DMZ and cannot gain sensitive information from your local network. Note that it makes no sense to use ORANGE if the servers behind ORANGE and the workstations behind GREEN share the same switch or hub!

BLUE

is the wireless zone. You can attach a hotspot or WiFi access point to an interface assigned to this zone. There is only a logical difference between this zone and ORANGE. Since wireless networks are normally not really secure, you may prefer to put them into a separate zone: hosts in BLUE have no access to the local network behind GREEN and cannot reach hosts behind ORANGE without explicit configuration.

RED

As already described, the RED zone stands for the uplink to the internet provider or to another untrusted network; most of the time all the other zones have to be protected from intruders coming from this zone. You automatically have this zone unless you selected NONE in the previous dialogue.

You need at least one network card per zone, so some options may not be visible if you do not have enough network cards. Note that one network card is reserved for the GREEN zone and one may already be assigned to the RED zone if you selected a RED type which needs a network card.

You can choose between the following options:


NONE

Choose this if you do not need additional zones. You will live with GREEN and RED only.

ORANGE

You want to have only the ORANGE zone in addition to GREEN and RED.

BLUE

You want to have only the BLUE zone in addition to GREEN and RED.

ORANGE & BLUE

You want both ORANGE and BLUE, and will continue with a full-featured firewall.

Network preferences

This step asks you to configure all the ethernet zones you enabled on the previous page (GREEN, ORANGE and/or BLUE). Each zone is configured in the same way; the screenshot below shows the configuration of the GREEN and ORANGE interfaces. At the bottom of this page it is also possible to configure the hostname and domain name of your firewall.

Figure 2.7. Network wizard showing Step 3: Network preferences


You need to configure the following fields for each zone:

IP address

Provide the IP address which you would like to use for the interface of the respective zone, for example 10.1.1.1. Make sure to use an IP address which is not already used within your network, especially if you would like to change the IP address of your GREEN zone. Note that you need to use different subnets for different zones. For example, if you use 10.1.1.1 in GREEN you may use 10.2.2.1 for ORANGE, but not an IP address of the same network, like 10.1.1.2! The network wizard will not allow you to go forward if networks overlap or if you do not fill out all necessary fields. It is suggested to follow RFC1918 and use only IP addresses which are reserved for private networks. The following blocks of IP address space have been reserved for private networks by the Internet Assigned Numbers Authority (IANA):

10.0.0.0 - 10.255.255.255 (10.0.0.0/8)

172.16.0.0 - 172.31.255.255 (172.16.0.0/12)

192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Note

It may also be wise to follow some conventions and always assign the first IP address to the firewall, for example 192.168.0.1.

Note

IP addresses ending in .0 (example: 192.168.0.0) and in .255 (example: 192.168.0.255) are reserved for the network address and the broadcast address. Do not assign them to any device.

Note

If you reconfigure Endian Firewall and change some IP addresses, you also need to change the IP address within the configuration of some services, like the HTTP proxy, which is described later in efw.proxy.http.

Network mask

Provide the network mask which you would like to use for the interface of the respective zone and the network behind it, for example 255.255.255.0.

Note

Make sure to use the same network mask on all of your computers behind the same zone, or some may not be able to pass the firewall.

Interface

Each zone needs to have at least one interface assigned. The network wizard suggests an interface assignment; you may change this. One interface can be assigned to only one zone, and the network wizard does not allow you to go forward if you choose the same interface for different zones. You can assign multiple interfaces to a zone by pressing Ctrl and clicking on the desired interfaces. The interfaces will then be bridged together internally, so they behave like a switch.

The interface list shows you all necessary information to identify your network card:


consecutive numbers: The interface list is sorted by PCI slot identification number. Therefore it is safe to number your PCI-mounted network cards from the first to the last: the first network card in your computer should be the card with number 1, the second the one with number 2, and so forth.

device description: We use lspci to read out this description. If your device is not included in our PCI device list because it is too new or too exotic, the description will be something like "Unknown device".

MAC address: The original MAC address of the device. This address should be worldwide unique (in reality it is not always). Most devices have their MAC address printed somewhere on the card or in the manual.

Note

Interfaces which are not supported by ethtool will not be supported by the network wizard because the necessary information cannot be gathered.

Note

Note that each of these zones is handled internally as a bridge, regardless of the number of assigned interfaces. Remember this when you encounter interface names: the interface name of a zone is always brX and not ethX. ethX is just the name of the physical interface which is part of the respective zone.

Internet Access preferences

During this step you configure the preferences needed to connect to the internet or to the untrusted network outside your firewall. You will find different configuration options on this page, depending on the type of RED interface you chose on the first page of this wizard. Some RED types need more configuration steps than others, so you may find substeps. The following sections describe every step for each RED interface type.

RED type: NONE

If you have chosen NONE as RED type on the first wizard page, you probably want to read this.

Figure 2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE

Since you have no RED, you do not need to configure it. Wow, how impressive.


In order to allow your Security Device (in this case I do not dare to speak of a firewall) to access other networks like the internet, you need to configure a default gateway. Here you can set this up. Only in this case can you use as default gateway any IP address which belongs to the network of one of your other zones (GREEN, ORANGE or BLUE). Normally you want to use an IP address belonging to the GREEN network, which is probably another firewall and gateway to the internet.

RED type: ADSL

If you have chosen ADSL as RED type then this will be of interest to you.

Since ADSL modems need a bunch of information this step is divided into three substeps.

Selection of the modem

Figure 2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem

Within the first substep you need to select which modem you would like to use. The box on this page shows all the modems which are currently supported by Endian Firewall. If you cannot find your modem, it is not supported and will not work. If your modem is already plugged in, Endian Firewall tries to recognize it automatically and preselects the first detected modem. The following string is displayed next to each modem which has been detected automatically:

--> detected <--

The following modems are currently supported:

ADSL modems with Conexant chipset

Fritz!Card DSL

Fritz!Card DSL v2

Fritz!Card DSL SL

Fritz!Card DSL SL USB

Fritz!Card DSL USB

Fritz!Card DSL USB Analog

Choose ADSL connection type

Figure 2.10. Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type


Endian Firewall supports four different ways to connect to an ADSL concentrator. You need to know which connection type is supported by your internet provider and use the respective type. Often internet providers allow you to choose between PPPoA and PPPoE; should this be the case, you can choose either of those two options. Keep in mind that PPPoE causes a little more traffic overhead than PPPoA, if this is of importance to you. The four possibilities are:

PPPoA

PPP over ATM. You can find further information about this protocol on Wikipedia.

PPPoE

PPP over Ethernet. You can find further information about this protocol on Wikipedia.

RFC1483 static IP

Basically this is a protocol which allows you to handle your modem like an ethernet device, to which you manually assign an IP address that you negotiated with your provider beforehand. If you have a real static IP you may need to use this option. You can find further information about this protocol at the RFC Editor: http://www.rfc-editor.org/rfc/rfc1483.txt

RFC1483 dhcp

Basically this is the same as RFC1483 static IP, except that the provider assigns your IP address using DHCP.

Supply connection information

This substep depends on the decision you made during the previous substep: depending on the selected ADSL connection type it shows different configuration options. Most of the needed information will be provided by your internet service provider. The following fields are common to each ADSL type. They depend on the infrastructure of your ISP, so you need to fill in the values you get from your provider:

VPI number

VCI number

Encapsulation

PPPoA/PPPoE


Figure 2.11. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (PPPoE)

Configuration for PPPoA and PPPoE is almost the same, therefore only PPPoE is described here. The following fields exist in addition to the common fields described above:

Username

Provide the username which you got from your ISP.

Password

Provide the password which you got from your ISP.

Authentication method

Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:

PAP - Password Authentication Method

CHAP - Challenge Handshake Authentication Protocol

PAP or CHAP - both authentication methods are implemented.

Some providers support only one authentication method; in that case you should get that information from your provider. Most providers implement both authentication methods, in which case it is safe to use either or to leave the decision to the system by selecting PAP or CHAP.


DNS

During establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolvers. If you select automatic, those values will be used. If you wish to configure them manually, select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

RFC1483 static ip

Figure 2.12. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 static ip)

If you got a real static IP from your provider, then normally this type will be used. This type has no authentication and no protocol for establishing the connection, therefore the provider's system cannot automatically send you configuration parameters (like IP address, DNS, ...) during connection establishment. You need to ask your provider for this information and configure everything manually here. Once configured, no system changes these parameters automatically, unlike with the other ADSL types. The following fields exist in addition to the common fields described above:

Static IP

Fill in the public IP address your provider assigned to you. If you do not have this information, ask your provider. If you use the wrong IP address you may not be able to use the connection.

Netmask

The network mask you got from your provider, for example 255.255.255.0.

Gateway


The IP address of the gateway located on your provider's side which should be used as your default gateway.

RFC1483 DHCP

Figure 2.13. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 DHCP)

This ADSL type is the same as RFC1483 static IP, except that you do not need to provide IP address, netmask and gateway, because that information is retrieved automatically using DHCP. The following fields exist in addition to the common fields described above:

DNS

During establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use. If you select automatic, those values will be used. If you wish to configure them manually, select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

RED type: ISDN

If you chose ISDN as RED type you will see the following dialogue page within the fourth step.

Figure 2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences


The following section will describe each of the fields:

Please select the driver of your modem

Here you need to select the type of modem you are using. The selection box shows all the modems that are currently supported by Endian Firewall. If you cannot find your modem, it is unfortunately not supported and will not work. If your modem is already plugged in, Endian Firewall tries to recognize it automatically and preselects the first detected modem. The following string is displayed next to each modem that has been detected automatically:

--> detected <--

The following modems are currently supported:

AVM GmbH, Fritz Card USB2 (Version 3.0)

AVM GmbH, Fritz Card USB2 (Version 2.0)

HFC-S PCI (Billion and compatible)

HFC-S USB TA (Billion, Trust or compatible)

AVM GmbH, Fritz Card PCI

AVM GmbH, Fritz Card USB

Phonenumber to dial

Fill in the telephone number of your Internet Service Provider, that you need to dial to connect to the Internet.

Your phone number to be used to dial out


Fill in the telephone number of your own line which you want to be used when you dial out. This number may also be known as MSN.

Username

Provide the username you got from your ISP.

Password

Provide the password you got from your ISP.

Authentication method

Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:

PAP - Password Authentication Method

CHAP - Challenge Handshake Authentication Protocol

PAP or CHAP - both authentication methods are implemented.

Some providers support only one authentication method; in that case you should get that information from your provider. Most providers implement both authentication methods, in which case it is safe to use either or to leave the decision to the system by selecting PAP or CHAP.

Use both B-Channels

Enable this if you want to use both ISDN channels bundled in order to double your bandwidth. Your provider must support this.

Hang up after minutes of inactivity

Enable this if you want the modem to close the connection to your internet service provider when no data is sent through it. If you select a value other than off, the modem closes the connection after the selected number of minutes of inactivity.

DNS

During establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolvers. If you select automatic, those values will be used. If you wish to configure them manually, select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

RED type: ETHERNET STATIC

This dialogue page will be shown if you chose ETHERNET STATIC as your RED type.

Figure 2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences


Configuration is almost the same as described before in the section called “Network preferences”. Currently you can have only one RED device, therefore you cannot select multiple interfaces. Additionally you need to configure a default gateway: the IP address of the remote host to which the firewall is connected and which will be used as gateway to the internet. This IP address must be located within the RED network; the network wizard does not allow you to provide a default gateway which is outside the RED network. For example, if you use 192.168.0.1 as IP address and 255.255.255.0 as network mask, the default gateway cannot be 192.168.1.1. A possible value would be 192.168.0.2.
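The address rules from the “Network preferences” step (different subnets per zone, no network or broadcast addresses, RFC1918 recommended) and from this step (default gateway inside the RED network, or inside another zone for RED type NONE) can be checked offline before running the wizard. The following script is an added example and not Endian Firewall's own wizard code; the zone and gateway values in it are constructed from the examples in the text.

```python
"""Added example, not Endian Firewall's own code: an offline re-implementation
of the address checks described for the network wizard (different subnets per
zone, no network/broadcast addresses, RFC 1918 recommendation, default gateway
inside the RED network, or inside another zone for RED type NONE)."""
import ipaddress
from itertools import combinations

# IANA-reserved private address space (RFC 1918), as listed in the text.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(name, ip, netmask):
    """Check one zone's 'IP address' / 'Network mask' fields.

    Returns (interface, errors, warnings). Errors are conditions the wizard
    refuses to continue with; warnings are the recommendations from the text.
    """
    errors, warnings = [], []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return None, [f"{name}: invalid IP address or netmask ({exc})"], []
    net = iface.network
    # Addresses ending in .0 / .255 (network and broadcast) must not be used.
    if iface.ip in (net.network_address, net.broadcast_address):
        errors.append(f"{name}: {iface.ip} is the network or broadcast "
                      f"address of {net} and cannot be assigned")
    if not any(net.subnet_of(block) for block in RFC1918):
        warnings.append(f"{name}: {net} is not RFC 1918 private space")
    elif not errors and iface.ip != net.network_address + 1:
        warnings.append(f"{name}: convention is to give the firewall the "
                        f"first address, {net.network_address + 1}")
    return iface, errors, warnings


def validate_layout(zones, default_gateway=None):
    """zones maps a zone name (GREEN, ORANGE, BLUE and, for RED type
    ETHERNET STATIC, RED) to an (ip, netmask) pair of strings.
    default_gateway is the 'Default gateway' field: with a RED zone it must
    lie inside the RED network, without one (RED type NONE) inside one of
    the other zones. Returns (errors, warnings); no errors means the wizard
    would let you go forward."""
    errors, warnings, ifaces = [], [], {}
    for name, (ip, mask) in zones.items():
        iface, errs, warns = parse_zone(name, ip, mask)
        errors += errs
        warnings += warns
        if iface is not None:
            ifaces[name] = iface
    # Different zones must use different subnets: no overlap allowed.
    for (a, ia), (b, ib) in combinations(ifaces.items(), 2):
        if ia.network.overlaps(ib.network):
            errors.append(f"{a} {ia.network} overlaps {b} {ib.network}")
    if default_gateway is None:
        return errors, warnings
    try:
        gw = ipaddress.ip_address(default_gateway)
    except ValueError:
        errors.append(f"default gateway {default_gateway!r} is not an IP address")
        return errors, warnings
    if "RED" in zones:
        allowed = {"RED": ifaces["RED"]} if "RED" in ifaces else {}
    else:  # RED type NONE: the gateway may sit in any other zone's network
        allowed = dict(ifaces)
    hits = [n for n, i in allowed.items() if gw in i.network]
    if allowed and not hits:
        nets = ", ".join(f"{n} {i.network}" for n, i in allowed.items())
        errors.append(f"default gateway {gw} is not within {nets}")
    elif any(gw == allowed[n].ip for n in hits):
        errors.append(f"default gateway {gw} is the firewall's own address")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample layouts following the examples in the text.
    good = {"GREEN": ("10.1.1.1", "255.255.255.0"),
            "ORANGE": ("10.2.2.1", "255.255.255.0"),
            "RED": ("192.168.0.1", "255.255.255.0")}
    print(validate_layout(good, "192.168.0.2"))       # ([], [])
    bad = {"GREEN": ("10.1.1.1", "255.255.255.0"),
           "ORANGE": ("10.1.1.2", "255.255.255.0")}   # same network as GREEN
    for line in validate_layout(bad)[0]:
        print("ERROR:", line)
```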

RED type: ETHERNET DHCP

This dialogue page will be shown if you chose ETHERNET DHCP as RED type.

Figure 2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences


ETHERNET DHCP is almost the same as ETHERNET STATIC, except that there is no need to configure the device, since all necessary information is retrieved from the DHCP server. You only need to select which interface you would like to use for your RED zone. Since currently only one RED interface is possible, you cannot select multiple interfaces. The following configuration options exist:

Interface

Select the interface you want to use as RED interface as already described above.

DNS

The DHCP server also sends you the IP addresses of your DNS servers. If you select automatic, these addresses will be used. If you wish to configure them manually, select manually. In some cases this may be useful, for example if your DHCP server sends wrong information or if the supplied DNS resolvers do not work correctly.

RED type: PPPoE

This dialogue page will be shown if you chose PPPoE as RED type.

Figure 2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences


As already mentioned before, you use this type if you have an ADSL modem with a simple ethernet connection to your Endian Firewall.

Note

This cable in most of the cases has to be crossover!

The following configuration options are supported for this type:

Interface

Select the interface you want to use as RED interface and to which you connected the ADSL ethernet modem.

ADSL type


This option will disappear. It makes no difference what you select here.

Username

Fill in the username you got from your internet service provider.

Password

Fill in the password you got from your internet service provider.

Authentication method

Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:

PAP - Password Authentication Method

CHAP - Challenge Handshake Authentication Protocol

PAP or CHAP - both authentication methods are implemented.

Some providers support only one authentication method; in that case you should get that information from your provider. Most providers implement both authentication methods, in which case it is safe to use either or to leave the decision to the system by selecting PAP or CHAP.

DNS

During establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolvers. If you select automatic, those values will be used. If you wish to configure them manually, select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

Service

Some ISPs provide different services; if necessary, you may enter the service name here in order to select which one you want to use. In most cases this option is meaningless.

Concentrator name

Specifies the desired access concentrator name. In most cases you should not specify this option. Use it only if you know that there are multiple access concentrators and your ISP wants you to specify a particular one.

Configure DNS resolver

This step is only needed if the RED connection type does not automatically provide the addresses of the DNS resolvers to use, or if you selected in the previous step that you want to set the DNS resolvers manually. If DNS resolvers are retrieved automatically, no configuration fields are shown here and you can safely go ahead. Otherwise you will see two fields labeled DNS 1 and DNS 2.

Figure 2.18. Network wizard showing step 5: configure DNS resolver


Fill in both fields with the DNS servers you want to use as resolvers. If you have only one, it is safe to fill in the same value in both fields, but this is not recommended, since you will not be able to resolve names if that name server temporarily does not answer. You need a working DNS resolver in order to resolve names; if resolving does not work you may not be able to access internet sites.

Apply configuration

This is the last step of the network wizard. It only asks you to confirm the modifications.

Figure 2.19. Network wizard showing step 6: Apply configuration

Click the button OK, apply configuration to go ahead. Once you have done this, the network wizard saves the data, reconfigures all necessary devices and restarts all dependent services. This may take up to 20 seconds. During the restart you may not be able to connect to the administration interface, and for a short time no connections through the firewall are possible. So no worries, that's normal. The administration interface will automatically reload after 20 seconds.

If you changed the IP address of the GREEN zone, you will be redirected to the new IP address, after the 20 seconds of course. In this case, and/or if you have changed the hostname, a new SSL certificate will be generated.

Note

There is an issue when managing more than one Endian Firewall: the browser refuses the new certificate because it considers the certificate corrupt. You can solve this by removing all accepted certificates from the browser cache, or by closing all running browser windows and then restarting the browser.


EN registration


This menu item is not available in the Community version.

The Endian Firewall Enterprise version has the ability to register to the Endian Network. Registration allows you to monitor and manage your firewalls using Endian Network. Your registered Endian Firewalls can also be collectively updated, automatically or manually, through Endian Network with just a few clicks. In order to be able to get those updates you need to register. The following describes how to register, and below you will find the same page for a successfully registered firewall.

Figure 2.20. Unregistered Endian Firewall

In order to register to the Endian Network, supply the following information in the registration form:

Endian network username

Fill in the username of your user account on Endian Network.

Endian network password

Fill in your Endian Network user password. These credentials will only be used to authenticate yourself on Endian Network in order to register. The credentials will not be saved.

Activation key

Fill in the activation key you got from your Endian Reseller. It is a one way key consisting of 12 characters. The activation key can be used only once.

System name

Give a name. It may be wise to use the system's hostname. With this name you can identify the firewall on Endian Network. Especially if you have multiple firewalls, it is wise to choose a name which contains information about where this system is located, like the customer's name. This value can be changed on Endian Network after registration.

Short description

Here you can add a short description of the installation, for example where the firewall is located geographically. This value can be changed on Endian Network after registration.

Figure 2.21. Registered Endian Firewall


The page is divided into two parts.

Registration information

The first part displays your registration information:

System name - Displays the name of the system which you supplied on registration. You can use this label to identify this firewall on Endian Network.

Registered for - Displays the name of the responsible person or organisation for which this system has been registered.

Short description - Displays the short description which you supplied on registration.

System ID - Every system gets a worldwide unique identification number during registration. We use this number to identify your hardware within Endian Network. You may be asked for this number if you need to get support.

Last update - Displays the date of the last update.

Note

If you change any of these information fields on the Endian Network, your firewall will be synchronized within one hour.

Activation Keys

You need a valid activation key for each maintenance channel provided by the Endian Network if you want to get the updates provided by the respective channel. An installation may use more than one activation key if you need to subscribe to more than one channel; normally you will have only one. The following information is provided for each activation key:

Channel

Displays the name of the Endian Network channel for which the respective activation key is valid. For example Endian Firewall.


Valid from

The subscription to the respective channel is valid from this date on.

Valid until

The subscription to the respective channel is valid until this date.

Days

Displays how many days the subscription will still be valid.


Passwords


Figure 2.22. Password changing dialogue

The Passwords subsection of this AW allows you to change the admin password or the password of the dial user, as you deem necessary. Simply enter the desired password once in each field for the user you wish to update and click on Save.

Note

You have to log in again with the new password if you change the admin user password.


SSH Access


The SSH subsection of this AW allows you to decide whether remote SSH access to your Endian Firewall is available or not. By placing a checkmark in the box you activate remote SSH access. It is also possible to configure several SSH daemon parameters from this web page. The SSH option is disabled by default; we advise enabling it only as needed and disabling it again afterwards.

Figure 2.23. SSH access page

Note

The SSH port on the EFW machine is the standard 22 (not switched to 222 like in IpCop).

SSH Options

The following SSH options are available from the web page:

Enabled:

Checking this box enables SSH. Unless you use external access, SSH will only be available from the GREEN network. With SSH enabled it is possible for anyone with the Endian Firewall root password to log into your firewall at the command prompt.


Support SSH protocol version 1 (required only for old clients)

Checking this box enables support of SSH version 1 clients. Use of this option is strongly discouraged. There are known vulnerabilities with SSH version 1. Use this option only for temporary access, if you only have SSH version 1 clients and there is no way to upgrade to SSH version 2. Most, if not all, of the current SSH clients support version 2. Upgrade your clients if at all possible.

Allow TCP Forwarding

Checking this box allows SSH-encrypted tunnels (port forwarding) to be built through the firewall, for example between an external user and a machine inside your network.

What use is this when EFW already has a VPN?

You are on the road and something goes wrong with one of your servers, but you have not set up a road warrior VPN connection. If you know your EFW root password you can use SSH port forwarding to get through your firewall and reach a server on one of your protected networks. The following paragraphs explain how, assuming a Telnet server is running on an internal computer at 10.0.0.20 and that your remote machine runs Linux. PuTTY on Windows has the same capabilities, accessed through its dialog boxes. You may already have done one or both of the first two steps.

1. Enable, or have someone else enable, external access for port 10443, the HTTPS port.

2. Use the EFW web pages to enable SSH access, TCP forwarding and external access for port 22.

3. Create the SSH tunnel from your remote machine, through the SSH daemon on the EFW, to the internal server by issuing the command:

   $ ssh -N -f -L 12345:10.0.0.20:23 root@efw

-N

Tells ssh not to execute a remote command; together with -f, the ssh process stays in the background holding the tunnel open until you terminate it with kill. As an alternative, drop -N and append the command sleep 100 to the end of the command line: ssh then exits after 100 seconds unless a connection is still using the tunnel, so a telnet session opened within those 100 seconds keeps the tunnel alive until the session ends.

-f

Tells ssh to go into the background just before running the remote command (or, with -N, right after authenticating).

-L

tells SSH to build a port forwarding tunnel as specified by the next parameters.

12345

The local port on your remote machine that will be forwarded through the tunnel. Choose a port above 1023; lower ports are privileged and can only be bound by root.


10.0.0.20

The GREEN address of the internal server, the destination the EFW will connect to on your behalf.

23

The destination port on that server, 23 for Telnet.

root@efw

Finally, this specifies that your Endian Firewall is the SSH host doing the port forwarding. You need a user ID to log in as, and the only one available is root; you will be prompted for EFW's root password.

4. Finally, log into the internal Telnet server through the tunnel:

   $ telnet localhost 12345

localhost is the machine you are running on; the loopback address 127.0.0.1 is defined as localhost. 12345 is the local tunnel port specified in the previous command.

There is a tutorial on SSH port forwarding at Dev Shed.
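The walk-through above, collected into a small script as an added example that is not part of the manual: it builds the ssh command line with the checks a practitioner wants before running it (valid ports, an unprivileged local port, a dotted-quad target), binds the local end to 127.0.0.1 so other machines on whatever LAN you are sitting on cannot use your tunnel, and tears the tunnel down cleanly through an OpenSSH control socket instead of hunting for the background process with kill. The host name efw, the internal server 10.0.0.20 and port 12345 are the manual's; the control-socket path and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Endian manual: build, open and close the
# SSH port-forwarding tunnel from the walk-through above.
# "efw", 10.0.0.20 and 12345 come from the manual; the control-socket path
# is this example's own assumption.

EFW_HOST="${EFW_HOST:-efw}"
CTL_SOCK="${CTL_SOCK:-${HOME:-/tmp}/.ssh/efw-tunnel.sock}"

# is_port N: true if N is an integer between 1 and 65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd LOCALPORT TARGETHOST TARGETPORT
# Prints the ssh command line on stdout; on bad input prints a message on
# stderr and returns 1. The local port is bound on THIS machine, so it must
# be above 1023 unless you run as root.
build_tunnel_cmd() {
    lport=$1; thost=$2; tport=$3
    is_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    is_port "$tport" || { echo "bad target port: $tport" >&2; return 1; }
    if [ "$lport" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "local port $lport is privileged, use one above 1023" >&2; return 1
    fi
    # only a dotted-quad target is accepted: the string is handed to eval later
    case "$thost" in
        *[!0-9.]*|'') echo "bad target address: $thost" >&2; return 1 ;;
    esac
    # -f -N as in the manual; -M -S add a control socket so the background
    # process can be told to exit later; ExitOnForwardFailure makes ssh fail
    # loudly if the EFW refuses the forward (TCP forwarding not enabled).
    printf 'ssh -f -N -M -S %s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s root@%s\n' \
        "$CTL_SOCK" "$lport" "$thost" "$tport" "$EFW_HOST"
}

# open_tunnel runs the built command; close_tunnel asks the master to exit.
open_tunnel()  { cmd=$(build_tunnel_cmd "$@") || return 1; eval "$cmd"; }
close_tunnel() { ssh -S "$CTL_SOCK" -O exit "root@$EFW_HOST"; }

# Dry run: print the command without contacting any host.
build_tunnel_cmd 12345 10.0.0.20 23
# Real use:  open_tunnel 12345 10.0.0.20 23 && telnet 127.0.0.1 12345; close_tunnel
```

Without the explicit 127.0.0.1 the forwarded port would still be bound to the loopback address by default, but stating it keeps the behaviour obvious if someone later adds -g or GatewayPorts to their client configuration.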

Allow password based authentication

Allows logging into the Endian Firewall with the root password. If you decide to turn this off, set up your SSH key files first and verify that you can log in with them; otherwise you will lock yourself out of SSH access.

Allow public key based authentication

By checking this box, public key authentication can be used by SSH. This is the preferred method of securing SSH access to EFW. This article discusses using ssh-keygen to generate RSA keys and how to use them with SSH.
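A check over the daemon options described above, as an added example that is not Endian's code: it reads an sshd_config on standard input, applies sshd's own parsing rules (keywords are case-insensitive, # starts a comment, the first occurrence of a keyword wins) and reports the settings this page warns about, including the lock-out case of disabling password login before key login has been verified. The two configurations at the end are constructed for the example; the keyword names are the standard OpenSSH ones.

```shell
#!/bin/sh
# Added example, not Endian's code: report weak sshd settings among the
# options discussed on this page. Reads sshd_config on stdin; exit status is
# 0 when nothing is flagged, 1 otherwise. The sample configurations at the
# bottom are constructed for this example.

audit_sshd_config() {
    awk '
    # sshd parsing rules: keywords are case-insensitive, "#" starts a
    # comment, and the FIRST occurrence of a keyword is the one that counts.
    {
        sub(/#.*/, "")
        if (NF == 0) next
        k = tolower($1)
        if (!(k in v)) v[k] = tolower($2)
    }
    function get(k) { return (k in v) ? v[k] : "(default)" }
    END {
        bad = 0
        if (get("protocol") ~ /1/) {
            print "WARN Protocol " get("protocol") ": SSH-1 has known weaknesses, use Protocol 2"; bad++
        }
        if (get("passwordauthentication") != "no") {
            print "WARN PasswordAuthentication " get("passwordauthentication") ": anyone with the root password can log in, prefer keys"; bad++
        }
        if (get("passwordauthentication") == "no" && get("pubkeyauthentication") == "no") {
            print "FAIL no login method left: verify key login works before turning passwords off"; bad++
        }
        if (get("allowtcpforwarding") != "no") {
            print "WARN AllowTcpForwarding " get("allowtcpforwarding") ": enable only while a tunnel is needed"; bad++
        }
        if (bad == 0) print "OK no weak settings found"
        exit (bad > 0 ? 1 : 0)
    }'
}

# Constructed samples: the first is the state after following the tunnel
# walk-through, the second what you want once key login has been verified.
WEAK='Protocol 2,1
PasswordAuthentication yes
PubkeyAuthentication yes
AllowTcpForwarding yes   # needed for the Telnet tunnel
'
HARDENED='Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
'
printf '%s' "$WEAK" | audit_sshd_config || echo "-> exit status 1, fix before relying on it"
printf '%s' "$HARDENED" | audit_sshd_config
```

On an EFW the file is written by the web interface, so run the check against the daemon's file rather than editing it by hand; the settings are changed on this page.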

SSH Host Keys

This section lists the fingerprints of the host keys used by SSH on EFW, so that you can verify you are opening a session with the right machine. The first time a session is opened, SSH displays one of these fingerprints and asks you to confirm that it is correct. Compare it against the values shown on this web page (fetched over HTTPS) before answering yes. If a host you have connected to before suddenly presents a different fingerprint, either its key was regenerated or the connection is being intercepted; find out which before logging in.


GUI Settings


This web page governs how the Endian Firewall web pages function and appear.

Figure 2.24. GUI settings

Display hostname in window title:

This checkbox turns on the display of the Endian Firewall's host name in the title of each web page. If you maintain more than one Endian Firewall, this is useful, since you can tell which machine your browser is currently showing.

Select the language you wish EFW to display in:

This drop-down menu lets you choose the language in which the EFW web pages are displayed.


Backup Web Page


In this section you can create "snapshots" of your EFW configuration, and restore the system to one of these snapshots when needed.

These snapshots can be saved on your EFW machine or exported to your computer.

It is also possible to reset the configuration to factory defaults and to create fully automated backups.

Your Backup list

On this page you can manage the creation, export, import and restoration of your EFW backups. You are presented with a list of all the backups made so far, sorted by date with the latest backup at the top.

Figure 2.25. Backup to files

The Creation Date column contains the creation date, while the Content column shows a list of flags that will tell you more about your backup:

S

This flag means that this specific backup contains your settings.

D

D tells you that this backup contains a database dump.

E


This archive is encrypted.

L

This backup contains log files.

A

Older log file backups have been saved with this backup.

!

There was a problem when trying to send this file.

C

This backup was created automatically by the backup scheduler.

The disk icon in the Action column lets you save the backup file to your computer. Clicking the garbage bin deletes the backup file. Clicking the last symbol restores this backup.

Create a new Backup file

By clicking on the Create new Backup button, Endian Firewall will open a new window in which you can configure your new backup.

Figure 2.26. Create new backup

The following options can be specified before the backup file is created:

Remark

This field lets you add a remark that will later remind you why this backup was made.

Include configuration


This option includes the configuration of your Endian Firewall, that is, the content of the /var/efw directory.

Include database dumps

If you want to include dumps of your database tick this checkbox.

Include log files

If you want to include your log files this checkbox should be checked.

Include log archives

If you also want to include the backups of your old log files tick this checkbox.

Create new Backup

By hitting this button the new backup file will be created and saved. You can now find it in the list of your backup sets.

Encrypt Backup files

Figure 2.27. Encrypt Backups

You also have the possibility to encrypt your backups if you want to. To do this you need to do the following:

1. Select your public key by clicking on the Browse... button and then selecting the key file.
2. Make sure the Encrypt backup archives checkbox is ticked.
3. Upload the key file by clicking the Save button.

Export Backup files

You can export backup files to your computer by:

1. Choose the set you want to export.
2. Click on the disk icon (Export) and save the file on your computer.

Import Backup files

Figure 2.28. Import Backup


If you want to import a backup file from your computer you have to do the following:

1. Choose a name for the backup and write it into the Remark field.
2. Browse your local folders and select the backup file you want to import.
3. Finally click the Import button. Your backup will be saved on the Endian Firewall and then shows up in the list of backup sets.

Note

Importing a backup does not restore it automatically. See Restore a Backup below for how to restore it.

Restore a Backup

Figure 2.29. Restore Backup

To restore the system from exported backup files:

1. Import your backup file.
2. Choose the new set in your backup list.
3. Click the Restore button.

To restore the system from a backup set on your EFW:

1. Choose the set you want to restore.
2. Click the Restore button.

Note


The Restore button is the button with the blue circle orbited by a grey arrow.

Schedule Backups

Figure 2.30. Schedule backups

If you want to schedule automatic backups, you are presented with two windows. The first configures the schedule itself; the second lets you have the created backup files sent to you automatically by e-mail.

Scheduling your backups is very easy and the options regarding the backup content are the same as when creating manual backups. New options are:

Enabled

Check this if you want automatic backups.

Keep # of archives

This number lets you decide how many automatic backups you want to save on your Endian Firewall.

Schedule for automatic backups


Choose here how often you want to create a backup of your firewall.

Save

Click this button to save the configuration.

Note

If you move the mouse cursor over the question marks you will see detailed information about the schedules.

If you want to receive an e-mail for every automatic backup you'll have to have a look at the second window.

Enabled

Tick this if you want e-mails with your backup files. Since the archive contains your complete configuration, enable backup encryption (see Encrypt Backup files above) before sending it over e-mail.

E-Mail Address of Recipient

Here you need to enter the address you want the backups sent to.

E-Mail Address of Sender

Here you can specify a sender-address for the automatic e-mails.

Address of Smarthost to be used

If your e-mails are treated as spam by many mail servers because you use a dynamic IP address, enter the address of your Internet service provider's mail server here. All backups will then be sent through this mail gateway.

Save

Click here to save your options.

Send a backup now

Click this button to store your settings and send a backup immediately.

Note

If you enable mailing, logfile archives will not be sent to keep the backup files at a reasonable size.

Reset configuration to factory defaults

Figure 2.31. Reset to factory defaults


The Factory defaults button resets the configuration of your Endian Firewall to factory defaults. Technically, a backup created on first boot is restored when you do this.


Shutdown or Restart Endian Firewall


In this section you can shutdown or reboot your Endian Firewall by clicking the "Shutdown" or "Reboot" button respectively.

Figure 2.32. Shutdown / Reboot page

This page was last modified on: $Date: 2006-11-14 16:46:10 +0100 (Tue, 14 Nov 2006) $.


Chapter 3. Status Menu


Table of Contents

Introduction

System Status

Services

Memory

Disk Usage

Uptime and Users

Loaded Modules

Kernel Version

Network Status

Interfaces

RED DHCP configuration

Current Dynamic Leases

Routing Table Entries

ARP Table Entries

System Graphs

Traffic Graphs

Proxy Graphs

Connections

SMTP Mail Statistics

Mail Queue

IPTables Rules

Introduction

Figure 3.1. Status menu selected


This group of web pages provides you with information and statistics from the Endian Firewall. To get to these web pages, select Status from the menu bar at the top of the screen. The following choices will appear in the left menu:

System Status
Network Status
System Graphs
Traffic Graphs
Proxy Graphs
Connections
SMTP Mail Statistics
Mail Queue
IPTables Rules


System Status


The Status pages present you with a very thorough list of information regarding the current state of your Endian Firewall. The first subsection, System Status, displays the following, from top to bottom:

Services

Services - Displays which services are currently running. Use it to check that all the services you have enabled are really up and running. Services that are not enabled are listed as stopped, which is nothing to worry about. If a service that should be running is listed as stopped, simply restarting it may solve the problem.

Figure 3.2. Page which displays the actual running services


Memory

Displays the memory/swapfile usage on your EFW box.

Figure 3.3. Page which displays the current memory usage

This is the formatted output of the tool free. It shows the amount of existing (Size) physical (RAM) and virtual (Swap) memory. The existing memory figure reflects the memory available to user applications. For both physical and virtual memory you see the amount currently used and free; the percentage helps to put the numbers in perspective.

You may notice that after the system has been running for a while it reports very little free memory. To explain this, a short digression into how the kernel manages memory is needed. Disk I/O is very slow compared to memory access, and files are normally read more than once, so the kernel keeps data it has read in a disk cache in RAM: the chance is high that the same data is read again, and it can then be served from the fast cache instead of the slow disk. The kernel therefore fills all free memory with disk cache rather than leaving RAM unused; the screenshot above shows this amount as cached. There is no cause for concern, because the kernel frees memory used as disk cache as soon as applications need it. To see how much memory is really left for applications, look at the line -/+ buffers/cache, which shows used and free memory without kernel buffers and disk cache. If that line shows no free memory left, the machine starts to use swap heavily and will probably run into performance problems; in that case adding RAM is the best remedy. You may find additional information in the Linux System Administrator's Guide.

Disk Usage

Disk Usage - Displays the output of df, which reports the amount of total (Size), used and free disk space on your Endian Firewall.

Figure 3.4. Page which displays the current disk usage


Note

The mountpoint /dev shows up as if it were mounted twice. This is a known issue and has no side effects.

Uptime and Users

Uptime and Users - Displays the output of the w command, which reports the current time, how long the system has been running since the last reboot, the number of users currently logged in and the system load averages for the past 1, 5 and 15 minutes.

Figure 3.5. Page which displays uptime and current logged in users

If any user is currently logged in (which should normally not be the case unless it is you), a table with information about each user is shown: the login name (USER), the tty used for the login (TTY), the IP address of the remote host the user logged in from (FROM), the login time (LOGIN@), how long the user has been idle (IDLE), the CPU time used by all processes on this tty (JCPU), the CPU time used by the user's current process (PCPU) and the process the user is currently running (WHAT). A login you do not recognise here deserves investigation.

Loaded Modules

Loaded Modules - This displays all modules currently loaded and in use by the kernel.

Figure 3.6. Page which displays the current loaded kernel modules

Kernel Version


Kernel Version - This displays information on the EFW kernel itself; it is the output of uname -a. It shows the kernel name, the hostname, the kernel release, the version string with the build timestamp, the architecture it was built for and the name of the operating system.

Figure 3.7. Page which displays the kernel version


Network Status


The Network Status subsection displays the following in top-down order:

Interfaces

Interfaces - This section displays information about all your network devices, including PPP, OpenVPN, IPsec, loopback, etc. Basically this is the output of ifconfig.

Figure 3.8. Displays interfaces


Each interface name is coloured with the colour of its zone; purple identifies interfaces that belong to a VPN. Since each zone is in reality a bridge to which all assigned interfaces are joined, you need to look at the interfaces beginning with br: they are the real zone interfaces holding the IP addresses you configured, although they are virtual interfaces. The interfaces beginning with eth are the physically present network cards. The interface called lo is the loopback interface, needed for communication with the machine itself without leaving through any real network card. You may also find interfaces beginning with tap; those are used for OpenVPN tunnels.

Each interface shows a bunch of information at the right side. If you want to know more then it would probably be better to read the Network Administrators Guide. Here you will find a short description about the most important values:

Link encap

Specifies the link type. Values like Ethernet, Local Loopback, Point-to-Point Protocol may appear here.

HWaddr

The hardware address (MAC) of the respective interface.

inet addr

The IP address which has been assigned to the interface. You may notice that the interfaces which are part of a bridge do not have an IP address.

Bcast

The broadcast address which has been assigned to the interface.

Mask

The network mask which has been assigned to the interface.

RX/TX packets

This line shows how many packets have been received or transmitted error-free, how many errors occurred, how many packets were dropped (probably because of low memory) and how many were lost because of an overrun. Receiver overruns usually happen when packets come in faster than the kernel can service the last interrupt.

RX/TX bytes

These lines show the data volume received or transmitted by this interface.

Between the lines described above you find a line with the status and options set for the respective interface. You may be concerned about the PROMISC option set on most of the interfaces: physical network cards are put into promiscuous mode because they are members of a bridge, which has to see every frame on the wire in order to forward it.


RED DHCP configuration

Displays the DHCP configuration on your RED interfaces if the DHCP is required by your internet connection.

Figure 3.9. Displays current RED DHCP configuration

Current Dynamic Leases

Displays the contents of the /var/state/dhcp/dhcpd.leases file if the DHCP server is enabled. The current dynamic leases are listed with hostnames, if available, and expiry dates. Leases that have expired are struck through.

Figure 3.10. Displays current dynamic leases

Note

This section will only be visible if DHCP is enabled. Refer to the section on the DHCP Server for details.
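To see which leases the page would strike through, here is an added example that is not Endian's or ISC's code: a POSIX awk filter that reads a dhcpd.leases file and prints each address with its current hardware address, hostname, expiry and status. It relies on two properties of the file format: dhcpd appends a fresh block whenever a lease changes, so the last block for an address is the current one, and it writes times in UTC as zero-padded "W YYYY/MM/DD HH:MM:SS", so expiry can be compared against a reference time as a plain string. The lease file text is constructed for the example.

```shell
#!/bin/sh
# Added example (not Endian's or ISC's code): list the leases in a
# dhcpd.leases file and mark the expired ones, as the status page does.
# The lease text at the bottom is constructed for this example.

# list_leases NOW   (NOW as "YYYY/MM/DD HH:MM:SS", UTC like the file)
# Reads dhcpd.leases on stdin and prints "IP MAC HOSTNAME ENDS STATUS".
# dhcpd appends a new block each time a lease changes, so the LAST block
# for an address wins; times are zero-padded, so string comparison works.
list_leases() {
    awk -v now="$1" '
    $1 == "lease" { ip = $2; mac[ip] = "-"; host[ip] = "-"; until[ip] = "-" }
    $1 == "ends" { sub(/;$/, ""); until[ip] = ($2 == "never") ? "never" : ($3 " " $4) }
    $1 == "hardware" && $2 == "ethernet" { sub(/;$/, ""); mac[ip] = $3 }
    $1 == "client-hostname" { sub(/;$/, ""); gsub(/"/, ""); host[ip] = $2 }
    END {
        for (ip in until) {
            e = until[ip]
            st = (e != "never" && e != "-" && e < now) ? "EXPIRED" : "ACTIVE"
            print ip, mac[ip], host[ip], e, st
        }
    }' | LC_ALL=C sort
}

# Constructed lease file: 10.0.0.50 was renewed (two blocks, the second is
# current), 10.0.0.51 ran out at noon, 10.0.0.52 never expires.
LEASES='lease 10.0.0.50 {
  starts 2 2006/11/14 10:00:00;
  ends 2 2006/11/14 22:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 10.0.0.51 {
  starts 2 2006/11/14 11:00:00;
  ends 2 2006/11/14 12:00:00;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.0.0.52 {
  starts 2 2006/11/14 11:30:00;
  ends never;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "printer";
}
lease 10.0.0.50 {
  starts 2 2006/11/14 16:00:00;
  ends 3 2006/11/15 04:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
'
printf '%s' "$LEASES" | list_leases "2006/11/14 18:30:00"
```

On a running EFW you would feed it the real file and the current UTC time, for example `list_leases "$(date -u '+%Y/%m/%d %H:%M:%S')" < /var/state/dhcp/dhcpd.leases`.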

Routing Table Entries

This is the output of route -n, which shows the kernel routing table. The routing table tells the kernel which block of IP addresses is reachable through which interface. Most lines in the output describe your local networks. Since the firewall also needs to reach the Internet, that is, all destinations whose IP addresses are not directly known to the kernel, an entry is needed that sends all other packets to one specific host in the hope that this host knows more about their delivery. That host is called the default gateway. In your output you can identify it in the line with destination network address 0.0.0.0, which stands for all destinations.

Figure 3.11. Displays current routing table


In addition, each line shows the following information:

Destination

Specifies the destination network address. For each packet passing through, the kernel compares the packet's destination IP address, masked with Genmask, against this address to find the network the address belongs to. If more than one entry matches, the most specific one (the one with the longest netmask) is used.

Gateway

Specifies the gateway, the host the packet should be sent to. 0.0.0.0 means the destination is directly reachable on the attached network (LAN) and the packet is not sent to an intermediate host.

Genmask

The network mask of the respective network.

Flags

The most interesting flags are the following:

U - the route is up.
G - the route uses the gateway address specified under Gateway.
H - the route entry is a host route, i.e. it applies to a single host rather than a whole network. You may notice that the netmask in this case is 255.255.255.255.

Iface

Specifies the interface through which the kernel will send the packets if the respective routing entry applies.
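To make the matching rule concrete, here is an added example, not code from the manual: a POSIX awk function that takes the output of route -n and a destination address and reports the entry the kernel will pick, that is, the matching entry with the longest netmask, falling back to the 0.0.0.0 default route and reporting "unroutable" when even that is missing. The routing table below is constructed for the example (a GREEN 10.0.0.0/8 on br0, an ORANGE 192.168.1.0/24 on br1, one static host route and a default gateway on RED); the interface names and the 203.0.113.1 gateway are assumptions.

```shell
#!/bin/sh
# Added example, not from the manual: find the "route -n" entry the kernel
# will use for a destination, i.e. the matching line with the longest
# netmask, with 0.0.0.0/0.0.0.0 (the default gateway) as the last resort.
# The table at the bottom is constructed for this example.

# route_for IP   reads "route -n" output on stdin and prints either
# "IP via GATEWAY dev IFACE (DEST/MASK FLAGS)", "IP directly dev ..." or
# "IP unroutable".
route_for() {
    awk -v target="$1" '
    BEGIN { best = -1 }
    # addr AND mask, octet by octet: awk has no portable bitwise AND, but a
    # contiguous netmask octet m keeps the address octet rounded down to a
    # multiple of 256-m (255 keeps it, 0 zeroes it, 240 keeps blocks of 16)
    function masked(addr, mask,   a, m, i, b, out) {
        split(addr, a, "."); split(mask, m, ".")
        for (i = 1; i <= 4; i++) {
            b = 256 - m[i]
            out = out (i > 1 ? "." : "") (int(a[i] / b) * b)
        }
        return out
    }
    # netmask as a 32-bit number: larger means a longer, more specific prefix
    function asnum(addr,   a) {
        split(addr, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # data lines: Destination Gateway Genmask Flags Metric Ref Use Iface
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        if (masked(target, $3) == $1 && asnum($3) > best) {
            best = asnum($3)
            # Gateway 0.0.0.0 means the destination is on the attached LAN
            hop = ($2 == "0.0.0.0") ? "directly" : ("via " $2)
            line = target " " hop " dev " $8 " (" $1 "/" $3 " " $4 ")"
        }
    }
    END {
        if (best >= 0) print line
        else print target " unroutable"
    }'
}

# Constructed "route -n" output: a host route, ORANGE /24, GREEN /8, default.
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.20       10.0.0.1        255.255.255.255 UGH   0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 br0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth2
'
for dst in 10.0.0.20 10.0.0.21 192.168.1.7 8.8.8.8; do
    printf '%s' "$ROUTES" | route_for "$dst"
done
```

On a live system, `route -n | route_for 8.8.8.8` answers the question the page raises: does this destination leave through the default gateway on RED, or does some more specific entry send it elsewhere?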

ARP Table Entries

This is the output of arp -n, which displays the ARP cache. On the lowest layer of a LAN, network interfaces are not addressed by IP address but by MAC address. To learn which MAC address belongs to an IP address, the kernel sends an ARP request, a broadcast packet asking all connected network interfaces whether they have the desired IP address. The one that has it responds with an ARP reply containing its MAC address. So that the kernel does not have to send ARP requests all the time, replies are cached in the ARP table for a while.


Figure 3.12. Displays ARP table

The output shows the currently cached assignments of IP address (Address) to MAC address (HWaddress), and the interface (Iface) behind which the network card with that MAC address is found.

You may notice lines with [incomplete] instead of a MAC address. This happens when someone tried to reach an IP address that did not answer, either because the address is wrong or because the device with that address is currently down or not connected.


System Graphs


Click on one of the four graphs (CPU Usage, Memory Usage, Swap Usage and Disk Access) to get graphs of the usage per Day, Week, Month and Year.

Figure 3.13. Display of CPU graph

Figure 3.14. Display disk usage graph

Figure 3.15. Display memory usage graph


Figure 3.16. Display current swap usage


Traffic Graphs


This page gives a graphic depiction of the incoming and outgoing traffic of the EFW box.

There are sections for each network interface, Green and Red (and Blue and Orange if configured), which show graphs of incoming and outgoing traffic through that interface.

Click on one of the graphs to show more graphs of the traffic on that interface: per Day, Week, Month and Year.

Figure 3.17. Displays traffic graph of the GREEN interface

Figure 3.18. Displays traffic graph of the RED interface


Proxy Graphs


This page shows the traffic that went through the proxy service of the EFW box. The first section gives the date and time the graph was created, the number of log lines analysed, the duration of the analysis, the speed (lines per second), the start and end date and time of the graph, and the domain (the overall time span covered by the graph).

This information is useful in seeing whether the proxy has the correct size for the load being experienced.


Connections


Endian Firewall uses the Linux Netfilter (iptables) facility to maintain a stateful firewall. A stateful firewall keeps track of connections to and from all GREEN, BLUE and ORANGE network IP addresses, based on source and destination IP addresses and ports as well as the state of the connection itself. Once a connection involving protected machines is established, only packets consistent with the current state of that connection are allowed through the Endian Firewall.

The IPTables Connection Tracking window shows the IPTables connections. Connection end points are color-coded based on their network location. The color-coding legend is displayed at the top of the page. Information on individual connections is displayed next. Each connection from or to your networks is shown.

Note

Click on an IP Address to do a reverse DNS lookup.

Figure 3.19. Displays current connections


You may notice that connections intercepted by a transparent proxy are shown here not just as a connection from the client to the firewall plus one from the firewall to the remote host, as one might assume, but as three entries: the connection from your client to the proxy, the connection from the proxy to the remote host, and the intercepted connection from your client to the remote host. The last one is the connection that was really requested; the other two are consequences of the redirect to the proxy performed by the kernel.


SMTP Mail Statistics


This page shows you statistics graphs about the SMTP Mail proxy.

You get daily, weekly, monthly and yearly graphs, two per period. The first shows the total number of mails sent from behind the Endian Firewall to the outside, coloured blue, and the total number of received mails, coloured green, over time. For both, the average, minimum and maximum number of messages per minute are calculated and shown below the graph.

The second graph visualizes the amount of messages per minute which have been blocked by the SMTP proxy because of one of the following reasons:

Rejected

The mail was rejected outright while being received, because the mail server is not responsible for the domain, the recipient does not exist, etc.

Bounced

The mail bounced: it was accepted by the mail server but rejected afterwards for some other reason, for example because the mail server had no way to deliver it.

Viruses

The mail contained a virus.

Spam

The mail was spam.


Mail Queue


Displays the current mail queue. Ideally it is always empty. The queue contains mails the mail server has not yet delivered, for various reasons; the respective reason is printed on each line. You can force the mail server to attempt delivery of the queued mail by pressing the Flush Mailqueue button. Do not expect the queue to be empty afterwards: this only starts a delivery attempt, and mails that still cannot be delivered stay in the queue until they expire.

Figure 3.20. Mail Queue


IPTables Rules


This window shows all IPTables rules that are currently configured on your Endian Firewall.

Figure 3.21. Displays iptables rules



Chapter 4. Network Menu


Table of Contents

Introduction

Host configuration (Edit Hosts)

Aliases

Introduction

Figure 4.1. Network menu selected

This group of web pages is designed to help you administer network related configuration. To get to these web pages, select Network from the menu bar at the top of the screen. The following choices will appear in a submenu on the left:


Edit Hosts — Allows you to specify custom host entries for the DNS service.
Aliases — Allows you to configure IP aliases for your RED zone in order to set up multiple RED IP addresses.


Host configuration (Edit Hosts)


This page allows you to configure custom host entries. Endian Firewall runs a DNS proxy, dnsmasq, which forwards all requests to the DNS resolvers of your RED uplink. If you configure the Endian Firewall interface address of the respective zone as the DNS resolver on each of your clients, the DNS proxy is used and you benefit from a number of its features. One of the finest is that it serves names from the hosts file on the firewall. This is very useful if you want hostnames that only your clients can resolve but cannot set them up on your DNS server. This page lets you edit that hosts file.

Below under Current hosts you will see listed (if any) all current host entries. By clicking on the pencil icon you can edit the respective entry. The trash icon removes the entry.

Figure 4.2. Current hosts

To add a new host entry simply click on Add a host in order to open the dialogue. The following fields will appear:

Host IP address

Fill in the IP address the new host should point to.


Hostname

Fill in the hostname you want to assign to the IP address above.

Domain name

This field is optional. If you want the new hostname to be in a domain, add it here. If you prefer only the hostname without a domain, for example because it is shorter, leave this blank.

If you create for instance a new entry with IP address 207.46.19.30, hostname beaten.by and domain samba.org, you will be able to ping beaten.by.samba.org from each of your clients.

Note that editing the /etc/hosts file on the firewall directly will not get you far: it is overwritten by the web administration interface, during reboot and on some other events, because its content is generated from the configuration you make on this page.


Aliases


This page allows you to create IP aliases for your RED interface. This is only possible if your RED type is ETHERNET STATIC; for all other RED types you cannot configure more than one RED IP address. You normally want this if you have more than one public IP address and want to make them reachable from the outside.

Figure 4.3. Add a new alias

If you click on Add a new alias, you will be able to create a new IP alias. The following configuration fields are available:

Name

Fill in a name that allows you to identify the alias easily later. It is only a label and has no other meaning; you may refer to it later in the firewall configuration.

Alias IP

The IP address you want to set up. Note that this IP address has to be in the RED subnet, otherwise the configuration wizard will report an error.

Enabled

Toggles the configuration of the respective IP alias on or off.

Below in the box entitled Current aliases you can see a list of already configured IP aliases (if any). On the right you can toggle on/off the respective IP alias by clicking on the checkbox icon. With the pencil icon you can edit the respective IP alias and with the trash icon you may remove one.

For each configured IP alias you can define more precise firewall rules later on the firewall configuration pages. For example you may configure port forwarding of a specific port from a specific IP alias to a server behind ORANGE.

Chapter 5. Services Menu

Table of Contents

Introduction

DHCP Administrative Web Page

DHCP Server Parameters

Add a new fixed lease

Current fixed leases

Current dynamic leases

Error messages

Dynamic DNS Administrative Web Page

Add a host

Current hosts

Forcing a Manual Update

ClamAV Antivirus

Time Server Administrative Web Page

Traffic Shaping Administrative Web Page

Intrusion Detection System Administrative Web Page

Linesrv (removed in version 2.1)

Server

Clients

XLC

WLC2

Hotspot

Introduction

Figure 5.1. Services menu selected

In addition to its core function of Internet firewall, EFW can provide a number of other services that are useful in a small network.

These are:

DHCP Server

Dynamic DNS Management

ClamAV antivirus

Time Server

Traffic Shaping

Intrusion Detection System

Linesrv (has been removed in version 2.1)

Hotspot

In a larger network it is likely that these services will be provided by dedicated servers and therefore should be disabled here.

DHCP Administrative Web Page

DHCP (Dynamic Host Configuration Protocol) allows you to control the network configuration of all your computers or other devices from your Endian Firewall. When a computer (or a device like a printer, PDA, etc.) joins your network it will automatically be given a valid IP address, and its DNS and WINS configuration will be set from the EFW machine. To use this feature the machines must be configured to obtain their network configuration automatically.

You can choose if you want to provide this service to your GREEN (private) network and/or your BLUE (wireless) or ORANGE (DMZ) network. Just tick the relevant box.

For a full explanation of DHCP you may want to read Linux Magazine's “Network Nirvana - How to make Network Configuration as easy as DHCP”.

DHCP Server Parameters

Figure 5.2. Shows the DHCP administration page

The following DHCP parameters can be set from the web interface:

Start Address (optional)

You can specify the lowest and highest addresses that the server will hand out to other requestors. The default is to hand out all the addresses within the subnet you set up when installing your Endian Firewall. If you have machines on your network that do not use DHCP, and have their IP addresses set manually, you should set the start and end address so that the server will not hand out any of these manually assigned IPs.

Note

You should also make sure that any addresses listed in the fixed lease section (see below) are also outside this range.

End Address (optional)

Specify the highest address you want to handout (see above).

Default lease time

This can be left at its default value unless you want to specify your own value. The default lease time is the time interval that is used before the lease for an assigned IP address expires and your computers will request a renewal of their lease, specifying their current IP address.

Note

If you change your DHCP parameters those changes will be propagated to the machines in your network when they request a new lease. Generally, leases are renewed by the server.

Maximum lease time

This can be left at its default value unless you want to specify your own value. The maximum lease time is the time interval during which the DHCP server will always honor client renewal requests for their current IP addresses. After the maximum lease time, client IP addresses may be changed by the server. If the dynamic IP address range has changed, the server will hand out an IP address in the new dynamic range.

Domain name suffix (optional)

Sets the domain name that the DHCP server will pass to the clients. If a host name cannot be resolved, the client will try again after appending the specified name to the original host name. Many ISP's DHCP servers set the default domain name to their network name and tell customers to get to the web by entering “www” as the default home page on their browser. “www” is not a fully qualified domain name. But the software in your computer will append the domain name suffix supplied by the ISP's DHCP server to it, creating a FQDN for the web server. If you do not want your users to have to unlearn addresses like www, set the Domain name suffix to your ISP's DHCP server specifications.

Note

There should not be a leading dot in this box.

Primary DNS

Specifies what the DHCP server should tell its clients to use as Primary DNS server. Because Endian Firewall runs a DNS proxy, you will probably want to leave the default value here so the Primary DNS server is set to the EFW box's IP address. If you have your own DNS server then specify it here.

Secondary DNS

You can also specify a second DNS server which will be used if the primary is unavailable. This could be another DNS server on your network or that of your ISP.

Primary NTP Server (optional)

If you are using Endian Firewall as an NTP Server, or want to pass the address of another NTP Server to devices on your network, you can put its IP address in this box. The DHCP server will pass this address to all clients when they get their network parameters.

Secondary NTP Server (optional)

If you have a second NTP Server address, put it in this box. The DHCP server will pass this address to all clients when they get their network parameters.

Primary WINS server address (optional)

If you are running a Windows network and have a Windows Naming Service (WINS) server, you can put its IP address in this box. The DHCP server will pass this address to all hosts when they get their network parameters.

Secondary WINS server address (optional)

If you have a second WINS Server, you can put its IP address in this box. The DHCP server will pass this address to all hosts when they get their network parameters.

Below you will find the following global configuration option:

Custom configuration lines

In this field you can add configuration lines which will be appended to the configuration file of the DHCP server. This is optional.

Warning

Use it only if you know exactly what you are doing, since a syntax error will cause the DHCP server to refuse to work! Read the documentation of the ISC DHCP server to be sure that you need to add custom configuration lines at all.

For example you may use this configuration possibility to send the location of the configuration files of your VoIP telephones to those telephones.

Example 5.1. Example of a custom configuration line

option tftp-server-name "http://%(GREEN_ADDRESS)s";
option bootfile-name "download/snom/{mac}.html";

When you press Save, the changes will be applied.

Add a new fixed lease

If you have machines whose IP addresses you would like to manage centrally but require that they always get the same fixed IP address you can tell the DHCP server to assign a fixed address based on the MAC address of the network card in the machine.

This is different from using manual addresses as these machines will still contact the DHCP server to ask for their IP address and will take whatever you have configured for them.

Figure 5.3. Add a fixed lease

You can specify the following fixed lease parameters:

MAC Address

The six octet/byte colon separated MAC address of the machine that the fixed lease is for.

Warning

The format of the MAC address is xx:xx:xx:xx:xx:xx (for example 00:e5:b0:00:02:d2), not xx-xx-xx-xx-xx-xx as some machines display it.

IP Address

The static lease IP address that the DHCP server will always hand out for the associated MAC address.

Note

Do not use an address from the server's dynamic address range.

Remark (optional)

If you want, you can include a string of text to identify the device using the fixed lease.

Next Address (optional)

Some machines on your network may be thin clients that need to load a boot file from a network server. You can specify the server here if needed.

File Name (optional)

Specify the boot file for this machine.

Root Path (optional)

If the boot file is not in the default directory then specify the full path to it here.

Enabled

Click on this check box to tell the DHCP server to hand out this static lease. If the entry is not enabled, it will be stored in EFW's files, but the DHCP server will not issue this lease.
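The following is an added example, not part of this guide and not Endian Firewall's own code. It checks the DHCP Server Parameters and fixed lease fields described above for the mistakes the notes and warnings on these pages name (a fixed lease inside the dynamic range, a dash-separated MAC address, a leading dot in the domain name suffix, a start address above the end address) and then renders the settings in ISC dhcpd.conf syntax. The ISC syntax is an assumption made because the guide points to the ISC DHCP server documentation; all sample values are constructed, and the host block names are an arbitrary choice of this example.

```python
import ipaddress
import re

# Constructed sample settings mirroring the fields on the DHCP page. The values
# are made up for illustration and are not Endian Firewall defaults.
SAMPLE_DHCP = {
    "subnet": "192.168.0.0/24",
    "router": "192.168.0.1",
    "start": "192.168.0.100",
    "end": "192.168.0.200",
    "default_lease": 3600,
    "max_lease": 7200,
    "domain_suffix": "example.lan",   # no leading dot, as the guide requires
    "dns": ["192.168.0.1"],           # the EFW box itself (it runs a DNS proxy)
    "ntp": ["192.168.0.1"],
    "wins": [],
}

# Constructed fixed leases; the second and third are deliberately wrong.
SAMPLE_FIXED_LEASES = [
    {"mac": "00:e5:b0:00:02:d2", "ip": "192.168.0.10", "remark": "printer",
     "enabled": True, "next_server": "192.168.0.5", "filename": "pxelinux.0",
     "root_path": "/tftpboot"},
    {"mac": "00:e5:b0:00:02:d3", "ip": "192.168.0.150", "remark": "in dynamic range",
     "enabled": True},
    {"mac": "00-e5-b0-00-02-d4", "ip": "192.168.0.11", "remark": "dashed MAC",
     "enabled": True},
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def validate(cfg, fixed):
    """Return a list of error strings; an empty list means the settings are consistent."""
    errors = []
    net = ipaddress.ip_network(cfg["subnet"])
    start = ipaddress.ip_address(cfg["start"])
    end = ipaddress.ip_address(cfg["end"])
    if start not in net or end not in net:
        errors.append("start/end address lies outside the subnet")
    if start > end:
        errors.append("start address is higher than end address")
    if cfg["domain_suffix"].startswith("."):
        errors.append("domain name suffix must not begin with a dot")
    if cfg["default_lease"] > cfg["max_lease"]:
        errors.append("default lease time exceeds maximum lease time")
    for lease in fixed:
        if not MAC_RE.match(lease["mac"]):
            errors.append(f"{lease['mac']}: MAC must be written xx:xx:xx:xx:xx:xx")
        ip = ipaddress.ip_address(lease["ip"])
        if ip not in net:
            errors.append(f"{lease['ip']}: fixed lease lies outside the subnet")
        elif start <= ip <= end:
            # The guide's note: fixed addresses must not come from the dynamic
            # range, otherwise the server may hand one address to two machines.
            errors.append(f"{lease['ip']}: fixed lease lies inside the dynamic range")
    return errors


def render(cfg, fixed):
    """Render the settings as ISC dhcpd.conf text; call validate() first."""
    net = ipaddress.ip_network(cfg["subnet"])
    lines = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"  range {cfg['start']} {cfg['end']};",
        f"  option routers {cfg['router']};",
        f"  option domain-name-servers {', '.join(cfg['dns'])};",
        f"  default-lease-time {cfg['default_lease']};",
        f"  max-lease-time {cfg['max_lease']};",
    ]
    if cfg["domain_suffix"]:
        lines.append(f"  option domain-name \"{cfg['domain_suffix']}\";")
    if cfg["ntp"]:
        lines.append(f"  option ntp-servers {', '.join(cfg['ntp'])};")
    if cfg["wins"]:
        lines.append(f"  option netbios-name-servers {', '.join(cfg['wins'])};")
    lines.append("}")
    for lease in fixed:
        if not lease["enabled"]:
            continue  # kept in the settings, but the server never issues it
        name = lease["mac"].replace(":", "")  # arbitrary host block name
        lines.append(f"host fixed_{name} {{")
        lines.append(f"  hardware ethernet {lease['mac']};")
        lines.append(f"  fixed-address {lease['ip']};")
        if lease.get("next_server"):      # "Next Address" field: boot server
            lines.append(f"  next-server {lease['next_server']};")
        if lease.get("filename"):         # "File Name" field
            lines.append(f"  filename \"{lease['filename']}\";")
        if lease.get("root_path"):        # "Root Path" field
            lines.append(f"  option root-path \"{lease['root_path']}\";")
        lines.append("}")
    return "\n".join(lines) + "\n"
```

Run validate() on the sample and the two faulty fixed leases are reported while the printer entry passes; render() on the valid entries alone produces a subnet block followed by one host block per enabled fixed lease.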

Current fixed leases

This section displays current fixed leases and allows editing or deleting them.

You can sort the display of the fixed leases by clicking on the underlined headings MAC Address or IP Address. Another click on the heading will reverse the sort order.

Figure 5.4. Shows the current fixed leases

To edit an existing lease, click on its pencil icon. The fixed leases values will be displayed in the Edit an existing lease section of the page. The fixed lease being edited will be highlighted in yellow. Click the Update button to save any changes.

To remove an existing lease, click on its trash can icon. The lease will be removed.

Current dynamic leases

If DHCP is enabled, this section lists the dynamic leases contained in the /var/lib/dhcp/dhcpd.leases file. The IP Address, MAC Address, hostname (if available) and lease expiry time of each record are shown, sorted by IP Address.

You can sort the display of dynamic leases by clicking on any of the four underlined column headings. A further click will reverse the sort order.

It is easy to cut and paste a MAC Address from here into the fixed lease section (see the section called “Current fixed leases”), if needed.

Figure 5.5. Shows the current dynamic leases

Lease times that have already expired are “struck through”.

Error messages

An error message will appear at the top of the page if a mistake is found in the input data, after you press the Save button.

Dynamic DNS Administrative Web Page

Dynamic DNS (DYNDNS) allows you to make your server available to the Internet even though it does not have a static IP address. To use DYNDNS you must first register a subdomain with a DYNDNS provider. Then whenever your server connects to the Internet and is given an IP address by your ISP it must tell the DYNDNS server this IP address. When a client machine wishes to connect to your server it will resolve the address by asking the DYNDNS server, which will answer with the latest value. If this is up to date then the client will be able to contact your server (assuming your firewall rules allow this). EFW makes the process of keeping your DYNDNS address up to date easier by providing automatic updates for many of the DYNDNS providers.

Add a host

Figure 5.6. Shows the dialogue which allows you to create a new DynDNS configuration

The following DYNDNS parameters can be set from the web interface:

Service

Choose a DYNDNS provider from the dropdown. You should have already registered with that provider.

Behind a proxy

This tick box should be ticked only if you are using the no-ip.com service and your Endian Firewall is behind a proxy. This tick box is ignored if you choose any of the other services.

Enable wildcards

Enable Wildcards will allow you to have all the subdomains of your dynamic DNS hostname pointing to the same IP as your hostname (e.g. with this tick box enabled, www.some.dyndns.org will point to the same IP as some.dyndns.org). This tick box has no effect with the no-ip.com service, as they only allow wildcards to be activated or deactivated directly on their website.

Hostname

Enter the hostname you registered with your DYNDNS provider.

Domain

Enter the domain name you registered with your DYNDNS provider.

Username

Enter the username you registered with your DYNDNS provider.

Password

Enter the password for your username.

Behind Router (NAT)

If your Endian Firewall resides behind a device which does NAT, you need to tick this box. In that case Endian Firewall cannot see the real public IP address, which is what the update must carry, so it uses checkip.dyndns.org to determine the real public IP address.

Enabled

If this is not ticked then Endian Firewall will not update the information on the DYNDNS server. It will retain the information so you can re-enable DYNDNS updates without reentering the data.

Current hosts

This section shows the DYNDNS entries you have currently configured.

Figure 5.7. Shows current configured DynDNS configuration

To edit an entry click on its pencil icon. The entry's data will be displayed in the form above. Make your changes and click the Save button on the form.

You can also update the Behind a proxy, Use wildcards and Enabled tick boxes directly from the current host's list entry.

Forcing a Manual Update

You can force EFW to refresh the information manually by pressing Force Update. However, it is best to update only when the IP address has actually changed, as dynamic DNS service providers do not like to handle updates that make no changes. Once the host entries have been enabled, your IP will be updated automatically each time it changes.
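As an added example, not part of the guide and not the code Endian Firewall itself runs, the following Python shows the two decisions a DynDNS updater behind NAT has to make: extracting the public address from a checkip-style page such as the one checkip.dyndns.org returns, and sending an update to the provider only when that address has really changed or a Force Update was requested. The response body is a constructed sample in the well-known one-line format (with a documentation address), and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample of a checkip-style response. The layout follows the
# well-known one-line page; 203.0.113.5 is a documentation address (RFC 5737).
SAMPLE_CHECKIP_BODY = (
    "<html><head><title>Current IP Check</title></head>"
    "<body>Current IP Address: 203.0.113.5</body></html>"
)

_IP_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Addresses that can never be the public side of a NAT device.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_checkip(body):
    """Extract the public IPv4 address from a checkip-style page.

    Returns None if the page carries no address, an unparsable one, or a
    private address: a captive-portal or error page, or the NAT-side address,
    must never be pushed to the dynamic DNS provider as if it were public.
    """
    m = _IP_RE.search(body)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))
    except ValueError:        # e.g. "999.1.1.1" matched the loose regex
        return None
    if any(ip in net for net in _NON_PUBLIC):
        return None
    return str(ip)


def should_update(last_sent_ip, current_ip, force=False):
    """Decide whether to send an update to the provider.

    Updates that change nothing annoy providers, so send only when the address
    really changed (or the administrator pressed Force Update), and only when
    a usable public address was actually learned.
    """
    if current_ip is None:
        return False
    return force or current_ip != last_sent_ip
```

In a real updater last_sent_ip would be persisted between runs, so that a reboot does not trigger a needless update either.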

ClamAV Antivirus

ClamAV is an Open Source virus scanner that can be used to scan all incoming traffic for viruses. Endian Firewall lets you configure the most important features.

Figure 5.8. ClamAV Antivirus

In the Clamav configuration box you can set the way ClamAV will handle incoming archives. The options are:

Max. archive size

This lets you set the maximum archive size in Megabytes that will be scanned by ClamAV.

Max. nested archives

Here you can specify the maximum depth of nested archives ClamAV will scan.

Max. files in archive

ClamAV will not scan archives that contain more files than specified here.

Max compression ratio

Here you can specify the maximum compression ratio of archives that will be scanned by ClamAV.

Handle bad archives

By selecting the Do not scan but pass radio button, all archives that fail to comply with any of the parameters described above will not be scanned but will still pass. You can change this behaviour by selecting Block as virus, which blocks all archives that do not comply with any of these parameters.

Block encrypted archives

ClamAV cannot scan encrypted archives. If you do not want encrypted archives to pass the virus check, tick this box.

You can also change the update interval of your clamav signature database by selecting the appropriate interval-type in the Clamav signature update schedule section.

Tip

By moving your mouse cursor over the question marks you will get information on when exactly the updates will happen for the respective interval-type.

Time Server Administrative Web Page

Endian Firewall can be configured to obtain the time from a known accurate timeserver on the Internet. In addition to this it can also provide this time to other machines on your network.

Figure 5.9. Shows the Time server administrative web page

To configure the time system, make sure that the Enabled box is ticked and enter the full name of the timeserver you want to use in the Primary NTP Server box. You can also enter an optional Secondary NTP Server if you want to.

Endian Firewall will use these NTP Servers to keep its time synchronized. It automatically does an update once every hour. If you do not want your firewall to update itself make sure the Synchronize with time servers box is not checked.

If you want to change your timezone you can do this in the Change the Timezone box. Just select your timezone from the drop-down list and hit the Save button.

To save your configuration click the Save button.

If you choose to not use an Internet timeserver by ticking off Synchronize with time servers you can enter the time manually and click the Instant Update button in the Update the time box.

Note

Before version 2.1 the Synchronize with time servers option was called Disable autoupdate and had the inverted meaning.

Note

Before version 2.1 Endian Firewall used the ntpdate command. Since 2.1 it uses the ntpd daemon to synchronize the time, which is more accurate.

Note

The first synchronisation can take some minutes if the preconfigured time is very wrong.

Traffic Shaping Administrative Web Page

Traffic Shaping allows you to prioritize IP traffic moving through your firewall. Endian Firewall uses WonderShaper to accomplish this. WonderShaper was designed to minimize ping latency and to ensure that interactive traffic like SSH is responsive while downloading or uploading bulk data.

Figure 5.10. Shows traffic shaping settings

Many ISPs sell speed as download rates, not as latency. To maximize download speeds, they configure their equipment to hold large queues of your traffic. When interactive traffic is mixed into these large queues, their latency shoots way up, as ACK packets must wait in line before they reach you. Endian Firewall takes matters into its own hands and prioritizes your traffic the way you want it. This is done by setting traffic into High, Medium and Low priority categories. Ping traffic always has the highest priority — to let you show how fast your connection is while doing massive downloads.

Figure 5.11. Shows Type of Service configuration

To use Traffic Shaping in Endian Firewall:

1. Use well known fast sites to estimate your maximum upload and download speeds. Fill in the speeds in the corresponding boxes of the Settings portion of the web page.

2. Enable traffic shaping by checking the Enable box.

3. Identify what services are used behind your firewall.

4. Then sort these into your 3 priority levels. For example:

a. Interactive traffic such as SSH (port 22) and VoIP (voice over IP) goes into the high priority group.

b. Your normal surfing and communicating traffic like the web (port 80) and streaming video/audio goes into the medium priority group.

c. Put your bulk traffic such as P2P file sharing into the low priority group.

5. Create a list of services and priorities using the Add service portion of the web page.

The services, above, are only examples of the potential Traffic Shaping configuration. Depending on your usage, you will undoubtedly want to rearrange your choices of high, medium and low priority traffic.

Intrusion Detection System Administrative Web Page

Endian Firewall contains a powerful intrusion detection system - Snort - which analyses the content of packets received by the firewall and searches for known signatures of malicious activity.

Figure 5.12. Intrusion Detection System administrative web page

EFW can monitor packets on the GREEN, BLUE, ORANGE and RED interfaces. Just tick the relevant boxes and click the Save button.

As more attacks are discovered the rules Snort uses to recognize them will be updated. You can choose between 3 update types:

Community Rules (no subscription needed)

Sourcefire VRT rules with subscription

Sourcefire VRT rules for registered users

Sourcefire VRT Certified Rules are the official rules of snort.org. Each rule has been rigorously tested against the same standards the VRT uses for Sourcefire customers. These rules are distributed under the new VRT Certified Rules License Agreement that restricts commercial redistribution. There are three ways to obtain these rules:

1. Subscribers receive real-time rules updates as they are available.

2. Registered users can access rule updates 5 days after release to subscription users.

3. Unregistered users receive a static ruleset at the time of each major Snort Release.

To download the latest version, select your preferred rules type and click the Download new ruleset button. To utilize Sourcefire VRT Certified Rules, you need to register on http://www.snort.org, acknowledge the license, receive your password by email, and connect to the site. Go to USER PREFERENCES, press the 'Get Code' button at the bottom and copy the 40 character Oink Code into the field.

Linesrv (removed in version 2.1)

Note

LINESRV HAS BEEN COMPLETELY REMOVED IN VERSION 2.1!!

Linesrv is a server for remotely controlling the internet connection. Clients on other hosts can talk to this server and ask it to establish a certain line. It then sends a message to all connected clients that the connection is established. The connection will not be taken down until every client has asked for that, has timed out or has been terminated.

Server

Linesrv is the server part of the LineControl tool. You need to enable the server if you want to use the remote clients.

Figure 5.13. Linesrv

Enabled:

Tick this to enable the LineControl Server.

Save

To save the changes and restart the LineControl server press the save button.

Note

The LineControl server is frequently used with ISDN lines, and therefore it is desirable that the line does not come up automatically on a reboot. This is the default when linesrv is enabled.

Clients

There are several clients for GNU/Linux and Windows, as well as clients written in Java (platform independent). The clients can be downloaded from linecontrol.srf.ch.

XLC

XLC is a LineControl client for Linux (X, GTK). If your distribution does not ship xlc, you can obtain the client from linecontrol.srf.ch.

Figure 5.14. XLC Line down

The picture shows the XLC client with a disconnected main line.

Figure 5.15. XLC initiate a Connection

The picture shows how to connect the main line.

Figure 5.16. XLC main connection initiated

The XLC client shows that the main line is now connected.

Figure 5.17. XLC up manually

The main line is up manually and the LineControl server cannot stop or start the connection. This is the case when the connection has been initiated through the Web GUI.

Warning

LineControl can only control connections initiated through linesrv. If the client shows the status "up manually", you need to disconnect the line through the Web GUI and start the connection from the LineControl client.

WLC2

WLC2 is a Windows client for the LineControl server. The client works on Windows 9x/Me/2000/XP/2003 and can be downloaded from linecontrol.srf.ch.

Figure 5.18. WLC disconnected

The main line is disconnected and you can connect the line by pressing the online button.

Figure 5.19. WLC line is up

The main connection is established and you can close it by pressing the offline button. If no other user needs the internet connection, the line goes down.

Figure 5.20. WLC connection established

Another user is using the internet connection. You can press the online button now; the connection will not be taken down until every client has asked for that.

Figure 5.21. WLC up manually

The main line is up manually and the LineControl server cannot stop or start the connection. This is the case when the connection has been initiated through the Web GUI.

Warning

LineControl can only control connections initiated through linesrv. If the client shows the status "up manually", you need to disconnect the line through the Web GUI and start the connection from the LineControl client.

Warning

Please close or disconnect any linecontrol client before restarting the linecontrol server.

Hotspot

Figure 5.22. Hotspot Activation

On this page you can enable the Endian Hotspot on the BLUE zone by ticking on the checkbox labeled Enabled on BLUE and then hitting the Save button. For further configuration options you have to click on the Hotspot administration interface link which will then open a new page.

Note

To run the Endian Hotspot you must have the BLUE zone enabled. The IP of the BLUE interface must belong to a class C network (/24) and must end with .1, e.g. 192.168.20.1/24. The bridge for the BLUE zone does not support more than one port.
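Two address checks named in this guide, as an added example that is not the guide's or Endian Firewall's own code: the Aliases page in the Network menu requires an alias IP to lie in the RED subnet (the wizard reports an error otherwise), and the note above requires the BLUE address to be a /24 ending in .1. The Python below implements both. The /28 RED address and the alias values are constructed; the further rejections in the alias check (network and broadcast address, the main RED address itself, duplicates) go beyond what the guide states and are this example's additions.

```python
import ipaddress


def alias_ok(alias_ip, red_address, existing_aliases=()):
    """Return (ok, reason) for a new RED alias.

    red_address is the RED interface address with prefix, e.g.
    "203.0.113.10/28", so the check uses the real netmask of the RED
    interface instead of guessing a class from the address.
    """
    try:
        red = ipaddress.ip_interface(red_address)
        alias = ipaddress.ip_address(alias_ip)
    except ValueError:
        return False, "not a valid address"
    if alias.version != red.version:
        return False, "alias and RED address have different IP versions"
    if alias not in red.network:
        return False, f"{alias} is not in the RED subnet {red.network}"
    # Additions beyond the guide: these addresses can never serve as aliases.
    if alias in (red.network.network_address, red.network.broadcast_address):
        return False, "network and broadcast addresses cannot be aliases"
    if alias == red.ip:
        return False, "alias equals the main RED address"
    if str(alias) in set(existing_aliases):
        return False, "alias already configured"
    return True, "ok"


def hotspot_blue_ok(blue_address):
    """Return (ok, reason) for the BLUE address requirements on the Hotspot
    page: a /24 network (the guide's "class C") whose host part is .1."""
    try:
        blue = ipaddress.ip_interface(blue_address)
    except ValueError:
        return False, "not a valid address with prefix"
    if blue.version != 4:
        return False, "BLUE must be an IPv4 address"
    if blue.network.prefixlen != 24:
        return False, f"/{blue.network.prefixlen} given, /24 required"
    if int(blue.ip) - int(blue.network.network_address) != 1:
        return False, "address must end in .1"
    return True, "ok"
```

Both functions return a reason string alongside the verdict so that a form can show the same kind of error message the administration interface reports.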

Note

Usually the hotspot is intended for use with wireless networks, but this is not mandatory: you can just as well connect a normal switch to the BLUE LAN port. Please note also that no wireless access point is supplied with Endian Firewall.

Tip

If you are running a Community version of Endian Firewall and are wondering where your Endian Hotspot may be just upgrade to Endian Firewall Enterprise Edition.

This page was last modified on: $Date: 2006-11-22 00:47:05 +0100 (Wed, 22 Nov 2006) $.

Chapter 6. Firewall Menu

Table of Contents

Introduction

Firewall

Port Forwarding Administrative Web Page

Port Forwarding Overview

Port Forwarding and External Access

External Access Administrative Web Page

Zone Pinholes Administrative Web Page

Outgoing Firewall Administrative Web Page

Globally DENY outgoing traffic to RED and explicitly configure outgoing rules

Globally ALLOW outgoing traffic to RED

Introduction

Figure 6.1. Firewall menu selected

In the Firewall Menu you can find some of the core functions of EFW which control how traffic will flow through the firewall.

These are:

Port Forwarding

Firewall

This feature is one of the most important parts of Endian Firewall and most probably the reason you use a firewall at all. Endian Firewall uses a standard netfilter firewall and creates its firewall rules using iptables. Basically, Endian Firewall is configured so that the firewall itself is the only point of contact seen from the outside, the internet. Public IP addresses can be assigned only to the RED interface, so a connection attempt from the internet to one of your public IP addresses reaches only the RED interface of the firewall and cannot pass beyond it, as the use of NAT makes this technically impossible. Routing of public IP addresses to a zone behind the firewall is prevented, since this would circumvent the firewall rules.

Figure 6.2. Diagram of flow control and its configuration possibilities

If not configured otherwise, the firewall's default settings will block all traffic coming from the outside. As default behaviour, traffic from the GREEN zone will be allowed to pass to each of the other zones (BLUE and ORANGE), since GREEN is the trusted network, but for each pass from one zone to another NAT will be performed to obscure the real source address and - by doing this - hide all information about the network configuration of the GREEN zone. On the other hand, no access from any of the other zones will be granted to anywhere by default. The only exception is access to the RED interface, the internet - but still only some standard services (HTTP, FTP, SMTP, DNS) are allowed by default when accessing from the GREEN zone, and only DNS when accessing from the BLUE and ORANGE zones.

Of course Endian Firewall lets you relax these strong restrictions and define access rules between the zones. In order to allow access to RED - the internet - you have to configure this in the outgoing firewall submenu. If you need to give access from the outside to the firewall itself, you need to create rules in the External Access menu. Access from BLUE to GREEN and from ORANGE to GREEN or BLUE is arranged by Zone pinholes.

If you have servers in the DMZ in ORANGE and need to allow access from the internet, you can create a port forwarding rule. You may flexibly forward different ports from the same IP address to different servers within the DMZ, or different ports from different IP addresses to the same server, just as you wish.

Port Forwarding Administrative Web Page

This subsection allows you to configure the Port Forwarding settings for Endian Firewall. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

Port Forwarding Overview

Firewalls prevent externally initiated requests from accessing the protected system. However, sometimes, this may be too strict. For example, if one is running a web server, then any requests to that web server by users outside of the protected network will be blocked by default. This means that only users on the same internal network can use this web server. Obviously this is not the normal situation for web servers. Most people want people from the outside to be able to access the server. This is where Port Forwarding comes in.

Port Forwarding is a service that allows limited access to the internal LANs from the outside. When you set up your server, you can choose the receiving or “listening” ports on the internal network machines. These ports differ for every kind of service that may be hosted. Please refer to the documentation that came with your servers to set up the ports on those servers.

Figure 6.3. Adding a new portforwarding configuration

Once those receiving ports are ready, you can enter the information that is needed into the administration interface on Endian Firewall. The following describes each configuration field:

Protocol

This drop down list allows you to choose which protocol this rule will follow. Possible values are TCP, UDP and GRE. Most regular servers use TCP. Some game servers and chat servers use UDP. The GRE protocol is used for example in PPTP. If the protocol is not specified in the server documentation, then it usually is TCP.

Source port

This is the port to which the outsiders will connect. In most cases, this will be the standard port for the service being offered (80 for web servers, 20 & 21 for FTP servers, 25 for mail servers, etc.). If you want to, you may specify a range of ports to forward. To specify a range use the “:” character between two port numbers, lowest number first.

Note

Port ranges cannot overlap each other.

Destination IP

This is the internal IP address of the server (for example, you may have your web server running on 192.168.0.3).

Destination Port

This is the listening port you chose when you set up your server, as described in the first paragraph. You only need to enter the source port; the destination port is filled in with the same value unless you change it.

Alias IP

This dropdown menu allows you to choose which RED IP will be affected by this rule. Endian Firewall has the capability of handling more than one RED IP. With the Aliases submenu in the Network main menu you are able to configure them. If you only have one RED IP set up, then choose Default IP.

Remark

This is optional. As the name says, this field allows you to add a remark that makes the rule easier to identify in the current rules list.

Enabled

Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

For each configured port forwarding rule, Endian Firewall automatically creates a NAT rule for every zone, so that a port forwarded to ORANGE is reachable not only from RED but also from each of the other zones.

Note

If you create a port forwarding rule from an alias IP, Endian Firewall automatically generates source NAT rules for outgoing connections started by the machine to which the port has been forwarded, so that their source IP address is rewritten to the respective alias IP. This NAT applies only to outgoing connections whose destination port equals a forwarded port. This is needed, for example, if you run a mail server within the DMZ and therefore forward port 25 to a machine in the ORANGE network: that machine must send mail from the alias IP and not from the main RED IP address, otherwise receiving mail servers will see a different address than the one the MX record points to.

Port Forwarding and External Access


The External Access page has NO effect on the GREEN or ORANGE networks. It is here to allow you to open ports to the EFW box itself and not to the GREEN or ORANGE networks.

How do you allow external access then? It is combined with the Port Forwarding page - there is a field on the page labeled: 'Source IP, or network (blank for "ALL"):'

This is the field that controls external access - if you leave it BLANK, your port forwarding rule will be applied to ALL INTERNET ADDRESSES. Alternatively if you put an address or network in this field access will be restricted to that specified network or internet address.

Figure 6.4. Adds an acl to a portforwarding rule

You can have more than one external address - after you have created the port forwarding entry, it will appear in the table. If you wish to add another external address, click the Red Pencil with the Plus sign next to the entry - the entry screen at the top of the page will change (it will load the values from the port forwarding entry) and allow you to enter an external IP address or network. When added you will now notice that there is a new entry for this forwarded port in the table.

Note

You can have port ranges and wildcards. Valid wildcards are:

* which translates to 1-65535
85-* which translates to 85-65535
*-500 which translates to 1-500

Reserved ports - on the main Red Address (DEFAULT IP) some ports are reserved for EFW services, they are 67, 68 for doing DHCP on RED and 10443 for the web interface itself.
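The rules stated above (ranges written lowest number first, the three wildcard forms, no overlapping ranges, and the reserved ports 67, 68 and 10443 on the Default IP) are easy to get wrong when typing many rules. The following validator is an added example, not Endian Firewall's own code; it accepts both the ":" and the "-" separator, expands the wildcards exactly as the note describes, and reports overlaps and reserved-port clashes before a rule is saved. It assumes the overlap check applies to the list of specifications you pass in (group them per protocol and alias IP if that is how you want to compare them).

```python
"""Validate port-forwarding port specifications (added example, not EFW code)."""
import re

MAX_PORT = 65535
# Ports the text says are reserved for EFW services on the Default RED IP.
RESERVED_ON_DEFAULT_IP = {67, 68, 10443}


def parse_port_spec(spec):
    """Return (low, high) for a port specification.

    Accepts a single port ("80"), a range ("5000:5010" or "5000-5010") and
    the wildcard forms from the note: "*" -> (1, 65535), "85-*" -> (85, 65535),
    "*-500" -> (1, 500).  Raises ValueError for anything else or for a range
    that is not written lowest number first.
    """
    spec = spec.strip()
    if spec == "*":
        return 1, MAX_PORT
    m = re.fullmatch(r"(\*|\d+)[:-](\*|\d+)", spec)
    if m:
        low = 1 if m.group(1) == "*" else int(m.group(1))
        high = MAX_PORT if m.group(2) == "*" else int(m.group(2))
    elif re.fullmatch(r"\d+", spec):
        low = high = int(spec)
    else:
        raise ValueError("invalid port specification: %r" % spec)
    if not (1 <= low <= high <= MAX_PORT):
        raise ValueError("range must be lowest first, within 1-%d: %r" % (MAX_PORT, spec))
    return low, high


def ranges_overlap(a, b):
    """True if the inclusive ranges a=(lo, hi) and b=(lo, hi) share any port."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_new_rule(existing_specs, new_spec, alias_ip="Default IP"):
    """Return a list of problems with adding new_spec beside existing_specs.

    An empty list means the rule is acceptable.  Overlap is checked against
    every existing specification; a rule on the Default IP is also rejected
    if its range touches one of the reserved EFW ports.
    """
    problems = []
    try:
        new = parse_port_spec(new_spec)
    except ValueError as exc:
        return [str(exc)]
    for spec in existing_specs:
        if ranges_overlap(parse_port_spec(spec), new):
            problems.append("overlaps existing rule %r" % spec)
    if alias_ip == "Default IP":
        clashes = sorted(p for p in RESERVED_ON_DEFAULT_IP if new[0] <= p <= new[1])
        if clashes:
            problems.append("uses reserved EFW port(s) %s on the Default IP" % clashes)
    return problems


if __name__ == "__main__":
    # Constructed sample rule set: a web server and a game server range.
    current = ["80", "5000:5010"]
    for candidate in ["443", "5005:5020", "10000:11000", "90:80"]:
        print(candidate, check_new_rule(current, candidate) or "ok")
```

A range such as 10000:11000 on the Default IP is the typical mistake: it silently covers 10443 and would collide with the web interface.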

Figure 6.5. Currently configured portforwarding rules


The rules listing in the Current rules box is where the red pencil icon mentioned above is found. You can edit a record by clicking the Yellow Pencil icon in the Action column; nothing changes and nothing is lost until you hit the update button. While you are editing a record it is highlighted in yellow. When you edit a port forwarding rule there is an extra check box labeled Override external access to ALL. This is a quick and dirty way to open a port to ALL Internet addresses, for testing or whatever your reasons may be; remember to turn it off again, since it bypasses every external access restriction defined for that rule.

To delete a record, click on the Trash Can icon on the right hand side of the Action column.

Note

If you have a forwarded port with multiple external access rules and delete all of the external access rules, the port becomes open to ALL addresses, be careful.

There is a Shortcut to enable or disable a port forward or external access - click on the “Enabled” icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click on the checkbox to enable it again.

Note

When you disable the port forward, all associated external access rules are disabled, and when you enable the port forward, all associated external access rules are enabled.

External Access Administrative Web Page

This subsection allows you to configure the External Access settings for the Endian Firewall machine itself. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

Figure 6.6. Add a new external access rule

External Access only controls access to the Endian Firewall box. It has no effect on GREEN, BLUE or ORANGE network access; that is controlled in the Port Forwarding section, as described above.

If you wish to maintain your EFW machine remotely, you should enable access on TCP port 10443, https. If you have enabled ssh access, you can also enable TCP port 22, ssh. In both cases restrict the rule to the source addresses you administer from whenever possible, as described under Source IP below.

The following describes the configuration fields of the Add a new rule box:

Protocol

The drop down list allows you to choose which protocol this rule will follow. Possible values are TCP and UDP. Most regular servers use TCP. If the protocol is not specified in the server documentation then it is usually TCP.

Source IP, or network (blank for "ALL")

This is the IP address of the external machine(s) you want to give permission to access your firewall. You may leave this blank, which allows any IP address to connect. Although dangerous, this is useful if you want to maintain your machine from anywhere in the world. However, if you can limit the IP addresses for remote maintenance, only these IP addresses or networks should be listed in this box.

Destination Port

This is the external port that they are allowed to access, e.g. 10443.

Destination IP


This dropdown menu allows you to choose which RED IP this rule will affect. Endian Firewall has the capability of handling more than one RED IP. If you only have one RED IP set up then choose Default IP.

Enabled

Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.

Current rules lists all the rules that have been created. To remove one, click the Trash Can icon. To edit one, click the Yellow Pencil icon.

To enable or disable a rule - click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.

Figure 6.7. Displays currently configured rules

Note

By default, TCP port 113 (ident) is opened. This is a workaround to make connections establish faster. Many services still issue an ident request back to the connecting host to comply with an old and insecure standard, asking for the remote user who established the connection. Most machines no longer run an ident service, so that request would normally have to time out, because the firewall silently drops the packets, and the connection is delayed until the timeout expires. Opening the port lets the kernel promptly reject the ident request (no service is listening), so no timeout occurs. Currently this is the only option, since Endian Firewall does not yet support rejecting packets; it can only drop them silently.

Zone Pinholes Administrative Web Page

This subsection allows you to configure the Zone Pinholes settings for Endian Firewall. This is 100% optional, so you may safely ignore this section if you do not want to make use of this feature.

Note

This page will only be visible if you have enabled the ORANGE and/or the BLUE zone within Network Wizard.

A DMZ or Demilitarized Zone (Orange zone) is used as a semi-safe interchange point between the external RED Zone and the internal GREEN zone. The GREEN zone has all your internal machines. The RED zone is the Internet at large. The DMZ allows them to share servers without allowing undue access to the internal LAN by those in the RED Zone.

For example, suppose that your business has a web server. Certainly, you want your customers (those in the RED zone) to be able to access it. But what if you also want your web server to be able to send customer orders to employees in the GREEN zone? In a traditional firewall setup, this wouldn't work, because the request for access to the GREEN zone would be initiating from outside the GREEN zone. You certainly do not want to give all your customers direct access to the machines on the GREEN side, so how can this work? By using the DMZ and zone pinholes.

Figure 6.8. Adds a new pinhole rule

Zone pinholes give machines in the ORANGE (DMZ) zone (and also the BLUE zone) limited access to certain ports on GREEN machines. Because the servers in the ORANGE zone must have relaxed rules with respect to the RED zone, they are more exposed to attack. Allowing only limited access from ORANGE to GREEN helps to prevent unauthorized access to restricted areas should such a server be compromised.

The following describes the configuration fields of Add a new rule:

Protocol


The drop down list allows you to choose which protocol this rule will follow. Possible values are TCP and UDP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP.

Source Net

This is a drop menu that shows the available source networks on the machine. You will not find the GREEN network here, since GREEN can - being the trusted network - access all zones by default.

Source IP

This is the IP address of the machine that you wish to give permission to access your internal servers.

Destination Net

This is a drop down menu that shows the available destination zones.

Destination IP

Fill in the IP address of the machine of your GREEN or BLUE zone that you want to open. The IP address must be part of the destination zone you selected before.

Destination Port

This is the destination port you want to open. This is optional. If you do not specify a port, access to the machine will not be limited to a port.

Remark

You may add a remark that makes the rule easier to identify within the Current rules list.

Enabled

Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.

Figure 6.9. Lists all configured pinhole rules


Current rules lists the rules that are in effect. To remove one, click the Trash can icon. To edit one, click the pencil icon. To enable or disable a rule - click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.

Outgoing Firewall Administrative Web Page

This subsection allows you to configure the Outgoing Firewall settings for Endian Firewall.

The outgoing firewall can operate in one of two modes:

Globally ALLOW outgoing traffic to RED (Internet), or allow only single ports for the outgoing traffic.

Globally DENY outgoing traffic to RED and explicitly configure outgoing rules for the traffic that is allowed.

The following services are allowed by default from the GREEN zone:

HTTP
HTTPS
FTP
SMTP
POP3
IMAP
DNS

DNS is also allowed by default for all other zones.

Figure 6.10. Adds a new outgoing rule

To add a rule, open the Add a new rule dialogue; its fields are described below:

Remark

You may add a remark that makes the rule easier to identify within the Current rules list.

Enabled


Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

Protocol

The drop down list allows you to choose which protocol this rule will follow. Possible values are UDP and TCP. Most regular servers use TCP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP.

Policy

Select the policy for this rule. Possible values are:

ALLOW - Allows the traffic which matches the rule.
DENY - Silently blocks the traffic which matches the rule. Dropped connections are logged by default; you can turn that off in the Log main menu.

Source Net

This drop down list allows you to choose a whole zone as source net. Every zone the firewall knows is listed except RED, which by design of the outgoing firewall is always the destination zone. If you want to define the rule more precisely and allow only a single IP address, select use source IP address.

Source IP address

This is optional if you choose a zone before. You can specify an IP address, for example 10.1.1.3, or a network like 10.1.1.0/24, which you want to allow or disallow to access RED.

Log packets which satisfy this rule

Tick this on if you want the firewall to log all connection attempts which satisfy the rule. This for example is convenient for testing purposes.

Note

In some countries this may be illegal.

MAC address

This is optional. You may fill in the MAC address of a network card which is allowed or disallowed to pass through. If you want to match only the MAC address and not an IP address, select a zone as source net and leave the source IP address field blank.

Destination IP address

This is optional. If you want to limit or deny access to a specific remote address you may fill in an IP address like 68.163.90.13 or a network like 68.163.75.0/24.

Destination port


This is probably the most important field for you, however it is nevertheless optional. Fill in a destination port if you want this rule to be limited to a remote service. For example you can create a rule which allows access to all HTTP (web) servers, by specifying port 80 and leaving all other fields empty.

Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.
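To see how the fields above combine into a decision, the following model is an added example and not Endian Firewall's own rule engine. It implements what the text describes: a default-deny policy towards RED with the listed services allowed from GREEN and DNS allowed from every zone, explicit ALLOW/DENY rules that match on source zone, source IP or network, source MAC, destination IP or network and destination port, and the global "disable outgoing firewall" switch. The port numbers assigned to the default services, the first-match evaluation order and the sample addresses are assumptions of this model.

```python
"""Outgoing firewall decision model (added example, not EFW code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed port mapping for the services the text lists as allowed by default.
DEFAULT_SERVICES = {
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 21): "FTP",
    ("tcp", 25): "SMTP", ("tcp", 110): "POP3", ("tcp", 143): "IMAP",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
}


@dataclass
class Rule:
    policy: str                      # "ALLOW" or "DENY"
    protocol: str                    # "tcp" or "udp"
    source_net: str                  # zone name: GREEN, BLUE or ORANGE
    source_ip: Optional[str] = None  # host or network, e.g. "10.1.1.0/24"
    mac: Optional[str] = None        # optional source MAC address
    dest_ip: Optional[str] = None    # host or network, e.g. "68.163.75.0/24"
    dest_port: Optional[int] = None  # optional remote service port
    enabled: bool = True
    log: bool = False                # "Log packets which satisfy this rule"


def _ip_match(pattern, addr):
    """A host/network pattern matches addr; a missing pattern matches anything."""
    if pattern is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule, pkt):
    """pkt describes one connection attempt: zone, src, mac, dst, dport, proto."""
    return (rule.enabled
            and rule.protocol == pkt["proto"]
            and rule.source_net == pkt["zone"]
            and _ip_match(rule.source_ip, pkt["src"])
            and (rule.mac is None or rule.mac.lower() == pkt["mac"].lower())
            and _ip_match(rule.dest_ip, pkt["dst"])
            and (rule.dest_port is None or rule.dest_port == pkt["dport"]))


def evaluate(rules, pkt, outgoing_firewall_enabled=True):
    """Return (verdict, reason) for a connection from a zone towards RED.

    With the outgoing firewall disabled everything is allowed.  Otherwise the
    first matching explicit rule decides (assumed order); if none matches the
    defaults apply: DNS from any zone, the listed services from GREEN only,
    and everything else is denied.
    """
    if not outgoing_firewall_enabled:
        return "ALLOW", "outgoing firewall disabled"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.policy, "explicit rule (logged)" if rule.log else "explicit rule"
    service = DEFAULT_SERVICES.get((pkt["proto"], pkt["dport"]))
    if service == "DNS":
        return "ALLOW", "default: DNS allowed from every zone"
    if service and pkt["zone"] == "GREEN":
        return "ALLOW", "default: %s allowed from GREEN" % service
    return "DENY", "default: denied"


def make_pkt(zone, src, dport, proto="tcp", mac="aa:aa:aa:aa:aa:aa", dst="68.163.90.13"):
    """Build a connection description for evaluate(); the defaults are constructed samples."""
    return {"zone": zone, "src": src, "mac": mac, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    rules = [
        Rule("DENY", "tcp", "GREEN", source_ip="10.1.1.3", dest_port=80),
        Rule("ALLOW", "tcp", "ORANGE", source_ip="192.168.10.0/24", dest_port=80),
        Rule("ALLOW", "tcp", "BLUE", mac="00:11:22:33:44:55",
             dest_ip="68.163.75.0/24", dest_port=443, log=True),
    ]
    for p in [make_pkt("GREEN", "10.1.1.3", 80), make_pkt("GREEN", "10.1.1.4", 80),
              make_pkt("ORANGE", "192.168.10.5", 443), make_pkt("BLUE", "192.168.20.7", 53, "udp")]:
        print(p["zone"], p["src"], p["proto"], p["dport"], "->", evaluate(rules, p))
```

Note how the ORANGE host can reach web servers only because of the explicit rule; without it the DMZ gets nothing but DNS, which is the posture you want for a zone that hosts exposed services.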

Figure 6.11. Lists all current outgoing rules

Current rules lists the rules that are in effect. To remove one, click the Trash can icon. To edit one, click the Pencil icon. To enable or disable a rule - click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.


On top of the table there is a checkbox labeled Log accepted outgoing connections. Tick this checkbox on if you want the firewall to log all connections which have been established or tried to and successfully passed the firewall without being blocked.

Note

Enabling this may not be legal in some countries, but in some other countries this is compulsory.

Globally ALLOW outgoing traffic to RED

You can globally allow outgoing traffic from all zones to the Internet by simply answering yes to the question disable outgoing firewall ? in the drop down menu below and then clicking on the save button.

Figure 6.12. Globally allow outgoing traffic

You can go back to the default settings which limit access to RED by answering yes to the question enable outgoing firewall ? in the drop down menu below and then clicking on the save button.

Figure 6.13. Globally deny outgoing traffic

You will notice a single checkbox, labeled Log accepted outgoing connections. Tick this checkbox on if you want the firewall to log all connections which have been established or tried to and successfully passed the firewall without being blocked.


Note

Enabling this may not be legal in some countries, but in some other countries this is compulsory.


Chapter 7. Proxy


Table of Contents

Introduction

HTTP Proxy

Feature List

Web proxy configuration

Common settings

Upstream proxy

Log settings

Cache management

Network based access control

Time restrictions

Transfer limits

MIME type filter

Web browser

Authentication configuration

Content filter

Content filter (Dansguardian)

Block pages which contain unallowed phrases

Block pages known to have content of the following categories

Custom black- and whitelists

HTTP Antivirus

Max. content scan size

Last Update

Do not scan the following URLs


Enforcing proxy usage

Web Proxy standard operation modes

Client side Web Proxy configuration

Requirements for mandatory proxy usage

POP3

Global settings

Spamfilter configuration

SIP

FTP

SMTP

General Settings

Antivirus

AntiSpam

General Settings

Greylisting

Banned File Extension

Blacklists/Whitelists

Real-time Spam Black Lists (RBL)

Custom black/whitelists

Domains

BCC

Advanced settings

Smarthost

IMAP Server for SMTP Authentication

Advanced settings

Introduction

Figure 7.1. Proxy menu selected


The proxy server is a service that allows your clients to make indirect network connections to other network services. The client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases, the proxy may alter the client's request or the server's response for various purposes (e.g. a mail header will be changed or added if the mail contains spam-content, advertisement will be removed from a website).

This chapter covers the whole proxy menu.

The following submenus will be described in this chapter:

HTTP
POP3
SIP
FTP
SMTP

HTTP Proxy

Feature List

User authentication

Local user authentication, including group based user management
LDAP authentication, including MS Active Directory, Novell eDirectory and OpenLDAP
Windows authentication, including Windows NT4.0 or 2000/2003 domains and Samba
RADIUS authentication

Advanced access control

Network based access control over IP and MAC addresses
Time based access restrictions
Download throttling
MIME type filter
Blocking of unauthorized browsers or client software
Group based access with groups coming from Windows Active Directory

Web proxy configuration

Common settings

The common settings are the essential parameters of the proxy service.

Figure 7.2. Displays HTTP advanced proxy settings


Enabled on zone

This enables the Proxy Server to listen for requests on the selected zone (GREEN or BLUE or ORANGE).

Note

If the proxy service is disabled, all client requests will be forwarded directly to the destination address without passing the proxy service and therefore the requests will bypass all configured ACLs.

Transparent on zone

If the transparent mode is enabled, all requests for the destination port 80 will be forwarded to the Proxy Server without the need of any special configuration changes to your clients.

Warning

Transparent mode works only for destination port 80. All other requests (e.g. port 443 for SSL) will bypass the Proxy Server.

Note

When using any type of authentication, the Proxy cannot run in transparent mode, because a transparently intercepted client is never asked for credentials.

Note


To enforce the usage of the Proxy Server in non-transparent mode, you will have to block all outgoing ports usually used for http traffic (80, 443, 8000, 8080, etc.).

Proxy Port

This is the port the Proxy Server will listen for client requests. The default is 8080.

Note

In transparent mode, all client requests for port 80 will automatically be redirected to this port.

Warning

In non-transparent mode, make sure that your clients are configured to use this port. Otherwise they will bypass the Proxy Server and all ACLs will be ignored.

Visible hostname

If you want to present a special hostname in error messages or to upstream proxy servers, define it here. Otherwise, the real hostname of your Endian Firewall will be used. This is optional.

Cache administrator e-mail

This e-mail address will be shown on the Proxy Server error messages. This is optional.

Error messages language

Select the language in which the Proxy Server error messages will be displayed to the clients.

Contentfilter enabled

By enabling this feature you can activate different types of filters in the Content filter menu.

Note

This feature will only partially work for SSL connections, as it is not possible to do pattern matching on encrypted data. Filtering by domain name still works, since the proxy sees the destination host name of an HTTPS request, but the path and the content of the page are not visible to the filter.

Antivirus enabled

This enables antivirus protection when browsing through the world wide web.

Warning

It is not possible to scan encrypted connections for viruses.

Allowed ports

Only HTTP connections on one of the specified ports will pass through the proxy. The rest will be blocked.

Note

When using transparent mode this feature will not work.

Allowed SSL ports

Like the allowed ports option but this time for SSL encrypted HTTP (HTTPS) connections.

Note

When using transparent mode this feature will not work.

Upstream proxy

These settings may be required for chained proxy environments.

Figure 7.3. Displays HTTP advanced proxy upstream proxy configuration

Username forwarding

If any type of authentication is activated for HTTP Proxy, this enables the forwarding of the login name. This can be useful for user based ACLs or logging on remote proxy servers.

Note

This is for ACL or logging purposes only and doesn’t work if the upstream proxy requires a real login.

Note

The forwarding is limited to the username, the password will not be forwarded.

Client IP address forwarding

This enables the HTTP x-forwarded-for header field. If enabled, the internal client IP address will be added to the HTTP header.

x-forwarded-for: 192.168.1.37


This can be useful for source based ACLs or logging on remote proxy servers. By default the field is suppressed entirely rather than being sent with the value unknown.

Note

If the last proxy in chain doesn’t strip this field, it will be forwarded to the destination host!
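The warning above is the point to understand before enabling client IP forwarding in a proxy chain: every hop that forwards appends the address it saw, and whatever the last proxy does not strip ends up at the destination host. The following simulation is an added example, not Endian Firewall or Squid code; it models a chain of proxies where each hop has the forwarding setting either on (append) or off (suppress the field entirely), and shows what reaches the origin server with and without the last proxy stripping the header. The addresses are constructed sample values.

```python
"""x-forwarded-for behaviour along a proxy chain (added example, not EFW code)."""


def forward_hop(headers, client_addr, forward_client_ip):
    """Return the headers one proxy sends upstream for a request from client_addr.

    With forwarding enabled the proxy appends client_addr to any existing
    x-forwarded-for value (comma separated, oldest first).  With forwarding
    disabled the field is suppressed rather than sent as "unknown", so any
    value added by an earlier hop is dropped as well.
    """
    out = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    if forward_client_ip:
        prior = headers.get("x-forwarded-for")
        out["x-forwarded-for"] = client_addr if not prior else prior + ", " + client_addr
    return out


def run_chain(client_ip, hops, strip_at_last):
    """Simulate a request from client_ip through hops = [(proxy_ip, forward), ...].

    Returns the headers that reach the origin server.  Each proxy sees the
    previous proxy (or the client) as its peer address.  If strip_at_last is
    True the final proxy removes x-forwarded-for so that internal addresses
    are not leaked to the destination host.
    """
    headers = {"host": "www.example.com"}   # constructed sample request
    peer = client_ip
    for proxy_ip, forward in hops:
        headers = forward_hop(headers, peer, forward)
        peer = proxy_ip
    if strip_at_last:
        headers.pop("x-forwarded-for", None)
    return headers


if __name__ == "__main__":
    chain = [("10.0.0.1", True), ("10.0.0.2", True)]
    print("leaked:  ", run_chain("192.168.1.37", chain, strip_at_last=False))
    print("stripped:", run_chain("192.168.1.37", chain, strip_at_last=True))
```

The first run shows the internal client address and the first proxy's address arriving at www.example.com; only the last hop can prevent that, which is why the setting on the upstream side matters as much as the one on Endian Firewall.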

Upstream proxy (host:port)

If you are using a parent cache, then enter the IP address and port of this upstream Proxy. If no value for port is given, the default port 80 will be used.

Upstream username

Enter the username for the upstream Proxy Server (only if required).

Upstream password

Enter the password for the upstream Proxy Server (only if required).

Note

If you enter a password, the username forwarding (described above) will be disabled.

Log settings

These options are for enabling the HTTP Proxy log files.

Figure 7.4. Displays HTTP advanced proxy log settings

Log enabled

This enables the Web Proxy logging feature. All client requests will be written to a log file and can be viewed within the GUI under Logs > Proxy Logs (See the section called “Proxy Logs Page”).

Warning


Enabling this option may be considered invasion of personal privacy of your clients in some countries and/or break other legal rules.

Before you are using this option make sure that this will be in accordance with the national law or other legal regulations.

In most countries, the user must agree that personal data will be logged. Do not enable this in a business environment without the written agreement of the workers council.

Firewall logs outgoing connections

Tick this on if you want the firewall to log all outgoing connections.

Warning

In most countries this may be illegal!

Log query terms

The part of the URL containing dynamic queries will be stripped by default before logging. Enabling the option Log query terms will turn this off and the complete URL will be logged.

Warning

Enabling this option may be considered invasion of personal privacy in some countries!

Log useragents

Enabling this option will write the useragent string to the log file /var/log/squid/useragent.log. This log file option should only be activated for debugging purposes and the result is not shown within the GUI based log viewer.

Cache management

The cache management settings control the caching parameters for Advanced Proxy.

Figure 7.5. Displays HTTP advanced proxy cache management configuration


Memory cache size

This is the amount of physical RAM to be used for negative-cached and in-transit objects. This value should not exceed 50% of installed RAM. The minimum for this value is 1 MB, the default is 20 MB.

Note

This parameter does not specify the maximum process size. It only places a limit on how much additional RAM the Web Proxy will use as a cache of objects.

Harddisk cache size

This is the amount of disk space (MB) to use for cached objects. The default is 500 MB. Change this to suit your configuration. Do not put the size of your disk drive here. If you want Squid to use the entire disk drive, subtract 20% of the real disk size and use that value instead.

Min object size

Objects smaller than this size will not be saved on disk. The value is specified in kilobytes, and the default is 0 KB, which means there is no minimum.

Max object size

Objects larger than this size will not be saved on disk. The value is specified in kilobytes, and the default is 4MB (4096KB). If you wish to increase speed at the expense of saving bandwidth you should keep this low.

Do not cache these domains

A list of sites which cause the request not to be satisfied from the cache and the reply not to be cached. In other words, use this to force objects to never be cached. All domains must be entered with a leading dot:

.advproxy.net
.google.com

Enable offline mode

Enabling this option will turn off the validation of cached objects. This gives access to more cached information (stale cached versions, where the origin server should have been contacted).

Network based access control

This defines the access control for accessing the Proxy Server based on the client network address.

Figure 7.6. Displays HTTP advanced proxy network based access control


Allowed subnets

All listed subnets are allowed to access the Proxy Server. By default, the subnets for GREEN, BLUE and ORANGE (if available) are listed here.

Warning

If you ever change the network configuration of any zone with the network wizard described in the section called “Network Configuration”, you also need to update the values in this list, especially if a subnet is changed.

You can add other subnets like subnets behind GREEN in larger environments to this list.

Note

All subnets not listed here will be blocked for web access.

Sources which bypass the transparent proxy

When using the transparent proxy, all subnets, IP addresses and MAC addresses specified here are allowed to connect directly to the requested URLs instead of going through the proxy.

Note

MAC addresses have to be entered in the following form: 00:00:00:00:00:00

Destinations to which the transparent proxy is bypassed

When using the transparent proxy, connections to the subnets or IP addresses specified here do not go through the proxy but are established directly.

Unrestricted IP addresses

All client IP addresses in this list will override the following restrictions:

Time restrictions
Size limits for download requests
Download throttling
Browser check
MIME type filter
Authentication (will be required by default for these addresses, but can be turned off)
Concurrent logins per user (only available if authentication is enabled)

Unrestricted MAC addresses

All client MAC addresses in this list will override the following restrictions:

Time restrictions
Size limits for download requests
Download throttling
Browser check
MIME type filter
Authentication (will be required by default for these addresses, but can be turned off)
Concurrent logins per user (only available if authentication is enabled)

Note

Using MAC addresses instead of IP addresses can be useful if the DHCP service is enabled without having fixed leases defined.

Note

MAC addresses can be entered in one of these forms:

00-00-00-00-00-00 or 00:00:00:00:00:00

Note

The Proxy Server can only determine MAC addresses from clients configured for the subnets of the GREEN, BLUE or ORANGE interfaces.

Banned IP addresses or subnets

All requests from these clients (IP addresses or subnets) in this list will be blocked.

Banned MAC addresses

All requests from these clients in this list will be blocked. Using MAC addresses instead of IP addresses can be useful if the DHCP service is enabled without having fixed leases defined.

MAC addresses can be entered in one of these forms:

00-00-00-00-00-00 or 00:00:00:00:00:00

Note

The Proxy Server can only determine MAC addresses from clients configured for the subnets of the GREEN, BLUE or ORANGE interfaces.
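The lists described in this section (allowed subnets, banned IP addresses or subnets, banned MAC addresses, unrestricted IP and MAC addresses) interact, and the text does not spell out which one wins when a client appears in several. The following decision model is an added example, not Endian Firewall's own code; it assumes the precedence a practitioner would expect and should verify against the running proxy: a ban always wins, then the client must come from an allowed subnet, and only then does an unrestricted entry exempt it from the time, size, throttling, browser and MIME restrictions. MAC addresses are accepted in both notations shown above, and a client whose MAC the proxy cannot determine is handled by IP alone.

```python
"""Network based access control decisions (added example, not EFW code)."""
import ipaddress
import re

# Both forms from the text: 00-00-00-00-00-00 and 00:00:00:00:00:00.
_MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})"
                     r"[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)


def normalize_mac(mac):
    """Canonicalise either MAC notation to lower-case, colon separated form."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError("invalid MAC address: %r" % mac)
    return ":".join(g.lower() for g in m.groups())


def _in_any(addr, nets):
    """True if addr lies in any of the listed hosts or subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


class AccessControl:
    """The lists of the Network based access control page, with assumed precedence."""

    def __init__(self, allowed_subnets, banned_subnets=(), banned_macs=(),
                 unrestricted_ips=(), unrestricted_macs=()):
        self.allowed = list(allowed_subnets)
        self.banned = list(banned_subnets)
        self.banned_macs = {normalize_mac(m) for m in banned_macs}
        self.unrestricted_ips = list(unrestricted_ips)
        self.unrestricted_macs = {normalize_mac(m) for m in unrestricted_macs}

    def decide(self, client_ip, client_mac=None):
        """Return 'banned', 'not allowed', 'unrestricted' or 'restricted'.

        client_mac may be None: as the note says, the proxy can only learn the
        MAC address of clients on the directly attached GREEN/BLUE/ORANGE subnets.
        """
        mac = normalize_mac(client_mac) if client_mac else None
        if _in_any(client_ip, self.banned) or (mac is not None and mac in self.banned_macs):
            return "banned"
        if not _in_any(client_ip, self.allowed):
            return "not allowed"
        if _in_any(client_ip, self.unrestricted_ips) or (mac is not None and mac in self.unrestricted_macs):
            return "unrestricted"
        return "restricted"


if __name__ == "__main__":
    # Constructed sample configuration: GREEN is 192.168.0.0/24, a routed subnet behind it is 10.0.0.0/8.
    acl = AccessControl(allowed_subnets=["192.168.0.0/24", "10.0.0.0/8"],
                        banned_subnets=["192.168.0.200/32"],
                        banned_macs=["00-11-22-33-44-55"],
                        unrestricted_ips=["192.168.0.10"],
                        unrestricted_macs=["AA:BB:CC:DD:EE:FF"])
    for ip, mac in [("192.168.0.200", None), ("192.168.0.5", "00:11:22:33:44:55"),
                    ("172.16.0.1", None), ("10.1.1.3", "aa-bb-cc-dd-ee-ff"), ("10.1.1.3", None)]:
        print(ip, mac, "->", acl.decide(ip, mac))
```

The last two lines of the demonstration make the point of the note above: the same host in the routed 10.0.0.0/8 subnet is unrestricted only when the proxy can see its MAC address, which it cannot for clients behind a router.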

Time restrictions

This defines the operational time of the Web Proxy.

Figure 7.7. Displays HTTP advanced proxy time restrictions configuration


The option allow allows web access and the option deny blocks web access within the selected time. The choice of allow or deny will depend on the time rules you want to apply. The default is set to allow access every day around the clock.

Note

Time restrictions will not be effective for these clients:

Sources which bypass the transparent proxy
Destinations to which the transparent proxy is bypassed
Unrestricted source IP addresses
Unrestricted source MAC addresses
Members of the group Extended if the Proxy uses Local authentication

Transfer limits

This allows you to enter limitations of the size for each download and/or upload request.

Figure 7.8. Displays HTTP advanced proxy transfer limit configuration

The values are given in KB. A reason for transfer limits could be that you want to prevent downloading large files, such as CD images. The default is set to 0 KB for upload and download. This value turns off any limitation.

Note

These limits refer to each single request, not to the total amount for all requests.

Note

Download limits will not be effective for these clients:

Sources which bypass the transparent proxy
Destinations to which the transparent proxy is bypassed
Unrestricted source IP addresses
Unrestricted source MAC addresses
Members of the group Extended if the Proxy uses Local authentication

Note

Upload limits will be effective for all clients except:

Sources which bypass the transparent proxy

Destinations to which the transparent proxy is bypassed

MIME type filter

The MIME type filter can be configured to block content depending on its MIME type.

Figure 7.9. Displays HTTP advanced proxy MIME type filter

If enabled, the filter checks the headers of all incoming responses for their MIME type. If the MIME type is on the block list, access to this content is denied. This way you can block content regardless of the file name extension.

Example 7.1. Add this MIME type if you want to block the download of PDF files:

application/pdf

Example 7.2. Add these MIME types if you want to block the download of MPEG and QuickTime video files:

video/mpeg

video/quicktime

Note

The MIME types are processed as regular expressions. This means that the entry javascript will block all content whose MIME type contains this word, such as:

application/x-javascript and text/javascript

Note

MIME type blocking will not be effective for these clients:

Sources which bypass the transparent proxy

Destinations to which the transparent proxy is bypassed

Unrestricted source IP addresses

Unrestricted source MAC addresses

Members of the group Extended if the Proxy uses Local authentication

Web browser

This allows you to control which client software may have access to web sites.

Figure 7.10. Displays HTTP advanced proxy user agent filter

Enable Browser check

If this option is enabled, only the selected clients will be able to pass the Proxy Server. All other requests will be blocked.

Note

Browser based access control will not be effective for these clients:

Sources which bypass the transparent proxy

Destinations to which the transparent proxy is bypassed

Unrestricted source IP addresses

Unrestricted source MAC addresses

Members of the group Extended if the Proxy uses Local authentication

Client definitions

The most important web clients are already listed. You can create your own definitions by editing the file /var/efw/proxy/advanced/useragents and adding the browser specific information there.

Adding custom clients may be necessary if you want to allow your antivirus software to download updated definitions. If you don't know the user agent of this software, you can enable user agent logging in the section Log settings and watch the file /var/log/squid/useragent.log.

The syntax for client definitions is:

name,display,(regexp)

name

is required for internal processing of the Advanced Proxy and should be a short name in alphanumeric capital letters without spaces.

display

is the string which appears in the GUI list and should contain the common name for this client.

(regexp)

is a regular expression which matches the browser useragent string and must always be enclosed by parentheses.

The values are separated by commas.
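The following Python parser is an added example and is not code from the guide or from Endian: it reads definitions in the name,display,(regexp) syntax above and applies the allow-list logic of the browser check, and it also applies the block-list regular-expression matching described for the MIME type filter. The definition lines and User-Agent strings are constructed samples, and splitting each line on its first two commas is an assumption about how the file is parsed.

```python
import re
from dataclasses import dataclass

# Constructed sample definitions in the documented "name,display,(regexp)"
# syntax; these are NOT the contents of /var/efw/proxy/advanced/useragents.
SAMPLE_USERAGENT_DEFINITIONS = r"""
MOZILLA,Mozilla based browsers,(Mozilla)
WGET,Wget command line client,(Wget)
AVUPDATE,Example AV update client,(ExampleAV Update/[0-9]+\.[0-9]+)
"""

NAME_RE = re.compile(r"^[A-Z0-9]+$")  # short alphanumeric capitals, no spaces


@dataclass(frozen=True)
class ClientDefinition:
    name: str            # internal name used by the Advanced Proxy
    display: str         # common name shown in the GUI list
    pattern: re.Pattern  # regexp matched against the User-Agent header


def parse_definition(line):
    """Parse one definition line; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    # Assumption: split on the first two commas only, so that a comma
    # inside the regexp does not produce extra fields.
    parts = line.split(",", 2)
    if len(parts) != 3:
        raise ValueError(f"expected name,display,(regexp): {line!r}")
    name, display, regexp = (p.strip() for p in parts)
    if not NAME_RE.match(name):
        raise ValueError(f"name must be alphanumeric capitals without spaces: {name!r}")
    if not (regexp.startswith("(") and regexp.endswith(")")):
        raise ValueError(f"regexp must be enclosed in parentheses: {regexp!r}")
    return ClientDefinition(name, display, re.compile(regexp))


def load_definitions(text):
    """Parse a whole definitions file into a list of ClientDefinition."""
    return [d for d in map(parse_definition, text.splitlines()) if d is not None]


def browser_check(user_agent, definitions, allowed_names):
    """Allow-list semantics of 'Enable Browser check': return the name of the
    first selected client whose regexp matches, or None if the request is blocked."""
    for d in definitions:
        if d.name in allowed_names and d.pattern.search(user_agent):
            return d.name
    return None


def mime_blocked(content_type, blocked_mime_types):
    """Block-list semantics of the MIME type filter: each entry is an unanchored
    regular expression, so 'javascript' matches application/x-javascript as well
    as text/javascript. Header parameters such as '; charset=utf-8' are ignored."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return any(re.search(entry, media_type) for entry in blocked_mime_types)


if __name__ == "__main__":
    defs = load_definitions(SAMPLE_USERAGENT_DEFINITIONS)
    selected = {"MOZILLA", "AVUPDATE"}
    for ua in ("Mozilla/5.0 (X11; Linux) Firefox/1.5", "Wget/1.10", "ExampleAV Update/2.1"):
        print(ua, "->", browser_check(ua, defs, selected) or "blocked")
    for ct in ("application/x-javascript", "text/javascript; charset=utf-8", "application/pdf"):
        print(ct, "blocked:", mime_blocked(ct, ["javascript"]))
```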

Authentication configuration

Warning

When using authentication and enabling the web proxy log files, the requesting user name will be logged in addition to the requested URL. Before enabling log files while using authentication, make sure not to violate existing laws.

Note

Authentication will not work with the transparent proxy turned on.

Authentication methods overview

The Advanced Proxy offers a variety of methods for user authentication.

Figure 7.11. Displays HTTP advanced proxy authentication methods

None

Authentication is disabled. Users don’t need to authenticate when accessing web sites.

Local Authentication

This authentication method is the preferred solution for SOHO environments. Users need to authenticate when accessing web sites by entering a valid username and password. The user management resides on the Endian Firewall Proxy Server. Users are categorized into three groups: Extended, Standard and Disabled.

Authentication using LDAP

This authentication method is the preferred solution for medium and large network environments. Users will have to authenticate when accessing web sites by entering a valid username and password. The credentials are verified against an external Server using the Lightweight Directory Access Protocol (LDAP).

LDAP authentication will be useful if you already have a directory service in your network and don’t want to maintain additional user accounts and passwords for web access.

The HTTP Proxy works with these types of LDAP Servers:

Active Directory (Windows 2000 and 2003 Server)

Novell eDirectory (NetWare 5.x and NetWare 6)

LDAP Version 2 and 3 (OpenLDAP)

As an option, membership for a certain group can be required.

Note

The protocol LDAPS (Secure LDAP) is not supported.

Windows authentication

This authentication method is one of the preferred solutions for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external Server acting as a Domain Controller. This can be a:

Windows NT 4.0 Server or Windows 2000/2003 Server (even with Active Directory enabled)

Samba 2.x / 3.x Server (running as Domain Controller)

Advanced Proxy works with Windows integrated authentication (transparent) or with standard authentication (explicit with username and password). You can maintain lists with authorized user names (whitelist) or unauthorized user names (blacklist).

Note

Workgroup based authentication may work, but is neither recommended nor supported.

RADIUS authentication

This authentication method is another good solution for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external RADIUS server. You can maintain lists with authorized user names (whitelist) or unauthorized user names (blacklist).

Global authentication settings

The global authentication settings are available for all authentication methods.

Figure 7.12. Displays HTTP advanced proxy global authentication settings

Number of authentication processes

The number of background processes listening for requests. The default value is 5 and should be increased if authentication takes too long or Windows integrated authentication falls back to explicit authentication.

Authentication cache TTL

Duration in minutes for which credentials will be cached for each single session. If this time expires, the user has to re-enter the credentials for this session. The default is 60 minutes, the minimum is 1 minute. The TTL is reset whenever the user sends a new request to the Proxy Server within a session.

Note

If the user opens a new session, the credentials must always be entered, even if the TTL has not expired for another session.

Limit of IP addresses per user

Number of source IP addresses from which a user can be logged in at the same time. An IP address is released after the time defined at User/IP cache TTL.

Note

This has no effect if running Local authentication and the user is a member of the Extended group.

User/IP cache TTL

Duration in minutes for which the relation between each user name and the IP address it was used from will be cached. The default value is 0 (disabled). A value greater than 0 is only reasonable when using a limit for concurrent IP addresses per user.

Require authentication for unrestricted source addresses

By default authentication is required even for unrestricted IP addresses. If you don’t want to require authentication for these addresses, untick this box.

Authentication realm prompt

This text will be shown in the authentication dialog.

Domains without authentication

This allows you to define a list of domains that can be accessed without authentication.

Note

These domains are destination DNS domains and not source Windows NT domains.

Note

This works only for DNS domain names and not for IP addresses.

Example 7.3. Windows Update

To allow access to Windows Update without authentication add these domains to the list:

.download.microsoft.com

.windowsupdate.com

.windowsupdate.microsoft.com

Note

All listed domains require a leading dot.

Local user authentication

The Local user authentication lets you manage user accounts locally without the need for external authentication servers.

Figure 7.13. Displays HTTP advanced proxy local user authentication

User management

The integrated user manager can be executed from the main settings page.

Figure 7.14. Displays HTTP advanced proxy local user authentication

Min password length

Enter the minimum required length for passwords. The default is set to 6 alphanumeric characters.

User management

This button opens the local user manager.

Local user manager

The user manager is the interface for creating, editing and deleting user accounts.

Figure 7.15. Displays local user manager for the HTTP advanced proxy

Within the user manager page, all available accounts are listed in alphabetical order.

Group definitions

You can select between three different groups:

Standard

The default for all users. All given restrictions apply to this group.

Extended

Use this group for unrestricted users. Members of this group will bypass any time- and filter-restrictions.

Disabled

Members of this group are blocked. This can be useful if you want to disable an account temporarily without losing the password.

Proxy service restart requirements

The following changes to user accounts will require a restart of the proxy service:

a new user account was added and the user is not a member of the Standard group

the group membership for a certain user has been changed

The following changes to user accounts will not require a restart of the proxy service:

a new user account was added and the user is a member of the Standard group

the password for a certain user has been changed

an existing user account has been deleted

Create user accounts

Username

Enter the username for the user. If possible, the name should contain only alphanumeric characters.

Group

Select the group membership for this user.

Password

Enter the password for the new account.

Password (confirm)

Confirm the previously entered password.

Create user

This button creates a new user account. If this username already exists, the account for this username will be updated with the new group membership and password.

Back to main page

This button closes the user manager and returns to the Advanced Proxy main page.

Edit user accounts

A user account can be edited by clicking on the pencil icon. When editing a user account, only the group membership or the password can be changed.

While editing an account, the referring entry will be marked with a yellow bar.

Figure 7.16. Displays editing a user with local user manager of HTTP advanced proxy

To save the changed settings, use the button Update user.

Note

The username cannot be modified. This field is read-only. If you need to rename a user, delete this user and create a new account.

Delete user accounts

A user account can be deleted by clicking the trash can icon. The account will be deleted immediately.

Client side password management

Users may change their passwords if needed. The interface can be invoked by entering this URL:

https://efw:10443/cgi-bin/chpasswd.cgi

Note

Replace efw with the GREEN IP address of your Endian Firewall.

The web page dialog requires the username, the current password and the new password (twice for confirmation):

Figure 7.17. Change it yourself page, allowing user to change their local HTTP proxy password

LDAP authentication

This authentication method uses an existing directory infrastructure for user authentication.

Figure 7.18. Displays LDAP authentication page of HTTP advanced proxy

If you are unsure about your internal directory structure, you can examine your LDAP server using the command line based ldapsearch tool.

Windows clients can use the free and easy to use Softerra LDAP browser for this: http://www.ldapbrowser.com.

Common LDAP settings

Figure 7.19. Common LDAP settings of HTTP advanced proxy

Base DN

This is the base where to start the LDAP search. All subsequent Organizational Units (OUs) will be included. Refer to your LDAP documentation for the required format of the base DN.

Example 7.4. Base DN for Active Directory

cn=users,dc=ads,dc=local

This will search for users in the group users in the domain ads.local.

Example 7.5. Base DN for eDirectory

ou=users,o=acme

This will search for users in the Organizational Unit users (and below) in the Organization acme.

Note

If the Base DN contains spaces, you must escape these spaces using a backslash.

Example 7.6. Base DN containing spaces

cn=internet\ users,dc=ads,dc=local

LDAP type

You can select between different types of LDAP implementations:

Active Directory (ADS)

Novell eDirectory (NDS)

LDAP v2 and v3

LDAP Server

Enter the IP address of your LDAP Server.

Port

Enter the port on which your LDAP Server is listening for LDAP requests. The default is 389.

Note

The protocol LDAPS (Secure LDAP, port 636) is not supported.

Bind DN settings

Figure 7.20. Bind DN settings of LDAP authentication within HTTP advanced proxy

Bind DN username

Enter the full distinguished name for a Bind DN user.

Note

A Bind DN user is required for Active Directory and eDirectory.

Note

The Bind DN user must be allowed to browse the directory and read all user attributes.

Note

If the Bind DN username contains spaces, you must escape these spaces using a backslash.

Bind DN password

Enter the password for the Bind DN user.

Group based access control

Figure 7.21. Group based access control of LDAP authentication within HTTP advanced proxy

Required group (optional)

Enter the full distinguished name of a group for authorized Internet users. In addition to a correct authentication, a membership within this group will be required for web access.

Note

If the group name contains spaces, you must escape these spaces using a backslash.

Advanced Group Selections

Windows authentication

This authentication method uses an existing Windows domain environment for user authentication.

Figure 7.22. HTTP advanced proxy authentication against Windows

In addition to the authentication you can define positive or negative user based access control lists.

Common domain settings

Figure 7.23. Common domain settings of Windows authentication on HTTP advanced proxy

Domain

Enter the name of the domain you want to use for authentication. If you are running a Windows 2000 or Windows 2003 Active Directory, you’ll have to enter the NetBIOS domain name.

PDC hostname

Enter the NetBIOS hostname of the Primary Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active Directory, you can enter the name of any Domain Controller.

Note

For Windows 2000 and above the Primary Domain Controller is not assigned to a specific server. The Active Directory PDC emulator is a logical role and can be assigned to any server.

Warning

The PDC hostname must be resolvable for Endian Firewall. This can be done by adding the hostname at Network > Edit Hosts (See the section called “Host configuration (Edit Hosts)”).

BDC hostname (optional)

Enter the NetBIOS hostname of the Backup Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active Directory, you can enter the name of any Domain Controller. If the PDC doesn’t respond to authentication requests, the authentication process will ask the BDC instead.

Warning

The PDC hostname must be resolvable for Endian Firewall. This can be done by adding the hostname at Network > Edit Hosts (See the section called “Host configuration (Edit Hosts)”).

Authentication mode

Figure 7.24. Authentication mode of Windows authentication on HTTP advanced proxy

Enable Windows integrated authentication

If enabled, the user will not be asked for username and password. The credentials of the currently logged in user will automatically be used for authentication. This option is enabled by default. If integrated authentication is disabled, the user will be requested explicitly for username and password.

User based access restrictions

Figure 7.25. User based access restrictions on Windows authentication of HTTP advanced proxy

Enabled

Enables access control lists for authorized or unauthorized users.

Use positive access control / Authorized domain users

These listed users will be allowed for web access. For all other users, access will be denied.

Use negative access control / Unauthorized domain users

These listed users will be blocked for web access. For all other users, access will be allowed.

Note

If Windows integrated authentication is enabled, the username must be entered with the domain name as a prefix for the username, separated by a backslash.

Example 7.7. User based access control lists using integrated authentication

Figure 7.26. Integrated windows authentication with HTTP advanced proxy

Note

When using integrated authentication, the user must be logged into the domain, otherwise the name of the local workstation instead of the domain name will be added to the username.

Example 7.8. User based access control lists using explicit authentication

Figure 7.27. Explicit authentication with HTTP advanced proxy

Note

Explicit authentication grants access to the user even if the user is not logged into the domain, as long as the username is the same and the local workstation password matches the domain password.

RADIUS authentication

This authentication method uses an existing RADIUS server for user authentication.

Figure 7.28. Displays RADIUS authentication configuration of HTTP advanced proxy

In addition to the authentication you can define positive or negative user based access control lists.

Note

This authentication method cannot handle encrypted connections. If you are running a Microsoft IAS for RADIUS you’ll have to turn off any type of encryption at your IAS.

Common RADIUS settings

Figure 7.29. Displays common RADIUS settings of HTTP advanced proxy authentication

RADIUS Server

Enter the IP address of the RADIUS Server you want to use for authentication.

Port

Enter the port that will be used to communicate with the RADIUS Server. The default is port 1645; some RADIUS servers may use port 1812 instead.

Identifier

This is an optional field and can be used to identify your Endian Firewall for the RADIUS Server. If this is left empty, the IP address of your Endian Firewall will be used for identification.

Shared secret

This is the shared secret for the authentication of your Endian Firewall against the RADIUS Server. This must be the same password that you have entered at your RADIUS Server.

User based access restrictions

Figure 7.30. Displays user based access restrictions of HTTP advanced proxy

Enabled

Enables access control lists for authorized or unauthorized users.

Use positive access control / Authorized users

These listed users will be allowed for web access. For all other users, access will be denied.

Use negative access control / Unauthorized users

These listed users will be blocked for web access. For all other users, access will be allowed.

Advanced Group Selections

Content filter

Note

Requests from users in the Extended group, and requests from users that are allowed to bypass the proxy, are not affected by the content filter.

Content filter (Dansguardian)

Figure 7.31. General content filter configuration

Max. score for phrases

With this option you can adjust how many pages are blocked by the content filter. If many children will connect to the Internet through your Endian Firewall, you should set this to a lower value, since more dangerous content will then be filtered out.

Enable logging

This will turn on logging for blocked requests.

Note

If you want to see the clients' IP addresses you will have to turn on client IP address forwarding in the upstream proxy section.

PICS

This will enable the support for the Platform for Internet Content Selection (PICS: http://www.w3.org/PICS/). PICS enables labels to be assigned to Internet content and was initially designed to help parents and teachers control what their children can access. Today many other rating services and filtering software products are built on PICS.

Save

To save your settings click here.

Block pages which contain unallowed phrases

Figure 7.32. Selection of disallowed phrases which pages may contain

Block pages with content from the ticked categories

When turned on all pages will be parsed and checked for patterns that correspond to the ticked categories. If one of those patterns matches, the site will be blocked.

Save

Click here to save your settings.

Note

This feature is not available for the mini edition of Endian Firewall.

Note

This does not affect users in the Extended group or users that bypass the proxy.

Block pages known to have content of the following categories

Figure 7.33. Selection of categories of URL lists which should be blocked by the HTTP content filter

Block pages that are known to have content of the ticked categories

By checking the boxes corresponding to the displayed categories, it becomes impossible to load URLs that appear in the URL list of one of the checked categories.

Save

To save your settings click here.

Note

This does not affect users in the Extended group or users that bypass the proxy.

Custom black- and whitelists

Figure 7.34. Custom black- and whitelists for the HTTP content filter

Allow the following sites

Access to sites that are specified here will always be allowed.

Block the following sites

Access to sites that are listed here will always be denied.

Note

This will not affect users that bypass the proxy and users in the extended group.

HTTP Antivirus

Figure 7.35. HTTP Antivirus configuration page

Max. content scan size

Only requests that return less than the specified size in megabytes will be scanned for viruses.

Last Update

Displays the date of the last update of the virus database.

Do not scan the following URLs

The URLs that are entered here will not be scanned for viruses. Enter only one URL per line.

Enforcing proxy usage

For different reasons it may be necessary to force all clients to use the proxy service. Such reasons could be mandatory logging, filtering or authentication.

Web Proxy standard operation modes

Proxy service disabled

Endian Firewall proxy settings:

Figure 7.36. HTTP proxy disabled

Client access: Disabling the proxy service gives direct access for all clients.

Figure 7.37. Figure which displays traffic which will not be directed through the HTTP proxy

Result: The proxy service will never be used. Logging, filtering and authentication will not be available.

Proxy service enabled, running in non-transparent mode

Endian Firewall proxy settings:

Figure 7.38. HTTP proxy enabled

Client access: All clients without explicit proxy configuration will bypass the proxy service.

Figure 7.39. Figure which displays traffic which will not be directed through the HTTP proxy

Client access: All clients configured for proxy usage will use the proxy for all destination ports (80, 443, 8080, etc.) and even for browser based FTP access.

Figure 7.40. Figure which displays traffic which will be redirected through the HTTP proxy.

Result: It depends on the client configuration whether the proxy service will be used or not. Unconfigured clients will bypass logging, filtering and authentication.

Proxy service enabled, running in transparent mode

Endian Firewall proxy settings:

Figure 7.41. HTTP proxy enabled as transparent proxy

Client access: All requests with destination port 80 will be internally redirected to the proxy service. Requests with other destination ports (e.g. 443 for https) will bypass the proxy service.

Figure 7.42. Figure that displays traffic which will be transparently redirected through the HTTP proxy.

Result: Not all but most requests will pass the proxy service. Therefore filtering, logging and authentication will not be reliable.

Client side Web Proxy configuration

There are different ways to configure the clients to use the Web Proxy service. Some of them are described in this section.

Manual client configuration

Configuring clients by applying all proxy settings manually:

Time-consuming and unreliable

Configuration required per user

Client pre-configuration

Distributing pre-configured browser clients:

Only reasonable for medium to large environments

Works only for the configured client software

IEAK for IE 6: http://www.microsoft.com/windows/ieak/

CCK for Mozilla: http://www.mozilla.org/projects/cck/

Client configuration via DNS / DHCP

Centralized client configuration using DNS and/or DHCP:

Complex implementation

Requires custom proxy.pac or wpad.dat files (dynamically created by Endian Firewall)

Flexible configuration

Most browsers support this configuration method

More info: http://www.web-cache.com/Writings/Internet-Drafts/draft-ietf-wrec-wpad-01.txt

Client configuration using group policies

Centralized client configuration using group policies:

Complex implementation

Only reasonable for medium to large environments

Requires a centralized network management system (Active Directory, ZENworks, etc.)

Flexible and mandatory configuration

Works only for Win32 clients and certain browser types

Requirements for mandatory proxy usage

To enforce proxy usage, these requirements must be met:

Proper client configuration

The client must be configured to use the proxy service.

Correct proxy operation mode

The proxy must operate in non-transparent mode.

Blocking of direct web access

All direct web access needs to be blocked. See the section called “Outgoing Firewall Administrative Web Page”.

POP3

Global settings

Figure 7.43. Shows POP3 proxy global settings

Enabled on zone

This enables the E-Mail POP Scanner to listen for requests on the selected zone (GREEN, BLUE or ORANGE). All requests for the destination port 110 (POP3) will automatically be intercepted and forwarded to the POP3 Scanner without any configuration changes on your clients.

Virus scanner

This option enables the virus scanner for the incoming mails using the POP3 protocol.

Spam filter

When activated this will turn on the spam filter for incoming mails.

Firewall logs outgoing connections

By enabling this feature the firewall will log every successful connection to an external POP3 server.

Spamfilter configuration

Figure 7.44. Spamfilter configuration of POP3 proxy

Spam subject tag

If an incoming e-mail will be recognized as spam this value will be prepended to the original e-mail subject.

Required hits

SpamAssassin uses hits to rate incoming e-mails. This value tells SpamAssassin how many hits are required for an incoming e-mail to be recognised as spam. Values like 5 or 6 should be reasonable.

White list

E-mails coming from these addresses or domains (using *@domain.com) will never be treated like spam.

Black list

E-mails coming from these addresses are always treated like spam.

Note

Black list and white list for the POP3 proxy will NOT be used by the SMTP proxy.

SIP

The SIP Proxy is a proxy/masquerading daemon for the SIP and RTP protocols. SIP (Session Initiation Protocol, RFC3261) and RTP (Real-time Transport Protocol) are used by Voice over IP (VoIP) devices to establish telephone calls and carry voice streams. The proxy handles registrations of SIP clients on a private IP network and rewrites the SIP message bodies to make SIP connections possible through the firewall, so that SIP clients (like x-lite, kphone, linphone or VoIP hardware) are able to work behind NAT. Without this proxy, connections between two clients that are both behind NAT are not possible at all, since one client can't reach the other directly and therefore no RTP connection can be established between them.

Figure 7.45. SIP Proxy Settings

Enabled on zone

This enables the SIP Proxy to listen for requests on the selected port (default: 5060).

Transparent on zone

If transparent mode is enabled, all requests for the destination port 5060 will be forwarded to the SIP Proxy without the need of any special configuration changes on your clients.

SIP Port

Port to listen on for incoming SIP messages (default: 5060).

RTP Port low / RTP Port high

UDP Port range which the SIP proxy will use for incoming and outgoing RTP traffic. By default the range 7070 up to (and including) 7090 is used. This allows up to 10 simultaneous calls (2 ports per call). If you need more simultaneous calls, increase the range.

Autosave Registration

This allows the SIP proxy to remember registration across a restart.

Time

The registration file is saved every time the number of seconds specified in this field has elapsed.

Outbound Proxy Host/Port

The SIP Proxy itself can be told to send all traffic to another outbound proxy.

Log Calls

This enables logging of established calls. You will see the logging entries within siproxy logviewer. (See the section called “SIProxy log page”)

Firewall logs outgoing connections

Tick this on if you want the firewall to log all outgoing connections. Note that in some countries this may be illegal.

Save and Restart

Save the settings and restart the SIP proxy by clicking the Save and restart button.

Note

Some VoIP devices need special configuration in order to be able to cooperate with the SIP proxy. We noticed especially on snom phones the necessity to enable Support for broken registrars in order to have it fully functional.

FTP

The FTP proxy is only available as a transparent proxy. As such it intercepts each FTP connection on port 21 made to the outside, scans the received contents for viruses and handles the transfer instead of the client.

Warning

If you configure your FTP clients or browsers to use the HTTP proxy also for the FTP protocol, this FTP proxy will be bypassed!

Note

The FTP proxy does not support tickling. This means that the proxy needs to download the entire file before the virus scanner can scan it. The FTP client will get data on the control connection in order not to time out, but get no data on the data connection. The effect is, that the user does not see any progress during download and gets all the data at once after the file has been scanned by the proxy.

Figure 7.46. FTP proxy administration page

Since the FTP proxy has only basic support, there are not many configuration options. They are:

Enabled on zone

This enables the FTP proxy on the specified zone.

Firewall logs outgoing connections

Tick this on if you want the firewall to log all outgoing connections made through the proxy. Note that in some countries this may be illegal.

Warning

With some FTP clients such as Web browsers, the FTP proxy can have some trouble with the authentication. If you need to authenticate against external FTP servers, use real FTP clients or disable the FTP proxy.

SMTP

The scope of the SMTP proxy is to control and optimize SMTP traffic in general and to protect your network from threats when using the SMTP protocol. The SMTP (Simple Mail Transfer Protocol) protocol is used whenever you send an e-mail through your mail client to a remote mail server (outgoing mail). It is also used if you have your own mail server running on your LAN (GREEN interface) or your DMZ (ORANGE interface) and allow mails to be sent from outside your network (incoming requests) through your mail server.

Warning

In order to download mail from a remote mailserver with your local mail clients, the POP3 or IMAP protocol will be used. If you want to protect that traffic too, you have to use the POP3 proxy. Scanning of IMAP traffic is currently not supported.

With the mail proxy functionality, both sorts of traffic (incoming and outgoing mail) can be scanned for viruses, spam and other threats. Mail will be blocked if necessary and notices will be sent to both the receiving user and the administrator. With the possibility to scan incoming mail, the mail proxy can handle incoming connections and pass the mail to one or more internal mail servers, removing the need to allow SMTP connections from the outside into your local networks.

The following is a complete feature list, which will be described in detail in the following sections:

Multi-domain support
Configurable relaying policy per domain
Spool visualisation & management
External authentication support
TLS Email Transport Encryption support
Mail statistics
  o Day, Week, Month, Year graphs
  o Spam, Virus, Bounced, Rejected
Configurable maximum mail data size
Spam blocking
  o Spam notification
  o Local/Remote Quarantine
  o Realtime Blacklist (RBL) support
  o Custom Client/Sender/Recipient black/whitelists
  o Content-matching rules, DNS-based, checksum-based and statistical filtering
  o Auto learning / Training
  o Subject and header modification on spam
  o Greylisting support
Virus scanning
  o Virus notification
  o Local/Remote Quarantine
Extension blocking
  o Notification
  o Block banned files
  o Double extension blocking

General Settings

Figure 7.47. General Settings

Enabled

This enables the SMTP proxy in order to accept requests on port 25.

Note

In non-transparent mode, relaying is disabled unless the client authenticates.

Transparent on zone

If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need of any special configuration changes on your clients.

Antivirus is enabled

Tick this on if you'd like to enable the antivirus. If you enable the antivirus, you can configure the antivirus by clicking on the Antivirus link. See the section called “Antivirus” for a detailed description.

Spamcheck is enabled

Tick this on if you'd like to enable the antispam. If you enable the spam filter, you may configure it by clicking on the Spam link. See the section called “AntiSpam” for a detailed description.

File Extension are blocked

Tick this on if you'd like to enable the file extension blocker. With this you may specify a list of file extensions which are not allowed as attachments. If you enable it, configure it by clicking on the File Extensions link. See the section called “Banned File Extension” for a detailed description.

Incoming Mail enabled

If you have an internal Mailserver and would like the SMTP proxy to forward incoming mails to your internal server you need to tick this checkbox on.

Note

You need to configure the e-mail domains for which it should be responsible. List the responsible domains on the page you reach by clicking on the Domains link. See the section called “Domains” for a detailed description.

Firewall logs outgoing connections

Tick this on if you want the firewall to log all established outgoing connections. Note that in some countries this may be illegal.

Save changes and restart

Save the settings and restart the SMTP proxy by pushing this button.

Antivirus

The antivirus is a core function of the SMTP proxy module. It offers four different ways to handle mail containing a virus. You also have the possibility to configure an e-mail address for notification of recognized and handled threats.

Figure 7.48. SMTP Antivirus

The antivirus section provides the following configuration options:

Mode

This allows you to select the mode of handling infected emails. The following possibilities exist:

DISCARD

In this mode the e-mail will not be delivered to its recipients but deleted without sending a notification to the sender. If a virus quarantine is defined, a copy of the original e-mail will be sent or copied to the virus quarantine.

Note

In most cases this is the best way of handling infected mails.

BOUNCE

In this mode the e-mail will not be delivered to its recipients but bounced back to the sender in the form of a delivery status notification (non-delivery notification). If a virus quarantine is defined, a copy of the original e-mail will be sent or copied to the virus quarantine.

Warning

Sending notification mails to the sender is of little help, since worms normally use spoofed sender addresses, so such notifications mostly reach anyone but the right person. The SMTP proxy does not send a bounce back to the sender when it recognizes a worm that is known to spoof the sender address. Nevertheless, the benefit of this mode may be smaller than the problems it causes.

REJECT

The email will be rejected by the MTA. Basically this is the same as BOUNCE. (removed in version 2.1)

PASS

Mail will pass to its recipients, regardless of bad content.

Virus Admin

Gives you the possibility to specify a (fully qualified) administrator email address where virus notifications should be sent. (Default is empty)

Virus Quarantine

Location to put infected mail into. The following possibilities are valid:

leave empty

Disables the quarantine

virus-quarantine

Set this if you would like to store infected mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no possibility to control and manage the quarantine if you use this possibility.

any email address

You can specify any valid e-mail address to which infected e-mails will be forwarded. With this variant you can forward all infected mails to a POP3 or an IMAP account where you may manage them easily.

Note

The email address must contain a @.

Warning

This email address must not have any virus scanner, otherwise the quarantined mail will be blocked by that server.

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

AntiSpam

The antispam module offers several different ways to protect you against spam. SpamAssassin and amavisd-new are used to filter out spam. SpamAssassin incorporates several means of detecting spam: it has a “score tally” system in which a large number of inter-related rules fire and add up to a score that determines whether a message is spam or not. In this system the score of each rule is tuned relative to every other rule in the ruleset, so that as much spam and non-spam as possible each fall on the right side of the threshold.

While the rules block much of the simpler spam, well-known spam and spam sent by known spam hosts, spammers constantly adapt their messages in order to evade spam filters. Therefore it is also necessary to keep training the spam filter in order to obtain a personalized and stronger statistical (Bayes) filter.

Note

While the spam filter blocks much spam it never will block all of your spam.

Note

The spamassassin rules will not be updated automatically like the virus signatures. Here you can read why.

General Settings

Figure 7.49. SMTP Antispam

Spam destination

This allows you to define what should happen to spam mails. The following possibilities exist:

DISCARD

In this mode the e-mail will not be delivered to its recipients but deleted without sending a notification to the sender. If a spam quarantine is defined, a copy of the original e-mail will be sent or copied to the spam quarantine.

Note

In most cases this is not very useful, since the spam filter may also block regular mail (false positives) if it is configured too restrictively.

Warning

Check your local law. In most countries it is illegal to delete mail without the permission of the recipient.

BOUNCE

In this mode the e-mail will not be delivered to its recipients but bounced back to the sender in the form of a delivery status notification (non-delivery notification). If a spam quarantine is defined, a copy of the original e-mail will be sent or copied to the spam quarantine.

Warning

Sending notification mails to the sender of spam is of little help, since spammers then know more than ever that they have hit a real e-mail address. Furthermore, spammers mostly do not use their real sender addresses. They nearly always use spoofed sender addresses, therefore such notifications always reach anyone but the right person.

REJECT

The email will be rejected by the MTA. Basically this is the same as BOUNCE. (removed in version 2.1)

PASS

Mail will pass to its recipients, regardless of bad content.

Note

In most cases, this is the best mode you can use. The spam filter adds spam headers and changes the subject of the mail if it recognizes the mail as spam. The recipients then may use their mail clients to filter those mails themselves.

Spam admin

Gives you the possibility to specify a (fully qualified) administrator e-mail address to which spam notifications should be sent. (Default is empty)

Spam quarantine

Location to put spam mail into. The following possibilities are valid:

leave empty

Disables the quarantine

spam-quarantine

Set this if you would like to store spam mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no possibility to control and manage the quarantine if you use this possibility.

any email address

You can specify any valid email address, to which spam mail will be forwarded. With this variant you can forward all spam mails to a POP3 or IMAP account where you may manage them easily.

Note

The email address must contain a @.

Warning

This email address must not have any blocking spam filter, otherwise the quarantined mail will be blocked by that server.

SPAM TAG Level:

If the spam score is greater than or equal to this level, spam info e-mail headers are added. You will find them as X-Spam-Status and X-Spam-Level headers.

Note

This level will not block the mail, regardless of what you defined as spam destination.

Example 7.9. Example spam info headers

X-Spam-Status: No, score=-1.54 tagged_above=-4 required=6.31 tests=[AWL=-0.723, BAYES_00=-2.599, HTML_80_90=0.146, HTML_FONT_SIZE_NONE=0.033, HTML_FONT_SIZE_TINY=0.533, HTML_FONT_TINY=0.964, HTML_IMAGE_RATIO_04=0.105, HTML_MESSAGE=0.001]
X-Spam-Score: -1.54
X-Spam-Level:

SPAM MARK level

If the spam score is greater than or equal to this level, the mail is marked as spam by tagging the subject line with *** SPAM *** and adding the X-Spam-Flag header.

Note

This level will not block the mail, regardless of what you defined as spam destination.

Example 7.10. Example spam info headers

X-Spam-Status: Yes, hits=12.4 tagged_above=-10.0 required=5.3 tests=BAYES_99,RCVD_HELO_IP_MISMATCH, RCVD_IN_XBL, RCVD_NUMERIC_HELO, SARE_FWDLOOK,SARE_MONEYTERMS, SARE_OEM_FAKE_YEAR
X-Spam-Level: ************
X-Spam-Flag: YES

Note

Users may use X-Spam-Flag: YES as search string for their mail client filter.

SPAM quarantine level

If the spam score is greater than or equal to this level, the spam evasive action which you selected as spam destination will be applied.

Note

This is the level which may delete spam mail if you selected to DISCARD spam mail.

Sendernotification only below level

If the spam score is greater than this level, no notification mails will be sent to the administrator.

SPAM subject

String to prepend to the Subject header field when a message exceeds the SPAM MARK level.
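How the tag, mark and quarantine levels act on the SpamAssassin score, as an added Python example that is not part of this guide or of the Endian code base: it parses the X-Spam-Status values of Examples 7.9 and 7.10 above and applies a constructed set of levels. The level values, the SpamLevels names and the assumption that administrator notifications accompany the quarantine action are mine, not Endian defaults.

```python
import re
from dataclasses import dataclass

# X-Spam-Status values taken from Example 7.9 and Example 7.10 on this page.
HEADER_7_9 = ("No, score=-1.54 tagged_above=-4 required=6.31 tests=[AWL=-0.723, "
              "BAYES_00=-2.599, HTML_80_90=0.146, HTML_MESSAGE=0.001]")
HEADER_7_10 = ("Yes, hits=12.4 tagged_above=-10.0 required=5.3 tests=BAYES_99,"
               "RCVD_HELO_IP_MISMATCH,RCVD_IN_XBL,RCVD_NUMERIC_HELO")


@dataclass(frozen=True)
class SpamLevels:
    """Constructed settings mirroring the antispam fields on this page.
    The numeric values are assumptions for the example, not Endian defaults."""
    tag_level: float = -4.0           # SPAM TAG level: add X-Spam-* info headers
    mark_level: float = 5.3           # SPAM MARK level: subject tag + X-Spam-Flag
    quarantine_level: float = 10.0    # SPAM quarantine level: apply spam destination
    notify_below_level: float = 15.0  # Sendernotification only below level
    subject_prefix: str = "*** SPAM ***"   # SPAM subject
    destination: str = "PASS"         # spam destination: DISCARD, BOUNCE or PASS


# amavisd-new writes "score=" in newer and "hits=" in older versions,
# as the two page examples show; accept both.
_SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")


def parse_spam_score(x_spam_status: str) -> float:
    """Extract the numeric SpamAssassin score from an X-Spam-Status value."""
    m = _SCORE_RE.search(x_spam_status)
    if m is None:
        raise ValueError("X-Spam-Status carries no score/hits field")
    return float(m.group(1))


def spam_level_bar(score: float) -> str:
    """X-Spam-Level is one '*' per whole point of positive score."""
    return "*" * max(0, int(score))


def classify(subject: str, x_spam_status: str, levels: SpamLevels) -> dict:
    """Apply the three levels in increasing order, as the page describes them.
    The result lists the headers to add, the (possibly tagged) subject and
    whether the configured spam destination is applied."""
    if levels.destination not in ("DISCARD", "BOUNCE", "PASS"):
        raise ValueError("unknown spam destination")
    score = parse_spam_score(x_spam_status)
    result = {"score": score, "headers": {}, "subject": subject,
              "action": "DELIVER", "notify_admin": False}
    if score >= levels.tag_level:
        # Tag level: informational headers only, never blocks.
        result["headers"]["X-Spam-Status"] = x_spam_status
        result["headers"]["X-Spam-Level"] = spam_level_bar(score)
    if score >= levels.mark_level:
        # Mark level: flag header plus subject tag, still never blocks.
        result["headers"]["X-Spam-Flag"] = "YES"
        result["subject"] = f"{levels.subject_prefix} {subject}"
    if score >= levels.quarantine_level:
        # Quarantine level: PASS still delivers; DISCARD and BOUNCE stop delivery.
        result["action"] = levels.destination
        # Assumption: admin notifications accompany the quarantine action and
        # are suppressed once the score exceeds the "only below" level.
        result["notify_admin"] = score <= levels.notify_below_level
    return result
```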

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Greylisting

Greylisting is a simple method of defending e-mail users against spam. In short, a mail transfer agent which uses greylisting will temporarily reject any e-mail from a sender it does not recognize. The sender will be delayed for the configured time. If the mail is legitimate, the originating server will try again to send it later; once the delay time has elapsed, the destination will accept it. Spammers normally will not retry sending temporarily rejected mails, since not retrying is more cost-effective for them. However, even spam sources which re-transmit later are more likely to be listed in DNSBLs and distributed signature systems such as pyzor.

Figure 7.50. Greylisting

greylisting activated

Tick this on if you want to enable greylisting.

delay(sec)

You can change the delay from 30 seconds up to a maximum of 3600 seconds (1 hour).

Whitelist recipient

With this you can whitelist an address or a complete domain (one entry per line).

Whitelist client

You can exclude a Mailserver address in order to bypass greylisting for this mail server (one entry per line).

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.
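The greylisting decision described above, as an added Python example that is not code from this guide or from Endian: it keys on the (client IP, envelope sender, envelope recipient) triplet, enforces the 30 to 3600 second delay range and honours the recipient and client whitelists. The triplet key, the SMTP reply strings and CIDR notation for whitelisted clients are assumptions of the example.

```python
import ipaddress
import time
from typing import Dict, Iterable, Optional, Tuple

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylister:
    """Greylisting decision engine for an SMTP front end. Keyed on the
    (client IP, envelope sender, envelope recipient) triplet; that key is an
    assumption of this example, the page does not state Endian's key."""

    def __init__(self, delay_sec: int = 30,
                 whitelist_recipients: Iterable[str] = (),
                 whitelist_clients: Iterable[str] = ()):
        # The page allows delays from 30 seconds up to 3600 (1 hour).
        if not 30 <= delay_sec <= 3600:
            raise ValueError("delay must be between 30 and 3600 seconds")
        self.delay = delay_sec
        # "Whitelist recipient": an address or a complete domain per line.
        self.wl_recipients = {r.strip().lower()
                              for r in whitelist_recipients if r.strip()}
        # "Whitelist client": mail server addresses; CIDR blocks are accepted
        # here (assumption) so a provider's whole relay range fits on one line.
        self.wl_clients = [ipaddress.ip_network(c.strip(), strict=False)
                           for c in whitelist_clients if c.strip()]
        # first-seen timestamp per triplet
        self.seen: Dict[Tuple[str, str, str], float] = {}

    def _recipient_whitelisted(self, recipient: str) -> bool:
        recipient = recipient.lower()
        domain = recipient.rpartition("@")[2]
        return recipient in self.wl_recipients or domain in self.wl_recipients

    def _client_whitelisted(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.wl_clients)

    def decide(self, client_ip: str, sender: str, recipient: str,
               now: Optional[float] = None) -> str:
        """Return the SMTP reply for a RCPT TO from this client/sender pair."""
        now = time.time() if now is None else now
        if self._recipient_whitelisted(recipient) or self._client_whitelisted(client_ip):
            return ACCEPT
        key = (client_ip, sender.lower(), recipient.lower())
        first_seen = self.seen.get(key)
        if first_seen is None:
            # Unknown triplet: remember it and ask the sender to retry.
            # A legitimate MTA will; most spam engines will not.
            self.seen[key] = now
            return TEMPFAIL
        if now - first_seen < self.delay:
            return TEMPFAIL     # retried too early, keep waiting
        return ACCEPT           # delay elapsed, the retry is accepted
```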

Banned File Extension

This allows you to block files with certain file extensions which may be attached to mails. Mails which contain such attachments will be recognized and the selected action will be performed on the respective mail.

Figure 7.51. banned files

Blocked File Extensions

You can select one or more file extensions. In order to select multiple files press the control key and select the desired entries with your mouse.

Note

File Extension Block must be enabled in the general settings.

Banned files destination

This allows you to define what should happen to e-mails containing files with banned extensions. The following possibilities do exist:

DISCARD

In this mode the e-mail will not be delivered to its recipients but deleted without sending a notification to the sender. If a quarantine for banned files is defined, a copy of the original e-mail will be sent or copied to that quarantine.

BOUNCE

In this mode the e-mail will not be delivered to its recipients but bounced back to the sender in the form of a delivery status notification (non-delivery notification). If a quarantine for banned files is defined, a copy of the original e-mail will be sent or copied to that quarantine.

Note

Normally it may be wise to use this variant, since senders then know what they are doing wrong.

REJECT

The e-mail will be rejected by the MTA. Basically this is the same as BOUNCE. (removed in version 2.1)

PASS

Mail will pass to its recipients, regardless of bad content.

Banned files quarantine

Location to put mail with banned files into. The following possibilities are valid:

leave empty

Disables the quarantine

spam-quarantine

Set this if you would like to store bad mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no possibility to control and manage the quarantine if you use this possibility.

any email address

You can specify any valid e-mail address, to which bad mail will be forwarded. With this variant you can forward all bad mail to a POP3 or an IMAP account where you may manage it easily.

Note

The e-mail address must contain a @.

Admin notification

Gives you the possibility to specify a (fully qualified) administrator e-mail address where notifications about bad attachments should be sent. (Default is empty)

Block double extension:

Tick this if you want to block attachments which have one of the following double extensions.

filename.XXX.exe
filename.XXX.vbs
filename.XXX.pif
filename.XXX.scr
filename.XXX.bat
filename.XXX.cmd
filename.XXX.com
filename.XXX.dll

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Blacklists/Whitelists

An often used method to block certain types of spam e-mail are so-called real-time blacklists (RBL). These have been created by many different organisations and are managed, administered and kept up to date by them. If a domain or a sender IP address is listed in one of those blacklists, the mail is refused promptly, without the need or the possibility to gather more information about it. This saves more bandwidth than the RBL checks of the antispam module, since the mail is not accepted and then processed, but refused as soon as a listed IP address is recognized.

This dialogue also gives you the possibility to explicitly block (blacklist) or explicitly allow (whitelist) certain senders, recipients, IP addresses or networks.

Real-time Spam Black Lists (RBL)

A DNS-based Blackhole List (DNSBL, Real-time Blackhole List or RBL), is a published list of IP addresses, in a format that can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name System. DNSBLs are chiefly used to publish lists of addresses linked to spamming.

Warning

It may happen that IP addresses have been wrongly listed by the RBL operator. If this should happen, it may negatively impact your communication, to the effect that mail will be refused without the possibility to recover it. You also have no direct influence on the RBLs.
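How a DNSBL query is formed and answered, as an added Python example that is not from this guide or from Endian: the client IP's octets are reversed and prefixed to the list's zone, and an A record in 127.0.0.0/8 means the address is listed. The zone names are the page's default lists; the resolver callback, the 127/8 sanity check and the sample addresses (documentation ranges) are assumptions of the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# The default lists shown on this page.
DEFAULT_RBLS = ("bl.spamcop.net", "sbl-xbl.spamhaus.org",
                "cbl.abuseat.org", "dul.dnsbl.sorbs.net")

# DNSBLs answer with an A record in 127.0.0.0/8 for listed addresses.
# Anything else is treated as "not listed", so a parked or wildcard zone
# cannot silently reject all mail (assumption: a defensive check of this
# example, not a description of Endian's logic).
_LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the lookup name: reverse the octets and append the zone, so
    192.0.2.10 checked against bl.example becomes 10.2.0.192.bl.example."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Real lookup: the A record for name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_client(client_ip: str,
                 zones: Iterable[str] = DEFAULT_RBLS,
                 resolve: Callable[[str], Optional[str]] = resolve_a) -> List[str]:
    """Return the zones that list the connecting client. An SMTP proxy
    would refuse the connection as soon as the first hit is found."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if answer is None:
            continue
        try:
            if ipaddress.ip_address(answer) in _LISTED_RANGE:
                hits.append(zone)
        except ValueError:
            continue      # not an IP literal: ignore the answer
    return hits


# Constructed offline resolver for demonstration: pretends that 192.0.2.10
# (a documentation address) is listed by two zones and that a third zone
# returns a bogus non-127/8 answer.
_FAKE_ZONE_DATA = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "10.2.0.192.cbl.abuseat.org": "127.0.0.2",
    "10.2.0.192.dul.dnsbl.sorbs.net": "198.51.100.1",
}


def fake_resolve(name: str) -> Optional[str]:
    return _FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    print(check_client("192.0.2.10", resolve=fake_resolve))
```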

Figure 7.52. Real-time Black Lists

bl.spamcop.net

RBL based on user submissions (www.spamcop.net).

sbl-xbl.spamhaus.org

The SBL is a realtime database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help e-mail administrators to better manage incoming e-mail streams.

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits (www.spamhaus.org).

cbl.abuseat.org

The CBL takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.

The CBL does NOT list open SMTP relays (cbl.abuseat.org).

dul.dnsbl.sorbs.net

This contains a list of Dynamic IP Address ranges (www.au.sorbs.net).

list.dsbl.org

DSBL is the Distributed Sender Blackhole List. It publishes the IP addresses of hosts which have sent special test e-mail to [email protected] or another listing address. The main delivery mechanism of spammers is the abuse of non-secure servers. For this reason, many people want to know which servers are non-secure so they can refuse e-mail from these servers. DSBL is intended as a place to publish whether a server is non-secure (www.dsbl.org).

relays.ordb.org

ORDB.org is the Open Relay Database. ORDB.org is a non-profit organisation which stores the IP addresses of verified open SMTP relays. These relays are, or are likely to be, used as conduits for sending unsolicited bulk e-mail, also known as spam. By accessing this list, system administrators can choose to accept or deny e-mail exchange with servers at these addresses (www.ordb.org).

opm.blitzed.org

OPM is designed to list IPs confirmed to be running insecure proxies. These can be present because of misconfiguration of legitimately-installed software, or they can be due to the installation of trojans, viruses and other malware. OPM differs from other open proxy DNSBLs in that it tries not to proxy test remote hosts unless they are implicated in reports of abuse, and it aggressively expires old IPs, especially those known to be used for dynamic leases, such as dialup customers.

opm.blitzed.org does NOT list open SMTP relays (wiki.blitzed.org/OPM). (This list has been removed in version 2.1)

dsn.rfc-ignorant.org

dsn.rfc-ignorant.org is a list which contains domains or IP networks whose administrators choose not to obey the RFCs, the building block “rules” of the net (www.rfc-ignorant.org).

blackhole.securitysage.com

This list is comparable to the dsn.rfc-ignorant.org list - it contains a list of domain names (as opposed to IP addresses) that can be checked against the client domain of an email, as well as the domain portion (after the @) of the sender and recipient addresses. (www.securitysage.com). (New in version 2.1)

save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Note

advanced users can modify the list by editing the file /var/efw/smtpd/default/RBL.

Custom black/whitelists

You have full control and can blacklist or whitelist specific senders, recipients or clients.

Figure 7.53. black/whitelists

Sender Whitelist/Blacklist

There are multiple ways to deny (blacklist) or allow (whitelist) a sender or domain (one per line).

The addresses in these listings will be compared to the senders' e-mail address of each incoming mail.

Domain (with subdomains)

Allow or deny a complete domain with all its subdomains.

Example 7.11. Allow or deny a complete domain

endian.it

sub.example.com

This will cover each e-mail address under both domains and their subdomains, like [email protected].

Subdomains

Allow or deny only the subdomains of the specified domain. In order to achieve this, add a leading dot to the domain name.

Example 7.12. Allow or deny only the subdomains of a domain

.endian.it

.sub.example.com

This will cover each e-mail address under each subdomain of both domains. For instance it will include [email protected] but exclude [email protected].

Address

Allow or deny a single fully qualified e-mail address or any e-mail address having the specified user part.

Example 7.13. Allow or deny single email addresses or user names.

[email protected]

postmaster@

abuse@

This will cover the single e-mail address [email protected] of course, and each e-mail address with postmaster or abuse as user part, like [email protected].

Recipient Whitelist/Blacklist

There are multiple ways to deny or allow a single recipient or domain (one per line).

The addresses in these listings will be compared with the recipient's e-mail address of each incoming mail.

Domain (with subdomains)

Allow or deny a complete domain with all its subdomains.

Example 7.14. Allow or deny a complete domain

endian.it

sub.example.com

This will cover each e-mail address under both domains and their subdomains, like [email protected].

Subdomains

Allow or deny only the subdomains of the specified domain. In order to achieve this, add a leading dot to the domain name.

Example 7.15. Allow or deny only the subdomains of a domain

.endian.it

.sub.example.com

This will cover each e-mail address under each subdomain of both domains. For instance it will include [email protected] but exclude [email protected].

Address

Allow or deny a single fully qualified e-mail address or any e-mail address having the specified user part.

Example 7.16. Allow or deny single email addresses or user names.

[email protected]

postmaster@

abuse@

This will cover the single email address [email protected] of course, and each email address with postmaster or abuse as user part, like [email protected].

Warning

If the SMTP proxy runs in transparent mode, each IP address of subnets known to the Endian Firewall will be allowed automatically. Therefore it is not possible to blacklist a recipient which has one of those ip addresses.

Client Whitelist/Blacklist

You can also block or allow a single IP address or subnet from which mail will be sent (one per line).

Example 7.17. Allow or deny ip block.

80.190.233.143

80.190.233.0/24

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Note

The whitelist overrides the blacklists. You can blacklist a whole subnet and then whitelist a single address.
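The matching rules of Examples 7.11 to 7.17, as an added Python example that is not code from this guide or from the Endian project: domain with subdomains, leading-dot subdomain-only, full address, user-part-only and client IP or CIDR entries, with a whitelist hit overriding every blacklist as the note above says. The function names, the list-key names and the DEFAULT result for unmatched mail are assumptions of the example.

```python
import ipaddress


def address_matches(entry: str, address: str) -> bool:
    """Match one list line against one e-mail address, using the forms the
    page describes: domain (with subdomains), .domain (subdomains only),
    user@domain (exact address) and user@ (that user part at any domain)."""
    entry = entry.strip().lower()
    address = address.strip().lower()
    local, _, domain = address.partition("@")
    if "@" in entry:
        user, _, entry_domain = entry.partition("@")
        if entry_domain == "":            # "postmaster@": compare the user part only
            return local == user
        return address == entry           # fully qualified address
    if entry.startswith("."):             # ".sub.example.com": subdomains only
        return domain.endswith(entry)
    # "endian.it": the domain itself and everything below it
    return domain == entry or domain.endswith("." + entry)


def client_matches(entry: str, client_ip: str) -> bool:
    """Match a single IP or a CIDR block against the connecting client."""
    network = ipaddress.ip_network(entry.strip(), strict=False)
    return ipaddress.ip_address(client_ip) in network


def policy(sender: str, recipient: str, client_ip: str, lists: dict) -> str:
    """Combine the six lists. Keys: sender_wl, sender_bl, recipient_wl,
    recipient_bl, client_wl, client_bl; a missing key is an empty list.
    A whitelist hit wins over any blacklist entry, as the page notes."""
    checks = (("sender", sender, address_matches),
              ("recipient", recipient, address_matches),
              ("client", client_ip, client_matches))

    def hit(kind: str) -> bool:
        return any(match(entry, value)
                   for name, value, match in checks
                   for entry in lists.get(f"{name}_{kind}", ())
                   if entry.strip())

    if hit("wl"):
        return "ACCEPT"
    if hit("bl"):
        return "REJECT"
    return "DEFAULT"    # fall through to the SMTP proxy's other checks
```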

Domains

If you have enabled incoming mail and would like to forward that mail to a mail server behind the Endian Firewall - usually set up in the GREEN or ORANGE zone - you need to declare the domains which will be accepted by the SMTP proxy and to which of your mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind Endian Firewall for different domains. It is also easily possible to use Endian Firewall as a backup MX.

Figure 7.54. Domains

Note

Incoming mail must be enabled to activate this functionality.

BCC

Enable this if you would like to have a copy of certain mails that go through the SMTP proxy, be it to a certain recipient or from a certain sender. Specify whether the e-mail should be checked for a recipient or a sender address. Then type that e-mail address into the Mail address field and finally add the address that should get the copy in the BCC (Blind Carbon Copy) address field.

Figure 7.55. BCC

Note

The sender and the recipient of the e-mail will not know that their messages have been copied unless you tell them.

Warning

In most countries of this planet it is highly illegal to read other people's private messages. Do not abuse this feature.

Advanced settings

This section covers advanced settings of the SMTP proxy.

Smarthost

If you have a dynamic IP address because you are using an ISDN or ADSL dialup internet connection, you will get problems sending mails to other mail servers. More and more mail servers compare DNS with its reverse DNS, while other mail servers check whether your IP address is listed as a dynamic IP address and refuse to accept your e-mail. Therefore it may be necessary to use a smarthost for sending e-mails.

A smarthost is a mail server which your SMTP proxy uses as its outgoing SMTP server. The smarthost needs to accept your e-mail and relay it for you. Normally you may use your provider's SMTP server as smarthost, since it will accept to relay your e-mails while other mail servers may not.

Figure 7.56. Smarthost

Smarthost enabled for delivery

Tick this on to send all outgoing mail through the smarthost.

Address of Smarthost

Outgoing mailserver for final delivery.

Note

Normally you may use your provider's SMTP server as smarthost, since it will accept to relay your mails while other mail servers may not.

Authentication required

Some mail servers require authentication. Tick this on if your mail server requires authentication.

Username

Username to use for the authentication.

Password

Password to use for the authentication.

Authentication method

Choose the authentication method for your smarthost. Supported types are PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5.

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

IMAP Server for SMTP Authentication

The SMTP Proxy can query a remote IMAP Server to authenticate users. This way it is possible to use the SMTP Proxy from remote with the authentication relayed to any external domain.

Figure 7.57. IMAP Server for SMTP Authentication

Authentication enabled

Tick this on to enable the remote authentication.

IMAP Server

Address of the remote IMAP Server.

Number authentication daemons

If you have many concurrent users you can increase the number of authentication daemons (default 5).

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Advanced settings

There are even more advanced configuration possibilities for the SMTP proxy. You may change the maximal size of a single e-mail, change the language of SMTP proxy mails, or make the mail server more restrictive and strictly RFC compliant in order to fight spam.

Figure 7.58. Advanced Settings

Smtpd helo required

If this is enabled the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session (default enabled).

Note

Enabling this will stop some UCE malware.

Reject invalid hostname

Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname (default enabled).

Reject non fqdn sender

Reject the connecting client when the hostname supplied within the client HELO or EHLO command is not a fully-qualified domain name, as required by the RFC (default enabled).

Reject non fqdn recipient

Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.

Reject unknown sender domain

Reject the connected client when the sender mail address has no DNS A or MX record (default enabled).

Reject unknown recipient domain

Reject the connected client when the recipient mail address has no DNS A or MX record (default enabled).

SMTP Helo Name

The hostname to send with the SMTP EHLO or HELO command. The default value is the IP of RED. Specify a hostname or IP address.

Always BCC Address

Optional address that receives a blind carbon copy of each message that is received by the SMTP proxy system.

Note

If the e-mail to the BCC address bounces it will be returned to the sender.

Smtpd hard error limit

The maximal number of errors a remote SMTP client is allowed to make without delivering mail. The SMTP Proxy server disconnects when the limit is exceeded (default 20).

Language E-Mail Templates

Allows you to specify the language of the error messages (default English).

Maximal E-Mail size

The maximal allowed size (in MBytes) a message can have (default 10MB).

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

This page was last modified on: $Date: 2006-11-23 19:30:06 +0100 (Thu, 23 Nov 2006) $.

Chapter 8. VPN Menu


Table of Contents

Introduction

Virtual Private Networks (VPNs)

Net-to-Net (Gateway-to-Gateway)

Host-to-Net (Roadwarrior)

OpenVPN

OpenVPN Web Interface

OpenVPN Server

Openvpn Net2Net client

Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)

Configuration of an OpenVPN client on the roadwarrior side

IPSec

Methods of Authentication

Pre-shared Key

X.509 Certificates

Global Settings

Connection Status and Control

Certificate Authorities

Generate Root/Host Certificates

Upload a CA certificate

Reset configuration

Add a new connection

Connection Type

Authentication


Introduction

Figure 8.1. VPN menu selected


Virtual Private Networks (VPNs)


Virtual Private Networks or VPNs allow two networks to connect directly to each other over another network such as the Internet. All data is transmitted securely over an encrypted tunnel, hidden from prying eyes. Similarly, a single computer can also connect to another network using the same facilities. In Endian Firewall both OpenVPN and IPSec protocols are used to create VPNs.

Endian Firewall can easily establish VPNs to other Endian Firewalls. EFW can also interoperate with just about any VPN product that supports OpenVPN, IPSec and standard encryption technologies such as 3DES. VPN connections in Endian Firewall are defined as Net-to-Net or Host-to-Net. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

Most modern operating systems have support for IPSec. This includes Windows, Macintosh OSX, Linux and most Unix variants. Unfortunately, the tools needed to provide this support vary greatly and may be difficult to set up. OpenVPN setup is way easier than IPSec. It runs on Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.

In the commercial version of Endian Firewall a user friendly OpenVPN client for Windows, Linux and MacOSX is available.

Net-to-Net (Gateway-to-Gateway)

Figure 8.2. Figure of a Net-to-Net VPN

Net-to-net (or gateway-to-gateway) VPNs link two or more private networks across the Internet by creating an encrypted “tunnel”. In a net-to-net VPN, at least one of the networks involved must be connected to the Internet with an Endian Firewall. The other network(s) can be connected to an Endian Firewall or another IPSec or OpenVPN enabled router or firewall. These router/firewalls have public IP addresses assigned by an ISP and are most likely using Network Address Translation (NAT), hence the term Net-to-Net.

If desired, a VPN can be created between wireless machines on your BLUE network and Endian Firewall. This ensures that traffic on your BLUE network cannot be intercepted with wireless sniffers.

Host-to-Net (Roadwarrior)


We are speaking of a Host-to-Net connection when Endian Firewall is on one end of the VPN tunnel and a remote or mobile user is on the other end. The mobile user is most likely to be a laptop user with a dynamic public IP address assigned by an ISP, hence the terms Host-to-Net or Roadwarrior.

Figure 8.3. Figure of a Host-to-Net VPN


OpenVPN


OpenVPN is an SSL/TLS based virtual private network solution. It uses the industry standard SSL/TLS protocol to create the encrypted tunnel, which can transmit packets of OSI layer 2 or 3. Take care not to confuse OpenVPN with what many vendors call SSL VPN. Most of those only claim to be real SSL VPNs; in fact they are just application level gateways that tunnel the application streams of certain services through an encrypted channel without implementing a whole VPN, which is a site-to-site tunnel. As a real SSL VPN, OpenVPN can tunnel all your traffic from OSI layer 2 upwards, so even ARP traffic can be transmitted to the remote endpoint.

The main advantage of this type of VPN is its ease of use. Since OpenVPN is an application on both sides of the tunnel, it runs in user space instead of kernel space. Therefore it needs no modifications of the kernel, and it also minimizes the probability of a catastrophic failure, which is certainly higher for software that runs in kernel space. This makes the whole thing a lot easier to introduce into a network. In fact, wherever you manage to establish a normal TCP or UDP connection, like from a browser to a server, you can use OpenVPN. There is no need for NAT traversal or the like. We strongly encourage you to use OpenVPN instead of IPSec if you can choose. The only argument that comes to our mind for using IPSec is interoperability with other vendors.

Figure 8.4. Figure of a VPN using OpenVPN as mixed VPN combining a Host-to-Net VPN (the Roadwarrior) and Net-to-Net VPNs in a hub-and-spoke topology

Endian Firewall implements both an OpenVPN server and an OpenVPN client. The administration interface is divided into two main parts, Openvpn Server and Openvpn Net2Net client. Basically the OpenVPN server opens a virtual interface (the interface name begins with tap) whose function is to send bits to the OpenVPN server instead of to the wire. The tap interface is joined with the GREEN bridge, so each connected client is, from the point of view of the other machines behind GREEN, also directly part of the GREEN network. For the OpenVPN server it makes no difference at all whether the client connects a whole net (Net-to-Net) or is just a roadwarrior (Net-to-Host), and it makes no difference whether one, two or many clients are connected.


Another advantage compared to IPSec is that the OpenVPN server acts like a switch (hub-and-spoke). Communication between the VPN endpoints is possible, and communication between the connected OpenVPN clients is kept within the tunnel and always goes through the server process. It does not need to leave the tap interface on the server side and therefore does not need to be decrypted and then re-encrypted on the server.

OpenVPN Web Interface

As mentioned before, the OpenVPN web interface is split into two parts, the Openvpn Server and the Openvpn Net2Net client menu, which you can select at the top of the page as a submenu of Virtual Private Networking. If you want to create a simple tunnel from one EFW to another, simply choose one side as server and configure it through the OpenVPN server page. The other side acts as a client and is configured on the client page. On the client's side there is certainly no need to start the server. If one side has a dynamic IP address, use that one as the client, since the client establishes the connection and may reconnect if the IP address changes. If you have NAT between the endpoints on the client's side, there is no problem at all. If you have NAT on the server side, simply forward UDP port 1194 to the EFW.

OpenVPN Server

The following describes the OpenVPN Server admin interface which you can find by clicking on the OpenVPN Server tab on top of the page.

Global Settings

Figure 8.5. Global Settings

This box contains common configuration for the OpenVPN server.

OpenVPN Server enabled


Tick this if you want to enable the OpenVPN server on this machine.

IP Pool

Fill in the start and end IP address of an IP range from the GREEN network that you want to assign to the OpenVPN clients connecting to this server. Note that with a Net-to-Net topology, only the remote EFW will get an IP from this range, not the workstations behind it.

Port

This is the port on which the OpenVPN Server will listen for incoming requests.

Protocol

This option allows you to change your protocol from UDP to TCP.

Warning

Do not select TCP as protocol, unless you know exactly what you are doing!

Block DHCP responses coming from tunnel

Since the virtual tap device of the OpenVPN server is joined with the GREEN bridge, broadcast packets of your GREEN zone will pass through the tunnel. This includes DHCP requests from your workstations. If the client on the other side is in bridged mode and the remote side has a DHCP server running, DHCP responses will return from it. This may cause problems: if you do not want the remote DHCP server to assign IP addresses to your local workstations within GREEN, tick this option to block the responses.

Note

Pay attention, this will not block the DHCP responses which come from your local DHCP and go to the remote network! You need to block them on the remote side.

CA Certificate

This is the text representation of your Certification Authority Certificate. This is needed on every OpenVPN client that wants to connect to your OpenVPN server.

Download CA Certificate

By clicking this link you can download the CA Certificate which is needed by each OpenVPN client in order to be able to connect to your OpenVPN server.

Users which are allowed to connect to openvpn

Figure 8.6. Users which are allowed to connect to openvpn


Below the global settings box you can manage the accounts that are allowed to connect to the OpenVPN server.

All known users will be listed within a table. Each line has the following action icons which will apply for the respective user:

Configure Networks

When clicking this button you will be redirected to a new window where you can administer this user's network settings.

Enabled icon

If this appears as a ticked checkbox, the user is enabled and can connect. Click on it to disable or enable the user. Note that disabling an already connected user does not kick it; it just refuses reconnection.

Trash can icon

Click on it to remove the account.

Pencil icon

Click on it to edit the respective account. This will open a new page which will be described later in Add Account.

Below, you will find a single button, Add Account, which allows you to add a new account. This button will open a new page which will be described later in the Add Account section.

Add Account

Figure 8.7. Add Account


If you create a new account, you find the following configuration fields:

Username

Fill in the username to be created.

Password

Choose a password for the new account.

Verify Password

Fill in the same password as above. This is only for verification purposes in order to ensure that you typed the password correctly.

Remote network

This is not needed if the remote client that connects with this new account is in bridged mode. Otherwise you need to specify the network address of the remote GREEN network in order to let the Endian Firewall create correct routing entries on both sides.

Remote Network Mask

Fill in the netmask of the remote client if it is configured to be in routing mode.


use this firewall as default gateway

Tick this if you would like the remote client to create routing entries that redirect all the traffic of the remote side through the VPN tunnel to your EFW, where it can then leave through the RED interface. You normally want this on roadwarriors in order to enforce security policies; otherwise the remote side certainly has its own internet connection, and a possible intruder may come in through the VPN and compromise the local GREEN network. Basically this option does the following on the remote side:

1. Creates a host route which sends all traffic with our RED IP address as destination to the IP address which is used as default gateway.

2. Removes the default route entry.

3. Creates a new default route entry with our GREEN IP address as gateway.

push route to blue zone

This option will grant the new user access to your BLUE zone.

Note

This option is only available if you have configured your BLUE zone.

push route to orange zone

This option will grant the new user access to your ORANGE zone.

Note

This option is only available if you have configured your ORANGE zone.

Connection status and control

The following is below the box Users which are allowed to connect to openvpn and shows you all currently connected users.

Figure 8.8. Connection status and control

The table shows you the following information:

User


The name of the user that is connected to the server.

Assigned IP

The IP address which has been assigned to the client by the server. This IP address belongs to the GREEN IP range configured above.

Real IP

The real public IP address of the connected client.

RX

The data volume that has been received through this tunnel.

TX

The data volume that has been transmitted through this tunnel.

Connected since

The timestamp when the client has connected.

Uptime

The amount of time the respective client has already been connected.

The following actions can be performed on each connected user:

Kill

Kills the connection immediately. The user can reconnect, and this will happen automatically, since the openvpn client on the remote side reconnects as soon as it notices the disconnect, which can take up to a couple of minutes.

Ban

Bans the user. In fact this deactivates and then kicks the user in sequence. The user cannot reconnect.

Openvpn Net2Net client

This section describes the configuration of the OpenVPN client shipped with Endian Firewall. With this client, you can have the Endian Firewall connect to a remote OpenVPN server. Normally you will use this if you would like to create a Net-to-Net connection to another EFW. A client configuration needs the following information to be able to successfully connect to a remote OpenVPN server:

o Username

o Password

o CA Certificate of the remote server.


You will get the CA certificate from the server if you click the Download CA Certificate link on the Openvpn Server configuration page, on the remote Endian Firewall of course. This adds an additional piece of random information that one must have. In this manner it is not possible for attackers to connect to the VPN by only gathering the username and the password; they also need the certificate in order to be able to connect.

VPN tunnel and control

This page lists status reports for the configured tunnels. You will notice that this page reloads every five seconds in order to update the status display if the status of some clients changes.

Figure 8.9. VPN tunnel and control

The following describes the displayed configuration items of each client and your possible actions:

Status

Displays the connection status of the respective tunnel. The following values exist:

closed

The tunnel is closed. There is no connection to the remote host.

established

The tunnel to the remote host is established and working.

connecting...

The client is currently trying to connect to the remote host.

resolve error

The client could not resolve the remote's hostname. Probably the hostname does not exist or you have a problem with your DNS resolver.


invalid ca cert

The CA certificate is invalid. Maybe you supplied the wrong certificate. Another possibility could be that the date on your host is wrong, so that the certificate is not yet valid.

authentication failed

The client could not authenticate to the remote host. You may have supplied the wrong username or password.

Remote Address

The remote host to which the client should connect.

Options

Displays configuration options if they are set. Possible values are:

bridged

The client is in bridged mode.

drop DHCP

The client blocks DHCP responses coming from the tunnel.

Remark

Optional connection description.

Action

To edit an existing tunnel, click on its pencil icon. The VPN tunnel values will be displayed in the add vpn tunnel settings section of the page.

To remove an existing tunnel, click on its trash can icon. You will be asked if you really want to remove the tunnel, and if you choose Yes, the tunnel configuration will be removed.

To enable or disable a tunnel, click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a tunnel is disabled. Click on the checkbox to enable it again.

Below you find a single button Add tunnel configuration, which allows you to create a new client configuration in order to connect to a remote Endian firewall or another sort of OpenVPN server.

Add a VPN tunnel

If you push the button Add tunnel configuration you will reach this page.

Figure 8.10. Add a VPN tunnel


In order to create a new tunnel configuration you need to provide the following information:

Connect to

IP address or public host name (FQDN) of the remote Endian Firewall (or other OpenVPN server).

Username and Password

Username and password of the OpenVPN account created on the remote host.

Bridged/routed

The OpenVPN client can run in either routed or bridged mode. The difference is the OSI layer at which the client acts. If you specify bridged mode, the client's virtual tap device will be joined to the bridge of the GREEN zone (br0). As a member of the bridge, all traffic created within the GREEN network will also be passed through the tunnel to the remote side. This includes ARP traffic and other protocols below TCP. In this manner the tunnel acts like a switch port. You can use this, for example, if you need to be able to browse the remote side's Microsoft Windows servers. In order to access hosts on the remote side you must use the same GREEN network address on both sides, since in fact those two GREEN networks will really be part of the same physical network.

Note

But pay attention, this option does not scale well and sends much unneeded traffic through the tunnel! Use it only if you really need it.

With routed mode the client's tap device will remain alone and will not be joined to the GREEN bridge. The device will obtain an IP address assigned by the remote OpenVPN server, which selects it from its configured IP pool. The two GREEN zones are split and the two networks will be routed. This all happens within a higher OSI layer. In order to make this work, you need to have different GREEN network addresses, since the two networks in this mode are not the same and need to be distinguishable. You also need to specify your local GREEN network and network mask on the remote OpenVPN server in order to let the client set the needed routes.

block DHCP responses coming from the tunnel

If you selected routed mode, this option is not relevant. If you have selected bridged mode, the virtual tap device of the OpenVPN client is joined to the GREEN bridge, so broadcast packets of your GREEN zone will pass through the tunnel. This includes DHCP requests from your workstations. Since the server on the other side is also part of this GREEN bridge, DHCP responses will return from it if the remote side runs a DHCP server. This may cause problems if you do not want the remote DHCP server to assign IP addresses to your local workstations in the GREEN zone. Tick this option if you would like to block these responses.

Note

Pay attention, this will not block the DHCP responses which come from your local DHCP and go to the remote network! You need to block them on the remote side.

Remark

An optional connection description.

CA certificate

Endian Firewall OpenVPN server CA certificate. You get this certificate by pressing the Download CA Certificate link on the remote OpenVPN server configuration page.

CA certificate

You can paste your CA certificate content (text) in this box or...

upload CA file

...you can upload the CA certificate file.

Save

Click "save" to add your configuration.

Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)

Situation: you have three branch offices with three Endian Firewalls and you need to connect the offices into a single network in a star topology (hub-and-spoke) with encrypted tunnels.

Note

The clocks on either end of the EFW VPN tunnel should be up to date before configuring a VPN, otherwise the connection may not be established if the CA certificate is not yet valid because of a wrong clock.


Configure Endian Firewall OpenVPN server

One of the three Endian Firewalls must act as OpenVPN server (the hub):

1. Go to the OpenVPN server section (VPN > Openvpn Server)

Figure 8.11. Openvpn Server

2. Set an IP address range which will be used to assign an internal (GREEN) IP address to the other two Endian Firewalls.

3. Tick on the Enabled box.

4. Now add 2 users, office1 and office2 (one for each Endian Firewall that will be connected to our Endian Firewall OpenVPN server), by pressing the Add Account button in the Users which are allowed to connect to openvpn section.

Figure 8.12. Users which are allowed to connect to openvpn

5. Fill in the information in the add new user form items. In this case we assume that it is enough to use routed mode. You need to specify the GREEN network address and network mask of the respective branch office. (office1 and office2). If you want the new user to be able to connect to your BLUE or ORANGE zone you have to tick the respective push route to blue/orange zone checkbox.


Figure 8.13. Add a new user

6. Repeat steps 4 and 5 for the second user.

Figure 8.14. List of allowed users

7. Ok. The Endian Firewall in office0 is ready to receive VPN connections from the other offices.

8. Download the CA certificate file by clicking the link Download CA Certificate. You will need this file on both other Firewalls.

Warning

Pay attention to keep this file private.

Figure 8.15. Openvpn Server CA Certificate


Configure the Endian Firewall OpenVPN Net2Net client

Now we have to configure the Endian Firewall of office1 and office2.

1. Go to the office1 Endian Firewall web interface, to the Openvpn Net2Net client section (VPN > Openvpn Net2Net client).

Figure 8.16. Configure Office 1 Endian Firewall

2. Click the button add tunnel configuration.

Figure 8.17. Add Office 0 tunnel


Supply the following information:

o Connect to: insert the office0 Endian Firewall RED interface IP address, or the fully qualified host name (e.g. office0.endian.it)

o Username: the username created on the office0 Endian Firewall (see "Configure Endian Firewall OpenVPN server", points 4 and 5) (in this case: office1)

o Password: the password for the user

o Routed: in this case it probably would be better to choose routed.

o Remark: insert a connection description (optional)

o Upload CA file: click on the Browse button and choose the file which you saved before within step 8.

3. Click on the Save button.

4. Repeat steps 1 to 4 for the office2 Endian Firewall.

5. If all is ok, the page VPN > OpenVPN Server > Openvpn Net2Net client on your office1 and office2 firewall should show you this:

Figure 8.18. Connected to Office 0 tunnel

and the office0 Endian Firewall should show you the following on the VPN > OpenVPN Server page:

Figure 8.19. Connected Office 1 and 2 clients


With this configuration your workstations in the office1 and office2 nets should be able to reach the GREEN network of your office0.

Configuration of an OpenVPN client on the roadwarrior side

In order to connect to the Endian Firewall OpenVPN server you can choose from a list of free projects that implement an openvpn client with a graphical user interface. One can be found on Mathias Sundman's OpenVPN GUI site. You can also download openvpn from the OpenVPN Homepage, which provides the source code package and a packaged Microsoft Windows Installer. Each major Linux distribution should have its own package of it, and it has also been ported to other Unix derivatives.

Tip

Endian Firewall Enterprise Edition has a Linux package as well as a Windows package of the OpenVPN client available for download in the VPN > OpenVPN > Download section.

Next you need a valid and, most notably, Endian Firewall compatible configuration file. The OpenVPN server on the Endian Firewall:

o runs as server of course, so your openvpn installation must act as client (--client) in order to successfully establish a connection.

o listens on the standard port 1194 (--port 1194).

o uses the UDP protocol (--proto udp).

o encapsulates ethernet 802.3, therefore uses tap devices (--dev tap).

o uses static key mode (--auth-user-pass).

o uses fast LZO compression (--comp-lzo).

Example 8.1. An example command line to start openvpn on your roadwarrior

openvpn --client --pull --comp-lzo --nobind --dev tap --ca /path/to-the-ca-certificate.pem --auth-user-pass --remote your.remote.efw

Example 8.2. An example configuration file for openvpn on your roadwarrior

client
dev tap
proto udp
remote your.remote.efw
resolv-retry infinite
nobind
persist-key
persist-tun
ca path-to-the-ca-certificate.pem
auth-user-pass
comp-lzo

Note

Download the CA certificate using the appropriate link on the OpenVPN server configuration page and copy the certificate file to the location to which you point with the --ca parameter.
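The requirements listed above are easy to get wrong by hand; a tun device or TCP on the client side is enough to keep the tunnel from coming up. The following Python script is an added example, not part of the guide or of OpenVPN itself: it parses a client configuration given either as a config file (inline blocks such as <ca> ... </ca> are recognised) or as a command line in the form of Example 8.1, and reports every directive that does not match the Endian Firewall server as described. The port is taken from --port or from the second argument of --remote, with OpenVPN's defaults (UDP, 1194) assumed when a directive is absent. The two good inputs are Examples 8.1 and 8.2; the mismatching configuration at the end is constructed for the example.

```python
import shlex
from typing import Dict, List

Directives = Dict[str, List[str]]


def parse_config_file(text: str) -> Directives:
    """Map each directive to its arguments.  '#' and ';' start comments, a
    repeated directive keeps its last value, and inline blocks such as
    <ca> ... </ca> are recorded as present without their contents."""
    directives: Directives = {}
    inline = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if inline:                              # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives[inline] = ["<inline>"]
        elif line:
            name, *args = shlex.split(line)
            directives[name] = args
    return directives


def parse_command_line(cmdline: str) -> Directives:
    """Same structure from 'openvpn --client --dev tap ...': each '--name'
    opens a directive that collects the tokens up to the next '--name'."""
    directives: Directives = {}
    current = None
    for tok in shlex.split(cmdline)[1:]:        # [0] is the program name
        if tok.startswith("--"):
            current = tok[2:]
            directives[current] = []
        elif current is not None:
            directives[current].append(tok)
    return directives


# What openvpn assumes when the directive is absent.
DEFAULTS: Directives = {"proto": ["udp"], "port": ["1194"]}

# (directive, predicate on its arguments, what the EFW server expects)
CHECKS = [
    ("client", lambda a: True, "client mode (--client)"),
    ("dev", lambda a: bool(a) and a[0].startswith("tap"), "a tap device (--dev tap)"),
    ("proto", lambda a: bool(a) and a[0].startswith("udp"), "UDP transport (--proto udp)"),
    ("auth-user-pass", lambda a: True, "username/password authentication (--auth-user-pass)"),
    ("comp-lzo", lambda a: True, "LZO compression (--comp-lzo)"),
    ("ca", lambda a: len(a) == 1, "the server's CA certificate (--ca file)"),
    ("remote", lambda a: len(a) >= 1, "the server address (--remote host)"),
]


def check_efw_compatibility(directives: Directives) -> List[str]:
    """One line per mismatch with the server described above; empty means OK."""
    effective = {**DEFAULTS, **directives}
    problems = []
    for name, ok, expected in CHECKS:
        if name not in effective:
            problems.append(f"missing {expected}")
        elif not ok(effective[name]):
            given = " ".join([name] + effective[name])
            problems.append(f"expected {expected}, found '{given}'")
    # The port can come from '--port N' or from the second '--remote' argument.
    remote = effective.get("remote", [])
    port = remote[1] if len(remote) > 1 else effective["port"][0]
    if port != "1194":
        problems.append(f"expected port 1194, found port {port}")
    return problems


# Inputs taken from the guide's Examples 8.1 and 8.2, plus a constructed bad config.
EXAMPLE_CMDLINE = ("openvpn --client --pull --comp-lzo --nobind --dev tap "
                   "--ca /path/to-the-ca-certificate.pem --auth-user-pass --remote your.remote.efw")
EXAMPLE_CONFIG = """\
client
dev tap
proto udp
remote your.remote.efw
resolv-retry infinite
nobind
persist-key
persist-tun
ca path-to-the-ca-certificate.pem
auth-user-pass
comp-lzo
"""
BAD_CONFIG = """\
client
dev tun            # routed tun device: the EFW server bridges Ethernet over tap
proto tcp-client   # the EFW server listens on UDP
remote vpn.example.invalid 443
ca ca.pem
auth-user-pass
"""
```

Run `check_efw_compatibility(parse_config_file(open("client.ovpn").read()))` on your own file; an empty list means every directive the server depends on is in place, while BAD_CONFIG above yields four findings (tun device, TCP, missing comp-lzo, port 443).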


IPSec


IPSec (IP Security) is a generic standardized VPN solution. Compared to OpenVPN, encryption and authentication are already done on OSI layer 3 as an extension to the IP protocol. Therefore IPsec must be implemented in the IP stack, which is part of the kernel. Since IPSec is a standardized protocol, it is compatible with most vendors that implement IPSec. Compared to OpenVPN, IPSec's configuration and administration are usually quite difficult due to its complexity, and due to its design some situations that OpenVPN handles are impossible to handle with IPSec, especially if you have to cope with NAT. However, Endian Firewall implements an easy to use administration interface with different authentication possibilities. We strongly encourage you to use IPSec only if you need to for interoperability purposes. Use OpenVPN wherever you can, especially if NAT is in the game.

Methods of Authentication

It is necessary to have a pre-shared key/password/pass phrase or an X.509 certificate before trying to configure a Roadwarrior or Net-to-Net VPN connection. These are methods of authentication, which identify the user trying to access the VPN. They will be required in the VPN configuration stage.

Pre-shared Key

The pre-shared key authentication method or PSK is a very simple method that allows VPN connections to be set up quickly. For this method, you enter an authentication phrase. This can be any character string — similar to a password. This phrase must be available for authentication on Endian Firewall and on the VPN client.

The PSK method involves fewer steps than certificate authentication. It can be used to test connectivity of a VPN and to become familiar with the procedure of establishing a VPN connection. Experienced users may wish to progress straight to the section called “Generate Root/Host Certificates” before trying to configure a roadwarrior or a net-to-net VPN connection.

The pre-shared key method should not be used with Roadwarrior connections as all roadwarriors must use the same pre-shared key.

Note

The clocks on either end of the EFW VPN tunnel should be up to date before configuring a VPN.

X.509 Certificates

X.509 certificates are a very secure way of connecting VPN servers. To implement X.509 certificates you must either generate or set up the certificates on Endian Firewall or use another certification authority on your network.

X.509 Terminology


X.509 certificates on Endian Firewall and many other implementations are manipulated and controlled by OpenSSL. SSL, or the Secure Sockets Layer, has its own terminology.

X.509 certificates, depending on their type, may contain public and private encryption keys, pass phrases and information about the entity they refer to. These certificates are meant to be validated by Certification Authorities (Certificate Authorities) or CAs. When used by web browsers, the CA certificates of the major commercial CAs are compiled into the browsers. To validate a host certificate, the certificate is passed to the appropriate CA to perform validation. On private networks or unique hosts, the CA may reside on a local host. In EFW's case, this is the Endian Firewall itself.

Certificate signing requests are requests for signing unsigned X.509 certificates that are passed to CAs. The CAs in turn generate an X.509 certificate by signing the request. These are returned to the requesting entity as valid X.509 certificates. These signed certificates will then obviously be known to the CA.

You will see that X.509 certificates and requests can be stored on your hard drive in three different formats, usually identified by their extensions. PEM format is the default for OpenSSL. It can contain all the information associated with certificates in printable format. DER format contains just the key information and no extra X.509 information. This is the default format for most browsers. PEM format wraps headers around DER format keys. PKCS#12, PFX or P12 certificates contain the same information as PEM files in binary format. Using the openssl command, PEM and PKCS#12 files can be converted into each other.

To use a certificate, you must import it into the other side's CA, too. The IPSec implementation on Endian Firewall contains its own built in CA. CAs may run on roadwarrior's machines too.

If the roadwarrior's IPSec implementation does not have CA capabilities, you can generate a certificate request, import it into EFW so that EFW's CA can sign it. Then you have to export the resulting certificate and import it into the originating roadwarrior's IPSec software.
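The relationship between the formats described above, and the "certificate not yet valid" failures that a wrong clock causes on the VPN status page, can be shown in a few lines. The following Python code is an added example, not part of the guide or of OpenSSL: der_to_pem and pem_to_der show that PEM is just base64-encoded DER between header and footer lines, certificate_validity walks the DER structure far enough to read notBefore/notAfter, and check_clock reports what a peer with a given clock would conclude. The certificate it runs on is constructed by build_sample_certificate: it has the DER layout of a v3 certificate with placeholder name, key and signature fields and the validity dates printed in Example 8.3, so it is not a real signed certificate and no signature is verified.

```python
import base64
import re
from datetime import datetime, timezone
from typing import Tuple


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_length(len(body)) + body


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, offset after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_time(tag: int, body: bytes) -> datetime:
    s = body.decode("ascii")
    if tag == 0x17:                             # UTCTime: two-digit year, RFC 5280 century rule
        yy = int(s[:2])
        s = f"{yy + (2000 if yy < 50 else 1900)}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der: bytes) -> Tuple[datetime, datetime]:
    """notBefore/notAfter of a DER certificate; the signature is not checked."""
    _, cert, _ = read_tlv(der, 0)               # Certificate
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)              # version [0] EXPLICIT, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)          # serialNumber
    _, _, pos = read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)              # issuer Name
    _, validity, _ = read_tlv(tbs, pos)         # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return _decode_time(t1, nb), _decode_time(t2, na)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM = header line, base64 of the DER in 64-column lines, footer line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def check_clock(der: bytes, now: datetime) -> str:
    """What a VPN peer whose clock reads 'now' concludes about the certificate."""
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        return "not yet valid (is the clock behind?)"
    if now > not_after:
        return "expired"
    return "valid"


# Constructed sample (NOT a real, signed certificate): the DER layout of a v3
# certificate with placeholder name/key/signature and the dates of Example 8.3.
SAMPLE_NOT_BEFORE = datetime(2006, 4, 30, 16, 21, 28, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2022, 3, 11, 6, 56, 8, tzinfo=timezone.utc)


def build_sample_certificate(not_before: datetime = SAMPLE_NOT_BEFORE,
                             not_after: datetime = SAMPLE_NOT_AFTER) -> bytes:
    utc = lambda dt: tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))  # UTCTime
    cn = seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x13, b"sample CA"))      # 2.5.4.3 = commonName
    name = seq(tlv(0x31, cn))                                            # Name = SEQ { SET { ... } }
    alg = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"),        # sha256WithRSAEncryption
              tlv(0x05, b""))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")),                             # version v3
              tlv(0x02, b"\x01"),                                         # serialNumber 1
              alg, name,
              seq(utc(not_before), utc(not_after)),                       # validity
              name,                                                       # subject
              seq(alg, tlv(0x03, b"\x00")))                               # placeholder SPKI
    return seq(tbs, alg, tlv(0x03, b"\x00"))                              # placeholder signature


def demo() -> dict:
    der = build_sample_certificate()
    return {
        "round_trip_ok": pem_to_der(der_to_pem(der)) == der,
        "validity": certificate_validity(der),
        "clock_2005": check_clock(der, datetime(2005, 1, 1, tzinfo=timezone.utc)),
        "clock_2010": check_clock(der, datetime(2010, 1, 1, tzinfo=timezone.utc)),
        "clock_2023": check_clock(der, datetime(2023, 1, 1, tzinfo=timezone.utc)),
    }
```

For a real CA certificate downloaded from the Endian Firewall, `certificate_validity(pem_to_der(open("ca.pem").read()))` gives the same two dates that openssl prints under Validity; a peer whose clock is earlier than notBefore reports the certificate as not yet valid, which is why the notes on this page ask for correct clocks on both ends before the tunnel is configured.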

Global Settings

Figure 8.20. VPN global settings

Enter the VPN server details, either its fully qualified domain name or the public IP address of the RED interface. If you are using a dynamic DNS service, you should use your dynamic DNS name here.

VPNs and Dynamic DNS

If your ISP changes your IP address, be aware that Net-to-Net VPNs may have to be restarted from both ends of the tunnel. Roadwarriors will also have to restart their connections in this case.


Enable the VPN on Endian Firewall by selecting Local VPN Hostname/IP and click on the Save button. The VPN on Blue option will only be visible if you have configured a BLUE network interface card. To enable a VPN over your BLUE wireless connection click on the VPN on BLUE Enabled check box and then click on the Save button.

Connection Status and Control

Figure 8.21. VPN connection status and control window: initial view

This box lists each configured connection and its status. For each connection you will see the following information:

Name

The name of the respective connection.

Type

The connection type (Net-to-Net or Net-to-Host) with its authentication type.

Common Name

This field is filled only if certificate authentication is used. It contains the value that has been inserted into the remote certificate as common name. Normally this is the hostname of the remote host.

Remark

A short remark to make it easier to identify the connection.

Status

Shows the status of the respective connection. The following values are possible:

CLOSED

the connection is closed.

OPEN

the connection is established.


The remaining items are the Actions available for each connection:

Restart icon

Clicking this icon restarts the connection. Use it on both ends if, for example, an IP address changes.

Enabled checkbox

To enable or disable a connection, click the Enabled check box of the entry in question. The icon changes to an empty box when a connection is disabled; click the check box again to re-enable it.

Pencil icon

Click on this icon if you want to edit that particular connection entry.

Trash can icon

By clicking on this icon the connection will be removed.

Warning

The administration interface does not ask you if you really want to remove the connection!

To create a VPN connection use the Add button. The VPN connection page will appear (see the section called “Connection Type”).

Certificate Authorities

This section is used to create or import root CA certificates. The box shows two specially marked lines with information about the existing certificates; once you have created or imported them, these lines are filled in. On the right, in the Actions column, you find two icons. Clicking the blue information icon loads a page with the certificate printed both as plain text and as ASCII-armored (PEM) output.

Example 8.3. Example plain text certificate output.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AF, O=endian, CN=endian CA
        Validity
            Not Before: Apr 30 16:21:28 2006 GMT
            Not After : Mar 11 06:56:08 2022 GMT
        Subject: C=AF, O=endian, CN=endian CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c2:9f:79:09:84:88:6e:8f:9f:be:50:36:62:2e:
                    25:63:ac:1d:e4:ff:7e:b1:f0:f1:42:c8:a0:a6:33:
                    32:43:56:d0:5a:e1:77:14:ec:ba:f8:44:22:e9:aa:
                    e8:70:19:e1:38:50:28:56:48:a8:7f:a7:eb:0e:a8:
                    27:9a:ba:a4:0a:fb:59:7f:1f:4c:d4:20:78:05:2e:
                    06:2a:5c:f2:6f:70:ee:c2:d2:3b:34:35:80:e8:da:
                    dc:c8:32:34:95:cb:f0:0a:75:04:f6:0b:26:d6:9b:
                    ab:0e:01:60:f0:fe:2a:a6:40:e6:a7:47:e2:71:11:
                    25:71:c4:03:99:d8:fd:07:00:7e:e6:28:12:97:29:
                    3f:ad:68:54:01:8d:ed:26:97:c9:85:8c:32:bf:0b:
                    58:82:2e:38:71:26:58:3c:75:96:27:df:4b:35:0d:
                    f5:aa:c5:5a:e7:f1:73:a1:f0:5e:a2:ab:4b:3f:a7:
                    60:6f:36:55:d6:c5:76:71:23:b6:9b:44:b3:2c:bf:
                    83:b3:cc:17:05:7d:0a:ea:1e:83:28:91:8a:79:6b:
                    ec:45:65:c5:40:cd:e5:43:ec:72:77:74:6c:28:31:
                    fa:b1:49:e8:41:94:93:93:8a:57:14:88:e2:b0:e1:
                    3d:d2:7c:a2:ce:35:85:cc:7b:c9:37:61:47:1d:85:
                    db:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C7:EE:A4:68:68:A7:A9:4B:1E:95:09:66:84:50:94:0F:7A:FA:B4:62
            X509v3 Authority Key Identifier:
                keyid:C7:EE:A4:68:68:A7:A9:4B:1E:95:09:66:84:50:94:0F:7A:FA:B4:62
                DirName:/C=AF/O=endian/CN=endian CA
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        35:a7:2e:5d:66:ef:23:37:36:fe:3a:18:4f:3b:1f:e0:76:bd:
        07:85:6b:06:33:f5:56:15:6b:3b:08:81:0a:5a:f6:32:bb:e1:
        3a:c6:76:94:ac:09:30:6c:82:32:6d:a0:dd:14:a4:5a:27:57:
        6b:86:81:ec:c9:bb:78:cc:79:8b:db:4a:71:8f:94:f8:59:c5:
        8a:a6:f4:9c:c6:c5:8b:24:5d:cd:a8:c6:f1:15:ed:1a:d9:49:
        56:6c:08:9b:8e:d0:08:85:ca:3e:d9:27:70:e2:d4:53:4a:89:
        ce:79:47:c0:2a:7f:96:fc:87:20:11:86:c4:bd:72:a0:f3:50:
        89:d3:a8:3d:0d:90:1e:67:8e:15:02:7b:a4:46:46:20:8c:eb:
        25:cf:d5:1b:25:98:2c:9c:38:90:68:e1:d2:b1:3c:d1:ea:24:
        f9:c0:6b:0d:38:d1:65:73:94:30:9b:a5:ce:d9:c5:86:ca:79:
        b2:bd:9f:82:1a:37:3b:54:2b:72:b5:55:44:ff:ec:f0:f7:6c:
        50:c2:ca:35:f5:86:a3:41:70:46:df:06:ce:5e:3f:07:fa:79:
        a9:01:be:f9:21:ff:a7:e2:bc:ad:9f:a7:04:36:67:ff:19:32:
        e7:47:c7:eb:3e:2d:73:22:31:0c:4d:07:c0:7a:f8:3d:81:e2:
        da:68:1c:48

The blue diskette icon lets you download the certificate as a PEM-encoded file, which you can then import on other devices.

Example 8.4. Example content of an exported CA.

-----BEGIN CERTIFICATE-----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


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-----END CERTIFICATE-----
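Before importing a CA exported this way on a peer, it is worth checking what you are about to trust. The following is an added example, not code from this guide or from Endian Firewall: it reads the plain-text dump shown in Example 8.3 (the openssl x509 -text layout) and reports the points a practitioner checks, namely the signature digest (md5WithRSAEncryption, as in the example, is no longer considered safe for signatures), the key length, the CA:TRUE basic constraint, the validity window, and whether the certificate is self-signed. SAMPLE_DUMP is constructed from the values in Example 8.3 with the hex dumps left out; the function names are this example's own.

```python
"""Sanity checks on an exported Endian Firewall CA certificate.

Added example; not code from the Endian Firewall guide or project.  It reads
the plain-text dump that the Certificate Authorities page prints (the
openssl x509 -text layout of Example 8.3) and reports what a practitioner
checks before importing a CA on a peer: weak signature digest, short key,
missing CA:TRUE, validity window, and whether it is self-signed (subject ==
issuer and the authority key id equals the subject key id).  SAMPLE_DUMP is
constructed from the values in Example 8.3 with the hex dumps left out.
"""
import re
from datetime import datetime, timezone

SAMPLE_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AF, O=endian, CN=endian CA
        Validity
            Not Before: Apr 30 16:21:28 2006 GMT
            Not After : Mar 11 06:56:08 2022 GMT
        Subject: C=AF, O=endian, CN=endian CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C7:EE:A4:68:68:A7:A9:4B:1E:95:09:66:84:50:94:0F:7A:FA:B4:62
            X509v3 Authority Key Identifier:
                keyid:C7:EE:A4:68:68:A7:A9:4B:1E:95:09:66:84:50:94:0F:7A:FA:B4:62
                DirName:/C=AF/O=endian/CN=endian CA
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
"""

WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}


def _field(dump, label):
    """Value after 'label:' on the first line that starts with the label."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", dump, re.M)
    return m.group(1) if m else None


def _after_header(dump, header):
    """First line below an extension header such as 'X509v3 Basic Constraints:'."""
    m = re.search(r"^\s*" + re.escape(header) + r":[^\n]*\n\s*(.+?)\s*$", dump, re.M)
    return m.group(1) if m else None


def _parse_date(text):
    """'Apr 30 16:21:28 2006 GMT' -> aware UTC datetime (OpenSSL pads days with spaces)."""
    text = " ".join(text.replace("GMT", "").split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_cert_text(dump):
    """Pull the trust-relevant fields out of an 'openssl x509 -text' dump."""
    aki = _after_header(dump, "X509v3 Authority Key Identifier") or ""
    basic = _after_header(dump, "X509v3 Basic Constraints") or ""
    bits = re.search(r"Public Key: \((\d+) bit\)", dump)
    return {
        "subject": _field(dump, "Subject"),
        "issuer": _field(dump, "Issuer"),
        "sig_alg": _field(dump, "Signature Algorithm"),
        "key_bits": int(bits.group(1)) if bits else None,
        "not_before": _parse_date(_field(dump, "Not Before")),
        "not_after": _parse_date(_field(dump, "Not After")),
        "ski": _after_header(dump, "X509v3 Subject Key Identifier"),
        "aki_keyid": aki[len("keyid:"):] if aki.startswith("keyid:") else None,
        "is_ca": "CA:TRUE" in basic,
    }


def check_ca(info, today=None):
    """Return a list of findings (empty = nothing to object to).

    today: 'YYYY-MM-DD' for a reproducible check; default is the current UTC date.
    """
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    findings = []
    digest = (info["sig_alg"] or "").lower().split("with")[0]
    if digest in WEAK_DIGESTS:
        findings.append(f"weak signature digest: {info['sig_alg']}")
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append(f"RSA key too short: {info['key_bits']} bits")
    if not info["is_ca"]:
        findings.append("basicConstraints CA:TRUE missing: not usable as a CA")
    if now < info["not_before"]:
        findings.append("certificate not yet valid")
    if now > info["not_after"]:
        findings.append(f"certificate expired on {info['not_after']:%Y-%m-%d}")
    self_signed = info["subject"] == info["issuer"] and (
        info["aki_keyid"] is None or info["aki_keyid"] == info["ski"])
    if not self_signed:
        findings.append("not self-signed: not a root CA, its issuer must be imported too")
    return findings


if __name__ == "__main__":
    details = parse_cert_text(SAMPLE_DUMP)
    for finding in check_ca(details) or ["no findings"]:
        print(finding)
```

Run against the dump from Example 8.3 the only finding in 2010 is the MD5 signature; run today it also reports the expiry in March 2022. A CA that fails the CA:TRUE or self-signed checks should not be uploaded under Upload a CA certificate at all.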

Generate Root/Host Certificates

Figure 8.22. VPN certificate authorities window: initial view

To create an EFW Certificate Authority or CA, enter your CA's name in the CA Name box. The name should differ from the Endian Firewall machine's host name to avoid confusion, for example efwa for the CA and efw for the hostname. Then click on the Generate Root/Host Certificates button. The Generate Root/Host Certificates page will appear. Fill out the form and both an X.509 root and a host certificate will be generated.

The following describes the items in the form:

Organization Name

The organization name you want to use in the certificate. For example, if your VPN is tying together schools in a school district, you may want to use something like “Some School District.”

Endian Firewall's Hostname

This should be the fully qualified domain name of your Endian Firewall. If you are using a dynamic DNS service (see the section called “Dynamic DNS Administrative Web Page”), use it.

Your E-mail Address

Your E-mail address, so that folks can get hold of you.

Your Department


This is the department or suborganization name. Continuing the school district example, this could be XX Elementary School. This is optional.

City

The city or mailing address for your machine. This is optional.

State or Province

The state or province associated with the mailing address.

Country

This pull down selection menu contains every ISO recognized country name. Use it to select the country associated with the certificate.

After completing the form, click on the Generate Root/Host Certificates button to generate the certificates.

If desired, you can generate several root and host certificates on a single Endian Firewall, export them as PKCS12 files encrypted with a password, and e-mail them as attachments to your other sites. Using the Upload PKCS12 file portion of this web page, you can then upload and decrypt the certificates on the local Endian Firewall. The PKCS12 file is generated on the remote Endian Firewall that owns the CA by creating the connection intended for the tunnel to your local firewall, as described in the section called “Host-to-Net Connection” later in this document. If you select Generate a certificate, as described in the section called “Authentication”, it creates the file you need here. Because the PKCS12 file contains the host's private key, send its password over a different channel than the file itself.

Upload a CA certificate

If you already have created a CA certificate on another machine, you can simply upload the certificate file in order to give the local Endian Firewall the chance to verify remote certificates. Simply push the Browse button and choose the CA certificate file. Then finally push the Upload CA Certificate button. Thereafter the CA will be visible within the box above.

Reset configuration

By pressing the Reset button on the front page you will delete the entire VPN configuration from Endian Firewall. This could be necessary for example if you need to remove the CA because you want to create a new one.

Warning

This removes the entire IPSec configuration including Certificates, Keys and Connection configurations.

Add a new connection

Once you pushed the Add button, a page will appear which asks you for the desired connection type. The following describes the further procedure.


Connection Type

Figure 8.23. VPN connection type selection

Select either Host-to-Net (Roadwarrior) for mobile users who need access to the GREEN network or Net-to-Net to grant users on another network access to your GREEN network and to allow users on your GREEN network to access the other network.

Choose the connection type you want to create and click on the Add button.

The next web page that appears contains two sections. The Connection section will differ depending on the connection type you are adding. The Authentication section will be the same.

Host-to-Net Connection

Figure 8.24. VPN Host-to-Net connection input

The following describes each field of the connection configuration box if you selected a Host-to-Net connection:

Name

Choose a simple name (lower case only, no spaces) to identify this connection.


Interface

Select the Endian Firewall network interface the roadwarrior will be connecting on, either RED or BLUE. Selecting the RED interface will allow the roadwarrior to connect from the Internet. Selecting the BLUE interface will allow the roadwarrior to connect to the GREEN network from a local wireless network.

Local Subnet

defaults to your GREEN network. If desired, you can create a subnet of your GREEN network to limit roadwarrior access to your GREEN network. Example for this field: 10.1.1.0/255.255.255.0.

Remark

allows you to add an optional remark that will appear in the Endian Firewall VPNs connection window for this connection.

Enabled

Click on the Enabled check box to enable this connection.

Edit advanced settings when done.

Click on the Edit advanced settings when done check box if you need to modify EFW's default settings for IPSec.

Net-to-Net Connection

Figure 8.25. VPN Net-to-Net connection input

Note on IPSec Terminology

IPSec uses the terms right and left for the two sides of a connection or tunnel. These terms have no intrinsic meaning. IPSec orients itself based on network addresses and routes: once it has determined which side, left or right, it must use to reach the other end of a connection, all other right or left parameters follow. Many people use left for the local side of a connection and right for the remote side, but this is not necessary. It is best to think of the terms as “side 1” and “side A” of an old LP record.

The following describes each field of the connection configuration box if you selected a Net-to-Net connection:

Name

Choose a simple name (lower case only with no spaces) to identify this connection.

Endian Firewall side

Choose a side for this Endian Firewall, left or right, which is used in the IPSec configuration files to identify this Endian Firewall's end of the connection. The side is a symbolic identifier for one end of the VPN tunnel. You are free to choose either side for the local end, as long as the configuration on the remote machine uses the same side to identify the local firewall.

Local Subnet

Defaults to your GREEN network. If desired, you can enter a subnet of your GREEN network to limit the remote network's access to that part of your GREEN network. Example for this field: 10.1.1.0/255.255.255.0.

Remote Host/IP

Enter the static Internet IP address of the remote network's IPSec server. You can also enter the fully qualified domain name of the remote server. If the remote server is using a dynamic DNS service, you may have to restart the VPN if its IP address changes.

Remote subnet

Enter the remote network's network address and subnet mask in the same format as the Local Subnet field. This network must be different from the Local Subnet since IPSec sets up routing table entries to send IP packets to the correct remote network.

Remark

allows you to add an optional remark that will appear in the Endian Firewall VPN's connection window for this connection.

Enabled

Click on the Enabled check box to enable this connection.

Edit advanced settings when done.

Click on the Edit advanced settings when done check box if you need to modify EFW's default settings for IPSec.
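The side choice and the subnet rule above are easy to get wrong when two administrators configure the two ends separately. The following added example (not code from this guide or from Endian Firewall) renders the connection definition for a Net-to-Net tunnel and performs the two checks the text asks for: the peer must use the mirrored side for itself, and the local and remote subnets must not overlap. It assumes the Openswan/strongSwan ipsec.conf keywords (conn, left, right, leftsubnet, rightsubnet, authby, auto); the file EFW actually generates is not shown in the guide. Subnets are accepted in the guide's address/netmask form.

```python
"""Both ends of a Net-to-Net IPSec connection, with the consistency checks the
guide asks for.  Added example; not code from the Endian Firewall guide or
project.  'left' and 'right' are labels only: the local firewall picks a side
for itself, the peer must describe the tunnel with the same assignment, and
the two subnets must not overlap because the kernel routes by destination
network.  The conn syntax is the Openswan/strongSwan ipsec.conf format
(assumed; the file EFW generates is not shown in the guide).  Subnets use
the guide's address/netmask form, e.g. 10.1.1.0/255.255.255.0.
"""
import ipaddress
import re

_NAME_RE = re.compile(r"^[a-z0-9_-]+$")  # "lower case only, no spaces"


def parse_subnet(text):
    """'10.1.1.0/255.255.255.0' or '10.1.1.0/24' -> IPv4Network (host bits must be 0)."""
    return ipaddress.IPv4Network(text, strict=True)


def other_side(side):
    """The label the peer uses for itself once the local firewall has chosen 'side'."""
    if side not in ("left", "right"):
        raise ValueError("side must be 'left' or 'right'")
    return "right" if side == "left" else "left"


def build_net_to_net(name, efw_side, local_host, local_subnet, remote_host, remote_subnet):
    """Return the conn block plus the side each end must configure for itself.

    The same block is valid on both firewalls: IPSec works out from its own
    addresses which of left/right it is, so the text does not change per end.
    """
    if not _NAME_RE.match(name):
        raise ValueError("connection name must be lower case with no spaces")
    peer_side = other_side(efw_side)
    local = parse_subnet(local_subnet)
    remote = parse_subnet(remote_subnet)
    if local.overlaps(remote):
        raise ValueError(f"local {local} and remote {remote} overlap: "
                         "routes into the tunnel would be ambiguous")
    ends = {efw_side: (local_host, local), peer_side: (remote_host, remote)}
    lines = [f"conn {name}"]
    for side in ("left", "right"):  # canonical order so both ends get identical text
        host, net = ends[side]
        lines.append(f"    {side}={host}")
        lines.append(f"    {side}subnet={net.with_prefixlen}")
    lines.append("    authby=secret")  # pre-shared key; certificates would add leftid/rightid
    lines.append("    auto=start")
    return {"conn": "\n".join(lines), "efw_side": efw_side, "peer_side": peer_side}


def sides_consistent(efw_side, side_peer_assigned_to_efw):
    """True when the remote admin used the same label for this firewall as we did."""
    return efw_side == side_peer_assigned_to_efw


if __name__ == "__main__":
    result = build_net_to_net("branch", "left", "efw.example.net", "10.1.1.0/255.255.255.0",
                              "203.0.113.45", "10.2.0.0/255.255.0.0")
    print(result["conn"])
    print("peer must call itself:", result["peer_side"])
```

If the remote administrator also labels their own firewall left, both ends claim the same side and the tunnel never matches; sides_consistent() is the check to run on the two configurations before blaming the network.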


Authentication

The second section of the web page deals with authentication, in other words how this Endian Firewall makes sure that the tunnel it establishes really terminates at the intended peer. Endian Firewall supports both PSKs and X.509 certificates.

Figure 8.26. VPN authentication input

There are four mutually exclusive choices that can be used to authenticate a connection:

Use a Pre-Shared Key

Enter a pass phrase used to authenticate the other side of the tunnel. Choose this if you want a simple Net-to-Net VPN; PSKs are also convenient while experimenting with a VPN setup. Do not use PSKs to authenticate tunnels to roadwarriors: roadwarriors connect from changing addresses, so the firewall cannot tell them apart before authentication and all of them would have to share one key, which a single lost laptop would compromise.

Upload certificate request

Some roadwarrior IPSec implementations do not have their own CA. If they are to use Endian Firewall's built-in CA, they can generate a so-called certificate request. This is a partial X.509 certificate that must be signed by a CA to become a complete certificate. During the certificate request upload, the request is signed and the new certificate becomes available on the VPN's main web page.

Upload a certificate

In this case, the peer IPSec has a CA available for use. Both the peer's CA certificate and host certificate must be uploaded.

Generate a certificate

In this case the IPSec peer can use an X.509 certificate but is not able to generate even a certificate request. Complete the required fields. Optional fields are indicated by red dots. If this certificate is for a Net-to-Net connection, the User's Full Name or System Hostname field may have to be the Internet fully qualified domain name of the peer. The optional organization name is meant to restrict different portions of an organization to parts of EFW's GREEN network by subnetting the Local Subnet in the connection definition portion of this web page. The PKCS12 File Password encrypts the generated bundle, which contains the host's private key, so that it cannot be read and misused if it is intercepted on its way to the IPSec peer; hand the password to the peer over a separate channel.

This page was last modified on: $Date: 2006-11-22 23:32:04 +0100 (Wed, 22 Nov 2006) $.


The Logs administration page consists of these sub-pages:

Log Summary
Log Settings
Proxy Logs
Firewall Logs
IDS Logs
Content Filter Logs
Openvpn Log
System Logs
SMTP Log
ClamAV Log
SIProxy log viewer
Proxy Analysis Report (new in version 2.1)

The log viewer pages share a common set of interface features to select the log information to be displayed and to export it to your local machine. By default the log viewer shows the most recent log lines as they appear in the log files. The information is shown as a list (usually labeled Log) of all log entries in the main section of the window. If that list is too long to fit into a reasonably sized window, only the latest entries are displayed. In that situation, the Older and Newer links at the top and bottom of this section of the window become active and you can use them to page through the log data.

Since the amount of data in the log files can become very large, log files are rotated weekly to keep the current file small. During a rotation the log file is moved away and compressed to save disk space, and a new one is created. You therefore have a log file for each week, and each log file may contain more or less data than the previous one. The archived log files remain on disk for 52 weeks before they are deleted.

The log viewer lets you navigate through the entire set of log lines; if you reach the end of one file, the next file is used automatically. To let you know where exactly you are within the log lines, the following informational line is displayed:


Total number of lines matching selected criteria: 1054 - File: 1/14 - Offset: 1/8

As the line says, the first number is the total number of lines matching the selected criteria. These lines may be spread over several log files, so in some situations you still have to page back even though one page would have had enough room for all of them.

The numbers after the label File tell you which log file you are currently viewing and the total number of archived and non-archived log files for the current service.

The numbers after the label Offset show your current position within the log file: the first number is the page you are currently displaying, the second the total number of pages in the current log file.

Figure 9.2. Generic navigation items

The following describes the common interface elements you can use to influence the displayed log lines:

Filter

The Filter field lets you define a search term that is searched for in the log files; the viewer then displays only those lines that contain it. The field also accepts Perl compatible regular expressions. After changing the value in this field you need to press the Update button for the log viewer output to reflect the change.

Older

This button lets you jump chronologically backwards within the log entries. It disappears if there are no older log entries.

Newer

This button lets you jump chronologically forwards within the log entries. It disappears if there are no newer log entries.

Jump to offset

Instead of pressing Older or Newer until you reach the desired page, you can jump directly to a specific page if you know its exact position. You can also jump to an estimated position and then use the Older/Newer buttons to reach the desired place.

Jump to file


Lets you jump directly to a specific archived file. Pressing the Older button repeatedly moves back page by page; once you have reached the last page of the current file, the next older log file is opened when you press Older again. Jump to file is simply a faster way to reach a desired place within the whole set of data.

Export

Pressing the Export button downloads a text-format file (log.dat), containing the information from the current Logs page, from the Endian Firewall to your computer. Depending on how your computer is set up, pressing the Export button will initiate a file download dialogue on your computer, show the contents of log.dat in your web browser window, or open the file in a text editor. In the latter cases, you can save log.dat as a text-format file if required.
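The navigation described above (a regular expression filter, pages counted from the newest lines, and Older crossing from the live file into the weekly archives) is easy to reproduce when you need the same view from a script, for instance on exported or backed-up logs. The following is an added example, not code from this guide or from Endian Firewall. It assumes the usual logrotate layout of compressed <log>.N.gz siblings next to the live file (the guide only says archives are compressed weekly), and SAMPLE_FILES are constructed log lines standing in for files on disk; page_logs() and status_line() are this example's own names.

```python
"""Paging through rotated log files with a filter, the way the EFW log viewer
describes it ('Total ... - File: x/y - Offset: p/q').  Added example; not code
from the Endian Firewall guide or project.  Page 1 of each file is the newest
page; Older moves towards the start of the file and then into the next older
file.  load_log_set() assumes the usual logrotate layout of <log>.N.gz
siblings (an assumption; the guide only says archives are compressed weekly).
SAMPLE_FILES are constructed log lines used in place of files on disk.
"""
import glob
import gzip
import os
import re

SAMPLE_FILES = [  # newest first: the live file, then one weekly archive
    ("messages", [
        "May 20 12:00:00 efw dnsmasq[401]: started, version 2.x",
        "May 20 12:01:00 efw kernel: BADTCP IN=eth1 SRC=198.51.100.7",
        "May 20 12:02:00 efw sshd[311]: Accepted password for root from 10.0.0.5",
        "May 20 12:03:00 efw kernel: BADTCP IN=eth1 SRC=198.51.100.8",
        "May 20 12:04:00 efw kernel: PORTSCAN IN=eth1 SRC=198.51.100.9",
        "May 20 12:05:00 efw kernel: BADTCP IN=eth1 SRC=198.51.100.7",
        "May 20 12:06:00 efw dnsmasq[401]: query[A] example.org from 10.0.0.5",
    ]),
    ("messages.1.gz", [
        "May 13 09:00:00 efw kernel: BADTCP IN=eth1 SRC=198.51.100.2",
        "May 13 09:01:00 efw sshd[200]: Failed password for root from 203.0.113.9",
        "May 13 09:02:00 efw kernel: PORTSCAN IN=eth1 SRC=203.0.113.9",
    ]),
]


def load_log_set(path):
    """[(name, lines)] for path and its rotated siblings, newest first."""
    archives = sorted(glob.glob(path + ".*.gz"), key=lambda f: int(f.rsplit(".", 2)[1]))
    out = []
    for name in [path] + archives:
        opener = gzip.open if name.endswith(".gz") else open
        with opener(name, "rt", encoding="utf-8", errors="replace") as fh:
            out.append((os.path.basename(name), fh.read().splitlines()))
    return out


def page_logs(files, pattern=None, per_page=50, file_no=1, page_no=1, reverse=False):
    """One page of matching lines plus the numbers shown in the viewer's status line.

    file_no and page_no are 1-based like the UI.  pattern is a regular
    expression searched in each line (re.search semantics, like the Filter field).
    """
    rx = re.compile(pattern) if pattern else None
    matches = [[ln for ln in lines if rx is None or rx.search(ln)] for _, lines in files]
    total = sum(len(m) for m in matches)
    cur = matches[file_no - 1]
    pages = -(-len(cur) // per_page)  # ceiling division
    page_no = min(max(page_no, 1), pages) if pages else 0
    end = len(cur) - (page_no - 1) * per_page if pages else 0  # page 1 = newest lines
    lines = cur[max(0, end - per_page):end] if pages else []
    return {
        "lines": lines[::-1] if reverse else lines,
        "file_name": files[file_no - 1][0],
        "total": total,
        "file": f"{file_no}/{len(files)}",
        "offset": f"{page_no}/{pages}",
        "has_older": page_no < pages or file_no < len(files),
        "has_newer": page_no > 1 or file_no > 1,
    }


def status_line(page):
    """The informational line the viewer prints above the log list."""
    return (f"Total number of lines matching selected criteria: {page['total']} - "
            f"File: {page['file']} - Offset: {page['offset']}")


if __name__ == "__main__":
    first = page_logs(SAMPLE_FILES, r"BADTCP", per_page=2)
    print(status_line(first))
    for line in first["lines"]:
        print(line)
```

With the sample data and the filter BADTCP, two lines per page, the status line reads "Total number of lines matching selected criteria: 4 - File: 1/2 - Offset: 1/2": four matches in total, of which only three live in the current file, which is exactly the situation the text describes where paging back is still necessary.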

Log Settings Administrative Web Page

In this section you can configure some useful options.

The page is divided in four sections. Each of them are described below:

Log viewing options

Figure 9.3. Configuration of log viewer

These options affect how the log lines are displayed:

Number of lines to display

Specifies how many log lines you want the log viewer to display on one page.

Sort in reverse chronological order

Tick this on if you'd like the log viewer to display chronologically newer log lines first.

Log summaries

Figure 9.4. Configuration of log summaries

This lets you configure the summary page, which will be described later in this document:

Log summaries for xxx days

Lets you define for how many days you would like to save the daily summaries on disk.

Detail level


Lets you choose the detail level of the log summary: Low, Medium or High. The summary then provides correspondingly less or more information.

Remote logging

Figure 9.5. Configuration of remote logging

Endian Firewall can also send all its logs to a remote syslog server. This is very useful if you want to collect the logs of your whole company on one centralized log server, and it keeps the logs available even after a fatal failure of the firewall itself. To enable remote logging, enter the hostname or IP address of the remote syslog server in the text field labeled Syslog server and tick the Enabled check box. Endian Firewall then logs to the remote syslog server as well as to its local log files. Classic syslog forwarding is neither encrypted nor authenticated, so the log server should only be reachable over a trusted network.

Note

Currently not every service is able to use syslog; some can only write to log files and cannot log to a remote syslog server. Services that currently cannot use syslog are: all kinds of HTTP services (administration web server, HTTP proxy, HTTP content filter, HAVP), the FTP proxy and the IDS (snort).

Firewall logging

Figure 9.6. Configuration of firewall logging

If Endian Firewall has a public IP address and is therefore the door to the outside, a great many packets will be blocked by the firewall. Not all of these are hostile attempts by attackers, but they are logged nevertheless and produce a lot of data. Here you can configure globally what should be logged and what not:

Log packets with BAD constellation of TCP flags

TCP allows anyone to set flags in combinations that make no sense at all (for example SYN and FIN together, or no flags at all). Such combinations can confuse firewalls and hosts in general and allow an attacker to gather more information than you would like to share; port scanners in particular use them. Endian Firewall blocks such packets. Tick this option if you want them logged. You will find such attempts in the firewall log as packets that passed the chain BADTCP.

Log portscans

You may enable portscan detection by ticking this checkbox on. The portscan detection will be performed using the netfilter psd match. You will find the logged portscans in the firewall log resulting as packets which passed the chain PORTSCAN.

Note

Portscans are never blocked, only logged. If you have not configured any port forwards, a portscan of an Endian Firewall reveals nothing of interest to the attacker, since nothing is open.

Log NEW connections without SYN flag

Packets that are to establish a TCP connection must have the SYN flag set; if it is not set, the packet is not sane. Endian Firewall blocks such packets, and you can log the attempts by ticking this check box.

Log refused packets

If you tick this option, Endian Firewall logs all connection attempts it has denied. Since Endian Firewall denies all connection attempts by default and allows only what you have defined, this certainly produces a lot of unneeded data, so you may want to turn it off. It can be useful, however, to find out which ports you need to open for applications whose ports you do not know.

Log accepted outgoing connections

Tick this on if you would like to globally log all connections which have successfully passed Endian Firewall without being dropped. You can use this to test if your newly created rules are correct as this allows you to see the connections made by your applications.

Note

Check your local law! Enabling this may be prohibited by privacy law in many countries, while other countries may require you by law to enable it (for example the anti-terror law in Italy). If you need to enable it, remember to back up your logs, since you will probably also need them after a fatal failure, and ensure that nobody else has access to the backups and log files (privacy law)!
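The options above decide which lines end up in the firewall log, but what the lines mean (which chain, which interface, which flag combination) is what you act on. The following added example, not code from this guide or from Endian Firewall, parses kernel netfilter log lines into the columns the Firewall Logs page shows, applies the TCP flag sanity rules behind the BADTCP chain, and summarizes the result. It assumes the chain name is used as the LOG prefix in front of the first KEY=VALUE token (BADTCP and PORTSCAN are the names the guide gives; INPUT in the sample is this example's own choice for refused packets) and that no "[uptime]" stamp follows "kernel:". The log lines are constructed and use documentation address ranges; one of them comes in on a PPP interface to show the empty MAC field the guide mentions.

```python
"""Parse netfilter log lines as the Firewall Logs page displays them and
apply the BADTCP sanity rules.  Added example; not code from the Endian
Firewall guide or project.  Assumptions: the kernel LOG target is used with
the chain name as log prefix (it appears before the first KEY=VALUE token),
and lines carry no extra "[uptime]" stamp after "kernel:".  The sample lines
are constructed; addresses are documentation ranges.
"""
import re
from collections import Counter

SAMPLE_LINES = [
    "May 20 12:01:00 efw kernel: BADTCP IN=eth1 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:01:02:03:08:00 SRC=198.51.100.7 DST=203.0.113.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=54321 DPT=22 "
    "WINDOW=1024 RES=0x00 SYN FIN URGP=0",
    "May 20 12:01:03 efw kernel: PORTSCAN IN=eth1 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:01:02:03:08:00 SRC=198.51.100.7 DST=203.0.113.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=54322 DPT=443 "
    "WINDOW=1024 RES=0x00 SYN URGP=0",
    # PPP interface: no link-layer header, so the MAC field is empty
    "May 20 12:02:10 efw kernel: INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.33 "
    "DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP "
    "SPT=4101 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 20 12:03:00 efw kernel: INPUT IN=eth1 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:01:02:03:08:00 SRC=198.51.100.7 DST=203.0.113.10 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=UDP SPT=50000 DPT=161 LEN=58",
]

_LINE_RE = re.compile(r"^(?P<time>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S*)")
_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_line(line):
    """One log line -> dict of the columns the Firewall Logs page shows, or None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    first_kv = re.search(r"\b\w+=", rest)
    chain = rest[:first_kv.start()].strip() if first_kv else rest.strip()
    kv = dict(_KV_RE.findall(rest))
    proto = kv.get("PROTO")
    # MAC= holds dst(6):src(6):ethertype(2); the sender is the middle six octets
    mac = kv.get("MAC", "")
    return {
        "time": m.group("time"),
        "chain": chain or None,
        "iface": kv.get("IN") or None,
        "proto": proto,
        "src": kv.get("SRC"),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "sender_mac": mac[18:35] if len(mac) >= 35 else None,
        "dst": kv.get("DST"),
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "flags": sorted(_TCP_FLAGS & set(rest.split())) if proto == "TCP" else [],
    }


def parse_lines(lines):
    return [r for r in (parse_line(l) for l in lines) if r]


def bad_tcp_reason(flags):
    """Why a TCP flag combination is nonsensical (the checks behind BADTCP), or None."""
    f = set(flags)
    if not f:
        return "NULL scan (no flags set)"
    if {"FIN", "SYN", "URG", "PSH"} <= f:
        return "XMAS scan (FIN+SYN+URG+PSH)"
    for combo in ({"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"}):
        if combo <= f:
            return "+".join(sorted(combo))
    if "ACK" not in f and f & {"FIN", "PSH", "URG"}:
        return "FIN/PSH/URG without ACK"
    return None


def summarize(records):
    """What an admin wants at a glance: volume per chain, noisy sources, ident noise."""
    return {
        "by_chain": dict(Counter(r["chain"] for r in records)),
        "top_src": Counter(r["src"] for r in records).most_common(3),
        "bad_tcp": [(r["src"], bad_tcp_reason(r["flags"]))
                    for r in records if r["chain"] == "BADTCP"],
        # ident/auth (tcp/113) probes are blocked by default and usually harmless
        "ident_noise": sum(1 for r in records if r["proto"] == "TCP" and r["dpt"] == 113),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_lines(SAMPLE_LINES)).items():
        print(key, value)
```

The ident_noise counter corresponds to the note on the Firewall Logs page that connection attempts to port 113 are blocked by default and can usually be ignored; the bad_tcp list names the flag combination that put a packet into BADTCP, which is the detail the log viewer itself does not show.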

Log Summary Page

In this section you get an overview of the logs of the selected day.

Figure 9.7. Displays log summaries

Note

The summaries will be generated daily during night hours. Therefore Endian Firewall must be up and running over night in order to have the summaries of each day.

Note


In version 2.1 there are four more types of summaries that are not shown on this screenshot to keep it at a reasonable size. They are:

Clamav
DHCP Server
Kernel
SSHD

Proxy Logs Page

This page lets you see the files that have been cached by the web proxy server of Endian Firewall. The web proxy is inactive after the first installation of EFW and may be activated (and deactivated) through a specific administration page (Proxy > HTTP > Log settings).

Note

Due to the large amount of information that has to be processed, the Web Proxy page can take an appreciable time to appear after its initial selection or an Update.

There are several controls on this page in addition to the controls described in the introduction section:

Source IP

This dropdown box allows you to selectively look at web proxy activity belonging to individual IP addresses on the local network, or the activity related to ALL machines that have used the proxy.

Ignore filter

This box lets you type in a regular expression to define which file types should be omitted from the web proxy logs. The default string hides image files (.gif, .jpeg and .png), stylesheet files (.css) and JavaScript files (.js).

Enable ignore filter

Tick this on to enable the Ignore filter: or tick it off to disable it.

Restore defaults

This button allows you to restore factory settings for the above controls and filters.

For this page, the information appearing in the Log: section of the window consists of:

The Time when the file was requested and cached.
The Source IP address of the local system requesting the file.
The Username, if applicable, of the authenticated user who retrieved the file. This shows a dash if users do not need to authenticate in order to access the cache.
The Website, or more precisely the URL, of each requested and cached file.

Note

The Website URL entries in these logs are also hyperlinks to the referenced web pages or files.

Firewall Logs Page

This page shows data packets that have been logged by the EFW firewall.

Note

Not all denied packets are hostile attempts by crackers to gain access to your machine. Blocked packets commonly occur for a number of harmless reasons and many can be safely ignored. Among these may be attempted connections to the "ident/auth" port (113), which are blocked by default in Endian Firewall.

The controls on this page are the basic elements that are described in detail in the introduction.

Figure 9.8. Displays firewall log

The Log: section of this page contains an entry for each packet dropped by the firewall. Each entry includes:

the time of the event
the firewall Chain which was responsible for the log entry
the interface (iface) through which the packet came in
the protocol (Proto) used for that packet
the source IP address
the source port (src port)
the MAC address of the sender

Note

This will be blank if the respective interface does not support MAC addresses, for example all types of PPP connections.

the destination IP address
the destination port (dst port) to which the client connected

You can obtain information about the listed IP addresses by clicking on an IP Address. Endian Firewall performs a DNS lookup and reports any available information about its registration, ownership and geographical position. By clicking on a port number you will get some information about the service which normally uses this port.

Intrusion Detection System Log Page

This page shows incidents detected by the EFW Intrusion Detection System (IDS). The IDS system is inactive by default after the installation of Endian Firewall and may be activated (and deactivated) through a specific administration page (Services > Intrusion Detection).

The controls on this page are the basic elements that are described in detail in the Introduction section. These Logs consist of a number of items for each detected incident:

The Date: and time of the incident.
Name: - a description of the incident.
Priority: (if available). This is the severity of the incident, graded as 1 ("bad"), 2 ("not too bad") and 3 ("possibly bad").
Type: - a general description of the incident (if available).
IP Info: - the IP identities (address and port) of the source and target involved in the incident. Each IP address is a hyperlink, which you can use to perform a DNS lookup for that IP address and to obtain any available information about its registration and ownership.
References: - hyperlinked URLs to any available source of information for this type of incident.
SID: - the Snort ID number (if available). "Snort" is the software module used by EFW to provide the IDS function, and the SID is the ID code used by Snort to identify a particular pattern of attack. This parameter is hyperlinked to the relevant entry in the Snort database of intrusion signatures.

Content Filter Logs Page

This page gives you the possibility to see which pages have been blocked by the HTTP content filter. The content filter is inactive by default after the installation of EFW, and may be activated (and deactivated) through a specific administration page (Proxy > HTTP -Proxy) and may be configured in the Proxy > HTTP > Content Filter section.

Note

Due to the large amount of information that has to be processed, the Content Filter page can take a considerable amount of time to load after its initial selection or an Update.

There are several controls on this page in addition to the common controls described at the beginning of this Section:

Source IP

This dropdown box allows you to selectively look at web proxy activity related to single IP addresses on the local network, or the activity related to ALL machines that have used the proxy.

Ignore filter

This box lets you type in a regular expression to define which file types should be omitted from these logs. The default string hides image files (.gif, .jpeg and .png), stylesheet files (.css) and JavaScript files (.js).

Enable ignore filter

Tick this on to enable the Ignore filter: or tick it off to disable it.

Restore defaults

This button allows you to restore the factory settings for this section.

For this page, the information appearing in the Log: section of the window consists of:

The Time the file was requested.
The Source IP address of the local system requesting the file.
The Website, or more precisely the URL, of each requested file.
The Status, which currently can only be DENIED, since requests to allowed pages are not logged here (before version 2.1 the word blocked was used instead of denied).

Note

The Website URL entries in these logs are also hyperlinks to the referenced web pages or files.

OpenVPN Logs Page

This page allows you to see the log file of the OpenVPN server and the OpenVPN clients.

For this page, the information appearing in the Log: section of the window consists of:

The Time the event happened.
The name of the Tunnel on which the event occurred. This field shows local if the line relates to the local OpenVPN server running on the Endian Firewall.

Example 9.1. Log line of the OpenVPN server

May 16 20:34:03 local TUN/TAP device tap1 opened

If it relates to an OpenVPN client running on the Endian Firewall, this field shows the name of the remote host it is connected to and the process ID of the local OpenVPN client in square brackets.

Example 9.2. Log line of an OpenVPN client

May 11 05:20:03 solaria.endian.it[3827] Initialization Sequence Completed

The data that openvpn wrote to the log.

This log is very useful for debugging OpenVPN connections that do not work as they are supposed to. Please take a look at the OpenVPN homepage for more specific information.
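As an added example (not code from Endian Firewall or OpenVPN), the parser below splits a line of this log into the three fields described above and tells server lines (Tunnel field local) from client lines (remote host plus process ID in square brackets). It uses the two log lines quoted on the page as input; the helper that lists which clients reached "Initialization Sequence Completed" is a small addition for checking at a glance which tunnels actually came up.

```python
import re

# Timestamp, the Tunnel field, then whatever openvpn wrote.
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<tunnel>\S+) (?P<data>.*)$"
)
# Client lines carry the remote host and the local process ID in brackets.
CLIENT_RE = re.compile(r"^(?P<host>[^\[\]]+)\[(?P<pid>\d+)\]$")

# The two log lines quoted on the page.
SAMPLE_LINES = [
    "May 16 20:34:03 local TUN/TAP device tap1 opened",
    "May 11 05:20:03 solaria.endian.it[3827] Initialization Sequence Completed",
]


def parse_openvpn_line(line):
    """Return a dict with time, kind ('server' or 'client'), host, pid and
    data, or None when the line does not have the Tunnel-field layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tunnel = m.group("tunnel")
    record = {"time": m.group("time"), "data": m.group("data")}
    if tunnel == "local":
        record.update(kind="server", host=None, pid=None)
    else:
        c = CLIENT_RE.match(tunnel)
        if not c:
            return None  # neither 'local' nor host[pid]: not a tunnel line
        record.update(kind="client", host=c.group("host"), pid=int(c.group("pid")))
    return record


def initialized_clients(lines):
    """Remote hosts whose client logged 'Initialization Sequence Completed',
    the message openvpn writes once the tunnel is fully up."""
    done = set()
    for line in lines:
        rec = parse_openvpn_line(line)
        if rec and rec["kind"] == "client" and rec["data"] == "Initialization Sequence Completed":
            done.add(rec["host"])
    return done


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_openvpn_line(line))
    print("clients up:", initialized_clients(SAMPLE_LINES))
```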

System Log Page

Figure 9.9. Display of system logs

This page allows you to view the system and other miscellaneous logs. (See the Introduction on how to use the common controls). There are eleven different categories, selected via the Section dropdown list:

Endian Firewall (default) - general EFW events like PPP profile saving and connection and disconnection of dialup modem links.

RED - traffic sent over the interface that is providing the PPP interface for EFW. This includes the data strings sent to, and received from modems and other network interfaces. This can be a very useful resource in troubleshooting "failure to connect" situations.

DNS - shows a log of activity for dnsmasq, the domain name service utility.

DHCP server - shows a log of activity for the DHCP Server function of Endian Firewall.

SSH - provides a record of users who have logged in to, and out of, the Endian Firewall over a network via the SSH interface.

NTP - shows a log of activity for the ntpd Server function.

Cron - provides a record of activity of the cron daemon.

Login/Logout - provides a record of users who have logged in to and out of the Endian Firewall. This includes both local log-ins and logins over a network via the SSH interface.

Kernel - is a record of kernel activity in the Endian Firewall.

Backup - whenever a backup is created (or attempted) it will be logged.

IPSec - is a record of every activity of the VPN software module used by Endian Firewall.

SMTP Log Page

This page shows the log files of the processes behind the SMTP proxy, including the postfix Mail Transfer Agent and the content filter amavis.

For this page, the information appearing in the Log: section of the window consists of:

The Time the event has happened. The data that the services write to the logfile.

Clamav Log Page

This page shows the log files of the antivirus daemon clamav and the virus signature updater freshclam.

Figure 9.10. Displays clamav log viewer

For this page, the information appearing in the Log: section of the window consists of:

The Time the event has happened. The data that the services write to the logfile.

Clamav itself normally does not have to log much, since the services that make use of clamav log to their own logfiles if they find a virus. This logfile is useful for seeing information about clamav signature updates.

As you can see below, the lines show when the update process started and what was done. On Endian Firewall, ClamAV automatically updates every full hour, so you will see these lines appear every hour. The last two lines show the currently installed signature base version and how many virus signatures it contains.

May 16 08:01:00 freshclam[27206]: Daemon started.
May 16 08:01:00 freshclam[27206]: ClamAV update process started at Tue May 16 08:01:00 2006
May 16 08:01:00 freshclam[27206]: main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
May 16 08:01:00 freshclam[27206]: daily.cvd is up to date (version: 1463, sigs: 4343, f-level: 8, builder: ccordes)

If new signatures are ready to install, they will be automatically downloaded and installed, and the ClamAV daemon will then automatically reload its signature database. You will find log lines like the ones below when this happens:

May 15 13:01:00 freshclam[12157]: Daemon started.
May 15 13:01:00 freshclam[12157]: ClamAV update process started at Tue May 15 13:01:00 2006
May 15 13:01:00 freshclam[12157]: main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
May 15 13:01:08 freshclam[12157]: daily.cvd updated (version: 1463, sigs: 4343, f-level: 8, builder: ccordes)
May 15 13:01:08 freshclam[12157]: Database updated (55549 signatures) from db.local.clamav.net (IP: 213.92.8.5)
May 15 13:01:08 clamd[27017]: SelfCheck: Database modification detected. Forcing reload.
May 15 13:01:08 clamd[27017]: Reading databases from /usr/share/clamav
May 15 13:01:08 freshclam[12157]: Clamd successfully notified about the update.
May 15 13:01:08 clamd[27017]: Database correctly reloaded (55549 viruses)

As the log lines show, after the download of the new signature file daily.cvd the update daemon freshclam notifies the antivirus daemon clamd about the modification, which immediately reloads all its virus signatures.

Note

Each line shows you process information after the timestamp. This is the name of the process and the Process ID in square brackets.
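The script below is an added example, not part of Endian Firewall or ClamAV, that reads this log with the timestamp / process name / process ID layout just described and extracts what an administrator wants to confirm after an update: the version and signature count of each .cvd file, how many signatures freshclam downloaded, and whether clamd logged a reload of the same number. The sample input is the update excerpt quoted above; the consistency check reports a problem when an update was downloaded but no matching reload by clamd appears, which would mean the daemon is still scanning with the old signature set.

```python
import re

# Sample built from the update log excerpt quoted on the page.
CLAMAV_UPDATE_LOG = """\
May 15 13:01:00 freshclam[12157]: Daemon started.
May 15 13:01:00 freshclam[12157]: ClamAV update process started at Tue May 15 13:01:00 2006
May 15 13:01:00 freshclam[12157]: main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
May 15 13:01:08 freshclam[12157]: daily.cvd updated (version: 1463, sigs: 4343, f-level: 8, builder: ccordes)
May 15 13:01:08 freshclam[12157]: Database updated (55549 signatures) from db.local.clamav.net (IP: 213.92.8.5)
May 15 13:01:08 clamd[27017]: SelfCheck: Database modification detected. Forcing reload.
May 15 13:01:08 clamd[27017]: Reading databases from /usr/share/clamav
May 15 13:01:08 freshclam[12157]: Clamd successfully notified about the update.
May 15 13:01:08 clamd[27017]: Database correctly reloaded (55549 viruses)
"""

# Timestamp, then process name and PID in square brackets, then the message.
LINE_RE = re.compile(
    r"^(?P<time>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CVD_RE = re.compile(
    r"^(?P<db>\S+\.cvd) (?P<what>is up to date|updated) \(version: (?P<ver>\d+), sigs: (?P<sigs>\d+)"
)
UPDATED_RE = re.compile(r"^Database updated \((?P<n>\d+) signatures\)")
RELOADED_RE = re.compile(r"^Database correctly reloaded \((?P<n>\d+) viruses\)")


def summarize_clamav_log(text):
    """Collect per-database versions and the downloaded/reloaded signature counts."""
    summary = {"databases": {}, "updated": False,
               "downloaded_signatures": None, "reloaded_signatures": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg = m.group("proc"), m.group("msg")
        if proc == "freshclam":
            c = CVD_RE.match(msg)
            if c:
                summary["databases"][c.group("db")] = (int(c.group("ver")), int(c.group("sigs")))
                if c.group("what") == "updated":
                    summary["updated"] = True
                continue
            u = UPDATED_RE.match(msg)
            if u:
                summary["downloaded_signatures"] = int(u.group("n"))
        elif proc == "clamd":
            r = RELOADED_RE.match(msg)
            if r:
                summary["reloaded_signatures"] = int(r.group("n"))
    return summary


def reload_consistent(summary):
    """True when no update happened, or when clamd reloaded exactly the
    signature count freshclam reported downloading."""
    if not summary["updated"]:
        return True
    return (summary["reloaded_signatures"] is not None
            and summary["reloaded_signatures"] == summary["downloaded_signatures"])


if __name__ == "__main__":
    s = summarize_clamav_log(CLAMAV_UPDATE_LOG)
    print(s)
    print("reload consistent:", reload_consistent(s))
```

Run hourly against the current log, this is a cheap way to alert when the scheduled update stops succeeding or when freshclam and clamd disagree about the signature set.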

SIProxy log page

This page shows the log files of the SIP proxy siproxd.

For this page, the information appearing in the Log: section of the window consists of:

The Time the event has happened. The data that the services write to the logfile.

Proxy Analysis Report

Figure 9.11. Proxy Analysis Report

This page shows the log files of the Squid Analysis Proxy Generator (SARG). You are presented with two options:

Enable

This turns SARG on if the checkbox is ticked on.

Respect your users privacy and anonymize their IP addresses

Tick this on if you want to hide your users' IP addresses.

Note

In some countries it may be illegal to show your users' IP addresses.

On this page you will not find the generic navigation items, as these special logs are shown in a completely new page. By clicking on the Daily/Weekly/Monthly Report links a new page with the respective analysis will pop up.

This page was last modified on: $Date: 2006-11-16 05:15:57 +0100 (Thu, 16 Nov 2006) $.

Chapter 10. Hotspot

Table of Contents

Introduction

Hotspot

Accounts

How to add a new account or edit an existing one

User balance

User connections

Ticket Rates

Add or edit a ticket rate

Statistics

Active Connections

Connection Log

Settings

Dialin

Password

Template Editor

Printout Template

Allowed sites

Client connecting to Endian Hotspot

Login

House guests login

Successful login

Introduction

Figure 10.1. The Endian Hotspot

The Endian Hotspot is a powerful hotspot. It can be used for wireless connections as well as for normal LAN connections. This means you can easily connect a wireless access point to the BLUE interface or just a normal switch. With Endian Hotspot you can manage users and their allowed access-time based on pre-paid or post-paid tickets. It is also possible to specify websites that are available without having to log in.

Note

In order to be able to run the Endian Hotspot you will have to have the BLUE zone enabled. The IP of the BLUE interface must belong to a class C network and it must end with a trailing .1, e.g. 192.168.20.1/24. The bridge for the BLUE zone does not support more than one port.

Note

Usually the hotspot is intended for use with wireless networks; however, this is not mandatory. It is also possible to connect a normal switch to the BLUE LAN port. Please note also that there is no wireless access point supplied with Endian Firewall.

Tip

If you are running a Community version of Endian Firewall and are wondering where your Endian Hotspot may be just upgrade to Endian Firewall Enterprise Edition.

Hotspot

This is the main menu of the Endian Hotspot. Almost all settings are configured in this menu. You have to use this menu if you want to manage accounts, specify ticket rates, modify your settings or have a look at the log files or at the statistics.

Accounts

Figure 10.2. Account management

By clicking on the Accounts link in the submenu of this page you will be presented with a list of all enabled accounts for this hotspot. If you want to show the disabled accounts too, you will have to tick the Show disabled users checkbox, which reloads the page and shows both enabled and disabled users. If you want to display only users that match certain search criteria, enter your filter in the appropriate text field and then hit Enter.

The list itself consists of five columns:

Username

This column displays the username of the user.

Name

This column shows you the real name of the user.

Active

Shows if the user is still active or not - if you did not choose to show disabled users you will see Yes here for every user.

Valid until

Displays the date until which the current user is valid.

Actions

In this menu you can find three links for every user. If you want to edit the current user you have to click on the Edit link. By clicking on the Balance link you will be presented with a page of the user's credit balance while by clicking on the Connections link you will see a list of all connections of the current user.

If you want to add a new user you can do this by clicking on the Add new account link on top of the list.

Note

It is not possible to delete users. Disable them instead.

How to add a new account or edit an existing one

Figure 10.3. Add a new account

This is the User Information dialog which is shown if you want to add a new account or edit an existing one (then of course with all the known values already filled in). Most of the fields should be self-explanatory but we will describe them anyway.

Username

In this field you have to enter the username. This is the only mandatory field.

Password

In this field you can enter the password for the new account. This is shown in plain text. If you do not have the time to think of an adequate password just leave this field empty and the password will be autogenerated.

Valid until

The date until the account will be valid. If you want to change it you can either enter the new date manually or click on the ... button and select the new date from the calendar popup.

Enabled

This checkbox specifies if the account is enabled or not. If this is ticked on the account is active. If you want to disable a user tick this checkbox off.

Title

The user's title. A good example would be Dr.

Firstname

The user's first name.

Lastname

The user's last name.

Language

Here you can select the user's native language if available. Otherwise English should be a good choice.

City of Birth

The user's city of birth.

Birthdate

Here you can enter the user's birth date.

Document type

This lets you specify the document type you used to identify the user.

Document issued by

Here you can specify the issuer of the document that was used to identify the user.

Document ID

This field lets you specify the document's identification number.

Save

By hitting this button you will save the entered information.

Print

This option is only available when editing an already existing account. By hitting this button a dialog will be opened to print the user information.

On the right side of the screen you will notice the Tickets section. If you want to add a new ticket to the user just select the appropriate ticket-type and hit the Add button. Below you will notice a list of all tickets for this user with the following information:

Ticket type

The type of ticket.

Creation date

The date on which this ticket has been created.

Action

If the ticket has not been used yet you will be able to Delete it here by clicking on the appropriate link.

Note

If the ticket has already been used no Delete link will be available.

Note

If a user has both pre-paid and post-paid tickets, on login the pre-paid ticket(s) will automatically be used first, and only when they expire will the post-paid ticket be charged. If, however, the user does not have a post-paid ticket and the pre-paid ticket runs out of money, the connection will be stopped.

User balance

Figure 10.4. User balance

The user balance window is split horizontally into two main sections. The bottom section shows a list of all tickets for the current user containing the following:

Ticket name

This is the name of the ticket-type.

Amount

The amount of money that has been used or paid.

Note

If the amount is positive this will represent a payment.

Date / Time

The date and time when the ticket has been issued.

Duration

The duration of the session.

Note

Payments do not have a duration.

Traffic

The traffic that has been used during this session.

Note

Payments do not use any traffic.

Processed

Here you can see if this ticket has been processed by ASA.

Note

This feature is only available if ASA is enabled. ASA is a hotel management software written especially for South Tyrolean hotels. We will not go into details of ASA here.

Retries

This field will show the number of retries when connecting to ASA.

Note

This feature is only available if ASA is enabled. ASA is a hotel management software written especially for South Tyrolean hotels. We will not go into details of ASA here.

Message

Here you will find the ASA return message if any.

Note

This feature is only available if ASA is enabled. ASA is a hotel management software written especially for South Tyrolean hotels. We will not go into details of ASA here.

On the top section of the window you can find some more information split up into 3 parts. In the left part you will find some information about the user, containing the name as well as the username, the city of birth, the birthdate, the document identification number and the issuing party of the document.

The central part contains information about the Account balance. The available surf time is first, followed by the used surf time. In the third line you can see the amount of money that this user has already paid - this will be displayed in the currency you set in the settings page. The fourth line shows how much of this money has been spent so far. Finally the last line shows the amount of money that is still due to pay. This bigger box will be displayed in green if everything has already been paid.

In the Payment column on the right you can either see a message that everything has already been paid or you can choose the amount of money the user wants to pay and bill that amount by clicking on the Bill button.

User connections

Figure 10.5. User connections

In this window you can see all the connections of the user you specified. The window is split into two parts - at the top you can see the user information, while the bottom part shows all the data regarding the connections. The list with all the connections has six columns:

Username

The username of this user.

IP address

The IP address the user had during the respective connection.

MAC address

The MAC address from which the user was connecting.

Connection start

The start time and date of the connection.

Connection stop

The time and date when the connection was stopped.

Duration

How long this connection lasted.

Ticket Rates

Endian Firewall gives you the possibility to specify more than one ticket rate. You can even specify whether a rate is post-paid or pre-paid, and create different rates for both types. This is mostly useful if you want to sell different pre-paid types, e.g. 4 pre-paid 15 minute tickets should be more expensive than 1 pre-paid 1 hour ticket.

Figure 10.6. Ticket Rates

In this list you can see the different ticket rates, the following are the columns:

Name

The name you gave to the ticket rate.

Code

This is the ASA code for your ticket rate. Although this can be used only for the ASA hotel management system the field is mandatory.

Hourly price

This is the hourly price you specify.

Actions

Here you can choose to Edit or Delete a ticket rate by clicking on the respective link.

Add or edit a ticket rate

Figure 10.7. Add or edit a ticket rate

There are four configuration options for every ticket rate:

Name

The name you want for this ticket rate.

Code

This is useful just for the ASA hotel management.

Note

This field is mandatory nevertheless.

Unit Length

This option lets you specify how long one unit of this ticket rate will last. The available options are:

15 minutes

30 minutes

45 minutes

1 hour

2 hours

3 hours

postpaid

While the first 6 entries show the amount of time that has to be paid in advance (pre-paid), the postpaid length is paid after the user has used the hotspot and therefore does not limit the user a priori.

Hourly Price

Here you can specify the hourly price for the ticket rate being edited. This is useful if, e.g., you want the hourly price for 3 hours to be cheaper than the hourly price for 15 minutes. The example below shows how to set hourly prices: the amount after the unit length is the money you receive when selling a ticket of this rate.

Example 10.1. Specifying hourly prices

15 minutes: 3 Euro => hourly price has to be set to 12 Euro.

3 hours: 21 Euro => hourly price has to be set to 7 Euro.
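As an added example (not code from Endian Firewall), the model below carries Example 10.1 through in both directions and also implements the charging rule stated in the Accounts section: pre-paid tickets are used up first, a post-paid ticket is then charged by the hour, and without a post-paid ticket the connection stops when the pre-paid time is gone. Prices use exact fractions to avoid rounding surprises; the assumption that pre-paid tickets are consumed in the order they were issued is this example's, since the page does not say.

```python
from dataclasses import dataclass
from fractions import Fraction

POSTPAID = "postpaid"
# The pre-paid unit lengths offered in the Unit Length dropdown, in minutes.
UNIT_MINUTES = {
    "15 minutes": 15, "30 minutes": 30, "45 minutes": 45,
    "1 hour": 60, "2 hours": 120, "3 hours": 180,
}


@dataclass
class TicketRate:
    name: str
    unit_length: str        # a key of UNIT_MINUTES, or POSTPAID
    hourly_price: Fraction  # what the Hourly Price field holds

    def ticket_price(self):
        """Money received for one ticket of this rate (None for post-paid)."""
        if self.unit_length == POSTPAID:
            return None
        return self.hourly_price * Fraction(UNIT_MINUTES[self.unit_length], 60)


def hourly_price_for(unit_length, ticket_price):
    """Invert Example 10.1: the hourly price to enter so that one ticket
    of the given length sells for ticket_price."""
    return Fraction(ticket_price) * 60 / UNIT_MINUTES[unit_length]


def charge_session(tickets, requested_minutes):
    """Model of the charging rule: pre-paid tickets are used up first (here in
    the order they were issued, an assumption), then a post-paid ticket is
    charged by the hour; without one the connection is stopped when the
    pre-paid time is gone. Returns (minutes granted, post-paid charge, stopped)."""
    remaining = requested_minutes
    granted = 0
    for ticket in tickets:
        if ticket.unit_length == POSTPAID or remaining == 0:
            continue
        use = min(remaining, UNIT_MINUTES[ticket.unit_length])
        granted += use
        remaining -= use
    postpaid = next((t for t in tickets if t.unit_length == POSTPAID), None)
    charge = Fraction(0)
    stopped = False
    if remaining > 0:
        if postpaid is None:
            stopped = True
        else:
            charge = postpaid.hourly_price * Fraction(remaining, 60)
            granted += remaining
    return granted, charge, stopped


if __name__ == "__main__":
    print("15 minutes for 3 Euro -> hourly", hourly_price_for("15 minutes", 3))
    print("3 hours for 21 Euro  -> hourly", hourly_price_for("3 hours", 21))
    quarter = TicketRate("quarter hour", "15 minutes", Fraction(12))
    post = TicketRate("post-paid", POSTPAID, Fraction(7))
    print(charge_session([quarter, post], 45))
    print(charge_session([quarter], 45))
```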

Save

By hitting this button you will save the ticket rate.

Statistics

Figure 10.8. Statistics

On this page you can see an overview of the connections grouped by user as well as a summary at the bottom of the table. The following columns will be displayed:

Username

The name of the user.

Note

The username is linked. By clicking on this link you will be redirected to the balance page for that user.

Amount used

Here you can see how much money each user spent while using the hotspot.

Paid

This shows how much has been paid by the user.

Duration

In this column you can see how long the user was connected.

Traffic

This column shows the traffic the user made during his connection time.

You can choose two different viewing types: Filter Period and Open Accounting Items.

When using Filter Period you can set a start and an end date respectively in the From and Until textfields. Alternatively you can use the ... buttons to use the calendar-popup to enter the dates. When using Open Accounting items all still open payments will be displayed.

Active Connections

Figure 10.9. Active Connections

On this page you can see all currently active connections on the hotspot. The list contains the following columns:

Username

The username of the user that is connected.

Connection Start

The start date and time of the connection.

Duration

How long the user has been connected so far.

IP Address

The IP address that was assigned to the interface which is connected to the hotspot.

MAC Address

The MAC address of the interface that was used to connect to the hotspot.

Action

For every active connection you will see a Close connection link. By clicking on this link you can kill the respective connection.

Connection Log

Figure 10.10. Connection Log

On this page you can see the connection log. The log is displayed in a table with six columns:

Username

The username of the user.

IP Address

The IP address that was used for the connection.

MAC Address

The MAC address that was used to connect to the Hotspot.

Connection Start

The start date and time of the connection.

Connection Stop

The end date and time of the connection.

Duration

The duration of the connection.

At the top of the page there is an Export as CSV link. Clicking on it downloads a text file containing the log entries in CSV (comma separated values) format.
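One reason to export this log is to review it offline. The script below is an added example, not part of Endian Firewall, that loads an export with the six columns listed above and flags a username whose sessions overlap in time from two different MAC addresses, the usual sign of a shared or stolen hotspot account. The header names, the timestamp format and the rows are constructed for this example; the real export's layout may differ, so adjust the column names when using it on your own file.

```python
import csv
import io
from datetime import datetime

# Constructed export with the six columns the page lists; the header names
# and timestamp format are assumptions, not the firewall's actual CSV layout.
SAMPLE_CSV = """\
Username,IP Address,MAC Address,Connection Start,Connection Stop,Duration
jdoe,192.168.20.10,00:11:22:33:44:55,2006-05-16 20:00:00,2006-05-16 21:00:00,01:00:00
jdoe,192.168.20.11,66:77:88:99:aa:bb,2006-05-16 20:30:00,2006-05-16 20:45:00,00:15:00
asmith,192.168.20.12,cc:dd:ee:ff:00:11,2006-05-16 19:00:00,2006-05-16 19:30:00,00:30:00
asmith,192.168.20.12,cc:dd:ee:ff:00:11,2006-05-16 19:30:00,2006-05-16 19:45:00,00:15:00
"""

TS = "%Y-%m-%d %H:%M:%S"


def load_connection_log(text):
    """Parse the CSV export into dicts with datetime start/stop values."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": r["Username"],
            "ip": r["IP Address"],
            "mac": r["MAC Address"].lower(),
            "start": datetime.strptime(r["Connection Start"], TS),
            "stop": datetime.strptime(r["Connection Stop"], TS),
        })
    return rows


def overlapping_sessions(rows):
    """Pairs of sessions for the same username that overlap in time and come
    from different MAC addresses; returns (username, mac_a, mac_b) tuples."""
    by_user = {}
    for r in rows:
        by_user.setdefault(r["username"], []).append(r)
    hits = []
    for user, sessions in by_user.items():
        sessions.sort(key=lambda s: s["start"])
        for i, a in enumerate(sessions):
            for b in sessions[i + 1:]:
                if b["start"] >= a["stop"]:
                    break  # later sessions start even later: no overlap with a
                if a["mac"] != b["mac"]:
                    hits.append((user, a["mac"], b["mac"]))
    return hits


if __name__ == "__main__":
    for hit in overlapping_sessions(load_connection_log(SAMPLE_CSV)):
        print("overlapping sessions from different devices:", hit)
```

Back-to-back sessions from the same device, like the two asmith rows, are not reported; only true overlap across devices is, which keeps the check quiet for users who simply reconnect.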

Settings

Figure 10.11. Settings

This page consists of two main sections, the Global settings and the ASA jHotel settings. ASA jHotel is a South Tyrolean hotel management platform and will not be described here.

The Global settings contain three configuration variables:

Homepage after successful login

This homepage will be displayed after a successful user login.

Currency

Here you can specify your local currency symbol.

Logout user on Idle-Timeout

After how much idle time a user should be logged out when doing nothing.

Save

Click this button to save your settings.

Dialin

Figure 10.12. Dialin

This page shows the connection status of the Endian Firewall. A description of this status window can be seen here.

Password

Figure 10.13. Password

On this page you can set the password for the hotspot user. To do this you have to enter the new password twice in the Password and Again fields and then hit the Save button.

Template Editor

Figure 10.14. Template Editor

On this page you can modify the message that will be shown to your clients before logging in. Endian Hotspot provides a fully featured graphical user interface to edit this message. To save this message you just have to hit the disc icon in the top-left corner of the editor window.

If you want to edit another language just click on the appropriate flag symbol on the left side of your screen. The page will be reloaded with the new language settings - again hit the disc icon to save the text.

Note

You do not necessarily have to enter just plain text. You can format this page however you like, as long as the information you supply conforms to the laws of your country.

Printout Template

Figure 10.15. Printout template

On this page it is possible to edit the information sheet that will be printed and handed out to a user after he has been registered for the Endian Hotspot. Please note that you will have to use placeholders for the information to be complete. Valid placeholders are:

$title - this will be replaced by the user's title.

$firstname - this will be replaced by the user's first name.

$lastname - this will be replaced by the user's last name.

$username - this will be replaced by the user's new username.

$password - this will be replaced by the user's password.

To save your printout sheet click on the disk icon in the top-left corner of the editor window. You can change this text for all available languages by clicking on the appropriate flag symbol.

Allowed sites

Figure 10.16. Allowed sites

This is the page where you can specify websites, IP addresses and subnets that are accessible without authentication. Add one entry per line. Access will be allowed to every page and subnet specified here once you have saved the list by clicking the Save button.
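The following is an added example, not the hotspot's own code, of how such a one-entry-per-line list can be validated and checked against a destination: IP addresses and CIDR subnets are matched numerically, hostnames by name, and lines that are neither are reported instead of silently ignored. The sample list is constructed; stripping an optional scheme and path from a website entry is a normalisation this example assumes, since the page only says to write one entry per line.

```python
import ipaddress
import re

# Lenient hostname check: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

# Constructed sample of what an administrator might type, one entry per line.
SAMPLE_ALLOWED_SITES = """\
www.example.org
10.0.0.0/8
203.0.113.7
http://login.example.net/welcome
not a valid entry
"""


def normalize_site(line):
    """Strip an optional scheme and path so 'http://host/path' becomes 'host'
    (an assumption of this example; the page only says one entry per line)."""
    line = line.strip().lower()
    line = re.sub(r"^[a-z]+://", "", line)
    return line.split("/", 1)[0]


def parse_allowed_sites(text):
    """Return (hostnames, ip networks, rejected raw lines)."""
    hosts, networks, rejected = set(), [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            # A bare address becomes a /32 (or /128) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        host = normalize_site(entry)
        if HOSTNAME_RE.match(host):
            hosts.add(host)
        else:
            rejected.append(raw)
    return hosts, networks, rejected


def is_allowed(destination, hosts, networks):
    """True if the destination (hostname or IP) may be reached before login."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        return destination.lower() in hosts
    return any(addr in net for net in networks)


if __name__ == "__main__":
    hosts, nets, bad = parse_allowed_sites(SAMPLE_ALLOWED_SITES)
    print("hosts:", sorted(hosts))
    print("networks:", [str(n) for n in nets])
    print("rejected:", bad)
    for dest in ("www.example.org", "10.1.2.3", "203.0.113.8"):
        print(dest, "->", is_allowed(dest, hosts, nets))
```

Keep in mind that a hostname entry opens access to whatever that name resolves to at the time, and a wide subnet such as 10.0.0.0/8 opens far more than a single site; review this list with the same care as a firewall rule, because everything on it is reachable by clients that have not identified themselves.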

Client connecting to Endian Hotspot

Now that we have talked about the server side of Endian Hotspot, let's speak about the connection on the client side. What exactly does a user have to do to be able to use Endian Hotspot? Actually, it couldn't be any easier...

Figure 10.17. Endian Hotspot Client start page

First of all the client has to go to a terminal that is connected to Endian Hotspot. He will be presented with a welcome screen that shows the content of the page specified in the Template Editor section. By clicking on the appropriate flag symbol the user can choose the language he wants. If ASA is activated, every house guest can log in using the Login for house guests link, which can be found in the menu on the left just above the normal Login link; the normal Login link is the way to go if either ASA is disabled or the user is not a house guest.

Login

Figure 10.18. Normal login

Every normal user can connect to Endian Hotspot by supplying his username and password in this form and then hitting the Login button. After entering a valid username and password a popup will show up.

House guests login

Figure 10.19. Login for house guests

If ASA is enabled every house guest can login by clicking on login for house guests here and then providing his last name and first name as well as his birthdate and finally hitting the Send button. Hit Close if you want to close the window. After successful login another popup will show up.

Note

Please note that the last name has to be entered in the first text field.

Successful login

Figure 10.20. Successful login

If you see this popup you are successfully logged in. Provided that you are using a pre-paid ticket, the displayed timer will be a countdown. If you are using post-paid payment, the timer will start at 00:00:00 and count upwards.

If you wish to logout you can do this by simply clicking on the Logoff link.

This page was last modified on: $Date: 2006-11-21 09:19:11 +0100 (Tue, 21 Nov 2006) $.

Appendix A. GNU Free Documentation License

Version 1.2, November 2002

Copyright © 2000,2001,2002 Free Software Foundation, Inc.

Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Table of Contents

PREAMBLE

APPLICABILITY AND DEFINITIONS

VERBATIM COPYING

COPYING IN QUANTITY

MODIFICATIONS

COMBINING DOCUMENTS

COLLECTIONS OF DOCUMENTS

AGGREGATION WITH INDEPENDENT WORKS

TRANSLATION

TERMINATION

FUTURE REVISIONS OF THIS LICENSE

ADDENDUM: How to use this License for your documents

PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

GNU FDL Modification Conditions

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

C. State on the Title page the name of the publisher of the Modified Version, as the publisher.

D. Preserve all the copyright notices of the Document.

E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

H. Include an unaltered copy of this License.

I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

ADDENDUM: How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Sample Invariant Sections list

Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the "with...Texts." line with this:

Sample Invariant Sections list

with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

http://docs.endian.com/archive/2.1/gfdl-addendum.html