
Administrative Guide

Diego Gagliardo

Raphael Lechner

Marco Sondermann

Raphael Vallazza

Peter Warasin

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled Appendix A, GNU Free Documentation License.

2006-05-24

Revision History
Revision 1.1rc7, 2005-10-09: DocBook Edition
Revision 2.0, 2006-05-24: DocBook Edition

Abstract

Comprehensive documentation for the administrator of an Endian Firewall™.


Table of Contents

Preface
Rights and Disclaimers
Conventions used in this book
Typographic Conventions
Icons
Organization of this book
This Book is Free
Acknowledgments
1. Introduction
What Is Endian Firewall?
Partial List of Features
2. System Web pages
Introduction
Home Administrative Window
Network Configuration
Choose type of RED interface
Choose network zones
Network preferences
Internet Access preferences
RED type: NONE
RED type: ADSL
RED type: ISDN
RED type: ETHERNET STATIC
RED type: ETHERNET DHCP
RED type: PPPoE
Configure DNS resolver
Apply configuration
EN registration
Passwords
SSH Access
SSH Options
SSH Host Keys
GUI Settings
Backup Web Page
Backup to Files
Export Backup files
Restore
Reset configuration to factory defaults
Shutdown or Restart Endian Firewall
3. Status Menu
Introduction
System Status
Services
Memory
Disk Usage
Uptime and Users
Loaded Modules
Kernel Version
Network Status
Interfaces
RED DHCP configuration
Current Dynamic Leases
Routing Table Entries
ARP Table Entries
System Graphs
Traffic Graphs
Proxy Graphs
Connections
SMTP Mail Statistics
Mail Queue
IPTables Rules
4. Network Menu
Introduction
Host configuration (Edit Hosts)
Aliases
5. Services Menu
Introduction
DHCP Administrative Web Page
DHCP Server Parameters
Add a new fixed lease
Current fixed leases
Current dynamic leases
Error messages
Dynamic DNS Administrative Web Page
Add a host
Current hosts
Forcing a Manual Update
Time Server Administrative Web Page
Traffic Shaping Administrative Web Page
Intrusion Detection System Administrative Web Page
Linesrv
Server
Clients
XLC
WLC2
Hotspot
6. Firewall Menu
Introduction
Introduction
Port Forwarding Administrative Web Page
Port Forwarding Overview
Port Forwarding and External Access
External Access Administrative Web Page
Zone Pinholes Administrative Web Page
Outgoing Firewall Administrative Web Page
Globally DENY outgoing traffic to RED and explicitly configure outgoing rules
Globally ALLOW outgoing traffic to RED
User Customization
7. Proxy
Introduction
HTTP Proxy
Feature List
Web proxy configuration
Common settings
Upstream proxy
Log settings
Cache management
Network based access control
Time restrictions
Transfer limits
MIME type filter
Web browser
Authentication configuration
Content filter
HTTP Antivirus
Enforcing proxy usage
Web Proxy standard operation modes
Client side Web Proxy configuration
Requirements for mandatory proxy usage
Step by step examples
Active Directory and LDAP authentication
POP3
Global settings
Spamfilter configuration
SIP
FTP
SMTP
General Settings
Antivirus
AntiSpam
General Settings
Greylisting
Banned File Extension
Blacklists/Whitelists
Real-time Spam Black Lists (RBL)
Custom black/whitelists
Local Domains
Advanced settings
Smarthost
IMAP Server for SMTP Authentication
Advanced settings
8. VPN Menu
Introduction
Virtual Private Networks (VPNs)
Net-to-Net (Gateway-to-Gateway)
Host-to-Net (Roadwarrior)
OpenVPN
OpenVPN Web Interface
OpenVPN Server
Openvpn gateway2gateway client
Net-to-Net Step by Step Connection (between 2 or more Endian Firewall)
Configuration of an OpenVPN client on the roadwarrior side
IPSec
Methods of Authentication
Pre-shared Key
X.509 Certificates
Global Settings
Connection Status and Control
Certificate Authorities
Generate Root/Host Certificates
Upload a CA certificate
Reset configuration
Add a new connection
Connection Type
Authentication
9. Logs
Introduction
Log Settings Administrative Web Page
Log Summary Page
Proxy Logs Page
Firewall Logs Page
Intrusion Detection System Log Page
Content Filter Logs Page
OpenVPN Logs Page
System Log Page
SMTP Log Page
Clamav Log Page
SIProxy log page
A. GNU Free Documentation License
PREAMBLE
APPLICABILITY AND DEFINITIONS
VERBATIM COPYING
COPYING IN QUANTITY
MODIFICATIONS
COMBINING DOCUMENTS
COLLECTIONS OF DOCUMENTS
AGGREGATION WITH INDEPENDENT WORKS
TRANSLATION
TERMINATION
FUTURE REVISIONS OF THIS LICENSE
ADDENDUM: How to use this License for your documents

