Endian Firewall Reference Manual r. 2.2.0.2

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Preface

Endian Firewall is an Open Source Unified Threat Management (UTM) appliance software. This document is a concise reference to the Endian Firewall web interface.

Accessing the Endian Firewall GUI

Accessing the Endian Firewall GUI is as simple as starting your browser and entering the IP address of the internal (GREEN) interface or the hostname of your Endian Firewall.

Your browser will be redirected to a secure HTTPS connection (port 10443). Since Endian Firewall uses a self-signed HTTPS certificate, your browser will most likely ask you to accept the certificate the first time you connect. Before accepting it, compare the certificate's fingerprint with one obtained over a trusted channel (for example from the appliance console), because the browser itself cannot tell the firewall's self-signed certificate apart from one presented by a machine impersonating it. The system will then ask for a username and password. Specify "admin" as the username and provide the password you set up during installation or, if you bought an appliance, the one you got from your reseller.

You should now be looking at the start page of your Endian Firewall GUI. You can immediately start exploring the different options and the information available to you through this interface. The rest of this guide follows the layout of the main navigation bar - each chapter corresponds to a main navigation item.
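The following is an added example and is not part of the Endian Firewall manual or the Endian software. It shows the out-of-band fingerprint check described above in code: the script fetches the certificate presented on port 10443 without validating it, prints its SHA-256 fingerprint, and compares it against a value the administrator obtained separately. The host address, the port being reachable from the client, and the pinned fingerprint passed on the command line are assumptions for illustration.

```python
"""Fingerprint check for a self-signed HTTPS certificate before trusting it.

Added example, not part of the Endian Firewall manual. It assumes the
administrator has obtained the expected SHA-256 fingerprint over a trusted
channel (e.g. the appliance console) and wants to verify the certificate
served on port 10443 before clicking "accept" in the browser. The default
host below is a placeholder GREEN address.
"""
import hashlib
import socket
import ssl


def sha256_fingerprint(cert_der: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate in the
    colon-separated, uppercase form that browsers and openssl display."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept fingerprints typed with or without colons or spaces, any case,
    so a value copied from a console or a browser dialog compares equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(cert_der: bytes, expected: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals the pinned one."""
    return normalize_fingerprint(sha256_fingerprint(cert_der)) == normalize_fingerprint(expected)


def fetch_peer_cert_der(host: str, port: int = 10443, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate without chain validation. Validation is
    deliberately disabled here because the certificate is self-signed; trust
    is decided afterwards by fingerprint_matches(), not by this function."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    # usage: python check_fw_cert.py <green-ip-or-hostname> [<pinned-sha256-fingerprint>]
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.15"  # placeholder, not a real address
    pinned = sys.argv[2] if len(sys.argv) > 2 else ""
    der = fetch_peer_cert_der(host)
    print("SHA-256 fingerprint:", sha256_fingerprint(der))
    if pinned:
        if fingerprint_matches(der, pinned):
            print("match: safe to accept this certificate in the browser")
        else:
            print("MISMATCH: do not accept this certificate")
```

Run it once from a trusted client with the fingerprint from the console; if it reports a match, the warning the browser shows is the expected first-connection prompt and not a sign of interception. Keep the fingerprint around: it will only change when the appliance's certificate is regenerated.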

Features and enhancements in version 2.2

Web Interface
Completely redesigned web interface; many usability enhancements

Enhanced management of WAN/RED connections
Support for multiple uplinks; multiple IPs/networks on each WAN/RED interface; uplink monitoring with automatic failover (ISP failover); easy editing/management of uplinks; support for new uplink types: UMTS, PPTP

Networking
VLAN support (IEEE 802.1Q trunking); policy routing: routing based on user, interface, mac, protocol or port

Port Forwarding / NAT
Multiple uplink support, allowing different rules per uplink; port forwarding of traffic coming from VPN endpoints; source NAT management; option for rule based Logging

System Access
External access has now been enhanced and renamed to system access; fine grained management of permissions regarding access to the system from LAN, WAN, DMZ and VPN endpoints; default policy for firewall/system access is now set to DENY; firewall services automatically define ports required for their proper function, but access can be restricted; support for ICMP protocol

Outgoing Firewall
Support for ICMP protocol; handling of multiple sources/ports/protocols per rule

Zone Firewall
DMZ pinholes have been enhanced and renamed to zone firewall; fine grained filtering of local network traffic; rules based on zones, physical interfaces, MAC addresses; support for ICMP protocol; handling of multiple sources/ports/protocols per rule

Intrusion Detection
New version of Snort IDS with reduced RAM usage and enhanced performance; support for inline intrusion detection

High Availability
Multi-node appliance cluster; hot standby (active/passive); automatic node data synchronization; process monitoring/watchdog

HTTP Proxy
Time based access control with multiple time intervals; group based web access policies; zone based operation mode: transparent, authentication or no authentication

Content Filter
Better handling of content filter categories; enhanced performance

SMTP Proxy
Enhanced performance; optional setting for smarthost port; additionally secures SMTP traffic coming from VPNs (roadwarrior and gateway to gateway)

DNS Proxy
Route specific domains to a custom DNS

Hotspot
Better account listing, with pagination, sorting and search; per user and global bandwidth limiting; MAC-address based user accounts; user account import/export via CSV; single-click ticket generation (quick ticket); automatic client network configuration (support for DHCP and static IP); enhanced user/client portal; generic JSON-API for external accounting and third party integration (like hotel management software); support for multiple network interfaces

OpenVPN
X.509 and 2 factor based authentication; pushing of DNS settings to clients; pushing of global or per client routes; support for NATed VPN endpoints; support for VPN over HTTP proxy; automatic connection failover; every VPN endpoint is resolvable through DNS (vpn.<username>.domain)

Endian VPN Client
Downloadable from Endian Network; works with Microsoft Windows (Vista, XP, 2000), MacOS X, Linux; multiple connections at once; encrypted configuration profiles; PSK, X.509 based and 2 factor authentication; runs as a service and allows unprivileged users to start a connection; can start the connection automatically on boot / on user logon; supports OpenVPN server fallback when the primary server fails

IPsec
Rewrite of the base; added debugging possibilities; IPsec on ORANGE (DMZ); default MTU can be overridden; simplified GUI by removing side (left/right) configuration and switching completely to local/remote labeling; added ID fields; added dead peer detection options

Live Log Viewer
Realtime log viewer with filtering and highlighting; displays all the logfiles you are interested in at the same time

Logs
Every service supports remote logging; daily log rotation

Backup
Zero-configuration backups to USB stick: plug in a USB stick and it "just works"; restore from any USB stick

Support
One click to grant access to Endian support team; integrated ticketing support

Legal notice

The Endian Firewall Reference Manual 2.2 ("this document") is copyright (c) 2008 Endian srl, Italy ("Endian"). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

This document was written by (alphabetical order) Andreas Ender, Diego Gagliardo, Christian Graffer, Raphael Lechner, Chris Mair, Raphael Vallazza and Peter Warasin. Some parts of this document are based on the IPCop Administrative Guide by Chris Clancey, Harry Goldschmitt, John Kastner, Eric Oberlander, Peter Walker. Some parts of this document are based on the IPCop Advanced Proxy Administrative Guide by Marco Sondermann.

The information contained within this document may change from one version to the next. All programs and details contained within this document have been created to the best of our knowledge and tested carefully. However, errors cannot be completely ruled out. Therefore Endian does not express or imply any guarantees for errors within this document or consequent damage arising from the availability, performance or use of this or related material.

The use of names in general use, names of firms, trade names, etc. in this document, even without special notation, does not imply that such names can be considered as free in terms of trademark legislation and that they can be used by anyone. All trade names are used without a guarantee of free usage and might be registered trademarks. As a general rule, Endian adheres to the notation of the manufacturer. Other products mentioned here could be trademarks of the respective manufacturer.

Acknowledgments

Without the great work of the Smoothwall and then the IPCop team, neither Endian Firewall nor this document would exist. Therefore we would like to thank them all for their hard work.

Thanks to Sourceforge for the hosting. Without Sourceforge we would not have the possibility to gain such huge worldwide visibility. You are really helping us very much!

Endian web site

For more information please visit Endian's web site at http://www.endian.com.