Professional Documents
Culture Documents
Diego Gagliardo
Raphael Lechner
Marco Sondermann
Raphael Vallazza
Peter Warasin
Christian Graffer
Copyright 2002, 2003, 2004, 2005, 2006 Chris Clancey, Harry Goldschmitt, John Kastner, Eric Oberlander, Peter Walker, Marco
Sondermann, Endian srl
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no
Back-Cover Texts. A copy of the license is included in the section entitled Appendix A, GNU Free Documentation License.
2006-05-24
Revision History
Revision 1.1rc7
DocBook Edition
Revision 2.0
DocBook Edition
Revision 2.1
DocBook Edition
2005-10-09
2006-05-24
2006-11-17
Abstract
A comprehensive documentation for the Administrator of an Endian Firewall.
Table of Contents
Preface
Rights and Disclaimers
Conventions used in this book
Convertido de web en PDF con http://www.htmlapdf.com!
Typographic Conventions
Icons
Organization of this book
This Book is Free
Acknowledgments
1. Introduction
What Is Endian Firewall?
Features
2. System Web pages
Introduction
Home Administrative Window
Network Configuration
Choose type of RED interface
Choose network zones
Network preferences
Internet Access preferences
RED type: NONE
RED type: ADSL
RED type: ISDN
RED type: ETHERNET STATIC
RED type: ETHERNET DHCP
RED type: PPPoE
Configure DNS resolver
Apply configuration
EN registration
Passwords
SSH Access
SSH Options
SSH Host Keys
GUI Settings
Backup Web Page
Your Backup list
Create a new Backup file
Encrypt Backup files
Export Backup files
Import Backup files
Restore a Backup
Schedule Backups
Reset configuration to factory defaults
Shutdown or Restart Endian Firewall
3. Status Menu
Introduction
System Status
Services
Memory
Disk Usage
Uptime and Users
Loaded Modules
Kernel Version
Network Status
Interfaces
RED DHCP configuration
Current Dynamic Leases
Routing Table Entries
ARP Table Entries
System Graphs
Traffic Graphs
Proxy Graphs
Connections
SMTP Mail Statistics
Mail Queue
IPTables Rules
4. Network Menu
Introduction
Host configuration (Edit Hosts)
Aliases
5. Services Menu
Introduction
DHCP Administrative Web Page
DHCP Server Parameters
Add a new fixed lease
Current fixed leases
Current dynamic leases
Error messages
Dynamic DNS Administrative Web Page
Add a host
Current hosts
Forcing a Manual Update
ClamAV Antivirus
Time Server Administrative Web Page
Traffic Shaping Administrative Web Page
Intrusion Detection System Administrative Web Page
Linesrv (removed in version 2.1)
Server
Clients
XLC
WLC2
Hotspot
6. Firewall Menu
Introduction
Firewall
Port Forwarding Administrative Web Page
Port Forwarding Overview
Port Forwarding and External Access
External Access Administrative Web Page
Zone Pinholes Administrative Web Page
Outgoing Firewall Administrative Web Page
Globally DENY outgoing traffic to RED and explicitely configure outgoing rules
Globally ALLOW outgoing traffic to RED
7. Proxy
Introduction
HTTP Proxy
Feature List
Web proxy configuration
Common settings
Upstream proxy
Log settings
Cache management
Network based access control
Time restrictions
Transfer limits
MIME type filter
Web browser
Authentication configuration
Content filter
Content filter (Dansguardian)
Block pages which contain unallowed phrases
Block pages known to have content of the following categories
Custom black- and whitelists
HTTP Antivirus
Max. content scan size
Last Update
Do not scan the following URLs
Enforcing proxy usage
Web Proxy standard operation modes
Client side Web Proxy configuration
Requirements for mandatory proxy usage
POP3
Global settings
Spamfilter configuration
SIP
FTP
SMTP
General Settings
Antivirus
AntiSpam
General Settings
Greylisting
Banned File Extension
Blacklists/Whitelists
Real-time Spam Black Lists (RBL)
Custom black/whitelists
Domains
BCC
Advanced settings
Smarthost
IMAP Server for SMTP Authentication
Advanced settings
8. VPN Menu
Introduction
Virtual Private Networks (VPNs)
Net-to-Net (Gateway-to-Gateway)
Host-to-Net (Roadwarrior)
OpenVPN
OpenVPN Web Interface
OpenVPN Server
Openvpn Net2Net client
Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)
Configuration of an OpenVPN client on the roadwarrior side
IPSec
Methods of Authentication
Pre-shared Key
X.509 Certificates
Global Settings
Connection Status and Control
Certificate Authorities
Generate Root/Host Certificates
Upload a CA certificate
Reset configuration
Add a new connection
Connection Type
Authentication
9. Logs
Introduction
Log Settings Administrative Web Page
MODIFICATIONS
COMBINING DOCUMENTS
COLLECTIONS OF DOCUMENTS
AGGREGATION WITH INDEPENDENT WORKS
TRANSLATION
TERMINATION
FUTURE REVISIONS OF THIS LICENSE
ADDENDUM: How to use this License for your documents
List of Figures
2.1. System menu selected
2.2. Home
2.3. Displays the Endian Network Support status
2.4. Online status
2.5. Network wizard step 1: Choose type of RED interface
2.6. Network wizard showing Step2: Choose network zones
2.7. Network wizard showing Step 3: Network preferences
2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE
2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem
2.10. Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type
2.11. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (PPPoE)
2.12. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 static ip)
2.13. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 DHCP)
2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences
2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences
2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences
2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences
2.18. Network wizard showing step 5: configure DNS resolver
2.19. Network wizard showing step 6: Apply configuration
2.20. Unregistered Endian Firewall
2.21. Registered Endian Firewall
2.22. Password changing dialogue
2.23. SSH access page
2.24. GUI settings
2.25. Backup to files
2.26. Create new backup
2.27. Encrypt Backups
2.28. Import Backup
2.29. Restore Backup
2.30. Schedule backups
2.31. Reset to factory defaults
2.32. Shutdown / Reboot page
3.1. Status menu selected
3.2. Page which displays the actual running services
3.3. Page which displays the current memory usage
3.4. Page which displays the current disk usage
3.5. Page which displays uptime and current logged in users
Preface
Table of Contents
Rights and Disclaimers
Conventions used in this book
Typographic Conventions
Icons
Organization of this book
This Book is Free
Acknowledgments
Typographic Conventions
Constant width
Used for commands, command output, program names.
Constant width italic
Used for replaceable items in code and text.
Italic
Used for names, (file, interface, directory names, ...).
asdljasldjasljd
Used for user input
Icons
Tip
This icon designates a tip to the surrounding text.
Note
This icon designates a note relating to the surrounding text.
Warning
This icon designates a warning relating to the surrounding text.
Chapter 2, System Web pages
Covers the System menu with its features and configuration possibilities, including first-step network configuration and system
tools.
Chapter 3, Status Menu
Describes the Status menu and its system monitoring and visualizing functionalities.
Chapter 4, Network Menu
Explains how to configure network related parts of Endian Firewall.
Chapter 5, Services Menu
Gives information about additional services Endian Firewall ships with, including DHCP, NTP and DDNS service, Intrusion
detection and Traffic Shaping (QoS).
Chapter 6, Firewall Menu
Explains the firewall functionalities and Endian Firewall's security concept.
Chapter 7, Proxy
Describes in depth Endian Firewall's application proxies, which includes HTTP, FTP, SIP and SMTP proxies with a bunch of
configuration possibilities.
Chapter 8, VPN Menu
Help on creating Virtual Private Networks for both possibilities, OpenVPN and IPSec.
Chapter 9, Logs
Gives an overview of the log viewer menu and its facilities to visualize and configure all the service logs.
Chapter 10, Hotspot
This chapter contains a detailed description of the Endian Hotspot.
Acknowledgments
Without the great work of the Smoothwall and then the IPCop team, Endian Firewall would not exist and in turn this documentation
would not exist at all. Therefore we would like to thank them all for their hard work.
Thanks to Sourceforge for the hosting. Without Sourceforge we would not have the possibility to gain such a huge worldwide visibility.
You are really helping us very much!
Finally, we thank the following people for helping us out with work on screenshots and xslt: Elisabeth Warasin, Thomas Lukasser.
Chapter 1. Introduction
Table of Contents
What Is Endian Firewall?
Features
Features
This needs a rewrite!!
Base Module - Endian Firewall 1.1
- Firewall (stateful inspection)
- Outgoing Firewall
- IPSec gateway-to-gateway VPN
- IPSec remote client-to-gateway VPN (roadwarrior)
- NAT
- Multi-IP address support (aliases)
- Dynamic DNS
- DMZ support
- HTTPS Web Interface
- Detailed network traffic graphs
- View currently active connections
- Event log management
- Log redirection to external server
- DHCP server
- NTP server
- Traffic Shaping / QoS
- Transparent POP3 antivirus/antispam proxy
- Transparent HTTP proxy
- Web proxy with local users, Windows domain, Samba, LDAP, RADIUS server management
- Intrusion Detection System
- ADSL modem support
- Configuration backup and restore
- Remote update
- SIP VoIP Proxy *NEW!*
Advanced Antivirus Module - Endian Firewall 1.1
- HTTP Antivirus
- Endian Security Tools for Windows Desktop
- Transparent SMTP antivirus/antispam proxy
VPN Gateway Module - Endian Firewall 1.1
- Gateway-to-gateway VPN with OpenVPN
- Remote client-to-gateway VPN (roadwarrior) with OpenVPN
- Bridged and routed VPN mode
- Endian VPN client for Windows, Linux, MacOSX
Web Content Filter Module - Endian Firewall 1.1
- URL filter
- Web content analysis/filter
- Whitelist and blacklist management
- Web surfing time limits
Chapter 2. System Web pages
Introduction
Figure 2.1. System menu selected
This group of web pages is designed to help you to administer and control the Endian Firewall itself. To get to these web pages, select
System from the menu bar at the top of the screen. The following choices will appear in a submenu on the left side of the screen:
Home Returns to the home page.
Network Configuration Allows you to configure the network and the NIC of your EFW
Endian Network Allows you to register your EFW within Endian Network. This menu item is not available within Endian Firewall
Community version. ('EN registration' before version 2.1)
Passwords Allows you to set the admin password.
SSH Access Allows you to enable and configure Secure Shell, SSH, access to Endian Firewall.
GUI Settings Allows you to set the language of the web display.
Backup Backs up/restore your EFW settings to/from files. You can also restore your settings to factory default.
Shutdown Shutdown or restart your Endian Firewall from this web page.
Credits Our thanks to all contributors.
Accessing the Endian Firewall GUI is as simple as starting your browser and entering the IP address (of the GREEN EFW interface) or
the hostname of your Endian Firewall followed by the port number: 10443 (HTTPS, secure) or 80 (which is only a redirect to 10443). The
administrative interface itself is served over HTTPS only, so the login credentials never travel in clear text.
The system will ask you for a username and password: user "Admin", password: the password that you set during the installation
process.
You should now be looking at the Home Page of your Endian Firewall GUI. You can immediately start exploring the different options and
the information available to you through this interface. Below, we have listed the Main Configuration/Administration Options available
through the GUI. When you have acquainted yourself sufficiently with the system, please continue with the next section.
Endian Firewall's administrative web pages are available via the menu at the top of the screen.
System: System configuration and utility functions associated with Endian Firewall itself.
Status Displays detailed information on the status of various portions of your Endian Firewall.
Network: Configuration/Administration of network-related settings such as hosts and aliases (see Chapter 4, Network Menu).
Services: Configuration/Administration of your Endian Firewall Services options.
Firewall: Configuration/Administration of Endian Firewall's firewall options.
Proxy: Configuration/Administration of Endian Firewall's application proxies (HTTP, POP3, SMTP, FTP and SIP), including antivirus,
antispam and content filter configuration.
VPNs: Configuration/Administration of your Endian Firewall Virtual Private Network settings and options.
Logs: View all your Endian Firewall logs (firewall, IDS, proxy, etc.)
Figure 2.3. Displays the Endian Network Support status
In the first page section you see the Endian Commercial Support Status. This is only available in the Endian Firewall Enterprise version.
To get more information about the Endian support program, visit our homepage at http://www.endian.it. (This box is not displayed in
version 2.1.)
Figure 2.4. Online status
In the following box you will see information about the system status. The first part gives short global information about the connection
status, while the second part gives more precise information about each uplink. After the connection status you can see short information
Note
You will not see an active connection until you have finished configuring your Endian Firewall.
Short connection status display
The current connection status of the Firewall will be displayed here, followed by the connection time. The connection status can be
one of the following:
Idle - No connection to the Internet and not trying to connect.
Dialing - Attempting to connect to the Internet.
Connected - Currently connected to the Internet.
If you are currently connected to the Internet you will see a Connection status line in the following format:
Connected ( #d #h #m #s)
d=Days connected
h=Hours connected
m=Minutes connected
s=Seconds connected
Connection status
The following table shows the actual connection status of each uplink.
The first cell shows the name of the uplink. Normally you will see only one uplink, called "main", since it is the primary uplink.
The second cell shows the connection status of that uplink; the possible values are described below. In the third cell you can
manually connect the uplink if it is disconnected, or disconnect it if it is connected. Once you have pressed the connect or disconnect
button you need to wait until the connection has been established or torn down successfully. During this process you can reload the
page using the refresh button on the right; you will notice that the connection status field changes its content.
Values for the connection status:
Connected
The uplink is connected and fully operational.
Stopped
The uplink is not connected.
Dead link
The uplink is connected but the configured check gateways could not be reached, so in fact the uplink is not operational. Endian
Firewall keeps pinging these gateways and announces when the link is working again.
Failure
There was a failure while connecting to the uplink.
Failure. Reconnection
There was a failure while connecting to the uplink. Endian Firewall will try to reconnect within the time interval which will be
printed out.
Disconnecting
The uplink is currently disconnecting.
Connecting
The uplink is currently connecting.
System health line
Below your connection status line you will see a line similar to the following:
19:07:10 up 1 day, 7:21, 0 users, load average: 0.03, 0.01, 0.00
This line is basically the output of the Linux uptime command and displays the current time, the days/hours/minutes that Endian
Firewall has been running without a reboot, number of users logged in, and the load average.
Network Configuration
Endian Firewall provides a Network Setup Wizard for easy and fast configuration of your network interfaces and your uplink. The wizard
is divided into steps with intuitive dialogues; some steps have substeps. The first line of each dialogue window shows the current step or
substep, how many there are in total and a short description of the current page. You can go forward or back with the next (>>>) and
back (<<<) buttons as you wish, and you can always abort the configuration process by hitting the Cancel button. In the last dialogue
window you will be asked whether you really want to save the configuration you created with the wizard. If you proceed, the configuration
is stored and Endian Firewall reconfigures its interfaces. This takes some time, and during that period you will not be able to reach the
web interface.
The RED interface is the interface that connects your firewall to the "outside", the untrusted network, which normally is the internet or
the uplink to your internet provider.
Endian Firewall supports the following types of RED interfaces. Some are network interfaces, others are PCI cards or USB
devices:
NONE
Your firewall has no RED interface. This is unusual, since a firewall normally needs at least two interfaces, but in some scenarios it
makes sense, for example if you only want to use a specific service of the firewall. If you choose this, you will later be able to set a
default gateway that does not lie within a RED network.
ADSL
If you have a USB or PCI ADSL modem, this is the option for you.
ISDN
Select this if you have an ISDN USB device or PCI card.
ETHERNET STATIC
Select this if your RED interface is a simple ethernet card and you need to set up network information like IP address, netmask and
so on manually. If you need to connect your RED interface to a simple router, this may be the right choice. Remember that in
most cases you will need a crossover cable to connect it correctly (unless both ends support auto MDI-X).
ETHERNET DHCP
Select this if your RED interface is a simple ethernet card that needs to get its network information through DHCP. Most cable
modems and ADSL/ISDN routers offer this.
PPPoE
Select this if your RED interface is a simple ethernet card connected to a device that requires PPPoE to connect to your
provider. Take care not to confuse this option with ETHERNET DHCP or ADSL. PPPoE is only needed if your modem runs in bridging
mode and does not establish the PPPoE session to the internet provider itself. Many ADSL routers let you connect using DHCP or
STATIC and establish the ADSL connection themselves using PPPoE; in that case choose ETHERNET DHCP or ETHERNET STATIC.
This is also the wrong option if you have a USB or PCI ADSL modem and want that modem to connect using PPPoE; choose ADSL instead.
If you do not want your RED interface to connect to your uplink while booting, tick the Do not automatically connect on boot
checkbox.
This page also shows a box with the number of network cards that were detected. Depending on this number, and on whether you have
already used up one network card by selecting a RED type that needs one, the following step lets you configure more or fewer
zones.
In this step you decide which zones you want to configure on your firewall. Endian Firewall adopts IPCop's concept of separate
zones. The following zones are available:
GREEN
is the trusted network. This is supposed to be your LAN from where you connect to the administration interface. This is the
mandatory zone and one network interface is reserved for it.
ORANGE
is the demilitarized zone (DMZ). If you host servers it is wise to put them on a different network from your local network. If
someone manages to break into one of your servers, the attacker does not automatically compromise the local network: the attacker
is confined to the DMZ and cannot reach sensitive information on your local network without passing the firewall again. Note that
ORANGE gives no protection if the servers behind ORANGE and the workstations behind GREEN share the same switch or hub: the
separation must exist at layer 2 (separate switches or separate VLANs), otherwise traffic between them bypasses the firewall entirely.
BLUE
is the wireless zone. You can attach a hotspot or Wi-Fi access point to an interface assigned to this zone. The difference between this
zone and ORANGE is only logical. Since wireless networks are usually not really secure, you may prefer to keep them in a separate
zone: hosts in BLUE have no access to the local network behind GREEN and cannot reach hosts behind ORANGE unless you explicitly
configure it.
RED
As already described, the RED zone stands for the uplink to the internet provider or to another untrusted network - basically most of
the times all the other zones have to be protected from intruders from this zone. You automatically have this zone unless you
selected NONE on the dialogue before.
You need to have at least one network card per zone so some options may not be visible for you if you do not have enough network
cards. Note that one network card is reserved for the GREEN zone and one may be already assigned to the RED zone if you have
selected a RED type which needs a network card.
You can choose between the following options:
NONE
Choose this if you do not need additional zones. You will have only GREEN and RED.
ORANGE
You want to have only the ORANGE zone in addition to GREEN and RED.
BLUE
You want to have only the BLUE zone in addition to GREEN and RED.
ORANGE & BLUE
You want to have both, ORANGE and BLUE and will continue with a full featured firewall.
Network preferences
This step asks you to configure all the ethernet zones you enabled on the previous page (GREEN, ORANGE and/or BLUE). Each
zone is configured in the same way; the screenshot below shows the configuration of the GREEN and ORANGE interfaces.
At the bottom of this page you can also set the hostname and domain name of your firewall.
Figure 2.7. Network wizard showing Step 3: Network preferences
Note
It may also be wise to follow some conventions and always assign the first ip address to the
firewall. For example 192.168.0.1.
Note
IP addresses ending in .0 (example: 192.168.0.0) and in .255 (example: 192.168.0.255) are
reserved for network address and broadcast address. You shall not assign them to any device.
Note
Be careful when you reconfigure Endian Firewall and change some IP addresses: you then also need to change the IP address
within the configuration of some services, like the HTTP proxy, which is described later in Chapter 7, Proxy.
Network mask
Provide the network mask you want to use for the interface of the respective zone and the network behind it. For example:
255.255.255.0.
Note
Take care to use the same network mask on all computers behind the same zone, or some of them may not be able
to reach the firewall.
Interface
Each zone needs at least one interface assigned. The network wizard makes a suggestion for the interface assignment, which you
may change. One interface can be assigned to only one zone; the network wizard will not let you continue if you choose the same
interface for different zones. You can assign multiple interfaces to one zone by pressing Ctrl and clicking on the desired interfaces.
The interfaces are then bridged together internally, so they behave like a switch.
The interface list shows you all necessary information to identify your network card:
consecutive numbers: The interface list is sorted by PCI slot identification number, so it is safe to number your PCI network
cards from the first slot to the last. The first network card in your computer should be number 1, the second number 2, and so
forth.
device description: We use lspci to read this description. If your device is not included in our PCI device list because it is
too new or too exotic, the description will be something like "Unknown device".
MAC address: The original MAC address of the device. This address should be globally unique (in reality it is not always, and it
can be overridden in software, so do not rely on it as an identity). Most devices have their MAC address printed somewhere on the
card or in the manual.
Note
Interfaces which are not supported by ethtool will not be supported by the network wizard
because the necessary information cannot be gathered.
Note
Note that each of these zones is handled internally as a bridge, regardless of the number of assigned interfaces.
Remember this when you come across interface names: the interface name of a zone is always brX, not ethX.
ethX is just the name of the physical interface that is part of the respective zone.
RED type: NONE
Since you have no RED interface, there is nothing to configure for it.
To allow your security device (without a RED interface it is hardly a firewall) to reach other networks like the internet, you need
to configure a default gateway, which you can do here. Only in this case may you use any IP address belonging to one of your other
zones (GREEN, ORANGE or BLUE) as the default gateway. Normally you will use an IP address in the GREEN network, which will
probably be another firewall and gateway to the internet.
RED type: ADSL
If you have chosen ADSL as RED type then this will be of interest to you.
Since ADSL modems need a bunch of information this step is divided into three substeps.
Selection of the modem
Figure 2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem
In the first substep you need to select the modem you want to use. The box on this page lists all modems currently supported by
Endian Firewall. If you cannot find your modem, it is not supported and will not work. If your modem is already plugged in, Endian
Firewall will try to recognize it automatically and preselects the first detected modem. The following string is displayed next to each
modem that was detected automatically:
--> detected <--
Figure 2.10. Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type
Endian Firewall supports four different ways to connect to an ADSL concentrator. You need to know which connection type your
internet provider supports and use that type. Often the provider lets you choose between PPPoA and PPPoE; if so, you can pick
either. Keep in mind that PPPoE causes slightly more traffic overhead than PPPoA, if this matters to you. The four possibilities are:
PPPoA
PPP over ATM. You can find further information about this protocol on Wikipedia.
PPPoE
PPP over Ethernet. You can find further information about this protocol on Wikipedia
RFC1483 static IP
Basically this is a protocol that lets you handle your modem like an ethernet device to which you manually assign the IP address
you agreed on with your provider. If you have a real static IP you may need to use this option. You can find further information
about this protocol at the RFC Editor: http://www.rfc-editor.org/rfc/rfc1483.txt
RFC1483 dhcp
Basically this is the same as RFC1483 static IP, except that the provider assigns your IP address using DHCP.
Supply connection information
This substep depends on the decision you made during the previous substep. Depending on the selected ADSL connection type this
substep will show you different configuration options. Most of the needed information will be provided by your internet service provider.
The following fields are common for each ADSL type. They depend on the infrastructure of your ISP so you need to fill in the values you
get from your provider:
VPI number
VCI number
Encapsulation
PPPoA/PPPoE
Figure 2.11. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information
(PPPoE)
The configuration for PPPoA and PPPoE is much the same, so only PPPoE is described here. The following fields exist in addition
to the common fields described above:
Username
Provide the username which you got from your ISP.
Password
Provide the password which you got from your ISP.
Authentication method
Different protocols can be used to authenticate against the providers system. The following authentication methods are
supported:
RFC1483 static IP
If you got a real static IP from your provider, this type will normally be used. This type has no authentication and no protocol for
establishing the connection. Therefore the provider's system cannot automatically send you configuration parameters (like
IP address, DNS, ...) during connection establishment. You need to ask your provider for this information and configure
everything manually here. Once configured, there is no mechanism that changes these parameters automatically, unlike with the other
ADSL types. The following fields exist in addition to the common fields described above:
Static IP
Fill in your public IP address your provider assigned to you. If you do not have this information ask your provider. If you use
the wrong IP address you may not be able to use the connection.
Netmask
The network mask you got from your provider. For example: 255.255.255.0
Gateway
The IP address of the gateway located on your provider's side which should be used as your default gateway.
RFC1483 DHCP
Figure 2.13. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information
(RFC1483 DHCP)
This ADSL type is the same as RFC1483 static ip, except that you do not need to provide IP address, netmask and gateway
because that information will be automatically retrieved using DHCP. The following fields do exist additionally to the common fields
described above:
DNS
With this connection type the provider's DHCP server normally hands out the DNS servers you need to use together with the
lease. If you select automatic those values will be used. If you wish to configure them manually, select manual. This may be
useful, for example, if your provider sends wrong information or the supplied DNS resolvers do not work correctly.
RED type: ISDN
If you chose ISDN as RED type you will see the following dialogue page within the fourth step.
Figure 2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences
Here you need to select the type of modem you are using. The selection box lists all modems currently supported by Endian
Firewall. If you cannot find your modem, it is unfortunately not supported and will not work. If your modem is already plugged in,
Endian Firewall will try to recognize it automatically and preselects the first detected modem. The following string is displayed
next to each modem that was detected automatically:
--> detected <--
providers implement both authentication methods, then it is safe to use whatever you want or to leave the decision to the system by
selecting PAP or CHAP.
Use both B-Channels
Enable this if you want both ISDN B-channels bundled in order to double your bandwidth. Your provider must support channel bundling.
Hang up after minutes of inactivity
Enable this if you want the connection to your internet service provider closed automatically when no data is sent through it.
If you select a value other than off, the modem closes the connection after the selected number of minutes of inactivity.
DNS
During establishment of a PPP connection the provider normally sends the addresses of the DNS servers you should use as
resolvers. If you select automatic, those values are used. If you wish to configure them manually, select manually. This can
be useful, for example, if your provider sends wrong information or the supplied DNS resolvers do not work correctly.
RED type: ETHERNET STATIC
This dialogue page will be shown if you chose ETHERNET STATIC as your RED type.
Figure 2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences
Configuration is largely the same as described before in the section called Network preferences. Since you can have only one RED
device, you cannot select multiple interfaces. Additionally you need to configure a default gateway: the IP address of the router on
the provider's side to which the firewall is connected and through which traffic reaches the internet. This address must lie within
the RED network; the network wizard does not accept a default gateway outside it. For example, with 192.168.0.1 as IP address and
255.255.255.0 as network mask the default gateway cannot be 192.168.1.1, while 192.168.0.2 would be a possible value.
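The wizard's "gateway must be inside the RED network" rule, reproduced as an added example in plain POSIX sh (this is not Endian Firewall code). Besides the subnet comparison the page describes, the function also rejects a gateway equal to the RED address itself, to the network address or to the broadcast address, and a non-contiguous netmask; those extra sanity checks are this example's own and the page does not say the wizard performs them.

```shell
#!/bin/sh
# Added example, not Endian Firewall code: reproduce the network wizard's
# "default gateway must lie within the RED network" check in POSIX sh.

# ip2int DOTTED-QUAD -> 32-bit integer on stdout; returns 1 on malformed input
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER -> dotted quad on stdout
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# gateway_in_red_net RED-IP NETMASK GATEWAY
# Returns 0 when the gateway is usable: same subnet as RED-IP/NETMASK, not
# the RED address itself, and neither the network nor the broadcast address
# (the last three conditions are this example's extra sanity checks).
gateway_in_red_net() {
    ip=$(ip2int "$1")   || { echo "bad IP address: $1" >&2; return 1; }
    mask=$(ip2int "$2") || { echo "bad netmask: $2" >&2; return 1; }
    gw=$(ip2int "$3")   || { echo "bad gateway: $3" >&2; return 1; }
    inv=$(( mask ^ 4294967295 ))               # host part of the mask
    # a valid netmask is a run of ones followed by zeros: inv must be 2^k - 1
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "non-contiguous netmask: $2" >&2; return 1; }
    net=$(( ip & mask ))
    bcast=$(( net | inv ))
    if [ $(( gw & mask )) -ne "$net" ]; then
        echo "gateway $3 is not inside $(int2ip "$net")/$2" >&2; return 1
    fi
    if [ "$gw" -eq "$ip" ] || [ "$gw" -eq "$net" ] || [ "$gw" -eq "$bcast" ]; then
        echo "gateway $3 is not a usable host address in the RED network" >&2; return 1
    fi
    return 0
}

# gateway_in_red_net 192.168.0.1 255.255.255.0 192.168.0.2   -> accepted (exit 0)
# gateway_in_red_net 192.168.0.1 255.255.255.0 192.168.1.1   -> rejected (exit 1)
```

Run it with the three values you intend to enter in the wizard; a non-zero exit status and a message on stderr tell you which rule the gateway violates before you touch the firewall.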
RED type: ETHERNET DHCP
This dialogue page will be shown if you chose ETHERNET DHCP as RED type.
Figure 2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences
ETHERNET DHCP is largely the same as ETHERNET STATIC, except that there is no need to configure the device, since all necessary
information is retrieved from the DHCP server. You only need to select which interface to use for your RED zone. Since there is
currently no way to have more than one RED interface, you cannot select multiple interfaces. The following configuration options
exist:
Interface
Select the interface you want to use as RED interface as already described above.
DNS
The DHCP server also sends you the IP addresses of your DNS servers. If you select automatic, these addresses are used. If you
wish to configure them manually, select manually. This can be useful, for example, if the DHCP server sends wrong information or
the supplied DNS resolvers do not work correctly. Manually configured resolvers also protect you from a DHCP server on the RED
segment handing out resolvers you do not trust.
RED type: PPPoE
This dialogue page will be shown if you chose PPPoE as RED type.
Figure 2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences
As already mentioned before, use this type if you have an ADSL modem with a plain Ethernet connection to your Endian Firewall.
Note
This cable in most of the cases has to be crossover!
The following configuration options are supported for this type:
Interface
Select the interface you want to use as RED interface and to which you connected the ADSL ethernet modem.
ADSL type
This option is going to be removed; it makes no difference what you select here.
Username
Fill in the username you got from your internet service provider.
Password
Fill in the password you got from your internet service provider.
Authentication method
Different protocols can be used to authenticate against the provider's system. The following authentication methods are supported:
PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
PAP or CHAP - both authentication methods are offered.
Some providers support only one authentication method; in that case you should get that information from your provider. Most
providers implement both methods, so it is safe to pick either one or to leave the decision to the system by selecting
PAP or CHAP.
DNS
During establishment of a PPP connection the provider normally sends the addresses of the DNS servers you should use as
resolvers. If you select automatic, those values are used. If you wish to configure them manually, select manually. This can
be useful, for example, if your provider sends wrong information or the supplied DNS resolvers do not work correctly.
Service
Some ISPs offer different services; if necessary, enter the service name here to select the one you want. In most cases this
option can be left empty.
Concentrator name
Specifies the desired access concentrator name. In most cases you should leave this empty. Use it only if you know that there
are multiple access concentrators and your ISP wants you to specify a particular one.
Fill both fields with the DNS servers you want to use as resolvers. If you have only one, you can enter the same value in both
fields, but this is not recommended: you will not be able to resolve names at all while that nameserver is temporarily not answering.
You need a working DNS resolver in order to resolve names; if resolving does not work you may not be able to reach internet sites.
Apply configuration
This is the last step of the network wizard. It only asks you to confirm the changes.
Figure 2.19. Network wizard showing step 6: Apply configuration
Click the button OK, apply configuration to go ahead. The network wizard then saves the settings, reconfigures all affected
devices and restarts all dependent services. This may take up to 20 seconds. During the restart you may not be able to reach the
administration interface, and for a short time no connections through the firewall are possible; this is normal. The administration
interface reloads automatically after 20 seconds.
If you changed the IP address of the GREEN zone you will be redirected to the new IP address, after the 20 seconds of course. In this
case, and/or if you changed the hostname, a new SSL certificate is generated.
Note
There is a known issue when managing more than one Endian Firewall: the browser may refuse the new
certificate because it conflicts with a certificate it already holds for the same address, and report the
certificate as corrupt. You can solve this by removing the accepted certificates from the browser's
certificate store or cache, or by closing all browser windows and restarting the browser.
EN registration
This menu item is not available in the Community version.
The Endian Firewall Enterprise version can register with the Endian Network. Registration allows you to monitor and manage your
firewalls through the Endian Network, and registered firewalls can be updated collectively, automatically or manually, with just a
few clicks. You need to register in order to receive those updates. The following describes how to register; below you will find
the same page for a successfully registered firewall.
Figure 2.20. Unregistered Endian Firewall
In order to register to the Endian Network supply the following information within registration form:
Endian network username
Fill in the username of your user account on Endian Network.
Note
If you change any of these fields on the Endian Network, your firewall will be synchronized within one hour.
Activation Keys
You need a valid activation key for each maintenance channel of the Endian Network from which you want to receive updates. An
installation may use more than one activation key if you subscribe to more than one channel; normally you will have only one. The
following information is shown for each activation key:
Channel
Displays the name of the Endian Network channel for which the respective activation key is valid. For example Endian
Firewall.
Valid from
The subscription to the respective channel is valid from this date on.
Valid until
The subscription to the respective channel is valid until this date.
Days
Displays how many days the subscription will still be valid.
Passwords
The Passwords subsection of this AW allows you to change the admin password or the password of the dial user, as you deem
necessary. Simply enter the desired password once in each field for the user you wish to update and click on Save.
Note
You have to log in again with the new password if you change the admin user password.
SSH Access
The SSH subsection of this AW lets you decide whether remote SSH access to your Endian Firewall is available or not. Placing a
checkmark in the box activates remote SSH access. Several SSH daemon parameters can also be configured from this web page. The SSH
option is disabled by default; we advise enabling it only when needed and disabling it again afterwards.
Figure 2.23. SSH access page
Note
The SSH port on the EFW machine is the standard 22 (not switched to 222 like in IpCop).
SSH Options
The following SSH options are available from the web page:
Enabled:
Checking this box enables SSH. Unless you use external access, SSH will only be available from the GREEN network. With SSH
enabled it is possible for anyone with the Endian Firewall root password to log into your firewall at the command prompt.
Support SSH protocol version 1 (required only for old clients)
Checking this box enables support for SSH protocol version 1 clients. Use of this option is strongly discouraged: SSH protocol 1
has known vulnerabilities. Use it only temporarily, if you have nothing but protocol 1 clients and no way to upgrade them to
protocol 2. Most, if not all, current SSH clients support version 2. Upgrade your clients if at all possible.
Allow TCP Forwarding
Checking this box allows SSH-encrypted tunnels between machines inside your firewall and external users.
What use is this when EFW already has a VPN?
You are on the road and something goes wrong with one of your servers. You haven't set up a road warrior VPN connection. If you
know your EFW root password you can use SSH port forwarding to get through your firewall and reach a server on one of your
protected networks. The next few paragraphs explain how, assuming you have a Telnet server running on an internal computer at
10.0.0.20 and that your remote machine is a Linux machine. PuTTY on Windows has the same capabilities, but they are configured
through dialog boxes. You may already have done one or both of the first two steps.
1. Enable or have someone else enable external access for port 10443, the HTTPS port.
2. Use the EFW web pages to enable SSH access, port forwarding and external access for port 22.
3. Create an SSH tunnel between your remote machine and the internal server running an SSH daemon by issuing the
command:
$ ssh -N -f -L 12345:10.0.0.20:23 root@efw
-N
tells SSH not to execute a remote command, only to set up the forwarding. Together with -f this keeps SSH running in the
background until you kill it, so remember to kill the SSH process when you are done. As an alternative, append the command
sleep 100 to the end of the command line and drop -N: the ssh process then exits after 100 seconds unless a forwarded
connection is still open, so a Telnet session opened through the tunnel within that time keeps working until you close it.
-f
option to run SSH in the background.
-L
tells SSH to build a port forwarding tunnel as specified by the next parameters.
12345
The local port that will be used to tunnel to the remote service. Use a port of 1024 or above; ports below 1024 are
privileged and can only be bound by root.
10.0.0.20
This is the GREEN address of the remote server.
23
This specifies the remote port number to be used, Telnet.
root@efw
Finally, this specifies your Endian Firewall as the port forwarding agent. You need a user ID to log in as, and the only one
available is root. You will be prompted for EFW's root password.
4. Finally, log into the remote Telnet using the tunnel.
$ telnet localhost 12345
localhost is the machine you are running on; the loopback address 127.0.0.1 is defined as localhost. 12345 is the local tunnel
port specified in the previous command. Note that only the leg between your remote machine and the firewall is encrypted: the
Telnet traffic between the firewall and 10.0.0.20 crosses the GREEN network in the clear, as it would from any other GREEN host.
There is a tutorial on SSH port forwarding at Dev Shed.
Allow password based authentication
Allows users to log into the Endian Firewall using the root password. If you decide to turn this off, set up your SSH key files
first and verify that you can log in with them; otherwise you lock yourself out of SSH.
Allow public key based authentication
By checking this box, public key authentication can be used by SSH. This is the preferred method of securing EFW using SSH.
This article has a discussion about using SSH-keygen to generate RSA keys and how to use them with SSH.
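The four SSH options above map directly onto sshd_config keywords. The following POSIX shell script is an added example, not part of Endian Firewall, that audits an sshd_config (read from standard input) for the weak settings those checkboxes can switch on and shows a hardened counterpart next to the weak one. The two configurations embedded in the script are constructed for this example; the keyword names (Protocol, PasswordAuthentication, AllowTcpForwarding, PubkeyAuthentication) are real OpenSSH keywords, and note that current OpenSSH releases no longer implement protocol 1 at all, so Protocol is only meaningful on daemons of this page's era.

```shell
#!/bin/sh
# Added example, not part of Endian Firewall: audit an sshd_config for the
# weak settings the SSH Options page can switch on (SSH protocol 1, password
# logins, TCP forwarding, public-key auth turned off) and show the hardened
# counterpart. The two configurations below are constructed for this example.

# audit_sshd_config   (reads an sshd_config from stdin)
# Prints one line per finding and returns the number of findings (0 = clean).
# Comment lines are ignored, keywords are case-insensitive, and as in sshd the
# first occurrence of a keyword is the one that counts.
audit_sshd_config() {
    proto='' passauth='' tcpfwd='' pubkey='' findings=0
    set -f                                   # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                         # $1 = keyword, rest = value
        [ $# -ge 2 ] || continue
        case $1 in \#*) continue ;; esac     # comment line
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift; val=$*
        case $key in
            protocol)               [ -n "$proto" ]    || proto=$val ;;
            passwordauthentication) [ -n "$passauth" ] || passauth=$val ;;
            allowtcpforwarding)     [ -n "$tcpfwd" ]   || tcpfwd=$val ;;
            pubkeyauthentication)   [ -n "$pubkey" ]   || pubkey=$val ;;
        esac
    done
    set +f
    case $proto in *1*)
        echo "Protocol $proto: SSH protocol 1 is enabled (known weaknesses)"
        findings=$((findings + 1)) ;;
    esac
    case ${passauth:-yes} in [Yy]*)          # sshd defaults to yes when unset
        echo "PasswordAuthentication yes: the root password can be guessed remotely"
        findings=$((findings + 1)) ;;
    esac
    case $tcpfwd in [Yy]*)
        echo "AllowTcpForwarding yes: anyone with the root password can tunnel into GREEN"
        findings=$((findings + 1)) ;;
    esac
    case ${pubkey:-yes} in [Nn]*)
        echo "PubkeyAuthentication no: key-based login, the preferred method, is disabled"
        findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Constructed: what the SSH Options page produces with every box ticked.
weak_sshd_config() {
    cat <<'EOF'
# constructed sample, every option enabled
Port 22
Protocol 2,1
PasswordAuthentication yes
PubkeyAuthentication yes
AllowTcpForwarding yes
EOF
}

# Constructed: the same daemon with only public-key logins over SSH-2.
# Re-enable AllowTcpForwarding only for as long as a tunnel is needed.
hardened_sshd_config() {
    cat <<'EOF'
# constructed sample, hardened
Port 22
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
EOF
}

if [ "${1:-}" = "--demo" ]; then
    for cfg in weak_sshd_config hardened_sshd_config; do
        echo "== $cfg =="
        n=0; $cfg | audit_sshd_config || n=$?
        echo "findings: $n"
    done
fi
```

On the firewall itself you would run `audit_sshd_config < /etc/ssh/sshd_config` after saving the SSH Options page to confirm what the GUI actually wrote. Switch PasswordAuthentication to no only after a key-based login has been verified from a second session, exactly as the page advises.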
GUI Settings
This web page governs how the Endian Firewall web pages function and appear.
Figure 2.24. GUI settings
This checkbox will turn on the display of an Endian Firewall host's name at the top of each web page. If you are maintaining more
than one Endian Firewall machine, this will be advantageous, since you will be able to tell which machine your browser is currently
displaying.
Select the language you wish EFW to display in:
This drop down menu will let you choose which one of the languages currently available for EFW web pages will be displayed.
The Creation Date column contains the creation date, while the Content column shows a list of flags that will tell you more about your
backup:
S
This flag means that this specific backup contains your settings.
D
D tells you that this backup contains a database dump.
E
This archive is encrypted.
L
This backup contains log files.
A
Older log file backups have been saved with this backup.
!
There was a problem when trying to send this file.
C
This backup was created automatically by the backup scheduler.
The disk in the Action columns will let you store the backup file on your computer. By clicking the garbage bin you can delete this backup
file. If you click the last symbol this backup will be restored.
The following options can be specified before the creation of the backup file:
Remark
This field gives you the possibility to add some personal information which will later let you remember the reason for this backup.
Include configuration
This option lets you include the configuration of your Endian Firewall - This is the content of the /var/efw directory.
Include database dumps
If you want to include dumps of your database tick this checkbox.
Include log files
If you want to include your log files this checkbox should be checked.
Include log archives
If you also want to include the backups of your old log files tick this checkbox.
Create new Backup
By hitting this button the new backup file will be created and saved. You can now find it in the list of your backup sets.
You also have the possibility to encrypt your backups if you want to. To do this you need to do the following:
1. Select your public key by clicking on the Browse... button and then selecting the key file.
2. Make sure the Encrypt backup archives checkbox is ticked.
3. Upload the key file by clicking the Save button.
If you want to import a backup file from your computer you have to do the following:
1. Choose a name for the backup and write it into the Remark field.
2. Browse your local folders and select the backup file you want to import.
3. Finally click the Import button - your backup will be saved on the Endian Firewall and then show up in the list of backup sets.
Note
By importing your backup it will not automatically be restored. Read here how you can restore your backup.
Restore a Backup
Figure 2.29. Restore Backup
Note
The Restore button is the button with the blue circle orbited by a grey arrow.
Schedule Backups
Figure 2.30. Schedule backups
If you want to schedule automatic backups you will be presented with two windows. The first window is used to configure the scheduling
itself while the second window gives you the opportunity to automatically send the created backup files to you via e-mail.
Scheduling your backups is very easy and the options regarding the backup content are the same as when creating manual backups.
New options are:
Enabled
Check this if you want automatic backups.
Keep # of archives
This number lets you decide how many automatic backups you want to save on your Endian Firewall.
Schedule for automatic backups
Choose here how often you want to create a backup of your firewall.
Save
Click this button to save the configuration.
Note
If you move the mouse cursor over the question marks you will see detailed information about the
schedules.
If you want to receive an e-mail for every automatic backup you'll have to have a look at the second window.
Enabled
Tick this if you want e-mails with your backup files.
E-Mail Address of Recipient
Here you need to enter the address you want the backups sent to.
E-Mail Address of Sender
Here you can specify a sender-address for the automatic e-mails.
Address of Smarthost to be used
If your e-mails are considered spam by many mail servers because you are using a dynamic IP address you'll probably want to
enter the address of your internet service provider's mail server here. All backups will then be sent through this mail gateway.
Save
Click here to save your options.
Send a backup now
If you want to save a backup now and have your settings stored click this button.
Note
If you enable mailing, logfile archives will not be sent to keep the backup files at a reasonable size.
The button Factory defaults allows you to reset the configuration of your Endian Firewall to factory defaults. In fact, the backup
which was created on first boot is restored when you do this.
This page was last modified on: $Date: 2006-11-14 16:46:10 +0100 (Tue, 14 Nov 2006) $.
System Graphs
Traffic Graphs
Proxy Graphs
Connections
SMTP Mail Statistics
Mail Queue
IPTables Rules
Introduction
Figure 3.1. Status menu selected
This group of web pages provides you with information and statistics from the Endian Firewall. To get to these web pages, select Status
from the menu bar at the top of the screen. The following choices will appear in the left menu:
System Status
Network Status
System Graphs
Traffic Graphs
Proxy Graphs
Connections
SMTP Mail Statistics
Mail Queue
IPTable Rules
System Status
The Status pages present you with a very thorough list of information regarding the current status of your Endian Firewall. The first
subsection, System Status, displays the following in top-down order:
Services
Services - Displays which services are currently running. Use this display to check that all services you enabled are really up
and running. Services which are not enabled are listed as stopped, so there is nothing to worry about there. If you find a service
that should be running but is stopped, restarting it may solve the problem.
Figure 3.2. Page which displays the actual running services
Memory
Displays the memory/swapfile usage on your EFW box.
Figure 3.3. Page which displays the current memory usage
This is the formatted output of the tool free. Basically it displays the amount of existing (Size) physical (RAM) and virtual (Swap)
memory. The amount shown as existing memory is what is available to the kernel and to user applications. For both physical and
virtual memory you see how much is currently used and free; the percentage helps to put the numbers in perspective.
You may notice that after the system has been running for a while it reports a very small amount of free memory. To explain this
we need to digress briefly into how the kernel manages memory. Since disk I/O is very slow compared to memory access, and since
files are normally read several times, the kernel keeps data it has read from disk in a cache in RAM: the chance is high that the
same data is read again from the fast cache instead of from the slow disk, provided it is still cached. The kernel therefore fills
all free memory with disk cache rather than leaving RAM unused; this amount appears as cached in the screenshot above. The kernel
frees cache memory dynamically as soon as applications need it, so this is nothing to worry about. To see how much memory is really
left for applications, look at the line -/+ buffers/cache: it shows used and free memory without the kernel buffers and disk
cache. If that line shows no free memory left, the machine starts to use swap heavily and will probably run into performance
problems; in that case it is better to add RAM. You may find additional information in the Linux System Administrator's Guide.
Disk Usage
Disk Usage - Displays the output of df, which reports the amount of total (Size), used and free disk space on your Endian Firewall.
Figure 3.4. Page which displays the current disk usage
Note
The mountpoint /dev shows up as if it were mounted twice. This is a known issue and has no side effects.
If any user is currently logged in (which should normally not be the case unless it is you), you will see a table with information
for each user: the login name (USER), the tty used for the login (TTY), the IP address of the remote host the user logged in from
(FROM), the login time (LOGIN@), how long the user has been idle (IDLE), the CPU time used by all processes on this tty (JCPU), the
CPU time used by the process the user is currently running (PCPU) and that process itself (WHAT). A login you cannot account for
deserves investigation, since root is the only account on the firewall.
Loaded Modules
Loaded Modules - This displays all modules currently loaded and in use by the kernel.
Figure 3.6. Page which displays the current loaded kernel modules
Kernel Version
Kernel Version - This displays information on the EFW kernel itself. This is the output of uname -a. It shows the kernel name, the
hostname, the kernel release, the build timestamp, the architecture it was built for and the name of the operating system.
Figure 3.7. Page which displays the kernel version
Network Status
The Network Status subsection displays the following in top-down order:
Interfaces
Interfaces - This section displays information about all your network devices, including PPP, OpenVPN, IPsec, loopback, etc.
Basically this is the output of ifconfig.
Figure 3.8. Displays interfaces
Each interface name is colored with the color of its zone; purple identifies interfaces belonging to a VPN. Since each zone is in
reality a bridge to which all assigned interfaces are joined, look at the interfaces beginning with br: these are the actual zone
interfaces holding the IP addresses you configured, although they are virtual interfaces. The interfaces beginning with eth are the
physical network cards. The interface called lo is the loopback interface, needed for the machine to communicate with itself without
using a real network card. You may also find interfaces beginning with tap; those are used for OpenVPN tunnels.
Each interface shows a bunch of information at the right side. If you want to know more then it would probably be better to read the
Network Administrators Guide. Here you will find a short description about the most important values:
Link encap
Specifies the link type. Values like Ethernet, Local Loopback, Point-to-Point Protocol may appear here.
HWaddr
The hardware address (MAC) of the respective interface
inet addr
The IP address which has been assigned to the interface. You may notice that the interfaces which are part of a bridge do not have
an IP address.
Bcast
The broadcast address which has been assigned to the interface.
Mask
The network mask which has been assigned to the interface.
RX/TX packets
These lines show how many packets have been received or transmitted error-free, how many errors occurred, how many packets were
dropped (probably because of low memory) and how many were lost because of an overrun. Receiver overruns usually happen when
packets come in faster than the kernel can service the last interrupt.
RX/TX bytes
These lines show the data volume received or transmitted by this interface.
Between the lines described above you find a line with the status and options set for the respective interface. You may be
concerned about the PROMISC option set on most of the interfaces: the physical network cards are put into promiscuous mode because
they are bridge ports, and a bridge port must receive frames addressed to any MAC address in order to forward them.
Note
This section will only be visible if DHCP is enabled. Refer to the section on the DHCP Server for details.
Destination
Specifies the destination network address. For each packet it routes, the kernel masks the packet's destination IP address with
Genmask and compares the result with this network address to find the entries whose network the address belongs to; if several
entries match, the most specific one (the one with the longest Genmask) wins.
Gateway
Specifies the gateway, the host to which the packet should be sent. 0.0.0.0 means the destination is on the directly attached
network (LAN): the packet is put on the medium without going through a gateway.
Genmask
The network mask of the respective network.
Flags
The only interesting flags would be the following:
U - means that the route is up.
G - means that the route uses the gateway address specified by gateway.
H - means that the route entry is a host route, which is true only for a host instead of a whole network. You may notice that the
netmask in this case is 255.255.255.255.
Iface
Specifies the interface through which the kernel will send the packets if the respective routing entry applies.
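To make the route selection described above concrete, here is an added example in POSIX sh (not Endian Firewall code) that emulates the kernel's lookup over a table in `route -n` format: for a destination address it keeps the matching entries with the U flag and picks the one with the longest Genmask, printing its Gateway and Iface. The table embedded in the script is constructed for this example; the interface names ppp0 and br0 are assumed, and the host route with the H flag shows why a /32 entry beats the default route for the provider's gateway address.

```shell
#!/bin/sh
# Added example, not Endian Firewall code: emulate the kernel's route
# selection over a `route -n` style table (longest matching Genmask wins).

# ip2int DOTTED-QUAD -> 32-bit integer on stdout (input assumed well-formed)
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Constructed routing table in the column order of `route -n`:
# Destination Gateway Genmask Flags Metric Ref Use Iface
routing_table() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.0.2.5       0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0   0   br0
10.0.0.0        192.168.0.254   255.255.255.0   UG    0      0   0   br0
0.0.0.0         192.0.2.5       0.0.0.0         UG    0      0   0   ppp0
EOF
}

# lookup_route DEST   (routing table on stdin)
# Prints "<gateway> <iface>" for the most specific matching route that is up;
# gateway 0.0.0.0 means the destination is reached directly on that interface.
# Returns 1 when no entry matches (no default route present).
lookup_route() {
    dst=$(ip2int "$1")
    best_len=-1; best_gw=''; best_if=''
    while read -r dest gw mask flags metric ref use iface; do
        case $dest in ''|Kernel|Destination) continue ;; esac   # skip headers
        case $flags in *U*) ;; *) continue ;; esac              # route must be up
        m=$(ip2int "$mask")
        [ $(( dst & m )) -eq "$(ip2int "$dest")" ] || continue  # the kernel's comparison
        # prefix length = number of set bits in Genmask; longer is more specific
        len=0; x=$m
        while [ "$x" -ne 0 ]; do len=$(( len + (x & 1) )); x=$(( x >> 1 )); done
        if [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_gw=$gw; best_if=$iface
        fi
    done
    [ "$best_len" -ge 0 ] || return 1
    echo "$best_gw $best_if"
}

# routing_table | lookup_route 10.0.0.7      -> 192.168.0.254 br0   (G: via a gateway)
# routing_table | lookup_route 192.168.0.20  -> 0.0.0.0 br0         (directly attached)
# routing_table | lookup_route 192.0.2.5     -> 0.0.0.0 ppp0        (H: host route wins)
# routing_table | lookup_route 198.51.100.9  -> 192.0.2.5 ppp0      (default route)
```

On the firewall itself the same function can be fed the live table with `route -n | lookup_route <address>`; comparing its answer with the Iface column is a quick way to see which zone a packet for a given address will leave through.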
The output shows the currently cached assignments of IP addresses (Address) to MAC addresses (HWaddress), and behind which
interface the network card with the respective MAC address is located (Iface).
You may notice lines with [incomplete] instead of a MAC address. This happens when someone tried to reach an IP address that is
currently not reachable, because the address is wrong or the device with that address is down or not connected.
System Graphs
Click on one of the four graphs (CPU Usage, Memory Usage, Swap Usage and Disk Access) to get graphs of the usage per Day, Week,
Month and Year.
Figure 3.13. Display of CPU graph
Traffic Graphs
This page gives a graphic depiction of the incoming and outgoing traffic of the EFW box.
There are sections for each network interface, Green and Red (and Blue and Orange if configured), which show graphs of incoming and
outgoing traffic through that interface.
Click on one of the graphs to show more graphs of the traffic on that interface: per Day, Week, Month and Year.
Figure 3.17. Displays traffic graph of the GREEN interface
Proxy Graphs
This page shows the traffic that went through the proxy service of the EFW box. The first section gives the date and time the graph was
created, the lines analyzed, the duration of the analysis, the speed (lines per second), the start and end date and time of the graph as
well as the domain (overall length of the graph in time).
This information is useful in seeing whether the proxy has the correct size for the load being experienced.
Connections
Endian Firewall uses the Linux Netfilter or IPTables firewall facility to maintain a stateful firewall. Stateful firewalls keep track of
connections to and from all GREEN, BLUE and ORANGE network IP addresses, based on both the source and destination IP addresses
and ports, as well as the state of the connection itself. After a connection is established involving protected machines, only packets
consistent with the current state of the connection are allowed their way through the Endian Firewall.
The IPTables Connection Tracking window shows the IPTables connections. Connection end points are color-coded based on their
network location. The color-coding legend is displayed at the top of the page. Information on individual connections is displayed next.
Each connection from or to your networks is shown.
Note
Click on an IP Address to do a reverse DNS lookup.
Figure 3.19. Displays current connections
You may notice that a connection intercepted by a transparent proxy is still shown here, and not only as the two connections one
might expect (client to proxy and proxy to remote host). In fact you see all three: the connection from your client to the proxy,
the connection from the proxy to the remote host, and in addition the intercepted connection from your client to the remote host,
because that is the connection the client actually attempted. The other two are consequences of the redirect to the proxy, which
is performed by the kernel.
Mail Queue
Displays the current mail queue. Ideally this is always empty. The mail queue contains mails which the mail server has not yet been
able to deliver, for various reasons; the respective reason is printed in each line. You can force the mail server to start
delivering the queue by pressing the button Flush Mailqueue. Do not expect the queue to be empty afterwards: this only starts a
delivery attempt. Mails the mail server still cannot deliver stay in the queue until they expire.
IPTables Rules
This window shows all IPTables rules that are currently configured on your Endian Firewall.
Figure 3.21. Displays iptables rules
Introduction
Figure 4.1. Network menu selected
This group of web pages is designed to help you administer network related configuration. To get to these web pages, select Network
from the menu bar at the top of the screen. The following choices will appear in a submenu on the left:
Edit Hosts - Allows you to specify custom host entries for the DNS service.
Aliases - Allows you to configure IP aliases on your RED zone in order to set up multiple RED IP addresses.
can be resolved only by your clients but can't set them up directly on your DNS server. This page allows you to edit this hosts file.
Below under Current hosts you will see listed (if any) all current host entries. By clicking on the pencil icon you can edit the respective
entry. The trash icon removes the entry.
Figure 4.2. Current hosts
To add a new host entry simply click on Add a host in order to open the dialogue. The following fields will appear:
Host IP address
Fill in the IP address to which the new host should point.
Hostname
Fill in the hostname which you want to assign to the ip address above.
Domain name
This field is optional. If you want the new hostname to belong to a domain, enter the domain here. If you prefer only the hostname
without a domain, for example because it is shorter, leave this blank.
If you create for instance a new entry with IP address 207.46.19.30, hostname beaten.by and domain samba.org, you will be
able to ping beaten.by.samba.org from each of your clients.
Note that editing the /etc/hosts file directly on the firewall will not get you far: the web administration interface regenerates that file
from the configuration you make on this page, at reboot and on some other events, so any manual changes to it will be overwritten.
Aliases
This page allows you to create IP aliases for your RED interface. This is only possible if your RED type is ETHERNET STATIC; with any
other RED type you cannot configure more than one RED IP address. You will normally want aliases if you have more than one public IP
address and want all of them reachable from the outside.
Figure 4.3. Add a new alias
If you click on Add a new alias, you will be able to create a new IP alias. The following configuration fields are available:
Name
Enter a name that lets you easily identify the alias later. This is only a label and has no other meaning. You may refer to this
name later within the firewall configuration.
Alias IP
The IP address you want to set up. Note that this IP address has to be in the RED subnet, otherwise the configuration wizard will
report an error.
Enabled
Toggles the configuration of the respective IP alias on or off.
Below in the box entitled Current aliases you can see a list of already configured IP aliases (if any). On the right you can toggle on/off the
respective IP alias by clicking on the checkbox icon. With the pencil icon you can edit the respective IP alias and with the trash icon you
may remove one.
For each configured IP alias you can later define more precise firewall rules on the firewall configuration pages. For example you may
configure port forwarding of a specific port from a specific IP alias to a server behind ORANGE.
Introduction
Figure 5.1. Services menu selected
In addition to its core function of Internet firewall, EFW can provide a number of other services that are useful in a small network.
These are:
DHCP Server
Dynamic DNS Management
Clamav antivirus
Time Server
Traffic Shaping
Intrusion Detection System
Linesrv (has been removed in version 2.1)
Hotspot
In a larger network it is likely that these services will be provided by dedicated servers and therefore should be disabled here.
The following DHCP parameters can be set from the web interface:
Start Address (optional)
You can specify the lowest and highest addresses that the server will hand out to other requestors. The default is to hand out all the
addresses within the subnet you set up when installing your Endian Firewall. If you have machines on your network that do not use
DHCP, and have their IP addresses set manually, you should set the start and end address so that the server will not hand out any
of these manually assigned IPs.
Note
You should also make sure that any addresses listed in the fixed lease section (see below) are also
outside this range.
End Address (optional)
Specify the highest address you want to hand out (see above).
Default lease time
This can be left at its default value unless you want to specify your own value. The default lease time is the time interval that is
used before the lease for an assigned IP address expires and your computers will request a renewal of their lease, specifying their
current IP address.
Note
If you change your DHCP parameters those changes will be propagated to the machines in your
network when they request a new lease. Generally, leases are renewed by the server.
Maximum lease time
This can be left at its default value unless you want to specify your own value. The maximum lease time is the time interval during
which the DHCP server will always honor client renewal requests for their current IP addresses. After the maximum lease time,
client IP addresses may be changed by the server. If the dynamic IP address range has changed, the server will hand out an IP
address in the new dynamic range.
Domain name suffix (optional)
Sets the domain name that the DHCP server will pass to the clients. If a host name cannot be resolved, the client will try again after
appending the specified name to the original host name. Many ISP's DHCP servers set the default domain name to their network
name and tell customers to get to the web by entering www as the default home page on their browser. www is not a fully
qualified domain name. But the software in your computer will append the domain name suffix supplied by the ISP's DHCP server
to it, creating a FQDN for the web server. If you do not want your users to have to unlearn addresses like www, set the Domain
name suffix to your ISP's DHCP server specifications.
Note
There should not be a leading dot in this box.
Primary DNS
Specifies what the DHCP server should tell its clients to use as Primary DNS server. Because Endian Firewall runs a DNS proxy,
you will probably want to leave the default value here so the Primary DNS server is set to the EFW box's IP address. If you have
your own DNS server then specify it here.
Secondary DNS
You can also specify a second DNS server which will be used if the primary is unavailable. This could be another DNS server on
your network or that of your ISP.
Primary NTP Server (optional)
If you are using Endian Firewall as an NTP Server, or want to pass the address of another NTP Server to devices on your network,
you can put its IP address in this box. The DHCP server will pass this address to all clients when they get their network parameters.
Secondary NTP Server (optional)
If you have a second NTP Server address, put it in this box. The DHCP server will pass this address to all clients when they get
their network parameters.
Primary WINS server address (optional)
If you are running a Windows network and have a Windows Naming Service (WINS) server, you can put its IP address in this box.
The DHCP server will pass this address to all hosts when they get their network parameters.
Secondary WINS server address (optional)
If you have a second WINS Server, you can put its IP address in this box. The DHCP server will pass this address to all hosts when
they get their network parameters.
Below you will find the following global configuration option:
Custom configuration lines
In this field you can add configuration lines which will be appended to the configuration file of the DHCP server. This is optional.
Warning
Use it only if you know exactly what you are doing, since wrong syntax will cause the DHCP server to
refuse to work! Read the ISC DHCP server documentation to make sure you really need to add custom
configuration lines.
For example you may use this configuration possibility to send the location of the configuration files of your VoIP telephones to
those telephones.
Example 5.1. Example of a custom configuration line
option tftp-server-name "http://%(GREEN_ADDRESS)s";
Warning
The format of the MAC address is xx:xx:xx:xx:xx:xx, not xx-xx-xx-xx-xx-xx as some machines show it,
e.g. 00:e5:b0:00:02:d2.
IP Address
The static lease IP address that the DHCP server will always hand out for the associated MAC address.
Note
Do not use an address from the server's dynamic address range.
Remark (optional)
If you want, you can include a string of text to identify the device using the fixed lease.
Next Address (optional)
Some machines on your network may be thin clients that need to load a boot file from a network server. You can specify the server
here if needed.
File Name (optional)
Specify the boot file for this machine.
Root Path (optional)
If the boot file is not in the default directory then specify the full path to it here.
Enabled
Click on this check box to tell the DHCP server to hand out this static lease. If the entry is not enabled, it will be stored in EFW's
files, but the DHCP server will not issue this lease.
To edit an existing lease, click on its pencil icon. The fixed leases values will be displayed in the Edit an existing lease section of the
page. The fixed lease being edited will be highlighted in yellow. Click the Update button to save any changes.
To remove an existing profile, click on its trash can icon. The lease will be removed.
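As an added example, not Endian's own configuration generator, the following Python models the DHCP fields described above, applies the checks the notes on this page call for (MAC written as xx:xx:xx:xx:xx:xx, fixed lease address outside the dynamic range, no leading dot in the domain name suffix, custom lines terminated with a semicolon) and renders an ISC dhcpd.conf fragment from them. The dataclass layout, the host block names, the sample addresses and the 192.168.0.1 standing in for %(GREEN_ADDRESS)s are assumptions made for this example; the MAC address is the one the warning above uses.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example: models the DHCP form fields described on this page, applies
# the checks the manual's notes call for, and renders an ISC dhcpd.conf
# fragment.  The layout is an assumption for the example, not Endian's code.

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")   # xx:xx:xx:xx:xx:xx


@dataclass
class FixedLease:
    mac: str
    ip: str
    remark: str = ""
    next_server: Optional[str] = None   # "Next Address" field (boot server)
    filename: Optional[str] = None      # "File Name" field (boot file)
    enabled: bool = True


@dataclass
class DhcpZoneConfig:
    subnet: str                         # zone subnet, e.g. "192.168.0.0/24"
    start: str                          # Start Address of the dynamic range
    end: str                            # End Address of the dynamic range
    default_lease: int = 3600           # seconds
    max_lease: int = 7200
    domain_suffix: str = ""
    dns: List[str] = field(default_factory=list)
    ntp: List[str] = field(default_factory=list)
    fixed: List[FixedLease] = field(default_factory=list)
    custom_lines: List[str] = field(default_factory=list)


def validate(cfg: DhcpZoneConfig) -> List[str]:
    """Return the problems the manual warns about; an empty list means ok."""
    problems = []
    net = ipaddress.ip_network(cfg.subnet, strict=False)
    lo, hi = ipaddress.ip_address(cfg.start), ipaddress.ip_address(cfg.end)
    if lo not in net or hi not in net or lo > hi:
        problems.append("dynamic range must be ordered and inside the zone subnet")
    if cfg.domain_suffix.startswith("."):
        problems.append("domain name suffix must not start with a dot")
    for lease in cfg.fixed:
        if not MAC_RE.match(lease.mac.lower()):
            problems.append(f"MAC {lease.mac!r} must be written xx:xx:xx:xx:xx:xx")
        if lo <= ipaddress.ip_address(lease.ip) <= hi:
            problems.append(f"fixed lease {lease.ip} lies inside the dynamic range")
    for line in cfg.custom_lines:
        # a statement the server cannot parse makes dhcpd refuse to work at all
        if not line.rstrip().endswith((";", "{", "}")):
            problems.append(f"custom line {line!r} is not terminated with ';'")
    return problems


def render(cfg: DhcpZoneConfig) -> str:
    """Render an ISC dhcpd.conf fragment from the fields (assumed layout)."""
    net = ipaddress.ip_network(cfg.subnet, strict=False)
    out = [f"subnet {net.network_address} netmask {net.netmask} {{",
           f"  range {cfg.start} {cfg.end};",
           f"  default-lease-time {cfg.default_lease};",
           f"  max-lease-time {cfg.max_lease};"]
    if cfg.domain_suffix:
        out.append(f'  option domain-name "{cfg.domain_suffix}";')
    if cfg.dns:
        out.append(f"  option domain-name-servers {', '.join(cfg.dns)};")
    if cfg.ntp:
        out.append(f"  option ntp-servers {', '.join(cfg.ntp)};")
    out.extend(f"  {line.strip()}" for line in cfg.custom_lines)
    out.append("}")
    # disabled fixed leases stay in the form data but are not issued
    for n, lease in enumerate(l for l in cfg.fixed if l.enabled):
        if lease.remark:
            out.append(f"# {lease.remark}")
        out.append(f"host fixed{n} {{")
        out.append(f"  hardware ethernet {lease.mac.lower()};")
        out.append(f"  fixed-address {lease.ip};")
        if lease.next_server:
            out.append(f"  next-server {lease.next_server};")
        if lease.filename:
            out.append(f'  filename "{lease.filename}";')
        out.append("}")
    return "\n".join(out) + "\n"


# Constructed sample input (not from the manual); the MAC is the one the
# warning above uses, 192.168.0.1 stands in for %(GREEN_ADDRESS)s.
SAMPLE = DhcpZoneConfig(
    subnet="192.168.0.0/24", start="192.168.0.100", end="192.168.0.200",
    domain_suffix="example.lan", dns=["192.168.0.1"], ntp=["192.168.0.1"],
    fixed=[FixedLease(mac="00:e5:b0:00:02:d2", ip="192.168.0.10",
                      remark="VoIP phone", next_server="192.168.0.20",
                      filename="pxelinux.0")],
    custom_lines=['option tftp-server-name "http://192.168.0.1";'],
)
```

Running validate(SAMPLE) returns an empty list and render(SAMPLE) prints the subnet block followed by one host block; a configuration with a dashed MAC, a fixed lease inside the dynamic range or a domain suffix starting with a dot is reported before anything is rendered.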
hostname (if available) and lease expiry time of each record are shown, sorted by IP Address.
You can sort the display of dynamic leases by clicking on any of the four underlined column headings. A further click will reverse the sort
order.
It is easy to cut and paste a MAC Address from here into the fixed lease section (see the section called Current fixed leases), if needed.
Figure 5.5. Shows the current dynamic leases
Error messages
An error message will appear at the top of the page if a mistake is found in the input data, after you press the Save button.
Add a host
Figure 5.6. Shows the dialogue which allows you to create a new DynDNS configuration
The following DYNDNS parameters can be set from the web interface:
Service
Choose a DYNDNS provider from the dropdown. You should have already registered with that provider.
Behind a proxy
This tick box should be ticked only if you are using the no-ip.com service and your Endian Firewall is behind a proxy. This tick box
is ignored if you choose any of the other services.
Enable wildcards
Enable Wildcards will allow you to have all the subdomains of your dynamic DNS hostname pointing to the same IP as your
hostname (e.g. with this tick box enabled, www.some.dyndns.org will point to the same IP as some.dyndns.org). This tick box is
useless with no-ip.com service, as they only allow this to be activated or deactivated directly on their website.
Hostname
Enter the hostname you registered with your DYNDNS provider.
Domain
Enter the domain name you registered with your DYNDNS provider.
Username
Enter the username you registered with your DYNDNS provider.
Password
Enter the password for your username.
Behind Router (NAT)
If your Endian Firewall sits behind a device which performs NAT, you need to tick this. In that case the Endian Firewall cannot
see the real public IP address, which is what the update needs. To determine the real public IP address, Endian Firewall then
queries checkip.dyndns.org.
Enabled
If this is not ticked then Endian Firewall will not update the information on the DYNDNS server. It will retain the information so you
can re-enable DYNDNS updates without reentering the data.
Current hosts
This section shows the DYNDNS entries you have currently configured.
Figure 5.7. Shows current configured DynDNS configuration
To edit an entry click on its pencil icon. The entry's data will be displayed in the form above. Make your changes and click the Save
button on the form.
You can also update the Behind a proxy, Use wildcards and Enabled tick boxes directly from the current host's list entry.
ClamAV Antivirus
ClamAV is an Open Source virus scanner that can be used to scan all incoming traffic for viruses. Endian Firewall lets you configure the
most important features.
Figure 5.8. ClamAV Antivirus
In the Clamav configuration box you can set the way ClamAV will handle incoming archives. The options are:
Max. archive size
This lets you set the maximum archive size in Megabytes that will be scanned by ClamAV.
Max. nested archives
Here you can specify the maximum depth of nested archives ClamAV will scan.
Max. files in archive
ClamAV will not scan archives that contain more files than specified here.
Tip
By moving your mouse cursor over the question marks you will get information on when exactly the
updates will happen for the respective interval-type.
To configure the time system, make sure that the Enabled box is ticked and enter the full name of the timeserver you want to use in the
Primary NTP Server box. You can also enter an optional Secondary NTP Server if you want to.
Endian Firewall will use these NTP Servers to keep its time synchronized. It automatically does an update once every hour. If you do not
want your firewall to update itself make sure the Synchronize with time servers box is not checked.
If you want to change your timezone you can do this in the Change the Timezone box. Just select your timezone from the drop-down list
and hit the Save button.
To save your configuration click the Save button.
If you choose to not use an Internet timeserver by ticking off Synchronize with time servers you can enter the time manually and click the
Instant Update button in the Update the time box.
Note
Before version 2.1 the Synchronize with time servers option was called Disable autoupdate; its
meaning has been inverted since then.
Note
Before version 2.1 Endian Firewall used the ntpdate command. Since 2.1 it uses the ntpd daemon to
synchronize the time, which is more accurate.
Note
The first time the synching process can take some minutes if the preconfigured time is extremely wrong.
Many ISPs sell speed as download rates, not as latency. To maximize download speeds, they configure their equipment to hold large
queues of your traffic. When interactive traffic is mixed into these large queues, their latency shoots way up, as ACK packets must wait in
line before they reach you. Endian Firewall takes matters into its own hands and prioritizes your traffic the way you want it. This is done
by setting traffic into High, Medium and Low priority categories. Ping traffic always has the highest priority to let you show how fast
your connection is while doing massive downloads.
Figure 5.11. Shows Type of Service configuration
EFW can monitor packets on the GREEN, BLUE, ORANGE and RED interfaces. Just tick the relevant boxes and click the Save button.
As more attacks are discovered the rules Snort uses to recognize them will be updated. You can choose between 3 update types:
Community Rules (no subscription needed)
Sourcefire VRT rules with subscription
Sourcefire VRT rules for registered users
Sourcefire VRT Certified Rules are the official rules of snort.org. Each rule has been rigorously tested against the same standards the
VRT uses for Sourcefire customers. These rules are distributed under the new VRT Certified Rules License Agreement that restricts
commercial redistribution. There are three ways to obtain these rules:
1. Subscribers receive real-time rules updates as they are available.
2. Registered users can access rule updates 5 days after release to subscription users.
3. Unregistered users receive a static ruleset at the time of each major Snort Release.
To download the latest version, select your preferred rules type and click the Download new ruleset button. To utilize Sourcefire VRT
Certified Rules, you need to register on http://www.snort.org, acknowledge the license, receive your password by email, and connect to
the site. Go to USER PREFERENCES, press the 'Get Code' button at the bottom and copy the 40 character Oink Code into the field.
Server
Linesrv is the server part of the LineControl tool. You need to enable the server if you want to use the remote clients.
Figure 5.13. Linesrv
Enabled:
Tick this to enable the LineControl Server.
Save
To save the changes and restart the LineControl server press the save button.
Note
The LineControl server is frequently used with ISDN lines, and therefore it is desirable that the line does not
come up automatically on a reboot. This is the default when linesrv is enabled.
Clients
There are multiple clients for GNU/Linux and Windows, as well as clients written in Java (platform independent). The clients can be
downloaded from linecontrol.srf.ch.
XLC
XLC is a Linux LineControl client (X11/GTK). If your distribution does not ship xlc, you can obtain the client from linecontrol.srf.ch.
Figure 5.14. XLC Line down
The picture shows the XLC client with a disconnected main line.
Figure 5.15. XLC initiate a Connection
The XLC client shows that the main line is now connected.
Figure 5.17. XLC up manually
The main line is up manually and the LineControl server cannot stop or start the connection. This is the case when the connection
was initiated through the Web GUI.
Warning
LineControl can only control connections initiated through linesrv. If the client shows the status "up
manually", you need to disconnect the line through the Web GUI and start the connection from the LineControl
client.
WLC2
WLC2 is a Windows client for the LineControl server. The client works on Win 9x/Me/2000/XP/2003 and can be downloaded from
linecontrol.srf.ch.
Figure 5.18. WLC disconnected
The main line is disconnected and you can connect the line by pressing the online button.
Figure 5.19. WLC line is up
The main connection is established and you can close the connection by pressing the offline button. If no other user needs the
internet connection, the line goes down.
Figure 5.20. WLC connection established
Another user is using the internet connection. You can now press the online button, and the connection will not be terminated until
each client has told it to.
Figure 5.21. WLC up manually
The main line is up manually and the LineControl server cannot stop or start the connection. This is the case when the connection
was initiated through the Web GUI.
Warning
LineControl can only control connections initiated through linesrv. If the client shows the status "up
manually", you need to disconnect the line through the Web GUI and start the connection from the LineControl
client.
Warning
Please close or disconnect any linecontrol client before restarting the linecontrol server.
Hotspot
Figure 5.22. Hotspot Activation
On this page you can enable the Endian Hotspot on the BLUE zone by ticking on the checkbox labeled Enabled on BLUE and then
hitting the Save button. For further configuration options you have to click on the Hotspot administration interface link which will then
open a new page.
Note
In order to be able to run the Endian Hotspot you will have to have the BLUE zone enabled. The IP of the
BLUE interface must belong to a C-class network and it must end with a trailing .1 e.g. 192.168.20.1/24.
The bridge for the BLUE zone does not support more than one port.
Note
Usually the hotspot is intended for use with wireless networks, however this is not mandatory. It is as well
possible to connect a normal switch to the BLUE LAN port. Please note also that there is no wireless
access point supplied with Endian Firewall.
Tip
If you are running a Community version of Endian Firewall and are wondering where your Endian Hotspot
may be just upgrade to Endian Firewall Enterprise Edition.
This page was last modified on: $Date: 2006-11-22 00:47:05 +0100 (Wed, 22 Nov 2006) $.
Introduction
Figure 6.1. Firewall menu selected
In the Firewall Menu you can find some of the core functions of EFW which control how traffic will flow through the firewall.
These are:
Port Forwarding
External Access (Controls remote administration of EFW from the Internet)
Zone Pinholes
Outgoing Firewall
Firewall
This feature is one of the most important parts of Endian Firewall and most probably the reason for you to use a firewall. Endian Firewall
uses a standard netfilter firewall and creates its firewall rules using iptables. Basically Endian Firewall is configured in a way that the
firewall itself is the only point of contact seen from the outside, the internet. Public IP addresses can be assigned only to the RED
interface, thus a connection attempt from the internet to one of your public IP addresses will reach only the RED interface of the firewall
and cannot pass beyond it, as this has been made technically impossible by the use of NAT. Routing of public IP addresses to a zone
behind the firewall is prevented, since this would circumvent the firewall rules.
Figure 6.2. Diagram of flow control and its configuration possibilities
If not configured otherwise, the firewall's default settings block all traffic coming from the outside. By default, traffic from the
GREEN zone is allowed to pass to each of the other zones (BLUE and ORANGE), since GREEN is the trusted network, but for each
pass from one zone to another NAT is performed to obscure the real source address and thereby hide all information about
the network configuration of the GREEN zone. Conversely, no access from any of the other zones is granted to anywhere by
default. The only exception is access to the RED interface, the internet, but even there only some standard services
(HTTP, FTP, SMTP, DNS) are allowed by default from the GREEN zone, and only DNS from the
BLUE and ORANGE zones.
Endian Firewall of course lets you relax these strict restrictions and define access rules between the zones. To allow access to RED,
the internet, you configure this in the Outgoing Firewall submenu. If you need to give access from the outside to the firewall itself,
you create rules in the External Access menu. Access from BLUE to GREEN and from ORANGE to GREEN or BLUE is arranged with
Zone pinholes.
If you have servers in the DMZ (ORANGE) and need to allow access from the internet, you can create a port forwarding rule. You may
flexibly forward different ports from the same IP address to different servers within the DMZ, or different ports from different IP addresses
to the same server, just as you wish.
Once those receiving ports are ready, you can enter the information that is needed into the administration interface on Endian Firewall.
The following describes each configuration field:
Protocol
This drop down list allows you to choose which protocol this rule will follow. Possible values are TCP, UDP and GRE. Most regular
servers use TCP. Some game servers and chat servers use UDP. The GRE protocol is used for example in PPTP. If the protocol is
not specified in the server documentation, then it usually is TCP.
Source port
This is the port to which the outsiders will connect. In most cases, this will be the standard port for the service being offered (80 for
web servers, 20 & 21 for FTP servers, 25 for mail servers, etc.) If you want to you may specify a range of ports to forward. To specify
a range use the : character between two port numbers, lowest number first.
Note
Port ranges cannot overlap each other.
Destination IP
is the internal IP address of the server (for example, you may have your web server running on 192.168.0.3).
Destination Port
is the port that you have chosen when you set up your server in the first paragraph. You only need to enter the source port, the
destination will be filled in for you if it does not differ.
Alias IP
This dropdown menu allows you to choose which RED IP will be affected by this rule. Endian Firewall has the capability of
handling more than one RED IP. With the Aliases submenu in the Network main menu you are able to configure them. If you only
have one RED IP set up, then choose Default IP.
Remark
This is optional. As the name says, this field allows you to add a remark that makes it easier to identify the rule in the Current rules
list.
Enabled
Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.
Endian Firewall automatically creates a NAT rule for each zone for each configured port forwarding rule in order to allow access to
ORANGE not only from RED but also from each of the other zones.
Note
If you create a port forwarding rule from an alias IP, Endian Firewall automatically generates NAT rules for
outgoing connections started by the machine to which the port has been forwarded, in order to change the
source IP address to the respective alias IP. This NAT occurs only for destination ports equal to those
forwarded. This is needed for example if you want to run a mail server within the DMZ and therefore
forward port 25 to the machine in the ORANGE network: that machine needs to send mails with
the alias IP and not with the main RED IP address.
You can have more than one external address - after you have created the port forwarding entry, it will appear in the table. If you wish to
add another external address, click the Red Pencil with the Plus sign next to the entry - the entry screen at the top of the page will
change (it will load the values from the port forwarding entry) and allow you to enter an external IP address or network. When added you
will now notice that there is a new entry for this forwarded port in the table.
Note
You can have port ranges and wildcards. Valid wildcards are:
* which translates to 1-65535
85-* which translates into 85-65535
*-500 which translates into 1-500
Reserved ports - on the main Red Address (DEFAULT IP) some ports are reserved for EFW services,
they are 67, 68 for doing DHCP on RED and 10443 for the web interface itself.
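The wildcard and range notation, the rule that ranges must not overlap and the reserved ports listed in this note are easy to get wrong once many rules exist. The following Python is an added example, not Endian's own validation code: it expands a Source port field into a numeric range and reports rules for the same protocol and RED IP that overlap, as well as rules on the Default IP that cover a reserved port. The rule dictionary layout, the 'default' alias name and the sample rules are assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Added example (not Endian's validation code): expands the Source port
# notation this note describes and checks a rule list for the overlap and
# reserved-port problems it mentions.  The rule dict layout is assumed.

PORT_MIN, PORT_MAX = 1, 65535
# Reserved on the main RED address (Default IP) for EFW's own services.
RESERVED_DEFAULT_IP = {67, 68, 10443}


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Expand a Source port field into an inclusive (low, high) range.

    Accepts a single port, 'low:high' (lowest first) and the wildcard forms
    '*' -> 1-65535, '85-*' -> 85-65535, '*-500' -> 1-500.  Raises
    ValueError for anything else, including a range given highest first.
    """
    spec = spec.strip()
    if spec == "*":
        return PORT_MIN, PORT_MAX
    m = re.fullmatch(r"(\*|\d+)[-:](\*|\d+)", spec)
    if m:
        lo = PORT_MIN if m.group(1) == "*" else int(m.group(1))
        hi = PORT_MAX if m.group(2) == "*" else int(m.group(2))
    elif spec.isdigit():
        lo = hi = int(spec)
    else:
        raise ValueError(f"bad port specification {spec!r}")
    if not PORT_MIN <= lo <= hi <= PORT_MAX:
        raise ValueError(f"range {lo}-{hi} is not ordered or outside 1-65535")
    return lo, hi


def spec_error(spec: str) -> Optional[str]:
    """Return the error message for a bad specification, or None if valid."""
    try:
        parse_port_spec(spec)
        return None
    except ValueError as e:
        return str(e)


def check_forwards(rules: List[dict]) -> List[str]:
    """Report problems in a list of port forwarding rules.

    Each rule is a dict with protocol, source_port, alias ('default' for
    the main RED IP or an alias name), dest_ip, dest_port and enabled.
    Disabled rules are skipped, as the firewall does not load them.
    """
    problems = []
    seen = []   # (protocol, alias, lo, hi) of the enabled rules already checked
    for r in rules:
        if not r.get("enabled", True):
            continue
        err = spec_error(r["source_port"])
        if err:
            problems.append(err)
            continue
        lo, hi = parse_port_spec(r["source_port"])
        if r["alias"] == "default":
            hit = sorted(p for p in RESERVED_DEFAULT_IP if lo <= p <= hi)
            if hit:
                problems.append(f"{r['protocol']} {r['source_port']} on Default IP "
                                f"covers reserved port(s) {hit}")
        for proto, alias, slo, shi in seen:
            # two ranges overlap when neither one ends before the other starts
            if proto == r["protocol"] and alias == r["alias"] and lo <= shi and slo <= hi:
                problems.append(f"{r['protocol']} {r['source_port']} on {r['alias']} "
                                f"overlaps {slo}-{shi}")
        seen.append((r["protocol"], r["alias"], lo, hi))
    return problems


# Constructed sample rules (not from the manual).
SAMPLE_RULES = [
    {"protocol": "TCP", "source_port": "80", "alias": "default",
     "dest_ip": "192.168.1.3", "dest_port": "80", "enabled": True},
    {"protocol": "TCP", "source_port": "8000:8100", "alias": "default",
     "dest_ip": "192.168.1.4", "dest_port": "8000:8100", "enabled": True},
    {"protocol": "TCP", "source_port": "8050", "alias": "default",      # overlaps
     "dest_ip": "192.168.1.5", "dest_port": "8050", "enabled": True},
    {"protocol": "UDP", "source_port": "*", "alias": "default",         # reserved ports
     "dest_ip": "192.168.1.6", "dest_port": "*", "enabled": True},
    {"protocol": "TCP", "source_port": "*", "alias": "mail",            # other RED IP
     "dest_ip": "192.168.1.7", "dest_port": "*", "enabled": True},
    {"protocol": "TCP", "source_port": "500:85", "alias": "mail",       # disabled
     "dest_ip": "192.168.1.7", "dest_port": "25", "enabled": False},
]
```

check_forwards(SAMPLE_RULES) returns two problems: the TCP 8050 rule overlaps the 8000-8100 range on the same RED IP, and the UDP wildcard rule on the Default IP covers the reserved ports 67, 68 and 10443. The wildcard rule on the mail alias is fine, since the reserved ports only apply to the Default IP, and the disabled rule with an unordered range is never checked.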
Figure 6.5. Currently configured portforwarding rules
You already noticed the rules listing below in the Current rules box, since this is the place where you can find the red pencil icon. You
can edit a record by clicking on the Yellow Pencil icon in the Action column and until you hit the update button nothing changes and
nothing is lost. When you are editing a record you will see the record highlighted in yellow. When you edit a port forwarding rule, there
will be an extra check box labeled Override external access to ALL. This is used as a quick and dirty way to open a port to ALL Internet
addresses for testing or whatever your reasons may be.
To delete a record, click on the Trash Can icon on the right hand side of the Action column.
Note
If you have a forwarded port with multiple external access rules and delete all of the external access rules,
the port becomes open to ALL addresses, be careful.
There is a Shortcut to enable or disable a port forward or external access - click on the Enabled icon (the checkbox in the Action
column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click on the
checkbox to enable it again.
Note
When you disable the port forward, all associated external access rules are disabled, and when you enable
the port forward, all associated external access rules are enabled.
External Access only controls access to the Endian Firewall box itself. It has no effect on access to the GREEN, BLUE or ORANGE networks.
That is controlled in the Port Forwarding section, as described above.
If you wish to maintain your EFW machine remotely, you should enable access on TCP port 10443, https. If you have enabled ssh
access, you can also enable TCP port 22, ssh.
The following describes the configuration fields of the Add a new rule box:
Protocol
The drop down list allows you to choose which protocol this rule will follow. Possible values are TCP and UDP. Most regular
servers use TCP. If the protocol is not specified in the server documentation then it is usually TCP.
Source IP, or network (blank for "ALL")
This is the IP address of the external machine(s) you want to give permission to access your firewall. You may leave this blank,
which allows any IP address to connect. Although dangerous, this is useful if you want to maintain your machine from anywhere in
the world. However, if you can limit the IP addresses for remote maintenance, only these IP addresses or networks should be listed
in this box.
Destination Port
This is the external port they are allowed to access, e.g. 10443.
Destination IP
This dropdown menu allows you to choose which RED IP this rule will affect. Endian Firewall has the capability of handling more
than one RED IP. If you only have one RED IP set up then choose Default IP.
Enabled
Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.
Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.
Current rules lists all the rules that have been created. To remove one, click the Trash Can icon. To edit one, click the Yellow Pencil
icon.
To enable or disable a rule - click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or
disable. The icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.
Figure 6.7. Displays currently configured rules
Note
By default port 113 is opened. This is a quick fix to make connections faster. Many services still use
the old, unsafe ident protocol to comply with standards: the service asks the connecting host which
remote user established the connection. Since most machines no longer run an ident service, such
connections take a long time to establish, because the ident request has to time out when the firewall
drops those packets. This rule opens the ident port, so the kernel can promptly reject the ident
packet and no timeout is needed. Currently this is the only possibility since there is not yet a support
Note
This page will only be visible if you have enabled the ORANGE and/or the BLUE zone within Network
Wizard.
A DMZ or Demilitarized Zone (Orange zone) is used as a semi-safe interchange point between the external RED Zone and the internal
GREEN zone. The GREEN zone has all your internal machines. The RED zone is the Internet at large. The DMZ allows them to share
servers without allowing undue access to the internal LAN by those in the RED Zone.
For example, suppose that your business has a web server. Certainly, you want your customers (those in the RED zone) to be able to
access it. But what if you also want your web server to be able to send customer orders to employees in the GREEN zone? In a
traditional firewall setup, this wouldn't work, because the request for access to the GREEN zone would be initiating from outside the
GREEN zone. You certainly do not want to give all your customers direct access to the machines on the GREEN side, so how can this
work? By using the DMZ and zone pinholes.
Figure 6.8. Adds a new pinhole rule
Zone pinholes give machines in the Orange (DMZ) zone (and also BLUE zone) limited access to certain ports on Green machines.
Because servers (the machines in the ORANGE zone) must have relaxed rules with respect to the RED zone, they are more
susceptible to attack. By allowing only limited access from ORANGE to GREEN, you help prevent unauthorized access
to restricted areas should your server be compromised.
The following describes the configuration fields of Add a new rule:
Protocol
The drop down list allows you to choose which protocol this rule will follow. Possible values are TCP and UDP. Some game
servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP.
Source Net
This is a drop down menu that shows the available source networks on the machine. You will not find the GREEN network here, since
GREEN, being the trusted network, can access all zones by default.
Source IP
This is the IP address of the machine that you wish to give permission to access your internal servers.
Destination Net
This is a drop down menu that shows the available destination zones.
Destination IP
Fill in the IP address of the machine of your GREEN or BLUE zone that you want to open. The IP address must be part of the
destination zone you selected before.
Destination Port
This is the destination port you want to open. This is optional. If you do not specify a port, access to the machine will not be limited
to a port.
Remark
You may add a remark, which helps you identify the rule more easily within the Current rule list.
Enabled
Tick this box to enable the rule. Untick it to disable the rule temporarily.
Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.
Figure 6.9. Lists all configured pinhole rules
Current rules lists the rules that are in effect. To remove one, click the Trash can icon. To edit one, click the pencil icon. To enable or
disable a rule - click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The
icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.
Globally DENY outgoing traffic to RED and explicitly configure outgoing rules
The following services are allowed by default from the GREEN zone:
HTTP
HTTPS
FTP
SMTP
POP3
IMAP
DNS
DNS is also allowed by default for all other zones.
Figure 6.10. Adds a new outgoing rule
If you want to add a rule, open the Add a new rule dialogue, which is described below:
Remark
You may add a remark, which helps you identify the rule more easily within the Current rule list.
Enabled
Tick this box to enable the rule. Untick it to disable the rule temporarily.
Protocol
The drop down list allows you to choose which protocol this rule will follow. Possible values are UDP and TCP. Most regular
servers use TCP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it
is usually TCP.
Policy
Select the policy you set for this rule. Possible values are:
ALLOW - Allows the traffic which applies to the rule.
DENY - Silently blocks the traffic which applies to the rule. Dropped connections will be logged by default. You can toggle
that off in the Log main menu.
Source Net
This drop down list allows you to choose a whole zone as the source net. Every zone the firewall knows is listed except RED, which
by design of the outgoing firewall is always the destination zone. If you want to define the rule more precisely and allow only a
single IP address, select use source IP address.
Source IP address
This is optional if you choose a zone before. You can specify an IP address, for example 10.1.1.3, or a network like
10.1.1.0/24, which you want to allow or disallow to access RED.
Log packets which satisfy this rule
Tick this on if you want the firewall to log all connection attempts which satisfy the rule. This is convenient, for example, for testing
purposes.
Note
In some countries this may be illegal.
MAC address
This is optional. You may fill in the MAC address of a network card which is allowed or disallowed to pass through. If you do not
want to specify both, IP address and MAC address, but only the MAC address, then simply select a zone within the source net and
Current rules lists the rules that are in effect. To remove one, click the Trash can icon. To edit one, click the Pencil icon. To enable or
disable a rule - click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The
icon changes to an empty box when a rule is disabled. Click again on the checkbox to re-enable it.
On top of the table there is a checkbox labeled Log accepted outgoing connections. Tick this checkbox on if you want the firewall to log
all connections which were established, or attempted, and passed the firewall without being blocked.
Note
Enabling this may not be legal in some countries, but in some other countries this is compulsory.
You can go back to the default settings, which limit access to RED, by answering yes to the question enable outgoing firewall? in the
drop down menu below and then clicking on the save button.
Figure 6.13. Globally deny outgoing traffic
You will notice a single checkbox, labeled Log accepted outgoing connections. Tick this checkbox on if you want the firewall to log all
connections which were established, or attempted, and passed the firewall without being blocked.
Note
Enabling this may not be legal in some countries, but in some other countries this is compulsory.
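As an added illustration of the rule semantics this chapter describes (zone pinholes and the outgoing firewall with its default services), here is a small Python model; it is not Endian Firewall code. It assumes first-match evaluation with explicit rules taking precedence over the defaults, which the manual does not state, and uses constructed sample addresses.

```python
"""Model of the zone pinhole and outgoing rule semantics described in this chapter.

Added example, not Endian Firewall code. Defaults follow the manual (GREEN reaches
every zone, the listed services from GREEN to RED, DNS to RED from every zone).
Assumptions not stated in the manual: rules are checked top to bottom and the
first match decides; an explicit rule beats a default.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Services the manual lists as allowed from GREEN to RED when the outgoing
# firewall is enabled: HTTP, HTTPS, FTP, SMTP, POP3, IMAP and DNS.
DEFAULT_GREEN_TO_RED = {("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 25),
                        ("tcp", 110), ("tcp", 143), ("tcp", 53), ("udp", 53)}
# DNS is allowed to RED from all other zones too.
DEFAULT_ANY_TO_RED = {("tcp", 53), ("udp", 53)}


@dataclass
class Rule:
    src_zone: str                   # GREEN, BLUE or ORANGE
    dst_zone: str                   # RED for outgoing rules, GREEN/BLUE for pinholes
    protocol: str                   # "tcp" or "udp"
    policy: str = "ALLOW"           # ALLOW or DENY; pinholes only ever allow
    src: Optional[str] = None       # source IP or network (CIDR); None = whole zone
    dst_ip: Optional[str] = None    # pinhole destination host; None = any host
    dst_port: Optional[int] = None  # None = every port
    enabled: bool = True
    remark: str = ""


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    protocol: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A disabled rule never matches; every field that is set must agree with the packet."""
    if not rule.enabled:
        return False
    if (rule.src_zone, rule.dst_zone, rule.protocol) != (pkt.src_zone, pkt.dst_zone, pkt.protocol):
        return False
    if rule.src is not None:
        net = ipaddress.ip_network(rule.src, strict=False)   # "10.1.1.3" or "10.1.1.0/24"
        if ipaddress.ip_address(pkt.src_ip) not in net:
            return False
    if rule.dst_ip is not None and rule.dst_ip != pkt.dst_ip:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet, outgoing_firewall: bool = True) -> Tuple[str, str]:
    """Return ("ALLOW" or "DENY", reason) for one packet."""
    if pkt.src_zone == "GREEN" and pkt.dst_zone != "RED":
        return "ALLOW", "GREEN is trusted and reaches all zones without pinholes"
    if pkt.dst_zone == "RED" and not outgoing_firewall:
        return "ALLOW", "outgoing firewall disabled: everything may reach RED"
    for rule in rules:                       # assumption: first match wins
        if rule_matches(rule, pkt):
            return rule.policy, "rule: %s" % (rule.remark or "unnamed")
    if pkt.dst_zone == "RED":
        service = (pkt.protocol, pkt.dst_port)
        if pkt.src_zone == "GREEN" and service in DEFAULT_GREEN_TO_RED:
            return "ALLOW", "service allowed from GREEN by default"
        if service in DEFAULT_ANY_TO_RED:
            return "ALLOW", "DNS allowed from every zone by default"
    return "DENY", "no rule or default matched"


# Constructed sample rule set (private/documentation addresses, not real hosts).
RULES = [
    # Pinhole: the DMZ web server may reach the GREEN database on tcp/3306 only.
    Rule("ORANGE", "GREEN", "tcp", src="10.0.2.10", dst_ip="192.168.0.5", dst_port=3306,
         remark="dmz-web to db"),
    # Outgoing DENY that overrides the SMTP default for one GREEN host.
    Rule("GREEN", "RED", "tcp", policy="DENY", src="192.168.0.50", dst_port=25,
         remark="no direct smtp from kiosk"),
    # Disabled rules are ignored even though they would otherwise match.
    Rule("BLUE", "RED", "tcp", src="172.16.0.0/24", dst_port=80, enabled=False,
         remark="wifi http (switched off)"),
]

if __name__ == "__main__":
    for pkt in (Packet("ORANGE", "10.0.2.10", "GREEN", "192.168.0.5", "tcp", 3306),
                Packet("ORANGE", "10.0.2.11", "GREEN", "192.168.0.5", "tcp", 3306),
                Packet("GREEN", "192.168.0.50", "RED", "203.0.113.9", "tcp", 25),
                Packet("BLUE", "172.16.0.3", "RED", "203.0.113.9", "tcp", 80)):
        print(pkt.src_zone, pkt.src_ip, "->", pkt.dst_zone, pkt.dst_port, decide(RULES, pkt))
```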
Chapter 7. Proxy
Table of Contents
Introduction
HTTP Proxy
Feature List
Web proxy configuration
Common settings
Upstream proxy
Log settings
Cache management
Network based access control
Time restrictions
Transfer limits
MIME type filter
Web browser
Authentication configuration
Content filter
Content filter (Dansguardian)
Block pages which contain unallowed phrases
Block pages known to have content of the following categories
Custom black- and whitelists
HTTP Antivirus
Max. content scan size
Last Update
Do not scan the following URLs
Enforcing proxy usage
Web Proxy standard operation modes
Client side Web Proxy configuration
Requirements for mandatory proxy usage
POP3
Global settings
Spamfilter configuration
SIP
FTP
SMTP
General Settings
Antivirus
AntiSpam
General Settings
Greylisting
Banned File Extension
Blacklists/Whitelists
Real-time Spam Black Lists (RBL)
Custom black/whitelists
Domains
BCC
Advanced settings
Smarthost
IMAP Server for SMTP Authentication
Advanced settings
Introduction
Figure 7.1. Proxy menu selected
The proxy server is a service that allows your clients to make indirect network connections to other network services. The
client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The
proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases, the
proxy may alter the client's request or the server's response for various purposes (e.g. a mail header is changed or
added if the mail contains spam content, or advertisements are removed from a website).
This chapter covers the whole proxy menu.
The following submenus will be described in this chapter:
HTTP
POP3
SIP
FTP
SMTP
HTTP Proxy
Feature List
User authentication
Local user authentication, including group based user management
LDAP authentication, including MS Active Directory, Novell eDirectory and OpenLDAP
Windows authentication, including Windows NT4.0 or 2000/2003 domains and Samba
RADIUS authentication
Advanced access control
Network based access control over IP and MAC addresses
Time based access restrictions
Download throttling
MIME type filter
Blocking of unauthorized browsers or client software
Group based access with groups coming from Windows active directory
Enabled on zone
This enables the Proxy Server to listen for requests on the selected zone (GREEN or BLUE or ORANGE).
Note
If the proxy service is disabled, all client requests will be forwarded directly to the destination address
without passing the proxy service and therefore the requests will bypass all configured ACLs.
Transparent on zone
If the transparent mode is enabled, all requests for the destination port 80 will be forwarded to the Proxy Server without the need of
any special configuration changes to your clients.
Warning
Transparent mode works only for destination port 80. All other requests (e.g. port 443 for SSL) will
bypass the Proxy Server.
Note
When using any type of authentication, the Proxy may not run in transparent mode.
Note
To enforce the usage of the Proxy Server in non-transparent mode, you will have to block all outgoing
ports usually used for http traffic (80, 443, 8000, 8080, etc.).
Proxy Port
This is the port on which the Proxy Server listens for client requests. The default is 8080.
Note
In transparent mode, all client requests for port 80 will automatically be redirected to this port.
Warning
In non-transparent mode, make sure that your clients are configured to use this port. Otherwise they
will bypass the Proxy Server and all ACLs will be ignored.
Visible hostname
If you want to present a special hostname in error messages or to upstream proxy servers, define it here. Otherwise, the real
hostname of your Endian Firewall will be used. This is optional.
Cache administrator e-mail
This e-mail address will be shown on the Proxy Server error messages. This is optional.
Error messages language
Select the language in which the Proxy Server error messages will be displayed to the clients.
Contentfilter enabled
By enabling this feature you can activate different types of filters in the Content filter menu.
Note
This feature will only partially work for SSL connections, as it is not possible to do pattern matching
on encrypted data. The URL filtering however will work perfectly.
Antivirus enabled
This enables antivirus protection when browsing through the world wide web.
Warning
It is not possible to scan encrypted connections for viruses.
Allowed ports
Only HTTP connections on one of the specified ports will pass through the proxy. The rest will be blocked.
Note
When using transparent mode this feature will not work.
Allowed SSL ports
Like the allowed ports option but this time for SSL encrypted HTTP (HTTPS) connections.
Note
When using transparent mode this feature will not work.
Upstream proxy
These settings may be required for chained proxy environments.
Figure 7.3. Displays HTTP advanced proxy upstream proxy configuration
Username forwarding
If any type of authentication is activated for HTTP Proxy, this enables the forwarding of the login name. This can be useful for user
based ACLs or logging on remote proxy servers.
Note
This is for ACL or logging purposes only and doesn't work if the upstream proxy requires a real login.
Note
The forwarding is limited to the username, the password will not be forwarded.
Client IP address forwarding
This enables the HTTP x-forwarded-for header field. If enabled, the internal client IP address will be added to the HTTP
header.
x-forwarded-for: 192.168.1.37
This can be useful for source based ACLs or logging on remote proxy servers. When disabled, the field is suppressed completely
by default rather than being forwarded with the value unknown.
Note
If the last proxy in the chain doesn't strip this field, it will be forwarded to the destination host!
Upstream proxy (host:port)
If you are using a parent cache, then enter the IP address and port of this upstream Proxy. If no value for port is given, the default
port 80 will be used.
Upstream username
Enter the username for the upstream Proxy Server (only if required).
Note
If you enter a password, the username forwarding (described above) will be disabled.
Upstream password
Enter the password for the upstream Proxy Server (only if required).
Note
If you enter a password, the username forwarding (described above) will be disabled.
Log settings
These options are for enabling the HTTP Proxy log files.
Figure 7.4. Displays HTTP advanced proxy log settings
Log enabled
This enables the Web Proxy logging feature. All client requests will be written to a log file and can be viewed within the GUI under
Logs > Proxy Logs (See the section called Proxy Logs Page).
Warning
Enabling this option may be considered invasion of personal privacy of your clients in some countries
and/or break other legal rules.
Before you are using this option make sure that this will be in accordance with the national law or
other legal regulations.
In most countries, the user must agree that personal data will be logged. Do not enable this in a
business environment without the written agreement of the workers council.
Firewall logs outgoing connections
Tick this on if you want the firewall to log all outgoing connections.
Warning
In most countries this may be illegal!
Log query terms
The part of the URL containing dynamic queries will be stripped by default before logging. Enabling the option Log query terms will
turn this off and the complete URL will be logged.
Warning
Enabling this option may be considered invasion of personal privacy in some countries!
Log useragents
Enabling this option will write the useragent string to the log file /var/log/squid/useragent.log. This log file option should only be
activated for debugging purposes and the result is not shown within the GUI based log viewer.
Cache management
The cache management settings control the caching parameters for Advanced Proxy.
Figure 7.5. Displays HTTP advanced proxy cache management configuration
Note
This parameter does not specify the maximum process size. It only places a limit on how much
additional RAM the Web Proxy will use as a cache of objects.
Harddisk cache size
This is the amount of disk space (MB) to use for cached objects. The default is 500 MB. Change this to suit your configuration. Do
not put the size of your disk drive here. If you want Squid to use the entire disk drive, subtract 20% of the real disk size and use that
value instead.
Min object size
Objects smaller than this size will not be saved on disk. The value is specified in kilobytes, and the default is 0 KB, which means
there is no minimum.
Max object size
Objects larger than this size will not be saved on disk. The value is specified in kilobytes, and the default is 4MB (4096KB). If you
wish to increase speed at the expense of saving bandwidth you should keep this low.
Do not cache these domains
A list of sites which cause the request not to be satisfied from the cache and the reply not to be cached. In other words, use this to
force objects to never be cached. All domains must be entered with a leading dot:
.advproxy.net
.google.com
Allowed subnets
All listed subnets are allowed to access the Proxy Server. By default, the subnets for GREEN, BLUE and ORANGE (if available)
are listed here.
Warning
If you ever change the network configuration of any zone with the network wizard described in the
section called Network Configuration, you also need to change the values in this list, especially
if a subnet changes.
You can add other subnets like subnets behind GREEN in larger environments to this list.
Note
All subnets not listed here will be blocked for web access.
Sources which bypass the transparent proxy
When using the transparent proxy, all subnets, IP addresses and MAC addresses specified here will be allowed to connect
directly to the requested URLs instead of using the proxy.
Note
MAC addresses have to be entered in the following form: 00:00:00:00:00:00
Destinations to which the transparent proxy is bypassed
When using the transparent proxy and connecting to the subnets or IP addresses specified here, the connection will not go
through the proxy but will be established directly.
Unrestricted IP addresses
All client IP addresses in this list will override the following restrictions:
Time restrictions
Size limits for download requests
Download throttling
Browser check
MIME type filter
Authentication (will be required by default for these addresses, but can be turned off)
Concurrent logins per user (only available if authentication is enabled)
Unrestricted MAC addresses
All client MAC addresses in this list will override the following restrictions:
Time restrictions
Size limits for download requests
Download throttling
Browser check
MIME type filter
Authentication (will be required by default for these addresses, but can be turned off)
Concurrent logins per user (only available if authentication is enabled)
Note
Using MAC addresses instead of IP addresses can be useful if the DHCP service is enabled without
having fixed leases defined.
Note
MAC addresses can be entered in one of these forms:
00-00-00-00-00-00 or 00:00:00:00:00:00
Note
The Proxy Server can only determine MAC addresses from clients configured for the subnets of the
GREEN, BLUE or ORANGE interfaces.
Banned IP addresses or subnets
All requests from these clients (IP addresses or subnets) in this list will be blocked.
Banned MAC addresses
All requests from these clients in this list will be blocked. Using MAC addresses instead of IP addresses can be useful if the DHCP
service is enabled without having fixed leases defined.
MAC addresses can be entered in one of these forms:
00-00-00-00-00-00 or 00:00:00:00:00:00
Note
The Proxy Server can only determine MAC addresses from clients configured for the subnets of the
GREEN, BLUE or ORANGE interfaces.
Time restrictions
This defines the operational time of the Web Proxy.
Figure 7.7. Displays HTTP advanced proxy time restrictions configuration
The option allow allows web access and the option deny blocks web access within the selected time. The choice of allow or deny will
depend on the time rules you want to apply. The default is set to allow access every day around the clock.
Note
Time restrictions will not be effective for these clients:
Sources which bypass the transparent proxy
Destinations to which the transparent proxy is bypassed
Unrestricted source IP addresses
Unrestricted source MAC addresses
Members of the group Extended if the Proxy uses Local authentication
Transfer limits
This allows you to enter limitations of the size for each download and/or upload request.
Figure 7.8. Displays HTTP advanced proxy transfer limit configuration
The values are given in KB. A reason for transfer limits could be that you want to prevent downloading large files, such as CD images.
The default is set to 0 KB for upload and download. This value turns off any limitation.
Note
These limits refer to each single request, not to the total amount for all requests.
Note
Download limits will not be effective for these clients:
Sources which bypass the transparent proxy
Destinations to which the transparent proxy is bypassed
Unrestricted source IP addresses
Unrestricted source MAC addresses
Members of the group Extended if the Proxy uses Local authentication
Note
Upload limits will be effective for all clients except:
Sources which bypass the transparent proxy
Destinations to which the transparent proxy is bypassed
MIME type filter
The MIME type filter can be configured to block content depending on its MIME type.
Figure 7.9. Displays HTTP advanced proxy MIME type filter
If enabled, the filter checks all incoming headers for their MIME type. If the requested MIME type is listed to be blocked, access to this
content will be denied. This way you can block content regardless of the file name extension.
Example 7.1. Add this MIME type if you want to block the download of PDF files:
application/pdf
Example 7.2. Add these MIME types if you want to block the download of MPEG and QuickTime video files:
application/pdf
video/quicktime
Note
The MIME types are processed as regular expressions. This means, the entry javascript will block all
content with MIME types containing this word, like:
application/x-javascript and text/javascript
Note
MIME type blocking will not be effective for these clients:
Sources which bypass the transparent proxy
Destinations to which the transparent proxy is bypassed
Unrestricted source IP addresses
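The regular expression behaviour of the MIME type list and the bypass lists above, as an added Python example rather than Endian code; video/mpeg as the MIME type for MPEG video and case-insensitive matching are my assumptions.

```python
"""Model of the MIME type filter described above (added example, not Endian code).

It reproduces two statements from the manual: list entries are regular
expressions, so an unanchored entry matches anywhere in the Content-Type, and
the filter is skipped for sources that bypass the transparent proxy and for
unrestricted source IP addresses. Assumptions: matching is case-insensitive,
and video/mpeg is the MIME type for MPEG video (the manual's own example lists
application/pdf and video/quicktime).
"""
import ipaddress
import re
from typing import Iterable, List


def compile_blocklist(entries: Iterable[str]) -> List[re.Pattern]:
    """Each entry is compiled as-is; the manual says entries are regexes."""
    return [re.compile(entry, re.IGNORECASE) for entry in entries]


def mime_of(content_type: str) -> str:
    """Strip parameters: 'text/javascript; charset=utf-8' -> 'text/javascript'."""
    return content_type.split(";", 1)[0].strip()


def matches_for(entry: str, candidate_types: Iterable[str]) -> List[str]:
    """Which of the candidate MIME types one list entry would block.
    Run this over your list before enabling the filter to spot overbroad
    entries (an unanchored 'video/mpeg' also hits 'video/mpeg4-generic')."""
    pattern = re.compile(entry, re.IGNORECASE)
    return [t for t in candidate_types if pattern.search(t)]


def client_in(ip: str, networks: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def mime_blocked(content_type: str, client_ip: str, blocklist: List[re.Pattern],
                 bypass_sources: Iterable[str] = (),
                 unrestricted_ips: Iterable[str] = ()) -> bool:
    """True if the proxy would deny this response to this client."""
    if client_in(client_ip, bypass_sources) or client_in(client_ip, unrestricted_ips):
        return False                      # these clients are outside the filter
    mime = mime_of(content_type)
    return any(p.search(mime) for p in blocklist)


# Constructed sample data.
SAMPLE_TYPES = ["application/pdf", "application/x-javascript", "text/javascript",
                "video/mpeg", "video/mpeg4-generic", "video/quicktime", "text/html"]
BLOCKLIST = compile_blocklist(["application/pdf", "^video/mpeg$", "video/quicktime"])
UNRESTRICTED = ["192.168.0.99"]

if __name__ == "__main__":
    print("javascript   ->", matches_for("javascript", SAMPLE_TYPES))
    print("video/mpeg   ->", matches_for("video/mpeg", SAMPLE_TYPES))
    print("^video/mpeg$ ->", matches_for("^video/mpeg$", SAMPLE_TYPES))
    print(mime_blocked("application/pdf; name=x.pdf", "192.168.0.20", BLOCKLIST,
                       unrestricted_ips=UNRESTRICTED))
    print(mime_blocked("application/pdf", "192.168.0.99", BLOCKLIST,
                       unrestricted_ips=UNRESTRICTED))
```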
If this option is enabled, only the selected clients will be able to pass the Proxy Server. All other requests will be blocked.
Note
Browser based access control will not be effective for these clients:
Sources which bypass the transparent proxy
Destinations to which the transparent proxy is bypassed
Unrestricted source IP addresses
Unrestricted source MAC addresses
Members of the group Extended if the Proxy uses Local authentication
Client definitions
The most important web clients are already listed. You can create your own definitions by editing the file
/var/efw/proxy/advanced/useragents and adding the browser specific information there.
Adding custom clients could be necessary if you want to allow your AntiVirus software to download updated definitions. If you don't know
the useragent of this software, you can enable useragent logging in the section Log settings and watch the file
/var/log/squid/useragent.log.
The syntax for client definitions is:
name,display,(regexp)
name
is required for internal processing of the Advanced Proxy and should be a short name in alphanumeric capital letters without
spaces.
display
is the string which appears in the GUI list and should contain the common name for this client.
(regexp)
is a regular expression which matches the browser useragent string and must always be enclosed by parentheses.
The values are separated by commas.
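An added Python parser for the name,display,(regexp) syntax above, not Endian's own code; the sample definitions are constructed and are not the contents of /var/efw/proxy/advanced/useragents, and first match wins is an assumption.

```python
"""Parser for the client definition syntax described above (added example).

Not Endian code: it reads lines of the form name,display,(regexp), validates
them the way the manual describes, and decides whether a User-Agent belongs to
one of the clients an administrator has allowed. The sample definitions are
constructed. Assumptions: first matching definition wins, '#' lines are
comments, and the display text contains no comma.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class ClientDef:
    name: str        # short internal name: capital letters/digits, no spaces
    display: str     # label shown in the GUI list
    regexp: re.Pattern


def parse_definition(line: str) -> ClientDef:
    """Split on the first two commas only, so the regexp itself may contain commas."""
    parts = line.strip().split(",", 2)
    if len(parts) != 3:
        raise ValueError("expected name,display,(regexp): %r" % line)
    name, display, regexp = (p.strip() for p in parts)
    if not re.fullmatch(r"[A-Z0-9]+", name):
        raise ValueError("name must be alphanumeric capitals without spaces: %r" % name)
    if not (regexp.startswith("(") and regexp.endswith(")")):
        raise ValueError("regexp must be enclosed in parentheses: %r" % regexp)
    return ClientDef(name, display, re.compile(regexp))


def is_valid_definition(line: str) -> bool:
    try:
        parse_definition(line)
        return True
    except ValueError:
        return False


def load_definitions(text: str) -> List[ClientDef]:
    """Parse a whole file; blank lines and '#' comments are skipped (assumption)."""
    defs = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            defs.append(parse_definition(line))
    return defs


def identify(user_agent: str, defs: Iterable[ClientDef]) -> Optional[str]:
    """Name of the first definition whose regexp matches the User-Agent, else None."""
    for d in defs:
        if d.regexp.search(user_agent):
            return d.name
    return None


def browser_allowed(user_agent: str, defs: Iterable[ClientDef], allowed: Iterable[str]) -> bool:
    """The browser check passes only if the UA matches a definition the admin ticked."""
    name = identify(user_agent, defs)
    return name is not None and name in set(allowed)


# Constructed sample file content, including an AV updater entry as the manual suggests.
SAMPLE_FILE = """\
# name,display,(regexp)
MOZILLA,Mozilla Firefox,(Firefox/[0-9.]+)
MSIE,Internet Explorer,(MSIE [0-9.]+)
AVUPDATE,ExampleAV definition updater,(ExampleAV Updater/[0-9.]+)
"""
DEFS = load_definitions(SAMPLE_FILE)

if __name__ == "__main__":
    for ua in ("Mozilla/5.0 (Windows NT 5.1; rv:1.8) Gecko/20060101 Firefox/1.5",
               "ExampleAV Updater/3.2", "curl/7.15.0"):
        print(repr(ua), "->", identify(ua, DEFS),
              browser_allowed(ua, DEFS, {"MOZILLA", "AVUPDATE"}))
```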
Authentication configuration
Warning
When using authentication and enabling the web proxy log files, the requesting user name will be logged
in addition to the requested URL. Before enabling log files while using authentication, make sure not to
violate existing laws.
Note
Authentication will not work with the transparent proxy turned on.
Authentication methods overview
None
Authentication is disabled. Users don't need to authenticate when accessing web sites.
Local Authentication
This authentication method is the preferred solution for SOHO environments. Users need to authenticate when accessing web sites
by entering a valid username and password. The user management resides on the Endian Firewall Proxy Server. Users are
categorized into three groups: Extended, Standard and Disabled.
Authentication using LDAP
This authentication method is the preferred solution for medium and large network environments. Users will have to authenticate
when accessing web sites by entering a valid username and password. The credentials are verified against an external Server
using the Lightweight Directory Access Protocol (LDAP).
LDAP authentication will be useful if you already have a directory service in your network and don't want to maintain additional
user accounts and passwords for web access.
The HTTP Proxy works with these types of LDAP Servers:
Active Directory (Windows 2000 and 2003 Server)
Novell eDirectory (NetWare 5.x and NetWare 6)
LDAP Version 2 and 3 (OpenLDAP)
As an option, membership for a certain group can be required.
Note
The protocol LDAPS (Secure LDAP) is not supported.
Windows authentication
This authentication method is one of the preferred solutions for small and medium network environments. Users will have to
authenticate when accessing web sites. The credentials are verified against an external Server acting as a Domain Controller. This
can be a:
Windows NT 4.0 Server or Windows 2000/2003 Server (even with Active Directory enabled)
Samba 2.x / 3.x Server (running as Domain Controller)
Advanced Proxy works with Windows integrated authentication (transparent) or with standard authentication (explicit with
username and password). You can maintain lists with authorized user names (whitelist) or unauthorized user names (blacklist).
Note
Workgroup based authentication may work, but is neither recommended nor supported.
RADIUS authentication
This authentication method is another good solution for small and medium network environments. Users will have to authenticate
when accessing web sites. The credentials are verified against an external RADIUS server. You can maintain lists with authorized
user names (whitelist) or unauthorized user names (blacklist).
Global authentication settings
The global authentication settings are available for all authentication methods.
Figure 7.12. Displays HTTP advanced proxy global authentication settings
Note
If the user opens a new session, the credentials must always be entered, even if the TTL has not
expired for another session.
Limit of IP addresses per user
Number of source IP addresses a user can be logged in at a time. The IP address will be released after the time defined at User/IP
cache TTL.
Note
This has no effect if running Local authentication and the user is a member of the Extended group.
User/IP cache TTL
Duration in minutes, how long relations between each user name and the used IP address will be cached. The default value is 0
(disabled). A value greater than 0 is only reasonable when using a limit for concurrent IP addresses per user.
Require authentication for unrestricted source addresses
By default authentication is required even for unrestricted IP addresses. If you don't want to require authentication for these
addresses, untick this box.
Authentication realm prompt
This text will be shown in the authentication dialog.
Domains without authentication
This allows you to define a list of domains that can be accessed without authentication.
Note
These domains are destination DNS domains and not source Windows NT domains.
Note
This works only for DNS domain names and not for IP addresses.
Example 7.3. Windows Update
To allow access to Windows Update without authentication add these domains to the list:
.download.microsoft.com
.windowsupdate.com
.windowsupdate.microsoft.com
Note
All listed domains require a leading dot.
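The interplay of Limit of IP addresses per user and User/IP cache TTL from the global authentication settings above, modelled as an added Python example rather than Endian or Squid code; the timeline is constructed, and timestamps are supplied by the caller so the behaviour is deterministic.

```python
"""Model of 'Limit of IP addresses per user' and 'User/IP cache TTL' (added example,
not Endian or Squid code).

The proxy remembers which source IP addresses each authenticated user has been
seen from; an entry is forgotten once it has been idle for the TTL. A request
from a new address is refused while the user already occupies the allowed number
of addresses. As the manual states, a TTL of 0 disables the cache (so the limit
has no effect) and Extended group members under Local authentication are exempt.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set


class UserIpCache:
    def __init__(self, max_ips_per_user: int, ttl_minutes: int,
                 extended_users: Iterable[str] = ()):
        self.max_ips = max_ips_per_user
        self.ttl_seconds = ttl_minutes * 60
        self.extended = set(extended_users)
        # user -> {ip: last time the user was seen from that ip}
        self._seen: Dict[str, Dict[str, float]] = defaultdict(dict)

    def active_ips(self, user: str, now: float) -> Set[str]:
        """Addresses still inside the TTL window; expired ones are dropped."""
        ips = self._seen[user]
        for ip, last in list(ips.items()):
            if now - last > self.ttl_seconds:
                del ips[ip]
        return set(ips)

    def request(self, user: str, ip: str, now: float) -> bool:
        """Return True if an authenticated request from (user, ip) may proceed."""
        if self.ttl_seconds == 0 or user in self.extended:
            return True
        active = self.active_ips(user, now)
        if ip not in active and len(active) >= self.max_ips:
            return False                   # user already at the limit elsewhere
        self._seen[user][ip] = now         # record or refresh this address
        return True


def walkthrough() -> list:
    """Constructed timeline: one user, limit 1 address, TTL 10 minutes."""
    cache = UserIpCache(max_ips_per_user=1, ttl_minutes=10, extended_users={"admin"})
    return [
        cache.request("alice", "192.168.0.10", now=0),    # first address: allowed
        cache.request("alice", "192.168.0.11", now=60),   # second address inside TTL: refused
        cache.request("alice", "192.168.0.10", now=120),  # original address: allowed, TTL refreshed
        cache.request("alice", "192.168.0.11", now=721),  # .10 idle for over 10 min: allowed
        cache.request("admin", "10.0.0.1", now=0),        # Extended group: never limited
        cache.request("admin", "10.0.0.2", now=1),
    ]


if __name__ == "__main__":
    print(walkthrough())   # [True, False, True, True, True, True]
```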
Local user authentication
The Local user authentication lets you manage user accounts locally without the need for external authentication servers.
Figure 7.13. Displays HTTP advanced proxy local user authentication
User management
The integrated user manager can be executed from the main settings page.
Figure 7.14. Displays HTTP advanced proxy local user authentication
Within the user manager page, all available accounts are listed in alphabetical order.
Group definitions
You can select between three different groups:
Standard
The default for all users. All given restrictions apply to this group.
Extended
Use this group for unrestricted users. Members of this group will bypass any time- and filter-restrictions.
Disabled
Members of this group are blocked. This can be useful if you want to disable an account temporarily without losing the password.
Proxy service restart requirements
The following changes to user accounts will require a restart of the proxy service:
a new user account was added and the user is not a member of the Standard group
the group membership for a certain user has been changed
The following changes to user accounts will not require a restart of the proxy service:
a new user account was added and the user is a member of the Standard group
the password for a certain user has been changed
an existing user account has been deleted
Create user accounts
Username
Enter the username for the user. If possible, the name should contain only alphanumeric characters.
Group
Select the group membership for this user.
Password
Enter the password for the new account.
Password (confirm)
Confirm the previously entered password.
Create user
This button creates a new user account. If this username already exists, the account for this username will be updated with the new
group membership and password.
Back to main page
This button closes the user manager and returns to the Advanced Proxy main page.
Edit user accounts
A user account can be edited by clicking on the pencil icon. When editing a user account, only the group membership or password can
be changed.
While editing an account, the referring entry will be marked with a yellow bar.
Figure 7.16. Displays editing a user with local user manager of HTTP advanced proxy
Note
The username cannot be modified. This field is read-only. If you need to rename a user, delete this user
and create a new account.
Delete user accounts
A user account can be deleted by clicking the trash can icon. The account will be deleted immediately.
Client side password management
Users may change their passwords if needed. The interface can be invoked by entering this URL:
https://efw:10443/cgi-bin/chpasswd.cgi
Note
Replace efw with the GREEN IP address of your Endian Firewall.
The web page dialog requires the username, the current password and the new password (twice for confirmation):
Figure 7.17. Change it yourself page, allowing user to change their local HTTP proxy password
LDAP authentication
This authentication method uses an existing directory infrastructure for user authentication.
If you are unsure about your internal directory structure, you can examine your LDAP server using the command line based
ldapsearch tool.
Windows clients can use the free and easy to use Softerra LDAP browser for this: http://www.ldapbrowser.com.
Common LDAP settings
Base DN
This is the base where to start the LDAP search. All subsequent Organizational Units (OUs) will be included. Refer to your LDAP
documentation for the required format of the base DN.
Example 7.4. Base DN for Active Directory
cn=users,dc=ads,dc=local
This will search for users in the group users in the domain ads.local.
Example 7.5. Base DN for eDirectory
ou=users,o=acme
This will search for users in the Organizational Unit users (and below) in the Organization acme.
Note
If the Base DN contains spaces, you must escape these spaces using a backslash.
Example 7.6. Base DN containing spaces
cn=internet\ users,dc=ads,dc=local
LDAP type
You can select between different types of LDAP implementations:
Active Directory (ADS)
Novell eDirectory (NDS)
LDAP v2 and v3
LDAP Server
Note
The protocol LDAPS (Secure LDAP, port 636) is not supported.
Bind DN settings
Figure 7.20. Bind DN settings of LDAP authentication within HTTP advanced proxy
Bind DN username
Enter the full distinguished name for a Bind DN user.
Note
A Bind DN user is required for Active Directory and eDirectory.
Note
The Bind DN user must be allowed to browse the directory and read all user attributes.
Note
If the Bind DN username contains spaces, you must escape these spaces using a backslash.
Bind DN password
Enter the password for the Bind DN user.
Figure 7.21. Groupbased access control of LDAP authentication within HTTP advanced proxy
Note
If the group name contains spaces, you must escape these spaces using a backslash.
Advanced Group Selections
Windows authentication
This authentication method uses an existing windows domain environment for user authentication.
Figure 7.22. HTTP advanced proxy authentication against Windows
In addition to the authentication you can define positive or negative user based access control lists.
Common domain settings
Figure 7.23. Common domain settings of Windows authentication on HTTP advanced proxy
Domain
Enter the name of the domain you want to use for authentication. If you are running a Windows 2000 or Windows 2003 Active
Directory, you'll have to enter the NetBIOS domain name.
PDC hostname
Enter the NetBIOS hostname of the Primary Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active
Directory, you can enter the name of any Domain Controller.
Note
For Windows 2000 and above the Primary Domain Controller is not assigned to a specific server. The
Active Directory PDC emulator is a logical role and can be assigned to any server.
Warning
The PDC hostname must be resolvable for Endian Firewall. This can be done by adding the
hostname at Network > Edit Hosts (See the section called Host configuration (Edit Hosts)).
BDC hostname (optional)
Enter the NetBIOS hostname of the Backup Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active
Directory, you can enter the name of any Domain Controller. If the PDC doesn't respond to authentication requests, the
authentication process will ask the BDC instead.
Warning
The BDC hostname must be resolvable for Endian Firewall as well. This can be done by adding the
hostname at Network > Edit Hosts (See the section called Host configuration (Edit Hosts)).
Authentication mode
be used for authentication. This option is enabled by default. If integrated authentication is disabled, the user will be requested
explicitly for username and password.
User based access restrictions
Figure 7.25. Userbased access restrictions on windows authentication of HTTP advanced proxy
Enabled
Enables access control lists for authorized or unauthorized users.
Use positive access control / Authorized domain users
These listed users will be allowed for web access. For all other users, access will be denied.
Use negative access control / Unauthorized domain users
These listed users will be blocked for web access. For all other users, access will be allowed.
Note
If Windows integrated authentication is enabled, the username must be entered with the domain name as a
prefix for the username, separated by a backslash.
Example 7.7. User based access control lists using integrated authentication
Figure 7.26. Integrated windows authentication with HTTP advanced proxy
Note
When using integrated authentication, the user must be logged into the domain, otherwise the
name of the local workstation instead of the domain name will be added to the username.
Example 7.8. User based access control lists using explicit authentication
Figure 7.27. Explicit authentication with HTTP advanced proxy
Note
Explicit authentication grants access to the user even if the user is not logged
into the domain, as long as the username is the same and the local
workstation password matches the domain password.
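The following Python is an added example, not part of the original manual and not Endian Firewall's own code. It models the two steps described above: how the username the proxy sees depends on the authentication mode (domain prefix, workstation prefix, or bare name), and how the positive or negative list is then applied to it. The domain name ACME, the workstation name PC42 and the user names are constructed; whether the credentials themselves are accepted by the domain is outside the model.

```python
# Added example, not Endian Firewall code. Models the user-based access
# restrictions of the HTTP proxy's Windows authentication as described in
# the manual. ACME, PC42 and the user names are constructed.


def proxy_username(account, *, integrated, domain, workstation, logged_into_domain):
    """Return the name the proxy compares against its access lists.

    Explicit authentication: the user types a bare account name.
    Integrated authentication: the name always carries a prefix and a
    backslash; it is the domain if the user is logged into the domain,
    otherwise the name of the local workstation.
    """
    if not integrated:
        return account
    prefix = domain if logged_into_domain else workstation
    return f"{prefix}\\{account}"


def acl_allows(username, *, enabled, positive, listed_users):
    """Apply the access list.

    positive=True : listed users are allowed, everyone else is denied
    positive=False: listed users are blocked, everyone else is allowed
    Windows names are case-insensitive, so the comparison is too.
    """
    if not enabled:
        return True
    listed = username.lower() in {u.lower() for u in listed_users}
    return listed if positive else not listed


def web_access(account, *, integrated, logged_into_domain, positive, listed_users,
               domain="ACME", workstation="PC42"):
    """Combine both steps for one request (constructed default names)."""
    name = proxy_username(account, integrated=integrated, domain=domain,
                          workstation=workstation,
                          logged_into_domain=logged_into_domain)
    return name, acl_allows(name, enabled=True, positive=positive,
                            listed_users=listed_users)


if __name__ == "__main__":
    # Positive list, integrated authentication: the same person is denied as
    # soon as the workstation is not logged into the domain, because the
    # proxy now sees PC42\jdoe instead of ACME\jdoe.
    print(web_access("jdoe", integrated=True, logged_into_domain=True,
                     positive=True, listed_users=["ACME\\jdoe"]))
    print(web_access("jdoe", integrated=True, logged_into_domain=False,
                     positive=True, listed_users=["ACME\\jdoe"]))
    # Negative list: the same name change makes the block entry miss, so a
    # blocked user on a non-domain workstation is let through.
    print(web_access("jdoe", integrated=True, logged_into_domain=False,
                     positive=False, listed_users=["ACME\\jdoe"]))
    # Explicit authentication: no prefix, so the list entry is the bare name.
    print(web_access("jdoe", integrated=False, logged_into_domain=False,
                     positive=False, listed_users=["jdoe"]))
```

The negative-list case is the one to watch: with integrated authentication a block entry written as DOMAIN\user no longer matches once the request arrives from a workstation that is not logged into the domain, so a blocklist is only as reliable as the domain membership of the clients.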
RADIUS authentication
This authentication method uses an existing RADIUS server for user authentication.
Figure 7.28. Displays RADIUS authentication configuration of HTTP advanced proxy
In addition to the authentication you can define positive or negative user based access control lists.
Note
This authentication method cannot handle encrypted connections. If you are running a Microsoft IAS for
RADIUS you'll have to turn off any type of encryption at your IAS.
Figure 7.29. Displays common RADIUS settings of HTTP advanced proxy authentication
RADIUS Server
Enter the IP address of the RADIUS Server you want to use for authentication.
Port
Enter the port that will be used to communicate with the RADIUS Server. The default is port 1645; some RADIUS servers use
port 1812 instead, which is the port assigned to RADIUS authentication by RFC 2865.
Identifier
This is an optional field and can be used to identify your Endian Firewall for the RADIUS Server. If this is left empty, the IP address
of your Endian Firewall will be used for identification.
Shared secret
This is the shared secret for the authentication of your Endian Firewall against the RADIUS Server. This must be the same
password that you have entered at your RADIUS Server.
User based access restrictions
Figure 7.30. Displays user based access restrictions of HTTP advanced proxy
Enabled
Enables access control lists for authorized or unauthorized users.
Use positive access control / Authorized users
These listed users will be allowed for web access. For all other users, access will be denied.
Use negative access control / Unauthorized users
These listed users will be blocked for web access. For all other users, access will be allowed.
Advanced Group Selections
Content filter
Note
Requests from users in the extended group, and from users that are allowed to bypass the proxy, are not affected
by the filter.
Content filter (Dansguardian)
Figure 7.31. General content filter configuration
Note
If you want to see the clients' IP addresses you will have to turn on client IP address forwarding in the
upstream proxy section.
PICS
This enables support for the Platform for Internet Content Selection (PICS: http://www.w3.org/PICS/). PICS allows labels to
be attached to Internet content and was originally designed to help parents and teachers control what their children can access.
Today many other rating services and filtering products are built on PICS.
Save
To save your settings click here.
Block pages which contain unallowed phrases
Figure 7.32. Selection of disallowed phrases which pages may contain
Note
This feature is not available for the mini edition of Endian Firewall.
Note
This won't affect users from the extended group as well as users that bypass the proxy.
Block pages known to have content of the following categories
Figure 7.33. Selection of categories of url lists which should be blocked by the HTTP contentfilter
Block pages that are known to have content of the ticked categories
By checking the boxes corresponding to the displayed categories, it will be impossible to load URLs that appear in URL list for one
of the checked categories.
Save
To save your settings click here.
Note
This won't affect users from the extended group as well as users that bypass the proxy.
Custom black- and whitelists
Figure 7.34. Custom black- and whitelists for the HTTP contentfilter
Note
This will not affect users that bypass the proxy and users in the extended group.
HTTP Antivirus
Figure 7.35. HTTP Antivirus configuration page
The URLs that are entered here will not be scanned for viruses. Enter only one URL per line.
Client access: Disabling the proxy service gives direct access for all clients.
Figure 7.37. Figure which displays traffic which will not be directed through the HTTP proxy
Result: The proxy service will never be used. Logging, filtering and authentication will not be available.
Proxy service enabled, running in non-transparent mode
Client access: All clients without explicit proxy configuration will bypass the proxy service.
Figure 7.39. Figure which displays traffic which will not be directed through the HTTP proxy
Client access: All clients configured for proxy usage will use the proxy for all destination ports (80, 443, 8080, etc.) and even for browser
based FTP access.
Figure 7.40. Figure which displays traffic which will be redirected through the HTTP proxy.
Result: It depends on the client configuration whether the proxy service will be used or not. Unconfigured clients will bypass logging,
filtering and authentication.
Proxy service enabled, running in transparent mode
Client access: All requests with destination port 80 will be internally redirected to the proxy service. Requests with other destination
ports (e.g. 443 for https) will bypass the proxy service.
Figure 7.42. Figure that displays traffic which will be transparently redirected through the HTTP proxy.
Result: Most, but not all, requests pass the proxy service. Anything not on destination port 80 (HTTPS in particular) goes direct, so filtering, logging and authentication cannot be relied upon in this mode.
Client side Web Proxy configuration
There are different ways to configure the clients to use the Web Proxy service. Some of them are described in this section.
Manual client configuration
All direct web access needs to be blocked. See the section called Outgoing Firewall Administrative Web Page.
POP3
Global settings
Figure 7.43. Shows POP3 proxy global settings
Enabled on zone
This enables the E-Mail POP Scanner to listen for requests on the selected zone (GREEN, BLUE or ORANGE). All requests for
the destination port 110 (POP3) will automatically be intercepted and forwarded to the POP3 Scanner without the need of any
special configuration changes to your clients.
Virus scanner
This option enables the virus scanner for the incoming mails using the POP3 protocol.
Spam filter
When activated this will turn on the spam filter for incoming mails.
Firewall logs outgoing connections
By enabling this feature the firewall will log every successful connection to an external POP3 server.
Spamfilter configuration
Figure 7.44. Spamfilter configuration of POP3 proxy
E-mails coming from these addresses are always treated like spam.
Note
Black list and white list for the POP3 proxy will NOT be used by the SMTP proxy.
SIP
The SIP Proxy is a proxy/masquerading daemon for the SIP and RTP protocols. SIP (Session Initiation Protocol, RFC 3261) and RTP
(Real-time Transport Protocol) are used by Voice over IP (VoIP) devices to establish telephone calls and carry voice streams. The proxy
handles registrations of SIP clients on a private IP network and rewrites the SIP message bodies so that SIP connections are
possible through the firewall, which lets SIP clients (such as X-Lite, KPhone, Linphone or VoIP hardware) work behind NAT.
Without this proxy, connections between two clients that are both behind NAT are not possible at all, since neither client can reach the other
directly and therefore no RTP connection can be established between them.
Figure 7.45. SIP Proxy Settings
Enabled on zone
This enables the SIP Proxy to listen for requests on the selected port (default: 5060)
Transparent on zone
If transparent mode is enabled, all requests for the destination port 5060 will be forwarded to the SIP Proxy without the need of any
special configuration changes on your clients.
SIP Port
Port to listen on for incoming SIP messages (default: 5060).
RTP Port low / RTP Port high
UDP Port range which the SIP proxy will use for incoming and outgoing RTP traffic. By default the range 7070 up to (and including)
7090 is used. This allows up to 10 simultaneous calls (2 ports per call). If you need more simultaneous calls, increase the range.
Autosave Registration
This allows the SIP proxy to remember registration across a restart.
Time
Save the registration file every this many seconds.
Outbound Proxy Host/Port
The SIP Proxy itself can be told to send all traffic to another outbound proxy.
Log Calls
This enables logging of established calls. You will see the logging entries within siproxy logviewer. (See the section called
SIProxy log page)
Firewall logs outgoing connections
Tick this on if you want the firewall to log all outgoing connections. Note that in some countries this may be illegal.
Save and Restart
Save the settings and restart the SIP proxy by clicking the Save and restart button.
Note
Some VoIP devices need special configuration in order to be able to cooperate with the SIP proxy. We
noticed especially on snom phones the necessity to enable Support for broken registrars in order to have it
fully functional.
FTP
The FTP proxy is only available as a transparent proxy. As such it intercepts each FTP connection on port 21 made to the outside, scans the
received contents for viruses and handles the transfer on behalf of the client.
Warning
If you configure your FTP clients or browsers to use the HTTP proxy also for the FTP protocol, this FTP
proxy will be bypassed!
Note
The FTP proxy does not support trickling (passing data on to the client while the download is still being scanned). This means that
the proxy needs to download the entire file before the virus scanner can scan it. The FTP client receives data on the control
connection so that it does not time out, but receives no data on the data connection. The effect is that the user does not see any
progress during the download and gets all the data at once after the file has been scanned by the proxy.
Figure 7.46. FTP proxy administration page
Since the FTP proxy has only basic support, there are not many configuration options. They are:
Enabled on zone
This enables the FTP proxy on the specified zone.
Firewall logs outgoing connections
Tick this on if you want the firewall to log all outgoing connections made through the proxy. Note that in some countries this may be
illegal.
Warning
With some FTP clients such as Web browsers, the FTP proxy can have some trouble with the
authentication. If you need to authenticate against external FTP servers, use real FTP clients or disable the
FTP proxy.
SMTP
The scope of the SMTP proxy is to control and optimize SMTP traffic in general and to protect your network from threats when using the
SMTP protocol. The SMTP (Simple Mail Transfer Protocol) protocol is used whenever you send an e-mail through your mail client to a
remote mail server (outgoing mail). It is also used if you have your own mail server running on your LAN (GREEN interface) or your
DMZ (ORANGE interface) and are allowing mail to be sent from outside your network (incoming requests) to your mail
server.
Warning
In order to download mail from a remote mailserver with your local mail clients, the POP3 or IMAP protocol
will be used. If you want to protect that traffic too, you have to use the POP3 proxy. Scanning of IMAP traffic
is currently not supported.
With the mail proxy functionality, both sorts of traffic (incoming and outgoing mail) can be scanned for viruses, spam and other threats. Mail
will be blocked if necessary and notices will be sent to both the receiving user and the administrator. Because it can scan
incoming mail, the mail proxy can accept incoming connections itself and pass the mail on to one or more internal mail servers, which removes
the need to allow SMTP connections from the outside into your local networks.
The following is a complete feature list, which will be described in detail in the following sections:
Multi-domain support
Configurable relaying policy per domain
Spool visualisation & management
External authentication support
TLS Email Transport Encryption support
Mail statistics
Day, Week, Month, Year graphs
Spam, Virus, Bounced, Rejected
Configurable maximum mail data size
Spam blocking
Spam notification
Local/Remote Quarantine
Realtime Blacklist (RBL) support
General Settings
Figure 7.47. General Settings
Enabled
This enables the SMTP proxy in order to accept requests on port 25.
Note
In non-transparent mode, relaying is refused unless the client authenticates.
Transparent on zone
If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without
the need of any special configuration changes on your clients.
Antivirus is enabled
Tick this on if you'd like to enable the antivirus. If you enable the antivirus, you can configure the antivirus by clicking on the
Antivirus link. See the section called Antivirus for a detailed description.
Spamcheck is enabled
Tick this on if you'd like to enable the antispam. If you enable the spam filter, you may configure it by clicking on the Spam link. See
the section called AntiSpam for a detailed description.
File Extension are blocked
Tick this on if you want to enable the file extension blocker. With this you can specify a list of file extensions which are not allowed
as attachments. If you enable it, configure it by clicking on the File Extensions link. See the section called Banned File Extension
for a detailed description.
Incoming Mail enabled
If you have an internal Mailserver and would like the SMTP proxy to forward incoming mails to your internal server you need to tick
this checkbox on.
Note
You need to configure the e-mail domains for which the proxy should be responsible. List the responsible
domains within the page you reach by clicking on the Domains link. See the section called Domains
for a detailed description.
Firewall logs outgoing connections
Tick this on if you want the firewall to log all established outgoing connections. Note that in some countries this may be illegal.
Save changes and restart
Save the settings and restart the SMTP proxy by pushing this button.
Antivirus
The Antivirus is a core functionality of the SMTP proxy module. It offers four different ways of handling mail that contains a virus. You
can also configure an e-mail address to be notified of each recognized and handled threat.
Figure 7.48. SMTP Antivirus
Mode
This allows you to select the mode of handling infected emails. The following possibilities exist:
DISCARD
In this mode the email will not be delivered to its recipients and deleted without sending a notification to the sender. If a virus
quarantine is defined a copy of the original e-mail will be sent or copied to the virus quarantine.
Note
In most cases this is the best way of handling infected mails.
BOUNCE
In this mode the email will not be delivered to its recipients but bounced back to the sender in form of a delivery status
notification with a non-delivery notification. If a virus quarantine is defined a copy of the original email will be sent or copied to
the virus quarantine.
Warning
Sending notification mails to the sender is of little help, because worms normally use
spoofed sender addresses, so such notifications mostly reach anyone but the right
person. The SMTP proxy does not send bounces back to the sender when it recognizes a worm
that is known to spoof the sender address. Nevertheless, the benefit of this mode may be
smaller than the problems it causes.
REJECT
The email will be rejected by the MTA. Basically this is the same as BOUNCE. (removed in version 2.1)
PASS
Mail will pass to its recipients, regardless of bad content.
Virus Admin
Gives you the possibility to specify a (fully qualified) administrator email address where virus notifications should be sent. (Default
is empty)
Virus Quarantine
Location to put infected mail into. The following possibilities are valid:
leave empty
Warning
There is no way to control and manage the quarantine with this option.
any email address
You can specify any valid e-mail address, to which infected e-mails will be forwarded to. With this variant you can forward all
infected mails to a POP3 or an IMAP account where you may manage them easily.
Note
The email address must contain a @.
Warning
This email address must not have any virus scanner, otherwise the quarantined mail will be
blocked by that server.
Save changes and restart
Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.
AntiSpam
The antispam module offers several different ways to protect you against spam. In general SpamAssassin and amavisd-new
are used to filter out spam. SpamAssassin incorporates several means of detecting spam. It has a scoring system in which a large
number of inter-related rules fire and their scores are totalled to determine whether a message is spam or not. The score of each rule is
tuned together with the scores of all the other rules in the rule set, so that the rule set as a whole places as much spam and as much legitimate
mail as possible on the correct side of the threshold.
While the rules catch much of the simpler spam, well-known spam and spam sent by known spam hosts, spammers constantly adapt
their messages in order to evade spam filters. It is therefore necessary to also train the spam filter continuously in order to reach a
personalized and stronger statistical filter (Bayes).
Note
While the spam filter blocks much spam it never will block all of your spam.
Note
The SpamAssassin rules are not updated automatically the way the virus signatures are.
General Settings
Figure 7.49. SMTP Antispam
Spam destination
This allows you to define what should be happen to spam mails. The following possibilities do exist:
DISCARD
In this mode the email will not be delivered to its recipients and deleted without sending a notification to the sender. If a
spam quarantine is defined a copy of the original e-mail will be sent or copied to the spam quarantine.
Note
In most cases this is not very useful, since the spam filter may also block
regular mail (false positives) if it is configured too restrictively.
Warning
Check your local law. In most countries it is illegal to delete mail without the permission of the
recipient.
BOUNCE
In this mode the email will not be delivered to its recipients but bounced back to the sender in form of a delivery status
notification with a non-delivery notification. If a spam quarantine is defined a copy of the original email will be send or copied
to the spam quarantine.
Warning
Sending notification mails to the sender of spam is of little help: spammers would
only learn that they hit a real e-mail address. Furthermore, spammers mostly do not
use their real sender addresses. They nearly always use spoofed sender addresses, so
such notifications almost always reach anyone but the right person.
REJECT
The email will be rejected by the MTA. Basically this is the same as BOUNCE. (removed in version 2.1)
PASS
Mail will pass to its recipients, regardless of bad content.
Note
In most cases, this is the best mode you can use. The spam filter adds spam headers and
changes the subject of the mail if it recognizes the mail as spam. The recipients then may use
their mail clients to filter those mails themselves.
Spam admin
Gives you the possibility to specify a (fully qualified) administrator e-mail address to which spam notifications should be sent.
(Default is empty)
Spam quarantine
Location to put spam mail into. The following possibilities are valid:
leave empty
Disables the quarantine
spam-quarantine
Set this if you would like to store spam mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the
default.
Warning
There is no possibility to control and manage the quarantine if you use this possibility.
any email address
You can specify any valid email address, to which spam mail will be forwarded. With this variant you can forward all spam
mails to a POP3 or IMAP account where you may manage them easily.
Note
The email address must contain a @.
Warning
This email address must not have any blocking spam filter, otherwise the quarantined mail will
be blocked by that server.
SPAM TAG Level:
If the spam score is greater than or equal to this level, spam info e-mail headers are added. You will find them as X-Spam-Status and X-Spam-Level headers.
Note
This level will not block the mail regardless what you defined as spam destination.
Example 7.10. Example spam info headers
X-Spam-Status: Yes, hits=12.4 tagged_above=-10.0 required=5.3 tests=BAYES_99,
RCVD_HELO_IP_MISMATCH, RCVD_IN_XBL, RCVD_NUMERIC_HELO, SARE_FWDLOOK,
SARE_MONEYTERMS, SARE_OEM_FAKE_YEAR
X-Spam-Level: ************
X-Spam-Flag: YES
Note
Users may use X-Spam-Flag: YES as search string for their mail client filter.
SPAM quarantine level
If spam score is greater or equal to this level then the spam evasive action which you selected in spam destination will be used.
Note
This is the level which may delete spam mail if you selected to DISCARD spam mail.
Sender notification only below level
If the spam score is greater than this level, no notification mails will be sent to the administrator.
SPAM subject
String to prepend to the subject header field when message exceeds SPAM MARK level.
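The following Python is an added example, not part of the original manual and not Endian Firewall's own code. It parses an X-Spam-Status header of the kind shown in Example 7.10 and applies the three levels described above (tag level, quarantine level, sender notification level) together with the spam destination to a score. The level values and the sample header are constructed; the point at which the subject prefix is applied is assumed to be the quarantine level, which the manual does not state precisely.

```python
# Added example, not Endian Firewall code. Parses the X-Spam-Status header
# the filter adds and applies the three SMTP AntiSpam levels described in
# the manual to a score. The level values and the sample header are
# constructed for illustration; the subject prefix is assumed to be applied
# at the quarantine level, which the manual does not state precisely.
import re

# Sample X-Spam-Status value in the format shown in the manual (constructed,
# already unfolded onto one line).
SAMPLE_STATUS = ("Yes, hits=12.4 tagged_above=-10.0 required=5.3 "
                 "tests=BAYES_99, RCVD_HELO_IP_MISMATCH, RCVD_IN_XBL")


def parse_spam_status(value):
    """Extract verdict, score, threshold and rule names from an X-Spam-Status value."""
    m = re.match(r"\s*(Yes|No),\s*hits=(-?[\d.]+).*?required=(-?[\d.]+)", value)
    if not m:
        raise ValueError("not an X-Spam-Status header value")
    tests_match = re.search(r"tests=(.*)$", value)
    tests = [t.strip() for t in tests_match.group(1).split(",")] if tests_match else []
    return {"spam": m.group(1) == "Yes", "hits": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}


def apply_levels(score, *, tag_level, quarantine_level, notify_below,
                 destination, subject_prefix="***SPAM***"):
    """Decide what happens to a message with the given score.

    tag_level        : at or above it, X-Spam-* info headers are added
    quarantine_level : at or above it, the spam destination action is used
    notify_below     : above it, no notification goes to the spam admin
    destination      : DISCARD, BOUNCE or PASS (REJECT was removed in 2.1)
    """
    if destination not in ("DISCARD", "BOUNCE", "PASS"):
        raise ValueError("unknown spam destination")
    tagged = score >= tag_level
    is_spam = score >= quarantine_level
    return {
        "add_headers": tagged,
        "action": destination if is_spam else "PASS",
        # subject prefix assumed to be applied when the mail counts as spam
        "subject_prefix": subject_prefix if is_spam else "",
        # the admin is told only about spam that did not exceed notify_below
        "notify_admin": is_spam and score <= notify_below,
    }


if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_STATUS)
    print(status)
    # Constructed configuration: tag at 3.0, act at 6.0, no admin mail above 10.0
    print(apply_levels(status["hits"], tag_level=3.0, quarantine_level=6.0,
                       notify_below=10.0, destination="DISCARD"))
```

With tag level 3.0, quarantine level 6.0 and notification level 10.0, the sample message (score 12.4) is tagged and discarded, but the administrator is not notified because the score exceeds the notification level; a message scoring 4.0 only gets the info headers and is delivered unchanged.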
Save changes and restart
Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.
Greylisting
Greylisting is a simple method of defending e-mail users against spam. In short, a mail transfer agent which uses
greylisting will temporarily reject any e-mail from a sender it does not recognize. The sender will be delayed for the configured time. If the
mail is legitimate, the originating server will try again later. Once the delay time has elapsed, the destination will accept it. Spammers
normally do not retry temporarily rejected mail, since retrying is not cost-effective for them. Moreover, spam sources that do retry later
are more likely to be listed in DNSBLs and distributed signature systems such as Pyzor by the time they do.
Figure 7.50. Greylisting
greylisting activated
Tick this on if you want to enable greylisting.
delay(sec)
You can change the delay from 30 secs to maximum 3600 (1 hour).
Whitelist recipient
With this you can whitelist an address or a complete domain (one entry per line).
Whitelist client
You can exclude a Mailserver address in order to bypass greylisting for this mail server (one entry per line).
Save changes and restart
Save the settings and restart the SMTP Proxy by clicking the save changes and restart button
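The following Python is an added example, not part of the original manual and not Endian Firewall's own code. It implements the greylisting decision described above: an unknown (client, sender, recipient) triplet is temporarily rejected and accepted once the configured delay has elapsed, while whitelisted recipients, recipient domains and client addresses bypass the check. All addresses and the delay value are constructed.

```python
# Added example, not Endian Firewall code. A minimal greylisting decision as
# the manual describes it: an unknown (client, sender, recipient) triplet is
# temporarily rejected, and accepted once the configured delay has elapsed;
# whitelisted recipients, recipient domains and client addresses bypass it.
# All addresses below are constructed.


class Greylister:
    def __init__(self, delay=300, whitelist_recipients=(), whitelist_clients=()):
        # the web interface allows 30 to 3600 seconds
        if not 30 <= delay <= 3600:
            raise ValueError("delay must be between 30 and 3600 seconds")
        self.delay = delay
        # "Whitelist recipient": full addresses or complete domains, one per line
        self.whitelist_recipients = {r.strip().lower() for r in whitelist_recipients if r.strip()}
        # "Whitelist client": mail server addresses, one per line
        self.whitelist_clients = {c.strip() for c in whitelist_clients if c.strip()}
        self.seen = {}  # triplet -> time of first attempt (seconds)

    def _recipient_whitelisted(self, recipient):
        recipient = recipient.lower()
        domain = recipient.rsplit("@", 1)[-1]
        return recipient in self.whitelist_recipients or domain in self.whitelist_recipients

    def check(self, client_ip, sender, recipient, now):
        """Return ("250", reason) to accept or ("450", reason) to defer."""
        if client_ip in self.whitelist_clients or self._recipient_whitelisted(recipient):
            return ("250", "whitelisted")
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.seen.setdefault(key, now)   # first attempt is recorded now
        waited = now - first
        if waited >= self.delay:
            return ("250", "greylist delay of %ds elapsed" % self.delay)
        return ("450", "4.7.1 greylisted, try again in %ds" % (self.delay - waited))


if __name__ == "__main__":
    g = Greylister(delay=300,
                   whitelist_recipients=["postmaster@example.org", "partner.example"],
                   whitelist_clients=["192.0.2.25"])
    for t in (0, 120, 300):
        print(t, g.check("198.51.100.7", "alice@sender.test", "bob@example.org", t))
    print(g.check("198.51.100.7", "alice@sender.test", "postmaster@example.org", 0))
    print(g.check("192.0.2.25", "alice@sender.test", "bob@example.org", 0))
```

The triplet table is what makes the delay per sender rather than per connection: a legitimate server retrying from the same address for the same envelope is accepted after the delay, while a new recipient or a new client address starts a fresh wait. Whitelisting the client address of a mail server that you know retries poorly (or that sends time-critical mail) is the intended escape hatch.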
Note
File Extension Block must be enabled in general settings.
Banned files destination
This allows you to define what should happen to e-mails containing files with banned extensions. The following possibilities do
exist:
DISCARD
In this mode the e-mail will not be delivered to its recipients and deleted without sending a notification to the sender. If a
quarantine for banned files is defined a copy of the original e-mail will be sent or copied to that quarantine.
BOUNCE
In this mode the e-mail will not be delivered to its recipients but bounced back to the sender in form of a delivery status
notification with a non-delivery notification. If a quarantine for banned files is defined a copy of the original e-mail will be sent
or copied to that quarantine.
Note
Normally it may be wise to use this variant, since senders then learn what they are doing wrong. Keep in mind that the
notice only reaches the right person if the sender address is genuine.
REJECT
The e-mail will be rejected by the MTA. Basically this is the same as BOUNCE. (removed in version 2.1)
PASS
Mail will pass to its recipients, regardless of bad content.
Banned files quarantine
Location to put mail with banned files into. The following possibilities are valid:
leave empty
Disables the quarantine
spam-quarantine
Set this if you would like to store bad mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the
default.
Warning
There is no possibility to control and manage the quarantine if you use this possibility.
any email address
You can specify any valid e-mail address, to which bad mail will be forwarded. With this variant you can forward all bad mail
to a POP3 or an IMAP account where you may manage it easily.
Note
The e-mail address must contain a @.
Admin notification
Gives you the possibility to specify a (fully qualified) administrator e-mail address where notifications about bad attachments
should be sent. (Default is empty)
Block double extension:
Tick this if you want to block attachments whose file name has one of the following double extensions.
filename.XXX.exe
filename.XXX.vbs
filename.XXX.pif
filename.XXX.scr
filename.XXX.bat
filename.XXX.cmd
filename.XXX.com
filename.XXX.dll
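The following Python is an added example, not part of the original manual and not Endian Firewall's own code. It applies the two rules described above to attachment file names: the configured list of banned extensions, and the fixed double-extension rule (filename.XXX.exe and the other endings listed). The configured banned list and the file names are constructed.

```python
# Added example, not Endian Firewall code. Applies the banned file extension
# list and the double-extension rule from the manual to attachment names.
# The configured banned list is constructed; the double-extension list is
# the one shown in the manual.

DOUBLE_EXTENSIONS = {"exe", "vbs", "pif", "scr", "bat", "cmd", "com", "dll"}


def check_attachment(filename, banned, block_double=True):
    """Return None if the attachment is allowed, otherwise the reason.

    banned       : extensions configured on the File Extensions page
    block_double : the "Block double extension" option
    Matching is case-insensitive because mail clients and Windows are.
    """
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return None                      # no extension at all
    ext = parts[-1]
    if ext in banned:
        return "banned extension ." + ext
    # filename.XXX.exe style: at least two extensions and the last one is
    # in the fixed double-extension list, e.g. invoice.pdf.exe
    if block_double and len(parts) >= 3 and parts[-2] and ext in DOUBLE_EXTENSIONS:
        return "double extension .%s.%s" % (parts[-2], ext)
    return None


def banned_attachments(filenames, banned, block_double=True):
    """Map each attachment that must be blocked to the reason."""
    result = {}
    for f in filenames:
        reason = check_attachment(f, banned, block_double)
        if reason:
            result[f] = reason
    return result


if __name__ == "__main__":
    # Constructed attachment names from one message
    names = ["setup.exe", "Invoice.PDF.EXE", "archive.tar.gz", "report.docx", "README"]
    print(banned_attachments(names, banned={"exe", "zip"}))
```

The double-extension rule is what catches the classic disguise: with only "zip" on the banned list, Invoice.PDF.EXE is still blocked because its real extension is one of the executable types, whereas archive.tar.gz passes since .gz is not in that list.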
Save changes and restart
Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.
Blacklists/Whitelists
An often used method to block certain types of spam e-mail are so-called real-time blacklists (RBL). They are created by many
different organisations, which manage, administer and update them. If a domain or a sender IP address is listed in
one of those blacklists, the mail is refused promptly, without the need or the possibility to gather more information about it. This
saves more bandwidth than the RBL checks of the antispam module, since the mail is not accepted and then handled but
refused as soon as a listed IP address is recognized.
This dialogue gives also the possibility to explicitely block (blacklist) or explicitely allow (whitelist) certain sender, recipients, ip
addresses or networks.
Real-time Spam Black Lists (RBL)
A DNS-based Blackhole List (DNSBL, Real-time Blackhole List or RBL), is a published list of IP addresses, in a format that can be easily
queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name
System. DNSBLs are chiefly used to publish lists of addresses linked to spamming.
Warning
It may happen that IP addresses have been wrongly listed by the RBL operator. If this should happen, it
may negatively impact your communication, to the effect that mail will be refused without the possibility to
recover it. You also have no direct influence on the RBLs.
Figure 7.52. Real-time Black Lists
bl.spamcop.net
RBL based on user submission.(www.spamcop.net)
sbl-xbl.spamhaus.org
The SBL is a realtime database of IP addresses of verified spam sources (including spammers, spam gangs and spam support
services), maintained by the Spamhaus Project team and supplied as a free service to help e-mail administrators to better manage
incoming e-mail streams.
The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies
(HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits
(www.spamhaus.org).
cbl.abuseat.org
The CBL takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open
proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their
own direct mail transmission, or some types of trojan-horse or stealth spamware, without doing open proxy tests of any kind.
The CBL does NOT list open SMTP relays (cbl.abuseat.org).
dul.dnsbl.sorbs.net
This contains a list of Dynamic IP Address ranges (www.au.sorbs.net).
list.dsbl.org
DSBL is the Distributed Sender Blackhole List, it publishes the IP addresses of hosts which have sent special test email to
listme@listme.dsbl.org or another listing address.The main delivery mechanism of spammers is the abuse of non-secure
servers. For this reason, many people want to know which servers are non-secure so they can refuse email from these servers.
DSBL is intended as a place to publish whether a server is non-secure (www.dsbl.org).
relays.ordb.org
ORDB.org is the Open Relay Database. ORDB.org is a non-profit organisation which stores the IP addresses of verified open SMTP
relays. These relays are, or are likely to be, used as conduits for sending unsolicited bulk e-mail, also known as spam. By
accessing this list, system administrators can choose to accept or deny e-mail exchange with servers at these addresses
(www.ordb.org).
opm.blitzed.org
OPM is designed to list IPs confirmed to be running insecure proxies. These can be present because of misconfiguration of
legitimately-installed software, or they can be due to the installation of trojans, viruses and other malware. OPM differs from other
open proxy DNSBLs in that it tries not to proxy test remote hosts unless they are implicated in reports of abuse, and it aggressively
expires old IPs, especially those known to be used for dynamic leases, such as dialup customers.
opm.blitzed.org does NOT list open SMTP relays (wiki.blitzed.org/OPM). (This list has been removed in version 2.1)
dsn.rfc-ignorant.org
The dsn.rfc-ignorant.org is a list which contain domains or IP networks whose administrators choose not to obey the RFCs, the
building block rules of the net (www.rfc-ignorant.org).
blackhole.securitysage.com
This list is comparable to the dsn.rfc-ignorant.org list - it contains a list of domain names (as opposed to IP addresses) that can be
checked against the client domain of an email, as well as the domain portion (after the @) of the sender and recipient addresses.
(www.securitysage.com). (New in version 2.1)
save changes and restart
Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.
Note
Advanced users can modify the list by editing the file /var/efw/smtpd/default/RBL.
Custom black/whitelists
You have full control and can blacklist or whitelist specific senders, recipients or clients.
Figure 7.53. black/whitelists
Sender Whitelist/Blacklist
There are multiple ways to deny (blacklist) or allow (whitelist) a sender or domain (one per line).
The addresses in these lists will be compared with the sender's e-mail address of each incoming mail.
Domain (with subdomains)
Allow or deny a complete domain with all its subdomains.
Example 7.11. Allow or deny a complete domain
endian.it
sub.example.com
This will cover each e-mail address under both domains and their subdomains, like mail@sub.endian.it.
Subdomains
Allow or deny only the subdomains of the specified domain. In order to achieve this, add a leading dot to the domain name.
Example 7.12. Allow or deny only the subdomains of a domain
.endian.it
.sub.example.com
This will cover each e-mail address under each subdomain of both domains. For instance it will include
mail@test.endian.it but exclude info@endian.it.
Address
Allow or deny a single fully qualified e-mail address or any e-mail address having the specified user part.
Example 7.13. Allow or deny single email addresses or user names.
info@endian.it
postmaster@
abuse@
This will cover the single e-mail address info@endian.it of course, and each e-mail address with postmaster or
abuse as user part, like postmaster@riaa.org.
Recipient Whitelist/Blacklist
There are multiple ways to deny or allow a single recipient or domain (one per line).
The addresses in these lists will be compared with the recipient's e-mail address of each incoming mail.
Domain (with subdomains)
This will cover each e-mail address under both domains and their subdomains, like mail@sub.endian.it.
Subdomains
Allow or deny only the subdomains of the specified domain. In order to achieve this, add a leading dot to the domain name.
Example 7.15. Allow or deny only the subdomains of a domain
.endian.it
.sub.example.com
This will cover each e-mail address under each subdomain of both domains. For instance it will include
mail@test.endian.it but exclude info@endian.it.
Address
Allow or deny a single fully qualified e-mail address or any e-mail address having the specified user part.
Example 7.16. Allow or deny single email addresses or user names.
info@endian.it
postmaster@
abuse@
This will cover the single email address info@endian.it of course, and each email address with postmaster or abuse
as user part, like postmaster@riaa.org.
Warning
If the SMTP proxy runs in transparent mode, each IP address of the subnets known to the Endian
Firewall will be allowed automatically. Therefore it is not possible to blacklist a recipient which has
one of those IP addresses.
Client Whitelist/Blacklist
You can also block or allow a single IP address or subnet from which mail will be sent (one per line).
Example 7.17. Allow or deny an IP block.
Note
The whitelist overrides the blacklist. You can blacklist a whole subnet and then whitelist a single
address.
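The matching rules above for sender/recipient entries and client subnets, including the whitelist-over-blacklist precedence, modelled in Python as an added example (this is not Endian Firewall code; the entry forms follow Examples 7.11 to 7.13 and the sample lists and addresses are constructed):

```python
"""Model of the SMTP proxy black/whitelist matching rules (added example,
not Endian Firewall code).  Entry forms, as in Examples 7.11 to 7.13:
  endian.it        the domain and all of its subdomains
  .endian.it       only subdomains, not endian.it itself
  info@endian.it   one fully qualified address
  postmaster@      every address with that user part
Client entries are single IP addresses or CIDR subnets.  A whitelist hit
always wins over a blacklist hit, as the note above states."""
import ipaddress


def address_matches(entry: str, address: str) -> bool:
    """True if a sender/recipient list entry covers the given e-mail address."""
    entry = entry.strip().lower()
    address = address.strip().lower()
    if "@" not in address:
        return False
    user, domain = address.rsplit("@", 1)
    if entry.endswith("@"):                      # user part only, e.g. postmaster@
        return user == entry[:-1]
    if "@" in entry:                             # one fully qualified address
        return address == entry
    if entry.startswith("."):                    # subdomains only
        return domain.endswith(entry)            # "endian.it" does not end with ".endian.it"
    return domain == entry or domain.endswith("." + entry)   # domain plus subdomains


def client_matches(entry: str, client_ip: str) -> bool:
    """True if an IP address or CIDR subnet entry covers the connecting client."""
    network = ipaddress.ip_network(entry.strip(), strict=False)
    return ipaddress.ip_address(client_ip.strip()) in network


def decide(whitelist, blacklist, value, matcher) -> str:
    """Apply both lists with the proxy's precedence: whitelist overrides blacklist.
    Returns "allow", "deny" or "default" (no entry matched, normal policy applies)."""
    if any(matcher(entry, value) for entry in whitelist):
        return "allow"
    if any(matcher(entry, value) for entry in blacklist):
        return "deny"
    return "default"


# Constructed sample lists, one entry per line as in the web interface.
SENDER_WHITELIST = ["endian.it", "postmaster@"]
SENDER_BLACKLIST = [".sub.example.com", "abuse@"]
CLIENT_WHITELIST = ["192.0.2.77"]            # a single host allowed again ...
CLIENT_BLACKLIST = ["192.0.2.0/24"]          # ... inside a blacklisted subnet


def check_sender(address: str) -> str:
    return decide(SENDER_WHITELIST, SENDER_BLACKLIST, address, address_matches)


def check_client(client_ip: str) -> str:
    return decide(CLIENT_WHITELIST, CLIENT_BLACKLIST, client_ip, client_matches)


if __name__ == "__main__":
    for addr in ["mail@sub.endian.it", "abuse@example.org",
                 "user@a.sub.example.com", "user@sub.example.com"]:
        print(f"{addr:28} -> {check_sender(addr)}")
    for ip in ["192.0.2.77", "192.0.2.78", "198.51.100.5"]:
        print(f"{ip:28} -> {check_client(ip)}")
```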
Domains
If you have enabled incoming mail and would like to forward that mail to a mail server behind the Endian Firewall - usually set up in the
GREEN or ORANGE zone - you need to declare the domains which will be accepted by the SMTP proxy and to which of your mail
servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind Endian Firewall for different
domains. It is also easily possible to use Endian Firewall as a backup MX.
Figure 7.54. Domains
Note
Incoming mail must be enabled to activate this functionality.
BCC
Enable this if you would like to have a copy of certain mails that go through the SMTP proxy, be it to a certain recipient or from a
certain sender. Specify whether you want to check the e-mail for a recipient or a sender address. Then type that e-mail address into the Mail
address field and finally add the address that should get the copy in the BCC (Blind Carbon Copy) address field.
Figure 7.55. BCC
Note
The sender and the recipient of the e-mail will not know that their messages have been copied unless you
tell them.
Warning
In most countries of this planet it is highly illegal to read other people's private messages. Do not abuse this
feature.
Advanced settings
This section covers advanced settings of the SMTP proxy.
Smarthost
If you have a dynamic IP address because you are using an ISDN or ADSL dialup internet connection, you will get problems sending
mails to other mail servers. More and more mail servers compare the DNS name with its reverse DNS entry, while other mail servers check if your IP
address is listed as a dynamic IP address and refuse to accept your e-mail. Therefore it could be necessary to use a smarthost for
sending e-mails.
A smarthost is a mail server which your SMTP proxy will use as outgoing SMTP server. The smarthost needs to accept your e-mail and relay it
for you. Normally you may use your provider's SMTP server as smarthost, since it will accept to relay your e-mails while other mail servers may
not.
Figure 7.56. Smarthost
Note
Normally you may use your provider's SMTP server as smarthost, since it will accept to relay your mails while
other mail servers may not.
Authentication required
Some mail servers require authentication. Tick this on if your mail server requires authentication.
Username
Authentication enabled
Tick this on to enable the remote authentication.
IMAP Server
Address of the remote IMAP Server.
Number authentication daemons
If you have many concurrent users you can increase the number of authentication daemons (default 5).
Save changes and restart
Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.
Advanced settings
There are even more advanced configuration possibilities for the SMTP proxy. You may change the maximum size of a single e-mail,
change the language of SMTP proxy mails, or make the mail server more restrictive and strictly RFC compliant in order to fight
spam.
Figure 7.58. Advanced Settings
Note
Enabling this will stop some UCE malware.
Reject invalid hostname
Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname (default enabled).
Reject non fqdn sender
Reject the connecting client when the hostname supplied within the client HELO or EHLO command is not a fully-qualified domain
name, as required by the RFC (default enabled).
Note
If the e-mail to the BCC address bounces it will be returned to the sender.
Smtpd hard error limit
The maximum number of errors a remote SMTP client is allowed to make without delivering mail. The SMTP Proxy server
disconnects when the limit is exceeded (default 20).
Language E-Mail Templates
Allows you to specify the language of the error messages (default English).
Maximal E-Mail size
The maximum allowed size (in MBytes) a message can have (default 10 MB).
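A model of the three connection-level settings above (reject invalid hostname, reject non-FQDN hostname, hard error limit), as an added Python example; it is not the proxy's own implementation, and the reply codes, the hostname syntax rules and the sample HELO names are assumptions for illustration.

```python
"""Model of the SMTP proxy's HELO/EHLO checks and hard error limit
(added example, not the proxy's own code).  Hostname rules follow the usual
DNS label syntax; reply codes are assumed for illustration."""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)


def helo_problem(hostname: str):
    """Return None if the HELO argument passes, "invalid_hostname" if it is not a
    syntactically valid hostname, or "non_fqdn" if it is valid but not fully qualified."""
    name = hostname.strip().rstrip(".")
    if not name:
        return "invalid_hostname"
    if name.startswith("[") and name.endswith("]"):
        # address literal such as [192.0.2.10]: well formed, but not a domain name
        try:
            ipaddress.ip_address(name[1:-1])
            return "non_fqdn"
        except ValueError:
            return "invalid_hostname"
    labels = name.split(".")
    if any(not _LABEL.fullmatch(label) for label in labels):
        return "invalid_hostname"
    # fully qualified: at least two labels and a non-numeric top-level label
    if len(labels) < 2 or labels[-1].isdigit():
        return "non_fqdn"
    return None


class SmtpSession:
    """Tracks client errors for one connection, mirroring the hard error limit."""

    def __init__(self, hard_error_limit: int = 20, reject_invalid_hostname: bool = True,
                 reject_non_fqdn: bool = True):
        self.limit = hard_error_limit
        self.reject_invalid_hostname = reject_invalid_hostname
        self.reject_non_fqdn = reject_non_fqdn
        self.errors = 0
        self.disconnected = False
        self.helo_name = None

    def helo(self, hostname: str) -> str:
        """Handle a HELO/EHLO command and return the reply line."""
        if self.disconnected:
            return "421 4.7.0 Error: connection closed"
        problem = helo_problem(hostname)
        if problem == "invalid_hostname" and self.reject_invalid_hostname:
            return self._error("501 5.5.2 Helo command rejected: Invalid name")
        if problem == "non_fqdn" and self.reject_non_fqdn:
            return self._error("504 5.5.2 Helo command rejected: need fully-qualified hostname")
        self.helo_name = hostname
        return "250 OK"

    def _error(self, reply: str) -> str:
        """Count an error; once the limit is exceeded the client is disconnected."""
        self.errors += 1
        if self.errors > self.limit:
            self.disconnected = True
            return "421 4.7.0 Error: too many errors"
        return reply


def reply_codes(hostnames, hard_error_limit: int = 20):
    """Feed a sequence of HELO names into one session and return the 3-digit reply codes."""
    session = SmtpSession(hard_error_limit=hard_error_limit)
    return [session.helo(name)[:3] for name in hostnames]


if __name__ == "__main__":
    # Constructed sample: a low limit shows the disconnect after repeated bad HELOs.
    session = SmtpSession(hard_error_limit=3)
    for name in ["bad_host!", "localhost", "[192.0.2.10]", "host.123", "mail.example.com"]:
        print(f"HELO {name:18} -> {session.helo(name)}")
```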
Save changes and restart
Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.
This page was last modified on: $Date: 2006-11-23 19:30:06 +0100 (Thu, 23 Nov 2006) $.
Introduction
Virtual Private Networks (VPNs)
Net-to-Net (Gateway-to-Gateway)
Host-to-Net (Roadwarrior)
OpenVPN
OpenVPN Web Interface
OpenVPN Server
Openvpn Net2Net client
Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)
Configuration of an OpenVPN client on the roadwarrior side
IPSec
Methods of Authentication
Pre-shared Key
X.509 Certificates
Global Settings
Connection Status and Control
Certificate Authorities
Generate Root/Host Certificates
Upload a CA certificate
Reset configuration
Add a new connection
Connection Type
Authentication
Introduction
Figure 8.1. VPN menu selected
Net-to-Net (Gateway-to-Gateway)
Figure 8.2. Figure of a Net-to-Net VPN
Net-to-net (or gateway-to-gateway) VPNs link two or more private networks across the Internet by creating an encrypted tunnel. In a net-to-net VPN, at least one of the networks involved must be connected to the Internet with an Endian Firewall. The other network(s) can be
connected to an Endian Firewall or another IPSec or OpenVPN enabled router or firewall. These routers/firewalls have public IP
addresses assigned by an ISP and are most likely using Network Address Translation (NAT), hence the term Net-to-Net.
If desired, a VPN can be created between wireless machines on your BLUE network and Endian Firewall. This ensures that traffic on
your BLUE network cannot be intercepted with wireless sniffers.
Host-to-Net (Roadwarrior)
We are speaking of a Host-to-Net connection when Endian Firewall is on one end of the VPN tunnel and a remote or mobile user is on
the other end. The mobile user is most likely to be a laptop user with a dynamic public IP address assigned by an ISP, hence the terms
Host-to-Net or Roadwarrior.
Figure 8.3. Figure of a Host-to-Net VPN
OpenVPN
OpenVPN is an SSL/TLS based virtual private network solution. It uses the industry standard SSL/TLS protocol to create the encrypted
tunnel, which can transmit packets of OSI layer 2 or 3. Take care not to confuse OpenVPN with what many vendors call SSL VPN.
Most of those only claim to be real SSL VPNs; in fact they are just application level gateways that tunnel only the application
streams of certain services through an encrypted connection without implementing a whole VPN, which is really a site-to-site tunnel. As a
real SSL VPN, OpenVPN has the ability to tunnel all your traffic from OSI layer 2 upwards, so even ARP traffic can be transmitted to the remote
endpoint.
The main advantage of this type of VPN is its ease of use. Since OpenVPN is an application on both sides of the tunnel, it naturally runs
in user space instead of kernel space. Therefore it does not need any modifications to the kernel, and it minimizes the
probability of a catastrophic failure, which is certainly higher for software that runs in kernel space. This makes the whole thing a lot easier
to introduce into a network. In fact, wherever you manage to establish a normal TCP or UDP connection, like from a browser to a server,
you can use OpenVPN. There is no need for NAT traversal or the like. We strongly encourage you to use OpenVPN instead of IPSec if
you can choose. The only argument for using IPSec that comes to our mind is interoperability with other vendors.
Figure 8.4. Figure of a VPN using OpenVPN as mixed VPN combining a Host-to-Net VPN (the Roadwarrior) and
Net-to-Net VPNs in a hub-and-spoke topology
Endian Firewall implements both an OpenVPN server and an OpenVPN client. The administration interface is divided into two main parts, Openvpn Server
and Openvpn Net2Net client. Basically, the OpenVPN server opens a virtual interface (its name begins with tap) whose
function is to send bits to the OpenVPN server process instead of to the wire. The tap interface is joined to the GREEN bridge, so each connected
client is, from the point of view of the other machines behind GREEN, also directly part of the GREEN network. For the OpenVPN server it
makes no difference at all whether the client connects a whole net (Net-to-Net) or is just a roadwarrior (Net-to-Host), and it makes no difference whether
one, two or many clients are connected.
Another advantage compared to IPSec is that the OpenVPN server acts like a switch (hub-and-spoke). Communication between
the VPN endpoints is possible, and communication between the connected OpenVPN clients is kept within the tunnel and always goes
through the server process. It does not need to leave the tap interface on the server side and therefore does not have to be decrypted and then re-encrypted on the server.
OpenVPN Server
The following describes the OpenVPN Server admin interface which you can find by clicking on the OpenVPN Server tab on top of the
page.
Global Settings
This is the port on which the OpenVPN Server will listen for incoming requests.
Protocol
This option allows you to change your protocol from UDP to TCP.
Warning
Do not select TCP as protocol, unless you know exactly what you are doing!
Block DHCP responses coming from tunnel
Since the virtual tap device of the OpenVPN server is joined with the GREEN bridge, broadcast packets of your GREEN zone will
pass the tunnel. This includes DHCP requests from your workstations. If the client on the other side is in bridged mode, DHCP
responses will return from it if the remote side has a DHCP server running. This may cause problems. If you do not want the
remote DHCP server to assign IP addresses to your local workstations within GREEN, tick this option to block the responses.
Note
Pay attention, this will not block the DHCP responses which come from your local DHCP and go to
the remote network! You need to block them on the remote side.
CA Certificate
This is the text representation of your Certification Authority Certificate. This is needed on every OpenVPN client that wants to
connect to your OpenVPN server.
Download CA Certificate
By clicking this link you can download the CA Certificate which is needed by each OpenVPN client in order to be able to connect to
your OpenVPN server.
Users which are allowed to connect to openvpn
Below the global settings box, you will find the possibility to manage accounts which can connect to the OpenVPN server.
All known users will be listed within a table. Each line has the following action icons which will apply for the respective user:
Configure Networks
When clicking this button you will be redirected to a new window where you can administer this user's network settings.
Enabled icon
If this appears as a ticked checkbox, the user is enabled and can connect. Click on it to disable or enable the user. Note that
disabling an already connected user does not disconnect it; it only prevents it from reconnecting.
Trash can icon
Click on it to remove the account.
Pencil icon
Click on it to edit the respective account. This will open a new page which will be described later in Add Account.
Below, you will find a single button, Add Account, which allows you to add a new account. This button will open a new page which will
be described later in the Add Account section.
Add Account
If you create a new account, you will find the following configuration fields:
Username
Fill in the username to be created
Password
Choose a password for the new account.
Verify Password
Fill in the same password as above. This is only for verification purposes in order to ensure that you typed the password correctly.
Remote network
This is not needed if the remote client that will connect with this new account is in bridged mode. Otherwise you need to
specify the network address of the remote GREEN network in order to let the Endian Firewall create correct routing entries on both
sides.
Note
This option is only available if you have configured your BLUE zone.
push route to orange zone
This option will grant the new user access to your ORANGE zone.
Note
This option is only available if you have configured your ORANGE zone.
Connection status and control
This box is located below the Users which are allowed to connect to openvpn box and shows you all currently connected users.
Figure 8.8. Connection status and control
Bans the user. In fact this deactivates and then kicks the user in a row. The user cannot reconnect.
Openvpn Net2Net client
This section describes the configuration of the OpenVPN client shipped with Endian Firewall. With this client, you can have the Endian
Firewall connect to a remote OpenVPN server. Normally you will use this if you would like to create a Net-to-Net connection to another
EFW. A client configuration needs the following information to be able to successfully connect to a remote OpenVPN server:
Username
Password
CA Certificate of the remote server.
You get the CA certificate from the server by clicking the Download CA Certificate link on the Openvpn Server configuration page - on
the remote Endian Firewall, of course. It is needed as an additional piece of secret material that a client must possess. In this manner it is
not possible for attackers to connect to the VPN by gathering only the username and the password; they also need the certificate in
order to be able to connect.
VPN tunnel and control
This page lists status-reports for the configured tunnels. You will notice that this page reloads every five seconds in order to update the
status display if the status of some clients changes.
Figure 8.9. VPN tunnel and control
The following describes the displayed configuration items of each client and your action possibilities:
Status
Displays the connection status of the respective tunnel. The following values do exist:
closed
The tunnel is closed. There is no connection to the remote host.
established
The tunnel to the remote host is established and working.
connecting...
The client is currently trying to connect to the remote host.
resolve error
The client could not resolve the remote's hostname. Probably the hostname does not exist or you have a problem with your
DNS resolver.
invalid ca cert
The CA certificate is invalid. Maybe you supplied the wrong certificate. Another possibility could be that the date on your host
is wrong, so that the certificate is not yet valid.
authentication failed
The client could not authenticate to the remote host. You may have supplied the wrong username or password.
Remote Address
The remote host to which the client should connect.
Options
Displays configuration options if they are set. Possible values are:
bridged
The client is in bridged mode.
drop DHCP
The client blocks DHCP responses coming from the tunnel.
Remark
Optional connection description.
Action
To edit an existing tunnel, click on its pencil icon. The VPN tunnel values will be displayed in the add vpn tunnel settings section of
the page.
To remove an existing tunnel, click on its trash can icon. You will be asked if you really want to remove the tunnel, and if you
choose Yes, the tunnel configuration will be removed.
To enable or disable a tunnel, click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to
enable or disable. The icon changes to an empty box when a tunnel is disabled. Click on the checkbox to enable it again.
Below you find a single button Add tunnel configuration, which allows you to create a new client configuration in order to connect to a
remote Endian firewall or another sort of OpenVPN server.
Add a VPN tunnel
If you push the button Add tunnel configuration you will reach this page.
Figure 8.10. Add a VPN tunnel
In order to create a new tunnel configuration you need to provide the following information:
Connect to
IP address or public host name (FQDN) of the remote Endian Firewall (or other OpenVPN server).
Username and Password
Username and password of the OpenVPN account created on the remote host.
Bridged/routed
The OpenVPN client can run in either routed or bridged mode. The difference is the OSI layer at which the client acts. If you specify
bridged mode, the client's virtual tap device will be joined to the bridge of the GREEN zone (br0). As a member of the bridge, all
traffic created within the GREEN network will also be passed through the tunnel to the remote side. This includes ARP traffic and
other protocols below TCP. In this manner, the tunnel acts like a switch port. You can use this, for example, if you need to
be able to browse the remote side's Microsoft Windows servers. In order to access hosts on the remote side you must use the
same GREEN network address on both sides, since those two GREEN networks will really be part of the same physical
network.
Note
But pay attention, this option does not scale well and sends much unneeded traffic through the tunnel!
Use it only if you really need it.
With routed mode the client's tap device will remain alone and will not be joined to the GREEN bridge. The device will obtain an IP
address assigned by the remote OpenVPN server, which selects it from its configured IP pool. The two GREEN zones are
split and traffic between the two networks will be routed. This all happens at a higher OSI layer. In order to make this work, you need to
have different GREEN network addresses, since the two networks in this mode are not the same and need to be distinguishable. You
also need to specify your local GREEN network and network mask on the remote OpenVPN server in order to let the client set the
needed routes.
block DHCP responses coming from the tunnel
If you selected routed mode, this does not concern you at all. Otherwise, if you have selected bridged mode, the virtual tap device of
the OpenVPN client is joined to the GREEN bridge. Therefore broadcast packets of your GREEN zone will pass through the
tunnel. This includes DHCP requests from your workstations. Since the server on the other side is also part of this GREEN bridge,
DHCP responses will return from it if the remote side runs a DHCP server. This may cause problems if you do not want the remote
DHCP server to assign IP addresses to your local workstations in the GREEN zone. Tick this option if you would like to block these
responses.
Note
Pay attention, this will not block the DHCP responses which come from your local DHCP and go to
the remote network! You need to block them on the remote side.
Remark
An optional connection description.
CA certificate
Endian Firewall OpenVPN server CA certificate. You get this certificate by pressing the Download CA Certificate link on the remote
OpenVPN server configuration page.
CA certificate
You can paste your CA certificate content (text) in this box or...
upload CA file
...you can upload the CA certificate file.
Save
Click "save" to add your configuration.
Note
The clocks on either end of the EFW VPN tunnel should be up to date before configuring a VPN, otherwise
the connection may not be established if the CA certificate is not yet valid because of a wrong clock.
Configure Endian Firewall OpenVPN server
One of the three Endian Firewalls must act as the OpenVPN server (the hub):
1. Go to the OpenVPN server section (VPN > Openvpn Server)
Figure 8.11. Openvpn Server
2. Set an IP address range which will be used to assign an internal (GREEN) IP address to the other two Endian Firewalls.
3. Tick on the Enabled box.
4. Now add 2 users, office1 and office2 (one for each Endian Firewall that will be connected to our Endian Firewall OpenVPN
server) pressing on Add Account button in the Users which are allowed to connect to openvpn section.
Figure 8.12. Users which are allowed to connect to openvpn
5. Fill in the information in the add new user form. In this case we assume that it is enough to use routed mode. You need
to specify the GREEN network address and network mask of the respective branch office (office1 and office2). If you want the
new user to be able to connect to your BLUE or ORANGE zone, you have to tick the respective push route to blue/orange
zone checkbox.
7. Ok. The Endian Firewall in office0 is ready to receive VPN connections from the other offices.
8. Download the CA certificate file by clicking the link Download CA Certificate. You will need this file on both other Firewalls.
Warning
Pay attention to keep this file private.
Figure 8.15. Openvpn Server CA Certificate
and the office0 Endian Firewall should show you the following on the VPN > OpenVPN Server page:
Figure 8.19. Connected Office 1 and 2 clients
With this configuration your workstations in the office1 and office2 nets should be able to reach the GREEN network of your office0.
In order to connect to the Endian Firewall OpenVPN server you can choose from a list of free projects which implement an OpenVPN
client with a graphical user interface. One can be found on Mathias Sundman's OpenVPN GUI site. You can also download OpenVPN from
the OpenVPN Homepage, which provides the source code package as well as a packaged Microsoft Windows installer. Each major Linux
distribution should have its own package of it, and it has also been ported to other Unix derivatives.
Tip
Endian Firewall Enterprise Edition has a Linux package as well as a Windows package of the OpenVPN
client available for download in the VPN > OpenVPN > Download section.
Next you need a valid and, most notably, Endian Firewall compatible configuration file. The OpenVPN server on the Endian Firewall:
runs as server of course, so your openvpn installation must act as client (--client) in order to successfully establish a
connection.
listens on the standard port 1194 (--port 1194).
uses the UDP protocol (--proto udp).
encapsulates Ethernet (802.3) frames and therefore uses tap devices (--dev tap).
uses static key mode (--auth-user-pass).
uses fast LZO compression (--comp-lzo).
Example 8.1. An example command line to start openvpn on your roadwarrior
openvpn --client --pull --comp-lzo --nobind --dev tap --ca /path/to-the-cacertificate.pem --auth-user-pass --remote your.remote.efw
Example 8.2. An example configuration file for openvpn on your roadwarrior
client
dev tap
proto udp
remote your.remote.efw
resolv-retry infinite
nobind
persist-key
persist-tun
ca path-to-the-ca-certificate.pem
auth-user-pass
comp-lzo
Note
Download the CA certificate using the appropriate link on the OpenVPN server configuration page and
copy the certificate file to the location to which you point with the --ca parameter.
IPSec
IPSec (IP Security) is a generic standardized VPN solution. Compared to OpenVPN, encryption and authentication are already done at
OSI layer 3 as an extension to the IP protocol. Therefore IPSec must be implemented in the IP stack, which is part of the kernel. Since
IPSec is a standardized protocol it is compatible with most vendors that implement IPSec. Compared to OpenVPN, IPSec's configuration
and administration are usually quite difficult due to its complexity, and due to its design some situations are impossible to handle,
especially if you have to cope with NAT. However, Endian Firewall implements an easy to use administration
interface with different authentication possibilities. We strongly encourage you to use IPSec only if you need it for
interoperability purposes. Use OpenVPN wherever you can, especially if NAT is in the game.
Methods of Authentication
It is necessary to have a pre-shared key/password/pass phrase or an X.509 certificate before trying to configure a Roadwarrior or Net-to-Net VPN connection. These are methods of authentication, which identify the user trying to access the VPN. They will be required in the
VPN configuration stage.
Pre-shared Key
The pre-shared key authentication method or PSK is a very simple method that allows VPN connections to be set up quickly. For this
method, you enter an authentication phrase. This can be any character string similar to a password. This phrase must be available for
authentication on Endian Firewall and on the VPN client.
The PSK method involves fewer steps than certificate authentication. It can be used to test the connectivity of a VPN and to become familiar
with the procedure of establishing a VPN connection. Experienced users may wish to progress straight to the section called Generate
Root/Host Certificates before trying to configure a roadwarrior or a net-to-net VPN connection.
The pre-shared key method should not be used with Roadwarrior connections as all roadwarriors must use the same pre-shared key.
Note
The clocks on either end of the EFW VPN tunnel should be up to date before configuring a VPN.
X.509 Certificates
X.509 certificates are a very secure way of connecting VPN servers. To implement X.509 certificates you must either generate or setup
the certificates on Endian Firewall or use another certification authority on your network.
X.509 Terminology
X.509 certificates on Endian Firewall and many other implementations are manipulated and controlled by
OpenSSL. SSL, or the Secure Sockets Layer, has its own terminology.
X.509 certificates, depending on their type, may contain public and private encryption keys, pass phrases
and information about the entity they refer to. These certificates are meant to be validated by Certification
Authorities (Certificate Authorities) or CAs. When used by web browsers, the CA certificates of major, pay
for, CAs are compiled into the browsers. To validate a host certificate, the certificate is passed to the
appropriate CA to perform validation. On private networks or unique hosts, the CA may reside on a local
host. In EFW's case, this is the Endian Firewall itself.
Certification signing requests are requests for signing unsigned X.509 certificates that are passed to CAs.
The CAs in turn generate an X.509 certificate by signing the request. These are returned to the requesting
entity as valid X.509 certificates. These signed certificates will then obviously be known to the CA.
You will see that X.509 certificates and requests can be stored on your hard drive in three different formats,
usually identified by their extensions. PEM format is the default for OpenSSL. It can contain all the
information associated with certificates in printable format. DER format contains just the key information
and no extra X.509 information. This is the default format for most browsers. PEM format wraps headers
around DER format keys. PKCS#12, PFX or P12 certificates contain the same information as PEM files in
binary format. Using the openssl command, PEM and PKCS#12 files can be converted from one format
into the other.
To use a certificate, you must import it into the other side's CA, too. The IPSec implementation on Endian Firewall contains its own built
in CA. CAs may run on roadwarrior's machines too.
If the roadwarrior's IPSec implementation does not have CA capabilities, you can generate a certificate request, import it into EFW so
that EFW's CA can sign it. Then you have to export the resulting certificate and import it into the originating roadwarrior's IPSec software.
Global Settings
Figure 8.20. VPN global settings
Enter the VPN server details, either its fully qualified domain name or the public IP address of the RED interface. If you are using a
dynamic DNS service, you should use your dynamic DNS name here.
This box lists each configured connection and its status. For each connection you will see the following information:
Name
The name of the respective connection
Type
The connection type (Net-to-Net or Net-to-Host) with its authentication type.
Common Name
This field is filled only if certificate authentication is used. It contains the value which has been inserted into the remote
certificate as common name. Normally this is the hostname of the remote host.
Remark
A short remark to make it easier to identify the connection.
Status
Shows the status of the respective connection. The following values are possible:
CLOSED
the connection is closed.
OPEN
the connection is established.
The next items symbolise the Actions you can do for each respective connection:
Restart icon
By clicking on this icon the connection will be restarted. Use this on both sides if, for example, your IP address changes.
Enabled checkbox
To enable or disable a connection - click on the Enabled icon for the particular entry you want to enable or disable. The icon
changes to an empty box when a connection is disabled. Click on the checkbox to enable it again.
Pencil icon
Click on this icon if you want to edit that particular connection entry.
Trash can icon
By clicking on this icon the connection will be removed.
Warning
The administration interface does not ask you if you really want to remove the connection!
To create a VPN connection use the Add button. The VPN connection page will appear (see the section called Connection Type).
Certificate Authorities
This part is needed to create or import Root CA Certificates. The box shows two specially marked lines with information about the existing
certificates. If you have already created or imported the certificates, you will see the lines filled with information. On the right you will find two
symbols in the Actions column. By clicking the blue information icon you will load a page with the certificate printed out as plain text and
as ASCII armored output.
Example 8.3. Example plain text certificate output.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=AF, O=endian, CN=endian CA
Validity
Not Before: Apr 30 16:21:28 2006 GMT
Not After : Mar 11 06:56:08 2022 GMT
The blue diskette icon allows you to download the certificate as a PEM-encoded file, which you can then import on other devices.
To create an EFW Certificate Authority or CA, enter your CA's name in the CA Name box. The name should be different from the Endian
Firewall machine's host name to avoid confusion. For example, efwa for the CA and efw for the hostname. Then click on the Generate
Root/Host Certificates button. The Generate Root/Host Certificates page will appear. Fill out the form and both an X.509 root and a host
certificate will be generated.
The following describes the items in the form:
Organization Name
The organization name you want to use in the certificate. For example, if your VPN is tying together schools in a school district, you
may want to use something like Some School District.
Endian Firewall's Hostname
This should be the fully qualified domain name of your Endian Firewall. If you are using a dynamic DNS service (see the section
called Dynamic DNS Administrative Web Page), use it.
Your E-mail Address
Your E-mail address, so that folks can get hold of you.
Your Department
This is the department or suborganization name. Continuing the school district example, this could be XX Elementary School.
This is optional.
City
The city or mailing address for your machine. This is optional.
State or Province
The state or province associated with the mailing address.
Country
This pull down selection menu contains every ISO recognized country name. Use it to select the country associated with the
certificate.
After completing the form, click on the Generate Root/Host Certificates button to generate the certificates.
If desired, you can generate several root and host certificates on a single Endian Firewall, and then export them to PKCS12 format files,
encrypted with a password. You can then email them as attachments to your other sites. Using the Upload PKCS12 file portion of this
web page, you can upload and decrypt the certificates on a local Endian Firewall machine. You generate the PKCS12 file on the remote
Endian Firewall which owns the CA by creating the connection which is intended for the tunnel to your local Firewall as described in the
section called Host-to-Net Connection, later in this document. If you select Generate a certificate on the remote side as described in the
section called Authentication, it will create the file you need here.
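As an added example, not part of the Endian Firewall manual, the following shell script reproduces the certificate flow described above with the openssl command line: a CA and a host certificate are generated (the CA name and the hostname are kept distinct as the manual recommends), the host certificate is bundled into a password-protected PKCS#12 file for the remote peer, and on the receiving side the file is converted back to PEM and verified against the CA. All names, the working directory, and the PKCS#12 password are constructed; the script assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the Endian Firewall manual): PEM <-> PKCS#12 round trip
# with openssl, modelled on EFW's "Generate Root/Host Certificates" and
# "Upload PKCS12 file" steps. Every name and value below is constructed.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to demonstrate" >&2; exit 0; }
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # scratch directory for all files
P12_PASS="constructed-example-password"      # the "PKCS12 File Password" of the form

# Create a CA named efwa and a host certificate for efw.example.net signed by it.
make_ca_and_host() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=IT/O=Some School District/CN=efwa CA" \
    -keyout cakey.pem -out cacert.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=IT/O=Some School District/OU=XX Elementary School/CN=efw.example.net" \
    -keyout hostkey.pem -out hostreq.pem 2>/dev/null
  openssl x509 -req -in hostreq.pem -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -days 3650 -out hostcert.pem 2>/dev/null
}

# PEM -> PKCS#12: bundle host key, host certificate and CA certificate,
# encrypted with the password that is later given to the peer out of band.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/hostkey.pem" -in "$WORK/hostcert.pem" \
    -certfile "$WORK/cacert.pem" -name efw.example.net \
    -passout "pass:$P12_PASS" -out "$WORK/efw.p12"
}

# PKCS#12 -> PEM: what the receiving side does with the uploaded file.
import_p12() {
  openssl pkcs12 -in "$WORK/efw.p12" -passin "pass:$P12_PASS" -nodes \
    -out "$WORK/imported.pem" 2>/dev/null
}

# Print the Common Name of the first certificate in a PEM file (this is the
# value shown in the Common Name column of the connection list).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Check that the re-imported host certificate chains to the CA; prints ok or fail.
verify_imported() {
  openssl x509 -in "$WORK/imported.pem" -out "$WORK/imported-cert.pem"
  if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/imported-cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

main() {
  make_ca_and_host
  export_p12
  import_p12
  echo "host certificate CN: $(cert_cn "$WORK/hostcert.pem")"
  echo "re-imported CN:      $(cert_cn "$WORK/imported.pem")"
  echo "chains to CA:        $(verify_imported)"
  # Same kind of printout as the "blue information icon" page.
  openssl x509 -in "$WORK/hostcert.pem" -noout -text | head -12
}
main
```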
Upload a CA certificate
If you already have created a CA certificate on another machine, you can simply upload the certificate file in order to give the local
Endian Firewall the chance to verify remote certificates. Simply push the Browse button and choose the CA certificate file. Then finally
push the Upload CA Certificate button. Thereafter the CA will be visible within the box above.
Reset configuration
By pressing the Reset button on the front page you will delete the entire VPN configuration from Endian Firewall. This could be
necessary for example if you need to remove the CA because you want to create a new one.
Warning
This removes the entire IPSec configuration including Certificates, Keys and Connection configurations.
Select either Host-to-Net (Roadwarrior) for mobile users who need access to the GREEN network or Net-to-Net to grant users on another
network access to your GREEN network and to allow users on your GREEN network to access the other network.
Choose the connection type you want to create and click on the Add button.
The next web page that appears contains two sections. The Connection section will differ depending on the connection type you are
adding. The Authentication section will be the same.
Host-to-Net Connection
The following describes each field of the connection configuration box if you selected Host-to-Net connection:
Name
Choose a simple name (lower case only, no spaces) to identify this connection.
Interface
Select the Endian Firewall network interface the roadwarrior will be connecting on, either RED or BLUE. Selecting the RED
interface will allow the roadwarrior to connect from the Internet. Selecting the BLUE interface will allow the roadwarrior to connect
to the GREEN network from a local wireless network.
Local Subnet
defaults to your GREEN network. If desired, you can create a subnet of your GREEN network to limit roadwarrior access to your
GREEN network. Example for this field: 10.1.1.0/255.255.255.0.
Remark
allows you to add an optional remark that will appear in the Endian Firewall VPNs connection window for this connection.
Enabled
Click on the Enabled check box to enable this connection.
Edit advanced settings when done.
Click on the Edit advanced settings when done check box if you need to modify EFW's default settings for IPSec.
Net-to-Net Connection
Enter the remote network's network address and subnet mask in the same format as the Local Subnet field. This network must be
different from the Local Subnet since IPSec sets up routing table entries to send IP packets to the correct remote network.
Remark
allows you to add an optional remark that will appear in the Endian Firewall VPN's connection window for this connection.
Enabled
Click on the Enabled check box to enable this connection.
Edit advanced settings when done.
Click on the Edit advanced settings when done check box if you need to modify EFW's default settings for IPSec.
Authentication
The second section of the web page deals with authentication. In other words, this is how this Endian Firewall makes sure that the peer
at the other end of the tunnel is really the one it is meant to talk to. Endian Firewall has made every effort to support both PSKs
and X.509 certificates.
Figure 8.26. VPN authentication input
There are four mutually exclusive choices that can be used to authenticate a connection:
Use a Pre-Shared Key
Enter a pass phrase to be used to authenticate the other side of the tunnel. Choose this if you wish a simple Net-to-Net VPN. You
can also use PSKs while experimenting in setting up a VPN. Do not use PSKs to authenticate tunnels to roadwarriors.
Upload certificate request
Some roadwarrior IPSec implementations do not have their own CA. If they wish to use the built-in CA of EFW's IPSec implementation, they can
generate a so-called certificate request. This is a partial X.509 certificate that must be signed by a CA to become a complete certificate. During
certificate request upload, the request is signed and the new certificate becomes available on the VPN's main web page.
Upload a certificate
In this case, the peer IPSec has a CA available for use. Both the peer's CA certificate and host certificate must be uploaded.
Generate a certificate
In this case, the IPSec peer will be able to provide an X.509 certificate, but lacks the capacity to even generate a certificate request.
In this case, complete the required fields. Optional fields are indicated by red dots. If this certificate is for a Net-to-Net connection,
the User's Full Name or System Hostname field may have to be the Internet fully qualified domain name of the peer. The optional
organization name is meant to isolate different portions of an organization from access to EFW's full GREEN network by subnetting
the Local Subnet in the connection definition portion of this web page. The PKCS12 File Password fields ensure that the host
certificates generated cannot be intercepted and compromised while being transmitted to the IPSec peer.
This page was last modified on: $Date: 2006-11-22 23:32:04 +0100 (Wed, 22 Nov 2006) $.
Chapter 9. Logs
Table of Contents
Introduction
Log Settings Administrative Web Page
Log Summary Page
Proxy Logs Page
Firewall Logs Page
Intrusion Detection System Log Page
Content Filter Logs Page
OpenVPN Logs Page
System Log Page
SMTP Log Page
Clamav Log Page
SIProxy log page
Proxy Analysis Report
Introduction
Figure 9.1. Logs menu selected
SMTP Log
ClamAV Log
SIProxy log viewer
Proxy Analysis Report (new in version 2.1)
The log viewer pages share a common set of interface features to select the log information to be displayed and to export that information
to your local machine. By default the log viewer always shows you the most recent log lines as they appear in the log files. The
information is shown as a list (usually labeled log) of all log entries in the main section of the window. If that list is too long to fit into a
reasonably sized window, only the latest log entries are displayed. In that situation, the Older and Newer links at the top and bottom of
this section of the window become active and you may use these to page through the list of log data.
Since the amount of data written to the log files can become very large, log files are rotated weekly in order to keep the current file
small. During a rotation the log file is moved away and compressed to save disk space, and a new one is created.
Therefore you will have a log file for each week, and each log file may contain more or less data than the previous one. The archived log
files remain on the disk for 52 weeks before they are deleted.
The log viewer enables you to navigate through the entire amount of log lines. If you reach the end of one file the next file will be
automatically used. In order to know where exactly you stand within the log lines the following informational line displays some
information:
Total number of lines matching selected criteria: 1054 - File: 1/14 - Offset: 1/8
As the line says, the first number shows you the total number of lines which match the selected criteria. These lines may be spread over
several log files, so in some situations you still need to page back even though there would have been enough space to fit all lines on
one page.
The numbers after the label File inform you which log file you are currently viewing and the total number of archived and
non-archived log files for the current service.
The numbers after the label Offset show your current position within the log file. The first number is the page
you are currently displaying, while the second is the total number of pages the current log file contains.
Figure 9.2. Generic navigation items
The following describes the common interface elements which you can use to control the displayed log lines:
Filter
The Filter edit field lets you define a search term which will be searched for in the log files. The viewer then displays only those lines
which contain the search term. This field also accepts Perl-compatible regular expressions. After you change the value in this field
you need to press the Update button in order to reflect the change in the log viewer output.
Older
This button allows you to jump back chronologically within the log entries. The button will disappear if there are no older log entries.
Newer
This button allows you to jump forward chronologically within the log entries. The button will disappear if there are no newer log entries.
Jump to offset
Instead of pushing the Older or Newer buttons as often as needed to reach a desired page, you can jump directly to a
specific page if you know the exact position. You can also jump to an estimated position and then use the Older/Newer
buttons to reach the desired position.
Jump to file
Enables you to jump directly to a specific archived file. Pressing the Older button again and again lets you jump back page by
page. If you have reached the last page of the current file, the next older log file is opened when you push the Older button again. Using
Jump to file is just a faster way to reach a desired place within the whole amount of data.
Export
Pressing the Export button downloads a text-format file (log.dat), containing the information from the current Logs page, from the
Endian Firewall to your computer. Depending on how your computer is set up, pressing the Export button will initiate a file
download dialogue on your computer, show the contents of log.dat in your web browser window, or open the file in a text editor. In
the latter cases, you can save log.dat as a text-format file if required.
This lets you configure the summary page, which will be described later in this document:
Log summaries for xxx days
Lets you define for how many days you would like to save the daily summaries on disk.
Detail level
Lets you decide the detail level of the log summary. You can choose from the following possibilities: Low, Medium, High. Depending
on this setting the summary provides you with less, more or much more information.
Remote logging
Figure 9.5. Configuration of remote logging
It is possible to have Endian Firewall send all its logs to a remote syslog server as well. This is very useful if you would like to have all
the logs of your company on one centralized log server, and it is useful, for example, to still have access to log files in case of a fatal
disaster. In order to enable remote logging you need to provide the hostname or IP address of the remote syslog server in the text
field labeled Syslog server and then tick the checkbox Enabled. Endian Firewall will then log to the remote syslog server
as well as to the local log files.
Note
Currently not every service is able to use syslog. Therefore some can only write to log files and
cannot log to a remote syslog server. Services which currently cannot use syslog are: all sorts of HTTP
services (administration web server, HTTP proxy, HTTP content filter, HAVP), FTP proxy, IDS (snort).
Firewall logging
Figure 9.6. Configuration of firewall logging
Usually, if Endian Firewall has a public IP address and therefore is the door to the outside, a great many packets will be
blocked by the firewall. Not all of these are hostile attempts by attackers, but they will nevertheless be logged and create a lot of data.
Here you have the possibility to configure globally what you would like to have logged and what not:
Log packets with BAD constellation of TCP flags
TCP allows anybody to set flags in combinations which make no sense at all. Such combinations may confuse firewalls
and/or computers in general and allow an attacker to gather more information than you would like to share. Portscanners
in particular do this. Endian Firewall blocks such attempts. Tick this on if you want to have them logged. You will find such
attempts in the firewall log as packets which passed the chain BADTCP.
Log portscans
You may enable portscan detection by ticking this checkbox on. The portscan detection will be performed using the netfilter
psd match. You will find the logged portscans in the firewall log resulting as packets which passed the chain PORTSCAN.
Note
Portscans will never be blocked! They will only be logged! If you have not configured any ports
to be forwarded a portscan of an Endian Firewall will not reveal anything of interest to the
attacker since there is nothing open.
Log NEW connections without SYN flag
Packets which are meant to establish a TCP connection must have the SYN flag set. If it is not set, the packet is not sane. Endian Firewall
will block such packets, and you can log the attempts if you tick this checkbox on.
Log refused packets
If you tick this on, Endian Firewall will log all connection attempts which have been denied by Endian Firewall. Since Endian
Firewall as default denies all connection attempts and allows only what you have defined, this certainly will lead to a bunch of
unneeded data, so you may toggle this off. It may be useful to check which ports you need to open for applications that are
using ports you don't know.
Log accepted outgoing connections
Tick this on if you would like to globally log all connections which have successfully passed Endian Firewall without being
dropped. You can use this to test if your newly created rules are correct as this allows you to see the connections made by
your applications.
Note
Check your local law! Enabling this may be prohibited by privacy law in most countries! But
some countries may require you by law to enable this (for example the anti-terror law in Italy). If
you need to enable it, consider backing up your logs, since you will probably also need them after a
fatal disaster! Ensure that nobody has access to backups and log files (privacy law)!
Note
The summaries will be generated daily during night hours. Therefore Endian Firewall must be up and
running over night in order to have the summaries of each day.
Note
In version 2.1 there are four more types of summaries that are not shown on this screenshot to keep it at a
reasonable size. They are:
Clamav
DHCP Server
Kernel
SSHD
Note
Due to the large amount of information that has to be processed, the Web Proxy page can take an
appreciable time to appear after its initial selection or an Update.
There are several controls on this page in addition to the controls described in the introduction section:
Source IP
This dropdown box allows you to selectively look at web proxy activity belonging to individual IP addresses on the local network, or
the activity related to ALL machines that have used the proxy.
Ignore filter
The box allows you to type in a regular expression text string to define which file types should be omitted from the web proxy logs.
The default string hides image files (.gif, .jpeg and .png), stylesheet files (.css) and JavaScript files (.js).
Enable ignore filter
Tick this on to enable the Ignore filter: or tick it off to disable it.
Restore defaults
This button allows you to restore factory settings for the above controls and filters.
For this page, the information appearing in the Log: section of the window consists of:
The Time when the file was requested and cached.
The Source IP address of the local system requesting the file.
The Username, if applicable, of the authenticated user which retrieved the file. This shows a dash if users do not need to
authenticate in order to have access to the cache.
The Website - or more precisely the URL for each of the requested and cached files.
Note
The Website URL entries in these logs are also hyperlinks to the referenced web pages or files.
Note
Not all denied packets are hostile attempts by crackers to gain access to your machine. Blocked packets
commonly occur for a number of harmless reasons and many can be safely ignored. Among these may be
attempted connections to the "ident/auth" port (113), which are blocked by default in Endian Firewall.
The controls on this page are the basic elements that are described in detail in the introduction.
Figure 9.8. Displays firewall log
The Log: section of this page contains an entry for each of the packets that were dropped by the firewall. It includes:
the time of the event
the firewall Chain which was responsible for the log entry
the interface (iface) through which the packet came in
the protocol (Proto) used for that packet
the source IP address
the source port (src port)
the MAC address of the sender
Note
This will be blank if the respective interface does not support MAC addresses, for example all types of PPP
connections.
the destination IP address
the destination port (dst port) to which the client connected.
You can obtain information about the listed IP addresses by clicking on an IP Address. Endian Firewall performs a DNS lookup and
reports any available information about its registration, ownership and geographical position. By clicking on a port number you will get
some information about the service which normally uses this port.
Note
Due to the large amount of information that has to be processed, the Content Filter page can take a
considerable amount of time to load after its initial selection or an Update.
There are several controls on this page in addition to the common controls described at the beginning of this Section:
Source IP
This dropdown box allows you to selectively look at web proxy activity related to single IP addresses on the local network, or the
activity related to ALL machines that have used the proxy.
Ignore filter
The box allows you to type in a regular expression text string to define which file types should be omitted from the web proxy logs.
The default string hides image files (.gif, .jpeg and .png), stylesheet files (.css) and JavaScript files (.js).
Enable ignore filter
Tick this on to enable the Ignore filter: or tick it off to disable it.
Restore defaults
This button allows you to restore the factory settings for this section.
For this page, the information appearing in the Log: section of the window consists of:
The Time the file was requested.
The Source IP address of the local system requesting the file.
The Website - or more precisely the URL for each requested and cached file.
Note
The Website URL entries in these logs are also hyperlinks to the referenced web pages or files.
The Status, which currently can only be DENIED, since requests to allowed pages are not logged here (before
version 2.1, blocked was used instead of denied).
This page allows you to view the system and other miscellaneous logs. (See the Introduction on how to use the common controls). There
are eleven different categories, selected via the Section dropdown list:
Endian Firewall (default) - general EFW events like PPP profile saving and connection and disconnection of dialup modem links.
RED - traffic sent over the interface that is providing the PPP interface for EFW. This includes the data strings sent to, and received
from modems and other network interfaces. This can be a very useful resource in troubleshooting "failure to connect" situations.
DNS - shows a log of activity for dnsmasq, the domain name service utility.
DHCP server - shows a log of activity for the DHCP Server function of Endian Firewall.
SSH - provides a record of users who have logged in to, and out of the Endian Firewall over a network via the SSH interface.
NTP - shows a log of activity for the ntpd Server function.
Cron - provides a record of activity of the cron daemon.
Login/Logout - provides a record of users who have logged in to and out of the Endian Firewall. This includes both local log-ins and
logins over a network via the SSH interface.
For this page, the information appearing in the Log: section of the window consists of:
The Time the event has happened.
The data that the services write to the logfile.
ClamAV itself normally does not have much to log, since the services that make use of ClamAV log to their own log files if
they find a virus. This log file is useful to see information about ClamAV signature updates.
As you can see below, the lines show when the update process started and what was done. On Endian Firewall ClamAV automatically
updates every full hour, therefore you will see these lines appear every hour. The last two lines show the currently installed signature
database versions and how many virus signatures they contain.
May 16 08:01:00 freshclam[27206]: Daemon started.
May 16 08:01:00 freshclam[27206]: ClamAV update process started at Tue May 16 08:01:00 2006
May 16 08:01:00 freshclam[27206]: main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
May 16 08:01:00 freshclam[27206]: daily.cvd is up to date (version: 1463, sigs: 4343, f-level: 8, builder: ccordes)
If new signatures are ready to install they will be automatically downloaded, installed and then the ClamAV daemon will automatically
reload its signature database. You will find such a log like the one below if this happens:
May 15 13:01:00
May 15 13:01:00
May 15 13:01:00
May 15 13:01:08
May 15 13:01:08
May 15 13:01:08
May 15 13:01:08
May 15 13:01:08
May 15 13:01:08
As the log lines show, after the download of the new signature file daily.cvd, the update daemon freshclam notifies the antivirus
daemon clamd about the modification, which immediately reloads all its virus signatures.
Note
Each line shows you process information after the timestamp. This is the name of the process and the
Process ID in square brackets.
This page shows the log files of the Squid Analysis Proxy Generator (SARG). You are presented with two options:
Enable
This turns SARG on if the checkbox is ticked on.
Respect your users privacy and anonymize their IP addresses
Tick this on if you want to hide your users' IP addresses.
Note
In some countries it may be illegal to show your users' IP addresses.
On this page you will not find the generic navigation items, as these special logs are shown in a completely new page. By clicking on
the Daily/Weekly/Monthly Report links a new page with the respective analysis will pop up.
This page was last modified on: $Date: 2006-11-16 05:15:57 +0100 (Thu, 16 Nov 2006) $.
Table of Contents
Introduction
Hotspot
Accounts
How to add a new account or edit an existing one
User balance
User connections
Ticket Rates
Add or edit a ticket rate
Statistics
Active Connections
Connection Log
Settings
Dialin
Password
Template Editor
Printout Template
Allowed sites
Client connecting to Endian Hotspot
Login
House guests login
Successful login
Introduction
Figure 10.1. The Endian Hotspot
The Endian Hotspot is a powerful hotspot. It can be used for wireless connections as well as for normal LAN connections. This means
you can easily connect a wireless access point to the BLUE interface or just a normal switch. With Endian Hotspot you can manage
users and their allowed access-time based on pre-paid or post-paid tickets. It is also possible to specify websites that are available
without having to log in.
Note
In order to be able to run the Endian Hotspot you will have to have the BLUE zone enabled. The IP of the
BLUE interface must belong to a class C network (/24) and its host part must be .1, e.g. 192.168.20.1/24.
The bridge for the BLUE zone does not support more than one port.
Note
Usually the hotspot is intended for use with wireless networks, however this is not mandatory. It is as well
possible to connect a normal switch to the BLUE LAN port. Please note also that there is no wireless
Tip
If you are running a Community version of Endian Firewall and are wondering where your Endian Hotspot
may be, just upgrade to Endian Firewall Enterprise Edition.
Hotspot
This is the main menu of the Endian Hotspot. Almost all settings are configured in this menu. You have to use this menu if you want to
manage accounts, specify ticket rates, modify your settings or have a look at the log files or at the statistics.
Accounts
Figure 10.2. Account management
By clicking on the Accounts link in the submenu of this page you will be presented with a list of all enabled accounts for this hotspot. If
you want to show the disabled accounts too, you will have to tick the Show disabled users checkbox, which reloads the page and shows
both enabled and disabled users. If you want to display only the users that match certain search criteria, you can enter your filter in the
appropriate text field and then hit Enter.
The list itself consists of five columns:
Note
It is not possible to delete users. Disable them instead.
How to add a new account or edit an existing one
Figure 10.3. Add a new account
This is the User Information dialog which is shown if you want to add a new account or edit an existing one (then of course with all the
known values already filled in). Most of the fields should be self-explanatory, but we will describe them anyway.
Username
In this field you have to enter the username. This is the only mandatory field.
Password
In this field you can enter the password for the new account. This is shown in plain text. If you do not have the time to think of an
adequate password just leave this field empty and the password will be autogenerated.
Valid until
The date until the account will be valid. If you want to change it you can either enter the new date manually or click on the ... button
and select the new date from the calendar popup.
Enabled
This checkbox specifies if the account is enabled or not. If this is ticked on the account is active. If you want to disable a user tick
this checkbox off.
Title
The user's title. A good example would be Dr.
Firstname
The user's first name.
Lastname
The user's last name.
Language
Here you can select the user's native language if available. Otherwise English should be a good choice.
City of Birth
The user's city of birth.
Birthdate
Here you can enter the user's birth date.
Document type
This lets you specify the document type you used to identify the user.
Document issued by
Here you can specify the issuer of the document that was used to identify the user.
Document ID
This field lets you specify the document's identification number.
Save
By hitting this button you will save the entered information.
Print
This option is only available when editing an already existing account. By hitting this button a dialog will be opened to print the
user information.
On the right side of the screen you will notice the Tickets section. If you want to add a new ticket to the user just select the appropriate
ticket-type and hit the Add button. Below you will notice a list of all tickets for this user with the following information:
Ticket type
The type of ticket.
Creation date
The date on which this ticket has been created.
Action
If the ticket has not been used yet you will be able to Delete it here by clicking on the appropriate link.
Note
If the ticket has already been used no Delete link will be available.
Note
If a user has both pre-paid and post-paid tickets, when logging in he will automatically use his pre-paid
ticket first, and only when that ticket (or those tickets) expires will the post-paid ticket be charged. If however the user does not
have a post-paid ticket and the pre-paid ticket runs out of money, the connection will be stopped.
User balance
Figure 10.4. User balance
The user balance window is split horizontally into two main sections. The bottom section shows a list of all tickets for the current user
containing the following:
Ticket name
This is the name of the ticket-type.
Amount
The amount of money that has been used or paid.
Note
If the amount is positive this will represent a payment.
Date / Time
The date and time when the ticket has been issued.
Duration
The duration of the session.
Note
Payments do not have a duration.
Traffic
The traffic that has been used during this session.
Note
Payments do not use any traffic.
Processed
Here you can see if this ticket has been processed by ASA.
Note
This feature is only available if ASA is enabled. ASA is a hotel management software written
especially for South Tyrolean hotels. We will not go into details of ASA here.
Retries
This field will show the number of retries when connecting to ASA.
Note
This feature is only available if ASA is enabled. ASA is a hotel management software written
especially for South Tyrolean hotels. We will not go into details of ASA here.
Message
Here you will find the ASA return message if any.
Note
This feature is only available if ASA is enabled. ASA is a hotel management software written
especially for South Tyrolean hotels. We will not go into details of ASA here.
On the top section of the window you can find some more information split up into 3 parts. In the left part you will find some information
about the user, containing the name as well as the username, the city of birth, the birthdate, the document identification number and the
issuing party of the document.
The central part contains information about the Account balance. The available surf time is first, followed by the used surf time. In the
third line you can see the amount of money that this user has already paid - this will be displayed in the currency you set in the settings
page. The fourth line shows how much of this money has been spent so far. Finally the last line shows the amount of money that is still
due to pay. This bigger box will be displayed in green if everything has already been paid.
In the Payment column on the right you can either see a message that everything has already been paid or you can choose the amount
of money the user wants to pay and bill that amount by clicking on the Bill button.
User connections
Figure 10.5. User connections
In this window you can see all the connections of the user you specified. The window is split into two parts - at the top you can see the
user information, while the bottom part shows all the data regarding the connections. The list with all the connections has six columns:
Username
The username of this user.
IP address
The IP address the user had during the respective connection.
MAC address
The MAC address from which the user was connecting.
Connection start
The start time and date of the connection.
Connection stop
The time and date when the connection was stopped.
Duration
How long this connection lasted.
Ticket Rates
Endian Firewall gives you the possibility to specify more than one ticket rate. You can even specify whether a rate is post-paid or
pre-paid, and you can create different rates for both types. This is mostly useful if you want to sell different pre-paid types, e.g. four
pre-paid 15-minute tickets should cost more than one pre-paid 1-hour ticket.
Figure 10.6. Ticket Rates
In this list you can see the different ticket rates, the following are the columns:
Name
The name you gave to the ticket rate.
Code
This is the ASA code for your ticket rate. Although it is used only by the ASA hotel management system, the field is
mandatory.
Hourly price
This is the hourly price you specify.
Actions
Here you can choose to Edit or Delete a ticket rate by clicking on the respective link.
Add or edit a ticket rate
Figure 10.7. Add or edit a ticket rate
Note
This field is mandatory nevertheless.
Unit Length
This option lets you specify how long one unit of this ticket rate will last. The available options are:
15 minutes
30 minutes
45 minutes
1 hour
2 hours
3 hours
postpaid
While the first six entries give the amount of time that has to be paid in advance (pre-paid), the postpaid length is paid after
the user has used the hotspot and therefore does not limit the user a priori.
Hourly Price
Here you can specify the hourly price for the current ticket rate. This is useful if, e.g., you want the hourly price for 3 hours to be
cheaper than the hourly price for 15 minutes. The following example shows how to set hourly prices: the amount after the unit length
is the money you will receive when selling one ticket of this rate.
Example 10.1. Specifying hourly prices
15 minutes: 3 Euro => hourly price has to be set to 12 Euro.
3 hours: 21 Euro => hourly price has to be set to 7 Euro.
Save
By hitting this button you will save the ticket rate.
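The pricing rule of Example 10.1 (ticket price = hourly price x unit length) and the charging order from the ticket note above (pre-paid time first, then post-paid, otherwise the connection stops), as an added Python example. This is not Endian's own code; the Account and charge_session model is an assumption drawn from the note's wording, and the rate names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Unit lengths offered by the "Unit Length" drop-down, in minutes.
# None marks the "postpaid" entry, which is billed after use.
UNIT_LENGTHS = {
    "15 minutes": 15,
    "30 minutes": 30,
    "45 minutes": 45,
    "1 hour": 60,
    "2 hours": 120,
    "3 hours": 180,
    "postpaid": None,
}


@dataclass
class TicketRate:
    """One row of the Ticket Rates table (the ASA code is omitted here)."""
    name: str
    unit_length: str     # key of UNIT_LENGTHS
    hourly_price: float  # value entered in the "Hourly Price" field

    @property
    def minutes(self) -> Optional[int]:
        return UNIT_LENGTHS[self.unit_length]

    @property
    def prepaid(self) -> bool:
        return self.minutes is not None

    def ticket_price(self) -> float:
        """Money received when one pre-paid ticket of this rate is sold."""
        if not self.prepaid:
            raise ValueError("a post-paid rate has no fixed ticket price")
        return round(self.hourly_price * self.minutes / 60, 2)


def hourly_price_for(ticket_price: float, unit_length: str) -> float:
    """Inverse of ticket_price(): the hourly price to enter so that one
    ticket of the given unit length sells for ticket_price (Example 10.1)."""
    minutes = UNIT_LENGTHS[unit_length]
    if minutes is None:
        raise ValueError("post-paid rates are entered as an hourly price directly")
    return round(ticket_price * 60 / minutes, 2)


@dataclass
class Account:
    """Hypothetical hotspot account (assumed model, not Endian's data
    structure): remaining pre-paid time plus an optional post-paid rate."""
    prepaid_minutes: int = 0
    postpaid_rate: Optional[TicketRate] = None
    amount_due: float = 0.0


def charge_session(account: Account, minutes: int) -> int:
    """Charge a session of the requested length.

    Pre-paid time is consumed first.  Once it is used up, the rest of the
    session is billed against the post-paid rate; without a post-paid
    ticket the connection is stopped instead.  Returns the number of
    minutes the session was actually allowed to last."""
    from_prepaid = min(minutes, account.prepaid_minutes)
    account.prepaid_minutes -= from_prepaid
    remaining = minutes - from_prepaid
    if remaining == 0:
        return minutes
    if account.postpaid_rate is None:
        # pre-paid ticket exhausted and nothing to fall back on
        return from_prepaid
    account.amount_due = round(
        account.amount_due + account.postpaid_rate.hourly_price * remaining / 60, 2)
    return minutes


if __name__ == "__main__":
    # Constructed rates reproducing Example 10.1.
    quarter = TicketRate("Quarter hour", "15 minutes", hourly_price_for(3, "15 minutes"))
    three_h = TicketRate("Three hours", "3 hours", hourly_price_for(21, "3 hours"))
    print(quarter.hourly_price, quarter.ticket_price())  # 12.0 3.0
    print(three_h.hourly_price, three_h.ticket_price())  # 7.0 21.0
    guest = Account(prepaid_minutes=60,
                    postpaid_rate=TicketRate("Post-paid", "postpaid", 8.0))
    print(charge_session(guest, 90), guest.prepaid_minutes, guest.amount_due)  # 90 0 4.0
```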
Statistics
Figure 10.8. Statistics
On this page you can see an overview of the connections grouped by user as well as a summary at the bottom of the table. The following
columns will be displayed:
Username
The name of the user.
Note
The username is linked. By clicking on this link you will be redirected to the balance page for that
user.
Amount used
Here you can see how much money each user spent while using the hotspot.
Paid
This shows how much has been paid by the user.
Duration
In this column you can see how long the user was connected.
Traffic
This column shows the traffic the user made during his connection time.
You can choose two different viewing types: Filter Period and Open Accounting Items.
When using Filter Period you can set a start and an end date respectively in the From and Until textfields. Alternatively you can use the ...
buttons to use the calendar-popup to enter the dates. When using Open Accounting items all still open payments will be displayed.
Active Connections
Figure 10.9. Active Connections
On this page you can see all currently active connections on the hotspot. The list contains the following columns:
Username
The username of the user that is connected.
Connection Start
The start date and time of the connection.
Duration
How long the user has been connected so far.
IP Address
The IP address that was assigned to the interface which is connected to the hotspot.
MAC Address
The MAC address of the interface that was used to connect to the hotspot.
Action
For every active connection you will see a Close connection link. By clicking on this link you can kill the respective connection.
Connection Log
Figure 10.10. Connection Log
On this page you can see the connection log. The log is displayed in a table with six columns:
Username
The username of the user.
IP Address
The IP address that was used for the connection.
MAC Address
The MAC address that was used to connect to the Hotspot.
Connection Start
The start date and time of the connection.
Connection Stop
The end date and time of the connection.
Duration
The duration of the connection.
At the top of the page there is an Export as CSV link. Clicking on this link will download a text file containing the log entries in CSV
(comma-separated values) format.
Settings
Figure 10.11. Settings
This page consists of two main sections, the Global settings and the ASA jHotel settings. ASA jHotel is a South Tyrolean hotel
management platform and will not be described here.
The Global settings contain three configuration variables:
Homepage after successful login
This homepage will be displayed after a successful user login.
Currency
Here you can specify your local currency symbol.
Logout user on Idle-Timeout
After how long a user should be logged out when doing nothing.
Save
Click this button to save your settings.
Dialin
This page shows the connection status of the Endian Firewall. A description of this status window can be seen here.
Password
Figure 10.13. Password
On this page you can set the password for the hotspot user. To do this you have to enter the new password twice in the Password and
Again fields and then hit the Save button.
Template Editor
Figure 10.14. Template Editor
On this page you can modify the message that will be shown to your clients before logging in. Endian Hotspot provides a fully featured
graphical user interface to edit this message. To save this message you just have to hit the disc icon in the top-left corner of the editor
window.
If you want to edit another language just click on the appropriate flag symbol on the left side of your screen. The page will be reloaded
with the new language settings - again hit the disc icon to save the text.
Note
You do not necessarily have to enter just plain text. You can format this page however you like, as long as
the information that you supply conforms to the laws of your country.
Printout Template
Figure 10.15. Printout template
On this page it is possible to edit the information sheet that will be printed and handed out to a user after he has been registered for the
Endian Hotspot. Please note that you will have to use placeholders for the information to be complete. Valid placeholders are:
$title - this will be replaced by the user's title.
$firstname - this will be replaced by the user's first name.
Allowed sites
Figure 10.16. Allowed sites
This is the page where you can specify websites, IP addresses and subnets that are accessible without authentication. You just have to
add one entry per line. Access will be allowed to every page and subnet that is specified here and saved by clicking the Save button.
First of all the client has to go to a terminal that is connected to Endian Hotspot. He will be presented with a welcome screen that shows
the content of the page that has been specified in the Template Editor section. By clicking on the appropriate flag symbol the user can
choose the language he wants. If ASA is activated every house guest can login by using the Login for house guests link which can be
found in the menu on the left just above the normal Login link which is the way to go if either ASA is disabled or the user is not a house
guest.
Login
Figure 10.18. Normal login
Every normal user can connect to Endian Hotspot by supplying his username and password in this form and then hitting the Login
button. After entering a valid username and password a popup will show up.
If ASA is enabled every house guest can login by clicking on login for house guests here and then providing his last name and first name
as well as his birthdate and finally hitting the Send button. Hit Close if you want to close the window. After successful login another
popup will show up.
Note
Please note that the last name has to be entered in the first text field.
Successful login
Figure 10.20. Successful login
If you see this popup you are successfully logged in. If you are using a pre-paid ticket the displayed timer will be a
countdown. If you are using post-paid payment the timer will start at 00:00:00 and count upwards.
If you wish to logout you can do this by simply clicking on the Logoff link.
This page was last modified on: $Date: 2006-11-21 09:19:11 +0100 (Tue, 21 Nov 2006) $.
Table of Contents
PREAMBLE
APPLICABILITY AND DEFINITIONS
VERBATIM COPYING
COPYING IN QUANTITY
MODIFICATIONS
COMBINING DOCUMENTS
COLLECTIONS OF DOCUMENTS
AGGREGATION WITH INDEPENDENT WORKS
TRANSLATION
TERMINATION
FUTURE REVISIONS OF THIS LICENSE
ADDENDUM: How to use this License for your documents
PREAMBLE
The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially.
Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible
for modifications made by others.
This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It
complements the GNU General Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free
program should come with manuals providing the same freedoms that the software does. But this License is not limited to software
manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend
this License principally for works whose purpose is instruction or reference.
and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under
copyright law.
A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with
modifications and/or translated into another language.
A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the
publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall
directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any
mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial,
philosophical, ethical or political position regarding them.
The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice
that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not
allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any
Invariant Sections then there are none.
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that
the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25
words.
A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the
general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels)
generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for
automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format
whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not
Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called
"Opaque".
Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format,
SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human
modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can
be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally
available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this
License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text
near the most prominent appearance of the work's title, preceding the beginning of the body of the text.
A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses
following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as
"Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the
Document means that it remains a section "Entitled XYZ" according to this definition.
The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These
Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other
implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.
VERBATIM COPYING
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no
other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further
copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large
enough number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly display copies.
COPYING IN QUANTITY
If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the
Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover
Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify
you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible.
You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the
Document and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the
actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable
Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the
general network-using public has access to download using public-standard network protocols a complete Transparent copy of the
Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of
Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year
after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to
give them a chance to provide you with an updated version of the Document.
MODIFICATIONS
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you
release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing
distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the
Modified Version:
GNU FDL Modification Conditions
A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version
if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified
Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five),
unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the
terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and
publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one
stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified
Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section.
You may omit a network location for a work that was published at least four years before the Document itself, or if the original
publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the
substance and tone of each of the contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are
not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material
copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the
list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a
standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of
the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or
through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by
you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one,
on explicit permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version.
COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for
modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified,
and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single
copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by
adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number.
Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled
"History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all
sections Entitled "Endorsements".
COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released under this License, and replace the individual
copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of
this License for verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of
this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations
of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this
License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English
version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and
the original version of this License or a notice or disclaimer, the original version will prevail.
If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title
(section 1) will typically require changing the actual title.
TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt
to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However,
parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties
remain in full compliance.