List of Figures

2.1. System menu selected
2.2. Home
2.3. Displays the Endian Network Support status
2.4. Online status
2.5. Network wizard step 1: Choose type of RED interface
2.6. Network wizard showing Step2: Choose network zones
2.7. Network wizard showing Step 3: Network preferences
2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE
2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem
2.10. Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type
2.11. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (PPPoE)
2.12. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 static ip)
2.13. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 DHCP)
2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences
2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences
2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences
2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences
2.18. Network wizard showing step 5: configure DNS resolver
2.19. Network wizard showing step 6: Apply configuration
2.20. Unregistered Endian Firewall
2.21. Registered Endian Firewall
2.22. Password changing dialogue
2.23. SSH access page
2.24. GUI settings
2.25. Backup to files
2.26. Reset to factory defaults
2.27. Shutdown / Reboot page
3.1. Status menu selected
3.2. Page which displays the actual running services
3.3. Page which displays the current memory usage
3.4. Page which displays the current disk usage
3.5. Page which displays uptime and current logged in users
3.6. Page which displays the current loaded kernel modules
3.7. Page which displays the kernel version
3.8. Displays interfaces
3.9. Displays current RED DHCP configuration
3.10. Displays current dynamic leases
3.11. Displays current routing table
3.12. Displays ARP table
3.13. Display of CPU graph
3.14. Display disk usage graph
3.15. Display memory usage graph
3.16. Display current swap usage
3.17. Displays traffic graph of the GREEN interface
3.18. Displays traffic graph of the RED interface
3.19. Displays current connections
3.20. Mail Queue
3.21. Displays iptables rules
4.1. Network menu selected
4.2. Current hosts
4.3. Add a new alias
5.1. Services menu selected
5.2. Shows the DHCP administration page
5.3. Add a fixed lease
5.4. Shows the current fixed leases
5.5. Shows the current dynamic leases
5.6. Shows the dialogue which allows you to create a new DynDNS configuration
5.7. Shows current configured DynDNS configuration
5.8. Shows the Time server administrative web page
5.9. Shows traffic shaping settings
5.10. Shows Type of Service configuration
5.11. Intrusion Detection System administrative web page
5.12. Linesrv
5.13. XLC Line down
5.14. XLC initiate a Connection
5.15. XLC main connection initiated
5.16. XLC up manually
5.17. WLC disconnected
5.18. WLC line is up
5.19. WLC connection established
5.20. WLC up manually
6.1. Firewall menu selected
6.2. Diagram of flow control and its configuration possibilities
6.3. Adding a new port forwarding configuration
6.4. Adds an ACL to a port forwarding rule
6.5. Currently configured port forwarding rules
6.6. Add a new external access rule
6.7. Displays currently configured rules
6.8. Adds a new pinhole rule
6.9. Lists all configured pinhole rules
6.10. Adds a new outgoing rule
6.11. Lists all current outgoing rules
6.12. Globally allow outgoing traffic
6.13. Globally deny outgoing traffic
7.1. Proxy menu selected
7.2. Displays HTTP advanced proxy settings
7.3. Displays HTTP advanced proxy upstream proxy configuration
7.4. Displays HTTP advanced proxy log settings
7.5. Displays HTTP advanced proxy cache management configuration
7.6. Displays HTTP advanced proxy network based access control
7.7. Displays HTTP advanced proxy time restrictions configuration
7.8. Displays HTTP advanced proxy transfer limit configuration
7.9. Displays HTTP advanced proxy MIME type filter
7.10. Displays HTTP advanced proxy user agent filter
7.11. Displays HTTP advanced proxy authentication methods
7.12. Displays HTTP advanced proxy global authentication settings
7.13. Displays HTTP advanced proxy local user authentication
7.14. Displays HTTP advanced proxy local user authentication
7.15. Displays local user manager for the HTTP advanced proxy
