Administrative Guide

Diego Gagliardo

Raphael Lechner

Marco Sondermann

Raphael Vallazza

Peter Warasin

Christian Graffer

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled Appendix A, GNU Free Documentation License.

2006-05-24

Revision History
Revision 1.1rc7, 2005-10-09
DocBook Edition
Revision 2.0, 2006-05-24
DocBook Edition
Revision 2.1, 2006-11-17
DocBook Edition

Abstract

Comprehensive documentation for the administrator of an Endian Firewall™.


Table of Contents

Preface
Rights and Disclaimers
Conventions used in this book
Typographic Conventions
Icons
Organization of this book
This Book is Free
Acknowledgments
1. Introduction
What Is Endian Firewall?
Features
2. System Web pages
Introduction
Home Administrative Window
Network Configuration
Choose type of RED interface
Choose network zones
Network preferences
Internet Access preferences
RED type: NONE
RED type: ADSL
RED type: ISDN
RED type: ETHERNET STATIC
RED type: ETHERNET DHCP
RED type: PPPoE
Configure DNS resolver
Apply configuration
EN registration
Passwords
SSH Access
SSH Options
SSH Host Keys
GUI Settings
Backup Web Page
Your Backup list
Create a new Backup file
Encrypt Backup files
Export Backup files
Import Backup files
Restore a Backup
Schedule Backups
Reset configuration to factory defaults
Shutdown or Restart Endian Firewall
3. Status Menu
Introduction
System Status
Services
Memory
Disk Usage
Uptime and Users
Loaded Modules
Kernel Version
Network Status
Interfaces
RED DHCP configuration
Current Dynamic Leases
Routing Table Entries
ARP Table Entries
System Graphs
Traffic Graphs
Proxy Graphs
Connections
SMTP Mail Statistics
Mail Queue
IPTables Rules
4. Network Menu
Introduction
Host configuration (Edit Hosts)
Aliases
5. Services Menu
Introduction
DHCP Administrative Web Page
DHCP Server Parameters
Add a new fixed lease
Current fixed leases
Current dynamic leases
Error messages
Dynamic DNS Administrative Web Page
Add a host
Current hosts
Forcing a Manual Update
ClamAV Antivirus
Time Server Administrative Web Page
Traffic Shaping Administrative Web Page
Intrusion Detection System Administrative Web Page
Linesrv (removed in version 2.1)
Server
Clients
XLC
WLC2
Hotspot
6. Firewall Menu
Introduction
Firewall
Port Forwarding Administrative Web Page
Port Forwarding Overview
Port Forwarding and External Access
External Access Administrative Web Page
Zone Pinholes Administrative Web Page
Outgoing Firewall Administrative Web Page
Globally DENY outgoing traffic to RED and explicitly configure outgoing rules
Globally ALLOW outgoing traffic to RED
7. Proxy
Introduction
HTTP Proxy
Feature List
Web proxy configuration
Common settings
Upstream proxy
Log settings
Cache management
Network based access control
Time restrictions
Transfer limits
MIME type filter
Web browser
Authentication configuration
Content filter
Content filter (Dansguardian)
Block pages which contain unallowed phrases
Block pages known to have content of the following categories
Custom black- and whitelists
HTTP Antivirus
Max. content scan size
Last Update
Do not scan the following URLs
Enforcing proxy usage
Web Proxy standard operation modes
Client side Web Proxy configuration
Requirements for mandatory proxy usage
POP3
Global settings
Spamfilter configuration
SIP
FTP
SMTP
General Settings
Antivirus
AntiSpam
General Settings
Greylisting
Banned File Extension
Blacklists/Whitelists
Real-time Spam Black Lists (RBL)
Custom black/whitelists
Domains
BCC
Advanced settings
Smarthost
IMAP Server for SMTP Authentication
Advanced settings
8. VPN Menu
Introduction
Virtual Private Networks (VPNs)
Net-to-Net (Gateway-to-Gateway)
Host-to-Net (Roadwarrior)
OpenVPN
OpenVPN Web Interface
OpenVPN Server
Openvpn Net2Net client
Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)
Configuration of an OpenVPN client on the roadwarrior side
IPSec
Methods of Authentication
Pre-shared Key
X.509 Certificates
Global Settings
Connection Status and Control
Certificate Authorities
Generate Root/Host Certificates
Upload a CA certificate
Reset configuration
Add a new connection
Connection Type
Authentication
9. Logs
Introduction
Log Settings Administrative Web Page
Log Summary Page
Proxy Logs Page
Firewall Logs Page
Intrusion Detection System Log Page
Content Filter Logs Page
OpenVPN Logs Page
System Log Page
SMTP Log Page
ClamAV Log Page
SIProxy log page
Proxy Analysis Report
10. Hotspot
Introduction
Hotspot
Accounts
How to add a new account or edit an existing one
User balance
User connections
Ticket Rates
Add or edit a ticket rate
Statistics
Active Connections
Connection Log
Settings
Dialin
Password
Template Editor
Printout Template
Allowed sites
Client connecting to Endian Hotspot
Login
House guests login
Successful login
A. GNU Free Documentation License
PREAMBLE
APPLICABILITY AND DEFINITIONS
VERBATIM COPYING
COPYING IN QUANTITY
MODIFICATIONS
COMBINING DOCUMENTS
COLLECTIONS OF DOCUMENTS
AGGREGATION WITH INDEPENDENT WORKS
TRANSLATION
TERMINATION
FUTURE REVISIONS OF THIS LICENSE
ADDENDUM: How to use this License for your documents

