Installing and Setting up the Firewall, Part 2

By: Walter Metcalf
Date: 05/17/00

Components and Parameters

Last week we discussed the installation of InJoy Firewall. This week we shall look at the configuration of the various components of the Firewall. As a review, let us briefly list the components of the InJoy Firewall package and the functions of each:

InJoy Firewall Design

  Firewall Component                  Function
  Rule Based Access Control           Closes unauthorized connections.
  Network Address Translation (NAT)   Hides internal IP addresses.
  Port & Address Redirection          Allows an outside server to directly access an internal IP address.
  Packet Filter                       Selectively discards TCP/IP packets as they flow through the filter.
  Alerts/Accounting/Logging           Provide a complete system for communicating Firewall activity to the Network/Firewall Administrator.

Configuration

Unfortunately the order of the parameters as found in the configuration files does not always follow the logical order shown above. Use the table above as a reference as we discuss and/or initialize the parameters. I shall show you how to set up the relatively simple configuration I chose for my home LAN; it is good enough, however, that my LAN cannot even be detected by external servers. I'll elaborate more on that a bit later.

  1. Gateway.cf[_]

    1. Registration

      1. When you have paid for the program and received the registration information from F/X Communications, copy and paste the information over the 4 lines below the line containing "[license]". Re-save the file as Gateway.cf.

    2. Network Address Translation (NAT)

        To enable NAT, you must:

      1. Enable "internal_net" and set it to the IP address of LAN1 (see page 1 of the TCP/IP notebook), with the last octet set to 0 instead of 1.
        1. e.g. - internal_net=192.168.1.0

      2. Enable "netmask" and set it to the Subnet mask shown on page 1 of the TCP/IP notebook.
        1. e.g. - netmask=255.255.255.0

      3. Disable "firewall_transparent". This forces the Firewall to work through the NAT engine, preventing unsolicited connections.
        1. i.e. - firewall_transparent=no

    3. Fragmented Packets

      1. Uncomment "fragment=yes" and "MTU=1500" under [hardware]. This allows the various firewall rules to operate on full packets.

    4. IRC Clients

      1. If you plan to run a chat client from one of the internal LAN clients, then you need to enable the [identd] parameters and set the "userID" parameter. A server must also be started on the Gateway/Firewall PC. Refer to the documentation for more information.

  2. FIREWALL.CNF

      The default (FIREWALL.CF) is acceptable. Re-save as FIREWALL.CNF.

  3. FIRERULE.CF is not used in my configuration.

  4. FILTER.CF_

    1. The copy of this file in the .\FILTERS directory contains a variety of packet filter setups. After careful study, I decided the last one was perfect for my environment, and simply copied it to .\FILTERS\FILTER.CNF and turned it on. For the sake of discussion I have reproduced the text of the filter below.
        ALLOW-INCOMING-ACK   Filter-Status = Passive,
                             Filter-Root = Yes,
                             Comment = "Allow ACK packets (reply tcp packets)",
                             Filter-Scope = Incoming-Packets,
                             Protocol = TCP,
                             Bit-Offset = TCP-Head-Start,
                             Bit-Number = ACK,
                             Bit-Value = 1,
                             Action = Forward-Packet,

        DENY-INCOMING-TCP    Filter-Status = Passive,
                             Filter-Root = Yes,
                             Comment = "Deny all incoming TCP",
                             Filter-Scope = Incoming-Packets,
                             Protocol = TCP,
                             Action = Drop-Packet,

    2. Comments

      1. The effect of this filter is to allow workstations on the LAN access to all possible servers, but to deny all incoming TCP packets. There is one exception: if the incoming packet has the ACK bit set, then it is considered a reply and will be allowed through.

      2. To activate the filter, change the Filter-Status from "Passive" to "Offline" (without quotes).
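To make the behaviour of the two rules concrete, here is a small Python model, added for this article and not part of InJoy Firewall, that parses the filter text above and runs constructed sample packets through it. Top-down, first-match-wins evaluation and the mapping of Bit-Number = ACK to the ACK flag bit are assumptions of the example; note that the ACK rule is stateless, so it forwards any incoming TCP packet carrying the ACK bit, whether or not a LAN workstation started the conversation.

```python
import re

# Filter text from the article, compacted onto fewer lines (the format allows it)
# and with Filter-Status already changed from Passive to Offline as the article describes.
FILTER_CF = """
ALLOW-INCOMING-ACK  Filter-Status = Offline, Filter-Root = Yes,
    Comment = "Allow ACK packets (reply tcp packets)", Filter-Scope = Incoming-Packets,
    Protocol = TCP, Bit-Offset = TCP-Head-Start, Bit-Number = ACK, Bit-Value = 1,
    Action = Forward-Packet,

DENY-INCOMING-TCP  Filter-Status = Offline, Filter-Root = Yes, Comment = "Deny all incoming TCP",
    Filter-Scope = Incoming-Packets, Protocol = TCP, Action = Drop-Packet,
"""
# TCP flag bits in the header's flags byte (RFC 793 layout).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_filters(text):
    """Parse 'NAME Key = Value, ...' blocks separated by blank lines into dicts."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name, rest = block.strip().split(None, 1)
        pairs = re.findall(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)', rest)
        rule = {k: v.strip().strip('"') for k, v in pairs}
        rule["name"] = name
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    """Action of the first active rule matching pkt, or None (first-match is an assumption)."""
    for r in rules:
        if r.get("Filter-Status") == "Passive":          # not yet activated
            continue
        if r.get("Filter-Scope") == "Incoming-Packets" and pkt["direction"] != "in":
            continue
        if r.get("Protocol") != pkt["proto"]:
            continue
        if "Bit-Number" in r:                             # single-bit header test
            bit_set = 1 if pkt["flags"] & TCP_FLAG_BITS[r["Bit-Number"]] else 0
            if bit_set != int(r["Bit-Value"]):
                continue
        return r["Action"]
    return None

# Constructed sample traffic, not captured data.
PACKETS = {
    "unsolicited SYN to LAN": {"direction": "in", "proto": "TCP", "flags": 0x02},  # dropped
    "SYN/ACK reply to LAN":   {"direction": "in", "proto": "TCP", "flags": 0x12},  # forwarded
    "bare ACK, no handshake": {"direction": "in", "proto": "TCP", "flags": 0x10},  # forwarded: stateless
    "outbound SYN from LAN":  {"direction": "out", "proto": "TCP", "flags": 0x02}, # no rule matches
}
```

The bare-ACK case is why the NAT setting in Gateway.cf matters alongside the filter: the filter alone cannot tell a genuine reply from any other ACK-flagged packet.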

    3. Tips

      1. Start with the firewall configuration detailed here to make sure the InJoy Firewall as a whole is installed and working correctly. See below for testing instructions.

      2. Next, read through the documentation and samples, and make adjustments where needed to better fit your situation. If you need more help you should join the InJoy mailing list which is monitored by the author of InJoy Firewall in addition to a large number of highly experienced users.

Testing

  1. An Internet developer named Steve Gibson has put up a web site that allows you to test your firewall. It does a thorough and seemingly reliable job. In the process you can learn some interesting information about the different levels of site security and about how crackers attempt to break into Internet sites. (For the paranoid, Steve promises that if he is able to access your computer he will simply report the fact, and not attempt to read or write to your drive or computer!)

  2. Once you have configured the Firewall, start up the Gateway program, load a browser, and go to the URL https://grc.com/x/ne.dll?bh0bkyd2. Wait a minute for the page to load, then scroll down one page, and follow the on-screen instructions.

  3. For complete testing click on "Test my Shields" followed by "Probe my Ports". The entire process will take 5 to 10 minutes to run.

  4. If you have installed and configured InJoy Firewall correctly, all of the tests should return the "Stealth" status, which means there is no possible way for a remote server to tell that there is even a computer at the IP address you are currently running on. The on-screen text will give you more information.

  5. If you have specific problems, feel free to post them to me on the forum by clicking on TalkBack below.

Walter Metcalf

For Further Reading:

  1. Shields UP!
    Rich source of firewall and related server information. Also contains tests for the strength of your site's security and/or firewall.

  2. OS/2 Routes Part 2
    This article and its successor give a good description of TCP packet transmission, and IP communication in general.

Next week: Connecting a Windows Workstation to the LAN


Unless otherwise noted, all content on this site is Copyright © 2004, VOICE