7.16. Displays editing a user with local user manager of HTTP advanced proxy
7.17. Change it yourself page, allowing user to change their local HTTP proxy password
7.18. Displays LDAP authentication page of HTTP advanced proxy
7.19. Common LDAP settings of HTTP advanced proxy
7.20. Bind DN settings of LDAP authentication within HTTP advanced proxy
7.21. Groupbased access control of LDAP authentication within HTTP advanced proxy
7.22. HTTP advanced proxy authentication against Windows
7.23. Common domain settings of Windows authentication on HTTP advanced proxy
7.24. Authentication mode of windows authentication on HTTP advanced proxy
7.25. Userbased access restrictions on windows authentication of HTTP advanced proxy
7.26. Integrated windows authentication with HTTP advanced proxy
7.27. Explicit authentication with HTTP advanced proxy
7.28. Displays RADIUS authentication configuration of HTTP advanced proxy
7.29. Displays common RADIUS settings of HTTP advanced proxy authentication
7.30. Displays user based access restrictions of HTTP advanced proxy
7.31. General content filter configuration
7.32. Selection of allowed phrases which pages may contain
7.33. Selection of categories of URL lists which should be blocked by the HTTP content filter
7.34. Custom black and whitelists of the HTTP content filter
7.35. HTTP Antivirus configuration page
7.36. HTTP proxy disabled
7.37. Figure which displays traffic which will not be directed through the HTTP proxy
7.38. HTTP proxy enabled
7.39. Figure which displays traffic which will not be directed through the HTTP proxy
7.40. Figure which displays traffic which will be redirected through the HTTP proxy.
7.41. HTTP proxy enabled as transparent proxy
7.42. Figure which displays traffic which will be transparently redirected through the HTTP proxy.
7.57. Shows POP3 proxy global settings
7.58. Spamfilter configuration of POP3 proxy
7.59. SIP Proxy Settings
7.60. FTP proxy administration page
7.61. General Settings
7.62. SMTP Antivirus
7.63. SMTP Antispam
7.64. Greylisting
7.65. banned files
7.66. Real-time Black Lists
7.67. black/whitelists
7.68. Local Domains
7.69. Smarthost
7.70. IMAP Server for SMTP Authentication
7.71. Advanced Settings
8.1. VPN menu selected
8.2. Figure of a Net-to-net VPN
8.3. Figure of a Host-to-net VPN
8.4. Figure of a mixed OpenVPN VPN consisting of roadwarriors and net-to-net links in a hub-and-spoke topology
8.7. VPN global settings
8.8. VPN connection status and control window: initial view
8.9. VPN certificate authorities window: initial view
8.10. VPN connection type selection
8.11. VPN Host-to-Net connection input
8.12. VPN Net-to-Net connection input
8.13. VPN authentication input
9.1. Logs menu selected
9.2. Generic navigation items
9.3. Configuration of log viewer
9.4. Configuration of log summaries
9.5. Configuration of remote logging
9.6. Configuration of firewall logging
9.7. Displays log summaries
9.8. Displays firewall log
9.9. Display of system logs
9.10. Displays clamav log viewer

List of Examples

5.1. Example of a custom configuration line
7.1. Add this MIME type if you want to block the download of PDF files:
7.2. Add these MIME types if you want to block the download of MPEG and QuickTime video files:
7.3. Windows Update: to allow access to Windows Update without authentication add these domains to the list:
7.4. Base DN for Active Directory
7.5. Base DN for eDirectory
7.6. Base DN containing spaces
7.7. User based access control lists using integrated authentication
7.8. User based access control lists using explicit authentication
7.9. Example spam info headers
7.10. Example spam info headers
7.11. Allow or deny a complete domain
7.12. Allow or deny only the subdomains of a domain
7.13. Allow or deny single email addresses or user names.
7.14. Allow or deny a complete domain
7.15. Allow or deny only the subdomains of a domain
7.16. Allow or deny single email addresses or user names.
7.17. Allow or deny ip block.
8.1. An example command line to start openvpn on your roadwarrior
8.2. An example configuration file for openvpn on your roadwarrior
8.3. Example plain text certificate output.
8.4. Example content of an exported CA.
9.1. Log line of the OpenVPN server
9.2. Log line of an OpenVPN client