Endian Firewall Reference Manual r. 2.2.1.9

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Chapter 4: The Services Menu

Select Services from the menu bar at the top of the screen.

Endian Firewall can provide a number of useful services that can be configured in this section. In particular, these include services used by the various proxies, such as the ClamAV antivirus.
Intrusion detection, high availability and traffic monitoring can be enabled here as well.
Following is a list of links that appear in the submenu on the left side of the screen:

Each link will be explained in the following sections.

DHCP server

Select Services from the menu bar at the top of the screen, then select DHCP server from the submenu on the left side of the screen.

The DHCP (Dynamic Host Configuration Protocol) service allows you to control the IP address configuration of all your network devices from Endian Firewall in a centralized way.

When a client (host or other device such as a networked printer, etc.) joins your network it will automatically get a valid IP address from a range of addresses, plus other settings, from the DHCP service. The client must be configured to use DHCP (often called "automatic network configuration"), which is usually the default setting. You may choose to provide this service to clients on your GREEN zone only, or include devices on the ORANGE (DMZ) or BLUE (WLAN) zone. Just tick the check boxes labeled Enabled accordingly.

Click on the Settings link to define the DHCP parameters as described below:

Start address / End address - Specify the range of addresses to be handed out. These addresses have to be within the subnet that has been assigned to the corresponding zone. If you want to configure some hosts to use manually assigned IP addresses or fixed IP addresses (see below), be sure to define a range that does not include these addresses or addresses from the OpenVPN address pool (see OpenVPN, OpenVPN server) to avoid conflicts. If you intend to use fixed leases only (see below), leave these fields empty.
Default / Max lease time - This defines the default / maximum time in minutes before the IP assignment expires and the client is supposed to request a new lease from the DHCP server.
Domain name suffix - This is the default domain name suffix that is passed to the clients. When the client looks up a hostname, it will first try to resolve the requested name. If that is not possible, the client will append this domain name suffix preceded by a dot and try again.
Example: if the fully qualified domain name of your local file server is earth.example.com and this suffix is "example.com", the clients will be able to resolve the server by the name "earth".
Primary / Secondary DNS - This specifies the domain name servers (DNS) to be used by your clients. Since Endian Firewall contains a caching DNS server, the default value is the firewall's own IP address in the respective zone.
Primary / Secondary NTP server - Here you can specify the Network Time Protocol (NTP) servers to be used by your clients (to keep the clocks synchronized on all clients).
Primary / Secondary WINS server - This setting specifies the Windows Internet Name Service (WINS) servers to be used by your clients (for Microsoft Windows networks that use WINS).

Advanced users may add custom configuration lines to dhcpd.conf in the text area below the settings form. Note that Endian Firewall's interface does not perform any syntax check on these lines: any mistake here may prevent the DHCP server from starting!

Example:
The following extra lines may be used to handle VoIP telephones that need to retrieve their configuration files from an HTTP server at boot time:

    option tftp-server-name "http://$GREEN_ADDRESS";
    option bootfile-name "download/snom/{mac}.html";

Note the use of $GREEN_ADDRESS which is a macro that is replaced with the firewall's own GREEN interface address.

Fixed leases

Sometimes it is necessary for certain devices to always use the same IP address while still using DHCP. Clicking on the Add a fixed lease link allows you to assign static IP addresses to devices, which are identified by their MAC addresses. Note that this is still very different from configuring the addresses manually on each device, since each device still contacts the DHCP server to obtain its address.

A typical use case for this is the case of thin clients on your network that boot the operating system image from a network server using PXE (Preboot Execution Environment).

The following parameters can be set to define fixed leases:

MAC address - the client's MAC address
IP address - the IP address that will always be assigned to this client
Description - optional description
Next address - the address of the TFTP server (only for thin clients / network boot)
Filename - the boot image file name (only for thin clients / network boot)
Root path - the path of the boot image file (only for thin clients / network boot)
Enabled - if this checkbox is not ticked the fixed lease is stored but not written to dhcpd.conf

Every fixed lease can be enabled, disabled, edited or removed by clicking on the respective icon (icons are described in the legend at the bottom of the fixed leases table).
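The settings form, the custom lines and the fixed leases above all end up in dhcpd.conf. The following added example (written for this page; it is not Endian Firewall's own configuration generator) renders those fields into a dhcpd.conf fragment and first runs the checks the manual asks you to do by hand: the dynamic range must lie inside the zone's subnet and must not contain any fixed lease or the OpenVPN address pool. Field names follow the web form; the "option routers" line, the host-block naming and all addresses are assumptions or constructed sample values.

```python
# Added example (not Endian Firewall's own code): turn the DHCP settings and
# fixed leases described above into a dhcpd.conf fragment, after running the
# conflict checks the manual warns about. All addresses are constructed samples.
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class FixedLease:
    mac: str
    ip: str
    description: str = ""
    next_address: str = ""      # "Next address": TFTP server for network boot
    filename: str = ""          # boot image file name
    root_path: str = ""         # path of the boot image
    enabled: bool = True        # unticked: stored but not written to dhcpd.conf


@dataclass
class ZoneDhcp:
    network: str                # the zone's subnet, e.g. 192.168.0.0/24
    zone_address: str           # the firewall's own address in this zone
    start: str = ""             # Start address (empty = fixed leases only)
    end: str = ""               # End address
    default_lease_min: int = 60
    max_lease_min: int = 120
    domain_suffix: str = ""
    dns: list[str] = field(default_factory=list)
    ntp: list[str] = field(default_factory=list)
    wins: list[str] = field(default_factory=list)
    custom_lines: list[str] = field(default_factory=list)
    fixed: list[FixedLease] = field(default_factory=list)


def check_conflicts(zone: ZoneDhcp, openvpn_pool: str = "") -> list[str]:
    """Return the problems the manual warns about; an empty list means the settings are consistent."""
    net = ipaddress.ip_network(zone.network)
    problems = []
    for lease in zone.fixed:
        if not MAC_RE.match(lease.mac):
            problems.append(f"fixed lease {lease.ip}: malformed MAC address {lease.mac!r}")
        if ipaddress.ip_address(lease.ip) not in net:
            problems.append(f"fixed lease {lease.ip} is outside {zone.network}")
    if not (zone.start and zone.end):
        return problems                          # fixed leases only: nothing more to check
    lo, hi = ipaddress.ip_address(zone.start), ipaddress.ip_address(zone.end)
    if lo not in net or hi not in net:
        problems.append(f"dynamic range {zone.start}-{zone.end} is outside {zone.network}")
    if lo > hi:
        problems.append("start address is above end address")
    for lease in zone.fixed:
        if lo <= ipaddress.ip_address(lease.ip) <= hi:
            problems.append(f"fixed lease {lease.ip} ({lease.mac}) lies inside the dynamic range")
    if openvpn_pool:
        pool = ipaddress.ip_network(openvpn_pool)
        if lo <= pool[-1] and pool[0] <= hi:     # the two address intervals overlap
            problems.append(f"OpenVPN pool {openvpn_pool} overlaps the dynamic range")
    return problems


def render_dhcpd_conf(zone: ZoneDhcp) -> str:
    """Render one subnet block plus one host block per enabled fixed lease."""
    net = ipaddress.ip_network(zone.network)
    lines = [f"subnet {net.network_address} netmask {net.netmask} {{"]
    if zone.start and zone.end:
        lines.append(f"    range {zone.start} {zone.end};")
    lines.append(f"    default-lease-time {zone.default_lease_min * 60};")  # form uses minutes, dhcpd wants seconds
    lines.append(f"    max-lease-time {zone.max_lease_min * 60};")
    lines.append(f"    option routers {zone.zone_address};")  # assumed: the firewall is the zone's gateway
    if zone.domain_suffix:
        lines.append(f'    option domain-name "{zone.domain_suffix}";')
    if zone.dns:
        lines.append(f"    option domain-name-servers {', '.join(zone.dns)};")
    if zone.ntp:
        lines.append(f"    option ntp-servers {', '.join(zone.ntp)};")
    if zone.wins:
        lines.append(f"    option netbios-name-servers {', '.join(zone.wins)};")
    for raw in zone.custom_lines:
        # $GREEN_ADDRESS is the macro from the page; here it expands to the zone address
        lines.append("    " + raw.replace("$GREEN_ADDRESS", zone.zone_address))
    lines.append("}")
    for lease in zone.fixed:
        if not lease.enabled:
            continue                             # stored in the GUI, not written to the file
        if lease.description:
            lines.append(f"# {lease.description}")
        lines.append(f"host fixed-{lease.mac.replace(':', '-')} {{")
        lines.append(f"    hardware ethernet {lease.mac};")
        lines.append(f"    fixed-address {lease.ip};")
        if lease.next_address:
            lines.append(f"    next-server {lease.next_address};")
        if lease.filename:
            lines.append(f'    filename "{lease.filename}";')
        if lease.root_path:
            lines.append(f'    option root-path "{lease.root_path}";')
        lines.append("}")
    return "\n".join(lines) + "\n"


# Constructed sample settings for the GREEN zone, mirroring the form fields.
GREEN = ZoneDhcp(
    network="192.168.0.0/24", zone_address="192.168.0.1",
    start="192.168.0.100", end="192.168.0.200",
    domain_suffix="example.com", dns=["192.168.0.1"], ntp=["192.168.0.1"],
    custom_lines=['option tftp-server-name "http://$GREEN_ADDRESS";',
                  'option bootfile-name "download/snom/{mac}.html";'],
    fixed=[FixedLease("00:11:22:33:44:55", "192.168.0.150", "thin client (PXE boot)",
                      next_address="192.168.0.10", filename="pxelinux.0", root_path="/srv/nfsroot"),
           FixedLease("00:11:22:33:44:66", "192.168.0.20", "printer, kept but disabled", enabled=False)],
)

if __name__ == "__main__":
    for problem in check_conflicts(GREEN, openvpn_pool="192.168.0.192/26"):
        print("WARNING:", problem)
    print(render_dhcpd_conf(GREEN))
```

Running it warns that the fixed lease 192.168.0.150 sits inside the dynamic range 192.168.0.100-200 and that the assumed OpenVPN pool 192.168.0.192/26 overlaps it, which is exactly the situation the Start address / End address description tells you to avoid; the disabled printer lease is validated but, as the Enabled field says, never written out.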

List of current dynamic leases

The DHCP section ends with a list of currently assigned dynamic IP addresses.

Dynamic DNS

Select Services from the menu bar at the top of the screen, then select Dynamic DNS from the submenu on the left side of the screen.

Dynamic DNS providers like DynDNS offer a service that allows assigning a globally available domain name to IP addresses. This works even with addresses that are changing dynamically such as those offered by residential ADSL connections. For this to work, each time the IP address changes, the update must be actively propagated to the dynamic DNS provider.

Endian Firewall contains a dynamic DNS client for 14 different providers - if enabled, it will automatically connect to the dynamic DNS provider and tell it the new IP address after every address change.

For each account (you might use more than one) click on the Add a host link, then specify the following parameters:

Service - choose the dynamic DNS provider
Behind a proxy - (only applies if you use the no-ip.com service) check this box if your Endian Firewall is connecting to the internet through a proxy
Enable wildcards - some dynamic DNS providers allow all sub-domains of your domain to point to your IP address, e.g. www.example.dyndns.org and example.dyndns.org will both resolve to the same IP address; check this box to enable this feature (if your dynamic DNS provider supports it)
Hostname and Domain - the hostname and domain as registered with your dynamic DNS provider, for instance "example" and "dyndns.org"
Username and Password - as given to you by your dynamic DNS provider
behind Router (NAT) - check this if your Endian Firewall is not directly connected to the internet, that is, if it sits behind another router / gateway: in this case the service at http://checkip.dyndns.org is used to find out what your external IP address is
Enabled - check to enable (default)

Please note that you still have to export a service to the RED zone if you want to be able to use your domain name to connect to your home/office system from the internet. The dynamic DNS provider only does the domain name resolution part for you. Exporting a service typically involves setting up port forwarding (see Firewall, Port forwarding / NAT).
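The following added example (written for this page, not Endian Firewall's own dynamic DNS client) shows the decision logic behind the options above: the address is taken from the RED interface, or from http://checkip.dyndns.org when "behind Router (NAT)" is ticked, and the provider is contacted only when that address has actually changed, since providers treat repeated identical updates as abuse. The update request follows the dyndns2-style GET with HTTP basic authentication used by DynDNS and several other providers (an assumption; check your provider's API), the checkip response format is assumed, and the network is replaced by a constructed fake so the code runs offline.

```python
# Added example (not Endian Firewall's own client): dynamic DNS update logic.
# UPDATE_URL and the checkip reply format are assumptions; the addresses are
# constructed sample values from the documentation ranges.
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import Callable

CHECKIP_URL = "http://checkip.dyndns.org"             # used when "behind Router (NAT)" is ticked
UPDATE_URL = "https://members.dyndns.org/nic/update"  # assumed dyndns2-style endpoint

Fetch = Callable[[str, dict], str]   # (url, headers) -> response body


@dataclass
class DdnsHost:
    hostname: str
    domain: str
    username: str
    password: str
    wildcard: bool = False       # "Enable wildcards"
    behind_nat: bool = False     # "behind Router (NAT)"
    enabled: bool = True


def parse_checkip(body: str) -> str:
    """Extract the address from a checkip.dyndns.org reply (reply format assumed)."""
    m = re.search(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", body)
    if not m:
        raise ValueError("unexpected checkip response")
    return m.group(1)


class DdnsClient:
    def __init__(self, fetch: Fetch, red_address: Callable[[], str]):
        self.fetch = fetch
        self.red_address = red_address       # reads the RED interface address
        self.last_ip: dict[str, str] = {}    # last address successfully sent per host

    def current_ip(self, host: DdnsHost) -> str:
        # Behind NAT the RED address is private, so ask an external service instead.
        if host.behind_nat:
            return parse_checkip(self.fetch(CHECKIP_URL, {}))
        return self.red_address()

    def sync(self, host: DdnsHost) -> str:
        """Return 'disabled', 'unchanged', or the provider's reply to an update."""
        if not host.enabled:
            return "disabled"
        fqdn = f"{host.hostname}.{host.domain}"
        ip = self.current_ip(host)
        if self.last_ip.get(fqdn) == ip:
            return "unchanged"               # only contact the provider after a change
        url = (f"{UPDATE_URL}?hostname={fqdn}&myip={ip}"
               f"&wildcard={'ON' if host.wildcard else 'NOCHG'}")
        token = base64.b64encode(f"{host.username}:{host.password}".encode()).decode()
        reply = self.fetch(url, {"Authorization": "Basic " + token})
        if (reply.split() or [""])[0] in ("good", "nochg"):   # dyndns2 success codes
            self.last_ip[fqdn] = ip
        return reply


class FakeNetwork:
    """Constructed stand-in for checkip and the provider so the example runs offline."""

    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self.updates: list[str] = []          # update requests the "provider" received

    def fetch(self, url: str, headers: dict) -> str:
        if url == CHECKIP_URL:
            return f"<html><body>Current IP Address: {self.external_ip}</body></html>"
        if not headers.get("Authorization", "").startswith("Basic "):
            return "badauth"
        self.updates.append(url)
        return "good " + re.search(r"myip=([\d.]+)", url).group(1)


if __name__ == "__main__":
    net = FakeNetwork("203.0.113.7")
    client = DdnsClient(net.fetch, red_address=lambda: "192.0.2.10")
    home = DdnsHost("example", "dyndns.org", "user", "secret", behind_nat=True)
    print(client.sync(home))   # good 203.0.113.7
    print(client.sync(home))   # unchanged
```

Because the credentials travel as basic authentication, the update URL must use HTTPS; the same client running over plain HTTP would expose the account password to anyone on the path to the provider.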

ClamAV antivirus

Select Services from the menu bar at the top of the screen, then select ClamAV antivirus from the submenu on the left side of the screen.

The mail proxy (POP and SMTP) and web proxy (HTTP) components of Endian Firewall use the well known ClamAV antivirus service. This section lets you configure how ClamAV should handle archive bombs (see the next paragraph for an explanation) and how often information about new viruses is downloaded ("signature update schedule"). You can also see when the last scheduled update was performed, as well as manually start an update.

Anti archive bomb configuration

Archive bombs are archives that use a number of tricks to load antivirus software to the point where it hogs most of the firewall's resources (a denial of service attack). Tricks include small archives made of large files with repeated content that compress very well (for example, a 1 GB file containing only zeros compresses down to just 1 MB using zip), multiple nested archives (e.g. zip files inside zip files), or archives that contain a very large number of empty files.

To avoid these types of attack, ClamAV is preconfigured not to scan archives that have certain attributes, as configured here:

Max. archive size - Archives larger than this size in MB are not scanned.
Max. nested archives - Archives containing archives are not scanned if the nesting exceeds this number of levels.
Max. files in archive - Archives are not scanned if they contain more than this number of files.
Max compression ratio - Archives whose uncompressed size exceeds the compressed archive size by more than X times, where X is the specified number, are not scanned. The default value is 1000; note that normal files typically uncompress to no more than 10 times the size of the compressed archive.
Handle bad archives - What should happen to archives that are not scanned because of the above settings: it is possible to choose between "Do not scan but pass" and "Block as virus".
Block encrypted archives - Since it is technically impossible to scan encrypted (password protected) archives, they may constitute a security risk; check this box to block them.
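To make the five limits concrete, here is an added example (written for this page; it is not ClamAV's or Endian Firewall's own code) that applies them to a zip file before the file would be handed to a scanner. Only the archive's central-directory metadata is read before the decision, so nothing is inflated until the size, file-count and ratio checks have passed, which is the whole point of the limits: a bomb must be rejected without doing the work it was built to cause. The default values other than the compression ratio (1000, from the page) are assumptions, and the sample archives are constructed in memory, with no real malware involved.

```python
# Added example (not ClamAV's or Endian Firewall's own code): archive-bomb
# limits applied to a zip from its metadata before anything is inflated.
# Defaults other than max_ratio are assumed; sample archives are constructed.
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

MB = 1024 * 1024
ENCRYPTED_FLAG = 0x1             # general-purpose bit 0 of a zip entry header


@dataclass
class ArchiveLimits:
    max_archive_mb: int = 10      # Max. archive size (assumed default)
    max_nested: int = 3           # Max. nested archives (assumed default)
    max_files: int = 1000         # Max. files in archive (assumed default)
    max_ratio: int = 1000         # Max compression ratio (default on the page)
    block_encrypted: bool = True  # Block encrypted archives
    block_bad: bool = True        # Handle bad archives: True = "Block as virus"


def compression_ratio(data: bytes) -> float:
    """Uncompressed size divided by compressed size, from metadata only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
    total_in = sum(i.file_size for i in entries)
    total_out = sum(i.compress_size for i in entries)
    return total_in / max(total_out, 1)


def check_archive(data: bytes, limits: ArchiveLimits, depth: int = 1) -> list[str]:
    """Return the limits this archive (or a nested one) hits; [] means scan it normally."""
    if len(data) > limits.max_archive_mb * MB:
        return ["max-archive-size"]
    if depth > limits.max_nested:
        return ["max-nested-archives"]
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        if len(entries) > limits.max_files:
            reasons.append("max-files-in-archive")
        if compression_ratio(data) > limits.max_ratio:
            reasons.append("max-compression-ratio")
        if limits.block_encrypted and any(i.flag_bits & ENCRYPTED_FLAG for i in entries):
            reasons.append("encrypted-archive")
        if reasons:
            return reasons                    # never inflate an archive that already failed
        for info in entries:
            if info.flag_bits & ENCRYPTED_FLAG:
                continue                      # cannot be opened without the password
            with zf.open(info) as fh:
                head = fh.read(4)             # peek: is the member itself a zip?
            if head != b"PK\x03\x04":
                continue                      # local-file-header signature absent: plain file
            if info.file_size > limits.max_archive_mb * MB:
                reasons.append("max-archive-size")
                continue
            reasons.extend(check_archive(zf.read(info), limits, depth + 1))
    return sorted(set(reasons))


def action(reasons: list[str], limits: ArchiveLimits) -> str:
    """What the proxy does with the file, per "Handle bad archives" / "Block encrypted archives"."""
    if not reasons:
        return "scan"
    if "encrypted-archive" in reasons or limits.block_bad:
        return "block"
    return "pass-unscanned"


def build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (no real malware): an ordinary document archive, a "bomb"
# whose single member is 4 MB of zeros (deflate shrinks it to a few KB), a zip
# nested four levels deep, and an archive of 1500 empty files.
NORMAL_ZIP = build_zip({"report.txt": b"quarterly figures, nothing unusual\n" * 100})
ZEROS_ZIP = build_zip({"zeros.bin": b"\0" * (4 * MB)})
NESTED_ZIP = build_zip({"l1.zip": build_zip({"l2.zip": build_zip({"l3.zip": NORMAL_ZIP})})})
MANY_FILES_ZIP = build_zip({f"empty{i}.txt": b"" for i in range(1500)})

if __name__ == "__main__":
    limits = ArchiveLimits()
    for name, sample in [("normal", NORMAL_ZIP), ("zeros", ZEROS_ZIP),
                         ("nested", NESTED_ZIP), ("many-files", MANY_FILES_ZIP)]:
        hits = check_archive(sample, limits)
        print(f"{name:10s} ratio={compression_ratio(sample):7.1f} {hits} -> {action(hits, limits)}")
```

The zeros sample lands right around the page's default ratio of 1000 (deflate cannot do better than roughly 1030:1), which is why the manual notes that normal files stay well below 10:1 and the threshold can be left high; the nested and many-files samples are caught by their own limits without a single byte being decompressed.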

ClamAV signature update schedule configuration

Another important aspect of running ClamAV is keeping the antivirus signatures up to date: information about new viruses must be downloaded periodically from a ClamAV server. The configuration pane (top right) lets you choose how often these updates are performed - the default is once every hour.
Tip: move the mouse over the question marks to see when exactly the updates are performed in each case - the default is one minute past the full hour.

ClamAV virus signatures

This section shows when the last update has been performed and what the latest version of ClamAV's antivirus signatures is.

Click on Update signatures now to perform an update right now (regardless of scheduled updates) - note that this might take some time.
There is also a link to ClamAV's online virus database in case you are looking for information about a specific virus.

Time server

Select Services from the menu bar at the top of the screen, then select Time server from the submenu on the left side of the screen.

Endian Firewall keeps the system time synchronized to time server hosts on the internet by using the network time protocol (NTP).

A number of time server hosts on the internet are preconfigured and used by the system. Click on Override default NTP servers to specify your own time server hosts. This might be necessary if you are running a setup that does not allow Endian Firewall to reach the internet. These hosts have to be added one per line.

Your current time zone setting can also be changed in this section.

The last form in this section gives you the possibility to manually change the system time. This makes sense if the system clock is way off and you would like to speed up synchronization (since automatic synchronization using time servers is not done instantly).

Traffic shaping

Select Services from the menu bar at the top of the screen, then select Traffic shaping from the submenu on the left side of the screen.

The purpose of traffic shaping is to prioritize the IP traffic that is going through your firewall depending on the service. A typical application is to prioritize interactive services such as Secure Shell (SSH) or voice over IP (VoIP) over bulk traffic like downloads.

Traffic shaping per uplink

Click on the icons on the right side of the table to enable or disable traffic shaping for every single uplink. For traffic shaping to work properly it is also very important to specify the actual values for the down and up bandwidth for each uplink: click on the pencil icon (edit), then fill in the down and up bandwidth expressed in kbit per second.

Traffic shaping services

Add your traffic shaping rules: click on Create a service to add a new rule, specifying:

Enabled - check to enable (default)
Protocol - whether the service to be prioritized is a TCP or UDP service (example: SSH is a TCP service)
Priority - give a priority: "high", "medium" or "low"
Port - the destination port of the service to be prioritized (example: SSH uses port 22)

Click on Create service to save the settings and apply the new rule.

Spam Training

Select Services from the menu bar at the top of the screen, then select Spam Training from the submenu on the left side of the screen.

SpamAssassin can be configured to learn automatically which emails are spam mails and which are not (so called ham mails). To be able to learn, it needs to connect to an IMAP host and check pre-defined folders for spam and ham messages.

The default configuration is not used for training. All it does is provide default configuration values that are inherited by the real training sources which can be added below. By clicking on the Edit default configuration link a new pane appears where the default values can be set:

Default IMAP host - the IMAP host that contains the training folders
Default username - the login name for the IMAP host
Default password - the password of the user
Default ham folder - the name of the folder that contains only ham messages
Default spam folder - the name of the folder that contains only spam messages
Schedule an automatic spam filter training - the interval between checks. This can either be disabled or be an hourly, daily, weekly, or monthly interval. For exact information about the scheduled time you can move your mouse cursor over the question mark next to the chosen interval.

Spam training sources can be added in the section below. By clicking on the Add IMAP spam training source link a new pane appears. The options for the additional training hosts are similar to the default configuration options. The only thing that is missing is the scheduling. This will always be inherited from the default configuration.
Three additional options are available.

Enabled - if this box is ticked the training source will be used whenever spamassassin is trained
Remark - in this field it is possible to save a comment to remember the purpose of this source at a later time
Delete processed mails - if this box is ticked mails will be deleted after they have been processed

The other options can be defined just like in the default configuration. If they are defined they override the default values. To save a source it is necessary to click on the Update Training Source button after all desired values have been set.
A source can be tested, enabled, disabled, edited or removed by clicking on the appropriate icon in its row. The icons are explained in the legend at the bottom of the page.

It is also possible to check all connections by clicking on the Test all connections button. Note that this can take some time if many training sources have been defined or the connection to the IMAP servers is slow.
To start the training immediately, click the Start training now button. It is important to note that training can take a long time depending on the number of sources, the connection speed and, most importantly, the number of emails that will be downloaded.

You can also train the antispam engine manually if the SMTP Proxy is enabled for incoming as well as for outgoing mails.
This is done by sending spam mails to spam@spam.spam. Non-spam mails can be sent to ham@ham.ham.
For this to work it is necessary that spam.spam and ham.ham can be resolved. Typically this is achieved by adding these two hostnames to the host configuration in Network, Edit hosts, Add a host on your Endian Firewall.

Intrusion detection

Select Services from the menu bar at the top of the screen, then select Intrusion detection from the submenu on the left side of the screen.

Endian Firewall includes the well known intrusion detection (IDS) and prevention (IPS) system Snort. It is directly built into the IP-firewall (Snort inline). At this time no rules can be added through the web interface, hence Snort is usable only for advanced users that can load their own rules through the command line.
Functionality to manage rules from the web interface will be added in a future update.

High availability

Endian Firewall can be easily run in high availability (HA) mode. At least 2 Endian Firewall machines are required for HA mode: one assumes the role of the active (master) firewall while the others are standby (slave) firewalls.

If the master firewall fails, an election between the slaves will take place and one of them will be promoted to the new master, providing for transparent failover.

Master setup

To set up such a HA configuration, first set up the firewall that is going to be the master:

  1. Execute the setup wizard, filling in all needed information.

  2. Log into the administration web interface, select Services from the menu bar at the top of the screen, then select High availability from the submenu on the left side of the screen.

  3. Set Enable High Availability to Yes and set High Availability side to Master.

  4. At this point an extra panel appears where the master-specific settings can be configured:
    The Management network is the special subnet to which all Endian Firewalls that are part of a HA setup must be connected via the GREEN interface. The default is 192.168.177.0/24. Unless this subnet is already used for other purposes there is no need to change this.
    The Master IP Address is the first IP address of the management network.
    Next, there are some fields that you can fill in if you wish to be notified by email if a failover event takes place.
    Finally, click on Save, then Apply to activate the settings.

Slave setup

Set up the firewall that is going to be the slave:

  1. Execute the setup wizard, including the network wizard, filling in all needed information. It is not necessary to configure services etc., since this information will be synchronized from the master. However, it is necessary to register the slave with Endian Network.

  2. Log into the administration web interface, select Services from the menu bar at the top of the screen, then select High availability from the submenu on the left side of the screen.

  3. Set Enable High Availability to Yes and set High Availability side to Slave.

  4. At this point an extra panel appears where the slave-specific settings can be configured:
    Choose the management network option according to the settings on the master: either GREEN zone or a dedicated network port.
    Fill in the Master IP address (CIDR) field: 192.168.177.1/24 unless you choose a non-standard management network address for the master.
    Fill in the Master root password (the slave needs this to synchronize its configuration from the master).
    Finally, click on Save, then Apply to activate the settings.

At this point the slave cannot be reached anymore via its old IP address (factory default or previous GREEN address) since it is in standby mode. It is connected to the master only through the management network.

If you log in to the master again, on the HA page you can see a list of connected slaves. If you click on the Go to Management GUI link you can open the slave's administration web interface via the management network (routed via the master firewall).

Traffic Monitoring

Select Services from the menu bar at the top of the screen, then select Traffic Monitoring from the submenu on the left side of the screen.

Traffic monitoring is done by ntop and can be enabled or disabled by clicking on the main switch on this page. Once traffic monitoring is enabled a link to the monitoring administration interface appears in the lower section of the page. This administration interface is provided by ntop and includes detailed traffic statistics. ntop displays summaries as well as detailed information. The traffic can be analyzed by host, protocol, local network interface and many other types of information.
For detailed information about the ntop administration interface please have a look at About, Online Documentation on the ntop administration interface itself or visit the ntop documentation page.