Endian Firewall Reference Manual r. 2.2.0.2

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Chapter 4: The Services Menu

Select Services from the menu bar at the top of the screen.

Endian Firewall can provide a number of useful services that can be configured in this section. In particular, these include services used by the various proxies, such as the ClamAV antivirus.
Intrusion detection, high availability and traffic monitoring can be enabled here as well.
Following is the list of links that appear in the submenu on the left side of the screen:

DHCP server
Dynamic DNS
ClamAV antivirus
Time server
Traffic shaping
Spam Training
Intrusion detection
High availability
Traffic Monitoring

Each link will be explained individually in the following sections.

DHCP server

Select Services from the menu bar at the top of the screen, then select DHCP server from the submenu on the left side of the screen.

The DHCP (Dynamic Host Configuration Protocol) service allows you to control the TCP/IP configuration of all your network devices from Endian Firewall in a centralized way.

When a client (host or other device such as a networked printer, etc.) joins your network it will automatically get a valid IP address from a range of addresses, plus other settings, from the DHCP service. The client must be configured to use DHCP - this is called "automatic network configuration" and is often the factory default setting. You may choose to provide this service to clients on your GREEN zone only, or include devices on the ORANGE (DMZ) or BLUE (WLAN) zone. Just tick the check boxes labeled Enabled accordingly.

Click on the Settings link to define the following DHCP parameters:

Start address / End address - specify the range of addresses to be handed out within the subnet assigned to each zone. If there are some hosts with manually assigned IP addresses or fixed IP addresses (see below), be sure to define a range that does not include those addresses to avoid conflicts. If you intend to use fixed leases only (see below), leave these fields empty.
Default / Max lease time - default / max time in minutes before the IP assignment expires and the client is supposed to issue a new request to the DHCP server.
Domain name suffix - the default domain name suffix passed to the clients. When the client looks up a host name, it will first try to resolve the requested name. If that is not possible, the client will append this domain name suffix and try again.
Example: if the fully qualified domain name of your local file server is earth.example.com and this suffix is "example.com", the clients will be able to resolve the server by the name "earth".
Primary / Secondary DNS - specify the domain name servers (DNS) to be used by your clients. Since Endian Firewall contains a caching DNS server, the default value is the firewall's own GREEN interface address.
Primary / Secondary NTP server - specify the Network Time Protocol (NTP) servers to be used by your clients (to keep synchronized clocks on all clients).
Primary / Secondary WINS server - specify the Windows Internet Name Service (WINS) servers to be used by your clients (for Microsoft Windows networks that use WINS).

Advanced users might wish to add custom configuration lines to dhcpd.conf in the text area below the parameters form. Note that Endian Firewall's interface does not perform any syntax check on these lines: if you make a mistake here, the DHCP server might refuse to start!

Example:
The following extra lines may be used to handle VoIP telephones that need to retrieve their configuration files from an HTTP server at boot time:

    option tftp-server-name "http://$GREEN_ADDRESS";
    option bootfile-name "download/snom/{mac}.html";

Note the use of $GREEN_ADDRESS which is a macro that is replaced with the firewall's own GREEN interface address.

Fixed leases

Sometimes it is necessary that a given device is always assigned the same IP address by the DHCP server. Clicking on the Add a fixed lease link lets you assign static IP addresses to devices identified by their MAC address. Note that this is still different from setting up manual addresses on the devices, since each device will still contact the DHCP server to get its address.

A typical use case is thin clients on your network that boot the operating system image from a network server using PXE (Preboot Execution Environment).

The following parameters can be set to define fixed leases:

MAC address - the client's MAC address
IP address - the IP address always to be assigned to this client
Description - optional description
Next address - the address of the TFTP server (only for thin clients / network boot)
Filename - the boot image file name (only for thin clients / network boot)
Root path - the boot image file's path (only for thin clients / network boot)
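The following shell script is an added example, not Endian's own configuration generator: it renders the Settings form above and one fixed lease as an ISC dhcpd.conf fragment, expands the $GREEN_ADDRESS macro in the custom lines, and, because the web interface does not syntax-check custom lines, runs the fragment through "dhcpd -t" when that binary is available. The GREEN address (192.168.0.1), the subnet, the conversion of the form's minutes to dhcpd's seconds, and the thin client values are assumptions; the option names are ISC dhcpd's.

```shell
#!/bin/sh
# Added example: render the DHCP "Settings" form and one fixed lease as an
# ISC dhcpd.conf fragment, then syntax-check it if dhcpd is installed.
# Not Endian's own code; the addresses and the minutes->seconds conversion
# are assumptions, the option names are ISC dhcpd's.

GREEN_ADDRESS=192.168.0.1           # assumed GREEN interface address
GREEN_NET=192.168.0.0; GREEN_MASK=255.255.255.0

# The form takes lease times in minutes; dhcpd wants seconds.
minutes_to_seconds() { echo $(( $1 * 60 )); }

# Expand the $GREEN_ADDRESS macro of the custom-lines text area
# (assumption: a plain textual substitution).
expand_macros() { sed "s/[$]GREEN_ADDRESS/$GREEN_ADDRESS/g"; }

# render_subnet START END DEFAULT_MIN MAX_MIN DOMAIN DNS1 DNS2 NTP WINS
render_subnet() {
    cat <<EOF
subnet $GREEN_NET netmask $GREEN_MASK {
    range $1 $2;
    default-lease-time $(minutes_to_seconds "$3");
    max-lease-time $(minutes_to_seconds "$4");
    option domain-name "$5";
    option domain-name-servers $6, $7;
    option ntp-servers $8;
    option netbios-name-servers $9;
    option routers $GREEN_ADDRESS;
}
EOF
}

# render_fixed_lease NAME MAC IP [NEXT_SERVER FILENAME ROOT_PATH]
# The last three map to "Next address", "Filename" and "Root path".
render_fixed_lease() {
    printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n' "$1" "$2" "$3"
    [ -n "$4" ] && printf '    next-server %s;\n' "$4"
    [ -n "$5" ] && printf '    filename "%s";\n' "$5"
    [ -n "$6" ] && printf '    option root-path "%s";\n' "$6"
    printf '}\n'
}

# Custom lines from the free-text area (the VoIP example), macro expanded.
render_custom() {
    cat <<'EOF' | expand_macros
option tftp-server-name "http://$GREEN_ADDRESS";
option bootfile-name "download/snom/{mac}.html";
EOF
}

build_config() {
    render_subnet 192.168.0.100 192.168.0.200 60 120 example.com \
        "$GREEN_ADDRESS" 192.168.0.2 "$GREEN_ADDRESS" 192.168.0.10
    render_custom
    # Fixed lease for a PXE thin client; deliberately outside the dynamic range.
    render_fixed_lease thin01 00:11:22:33:44:55 192.168.0.50 \
        192.168.0.20 pxelinux.0 /exports/thin01
}

# Reads a config on stdin. Returns 0 if dhcpd accepts it, 1 on a syntax
# error, 2 if dhcpd is not installed and no check could be made.
check_config() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    if command -v dhcpd >/dev/null 2>&1; then
        if dhcpd -t -cf "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    else
        rc=2
    fi
    rm -f "$tmp"
    return $rc
}

build_config
```

Run it to see the rendered fragment; to check it, pipe the output into check_config (e.g. "build_config | check_config; echo $?") on a host with ISC dhcpd installed. The same "dhcpd -t" check is what you want to run on any hand-written custom lines before pasting them into the text area.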

List of current dynamic leases

The DHCP section ends with a list of currently assigned dynamic IP addresses.

Dynamic DNS

Select Services from the menu bar at the top of the screen, then select Dynamic DNS from the submenu on the left side of the screen.

Dynamic DNS providers such as DynDNS offer a service that allows assigning a globally available domain name even to IP addresses that are changing dynamically such as those offered by residential ADSL connections. For this to work, each time the IP address changes, the update must be actively propagated to the dynamic DNS provider.

Endian Firewall contains a dynamic DNS client for 14 different providers - if enabled, it will automatically connect to the dynamic DNS provider and let it know the new IP address whenever there was a change.

For each account (you might use more than one) click on the Add a host link, then specify the following parameters:

Service - choose the dynamic DNS provider
Behind a proxy - (only applies if you use the no-ip.com service) check this box if your Endian Firewall is separated from the internet by a proxy
Enable wildcards - some dynamic DNS providers allow having all sub domains of your domain point to your IP address, e.g. www.example.dyndns.org and example.dyndns.org will both resolve to the same IP address: by checking this box you enable this feature (if supported by your dynamic DNS provider)
Hostname and Domain - the hostname and domain as registered with your dynamic DNS provider, for instance "example" and "dyndns.org"
Username and Password - as given to you by your dynamic DNS provider
behind Router (NAT) - check this if your Endian Firewall is not directly connected to the internet, i.e. behind another router / gateway: in this case the service at http://checkip.dyndns.org is used to find out what your external IP address is
Enabled - check to enable (default)

Please note that you still have to export a service to the RED zone if you want to be able to use your domain name to connect to your home/office system from the internet. The dynamic DNS provider just does the domain name resolution part for you. Exporting a service typically involves setting up port forwarding (see the "Port forwarding / NAT" section in "The Firewall Menu" chapter).
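The "behind Router (NAT)" case described above can be followed in a small script. What follows is an added example, not Endian's dynamic DNS client: it decides whether RED's own address is usable (public) or whether the address seen from outside must be discovered via checkip.dyndns.org, and it only reports an update when the address actually changed, which is what keeps a client from hammering the provider. The response format ("Current IP Address: x.x.x.x"), the state file location and the use of wget are assumptions; the sample response is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not Endian's dynamic DNS client): pick the address to
# publish and only update when it changed. The checkip response format,
# the state file and the wget call are assumptions of this example.

STATE_FILE=${STATE_FILE:-/tmp/ddns.last}   # assumed: last address reported

# 0 if the IPv4 address is RFC 1918, loopback or link-local, 1 otherwise.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the address from a checkip.dyndns.org style body such as
# "<html>...<body>Current IP Address: 203.0.113.7</body></html>".
parse_checkip() {
    sed -n 's/.*Current IP Address: \([0-9.]*\).*/\1/p' | head -n 1
}

# Fetch the checkip page; CHECKIP_FAKE substitutes a constructed body so the
# example can run without network access.
fetch_checkip() {
    if [ -n "$CHECKIP_FAKE" ]; then
        printf '%s\n' "$CHECKIP_FAKE"
    else
        wget -qO- http://checkip.dyndns.org
    fi
}

# The address to publish: RED's own address when it is public, otherwise
# what the outside world sees (the "behind Router (NAT)" case).
public_address() {
    red=$1
    if is_private_ipv4 "$red"; then
        fetch_checkip | parse_checkip
    else
        printf '%s\n' "$red"
    fi
}

# Prints "update <ip>" when the address differs from the last one reported
# and "unchanged" otherwise; returns 1 when no address could be determined.
# A real client would send the provider's update request instead of printing.
update_if_changed() {
    ip=$(public_address "$1")
    [ -n "$ip" ] || return 1
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$ip" = "$last" ]; then
        echo unchanged
    else
        printf '%s\n' "$ip" > "$STATE_FILE"
        echo "update $ip"
    fi
}
```

Usage: "CHECKIP_FAKE='<html><body>Current IP Address: 203.0.113.7</body></html>' sh ddns.sh" with a final line "update_if_changed 192.168.1.2" prints "update 203.0.113.7" on the first run and "unchanged" on the next. Without CHECKIP_FAKE the real checkip service is queried, which is exactly what the "behind Router (NAT)" option enables.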

ClamAV antivirus

Select Services from the menu bar at the top of the screen, then select ClamAV antivirus from the submenu on the left side of the screen.

The mail proxy (POP and SMTP) and web proxy (HTTP) components of Endian Firewall use the well known ClamAV antivirus service. This section lets you configure how ClamAV should handle archive bombs (see the next paragraph for an explanation) and how often information about new viruses is downloaded ("signature update schedule"). You can also verify the last scheduled update or start an update manually.

Anti archive bomb configuration

Archive bombs are archives that use a number of tricks to load antivirus software to the point that it hogs most of the firewall's resources (a denial of service attack). Tricks include sending small archives made of large files with repeated content that compress well (for example, a file of 1 GB containing only zeros compresses down to about 1 MB using zip), archives that are nested many levels deep (zip files inside zip files), archives that contain large numbers of empty files, and so on.

To avoid these types of attack, ClamAV is preconfigured to not scan archives that have certain attributes, as configured here:

Max. archive size - archives larger than this size in MB are not scanned
Max. nested archives - archives containing archives are not scanned if the nesting exceeds this many levels
Max. files in archive - archives are not scanned if they contain more than this number of files
Max compression ratio - archives that would uncompress to files this many times larger are not scanned; the default is 1000 times larger. Note that normal files typically uncompress to no more than 10 times their compressed size.
Handle bad archives - what should happen to archives that are not scanned because of the above settings: choose between "Do not scan but pass" and "Block as virus"
Block encrypted archives - since it's technically impossible to scan encrypted (password protected) archives, they might constitute a security risk and you might want to block them by checking this box
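To get a feel for the numbers behind the archive bomb settings, the script below is an added example, not ClamAV's or Endian's code: it builds two constructed gzip archives (8 MB of zeros, which compresses roughly 1000:1 and so lands right at the default ratio, and 64 KB of random bytes, which barely compresses), reads each archive's uncompressed size from the gzip trailer without inflating it, and applies the size and ratio thresholds to decide whether the archive would be scanned or treated as a "bad archive". The 10 MB size cap is an assumption; the 1000x ratio is the page's default. Nesting depth and file count are not modelled because a gzip member holds a single file.

```shell
#!/bin/sh
# Added example (not ClamAV's or Endian's code): measure the compression
# ratio of a gzip archive without unpacking it and apply the "archive bomb"
# thresholds from the form. Assumed defaults: 10 MB size cap, 1000x ratio.

MAX_ARCHIVE_MB=${MAX_ARCHIVE_MB:-10}
MAX_RATIO=${MAX_RATIO:-1000}

# Uncompressed size in bytes, taken from the gzip member trailer via
# "gzip -l" (the archive itself is not inflated).
gz_uncompressed_size() {
    gzip -l "$1" | awk 'NR==2 {print $2}'
}

file_size() {
    wc -c < "$1" | tr -d ' '
}

# Integer expansion ratio uncompressed/compressed (rounded down, so an
# incompressible stream reports 0).
compression_ratio() {
    c=$(file_size "$1"); u=$(gz_uncompressed_size "$1")
    [ "$c" -gt 0 ] || return 1
    echo $(( u / c ))
}

# Prints "scan" when the archive is within limits, otherwise the reason it
# would be handled as a bad archive (size first, then ratio).
classify_archive() {
    size_mb=$(( $(file_size "$1") / 1048576 ))
    ratio=$(compression_ratio "$1") || return 1
    if [ "$size_mb" -gt "$MAX_ARCHIVE_MB" ]; then
        echo "bad: size ${size_mb} MB exceeds ${MAX_ARCHIVE_MB} MB"
    elif [ "$ratio" -gt "$MAX_RATIO" ]; then
        echo "bad: ratio ${ratio}x exceeds ${MAX_RATIO}x"
    else
        echo scan
    fi
}

# Constructed inputs in a temporary directory: 8 MB of zeros (a classic
# bomb payload) and 64 KB of random bytes (an ordinary, incompressible file).
make_samples() {
    dir=$(mktemp -d)
    dd if=/dev/zero bs=1048576 count=8 2>/dev/null | gzip -c > "$dir/zeros.gz"
    dd if=/dev/urandom bs=1024 count=64 2>/dev/null | gzip -c > "$dir/random.gz"
    echo "$dir"
}

# Demo: classify both samples, then clean up.
d=$(make_samples)
for f in "$d/zeros.gz" "$d/random.gz"; do
    echo "$f: ratio $(compression_ratio "$f")x -> $(classify_archive "$f")"
done
rm -rf "$d"
```

The zeros archive comes out within a few percent of the 1000x default, which shows how the "Max compression ratio" field is meant to be read: a legitimate archive stays far below 10x, so the default leaves a wide margin while still stopping the crude zero-filled payload. Lowering MAX_RATIO (e.g. "MAX_RATIO=100 sh bomb.sh") makes the sample fail the ratio check while the random file is still scanned.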

ClamAV signature update schedule configuration

Another important aspect of running ClamAV is the antivirus signature updates: information about new viruses needs to be downloaded from a ClamAV server periodically. The configuration pane (top right) lets you choose how often these updates are performed - the default is every hour.
Tip: move the mouse over the question marks to see when exactly the updates are performed in each case - the default is one minute past the full hour.

ClamAV virus signatures

This section shows when the last update happened and what the latest version of ClamAV's antivirus signatures is.

Click on Update signatures now to perform an update immediately (regardless of the schedule) - this might take some time.
There's also a link to ClamAV's online virus database in case you are looking for information about a specific virus.

Time server

Select Services from the menu bar at the top of the screen, then select Time server from the submenu on the left side of the screen.

Endian Firewall keeps the system time synchronized to time server hosts on the internet using the network time protocol (NTP).

A number of time server hosts on the internet are preconfigured and used by the system. Click on Override default NTP servers to specify your own time server hosts. This might be necessary if you're running a setup that doesn't allow Endian Firewall to reach the internet.

Your current time zone setting can also be changed in this section.

The last form in this section allows for immediate, manual update of the system's time. This makes sense if the system clock is way off and you would like to speed up synchronization (since automatic synchronization using time servers is not instant).

Traffic shaping

Select Services from the menu bar at the top of the screen, then select Traffic shaping from the submenu on the left side of the screen.

The purpose of traffic shaping is to prioritize the IP traffic moving through your firewall according to service. A typical application is to prioritize interactive services such as Secure Shell (SSH) or voice over IP (VoIP) with respect to bulk traffic such as downloads.

Traffic shaping per uplink

Click on the icons on the right side of the table to enable or disable traffic shaping on a per-uplink basis. For traffic shaping to work properly it is also very important to specify the actual values for the down and up bandwidth for each uplink: click on the pencil icon (edit), then fill in the down and up bandwidth expressed in kbit per second. Enter the bandwidth the link really delivers rather than the nominal speed: if the configured value is higher than the real one, packets queue up in the modem or router instead of on the firewall, and the firewall cannot prioritize what it does not queue.

Traffic shaping services

Add your traffic shaping rules: click on Create a service to add a new rule, specifying:

Enabled - check to enable (default)
Protocol - whether the service to be prioritized is a TCP or UDP service (example: SSH is a TCP service)
Priority - give a priority: "high", "medium" or "low"
Port - the destination port of the service to be prioritized (example: SSH uses port 22)

Click on Create service to apply and save the new rule.
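To make the meaning of the per-uplink bandwidth and the priority/protocol/port fields concrete, here is an added example of how such rules are commonly expressed with the Linux "tc" tool and an HTB qdisc. It is a generic illustration and not Endian's own shaping implementation, which the page does not describe: the interface name (eth1), the three-class layout, the 40/40/20 percent split of the guaranteed rate and the u32 filters are all assumptions of this example. With DRY_RUN=1 (the default) the commands are printed instead of executed, so the script can be inspected without root privileges.

```shell
#!/bin/sh
# Added example, not Endian's shaping implementation: a generic Linux HTB
# layout with "high"/"medium"/"low" classes on an uplink and u32 filters
# that steer traffic into them by IP protocol and destination port.
# Assumptions: interface name, 40/40/20 % rate split, u32 filters.
# DRY_RUN=1 prints the tc commands; DRY_RUN=0 executes them (needs root).

DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Map the form's priority names to HTB class ids; the lower the HTB prio
# number, the earlier a class is served when spare bandwidth is shared.
class_of_priority() {
    case "$1" in
        high)   echo 1:10 ;;
        medium) echo 1:20 ;;
        low)    echo 1:30 ;;
        *)      return 1 ;;
    esac
}

# shaping_root IFACE UP_KBIT: root qdisc plus one parent and three leaf
# classes. The parent's rate/ceil is the uplink's real upload bandwidth;
# unmatched traffic falls into the "low" class (default 30).
shaping_root() {
    iface=$1; up=$2
    run tc qdisc add dev "$iface" root handle 1: htb default 30
    run tc class add dev "$iface" parent 1: classid 1:1 htb rate "${up}kbit" ceil "${up}kbit"
    run tc class add dev "$iface" parent 1:1 classid 1:10 htb rate "$(( up * 40 / 100 ))kbit" ceil "${up}kbit" prio 0
    run tc class add dev "$iface" parent 1:1 classid 1:20 htb rate "$(( up * 40 / 100 ))kbit" ceil "${up}kbit" prio 1
    run tc class add dev "$iface" parent 1:1 classid 1:30 htb rate "$(( up * 20 / 100 ))kbit" ceil "${up}kbit" prio 2
}

# shaping_service IFACE PROTO PORT PRIORITY: one rule from the
# "Create a service" form, matched on IP protocol number and destination port.
shaping_service() {
    iface=$1; proto=$2; port=$3
    class=$(class_of_priority "$4") || return 1
    case "$proto" in tcp) ipproto=6 ;; udp) ipproto=17 ;; *) return 1 ;; esac
    run tc filter add dev "$iface" parent 1: protocol ip prio 1 u32 \
        match ip protocol "$ipproto" 0xff match ip dport "$port" 0xffff \
        flowid "$class"
}

# Demo: a 1024 kbit/s uplink with SSH (TCP 22) and SIP (UDP 5060) as "high".
shaping_root eth1 1024
shaping_service eth1 tcp 22 high
shaping_service eth1 udp 5060 high
```

Two things the example makes visible: every leaf class has a ceil equal to the uplink rate, so an idle link is still fully usable by low-priority downloads, and the whole scheme only shapes what leaves the interface. Prioritizing the download direction is harder, since the firewall only sees incoming packets after the upstream link has already delivered them, which is why Endian asks for both down and up bandwidth separately.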

Spam Training

Select Services from the menu bar at the top of the screen, then select Spam Training from the submenu on the left side of the screen.

This section of the reference guide will be added in a future update.

Intrusion detection

Select Services from the menu bar at the top of the screen, then select Intrusion detection from the submenu on the left side of the screen.

Endian Firewall includes the well known intrusion detection (IDS) and prevention (IPS) system Snort, directly built into the IP firewall (Snort inline). At this time no rules can be added through the web interface, hence Snort is usable only by advanced users interested in loading their own rules through the command line. This will be fixed in a future update.

High availability

Endian Firewall can be easily run in high availability (HA) mode. At least 2 Endian Firewall machines are required for HA mode: one assumes the role of the active (master) firewall while the others are standby (slave) firewalls.

If the master firewall fails, an election between the slaves will take place and one of them will be promoted to the new master, providing for transparent failover.

Master setup

To set up such a HA configuration, first set up the firewall that is going to be the master:

  1. Execute the setup wizard, filling in all needed information.

  2. Log into the administration web interface, select Services from the menu bar at the top of the screen, then select High availability from the submenu on the left side of the screen.

  3. Set Enable High Availability to Yes and set High Availability side to Master.

  4. At this point an extra panel appears where the master-specific settings can be performed:
    The Management network is the special subnet to which all Endian Firewalls that are part of a HA setup must be connected (either via the GREEN interface or via a dedicated physical network). The default is 192.168.177.0/24. Unless this subnet is already used for other purposes there is no need to change this.
    The Master IP Address is the first IP address of the management network.
    The Management port is the network port that connects this firewall (the master) to the slave or slaves. This can either be the GREEN zone (i.e. the management network is physically the same as the GREEN network) or it can be a dedicated network port (eth0, eth1, ...), provided the firewall has an interface not yet used otherwise and you are planning to have a dedicated physical network for the management network.
    Next, there are some fields that you can fill in if you wish to be notified by email if a failover event takes place.
    Finally, click on Save, then Apply to activate the settings.

Slave setup

Set up the firewall that is going to be the slave:

  1. Execute the setup wizard, filling in all needed information. It is not necessary to perform network settings, configure services etc., since this information will be synchronized from the master. It is, however, necessary to register the slave with Endian Network.

  2. Log into the administration web interface, select Services from the menu bar at the top of the screen, then select High availability from the submenu on the left side of the screen.

  3. Set Enable High Availability to Yes and set High Availability side to Slave.

  4. At this point an extra panel appears where the slave-specific settings can be performed:
    Choose the management network option according to the master: either GREEN zone or a dedicated network port.
    Fill in the Master IP address (CIDR) field: 192.168.177.1/24 unless you choose a non-standard management network address for the master.
    Fill in the Master root password (the slave needs this to synchronize its configuration with the master's).
    Finally, click on Save, then Apply to activate the settings.

At this point the slave cannot be reached anymore via its old IP address (factory default or previous GREEN address), since it is in standby mode, connected only through the management network to the master.

If you log in to the master again, you will see in the HA page there is now a list of connected slaves. If you click on the Go to Management GUI link you can open the slave's administration web interface via the management network (routed via the master firewall).

Traffic Monitoring

Select Services from the menu bar at the top of the screen, then select Traffic Monitoring from the submenu on the left side of the screen.

This section of the reference guide will be added in a future update.