Endian Firewall Reference Manual r. 2.2.1.9

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Chapter 6: The Proxy Menu

Select Proxy from the menu bar at the top of the screen.

A proxy is a service on your Endian Firewall that can act as a gatekeeper between clients (e.g. a web browser) and network services (e.g. a web server on the internet). Clients connect to the proxy, which in turn can retrieve, cache, filter and potentially block the information from the original server. A proxy is called transparent if all traffic goes through it regardless of the client's configuration. Non-transparent proxies hence rely on the collaboration of the client (e.g. the proxy settings of your web browser).

Following is a list of proxies that are available on Endian Firewall. Each proxy can be configured via the links that are in the submenu on the left side of the screen:

Each section will be explained individually below.

HTTP

Select Proxy from the menu bar at the top of the screen, then select HTTP from the submenu on the left side of the screen.

Configuration

Click on the Enable HTTP Proxy toggle to enable the HTTP proxy (Endian Firewall uses the Squid caching proxy). Once the proxy is up and running, a number of controls appear.

First of all, you can define the way users in each zone (GREEN and, if enabled, also ORANGE and BLUE) can access the proxy. The choices per zone are:

disabled - the proxy server is not available in the given zone
no authentication - the proxy server is available to anyone (no need to log in), but you need to configure your browser manually
authentication required - users need to configure their browser manually and need to log in in order to use the proxy server
transparent - the proxy server is available to anyone and no browser configuration is needed (HTTP traffic is intercepted by the proxy server)


Some browsers, including Internet Explorer and Firefox, are able to automatically detect proxy servers by using the Web Proxy Autodiscovery Protocol (WPAD). Most browsers also support proxy auto-configuration (PAC) through a special URL. When using an Endian Firewall the URL looks like this: http://<IP OF YOUR FIREWALL>/proxy.pac.

Next comes a section with global configuration options:

Proxy port - the TCP port used by the proxy server (defaults to 8080)
Visible hostname - the proxy server will assume this as its hostname (will also show at the bottom of error messages)
Cache administrator email - the proxy server will show this email address in error messages
Language of error messages - the language in which error messages are displayed
Max upload size - limit for HTTP file uploads (such as used by HTML forms with file uploads) in KB (0 means unlimited)

Then you will find a number of additional options, each in its own panel that can be expanded by clicking on the + icon:

Allowed Ports and SSL Ports
Ports - list the TCP destination ports to which the proxy server will accept connections when using HTTP (one per line, comments start with #)
SSL Ports - as above, but when using HTTPS instead of HTTP
Log settings
Log enabled - log all URLs being accessed through the proxy (master switch)
Log query terms - also log parameters in the URL (such as ?id=123)
Log user-agents - also log user agents, i.e. which web browsers access the web
Log contentfiltering - also log when content is filtered
Firewall logs outgoing connections - have the firewall log web accesses (transparent proxies only)
Allowed Subnets per Zone
GREEN / ORANGE / BLUE - for each zone that the proxy serves you can define which subnets are allowed to access the proxy (defaults to all subnets associated with the respective zone) - give one subnet per line (example: 172.16.1.0/255.255.255.0 or 172.16.1.0/24). Note: there should be at least one entry for each active zone. If you do not want to allow connections from a whole zone, then rather disable the proxy on that zone using the select boxes below the Enable HTTP Proxy toggle.
Bypass / Banned Sources and Destinations
Bypass transparent proxy - specify sources (upper left panel) or destinations (upper right panel), that are not subject to transparent proxying; give one subnet, IP address or MAC address per line
Bypass proxy filter - specify source IP addresses (mid left panel) or source MAC addresses (mid right panel) that, while still passing through the proxy, are not subject to filtering
Banned clients - specify source IP addresses (lower left panel) or source MAC addresses (lower right panel) that are banned (unconditionally blocked by the proxy)
Cache management
Harddisk / Memory cache size - give the amount of memory the proxy should allocate for caching web sites, respectively on disk or in RAM (in Megabytes)
Max / Min object size - give upper and lower size limits of objects that should be cached (in Kilobytes)
Enable offline mode - if this option is on, the proxy will never try to update cached objects from the upstream webserver - clients can then browse cached, static websites even after the uplink went down
Do not cache these domains - in this textarea you can specify which domains should not be cached (one domain per line)
Upstream proxy
Upstream proxy - use this option to make your Endian Firewall's proxy connect to another (upstream) proxy; specify the upstream proxy as "host:port"
upstream username / password - specify credentials, if authentication is required for the upstream proxy
Username / client IP forwarding - forward the username / client IP address to the upstream proxy

Click the Save button to confirm and save the configuration changes. Do not forget to click the Apply button to restart the proxy for the changes to become active.

The Clear cache button allows you to delete all web pages and files cached by the HTTP proxy.

Authentication

Endian Firewall's proxy supports four different authentication types: Local, LDAP, Windows, Radius. Each of these types needs different configuration parameters and is described below. However, the global configuration parameters are:

Number of authentication processes - the number of authentication processes that can run simultaneously
Authentication cache TTL (in minutes) - how long, in minutes, authentication data is cached
Limit of IP addresses per user - the maximum number of IP addresses from which a user can connect to the proxy simultaneously
User / IP cache TTL (in minutes) - how long, in minutes, an IP address stays associated with the logged-in user
Authentication realm prompt - this text will be shown in the authentication dialog
Require authentication for unrestricted source addresses - if you disable this, unrestricted source addresses will not have to provide their credentials
Domains without authentication - in this textarea you can enter domain names that can be accessed without being authenticated (one per line)
Sources (SUBNET / IP / MAC) without authentication - in this textarea you can enter source subnets, IP addresses or MAC addresses that do not require authentication (one per line)

The following parameters are available for local authentication.

User management - Click on this button if you want to manage local users.
Min password length - Here you can set the minimum password length for local users.

The following parameters are available for LDAP authentication.

Base DN - the base distinguished name; this is the starting point of your search
LDAP type - here you can choose whether you are using an Active Directory server, a Novell eDirectory server, an LDAP version 2 server or an LDAP version 3 server
LDAP server - the IP address or fully qualified domain name of your LDAP server
Port - the port on which the server is listening
Bind DN username - the full distinguished name of a bind DN user; the user must have permission to read user attributes
Bind DN password - the password of the user
user objectClass - the bind DN user must be part of this objectClass
group objectClass - the bind DN user must be part of this objectClass

The following parameters are available for Windows authentication.

Domain - the domain you want to join
PDC hostname - the hostname of the primary domain controller
BDC hostname - the hostname of the backup domain controller
Username - the username you want to use to join the domain
Password - the user's password
Join Domain - click here to join the domain
Enable user-based access restrictions - if you tick this checkbox you can add authorized and unauthorized users to the textfields that will appear below
Use positive/negative access control - choose whether to use positive or negative access control; in the textfields, enter one user per line that should have access or should not have access, depending on the access control policy you chose

The following parameters are available for Radius authentication.

RADIUS server - the address of the RADIUS server
Port - the port on which the RADIUS server is listening
Identifier - an additional identifier
Shared secret - the password to be used
Enable user-based access restrictions - if you tick this checkbox you can add authorized and unauthorized users to the textfields that will appear below
Use positive/negative access control - choose whether to use positive or negative access control; in the textfields, enter one user per line that should have access or should not have access, depending on the access control policy you chose

Use native Windows authentication with Active Directory

In order to be able to use Windows' native authentication with Active Directory, you have to make sure that a few conditions are met:
- The firewall must join the domain.
- The system clocks on the firewall and on the Active Directory server have to be in sync.
- A custom nameserver has to be entered under Proxy, DNS, Custom nameserver.
- The firewall must be able to resolve the name of the Active Directory server (e.g. through an entry in Network, Edit hosts).
- The realm must be a fully qualified domain name.
- The PDC hostname has to be set to the NetBIOS name of the Active Directory server.

Default policy

The default policy applies to all users of the proxy, whether they are authenticated or not. Policy settings include a simple user agent and MIME type filter as well as advanced time-based virus scanning and content filtering rules.

Restrict allowed clients for web access - This checkbox activates the user agent filter, which restricts web access to the selected user agents.
Max download size - This sets the limit for HTTP file downloads in KB (0 means unlimited).
Block MIME types - Enabling this option will activate a filter which checks incoming headers for their MIME type. If the MIME type of the incoming file is set to be blocked, access will be denied. This way you can block files not corresponding to the company policy (for example multimedia files).
Allowed clients for web access - Here you can choose allowed clients and browsers from a list after clicking on the + icon.
Blocked MIME types - You can specify blocked MIME types by clicking on the + icon and then adding one type per line. The syntax conforms to the standard defined by the IANA. Examples: application/javascript, audio/mpeg, image/gif, text/html, video/mpeg

Click the Save button to save the default policy settings.

You can view your own rules in the Rule list. Each rule specifies whether web access is blocked or allowed; in the latter case you can activate and select a filter type. To add a new rule, click on Create a rule and configure the following settings:

Web access - Specify whether the rule allows web access or blocks it; also state whether it has effect all day long or at a specific time: choose the days of the week on which you want this rule to be applied and, in case the rule is not valid all day long, you can also set the time range.
Filter type - Choose antivirus scan only to create a rule which only scans for viruses, choose content filter only to create a rule which analyzes the content of web pages and filters it according to the settings in the Content filter section. If you choose unrestricted no checks will be performed.
Position - Specify where to place the new rule. Larger numbers have higher priority.

If you tick the check box Activate antivirus scan on the Proxy, HTTP, Content filter page then all rules (new ones and old ones) marked as content filter only are changed to content filter + antivirus.
This means that antivirus filter and content filter work concurrently.

You can then change the priority of, edit or delete each rule in the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

Content filter

Firstly, in order to use the content filter, you have to use Content filter as filter type in a rule (either in Default policy or Policy profiles). Endian Firewall's Content Filter (DansGuardian) takes advantage of three filtering techniques.

The first is PICS (Platform for Internet Content Selection), a specification created by the W3C that uses metadata to label web pages in order to support parental control. The second is an advanced phrase weighting system that analyzes the text of web pages and calculates a score for each page. The last method takes advantage of a huge list of categorized URLs and domains: all requested URLs are compared with the blacklist before being served to clients.

The screen is divided into a general configuration section and a section where the specific filtering policy can be chosen.

Activate antivirus scan - Enable both the content filter (Dansguardian) and the antivirus proxy (HAVP).
Enable logging - Log blocked requests.
Platform for Internet Content Selection - Enable parental control based on PICS metadata.
Max. score for phrases - Specify the maximum score level of a trustworthy page (50-300). You can tune this level: if children browse the web through Endian Firewall you should set a value of about 50, for teenagers it should be 100 and for young adults 160.
Content Filter - This section allows filter configuration based on phrase analysis. You can block or allow categories of sites by clicking on the icon beside it. Subcategories are shown when clicking on the + icon.
URL Blacklist - This section allows configuration of filtering based on URL comparison. You can block or allow categories of sites by clicking on the icon beside the category name. Subcategories are shown by clicking on the + icon.
Custom black and white lists - Content filtering may cause false positives and false negatives - here you can list domains that should always be blocked or allowed regardless of the results of the content filter's analysis.

Phrase analysis requires much more computing power than other technologies (PICS and URL blacklist). If you wish to disable this filtering technique you can mark all categories as allowed in the Content Filter section.

When whitelisting a domain always make sure to whitelist all necessary domains for that site to work as well.

An example:
- google.com is blocked, which means all subdomains of google.com are blocked as well
- maps.google.com is whitelisted so you can access it
- maps.google.com does not work like it should because it tries to get data from other google servers
- you will have to whitelist these domains (e.g. mt0.google.com) as well
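The whitelisting example above, worked through in code. This is an added illustration, not Endian Firewall's or DansGuardian's own matching logic; the lists and the set of hosts a map page loads from are constructed samples.

```python
# Added example (not Endian Firewall's or DansGuardian's own code): models the
# content filter's custom domain black/white lists so you can see why a
# whitelisted page can still break. Lists and hostnames are constructed samples.

def _matches(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it.

    Matching is done on label boundaries, so 'notgoogle.com' does not
    match an entry for 'google.com'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def _listed(host: str, entries) -> bool:
    return any(_matches(host, d) for d in entries)


def is_blocked(host: str, blacklist, whitelist) -> bool:
    """Apply the custom lists: a whitelist entry always wins over a
    blacklist entry, and an entry covers all of its subdomains."""
    if _listed(host, whitelist):
        return False
    return _listed(host, blacklist)


def still_blocked(resource_hosts, blacklist, whitelist):
    """Given the hosts a page loads resources from, return those the filter
    would still block, i.e. the entries that must be added to the whitelist
    for the page to work."""
    return sorted(h for h in resource_hosts
                  if is_blocked(h, blacklist, whitelist))


# Constructed lists reproducing the manual's example.
BLACKLIST = ["google.com"]
WHITELIST = ["maps.google.com"]

# Constructed set of hosts a map page might fetch resources from.
MAP_PAGE_RESOURCES = ["maps.google.com", "mt0.google.com", "mt1.google.com",
                      "fonts.gstatic.com"]

if __name__ == "__main__":
    print(still_blocked(MAP_PAGE_RESOURCES, BLACKLIST, WHITELIST))
```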

Click on Save to save the settings of content filter.

Antivirus

In this section you can configure the virus scanner engine (ClamAV) used by the HTTP proxy.

Max. content scan size - Specify the maximum size for files that should be scanned for viruses.
Do not scan the following URLs - A list of URLs that will not be scanned for viruses (one per line).
Last update - Shows the day and time of the last virus signatures update and the total number of viruses recognized by ClamAV (in parentheses).

Click on Save to save the settings of the virus scanner engine.

Group policies

On this page you can create groups that can be associated with different policy profiles. These groups can be associated with users when using Local authentication in the Proxy, HTTP, Authentication section.
You can add a group by clicking on the Create a group link and entering a group name. After clicking on the Create group button the group is saved.
The profile of the groups can be changed by selecting the appropriate policy profile and then clicking on the Save button below the group list. Groups can be deactivated, activated and removed by clicking on the respective icons (as described in the legend below the list).

Policy profiles

It is possible to create additional profiles that can be used in the Proxy, HTTP, Group policies section.
Policy profiles are created just like the default policy in the Proxy, HTTP, Default policy section.

POP3

Select Proxy from the menu bar at the top of the screen, then select POP3 from the submenu on the left side of the screen. In this section you can configure the POP3 (incoming mail) proxy.

Global settings

On this page you can configure the global configuration settings of the POP3 proxy. You can enable or disable the POP3 proxy for every zone. It is also possible to enable the Virus scanner and the Spam filter for incoming emails.
If you want to log every outgoing POP3 connection you can enable the Firewall logs outgoing connections checkbox.

Spam filter

On this page you can configure how the POP3 proxy should react once it finds a spam email.

Spam subject tag - Here you can specify a prefix for the spam email's subject.
Required hits - This option defines how many hits are required for a message to be considered spam. The default value is 5.
Enable message digest spam detection (pyzor) - If you want to detect spam using message digests you can enable this option. Note that this might slow down your POP3 proxy.
White list - Here you can whitelist sender email-addresses (one address per line). It is also possible to whitelist whole domains by using wildcards, e.g. *@example.com.
Black list - Here you can blacklist sender email-addresses (one address per line). It is also possible to blacklist whole domains by using wildcards, e.g. *@example.com.

SIP

Select Proxy from the menu bar at the top of the screen, then select SIP from the submenu on the left side of the screen.

The SIP Proxy is a proxy/masquerading daemon for the SIP and RTP protocols. SIP (Session Initiation Protocol, RFC3261) and RTP (Real-time Transport Protocol) are used by Voice over IP (VoIP) devices to establish telephone calls and carry voice streams.

The proxy handles registrations of SIP clients on the LAN and performs rewriting of the SIP message bodies to make SIP connections possible through Endian Firewall and therefore allow SIP clients (like x-lite, kphone, linphone or VoIP hardware) to work behind NAT. Without this proxy, connections between clients are not possible at all if both are behind NAT, since one client cannot reach the other directly and therefore no RTP connection can be established between them.

Once enabled, the following options can be configured (confirm the settings by clicking Save).

Status - transparent means all outgoing traffic to the SIP port will be automatically redirected to the SIP proxy; enabled means the proxy will listen to the SIP port and clients need to be made aware of the proxy
SIP Port - default: 5060
RTP Port Low / High - The UDP Port range that the SIP proxy will use for incoming and outgoing RTP traffic. By default the range from 7070 to (and including) 7090 is used. This allows up to 10 simultaneous calls (2 ports per call). If you need more simultaneous calls, increase the range.
Outbound proxy host / port - The SIP Proxy itself can send all traffic to another outbound proxy.
Autosave registrations - This allows the SIP proxy to remember registrations after a restart.
Log calls - Check this if you want to log established calls in the SIP proxy log.
Firewall logs outgoing connections - This will show outgoing connections in the firewall log.

FTP

Select Proxy from the menu bar at the top of the screen, then select FTP from the submenu on the left side of the screen.

The FTP (File Transfer Protocol) proxy is available only as a transparent proxy; this allows scanning FTP downloads for viruses. Note that only connections to the standard FTP port (21) are redirected to the proxy. This means that if you configure your clients to use the HTTP proxy also for the FTP protocol, this FTP proxy will be bypassed!

You can enable the transparent FTP proxy on the GREEN zone and on the other enabled zones (ORANGE, BLUE). The following options can be configured (confirm the settings by clicking Save).

Firewall logs outgoing connections - Show outgoing connections in the firewall log.
Bypass the transparent Proxy - Specify sources (left panel) or destinations (right panel), that are not subject to transparent FTP proxying. Always specify one subnet, IP address or MAC address per line.

Endian Firewall supports transparent FTP proxying with frox if and only if it is directly connected to the internet.
If you have another NATing firewall or router between Endian Firewall and the internet, frox does not work because it uses an active FTP upstream.

SMTP

Select Proxy from the menu bar at the top of the screen, then select SMTP from the submenu on the left side of the screen.

The SMTP (Simple Mail Transfer Protocol) proxy can relay and filter email traffic as it is being sent towards email servers.

The scope of the SMTP proxy is to control and optimize SMTP traffic in general and to protect your network from threats when using the SMTP protocol. SMTP is used whenever an email is sent by your mail client to a remote mail server (outgoing mail). It is also used if you have your own mail server running on your LAN (GREEN interface) or your DMZ (ORANGE interface) and allow mails to be sent from outside your network (incoming requests) through your mail server.
The SMTP proxy configuration is split into several subsections.

Warning

In order to download mail from a remote mailserver with your local mail clients, the POP3 or IMAP protocol will be used. If you want to protect that traffic too, you have to enable the POP3 proxy in Proxy, POP3. Scanning of IMAP traffic is currently not supported. With the mail proxy functionality, both sorts of traffic (incoming and outgoing mail) can be scanned for viruses, spam and other threats. Mail will be blocked if necessary and notices will be sent to both the receiving user and the administrator. With the possibility to scan incoming mail, the mail proxy can handle incoming connections and pass the mail to one or more internal mail servers in order to remove the necessity to have SMTP connections from the outside within your local networks.

Main

This is the main configuration section for the SMTP proxy. It contains the following options:

Enabled - This enables the SMTP proxy in order to accept requests on port 25.
Transparent on GREEN, BLUE, ORANGE - If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need to change the configuration on your clients.
Antivirus is enabled - Check this box if you would like to enable antivirus. The antivirus can be configured in the Proxy, SMTP, Antivirus link.
Spamcheck is enabled - Check this box if you would like to filter spam emails. The spam filter can be configured in the Proxy, SMTP, Spam section.
File extensions are blocked - Check this box if you would like to block mails that contain attached files with certain extensions. The file extensions can be configured in the Proxy, SMTP, File extensions section.
Incoming mail enabled - If you have an internal mailserver and would like the SMTP proxy to forward incoming mails to your internal server you must enable this option.
Firewall logs outgoing connections - Tick this if you want the firewall to log all established outgoing connections. Note that in some countries this may be illegal.


You need to configure the email domains for which the server should be responsible. You can add the list of domains in the Proxy, SMTP, Domains section.

To save and apply the settings you must click on the Save changes and restart button.

Antivirus

The Antivirus is one of the main features of the SMTP proxy module. Three different actions can be performed when a mail that contains a virus is sent. It is also possible to configure an email address for notifications.

Mode - You can choose between three modes for handling infected mails.
DISCARD: if you choose this mode the mail will be deleted
BOUNCE: if you choose this mode the email will not be delivered but bounced back to the sender in form of a non-delivery notification
PASS: if you choose this mode the mail will be delivered normally
Email used for virus notifications - Here you can provide an email-address that will receive a notification for each infected email that is processed.
Virus quarantine - Here you can specify what kind of quarantine you are using. Valid values are:
- leaving this field empty will disable the quarantine.
- virus-quarantine this stores infected mails on the firewall (in /var/amavis/virusmails), this is the default setting.
- valid.email@address any valid email address will result in the infected emails being forwarded to that email address.

To save and apply the settings just click on the Save changes and restart button.

Spam

The antispam module knows several different ways to protect you from spam mails. In general spamassassin and amavisd-new are used to filter out spam. SpamAssassin provides several means of detecting spam. It has a score tally system where large numbers of inter-related rules fire off and total up a score to determine whether a message is spam or not.
The page is divided into two sections: SMTP Proxy and greylisting.


While most simple spam mails such as well known spam messages and mail sent by known spam hosts are blocked, spammers always adapt their messages in order to circumvent spam filters. Therefore it is absolutely necessary to always train the spam filter in order to reach a personalized and stronger filter (bayes).

The SMTP Proxy section contains the main configuration for the spam filter.

Spam destination - You can choose between three modes for handling spam emails.
DISCARD: if you choose this mode the email will be deleted
BOUNCE: if you choose this mode the email will not be delivered but bounced back to the sender in form of a non-delivery notification
PASS: if you choose this mode the email will be delivered normally
Email used for notification on spam alert - Here you can provide an email-address that will receive a notification for each spam email that is processed.
Spam quarantine - Here you can specify what kind of quarantine you are using. Valid values are:
- leaving this field empty will disable the spam quarantine.
- spam-quarantine this stores spam mails on the firewall (in /var/amavis/virusmails), this is the default setting.
- valid.email@address any valid email address will result in the spam emails being forwarded to that email address.
Spam tag level - If SpamAssassin's spam score is greater than this number X-Spam-Status and X-Spam-Level headers are added to the email.
Spam mark level - If SpamAssassin's spam score is greater than this number mails are tagged with the Spam subject and an X-Spam-Flag header.
Spam quarantine level - Mails that exceed this spam score will be moved to the quarantine.
Send notification only below level - Send notification emails only if the spam score is below this number.
Spam subject - Here you can specify a prefix for the subject of marked spam emails.
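The four score levels above interact, and it is easy to set them in an order that silently drops notifications. The following added example (our own illustration, not Endian Firewall's or amavisd-new's code) walks constructed SpamAssassin scores through a constructed policy; the assumption that the Spam destination action is taken once the mark level is exceeded is ours.

```python
# Added example (not Endian Firewall's or amavisd-new's own code): walks a
# SpamAssassin score through the four levels on this page to show which
# headers, subject tag, quarantine and notification result. Threshold values
# and scores are constructed samples; that the "Spam destination" action
# applies once the mark level is exceeded is our assumption.

from dataclasses import dataclass, field


@dataclass
class SpamPolicy:
    tag_level: float          # > this: X-Spam-Status / X-Spam-Level headers
    mark_level: float         # > this: subject prefix + X-Spam-Flag
    quarantine_level: float   # > this: copy moved to quarantine
    notify_below: float       # notification only if score < this
    subject_prefix: str = "***SPAM***"
    destination: str = "PASS"  # DISCARD | BOUNCE | PASS


@dataclass
class Verdict:
    score: float
    headers: dict = field(default_factory=dict)
    subject: str = ""
    action: str = "PASS"       # what happens to the original mail
    quarantined: bool = False
    notify: bool = False


def evaluate(score: float, subject: str, policy: SpamPolicy) -> Verdict:
    v = Verdict(score=score, subject=subject)
    if score > policy.tag_level:
        is_spam = score > policy.mark_level
        v.headers["X-Spam-Status"] = "%s, score=%.1f" % ("Yes" if is_spam else "No", score)
        # SpamAssassin-style level header: one '*' per whole point of score
        v.headers["X-Spam-Level"] = "*" * max(0, int(score))
    if score > policy.mark_level:
        v.headers["X-Spam-Flag"] = "YES"
        v.subject = "%s %s" % (policy.subject_prefix, subject)
        v.action = policy.destination     # assumption: destination applies here
        # "Send notification only below level": spam above that score is
        # handled silently, which keeps floods of obvious spam out of the inbox.
        v.notify = score < policy.notify_below
    if score > policy.quarantine_level:
        v.quarantined = True
    return v


# Constructed policy roughly following SpamAssassin's default of 5 points.
POLICY = SpamPolicy(tag_level=2.0, mark_level=5.0, quarantine_level=8.0,
                    notify_below=10.0, destination="DISCARD")

if __name__ == "__main__":
    for s in (1.0, 3.5, 6.2, 9.0, 12.0):
        print(evaluate(s, "Quarterly report", POLICY))
```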

The second section contains configuration options for Endian Firewall's greylisting. It contains the following options:

greylisting enabled - Check this box if you want to enable greylisting.
delay(sec) - The greylisting delay in seconds can be a value between 30 and 3600.
Whitelist recipient - You can whitelist email-addresses or whole domains in this textarea, e.g. test@endian.com or the domain endian.com (one entry per line).
Whitelist client - You can whitelist a mailserver's address here. This means that all emails coming from this server's address will not be checked for spam (one entry per line).

Save the settings and restart the SMTP Proxy by clicking on the Save changes and restart button.

File Extensions

This allows you to block files with certain file extensions which may be attached to mails. Mails which contain such attachments will be recognized and the selected action will be performed for the respective mail. The following options can be configured:

Blocked file extensions - You can select one or more file extensions to be blocked. In order to select multiple files press the control key and click on the desired entries with your mouse.
Banned files destination - You can choose between three modes for handling emails that contain such attachments.
DISCARD: if you choose this mode the email will be deleted
BOUNCE: if you choose this mode the email will not be delivered but bounced back to the sender in form of a non-delivery notification
PASS: if you choose this mode the email will be delivered normally
Banned files quarantine - Here you can specify what kind of quarantine you are using. Valid values are:
- leaving this field empty will disable the quarantine for mails with blocked attachments.
- spam-quarantine this stores mails with blocked attachments on the firewall (in /var/amavis/virusmails), this is the default setting.
- valid.email@address any valid email address will result in the emails with blocked attachments being forwarded to that email address.
Email used for notification on banned files - Whenever an email with an attachment that is blocked due to its file extension is found, a notification email is sent to this address.
Block double extensions - If you enable this option, files with double extensions will be blocked since these files are usually created to harm computers (blocked double extensions are composed of any extension followed by .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll).
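As an added illustration of the two attachment checks described in this section (our own code, not Endian Firewall's or amavisd-new's), the following reproduces the per-extension block list and the double extension rule, using the tail extensions the manual names; the selected list and the filenames are constructed samples.

```python
# Added example (not Endian Firewall's or amavisd-new's own code): reproduces
# the attachment checks described on this page, the per-extension block list
# and the "double extension" rule. Filenames and the selected list are
# constructed samples.

# Extensions the manual names as the dangerous second half of a double extension.
DOUBLE_EXT_TAIL = {".exe", ".com", ".vbs", ".pif", ".scr", ".bat", ".cmd", ".dll"}


def extensions(filename: str):
    """Return the extensions of a filename, lowercased, in order.

    'invoice.pdf.exe' -> ['.pdf', '.exe']; 'README' -> [].
    """
    name = filename.rsplit("/", 1)[-1]          # ignore any path component
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]    # skip the base name


def is_double_extension(filename: str) -> bool:
    """True if the file has at least two extensions and the last one is in
    DOUBLE_EXT_TAIL (e.g. 'photo.jpg.scr')."""
    exts = extensions(filename)
    return len(exts) >= 2 and exts[-1] in DOUBLE_EXT_TAIL


def banned_reason(filename: str, blocked_exts, block_double: bool):
    """Return why the attachment is banned, or None if it is allowed."""
    exts = extensions(filename)
    if exts and exts[-1] in {e.lower() for e in blocked_exts}:
        return "blocked extension %s" % exts[-1]
    if block_double and is_double_extension(filename):
        return "double extension %s" % "".join(exts[-2:])
    return None


def scan_attachments(filenames, blocked_exts, block_double):
    """Map each attachment name to its ban reason (None when clean)."""
    return {f: banned_reason(f, blocked_exts, block_double) for f in filenames}


# Constructed configuration: only .exe selected under "Blocked file extensions".
BLOCKED = [".exe"]
SAMPLE = ["report.pdf", "setup.exe", "invoice.pdf.scr", "archive.tar.gz",
          "notes.txt.bat", "README"]

if __name__ == "__main__":
    for name, why in scan_attachments(SAMPLE, BLOCKED, True).items():
        print("%-18s %s" % (name, why or "allowed"))
```

Note that archive.tar.gz is not caught by the double extension rule, since only the listed tail extensions count; plain double dots alone are not a signal.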

Save the settings and restart the SMTP Proxy by clicking on the Save changes and restart button.

Blacklists/Whitelists

A frequently used method to block spam e-mails is so-called real-time blacklists (RBLs). These lists are created, managed and updated by different organisations. If a domain or a sender IP address is listed in one of the blacklists, emails from it will be refused without further notice. This saves more bandwidth than the RBL of the antispam module, since here mails are not accepted and then handled, but dismissed as soon as a listed IP address is found.
This dialogue also gives you the possibility to explicitly block (blacklist) or allow (whitelist) certain senders, recipients, IP addresses or networks.

Warning

Sometimes it may happen that IP addresses have been wrongly listed by the RBL operator. If this should happen, it may negatively impact your communication, to the effect that mail will be refused without the possibility to recover it. You also have no direct influence on the RBLs.

In the RBL section you can enable the following lists:

bl.spamcop.net - This RBL is based on submissions from its users (www.spamcop.net).
zen.spamhaus.org - This list replaces sbl-xbl.spamhaus.org and contains the Spamhaus block list as well as Spamhaus' exploits block list and its policy block list.
cbl.abuseat.org - The CBL takes its source data from very large spamtraps. It only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc.) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.
dul.dnsbl.sorbs.net - This contains a list of Dynamic IP Address ranges (www.au.sorbs.net).
list.dsbl.org - DSBL is the Distributed Sender Blackhole List. It publishes the IP addresses of hosts which have sent special test emails to listme@listme.dsbl.org or another listing address. The main delivery method of spammers is the abuse of non-secure servers. For that reason many people want to know which servers are non-secure so they can refuse email from these servers. DSBL provides exactly that information (www.dsbl.org).
dsn.rfc-ignorant.org - This is a list which contains domains or IP networks whose administrators choose not to obey the RFCs, the standards of the net (www.rfc-ignorant.org).
ix.dnsbl.manitu.net - A publicly available DNS blacklist which is permanently regenerated from the IP blacklist and the spam hash table of the spam filter NiX Spam.

Save the settings and restart the SMTP Proxy by clicking the Save changes and restart button.

Note

Advanced users can modify the list by editing the file /var/efw/smtpd/default/RBL.

You can also create custom black- and whitelists by adding entries to the fields in the blacklist/whitelist section.
The following textareas can be filled out in this section:

sender whitelist - Mails from these addresses or domains will always be accepted.
sender blacklist - Mails from these addresses or domains will never be accepted.
recipient whitelist - Mails to these addresses or domains will always be accepted.
recipient blacklist - Mails to these addresses or domains will never be accepted.
client whitelist - Mails that have been sent from these IP addresses or hosts will always be accepted.
client blacklist - Mails that have been sent from these IP addresses or hosts will never be accepted.

To save the changes and restart the SMTP proxy click on the Save changes and restart button.

Examples for recipient/sender black- and whitelists:

a whole domain - example.com
only subdomains - .example.com
a single address - admin@example.com
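As an added example (not Endian Firewall code), the Python below applies the three entry forms shown above to a mail envelope and returns whether the custom lists accept it, reject it, or leave it to the RBL and antispam checks. The exact matching rules, the whitelist-first precedence, and all sample addresses are assumptions.

```python
from typing import Iterable, Optional


def _domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as User@Example.COM."""
    return address.rsplit("@", 1)[-1].lower()


def entry_matches(entry: str, address: str) -> bool:
    """True if one list entry covers the mail address. Entry forms as in the manual:
    example.com (every address at exactly that domain), .example.com (every address
    at a subdomain of example.com), admin@example.com (that single address).
    The precise matching rules are an assumption; the manual only shows the forms."""
    entry, address = entry.strip().lower(), address.strip().lower()
    if not entry:
        return False
    if "@" in entry:                      # single address
        return entry == address
    domain = _domain_of(address)
    if entry.startswith("."):             # subdomains only
        return domain.endswith(entry)
    return domain == entry                # whole domain


def list_decision(whitelist: Iterable[str], blacklist: Iterable[str], address: str) -> Optional[str]:
    """'accept' if whitelisted, 'reject' if blacklisted, None if neither.
    The whitelist is checked first (assumption: the manual says such mail is always accepted)."""
    if any(entry_matches(e, address) for e in whitelist):
        return "accept"
    if any(entry_matches(e, address) for e in blacklist):
        return "reject"
    return None


def check_envelope(sender, recipient, sender_wl=(), sender_bl=(), rcpt_wl=(), rcpt_bl=()):
    """Apply the sender lists, then the recipient lists; the first decision wins."""
    for decision in (list_decision(sender_wl, sender_bl, sender),
                     list_decision(rcpt_wl, rcpt_bl, recipient)):
        if decision:
            return decision
    return "continue"  # no list matched: fall through to RBL and antispam checks


if __name__ == "__main__":
    # Constructed addresses and lists, not from the manual.
    print(check_envelope("news@mail.example.com", "bob@example.org", sender_bl=[".example.com"]))
```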

Domains

If you have enabled incoming mail and would like to forward that mail to a mail server behind your Endian Firewall - usually set up in the GREEN or ORANGE zone - you need to declare the domains which will be accepted by the SMTP proxy and to which of your mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind Endian Firewall for different domains. It is also easily possible to use Endian Firewall as a backup MX.

Domain - The domain this mailserver is responsible for.
Internal mailserver - The address of the mailserver.

To add a domain click the Add button. To apply the changes the SMTP proxy has to be restarted by clicking on the Save changes and restart button.
Existing entries can be edited and deleted by clicking on the respective icon (as described in the legend at the bottom of the page).

Mail Routing

This option allows you to send a blind carbon copy (BCC) to a specified email address. This option will be applied to all emails that are sent to the specified recipient address or are sent from the specified sender address.

Direction - Specify whether you want to apply this copying process for a certain Sender or Recipient.
Mail address - Here you specify the mail address of the recipient or sender (depending on what you have chosen above).
BCC address - The mail address where you want to send the copy of the emails.

The mail route is saved by clicking on the Add mail route button. Existing entries can be changed or deleted by clicking on the respective icons which are explained in the legend at the bottom of the page.

Warning

Neither the sender nor the recipient will be notified of the copy. In most countries of this planet it is highly illegal to read other people's private messages. Do not abuse this feature.

Advanced

On this page you can configure the advanced settings of the SMTP proxy. In the Smarthost section the following options can be configured:

Smarthost enabled for delivery - Check this box if you want to use a smarthost to deliver emails.
Address of smarthost - Here you can enter the address of the smarthost.
Authentication required - Check this box if the smarthost requires authentication.
Username - This username is used for authentication.
Password - This password is used for authentication.
Authentication method - Here you can choose the authentication methods that are supported by your smarthost. PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5 are supported.

The settings are saved and applied by clicking on the Save changes and restart button.

If you have a dynamic IP address because you are using an ISDN or an ADSL dialup internet connection, you may run into problems sending mails to other mail servers. More and more mail servers check whether your IP address is listed as a dynamic IP address and may refuse your emails for that reason. Hence it could be necessary to use a smarthost for sending emails.
A smarthost is a mail server which your SMTP proxy will use as outgoing SMTP server. The smarthost needs to accept your emails and relay them for you. Normally you can use your provider's SMTP server as smarthost, since it will relay your emails whereas other mail servers may not.

In the IMAP Server for SMTP Authentication section you can configure which IMAP server should be used for authentication when sending emails. This is mainly important for SMTP connections that are opened from the RED zone.
The following settings can be configured:

Authentication enabled - Check this box if you want to enable IMAP authentication.
IMAP server - Here you can enter the address of the IMAP server.
Number authentication daemons - This setting defines how many concurrent logins are possible through your Endian Firewall.

The settings are saved and applied by clicking on the Save changes and restart button.

In the Advanced settings additional parameters can be defined. The options are:

smtpd HELO required - If this is enabled the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session.
reject invalid hostname - Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname.
reject non-FQDN sender - Reject the connecting client if the hostname supplied with the HELO or EHLO command is not a fully-qualified domain name as required by the RFC.
reject non-FQDN recipient - Reject the request when the RCPT TO address is not in fully-qualified domain name form, as required by the RFC.
reject unknown sender domain - Reject the connection if the domain of the sender email address has no DNS A or MX record.
reject unknown recipient domain - Reject the connection if the domain of the recipient email address has no DNS A or MX record.
SMTP HELO name - The hostname to send with the SMTP EHLO or HELO command. The default value is the IP of RED. Specify a hostname or IP address.
Always BCC address - Optionally you can enter an email address here that will receive a blind carbon copy of each message that goes through the SMTP proxy.
smtpd hard error limit - The maximum number of errors a remote SMTP client is allowed to produce without delivering mail. The SMTP Proxy server disconnects once this limit is exceeded (default 20).
Language email templates - The language in which error messages should be sent.
maximal email size - The maximum size a single message is allowed to have.
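As an added example that is not Endian's code, the Python below evaluates an SMTP envelope against the restriction switches listed above and names every check that would fire. It applies the non-FQDN sender check to the MAIL FROM address domain, mirroring the recipient check (the description above refers to the HELO name); DNS resolution is replaced by an injected callback so the example runs offline, and the hostname syntax rules and sample values are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# One hostname label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Syntactically valid hostname, or a bracketed IPv4 literal such as [192.0.2.1]."""
    if re.fullmatch(r"\[\d{1,3}(\.\d{1,3}){3}\]", name):
        return True
    return 0 < len(name) <= 253 and all(_LABEL_RE.match(label) for label in name.split("."))


def is_fqdn(name: str) -> bool:
    """Fully-qualified: a valid hostname (not an address literal) with at least one dot."""
    return is_valid_hostname(name) and "." in name and not name.startswith("[")


@dataclass
class Restrictions:
    helo_required: bool = True
    reject_invalid_hostname: bool = True
    reject_non_fqdn_sender: bool = True
    reject_non_fqdn_recipient: bool = True
    reject_unknown_sender_domain: bool = True
    reject_unknown_recipient_domain: bool = True
    # Answers "does this domain have an A or MX record?"; injected so the example runs offline.
    domain_resolves: Callable[[str], bool] = lambda domain: True


def evaluate(r: Restrictions, helo: Optional[str], mail_from: str, rcpt_to: str) -> List[str]:
    """Names of the restrictions that would reject this envelope (empty list = accepted)."""
    hits: List[str] = []
    if r.helo_required and not helo:
        hits.append("smtpd HELO required")
    if r.reject_invalid_hostname and helo and not is_valid_hostname(helo):
        hits.append("reject invalid hostname")
    # The null sender (<>) used for bounces has no domain and skips the sender checks.
    s_dom = None if mail_from.strip("<> ") == "" else mail_from.strip("<> ").rsplit("@", 1)[-1].lower()
    r_dom = rcpt_to.strip("<> ").rsplit("@", 1)[-1].lower()
    if r.reject_non_fqdn_sender and s_dom is not None and not is_fqdn(s_dom):
        hits.append("reject non-FQDN sender")
    if r.reject_non_fqdn_recipient and not is_fqdn(r_dom):
        hits.append("reject non-FQDN recipient")
    if r.reject_unknown_sender_domain and s_dom is not None and not r.domain_resolves(s_dom):
        hits.append("reject unknown sender domain")
    if r.reject_unknown_recipient_domain and not r.domain_resolves(r_dom):
        hits.append("reject unknown recipient domain")
    return hits
```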

The settings are saved and applied by clicking on the Save changes and restart button.

DNS

Select Proxy from the menu bar at the top of the screen, then select DNS from the submenu on the left side of the screen.

In this section you can change the settings for the DNS proxy. It is divided into three subpages.

DNS proxy

On this page you can enable the transparent DNS proxy for the GREEN, ORANGE and BLUE zones (if they are active).
You can also define for which source addresses the proxy will be bypassed in the lower left textarea. These sources can be IP addresses, addresses of subnets and MAC addresses (one per line).
In the lower right textarea you can enter destinations for which the proxy is bypassed. In this textarea IP addresses and addresses of subnets can be entered.
To save the settings you must click on the Save button.

Custom nameserver

On this page you can add custom nameservers for specific domains. You can add a new custom nameserver by clicking on the Add new custom name server for a domain link. To change an existing entry you have to click on the pencil icon in its row. Clicking on a trash can icon will delete the custom nameserver in that row.
The following details can be saved for custom nameservers:

Domain - The domain for which you want to use the custom nameserver.
DNS Server - The IP address of the nameserver.
Remark - An additional comment you might want to save.

Anti-spyware

On this page you can configure how your Endian Firewall should react if a domain name has to be resolved that is known to be used by spyware. The options that can be set are:

Enabled - If enabled these requests will be redirected to localhost.
Redirect requests to spyware listening post - If this is enabled the requests will be redirected to the spyware listening post instead of localhost.
Whitelist domains - Domain names that are entered here are not treated as spyware targets regardless of the list's content.
Blacklist domains - Domain names that are entered here are always treated as spyware targets regardless of the list's content.
Spyware domain list update schedule - Here you can specify how often the spyware domain list should be updated. Possible values are Hourly, Daily, Weekly and Monthly. By moving the mouse cursor over the respective question mark you can see when exactly the updates will be performed.
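As an added example (not Endian Firewall code), the Python below merges a downloaded spyware domain list with the whitelist and blacklist overrides described above and emits the resolver rules that redirect those names to localhost or to the listening post. The dnsmasq address= syntax, the subdomain handling of whitelist entries, and the sample domains are assumptions; the manual does not name the DNS proxy backend.

```python
from typing import Iterable, List, Optional

LOCALHOST = "127.0.0.1"


def _normalise(names: Iterable[str]) -> set:
    """Lower-case, strip whitespace and a trailing dot, drop empty lines."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def effective_spyware_domains(feed: Iterable[str], whitelist: Iterable[str],
                              blacklist: Iterable[str]) -> List[str]:
    """Merge the downloaded spyware domain list with the local overrides.

    Whitelist entries remove a domain (and, by assumption, its subdomains) from the
    feed; blacklist entries are always added. A domain in both lists stays blocked
    (assumption: the manual gives no precedence rule).
    """
    feed, wl, bl = _normalise(feed), _normalise(whitelist), _normalise(blacklist)

    def whitelisted(domain: str) -> bool:
        return any(domain == w or domain.endswith("." + w) for w in wl)

    return sorted({d for d in feed if not whitelisted(d)} | bl)


def dnsmasq_sinkhole_lines(domains: Iterable[str], listening_post: Optional[str] = None) -> List[str]:
    """Emit 'address=/domain/ip' lines so every lookup of the domain (and its
    subdomains) is answered with localhost or, if set, the listening post address.
    dnsmasq syntax is assumed; the manual does not name the DNS proxy backend."""
    target = listening_post or LOCALHOST
    return [f"address=/{d}/{target}" for d in domains]


if __name__ == "__main__":
    # Constructed feed and override lists, not from the manual.
    feed = ["ads.example.net", "tracker.example.org", "cdn.example.com"]
    blocked = effective_spyware_domains(feed, whitelist=["example.com"], blacklist=["evil.example.test"])
    print("\n".join(dnsmasq_sinkhole_lines(blocked)))
```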

The settings are saved and applied by clicking on the Save button.