List of Figures

2.1. System menu selected
2.2. Home
2.3. Displays the Endian Network Support status
2.4. Online status
2.5. Network wizard step 1: Choose type of RED interface
2.6. Network wizard showing Step2: Choose network zones
2.7. Network wizard showing Step 3: Network preferences
2.8. Network wizard showing Step 4: Internet Access Preferences for RED type NONE
2.9. Network wizard showing Step 4, with RED type ADSL, Substep 1: Selection of the modem
2.10. Network wizard showing Step 4 with RED type ADSL: Substep 2: Choose ADSL connection type
2.11. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (PPPoE)
2.12. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 static ip)
2.13. Network wizard showing step 4 with RED type ADSL: Substep 3: Supply connection information (RFC1483 DHCP)
2.14. Network wizard showing step 4 with RED type ISDN: Internet Access Preferences
2.15. Network wizard showing step 4 with RED type ETHERNET STATIC: Internet Access Preferences
2.16. Network wizard showing step 4 with RED type ETHERNET DHCP: Internet Access Preferences
2.17. Network wizard showing step 4 with RED type PPPoE: Internet Access Preferences
2.18. Network wizard showing step 5: configure DNS resolver
2.19. Network wizard showing step 6: Apply configuration
2.20. Unregistered Endian Firewall
2.21. Registered Endian Firewall
2.22. Password changing dialogue
2.23. SSH access page
2.24. GUI settings
2.25. Backup to files
2.26. Create new backup
2.27. Encrypt Backups
2.28. Import Backup
2.29. Restore Backup
2.30. Schedule backups
2.31. Reset to factory defaults
2.32. Shutdown / Reboot page
3.1. Status menu selected
3.2. Page which displays the actual running services
3.3. Page which displays the current memory usage
3.4. Page which displays the current disk usage
3.5. Page which displays uptime and currently logged-in users
3.6. Page which displays the currently loaded kernel modules
3.7. Page which displays the kernel version
3.8. Displays interfaces
3.9. Displays current RED DHCP configuration
3.10. Displays current dynamic leases
3.11. Displays current routing table
3.12. Displays ARP table
3.13. Display of CPU graph
3.14. Display disk usage graph
3.15. Display memory usage graph
3.16. Display current swap usage
3.17. Displays traffic graph of the GREEN interface
3.18. Displays traffic graph of the RED interface
3.19. Displays current connections
3.20. Mail Queue
3.21. Displays iptables rules
4.1. Network menu selected
4.2. Current hosts
4.3. Add a new alias
5.1. Services menu selected
5.2. Shows DHCP administration page
5.3. Add a fixed lease
5.4. Shows the current fixed leases
5.5. Shows the current dynamic leases
5.6. Shows the dialogue which allows you to create a new DynDNS configuration
5.7. Shows current configured DynDNS configuration
5.8. ClamAV Antivirus
5.9. Shows the Time server administrative web page
5.10. Shows traffic shaping settings
5.11. Shows Type of Service configuration
5.12. Intrusion Detection System administrative web page
5.13. Linesrv
5.14. XLC Line down
5.15. XLC initiate a Connection
5.16. XLC main connection initiated
5.17. XLC up manually
5.18. WLC disconnected
5.19. WLC line is up
5.20. WLC connection established
5.21. WLC up manually
5.22. Hotspot Activation
6.1. Firewall menu selected
