Endian Firewall Reference Manual r. 2.2.0.2

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Chapter 1: The System Menu

Select System from the menu bar at the top of the screen.

The following links will appear in a submenu on the left side of the screen. They allow for basic administration and monitoring of your Endian Firewall.

Each link will be explained individually in the following sections.

Home

Select System from the menu bar at the top of the screen, then select Home from the submenu on the left side of the screen.

This page displays an overview of the uplink connection(s) and general system health.

A table is displayed, detailing the connection status of each uplink. Usually you will see just a single uplink called main, since it is the primary uplink. Of particular interest is the status field of the individual uplink:

Stopped - The uplink is not connected.
Connecting - The uplink is currently connecting.
Connected - The uplink is connected and fully operational.
Disconnecting - The uplink is currently disconnecting. Endian Firewall keeps pinging the gateway and announces when it becomes available.
Failure - There was a failure while connecting the uplink.
Failure, reconnecting - There was a failure while connecting to the uplink. Endian Firewall is trying again.
Dead link - The uplink is connected, but the gateway could not be reached, so the uplink is in fact not operational.

Each uplink can be operated in either managed mode (default) or manual mode. In managed mode Endian Firewall monitors and restarts the uplink automatically when needed. If managed mode is disabled, the uplink can be activated or deactivated manually.

Finally, after the uplink table, you can find a system health line, which looks similar to the following example:

 efw-1203950372.localdomain - 13:45:49 up 1 min, 0 users, load average: 4.84, 1.89, 0.68

This is basically the output of the Linux uptime command. It shows the current time, the days/hours/minutes that Endian Firewall has been running without a reboot, the number of console logins and the load averages for the past 1, 5, and 15 minutes.
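The health line is easy to parse for monitoring. The following Python snippet is an added example, not part of the manual and not Endian Firewall's own code: it splits a line of this format into its fields and flags two conditions a firewall administrator would want to notice, any console logins present and a 1-minute load average above the number of CPUs. The sample line is constructed from the manual's example; the load threshold and the function names are this example's own choices.

```python
import re

# Constructed sample line, in the format of the manual's system health line.
SAMPLE_HEALTH_LINE = (
    "efw-1203950372.localdomain - 13:45:49 up 1 min, 0 users, "
    "load average: 4.84, 1.89, 0.68"
)

# Field layout: "<host> - <HH:MM:SS> up <uptime>, <n> user(s), load average: <1>, <5>, <15>"
# The uptime part may itself contain a comma ("3 days, 2:15"), so it is matched lazily.
HEALTH_RE = re.compile(
    r"^(?P<host>\S+) - (?P<time>\d{2}:\d{2}:\d{2}) up (?P<uptime>.+?),\s+"
    r"(?P<users>\d+) users?,\s+load average:\s+"
    r"(?P<l1>\d+\.\d+),\s+(?P<l5>\d+\.\d+),\s+(?P<l15>\d+\.\d+)$"
)


def parse_health_line(line):
    """Split one system health line into its fields."""
    m = HEALTH_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised system health line: {line!r}")
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "uptime": m.group("uptime"),
        "users": int(m.group("users")),
        "load": tuple(float(m.group(k)) for k in ("l1", "l5", "l15")),
    }


def health_warnings(info, cpus=1):
    """Conditions worth a second look. The load threshold (1-minute load above
    the CPU count) is this example's assumption, not a value from the manual."""
    warnings = []
    if info["users"] > 0:
        warnings.append(f"{info['users']} console login(s) present; verify they are expected")
    if info["load"][0] > cpus:
        warnings.append(f"1-minute load {info['load'][0]} exceeds CPU count {cpus}")
    return warnings


if __name__ == "__main__":
    info = parse_health_line(SAMPLE_HEALTH_LINE)
    print(info)
    for w in health_warnings(info):
        print("WARNING:", w)
```

On the manual's sample line the load warning fires only because the system has been up for one minute; in practice, compare the 5- and 15-minute values before acting on the 1-minute one.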

Network configuration

Select System from the menu bar at the top of the screen, then select Network configuration from the submenu on the left side of the screen.

Network and interface configuration is fast and easy with the wizard provided in this section. The wizard is divided into steps: you can navigate back and forth using the <<< and >>> buttons. You can freely navigate all steps and decide to cancel your actions at any moment. Only in the last step will you be asked to confirm the new settings. If you confirm, the new settings will be applied. This might take some time, during which the web interface might not respond.

Following is a detailed list of each wizard step.

Choose type of RED interface

When Endian Firewall was installed, the trusted network interface (called the GREEN interface) has already been chosen and set up.

This screen allows you to choose the untrusted network interface (called the RED interface): the one that connects your Endian Firewall to the "outside" (typically the uplink to your internet provider). Endian Firewall supports the following types of RED interfaces:

ETHERNET STATIC - You want to operate an Ethernet adapter and you need to setup network information (IP address and netmask) manually. This is typically the case when you connect your RED interface to a simple router using an Ethernet crossover cable.
ETHERNET DHCP - You want to operate an Ethernet adapter that gets network information through DHCP. This is typically the case when you connect your RED interface to a cable modem/router or ADSL/ISDN router using an Ethernet crossover cable.
PPPoE - You want to operate an Ethernet adapter that is connected via an Ethernet crossover cable to an ADSL modem. Note that this option is only needed if your modem uses bridging mode and requires your firewall to use PPPoE to connect to your provider. Pay attention not to confuse this option with the ETHERNET STATIC or ETHERNET DHCP options used to connect to ADSL routers that handle the PPPoE themselves.
ADSL (USB, PCI) - You want to operate an ADSL modem (USB or PCI devices).
ISDN - You want to operate an ISDN adapter.
ANALOG/UMTS Modem - You want to operate an analog (dial-up) or UMTS (cell-phone) modem.
GATEWAY - Your Endian Firewall has no RED interface. This is unusual since a firewall normally needs to have two interfaces as a minimum - for some scenarios this does make sense though. For example, if you want to use only a specific service of the firewall. If you choose this option, later you will need to set a default gateway.

Choose network zones

Endian Firewall borrows IPCop's idea of different zones. At this point you've already encountered the two most important zones:

GREEN - is the trusted network segment.
RED - is the untrusted network segment.

This step allows you to add one or two additional zones, provided you have enough interfaces. Available zones are:

ORANGE - is the demilitarized zone (DMZ). If you host servers, it is wise to connect them to a different network than your GREEN network. If some attacker manages to break into one of your servers, he or she is trapped within the DMZ and can't gain sensitive information from local machines in your GREEN zone.
BLUE - is the wireless zone (WLAN). You can attach a hotspot or WiFi access point to an interface assigned to this zone. Wireless networks are often not secure - so the purpose is to trap all wirelessly connected machines into their own zone with no default access to any other zone except RED.

Note that one network interface is reserved for the GREEN zone and one may already be assigned to the RED zone if you have selected a RED interface type which needs a network card. This might limit your choices here to the point that you cannot choose an ORANGE or BLUE zone because you lack the required number of network adapters.

Network Preferences

This step allows you to configure the GREEN zone and any additional zones you might have set up in the previous step (ORANGE or BLUE).

There is a similar section for each zone with the following options:

IP address - Specify one IP address (such as 192.168.0.1). Pay attention to use only addresses that are not already used elsewhere on your network. Pay special attention to the interfaces in the GREEN zone to avoid locking yourself out of the web interface! If you change IP addresses of an Endian Firewall in production, you might need to adjust settings elsewhere, for example regarding the HTTP proxy.
Network mask - Specify the CIDR / network mask from a selection of possible masks (such as /24 - 255.255.255.0). It is important to use the same mask on all devices on the same subnet.
Additional addresses - You can add additional IP addresses to the interface here.
Interfaces - Specify the association of interfaces to zones. Each interface can be assigned to only one zone and each zone must have at least one interface. You might, however, assign more than one interface to the same zone in which case the multiple interfaces are bridged together and act as if they were part of a switch.
All interfaces shown are labeled with their PCI identification number, the device description as returned by lspci and their MAC addresses.

Note that Endian Firewall internally handles all zones as bridges, regardless the number of assigned interfaces. Therefore the Linux name of the interfaces is brX, not ethX.

Additionally, the system's host and domain name can be given at the bottom of the screen.

You need to use an IP address in a different network segment for each interface, for example:

IP = 192.168.0.1, network mask = /24 - 255.255.255.0 for GREEN
IP = 192.168.10.1, network mask = /24 - 255.255.255.0 for ORANGE
IP = 10.0.0.1, network mask = /24 - 255.255.255.0 for BLUE

It is suggested to follow the standards described in RFC1918 and use only IP addresses contained in the networks reserved for private use by the Internet Assigned Numbers Authority (IANA):

10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

The first and the last IP address of a network segment are the network address and the broadcast address respectively and must not be assigned to any device.
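As an added worked check, not part of the manual and not Endian Firewall's own code, the following Python script applies the rules above to a zone plan: it computes the network and broadcast address of each zone, rejects a host address that collides with either, verifies membership in the three RFC1918 ranges, and verifies that no two zones share a network segment. The zone plan uses the manual's own example addresses; the function and variable names are this example's own.

```python
import ipaddress

# The three private ranges the manual lists (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone plan using the manual's own example values: zone -> (address, prefix length).
ZONE_PLAN = {
    "GREEN": ("192.168.0.1", 24),
    "ORANGE": ("192.168.10.1", 24),
    "BLUE": ("10.0.0.1", 24),
}


def zone_network(address, prefixlen):
    """Network, network address and broadcast address for an interface address."""
    iface = ipaddress.ip_interface(f"{address}/{prefixlen}")
    return iface.network, iface.network.network_address, iface.network.broadcast_address


def check_zone_plan(plan):
    """Return a list of problems; an empty list means the plan passes every check."""
    problems = []
    networks = {}
    for zone, (address, prefixlen) in plan.items():
        addr = ipaddress.ip_address(address)
        net, network_addr, broadcast_addr = zone_network(address, prefixlen)
        # First and last address of the segment must not be assigned to a device.
        if addr == network_addr:
            problems.append(f"{zone}: {addr} is the network address of {net}")
        if addr == broadcast_addr:
            problems.append(f"{zone}: {addr} is the broadcast address of {net}")
        # Only the IANA-reserved private ranges should be used for internal zones.
        if not any(addr in r for r in RFC1918):
            problems.append(f"{zone}: {addr} is not in an RFC 1918 private range")
        networks[zone] = net
    # Each zone needs its own network segment; overlapping subnets break routing.
    zones = list(networks)
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if networks[a].overlaps(networks[b]):
                problems.append(
                    f"{a} ({networks[a]}) and {b} ({networks[b]}) are not on different network segments"
                )
    return problems


if __name__ == "__main__":
    for zone, (address, prefixlen) in ZONE_PLAN.items():
        net, _, broadcast = zone_network(address, prefixlen)
        print(f"{zone}: {address}/{prefixlen} -> network {net}, broadcast {broadcast}")
    print(check_zone_plan(ZONE_PLAN) or "zone plan OK")
```

Run it before applying the wizard's last step; a GREEN address that fails the network/broadcast check is exactly the kind of mistake that locks you out of the web interface.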

Internet access preferences

This step allows you to configure the RED interface, which connects to the internet or another untrusted network outside Endian Firewall.

You will find different configuration options on this page, depending on which type of interface for RED you had chosen earlier. Some types need more configuration steps than others. Following is a description for each type.

ETHERNET STATIC - You need to enter the IP address and network mask of the RED interface, as well as the IP address of your default gateway - that is, the IP address of the gateway that connects your Endian Firewall to the internet or other untrusted network. Optionally, you can also specify the MTU (maximum transmission unit) and the Ethernet hardware address (MAC address) of the interface - this is typically not needed.
ETHERNET DHCP - You just need to specify whether you want the IP address of the DNS (domain name server) to be assigned automatically via DHCP or whether you want to set it manually.
PPPoE - You need to enter the username and password assigned to you by your provider, the authentication method (if you don't know whether PAP or CHAP applies, leave the default PAP or CHAP) and whether you want the IP address of the DNS (domain name server) to be assigned automatically or whether you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) and your provider's service and concentrator name - this is typically not needed.
ADSL (USB, PCI) - There are 3 sub-screens for this choice.
First you need to select the appropriate driver for your modem.
Then you need to select the ADSL type: PPPoA, PPPoE, RFC 1483 static IP or RFC 1483 DHCP.
Finally, you need to provide some of the following information (depending on the ADSL type, not all of it is present): the VPI/VCI numbers as well as the encapsulation type; the username and password assigned to you by your provider and the authentication method (if you don't know whether PAP or CHAP applies, leave the default PAP or CHAP); the IP address and network mask of the RED interface, as well as the IP address of your default gateway (RFC 1483 static IP only); whether you want the IP address of the DNS (domain name server) to be assigned automatically or whether you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) - this is typically not needed.
ISDN - You need to select your modem driver and phone numbers (your provider's number and the number used to dial out), as well as the username and password assigned to you by your provider and the authentication method (if you don't know whether PAP or CHAP applies, leave the default PAP or CHAP). Also specify whether you want the IP address of the DNS (domain name server) to be assigned automatically or whether you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) - this is typically not needed.
ANALOG/UMTS Modem - There are 2 sub-screens for this choice.
First you need to specify the serial port your modem is connected to and whether it's a simple analog modem or a UMTS/HSDPA modem. Note that /dev/ttyS0 is normally used as serial console and is therefore not available for modems.
Then you need to specify the modem's bit rate, the dial-up phone number or access point name, the username and password assigned to you by your provider and the authentication method (if you don't know whether PAP or CHAP applies, leave the default PAP or CHAP). Also specify whether you want the IP address of the DNS (domain name server) to be assigned automatically or whether you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) - this is typically not needed.
GATEWAY - You just need to specify the IP address of your default gateway - that is, the IP address of the gateway that connects your Endian Firewall to the internet or other untrusted network.

Configure DNS resolver

This step allows you to define up to two addresses for DNS (domain name servers), unless they are assigned automatically.

Apply configuration

The last step asks you to confirm the new settings.

Click the OK, apply configuration button to go ahead. Once you have done this, the network wizard will write all configuration files to disk, reconfigure all necessary devices and restart all dependent services. This may take up to 20 seconds, during which you may not be able to connect to the administration interface and for a short time no connections through the firewall are possible.

The administration interface will then reload automatically. If you have changed the IP address of the GREEN zone's interface, you will be redirected to the new IP address. In this case and/or if you have changed the hostname a new SSL certificate will be generated.

Support

Select System from the menu bar at the top of the screen, then select Support from the submenu on the left side of the screen.

A support request can be created directly from this screen. Fill in all necessary information and submit your request. A member of the Endian support team will contact you as soon as possible. Please provide a detailed problem description so as to help the support team resolve the issue as quickly as possible.

Optionally, you can allow access to your firewall via SSH (secure shell). This is a secure, encrypted connection that allows support staff to log in to your Endian Firewall to verify settings, etc. This option is off by default. When you turn it on, the support team's public SSH key is copied to your system and access is granted via that key. Your root password is never disclosed in any way.

Endian Network

Select System from the menu bar at the top of the screen, then select Endian Network from the submenu on the left side of the screen.

Your Endian Firewall can connect to Endian Network (EN). Endian Network allows for easy and centralized monitoring, managing and upgrading of all your Endian Firewall systems with just a few clicks.

This screen contains three tabs.

The EN registration tab shows a summary of your Endian Network support status. The last section lists your activation keys. You need at least one valid activation key (not expired) to receive updates from and participate in Endian Network. There is a key for each support channel (typically just one).

The EN access tab allows you to specify whether your Endian Firewall can be reached through Endian Network at all, and if so, through which protocol: HTTPS means the web interface can be reached through Endian Network and SSH means it is possible to log in via secure shell through Endian Network.

The Update tab displays and controls the update status of your system. There are three sections.

Firstly, pressing the Check for new updates! button will access your support channels looking for new updates. If any updates are found they will be listed (updates are distributed as RPM packages). Pressing the Start update process NOW! button will install all updated packages.

Secondly - to save you some time - the system retrieves the update list automatically. You may choose the interval to be hourly, daily, weekly (the default) or monthly - do not forget to press Save to save the setting.

Thirdly, by pressing Update signatures now you can update the ClamAV antivirus signatures. This works only if ClamAV is in use, for example in connection with the email or HTTP proxy.

Passwords

Select System from the menu bar at the top of the screen, then select Passwords from the submenu on the left side of the screen.

You can change one or more passwords here. Specify each new password twice and press Save. The following users are available:

Admin - the user that can connect to the web interface for administration.
Root - the user that can login to the shell for administration. Logins can be made locally to the console or remotely via SSH (secure shell) if it has been activated.
Dial - the Endian Firewall Client user.

SSH access

Select System from the menu bar at the top of the screen, then select SSH access from the submenu on the left side of the screen.

This screen allows you to enable remote SSH (secure shell) access to your Endian Firewall. This is disabled by default, which is the recommended setting.

Some SSH options can be set:

SSH protocol version 1 - This is only needed for old SSH clients that only support version 1 of the SSH protocol. This is strongly discouraged since there are known vulnerabilities in SSH protocol version 1. Rather upgrade your SSH clients to version 2, if at all possible.
TCP forwarding - Check this if you need to tunnel other protocols through SSH. See the note below for a use case example.
password authentication - Permit logins through password authentication.
public key authentication - Permit logins through public keys. The public keys must be added to /root/.ssh/authorized_keys.

Finally there is a section detailing the public SSH keys of this Endian Firewall as generated at the first boot.
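As an added example, not from the manual and not Endian Firewall's own code, the following Python function audits an sshd_config text against the four options above, using the standard OpenSSH keyword names (Protocol, AllowTcpForwarding, PasswordAuthentication, PubkeyAuthentication). How the Endian Firewall GUI writes its own sshd_config is not described in this manual and is not assumed here; the two embedded configurations are constructed, one with every discouraged option enabled and one hardened counterpart, and the defaults applied to a keyword that is absent from the file are this example's assumptions.

```python
import re

# Two constructed sshd_config fragments: the first enables every option the
# manual discourages, the second is the hardened counterpart.
WEAK_SSHD_CONFIG = """\
Protocol 2,1
AllowTcpForwarding yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Protocol 2
AllowTcpForwarding no
PasswordAuthentication no
PubkeyAuthentication yes
# keys are read from /root/.ssh/authorized_keys, as the manual states
"""

# Values assumed for a keyword that is absent from the file (this example's
# assumption; check the documented defaults of the sshd version in use).
ASSUMED_DEFAULTS = {
    "protocol": "2",
    "allowtcpforwarding": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value}. As in sshd, the first occurrence of a
    keyword wins, so later duplicates are ignored. Both "Keyword value" and
    "Keyword=value" forms are accepted; Match blocks are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return one finding per option set contrary to the manual's advice."""
    cfg = dict(ASSUMED_DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    protocols = {p.strip() for p in cfg["protocol"].split(",")}
    if "1" in protocols:
        findings.append("SSH protocol version 1 is enabled; use version 2 only")
    if cfg["allowtcpforwarding"].lower() == "yes":
        findings.append("TCP forwarding is enabled; disable it unless you tunnel other protocols through SSH")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("password authentication is enabled; prefer public key authentication only")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("public key authentication is disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or ["no findings"])
```

The first-occurrence-wins rule matters when auditing a real file: a hardened line appended at the end of sshd_config has no effect if a weaker setting for the same keyword appears earlier.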

Assume you have a service such as telnet (or other service that can be tunneled through SSH) on a computer inside your GREEN zone, say port 23 on host 10.0.0.20.

This is how you can set up an SSH tunnel through your Endian Firewall to access the service securely from outside your LAN.

1. Enable SSH and make sure it can be accessed (see Firewall, System access).

2. From the outside connect to your Endian Firewall using

    ssh -N -f -L 12345:10.0.0.20:23 root@endian_firewall

where -N tells SSH not to execute commands, but just to forward traffic, -f means to run in background and -L 12345:10.0.0.20:23 means to connect the local port 12345 on the outside system to port 23 on host 10.0.0.20 as seen from Endian Firewall.

3. There is now an SSH tunnel open from port 12345 of the outside system to port 23 on host 10.0.0.20. In this example you can now telnet to port 12345 on localhost to reach 10.0.0.20.

GUI settings

Select System from the menu bar at the top of the screen, then select GUI settings from the submenu on the left side of the screen.

Two options about the web interface can be set in this screen: whether to display the hostname in the browser window title and the language of the web interface (English, German and Italian are currently supported).

Backup

Select System from the menu bar at the top of the screen, then select Backup from the submenu on the left side of the screen.

In this section you can create backups of your Endian Firewall configuration and restore the system to one of these backups when needed. Backups can be saved locally on the Endian Firewall host or downloaded to your computer. It is also possible to reset the configuration to factory defaults and to create fully automated backups.

Backup sets

By clicking on the Create new Backup button you can configure a new snapshot:

configuration - include all configurations and settings you have made, that is the content of the directory /var/efw.
database dumps - include database dump, the database includes for example hotspot accounting information.
log files - include log files
log archives - include older log files
remark - your comment

Click on the Create new Backup button again to go ahead and create the backup.

Following is the list of available backups (initially empty): you can choose to download them, delete them or restore them by clicking on the appropriate icon in this list. Each backup is annotated with zero or more of the following flags:

S - Settings. The backup contains your configurations and settings.
D - Database. The backup contains a database dump.
E - Encrypted. The backup file is encrypted.
L - Log files. The backup contains log files.
A - Archive. The backup contains older log files.
! - Error! The backup file is corrupt.
C - Created automatically. The backup has been created automatically by a scheduled backup.

Encrypt backup

You can provide a GPG public key that will be used to encrypt all backups. Select your public key by clicking on the Browse button and selecting the key file from your local file system. Make sure Encrypt backup archives is checked. Confirm and upload the key file by clicking Save.

Import Backup files

You can upload a previously downloaded backup. Select your backup by clicking on the Browse button and selecting the backup file from your local file system. Fill in the Remark field in order to name the backup and upload it by clicking Save.

The backup now appears in the backup list above where you can choose to restore it by clicking the restore icon.

Reset to factory defaults

Clicking the Factory defaults button allows you to reset the configuration of your Endian Firewall to factory defaults and reboot the system immediately after. All your configurations and settings will be lost!

Scheduled backups

Select the Scheduled backups tab if you wish to enable and configure automatic backups.

First, enable and configure automatic backups. You can choose what elements the backup should cover: the configuration, database dumps, log files and old log files as seen in the Backup Sets section. You can also choose how many backups you want to keep (2-10) and the backup interval (hourly, daily, weekly or monthly). When you're done click the Save button.

Next, you can tell the system whether or not you want backups emailed to you. Enable this feature and select the email address of the recipient if you wish to receive backups by email. You can then Save the settings. There is also a Send a backup now button that will save the settings and try to email a backup right now, so you can immediately test the system. Optionally you can also give a sender email address and the address of a smarthost to be used (in case you want all outgoing email to go through your company's SMTP server, rather than be sent directly by your Endian Firewall).

Shutdown

Select System from the menu bar at the top of the screen, then select Shutdown from the submenu on the left side of the screen.

In this screen you can shutdown or reboot your Endian Firewall by clicking the Shutdown or the Reboot button respectively.

Credits

Select System from the menu bar at the top of the screen, then select Credits from the submenu on the left side of the screen.

This screen displays the list of people that brought Endian Firewall to you.