Endian Firewall Reference Manual r. 2.2.1.9

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Chapter 1: The System Menu

Select System from the menu bar at the top of the screen.

The following links will appear in a submenu on the left side of the screen. They allow for basic administration and monitoring of your Endian Firewall.

Each link will be explained individually in the following sections.

Home

Select System from the menu bar at the top of the screen, then select Home from the submenu on the left side of the screen.

This page displays an overview of the uplink connection(s) and general system health.

A table is displayed, detailing the connection status of each uplink. Usually you will see just a single uplink called main, since it is the primary uplink. Of particular interest is the status field of the individual uplink:

Stopped - The uplink is not connected.
Connecting - The uplink is currently connecting.
Connected - The uplink is connected and fully operational.
Disconnecting - The uplink is currently disconnecting. Endian Firewall keeps pinging the gateway and announces when it becomes available.
Failure - There was a failure while connecting the uplink.
Failure, reconnecting - There was a failure while connecting to the uplink. Endian Firewall is trying again.
Dead link - The uplink is connected, but the hosts that were defined in Network, Interfaces to check the connection could not be reached. Essentially this means that the uplink is not operational.

Each uplink can be operated in either managed mode (default) or manual mode. In managed mode Endian Firewall monitors and restarts the uplink automatically when needed. If managed mode is disabled, the uplink can be activated or deactivated manually. There will be no automatic reconnection attempt if the connection is lost.

Finally, after the uplink table, you can find a system health line, which looks similar to the following example:

 efw-1203950372.localdomain - 13:45:49 up 1 min, 0 users, load average: 4.84, 1.89, 0.68

This is essentially the output of the Linux uptime command. It shows the hostname, the current time, the days/hours/minutes that Endian Firewall has been running since its last reboot, the number of console logins and the load averages for the past 1, 5 and 15 minutes.
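The system health line is worth parsing rather than just reading, because its fields (recent reboot, unexpected console logins, sustained load above the CPU count) are exactly the things an administrator checks when deciding whether the box is healthy. The following Python is an added example and is not part of Endian Firewall or this manual; the two sample lines are constructed to match the format shown above, and the thresholds used in health_warnings are assumptions chosen for illustration.

```python
import re

# Constructed sample lines in the format of the system health line shown
# above (hostname - HH:MM:SS up <duration>, N users, load average: a, b, c).
# These are not captured from a real system.
SAMPLE_LINES = [
    "efw-1203950372.localdomain - 13:45:49 up 1 min, 0 users, load average: 4.84, 1.89, 0.68",
    "efw-1203950372.localdomain - 09:12:03 up 12 days, 3:07, 1 user, load average: 0.12, 0.15, 0.10",
]

# The uptime field is matched lazily so that "12 days, 3:07" is kept whole
# and the ", N user(s)" part is still recognised afterwards.
HEALTH_RE = re.compile(
    r"^(?P<host>\S+) - (?P<time>\d{2}:\d{2}:\d{2}) up (?P<uptime>.+?), "
    r"(?P<users>\d+) users?, load average: "
    r"(?P<l1>[\d.]+), (?P<l5>[\d.]+), (?P<l15>[\d.]+)$"
)


def parse_health_line(line):
    """Split one system health line into its named fields."""
    m = HEALTH_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised system health line: %r" % line)
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "uptime": m.group("uptime"),
        "users": int(m.group("users")),
        "load": (float(m.group("l1")), float(m.group("l5")), float(m.group("l15"))),
    }


def uptime_minutes(uptime):
    """Convert the 'up ...' field into whole minutes.

    Handles the forms uptime(1) prints: '1 min', '3:07' (hours:minutes),
    '12 days, 3:07' and '2 days, 5 min'.
    """
    total = 0
    for part in [p.strip() for p in uptime.split(",")]:
        if part.endswith("min"):
            total += int(part.split()[0])
        elif "day" in part:
            total += int(part.split()[0]) * 24 * 60
        elif ":" in part:
            hours, minutes = part.split(":")
            total += int(hours) * 60 + int(minutes)
        else:
            raise ValueError("unrecognised uptime component: %r" % part)
    return total


def health_warnings(info, cpus=1, recent_reboot_minutes=5):
    """Return a list of human-readable warnings for a parsed health line.

    The thresholds are assumptions for this example: a 5-minute load average
    above the CPU count, any active console login on a firewall that normally
    has none, and an uptime shorter than recent_reboot_minutes.
    """
    warnings = []
    l1, l5, l15 = info["load"]
    if l5 > cpus:
        warnings.append("5-minute load %.2f exceeds CPU count %d" % (l5, cpus))
    if info["users"] > 0:
        warnings.append("%d console login(s) active" % info["users"])
    if uptime_minutes(info["uptime"]) < recent_reboot_minutes:
        warnings.append("system rebooted less than %d minutes ago" % recent_reboot_minutes)
    return warnings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = parse_health_line(line)
        print(info["host"], info["uptime"], health_warnings(info) or "OK")
```

The first sample line (the one from the manual) is reported as both recently rebooted and heavily loaded, which is what you would expect one minute after boot while services are still starting; the second is flagged only for the active console login.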

Network configuration

Select System from the menu bar at the top of the screen, then select Network configuration from the submenu on the left side of the screen.

Network and interface configuration is fast and easy with the wizard provided in this section. The wizard is divided into steps: you can navigate back and forth using the <<< and >>> buttons. You can freely navigate all steps and cancel your actions at any moment. Only in the last step will you be asked to confirm the new settings. If you confirm, the new settings will be applied. This might take some time, during which the web interface might not respond.

Following is a detailed list of each wizard step.

Choose type of RED interface

When Endian Firewall was installed, the trusted network interface (called the GREEN interface) has already been chosen and set up.

This screen allows you to choose the untrusted network interface (called the RED interface): the one that connects your Endian Firewall to the "outside" (typically the uplink to your internet provider). Endian Firewall supports the following types of RED interfaces:

ETHERNET STATIC - You want to operate an Ethernet adapter and you need to setup network information (IP address and netmask) manually. This is typically the case when you connect your RED interface to a simple router using an Ethernet crossover cable.
ETHERNET DHCP - You want to operate an Ethernet adapter that gets network information through DHCP. This is typically the case when you connect your RED interface to a cable modem/router or ADSL/ISDN router using an Ethernet crossover cable.
PPPoE - You want to operate an Ethernet adapter that is connected via an Ethernet crossover cable to an ADSL modem. Note that this option is only needed if your modem uses bridging mode and requires your firewall to use PPPoE to connect to your provider. Take care not to confuse this option with the ETHERNET STATIC or ETHERNET DHCP options used to connect to ADSL routers that handle the PPPoE themselves.
ADSL (USB, PCI) - You want to operate an ADSL modem (USB or PCI devices).
ISDN - You want to operate an ISDN adapter.
ANALOG/UMTS Modem - You want to operate an analog (dial-up) or UMTS (cell-phone) modem.
GATEWAY - Your Endian Firewall has no RED interface. This is unusual since a firewall normally needs to have two interfaces at least - for some scenarios this does make sense though. One example would be if you want to use only a specific service of the firewall. Another, more sophisticated example is an Endian Firewall whose BLUE zone is connected through a VPN to the GREEN interface of a second Endian Firewall. The second firewall's GREEN IP address can then be used as a backup uplink on the first firewall. If you choose this option, you will need to configure a default gateway later on.

Choose network zones

Endian Firewall borrows IPCop's idea of different zones. At this point you've already encountered the two most important zones:

GREEN - is the trusted network segment.
RED - is the untrusted network segment.

This step allows you to add one or two additional zones, provided you have enough interfaces. Available zones are:

ORANGE - is the demilitarized zone (DMZ). If you host servers, it is wise to connect them to a different network than your GREEN network. If an attacker manages to break into one of your servers, he or she is trapped within the DMZ and cannot gain sensitive information from local machines in your GREEN zone.
BLUE - is the wireless zone (WLAN). You can attach a hotspot or WiFi access point to an interface assigned to this zone. Wireless networks are often not secure - so the purpose is to trap all wirelessly connected machines into their own zone without access to any other zone except RED (by default).

Note that one network interface is reserved for the GREEN zone. Another one may already be assigned to the RED zone if you have selected a RED interface type that requires a network card. This might limit your choices here to the point that you cannot choose an ORANGE or BLUE zone due to lack of additional network interfaces.

Network Preferences

This step allows you to configure the GREEN zone and any additional zone you might have set up in the previous step (ORANGE or BLUE).

Each zone is configured in its own section with the following options:

IP address - Specify one IP address (such as 192.168.0.1). Pay attention not to use addresses that are already in use in your network. You need to be particularly careful when configuring the interfaces in the GREEN zone to avoid locking yourself out of the web interface! If you change IP addresses of an Endian Firewall in a production environment, you might need to adjust settings elsewhere, for example the HTTP proxy configuration in web browsers.
Network mask - Specify the CIDR / network mask from a selection of possible masks (such as /24 - 255.255.255.0). It is important to use the same mask for all devices on the same subnet.
Additional addresses - You can add additional IP addresses from different subnets to the interface here.
Interfaces - Map the interfaces to zones. Each interface can be mapped to only one zone and each zone must have at least one interface. However, you might assign more than one interface to a zone. In this case these interfaces are bridged together and act as if they were part of a switch.
All shown interfaces are labeled with their PCI identification number, the device description as returned by lspci and their MAC addresses. A symbol shows the current link status: a tickmark shows that the link is active, an X means there is no link and a question mark will tell you that the driver does not provide this information.

Note that Endian Firewall internally handles all zones as bridges, regardless of the number of assigned interfaces. Therefore the Linux name of the interfaces is brX, not ethX.

Additionally, the system's host and domain name can be set at the bottom of the screen.

You need to use IP addresses in different network segments for each interface, for example:

IP = 192.168.0.1, network mask = /24 - 255.255.255.0 for GREEN
IP = 192.168.10.1, network mask = /24 - 255.255.255.0 for ORANGE
IP = 10.0.0.1, network mask = /24 - 255.255.255.0 for BLUE

It is suggested to follow the standards described in RFC 1918 and use only IP addresses contained in the networks reserved for private use by the Internet Assigned Numbers Authority (IANA):

10.0.0.0 - 10.255.255.255 (10.0.0.0/8), 16,777,216 addresses
172.16.0.0 - 172.31.255.255 (172.16.0.0/12), 1,048,576 addresses
192.168.0.0 - 192.168.255.255 (192.168.0.0/16), 65,536 addresses

The first and the last IP address of a network segment are the network address and the broadcast address respectively and must not be assigned to any device.
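The three rules just stated (private addresses only, a distinct subnet per zone, and never the network or broadcast address) are easy to get wrong when typing addresses into the wizard, and a mistake on GREEN locks you out of the web interface. The following Python is an added example, not part of Endian Firewall, that checks a proposed zone layout against those rules before you commit it; the ZONES dictionary uses the sample values from this manual, and the second, deliberately wrong layout in the usage block is constructed.

```python
import ipaddress

# The RFC 1918 private ranges reserved by IANA, as listed above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Proposed zone layout: zone name -> (interface address, prefix length).
# These are the example values given in the manual.
ZONES = {
    "GREEN": ("192.168.0.1", 24),
    "ORANGE": ("192.168.10.1", 24),
    "BLUE": ("10.0.0.1", 24),
}


def check_zone_addresses(zones):
    """Return a list of problems with the layout; an empty list means it is acceptable.

    Checks: every address is RFC 1918 private, no address is the network or
    broadcast address of its subnet, and no two zones share or overlap a subnet.
    """
    problems = []
    networks = {}
    for zone, (ip, prefix) in zones.items():
        iface = ipaddress.ip_interface("%s/%d" % (ip, prefix))
        addr, net = iface.ip, iface.network
        if not any(addr in r for r in RFC1918):
            problems.append("%s: %s is not an RFC 1918 private address" % (zone, addr))
        if addr == net.network_address:
            problems.append("%s: %s is the network address of %s" % (zone, addr, net))
        if addr == net.broadcast_address:
            problems.append("%s: %s is the broadcast address of %s" % (zone, addr, net))
        networks[zone] = net
    # Every zone must be a separate network segment: pairwise overlap check.
    names = list(networks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                problems.append("%s and %s are not separate segments: %s overlaps %s"
                                % (a, b, networks[a], networks[b]))
    return problems


if __name__ == "__main__":
    print("manual example:", check_zone_addresses(ZONES) or "OK")
    # Constructed bad layout: GREEN uses the network address, ORANGE shares
    # GREEN's subnet and BLUE uses a public address.
    bad = {"GREEN": ("192.168.0.0", 24), "ORANGE": ("192.168.0.200", 24), "BLUE": ("8.8.8.8", 24)}
    for p in check_zone_addresses(bad):
        print("problem:", p)
```

The overlap test uses the subnets rather than just comparing addresses, so it also catches the subtler case of a /16 GREEN zone swallowing a /24 ORANGE zone. What it cannot check offline is the manual's other warning, that an address is already in use on the wire.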

Internet access preferences

This step allows you to configure the RED interface, that connects to the internet or any other untrusted network outside Endian Firewall.

You will find different configuration options on this page, depending on the type of the RED interface you have chosen earlier. Some interface types require more configuration steps than others. Below is a description of the configuration for each type.

ETHERNET STATIC - You need to enter the IP address and network mask of the RED interface, as well as the IP address of your default gateway - that is, the IP address of the gateway that connects your Endian Firewall to the internet or another untrusted network. Optionally, you can also specify the MTU (maximum transmission unit) and the Ethernet hardware address (MAC address) of the interface - usually this is not needed.
ETHERNET DHCP - You just need to specify whether you want DHCP to set the IP address of the DNS (domain name server) automatically or you want to set it manually.
PPPoE - You need to enter the username and password assigned to you by your provider, the authentication method (if you do not know whether PAP or CHAP applies, keep the default PAP or CHAP) and whether you want the IP address of the DNS (domain name server) to be assigned automatically or you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) and your provider's service and concentrator name - usually this is not needed.
ADSL (USB, PCI) - There are 3 sub-screens for this choice.
First you need to select the appropriate driver for your modem.
Then you need to select the ADSL type: PPPoA, PPPoE, RFC 1483 static IP or RFC 1483 DHCP.
Next, you need to provide some of the following settings (depending on the ADSL type, some fields may not be available): the VPI/VCI numbers as well as the encapsulation type; the username and password assigned to you by your provider and the authentication method (if you don't know whether PAP or CHAP applies, use the default PAP or CHAP); the IP address and network mask of the RED interface, as well as the IP address of your default gateway (RFC 1483 static IP only); whether you want the IP address of the DNS (domain name server) to be assigned automatically or you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) - usually this is not needed.
ISDN - You need to select your modem driver, phone numbers (your provider's number and the number used to dial out), as well as the username and password that have been assigned to you by your provider and the authentication method (if you don't know whether PAP or CHAP applies, use the default PAP or CHAP). Also specify whether you want the IP address of the DNS (domain name server) to be assigned automatically or you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) - usually this is not needed.
ANALOG/UMTS Modem - There are 2 sub-screens for this choice.
First you need to specify the serial port your modem is connected to and whether it is a simple analog modem or a UMTS/HSDPA modem. Note that /dev/ttyS0 is normally used as serial console and is therefore not available for modems.
Next you need to specify the modem's bit-rate, the dial-up phone number or access point name, the username and password that have been assigned to you by your provider and the authentication method (if you don't know whether PAP or CHAP applies, use the default PAP or CHAP). Also specify whether you want the IP address of the DNS (domain name server) to be assigned automatically or you want to set it manually. For UMTS modems it is also necessary to specify the access point name. Optionally, you can also specify the MTU (maximum transmission unit) - usually this is not needed.
Please read the note below for problems with modems.
GATEWAY - You just need to specify the IP address of your default gateway - that is, the IP address of the gateway that connects your Endian Firewall to the internet or another untrusted network.

Some modern UMTS modems are USB mass storage devices as well. These modems usually register two devices (e.g. /dev/ttyUSB0, /dev/ttyUSB1). In this case the second device is the modem. This type of modem can cause problems when restarting the firewall because the firewall tries to boot from the USB mass storage device.

SIM cards that require a personal identification number (PIN) are not supported by Endian Firewall.

Configure DNS resolver

This step allows you to define up to two addresses for DNS (domain name server), unless they are assigned automatically. If only one nameserver is to be used, it is necessary to enter the same IP address twice. The IP addresses that are entered must be reachable from this interface.

Apply configuration

This last step asks you to confirm the new settings.

Click the OK, apply configuration button to go ahead. Once you have done this, the network wizard will write all configuration files to disk, reconfigure all necessary devices and restart all dependent services. This may take up to 20 seconds, during which you may not be able to connect to the administration interface and for a short time no connections through the firewall are possible.

The administration interface will then reload automatically. If you have changed the IP address of the GREEN zone's interface, you will be redirected to the new IP address. In this case and/or if you have changed the hostname a new SSL certificate will be generated.

Support

Select System from the menu bar at the top of the screen, then select Support from the submenu on the left side of the screen.

A support request can be created directly from this screen. Fill in all necessary information and submit your request. A member of the Endian support team will contact you as soon as possible. Please provide a detailed problem description in order to help the support team to resolve the issue as quickly as possible.

Optionally, you can grant access to your firewall via SSH (secure shell). This is a secure, encrypted connection that allows support staff to log in to your Endian Firewall to verify settings, etc. This option is disabled by default. When enabled, the support team's public SSH key is copied to your system and access is granted via that key. Your root password is never disclosed in any way.

Endian Network

Select System from the menu bar at the top of the screen, then select Endian Network from the submenu on the left side of the screen.

Your Endian Firewall can connect to Endian Network (EN). Endian Network allows for easy and centralized monitoring, managing and upgrading of all your Endian Firewall systems with just a few clicks.

This screen contains three tabs.

The Subscriptions tab shows a summary of your Endian Network support status. The last section lists your activation keys. You need at least one valid activation key (not expired) to receive updates from and participate in Endian Network. There is a key for each support channel (typically just one).
If the firewall has not yet been registered the registration form is shown.

The Remote Access tab allows you to specify whether your Endian Firewall can be reached through Endian Network at all, and if so, through which protocol: HTTPS means the web interface can be reached through Endian Network and SSH means it is possible to log in via secure shell through Endian Network.

The Updates tab displays and controls the update status of your system. There are three sections.

Firstly, pressing the Check for new updates! button will access your support channels looking for new updates. If any updates are found they will be listed (updates are distributed as RPM packages). Pressing the Start update process NOW! button will install all updated packages.

Secondly - to save you some time - the system retrieves the update list automatically. You may choose the interval to be hourly, daily, weekly (the default) or monthly - do not forget to click on Save to save the settings.

Thirdly, by pressing Update signatures now you can update the ClamAV antivirus signatures. This works only if ClamAV is in use, for example in combination with the email or HTTP proxy.

Passwords

Select System from the menu bar at the top of the screen, then select Passwords from the submenu on the left side of the screen.

You can change one password at a time here. Specify each new password twice and press Save. The following users are available:

Admin - the user that can connect to the web interface for administration.
Root - the user that can log in to the shell for administration. Logins can be made locally at the console, through the serial console or remotely via SSH (secure shell) if it has been activated.
Dial - the Endian Firewall client user.

SSH access

Select System from the menu bar at the top of the screen, then select SSH access from the submenu on the left side of the screen.

This screen allows you to enable remote SSH (secure shell) access to your Endian Firewall. This is disabled by default, which is the recommended setting.
SSH access is always on when one of the following is true:

Some SSH options can be set:

SSH protocol version 1 - This is only needed for old SSH clients that do not support newer versions of the SSH protocol. This is strongly discouraged since there are known vulnerabilities in SSH protocol version 1. You should rather upgrade your SSH clients to version 2, if possible.
TCP forwarding - Check this if you need to tunnel other protocols through SSH. See the note below for a use case example.
password authentication - Permit logins through password authentication.
public key authentication - Permit logins through public keys. The public keys must be added to /root/.ssh/authorized_keys.

Finally there is a section detailing the public SSH keys of this Endian Firewall that have been generated during the first boot process.
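The four options above correspond to sshd_config keywords (Protocol, AllowTcpForwarding, PasswordAuthentication, PubkeyAuthentication), and the safe combination is the one the text recommends: protocol 2 only, forwarding off unless you actually need a tunnel, keys in /root/.ssh/authorized_keys instead of passwords. The Python below is an added example, not part of Endian Firewall, that parses a sshd_config fragment the way sshd does (first occurrence of a keyword wins, # starts a comment) and reports which of these options are set to the weaker value. Both configuration fragments are constructed, and the defaults assumed for absent keywords are those of OpenSSH as noted in the comments.

```python
# Constructed sshd_config fragments for this example: the weakest choices
# of the options above, and the hardened equivalent. Neither was taken
# from an Endian Firewall installation.
WEAK_CONFIG = """\
# constructed example: everything the manual discourages is switched on
Protocol 2,1
AllowTcpForwarding yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed example: protocol 2 only, keys only, no tunnelling
Protocol 2
AllowTcpForwarding no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Values assumed when a keyword is absent (OpenSSH defaults as assumed
# for this example; check sshd_config(5) for the version you run).
DEFAULTS = {
    "protocol": "2",
    "allowtcpforwarding": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Map lower-cased keywords to values. Like sshd, the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text, tunnelling_needed=False):
    """Return findings for the four options the SSH access screen exposes.

    tunnelling_needed=True declares that TCP forwarding is intentionally on
    (for example for the telnet tunnel described in the note below).
    """
    s = dict(DEFAULTS)
    s.update(parse_sshd_config(text))
    findings = []
    protocols = {p.strip() for p in s["protocol"].split(",")}
    if "1" in protocols:
        findings.append("SSH protocol version 1 is enabled; set 'Protocol 2'")
    if s["allowtcpforwarding"].lower() != "no" and not tunnelling_needed:
        findings.append("TCP forwarding is enabled without a declared tunnel use case; set 'AllowTcpForwarding no'")
    if s["passwordauthentication"].lower() != "no":
        findings.append("password authentication is enabled; use keys in /root/.ssh/authorized_keys and set 'PasswordAuthentication no'")
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("public key authentication is disabled; set 'PubkeyAuthentication yes'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sshd_config(cfg) or "no findings")
```

Run against the weak fragment the audit lists three findings; with tunnelling_needed=True the forwarding finding disappears, matching the manual's advice that TCP forwarding is acceptable when you have a concrete tunnel use case. The hardened fragment produces no findings.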

Assume you have a service such as telnet (or any other service that can be tunneled through SSH) on a computer inside your GREEN zone, say port 23 on host 10.0.0.20.

This is how you can setup a SSH tunnel through your Endian Firewall to access the service securely from outside your LAN.

1. Enable SSH and make sure it can be accessed (see Firewall, System access).

2. From an external system connect to your Endian Firewall using

    ssh -N -f -L 12345:10.0.0.20:23 root@endian_firewall

where -N tells SSH not to execute commands, but just to forward traffic, -f runs SSH in the background and -L 12345:10.0.0.20:23 maps the external system's port 12345 to port 23 on 10.0.0.20 as it can be seen from your Endian Firewall.

3. The SSH tunnel from port 12345 of the external system to port 23 on host 10.0.0.20 is now established. In this example you can now telnet to port 12345 on localhost to reach 10.0.0.20.

GUI settings

Select System from the menu bar at the top of the screen, then select GUI settings from the submenu on the left side of the screen.
In the community release it is also possible to click on the Help translating this project link which will open the Endian Firewall translation page. Any help is appreciated.

Two options regarding the web interface can be set in this screen: whether to display the hostname in the browser window title and the language of the web interface (English, German and Italian are currently supported).

Backup

Select System from the menu bar at the top of the screen, then select Backup from the submenu on the left side of the screen.

In this section you can create backups of your Endian Firewall configuration and restore the system to one of these backups when needed. Backups can be saved locally on the Endian Firewall host, to a USB stick or downloaded to your computer. It is also possible to reset the configuration to factory defaults and to create fully automated backups.

Backup sets

By clicking on the Create new Backup button a dialog opens up where you can configure the new system snapshot:

configuration - includes all configurations and settings you have made, that is the content of the directory /var/efw.
database dumps - includes a database dump, which for example includes hotspot accounting information.
log files - includes the current log files.
log archives - includes older log files; backups with this option checked will get very big after some time.
remark - an additional comment can be added here.

Click on the Create new Backup button again to go ahead and create the backup.

Following is the list of available backups (initially empty): you can choose to download them, delete them or restore them by clicking on the appropriate icon in this list. Each backup is annotated with zero or more of the following flags:

S - Settings. The backup contains your configurations and settings.
D - Database. The backup contains a database dump.
E - Encrypted. The backup file is encrypted.
L - Log files. The backup contains log files.
A - Archive. The backup contains older log files.
! - Error! The backup file is corrupt.
C - Created automatically. The backup has been created automatically by a scheduled backup job.
U - This backup has been saved to a USB stick.

Encrypt backup

You can provide a GPG public key that will be used to encrypt all backups. Select your public key by clicking on the Browse button and then choosing the key file from your local file system. Make sure Encrypt backup archives is checked. Confirm and upload the key file by clicking Save.

Import Backup files

You can upload a previously downloaded backup. Select your backup by clicking on the Browse button and then choosing the backup file from your local file system. Fill in the Remark field in order to name the backup and upload it by clicking Save.
It is not possible to import encrypted backups. You must decrypt such backups before uploading them.

The backup appears in the backup list above. You can now choose to restore it by clicking on the restore icon.

Reset to factory defaults

Clicking the Factory defaults button allows you to reset the configuration of your Endian Firewall to factory defaults and reboot the system immediately after. A backup of the old settings is saved automatically.

Scheduled backups

Select the Scheduled backups tab if you wish to enable and configure automated backups.

First, enable and configure automatic backups. You can choose what should be part of the backup: the configuration, database dumps, log files and old log files as seen in the Backup Sets section. You can also choose how many backups you want to keep (2-10) and the interval between backups (hourly, daily, weekly or monthly). When you're done click the Save button.

Next, you can tell the system whether or not you want backups emailed to you. If you wish to receive backups by email you can enable this feature and select the email address of the recipient. You can then Save the settings. There is also a Send a backup now button that will save the settings and try to send an email with the backup immediately, so you can test the system. Optionally you can also provide a sender email address (this must be done if your domain or hostname is not resolvable by your DNS) and the address of a smarthost to be used (in case you want all outgoing email to go through your company's SMTP server, rather than be sent directly by your Endian Firewall). If the SMTP proxy is disabled it is absolutely necessary to add a smarthost to be able to send emails.

Shutdown

Select System from the menu bar at the top of the screen, then select Shutdown from the submenu on the left side of the screen.

In this screen you can shut down or reboot your Endian Firewall by clicking the Shutdown or the Reboot button respectively.

Credits

Select System from the menu bar at the top of the screen, then select Credits from the submenu on the left side of the screen.

This screen displays the list of people that brought Endian Firewall to you.