6.2. Diagram of flow control and its configuration possibilities
6.3. Adding a new port forwarding configuration
6.4. Adds an ACL to a port forwarding rule
6.5. Currently configured port forwarding rules
6.6. Add a new external access rule
6.7. Displays currently configured rules
6.8. Adds a new pinhole rule
6.9. Lists all configured pinhole rules
6.10. Adds a new outgoing rule
6.11. Lists all current outgoing rules
6.12. Globally allow outgoing traffic
6.13. Globally deny outgoing traffic
7.1. Proxy menu selected
7.2. Displays HTTP advanced proxy settings
7.3. Displays HTTP advanced proxy upstream proxy configuration
7.4. Displays HTTP advanced proxy log settings
7.5. Displays HTTP advanced proxy cache management configuration
7.6. Displays HTTP advanced proxy network based access control
7.7. Displays HTTP advanced proxy time restrictions configuration
7.8. Displays HTTP advanced proxy transfer limit configuration
7.9. Displays HTTP advanced proxy MIME type filter
7.10. Displays HTTP advanced proxy user agent filter
7.11. Displays HTTP advanced proxy authentication methods
7.12. Displays HTTP advanced proxy global authentication settings
7.13. Displays HTTP advanced proxy local user authentication
7.14. Displays HTTP advanced proxy local user authentication
7.15. Displays local user manager for the HTTP advanced proxy
7.16. Displays editing a user with local user manager of HTTP advanced proxy
7.17. Change it yourself page, allowing users to change their local HTTP proxy password
7.18. Displays LDAP authentication page of HTTP advanced proxy
7.19. Common LDAP settings of HTTP advanced proxy
7.20. Bind DN settings of LDAP authentication within HTTP advanced proxy
7.21. Group-based access control of LDAP authentication within HTTP advanced proxy
7.22. HTTP advanced proxy authentication against Windows
7.23. Common domain settings of Windows authentication on HTTP advanced proxy
7.24. Authentication mode of Windows authentication on HTTP advanced proxy
7.25. User-based access restrictions on Windows authentication of HTTP advanced proxy
7.26. Integrated Windows authentication with HTTP advanced proxy
7.27. Explicit authentication with HTTP advanced proxy
7.28. Displays RADIUS authentication configuration of HTTP advanced proxy
7.29. Displays common RADIUS settings of HTTP advanced proxy authentication
7.30. Displays user based access restrictions of HTTP advanced proxy
7.31. General content filter configuration
7.32. Selection of disallowed phrases which pages may contain
7.33. Selection of categories of URL lists which should be blocked by the HTTP content filter
7.34. Custom black- and whitelists for the HTTP content filter
7.35. HTTP Antivirus configuration page
7.36. HTTP proxy disabled
7.37. Figure which displays traffic which will not be directed through the HTTP proxy
7.38. HTTP proxy enabled
7.39. Figure which displays traffic which will not be directed through the HTTP proxy
7.40. Figure which displays traffic which will be redirected through the HTTP proxy.
7.41. HTTP proxy enabled as transparent proxy
7.42. Figure that displays traffic which will be transparently redirected through the HTTP proxy.
7.43. Shows POP3 proxy global settings
7.44. Spamfilter configuration of POP3 proxy
7.45. SIP Proxy Settings
7.46. FTP proxy administration page
7.47. General Settings
