Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
Free Documentation License".
Select Proxy from the menu bar at the top of the screen.
A proxy is a service on your Endian Firewall that can act as a gatekeeper between clients (such as a web browser on the LAN) and network services (such as a web server on the internet). Clients connect to the proxy, which in turn can retrieve, cache, filter and potentially block the information from the original server. A proxy is called transparent if all traffic goes through it regardless of whether the client is explicitly configured to use the proxy or not. Non-transparent proxies hence rely on the collaboration of the client (for example, the proxy settings of your web browser).
Following is a list of proxies available on Endian Firewall. Each proxy can be configured via the links that appear in the submenu on the left side of the screen:
Each link will be explained individually in the following sections.
Select Proxy from the menu bar at the top of the screen, then select HTTP from the submenu on the left side of the screen.
Click the Enable HTTP Proxy toggle to enable the HTTP proxy (Endian Firewall uses the Squid caching proxy). Once the proxy is up and running, a number of controls appear.
First of all, you can define the way users in each zone (GREEN and, if enabled, also ORANGE and BLUE) can access the proxy. The per-zone choices are:
| disabled | - | the proxy server is not available in the given zone |
| no authentication | - | the proxy server is available to anyone (no need to log in), but you need to configure your browser manually |
| authentication required | - | users need to configure their browser manually and need to log in in order to use the proxy server |
| transparent | - | the proxy server is available to anyone and no browser configuration is needed (HTTP traffic is intercepted by the proxy server) |
Next comes a section with global configuration options:
| Proxy port | - | the TCP port used by the proxy server (defaults to 8080) |
| Visible hostname | - | the proxy server will assume this as its hostname (will show at the bottom of error messages) |
| Cache administrator email | - | the proxy server will show this email address in error messages |
| Language of error messages | - | ditto |
| Max upload size | - | limit for HTTP file uploads (such as used by HTML forms with file uploads) in KB (0 means unlimited) |
Then you will find a number of additional options, each in its own panel that can be expanded by clicking on the + icon:
| Allowed Ports and SSL Ports | ||
| Ports | - | list the TCP destination ports the proxy server will accept connecting to when using HTTP (one per line, comments start with #) |
| SSL Ports | - | idem, when using HTTPS |
| Log settings | ||
| Log enabled | - | log each URL being accessed through the proxy (master switch) |
| Log query terms | - | also log parameters in the URL (such as ?id=123) |
| Log user-agents | - | also log user agents, i.e. which web browsers access the web |
| Firewall logs outgoing connections | - | have the firewall log web accesses (transparent proxies only) |
| Allowed Subnets per Zone | ||
| GREEN / ORANGE / BLUE | - | for each zone the proxy serves, define which subnets are allowed to access the proxy (defaults to all subnets associated with the respective zone) - give one subnet per line (example: 172.16.1.0/255.255.255.0 or 172.16.1.0/24). Note: there should be at least one entry for each active zone. If you don't want to allow any clients from a zone, disable it altogether using the select boxes below the Enable HTTP Proxy toggle. |
| Inter-Zone traffic settings | ||
| checkboxes... | - | here, you can override the default settings that govern how HTTP traffic is allowed to flow between the zones: by default GREEN clients can reach destinations in ORANGE and BLUE, while all other combinations are forbidden |
| Bypass / Banned Sources and Destinations | ||
| Bypass transparent proxy | - | specify sources (upper left panel) or destinations (upper right panel), that are not subject to transparent proxying; give one subnet, IP address or MAC address per line |
| Bypass proxy filter | - | specify source IP addresses (mid left panel) or source MAC addresses (mid right panel) that, while still passing through the proxy, are not subject to filtering |
| Banned clients | - | specify source IP addresses (lower left panel) or source MAC addresses (lower right panel) that are banned (unconditionally blocked by the proxy) |
| Cache management | ||
| Harddisk / Memory cache size | - | give the amount of memory the proxy should allocate for caching web sites, respectively on disk or in RAM (in units of MB) |
| Max / Min object size | - | give upper and lower size limit of what objects should be cached (in units of KB) |
| Enable offline mode | - | if this option is on, the proxy will never try to validate cached objects with the upstream web server - clients can then browse cached, static websites even after the uplink has gone down |
| Upstream proxy | ||
| Upstream proxy | - | use this option to make your Endian Firewall's proxy use another (upstream) proxy; specify the upstream proxy as "host:port" |
| upstream username / password | - | specify credentials, if authentication is required for the upstream proxy |
| Username / client IP forwarding | - | forward the username / client IP address to the upstream proxy |
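The panels above describe several text areas with the same conventions (one entry per line, comments starting with #, subnets in CIDR or dotted-netmask form, clients given as IP or MAC addresses) and a fixed order of evaluation: banned clients are refused unconditionally, a zone must be enabled and the client must be in a listed subnet, transparent-bypass entries escape interception, destination ports must be in the allowed list, and filter-bypass entries are proxied but not filtered. The script below is an added example, not Endian's own code: it parses those formats and reports what happens to a request. Only source-side bypass entries are modelled (the destination panels are left out), and the function names and the SAMPLE configuration are constructed for illustration.

```python
"""Access decision for the HTTP proxy, following the panels above.

Added example, not Endian's own code: parses the text-area formats the
page documents and reports what happens to a request. Only source-side
bypass entries are modelled; names and SAMPLE are constructed.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_lines(text):
    """One entry per line; anything after '#' is a comment; blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def parse_ports(text):
    return {int(p) for p in parse_lines(text)}


def parse_subnets(text):
    # ipaddress accepts both 172.16.1.0/24 and 172.16.1.0/255.255.255.0
    return [ipaddress.ip_network(s, strict=False) for s in parse_lines(text)]


def parse_clients(text):
    """Split a mixed list into a set of MAC addresses and a list of IP networks."""
    macs, nets = set(), []
    for entry in parse_lines(text):
        if MAC_RE.match(entry):
            macs.add(entry.lower())
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return macs, nets


def client_listed(ip, mac, listing):
    macs, nets = listing
    addr = ipaddress.ip_address(ip)
    return (mac or "").lower() in macs or any(addr in n for n in nets)


def decide(cfg, zone, client_ip, client_mac, dest_port, tls=False):
    """Return 'blocked', 'disabled', 'not-in-subnet', 'bypass', 'bad-port', 'unfiltered' or 'allowed'."""
    if client_listed(client_ip, client_mac, cfg["banned"]):
        return "blocked"        # banned clients are refused unconditionally
    mode = cfg["zones"].get(zone, "disabled")
    if mode == "disabled":
        return "disabled"
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in n for n in cfg["subnets"].get(zone, [])):
        return "not-in-subnet"  # zone is served, but this subnet is not listed
    if mode == "transparent" and client_listed(client_ip, client_mac, cfg["bypass_transparent"]):
        return "bypass"         # not intercepted at all
    if dest_port not in (cfg["ssl_ports"] if tls else cfg["ports"]):
        return "bad-port"
    if client_listed(client_ip, client_mac, cfg["bypass_filter"]):
        return "unfiltered"     # proxied and cached, but skips the filter
    return "allowed"


# Constructed sample configuration mirroring the panels above.
SAMPLE = {
    "zones": {"GREEN": "transparent", "BLUE": "no authentication", "ORANGE": "disabled"},
    "subnets": {
        "GREEN": parse_subnets("192.168.0.0/255.255.255.0"),
        "BLUE": parse_subnets("10.10.0.0/16   # wireless clients"),
    },
    "ports": parse_ports("80   # http\n21   # ftp through the proxy\n8080"),
    "ssl_ports": parse_ports("443\n# 8443 is deliberately not listed"),
    "bypass_transparent": parse_clients("192.168.0.50"),
    "bypass_filter": parse_clients("00:11:22:33:44:55"),
    "banned": parse_clients("192.168.0.200\naa:bb:cc:dd:ee:ff"),
}

if __name__ == "__main__":
    for args in [("GREEN", "192.168.0.20", None, 80), ("GREEN", "192.168.0.200", None, 80),
                 ("BLUE", "10.10.3.4", None, 8443, True)]:
        print(args, "->", decide(SAMPLE, *args))
```

Two details worth noticing when reviewing a configuration: a client that is in a served zone but outside every listed subnet gets no service at all (hence the note that each active zone needs at least one entry), and a transparent-bypass entry removes the client from proxying entirely, so it also escapes logging and filtering, whereas a filter-bypass entry is still proxied and logged.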
Click the Save button to confirm and save the configuration changes. Do not forget to click the Apply button to restart the proxy for the changes to become active.
The Clear cache button deletes all web pages and files cached by the HTTP proxy.
The default policy applies to all users of the proxy, authenticated or not. Policy settings include a simple user agent and MIME type filter as well as advanced time-based virus scanning and content filtering.
| Restrict allowed clients for web access | - | activate user agent filter, it restricts web access to selected user agents |
| Max download size | - | limit for HTTP file downloads in KB (0 means unlimited) |
| Block MIME types | - | activate MIME type filter which checks incoming headers for their MIME type. If the requested MIME type is listed to be blocked, access will be denied. This way you can block files not corresponding to the company policy (for example multimedia files) |
| Allowed clients for web access | - | a list of allowed clients and browsers can be selected by clicking on the + icon |
| Blocked MIME types | - | you can specify blocked MIME types by clicking on the + icon and adding one type per line. The syntax conforms to the standard defined by IANA. Examples: application/javascript, audio/mpeg, image/gif, text/html, video/mpeg |
Click the Save button to save policy settings.
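The default policy above combines a user agent allow list, a MIME type block list checked against response headers, and a download size limit where 0 means unlimited. The following is an added example, not Endian's own code, that applies these three checks to constructed request and response headers. The matching rules it uses (case-insensitive substring match for user agents, the MIME type compared without its parameters) are assumptions about how such a filter behaves, not a description of Squid's configuration.

```python
"""Default-policy checks on one HTTP exchange.

Added example, not Endian's own code. Matching rules are assumptions.
"""

KB = 1024


def parse_lines(text):
    """One entry per line; '#' starts a comment; blanks are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def mime_type(content_type):
    """'Text/HTML; charset=UTF-8' -> 'text/html': parameters must not defeat the match."""
    return content_type.split(";", 1)[0].strip().lower()


def parse_blocked_mime(text):
    return {mime_type(m) for m in parse_lines(text)}


def agent_allowed(user_agent, allowed_agents):
    """User-agent filter: an empty allow list means the filter is not active."""
    if not allowed_agents:
        return True
    ua = user_agent.lower()
    return any(a.lower() in ua for a in allowed_agents)


def response_allowed(headers, blocked_mime, max_download_kb):
    """headers: dict with lower-case header names. Returns (allowed, reason)."""
    ctype = mime_type(headers.get("content-type", ""))
    if ctype in blocked_mime:
        return False, "mime:" + ctype
    length = headers.get("content-length")
    # 0 means unlimited; a response without Content-Length cannot be checked up front
    if max_download_kb and length is not None and int(length) > max_download_kb * KB:
        return False, "size"
    return True, "ok"


# Constructed policy mirroring the table above.
BLOCKED = parse_blocked_mime("video/mpeg\naudio/mpeg  # no streaming media\napplication/javascript")
ALLOWED_AGENTS = ["Firefox", "MSIE"]
MAX_DOWNLOAD_KB = 2048

if __name__ == "__main__":
    print(agent_allowed("curl/7.19", ALLOWED_AGENTS))
    print(response_allowed({"content-type": "Video/MPEG; foo=bar"}, BLOCKED, MAX_DOWNLOAD_KB))
```

As the table says, the MIME filter checks the header the server sends; it decides on what the server claims the content is, not on the bytes themselves, and a download size limit can only be applied up front when the response carries a Content-Length.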
You can view your own rules in the Rule Edit section. Each rule specifies whether web access is blocked or allowed; in the latter case you can activate and select a filter type. To add a new rule, click on Create a rule; the following settings can be made:
| Web access | - | specify whether the rule allows web access or not; also state whether it has effect all day long or at a specific day or time: choose days and time ranges. |
| Filter type | - | select "antivirus scan only" to create a rule which only scans for viruses, select "content filter only" to create a rule which analyzes the content of web pages and filters them according to the settings in the Content filter section. Note: if you tick the check box Activate antivirus scan in the Content filter section, then all rules (new ones and old ones) marked as "content filter only" are changed to "content filter + antivirus"; this means, of course, that the antivirus filter and the content filter work concurrently. |
| Position | - | specify where to place the new rule, larger numbers have higher priority |
You can then change the priority of, edit or delete each rule from the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).
At the bottom of this page you can view a rule timetable, which shows graphically which filter type is active day by day and hour by hour. Different colors denote different filtering policies; the corresponding color is displayed in the legend.
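The rule list described above has three elements that interact: a rule may be limited to certain days and a time range, the rule with the largest position number wins when several match, and the Activate antivirus scan switch in the Content filter section upgrades every "content filter only" rule to "content filter + antivirus". The script below is an added example, not Endian's own code, that models that selection and renders the hour-by-hour timetable the page shows for one weekday. The field names, the RULES list and the default policy used when no rule matches are constructed.

```python
"""Which policy rule is in force at a given moment.

Added example, not Endian's own code; field names and RULES are constructed.
"""
from datetime import datetime, time, timedelta

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def make_rule(position, access, filter_type="none", days=None, start=None, end=None):
    """days: subset of DAYS, or None for every day; start/end: 'HH:MM', or None for all day."""
    return {
        "position": position,
        "access": access,          # "allow" or "block"
        "filter": filter_type,     # "none", "antivirus" or "content filter"
        "days": set(days) if days else set(DAYS),
        "start": time.fromisoformat(start) if start else time.min,
        "end": time.fromisoformat(end) if end else time.max,
    }


def rule_active(rule, when):
    return DAYS[when.weekday()] in rule["days"] and rule["start"] <= when.time() <= rule["end"]


def effective_filter(rule, antivirus_on):
    """The global switch turns 'content filter' rules into 'content filter + antivirus'."""
    if antivirus_on and rule["filter"] == "content filter":
        return "content filter + antivirus"
    return rule["filter"]


def select_rule(rules, when, antivirus_on=False, default=("allow", "none")):
    """Highest position among the rules active at 'when'; the default policy if none matches."""
    active = [r for r in rules if rule_active(r, when)]
    if not active:
        return default
    best = max(active, key=lambda r: r["position"])
    return best["access"], effective_filter(best, antivirus_on)


def timetable(rules, day_index, antivirus_on=False):
    """Hour-by-hour policy for one weekday (0 = Monday), like the rule timetable on the page."""
    monday = datetime(2008, 9, 1)  # a Monday, constructed as the reference date
    day = monday + timedelta(days=day_index)
    return [select_rule(rules, day.replace(hour=h), antivirus_on) for h in range(24)]


# Constructed rule set.
RULES = [
    make_rule(1, "allow", "antivirus"),                                    # baseline, every day
    make_rule(2, "allow", "content filter", DAYS[:5], "08:00", "18:00"),   # office hours
    make_rule(3, "block", "none", None, "00:00", "05:59"),                 # no web access at night
]

if __name__ == "__main__":
    for hour, policy in enumerate(timetable(RULES, 0, antivirus_on=True)):
        print(f"Mon {hour:02d}:00  {policy[0]:5s}  {policy[1]}")
```

Because the larger position wins, a rule that should apply in a narrow time window (the night-time block above) needs a higher number than the all-day baseline, otherwise it is shadowed and never takes effect; the timetable at the bottom of the page is the quickest way to confirm that the intended rule is actually the one in force.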
Firstly, in order to use the content filter, you have to use "Content filter" as filter type in a rule (either in Default policy or Policy profiles). Endian Firewall's Content Filter (DansGuardian) takes advantage of three filtering techniques.
The first is PICS (Platform for Internet Content Selection), a specification created by the W3C that uses metadata to label web pages in support of parental control. The second is an advanced phrase weighting system that analyzes the text of web pages and calculates a score for each page. The last method uses a large list of categorized URLs and domains; every requested URL is compared with the blacklist before being served to clients.
The screen is divided into a general configuration section and a section where the specific filtering policy can be chosen.
| Activate antivirus scan | - | enable both content filter and antivirus proxy (HAVP) |
| Enable logging | - | log blocked requests |
| Platform for Internet Content Selection | - | enable parental control based on PICS metadata |
| Max. score for phrases | - | specify the maximum score level of a trustworthy page (50-300). You can tune this level: if children browse the web through Endian Firewall you should set a value of about 50, for teenagers it should be 100 and for young adults 160. |
| Content Filter | - | this section allows configuration of filtering based on phrases analysis. You can block or allow categories of sites by clicking on the icon aside. More specific categories get shown by clicking on + icon. |
| URL Blacklist | - | this section allows configuration of filtering based on a URL list comparison. You can block or allow categories of site by clicking on the icon aside. More specific categories get shown by clicking on + icon. |
| Custom black and white lists | - | content filtering may cause false positives and false negatives - here you can list domains that should always be blocked or allowed regardless of the results of the content filter's analysis. |
Phrase analysis requires much more computing power than the other techniques (PICS and URL blacklist). If you wish to disable this filtering technique, mark all categories as allowed in the Content Filter section.
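The phrase weighting technique described above sums the weights of phrases found in a page's text and blocks the page when the total exceeds Max. score for phrases. The following is an added toy example, not DansGuardian's code and not its phrase lists: the PHRASES list, including the negative weights that let educational wording offset a suspicious word, is constructed to show how the same threshold setting produces different outcomes.

```python
"""Toy phrase-weighting scorer.

Added example, not DansGuardian's code; PHRASES and weights are constructed.
"""
import re

# Constructed weighted phrases (text, weight). Real lists are far larger.
PHRASES = [
    ("free casino", 60),
    ("poker", 30),
    ("jackpot", 20),
    ("homework", -40),
    ("mathematics", -30),
]


def page_text(html_text):
    """Strip tags, lower-case, and collapse whitespace so multi-word phrases match."""
    text = re.sub(r"<[^>]+>", " ", html_text).lower()
    return re.sub(r"\s+", " ", text)


def score_page(html_text, phrases=PHRASES):
    """Add the weight of every phrase present (each phrase counted once)."""
    text = page_text(html_text)
    return sum(weight for phrase, weight in phrases if phrase in text)


def phrase_filter(html_text, max_score, phrases=PHRASES):
    """Return (allowed, score): the page is blocked once its score exceeds max_score."""
    score = score_page(html_text, phrases)
    return score <= max_score, score


# Constructed sample pages.
GAMBLING = "<h1>Free  CASINO</h1><p>poker jackpot tonight</p>"
MATHS = "<p>Mathematics homework: poker probability exercises</p>"

if __name__ == "__main__":
    for threshold in (50, 100, 160):   # the children / teenager / young adult settings
        print(threshold, phrase_filter(GAMBLING, threshold), phrase_filter(MATHS, threshold))
```

Run with the three thresholds the page suggests, the gambling page (score 110) is blocked at 50 and 100 but allowed at 160, while the mathematics page scores below zero and passes everywhere; this is also why the custom black and white lists exist, since a scoring approach is bound to misjudge some pages.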
Click on Save to save the settings of content filter.
In this section you can configure the virus scanner engine (ClamAV) used by the HTTP proxy.
| Max. content scan size | - | specify the maximum size of files that will be scanned for viruses |
| Do not scan the following URLs | - | list of URLs that will not be scanned for viruses (one per line) |
| Last update | - | shows the day and time of the last virus signatures update and the total amount of viruses recognized by ClamAV (inside brackets) |
Click on Save to save the settings of the virus scanner engine.
Select Proxy from the menu bar at the top of the screen, then select POP3 from the submenu on the left side of the screen.
Select Proxy from the menu bar at the top of the screen, then select SIP from the submenu on the left side of the screen.
The SIP Proxy is a proxy/masquerading daemon for the SIP and RTP protocol. The SIP (Session Initiation Protocol, RFC3261) and RTP (Real-time Transport Protocol) are used by Voice over IP (VoIP) devices to establish telephone calls and carry voice streams.
The proxy handles registrations of SIP clients on the LAN and performs rewriting of the SIP message bodies to make SIP connections possible through Endian Firewall and therefore make SIP clients (like x-lite, kphone, linphone or VoIP hardware) able to work behind NAT. Without this proxy, connections between clients are not possible at all if both are behind NAT, since one client can't reach the other directly and therefore no RTP connection can be established between them.
Once enabled, the following settings can be performed (confirm by clicking Save).
| Status | - | "transparent" means all outgoing traffic to the SIP port will be automatically redirected to the SIP proxy; "enabled" means the proxy will listen on the SIP port and clients need to be made aware of the proxy |
| SIP Port | - | default: 5060 |
| RTP Port Low / High | - | UDP Port range the SIP proxy will use for incoming and outgoing RTP traffic. By default the range 7070 up to (and including) 7090 is used. This allows up to 10 simultaneous calls (2 ports per call). If you need more simultaneous calls, increase the range. |
| Outbound proxy host / port | - | the SIP Proxy itself can be told to send all traffic to another outbound proxy |
| Autosave registrations | - | this allows the SIP proxy to remember registrations across a restart |
| Log calls | - | log established calls in the SIP proxy log |
| Firewall logs outgoing connections | - | show outgoing connections in the firewall log |
Select Proxy from the menu bar at the top of the screen, then select FTP from the submenu on the left side of the screen.
The FTP (File Transfer Protocol) proxy is available only as transparent proxy, this allows scanning for viruses on FTP downloads. Note that only connections to the standard FTP port (21) are redirected to the proxy. This means that if you configure your clients to use the HTTP proxy also for the FTP protocol, this FTP proxy will be bypassed!
You can enable the transparent FTP proxy on the GREEN zone and on the other enabled zones (ORANGE, BLUE). The following settings can be performed (confirm by clicking Save).
| Firewall logs outgoing connections | - | show outgoing connections in the firewall log |
| Bypass the transparent Proxy | - | specify sources (left panel) or destinations (right panel), that are not subject to transparent proxying; give one subnet, IP address or MAC address per line |
Endian Firewall supports transparent FTP proxying with frox if and only if Endian Firewall is directly connected to the internet. If there is another NATing firewall or router between Endian Firewall and the internet, frox does not work, because it uses an active FTP upstream connection that the other NAT device does not know about.
Select Proxy from the menu bar at the top of the screen, then select SMTP from the submenu on the left side of the screen.
The SMTP (Simple Mail Transfer Protocol) proxy can relay and filter email traffic as it is being sent towards email servers.
Select Proxy from the menu bar at the top of the screen, then select DNS from the submenu on the left side of the screen.