Installing and Setting up the Firewall, Part 2
By: Walter Metcalf
Date: 05/17/00
Components and Parameters
Last week we discussed the installation of
InJoy Firewall. This week we shall look at the configuration of the
various components of the Firewall. As a review, let us briefly list the components of the InJoy Firewall package
and the functions of each:
InJoy Firewall Design

| Firewall Component | Function |
| --- | --- |
| Rule Based Access Control | Closes unauthorized connections. |
| Network Address Translation (NAT) | Hides internal IP addresses. |
| Port & Address Redirection | Allows an outside server to directly access an internal IP address. |
| Packet Filter | Selectively discards TCP/IP packets as they flow through the filter. |
| Alerts/Accounting/Logging | Provide a complete system of communicating the Firewall activity to the Network/Firewall Administrator. |
Configuration
Unfortunately the order of the parameters as found in the configuration files does not always follow the
logical order shown above. Use the above table as a reference as we discuss and/or initialize the
parameters. I shall show you how to set up the relatively simple configuration I chose for my home LAN--one
good enough, however, that my LAN cannot even be detected by external servers. I'll elaborate more on that a
bit later.
- Gateway.cf_
  - Registration
    - When you have paid for the program and received the registration information from
      F/X Communications, copy and paste that information over the 4 lines below the line
      containing "[license]". Re-save the file as Gateway.cf.
  - Network Address Translation (NAT)
    To enable NAT, you must:
    - Enable "internal_net" and set it to the IP address of LAN1 (see page 1 of the TCP/IP
      notebook), with the last digit set to 0 instead of 1.
      - e.g. internal_net=192.168.1.0
    - Enable "netmask" and set it to the Subnet mask shown on page 1 of the TCP/IP notebook.
      - e.g. netmask=255.255.255.0
    - Disable "firewall_transparent". This forces the Firewall to work through the NAT
      engine, preventing unsolicited connections.
      - i.e. firewall_transparent=no
  - Fragmented Packets
    - Uncomment "fragment=yes" and "MTU=1500" under [hardware]. This allows the various firewall
      rules to operate on full packets.
  - IRC Clients
    - If you plan to run a chat client from one of the internal LAN clients, you need to enable the
      [identd] parameters and set the "userID" parameter. A server must also be started on the
      Gateway/Firewall PC. Refer to the documentation for more information.
- FIREWALL.CNF
  - The default (FIREWALL.CF) is acceptable. Re-save as FIREWALL.CNF.
- FIRERULE.CF is not used in my configuration.
- FILTER.CF_
  - The copy of this file in the .\FILTERS directory contains a variety of packet filter setups.
    After careful study, I decided the last one was perfect for my environment, and simply
    copied it to .\FILTERS\FILTER.CNF and turned it on. For the sake of discussion I have
    reproduced the text of the filter below.

        ALLOW-INCOMING-ACK Filter-Status = Passive,
                           Filter-Root = Yes,
                           Comment = "Allow ACK packets (reply tcp packets)",
                           Filter-Scope = Incoming-Packets,
                           Protocol = TCP,
                           Bit-Offset = TCP-Head-Start,
                           Bit-Number = ACK,
                           Bit-Value = 1,
                           Action = Forward-Packet,

        DENY-INCOMING-TCP  Filter-Status = Passive,
                           Filter-Root = Yes,
                           Comment = "Deny all incoming TCP",
                           Filter-Scope = Incoming-Packets,
                           Protocol = TCP,
                           Action = Drop-Packet,

  - Comments
    - The effect of this filter is to allow workstations on the LAN access to all
      possible servers, but to deny all incoming TCP packets. There is
      one exception: if the incoming packet has the ACK bit set, then it is considered
      a reply and will be allowed through.
    - To activate the filter, change the Filter-Status from "Passive" to "Offline"
      (without quotes).
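To make the behaviour of these two rules concrete, here is an added Python simulation (not from the article or from InJoy) that parses the filter text above in its "Key = Value," form and applies the rules, first match wins, to constructed packets. The symbolic flag names and the forward-by-default treatment of packets matched by no rule are assumptions of the simulator, not documented InJoy behaviour.

```python
import re
from collections import namedtuple

# Filter text as reproduced in the article: a rule name, then Key = Value lines.
FILTER_CNF = """\
ALLOW-INCOMING-ACK Filter-Status = Passive,
Filter-Root = Yes,
Comment = "Allow ACK packets (reply tcp packets)",
Filter-Scope = Incoming-Packets,
Protocol = TCP,
Bit-Offset = TCP-Head-Start,
Bit-Number = ACK,
Bit-Value = 1,
Action = Forward-Packet,
DENY-INCOMING-TCP Filter-Status = Passive,
Filter-Root = Yes,
Comment = "Deny all incoming TCP",
Filter-Scope = Incoming-Packets,
Protocol = TCP,
Action = Drop-Packet,
"""
RULE_START = re.compile(r"^([A-Z0-9-]+)\s+(\S.*)$")  # upper-case rule names only
KEY_VALUE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^",]*)"?\s*,?\s*$')

def parse_filters(text):
    """Return the rules in file order, each a dict of Key -> Value plus 'Name'."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        if m := RULE_START.match(line):          # a new rule begins on this line
            rules.append({"Name": m.group(1)})
            line = m.group(2)                     # remainder is the first Key = Value
        key, value = KEY_VALUE.match(line).groups()
        rules[-1][key] = value
    return rules

# Constructed packet model: incoming=True means arriving from the Internet side;
# tcp_flags holds symbolic TCP header flag names such as {"SYN", "ACK"} (assumption).
Packet = namedtuple("Packet", "incoming protocol tcp_flags", defaults=[frozenset()])

def decide(rules, pkt, default="Forward-Packet"):
    """First matching rule wins; 'default' for unmatched packets is this simulator's assumption."""
    for r in rules:
        scope_ok = r.get("Filter-Scope") != "Incoming-Packets" or pkt.incoming
        proto_ok = r.get("Protocol", pkt.protocol) == pkt.protocol
        # Bit-Offset/Bit-Number/Bit-Value test a single header flag bit.
        bit_ok = "Bit-Number" not in r or \
            (r["Bit-Number"] in pkt.tcp_flags) == (r["Bit-Value"] == "1")
        if scope_ok and proto_ok and bit_ok:
            return r["Action"]
    return default
```

A bare inbound SYN (a new connection attempt) is dropped while the SYN+ACK replying to a LAN-initiated connection is forwarded, but so is any inbound segment that merely has ACK set: the rule matches a header bit rather than tracking connections, which is the limit behind "considered a reply" above.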
- Tips
  - Start with the firewall configuration detailed here to make sure the
    InJoy Firewall as a whole is installed and working correctly. See below for
    testing instructions.
  - Next, read through the documentation and samples, and make adjustments where
    needed to better fit your situation. If you need more help you should join
    the InJoy mailing list, which is
    monitored by the author of InJoy Firewall in addition to a large number of
    highly experienced users.
Testing
- An Internet developer named Steve Gibson has put up a web site that allows you to test your
  firewall. It does a thorough and seemingly reliable job. In the process you can learn some
  interesting information about the different levels of site security and about how crackers
  attempt to break into Internet sites. (For the paranoid, Steve promises that if he is able to
  access your computer he will simply report the fact, and not attempt to read or write to your
  drive or computer!)
- Once you have configured the Firewall, start up the Gateway program, load a browser, and go to the URL
  https://grc.com/x/ne.dll?bh0bkyd2.
  Wait a minute for the page to load, then scroll down one page, and follow the on-screen
  instructions.
- For complete testing click on "Test my Shields" followed by "Probe my Ports". The entire process
  will take 5 to 10 minutes to run.
- If you have installed and configured InJoy Firewall correctly, all of the tests should return the
  "Stealth" status, which means there is no possible way for a remote server to tell that there is
  even a computer at the IP address you are currently running on. The on-screen text will give you
  more information.
- If you have specific problems, feel free to post them to me on the forum by clicking on TalkBack
  below.
Walter Metcalf

For Further Reading:
- Shields UP! Rich source of firewall and related server information. Also contains tests for the strength of your site's security and/or firewall.
- OS/2 Routes Part 2. This article and its successor give a good description of TCP packet transmission, and IP communication in general.

Next week: Connecting a Windows Workstation to the LAN

Unless otherwise noted, all content on this site is Copyright © 2004, VOICE