7.48. SMTP Antivirus
7.49. SMTP Antispam
7.50. Greylisting
7.51. banned files
7.52. Real-time Black Lists
7.53. black/whitelists
7.54. Domains
7.55. BCC
7.56. Smarthost
7.57. IMAP Server for SMTP Authentication
7.58. Advanced Settings
8.1. VPN menu selected
8.2. Figure of a Net-to-Net VPN
8.3. Figure of a Host-to-Net VPN
8.4. Figure of a VPN using OpenVPN as mixed VPN combining a Host-to-Net VPN (the Roadwarrior) and Net-to-Net VPNs in a hub-and-spoke topology
8.5. Global Settings
8.6. Users which are allowed to connect to OpenVPN
8.7. Add Account
8.8. Connection status and control
8.9. VPN tunnel and control
8.10. Add a VPN tunnel
8.11. OpenVPN Server
8.12. Users which are allowed to connect to OpenVPN
8.13. Add a new user
8.14. List of allowed users
8.15. OpenVPN Server CA Certificate
8.16. Configure Office 1 Endian Firewall
8.17. Add Office 0 tunnel
8.18. Connected to Office 0 tunnel
8.19. Connected Office 1 and 2 clients
8.20. VPN global settings
8.21. VPN connection status and control window: initial view
8.22. VPN certificate authorities window: initial view
8.23. VPN connection type selection
8.24. VPN Host-to-Net connection input
8.25. VPN Net-to-Net connection input
8.26. VPN authentication input
9.1. Logs menu selected
9.2. Generic navigation items
9.3. Configuration of log viewer
9.4. Configuration of log summaries
9.5. Configuration of remote logging
9.6. Configuration of firewall logging
9.7. Displays log summaries
9.8. Displays firewall log
9.9. Display of system logs
9.10. Displays ClamAV log viewer
9.11. Proxy Analysis Report
10.1. The Endian Hotspot
10.2. Account management
10.3. Add a new account
10.4. User balance
10.5. User connections
10.6. Ticket Rates
10.7. Add or edit a ticket rate
10.8. Statistics
10.9. Active Connections
10.10. Connection Log
10.11. Settings
10.12. Dialin
10.13. Password
10.14. Template Editor
10.15. Printout template
10.16. Allowed sites
10.17. Endian Hotspot Client start page
10.18. Normal login
10.19. Login for house guests
10.20. Successful login

List of Examples

5.1. Example of a custom configuration line
7.1. Add this MIME type if you want to block the download of PDF files:
7.2. Add these MIME types if you want to block the download of MPEG and QuickTime video files:
7.3. Windows Update: To allow access to Windows Update without authentication add these domains to the list:
7.4. Base DN for Active Directory
7.5. Base DN for eDirectory
7.6. Base DN containing spaces
7.7. User based access control lists using integrated authentication
7.8. User based access control lists using explicit authentication
7.9. Example spam info headers
7.10. Example spam info headers
7.11. Allow or deny a complete domain
7.12. Allow or deny only the subdomains of a domain
7.13. Allow or deny single email addresses or user names.
7.14. Allow or deny a complete domain
7.15. Allow or deny only the subdomains of a domain
7.16. Allow or deny single email addresses or user names.
7.17. Allow or deny ip block.
8.1. An example command line to start openvpn on your roadwarrior
8.2. An example configuration file for openvpn on your roadwarrior
8.3. Example plain text certificate output.
8.4. Example content of an exported CA.
9.1. Log line of the OpenVPN server
9.2. Log line of an OpenVPN client
10.1. Specifying hourly prices