By: Rob Reilly
A firewall acts like a virtual security guard for your network. Data
coming in over the Internet is
I've been happy using IPCop 1.3.0 for about a year. Version 1.4.0 has lots
of new features that make using a firewall even easier than before, such as:
Green -- internal trusted network
Blue -- wireless semi-trusted network (can be used as a second Green)
Red -- the Internet connection
The main enhancements over 1.3.0 include a new Web interface, more graphs,
and support of wireless networks. Having a separate Wi-Fi leg makes sense,
because while it isn't open to the Internet, a wireless network is open to
anybody within range of your access point. Under 1.3.0 you'd have to wire your
access point into your trusted (Green) or DMZ (
Installation
To get started, download
the ISO file and burn it to a CD. The download won't take very long, since the
image is only about 40MB in size.
Grab any old desktop machine with at least five open PCI or ISA slots. I
started out with a 200MHz Pentium box with 64MB of memory and a combination of
4 PCI and 3 ISA slots. I stuffed in three Intel PCI 10/100 network interface
cards (NICs), a Digital/Tulip PCI 10/100 NIC, and an old 2MB ISA video card. You
could use ISA-based NICs too, but you'll limit traffic on your networks to
10Mbps speeds. My box also had a CD reader and a 3GB IDE disk.
For the installation, I hooked up a keyboard, mouse, and monitor. After
installation, those components are no longer needed, as you can make changes
via a Web browser or SSH into the firewall over the trusted (Green) network.
You could even remove the video card and CD reader when you're done.
Loading IPCop couldn't be easier, because the developers have automated
just about everything. Simply pop in the CD, boot up the machine, and follow
the on-screen directions. The installation will re-partition and take over the
entire disk, so make sure you want to do that before you continue.
The setup program will walk you through setting up your host name, network
configuration, passwords, and other settings. I set the firewall to use all
four NICs and assigned IP addresses according to the following table:
Network  | Color | IP address
Trusted  | Green | 192.168.2.1
DMZ-Web  |       | 192.168.3.1
Wireless | Blue  | 192.168.4.1
Internet | Red   | ISP-DHCP
If you get a static IP address from your Internet provider, use that address
for your Red interface and select Static instead of DHCP. Once you've gone
through all the screens, you'll be able to reboot and use any Web browser
connected to the trusted (Green) network to manage the firewall.
Sorting out the networks
With four network cards, how do you tell which is which? Log in as root on
the IPCop console and type ifconfig. You'll see the normal output for the
loopback (lo) and the four network cards, with device names eth0 through eth3. A
quick and dirty way to identify the cards is to plug the Ethernet cable from your
active cable or DSL modem into the topmost NIC and rerun the ifconfig command. Look
down the ifconfig listing and see which device's RX packets count changes. Run ifconfig
a couple of times, just to make sure. Using a marker, label the card on the back
of the PC with its corresponding device name (eth0, eth1, etc.). Identify and mark
the rest of the NICs the same way.
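Rather than eyeballing ifconfig output, you can let the firewall tell you which NIC a cable is on by diffing the RX packet counters between two snapshots of /proc/net/dev. The following shell script is an added example, not code from the article or from IPCop; it assumes the classic Linux /proc/net/dev layout (rx_packets is the second number after the colon) and, for the offline run, uses constructed snapshots in which only eth2 receives packets.

```shell
#!/bin/sh
# Added example, not part of the article or of IPCop: tell NICs apart by
# diffing the RX packet counters in /proc/net/dev instead of eyeballing
# ifconfig output. Assumes the classic Linux /proc/net/dev layout, where
# each interface line is "<name>:<rx_bytes> <rx_packets> ...".

# rx_counts TEXT: print "<iface> <rx_packets>" for every interface except lo.
rx_counts() {
    printf '%s\n' "$1" | awk '
        /:/ {
            split($0, a, ":")
            name = a[1]; gsub(/ /, "", name)
            if (name == "lo") next
            split(a[2], f, " ")
            print name, f[2]
        }'
}

# changed_ifaces BEFORE AFTER: print the interfaces whose RX packet count grew
# between the two snapshots; the cable you just plugged in is on that NIC.
changed_ifaces() {
    {
        rx_counts "$1" | sed 's/^/B /'
        rx_counts "$2" | sed 's/^/A /'
    } | awk '
        $1 == "B" { before[$2] = $3 }
        $1 == "A" && ($3 + 0) > (before[$2] + 0) { print $2 }'
}

# nic_activity [SECONDS]: live use on the firewall console. Take a snapshot,
# plug the cable in, wait, take another, and report which NIC saw packets.
nic_activity() {
    before=$(cat /proc/net/dev)
    sleep "${1:-5}"
    after=$(cat /proc/net/dev)
    changed_ifaces "$before" "$after"
}

# Constructed snapshots (not real captures) for an offline run: only eth2
# receives packets between the two, so it is the NIC the cable is plugged into.
SNAPSHOT_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     100       2    0    0    0     0          0         0      100       2    0    0    0     0       0          0
  eth0:    5000      40    0    0    0     0          0         0     3000      30    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0'
SNAPSHOT_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     160       3    0    0    0     0          0         0      160       3    0    0    0     0       0          0
  eth0:    5000      40    0    0    0     0          0         0     3000      30    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth2:    1200      18    0    0    0     0          0         0      640       6    0    0    0     0       0          0
  eth3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0'
```

On the console, run `nic_activity 5` right after plugging the modem cable into one NIC and it prints the device name that saw packets. Plug in one cable at a time, with the others unplugged, so that only the new interface shows a change; lo is excluded because it always carries local traffic.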
When you're done, unhook the modem cable right away. I logged a couple of
access attempts within the first couple of minutes of firewall operation. You
don't want someone hacking into your firewall box because you forgot to unhook
the Internet cable from the trusted Green or Blue network leg.
Next, while still logged into the firewall console as root, perform the
following:
#> cd /usr/local/sbin
#> ./setup
Use the Tab and arrow keys to travel down the menu to select Networking.
Move down and select Drivers and Card Assignments. Look at the list and you can
figure out that Green will probably correspond to eth0. In my case Blue was
eth1,
Now you can hook up your cables and rerun ifconfig to make sure the
appropriate data is moving across each NIC. Power down the firewall (with shutdown
-h now), remove the monitor, keyboard, and mouse, then power up the machine
again. You may have to power down the cable modem to get a new IP address if
you're using a dynamic IP address from your ISP.
Web-based management
After the firewall reboots, take a look at the Web-based management
interface. Use a browser connected to the Green network and go to
http://192.168.2.1:81/, or use the Green IP address that you assigned and add
the :81/ port. You'll see a splash screen and login prompt. Enter
"admin" and the admin password that you set during installation.
Now you can click through a tabbed interface to see the settings and
information you need. Here's a description of some of the more useful tabs.
Status
The Status tab lets you keep track of what's going on inside your IPCop
system. Some of the more useful menu items include system and network graphs
and network status. The system graphs are useful for monitoring CPU and memory
usage, to make sure that your firewall can handle the data flow. If you've
recruited an old 300MHz Pentium II machine for your firewall, you can check
usage as you add users. Six months from now, when you've tripled your user
base, the system graph can tell you if you're maxed out and need a more powerful
machine.
Likewise with the traffic graph. You can watch the amount of traffic
flowing over each network leg. Naturally, you'd expect the largest amount
of traffic to flow over the trusted (Green) network. A large increase on
your wireless (Blue) network might mean that unauthorized users have found your
access point.
Another screen you'll find useful is network status. Here you'll see
network interface information (much like the output of ifconfig), Red network
DHCP information, LAN-side DHCP clients, and routing table data.
Logs
You'll want to regularly look at the Firewall and IDS screens to find out
who is trying to break in and what kinds of threats are coming in over the
Internet. If you click on the Summary menu item you'll see a nice compilation
of all the IP addresses that have tried to access your firewall's ports, which
network the probes came from, and how many times it's happened in the last 24
hours (the default window). To track intrusion attempts on all four networks,
tick the enable boxes under Services -> Intrusion Detection and click Save.
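The Summary screen's tally of source addresses, inbound networks and ports can be reproduced from the raw netfilter log lines, which is handy when you are checking the firewall over SSH instead of through the Web interface. The following shell functions are an added example, not code from the article or from IPCop; they assume the standard netfilter LOG key=value format (IN= SRC= DST= PROTO= DPT= ...) as written to syslog, work on constructed log lines rather than a real capture, and treat eth3 as the Red interface, which is an assumption.

```shell
#!/bin/sh
# Added example, not part of the article or of IPCop: a command-line version
# of the Logs -> Firewall summary. Tallies netfilter LOG lines by source
# address, inbound interface and destination port. Assumes the standard
# netfilter LOG key=value format as written to syslog; which interface is
# Red (eth3 in the sample below) is an assumption.

# summarize_probes TEXT: one line per (SRC, IN, DPT) tuple, most frequent
# first, as "<count> <src> <iface> <dpt>". Entries with no DPT (ICMP) get "-".
summarize_probes() {
    printf '%s\n' "$1" | awk '
        /SRC=/ {
            src = ""; iface = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^IN=/)  iface = substr($i, 4)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " iface " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# probes_from_iface TEXT IFACE: restrict the summary to one network leg, e.g.
# Red only, or Blue to see who is poking at the firewall from the wireless side.
probes_from_iface() {
    summarize_probes "$1" | awk -v want="$2" '$3 == want'
}

# Constructed syslog excerpt (not a real capture) for an offline run: three SSH
# probes from one host, two to port 135 from another, one ping, and one
# unrelated kernel line that must be ignored.
SAMPLE_FW_LOG='Jan 10 03:14:07 ipcop kernel: INPUT IN=eth3 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:14:09 ipcop kernel: INPUT IN=eth3 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:14:12 ipcop kernel: INPUT IN=eth3 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 03:20:41 ipcop kernel: INPUT IN=eth3 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4711 DF PROTO=TCP SPT=3204 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 03:20:43 ipcop kernel: INPUT IN=eth3 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4712 DF PROTO=TCP SPT=3205 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 03:31:02 ipcop kernel: INPUT IN=eth3 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=22017 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=1
Jan 10 03:31:05 ipcop kernel: eth2: link up'
```

Feed it only the slice of the log you care about (for example, today's entries) to get the same 24-hour view as the Web interface, and use `probes_from_iface LOG eth1` style calls to see whether anything on the Blue leg is scanning the firewall rather than just using it as a gateway.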
Wrapping up
I was impressed with IPCop 1.4.0. It was easy to install, easy to
configure, and provides more status information than 1.3.0. The IPCop team
built a new Web GUI that's intuitive and functional. It also added welcome
support for the fourth (wireless) network. I like having a semi-accessible
network leg with logging capabilities.
An IPCop firewall can be an important network protection device for your
medium-sized business or educational organization.
Rob Reilly is a technology
consultant who specializes in helping clients communicate effectively. Many of
his published articles are geared to the use of Linux, portable computing, and
presentation technology, especially as it relates to communication in business.
Send him a note or visit his Web site at http://home.earthlink.net/~robreilly.