IPCop firewall polices your neighborhood

Monday October 18, 2004 (08:00 AM GMT)

By: Rob Reilly

    A firewall acts like a virtual security guard for your network. Datacoming in over the Internet is checked at the gate (firewall), and if it's OK, the firewall passes itthrough to its destination (a machine on your network). If it's something bad,it's dropped on the spot, without any information going back to the sender.Every computer attached to the Internet should go through a firewall.

I've been happy using IPCop 1.3.0 for about a year. Version 1.4.0 has lotsof new features that make using a firewall even easier than before, such as:

• iptable network filters
• Support for four separate network cards:

     Green-- internal trusted network
     Blue -- wireless semi-trusted network (can beused as a second Green)
     Orange -- DMZ forInternet-aclearcase/" target="_blank" >ccessed servers
     Red -- the Internet connection

• DHCP client support on Red to receive an IP address from ISP
• DHCP server for Green and Blue
• NTP server and client for setting IPCop clock and supplying a common clock for internal Green and Blue networks
• Intrusion detection for all four networks
• Virtual private network (VPN) support
• Proxy support for both Web surfing and Domain Name Services
• Performance graphics for CPU, memory, and disk utilization and network throughput

The main enhancements over 1.3.0 include a new Web interface, more graphs,and support of wireless networks. Having a separate Wi-Fi leg makes sense,because while it isn't open to the Internet, a wireless network is open toanybody within range of your access point. Under 1.3.0 you'd have to wire youraccess point into your trusted (Green) or DMZ (Orange) network. Now you can put your access point on a separate network leg andhave an easier time tracking users and activity.

Installation

To get started, downloadthe ISO file and burn it on a CD. It won't take very long, since it's onlyabout 40MB in size.

Grab any old desktop machine with at least five open PCI or ISA slots. Istarted out with a 200MHz Pentium box with 64MB of memory and a combination of4 PCI and 3 ISA slots. I stuffed in three Intel PCI 10/100 network interfacecards (NIC), a Digital/Tulip PCI 10/100 NIC, and an old 2MB ISA video card. Youcould use ISA-based NICs too, but you'll limit traffic on your networks to10Mbps speeds. My box also had a CD reader and a 3GB IDE disk.

For the installation, I hooked up a keyboard, mouse, and monitor. Afterinstallation, those components are no longer needed, as you can make changesvia a Web browser or SSH into the firewall over the trusted (Green) network.You could even remove the video card and CD reader when you're done.

Loading IPCop couldn't be easier, because the developers have automatedjust about everything. Simply pop in the CD, boot up the machine, and followthe on-screen directions. The installation will re-partition and take over theentire disk, so make sure you want to do that before you continue.

The setup program will walk you through setting up your host name, networkconfiguration, passwords, and other settings. I set the firewall to use allfour NICs and assigned IP addresses according to the following table:

If you get a static IP address from your Internet provider, use that addressfor your Red interface and select Static instead of DHCP. Once you've gonethrough all the screens, you'll be able to reboot and use any Web browserconnected to the trusted (Green) network to manage the firewall.

Sorting out the networks

With four network cards, how do you tell which is which? Log in as root onthe IPCop console and type ifconfig. You'll see the normal output for theloopback (lo) and the four network cards device names from eth0 through eth3. Aquick and dirty way to identify the cards is to plug your active cable or DSLmodem Ethernet cable into the topmost NIC and rerun the ifconfig command. Lookdown the ifconfig listing and see which device changes the RX packet line. Run ifconfiga couple of times, just to make sure. Mark the card using a marker on the backof the PC with its corresponding device name (eth0, eth1, etc.). Mark the restof the NICs following the same procedure.

When you're done, unhook the modem cable right away. I logged a couple ofaccess attempts within the first couple of minutes of firewall operation. Youdon't want someone hacking into your firewall box because you forgot to unhookthe Internet cable from the trusted Green or Blue network leg.

Next, while still logged into the firewall console as root, perform thefollowing:

    #> cd /usr/local/sbin
    #> ./setup

Use the Tab and arrow keys to travel down the menu to select Networking.Move down and select Drivers and Card Assignments. Look at the list and you canfigure out that Green will probably correspond to eth0. In my case Blue waseth1, Orange eth2, and Red eth3. Go back up the menu structure to getback to your root prompt.

Now you can hook up your cables and rerun ifconfig to make sure theappropriate data is moving across each NIC. Power down the firewall (with shutdown-h now), remove the monitor, keyboard, and mouse, then power up the machineagain. You may have to power down the cable modem to get a new IP address ifyou're using a dynamic IP address from your ISP.

Web-based management

After the firewall reboots, take a look at the Web-based managementinterface. Use a browser connected to the Green network and go tohttp://192.168.2.1:81/, or use the Green IP address that you assigned and addthe :81/ port. You'll see a splash screen and login prompt. Enter"admin" and the admin password that you set during installation.

Now you can click through a tabbed interface to see the settings andinformation you need. Here's a description of some of the more useful tabs.

Status

The Status tab lets you keep track of what's going on inside your IPCopsystem. Some of the more useful menu items include system and network graphsand network status. The system graphs are useful for monitoring CPU and memoryusage, to make sure that your firewall can handle the data flow. If you'verecruited an old 300MHz Pentium II machine for your firewall, you can checkusage as you add users. Six months from now, when you've tripled your userbase, the system graph can tell you if you're maxed out and need a more powerfulmachine.

Likewise with the traffic graph. You can watch the amount of trafficflowing over each network leg. Naturally, you'd assume that the largest amountof traffic would flow over the trusted (Green) network. A large increase onyour wireless (Blue) network might mean that unauthorized users has found youraccess point.

Another screen you'll find useful is network status. Here you'll seenetwork interface information (much like the output of ifconfig), Red networkDHCP information, LAN-side DHCP clients, and routing table data.

Logs

You'll want to regularly look at the Firewall and IDS screens to find outwho is trying to break in and what kinds of threats are coming in over theInternet. If you click on the Summary menu item you'll see a nice compilationof all the IP addresses that have tried to access your firewall's ports, whatnetwork the probes came from, and how many times it's happened in the last 24hours (default). To track intrusion attempts on all four networks, click theenable boxes under the Services -> Intrusion Detection and click Save.

Wrapping up

I was impressed with IPCop 1.4.0. It was easy to install, easy toconfigure, and provides more status information than 1.3.0. The IPCop teambuilt a new Web GUI that's intuitive and functional. It also added welcomesupport for the fourth (wireless) network. I like having a semi-accessiblenetwork leg with logging capabilities.

An IPCop firewall can be an important network protection device for yourmedium-sized business or educational organization.

Rob Reilly is a technologyconsultant who specializes in helping clients communicate effectively. Many ofhis published articles are geared to the use of Linux, portable computing, andpresentation technology, especially as it relates to communication in business.Send him a note or visit his Web site at http://home.earthlink.net/~robreilly.

原文转自：http://www.ltesting.net