Endian Firewall Reference Manual r. 2.2.1.9

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Chapter 3: The Network Menu

Select Network from the menu bar at the top of the screen.

The following links will appear in a submenu on the left side of the screen. They allow setting up network-related configuration options:

Each link will be explained individually in the following sections.

Edit hosts

Select Network from the menu bar at the top of the screen, then select Edit hosts from the submenu on the left side of the screen.

Endian Firewall contains a caching DNS server (dnsmasq) that checks the system's host file for name look-ups. In this section you can define a custom host entry that will then be resolved for all clients.

Click the Add a host link to add a host entry. This is done by specifying IP address, hostname and domain name and then confirming the host entry by clicking on the Add Host button.
An existing entry can be deleted by clicking on the trash bin in its row. To edit an entry it is necessary to click on the pencil symbol. The line is then highlighted and a pre-filled form opens up. After all the changes have been applied the entry is saved by clicking on the Update Host button.

Routing

Select Network from the menu bar at the top of the screen, then select Routing from the submenu on the left side of the screen. It is possible to choose between two types of routing: static routing and policy routing.

Static routing

Static routing associates specific network addresses with given gateways or uplinks. Click the Add a new rule link to specify a static routing rule using the following fields:

Source Network - source network in CIDR notation (example: 192.168.10.0/24)
Destination Network - destination network in CIDR notation (example: 192.168.20.0/24)
Route Via - enter the static IP address of a gateway or choose between the available uplinks
Enabled - check to enable rule (default)
Remark - a remark to remember the purpose of this rule later

Click the Save button to confirm your rule. You can then disable/enable, edit or delete each rule from the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

Policy routing

Policy routing associates specific network addresses and service ports / protocols with given uplinks. Click the Create a policy routing rule link to specify a policy routing rule. The following fields are available:

Source - The source can be a list of zones or interfaces, a list of IPs or networks in CIDR notation (example: 192.168.10.0/24), a list of OpenVPN users or a list of MAC addresses. By selecting <ANY> the rule will match every source.
Destination - The destination can be a list of IPs, networks in CIDR notation or a list of OpenVPN users. By selecting <ANY> the rule will match every destination.
Service/Port - Optionally you can specify the protocol and, in case of TCP, UDP or TCP + UDP, a port for the rule. Some predefined combinations, e.g. HTTP (protocol TCP, port 80), can be selected from the Service dropdown list.
Route Via - Choose the uplink that should be used for this rule. If you want the backup uplink to be used whenever the chosen uplink becomes unavailable, check the checkbox next to it.
Type Of Service - The type of service (TOS) can be chosen here.

The binary number shown behind each type of service describes how this type works. The first three bits describe the precedence of the packet: 000 stands for default precedence and 111 for the highest precedence.
The fourth bit describes the delay, where 0 means normal delay and 1 means low delay. The fifth bit describes the throughput: 1 requests high throughput while 0 stands for normal throughput. The sixth bit controls the reliability; again, 1 requests high reliability and 0 is the setting for normal reliability.
The eight IP precedence values are called class selectors (CS0-7). Additionally, twelve values have been defined for assured forwarding (AFxy, x being a class from 1 to 4 and y being the drop precedence from 1 to 3) that provide low packet loss with minimum guarantees about latency. Expedited forwarding (EF PHB) has been defined to ask for low-delay, low-jitter and low-loss service.

Remark - Set a remark to remember the purpose of the rule.
Position - Define where to insert the rule (relative position in the list of rules).
Enabled - Check this checkbox to enable the rule (default).
Log all accepted packets - Check this to log all packets that are affected by this rule.
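To make the bit layout behind the Type Of Service field concrete, the following Python example (added here; it is not code from the Endian manual or product) builds and decodes the TOS byte from the precedence, delay, throughput and reliability bits described above, and maps the CSx, AFxy and EF code points onto it. The function names are the author's own; the code point values follow RFC 791, 2474, 2597 and 3246.

```python
# Added example: encode/decode the IP TOS byte and map DiffServ code points
# (CSx, AFxy, EF) onto it.  TOS byte layout (RFC 791): bits 7-5 precedence,
# bit 4 low delay, bit 3 high throughput, bit 2 high reliability, bits 1-0
# unused.  DSCP (RFC 2474) reuses the upper six bits, so tos == dscp << 2.

DSCP_EF = 0b101110  # Expedited Forwarding, RFC 3246 (decimal 46)

def tos_byte(precedence, low_delay=False, high_throughput=False,
             high_reliability=False):
    """Build the 8-bit TOS value from precedence (0-7) and the D/T/R flags."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0..7")
    return ((precedence << 5) | (int(low_delay) << 4)
            | (int(high_throughput) << 3) | (int(high_reliability) << 2))

def describe_tos(tos):
    """Decode a TOS byte into the fields the manual lists, plus its binary form."""
    return {
        "bits": format(tos, "08b"),
        "precedence": tos >> 5,
        "low_delay": bool(tos & 0b00010000),
        "high_throughput": bool(tos & 0b00001000),
        "high_reliability": bool(tos & 0b00000100),
    }

def dscp_cs(cls):
    """Class selector CS0-CS7: only the three precedence bits are set."""
    return cls << 3

def dscp_af(cls, drop):
    """Assured forwarding AFxy: class x in 1..4, drop precedence y in 1..3."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return (cls << 3) | (drop << 1)

def dscp_name(dscp):
    """Name a 6-bit DSCP value: EF, CSx, AFxy, or a raw DSCP number."""
    cls, drop, low_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if dscp == DSCP_EF:
        return "EF"
    if dscp & 0b111 == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low_bit == 0:
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"

def tos_from_dscp(dscp):
    """TOS byte carrying the given DSCP (the two low bits stay zero)."""
    return dscp << 2
```

Decoding `tos_from_dscp(DSCP_EF)` shows why EF sits at precedence 5 with the low-delay and throughput bits set, which is the binary number the Type Of Service dropdown displays for it.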

Click the Create rule button to confirm your rule. You can then disable, edit or delete any rule from the list by clicking on the respective icon on the right side of the table. You can also change the order of the rules (by clicking on the down and up arrow icons).
After making changes to a rule, do not forget to click the Apply button on the top of the list!

Interfaces

Select Network from the menu bar at the top of the screen, then select Interfaces from the submenu on the left side of the screen, finally choose one of the two following tabs:

Uplink editor

Additional uplinks can be defined by clicking on the Uplink editor tab: choose the type of uplink, then fill in the type-specific form. The fields are almost the same as in the network configuration wizard (see the "Network configuration" section in "The System Menu" chapter).
The following options differ from the network configuration wizard:

Type - This selection includes one additional protocol: PPTP.
PPTP can be configured to work in static or in DHCP mode. This is done by selecting the respective value from the "PPTP method" dropdown. The IP address and netmask are entered in the appropriate text fields and are only required if the static method has been chosen. Additional IP/netmask or IP/CIDR combinations can be added in the field below if the respective checkbox is enabled. Phone number, username and password are not required but may be needed for some configurations to work; this depends on the provider's settings. The authentication method can be PAP or CHAP. If you are not sure which one to use, keep the default value "PAP or CHAP", which works in either case.
Start uplink on boot - This checkbox specifies whether an uplink should be enabled at boot time or not. This is useful for backup uplinks which are managed but do not need to be started during the boot procedure.
if this uplink fails - If enabled, this field lets you choose an alternative uplink from the dropdown list. That uplink is activated if the current uplink fails.
Reconnection timeout - With this timeout you can specify the time (in seconds) after which an uplink tries to reconnect if it fails. This value depends on your provider's settings. If you are unsure just leave this field empty.

VLANs

Virtual LANs (VLANs) can be defined by clicking on the VLANs tab. VLAN support in Endian Firewall allows arbitrary associations of VLAN IDs with firewall zones. To add an association click the Add new VLAN link, then specify the following parameters:

Interface - the physical interface the VLAN is connected to
Zone - the Zone the VLAN is associated with
VLAN ID - VLAN ID (0-4095)

Whenever a virtual LAN is created, a new interface is created as well. This interface is named ethX.y, where X is the number of the physical interface and y is the VLAN ID. The interface is then assigned to the chosen zone. "NONE" can be chosen if the interface is used as the High Availability management port.