
Administrative Guide

Diego Gagliardo, Raphael Lechner, Marco Sondermann, Raphael Vallazza, Peter Warasin, Christian Graffer

Copyright 2002, 2003, 2004, 2005, 2006 Chris Clancey, Harry Goldschmitt, John Kastner, Eric Oberlander, Peter Walker, Marco Sondermann, Endian srl

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled Appendix A, GNU Free Documentation License.

2006-05-24

Revision History
  Revision 2.1 (DocBook Edition), 2006-11-17
  Revision 2.0 (DocBook Edition), 2006-05-24
  Revision 1.1rc7 (DocBook Edition), 2005-10-09

Abstract

A comprehensive documentation for the Administrator of an Endian Firewall.

Table of Contents

Preface
  Rights and Disclaimers
  Conventions used in this book
    Typographic Conventions
    Icons
  Organization of this book
  This Book is Free
  Acknowledgments
1. Introduction
  What Is Endian Firewall?
  Features
2. System Web pages
  Introduction
  Home Administrative Window
  Network Configuration
    Choose type of RED interface
    Choose network zones
    Network preferences
    Internet Access preferences
      RED type: NONE
      RED type: ADSL
      RED type: ISDN
      RED type: ETHERNET STATIC
      RED type: ETHERNET DHCP
      RED type: PPPoE
    Configure DNS resolver
    Apply configuration
  EN registration
  Passwords
  SSH Access
    SSH Options
    SSH Host Keys
  GUI Settings
  Backup Web Page
    Your Backup list
    Create a new Backup file
    Encrypt Backup files
    Export Backup files
    Import Backup files
    Restore a Backup
    Schedule Backups
    Reset configuration to factory defaults
  Shutdown or Restart Endian Firewall
3. Status Menu
  Introduction
  System Status
    Services
    Memory
    Disk Usage
    Uptime and Users
    Loaded Modules
    Kernel Version
  Network Status
    Interfaces
    RED DHCP configuration
    Current Dynamic Leases
    Routing Table Entries
    ARP Table Entries
  System Graphs
  Traffic Graphs
  Proxy Graphs
  Connections
  SMTP Mail Statistics
  Mail Queue
  IPTables Rules
4. Network Menu
  Introduction
  Host configuration (Edit Hosts)
  Aliases
5. Services Menu
  Introduction
  DHCP Administrative Web Page
    DHCP Server Parameters
    Add a new fixed lease
    Current fixed leases
    Current dynamic leases
    Error messages
  Dynamic DNS Administrative Web Page
    Add a host
    Current hosts
    Forcing a Manual Update
  ClamAV Antivirus
  Time Server Administrative Web Page
  Traffic Shaping Administrative Web Page
  Intrusion Detection System Administrative Web Page
  Linesrv (removed in version 2.1)
    Server
    Clients
    XLC
    WLC2
  Hotspot
6. Firewall Menu
  Introduction
  Firewall
  Port Forwarding Administrative Web Page
    Port Forwarding Overview
    Port Forwarding and External Access
  External Access Administrative Web Page
  Zone Pinholes Administrative Web Page
  Outgoing Firewall Administrative Web Page
    Globally DENY outgoing traffic to RED and explicitly configure outgoing rules
    Globally ALLOW outgoing traffic to RED
7. Proxy
  Introduction
  HTTP Proxy
    Feature List
    Web proxy configuration
      Common settings
      Upstream proxy
      Log settings
      Cache management
      Network based access control
      Time restrictions
      Transfer limits
      MIME type filter
      Web browser
      Authentication configuration
    Content filter
      Content filter (Dansguardian)
      Block pages which contain unallowed phrases
      Block pages known to have content of the following categories
      Custom black- and whitelists
    HTTP Antivirus
      Max. content scan size
      Last Update
      Do not scan the following URLs
    Enforcing proxy usage
      Web Proxy standard operation modes
      Client side Web Proxy configuration
      Requirements for mandatory proxy usage
  POP3
    Global settings
    Spamfilter configuration
  SIP
  FTP
  SMTP
    General Settings
    Antivirus
    AntiSpam
      General Settings
      Greylisting
      Banned File Extension
      Blacklists/Whitelists
      Real-time Spam Black Lists (RBL)
      Custom black/whitelists
    Domains
    BCC
    Advanced settings
      Smarthost
      IMAP Server for SMTP Authentication
      Advanced settings
8. VPN Menu
  Introduction
  Virtual Private Networks (VPNs)
    Net-to-Net (Gateway-to-Gateway)
    Host-to-Net (Roadwarrior)
  OpenVPN
    OpenVPN Web Interface
    OpenVPN Server
    Openvpn Net2Net client
    Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)
    Configuration of an OpenVPN client on the roadwarrior side
  IPSec
    Methods of Authentication
      Pre-shared Key
      X.509 Certificates
    Global Settings
    Connection Status and Control
    Certificate Authorities
      Generate Root/Host Certificates
      Upload a CA certificate
      Reset configuration
    Add a new connection
      Connection Type
      Authentication
9. Logs
  Introduction
  Log Settings Administrative Web Page
  Log Summary Page
  Proxy Logs Page
  Firewall Logs Page
  Intrusion Detection System Log Page
  Content Filter Logs Page
  OpenVPN Logs Page
  System Log Page
  SMTP Log Page
  Clamav Log Page
  SIProxy log page
  Proxy Analysis Report
10. Hotspot
  Introduction
  Hotspot Accounts
    How to add a new account or edit an existing one
    User balance
    User connections
  Ticket Rates
    Add or edit a ticket rate
  Statistics
    Active Connections
    Connection Log
  Settings
    Dialin
    Password
    Template Editor
    Printout Template
    Allowed sites
  Client connecting to Endian Hotspot
    Login
    House guests login
    Successful login
A. GNU Free Documentation License
  PREAMBLE
  APPLICABILITY AND DEFINITIONS
  VERBATIM COPYING
  COPYING IN QUANTITY
  MODIFICATIONS
  COMBINING DOCUMENTS
  COLLECTIONS OF DOCUMENTS
  AGGREGATION WITH INDEPENDENT WORKS
  TRANSLATION
  TERMINATION
  FUTURE REVISIONS OF THIS LICENSE
  ADDENDUM: How to use this License for your documents

List of Figures
  2.1. System menu selected
  2.2. Home
  2.3. Displays the Endian Network Support status
  2.4. Online status
  2.5. Network wizard step 1: Choose type of RED interface
  2.6. Network wizard showing Step 2: Choose network zones
  2.7. Network wizard showing Step 3: Network preferences
  2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE
  2.9. Network wizard showing Step 4 with RED type ADSL, Substep 1: Selection of the modem
  2.10. Network wizard showing Step 4 with RED type ADSL, Substep 2: Choose ADSL connection type
  2.11. Network wizard showing Step 4 with RED type ADSL, Substep 3: Supply connection information (PPPoE)
  2.12. Network wizard showing Step 4 with RED type ADSL, Substep 3: Supply connection information (RFC1483 static IP)
  2.13. Network wizard showing Step 4 with RED type ADSL, Substep 3: Supply connection information (RFC1483 DHCP)
  2.14. Network wizard showing Step 4 with RED type ISDN: Internet Access Preferences
  2.15. Network wizard showing Step 4 with RED type ETHERNET STATIC: Internet Access Preferences
  2.16. Network wizard showing Step 4 with RED type ETHERNET DHCP: Internet Access Preferences
  2.17. Network wizard showing Step 4 with RED type PPPoE: Internet Access Preferences
  2.18. Network wizard showing Step 5: Configure DNS resolver
  2.19. Network wizard showing Step 6: Apply configuration
  2.20. Unregistered Endian Firewall
  2.21. Registered Endian Firewall
  2.22. Password changing dialogue
  2.23. SSH access page
  2.24. GUI settings
  2.25. Backup to files
  2.26. Create new backup
  2.27. Encrypt Backups

  2.28. Import Backup
  2.29. Restore Backup
  2.30. Schedule backups
  2.31. Reset to factory defaults
  2.32. Shutdown / Reboot page
  3.1. Status menu selected
  3.2. Page which displays the currently running services
  3.3. Page which displays the current memory usage
  3.4. Page which displays the current disk usage
  3.5. Page which displays uptime and currently logged in users
  3.6. Page which displays the currently loaded kernel modules
  3.7. Page which displays the kernel version
  3.8. Displays interfaces
  3.9. Displays current RED DHCP configuration
  3.10. Displays current dynamic leases
  3.11. Displays current routing table
  3.12. Displays ARP table
  3.13. Display of CPU graph
  3.14. Display disk usage graph
  3.15. Display memory usage graph
  3.16. Display current swap usage
  3.17. Displays traffic graph of the GREEN interface
  3.18. Displays traffic graph of the RED interface
  3.19. Displays current connections
  3.20. Mail Queue
  3.21. Displays iptables rules
  4.1. Network menu selected
  4.2. Current hosts
  4.3. Add a new alias
  5.1. Services menu selected
  5.2. Shows DHCP administration page
  5.3. Add a fixed lease
  5.4. Shows the current fixed leases
  5.5. Shows the current dynamic leases
  5.6. Shows the dialogue which allows you to create a new DynDNS configuration
  5.7. Shows the currently configured DynDNS configuration
  5.8. ClamAV Antivirus
  5.9. Shows the Time server administrative web page
  5.10. Shows traffic shaping settings
  5.11. Shows Type of Service configuration
  5.12. Intrusion Detection System administrative web page
  5.13. Linesrv
  5.14. XLC Line down
  5.15. XLC initiate a Connection
  5.16. XLC main connection initiated
  5.17. XLC up manually
  5.18. WLC disconnected
  5.19. WLC line is up
  5.20. WLC connection established
  5.21. WLC up manually
  5.22. Hotspot Activation
  6.1. Firewall menu selected
  6.2. Diagram of flow control and its configuration possibilities
  6.3. Adding a new port forwarding configuration
  6.4. Adds an ACL to a port forwarding rule
  6.5. Currently configured port forwarding rules
  6.6. Add a new external access rule
  6.7. Displays currently configured rules
  6.8. Adds a new pinhole rule
  6.9. Lists all configured pinhole rules

  6.10. Adds a new outgoing rule
  6.11. Lists all current outgoing rules
  6.12. Globally allow outgoing traffic
  6.13. Globally deny outgoing traffic
  7.1. Proxy menu selected
  7.2. Displays HTTP advanced proxy settings
  7.3. Displays HTTP advanced proxy upstream proxy configuration
  7.4. Displays HTTP advanced proxy log settings
  7.5. Displays HTTP advanced proxy cache management configuration
  7.6. Displays HTTP advanced proxy network based access control
  7.7. Displays HTTP advanced proxy time restrictions configuration
  7.8. Displays HTTP advanced proxy transfer limit configuration
  7.9. Displays HTTP advanced proxy MIME type filter
  7.10. Displays HTTP advanced proxy user agent filter
  7.11. Displays HTTP advanced proxy authentication methods
  7.12. Displays HTTP advanced proxy global authentication settings
  7.13. Displays HTTP advanced proxy local user authentication
  7.14. Displays HTTP advanced proxy local user authentication
  7.15. Displays local user manager for the HTTP advanced proxy
  7.16. Displays editing a user with the local user manager of the HTTP advanced proxy
  7.17. Change it yourself page, allowing users to change their local HTTP proxy password
  7.18. Displays LDAP authentication page of HTTP advanced proxy
  7.19. Common LDAP settings of HTTP advanced proxy
  7.20. Bind DN settings of LDAP authentication within HTTP advanced proxy
  7.21. Group-based access control of LDAP authentication within HTTP advanced proxy
  7.22. HTTP advanced proxy authentication against Windows
  7.23. Common domain settings of Windows authentication on HTTP advanced proxy
  7.24. Authentication mode of Windows authentication on HTTP advanced proxy
  7.25. User-based access restrictions on Windows authentication of HTTP advanced proxy
  7.26. Integrated Windows authentication with HTTP advanced proxy
  7.27. Explicit authentication with HTTP advanced proxy
  7.28. Displays RADIUS authentication configuration of HTTP advanced proxy
  7.29. Displays common RADIUS settings of HTTP advanced proxy authentication
  7.30. Displays user-based access restrictions of HTTP advanced proxy
  7.31. General content filter configuration
  7.32. Selection of disallowed phrases which pages may contain
  7.33. Selection of categories of URL lists which should be blocked by the HTTP content filter
  7.34. Custom black- and whitelists for the HTTP content filter
  7.35. HTTP Antivirus configuration page
  7.36. HTTP proxy disabled
  7.37. Figure which displays traffic which will not be directed through the HTTP proxy
  7.38. HTTP proxy enabled
  7.39. Figure which displays traffic which will not be directed through the HTTP proxy
  7.40. Figure which displays traffic which will be redirected through the HTTP proxy
  7.41. HTTP proxy enabled as transparent proxy
  7.42. Figure that displays traffic which will be transparently redirected through the HTTP proxy
  7.43. Shows POP3 proxy global settings
  7.44. Spamfilter configuration of POP3 proxy
  7.45. SIP Proxy Settings
  7.46. FTP proxy administration page
  7.47. General Settings
  7.48. SMTP Antivirus
  7.49. SMTP Antispam
  7.50. Greylisting
  7.51. Banned files
  7.52. Real-time Black Lists
  7.53. Black/whitelists
  7.54. Domains
  7.55. BCC
  7.56. Smarthost

  7.57. IMAP Server for SMTP Authentication
  7.58. Advanced Settings
  8.1. VPN menu selected
  8.2. Figure of a Net-to-Net VPN
  8.3. Figure of a Host-to-Net VPN
  8.4. Figure of a VPN using OpenVPN as mixed VPN combining a Host-to-Net VPN (the Roadwarrior) and Net-to-Net VPNs in a hub-and-spoke topology
  8.5. Global Settings
  8.6. Users which are allowed to connect to OpenVPN
  8.7. Add Account
  8.8. Connection status and control
  8.9. VPN tunnel and control
  8.10. Add a VPN tunnel
  8.11. OpenVPN Server
  8.12. Users which are allowed to connect to OpenVPN
  8.13. Add a new user
  8.14. List of allowed users
  8.15. OpenVPN Server CA Certificate
  8.16. Configure Office 1 Endian Firewall
  8.17. Add Office 0 tunnel
  8.18. Connected to Office 0 tunnel
  8.19. Connected Office 1 and 2 clients
  8.20. VPN global settings
  8.21. VPN connection status and control window: initial view
  8.22. VPN certificate authorities window: initial view
  8.23. VPN connection type selection
  8.24. VPN Host-to-Net connection input
  8.25. VPN Net-to-Net connection input
  8.26. VPN authentication input
  9.1. Logs menu selected
  9.2. Generic navigation items
  9.3. Configuration of log viewer
  9.4. Configuration of log summaries
  9.5. Configuration of remote logging
  9.6. Configuration of firewall logging
  9.7. Displays log summaries
  9.8. Displays firewall log
  9.9. Display of system logs
  9.10. Displays clamav log viewer
  9.11. Proxy Analysis Report
  10.1. The Endian Hotspot
  10.2. Account management
  10.3. Add a new account
  10.4. User balance
  10.5. User connections
  10.6. Ticket Rates
  10.7. Add or edit a ticket rate
  10.8. Statistics
  10.9. Active Connections
  10.10. Connection Log
  10.11. Settings
  10.12. Dialin
  10.13. Password
  10.14. Template Editor
  10.15. Printout template
  10.16. Allowed sites
  10.17. Endian Hotspot Client start page
  10.18. Normal login
  10.19. Login for house guests
  10.20. Successful login

List of Examples
  5.1. Example of a custom configuration line
  7.1. Add this MIME type if you want to block the download of PDF files
  7.2. Add these MIME types if you want to block the download of MPEG and QuickTime video files
  7.3. Windows Update: to allow access to Windows Update without authentication add these domains to the list
  7.4. Base DN for Active Directory
  7.5. Base DN for eDirectory
  7.6. Base DN containing spaces
  7.7. User based access control lists using integrated authentication
  7.8. User based access control lists using explicit authentication
  7.9. Example spam info headers
  7.10. Example spam info headers
  7.11. Allow or deny a complete domain
  7.12. Allow or deny only the subdomains of a domain
  7.13. Allow or deny single email addresses or user names
  7.14. Allow or deny a complete domain
  7.15. Allow or deny only the subdomains of a domain
  7.16. Allow or deny single email addresses or user names
  7.17. Allow or deny an IP block
  8.1. An example command line to start openvpn on your roadwarrior
  8.2. An example configuration file for openvpn on your roadwarrior
  8.3. Example plain text certificate output
  8.4. Example content of an exported CA
  9.1. Log line of the OpenVPN server
  9.2. Log line of an OpenVPN client
  10.1. Specifying hourly prices

Preface

Table of Contents
  Rights and Disclaimers
  Conventions used in this book
    Typographic Conventions
    Icons
  Organization of this book
  This Book is Free
  Acknowledgments

Rights and Disclaimers

Endian Firewall is Copyright of Endian srl. Endian Firewall is published under the GNU General Public License. For more information please visit our web site at http://www.efw.it. You may copy it in whole or in part as long as the copies retain this copyright statement. The information contained within this document may change from one version to the next. All programs and details contained within this document have been created to the best of our knowledge and tested carefully. However, errors cannot be completely ruled out.
Therefore Endian does not express or imply any guarantees for errors within this document or consequent damage arising from the availability, performance or use of this or related material. The use of names in general use, names of firms, trade names, etc. in this document, even without special notation, does not imply that such names can be considered as free in terms of trademark legislation and that they can be used by anyone. All trade names are used without a guarantee of free usage and might be registered trademarks. As a general rule, Endian adheres to the notation of the manufacturer. Other products mentioned here could be trademarks of the respective manufacturer.

This document is based on the IPCop Admin Guide 1.4, 4th Edition. See http://www.ipcop.org for more info.

Conventions used in this book

This section covers the various conventions used in this book.

Typographic Conventions
  Constant width: Used for commands, command output, program names.
  Constant width italic: Used for replaceable items in code and text.
  Italic: Used for names (file, interface, directory names, ...).
  User input style: Used for user input.

Icons
  Tip: This icon designates a tip relating to the surrounding text.
  Note: This icon designates a note relating to the surrounding text.
  Warning: This icon designates a warning relating to the surrounding text.

Organization of this book

The chapters that follow and their contents are listed here:

  Chapter 1, Introduction: Gives an introduction to the Endian Firewall and its features.
  Chapter 2, System Web pages: Covers the System menu with its features and configuration possibilities, including first-step network configuration and system tools.
  Chapter 3, Status Menu: Describes the Status menu and its system monitoring and visualizing functionality.

  Chapter 4, Network Menu: Explains how to configure the network-related parts of Endian Firewall.
  Chapter 5, Services Menu: Gives information about the additional services Endian Firewall ships with, including the DHCP, NTP and DDNS services, intrusion detection and traffic shaping (QoS).
  Chapter 6, Firewall Menu: Explains the firewall functionality and Endian Firewall's security concept.
  Chapter 7, Proxy: Describes in depth Endian Firewall's application proxies, which include the HTTP, FTP, SIP and SMTP proxies with their many configuration possibilities.
  Chapter 8, VPN Menu: Help on creating Virtual Private Networks with both options, OpenVPN and IPSec.
  Chapter 9, Logs: Gives an overview of the log viewer menu and its facilities to visualize and configure all the services' logs.
  Chapter 10, Hotspot: Contains a detailed description of the Endian Hotspot.

This Book is Free

This book started out as the administration guide for IPCop 1.4, written by the IPCop people (see http://www.ipcop.org for more info). Since Endian Firewall forked from IPCop, Endian rewrote many parts and added new parts which reflect Endian Firewall's new functionality. As such, it has always been under a free license (see Appendix A, GNU Free Documentation License). This means you can distribute and make changes to this book however you wish; it's under a free license. Of course, rather than distribute your own private version of this book, we'd much rather you send feedback and patches to Endian.

Acknowledgments

Without the great work of the Smoothwall and then the IPCop team, Endian Firewall would not exist, and in turn this documentation would not exist at all. Therefore we would like to thank them all for their hard work. Thanks to SourceForge for the hosting. Without SourceForge we would not have the possibility to gain such huge worldwide visibility. You are really helping us very much!
Finally, we thank the following people for helping us out with work on screenshots and XSLT: Elisabeth Warasin, Thomas Lukasser.

Chapter 1. Introduction

Table of Contents

  What Is Endian Firewall?
  Features

What Is Endian Firewall?

Endian Firewall is a turn-key Linux security distribution that turns every system into a fully featured security appliance. The software has been designed with usability in mind and is very easy to install, use and manage, without losing its flexibility. The features include a stateful packet inspection firewall, application-level proxies for various protocols (HTTP, POP3, SMTP, SIP) with antivirus support, virus and spam filtering for email traffic (POP and SMTP), content filtering of web traffic and a hassle-free VPN solution (based on OpenVPN). The main advantage of Endian Firewall is that it is a pure Open Source solution that is commercially supported by Endian (for a full feature list see below).

Features

This needs a rewrite!!

Base Module (Endian Firewall 1.1)
  - Firewall (stateful inspection)
  - Outgoing Firewall
  - IPSec Gateway to gateway VPN
  - IPSec Remote client to gateway VPN (roadwarrior)
  - NAT
  - Multi-IP address support (aliases)
  - Dynamic DNS
  - DMZ support
  - HTTPS Web Interface
  - Detailed network traffic graphs
  - View currently active connections
  - Event log management
  - Log redirection to external server
  - DHCP Server
  - NTP Server
  - Traffic Shaping / QoS
  - Transparent POP3 antivirus/antispam proxy
  - Transparent HTTP proxy
  - Web Proxy with local users, Windows domain, Samba, LDAP, RADIUS server management
  - Intrusion Detection System
  - ADSL modem support
  - Configuration backup and restore
  - Remote update
  - SIP VoIP Proxy *NEW!*

Advanced Antivirus Module (Endian Firewall 1.1)
  - HTTP Antivirus
  - Endian Security Tools for Windows Desktop
  - Transparent SMTP antivirus/antispam proxy

VPN Gateway Module (Endian Firewall 1.1)
  - Gateway to gateway VPN with OpenVPN
  - Remote client to gateway VPN (roadwarrior) with OpenVPN
  - Bridged and Routed VPN mode
  - Endian Client VPN for Windows, Linux, MacOSX

Web Content Filter Module (Endian Firewall 1.1)
  - URL filter
  - Web content analysis/filter
  - Whitelists and blacklists management
  - Web surfing time limits

Chapter 2. System Web pages

Table of Contents
  Introduction
  Home Administrative Window
  Network Configuration
    Choose type of RED interface
    Choose network zones
    Network preferences
    Internet Access preferences
      RED type: NONE
      RED type: ADSL
      RED type: ISDN
      RED type: ETHERNET STATIC
      RED type: ETHERNET DHCP
      RED type: PPPoE
    Configure DNS resolver
    Apply configuration
  EN registration
  Passwords
  SSH Access
    SSH Options
    SSH Host Keys
  GUI Settings
  Backup Web Page
    Your Backup list
    Create a new Backup file
    Encrypt Backup files
    Export Backup files
    Import Backup files
    Restore a Backup
    Schedule Backups
    Reset configuration to factory defaults
  Shutdown or Restart Endian Firewall

Introduction

Figure 2.1. System menu selected

This group of web pages is designed to help you administer and control the Endian Firewall itself. To get to these web pages, select System from the menu bar at the top of the screen. The following choices will appear in a submenu on the left side of the screen:

  Home: Returns to the home page.
  Network Configuration: Allows you to configure the network and the NICs of your EFW.
  Endian Network: Allows you to register your EFW within Endian Network. This menu item is not available in the Endian Firewall Community version. (Called "EN registration" before version 2.1.)
  Passwords: Allows you to set the admin password.
  SSH Access: Allows you to enable and configure Secure Shell (SSH) access to Endian Firewall.
  GUI Settings: Allows you to set the language of the web display.
  Backup: Backs up or restores your EFW settings to or from files. You can also reset your settings to the factory defaults.
  Shutdown: Shut down or restart your Endian Firewall from this web page.
  Credits: Our thanks to all contributors.

Home Administrative Window

Figure 2.2. Home

Accessing the Endian Firewall GUI is as simple as starting your browser and entering the IP address (of the GREEN EFW interface) or the hostname of your Endian Firewall, followed by the port: 10443 (HTTPS, secure) or 80 (plain HTTP, which is only redirected to 10443). The system will ask you for a username and password:

  user: "Admin"
  password: the password that you set during the installation process

Because port 80 does nothing but redirect, the login itself always takes place over HTTPS on port 10443, so the credentials are never sent in the clear.

You should now be looking at the Home Page of your Endian Firewall GUI. You can immediately start exploring the different options and the information available to you through this interface. Below we list the main configuration/administration options available through the GUI. When you have acquainted yourself sufficiently with the system, please continue with the next section.

Endian Firewall's administrative web pages are available via the menu at the top of the screen:

  System: System configuration and utility functions associated with Endian Firewall itself.
  Status: Displays detailed information on the status of various portions of your Endian Firewall.
  Network: Configuration/administration of hosts and IP aliases (see Chapter 4, Network Menu).
  Services: Configuration/administration of your Endian Firewall services options.
  Firewall: Configuration/administration of Endian Firewall's firewall options.
  Proxy: Configuration/administration of Endian Firewall's HTTP, POP3, SIP, FTP and SMTP proxies (including antivirus, antispam and content filter configuration).
  VPNs: Configuration/administration of your Endian Firewall Virtual Private Network settings and options.
  Logs: View all your Endian Firewall logs (firewall, IDS, proxy, etc.).

Figure 2.3. Displays the Endian Network Support status

In the first page section you see the Endian Commercial Support Status. This is only available for the Endian Firewall Enterprise version. To get more information about the Endian support program, visit our homepage at http://www.endian.it. (This box is not displayed in version 2.1.)

Figure 2.4. Online status

In the following box you will see information about the system status. The first part gives short global information about the connection status, while the second part gives more precise information about each uplink. After the connection status you can see short information about the system's health.

Note: You will not see an active connection until you have finished configuring your Endian Firewall.

Short connection status display

The current connection status of the firewall will be displayed here, followed by the connection time. The connection status can be one of the following:

  Idle: No connection to the Internet and not trying to connect.
  Dialing: Attempting to connect to the Internet.
  Connected: Currently connected to the Internet.

If you are currently connected to the Internet you will see a Connection status line in the following format:

  Connection status Connected ( #d #h #m #s)

  d = days connected
  h = hours connected
  m = minutes connected
  s = seconds connected

In the following table you will see the actual connection status of each uplink. The first cell shows the name of the uplink. Normally you will see only one uplink, called "main", since it is the primary uplink. The second cell shows the connection status of the respective uplink; the possible values are described below. In the third cell you can manually connect the uplink if it is disconnected, or disconnect it if it is connected. Once you have pressed the connect or disconnect button you will need to wait until the connection has been established or torn down. During this process you may reload the page using the refresh button on the right; you will notice that the connection status field changes its content.

Values for the connection status:

  Connected: The uplink is connected and fully operational.
  Stopped: The uplink is not connected.
  Dead link: The uplink is connected but the gateways listed for it could not be reached, so in fact the uplink is not operational. Endian Firewall keeps pinging these gateways and announces when the link is working again.
  Failure: There was a failure while connecting to the uplink.
  Failure, Reconnection: There was a failure while connecting to the uplink. Endian Firewall will try to reconnect within the time interval that is printed.
  Disconnecting: The uplink is currently disconnecting.
  Connecting: The uplink is currently connecting.

System health line

Below your connection status line you will see a line similar to the following:

  19:07:10 up 1 day, 7:21, 0 users, load average: 0.03, 0.01, 0.00

This line is basically the output of the Linux uptime command and displays the current time, the days/hours/minutes that Endian Firewall has been running without a reboot, the number of users logged in, and the load average. On an appliance that is normally managed only through the web interface, a non-zero user count means someone has an SSH or console session open on the firewall and is worth a second look.
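As an added example (not part of this guide and not code from Endian Firewall), the following Python parses the two status lines described above, the Connection status line in the "( #d #h #m #s)" format and the uptime-style system health line, and flags the things an administrator would want to notice on a firewall: logged-in users, high load and a very recent reboot. The sample lines are constructed for the example (the health line is the one quoted in the text); the thresholds in health_warnings are assumptions, not Endian defaults.

```python
"""Parse the status box of the Endian Firewall home page.

Added example, not part of Endian Firewall. Handles the connection status
line ("Connection status Connected ( 1d 7h 21m 5s)") and the system health
line, which is the output of the Linux `uptime` command in its usual
forms ("up 1 day, 7:21", "up 2 days, 23 min", "up 7:21", "up 23 min").
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConnectionStatus:
    state: str                     # Idle, Dialing or Connected
    connected_for: Optional[int]   # seconds, only present when Connected


@dataclass(frozen=True)
class Health:
    clock: str                     # wall-clock time printed by uptime
    uptime_seconds: int
    users: int                     # logged-in sessions
    load: Tuple[float, float, float]


_STATUS_RE = re.compile(
    r"Connection status\s+(?P<state>Idle|Dialing|Connected)"
    r"(?:\s*\(\s*(?P<d>\d+)d\s+(?P<h>\d+)h\s+(?P<m>\d+)m\s+(?P<s>\d+)s\s*\))?"
)

_UPTIME_RE = re.compile(
    r"^(?P<clock>\d{2}:\d{2}:\d{2})\s+up\s+(?P<dur>.+?),\s+"
    r"(?P<users>\d+)\s+users?,\s+load average:\s+"
    r"(?P<l1>\d+\.\d+),\s+(?P<l5>\d+\.\d+),\s+(?P<l15>\d+\.\d+)\s*$"
)


def _duration_seconds(text: str) -> int:
    """Convert an uptime duration ('1 day, 7:21', '23 min', ...) to seconds."""
    total = 0
    m = re.match(r"(\d+)\s+days?(?:,\s*)?(.*)", text)
    if m:
        total += int(m.group(1)) * 86400
        text = m.group(2).strip()
    if not text:
        return total
    m = re.fullmatch(r"(\d+):(\d{2})", text)          # hours:minutes
    if m:
        return total + int(m.group(1)) * 3600 + int(m.group(2)) * 60
    m = re.fullmatch(r"(\d+)\s+min", text)             # under one hour
    if m:
        return total + int(m.group(1)) * 60
    raise ValueError(f"unrecognised uptime duration: {text!r}")


def parse_connection_status(line: str) -> ConnectionStatus:
    m = _STATUS_RE.search(line)
    if not m:
        raise ValueError(f"not a connection status line: {line!r}")
    secs = None
    if m.group("d") is not None:
        secs = (int(m.group("d")) * 86400 + int(m.group("h")) * 3600
                + int(m.group("m")) * 60 + int(m.group("s")))
    return ConnectionStatus(m.group("state"), secs)


def parse_health(line: str) -> Health:
    m = _UPTIME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an uptime line: {line!r}")
    load = (float(m.group("l1")), float(m.group("l5")), float(m.group("l15")))
    return Health(m.group("clock"), _duration_seconds(m.group("dur")),
                  int(m.group("users")), load)


def health_warnings(h: Health, cpus: int = 1, min_uptime: int = 3600) -> List[str]:
    """Conditions worth flagging on a firewall appliance (assumed thresholds)."""
    warnings = []
    if h.users > 0:
        warnings.append(f"{h.users} interactive login(s) on the firewall")
    if h.load[0] > cpus:
        warnings.append(f"1-minute load {h.load[0]} exceeds {cpus} CPU(s)")
    if h.uptime_seconds < min_uptime:
        warnings.append("rebooted less than an hour ago")
    return warnings


# Constructed sample lines; SAMPLE_HEALTH is the line quoted in the text.
SAMPLE_STATUS = "Connection status Connected ( 1d 7h 21m 5s)"
SAMPLE_HEALTH = "19:07:10 up 1 day, 7:21, 0 users, load average: 0.03, 0.01, 0.00"
SAMPLE_BUSY = "03:15:42 up 23 min, 2 users, load average: 4.10, 2.55, 1.20"

if __name__ == "__main__":
    print(parse_connection_status(SAMPLE_STATUS))
    print(parse_health(SAMPLE_HEALTH), health_warnings(parse_health(SAMPLE_HEALTH)))
    print(health_warnings(parse_health(SAMPLE_BUSY)))
```

Feed it the two lines copied from the home page (or from the output of uptime over SSH) and act on whatever health_warnings returns; the duration parser is general enough for every form uptime prints, not only the "1 day, 7:21" instance shown above.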

Network Configuration

Endian Firewall provides a Network Setup Wizard for easy and fast configuration of your network interfaces and your uplink. The wizard is divided into steps with intuitive dialogues; some steps have substeps. The first line of each dialogue window displays the current step or substep, how many you need to go through, and a short description of the current page. You can go forward or back with the next (>>>) and back (<<<) buttons during the wizard as you wish, and you can always abort the configuration process by hitting the Cancel button. On the last dialogue window you will be asked whether you really want to save the configuration you created with the wizard. If you decide to proceed, the configuration is stored and Endian Firewall reconfigures its interfaces. This takes some time, and during this period you will not be able to reach the web interface.

Choose type of RED interface

Figure 2.5. Network wizard step 1: Choose type of RED interface

The RED interface is the interface which connects your firewall to the "outside", the untrusted network, which normally of course is the Internet, or the uplink to your Internet provider. Endian Firewall supports the following types of RED interfaces. Some are network interfaces, others may be PCI cards or USB devices:

  NONE: Your firewall has no RED interface. This is unusual, since a firewall normally needs at least two interfaces, but for some scenarios it makes sense, for example if you want to use only a specific service of the firewall. If you choose this, you will later be able to set a default gateway which does not lie within the RED network.
  ADSL: If you have a USB or PCI ADSL modem, this is the option for you.

  ISDN: Select this if you have an ISDN USB device or PCI card.
  ETHERNET STATIC: Select this if your RED interface is a simple Ethernet card and you need to set up network information such as IP address, netmask and so on manually. If you need to connect your RED interface to a simple router, this may be the right choice. Remember that in most cases you will need a crossover cable in order to connect it correctly.
  ETHERNET DHCP: Select this if your RED interface is a simple Ethernet card which needs to get its network information through DHCP. Most cable modems and ADSL/ISDN routers provide this possibility.
  PPPoE: If your RED interface is a simple Ethernet card connected to a device which requires you to use PPPoE in order to connect to your provider, select this. Pay attention not to confuse this option with the ETHERNET DHCP or ADSL options. It is only needed if your modem uses bridging mode and does not connect itself via PPPoE to the Internet provider. Some ADSL routers let you connect using DHCP or STATIC and establish the ADSL connection themselves using PPPoE. This is also the wrong option if you have a USB or PCI ADSL modem and want the modem to connect using PPPoE.

If you do not want your RED interface to connect to your uplink while booting, tick the Do not automatically connect on boot checkbox.

On this page you will also find a box which displays the number of network cards that could be found. Depending on this value, and on whether you have already used up a network card by selecting a RED type which needs one, the following step lets you configure more or fewer zones.

Choose network zones

Figure 2.6. Network wizard showing Step 2: Choose network zones

With this step you can decide which zones you want to configure on your firewall. Endian Firewall adopts IPCop's idea of different zones. The following zones are available:

GREEN is the trusted network. This is supposed to be your LAN, from where you connect to the administration interface. This zone is mandatory and one network interface is reserved for it.

ORANGE is the demilitarized zone (DMZ). If you host servers it is wise to have them on a different network than your local network. If someone manages to break into one of your servers, the attacker does not automatically compromise the local network, but is trapped within the DMZ and cannot gain sensitive information from your local network. Note that it makes no sense to use ORANGE if the servers behind ORANGE and the workstations behind GREEN share the same switch or hub!

BLUE is the wireless zone. You can attach a hotspot or Wifi access point to an interface assigned to this zone. There is only a logical difference between this zone and ORANGE. Since wireless networks are normally not really secure, you may prefer to put them into a separate zone, since hosts there have no access to the local network behind GREEN and cannot reach hosts behind ORANGE without configuration.

RED As already described, the RED zone stands for the uplink to the internet provider or to another untrusted network; basically, most of the time all the other zones have to be protected from intruders from this zone. You automatically have this zone unless you selected NONE in the previous dialogue.

You need at least one network card per zone, so some options may not be visible if you do not have enough network cards. Note that one network card is reserved for the GREEN zone and one may already be assigned to the RED zone if you selected a RED type which needs a network card. You can choose between the following options:

NONE
Choose this if you do not need additional zones. You live with GREEN and RED.

ORANGE
You want only the ORANGE zone in addition to GREEN and RED.

BLUE
You want only the BLUE zone in addition to GREEN and RED.

ORANGE & BLUE
You want both ORANGE and BLUE and will continue with a full featured firewall.

Network preferences

This step asks you for the configuration of all the ethernet zones you enabled on the previous page (GREEN, ORANGE and/or BLUE). Each zone has to be configured in the same way; on the screenshot below you can see the configuration of the green and orange interfaces. At the bottom of this page it is also possible to configure the hostname and domain name of your firewall.

Figure 2.7. Network wizard showing Step 3: Network preferences

You need to configure the following fields for each zone:

IP address
Provide the IP address which you would like to use for the interface of the respective zone, for example 10.1.1.1. Pay attention to use an IP address which is not already used within your network, especially if you would like to change the IP address of your GREEN zone. Note that you need to use different subnets for different zones. For example, if you use 10.1.1.1 in GREEN, you may use 10.2.2.1 for ORANGE, but not an IP address of the same network, like 10.1.1.2! The network wizard will not allow you to go on if networks overlap or if you do not fill out all necessary fields. It is suggested to follow the standards described in RFC1918 and use only IP addresses which are reserved for private networks. The following blocks of IP address space have been reserved for private networks by the Internet Assigned Numbers Authority (IANA):

10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Note: It may also be wise to follow some conventions and always assign the first IP address to the firewall, for example 192.168.0.1.

Note: IP addresses ending in .0 (example: 192.168.0.0) and in .255 (example: 192.168.0.255) are reserved for the network address and the broadcast address. You shall not assign them to any device.

Note: Pay attention if you reconfigure Endian Firewall and change some IP addresses: then you also need to change the IP address within the configuration of some services like the HTTP proxy, which is described later in efw.proxy.http.

Network mask
Provide the network mask which you would like to use for the interface of the respective zone and the network behind it, for example 255.255.255.0.

Note: Pay attention to use the same network mask on all of your computers behind the same zone, or some may not be able to pass the firewall.

Interface
Each zone needs to have at least one interface assigned. The network wizard gives you a suggestion about the interface assignment; you certainly may change this. One interface can be assigned to only one zone; the network wizard does not allow you to go on if you choose the same interface on different zones. You can assign multiple interfaces per zone. Multiple interfaces can be added by pressing Ctrl and clicking on the desired interfaces. The interfaces will then be bridged together internally, so they have the same functionality as a switch. The interface list shows you all necessary information to identify your network card:

consecutive numbers: The interface list is sorted on the basis of the PCI slot identification number. Therefore you are safe to give your PCI mounted network cards an index counting from the first to the last. The first network card in your computer should be the card with number 1, the second the one with number 2, and so forth.

device description: We use lspci to read out this description. If your device is not included within our PCI devices list because it is too new or too exotic, the description will be something like "Unknown device".

MAC address: The original MAC address of the device. This address should be worldwide unique (in reality it is not always). Most devices have their MAC address printed somewhere on the card or in the manual.

Note: Interfaces which are not supported by ethtool will not be supported by the network wizard, because the necessary information cannot be gathered.
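The IP address and Network mask rules of this step (RFC1918 addresses only, no .0 or .255 host address, a different subnet for every zone) are what the wizard enforces before it lets you go on, and the same rules can be checked offline for a planned configuration before you touch a running firewall. The following Python script is an added example and not Endian Firewall's own code. It also applies the default gateway rule of the ETHERNET STATIC RED type described later in this chapter (the gateway must lie inside the RED network). The sample addresses are the manual's own 10.1.1.1 and 10.2.2.1 plus constructed BLUE and RED values, and the function names (check_zone, check_overlap, check_red_static, validate_wizard) are constructed for this illustration.

```python
"""Offline check of the network-wizard address rules (added example, not Endian
Firewall code). Zone names and the GREEN/ORANGE sample addresses follow the
manual; the BLUE and RED values and the function names are constructed."""
import ipaddress

# The private address blocks reserved by IANA (RFC 1918), as listed in the manual.
# Used instead of ipaddress's is_private, which also accepts link-local,
# loopback and documentation ranges that the wizard should not get.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: the manual's GREEN/ORANGE example addresses plus a BLUE zone.
SAMPLE_ZONES = {
    "GREEN": ("10.1.1.1", "255.255.255.0"),
    "ORANGE": ("10.2.2.1", "255.255.255.0"),
    "BLUE": ("10.3.3.1", "255.255.255.0"),
}
# Constructed sample RED (ETHERNET STATIC): address, netmask, default gateway,
# using the manual's 192.168.0.1 / 255.255.255.0 / 192.168.0.2 example.
SAMPLE_RED = ("192.168.0.1", "255.255.255.0", "192.168.0.2")


def _iface(ip, netmask):
    """Build an interface object from a dotted address and a dotted netmask."""
    return ipaddress.IPv4Interface(f"{ip}/{netmask}")


def check_zone(name, ip, netmask):
    """Rules for one internal zone (GREEN/ORANGE/BLUE): an RFC1918 address that
    is neither the network nor the broadcast address. Returns problem strings."""
    problems = []
    iface = _iface(ip, netmask)
    net = iface.network
    if not any(iface.ip in block for block in RFC1918_BLOCKS):
        problems.append(f"{name}: {ip} is not in an RFC1918 private block")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {ip} is the network or broadcast address of {net}")
    return problems


def check_overlap(networks):
    """networks: {zone_name: (ip, netmask)}. Every pair of zones must live in
    different subnets, exactly as the wizard requires."""
    problems = []
    nets = {name: _iface(ip, mask).network for name, (ip, mask) in networks.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def check_red_static(ip, netmask, gateway):
    """ETHERNET STATIC rule: the default gateway must lie inside the RED subnet.
    The manual describes the gateway as a remote host, so the firewall's own RED
    address is rejected as well (that second check is an addition here)."""
    problems = []
    iface = _iface(ip, netmask)
    gw = ipaddress.IPv4Address(gateway)
    if gw not in iface.network:
        problems.append(f"RED: gateway {gateway} is not inside the RED network {iface.network}")
    elif gw == iface.ip:
        problems.append(f"RED: gateway {gateway} is the firewall's own RED address")
    return problems


def validate_wizard(zones, red=None):
    """Run all checks over a zone map and an optional RED (ip, netmask, gateway).
    RED is included in the overlap check but not in the RFC1918 check, since a
    RED address may legitimately be public."""
    problems = []
    for name, (ip, mask) in zones.items():
        problems += check_zone(name, ip, mask)
    all_networks = dict(zones)
    if red is not None:
        red_ip, red_mask, red_gw = red
        problems += check_red_static(red_ip, red_mask, red_gw)
        all_networks["RED"] = (red_ip, red_mask)
    problems += check_overlap(all_networks)
    return problems


if __name__ == "__main__":
    for line in validate_wizard(SAMPLE_ZONES, SAMPLE_RED) or ["configuration OK"]:
        print(line)
```

Run as-is the script reports the sample configuration as OK; replace SAMPLE_ZONES and SAMPLE_RED with your planned addresses to see the same objections the wizard would raise (for instance 10.1.1.2 in ORANGE next to 10.1.1.1 in GREEN, or a gateway of 192.168.1.1 for a RED of 192.168.0.1/255.255.255.0).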

Note: Each of these zones will be handled internally as a bridge, regardless of the number of assigned interfaces. Remember this if you come across any interface names: the interface name of a zone is always brX and not ethX. ethX is just the name of the physical interface which is part of the respective zone.

Internet Access preferences

During this step you can configure the preferences needed to connect to the internet or to your untrusted network outside your firewall. You will find different configuration options on this page, depending on the type of RED interface you chose on the first page of this connection wizard. Some RED types need more configuration steps than others, therefore you may find substeps. The following section describes every step for each RED interface type.

RED type: NONE

If you chose NONE as RED type on the first wizard page, you probably want to read this.

Figure 2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE

Since you have no RED, you do not need to configure it. Wow, how impressive. In order to allow your Security Device (in this case I do not dare to speak of a firewall) to access other networks like the internet, you need to configure a default gateway; here you can set this up. Only in this case you can use as default gateway any IP address which belongs to a network of one of your other zones (GREEN, ORANGE or BLUE). Normally you want to use an IP address belonging to the GREEN network, which probably is another firewall and gateway to the internet.

RED type: ADSL

If you have chosen ADSL as RED type then this will be of interest to you. Since ADSL modems need a bunch of information, this step is divided into three substeps.

Selection of the modem

Figure 2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem

Within the first substep you need to select which modem you would like to use. The box on this page shows you all the modems currently supported by Endian Firewall. If you cannot find your modem then it obviously is not supported and will not work. If your modem is already plugged in, Endian Firewall will try to recognize it automatically and preselects the first detected modem. The following string will be displayed next to each modem which has been detected automatically: --> detected <--

The following modems are currently supported:

ADSL modems with Conexant chipset
Fritz!Card DSL
Fritz!Card DSL v2
Fritz!Card DSL SL
Fritz!Card DSL SL USB
Fritz!Card DSL USB
Fritz!Card DSL USB Analog

Choose ADSL connection type

Figure 2.10. Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type

Endian Firewall supports four different possibilities to connect to an ADSL concentrator. You need to know which connection type is supported by your internet provider and use the respective type. Often an internet provider allows you to choose between PPPoA and PPPoE; should this be the case, you can choose between those two options. Keep in mind that PPPoE causes a little more traffic overhead compared to PPPoA, if this is of importance for you. The four possibilities are:

PPPoA
PPP over ATM. You can find further information about this protocol on Wikipedia.

PPPoE
PPP over Ethernet. You can find further information about this protocol on Wikipedia.

RFC1483 static IP
Basically this is a protocol which allows you to handle your modem like an ethernet device, to which you manually assign an IP address which you negotiated with your provider before. If you have a real static IP you may need to use this option. You can find further information about this protocol on RFC Editor: http://www.rfceditor.org/rfc/rfc1483.txt

RFC1483 dhcp
Basically this is the same as RFC1483 except that the provider assigns your IP address using DHCP.

Supply connection information

This substep depends on the decision you made during the previous substep. Depending on the selected ADSL connection type this substep will show you different configuration options. Most of the needed information will be provided by your internet service provider. The following fields are common for each ADSL type. They depend on the infrastructure of your ISP, so you need to fill in the values you get from your provider:

VPI number
VCI number
Encapsulation

PPPoA/PPPoE

Figure 2.11. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (PPPoE)

The configuration for PPPoA and PPPoE is much the same, therefore only PPPoE will be described here. The following fields exist in addition to the common fields described above:

Username
Provide the username which you got from your ISP.

Password
Provide the password which you got from your ISP.

Authentication method
Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:

PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
PAP or CHAP - both authentication methods are implemented.

Some providers may support only one authentication method; in that case you should get that information from your provider. Most providers implement both authentication methods; then it is safe to use whichever you want, or to leave the decision to the system by selecting PAP or CHAP.

DNS
During the establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolver. If you select automatic, those values will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

RFC1483 static ip

Figure 2.12. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 static ip)

If you got a real static IP from your provider, then normally this type will be used. This type has no authentication and no protocol to establish the connection. Therefore the provider's system cannot automatically send you configuration parameters (like IP address, DNS, ...) during connection establishment. You need to ask your provider for this information and configure everything manually here. Once configured, there is no system that changes these parameters automatically, unlike with the other ADSL types. The following fields exist in addition to the common fields described above:

Static IP
Fill in the public IP address your provider assigned to you. If you do not have this information, ask your provider. If you use the wrong IP address you may not be able to use the connection.

Netmask
The network mask you got from your provider, for example 255.255.255.0.

Gateway
The IP address of the gateway located on your provider's side, which should be used as your default gateway.

RFC1483 DHCP

Figure 2.13. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 DHCP)

This ADSL type is the same as RFC1483 static ip, except that you do not need to provide IP address, netmask and gateway, because that information will be retrieved automatically using DHCP. The following fields exist in addition to the common fields described above:

DNS
During connection establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use. If you select automatic, those values will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

RED type: ISDN

If you chose ISDN as RED type you will see the following dialogue page within the fourth step.

Figure 2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences

The following section describes each of the fields:

Please select the driver of your modem
Here you need to select the type of modem you are using. The selection box shows you all the modems currently supported by Endian Firewall. If you cannot find your modem then unfortunately it is not supported and will not work. If your modem is already plugged in, Endian Firewall will try to recognize it automatically and preselects the first detected modem. The following string will be displayed next to each modem that has been automatically detected: --> detected <--

The following modems are currently supported:

AVM GmbH, Fritz Card USB2 (Version 3.0)
AVM GmbH, Fritz Card USB2 (Version 2.0)
HFC-S PCI (Billion and compatible)
HFC-S USB TA (Billion, Trust or compatible)
AVM GmbH, Fritz Card PCI
AVM GmbH, Fritz Card USB

Phone number to dial
Fill in the telephone number of your Internet Service Provider that you need to dial to connect to the Internet.

Your phone number to be used to dial out
Fill in the telephone number of your telephone line which you want to be used when you dial out. This number may also be known as MSN.

Username
Provide the username you got from your ISP.

Password
Provide the password you got from your ISP.

Authentication method
Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:

PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
PAP or CHAP - both authentication methods are implemented.

Some providers may support only one authentication method; in that case you should get that information from your provider. Most providers implement both authentication methods; then it is safe to use whichever you want, or to leave the decision to the system by selecting PAP or CHAP.

Use both B-Channels
Enable this if you want to use both ISDN channels bundled in order to double your bandwidth. Your provider must support this.

Hang up after minutes of inactivity
If you want the modem to close the connection to your internet service provider when no data is sent through it, you may enable this. If you select a value different to off, the modem will close the connection after the selected number of minutes of inactivity.

DNS
During connection establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolver. If you select automatic, those values will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

RED type: ETHERNET STATIC

This dialogue page will be shown if you chose ETHERNET STATIC as your RED type.

Figure 2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences

Configuration is much the same as described before in the section called Network preferences. Currently you can have only one RED device, therefore you cannot select multiple interfaces. Additionally you need to configure a default gateway. That is the IP address of the remote host to which the firewall is connected and which will be used as gateway to the internet. This IP address must be located within the RED network; the network wizard does not allow you to provide a default gateway which is not within the RED network. For example, if you use 192.168.0.1 as IP address and 255.255.255.0 as network mask, the default gateway cannot be 192.168.1.1. A possible value would be 192.168.0.2.

RED type: ETHERNET DHCP

This dialogue page will be shown if you chose ETHERNET DHCP as RED type.

Figure 2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences

ETHERNET DHCP is much the same as ETHERNET STATIC, except that there is no need to configure the device, since all necessary information will be retrieved from the DHCP server. You only need to select which interface you would like to use for your RED zone. Since currently there is no possibility to have more than one RED interface, you cannot select multiple interfaces. The following configuration options exist:

Interface
Select the interface you want to use as RED interface, as already described above.

DNS
The DHCP server will also send you the IP addresses of your DNS servers. If you select automatic, these addresses will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your DHCP server sends wrong information or if the supplied DNS resolvers do not work correctly.

RED type: PPPoE

This dialogue page will be shown if you chose PPPoE as RED type.

Figure 2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences

As already mentioned before, you use this type if you have an ADSL modem with a simple ethernet connection to your Endian Firewall.

Note: In most cases this cable has to be a crossover cable!

The following configuration options are supported for this type:

Interface
Select the interface you want to use as RED interface, to which you connected the ADSL ethernet modem.

ADSL type
This option will disappear. It makes no difference what you select here.

Username
Fill in the username you got from your internet service provider.

Password
Fill in the password you got from your internet service provider.

Authentication method
Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:

PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
PAP or CHAP - both authentication methods are implemented.

Some providers may support only one authentication method; in that case you should get that information from your provider. Most providers implement both authentication methods; then it is safe to use whichever you want, or to leave the decision to the system by selecting PAP or CHAP.

DNS
During connection establishment of a PPP connection, the provider normally sends information about which DNS servers you need to use as DNS resolvers. If you select automatic, those values will be used. If you wish to configure them manually, then select manually. In some cases this may be useful, for example if your provider sends wrong information or if the supplied DNS resolvers do not work correctly.

Service
Some ISPs provide different services, therefore you may insert the service name here in order to select which one you want to use, if it is necessary. In most cases this option is meaningless.

Concentrator name
Specifies the desired access concentrator name. In most cases you should not specify this option. Use it only if you know that there are multiple access concentrators and your ISP wants you to specify a particular one.

Configure DNS resolver

This step is only needed if the RED connection type does not automatically provide the addresses of the DNS resolvers which should be used, or if you selected in the previous step that you want to set the DNS resolvers manually. If DNS resolvers are retrieved automatically, no configuration fields will be shown here and you can safely go ahead. Otherwise you will see two fields labeled DNS 1 and DNS 2.

Figure 2.18. Network wizard showing step 5: configure DNS resolver

Fill both fields with the DNS servers you want to use as resolvers. If you have only one, it is safe to fill in the same value in both fields, but this is not recommended, since you will not be able to resolve names anymore if that nameserver temporarily does not answer. You need a working DNS resolver in order to resolve names. If resolving does not work you may not be able to access internet sites.

Apply configuration

This is the last step of the network wizard. It only asks you to confirm the modifications.

Figure 2.19. Network wizard showing step 6: Apply configuration

Click the button OK, apply configuration to go ahead. Once you have done this, the network wizard will write down the data, reconfigure all necessary devices and restart all dependent services. This may take up to 20 seconds. During the restart you may not be able to connect to the administration interface, and for a short time no connections through the firewall are possible. So no worries, that is normal. The administration interface will automatically reload after 20 seconds. If you changed the IP address of the GREEN zone you will be redirected to the new IP address, after the 20 seconds of course. In this case and/or if you have changed the hostname, a new SSL certificate will be generated.

Note: There is an issue when managing more than one Endian Firewall. The browser will refuse the new certificate because it finds that the certificate is corrupt. You can solve this issue by removing all accepted certificates from the browser cache, or by closing all running browser windows and then restarting the browser.

EN registration

This menu item is not available in the Community version. The Endian Firewall Enterprise version has the ability to register to the Endian Network. The registration to the Endian Network allows you to monitor and manage your firewalls using Endian Network. Your registered Endian Firewalls can also be collectively updated, automatically or manually, through Endian Network with just a few clicks. In order to be able to get those updates you need to register. The following describes how to register, and below you will find the same page of a successfully registered firewall.

Figure 2.20. Unregistered Endian Firewall

In order to register to the Endian Network, supply the following information within the registration form:

Endian network username
Fill in the username of your user account on Endian Network.

Endian network password
Fill in your Endian Network user password. These credentials will only be used to authenticate yourself on Endian Network in order to register. The credentials will not be saved.

Activation key
Fill in the activation key you got from your Endian reseller. It is a one way key consisting of 12 characters. The activation key can be used only once.

System name
Give a name. It may be wise to use the system's hostname. With this name you can identify the firewall on Endian Network. Especially if you have multiple firewalls, it would be wise to choose a name which contains information about where this system is located, like the customer's name or anything like that. This value can be changed on Endian Network after registration.

Short description
Here you can add a short description about the installation, for example information about where you can find the firewall geographically. This value can be changed on Endian Network after registration.

Figure 2.21. Registered Endian Firewall

The page is divided into two parts.

Registration information
The first part displays your registration information:

System name - Displays the name of the system which you supplied on registration. You can use this label to identify this firewall on Endian Network.
Registered for - Displays the name of the responsible person or organisation for which this system has been registered.
Short description - Displays the short description which you supplied on registration.
System ID - Every system gets a worldwide unique identification number during registration. We use this number to identify your hardware within Endian Network. You may be asked for this number if you need to get support.
Last update - Displays the date of the last update.

Note: If you change any of those information fields on the Endian Network, your firewall will be synchronized within one hour.

Activation Keys
You need a valid activation key for each maintenance channel provided by the Endian Network if you would like to get the updates provided by the respective channel. An installation may use more than one activation key if you need to subscribe to more than one channel. Normally you will have only one. The following information will be provided for each activation key:

Channel
Displays the name of the Endian Network channel for which the respective activation key is valid, for example Endian Firewall.

Valid from
The subscription to the respective channel is valid from this date on.

Valid until
The subscription to the respective channel is valid until this date.

Days
Displays how many days the subscription will still be valid.

Passwords

Figure 2.22. Password changing dialogue

The Passwords subsection of this AW allows you to change the admin password or the password of the dial user, as you deem necessary. Simply enter the desired password once in each field for the user you wish to update and click on Save.

Note: You have to log in again with the new password if you change the admin user password.

SSH Access

The SSH subsection of this AW allows you to decide whether remote SSH access is available on your Endian Firewall or not. By placing a checkmark in the box you will activate remote SSH access. It is also possible to configure several SSH daemon parameters from this web page. The SSH option is disabled by default and we would advise enabling it only as needed and then disabling it afterwards.

Figure 2.23. SSH access page

Note: The SSH port on the EFW machine is the standard 22 (not switched to 222 like in IPCop).

SSH Options

The following SSH options are available from the web page:

Enabled: Checking this box enables SSH. Unless you use external access, SSH will only be available from the GREEN network. With SSH enabled it is possible for anyone with the Endian Firewall root password to log into your firewall at the command prompt.

Support SSH protocol version 1 (required only for old clients): Checking this box enables support of SSH version 1 clients. Use of this option is strongly discouraged: there are known vulnerabilities in SSH version 1. Use this option only for temporary access, if you only have SSH version 1 clients and there is no way to upgrade to SSH version 2. Most, if not all, current SSH clients support version 2. Upgrade your clients if at all possible.

Allow TCP Forwarding:

Checking this box allows you to create SSH encrypted tunnels between machines inside your firewall and external users. What use is this when EFW already has a VPN? You are on the road and something goes wrong with one of your servers. You have not set up a road warrior VPN connection. If you know your EFW root password you can use SSH port forwarding to get through your firewall and get access to a server on one of your protected networks. These next few paragraphs discuss how to do this, assuming you have a Telnet server running on an internal computer at 10.0.0.20. It also assumes your remote machine is a Linux machine. The PuTTY SSH command on Windows has the same capabilities, but they are accessed via dialog boxes. You may already have done one or both of the first two steps.

1. Enable, or have someone else enable, external access for port 10443, the HTTPS port.

2. Use the EFW web pages to enable SSH access, port forwarding and external access for port 22.

3. Create an SSH tunnel between your remote machine and the internal server running an SSH daemon by issuing the command:

$ ssh -N -f -L 12345:10.0.0.20:23 root@efw

-N in conjunction with -f tells SSH to run in the background without terminating. If you use this option, you will have to remember to use kill to terminate the SSH process. As an alternative, you may want to add the command sleep 100 to the end of the command line and not use the -N option. If you do this, the SSH process invoked by the ssh command will terminate after 100 seconds, but the telnet session and its tunnel will not terminate.
-f tells SSH to run in the background.
-L tells SSH to build a port forwarding tunnel as specified by the next parameters.
12345 is the local port that will be used to tunnel to the remote service. This should be greater than 1024, otherwise you must be running as root to bind to well known ports.
10.0.0.20 is the GREEN address of the remote server.
23 specifies the remote port number to be used, Telnet.
root@efw finally specifies that you will be using your Endian Firewall as the port forwarding agent. You need a user ID to log in as, and the only one available is root. You will be prompted for EFW's root password.

4. Finally, log into the remote Telnet server using the tunnel:

$ telnet localhost 12345

localhost is the machine you are running on; the loopback address 127.0.0.1 is defined as localhost. 12345 is the local tunnel port specified in the previous command.

There is a tutorial on SSH port forwarding at Dev Shed.

Allow password based authentication: Allows users to log into the Endian Firewall using the root password. If you decide to turn this off, set up your SSH key files first and then verify that you can log in using your key files.

Allow public key based authentication: By checking this box, public key authentication can be used by SSH. This is the preferred method of securing EFW using SSH. This article has a discussion about using ssh-keygen to generate RSA keys and how to use them with SSH.

SSH Host Keys

This section lists the host key fingerprints used by SSH on EFW to verify that you are opening a session with the right machine. The first time a session is opened, one of the fingerprints will be displayed by SSH and you will be asked to verify that it is correct. If you wish, you can verify it by looking at this web page.

GUI Settings

This web page governs how the Endian Firewall web pages function and appear.

Figure 2.24. GUI settings
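The SSH Options described above correspond to a handful of OpenSSH sshd_config directives, and the manual's advice about them (only SSH protocol version 2, key based login preferred over the root password, TCP forwarding only while you need it) can be written down as an audit of those settings, with the weak combination beside its hardened form. The following Python script is an added example, not Endian Firewall's own code: the option dictionary with one key per checkbox, the audit and harden functions and the severity labels are constructed for this illustration; the directive names are standard sshd_config keywords, and Protocol is only recognised by the older OpenSSH releases that still had SSH-1 support.

```python
"""Map the checkboxes of the SSH Access page to OpenSSH sshd_config directives and
flag the weak combinations the manual warns about (added example, not Endian
Firewall code; the option keys are constructed, the directives are standard
sshd_config keywords)."""

# Constructed: one dictionary key per checkbox on the SSH access page.
PAGE_DEFAULTS = {
    "enabled": False,          # SSH is disabled by default on EFW
    "protocol_v1": False,      # "Support SSH protocol version 1"
    "tcp_forwarding": False,   # "Allow TCP Forwarding"
    "password_auth": True,     # "Allow password based authentication"
    "pubkey_auth": True,       # "Allow public key based authentication"
}


def _yesno(flag):
    return "yes" if flag else "no"


def render_sshd_config(opts):
    """Return the sshd_config lines equivalent to the page's settings.
    'Protocol' exists only in OpenSSH releases that still support SSH-1;
    newer releases speak version 2 only and no longer accept the keyword."""
    return [
        "Port 22",  # EFW keeps the standard port (IPCop used 222)
        "Protocol " + ("2,1" if opts["protocol_v1"] else "2"),
        "AllowTcpForwarding " + _yesno(opts["tcp_forwarding"]),
        "PasswordAuthentication " + _yesno(opts["password_auth"]),
        "PubkeyAuthentication " + _yesno(opts["pubkey_auth"]),
    ]


def audit(opts):
    """Return (severity, message) tuples for settings the manual discourages.
    Severity labels are constructed for this example."""
    findings = []
    if not opts["enabled"]:
        return findings  # nothing is listening, nothing to audit
    if opts["protocol_v1"]:
        findings.append(("HIGH", "SSH protocol version 1 is enabled; it has known "
                                 "weaknesses, allow it only temporarily for legacy clients"))
    if not opts["password_auth"] and not opts["pubkey_auth"]:
        findings.append(("HIGH", "neither password nor public key authentication is "
                                 "allowed; nobody can log in"))
    elif opts["password_auth"]:
        findings.append(("MEDIUM", "password authentication is allowed; once your key "
                                   "files work, disable it so only key holders can log in"))
    if opts["tcp_forwarding"]:
        findings.append(("INFO", "TCP forwarding is allowed; anyone holding the root "
                                 "password can tunnel to hosts behind the firewall"))
    return findings


def harden(opts):
    """The settings the manual recommends: SSH-2 only, key authentication only,
    forwarding off. Returns a new dict; 'enabled' is left as the caller set it."""
    fixed = dict(opts)
    fixed.update(protocol_v1=False, password_auth=False, pubkey_auth=True,
                 tcp_forwarding=False)
    return fixed


if __name__ == "__main__":
    # Constructed weak configuration: SSH on, SSH-1 allowed, forwarding on.
    weak = dict(PAGE_DEFAULTS, enabled=True, protocol_v1=True, tcp_forwarding=True)
    for severity, msg in audit(weak):
        print(f"{severity}: {msg}")
    print("--- hardened sshd_config equivalent ---")
    print("\n".join(render_sshd_config(harden(weak))))
```

The MEDIUM finding is deliberately kept even when public key authentication is also enabled: as the page says, the intended order is to set up and verify the key files first, then turn password login off, and the audit only goes quiet once that last step has been done.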

Display hostname in window title: This checkbox will turn on the display of an Endian Firewall host's name at the top of each web page. If you are maintaining more than one Endian Firewall machine, this will be advantageous, since you will be able to tell which machine your browser is currently displaying. Select the language you wish EFW to display in:

This drop down menu will let you choose which one of the languages currently available for EFW web pages will be displayed. Backup Web Page In this section you can create "snapshots" of your EFW configuration, and restore the system to one of these snapshots when needed. These snapshots can be saved on your EFW machine or exported to your computer. Inis also possible to reset the configuration to factory defaults and to create fully automated backups. Your Backup list On this site you can manage the creation, export, import and restoration of your EFW backups. You will be presented with a list of all the backups you have made so far. The backups are sorted by date where the latest backup is on top of the list. Figure 2.25. Backup to files

The Creation Date column contains the creation date, while the Content column shows a list of flags that tell you more about the backup:

S This backup contains your settings.
D This backup contains a database dump.
E This archive is encrypted.
L This backup contains log files.
A Older log file backups have been saved with this backup.
! There was a problem when trying to send this file.
C This backup was created automatically by the backup scheduler.

The disk icon in the Action column lets you store the backup file on your computer. By clicking the garbage bin you can delete this backup file. If you click the last symbol, this backup will be restored.

Create a new Backup file By clicking on the Create new Backup button, Endian Firewall will open a new window in which you can configure your new backup. Figure 2.26. Create new backup

The following options can be specified before the creation of the backup file: Remark This field gives you the possibility to add some personal information which will later let you remember the reason for this backup. Include configuration This option lets you include the configuration of your Endian Firewall, that is, the content of the /var/efw directory. Include database dumps

If you want to include dumps of your database tick this checkbox. Include log files If you want to include your log files this checkbox should be checked. Include log archives If you also want to include the backups of your old log files tick this checkbox. Create new Backup By hitting this button the new backup file will be created and saved. You can now find it in the list of your backup sets. Encrypt Backup files Figure 2.27. Encrypt Backups

You also have the possibility to encrypt your backups if you want to. To do this you need to do the following: 1. Select your public key by clicking on the Browse... button and then selecting the key file. 2. Make sure the Encrypt backup archives checkbox is ticked. 3. Upload the key file by clicking the Save button. Since the archive is encrypted to your public key, only the holder of the matching private key can read it again; keep that private key safe and do not store it on the firewall itself. Export Backup files You can export backup files to your computer by: 1. Choosing the set you want to export. 2. Clicking on the disk image (Export) and saving the file on your computer. Import Backup files Figure 2.28. Import Backup

If you want to import a backup file from your computer you have to do the following:

1. Choose a name for the backup and write it into the Remark field. 2. Browse your local folders and select the backup file you want to import. 3. Finally click the Import button - your backup will be saved on the Endian Firewall and then show up in the list of backup sets. Note By importing your backup it will not automatically be restored. Read here how you can restore your backup. Restore a Backup Figure 2.29. Restore Backup

To restore the system from exported backup files: 1. import your backup file 2. choose the new set in your backup list 3. click the Restore button To restore the system from a backup set on your EFW: 1. choose the set you want to restore 2. click the Restore button Note The Restore button is the button with the blue circle orbited by a grey arrow. Schedule Backups Figure 2.30. Schedule backups

If you want to schedule automatic backups you will be presented with two windows. The first window is used to configure the scheduling itself while the second window gives you the opportunity to automatically send the created backup files to you via e-mail. Scheduling your backups is very easy and the options regarding the backup content are the same as when creating manual backups. New options are: Enabled Check this if you want automatic backups. Keep # of archives This number lets you decide how many automatic backups you want to save on your Endian Firewall. Schedule for automatic backups Choose here how often you want to create a backup of your firewall.

Save Click this button to save the configuration. Note If you move the mouse cursor over the question marks you will see detailed information about the schedules. If you want to receive an e-mail for every automatic backup you'll have to have a look at the second window. Enabled Tick this if you want e-mails with your backup files. E-Mail Address of Recipient Here you need to enter the address you want the backups sent to. E-Mail Address of Sender Here you can specify a sender address for the automatic e-mails. Address of Smarthost to be used If your e-mails are considered spam by many mail servers because you are using a dynamic IP address, you'll probably want to enter the address of your internet service provider's mail server here. All backups will then be sent through this mail gateway. Save Click here to save your options. Send a backup now If you want to create a backup now and have your settings stored, click this button. Note If you enable mailing, logfile archives will not be sent, to keep the backup files at a reasonable size. Because a mailed backup contains your complete firewall configuration and travels through third-party mail servers, enable backup encryption (see Encrypt Backup files above) before you enable mailing. Reset configuration to factory defaults Figure 2.31. Reset to factory defaults

The button Factory defaults allows you to reset the configuration of your Endian Firewall to factory defaults. Internally, this restores a backup that was created on first boot. Shutdown or Restart Endian Firewall

In this section you can shutdown or reboot your Endian Firewall by clicking the "Shutdown" or "Reboot" button respectively. Figure 2.32. Shutdown / Reboot page

This page was last modified on: $Date: 2006-11-14 16:46:10 +0100 (Tue, 14 Nov 2006) $. Chapter 3. Status Menu Table of Contents Introduction System Status Services Memory Disk Usage Uptime and Users Loaded Modules Kernel Version Network Status Interfaces RED DHCP configuration Current Dynamic Leases Routing Table Entries ARP Table Entries System Graphs Traffic Graphs Proxy Graphs Connections SMTP Mail Statistics Mail Queue IPTables Rules Introduction Figure 3.1. Status menu selected

This group of web pages provides you with information and statistics from the Endian Firewall. To get to these web pages, select Status from the menu bar at the top of the screen. The following choices will appear in the left menu: System Status, Network Status, System Graphs, Traffic Graphs, Proxy Graphs, Connections, SMTP Mail Statistics, Mail Queue, IPTables Rules.

System Status The Status pages present you with a very thorough list of information regarding the current status of your Endian Firewall. The first subsection, System Status, displays the following in top-down order: Services, Memory, Disk Usage, Uptime and Users, Loaded Modules, Kernel Version.

Services - Displays which services are currently running. You may use this display to check whether all services you enabled really are up and running. Services which are not enabled are listed as stopped, which is expected. If you find a service that should be running but is not, restarting that service may solve the problem. Figure 3.2. Page which displays the actual running services

Memory Displays the memory/swapfile usage on your EFW box. Figure 3.3. Page which displays the current memory usage

This is the formatted output of the tool free. Basically it displays the amount of existing (Size) physical (RAM) and virtual (Swap) memory. The amount of existing memory actually reflects the memory which is available for user applications. For both physical and virtual memory you can see the amount of currently used and free memory. The percentage helps you to better judge the numbers. You may notice that after the system has been running for a while it reports a really small amount of free memory. To explain this, a short digression into how the kernel manages memory is needed. Since disk I/O is really slow compared to memory I/O, and since files normally get read multiple times, the kernel caches the data it reads from disk in RAM (the disk cache). The chance is quite high that the same data will be read again from the faster cache instead of from the slow disk, provided the data is still in the cache. Therefore the kernel fills up all your free memory with disk cache so as never to waste free RAM. You can see the amount of disk cache as cached in the screenshot above. But no worries: the kernel dynamically frees memory used as disk cache as soon as applications need it. To get a clue about how much memory will really be left to applications, look at the line -/+ buffers/cache. That line shows the amount of used and free memory without the kernel buffers and disk cache. If that line shows you have no more free memory, your machine begins to use the swap heavily and will probably run into performance problems. In this case it may be better to add some additional RAM. You may find additional information in the Linux System Administrator's Guide. Disk Usage Disk Usage - Displays the output of df, which reports the amount of total (Size), used and free disk space on your Endian Firewall. Figure 3.4. Page which displays the current disk usage

Note The mountpoint /dev shows up as if it were mounted twice. This is a known issue but has no side-effects. Uptime and Users Uptime and Users - Displays the output of the w command, which reports the current time, information about how long your system has been running without reboot, the number of users that are currently logged in and the system load averages for the past 1, 5 and 15 minutes. Figure 3.5. Page which displays uptime and current logged in users

If any user is currently logged in, you will see a table with information for each user, including his/her login name (USER), the tty name which has been used for login (TTY), the IP address of the remote host from which he/she is logged in (FROM), the timestamp of the login (LOGIN@), the amount of time the user was idle (IDLE), the CPU time used by all processes of the logged in user on this tty (JCPU), the CPU time used by the current process which the user actually runs (PCPU) and the process which the user is currently running (WHAT). Normally nobody should be logged in unless you are; a session you do not recognise, in particular one from an unexpected remote address, deserves investigation before anything else. Loaded Modules Loaded Modules - This displays all modules currently loaded and in use by the kernel. Figure 3.6. Page which displays the current loaded kernel modules

Kernel Version Kernel Version - This displays information on the EFW Kernel itself. This is the output of uname -a. It displays the kernel name, the hostname, the kernel version with release information, the timestamp of when it was built, the architecture for which it was built and the name of the operating system. Figure 3.7. Page which displays the kernel version

Network Status The Network Status subsection displays the following in top-down order: Interfaces Interfaces - This section displays information about all your network devices. This includes PPP, OpenVPN, IPSec, Loopback, etc. Basically this is the output of ifconfig. Figure 3.8. Displays interfaces

You will find each interface name colored with the appropriate zone color. The purple color identifies interfaces which belong to a VPN. Since each zone in reality is a bridge to which all assigned interfaces are joined, you need to look at the interfaces beginning with br. They are the real zone interfaces holding the IP addresses you configured, although they are virtual interfaces. The interfaces beginning with eth are the physically existing network cards. The interface called lo is the loopback interface. This one is needed to allow communication with the machine itself without leaving through any real network card. You may also find interfaces beginning with tap. Those interfaces are used for OpenVPN tunnels.

Each interface shows a bunch of information on the right side. If you want to know more, it would probably be better to read the Network Administrators Guide. Here you will find a short description of the most important values: Link encap Specifies the link type. Values like Ethernet, Local Loopback, Point-to-Point Protocol may appear here. HWaddr The hardware address (MAC) of the respective interface. inet addr The IP address which has been assigned to the interface. You may notice that the interfaces which are part of a bridge do not have an IP address. Bcast The broadcast address which has been assigned to the interface. Mask The network mask which has been assigned to the interface. RX/TX packets These lines show how many packets have been received or transmitted error-free, how many errors occurred, how many packets were dropped (probably because of low memory) and how many were lost because of an overrun. Receiver overruns usually happen when packets come in faster than the kernel can service the last interrupt. RX/TX bytes These lines show the data volume which has been received or transmitted by this interface. Between the lines described above you find a line with information about the status and options set for the respective interface. You may be concerned about the PROMISC option which is set for most of the interfaces. Most physical network cards are put into promiscuous mode since they are all part of a bridge and therefore need to be in this mode; it is the bridge, not a packet sniffer, that requires it. RED DHCP configuration Displays the DHCP configuration on your RED interfaces if DHCP is required by your internet connection. Figure 3.9. Displays current RED DHCP configuration

Current Dynamic Leases Displays the contents of the /var/state/dhcp/dhcpd.leases file if the DHCP server is enabled. The current dynamic leases are listed, with hostnames if available, and expiry dates. Leases that have expired are struck through.

Figure 3.10. Displays current dynamic leases

Note This section will only be visible if DHCP is enabled. Refer to the section on the DHCP Server for details. Routing Table Entries This is the output of route -n, which shows the kernel routing table. The routing table lets the kernel know which block of IP addresses it can reach behind which interface. Most of the lines in the output contain information about your local networks. But since you need the firewall to have connections to the internet, that is, to all destinations with IP addresses not directly known to the kernel, an entry is needed which sends all other packets to one specific IP address in the hope that that host knows more about the delivery. That specific host is called the default gateway. Within your output you may identify this configuration in the line with destination network address 0.0.0.0, which means all destinations. Figure 3.11. Displays current routing table

Besides, each line shows you the following information:

Destination Specifies the destination network address. The kernel compares the destination IP address of each packet passing through it with this destination network address and so finds the entry for the network the IP address belongs to.
Gateway Specifies the gateway, which is the host to which the packet should be sent. 0.0.0.0 means: put it on the media (LAN) and do not send it to a specific host.
Genmask The network mask of the respective network.
Flags The only interesting flags are the following: U means that the route is up. G means that the route uses the gateway address specified by Gateway. H means that the route entry is a host route, i.e. it applies to a single host instead of a whole network. You may notice that the netmask in this case is 255.255.255.255.
Iface Specifies the interface through which the kernel will send the packets if the respective routing entry applies.

ARP Table Entries This is the output of arp -n, which displays the ARP cache. In LANs, on the lowest layer the network interfaces are not addressed by an IP address but by the MAC address instead. In order to let the kernel know which IP address is assigned to which MAC address, the kernel sends an ARP request, which basically is a broadcast packet that asks all connected network interfaces whether they have the desired IP address. The one which has the relevant IP address responds with an ARP reply including its MAC address. So that the kernel does not have to send ARP requests all the time, replies are cached in the ARP table for a while. Figure 3.12. Displays ARP table

The output will show you the currently cached assignments of IP address (Address) to MAC address (HWaddress). Additionally you see behind which interface the network card with the respective MAC address can be found (Iface). You may notice lines with [incomplete] instead of a MAC address. This happens if someone tried to reach an IP address which is currently not available, because it is wrong or because the device with the assigned IP address is currently down or not connected. System Graphs Click on one of the four graphs (CPU Usage, Memory Usage, Swap Usage and Disk Access) to get graphs of the usage per Day, Week, Month and Year. Figure 3.13. Display of CPU graph
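The two tables above are the whole of the kernel's forwarding decision: pick the most specific matching route (the 0.0.0.0 entry only when nothing else matches), then resolve the next hop, which is either the destination itself when Gateway is 0.0.0.0 or the gateway address, through the ARP cache. The following added example walks that decision over constructed route -n and arp -n output in the layout shown on these pages; it is not Endian Firewall code, and the addresses, interface names and MAC addresses are made up. An [incomplete] entry is reported as a missing MAC, which is what you would see for a host route whose gateway never answered.

```python
"""Reproduce the kernel's forwarding decision from the two tables shown on
the Network Status page: longest-prefix route selection (0.0.0.0/0 being the
default gateway) followed by next-hop resolution through the ARP cache.
Added example over constructed route -n / arp -n output; not EFW code."""
import ipaddress

# Constructed output in the layout of `route -n` (all addresses are examples).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br1
203.0.113.0     0.0.0.0         255.255.255.248 U     0      0        0 eth2
172.16.5.1      203.0.113.6     255.255.255.255 UGH   0      0        0 eth2
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth2
"""

# Constructed output in the layout of `arp -n`.
ARP_N = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.20             ether   00:11:22:33:44:55   C                     br0
203.0.113.1              ether   00:aa:bb:cc:dd:ee   C                     eth2
192.168.0.99                     (incomplete)                              br0
"""


def parse_routes(text):
    """Return a list of (network, gateway, flags, iface) from route -n output."""
    routes = []
    for line in text.splitlines()[2:]:            # skip title and header rows
        dest, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.IPv4Network((dest, mask))  # Destination + Genmask
        routes.append((net, gw, flags, iface))
    return routes


def parse_arp(text):
    """Return {ip: mac} from arp -n output; an [incomplete] entry maps to None."""
    table = {}
    for line in text.splitlines()[1:]:            # skip header row
        fields = line.split()
        table[fields[0]] = None if "(incomplete)" in fields else fields[2].lower()
    return table


def select_route(routes, dst):
    """Longest-prefix match, as the kernel does.  The 0.0.0.0/0 entry (the
    default gateway) only wins when no more specific entry contains dst."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def next_hop(routes, arp, dst):
    """Return (iface, next_hop_ip, mac).  Gateway 0.0.0.0 means the target is
    on the link itself, so the target's own address is looked up in the ARP
    cache; otherwise the gateway's address is.  mac is None when the ARP entry
    is absent or [incomplete]."""
    route = select_route(routes, dst)
    if route is None:
        raise LookupError("no route to %s" % dst)
    _net, gw, _flags, iface = route
    hop = dst if gw == "0.0.0.0" else gw
    return iface, hop, arp.get(hop)


if __name__ == "__main__":
    routes, arp = parse_routes(ROUTE_N), parse_arp(ARP_N)
    for target in ("8.8.8.8", "192.168.0.20", "192.168.0.99", "172.16.5.1"):
        print(target, "->", next_hop(routes, arp, target))
```

Feed it the real output of route -n and arp -n from the firewall and you can answer "which interface and which MAC will this packet go to" without guessing; a default route whose gateway stays [incomplete] explains a RED link that is up but passes no traffic.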

Figure 3.14. Display disk usage graph

Figure 3.15. Display memory usage graph

Figure 3.16. Display current swap usage

Traffic Graphs This page gives a graphic depiction of the incoming and outgoing traffic of the EFW box. There are sections for each network interface, Green and Red (and Blue and Orange if configured), which show graphs of incoming and outgoing traffic through that interface. Click on one of the graphs to show more graphs of the traffic on that interface: per Day, Week, Month and Year. Figure 3.17. Displays traffic graph of the GREEN interface

Figure 3.18. Displays traffic graph of the RED interface

Proxy Graphs This page shows the traffic that went through the proxy service of the EFW box. The first section gives the date and time the graph was created, the lines analyzed, the duration of the analysis, the speed (lines per second), the start and end date and time of the graph as well as the domain (overall length of the graph in time). This information is useful in seeing whether the proxy has the correct size for the load being experienced. Connections Endian Firewall uses the Linux Netfilter or IPTables firewall facility to maintain a stateful firewall. Stateful firewalls keep track of connections to and from all GREEN, BLUE and ORANGE network IP addresses, based on both the source and destination IP addresses and ports, as well as the state of the connection itself. After a connection is established involving protected machines, only packets consistent with the current state of the connection are allowed their way through the Endian Firewall.

The IPTables Connection Tracking window shows the IPTables connections. Connection end points are color-coded based on their network location. The color-coding legend is displayed at the top of the page. Information on individual connections is displayed next. Each connection from or to your networks is shown. Note Click on an IP Address to do a reverse DNS lookup. Figure 3.19. Displays current connections

You might expect a connection intercepted by a transparent proxy to be shown here as two connections, one from the client to the firewall and one from the firewall to the remote host. In fact you will see three: the connection from your client to the proxy, the connection from the proxy to the remote host, and furthermore the intercepted connection from your client to the remote host, since that is the connection the client really established. The other two connections are only consequences of the redirect to the proxy, which is done by the kernel. SMTP Mail Statistics This page shows you statistics graphs about the SMTP Mail proxy. You get daily, weekly, monthly and yearly graphs. For each category you get two graphs. The first shows you the total amount of mails sent from behind the Endian Firewall to the outside, coloured blue, and the total amount of received mails, coloured green, plotted over time. For both, the average, minimum and maximum amount of messages per minute is calculated and shown below. The second graph visualizes the amount of messages per minute which have been blocked by the SMTP proxy for one of the following reasons: Rejected The mail has been rejected directly during receiving, because the mail server was not responsible for the domain or the recipient did not exist, etc. Bounced The mail bounced. This means the mail has been accepted by the mail server but has been rejected afterwards for some reason, for example because the mail server had no way to deliver it. Viruses The mail contained a virus. Spam The mail was spam. Mail Queue Displays the current mail queue. In the best case this is always empty. The mail queue contains mails which the mail server has not yet delivered for various reasons. You will find the respective reason printed in each line.
You can force the mail server to start delivery of the mail queue by pressing the button Flush Mailqueue. Please don't expect that the mail queue turns empty after doing that. This just starts delivery. If the mail server should be unable to deliver some mails again they will stay in the mail queue until expiration. Figure 3.20. Mail Queue

IPTables Rules

This window shows all IPTables rules that are currently configured on your Endian Firewall. Figure 3.21. Displays iptables rules

Chapter 4. Network Menu Table of Contents Introduction Host configuration (Edit Hosts) Aliases Introduction Figure 4.1. Network menu selected

This group of web pages is designed to help you administer network related configuration. To get to these web pages, select Network from the menu bar at the top of the screen. The following choices will appear in a submenu on the left: Edit Hosts Allows you to specify custom host entries for the DNS service. Aliases Allows you to configure IP aliases to your RED zone in order to set up multiple RED IP addresses.

Host configuration (Edit Hosts) This page allows you to configure custom host entries. Endian Firewall runs a DNS proxy called dnsmasq, which forwards all requests to the DNS resolvers of your RED uplink. You can configure the IP address of the Endian Firewall interface of the respective zone as DNS resolver on each of your clients. Then the DNS proxy will be used and you will benefit from a number of its features. One of the most useful is that it serves names from the hosts file on the firewall. This is very useful if you want to create hostnames which can be resolved only by your clients but cannot be set up directly on your DNS server. This page allows you to edit this hosts file. Below, under Current hosts, you will see listed (if any) all current host entries. By clicking on the pencil icon you can edit the respective entry. The trash icon removes the entry. Figure 4.2. Current hosts

To add a new host entry simply click on Add a host in order to open the dialogue. The following fields will appear: Host IP address Fill in the IP address to which you want the new host to point. Hostname Fill in the hostname which you want to assign to the IP address above. Domain name This field is optional. If you want to have the new hostname in a domain, then add it. However, if you prefer to have only the hostname without domain, for example because it is shorter, then leave this blank. If you create for instance a new entry with IP address 207.46.19.30, hostname beaten.by and domain samba.org, you will be able to ping beaten.by.samba.org from each of your clients. Note that directly editing the /etc/hosts file on the firewall will not get you far, since it is overwritten by the web administration interface, during reboot and on some other events: the content of that file is generated from the configuration you make on this page. Aliases This page allows you to create IP aliases for your RED interface. This is only possible if your RED type is ETHERNET STATIC. For all the other RED types you do not have the possibility to configure more than one RED IP address. You normally want to do this if you have more than one public IP address, in order to make them reachable from the outside. Figure 4.3. Add a new alias

If you click on Add a new alias, you will be able to create a new IP alias. The following configuration fields are available: Name Fill in some name which allows you to easily identify the alias later. This is only a label and has no other meaning. You may refer to this name later within the firewall configuration. Alias IP The IP address you want to set up. Note that this IP address has to be in the RED subnet, otherwise the configuration wizard will report an error. Enabled Toggles the configuration of the respective IP alias on or off. Below, in the box entitled Current aliases, you can see a list of already configured IP aliases (if any). On the right you can toggle the respective IP alias on/off by clicking on the checkbox icon. With the pencil icon you can edit the respective IP alias and with the trash icon you may remove one. For each configured IP alias you can define more precise firewall rules later on the firewall configuration pages. For example you may configure port forwarding of a specific port from a specific IP alias to a server behind ORANGE. Chapter 5. Services Menu Table of Contents Introduction DHCP Administrative Web Page DHCP Server Parameters Add a new fixed lease Current fixed leases

Current dynamic leases Error messages Dynamic DNS Administrative Web Page Add a host Current hosts Forcing a Manual Update ClamAV Antivirus Time Server Administrative Web Page Traffic Shaping Administrative Web Page Intrusion Detection System Administrative Web Page Linesrv (removed in version 2.1) Server Clients XLC WLC2 Hotspot Introduction Figure 5.1. Services menu selected

In addition to its core function of Internet firewall, EFW can provide a number of other services that are useful in a small network. These are: DHCP Server Dynamic DNS Management Clamav antivirus Time Server Traffic Shaping Intrusion Detection System Linesrv (has been removed in version 2.1) Hotspot

In a larger network it is likely that these services will be provided by dedicated servers and therefore should be disabled here.

DHCP Administrative Web Page DHCP (Dynamic Host Configuration Protocol) allows you to control the network configuration of all your computers or other devices from your Endian Firewall. When a computer (or a device like a printer, PDA, etc.) joins your network it will automatically be given a valid IP address, and its DNS and WINS configuration will be set from the EFW machine. To use this feature the machines must be configured to obtain their network configuration automatically. You can choose whether you want to provide this service to your GREEN (private) network and/or your BLUE (wireless) or ORANGE (DMZ) network. Just tick the relevant box. For a full explanation of DHCP you may want to read Linux Magazine's Network Nirvana - How to make Network Configuration as easy as DHCP DHCP Server Parameters Figure 5.2. Shows DHCP administration page

The following DHCP parameters can be set from the web interface: Start Address (optional) You can specify the lowest and highest addresses that the server will hand out to other requestors. The default is to hand out all the addresses within the subnet you set up when installing your Endian Firewall. If you have machines on your network that do not use DHCP, and have their IP addresses set manually, you should set the start and end address so that the server will not hand out any of these manually assigned IPs. Note You should also make sure that any addresses listed in the fixed lease section (see below) are also outside this range.

End Address (optional) Specify the highest address you want to hand out (see above). Default lease time This can be left at its default value unless you want to specify your own value. The default lease time is the time interval after which the lease for an assigned IP address expires and your computers will request a renewal of their lease, specifying their current IP address. Note If you change your DHCP parameters, those changes will be propagated to the machines in your network when they request a new lease. Generally, leases are renewed by the server. Maximum lease time This can be left at its default value unless you want to specify your own value. The maximum lease time is the time interval during which the DHCP server will always honor client renewal requests for their current IP addresses. After the maximum lease time, client IP addresses may be changed by the server. If the dynamic IP address range has changed, the server will hand out an IP address in the new dynamic range. Domain name suffix (optional) Sets the domain name that the DHCP server will pass to the clients. If a host name cannot be resolved, the client will try again after appending the specified name to the original host name. Many ISPs' DHCP servers set the default domain name to their network name and tell customers to get to the web by entering www as the default home page in their browser. www is not a fully qualified domain name. But the software in your computer will append the domain name suffix supplied by the ISP's DHCP server to it, creating a FQDN for the web server. If you do not want your users to have to unlearn addresses like www, set the Domain name suffix according to your ISP's DHCP server specifications. Note There should not be a leading dot in this box. Primary DNS Specifies what the DHCP server should tell its clients to use as Primary DNS server.
Because Endian Firewall runs a DNS proxy, you will probably want to leave the default value here so the Primary DNS server is set to the EFW box's IP address. If you have your own DNS server then specify it here. Secondary DNS You can also specify a second DNS server which will be used if the primary is unavailable. This could be another DNS server on your network or that of your ISP. Primary NTP Server (optional) If you are using Endian Firewall as an NTP Server, or want to pass the address of another NTP Server to devices on your network, you can put its IP address in this box. The DHCP server will pass this address to all clients when they get their network parameters. Secondary NTP Server (optional)

If you have a second NTP Server address, put it in this box. The DHCP server will pass this address to all clients when they get their network parameters. Primary WINS server address (optional) If you are running a Windows network and have a Windows Internet Name Service (WINS) server, you can put its IP address in this box. The DHCP server will pass this address to all hosts when they get their network parameters. Secondary WINS server address (optional) If you have a second WINS Server, you can put its IP address in this box. The DHCP server will pass this address to all hosts when they get their network parameters.

Below you will find the following global configuration possibility: Custom configuration lines In this field you have the possibility to add configuration lines which will then be added to the configuration file of the DHCP server. This certainly is optional. Warning Use it only if you know exactly what you are doing, since wrong syntax will cause the DHCP server to refuse to start! Read the documentation of the DHCP server on ISC to be sure whether you need to add custom configuration lines. For example you may use this configuration possibility to send the location of the configuration files of your VoIP telephones to those telephones. Example 5.1. Example of a custom configuration line

option tftp-server-name "http://%(GREEN_ADDRESS)s";
option bootfile-name "download/snom/{mac}.html";

When you press Save, the changes will be applied.

Add a new fixed lease If you have machines whose IP addresses you would like to manage centrally but which require that they always get the same fixed IP address, you can tell the DHCP server to assign a fixed address based on the MAC address of the network card in the machine. This is different from using manual addresses, as these machines will still contact the DHCP server to ask for their IP address and will take whatever you have configured for them. Figure 5.3. Add a fixed lease

You can specify the following fixed lease parameters:

MAC Address
The six octet/byte colon separated MAC address of the machine that the fixed lease is for.

Warning
The format of the MAC address is xx:xx:xx:xx:xx:xx, not xx-xx-xx-xx-xx-xx as some machines show, e.g. 00:e5:b0:00:02:d2.

IP Address
The static lease IP address that the DHCP server will always hand out for the associated MAC address.

Note
Do not use an address from the server's dynamic address range.

Remark (optional)
If you want, you can include a string of text to identify the device using the fixed lease.

Next Address (optional)
Some machines on your network may be thin clients that need to load a boot file from a network server. You can specify the server here if needed.

File Name (optional)
Specify the boot file for this machine.

Root Path (optional)
If the boot file is not in the default directory then specify the full path to it here.

Enabled
Tick this check box to tell the DHCP server to hand out this static lease. If the entry is not enabled, it will be stored in EFW's files, but the DHCP server will not issue this lease.

Current fixed leases

This section displays the current fixed leases and allows editing or deleting them. You can sort the display of the fixed leases by clicking on the underlined headings MAC Address or IP Address. Another click on the heading will reverse the sort order.

Figure 5.4. Shows the current fixed leases

To edit an existing lease, click on its pencil icon. The fixed lease's values will be displayed in the Edit an existing lease section of the page, and the lease being edited will be highlighted in yellow. Click the Update button to save any changes. To remove an existing lease, click on its trash can icon. The lease will be removed.

Current dynamic leases
If DHCP is enabled, this section lists the dynamic leases contained in the /var/lib/dhcp/dhcpd.leases file. The IP Address, MAC Address, hostname (if available) and lease expiry time of each record are shown, sorted by IP Address. You can sort the display of dynamic leases by clicking on any of the four underlined column headings. A further click will reverse the sort order. It is easy to cut and paste a MAC Address from here into the fixed lease section (see the section called Current fixed leases), if needed.

Figure 5.5. Shows the current dynamic leases
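The following is an added example, not part of the original guide or of Endian Firewall's own code: it parses a constructed excerpt in the dhcpd.leases format described above (IP, MAC, hostname, expiry, sorted by IP, expired leases flagged), applies the two checks the fixed lease page asks for (colon-separated MAC, IP outside the dynamic range), and shows the equivalent dhcpd.conf host declaration. The lease data, addresses and times are made up; the dynamic range is passed in as an assumption.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed excerpt in the format dhcpd writes to /var/lib/dhcp/dhcpd.leases;
# the addresses, MAC addresses and times are made up for this example.
SAMPLE_LEASES = """\
lease 192.168.0.120 {
  starts 3 2006/11/22 08:00:00;
  ends 3 2006/11/22 20:00:00;
  binding state active;
  hardware ethernet 00:e5:b0:00:02:d2;
  client-hostname "phone-01";
}
lease 192.168.0.101 {
  starts 2 2006/11/21 08:00:00;
  ends 2 2006/11/21 20:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
"""

# The web page wants xx:xx:xx:xx:xx:xx, six colon-separated octets
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
LEASE_RE = re.compile(r"lease (?P<ip>[\d.]+) \{(?P<body>.*?)\}", re.DOTALL)
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_leases(text):
    """Return the lease records (ip, mac, hostname, expires) sorted by IP,
    as the Current dynamic leases table does. Times in the file are UTC."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        ends = re.search(r"ends \d (\S+ \S+);", body)      # 'ends never;' -> None
        mac = re.search(r"hardware ethernet (\S+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        leases.append({
            "ip": ipaddress.ip_address(m.group("ip")),
            "mac": mac.group(1) if mac else None,
            "hostname": host.group(1) if host else "",
            "expires": (datetime.strptime(ends.group(1), TIME_FMT)
                        .replace(tzinfo=timezone.utc) if ends else None),
        })
    return sorted(leases, key=lambda lease: lease["ip"])


def lease_table(text, now_utc):
    """Rows of (ip, mac, hostname, expired) for a given 'now' written in the
    file's time format; expired rows are the ones the page shows struck through."""
    now = datetime.strptime(now_utc, TIME_FMT).replace(tzinfo=timezone.utc)
    return [(str(lease["ip"]), lease["mac"], lease["hostname"],
             lease["expires"] is not None and lease["expires"] < now)
            for lease in parse_leases(text)]


def check_fixed_lease(mac, ip, range_start, range_end):
    """Checks from the fixed lease page: colon-separated MAC and an IP outside
    the dynamic range (range_start..range_end, inclusive, assumed known).
    Returns a list of problems; an empty list means the entry is acceptable."""
    problems = []
    if not MAC_RE.match(mac.lower()):
        problems.append("MAC must be six colon-separated octets, xx:xx:xx:xx:xx:xx")
    addr = ipaddress.ip_address(ip)
    if ipaddress.ip_address(range_start) <= addr <= ipaddress.ip_address(range_end):
        problems.append("IP address lies inside the dynamic address range")
    return problems


def fixed_lease_stanza(name, mac, ip):
    """The dhcpd.conf host declaration that corresponds to a fixed lease entry."""
    return f"host {name} {{\n  hardware ethernet {mac};\n  fixed-address {ip};\n}}\n"


if __name__ == "__main__":
    for row in lease_table(SAMPLE_LEASES, "2006/11/22 12:00:00"):
        print(row)
    print(check_fixed_lease("00-e5-b0-00-02-d2", "192.168.0.150",
                            "192.168.0.100", "192.168.0.200"))
    print(fixed_lease_stanza("phone01", "00:e5:b0:00:02:d2", "192.168.0.20"))
```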

Lease times that have already expired are struck through.

Error messages
An error message will appear at the top of the page if a mistake is found in the input data after you press the Save button.

Dynamic DNS Administrative Web Page
Dynamic DNS (DYNDNS) allows you to make your server available to the Internet even though it does not have a static IP address. To use DYNDNS you must first register a subdomain with a DYNDNS provider. Then, whenever your server connects to the Internet and is given an IP address by your ISP, it must tell the DYNDNS server this IP address. When a client machine wishes to connect to your server it will resolve the address by asking the DYNDNS server, which will answer with the latest value. If this is up to date then the client will be able to contact your server (assuming your firewall rules allow this). EFW makes the process of keeping your DYNDNS address up to date easier by providing automatic updates for many of the DYNDNS providers.

Add a host

Figure 5.6. Shows the dialogue which allows you to create a new DynDNS configuration

The following DYNDNS parameters can be set from the web interface:

Service
Choose a DYNDNS provider from the dropdown. You should have already registered with that provider.

Behind a proxy
This tick box should be ticked only if you are using the no-ip.com service and your Endian Firewall is behind a proxy. This tick box is ignored if you choose any of the other services.

Enable wildcards
Enable Wildcards will allow you to have all the subdomains of your dynamic DNS hostname pointing to the same IP as your hostname (e.g. with this tick box enabled, www.some.dyndns.org will point to the same IP as some.dyndns.org). This tick box is useless with the no-ip.com service, as they only allow this to be activated or deactivated directly on their website.

Hostname
Enter the hostname you registered with your DYNDNS provider.

Domain
Enter the domain name you registered with your DYNDNS provider.

Username
Enter the username you registered with your DYNDNS provider.

Password
Enter the password for your username.

behind Router (NAT)
If your Endian Firewall resides behind a device which does NAT, you need to tick this on. In that case the Endian Firewall cannot itself know the real public IP address that is needed for the update. In order to get the real public IP address, Endian Firewall uses checkip.dyndns.org to determine it.

Enabled
If this is not ticked then Endian Firewall will not update the information on the DYNDNS server. It will retain the information so you can re-enable DYNDNS updates without reentering the data.

Current hosts
This section shows the DYNDNS entries you have currently configured.

Figure 5.7. Shows the currently configured DynDNS configuration

To edit an entry click on its pencil icon. The entry's data will be displayed in the form above. Make your changes and click the Save button on the form. You can also update the Behind a proxy, Use wildcards and Enabled tick boxes directly from the current host's list entry.

Forcing a Manual Update
You can force EFW to refresh the information manually by pressing Force Update; however, it is best to only update when the IP address has actually changed, as dynamic DNS service providers don't like to handle updates that make no changes. Once the host entries have been enabled your IP will automatically be updated each time your IP changes.

ClamAV Antivirus
ClamAV is an Open Source virus scanner that can be used to scan all incoming traffic for viruses. Endian Firewall lets you configure the most important features.

Figure 5.8. ClamAV Antivirus

In the Clamav configuration box you can set the way ClamAV will handle incoming archives. The options are:

Max. archive size
This lets you set the maximum archive size in Megabytes that will be scanned by ClamAV.

Max. nested archives
Here you can specify the maximum depth of nested archives ClamAV will scan.

Max. files in archive
ClamAV will not scan archives that contain more files than specified here.

Max compression ratio
Here you can specify the maximum compression ratio of archives that will be scanned by ClamAV.

Handle bad archives
By selecting the Do not scan but pass radio button, all archives that fail to comply with any of the parameters described above will not be scanned but will still pass. You can change this behaviour by selecting Block as virus. This will block all archives that do not comply with any of these parameters.

Block encrypted archives
ClamAV cannot scan encrypted archives. If you do not want encrypted archives to pass the virus check, tick this on.

You can also change the update interval of your ClamAV signature database by selecting the appropriate interval type in the Clamav signature update schedule section.

Tip
By moving your mouse cursor over the question marks you will get information on when exactly the updates will happen for the respective interval type.

Time Server Administrative Web Page
Endian Firewall can be configured to obtain the time from a known accurate timeserver on the Internet. In addition to this it can also provide this time to other machines on your network.

Figure 5.9. Shows the Time server administrative web page

To configure the time system, make sure that the Enabled box is ticked and enter the full name of the timeserver you want to use in the Primary NTP Server box. You can also enter an optional Secondary NTP Server if you want to.

Endian Firewall will use these NTP servers to keep its time synchronized. It automatically does an update once every hour. If you do not want your firewall to update itself, make sure the Synchronize with time servers box is not checked.

If you want to change your timezone you can do this in the Change the Timezone box. Just select your timezone from the drop-down list and hit the Save button.

To save your configuration click the Save button.

If you choose not to use an Internet timeserver, by ticking off Synchronize with time servers, you can enter the time manually and click the Instant Update button in the Update the time box.

Note
Before version 2.1 the Synchronize with time servers option was called Disable autoupdate; its meaning has been inverted since then.

Note
Before version 2.1 Endian Firewall was using the ntpdate command. Since 2.1 it uses the ntpd daemon to synchronize the time, which is more accurate.

Note
The first synchronization can take some minutes if the preconfigured time is extremely wrong.

Traffic Shaping Administrative Web Page
Traffic Shaping allows you to prioritize IP traffic moving through your firewall. Endian Firewall uses WonderShaper to accomplish this. WonderShaper was designed to minimize ping latency and to ensure that interactive traffic like SSH is responsive while downloading or uploading bulk data.

Figure 5.10. Shows traffic shaping settings

Many ISPs sell speed as download rates, not as latency. To maximize download speeds, they configure their equipment to hold large queues of your traffic. When interactive traffic is mixed into these large queues, its latency shoots way up, as ACK packets must wait in line before they reach you. Endian Firewall takes matters into its own hands and prioritizes your traffic the way you want it. This is done by sorting traffic into High, Medium and Low priority categories. Ping traffic always has the highest priority, to let you show how fast your connection is while doing massive downloads.

Figure 5.11. Shows Type of Service configuration

To use Traffic Shaping in Endian Firewall:

1. Use well known fast sites to estimate your maximum upload and download speeds. Fill in the speeds in the corresponding boxes of the Settings portion of the web page.
2. Enable traffic shaping by checking the Enable box.
3. Identify what services are used behind your firewall.
4. Then sort these into your 3 priority levels. For example:
   a. Interactive traffic such as SSH (port 22) and VoIP (voice over IP) go into the high priority group.
   b. Your normal surfing and communicating traffic like the web (port 80) and streaming video/audio go into the medium priority group.
   c. Put your bulk traffic such as P2P file sharing into the low priority group.
5. Create a list of services and priorities using the Add service portion of the web page.

The services above are only examples of a potential Traffic Shaping configuration. Depending on your usage, you will undoubtedly want to rearrange your choices of high, medium and low priority traffic.

Intrusion Detection System Administrative Web Page
Endian Firewall contains a powerful intrusion detection system, Snort, which analyses the content of packets received by the firewall and searches for known signatures of malicious activity.

Figure 5.12. Intrusion Detection System administrative web page

EFW can monitor packets on the GREEN, BLUE, ORANGE and RED interfaces. Just tick the relevant boxes and click the Save button.

As more attacks are discovered, the rules Snort uses to recognize them will be updated. You can choose between 3 update types:

Community Rules (no subscription needed)
Sourcefire VRT rules with subscription
Sourcefire VRT rules for registered users

Sourcefire VRT Certified Rules are the official rules of snort.org. Each rule has been rigorously tested against the same standards the VRT uses for Sourcefire customers. These rules are distributed under the new VRT Certified Rules License Agreement that restricts commercial redistribution. There are three ways to obtain these rules:

1. Subscribers receive real-time rules updates as they are available.
2. Registered users can access rule updates 5 days after release to subscription users.
3. Unregistered users receive a static ruleset at the time of each major Snort release.

To download the latest version, select your preferred rules type and click the Download new ruleset button.

To utilize Sourcefire VRT Certified Rules, you need to register on http://www.snort.org, acknowledge the license, receive your password by email, and connect to the site. Go to USER PREFERENCES, press the 'Get Code' button at the bottom and copy the 40 character Oink Code into the field.

Linesrv (removed in version 2.1)

Note
LINESRV HAS BEEN COMPLETELY REMOVED IN VERSION 2.1!!

Linesrv is a server to remotely control the internet connection. Clients on other hosts may talk to this server and ask it to establish a certain line. It then sends a message to all connected clients that the connection is established. The connection won't get killed until each client has told it to do so, has timed out or has been terminated.

Server
Linesrv is the server part of the LineControl tool. You need to enable the server if you want to use the remote clients.

Figure 5.13. Linesrv

Enabled
Tick this to enable the LineControl Server.

Save
To save the changes and restart the LineControl server press the Save button.

Note
The LineControl Server is frequently used with ISDN lines and therefore it is desirable that the line does not come up automatically on a reboot. This is the default when linesrv is enabled.

Clients
There exist multiple clients for GNU/Linux and Windows, as well as clients written in Java (platform independent). The clients can be downloaded from linecontrol.srf.ch.

XLC
XLC is a Linux LineControl client (Linux X (gtk)). If your distribution does not ship xlc, you can obtain the client from linecontrol.srf.ch.

Figure 5.14. XLC Line down

The picture shows the XLC client with a disconnected main line.

Figure 5.15. XLC initiate a Connection

The picture shows how to connect the main line.

Figure 5.16. XLC main connection initiated

The XLC client shows that the main line is now connected.

Figure 5.17. XLC up manually

The main line is up manually and the LineControl server cannot stop/start the connection. This is the case when the connection was initiated through the Web GUI.

Warning
LineControl can only control connections initiated through linesrv. If the client shows the status "up manually", you need to disconnect the line through the Web GUI and start the connection from the LineControl client.

WLC2
WLC2 is a Windows client for the LineControl Server. The client works on Win 9x/Me/2000/XP/2003 and can be downloaded from linecontrol.srf.ch.

Figure 5.18. WLC disconnected

The main line is disconnected and you can connect the line by pressing the online button.

Figure 5.19. WLC line is up

The main connection is established and you can close the connection by pressing the offline button. If no other user needs the internet connection the line goes down.

Figure 5.20. WLC connection established

Another user is using the internet connection. You can now press the online button, and the connection won't get killed until each client has told it to do so.

Figure 5.21. WLC up manually

The main line is up manually and the LineControl server cannot stop/start the connection. This is the case when the connection was initiated through the Web GUI.

Warning
LineControl can only control connections initiated through linesrv. If the client shows the status "up manually", you need to disconnect the line through the Web GUI and start the connection from the LineControl client.

Warning
Please close or disconnect any LineControl client before restarting the LineControl server.

Hotspot

Figure 5.22. Hotspot Activation

On this page you can enable the Endian Hotspot on the BLUE zone by ticking the checkbox labeled Enabled on BLUE and then hitting the Save button. For further configuration options you have to click on the Hotspot administration interface link, which will then open a new page.

Note
In order to be able to run the Endian Hotspot you will have to have the BLUE zone enabled. The IP of the BLUE interface must belong to a C-class network and it must end with a trailing .1, e.g. 192.168.20.1/24. The bridge for the BLUE zone does not support more than one port.

Note
Usually the hotspot is intended for use with wireless networks; however, this is not mandatory. It is also possible to connect a normal switch to the BLUE LAN port. Please note also that there is no wireless access point supplied with Endian Firewall.

Tip
If you are running a Community version of Endian Firewall and are wondering where your Endian Hotspot may be, just upgrade to Endian Firewall Enterprise Edition.

This page was last modified on: 2006-11-22 00:47:05 +0100 (Wed, 22 Nov 2006).

Chapter 6. Firewall Menu

Table of Contents
Introduction
Firewall
Port Forwarding Administrative Web Page
Port Forwarding Overview
Port Forwarding and External Access
External Access Administrative Web Page
Zone Pinholes Administrative Web Page
Outgoing Firewall Administrative Web Page
Globally DENY outgoing traffic to RED and explicitly configure outgoing rules
Globally ALLOW outgoing traffic to RED

Introduction

Figure 6.1. Firewall menu selected

In the Firewall Menu you can find some of the core functions of EFW which control how traffic will flow through the firewall. These are:

Firewall
Port Forwarding
External Access (controls remote administration of EFW from the Internet)
Zone Pinholes
Outgoing Firewall

Firewall
This feature is one of the most important parts of Endian Firewall and most probably the reason for you to use a firewall. Endian Firewall uses a standard netfilter firewall and creates its firewall rules using iptables. Basically Endian Firewall is configured in a way that the firewall itself is the only point of contact seen from the outside or the internet. The public IP addresses can be assigned only to the RED interface, thus a connection attempt from the internet to one of your public IP addresses will reach only the RED interface of the firewall and cannot pass beyond, as this has been made technically impossible by the use of NAT. Routing of public IP addresses to a zone behind the firewall will be prevented, since this would circumvent the firewall rules.

Figure 6.2. Diagram of flow control and its configuration possibilities

If not configured otherwise, the firewall's default settings will block all traffic coming from the outside. As default behaviour, traffic from the GREEN zone will be allowed to pass to each of the other zones (BLUE and ORANGE), since GREEN is the trusted network, but for each pass from one zone to another NAT will be performed to obscure the real source address and, by doing this, hide all information about the network configuration of the GREEN zone. On the other side, no access from any of the other zones will be granted to anywhere by default. The only exception is access to the RED interface, the internet, but still only some standard services (HTTP, FTP, SMTP, DNS) are allowed by default when accessing from the GREEN zone, and only DNS when trying to access from the BLUE and ORANGE zones.

Certainly Endian Firewall gives you the possibility to lighten these strong restrictions and lets you define access rules between each pair of zones. In order to allow access to RED, the internet, you will have to configure this in the Outgoing Firewall submenu. If you need to give access from the outside to the firewall itself, you need to create rules in the External Access menu. Access from BLUE to GREEN and from ORANGE to GREEN or BLUE will be arranged by Zone Pinholes. If you have servers in the DMZ in ORANGE and need to allow access from the internet, you can create a port forwarding rule. You may flexibly forward different ports from the same IP address to different servers within the DMZ, or different ports from different IP addresses to the same servers, just as you wish.

Port Forwarding Administrative Web Page
This subsection allows you to configure the Port Forwarding settings for Endian Firewall. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

Port Forwarding Overview
Firewalls prevent externally initiated requests from accessing the protected system. However, sometimes this may be too strict. For example, if one is running a web server, then any requests to that web server by users outside of the protected network will be blocked by default. This means that only users on the same internal network can use this web server. Obviously this is not the normal situation for web servers. Most people want people from the outside to be able to access the server. This is where Port Forwarding comes in. Port Forwarding is a service that allows limited access to the internal LANs from the outside. When you set up your server, you can choose the receiving or listening ports on the internal network machines. These ports differ for every kind of service that may be hosted. Please refer to the documentation that came with your servers to set up the ports on those servers.

Figure 6.3. Adding a new port forwarding configuration

Once those receiving ports are ready, you can enter the information that is needed into the administration interface on Endian Firewall. The following describes each configuration field:

Protocol
This drop down list allows you to choose which protocol this rule will follow. Possible values are TCP, UDP and GRE. Most regular servers use TCP. Some game servers and chat servers use UDP. The GRE protocol is used for example in PPTP. If the protocol is not specified in the server documentation, then it usually is TCP.

Source port
This is the port to which the outsiders will connect. In most cases, this will be the standard port for the service being offered (80 for web servers, 20 & 21 for FTP servers, 25 for mail servers, etc.). If you want to, you may specify a range of ports to forward. To specify a range, use the : character between two port numbers, lowest number first.

Note
Port ranges cannot overlap each other.

Destination IP
This is the internal IP address of the server (for example, you may have your web server running on 192.168.0.3).

Destination Port
This is the port that you have chosen when you set up your server in the first paragraph. You only need to enter the source port; the destination port will be filled in for you if it does not differ.

Alias IP
This dropdown menu allows you to choose which RED IP will be affected by this rule. Endian Firewall has the capability of handling more than one RED IP. With the Aliases submenu in the Network main menu you are able to configure them. If you only have one RED IP set up, then choose Default IP.

Remark
This is optional. As the name says, this field allows you to add some remark, in order to more easily identify the rule in the current rules list.

Enabled
Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

Endian Firewall automatically creates a NAT rule for each zone for each configured port forwarding rule, in order to allow access to ORANGE not only from RED but also from each of the other zones.

Note
If you create a port forwarding rule from an alias IP, Endian Firewall automatically generates NAT rules for outgoing connections started by the machine to which the port has been forwarded, in order to change the source IP address to the respective alias IP. This NAT will occur only for destination ports equal to those forwarded. This is needed, for example, if you want to run a mail server within the DMZ and therefore forward port 25 to the machine in the ORANGE network. That machine certainly needs to send mails with the alias IP and not with the main RED IP address.

Port Forwarding and External Access
The External Access page has NO effect on the GREEN or ORANGE networks. It is here to allow you to open ports to the EFW box itself and not to the GREEN or ORANGE networks. How do you allow external access then? It is combined with the Port Forwarding page: there is a field on the page labeled 'Source IP, or network (blank for "ALL"):'. This is the field that controls external access. If you leave it BLANK, your port forwarding rule will be applied to ALL INTERNET ADDRESSES. Alternatively, if you put an address or network in this field, access will be restricted to that specified network or internet address.

Figure 6.4. Adds an ACL to a port forwarding rule

You can have more than one external address. After you have created the port forwarding entry, it will appear in the table. If you wish to add another external address, click the Red Pencil with the Plus sign next to the entry. The entry screen at the top of the page will change (it will load the values from the port forwarding entry) and allow you to enter an external IP address or network. When added, you will notice that there is a new entry for this forwarded port in the table.

Note
You can have port ranges and wildcards. Valid wildcards are:
o * which translates to 1-65535
o 85-* which translates into 85-65535
o *-500 which translates into 1-500

Reserved ports: on the main RED address (Default IP) some ports are reserved for EFW services. They are 67 and 68, for doing DHCP on RED, and 10443 for the web interface itself.
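As an added example (not part of the original guide or of Endian Firewall's own code), the checks an administrator would want to run over a set of port forwarding entries before saving them: expanding the wildcard and range notation listed above, detecting overlapping source port ranges on the same RED IP and protocol, flagging forwards on the Default IP that cover the reserved ports 67, 68 and 10443, and flagging a blank source field, which opens the forward to all Internet addresses. The rule dictionaries and their field names are an assumption made for this example; the sample rules are constructed.

```python
import re

MAX_PORT = 65535
# Ports the guide lists as reserved on the main RED address (Default IP):
# 67 and 68 for DHCP on RED and 10443 for the web interface itself.
RESERVED_ON_DEFAULT_IP = {67, 68, 10443}


def parse_port_spec(spec):
    """Expand a Source port entry to an inclusive (low, high) tuple.
    Accepts a single port, a low:high range and the page's wildcards:
    '*' -> 1-65535, '85-*' -> 85-65535, '*-500' -> 1-500."""
    spec = spec.strip()
    if spec == "*":
        return (1, MAX_PORT)
    m = re.fullmatch(r"(\*|\d+)[:-](\*|\d+)", spec)
    if m:
        lo = 1 if m.group(1) == "*" else int(m.group(1))
        hi = MAX_PORT if m.group(2) == "*" else int(m.group(2))
    elif spec.isdigit():
        lo = hi = int(spec)
    else:
        raise ValueError(f"unrecognised port specification {spec!r}")
    if not 1 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"range must be low:high within 1-65535: {spec!r}")
    return (lo, hi)


def validate_forwards(rules):
    """Check a list of port forwarding rules. Each rule is a dict (field names
    assumed for this example) with alias_ip ('Default IP' or an alias),
    protocol, src_port and source (the 'Source IP, or network (blank for
    "ALL")' field). Returns a list of problems; empty means nothing to fix."""
    problems = []
    seen = {}  # (alias_ip, protocol) -> [(lo, hi, original spec)]
    for r in rules:
        try:
            lo, hi = parse_port_spec(r["src_port"])
        except ValueError as err:
            problems.append(str(err))
            continue
        key = (r["alias_ip"], r["protocol"])
        # Port ranges on the same RED IP and protocol must not overlap
        for plo, phi, pspec in seen.get(key, []):
            if lo <= phi and plo <= hi:
                problems.append(f"{r['src_port']} overlaps {pspec} on {key[0]}/{key[1]}")
        seen.setdefault(key, []).append((lo, hi, r["src_port"]))
        # Reserved ports on the Default IP would capture EFW's own services
        if r["alias_ip"] == "Default IP":
            hit = sorted(p for p in RESERVED_ON_DEFAULT_IP if lo <= p <= hi)
            if hit:
                problems.append(f"{r['src_port']} on Default IP covers reserved port(s) {hit}")
        # A blank source means the forward is open to ALL Internet addresses
        if not r.get("source", "").strip():
            problems.append(f"{r['src_port']}/{key[1]}: blank source, open to ALL addresses")
    return problems


# Constructed rule set for this example (addresses are documentation ranges)
SAMPLE_RULES = [
    {"alias_ip": "Default IP", "protocol": "TCP", "src_port": "80",
     "source": "203.0.113.0/24", "dest": "192.168.0.3"},
    {"alias_ip": "Default IP", "protocol": "TCP", "src_port": "10440:10450",
     "source": "203.0.113.5", "dest": "192.168.0.4"},
    {"alias_ip": "Default IP", "protocol": "TCP", "src_port": "85-*",
     "source": "", "dest": "192.168.0.5"},
]

if __name__ == "__main__":
    for problem in validate_forwards(SAMPLE_RULES):
        print(problem)
```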

Figure 6.5. Currently configured port forwarding rules

You have already noticed the rules listing below in the Current rules box, since this is the place where you can find the red pencil icon. You can edit a record by clicking on the Yellow Pencil icon in the Action column; until you hit the Update button nothing changes and nothing is lost. When you are editing a record you will see the record highlighted in yellow. When you edit a port forwarding rule, there will be an extra check box labeled Override external access to ALL. This is used as a quick and dirty way to open a port to ALL Internet addresses for testing or whatever your reasons may be.

To delete a record, click on the Trash Can icon on the right hand side of the Action column.

Note
If you have a forwarded port with multiple external access rules and delete all of the external access rules, the port becomes open to ALL addresses, so be careful.

There is a shortcut to enable or disable a port forward or external access: click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click on the checkbox to enable it again.

Note
When you disable the port forward, all associated external access rules are disabled, and when you enable the port forward, all associated external access rules are enabled.

External Access Administrative Web Page
This subsection allows you to configure the External Access settings for the Endian Firewall machine itself. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

Figure 6.6. Add a new external access rule

External Access only controls access to the Endian Firewall box. It has no effect on GREEN, BLUE or ORANGE network access. That is controlled in the Port Forwarding section, as described above. If you wish to maintain your EFW machine remotely, you should enable access on TCP port 10443, https. If you have enabled ssh access, you can also enable TCP port 22, ssh.

The following describes the configuration fields of the Add a new rule box:

Protocol
The drop down list allows you to choose which protocol this rule will follow. Possible values are TCP and UDP. Most regular servers use TCP. If the protocol is not specified in the server documentation then it is usually TCP.

Source IP, or network (blank for "ALL")
This is the IP address of the external machine(s) you want to give permission to access your firewall. You may leave this blank, which allows any IP address to connect. Although dangerous, this is useful if you want to maintain your machine from anywhere in the world. However, if you can limit the IP addresses for remote maintenance, only these IP addresses or networks should be listed in this box.

Destination Port
This is the external port that they are allowed to access, e.g. 10443.

Destination IP
This dropdown menu allows you to choose which RED IP this rule will affect. Endian Firewall has the capability of handling more than one RED IP. If you only have one RED IP set up then choose Default IP.

Enabled
Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.

Current rules lists all the rules that have been created. To remove one, click the Trash Can icon. To edit one, click the Yellow Pencil icon. To enable or disable a rule, click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.

Figure 6.7. Displays currently configured rules

Note
By default port 113 will be opened. This is a dirty solution to make connections faster. Many services use an old, unsafe protocol (ident) to fulfill standards; it asks for the remote user who has established the connection to the service. Since most machines do not support this service anymore, connections take a long time to establish, because the ident request has to time out when the firewall drops those packets. This rule opens the ident port, so the kernel can promptly reject the ident packet and there is no need to wait for a timeout. Currently this is the only possibility, since there is not yet support for rejecting packets; Endian Firewall supports only silently dropping them.

Zone Pinholes Administrative Web Page
This subsection allows you to configure the Zone Pinholes settings for Endian Firewall. This is 100% optional, so you may safely ignore this section if you do not want to make use of this feature.

Note
This page will only be visible if you have enabled the ORANGE and/or the BLUE zone within the Network Wizard.

A DMZ or Demilitarized Zone (ORANGE zone) is used as a semi-safe interchange point between the external RED zone and the internal GREEN zone. The GREEN zone has all your internal machines. The RED zone is the Internet at large. The DMZ allows them to share servers without allowing undue access to the internal LAN by those in the RED zone. For example, suppose that your business has a web server. Certainly, you want your customers (those in the RED zone) to be able to access it. But what if you also want your web server to be able to send customer orders to employees in the GREEN zone? In a traditional firewall setup, this wouldn't work, because the request for access to the GREEN zone would be initiated from outside the GREEN zone. You certainly do not want to give all your customers direct access to the machines on the GREEN side, so how can this work? By using the DMZ and zone pinholes.

Figure 6.8. Adds a new pinhole rule

Zone pinholes give machines in the ORANGE (DMZ) zone (and also the BLUE zone) limited access to certain ports on GREEN machines. Because servers (the machines in the ORANGE zone) have to have relaxed rules with respect to the RED zone, they are more susceptible to hacking attacks. By only allowing limited access from ORANGE to GREEN, this will help to prevent unauthorized access to restricted areas should your server be compromised.

The following describes the configuration fields of Add a new rule:

Protocol
The drop down list allows you to choose which protocol this rule will follow. Possible values are TCP and UDP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP.

Source Net
This is a drop down menu that shows the available source networks on the machine. You will not find the GREEN network here, since GREEN, being the trusted network, can access all zones by default.

Source IP
This is the IP address of the machine that you wish to give permission to access your internal servers.

Destination Net
This is a drop down menu that shows the available destination zones.

Destination IP
Fill in the IP address of the machine in your GREEN or BLUE zone that you want to open. The IP address must be part of the destination zone you selected before.

Destination Port
This is the destination port you want to open. This is optional. If you do not specify a port, access to the machine will not be limited to a port.

Remark
You may add a remark which then helps you to more easily identify the rule within the Current rules list.

Enabled
Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.

Figure 6.9. Lists all configured pinhole rules

Current rules lists the rules that are in effect. To remove one, click the trash can icon. To edit one, click the pencil icon. To enable or disable a rule, click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.

Outgoing Firewall Administrative Web Page

This subsection allows you to configure the Outgoing Firewall settings for Endian Firewall. You can either:

- Globally ALLOW outgoing traffic to RED (Internet), or set the single port for the outgoing traffic.
- Globally DENY outgoing traffic to RED and explicitly configure outgoing rules.

The following services are allowed by default from the GREEN zone:

HTTP
HTTPS
FTP
SMTP
POP3
IMAP
DNS

DNS is also allowed by default for all other zones.

Figure 6.10. Adds a new outgoing rule

If you want to add a rule, open the Add a new rule dialogue, whose fields are described below:

Remark: You may add a remark, which then helps you to identify the rule more easily within the Current rules list.

Enabled: Tick this box to enable the current rule. You may temporarily disable a rule by unticking it.

Protocol: The drop down list allows you to choose which protocol this rule will follow. Possible values are UDP and TCP. Most regular servers use TCP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP.

Policy: Select the policy for this rule. Possible values are:

- ALLOW: Allows the traffic which applies to the rule.
- DENY: Silently blocks the traffic which applies to the rule. Dropped connections will be logged by default. You can toggle that off in the Log main menu.

Source Net: This drop down list allows you to choose a whole zone as source net. You will find listed every zone the firewall knows except the RED one, since by design of the outgoing firewall RED is of course always the destination zone. If you want to define the rule more precisely and allow only an IP address, then select use source IP address.

Source IP address: This is optional if you chose a zone before. You can specify an IP address, for example 10.1.1.3, or a network like 10.1.1.0/24, which you want to allow or disallow to access RED.

Log packets which satisfy this rule: Tick this on if you want the firewall to log all connection attempts which satisfy the rule. This is convenient, for example, for testing purposes.

Note: In some countries this may be illegal.

MAC address: This is optional. You may fill in the MAC address of a network card which is allowed or disallowed to pass through. If you do not want to specify both IP address and MAC address, but only the MAC address, then simply select a zone within the source net and leave the source IP address field blank.

Destination IP address: This is optional. If you want to limit or deny access to a specific remote address, you may fill in an IP address like 68.163.90.13 or a network like 68.163.75.0/24.

Destination port: This is probably the most important field for you; it is nevertheless optional. Fill in a destination port if you want this rule to be limited to a remote service. For example, you can create a rule which allows access to all HTTP (web) servers by specifying port 80 and leaving all other fields empty.

Once you have entered all the information, press Add. This will move the rule to the next section and list it as an active rule.

Figure 6.11. Lists all current outgoing rules

Current rules lists the rules that are in effect. To remove one, click the trash can icon. To edit one, click the pencil icon. To enable or disable a rule, click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.

On top of the table there is a checkbox labeled Log accepted outgoing connections. Tick this checkbox if you want the firewall to log all connections which have been established (or attempted) and successfully passed the firewall without being blocked.

Note: Enabling this may not be legal in some countries, but in some other countries it is compulsory.

Globally ALLOW outgoing traffic to RED

You can globally allow outgoing traffic from all zones to the Internet by simply answering yes to the question disable outgoing firewall ? in the drop down menu below and then clicking on the Save button.

Figure 6.12. Globally allow outgoing traffic

You can go back to the default settings, which limit access to RED, by answering yes to the question enable outgoing firewall ? in the drop down menu below and then clicking on the Save button.

Figure 6.13. Globally deny outgoing traffic
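To make the rule semantics of the zone pinholes and the outgoing firewall described above concrete, here is an added Python model (not Endian code) of how such rule tables are evaluated: first enabled matching rule wins, blank fields match anything, GREEN is trusted, ORANGE/BLUE reach GREEN only through a pinhole, the outgoing firewall falls back to the per-zone default services, and the "disable outgoing firewall" switch allows everything. The zone names and default services come from the text; the sample rules and addresses are constructed.

```python
"""Added illustration (not Endian code) of how the zone pinhole and outgoing
firewall rules in this chapter are evaluated: the first enabled rule whose
filled-in fields all match wins, empty fields match anything, GREEN is the
trusted zone, ORANGE/BLUE reach GREEN only through a pinhole, the outgoing
firewall allows a few services from GREEN and DNS from every zone by default,
and 'disable outgoing firewall' allows everything. Zone names and services come
from the text; the sample rules and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Allowed from GREEN to RED by default: HTTP, HTTPS, FTP, SMTP, POP3, IMAP, DNS.
GREEN_DEFAULTS = {("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 25),
                  ("tcp", 110), ("tcp", 143), ("tcp", 53), ("udp", 53)}
OTHER_ZONE_DEFAULTS = {("tcp", 53), ("udp", 53)}   # DNS for all other zones


@dataclass
class Rule:
    """One row of 'Add a new rule'; a None field is left blank in the GUI."""
    policy: str = "ALLOW"           # pinholes only ALLOW; outgoing: ALLOW or DENY
    enabled: bool = True
    proto: Optional[str] = None     # "tcp" or "udp"
    src_zone: Optional[str] = None  # GREEN, BLUE or ORANGE
    src_ip: Optional[str] = None    # 10.1.1.3 or 10.1.1.0/24
    src_mac: Optional[str] = None
    dst_ip: Optional[str] = None    # address or network
    dst_port: Optional[int] = None
    log: bool = False               # "Log packets which satisfy this rule"


@dataclass
class Conn:
    src_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    src_mac: str = ""


def _in(addr: str, spec: Optional[str]) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, c: Conn) -> bool:
    return (rule.enabled
            and (rule.proto is None or rule.proto == c.proto)
            and (rule.src_zone is None or rule.src_zone == c.src_zone)
            and _in(c.src_ip, rule.src_ip)
            and (rule.src_mac is None or rule.src_mac.lower() == c.src_mac.lower())
            and _in(c.dst_ip, rule.dst_ip)
            and (rule.dst_port is None or rule.dst_port == c.dst_port))


def first_match(rules: List[Rule], c: Conn) -> Optional[Rule]:
    return next((r for r in rules if matches(r, c)), None)


def pinhole_decision(pinholes: List[Rule], c: Conn) -> str:
    """Traffic from ORANGE or BLUE into GREEN: closed unless a pinhole opens it.
    GREEN, the trusted zone, reaches every zone without any rule."""
    if c.src_zone == "GREEN":
        return "ALLOW"
    return "ALLOW" if first_match(pinholes, c) else "DENY"   # dropped silently


def outgoing_decision(rules: List[Rule], c: Conn,
                      firewall_enabled: bool = True) -> Tuple[str, bool]:
    """Traffic to RED. Returns (policy, logged). Explicit rules come first;
    otherwise the per-zone default services apply. DENY hits are logged by
    default, ALLOW hits only when the rule asks for it."""
    if not firewall_enabled:            # 'disable outgoing firewall ?' answered yes
        return "ALLOW", False
    rule = first_match(rules, c)
    if rule is not None:
        return rule.policy, rule.log or rule.policy == "DENY"
    defaults = GREEN_DEFAULTS if c.src_zone == "GREEN" else OTHER_ZONE_DEFAULTS
    allowed = (c.proto, c.dst_port) in defaults
    return ("ALLOW", False) if allowed else ("DENY", True)


# Constructed sample: the web server in ORANGE may hand orders to one GREEN
# host on TCP port 25; the BLUE zone may browse only from one known MAC address.
SAMPLE_PINHOLES = [
    Rule(proto="tcp", src_zone="ORANGE", src_ip="192.168.2.10",
         dst_ip="192.168.0.5", dst_port=25),
]
SAMPLE_OUTGOING = [
    Rule("ALLOW", proto="tcp", src_zone="BLUE", src_mac="00:11:22:33:44:55", dst_port=80),
    Rule("DENY", proto="tcp", src_zone="BLUE", dst_port=80, log=True),
]
```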

You will notice a single checkbox, labeled Log accepted outgoing connections. Tick this checkbox if you want the firewall to log all connections which have been established (or attempted) and successfully passed the firewall without being blocked.

Note: Enabling this may not be legal in some countries, but in some other countries it is compulsory.

Chapter 7. Proxy

Table of Contents

Introduction
HTTP Proxy
Feature List
Web proxy configuration
Common settings
Upstream proxy
Log settings
Cache management
Network based access control
Time restrictions
Transfer limits
MIME type filter
Web browser
Authentication configuration
Content filter
Content filter (Dansguardian)
Block pages which contain unallowed phrases
Block pages known to have content of the following categories
Custom black- and whitelists
HTTP Antivirus
Max. content scan size
Last Update
Do not scan the following URLs
Enforcing proxy usage
Web Proxy standard operation modes
Client side Web Proxy configuration
Requirements for mandatory proxy usage
POP3
Global settings
Spamfilter configuration
SIP
FTP
SMTP
General Settings
Antivirus
AntiSpam
General Settings
Greylisting
Banned File Extension
Blacklists/Whitelists
Real-time Spam Black Lists (RBL)
Custom black/whitelists
Domains
BCC
Advanced settings
Smarthost
IMAP Server for SMTP Authentication
Advanced settings

Introduction

Figure 7.1. Proxy menu selected

The proxy server is a service that allows your clients to make indirect network connections to other network services. The client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases, the proxy may alter the client's request or the server's response for various purposes (e.g. a mail header will be changed or added if the mail contains spam content, or advertisements will be removed from a website).

This chapter covers the whole proxy menu. The following submenus will be described in this chapter:

HTTP
POP3
SIP
FTP
SMTP

HTTP Proxy

Feature List

User authentication:
- Local user authentication, including group based user management
- LDAP authentication, including MS Active Directory, Novell eDirectory and OpenLDAP
- Windows authentication, including Windows NT 4.0 or 2000/2003 domains and Samba
- RADIUS authentication

Advanced access control:
- Network based access control over IP and MAC addresses
- Time based access restrictions
- Download throttling
- MIME type filter
- Blocking of unauthorized browsers or client software
- Group based access with groups coming from Windows Active Directory

Web proxy configuration

Common settings

The common settings are essential parameters related to the proxy services.

Figure 7.2. Displays HTTP advanced proxy settings

Enabled on zone: This enables the Proxy Server to listen for requests on the selected zone (GREEN, BLUE or ORANGE).

Note: If the proxy service is disabled, all client requests will be forwarded directly to the destination address without passing the proxy service, and therefore the requests will bypass all configured ACLs.

Transparent on zone: If transparent mode is enabled, all requests for destination port 80 will be forwarded to the Proxy Server without the need for any special configuration changes on your clients.

Warning: Transparent mode works only for destination port 80. All other requests (e.g. port 443 for SSL) will bypass the Proxy Server.

Note: When using any type of authentication, the Proxy may not run in transparent mode.

Note: To enforce the usage of the Proxy Server in non-transparent mode, you will have to block all outgoing ports usually used for HTTP traffic (80, 443, 8000, 8080, etc.).

Proxy Port: This is the port on which the Proxy Server will listen for client requests. The default is 8080.

Note: In transparent mode, all client requests for port 80 will automatically be redirected to this port.

Warning: In non-transparent mode, make sure that your clients are configured to use this port. Otherwise they will bypass the Proxy Server and all ACLs will be ignored.

Visible hostname: If you want to present a special hostname in error messages or to upstream proxy servers, then define it here. Otherwise, the real hostname of your Endian Firewall will be used. This is optional.

Cache administrator e-mail: This e-mail address will be shown on the Proxy Server error messages. This is optional.

Error messages language: Select the language in which the Proxy Server error messages will be displayed to the clients.

Contentfilter enabled: By enabling this feature you can activate different types of filters in the Content filter menu.

Note: This feature will only partially work for SSL connections, as it is not possible to do pattern matching on encrypted data. The URL filtering, however, will work perfectly.

Antivirus enabled: This enables antivirus protection when browsing the world wide web.

Warning: It is not possible to scan encrypted connections for viruses.

Allowed ports: Only HTTP connections on one of the specified ports will pass through the proxy. The rest will be blocked.

Note: When using transparent mode this feature will not work.

Allowed SSL ports: Like the Allowed ports option, but this time for SSL encrypted HTTP (HTTPS) connections.

Note: When using transparent mode this feature will not work.

Upstream proxy

These settings may be required for chained proxy environments.

Figure 7.3. Displays HTTP advanced proxy upstream proxy configuration

Username forwarding: If any type of authentication is activated for the HTTP Proxy, this enables the forwarding of the login name. This can be useful for user based ACLs or logging on remote proxy servers.

Note: This is for ACL or logging purposes only and doesn't work if the upstream proxy requires a real login.

Note: The forwarding is limited to the username; the password will not be forwarded.

Client IP address forwarding: This enables the HTTP x-forwarded-for header field. If enabled, the internal client IP address will be added to the HTTP header:

x-forwarded-for: 192.168.1.37

This can be useful for source based ACLs or logging on remote proxy servers. Instead of forwarding "unknown", this field will be completely suppressed by default.

Note: If the last proxy in the chain doesn't strip this field, it will be forwarded to the destination host!

Upstream proxy (host:port): If you are using a parent cache, then enter the IP address and port of this upstream Proxy. If no value for the port is given, the default port 80 will be used.

Upstream username: Enter the username for the upstream Proxy Server (only if required).

Note: If you enter a password, the username forwarding (described above) will be disabled.

Upstream password: Enter the password for the upstream Proxy Server (only if required).

Note: If you enter a password, the username forwarding (described above) will be disabled.

Log settings

These options are for enabling the HTTP Proxy log files.

Figure 7.4. Displays HTTP advanced proxy log settings

Log enabled: This enables the Web Proxy logging feature. All client requests will be written to a log file and can be viewed within the GUI under Logs > Proxy Logs (see the section called Proxy Logs Page).

Warning: Enabling this option may be considered an invasion of the personal privacy of your clients in some countries and/or break other legal rules. Before using this option, make sure that this is in accordance with national law or other legal regulations.

In most countries, the user must agree that personal data will be logged. Do not enable this in a business environment without the written agreement of the workers' council.

Firewall logs outgoing connections: Tick this on if you want the firewall to log all outgoing connections.

Warning: In most countries this may be illegal!

Log query terms: The part of the URL containing dynamic queries will be stripped by default before logging. Enabling the option Log query terms will turn this off and the complete URL will be logged.

Warning: Enabling this option may be considered an invasion of personal privacy in some countries!

Log useragents: Enabling this option will write the user agent string to the log file /var/log/squid/useragent.log. This log option should only be activated for debugging purposes; the result is not shown within the GUI based log viewer.

Cache management

The cache management settings control the caching parameters for the Advanced Proxy.

Figure 7.5. Displays HTTP advanced proxy cache management configuration

Memory cache size: This is the amount of physical RAM to be used for negative-cached and in-transit objects. This value should not exceed 50% of installed RAM. The minimum for this value is 1 MB, the default is 20 MB.

Note: This parameter does not specify the maximum process size. It only places a limit on how much additional RAM the Web Proxy will use as a cache of objects.

Harddisk cache size: This is the amount of disk space (MB) to use for cached objects. The default is 500 MB. Change this to suit your configuration. Do not put the size of your disk drive here. If you want Squid to use the entire disk drive, subtract 20% of the real disk size and use that value instead.

Min object size: Objects smaller than this size will not be saved on disk. The value is specified in kilobytes, and the default is 0 KB, which means there is no minimum.

Max object size: Objects larger than this size will not be saved on disk. The value is specified in kilobytes, and the default is 4 MB (4096 KB). If you wish to increase speed at the expense of saving bandwidth, you should keep this low.

Do not cache these domains: A list of sites which cause the request not to be satisfied from the cache and the reply not to be cached. In other words, use this to force objects to never be cached. All domains must be entered with a leading dot, e.g.:

.advproxy.net
.google.com

Enable offline mode: Enabling this option will turn off the validation of cached objects. This gives access to more cached information (stale cached versions, where the origin server should have been contacted).

Network based access control

This defines the access control for accessing the Proxy Server based on the client network address.

Figure 7.6. Displays HTTP advanced proxy network based access control

Allowed subnets: All listed subnets are allowed to access the Proxy Server. By default, the subnets for GREEN, BLUE and ORANGE (if available) are listed here.

Warning: If you ever change the network configuration of any zone with the network wizard described in the section called Network Configuration, you also need to change the values in this list, especially if a subnet has changed.

You can add other subnets, like subnets behind GREEN in larger environments, to this list.

Note: All subnets not listed here will be blocked for web access.

Sources which bypass the transparent proxy: When using the transparent proxy, all subnets, IP addresses and MAC addresses that are specified here will be allowed to connect directly to the requested URLs, instead of using the proxy.

Note: MAC addresses have to be entered in the following form: 00:00:00:00:00:00

Destinations to which the transparent proxy is bypassed: When using the transparent proxy and connecting to the subnets or IP addresses that are specified here, the connection will not go through the proxy but will be established directly.

Unrestricted IP addresses: All client IP addresses in this list will override the following restrictions:
- Time restrictions
- Size limits for download requests
- Download throttling
- Browser check
- MIME type filter
- Authentication (will be required by default for these addresses, but can be turned off)
- Concurrent logins per user (only available if authentication is enabled)

Unrestricted MAC addresses: All client MAC addresses in this list will override the following restrictions:
- Time restrictions
- Size limits for download requests
- Download throttling
- Browser check
- MIME type filter
- Authentication (will be required by default for these addresses, but can be turned off)
- Concurrent logins per user (only available if authentication is enabled)

Note: Using MAC addresses instead of IP addresses can be useful if the DHCP service is enabled without having fixed leases defined.

Note: MAC addresses can be entered in one of these forms: 00-00-00-00-00-00 or 00:00:00:00:00:00

Note: The Proxy Server can only determine MAC addresses from clients configured for the subnets of the GREEN, BLUE or ORANGE interfaces.

Banned IP addresses or subnets: All requests from the clients (IP addresses or subnets) in this list will be blocked.

Banned MAC addresses: All requests from the clients in this list will be blocked. Using MAC addresses instead of IP addresses can be useful if the DHCP service is enabled without having fixed leases defined. MAC addresses can be entered in one of these forms: 00-00-00-00-00-00 or 00:00:00:00:00:00

Note: The Proxy Server can only determine MAC addresses from clients configured for the subnets of the GREEN, BLUE or ORANGE interfaces.

Time restrictions

This defines the operational time of the Web Proxy.

Figure 7.7. Displays HTTP advanced proxy time restrictions configuration

The option allow allows web access and the option deny blocks web access within the selected time. The choice of allow or deny will depend on the time rules you want to apply. The default is set to allow access every day around the clock.

Note: Time restrictions will not be effective for these clients:
- Sources which bypass the transparent proxy
- Destinations to which the transparent proxy is bypassed
- Unrestricted source IP addresses
- Unrestricted source MAC addresses
- Members of the group Extended, if the Proxy uses Local authentication

Transfer limits

This allows you to enter size limitations for each download and/or upload request.

Figure 7.8. Displays HTTP advanced proxy transfer limit configuration

The values are given in KB. A reason for transfer limits could be that you want to prevent downloading large files, such as CD images. The default is set to 0 KB for upload and download; this value turns off any limitation.

Note: These limits refer to each single request. It's not the total amount for all requests.

Note: Download limits will not be effective for these clients:
- Sources which bypass the transparent proxy
- Destinations to which the transparent proxy is bypassed
- Unrestricted source IP addresses
- Unrestricted source MAC addresses
- Members of the group Extended, if the Proxy uses Local authentication

Note: Upload limits will be effective for all clients except:
- Sources which bypass the transparent proxy
- Destinations to which the transparent proxy is bypassed

MIME type filter

The MIME type filter can be configured to block content depending on its MIME type.

Figure 7.9. Displays HTTP advanced proxy MIME type filter

If enabled, the filter checks all incoming headers for their MIME type. If the requested MIME type is listed to be blocked, access to this content will be denied. This way you can block content regardless of the given file name extension.

Example 7.1. Add this MIME type if you want to block the download of PDF files:

application/pdf

Example 7.2. Add these MIME types if you want to block the download of MPEG and QuickTime video files:

application/pdf
video/quicktime

Note: The MIME types are processed as regular expressions. This means the entry javascript will block all content with MIME types containing this word, like application/x-javascript and text/javascript.

Note: MIME type blocking will not be effective for these clients:
- Sources which bypass the transparent proxy
- Destinations to which the transparent proxy is bypassed
- Unrestricted source IP addresses
- Unrestricted source MAC addresses
- Members of the group Extended, if the Proxy uses Local authentication

Web browser

This allows you to control which client software may have access to web sites.

Figure 7.10. Displays HTTP advanced proxy user agent filter
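Here is an added Python sketch (not Endian or Squid code) of the two ACLs around this point: the MIME type filter, whose list entries are treated as regular expressions as the note above says, and the browser check, whose client definitions follow the name,display,(regexp) syntax explained in the Web browser section below; both are skipped for the unrestricted clients the text lists. The sample entries, client definitions, user agent strings and addresses are constructed for the example.

```python
"""Added illustration (not Endian or Squid code) of two Advanced Proxy ACLs
from this chapter: the MIME type filter, whose list entries are regular
expressions searched in the response MIME type, and the browser check, whose
client definitions use the 'name,display,(regexp)' syntax described in the
Web browser section. Both are skipped for the unrestricted clients named in
the text. All sample entries, definitions, headers and addresses are
constructed for this example.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Set

# MIME filter entries exactly as they would be typed into the GUI list.
BLOCKED_MIME_ENTRIES = ["application/pdf", "video/quicktime", "javascript"]

# Constructed lines in the format of /var/efw/proxy/advanced/useragents.
USERAGENT_DEFINITIONS = """\
# name,display,(regexp)
IE,Internet Explorer,(MSIE)
FF,Mozilla Firefox,(Firefox)
AVUPDATE,Example AV updater,(ExampleAV-Updater/[0-9.]+)
"""


class ClientDef(NamedTuple):
    name: str
    display: str
    regexp: "re.Pattern[str]"


def parse_client_definitions(text: str) -> List[ClientDef]:
    """Parse 'name,display,(regexp)' lines, enforcing the documented rules:
    upper-case alphanumeric name, and a regexp enclosed in parentheses."""
    defs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, display, regexp = line.split(",", 2)   # regexp itself may contain commas
        if not re.fullmatch(r"[A-Z0-9]+", name):
            raise ValueError(f"name {name!r} must be alphanumeric capital letters")
        if not (regexp.startswith("(") and regexp.endswith(")")):
            raise ValueError(f"regexp for {name} must be enclosed in parentheses")
        defs.append(ClientDef(name, display, re.compile(regexp)))
    return defs


def browser_allowed(user_agent: str, defs: List[ClientDef], enabled: Set[str]) -> bool:
    """With the browser check enabled, only user agents matching a ticked
    (enabled) client definition may pass; everything else is blocked."""
    return any(d.name in enabled and d.regexp.search(user_agent) for d in defs)


def mime_blocked(content_type: str, entries: Iterable[str]) -> Optional[str]:
    """Return the list entry that blocks this MIME type, or None.
    Entries are regular expressions, so the entry 'javascript' also blocks
    'application/x-javascript' and 'text/javascript'."""
    for entry in entries:
        if re.search(entry, content_type):
            return entry
    return None


def normalize_mac(mac: str) -> str:
    """Accept the two documented forms 00-00-00-00-00-00 and 00:00:00:00:00:00."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(parts)


def is_unrestricted(ip: str, mac: Optional[str], group: Optional[str],
                    unrestricted_ips: Set[str], unrestricted_macs: Set[str]) -> bool:
    """Clients for which the browser check and the MIME filter are not effective."""
    if ip in unrestricted_ips:
        return True
    if mac and normalize_mac(mac) in {normalize_mac(m) for m in unrestricted_macs}:
        return True
    return group == "Extended"          # Local authentication, Extended group


def check_response(ip: str, mac: Optional[str], group: Optional[str],
                   user_agent: str, content_type: str, *,
                   defs: List[ClientDef], enabled: Set[str],
                   mime_entries: Iterable[str],
                   unrestricted_ips: Set[str] = frozenset(),
                   unrestricted_macs: Set[str] = frozenset()) -> str:
    """Combined decision: 'allow', 'blocked:browser' or 'blocked:mime:<entry>'."""
    if is_unrestricted(ip, mac, group, unrestricted_ips, unrestricted_macs):
        return "allow"
    if not browser_allowed(user_agent, defs, enabled):
        return "blocked:browser"
    entry = mime_blocked(content_type, mime_entries)
    return f"blocked:mime:{entry}" if entry else "allow"
```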

Enable Browser check: If this option is enabled, only the selected clients will be able to pass the Proxy Server. All other requests will be blocked.

Note: Browser based access control will not be effective for these clients:
- Sources which bypass the transparent proxy
- Destinations to which the transparent proxy is bypassed
- Unrestricted source IP addresses
- Unrestricted source MAC addresses
- Members of the group Extended, if the Proxy uses Local authentication

Client definitions: The most important web clients are already listed. You can create your own definitions by editing the file /var/efw/proxy/advanced/useragents and adding the browser specific information there. Adding custom clients could be necessary if you want to allow your antivirus software to download updated definitions. If you don't know the user agent of this software, you can enable user agent logging in the section Log settings and watch the file /var/log/squid/useragent.log.

The syntax for client definitions is:

name,display,(regexp)

name is required for internal processing by the Advanced Proxy and should be a short name in alphanumeric capital letters without spaces. display is the string which appears in the GUI list and should contain the common name for this client. (regexp) is a regular expression which matches the browser user agent string and must always be enclosed in parentheses. The values are separated by commas.

Authentication configuration

Warning: When using authentication and enabling the web proxy log files, the requesting user name will be logged in addition to the requested URL. Before enabling log files while using authentication, make sure not to violate existing laws.

Note: Authentication will not work with the transparent proxy turned on.

Authentication methods overview

The Advanced Proxy offers a variety of methods for user authentication.

Figure 7.11. Displays HTTP advanced proxy authentication methods

None: Authentication is disabled. Users don't need to authenticate when accessing web sites.

Local Authentication: This authentication method is the preferred solution for SOHO environments. Users need to authenticate when accessing web sites by entering a valid username and password. The user management resides on the Endian Firewall Proxy Server. Users are categorized into three groups: Extended, Standard and Disabled.

Authentication using LDAP: This authentication method is the preferred solution for medium and large network environments. Users will have to authenticate when accessing web sites by entering a valid username and password. The credentials are verified against an external server using the Lightweight Directory Access Protocol (LDAP). LDAP authentication will be useful if you already have a directory service in your network and don't want to maintain additional user accounts and passwords for web access. The HTTP Proxy works with these types of LDAP servers:
- Active Directory (Windows 2000 and 2003 Server)
- Novell eDirectory (NetWare 5.x and NetWare 6)
- LDAP Version 2 and 3 (OpenLDAP)

As an option, membership of a certain group can be required.

Note: The protocol LDAPS (Secure LDAP) is not supported.

Windows authentication: This authentication method is one of the preferred solutions for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external server acting as a Domain Controller. This can be a:
- Windows NT 4.0 Server or Windows 2000/2003 Server (even with Active Directory enabled)
- Samba 2.x / 3.x Server (running as Domain Controller)

The Advanced Proxy works with Windows integrated authentication (transparent) or with standard authentication (explicit with username and password). You can maintain lists with authorized user names (whitelist) or unauthorized user names (blacklist).

Note: Workgroup based authentication may work, but is neither recommended nor supported.

RADIUS authentication: This authentication method is another good solution for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external RADIUS server. You can maintain lists with authorized user names (whitelist) or unauthorized user names (blacklist).

Global authentication settings

The global authentication settings are available for all authentication methods.

Figure 7.12. Displays HTTP advanced proxy global authentication settings

Number of authentication processes: The number of background processes listening for requests. The default value is 5 and should be increased if authentication takes too long or Windows integrated authentication falls back to explicit authentication.

Authentication cache TTL: Duration in minutes for which credentials will be cached for each single session. If this time expires, the user has to re-enter the credentials for this session. The default is set to 60 minutes; the minimum is 1 minute. The TTL will always be reset when the user sends a new request to the Proxy Server within a session.

Note: If the user opens a new session, the credentials must always be entered, even if the TTL has not expired for another session.

Limit of IP addresses per user: Number of source IP addresses from which a user can be logged in at a time. The IP address will be released after the time defined at User/IP cache TTL.

Note: This has no effect if running Local authentication and the user is a member of the Extended group.

User/IP cache TTL: Duration in minutes for which relations between each user name and the used IP address will be cached. The default value is 0 (disabled). A value greater than 0 is only reasonable when using a limit for concurrent IP addresses per user.

Require authentication for unrestricted source addresses: By default authentication is required even for unrestricted IP addresses. If you don't want to require authentication for these addresses, untick this box.

Authentication realm prompt: This text will be shown in the authentication dialog.

Domains without authentication: This allows you to define a list of domains that can be accessed without authentication.

Note: These domains are destination DNS domains and not source Windows NT domains.

Note: This works only for DNS domain names and not for IP addresses.

Example 7.3. Windows Update

To allow access to Windows Update without authentication, add these domains to the list:

.download.microsoft.com
.windowsupdate.com
.windowsupdate.microsoft.com

Note: All listed domains require a leading dot.

Local user authentication

The Local user authentication lets you manage user accounts locally without the need for external authentication servers.

Figure 7.13. Displays HTTP advanced proxy local user authentication
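The global authentication settings above interact in ways that are easy to get wrong (a TTL that resets on each request, a new session always asking again, an IP limit that only bites while the User/IP relation is still cached, the Extended group exception). The following added Python model (not Endian or Squid code) walks through them; the users, addresses and minute timestamps are constructed.

```python
"""Added illustration (not Endian or Squid code) of the global authentication
settings described above: the authentication cache TTL per session, the limit
of IP addresses per user together with the User/IP cache TTL, the Extended
group exception under Local authentication, and the switch that makes
unrestricted source addresses skip authentication. Times are in minutes; the
users, addresses and timings used in the test run are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class AuthSettings:
    auth_cache_ttl: int = 60        # minutes; credentials cached per session, minimum 1
    ip_limit_per_user: int = 0      # 0 = unlimited source addresses per user
    user_ip_cache_ttl: int = 0      # minutes a user<->IP relation is kept; 0 = disabled
    require_auth_for_unrestricted: bool = True
    unrestricted_ips: FrozenSet[str] = frozenset()


class ProxyAuth:
    """users maps username -> (password, group); group is Standard/Extended/Disabled."""

    def __init__(self, settings: AuthSettings, users: Dict[str, Tuple[str, str]]):
        self.s = settings
        self.users = users
        self.sessions: Dict[str, Tuple[str, int]] = {}   # session -> (user, last request)
        self.user_ips: Dict[str, Dict[str, int]] = {}    # user -> {ip: last seen}

    def _cached_user(self, session: str, now: int) -> Optional[str]:
        entry = self.sessions.get(session)
        if entry and now - entry[1] < self.s.auth_cache_ttl:
            return entry[0]
        return None

    def _ip_limit_exceeded(self, user: str, ip: str, now: int) -> bool:
        if not self.s.ip_limit_per_user or self.users[user][1] == "Extended":
            return False                       # no limit, or Extended group exception
        ips = self.user_ips.setdefault(user, {})
        # Release addresses whose User/IP cache TTL ran out (TTL 0 releases at once,
        # which is why a limit only makes sense with a TTL greater than 0).
        for addr, seen in list(ips.items()):
            if now - seen >= self.s.user_ip_cache_ttl:
                del ips[addr]
        return ip not in ips and len(ips) >= self.s.ip_limit_per_user

    def request(self, session: str, ip: str, now: int,
                credentials: Optional[Tuple[str, str]] = None) -> str:
        """Return 'ok', 'auth-required' or 'ip-limit' for one client request."""
        if ip in self.s.unrestricted_ips and not self.s.require_auth_for_unrestricted:
            return "ok"
        user = self._cached_user(session, now)
        if user is None:
            # A new session, or an expired TTL, always asks for credentials again.
            if credentials is None:
                return "auth-required"
            name, password = credentials
            stored = self.users.get(name)
            if stored is None or stored[0] != password or stored[1] == "Disabled":
                return "auth-required"
            user = name
        if self._ip_limit_exceeded(user, ip, now):
            return "ip-limit"
        self.user_ips.setdefault(user, {})[ip] = now
        self.sessions[session] = (user, now)       # every request resets the TTL
        return "ok"
```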

User management

The integrated user manager can be executed from the main settings page.

Figure 7.14. Displays HTTP advanced proxy local user authentication

Min password length: Enter the minimum required length for passwords. The default is set to 6 alphanumeric characters.

User management: This button opens the local user manager.

Local user manager

The user manager is the interface for creating, editing and deleting user accounts.

Figure 7.15. Displays local user manager for the HTTP advanced proxy

Within the user manager page, all available accounts are listed in alphabetical order.

Group definitions

You can select between three different groups:

Standard: The default for all users. All given restrictions apply to this group.

Extended: Use this group for unrestricted users. Members of this group will bypass any time and filter restrictions.

Disabled: Members of this group are blocked. This can be useful if you want to disable an account temporarily without losing the password.

Proxy service restart requirements

The following changes to user accounts will require a restart of the proxy service:
- a new user account was added and the user is not a member of the Standard group
- the group membership of a certain user has been changed

The following changes to user accounts will not require a restart of the proxy service:
- a new user account was added and the user is a member of the Standard group
- the password of a certain user has been changed
- an existing user account has been deleted

Create user accounts

Username: Enter the username for the user. If possible, the name should contain only alphanumeric characters.

Group: Select the group membership for this user.

Password: Enter the password for the new account.

Password (confirm): Confirm the previously entered password.

Create user: This button creates a new user account. If this username already exists, the account for this username will be updated with the new group membership and password.

Back to main page: This button closes the user manager and returns to the Advanced Proxy main page.

Edit user accounts

A user account can be edited by clicking on the pencil icon. When editing a user account, only the group membership or password can be changed. While editing an account, the corresponding entry will be marked with a yellow bar.

Figure 7.16. Displays editing a user with local user manager of HTTP advanced proxy

To save the changed settings, use the button Update user.

Note: The username cannot be modified. This field is read-only. If you need to rename a user, delete this user and create a new account.

Delete user accounts

A user account can be deleted by clicking the trash can icon. The account will be deleted immediately.

Client side password management

Users may change their passwords if needed. The interface can be invoked by entering this URL:

https://efw:10443/cgi-bin/chpasswd.cgi

Note: Replace efw with the GREEN IP address of your Endian Firewall.

The web page dialog requires the username, the current password and the new password (twice for confirmation):

Figure 7.17. Change it yourself page, allowing users to change their local HTTP proxy password

LDAP authentication

This authentication method uses an existing directory infrastructure for user authentication.

Figure 7.18. Displays LDAP authentication page of HTTP advanced proxy

If you are unsure about your internal directory structure, you can examine your LDAP server using the command line based ldapsearch tool. Windows clients can use the free and easy to use Softerra LDAP browser for this: http://www.ldapbrowser.com.

Common LDAP settings

Figure 7.19. Common LDAP settings of HTTP advanced proxy

Base DN: This is the base where the LDAP search starts. All subsequent Organizational Units (OUs) will be included. Refer to your LDAP documentation for the required format of the base DN.

Example 7.4. Base DN for Active Directory

cn=users,dc=ads,dc=local

This will search for users in the group users in the domain ads.local.

Example 7.5. Base DN for eDirectory

ou=users,o=acme

This will search for users in the Organizational Unit users (and below) in the Organization acme.

Note: If the Base DN contains spaces, you must escape these spaces using a backslash.

Example 7.6. Base DN containing spaces

cn=internet\ users,dc=ads,dc=local

LDAP type: You can select between different types of LDAP implementations:
- Active Directory (ADS)
- Novell eDirectory (NDS)
- LDAP v2 and v3

LDAP Server: Enter the IP address of your LDAP Server.

Port: Enter the port on which your LDAP Server is listening for LDAP requests. The default is 389.

Note: The protocol LDAPS (Secure LDAP, port 636) is not supported.

Bind DN settings

Figure 7.20. Bind DN settings of LDAP authentication within HTTP advanced proxy

Bind DN username

Enter the full distinguished name of a Bind DN user.

Note: A Bind DN user is required for Active Directory and eDirectory.

Note: The Bind DN user must be allowed to browse the directory and read all user attributes.

Note: If the Bind DN username contains spaces, you must escape these spaces using a backslash.

Bind DN password

Enter the password for the Bind DN user.

Group based access control

Figure 7.21. Group based access control of LDAP authentication within HTTP advanced proxy

Required group (optional)

Enter the full distinguished name of a group for authorized Internet users. In addition to a correct authentication, membership in this group will be required for web access.

Note: If the group name contains spaces, you must escape these spaces using a backslash.

Advanced Group Selections

Windows authentication

This authentication method uses an existing Windows domain environment for user authentication.

Figure 7.22. HTTP advanced proxy authentication against Windows

In addition to the authentication you can define positive or negative user based access control lists.

Common domain settings

Figure 7.23. Common domain settings of Windows authentication on HTTP advanced proxy

Domain

Enter the name of the domain you want to use for authentication. If you are running a Windows 2000 or Windows 2003 Active Directory, you'll have to enter the NetBIOS domain name.

PDC hostname

Enter the NetBIOS hostname of the Primary Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active Directory, you can enter the name of any Domain Controller.

Note: For Windows 2000 and above the Primary Domain Controller is not assigned to a specific server. The Active Directory PDC emulator is a logical role and can be assigned to any server.

Warning: The PDC hostname must be resolvable by Endian Firewall. This can be done by adding the hostname at Network > Edit Hosts (see the section called Host configuration (Edit Hosts)).

BDC hostname (optional)

Enter the NetBIOS hostname of the Backup Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active Directory, you can enter the name of any Domain Controller. If the PDC doesn't respond to authentication requests, the authentication process will ask the BDC instead.

Warning: The BDC hostname must be resolvable by Endian Firewall. This can be done by adding the hostname at Network > Edit Hosts (see the section called Host configuration (Edit Hosts)).

Authentication mode

Figure 7.24. Authentication mode of Windows authentication on HTTP advanced proxy

Enable Windows integrated authentication

If enabled, the user will not be asked for username and password. The credentials of the currently logged in user will automatically be used for authentication. This option is enabled by default. If integrated authentication is disabled, the user will be asked explicitly for username and password.

User based access restrictions

Figure 7.25. User based access restrictions on Windows authentication of HTTP advanced proxy

Enabled

Enables access control lists for authorized or unauthorized users.

Use positive access control / Authorized domain users

The listed users will be allowed web access. All other users will be denied.

Use negative access control / Unauthorized domain users

The listed users will be blocked from web access. All other users will be allowed.

Note: If Windows integrated authentication is enabled, the username must be entered with the domain name as a prefix, separated by a backslash.

Example 7.7. User based access control lists using integrated authentication

Figure 7.26. Integrated Windows authentication with HTTP advanced proxy

Note: When using integrated authentication, the user must be logged into the domain; otherwise the name of the local workstation instead of the domain name will be prefixed to the username.

Example 7.8. User based access control lists using explicit authentication

Figure 7.27. Explicit authentication with HTTP advanced proxy

Note: Explicit authentication grants access to the user even if the user is not logged into the domain, as long as the username is the same and the local workstation password and the domain password match.

RADIUS authentication

This authentication method uses an existing RADIUS server for user authentication.

Figure 7.28. Displays RADIUS authentication configuration of HTTP advanced proxy

In addition to the authentication you can define positive or negative user based access control lists.

Note: This authentication method cannot handle encrypted connections. If you are running a Microsoft IAS for RADIUS you'll have to turn off any type of encryption at your IAS.

Common RADIUS settings

Figure 7.29. Displays common RADIUS settings of HTTP advanced proxy authentication

RADIUS Server

Enter the IP address of the RADIUS Server you want to use for authentication.

Port

Enter the port that will be used to communicate with the RADIUS Server. The default is port 1645; some RADIUS servers may use port 1812 instead.

Identifier

This is an optional field and can be used to identify your Endian Firewall to the RADIUS Server. If it is left empty, the IP address of your Endian Firewall will be used for identification.

Shared secret

This is the shared secret for the authentication of your Endian Firewall against the RADIUS Server. It must be the same password that you have entered at your RADIUS Server.

User based access restrictions

Figure 7.30. Displays user based access restrictions of HTTP advanced proxy

Enabled

Enables access control lists for authorized or unauthorized users.

Use positive access control / Authorized users

The listed users will be allowed web access. All other users will be denied.

Use negative access control / Unauthorized users

The listed users will be blocked from web access. All other users will be allowed.

Advanced Group Selections

Content filter

Note: Requests from users in the extended group won't be affected by the filter, nor will those from users that are allowed to bypass the proxy.

Content filter (Dansguardian)

Figure 7.31. General content filter configuration

Max. score for phrases

With this option you can customize the amount of pages that are blocked by the content filter. If many children will connect to the internet through your Endian Firewall you should set this to a lower value, as more dangerous content will then be filtered out.

Enable logging

This will turn on logging for blocked requests.

Note: If you want to see the clients' IP addresses you will have to turn on client IP address forwarding in the upstream proxy section.

PICS

This will enable support for the Platform for Internet Content Selection (PICS: http://www.w3.org/PICS/). PICS enables labels to be assigned to Internet content and was initially designed to help parents and teachers control what their children see. Today many other rating services and filtering software are built on PICS.

Save

To save your settings click here.

Block pages which contain unallowed phrases

Figure 7.32. Selection of disallowed phrases which pages may contain

Block pages with content from the ticked categories

When turned on, all pages will be parsed and checked for patterns that correspond to the ticked categories. If one of those patterns matches, the site will be blocked.

Save

Click here to save your settings.

Note: This feature is not available for the mini edition of Endian Firewall.

Note: This won't affect users from the extended group or users that bypass the proxy.

Block pages known to have content of the following categories

Figure 7.33. Selection of categories of URL lists which should be blocked by the HTTP content filter

Block pages that are known to have content of the ticked categories

By checking the boxes corresponding to the displayed categories, it will be impossible to load URLs that appear in the URL list of one of the checked categories.

Save

To save your settings click here.

Note: This won't affect users from the extended group or users that bypass the proxy.

Custom black- and whitelists

Figure 7.34. Custom black- and whitelists for the HTTP content filter

Allow the following sites

Access to sites that are specified here will always be allowed.

Block the following sites

Access to sites that are listed here will always be denied.

Note: This will not affect users that bypass the proxy or users in the extended group.

HTTP Antivirus

Figure 7.35. HTTP Antivirus configuration page

Max. content scan size

Only requests that return less than the specified size in megabytes will be scanned for viruses; larger responses pass through unscanned.

Last Update

Displays the date of the last update of the virus database.

Do not scan the following URLs

The URLs that are entered here will not be scanned for viruses. Please enter only one URL per line.

Enforcing proxy usage

For different reasons, it may be required that all clients be forced to use the proxy service. The reasons could be mandatory logging, filtering or authentication.

Web Proxy standard operation modes

Proxy service disabled

Endian Firewall proxy settings:

Figure 7.36. HTTP proxy disabled

Client access: Disabling the proxy service gives direct access to all clients.

Figure 7.37. Figure which displays traffic that will not be directed through the HTTP proxy

Result: The proxy service will never be used. Logging, filtering and authentication will not be available.

Proxy service enabled, running in non-transparent mode

Endian Firewall proxy settings:

Figure 7.38. HTTP proxy enabled

Client access: All clients without explicit proxy configuration will bypass the proxy service.

Figure 7.39. Figure which displays traffic that will not be directed through the HTTP proxy

Client access: All clients configured for proxy usage will use the proxy for all destination ports (80, 443, 8080, etc.) and even for browser based FTP access.

Figure 7.40. Figure which displays traffic which will be redirected through the HTTP proxy.

Result: Whether the proxy service is used depends on the client configuration. Unconfigured clients will bypass logging, filtering and authentication.

Proxy service enabled, running in transparent mode

Endian Firewall proxy settings:

Figure 7.41. HTTP proxy enabled as transparent proxy

Client access: All requests with destination port 80 will be internally redirected to the proxy service. Requests with other destination ports (e.g. 443 for HTTPS) will bypass the proxy service.

Figure 7.42. Figure that displays traffic which will be transparently redirected through the HTTP proxy.

Result: Not all but most requests will pass through the proxy service. Therefore filtering, logging and authentication will not be reliable.

Client side Web Proxy configuration

There are different ways to configure the clients to use the Web Proxy service. Some of them are described in this section.

Manual client configuration

Configuring clients by applying all proxy settings manually:
o Time-consuming and unreliable
o Configuration required per user

Client pre-configuration

Distributing pre-configured browser clients:
o Only reasonable for medium to large environments
o Works only for the configured client software

IEAK for IE 6: http://www.microsoft.com/windows/ieak/
CCK for Mozilla: http://www.mozilla.org/projects/cck/

Client configuration via DNS / DHCP

Centralized client configuration using DNS and/or DHCP:
o Complex implementation
o Requires custom proxy.pac or wpad.dat files (dynamically created by Endian Firewall)
o Flexible configuration
o Most browsers support this configuration method

More info: http://www.web-cache.com/Writings/Internet-Drafts/draft-ietf-wrec-wpad-01.txt

Client configuration using group policies

Centralized client configuration using group policies:
o Complex implementation
o Only reasonable for medium to large environments
o Requires a centralized network management system (Active Directory, ZENworks, etc.)
o Flexible and mandatory configuration
o Works only for Win32 clients and certain browser types
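The DNS/DHCP method above hands clients a proxy.pac or wpad.dat script. The following is an added example of what such a script contains; it is not the file Endian Firewall generates. The proxy address 192.168.0.1:8080 and the GREEN network 192.168.0.0/24 are assumed placeholder values, and the two helper functions at the bottom are stand-ins for PAC built-ins that browsers provide themselves.

```javascript
// Added example: a proxy auto-configuration (PAC) script as served by a
// proxy.pac / wpad.dat URL. Not Endian Firewall's own generated file.
// The browser calls FindProxyForURL(url, host) for every request and obeys
// the returned directive: "PROXY host:port" sends the request through the
// proxy, "DIRECT" bypasses it. Because the proxy runs non-transparently,
// every client that loads this script uses it for all destination ports
// (80, 443, 8080, browser FTP), which is what mandatory logging,
// filtering and authentication require.

var PROXY = "PROXY 192.168.0.1:8080";   // assumed: GREEN address of the firewall, proxy port
var GREEN_NET = "192.168.0.0";          // assumed: internal (GREEN) network
var GREEN_MASK = "255.255.255.0";

function FindProxyForURL(url, host) {
  // Plain hostnames (no dots) are intranet hosts: reach them directly.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Addresses inside GREEN (including the firewall's own web interface)
  // are reached directly so local traffic does not loop through the proxy.
  if (isInNet(host, GREEN_NET, GREEN_MASK)) {
    return "DIRECT";
  }
  // Everything else, whatever the scheme or destination port, goes through
  // the proxy. Deliberately no "; DIRECT" fallback: with one, a browser that
  // cannot reach the proxy would silently bypass filtering and logging.
  return PROXY;
}

// Stand-ins for the PAC built-ins so this file runs under Node for testing.
// Browsers supply their own (isInNet there also resolves hostnames); remove
// these two functions before deploying the script.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function isInNet(host, net, mask) {
  // Handles dotted-quad hosts only; names fall through as "not in net".
  var h = host.split(".").map(Number);
  var n = net.split(".").map(Number);
  var m = mask.split(".").map(Number);
  if (h.length !== 4 || h.some(isNaN)) return false;
  for (var i = 0; i < 4; i++) {
    if ((h[i] & m[i]) !== (n[i] & m[i])) return false;
  }
  return true;
}
```

The script only enforces proxy usage on clients that actually load it; the outgoing firewall rules described under "Requirements for mandatory proxy usage" are what stop a client that ignores the PAC file from going direct.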

Requirements for mandatory proxy usage

To enforce proxy usage, these requirements must be met:

Proper client configuration
The client must be configured to use the proxy service.

Correct proxy operation mode
The proxy must operate in non-transparent mode.

Blocking of direct web access
All direct web access needs to be blocked. See the section called Outgoing Firewall Administrative Web Page.

POP3

Global settings

Figure 7.43. Shows POP3 proxy global settings

Enabled on zone

This enables the E-Mail POP Scanner to listen for requests on the selected zone (GREEN, BLUE or ORANGE). All requests for the destination port 110 (POP3) will automatically be intercepted and forwarded to the POP3 Scanner without the need for any special configuration changes to your clients.

Virus scanner

This option enables the virus scanner for incoming mails using the POP3 protocol.

Spam filter

When activated this will turn on the spam filter for incoming mails.

Firewall logs outgoing connections

By enabling this feature the firewall will log every successful connection to an external POP3 server.

Spamfilter configuration

Figure 7.44. Spamfilter configuration of POP3 proxy

Spam subject tag

If an incoming e-mail is recognized as spam, this value will be prepended to the original e-mail subject.

Required hits

SpamAssassin uses hits to rate incoming e-mails. This value tells SpamAssassin how many hits are required for an incoming e-mail to be recognised as spam. Values like 5 or 6 should be reasonable.

White list

E-mails coming from these addresses or domains (using *@domain.com) will never be treated as spam.

Black list

E-mails coming from these addresses are always treated as spam.

Note: Black list and white list for the POP3 proxy will NOT be used by the SMTP proxy.

SIP

The SIP Proxy is a proxy/masquerading daemon for the SIP and RTP protocols. SIP (Session Initiation Protocol, RFC 3261) and RTP (Real-time Transport Protocol) are used by Voice over IP (VoIP) devices to establish telephone calls and carry voice streams. The proxy handles registrations of SIP clients on a private IP network and rewrites the SIP message bodies to make SIP connections possible through the firewall, and therefore enables SIP clients (like X-Lite, KPhone, Linphone or VoIP hardware) to work behind NAT. Without this proxy, connections between clients are not possible at all if both are behind NAT, since one client can't reach the other directly and therefore no RTP connection can be established between them.

Figure 7.45. SIP Proxy Settings

Enabled on zone

This enables the SIP Proxy to listen for requests on the selected port (default: 5060).

Transparent on zone

If transparent mode is enabled, all requests for the destination port 5060 will be forwarded to the SIP Proxy without the need for any special configuration changes on your clients.

SIP Port

Port to listen on for incoming SIP messages (default: 5060).

RTP Port low / RTP Port high

UDP port range which the SIP proxy will use for incoming and outgoing RTP traffic. By default the range 7070 up to (and including) 7090 is used. This allows up to 10 simultaneous calls (2 ports per call). If you need more simultaneous calls, increase the range.

Autosave Registration

This allows the SIP proxy to remember registrations across a restart.

Time

Save the registration file every time the number of seconds specified in this field has elapsed.

Outbound Proxy Host/Port

The SIP Proxy itself can be told to send all traffic to another outbound proxy.

Log Calls

This enables logging of established calls. You will see the log entries within the siproxy log viewer (see the section called SIProxy log page).

Firewall logs outgoing connections

Tick this on if you want the firewall to log all outgoing connections. Note that in some countries this may be illegal.

Save and Restart

Save the settings and restart the SIP proxy by clicking the Save and restart button.

Note: Some VoIP devices need special configuration in order to be able to cooperate with the SIP proxy. We noticed especially on snom phones the necessity to enable Support for broken registrars in order to have it fully functional.

FTP

The FTP proxy is only available as a transparent proxy. As such it intercepts each FTP connection on port 21 made to the outside, scans the received contents for viruses and handles the transfer instead of the client.

Warning: If you configure your FTP clients or browsers to use the HTTP proxy also for the FTP protocol, this FTP proxy will be bypassed!

Note: The FTP proxy does not support trickling. This means that the proxy needs to download the entire file before the virus scanner can scan it. The FTP client will get data on the control connection in order not to time out, but no data on the data connection. The effect is that the user does not see any progress during download and gets all the data at once after the file has been scanned by the proxy.

Figure 7.46. FTP proxy administration page

Since the FTP proxy is only supported in a basic way, you do not have many configuration options. They are:

Enabled on zone

This enables the FTP proxy on the specified zone.

Firewall logs outgoing connections

Tick this on if you want the firewall to log all outgoing connections made through the proxy. Note that in some countries this may be illegal.

Warning: With some FTP clients such as Web browsers, the FTP proxy can have trouble with authentication. If you need to authenticate against external FTP servers, use real FTP clients or disable the FTP proxy.

SMTP

The scope of the SMTP proxy is to control and optimize SMTP traffic in general and to protect your network from threats when using the SMTP protocol. The SMTP (Simple Mail Transport Protocol) protocol is used whenever you send an e-mail through your mail client to a remote mail server (outgoing mail). It will also be used if you have your own mail server running on your LAN (GREEN interface) or your DMZ (ORANGE interface) and are allowing mails to be sent from outside your network (incoming requests) through your mail server.

Warning: In order to download mail from a remote mail server with your local mail clients, the POP3 or IMAP protocol will be used. If you want to protect that traffic too, you have to use the POP3 proxy. Scanning of IMAP traffic is currently not supported.

With the mail proxy functionality, both sorts of traffic (incoming and outgoing mail) can be scanned for viruses, spam and other threats. Mail will be blocked if necessary and notices will be sent to both the receiving user and the administrator. With the possibility to scan incoming mail, the mail proxy can handle incoming connections and pass the mail to one or more internal mail servers, removing the need to allow SMTP connections from the outside into your local networks.

The following is a complete feature list, which will be described in detail in the following sections:

Multi-domain support
Configurable relaying policy per domain
Spool visualisation & management
External authentication support
TLS e-mail transport encryption support
Mail statistics
  o Day, Week, Month, Year graphs
  o Spam, Virus, Bounced, Rejected
Configurable maximum mail data size
Spam blocking
  o Spam notification
  o Local/Remote Quarantine
  o Realtime Blacklist (RBL) support
  o Custom Client/Sender/Recipient black/whitelists
  o Content-matching rules, DNS-based, checksum-based and statistical filtering
  o Auto learning / Training
  o Subject and header modification on spam
  o Greylisting support
Virus scanning
  o Virus notification
  o Local/Remote Quarantine
Extension blocking
  o Notification
  o Block banned files
  o Double extension blocking

General Settings

Figure 7.47. General Settings

Enabled

This enables the SMTP proxy in order to accept requests on port 25.

Note: Relaying is disabled without authentication in non-transparent mode.

Transparent on zone

If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need for any special configuration changes on your clients.

Antivirus is enabled

Tick this on if you'd like to enable the antivirus. If you enable the antivirus, you can configure it by clicking on the Antivirus link. See the section called Antivirus for a detailed description.

Spamcheck is enabled

Tick this on if you'd like to enable the antispam. If you enable the spam filter, you may configure it by clicking on the Spam link. See the section called AntiSpam for a detailed description.

File Extensions are blocked

Tick this on if you'd like to enable the file extension blocker. With this you may specify a list of file extensions which are not allowed as attachments. If you enable it, configure it by clicking on the File Extensions link. See the section called Banned File Extension for a detailed description.

Incoming Mail enabled

If you have an internal mail server and would like the SMTP proxy to forward incoming mails to your internal server, you need to tick this checkbox.

Note: You need to configure the e-mail domains for which it should be responsible. List the responsible domains within the page you reach by clicking on the Domains link. See the section called Domains for a detailed description.

Firewall logs outgoing connections

Tick this on if you want the firewall to log all established outgoing connections. Note that in some countries this may be illegal.

Save changes and restart

Save the settings and restart the SMTP proxy by pushing this button.

Antivirus

The Antivirus is a core functionality of the SMTP proxy module. It knows four different ways to handle mail containing a virus. You also have the possibility to configure an e-mail address for notification of the recognized and handled threat.

Figure 7.48. SMTP Antivirus

The antivirus section provides the following configuration options:

Mode

This allows you to select the mode of handling infected e-mails. The following possibilities exist:

DISCARD
In this mode the e-mail will not be delivered to its recipients and is deleted without sending a notification to the sender. If a virus quarantine is defined, a copy of the original e-mail will be sent or copied to the virus quarantine.
Note: In most cases this is the best way of handling infected mails.

BOUNCE
In this mode the e-mail will not be delivered to its recipients but bounced back to the sender in the form of a delivery status notification with a non-delivery notification. If a virus quarantine is defined, a copy of the original e-mail will be sent or copied to the virus quarantine.
Warning: Sending notification mails to the sender is not really helpful, as worms normally use spoofed sender addresses. Therefore such notifications mostly reach anyone but the right person. The SMTP proxy does not send a bounce back to the sender if it recognizes a worm which it knows normally spoofs the sender address. Nevertheless the benefit may be less than the problems caused by this mode.

REJECT
The e-mail will be rejected by the MTA. Basically this is the same as BOUNCE. (Removed in version 2.1.)

PASS
Mail will pass to its recipients, regardless of bad content.

Virus Admin

Gives you the possibility to specify a (fully qualified) administrator e-mail address where virus notifications should be sent. (Default is empty.)

Virus Quarantine

Location to put infected mail into. The following possibilities are valid:

leave empty
Disables the quarantine.

virus-quarantine
Set this if you would like to store infected mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.
Warning: There is no possibility to control and manage the quarantine if you use this option.

any e-mail address
You can specify any valid e-mail address to which infected e-mails will be forwarded. With this variant you can forward all infected mails to a POP3 or IMAP account where you may manage them easily.
Note: The e-mail address must contain a @.
Warning: This e-mail address must not have any virus scanner, otherwise the quarantined mail will be blocked by that server.

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

AntiSpam

The antispam module knows several different ways to protect you against spam. In general SpamAssassin and amavisd-new are used to filter out spam. SpamAssassin incorporates several means of detecting spam. It has a score tally system where large numbers of inter-related rules fire and total up a score to determine whether a message is spam or not. In this system each rule affects the proper score of every other rule in the ruleset, and the system tries to balance the most spam and non-spam each on the right side of the tolerance mark. While many of the rules block much of the simpler spam, well known spam and spam sent by known spam hosts, spammers always adapt their messages in order to evade spam filters. Therefore it is also necessary to train the spam filter continuously in order to reach a personalized and stronger statistical filter (Bayes).

Note: While the spam filter blocks much spam, it will never block all of your spam.

Note: The SpamAssassin rules will not be updated automatically like the virus signatures. Here you can read why.

General Settings

Figure 7.49. SMTP Antispam

Spam destination

This allows you to define what should happen to spam mails. The following possibilities exist:

DISCARD
In this mode the e-mail will not be delivered to its recipients and is deleted without sending a notification to the sender. If a spam quarantine is defined, a copy of the original e-mail will be sent or copied to the spam quarantine.
Note: In most cases this is not very useful, since the spam filter may also block regular mail (false positives) if it is configured too restrictively.
Warning: Check your local law. In most countries it is illegal to delete mail without the permission of the recipient.

BOUNCE
In this mode the e-mail will not be delivered to its recipients but bounced back to the sender in the form of a delivery status notification with a non-delivery notification. If a spam quarantine is defined, a copy of the original e-mail will be sent or copied to the spam quarantine.
Warning: Sending notification mails to the sender of spam is not really helpful, as spammers then know more than ever that they hit a real e-mail address. Furthermore, spammers mostly do not use their real sender addresses. They nearly always use spoofed sender addresses, therefore such notifications always reach anyone but the right person.

REJECT
The e-mail will be rejected by the MTA. Basically this is the same as BOUNCE. (Removed in version 2.1.)

PASS
Mail will pass to its recipients, regardless of bad content.
Note: In most cases this is the best mode you can use. The spam filter adds spam headers and changes the subject of the mail if it recognizes the mail as spam. The recipients then may use their mail clients to filter those mails themselves.

Spam admin

Gives you the possibility to specify a (fully qualified) administrator e-mail address to which spam notifications should be sent. (Default is empty.)

Spam quarantine

Location to put spam mail into. The following possibilities are valid:

leave empty
Disables the quarantine.

spam-quarantine
Set this if you would like to store spam mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.
Warning: There is no possibility to control and manage the quarantine if you use this option.

any e-mail address
You can specify any valid e-mail address to which spam mail will be forwarded. With this variant you can forward all spam mails to a POP3 or IMAP account where you may manage them easily.
Note: The e-mail address must contain a @.
Warning: This e-mail address must not have any blocking spam filter, otherwise the quarantined mail will be blocked by that server.

SPAM TAG level

If the spam score is greater than or equal to this level, spam info e-mail headers are added. You will find them as X-Spam-Status and X-Spam-Level headers.

Note: This level will not block the mail, regardless of what you defined as spam destination.

Example 7.9. Example spam info headers

X-Spam-Status: No, score=-1.54 tagged_above=-4 required=6.31 tests=[AWL=-0.723, BAYES_00=-2.599, HTML_80_90=0.146, HTML_FONT_SIZE_NONE=0.033, HTML_FONT_SIZE_TINY=0.533, HTML_FONT_TINY=0.964, HTML_IMAGE_RATIO_04=0.105, HTML_MESSAGE=0.001]
X-Spam-Score: -1.54
X-Spam-Level:

SPAM MARK level

If the spam score is greater than or equal to this level, the mail is marked as spam by tagging the subject line with *** SPAM *** and adding the X-Spam-Flag header.

Note: This level will not block the mail, regardless of what you defined as spam destination.

Example 7.10. Example spam info headers

X-Spam-Status: Yes, hits=12.4 tagged_above=-10.0 required=5.3 tests=BAYES_99, RCVD_HELO_IP_MISMATCH, RCVD_IN_XBL, RCVD_NUMERIC_HELO, SARE_FWDLOOK, SARE_MONEYTERMS, SARE_OEM_FAKE_YEAR
X-Spam-Level: ************
X-Spam-Flag: YES

Note: Users may use X-Spam-Flag: YES as a search string for their mail client filter.
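The TAG and MARK levels above, the quarantine level described in the next paragraph and the spam destination interact in a way that is easy to misconfigure. The following added example (not Endian's or amavisd-new's code) models that interaction: it reads the score out of an X-Spam-Status header like those in Examples 7.9 and 7.10 and then decides which headers and subject tag a message gets and whether the destination action fires. The threshold values in LEVELS are assumed for illustration.

```javascript
// Added example, not Endian Firewall or amavisd-new code: how the SMTP
// antispam levels and the spam destination combine for one message.
// Levels are constructed sample settings; the subject tag is the
// documented default.
const LEVELS = { tag: -4, mark: 5.3, quarantine: 8 };
const SPAM_SUBJECT = "*** SPAM ***";

// Extract the numeric score from an X-Spam-Status header value. amavisd-new
// writes either "score=" or "hits=" depending on its version, as the two
// examples in the guide show.
function scoreFromStatusHeader(headerValue) {
  const m = /\b(?:score|hits)=(-?\d+(?:\.\d+)?)/.exec(headerValue);
  if (!m) throw new Error("no score in X-Spam-Status: " + headerValue);
  return parseFloat(m[1]);
}

// X-Spam-Level carries one "*" per whole point of positive score, so a
// 12.4 score gives twelve stars and a negative score an empty header.
function spamLevelBar(score) {
  return "*".repeat(Math.max(0, Math.floor(score)));
}

// Apply the three levels. `destination` is DISCARD, BOUNCE or PASS as
// chosen under "Spam destination" (REJECT is listed but removed in 2.1).
// Only the quarantine level triggers it; TAG and MARK never block mail.
function applySpamPolicy(score, subject, destination, levels = LEVELS) {
  const headers = {};
  let newSubject = subject;
  let action = "DELIVER";
  if (score >= levels.tag) {
    headers["X-Spam-Status"] =
      (score >= levels.mark ? "Yes" : "No") + ", score=" + score +
      " tagged_above=" + levels.tag + " required=" + levels.mark;
    headers["X-Spam-Level"] = spamLevelBar(score);
  }
  if (score >= levels.mark) {
    headers["X-Spam-Flag"] = "YES";
    newSubject = SPAM_SUBJECT + " " + subject;
  }
  if (score >= levels.quarantine) {
    // DISCARD drops silently, BOUNCE returns a DSN, PASS still delivers.
    action = destination;
  }
  return { action, subject: newSubject, headers };
}
```

With a quarantine level well above the mark level, as in the sample settings, borderline messages are only tagged and flagged for client-side filtering while only high-scoring ones reach the DISCARD or BOUNCE action; setting the quarantine level equal to the mark level removes that safety margin.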

SPAM quarantine level

If the spam score is greater than or equal to this level, the spam evasive action which you selected as spam destination will be taken.

Note: This is the level which may delete spam mail if you selected to DISCARD spam mail.

Sender notification only below level

If the spam score is greater than this level, no notification mails will be sent to the administrator.

SPAM subject

String to prepend to the subject header field when the message exceeds the SPAM MARK level.

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Greylisting

Greylisting is a simple method of defending e-mail users against spam. In short, a mail transfer agent which uses greylisting will temporarily reject any e-mail from a sender it does not recognize. The sender will be delayed for the configured time. If the mail is legitimate, the originating server will try again to send it later. Once the delay time has elapsed, the destination will accept it. Spammers normally will not retry to send temporarily rejected mails, since retrying is not cost effective for them. However, even spam sources which re-transmit later are by then more likely to be listed in DNSBLs and distributed signature systems such as Pyzor.

Figure 7.50. Greylisting

greylisting activated

Tick this on if you want to enable greylisting.

delay (sec)

You can change the delay from 30 seconds up to a maximum of 3600 (1 hour).

Whitelist recipient

With this you can whitelist an address or a complete domain (one entry per line).

Whitelist client

You can exclude a mail server address in order to bypass greylisting for this mail server (one entry per line).

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Banned File Extension

This allows you to block files with certain file extensions which may be attached to mails. Mails which contain such attachments will be recognized and the selected action will be performed for the respective mail.
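The greylisting behaviour described above, with the delay and the two whitelists, is an added example written here to show the state an MTA keeps per (client IP, sender, recipient) triplet; it is not Endian's greylisting implementation. The sample addresses, the 300 second delay and the clock values are constructed.

```javascript
// Added example, not Endian Firewall's code: a greylisting triplet table.
// The first delivery attempt for an unknown (client IP, sender, recipient)
// triplet gets a temporary SMTP rejection; a retry after the configured
// delay is accepted; whitelisted clients and recipients skip the check.
class Greylist {
  constructor({ delaySeconds = 300, whitelistClients = [], whitelistRecipients = [] } = {}) {
    this.delayMs = delaySeconds * 1000;
    this.whitelistClients = new Set(whitelistClients);              // mail server IPs
    this.whitelistRecipients = whitelistRecipients.map(e => e.toLowerCase());
    this.seen = new Map();   // triplet key -> timestamp (ms) of the first attempt
  }

  // A recipient whitelist entry may be a full address or a bare domain.
  recipientWhitelisted(rcpt) {
    const r = rcpt.toLowerCase();
    const domain = r.substring(r.indexOf("@") + 1);
    return this.whitelistRecipients.some(w => w === r || w === domain);
  }

  // Verdict for one delivery attempt at time `now` (ms since epoch):
  // "450" asks the sender to retry later, "250" accepts the recipient.
  check(clientIp, sender, recipient, now) {
    if (this.whitelistClients.has(clientIp) || this.recipientWhitelisted(recipient)) {
      return { code: "250", reason: "whitelisted" };
    }
    const key = clientIp + "|" + sender.toLowerCase() + "|" + recipient.toLowerCase();
    const first = this.seen.get(key);
    if (first === undefined) {
      this.seen.set(key, now);
      return { code: "450", reason: "greylisted, retry later" };
    }
    if (now - first < this.delayMs) {
      // Retried too early: a well-behaved MTA backs off and tries again.
      return { code: "450", reason: "greylisted, retry later" };
    }
    return { code: "250", reason: "retried after delay" };
  }
}
```

The client whitelist is the knob to use for a known sending server that does not retry temporary failures correctly, which is the situation the "Whitelist client" option above exists for; whitelisting a recipient instead removes the protection for that mailbox entirely.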

Figure 7.51. banned files

Blocked File Extensions You can select one or more file extensions. In order to select multiple files press the control key and select the desired entries with your mouse. Note File Extension Block must be enabled in gereral settings. Banned files destination This allows you to define what should happen to e-mails containing files with banned extensions. The following possibilities do exist: DISCARD In this mode the e-mail will not be delivered to its recipients and deleted without sending a notification to the sender. If a quarantine for banned files is defined a copy of the original e-mail will be sent or copied to that quarantine.

BOUNCE
The e-mail is not delivered to its recipients but is bounced back to the sender in the form of a delivery status notification (non-delivery notification). If a quarantine for banned files is defined, a copy of the original e-mail is sent or copied to that quarantine.

Note: It may seem wise to use this variant so that senders learn what they did wrong. Keep in mind, however, that the sender address of mail carrying malware is almost always forged, so such a bounce usually reaches an uninvolved third party (backscatter) rather than the real origin. For executable attachments, DISCARD with a quarantine is the more conservative choice.

REJECT
The e-mail is rejected by the MTA. Basically this is the same as BOUNCE. (Removed in version 2.1.)

PASS
Mail is passed to its recipients regardless of bad content.

Banned files quarantine
Location to put mail with banned files into. The following possibilities are valid:

leave empty
Disables the quarantine.

spam-quarantine
Set this if you would like to store bad mail on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning: There is no way to control and manage the quarantine from the web interface if you use this option.

any email address
You can specify any valid e-mail address to which bad mail will be forwarded. This way you can forward all bad mail to a POP3 or IMAP account where you can manage it easily.

Note: The e-mail address must contain a @.

Admin notification
Lets you specify a (fully qualified) administrator e-mail address to which notifications about bad attachments are sent. (Default is empty.)

Block double extension
Tick this if you want to block attachments which have one of the following double extensions:

filename.XXX.exe
filename.XXX.vbs
filename.XXX.pif
filename.XXX.scr
filename.XXX.bat
filename.XXX.cmd
filename.XXX.com
filename.XXX.dll
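The two rules described above, the blocked extension list and the double-extension check, as an added example written for this edit (not code from Endian Firewall or amavis): a small policy function that decides whether an attachment filename is banned and what the configured destination does with it. The set of blocked extensions is a constructed selection, and the filenames in the usage call are constructed too.

```python
# Added example (not Endian Firewall code): attachment policy as described above.
import re

# The extensions selected in "Blocked File Extensions" (a constructed selection) and
# the executable tails of the "Block double extension" list (taken from the page).
BLOCKED_EXTENSIONS = {"exe", "vbs", "pif", "scr", "bat", "cmd", "com", "dll"}
DOUBLE_EXT_TAILS = {"exe", "vbs", "pif", "scr", "bat", "cmd", "com", "dll"}

# filename.XXX.exe: something, a dot, an inner extension without dots, a dot, a tail.
_DOUBLE_RE = re.compile(
    r"^.+\.[^.]+\.(" + "|".join(sorted(DOUBLE_EXT_TAILS)) + r")$", re.IGNORECASE
)


def banned_reason(filename, blocked=BLOCKED_EXTENSIONS, block_double=True):
    """Return 'double-extension', 'extension' or None for an attachment filename."""
    # Mailers and attackers alike pad names with trailing dots/spaces; ignore them, and
    # compare case-insensitively so INVOICE.EXE is treated like invoice.exe.
    name = filename.strip().rstrip(" .").lower()
    if block_double and _DOUBLE_RE.match(name):
        return "double-extension"
    if "." in name and name.rsplit(".", 1)[1] in blocked:
        return "extension"
    return None


def destination_action(filename, destination="BOUNCE", **policy):
    """Apply 'Banned files destination': DISCARD, BOUNCE or PASS.

    Returns (action, reason). PASS delivers even when a reason was found, which is
    useful for seeing what a policy would catch before enforcing it.
    """
    reason = banned_reason(filename, **policy)
    if reason is None or destination == "PASS":
        return ("deliver", reason)
    if destination not in ("DISCARD", "BOUNCE"):
        raise ValueError("unknown destination %r" % destination)
    return (destination.lower(), reason)


if __name__ == "__main__":
    # constructed filenames
    for f in ("photo.jpg", "setup.EXE", "invoice.pdf.exe", "notes.txt."):
        print(f, destination_action(f, "DISCARD"))
```

Note that the double-extension rule catches invoice.pdf.exe even when exe is not in the selected extension list, which is the point of enabling it separately.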

Save changes and restart
Save the settings and restart the SMTP proxy by clicking the Save changes and restart button.

Blacklists/Whitelists
An often used method to block certain types of spam e-mail are so-called real-time blacklists (RBL). These have been created by many different organisations, which maintain, administer and update them. If a domain or a sender IP address is listed in one of those blacklists, the mail is refused promptly, without the need (and without the possibility) to gather more information about it. This saves more bandwidth than the RBL checks of the antispam module, since the mail is not accepted and then handled but refused as soon as a listed IP address is recognised.

This dialogue also gives the possibility to explicitly block (blacklist) or explicitly allow (whitelist) certain senders, recipients, IP addresses or networks.

Real-time Spam Black Lists (RBL)
A DNS-based Blackhole List (DNSBL, Real-time Blackhole List or RBL) is a published list of IP addresses, in a format that can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS (Domain Name System). DNSBLs are chiefly used to publish lists of addresses linked to spamming.

Warning: It may happen that IP addresses are wrongly listed by the RBL operator. If this happens, it may negatively impact your communication: mail is refused at the MTA without any possibility to recover it. You have no direct influence on the RBLs. Lists are also retired from time to time, and a retired zone may stop answering or may begin to list every address queried, so review the selected lists periodically and remove any that have been shut down.

Figure 7.52. Real-time Black Lists

bl.spamcop.net
RBL based on user submissions (www.spamcop.net).

sbl-xbl.spamhaus.org
The SBL is a real-time database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help e-mail administrators better manage incoming e-mail streams. The Spamhaus Exploits Block List (XBL) is a real-time database of IP addresses of illegal third-party exploits, including open proxies (HTTP, SOCKS, AnalogX, WinGate etc.), worms/viruses with built-in spam engines, and other types of trojan-horse exploits (www.spamhaus.org).

cbl.abuseat.org
The CBL takes its source data from very large spamtraps and only lists IPs exhibiting characteristics specific to open proxies of various sorts (HTTP, SOCKS, AnalogX, WinGate etc.) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or stealth spamware, without doing open proxy tests of any kind. The CBL does NOT list open SMTP relays (cbl.abuseat.org).

dul.dnsbl.sorbs.net
A list of dynamic IP address ranges (www.au.sorbs.net).

list.dsbl.org
DSBL, the Distributed Sender Blackhole List, publishes the IP addresses of hosts which have sent special test e-mail to listme@listme.dsbl.org or another listing address. The main delivery mechanism of spammers is the abuse of non-secure servers. For this reason, many people want to know which servers are non-secure so they can refuse e-mail from these servers. DSBL is intended as a place to publish whether a server is non-secure (www.dsbl.org).

relays.ordb.org
ORDB.org, the Open Relay Database, is a non-profit organisation which stores the IP addresses of verified open SMTP relays. These relays are, or are likely to be, used as conduits for sending unsolicited bulk e-mail, also known as spam. By consulting this list, system administrators can choose to accept or deny e-mail exchange with servers at these addresses (www.ordb.org).

opm.blitzed.org
OPM is designed to list IPs confirmed to be running insecure proxies. These can be present because of misconfiguration of legitimately installed software, or because of the installation of trojans, viruses and other malware. OPM differs from other open proxy DNSBLs in that it tries not to proxy-test remote hosts unless they are implicated in reports of abuse, and it aggressively expires old IPs, especially those known to be used for dynamic leases such as dial-up customers. opm.blitzed.org does NOT list open SMTP relays (wiki.blitzed.org/OPM). (This list has been removed in version 2.1.)

dsn.rfc-ignorant.org
A list of domains or IP networks whose administrators choose not to obey the RFCs, the building-block rules of the net (www.rfc-ignorant.org).

blackhole.securitysage.com
This list is comparable to dsn.rfc-ignorant.org: it contains domain names (as opposed to IP addresses) that can be checked against the client domain of an e-mail, as well as the domain portion (after the @) of the sender and recipient addresses (www.securitysage.com). (New in version 2.1.)

Save changes and restart
Save the settings and restart the SMTP proxy by clicking the Save changes and restart button.

Note: Advanced users can modify the list by editing the file /var/efw/smtpd/default/RBL.

Custom black/whitelists
You have full control and can blacklist or whitelist specific senders, recipients or clients.

Figure 7.53. black/whitelists

Sender Whitelist/Blacklist
There are multiple ways to deny (blacklist) or allow (whitelist) a sender or domain (one per line). The entries in these lists are compared with the sender e-mail address of each incoming mail.

Domain (with subdomains)
Allow or deny a complete domain with all its subdomains.

Example 7.11. Allow or deny a complete domain
endian.it
sub.example.com

This covers each e-mail address under both domains and their subdomains, like mail@sub.endian.it.

Subdomains
Allow or deny only the subdomains of the specified domain. To achieve this, add a leading dot to the domain name.

Example 7.12. Allow or deny only the subdomains of a domain
.endian.it
.sub.example.com

This covers each e-mail address under each subdomain of both domains. For instance it includes mail@test.endian.it but excludes info@endian.it.

Address
Allow or deny a single fully qualified e-mail address, or any e-mail address having the specified user part.

Example 7.13. Allow or deny single e-mail addresses or user names
info@endian.it
postmaster@
abuse@

This covers the single e-mail address info@endian.it, of course, and every e-mail address with postmaster or abuse as user part, like postmaster@riaa.org.

Recipient Whitelist/Blacklist
There are multiple ways to deny or allow a single recipient or domain (one per line). The entries in these lists are compared with the recipient e-mail address of each incoming mail.

Domain (with subdomains)
Allow or deny a complete domain with all its subdomains.

Example 7.14. Allow or deny a complete domain
endian.it
sub.example.com

This covers each e-mail address under both domains and their subdomains, like mail@sub.endian.it.

Subdomains
Allow or deny only the subdomains of the specified domain. To achieve this, add a leading dot to the domain name.

Example 7.15. Allow or deny only the subdomains of a domain
.endian.it
.sub.example.com

This covers each e-mail address under each subdomain of both domains. For instance it includes mail@test.endian.it but excludes info@endian.it.

Address
Allow or deny a single fully qualified e-mail address, or any e-mail address having the specified user part.

Example 7.16. Allow or deny single e-mail addresses or user names
info@endian.it
postmaster@
abuse@

This covers the single e-mail address info@endian.it, of course, and every e-mail address with postmaster or abuse as user part, like postmaster@riaa.org.

Warning: If the SMTP proxy runs in transparent mode, every IP address of the subnets known to the Endian Firewall is allowed automatically as a client. Therefore it is not possible to blacklist a client (sending host) with one of those IP addresses.

Client Whitelist/Blacklist
You can also block or allow a single IP address or subnet from which mail is sent (one per line).

Example 7.17. Allow or deny an IP address or block
80.190.233.143
80.190.233.0/24

Save changes and restart
Save the settings and restart the SMTP proxy by clicking the Save changes and restart button.

Note: The whitelist overrides the blacklists. You can blacklist a whole subnet and then whitelist a single address.

Domains
If you have enabled incoming mail and would like to forward that mail to a mail server behind the Endian Firewall (usually set up in the GREEN or ORANGE zone), you need to declare the domains which will be accepted by the SMTP proxy and to which of your mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind Endian Firewall for different domains. It is also easy to use Endian Firewall as a backup MX.

Figure 7.54. Domains
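For the two client-level decisions described in the preceding sections, the RBL lookup and the custom black/whitelists, here is an added example written for this edit (not Endian Firewall or Postfix code). It shows how a DNSBL query name is built and answered, a sanity check that detects a retired or wildcarding zone (the failure mode the RBL warning is about), and the exact matching semantics of Examples 7.11 to 7.17 with the whitelist taking precedence. The resolver is injectable, and the DNSBL answers in the usage below are a constructed table; the zone names are the ones listed on this page.

```python
# Added example (not Endian Firewall code): how the RBL check and the custom
# black/whitelists above decide about a connecting client. The resolver is
# injectable so the RBL part runs offline against a constructed table.
import ipaddress
import socket


def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the zone: 80.190.233.143 -> 143.233.190.80.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def _system_resolve(name):
    """Default resolver: an A lookup; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(client_ip, zones, resolve=_system_resolve):
    """Return {zone: answer} for every zone that lists the client IP."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if answer is not None:
            hits[zone] = answer  # DNSBLs answer with 127.0.0.x codes; their meaning is per zone
    return hits


def zone_is_sane(zone, resolve=_system_resolve):
    """RFC 5782 health check: 127.0.0.2 must be listed and 127.0.0.1 must not be.

    A retired zone that answers for everything (or for nothing) fails this check.
    """
    return (resolve(dnsbl_query_name("127.0.0.2", zone)) is not None
            and resolve(dnsbl_query_name("127.0.0.1", zone)) is None)


def address_matches(entry, address):
    """One sender/recipient list entry against an e-mail address (Examples 7.11 to 7.16)."""
    entry, address = entry.strip().lower(), address.strip().lower()
    if "@" not in address:
        return False
    local, domain = address.rsplit("@", 1)
    if entry.startswith("."):          # .endian.it: subdomains only, not endian.it itself
        return domain.endswith(entry)
    if entry.endswith("@"):            # postmaster@: this user part at any domain
        return local == entry[:-1]
    if "@" in entry:                   # info@endian.it: exactly this address
        return address == entry
    return domain == entry or domain.endswith("." + entry)   # endian.it and its subdomains


def client_matches(entry, client_ip):
    """One client list entry (single address or CIDR block, Example 7.17)."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry.strip(), strict=False)


def list_decision(value, whitelist, blacklist, matcher=address_matches):
    """'accept' if whitelisted, 'reject' if only blacklisted, otherwise 'neutral'.

    The whitelist wins, so a blacklisted /24 with one whitelisted host accepts that host.
    """
    if any(matcher(e, value) for e in whitelist):
        return "accept"
    if any(matcher(e, value) for e in blacklist):
        return "reject"
    return "neutral"


if __name__ == "__main__":
    table = {"143.233.190.80.bl.spamcop.net": "127.0.0.2"}   # constructed DNSBL answers
    print(dnsbl_lookup("80.190.233.143", ["bl.spamcop.net", "cbl.abuseat.org"], table.get))
    print(list_decision("80.190.233.143", ["80.190.233.143"], ["80.190.233.0/24"], client_matches))
```

The "neutral" result is deliberate: a client that is on neither list is not accepted outright but goes on to the RBL and the remaining checks, whereas a whitelisted entry short-circuits the blacklist only; whether it should also bypass the RBL is a policy choice this page does not state.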

Note: Incoming mail must be enabled to activate this functionality.

BCC
Enable this if you would like a copy of certain mails that go through the SMTP proxy, whether to a certain recipient or from a certain sender. Specify whether the e-mail should be checked for a recipient or a sender address, type that e-mail address into the Mail address field, and finally add the address that should get the copy in the BCC (Blind Carbon Copy) address field.

Figure 7.55. BCC

Note: The sender and the recipient of the e-mail will not know that their messages have been copied unless you tell them.

Warning: In most countries it is illegal to read other people's private messages. Do not abuse this feature.

Advanced settings
This section covers advanced settings of the SMTP proxy.

Smarthost
If you have a dynamic IP address because you are using an ISDN or ADSL dial-up Internet connection, you will have problems sending mail to other mail servers. More and more mail servers check that the forward DNS record of your address matches its reverse DNS record, while others check whether your IP address is listed as a dynamic IP address, and refuse to accept your e-mail. Therefore it may be necessary to use a smarthost for sending e-mail. A smarthost is a mail server which your SMTP proxy uses as outgoing SMTP server. The smarthost must accept your e-mail and relay it for you. Normally you can use your provider's SMTP server as smarthost, since it will accept to relay your e-mail where other mail servers will not.

Figure 7.56. Smarthost

Smarthost enabled for delivery
Tick this to send all outgoing mail through the smarthost.

Address of Smarthost
Outgoing mail server for final delivery.

Note: Normally you can use your provider's SMTP server as smarthost, since it will accept to relay your mail where other mail servers will not.

Authentication required
Some mail servers require authentication. Tick this if your smarthost requires authentication.

Username
Username to use for the authentication.

Password
Password to use for the authentication.

Authentication method
Choose the authentication method for your smarthost. Supported types are PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5.

Note: PLAIN and LOGIN transmit the password itself, merely base64-encoded, so they should only be used if the session to the smarthost is protected by TLS. CRAM-MD5 and DIGEST-MD5 answer a server challenge with a keyed hash instead, so the password does not cross the wire; they do, however, require the smarthost to support the method and to hold the password in a form from which it can recompute the hash.

Save changes and restart
Save the settings and restart the SMTP proxy by clicking the Save changes and restart button.
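What the authentication methods above actually send to the smarthost, as an added example written for this edit (not Endian Firewall or Postfix code): the PLAIN token is only an encoding of the password, while the CRAM-MD5 reply is a keyed hash of a server challenge that a server can verify only if it holds the password. The username, password and challenge are the published sample values from RFC 2195; nothing else on this page is used.

```python
# Added example (not Endian Firewall code): what each smarthost authentication method
# puts on the wire. Username, password and challenge are the sample values of RFC 2195.
import base64
import hashlib
import hmac


def sasl_plain(username, password, authzid=""):
    """AUTH PLAIN token: base64(authzid NUL authcid NUL password). Encoding, not protection."""
    raw = "%s\0%s\0%s" % (authzid, username, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def sasl_plain_decode(token):
    """What anyone reading an unencrypted session recovers from an AUTH PLAIN token."""
    _authzid, username, password = base64.b64decode(token).decode("utf-8").split("\0")
    return username, password


def cram_md5_response(username, password, challenge):
    """AUTH CRAM-MD5 client reply: username SP hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5)
    return "%s %s" % (username, digest.hexdigest())


def cram_md5_verify(response, challenge, lookup_password):
    """Server side: recompute from the stored password and compare in constant time.

    The password never crossed the wire, but the server must be able to recover it
    from its user database to recompute the HMAC (it cannot store a one-way hash).
    """
    username = response.split(" ", 1)[0]
    stored = lookup_password(username)
    if stored is None:
        return False
    expected = cram_md5_response(username, stored, challenge)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    user, secret = "tim", "tanstaaftanstaaf"            # RFC 2195 sample credentials
    chal = "<1896.697170952@postoffice.reston.mci.net>"  # RFC 2195 sample challenge
    token = sasl_plain(user, secret)
    print("PLAIN   :", token, "->", sasl_plain_decode(token))
    print("CRAM-MD5:", cram_md5_response(user, secret, chal))
```

A fresh challenge per session is what stops a captured CRAM-MD5 reply from being replayed; the captured PLAIN token, by contrast, is the password.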

IMAP Server for SMTP Authentication
The SMTP proxy can query a remote IMAP server to authenticate users. This way it is possible to use the SMTP proxy remotely, with the authentication relayed to any external domain.

Figure 7.57. IMAP Server for SMTP Authentication

Authentication enabled
Tick this to enable the remote authentication.

IMAP Server
Address of the remote IMAP server.

Number of authentication daemons
If you have many concurrent users you can increase the number of authentication daemons (default 5).

Save changes and restart
Save the settings and restart the SMTP proxy by clicking the Save changes and restart button.

Advanced settings
There are even more advanced configuration possibilities for the SMTP proxy. You may change the maximum size of a single e-mail, change the language of the SMTP proxy's own messages, or make the mail server more restrictive and strictly RFC-compliant in order to fight spam.

Figure 7.58. Advanced Settings

Smtpd helo required
If this is enabled, the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session (default enabled).

Note: Enabling this stops some UCE-sending malware, which skips the greeting entirely.

Reject invalid hostname
Reject the connecting client when the hostname in its HELO or EHLO command is syntactically invalid (default enabled).

Reject non fqdn sender
Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC (default enabled).

Reject non fqdn recipient
Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.

Reject unknown sender domain
Reject the request when the domain of the sender address has no DNS A or MX record (default enabled).

Reject unknown recipient domain
Reject the request when the domain of the recipient address has no DNS A or MX record (default enabled).
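The six reject checks above, applied to a single SMTP envelope, as an added example written for this edit (not Endian Firewall code). The option names on this page match Postfix's smtpd restriction parameters, but the code below is a stand-alone re-implementation, not the proxy's own logic. The DNS lookup is an injectable callable so the example runs offline against a constructed set of known domains, and one assumption is made that the page does not state: the empty bounce sender <> has no domain, so the sender checks leave it alone, as RFC 5321 requires every MTA to accept it.

```python
# Added example (not Endian Firewall code): the reject checks above applied to one
# SMTP envelope. DNS is replaced by an injectable lookup so the example runs offline.
import re

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def valid_hostname(name):
    """Syntactically valid HELO argument: dotted labels of letters, digits and hyphens,
    or an address literal such as [192.0.2.1]."""
    if re.fullmatch(r"\[\d{1,3}(\.\d{1,3}){3}\]", name):
        return True
    labels = name.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def is_fqdn(domain):
    """Fully-qualified: a valid hostname with at least one dot (so 'localhost' is not)."""
    return valid_hostname(domain) and "." in domain.rstrip(".") and not domain.startswith("[")


def _domain_of(address):
    return address.rsplit("@", 1)[-1] if "@" in address else ""


DEFAULTS = {                       # the page's defaults; the recipient FQDN check is assumed on
    "helo_required": True,
    "reject_invalid_hostname": True,
    "reject_non_fqdn_sender": True,
    "reject_non_fqdn_recipient": True,
    "reject_unknown_sender_domain": True,
    "reject_unknown_recipient_domain": True,
}


def check_envelope(helo, mail_from, rcpt_to, has_a_or_mx, settings=None):
    """Return the rejection reasons for one envelope, in the order they are applied.

    helo:        HELO/EHLO argument ('' if the client never sent one).
    mail_from:   envelope sender; '' is the null sender <> of bounces (assumption:
                 skipped by the sender checks, since RFC 5321 requires accepting it).
    has_a_or_mx: callable(domain) -> bool, standing in for the DNS A/MX lookup.
    """
    cfg = dict(DEFAULTS, **(settings or {}))
    reasons = []
    if cfg["helo_required"] and not helo:
        reasons.append("helo required")
    if helo and cfg["reject_invalid_hostname"] and not valid_hostname(helo):
        reasons.append("invalid helo hostname")
    sender_domain, rcpt_domain = _domain_of(mail_from), _domain_of(rcpt_to)
    if mail_from and cfg["reject_non_fqdn_sender"] and not is_fqdn(sender_domain):
        reasons.append("non-fqdn sender")
    if cfg["reject_non_fqdn_recipient"] and not is_fqdn(rcpt_domain):
        reasons.append("non-fqdn recipient")
    if mail_from and cfg["reject_unknown_sender_domain"] and not has_a_or_mx(sender_domain):
        reasons.append("unknown sender domain")
    if cfg["reject_unknown_recipient_domain"] and not has_a_or_mx(rcpt_domain):
        reasons.append("unknown recipient domain")
    return reasons


if __name__ == "__main__":
    known = {"endian.it", "example.com"}            # constructed: domains with an A/MX record
    print(check_envelope("x_y", "a@nowhere.invalid", "b@example.com", known.__contains__))
```

Note that "reject invalid hostname" is a syntax check only: a bare "mail" passes it, so a client lying with a plausible-looking name is not caught by any of these options; they mainly shed malware that cannot speak the protocol properly.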

SMTP Helo Name
The hostname to send with the SMTP EHLO or HELO command. The default value is the IP address of RED. Specify a hostname or IP address.

Always BCC Address
Optional address that receives a blind carbon copy of every message received by the SMTP proxy.

Note: If the e-mail to the BCC address bounces, the bounce is returned to the original sender, who thereby learns of the copy.

Smtpd hard error limit
The maximum number of errors a remote SMTP client is allowed to make without delivering mail. The SMTP proxy disconnects when the limit is exceeded (default 20).

Language E-Mail Templates
Specifies the language for the error messages (default English).

Maximal E-Mail size
The maximum allowed size (in MB) of a message (default 10 MB).

Save changes and restart
Save the settings and restart the SMTP proxy by clicking the Save changes and restart button.

This page was last modified on 2006-11-23 19:30:06 +0100 (Thu, 23 Nov 2006).

Chapter 8. VPN Menu

Table of Contents
Introduction
Virtual Private Networks (VPNs)
Net-to-Net (Gateway-to-Gateway)
Host-to-Net (Roadwarrior)
OpenVPN
OpenVPN Web Interface
OpenVPN Server
Openvpn Net2Net client
Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)
Configuration of an OpenVPN client on the roadwarrior side
IPSec
Methods of Authentication
Pre-shared Key
X.509 Certificates
Global Settings
Connection Status and Control
Certificate Authorities
Generate Root/Host Certificates
Upload a CA certificate
Reset configuration

Add a new connection
Connection Type
Authentication

Introduction

Figure 8.1. VPN menu selected

Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) allow two networks to connect directly to each other over another network such as the Internet. All data is transmitted through an encrypted tunnel, hidden from prying eyes. Similarly, a single computer can connect to another network using the same facilities. Endian Firewall uses both the OpenVPN and IPSec protocols to create VPNs. Endian Firewall can easily establish VPNs to other Endian Firewalls. EFW can also inter-operate with just about any VPN product that supports OpenVPN, IPSec and standard encryption technologies such as 3DES. VPN connections in Endian Firewall are defined as Net-to-Net or Host-to-Net. This is entirely optional, so you may safely ignore this section if you do not wish to use this feature.

Most modern operating systems support IPSec. This includes Windows, Mac OS X, Linux and most Unix variants. Unfortunately, the tools needed to provide this support vary greatly and may be difficult to set up. OpenVPN setup is far easier than IPSec. It runs on Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X and Solaris. The commercial version of Endian Firewall offers a user-friendly OpenVPN client for Windows, Linux and Mac OS X.

Net-to-Net (Gateway-to-Gateway)

Figure 8.2. Figure of a Net-to-Net VPN

Net-to-net (or gateway-to-gateway) VPNs link two or more private networks across the Internet by creating an encrypted tunnel. In a net-to-net VPN, at least one of the networks involved must be connected to the Internet with an Endian Firewall. The other network(s) can be connected to an Endian Firewall or to another IPSec- or OpenVPN-enabled router or firewall. These routers/firewalls have public IP addresses assigned by an ISP and are most likely using Network Address Translation (NAT), hence the term Net-to-Net. If desired, a VPN can also be created between wireless machines on your BLUE network and Endian Firewall. This ensures that traffic on your BLUE network cannot be intercepted with wireless sniffers.

Host-to-Net (Roadwarrior)
We speak of a Host-to-Net connection when Endian Firewall is on one end of the VPN tunnel and a remote or mobile user is on the other end. The mobile user is most likely a laptop user with a dynamic public IP address assigned by an ISP, hence the terms Host-to-Net or Roadwarrior.

Figure 8.3. Figure of a Host-to-Net VPN

OpenVPN
OpenVPN is an SSL/TLS-based virtual private network solution. It uses the industry-standard SSL/TLS protocol to create the encrypted tunnel, which can transmit packets of OSI layer 2 or 3. Do not confuse OpenVPN with what many vendors call "SSL VPN". Most of those only claim to be real SSL VPNs; in fact they are application-level gateways that tunnel only the application streams of certain services through an encrypted connection, without implementing a whole VPN, which is a site-to-site tunnel. As a real SSL VPN, OpenVPN can tunnel all your traffic from OSI layer 2 upwards, so even ARP traffic can be transmitted to the remote endpoint.

The main advantage of this type of VPN is its ease of use. Since OpenVPN is an application on both sides of the tunnel, it runs in user space instead of kernel space. Therefore it needs no kernel modifications, and it minimises the probability of a catastrophic failure, which is certainly higher for software running in kernel space. This makes the whole thing a lot easier to introduce into a network. In fact, wherever you can establish a normal TCP or UDP connection, like from a browser to a server, you can use OpenVPN. There is no need for NAT traversal or the like. We strongly encourage you to use OpenVPN instead of IPSec if you can choose. The only argument that comes to mind for using IPSec is interoperability with other vendors.

Figure 8.4. Figure of a VPN using OpenVPN as mixed VPN combining a Host-to-Net VPN (the Roadwarrior) and Net-to-Net VPNs in a hub-and-spoke topology

Endian Firewall implements both an OpenVPN server and an OpenVPN client. The administration interface is divided into two main parts, Openvpn Server and Openvpn Net2Net client. Basically, the OpenVPN server opens a virtual interface (its name begins with tap) whose function is to hand packets to the OpenVPN server process instead of putting them on the wire. The tap interface is joined with the GREEN bridge, so each connected client is, from the point of view of the other machines behind GREEN, directly part of the GREEN network. For the OpenVPN server it makes no difference whether the client connects a whole network (Net-to-Net) or is just a roadwarrior (Host-to-Net), and it makes no difference whether one, two or many clients are connected.

Another advantage compared to IPSec is that the OpenVPN server acts like a switch (hub-and-spoke). Communication between the VPN endpoints is possible, and communication between the connected OpenVPN clients is kept within the tunnel and always goes through the server process. It need not leave the tap interface on the server side. Note, however, that each client has its own session keys, so the server process does decrypt such traffic with one client's keys and re-encrypt it with the other's; the hub therefore sees client-to-client traffic in clear.

OpenVPN Web Interface
As mentioned before, the OpenVPN web interface is split into two parts, the Openvpn Server and the Openvpn Net2Net client menu, which you can select on top of the page as a submenu of Virtual Private Networking. If you would like to create a simple tunnel from one EFW to another, simply choose one side as server and configure it through the OpenVPN server page. The other side acts as client and is configured on the client page. On the client side there is no need to start the server. If one side has a dynamic IP address, use that one as client, since the client establishes the connection and can reconnect if its IP address changes. NAT between the endpoints on the client side is no problem at all. If you have NAT on the server side, simply forward UDP port 1194 to the EFW.
OpenVPN Server
The following describes the OpenVPN Server admin interface, which you reach by clicking the OpenVPN Server tab on top of the page.

Global Settings

Figure 8.5. Global Settings

This box contains the common configuration of the OpenVPN server.

OpenVPN Server enabled
Tick this if you would like to enable the OpenVPN server on this machine.

IP Pool
Fill in the start and end IP address of a range from the GREEN network which you would like to assign to the OpenVPN clients connecting to this server. Note that with a Net-to-Net topology only the remote EFW gets an IP address from this range, not the workstations behind it.

Port
The port on which the OpenVPN server listens for incoming connections.

Protocol
Allows you to change the protocol from UDP to TCP.

Warning: Do not select TCP unless you know exactly what you are doing! Carrying TCP connections inside a TCP tunnel makes the inner and outer retransmission timers interact badly on a lossy link (the so-called TCP meltdown), which can stall the tunnel; UDP does not have this problem. Choose TCP only where UDP is blocked on the path.

Block DHCP responses coming from tunnel
Since the virtual tap device of the OpenVPN server is joined with the GREEN bridge, broadcast packets of your GREEN zone pass through the tunnel. This includes DHCP requests from your workstations. If the client on the other side is in bridged mode and the remote side has a DHCP server running, DHCP responses will come back from it. This may cause problems: if you do not want the remote DHCP server to assign IP addresses to your local workstations in GREEN, tick this option to block the responses.

Note: This does not block the DHCP responses which come from your local DHCP server and go to the remote network! You need to block those on the remote side.

CA Certificate
This is the text representation of your Certification Authority certificate. It is needed on every OpenVPN client that wants to connect to your OpenVPN server.

Download CA Certificate
By clicking this link you can download the CA certificate, which every OpenVPN client needs in order to connect to your OpenVPN server.

Users which are allowed to connect to openvpn

Figure 8.6. Users which are allowed to connect to openvpn

Below the global settings box you find the means to manage the accounts which may connect to the OpenVPN server. All known users are listed in a table. Each line has the following action icons, which apply to the respective user:

Configure Networks
Clicking this button takes you to a new window where you can administer this user's network settings.

Enabled icon
If this appears as a ticked checkbox, the user is enabled and can connect. Click on it to disable or enable the user. Note that disabling an already connected user does not kick it out; it only refuses reconnection.

Trash can icon
Click on it to remove the account.

Pencil icon
Click on it to edit the respective account. This opens a new page, described later under Add Account.

Below, you find a single button, Add Account, which allows you to add a new account. This button opens a new page, described in the Add Account section.

Add Account

Figure 8.7. Add Account

When you create a new account, you find the following configuration fields:

Username
Fill in the username to be created.

Password
Choose a password for the new account.

Verify Password
Fill in the same password as above. This is only for verification, to ensure that you typed the password correctly.

Remote network

This is not needed if the remote client which connects with this new account is in bridged mode. Otherwise you need to specify the network address of the remote GREEN network, so that the Endian Firewall can create correct routing entries on both sides.

Remote Network Mask
Fill in the netmask of the remote client if it is configured in routed mode.

use this firewall as default gateway
Tick this if you would like the remote client to create routing entries that redirect all traffic of the remote side through the VPN tunnel to your EFW, from where it then leaves through the RED interface. You normally want this for roadwarriors in order to enforce your security policies: otherwise the remote side has its own Internet connection (split tunnelling), and a possible intruder on that side could come in through the VPN and compromise the local GREEN network. Basically this option does the following on the remote side:

1. Creates a host route which sends all traffic destined to our RED IP address to the IP address that is currently used as default gateway.
2. Removes the default route entry.
3. Creates a new default route entry with our GREEN IP address as gateway.

push route to blue zone
This option grants the new user access to your BLUE zone.

Note: This option is only available if you have configured your BLUE zone.

push route to orange zone
This option grants the new user access to your ORANGE zone.

Note: This option is only available if you have configured your ORANGE zone.

Connection status and control
The following is found below the box Users which are allowed to connect to openvpn and shows all currently connected users.

Figure 8.8. Connection status and control

The table shows you the following information:

User
The name of the user connected to the server.

Assigned IP
The IP address assigned to the client by the server. This address belongs to the GREEN IP range configured above.

Real IP
The real public IP address of the connected client.

RX
The data volume received through this tunnel.

TX
The data volume transmitted through this tunnel.

Connected since
The timestamp when the client connected.

Uptime
How long the respective client has already been connected.

The following actions can be performed on each connected user:

Kill
Kills the connection immediately. The user can reconnect, and this will happen automatically, since the OpenVPN client on the remote side reconnects as soon as it notices the disconnect, which can take up to a couple of minutes.

Ban
Bans the user. In fact this disables the account and then kicks the user. The user cannot reconnect.

Openvpn Net2Net client
This section describes the configuration of the OpenVPN client shipped with Endian Firewall. With this client you can have the Endian Firewall connect to a remote OpenVPN server. Normally you use this to create a Net-to-Net connection to another EFW. A client configuration needs the following information to successfully connect to a remote OpenVPN server:

Username
Password
CA Certificate of the remote server

You get the CA certificate from the server by clicking the Download CA Certificate link on the Openvpn Server configuration page of the remote Endian Firewall. The client uses it to verify that the server it connects to presents a certificate issued by that CA; without this check, a client could be lured into handing its username and password to a rogue server.

Note that a CA certificate is not a secret: every client holds a copy, and possessing it does not by itself authenticate anyone to the server. The username and password remain the client's credential, and it is the CA's private key, not this certificate, that must never be disclosed.

VPN tunnel and control
This page lists status reports for the configured tunnels. You will notice that this page reloads every five seconds in order to update the status display when the status of a client changes.

Figure 8.9. VPN tunnel and control

The following describes the displayed configuration items of each client and the actions available:

Status
Displays the connection status of the respective tunnel. The following values exist:

closed
The tunnel is closed. There is no connection to the remote host.

established
The tunnel to the remote host is established and working.

connecting...
The client is currently trying to connect to the remote host.

resolve error
The client could not resolve the remote hostname. Probably the hostname does not exist or you have a problem with your DNS resolver.

invalid ca cert
The CA certificate is invalid. Maybe you supplied the wrong certificate. Another possibility is that the date on your host is wrong, so that the certificate is not yet valid.

authentication failed
The client could not authenticate to the remote host. You may have supplied a wrong username or password.

Remote Address
The remote host to which the client should connect.

Options
Displays configuration options if they are set. Possible values are:

bridged
The client is in bridged mode.

drop DHCP
The client blocks DHCP responses coming from the tunnel.

Remark
Optional connection description.

Action
To edit an existing tunnel, click its pencil icon. The VPN tunnel values are then displayed in the add VPN tunnel settings section of the page. To remove an existing tunnel, click its trash can icon. You will be asked if you really want to remove the tunnel; if you choose Yes, the tunnel configuration is removed. To enable or disable a tunnel, click the Enabled icon (the checkbox in the Action column) of the entry you want to enable or disable. The icon changes to an empty box when a tunnel is disabled. Click the checkbox to enable it again.

Below you find a single button, Add tunnel configuration, which allows you to create a new client configuration in order to connect to a remote Endian Firewall or another sort of OpenVPN server.

Add a VPN tunnel
When you press the button Add tunnel configuration you reach this page.

Figure 8.10. Add a VPN tunnel

In order to create a new tunnel configuration you need to provide the following information:

Connect to
IP address or public host name (FQDN) of the remote Endian Firewall (or other OpenVPN server).

Username and Password
Username and password of the OpenVPN account created on the remote host.

Bridged/routed
The OpenVPN client can run in either routed or bridged mode. The difference is the OSI layer on which the client acts. If you specify bridged mode, the client's virtual tap device is joined to the bridge of the GREEN zone (br0). As a member of the bridge, all traffic created within the GREEN network is also passed through the tunnel to the remote side. This includes ARP traffic and other protocols below TCP. In this manner the tunnel acts like a switch port. You can use this, for example, if you need to browse the remote side's Microsoft Windows servers. In order to access hosts on the remote side you must of course use the same GREEN network address on both sides, since the two GREEN networks really become part of the same physical network.

Note: This option does not scale well and sends much unneeded traffic through the tunnel! Use it only if you really need it.

With routed mode the client's tap device stays on its own and is not joined to the GREEN bridge. The device obtains an IP address assigned by the remote OpenVPN server, which selects it from its configured IP pool. The two GREEN zones are split and the two networks are routed. This all happens on a higher OSI layer. To make this work you need different GREEN network addresses, since the two networks in this mode are not the same and must be distinguishable. You also need to specify your local GREEN network and network mask on the remote OpenVPN server, so that the needed routes can be set on both sides.

block DHCP responses coming from the tunnel
If you selected routed mode, this does not concern you. Otherwise, in bridged mode, the virtual tap device of the OpenVPN client is joined to the GREEN bridge, so broadcast packets of your GREEN zone pass through the tunnel. This includes DHCP requests from your workstations. Since the server on the other side is also part of this GREEN bridge, DHCP responses will come back from it if the remote side runs a DHCP server. This may cause problems if you do not want the remote DHCP server to assign IP addresses to your local workstations in the GREEN zone. Tick this to block those responses.

Note: This does not block the DHCP responses which come from your local DHCP server and go to the remote network! You need to block those on the remote side.

Remark
An optional connection description.

CA certificate
The CA certificate of the remote Endian Firewall's OpenVPN server. You get this certificate by pressing the Download CA Certificate link on the remote OpenVPN server configuration page. You can paste the CA certificate content (text) into this box or...

upload CA file
...upload the CA certificate file.

Save
Click Save to add your configuration.

Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)
Situation: you have three branch offices, each with an Endian Firewall, and you need to connect the offices into a single network in a star topology (hub-and-spoke) with encrypted tunnels.

Note: The clocks on both ends of the EFW VPN tunnel should be correct before configuring a VPN; otherwise the connection may not be established because the CA certificate appears not yet valid.

Configure Endian Firewall OpenVPN server
One of the three Endian Firewalls must act as OpenVPN server (the hub):

1. Go to the OpenVPN server section (VPN > Openvpn Server).

Figure 8.11. Openvpn Server

2. Set an IP address range which will be used to assign an internal (GREEN) IP address to the other two Endian Firewalls.
3. Tick on the Enabled box.
4. Now add 2 users, office1 and office2 (one for each Endian Firewall that will be connected to our Endian Firewall OpenVPN server), by pressing the Add Account button in the Users which are allowed to connect to openvpn section.

Figure 8.12. Users which are allowed to connect to openvpn

5. Fill in the information in the add new user form items. In this case we assume that it is enough to use routed mode. You need to specify the GREEN network address and network mask of the respective branch office (office1 and office2). If you want the new user to be able to connect to your BLUE or ORANGE zone you have to tick the respective push route to blue/orange zone checkbox.

Figure 8.13. Add a new user

6. Repeat steps 4 and 5 for the second user.

Figure 8.14. List of allowed users

7. Ok. The Endian Firewall in office0 is ready to receive VPN connections from the other offices.
8. Download the CA certificate file by clicking the link Download CA Certificate. You will need this file on both other Firewalls.

Warning
Pay attention to keep this file private.

Figure 8.15. Openvpn Server CA Certificate

Configure the Endian Firewall OpenVPN Net2Net client

Now we have to configure the Endian Firewall of office1 and office2.

1. Go to the office1 Endian Firewall web interface, to the Openvpn Net2Net client section (VPN > Openvpn Net2Net client).

Figure 8.16. Configure Office 1 Endian Firewall

2. Click the button add tunnel configuration.

Figure 8.17. Add Office 0 tunnel

Supply the following information:
o Connect to: insert the office0 Endian Firewall RED interface IP address, or the fully qualified host name (e.g. office0.endian.it)
o Username: the username created on the office0 Endian Firewall (see "Configure Endian Firewall OpenVPN server", points 4 and 5) (in this case: office1)
o Password: the password for the user
o Routed: in this case it probably would be better to choose routed.
o Remark: insert a connection description (optional)
o Upload CA file: click on the Browse button and choose the file which you saved before within step 8.
3. Click on the Save button.
4. Repeat steps 1 to 4 for the office2 Endian Firewall.

5. If all is ok, the page VPN > OpenVPN Server > Openvpn Net2Net client on your office1 and office2 firewall should show you this:

Figure 8.18. Connected to Office 0 tunnel

and the office0 Endian Firewall should show you the following on the VPN > OpenVPN Server page:

Figure 8.19. Connected Office 1 and 2 clients

With this configuration your workstations in the office1 and office2 nets should be able to reach the GREEN network of your office0.

Configuration of an OpenVPN client on the roadwarrior side

In order to connect to the Endian Firewall OpenVPN server you can choose from a list of free projects which implement an OpenVPN client with a graphical user interface. One you can find on Mathias Sundman's OpenVPN GUI site. You can also download OpenVPN from the OpenVPN Homepage, which provides the source code package as well as a packaged Microsoft Windows installer. Each major Linux distribution should have its own package of it, and it has also been ported to other Unix derivatives.

Tip
Endian Firewall Enterprise Edition has a Linux package as well as a Windows package of the OpenVPN client available for download in the VPN > OpenVPN > Download section.

Next you need a valid and, most notably, Endian Firewall compatible configuration file. The OpenVPN server on the Endian Firewall:

o runs as server of course, so your openvpn installation must act as client (--client) in order to successfully establish a connection.
o listens on the standard port 1194 (--port 1194).
o uses the UDP protocol (--proto udp).
o encapsulates Ethernet 802.3, therefore uses tap devices (--dev tap).
o uses static key mode (--auth-user-pass).
o uses fast LZO compression (--comp-lzo).
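As an added example, not from the manual and not part of Endian Firewall, the following Python script checks a roadwarrior's OpenVPN client configuration file against the server properties listed above before the file is handed to a user. The directive names are OpenVPN's own; the two sample configuration files embedded in it are constructed for the demonstration, and the CA path /etc/openvpn/efw-ca.pem is a placeholder.

```python
import shlex

# Server-side properties the manual lists, expressed as the client directives
# that must match them. The list is the manual's; the checker around it is an
# added example, not Endian Firewall code.
REQUIRED = {
    "client": None,          # the roadwarrior must act as client
    "dev": "tap",            # the server bridges Ethernet frames
    "proto": "udp",          # the server listens on UDP
    "auth-user-pass": None,  # username/password account on the server
    "comp-lzo": None,        # the server expects LZO compression
    "ca": None,              # path to the downloaded CA certificate
}
SERVER_PORT = "1194"


def parse_openvpn_config(text):
    """Map each directive to its argument list. Lines starting with '#' or ';'
    are comments; the first occurrence of a directive wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], parts[1:])
    return directives


def check_efw_client_config(text):
    """Return a list of problems; an empty list means the file matches the
    Endian Firewall OpenVPN server as the manual describes it."""
    d = parse_openvpn_config(text)
    problems = []
    for name, wanted in REQUIRED.items():
        if name not in d:
            problems.append(f"missing '{name}'")
        elif wanted is not None:
            found = d[name][0] if d[name] else "(none)"
            if not found.startswith(wanted):  # accepts 'dev tap0' as well as 'dev tap'
                problems.append(f"'{name}' must be {wanted}, found {found}")
    remote = d.get("remote")
    if not remote:
        problems.append("missing 'remote <server>'")
    else:
        # 'remote host [port]' overrides a separate 'port' line; 1194 is the default
        port = remote[1] if len(remote) > 1 else d.get("port", [SERVER_PORT])[0]
        if port != SERVER_PORT:
            problems.append(f"server listens on {SERVER_PORT}, config uses {port}")
    return problems


# Constructed sample files; the CA path is a placeholder.
GOOD_CONFIG = """\
client
dev tap
proto udp
remote your.remote.efw
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/efw-ca.pem
auth-user-pass
comp-lzo
"""

BAD_CONFIG = """\
client
dev tun
proto tcp
remote your.remote.efw 443
ca /etc/openvpn/efw-ca.pem
auth-user-pass
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_efw_client_config(cfg) or "OK")
```

Run against a config file, a non-empty result lists each directive that would make the client fail to connect to an Endian Firewall server, which is quicker than reading the OpenVPN log after the fact.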

Example 8.1. An example command line to start openvpn on your roadwarrior

    openvpn --client --pull --comp-lzo --nobind --dev tap --ca /path/to-the-ca-certificate.pem --auth-user-pass --remote your.remote.efw

Example 8.2. An example configuration file for openvpn on your roadwarrior

    client
    dev tap
    proto udp
    remote your.remote.efw
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca path-to-the-ca-certificate.pem
    auth-user-pass
    comp-lzo

Note
Download the CA certificate using the appropriate link on the OpenVPN server configuration page and copy the certificate file to the location to which you point with the --ca parameter.

IPSec

IPSec (IP Security) is a generic standardized VPN solution. Compared to OpenVPN, encryption and authentication are already done on OSI layer 3 as an extension to the IP protocol. Therefore IPSec must be implemented in the IP stack, which is part of the kernel. Since IPSec is a standardized protocol it is compatible with most vendors that implement IPSec. Compared to OpenVPN, IPSec's configuration and administration is, due to its complexity, usually quite difficult, and due to its design some situations are impossible to handle compared to OpenVPN, especially if you have to cope with NAT. However, Endian Firewall implements an easy to use administration interface with different authentication possibilities. We strongly encourage you to use IPSec only if you need to for interoperability purposes. Use OpenVPN wherever you can, especially if NAT is in the game.

Methods of Authentication

It is necessary to have a pre-shared key/password/pass phrase or an X.509 certificate before trying to configure a Roadwarrior or Net-to-Net VPN connection. These are methods of authentication, which identify the user trying to access the VPN. They will be required in the VPN configuration stage.

Pre-shared Key

The pre-shared key authentication method or PSK is a very simple method that allows VPN connections to be set up quickly. For this method, you enter an authentication phrase. This can be any character string similar to a password. This phrase must be available for authentication on Endian Firewall and on the VPN client. The PSK method involves fewer steps than certificate authentication. It can be used to test connectivity of a VPN and to become familiar with the procedure of establishing a VPN connection. Experienced users may wish to progress straight to the section called Generate Root/Host Certificates before trying to configure a roadwarrior or a net-to-net VPN connection. The pre-shared key method should not be used with Roadwarrior connections as all roadwarriors must use the same pre-shared key.

Note
The clocks on either end of the EFW VPN tunnel should be up to date before configuring a VPN.

X.509 Certificates

X.509 certificates are a very secure way of connecting VPN servers. To implement X.509 certificates you must either generate or set up the certificates on Endian Firewall or use another certification authority on your network.

X.509 Terminology

X.509 certificates on Endian Firewall and many other implementations are manipulated and controlled by OpenSSL. SSL, or the Secure Sockets Layer, has its own terminology. X.509 certificates, depending on their type, may contain public and private encryption keys, pass phrases and information about the entity they refer to. These certificates are meant to be validated by Certification Authorities (Certificate Authorities) or CAs. When used by web browsers, the CA certificates of major, pay-for CAs are compiled into the browsers. To validate a host certificate, the certificate is passed to the appropriate CA to perform validation. On private networks or unique hosts, the CA may reside on a local host. In EFW's case, this is the Endian Firewall itself.

Certificate signing requests are requests for signing unsigned X.509 certificates that are passed to CAs. The CAs in turn generate an X.509 certificate by signing the request. These are returned to the requesting entity as valid X.509 certificates. These signed certificates will then obviously be known to the CA.

You will see that X.509 certificates and requests can be stored on your hard drive in three different formats, usually identified by their extensions. PEM format is the default for OpenSSL. It can contain all the information associated with certificates in printable format. DER format contains just the key information and no extra X.509 information. This is the default format for most browsers. PEM format wraps headers around DER format keys. PKCS#12, PFX or P12 certificates contain the same information as PEM files in binary format. Using the openssl command, PEM and PKCS#12 files can be transformed into each other's format.

To use a certificate, you must import it into the other side's CA, too. The IPSec implementation on Endian Firewall contains its own built-in CA. CAs may run on roadwarriors' machines too. If the roadwarrior's IPSec implementation does not have CA capabilities, you can generate a certificate request and import it into EFW so that EFW's CA can sign it. Then you have to export the resulting certificate and import it into the originating roadwarrior's IPSec software.

Global Settings

Figure 8.20. VPN global settings

Enter the VPN server details, either its fully qualified domain name or the public IP address of the RED interface. If you are using a dynamic DNS service, you should use your dynamic DNS name here.

VPNs and Dynamic DNS
If your ISP changes your IP address, be aware that Net-to-Net VPNs may have to be restarted from both ends of the tunnel. Roadwarriors will also have to restart their connections in this case.

Enable the VPN on Endian Firewall by selecting Local VPN Hostname/IP and clicking on the Save button. The VPN on Blue option will only be visible if you have configured a BLUE network interface card. To enable a VPN over your BLUE wireless connection click on the VPN on BLUE Enabled check box and then click on the Save button.

Connection Status and Control

Figure 8.21. VPN connection status and control window: initial view

This box lists each configured connection and its status. For each connection you will see the following information:

Name
The name of the respective connection.

Type
The connection type (Net-to-Net or Net-to-Host) with its authentication type.

Common Name
This field is filled only if certificate authentication is used. It contains the value which has been inserted into the remote certificate as common name. Normally this is the hostname of the remote host.

Remark
A short remark to make it easier to identify the connection.

Status
Shows the status of the respective connection. The following values are possible:
CLOSED: the connection is closed.
OPEN: the connection is established.

The next items symbolise the actions you can perform for each respective connection:

Restart icon
By clicking on this icon the connection will be restarted. Use this on both sides if your IP address changes, for example.

Enabled checkbox
To enable or disable a connection, click on the Enabled icon for the particular entry you want to enable or disable. The icon changes to an empty box when a connection is disabled. Click on the checkbox to enable it again.

Pencil icon
Click on this icon if you want to edit that particular connection entry.

Trash can icon
By clicking on this icon the connection will be removed.

Warning
The administration interface does not ask you if you really want to remove the connection!

To create a VPN connection use the Add button. The VPN connection page will appear (see the section called Connection Type).

Certificate Authorities

This part is needed to create or import Root CA Certificates. The box shows two specially marked lines with information about the existing certificates. If you already created or imported the certificates you will see the lines filled with information. On the right you will find two symbols in the Actions column. By clicking the blue information icon you will load a page with the certificate printed out as plain text and as ASCII armored output.

Example 8.3. Example plain text certificate output.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=AF, O=endian, CN=endian CA
            Validity
                Not Before: Apr 30 16:21:28 2006 GMT
                Not After : Mar 11 06:56:08 2022 GMT
            Subject: C=AF, O=endian, CN=endian CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:c2:9f:79:09:84:88:6e:8f:9f:be:50:36:62:2e:
                        25:63:ac:1d:e4:ff:7e:b1:f0:f1:42:c8:a0:a6:33:
                        32:43:56:d0:5a:e1:77:14:ec:ba:f8:44:22:e9:aa:
                        e8:70:19:e1:38:50:28:56:48:a8:7f:a7:eb:0e:a8:
                        27:9a:ba:a4:0a:fb:59:7f:1f:4c:d4:20:78:05:2e:
                        06:2a:5c:f2:6f:70:ee:c2:d2:3b:34:35:80:e8:da:
                        dc:c8:32:34:95:cb:f0:0a:75:04:f6:0b:26:d6:9b:
                        ab:0e:01:60:f0:fe:2a:a6:40:e6:a7:47:e2:71:11:
                        25:71:c4:03:99:d8:fd:07:00:7e:e6:28:12:97:29:
                        3f:ad:68:54:01:8d:ed:26:97:c9:85:8c:32:bf:0b:
                        58:82:2e:38:71:26:58:3c:75:96:27:df:4b:35:0d:
                        f5:aa:c5:5a:e7:f1:73:a1:f0:5e:a2:ab:4b:3f:a7:
                        60:6f:36:55:d6:c5:76:71:23:b6:9b:44:b3:2c:bf:
                        83:b3:cc:17:05:7d:0a:ea:1e:83:28:91:8a:79:6b:
                        ec:45:65:c5:40:cd:e5:43:ec:72:77:74:6c:28:31:
                        fa:b1:49:e8:41:94:93:93:8a:57:14:88:e2:b0:e1:
                        3d:d2:7c:a2:ce:35:85:cc:7b:c9:37:61:47:1d:85:
                        db:d1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    C7:EE:A4:68:68:A7:A9:4B:1E:95:09:66:84:50:94:0F:7A:FA:B4:62
                X509v3 Authority Key Identifier:
                    keyid:C7:EE:A4:68:68:A7:A9:4B:1E:95:09:66:84:50:94:0F:7A:FA:B4:62
                    DirName:/C=AF/O=endian/CN=endian CA
                    serial:00
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: md5WithRSAEncryption
            35:a7:2e:5d:66:ef:23:37:36:fe:3a:18:4f:3b:1f:e0:76:bd:
            07:85:6b:06:33:f5:56:15:6b:3b:08:81:0a:5a:f6:32:bb:e1:
            3a:c6:76:94:ac:09:30:6c:82:32:6d:a0:dd:14:a4:5a:27:57:
            6b:86:81:ec:c9:bb:78:cc:79:8b:db:4a:71:8f:94:f8:59:c5:
            8a:a6:f4:9c:c6:c5:8b:24:5d:cd:a8:c6:f1:15:ed:1a:d9:49:
            56:6c:08:9b:8e:d0:08:85:ca:3e:d9:27:70:e2:d4:53:4a:89:
            ce:79:47:c0:2a:7f:96:fc:87:20:11:86:c4:bd:72:a0:f3:50:
            89:d3:a8:3d:0d:90:1e:67:8e:15:02:7b:a4:46:46:20:8c:eb:
            25:cf:d5:1b:25:98:2c:9c:38:90:68:e1:d2:b1:3c:d1:ea:24:
            f9:c0:6b:0d:38:d1:65:73:94:30:9b:a5:ce:d9:c5:86:ca:79:
            b2:bd:9f:82:1a:37:3b:54:2b:72:b5:55:44:ff:ec:f0:f7:6c:
            50:c2:ca:35:f5:86:a3:41:70:46:df:06:ce:5e:3f:07:fa:79:
            a9:01:be:f9:21:ff:a7:e2:bc:ad:9f:a7:04:36:67:ff:19:32:
            e7:47:c7:eb:3e:2d:73:22:31:0c:4d:07:c0:7a:f8:3d:81:e2:
            da:68:1c:48

The blue diskette icon allows you to download the certificate as a PEM encoded file, which you can then import on other devices.

Example 8.4. Example content of an exported CA.

    -----BEGIN CERTIFICATE-----
    MIIDbDCCAlSgAwIBAgIBADANBgkqhkiG9w0BAQQFADAyMQswCQYDVQQGEwJBRjEP
    MA0GA1UEChMGZW5kaWFuMRIwEAYDVQQDEwllbmRpYW4gQ0EwHhcNMDYwNDMwMTYy
    MTI4WhcNMjIwMzExMDY1NjA4WjAyMQswCQYDVQQGEwJBRjEPMA0GA1UEChMGZW5k
    aWFuMRIwEAYDVQQDEwllbmRpYW4gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    ggEKAoIBAQDCn3kJhIhuj5++UDZiLiVjrB3k/36x8PFCyKCmMzJDVtBa4XcU7Lr4
    RCLpquhwGeE4UChWSKh/p+sOqCeauqQK+1l/H0zUIHgFLgYqXPJvcO7C0js0NYDo
    2tzIMjSVy/AKdQT2CybWm6sOAWDw/iqmQOanR+JxESVxxAOZ2P0HAH7mKBKXKT+t
    aFQBje0ml8mFjDK/C1iCLjhxJlg8dZYn30s1DfWqxVrn8XOh8F6iq0s/p2BvNlXW
    xXZxI7abRLMsv4OzzBcFfQrqHoMokYp5a+xFZcVAzeVD7HJ3dGwoMfqxSehBlJOT
    ilcUiOKw4T3SfKLONYXMe8k3YUcdhdvRAgMBAAGjgYwwgYkwHQYDVR0OBBYEFMfu
    pGhop6lLHpUJZoRQlA96+rRiMFoGA1UdIwRTMFGAFMfupGhop6lLHpUJZoRQlA96
    +rRioTakNDAyMQswCQYDVQQGEwJBRjEPMA0GA1UEChMGZW5kaWFuMRIwEAYDVQQD
    EwllbmRpYW4gQ0GCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOCAQEA
    NacuXWbvIzc2/joYTzsf4Ha9B4VrBjP1VhVrOwiBClr2MrvhOsZ2lKwJMGyCMm2g
    3RSkWidXa4aB7Mm7eMx5i9tKcY+U+FnFiqb0nMbFiyRdzajG8RXtGtlJVmwIm47Q
    CIXKPtkncOLUU0qJznlHwCp/lvyHIBGGxL1yoPNQidOoPQ2QHmeOFQJ7pEZGIIzr
    Jc/VGyWYLJw4kGjh0rE80eok+cBrDTjRZXOUMJulztnFhsp5sr2fgho3O1QrcrVV
    RP/s8PdsUMLKNfWGo0FwRt8Gzl4/B/p5qQG++SH/p+K8rZ+nBDZn/xky50fH6z4t
    cyIxDE0HwHr4PYHi2mgcSA==
    -----END CERTIFICATE-----

Generate Root/Host Certificates

Figure 8.22. VPN certificate authorities window: initial view
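The PEM armour described under X.509 Terminology is nothing more than base64 over the DER bytes, so the exported CA of Example 8.4 above can be inspected without OpenSSL. The following Python script is an added example, not part of the manual or of Endian Firewall: it strips the armour, walks the DER structure as far as the validity period and reports whether a given clock falls inside it, which is the check behind the manual's repeated advice that the clocks on both ends of a tunnel must be correct before a VPN is configured. The certificate embedded in it is the manual's own sample CA from Example 8.4, reassembled into 64-column lines; it parses only as far as the validity field and does not verify the signature.

```python
import base64
import re
from datetime import datetime, timezone

# The sample CA from Example 8.4 of the manual, reassembled into 64-column lines.
ENDIAN_SAMPLE_CA_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDbDCCAlSgAwIBAgIBADANBgkqhkiG9w0BAQQFADAyMQswCQYDVQQGEwJBRjEP
MA0GA1UEChMGZW5kaWFuMRIwEAYDVQQDEwllbmRpYW4gQ0EwHhcNMDYwNDMwMTYy
MTI4WhcNMjIwMzExMDY1NjA4WjAyMQswCQYDVQQGEwJBRjEPMA0GA1UEChMGZW5k
aWFuMRIwEAYDVQQDEwllbmRpYW4gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDCn3kJhIhuj5++UDZiLiVjrB3k/36x8PFCyKCmMzJDVtBa4XcU7Lr4
RCLpquhwGeE4UChWSKh/p+sOqCeauqQK+1l/H0zUIHgFLgYqXPJvcO7C0js0NYDo
2tzIMjSVy/AKdQT2CybWm6sOAWDw/iqmQOanR+JxESVxxAOZ2P0HAH7mKBKXKT+t
aFQBje0ml8mFjDK/C1iCLjhxJlg8dZYn30s1DfWqxVrn8XOh8F6iq0s/p2BvNlXW
xXZxI7abRLMsv4OzzBcFfQrqHoMokYp5a+xFZcVAzeVD7HJ3dGwoMfqxSehBlJOT
ilcUiOKw4T3SfKLONYXMe8k3YUcdhdvRAgMBAAGjgYwwgYkwHQYDVR0OBBYEFMfu
pGhop6lLHpUJZoRQlA96+rRiMFoGA1UdIwRTMFGAFMfupGhop6lLHpUJZoRQlA96
+rRioTakNDAyMQswCQYDVQQGEwJBRjEPMA0GA1UEChMGZW5kaWFuMRIwEAYDVQQD
EwllbmRpYW4gQ0GCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOCAQEA
NacuXWbvIzc2/joYTzsf4Ha9B4VrBjP1VhVrOwiBClr2MrvhOsZ2lKwJMGyCMm2g
3RSkWidXa4aB7Mm7eMx5i9tKcY+U+FnFiqb0nMbFiyRdzajG8RXtGtlJVmwIm47Q
CIXKPtkncOLUU0qJznlHwCp/lvyHIBGGxL1yoPNQidOoPQ2QHmeOFQJ7pEZGIIzr
Jc/VGyWYLJw4kGjh0rE80eok+cBrDTjRZXOUMJulztnFhsp5sr2fgho3O1QrcrVV
RP/s8PdsUMLKNfWGo0FwRt8Gzl4/B/p5qQG++SH/p+K8rZ+nBDZn/xky50fH6z4t
cyIxDE0HwHr4PYHi2mgcSA==
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """PEM is DER wrapped in base64 between a header and a footer line."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    """The reverse: base64 in 64-column lines with the armour lines around it."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                 # long form: the next N bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certificate_fields(der):
    """Walk Certificate -> tbsCertificate as far as the validity period.
    Returns (serial, notBefore, notAfter)."""
    tag, pos, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Certificate SEQUENCE")
    _, pos, _ = read_tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, e = read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        pos = e
    _, s, e = read_tlv(der, pos)          # serialNumber INTEGER
    serial = int.from_bytes(der[s:e], "big", signed=True)
    _, _, pos = read_tlv(der, e)          # signature AlgorithmIdentifier (skipped)
    _, _, pos = read_tlv(der, pos)        # issuer Name (skipped)
    _, s, _ = read_tlv(der, pos)          # validity SEQUENCE { notBefore, notAfter }
    tag_nb, nb_s, nb_e = read_tlv(der, s)
    tag_na, na_s, na_e = read_tlv(der, nb_e)
    return serial, parse_time(tag_nb, der[nb_s:nb_e]), parse_time(tag_na, der[na_s:na_e])


def clock_check(pem, now_iso):
    """'valid', 'not yet valid' or 'expired' for a UTC clock given as ISO 8601
    (e.g. '2006-05-01T12:00:00Z'). A wrong clock on either VPN end turns a good
    CA into one of the two failure cases."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    _, not_before, not_after = certificate_fields(pem_to_der(pem))
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    der = pem_to_der(ENDIAN_SAMPLE_CA_PEM)
    serial, nb, na = certificate_fields(der)
    print(len(der), "DER bytes; serial", serial, "valid from", nb, "to", na)
    print(clock_check(ENDIAN_SAMPLE_CA_PEM, "2006-01-01T00:00:00Z"))
```

The values the script recovers (serial 0, validity from Apr 30 16:21:28 2006 to Mar 11 06:56:08 2022) are the ones printed in Example 8.3, and a clock set to anything before the Not Before date is exactly the situation in which a freshly generated CA is rejected by the peer.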

To create an EFW Certificate Authority or CA, enter your CA's name in the CA Name box. The name should be different from the Endian Firewall machine's host name to avoid confusion. For example, efwa for the CA and efw for the hostname. Then click on the Generate Root/Host Certificates button. The Generate Root/Host Certificates page will appear. Fill out the form and both an X.509 root and host certificate will be generated. The following describes the items in the form:

Organization Name
The organization name you want to use in the certificate. For example, if your VPN is tying together schools in a school district, you may want to use something like Some School District.

Endian Firewall's Hostname
This should be the fully qualified domain name of your Endian Firewall. If you are using a dynamic DNS service (see the section called Dynamic DNS Administrative Web Page), use it.

Your E-mail Address
Your E-mail address, so that folks can get hold of you.

Your Department
This is the department or suborganization name. Continuing the school district example, this could be XX Elementary School. This is optional.

City
The city or mailing address for your machine. This is optional.

State or Province
The state or province associated with the mailing address.

Country
This pull down selection menu contains every ISO recognized country name. Use it to select the country associated with the certificate.

After completing the form, click on the Generate Root/Host Certificates button to generate the certificates. If desired, you can generate several root and host certificates on a single Endian Firewall, and then export them to PKCS12 format files, encrypted with a password. You can then email them as attachments to your other sites. Using the Upload PKCS12 file portion of this web page, you can upload and decrypt the certificates on a local Endian Firewall machine. You generate the PKCS12 file on the remote Endian Firewall which owns the CA by creating the connection which is intended for the tunnel to your local Firewall, as described in the section called Host-to-Net Connection, later in this document. If you select Generate a certificate on the remote side as described in the section called Authentication, it will create the file you need here.

Upload a CA certificate

If you have already created a CA certificate on another machine, you can simply upload the certificate file in order to give the local Endian Firewall the chance to verify remote certificates. Simply push the Browse button and choose the CA certificate file. Then finally push the Upload CA Certificate button. Thereafter the CA will be visible within the box above.

Reset configuration

By pressing the Reset button on the front page you will delete the entire VPN configuration from Endian Firewall. This could be necessary for example if you need to remove the CA because you want to create a new one.

Warning
This removes the entire IPSec configuration including Certificates, Keys and Connection configurations.

Add a new connection

Once you have pushed the Add button, a page will appear which asks you for the desired connection type. The following describes the further procedure.

Connection Type

Figure 8.23. VPN connection type selection

Select either Host-to-Net (Roadwarrior) for mobile users who need access to the GREEN network, or Net-to-Net to grant users on another network access to your GREEN network and to allow users on your GREEN network to access the other network. Choose the connection type you want to create and click on the Add button. The next web page that appears contains two sections. The Connection section will differ depending on the connection type you are adding. The Authentication section will be the same.

Host-to-Net Connection

Figure 8.24. VPN Host-to-Net connection input

The following describes each field of the connection configuration box if you selected Host-to-Net connection:

Name
Choose a simple name (lower case only, no spaces) to identify this connection.

Interface
Select the Endian Firewall network interface the roadwarrior will be connecting on, either RED or BLUE. Selecting the RED interface will allow the roadwarrior to connect from the Internet. Selecting the BLUE interface will allow the roadwarrior to connect to the GREEN network from a local wireless network.

Local Subnet
Defaults to your GREEN network. If desired, you can create a subnet of your GREEN network to limit roadwarrior access to your GREEN network. Example for this field: 10.1.1.0/255.255.255.0.

Remark
Allows you to add an optional remark that will appear in the Endian Firewall VPN's connection window for this connection.

Enabled
Click on the Enabled check box to enable this connection.

Edit advanced settings when done
Click on the Edit advanced settings when done check box if you need to modify EFW's default settings for IPSec.

Net-to-Net Connection

Figure 8.25. VPN Net-to-Net connection input

Note on IPSec Terminology
IPSec uses the terms right and left for the two sides of a connection or tunnel. These terms have no real meaning. IPSec will orient itself based on network addresses and routes. Once it determines which network connection, left or right, to use to get to the other side of a connection, all other right or left parameters follow. Many folks use left for the local side of a connection and right for the remote side. This is not necessary. It is best to think of the terms as side 1 and side A of an old LP record.

The following describes each field of the connection configuration box if you selected Net-to-Net connection:

Name
Choose a simple name (lower case only with no spaces) to identify this connection.

Endian Firewall side
Choose a side for this Endian Firewall, right or left, that will be used in the IPSec config files to identify this Endian Firewall's side of the connection on this machine. The side is a symbolic identification for one side of the VPN tunnel. You are free to choose a side for the local end of the VPN tunnel as long as you use the same side to identify the local firewall in the remote machine's configuration.

Local Subnet
Defaults to your GREEN network. If desired, you can create a subnet of your GREEN network to limit roadwarrior access to your GREEN network. Example for this field: 10.1.1.0/255.255.255.0.

Remote Host/IP
Enter the static Internet IP address of the remote network's IPSec server. You can also enter the fully qualified domain name of the remote server. If the remote server is using a dynamic DNS service, you may have to restart the VPN if its IP address changes.

Remote subnet
Enter the remote network's network address and subnet mask in the same format as the Local Subnet field. This network must be different from the Local Subnet, since IPSec sets up routing table entries to send IP packets to the correct remote network.

Remark
Allows you to add an optional remark that will appear in the Endian Firewall VPN's connection window for this connection.

Enabled
Click on the Enabled check box to enable this connection.

Edit advanced settings when done
Click on the Edit advanced settings when done check box if you need to modify EFW's default settings for IPSec.

Authentication

The second section of the web page deals with authentication. In other words, this is how this Endian Firewall will make sure the tunnel established by both sides of the interface is talking to its opposite number. Endian Firewall has made every effort to support both PSKs and X.509 certificates.

Figure 8.26. VPN authentication input

There are four mutually exclusive choices that can be used to authenticate a connection:

Use a Pre-Shared Key
Enter a pass phrase to be used to authenticate the other side of the tunnel. Choose this if you wish a simple Net-to-Net VPN. You can also use PSKs while experimenting in setting up a VPN. Do not use PSKs to authenticate tunnels to roadwarriors.

Upload certificate request
Some roadwarrior IPSec implementations do not have their own CA. If they wish to use IPSec's built-in CA, they can generate a so-called certificate request. This is a partial X.509 certificate that must be signed by a CA to be a complete certificate. During certificate request upload, the request is signed and the new certificate will become available on the VPN's main web page.

Upload a certificate
In this case, the peer IPSec has a CA available for use. Both the peer's CA certificate and host certificate must be uploaded.

Generate a certificate
In this case, the IPSec peer will be able to provide an X.509 certificate, but lacks the capacity to even generate a certificate request. In this case, complete the required fields. Optional fields are indicated by red dots. If this certificate is for a Net-to-Net connection, the User's Full Name or System Hostname field may have to be the Internet fully qualified domain name of the peer. The optional organization name is meant to isolate different portions of an organization from access to EFW's full GREEN network by subnetting the Local Subnet in the connection definition portion of this web page. The PKCS12 File Password fields ensure that the host certificates generated cannot be intercepted and compromised while being transmitted to the IPSec peer.

This page was last modified on: $Date: 2006-11-22 23:32:04 +0100 (Wed, 22 Nov 2006) $.

Chapter 9. Logs

Table of Contents
Introduction
Log Settings Administrative Web Page
Log Summary Page
Proxy Logs Page
Firewall Logs Page
Intrusion Detection System Log Page
Content Filter Logs Page
OpenVPN Logs Page
System Log Page
SMTP Log Page
Clamav Log Page
SIProxy log page
Proxy Analysis Report

Introduction

Figure 9.1. Logs menu selected

The Logs administration page consists of these sub-pages:

Log Summary
Log Settings
Proxy Logs
Firewall Logs
IDS Logs
Content Filter Logs
Openvpn Log
System Logs
SMTP Log
ClamAV Log
SIProxy log viewer
Proxy Analysis Report (new in version 2.1)

The log viewer pages share a common set of interface features to select the log information to be displayed and to export that information to your local machine. By default the log viewer always shows you the most recent log lines as they appear in the log files. The information is shown as a list (usually labeled log) of all log entries in the main section of the window. If that list is too long to fit into a reasonably sized window, only the latest log entries are displayed. In that situation, the Older and Newer links at the top and bottom of this section of the window become active and you may use these to page through the list of log data.

Since the amount of data created by the log files can become very large, log files are rotated weekly in order to keep the current file small. During a rotation the log file will be moved away and compressed in order to save disk space, and a new one will be created. Therefore you will have a log file for each week, and each log file may contain more or less data than the last one. The archived log files will remain on the disk for 52 weeks, after which they will be deleted. The log viewer enables you to navigate through the entire amount of log lines. If you reach the end of one file the next file will be used automatically. In order to know where exactly you stand within the log lines, the following informational line is displayed:

    Total number of lines matching selected criteria: 1054 - File: 1/14 Offset: 1/8

As the line says, the first number shows you the total number of lines which match the selected criteria. The matching lines may be spread over several log files, so in some situations you need to page back even though there would have been enough space to fit all lines on the page. The numbers after the label File inform you about the log file you are currently viewing and the total number of archived and not archived log files for the current service. The numbers after the label Offset show you the current position within the log file. The first number informs about the page number you are currently displaying, while the second stands for the total number of pages which the current log file contains.

Figure 9.2. Generic navigation items

The following describes the common interface elements which you can use to affect the displayed log lines:

Filter
The Filter edit field lets you define a search term which will be searched for in the log files. The viewer then displays only those lines which contain the search term. This field also accepts Perl compatible regular expressions. After you have changed the value in this field you need to press the Update button in order to reflect the changes in the log viewer output.

Older
This button allows you to chronologically jump back within the log entries. The button will disappear if there are no older log entries.

Newer
This button allows you to chronologically jump forward within the log entries. The button will disappear if there are no newer log entries.

Jump to offset
Instead of pushing the Older or Newer buttons as often as needed to reach a desired page, you can simply jump directly to a specific page if you know the exact position. You can certainly also jump to an estimated position and then use the Older/Newer buttons to reach the desired position.

Jump to file
Enables you to directly jump to a specific archived file. Pressing the Older button again and again lets you jump back page by page. If you have reached the last page of the current file, the next older log file will be opened if you push the Older button again. Using Jump to file is just a faster way to reach a desired place within the whole amount of data.

Export
Pressing the Export button downloads a text-format file (log.dat), containing the information from the current Logs page, from the Endian Firewall to your computer. Depending on how your computer is set up, pressing the Export button will initiate a file download dialogue on your computer, show the contents of log.dat in your web browser window, or open the file in a text editor. In the latter cases, you can save log.dat as a text-format file if required.

Log Settings Administrative Web Page

In this section you can configure some useful options. The page is divided into four sections. Each of them is described below:

Log viewing options

Figure 9.3. Configuration of log viewer

Lets you influence the output of the log lines:

Number of lines to display
Specifies how many log lines you want the log viewer to display on one page.

Sort in reverse chronological order
Tick this on if you'd like the log viewer to display chronologically newer log lines first.

Log summaries

Figure 9.4. Configuration of log summaries

This lets you configure the summary page, which will be described later in this document:

Log summaries for xxx days
Lets you define for how many days you would like to keep the daily summaries on disk.

Detail level
Lets you decide the detail level of the log summary. You can choose from the following possibilities: Low, Medium, High. Depending on this setting the summary will provide you with less, more or much more information.

Remote logging

Figure 9.5. Configuration of remote logging

It is possible to let Endian Firewall write all its log files to a remote syslog server as well. This is very useful if you would like to have all the logs of your company on one centralized log server, and it is useful for example to have access to log files in case of a fatal disaster. In order to enable remote logging you need to provide the hostname or IP address of the remote syslog server in the text field labeled Syslog server and then tick on the checkbox Enabled. Endian Firewall will then log both to the remote syslog server and to the local log files.

Note
Currently not every service is able to use syslog. Therefore some can only write to log files and cannot log to a remote syslog server. Services which currently cannot use syslog are: all sorts of HTTP services (administration web server, HTTP proxy, HTTP content filter, HAVP), FTP proxy, IDS (snort).

Firewall logging

Figure 9.6. Configuration of firewall logging

Usually, if Endian Firewall has a public IP address and is therefore the door to the outside, a great many packets are blocked by the firewall. Not all of these are hostile attempts by attackers, but they are nevertheless logged and create a lot of data. Here you can globally configure what you would like to have logged and what not:

Log packets with BAD constellation of TCP flags
TCP allows everybody to set flags in combinations which make no sense at all. Such combinations may confuse firewalls and/or computers in general and allow an attacker to gather more information than you would like to share. Port scanners in particular do this. Endian Firewall blocks such attempts. Tick this on if you want them logged. You will find such attempts in the firewall log as packets which passed the chain BADTCP.

Log portscans
You may enable port scan detection by ticking this checkbox. The port scan detection is performed using the netfilter psd match. You will find the logged port scans in the firewall log as packets which passed the chain PORTSCAN.

Note
Port scans will never be blocked! They will only be logged! If you have not configured any ports to be forwarded, a port scan of an Endian Firewall will not reveal anything of interest to the attacker, since there is nothing open.

Log NEW connections without SYN flag
Packets which are meant to establish a TCP connection must have the SYN flag set. If it is not set, the packet is not sane. Endian Firewall blocks such packets, and you can log the attempts if you tick this checkbox.

Log refused packets
If you tick this on, Endian Firewall logs all connection attempts which it has denied. Since Endian Firewall by default denies all connection attempts and allows only what you have defined, this will certainly lead to a lot of unneeded data, so you may want to toggle this off. It may be useful for finding out which ports you need to open for applications that use ports you don't know.

Log accepted outgoing connections
Tick this on if you would like to globally log all connections which have successfully passed Endian Firewall without being dropped. You can use this to test whether your newly created rules are correct, as it allows you to see the connections made by your applications.

Note

Check your local law! Enabling this may be prohibited by privacy law in most countries! But some countries may require you by law to enable it (for example the anti-terror law in Italy). If you need to enable it, think about backing up your logs, since you will probably also need them after a fatal disaster! Ensure that nobody has access to the backups and log files (privacy law)!

Log Summary Page

In this section you can get an overview of the logs of the selected day.

Figure 9.7. Displays log summaries
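Returning to the firewall logging options above: the guide says the BADTCP chain catches flag combinations that "make no sense" and that a NEW connection must carry SYN, without listing the combinations. The following Python is an added illustration, not Endian Firewall code, of what such a sanity check looks like for a single packet. The combinations it tests (null, xmas, SYN+FIN, SYN+RST, FIN/PSH/URG without ACK) are the ones firewalls commonly treat as bogus; which of them the real BADTCP chain tests is an assumption, as is the constructed conntrack state passed in by the caller.

```python
# Flag bits as laid out in the TCP header (standard RFC 793 values).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}


def flags_from_string(text):
    """'SYN,ACK' -> 0x12; an empty string is a packet with no flags at all."""
    value = 0
    for name in filter(None, (part.strip().upper() for part in text.split(","))):
        value |= FLAG_NAMES[name]
    return value


def bad_flag_combinations(flags):
    """Reasons why a flag combination makes no sense on the wire.

    Assumption: these are the combinations firewalls commonly reject
    (null and xmas scan probes, SYN+FIN, SYN+RST, data flags without ACK);
    the exact tests of the BADTCP chain are not documented in the guide.
    """
    problems = []
    if flags & 0x3F == 0:
        problems.append("no flags set (null scan)")
    if flags & (SYN | FIN) == SYN | FIN:
        problems.append("SYN and FIN together")
    if flags & (SYN | RST) == SYN | RST:
        problems.append("SYN and RST together")
    if flags & (FIN | RST) == FIN | RST:
        problems.append("FIN and RST together")
    if flags & (FIN | PSH | URG) == FIN | PSH | URG:
        problems.append("FIN, PSH and URG together (xmas scan)")
    for bit, name in ((FIN, "FIN"), (PSH, "PSH"), (URG, "URG")):
        if flags & bit and not flags & ACK:
            problems.append(f"{name} without ACK")
    return problems


def check_packet(flags, conntrack_state):
    """What the two logging options would record for one packet.

    conntrack_state is 'NEW' or 'ESTABLISHED' (constructed input; a real
    firewall obtains it from connection tracking).
    """
    bad = bad_flag_combinations(flags)
    new_without_syn = conntrack_state == "NEW" and not flags & SYN
    return {
        "bad_tcp": bad,                      # would appear in the log via chain BADTCP
        "new_without_syn": new_without_syn,  # "Log NEW connections without SYN flag"
        "blocked": bool(bad) or new_without_syn,
    }


# Constructed sample packets: (flags, conntrack state, description)
SAMPLE_PACKETS = [
    ("SYN", "NEW", "normal connection attempt"),
    ("SYN,ACK", "ESTABLISHED", "normal handshake reply"),
    ("ACK", "NEW", "stray ACK with no tracked connection"),
    ("SYN,FIN", "NEW", "contradictory flags"),
    ("", "NEW", "null scan probe"),
    ("FIN,PSH,URG", "NEW", "xmas scan probe"),
]

if __name__ == "__main__":
    for text, state, what in SAMPLE_PACKETS:
        result = check_packet(flags_from_string(text), state)
        print(f"{text or '(none)':12} {state:12} blocked={result['blocked']!s:5} {what}")
```

A stray ACK is blocked only because of its conntrack state, not because of its flags, which is why the guide keeps the two options separate: after a firewall restart, legitimate packets of connections that were open before show up as NEW without SYN, so that log can be noisy without anybody scanning you.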

Note
The summaries are generated daily during the night. Endian Firewall must therefore be up and running over night in order to have the summaries of each day.

Note
In version 2.1 there are four more types of summaries that are not shown on this screenshot, to keep it at a reasonable size. They are:

Clamav
DHCP Server
Kernel
SSHD

Proxy Logs Page

This page lets you see the files that have been cached by the web proxy server of Endian Firewall. The web proxy is inactive after the first installation of EFW, and may be activated (and deactivated) through a specific administration page (Proxy > HTTP > Log settings).

Note
Due to the large amount of information that has to be processed, the Web Proxy page can take an appreciable time to appear after its initial selection or an Update.

There are several controls on this page in addition to the controls described in the introduction section:

Source IP
This dropdown box allows you to selectively look at web proxy activity belonging to individual IP addresses on the local network, or the activity related to ALL machines that have used the proxy.

Ignore filter
This box allows you to type in a regular expression text string to define which file types should be omitted from the web proxy logs. The default string hides image files (.gif, .jpeg, .png & .png), stylesheet files (.css) and JavaScript files (.js).

Enable ignore filter
Tick this on to enable the Ignore filter, or tick it off to disable it.

Restore defaults
This button allows you to restore the factory settings for the above controls and filters.

For this page, the information appearing in the Log: section of the window consists of:

The Time when the file was requested and cached.
The Source IP address of the local system requesting the file.
The Username, if applicable, of the authenticated user who retrieved the file. This shows a dash if users do not need to authenticate in order to access the cache.
The Website - or more precisely the URL - for each of the requested and cached files.

Note
The Website URL entries in these logs are also hyperlinks to the referenced web pages or files.

Firewall Logs Page

This page shows data packets that have been logged by the EFW firewall.

Note

Not all denied packets are hostile attempts by crackers to gain access to your machine. Blocked packets commonly occur for a number of harmless reasons and many can be safely ignored. Among these may be attempted connections to the "ident/auth" port (113), which are blocked by default in Endian Firewall.

The controls on this page are the basic elements that are described in detail in the introduction.

Figure 9.8. Displays firewall log

The Log: section of this page contains an entry for each of the packets that were dropped by the firewall. Included are:

the time of the event
the firewall Chain which was responsible for the log entry
the interface (iface) through which the packet came in
the protocol (Proto) used for that packet
the source IP address
the source port (src port)
the MAC address of the sender

Note
This will be blank if the respective interface does not support MAC addresses, for example all types of PPP connections.

the Destination IP address
the destination port (dst port) to which the client connected

You can obtain information about the listed IP addresses by clicking on an IP address. Endian Firewall performs a DNS lookup and reports any available information about its registration, ownership and geographical position. By clicking on a port number you will get some information about the service which normally uses this port.

Intrusion Detection System Log Page

This page shows incidents detected by the EFW Intrusion Detection System (IDS). The IDS is inactive by default after the installation of Endian Firewall and may be activated (and deactivated) through a specific administration page (Services > Intrusion Detection). The controls on this page are the basic elements that are described in detail in the Introduction section. These logs consist of a number of items for each detected incident:

The Date: and time of the incident.
Name: - a description of the incident.
Priority: (if available). This is the severity of the incident, graded as 1 ("bad"), 2 ("not too bad"), & 3 ("possibly bad").
Type: - a general description of the incident (if available).
IP Info: - the IP identities (address & port) of the source and target involved in the incident. Each IP address is a hyperlink, which you can use to perform a DNS lookup for that IP address and to obtain any available information about its registration and ownership.
References: - hyperlinked URLs to any available source of information for this type of incident.
SID: - the Snort ID number (if available). "Snort" is the software module used by EFW to provide the IDS function, and SID is the ID code used by the Snort module to identify a particular pattern of attack. This parameter is hyperlinked to a web page carrying the relevant entry in the Snort database of intrusion signatures.

Content Filter Logs Page

This page lets you see which pages have been blocked by the HTTP content filter. The content filter is inactive by default after the installation of EFW, and may be activated (and deactivated) through a specific administration page (Proxy > HTTP Proxy) and may be configured in the Proxy > HTTP > Content Filter section.

Note
Due to the large amount of information that has to be processed, the Content Filter page can take a considerable amount of time to load after its initial selection or an Update.

There are several controls on this page in addition to the common controls described at the beginning of this section:

Source IP
This dropdown box allows you to selectively look at web proxy activity related to single IP addresses on the local network, or the activity related to ALL machines that have used the proxy.

Ignore filter
This box allows you to type in a regular expression text string to define which file types should be omitted from the web proxy logs. The default string hides image files (.gif, .jpeg, .png & .png), stylesheet files (.css) and JavaScript files (.js).

Enable ignore filter
Tick this on to enable the Ignore filter, or tick it off to disable it.

Restore defaults
This button allows you to restore the factory settings for this section.

For this page, the information appearing in the Log: section of the window consists of:

The Time the file was requested.
The Source IP address of the local system requesting the file.
The Website - or more precisely the URL - for each requested and cached file.

Note
The Website URL entries in these logs are also hyperlinks to the referenced web pages or files.

The Status - denied. Currently this can only be DENIED, since requests to allowed pages are not logged here (before version 2.1, "blocked" was used instead of "denied").

OpenVPN Logs Page

This page allows you to see the log file of the OpenVPN server and the OpenVPN clients. For this page, the information appearing in the Log: section of the window consists of:

The Time the event happened.
The name of the Tunnel on which the event occurred. This field shows local if the line is related to the local OpenVPN server running on the Endian Firewall.

Example 9.1. Log line of the OpenVPN server

May 16 20:34:03 local TUN/TAP device tap1 opened

If it is related to an OpenVPN client running on the Endian Firewall, this field shows the name of the remote host to which it is connected and the Process ID of the local OpenVPN client process in square brackets.

Example 9.2. Log line of an OpenVPN client

May 11 05:20:03 solaria.endian.it[3827] Initialization Sequence Completed

The data which OpenVPN wants to show you.

This log is very useful for debugging OpenVPN connections which do not work as they are supposed to. Please take a look at the OpenVPN homepage to find more specific information.

System Log Page

Figure 9.9. Display of system logs

This page allows you to view the system and other miscellaneous logs. (See the Introduction on how to use the common controls.) There are eleven different categories, selected via the Section dropdown list:

Endian Firewall (default) - general EFW events like PPP profile saving and connection and disconnection of dialup modem links.
RED - traffic sent over the interface that is providing the PPP interface for EFW. This includes the data strings sent to, and received from, modems and other network interfaces. This can be a very useful resource in troubleshooting "failure to connect" situations.
DNS - shows a log of activity for dnsmasq, the domain name service utility.
DHCP server - shows a log of activity for the DHCP Server function of Endian Firewall.
SSH - provides a record of users who have logged in to, and out of, the Endian Firewall over a network via the SSH interface.
NTP - shows a log of activity for the ntpd Server function.
Cron - provides a record of activity of the cron daemon.
Login/Logout - provides a record of users who have logged in to and out of the Endian Firewall. This includes both local logins and logins over a network via the SSH interface.
Kernel - is a record of kernel activity in the Endian Firewall.
Backup - whenever a backup is created (or attempted), it is logged.
IPSec - is a record of every activity of the VPN software module used by Endian Firewall.

SMTP Log Page

This page shows the log files concerning the processes behind the SMTP proxy, including the postfix Mail Transmission Agent and the content filter amavis. For this page, the information appearing in the Log: section of the window consists of:

The Time the event happened.
The data that the services write to the logfile.

Clamav Log Page

This page shows the log files of the antivirus daemon clamav and the virus signature updater freshclam.

Figure 9.10. Displays clamav log viewer

For this page, the information appearing in the Log: section of the window consists of:

The Time the event happened.
The data that the services write to the logfile.

Clamav itself normally does not have to log very much, since the services that make use of clamav log to their own logfiles if they find a virus. This logfile is useful for seeing information about clamav signature updates. As you can see below, the lines show when the update process started and what was done. On Endian Firewall ClamAV automatically updates every full hour, so you will see these lines appear every hour. The last two lines show the currently installed signature base versions and how many virus signatures they contain.

May 16 08:01:00 freshclam[27206]: Daemon started.
May 16 08:01:00 freshclam[27206]: ClamAV update process started at Tue May 16 08:01:00 2006
May 16 08:01:00 freshclam[27206]: main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
May 16 08:01:00 freshclam[27206]: daily.cvd is up to date (version: 1463, sigs: 4343, f-level: 8, builder: ccordes)

If new signatures are ready to install, they are automatically downloaded and installed, and the ClamAV daemon then automatically reloads its signature database. You will find a log like the one below when this happens:

May 15 13:01:00 freshclam[12157]: Daemon started.
May 15 13:01:00 freshclam[12157]: ClamAV update process started at Tue May 15 13:01:00 2006
May 15 13:01:00 freshclam[12157]: main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
May 15 13:01:08 freshclam[12157]: daily.cvd updated (version: 1463, sigs: 4343, f-level: 8, builder: ccordes)
May 15 13:01:08 freshclam[12157]: Database updated (55549 signatures) from db.local.clamav.net (IP: 213.92.8.5)
May 15 13:01:08 clamd[27017]: SelfCheck: Database modification detected. Forcing reload.
May 15 13:01:08 clamd[27017]: Reading databases from /usr/share/clamav
May 15 13:01:08 freshclam[12157]: Clamd successfully notified about the update.
May 15 13:01:08 clamd[27017]: Database correctly reloaded (55549 viruses)

As the log lines show, after the download of the new signature file daily.cvd the update daemon freshclam notifies the antivirus daemon clamd about the modification, and clamd immediately reloads all its virus signatures.

Note
Each line shows you process information after the timestamp. This is the name of the process and the Process ID in square brackets.

SIProxy log page

This page shows the log files of the SIP proxy siproxd. For this page, the information appearing in the Log: section of the window consists of:

The Time the event happened.
The data that the services write to the logfile.
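The OpenVPN log lines (Examples 9.1 and 9.2) and the ClamAV update log shown above share the same prefix layout the note describes: a timestamp, then a process or tunnel name with an optional Process ID in square brackets. The Python below is an added example, not code from Endian Firewall, that parses that prefix for both pages and then performs the check an administrator actually wants on the freshclam/clamd exchange: that the number of signatures freshclam downloaded equals the sum of the per-database counts and equals the number clamd reports after its reload, and that a download was in fact followed by a reload. The sample lines are the ones printed in the guide; the year passed to the parser is an assumption, because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Log lines as printed in the guide (Examples 9.1/9.2 and the update log).
OPENVPN_LINES = [
    "May 16 20:34:03 local TUN/TAP device tap1 opened",
    "May 11 05:20:03 solaria.endian.it[3827] Initialization Sequence Completed",
]
CLAMAV_UPDATE_LOG = """May 15 13:01:00 freshclam[12157]: Daemon started.
May 15 13:01:00 freshclam[12157]: ClamAV update process started at Tue May 15 13:01:00 2006
May 15 13:01:00 freshclam[12157]: main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
May 15 13:01:08 freshclam[12157]: daily.cvd updated (version: 1463, sigs: 4343, f-level: 8, builder: ccordes)
May 15 13:01:08 freshclam[12157]: Database updated (55549 signatures) from db.local.clamav.net (IP: 213.92.8.5)
May 15 13:01:08 clamd[27017]: SelfCheck: Database modification detected. Forcing reload.
May 15 13:01:08 clamd[27017]: Reading databases from /usr/share/clamav
May 15 13:01:08 freshclam[12157]: Clamd successfully notified about the update.
May 15 13:01:08 clamd[27017]: Database correctly reloaded (55549 viruses)""".splitlines()

# "Mon DD HH:MM:SS name[pid]: message"; the pid and the colon are optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<name>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:? (?P<msg>.*)$")
CVD_RE = re.compile(r"^(?P<file>\S+\.cvd) (?P<state>is up to date|updated) "
                    r"\(version: (?P<ver>\d+), sigs: (?P<sigs>\d+)")
TOTAL_RE = re.compile(r"Database updated \((\d+) signatures\)")
RELOAD_RE = re.compile(r"Database correctly reloaded \((\d+) viruses\)")


def parse_line(line, year=2006):
    """Split one log line into time, process/tunnel name, pid (or None) and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")  # year assumed
    return {"time": when, "name": m["name"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def openvpn_side(entry):
    """'server' for lines of the local OpenVPN server, 'client' for a client tunnel."""
    return "server" if entry["name"] == "local" else "client"


def summarize_update(lines):
    """Reconstruct what freshclam and clamd did from one hour's worth of log lines."""
    summary = {"databases": {}, "updated": [], "downloaded_total": None,
               "clamd_reloaded": None}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        m = CVD_RE.match(entry["msg"])
        if m and entry["name"] == "freshclam":
            summary["databases"][m["file"]] = {"version": int(m["ver"]), "sigs": int(m["sigs"])}
            if m["state"] == "updated":
                summary["updated"].append(m["file"])
        m = TOTAL_RE.search(entry["msg"])
        if m:
            summary["downloaded_total"] = int(m.group(1))
        m = RELOAD_RE.search(entry["msg"])
        if m and entry["name"] == "clamd":
            summary["clamd_reloaded"] = int(m.group(1))
    per_database = sum(d["sigs"] for d in summary["databases"].values())
    summary["consistent"] = (summary["downloaded_total"] is not None
                             and summary["downloaded_total"] == per_database
                             and summary["downloaded_total"] == summary["clamd_reloaded"])
    # A download without a clamd reload means the scanner still runs old signatures.
    summary["reload_missing"] = bool(summary["updated"]) and summary["clamd_reloaded"] is None
    return summary


if __name__ == "__main__":
    for line in OPENVPN_LINES:
        entry = parse_line(line)
        print(openvpn_side(entry), entry["name"], entry["pid"], entry["msg"])
    print(summarize_update(CLAMAV_UPDATE_LOG))
```

For the lines quoted in the guide the check holds: 51206 signatures in main.cvd plus 4343 in daily.cvd are the 55549 that freshclam reports downloaded and that clamd reports reloaded. Run over a day's log, the same function flags the hour in which daily.cvd was updated but no "Database correctly reloaded" line followed.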

Proxy Analysis Report

Figure 9.11. Proxy Analysis Report

This page shows the log files of the Squid Analysis Proxy Generator (SARG). You are presented with two options:

Enable
This turns SARG on if the checkbox is ticked.

Respect your users privacy and anonymize their IP addresses
Tick this on if you want to hide your users' IP addresses.

Note
In some countries it may be illegal to show your users' IP addresses.

On this page you will not find the generic navigation items, as these special logs are shown in a completely new page. By clicking on the Daily/Weekly/Monthly Report links a new page with the respective analysis will pop up.

This page was last modified on: $Date: 2006-11-16 05:15:57 +0100 (Thu, 16 Nov 2006) $.

Chapter 10. Hotspot

Table of Contents

Introduction
Hotspot
Accounts
How to add a new account or edit an existing one
User balance
User connections
Ticket Rates
Add or edit a ticket rate
Statistics
Active Connections
Connection Log
Settings
Dialin
Password

Template Editor
Printout Template
Allowed sites
Client connecting to Endian Hotspot
Login
House guests login
Successful login

Introduction

Figure 10.1. The Endian Hotspot

The Endian Hotspot is a powerful hotspot. It can be used for wireless connections as well as for normal LAN connections. This means you can easily connect a wireless access point to the BLUE interface, or just a normal switch. With Endian Hotspot you can manage users and their allowed access time based on pre-paid or post-paid tickets. It is also possible to specify websites that are available without having to log in.

Note
In order to be able to run the Endian Hotspot you must have the BLUE zone enabled. The IP of the BLUE interface must belong to a C-class network and it must end with a trailing .1, e.g. 192.168.20.1/24. The bridge for the BLUE zone does not support more than one port.

Note
Usually the hotspot is intended for use with wireless networks; however, this is not mandatory. It is also possible to connect a normal switch to the BLUE LAN port. Please note also that there is no wireless access point supplied with Endian Firewall.

Tip
If you are running a Community version of Endian Firewall and are wondering where your Endian Hotspot may be, just upgrade to Endian Firewall Enterprise Edition.

Hotspot

This is the main menu of the Endian Hotspot. Almost all settings are configured in this menu. You have to use this menu if you want to manage accounts, specify ticket rates, modify your settings or have a look at the log files or at the statistics.

Accounts

Figure 10.2. Account management

By clicking on the Accounts link in the submenu of this page you will be presented with a list of all enabled accounts for this hotspot. If you want to show the disabled accounts too, you have to tick the Show disabled users checkbox, which reloads the page and shows both enabled and disabled users. If you want to display only users that match certain search criteria, you can enter your filter in the appropriate text field and then hit Enter. The list itself consists of five columns:

Username
This column displays the username of the user.

Name
This column shows you the real name of the user.

Active
Shows if the user is still active or not - if you did not choose to show disabled users you will see Yes here for every user.

Valid until
Displays the date until which the current user is valid.

Actions
In this column you can find three links for every user. If you want to edit the current user, click on the Edit link. By clicking on the Balance link you will be presented with a page showing the user's credit balance, while by clicking on the Connections link you will see a list of all connections of the current user.

If you want to add a new user you can do this by clicking on the Add new account link on top of the list.

Note
It is not possible to delete users. Disable them instead.

How to add a new account or edit an existing one

Figure 10.3. Add a new account

This is the User Information dialog which is shown if you want to add a new account or edit an existing one (in the latter case, of course, with all the known values already filled in). Most of the fields should be self-explanatory, but we will describe them anyway.

Username
In this field you have to enter the username. This is the only mandatory field.

Password
In this field you can enter the password for the new account. This is shown in plain text. If you do not have the time to think of an adequate password, just leave this field empty and the password will be autogenerated.

Valid until
The date until which the account will be valid. If you want to change it, you can either enter the new date manually or click on the ... button and select the new date from the calendar popup.

Enabled
This checkbox specifies whether the account is enabled or not. If this is ticked on, the account is active. If you want to disable a user, tick this checkbox off.

Title
The user's title. A good example would be Dr.

Firstname
The user's first name.

Lastname
The user's last name.

Language
Here you can select the user's native language, if available. Otherwise English should be a good choice.

City of Birth
The user's city of birth.

Birthdate
Here you can enter the user's birth date.

Document type
This lets you specify the type of document you used to identify the user.

Document issued by
Here you can specify the issuer of the document that was used to identify the user.

Document ID
This field lets you specify the document's identification number.

Save
By hitting this button you save the entered information.

Print
This option is only available when editing an already existing account. By hitting this button a dialog is opened to print the user information.

On the right side of the screen you will notice the Tickets section. If you want to add a new ticket to the user, just select the appropriate ticket type and hit the Add button. Below you will notice a list of all tickets for this user with the following information:

Ticket type
The type of ticket.

Creation date
The date on which this ticket was created.

Action
If the ticket has not been used yet you will be able to Delete it here by clicking on the appropriate link.

Note
If the ticket has already been used, no Delete link will be available.

Note
If a user has both pre-paid and post-paid tickets, when logging in he will automatically use his pre-paid ticket(s) first, and only when those expire will the post-paid ticket be charged. If, however, the user does not have a post-paid ticket and the pre-paid ticket runs out of money, the connection will be stopped.

User balance

Figure 10.4. User balance

The user balance window is split horizontally into two main sections. The bottom section shows a list of all tickets for the current user, containing the following:

Ticket name
This is the name of the ticket type.

Amount
The amount of money that has been used or paid.

Note
If the amount is positive, this represents a payment.

Date / Time
The date and time when the ticket was issued.

Duration
The duration of the session.

Note
Payments do not have a duration.

Traffic
The traffic that has been used during this session.

Note
Payments do not use any traffic.

Processed
Here you can see if this ticket has been processed by ASA.

Note
This feature is only available if ASA is enabled. ASA is a hotel management software written especially for South Tyrolean hotels. We will not go into the details of ASA here.

Retries
This field shows the number of retries when connecting to ASA.

Note
This feature is only available if ASA is enabled. ASA is a hotel management software written especially for South Tyrolean hotels. We will not go into the details of ASA here.

Message
Here you will find the ASA return message, if any.

Note
This feature is only available if ASA is enabled. ASA is a hotel management software written especially for South Tyrolean hotels. We will not go into the details of ASA here.

In the top section of the window you can find some more information, split into 3 parts. In the left part you will find some information about the user: the name as well as the username, the city of birth, the birthdate, the document identification number and the issuing party of the document. The central part contains information about the Account balance. The available surf time comes first, followed by the used surf time. In the third line you can see the amount of money that this user has already paid - this is displayed in the currency you set on the settings page. The fourth line shows how much of this money has been spent so far. Finally, the last line shows the amount of money that is still due. This bigger box is displayed in green if everything has already been paid. In the Payment column on the right you can either see a message that everything has already been paid, or you can choose the amount of money the user wants to pay and bill that amount by clicking on the Bill button.

User connections

Figure 10.5. User connections

In this window you can see all the connections of the user you specified. The window is split into two parts - at the top you can see the user information, while the bottom part shows all the data regarding the connections. The list with all the connections has six columns:

Username
The username of this user.

IP address
The IP address the user had during the respective connection.

MAC address
The MAC address from which the user was connecting.

Connection start
The start time and date of the connection.

Connection stop
The time and date when the connection was stopped.

Duration
How long this connection lasted.

Ticket Rates

Endian Firewall gives you the possibility to specify more than one ticket rate. You can even specify whether you want a rate to be post-paid or pre-paid, and you can create different rates for both types. This is mostly useful if you want to sell different pre-paid types, e.g. 4 pre-paid 15 minute tickets should be more expensive than 1 pre-paid 1 hour ticket.

Figure 10.6. Ticket Rates

In this list you can see the different ticket rates; the columns are:

Name
The name you gave to the ticket rate.

Code
This is the ASA code for your ticket rate. Although this is used only by the ASA hotel management system, the field is mandatory.

Hourly price
This is the hourly price you specified.

Actions
Here you can choose to Edit or Delete a ticket rate by clicking on the respective link.

Add or edit a ticket rate

Figure 10.7. Add or edit a ticket rate

There are four configuration options for every ticket rate:

Name
The name you want for this ticket rate.

Code
This is useful only for the ASA hotel management.

Note
This field is mandatory nevertheless.

Unit Length
This option lets you specify how long one unit of this ticket rate lasts. The available options are:

15 minutes
30 minutes
45 minutes
1 hour
2 hours
3 hours
postpaid

While the first 6 entries show the amount of time that has to be paid in advance (pre-paid), a postpaid unit is paid after the user has used the hotspot and therefore does not limit the user a priori.

Hourly Price
Here you can specify the hourly price for the current ticket rate. This is useful if, e.g., you want the hourly price for 3 hours to be cheaper than the hourly price for 15 minutes. The following example shows how to set hourly prices. The amount after the unit length is the money you will get when selling a ticket of this rate.

Example 10.1. Specifying hourly prices

15 minutes: 3 Euro => hourly price has to be set to 12 Euro.
3 hours: 21 Euro => hourly price has to be set to 7 Euro.

Save

By hitting this button you save the ticket rate.

Statistics

Figure 10.8. Statistics
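The ticket rate section above leaves two things implicit: how the Hourly Price relates to the money a unit earns (Example 10.1), and how the note in the Accounts section about pre-paid tickets being consumed before the post-paid one plays out over a session. The following Python model is an added example, written for this guide and not Endian code; it reproduces the two rates of Example 10.1 exactly and adds a constructed post-paid rate of 5 Euro per hour, which is an assumption. Money is kept as exact fractions so that 15-minute units and hourly prices round-trip without floating-point drift.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional


@dataclass(frozen=True)
class TicketRate:
    """One row of the Ticket Rates page."""
    name: str
    unit_minutes: Optional[int]   # None = postpaid unit, paid after use
    hourly_price: Fraction        # the "Hourly price" column

    def unit_price(self):
        """Money received for one pre-paid unit of this rate."""
        if self.unit_minutes is None:
            raise ValueError("a postpaid rate has no fixed unit price")
        return self.hourly_price * self.unit_minutes / 60


def hourly_price_for(unit_minutes, unit_price):
    """Inverse of unit_price(): the value to enter as Hourly Price for a given unit price."""
    return Fraction(unit_price) * 60 / unit_minutes


@dataclass
class Ticket:
    """A ticket assigned to a user; remaining_minutes applies to pre-paid tickets only."""
    rate: TicketRate
    remaining_minutes: int = 0

    @property
    def prepaid(self):
        return self.rate.unit_minutes is not None


def charge_session(tickets: List[Ticket], wanted_minutes: int):
    """Simulate one hotspot session against the user's tickets.

    Pre-paid tickets are consumed first, in the order given; only when they
    are exhausted is the post-paid ticket charged at its hourly price. With
    no post-paid ticket the session stops when the last pre-paid minute is gone.
    """
    left = wanted_minutes
    charges = []
    for ticket in (t for t in tickets if t.prepaid and t.remaining_minutes > 0):
        if left == 0:
            break
        used = min(left, ticket.remaining_minutes)
        ticket.remaining_minutes -= used
        left -= used
        charges.append((ticket.rate.name, used, Fraction(0)))  # already paid for
    postpaid = next((t for t in tickets if not t.prepaid), None)
    if left and postpaid is not None:
        cost = postpaid.rate.hourly_price * left / 60
        charges.append((postpaid.rate.name, left, cost))
        left = 0
    return {
        "minutes_granted": wanted_minutes - left,
        "stopped_early": left > 0,
        "postpaid_due": sum((c[2] for c in charges), Fraction(0)),
        "charges": charges,
    }


# The two rates of Example 10.1, plus a constructed post-paid rate (assumed price).
RATE_15_MIN = TicketRate("15 minutes", 15, Fraction(12))
RATE_3_HOURS = TicketRate("3 hours", 180, Fraction(7))
RATE_POSTPAID = TicketRate("postpaid", None, Fraction(5))

if __name__ == "__main__":
    print(RATE_15_MIN.unit_price(), RATE_3_HOURS.unit_price())   # 3 and 21 Euro
    guest = [Ticket(RATE_15_MIN, 15), Ticket(RATE_POSTPAID)]
    print(charge_session(guest, 45))      # 15 min pre-paid, 30 min charged post-paid
    walk_in = [Ticket(RATE_15_MIN, 15)]
    print(charge_session(walk_in, 45))    # stopped after 15 minutes
```

The model makes the pricing consequence of Example 10.1 visible: four 15-minute units cost 12 Euro while one 3-hour unit costs 21 Euro, so the per-hour figure entered in the form is what the statistics page later uses to compute the Amount used column.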

On this page you can see an overview of the connections grouped by user, as well as a summary at the bottom of the table. The following columns are displayed:

Username
The name of the user.

Note
The username is a link. By clicking on it you will be redirected to the balance page for that user.

Amount used
Here you can see how much money each user spent while using the hotspot.

Paid
This shows how much has been paid by the user.

Duration
In this column you can see how long the user was connected.

Traffic
This column shows the traffic the user generated during his connection time.

You can choose two different viewing types: Filter Period and Open Accounting Items. When using Filter Period you can set a start and an end date in the From and Until text fields respectively. Alternatively you can use the ... buttons to enter the dates via the calendar popup. When using Open Accounting Items, all still open payments are displayed.

Active Connections

Figure 10.9. Active Connections

On this page you can see all currently active connections on the hotspot. The list contains the following columns:

Username
The username of the user that is connected.

Connection Start
The start date and time of the connection.

Duration
The amount of time the user has already been connected.

IP Address
The IP address that was assigned to the interface which is connected to the hotspot.

MAC Address
The MAC address of the interface that was used to connect to the hotspot.

Action
For every active connection you will see a Close connection link. By clicking on this link you can terminate the respective connection.

Connection Log

Figure 10.10. Connection Log

On this page you can see the connection log. The log is displayed in a table with six columns:

Username
The username of the user.

IP Address
The IP address that was used for the connection.

MAC Address
The MAC address that was used to connect to the Hotspot.

Connection Start
The start date and time of the connection.

Connection Stop
The end date and time of the connection.

Duration
The duration of the connection.

At the top of the page there is an Export as CSV link. Clicking on this link downloads a text file containing the log entries in CSV (comma separated values) format.

Settings

Figure 10.11. Settings

This page consists of two main sections, the Global settings and the ASA jHotel settings. ASA jHotel is a South Tyrolean hotel management platform and is not described here. The Global settings contain three configuration variables:

Homepage after successful login
This homepage is displayed after a successful user login.

Currency
Here you can specify your local currency symbol.

Logout user on Idle-Timeout
After how much idle time a user should be logged out when doing nothing.

Save
Click this button to save your settings.

Dialin

Figure 10.12. Dialin

This page shows the connection status of the Endian Firewall. A description of this status window can be found here.

Password

Figure 10.13. Password

On this page you can set the password for the hotspot user. To do this you have to enter the new password twice, in the Password and Again fields, and then hit the Save button.

Template Editor

Figure 10.14. Template Editor

On this page you can modify the message that is shown to your clients before logging in. Endian Hotspot provides a fully featured graphical user interface to edit this message. To save this message you just have to hit the disk icon in the top-left corner of the editor window. If you want to edit another language, just click on the appropriate flag symbol on the left side of your screen. The page is reloaded with the new language settings - again hit the disk icon to save the text.

Note
You do not necessarily have to enter just plain text. You can format this page however you like, as long as the information that you supply conforms to the laws of your country.

Printout Template

Figure 10.15. Printout template

On this page it is possible to edit the information sheet that will be printed and handed out to a user after he has been registered for the Endian Hotspot. Please note that you have to use placeholders for the information to be complete. Valid placeholders are:

$title - this will be replaced by the user's title.
$firstname - this will be replaced by the user's first name.
$lastname - this will be replaced by the user's last name.
$username - this will be replaced by the user's new username.
$password - this will be replaced by the user's password.

To save your printout sheet, click on the disk icon in the top-left corner of the editor window. You can change this text for all available languages by clicking on the appropriate flag symbol.

Allowed sites

Figure 10.16. Allowed sites

This is the page where you can specify websites, IP addresses and subnets that are accessible without authentication. You just have to add one entry per line. Access is allowed to every page and subnet that is specified here and saved by clicking the Save button.

Client connecting to Endian Hotspot

Now that we have talked about the server side of Endian Hotspot, let's talk about the connection on the client side. What exactly does a user have to do to be able to use Endian Hotspot? Actually it couldn't be any easier...

Figure 10.17. Endian Hotspot Client start page

First of all the client has to use a terminal that is connected to Endian Hotspot. He is presented with a welcome screen showing the content of the page specified in the Template Editor section. By clicking on the appropriate flag symbol the user can choose his language. If ASA is activated, every house guest can log in using the Login for house guests link, found in the menu on the left just above the normal Login link; the normal Login link is the way to go if either ASA is disabled or the user is not a house guest.

Login

Figure 10.18. Normal login

Every normal user can connect to Endian Hotspot by supplying his username and password in this form and then clicking the Login button. After entering a valid username and password a popup appears.

House guests login

Figure 10.19. Login for house guests

If ASA is enabled, every house guest can log in by clicking on Login for house guests and then providing his last name and first name as well as his birthdate, and finally clicking the Send button. Click Close if you want to close the window. After a successful login another popup appears.

Note

Please note that the last name has to be entered in the first text field.

Successful login

Figure 10.20. Successful login

If you see this popup you are successfully logged in. If you are using a pre-paid ticket, the displayed timer is a countdown. If you are using post-paid payment, the timer starts at 00:00:00 and counts upwards.

If you wish to log out you can do this by simply clicking on the Logoff link.

This page was last modified on: $Date: 2006-11-21 09:19:11 +0100 (Tue, 21 Nov 2006) $.

Appendix A. GNU Free Documentation License

Version 1.2, November 2002

Copyright 2000,2001,2002 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Table of Contents
PREAMBLE
APPLICABILITY AND DEFINITIONS
VERBATIM COPYING
COPYING IN QUANTITY
MODIFICATIONS
COMBINING DOCUMENTS
COLLECTIONS OF DOCUMENTS
AGGREGATION WITH INDEPENDENT WORKS
TRANSLATION
TERMINATION
FUTURE REVISIONS OF THIS LICENSE
ADDENDUM: How to use this License for your documents

PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

GNU FDL Modification Conditions

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

C. State on the Title page the name of the publisher of the Modified Version, as the publisher.

D. Preserve all the copyright notices of the Document.

E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

H. Include an unaltered copy of this License.

I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

ADDENDUM: How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Sample Invariant Sections list

Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the "with...Texts." line with this:

Sample Invariant Sections list

with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.