Setting up Mandrake 10.1 as a Firewall 2

Configuration Using the Web Interface
Once installation is complete and you have the httpd2-naat service running, you can log into your firewall remotely with a web browser. The address to use is:

https://IPADDRESS:8443/ - for example https://10.0.0.10:8443/

If you run into a "connection refused" or similar error, the cause is that Shorewall is enabled but not yet configured, so it is blocking the connection. To fix this, type the following at the firewall computer:

shorewall clear

Note: While you set up the firewall, the software will automatically restart Shorewall at some steps. Until Shorewall is properly configured, you may need to run "shorewall clear" whenever you find that you cannot reach the web interface. Bear in mind that "shorewall clear" removes every firewall rule and leaves the machine fully open until Shorewall is started again, so do this only while the Internet connection is not yet live or the machine is otherwise protected, and do not leave it in that state longer than you need to.

System Setup
To begin configuring your firewall, enter the System Setup section; it will have you click Next to read the current settings. These scripts are a little outdated, so you will probably start with an empty slate; just click "Apply". Again, if you get a connection refused error or similar, run "shorewall clear" at the firewall to reconnect.

Continuing setup, go back into the "System Setup" section, click Modify, and re-enter the system name and domain name you will use. Then click "Network Cards" and ensure that all of your network cards are detected and the basic settings are correct.

Continuing down the System Setup section, the Account section lets you change your password, the Alert section lets you change the system's log level, and Time lets you change the time zone and specify an NTP server to sync the time with. You will want to rerun the Time setup after you configure your Internet settings and Shorewall, so that the firewall can actually reach the time server.

Internet Settings
The Internet Access section lets you configure how your firewall accesses the Internet and the settings required to connect. Most firewalls will use the Cable/LAN settings to connect, so click on it and fill in the fields for your Internet connection; otherwise select the proper connection method and enter the appropriate settings.

Don't worry too much about the Internet Status section, as it rarely works properly. Also on this page, "Provider Accounts" will eventually allow you to set up commercial ISP settings, but for now it just tells you to use the Cable/LAN settings. The "Schedule" setting lets you set the times at which the firewall may connect to the Internet if you use a modem to dial into another server. To schedule Internet access over a LAN connection, you must enable the Squid proxy service and use SquidGuard (accessed through the "Services" section, which will be covered later).

Firewall Rules

The Firewall Rules section is where you configure Shorewall: which traffic through the firewall is allowed and which is denied. The first thing to do is set up your zones. By default there are three zones: WAN, LAN and DMZ. A zone specifies what kind of network each network card is connected to; most people will use only the WAN and LAN zones. Assign the network card connected to the Internet to the "WAN" zone and the card connected to your private network to the "LAN" zone.

After setting up your zones, skip down to the Default Policies section. Default policies set the default behaviour for traffic travelling between zones, and most of them should already be set correctly. One setting you may want to change is the policy for traffic from the LAN zone to the WAN (Internet) zone. By default, any connection through the firewall must be specifically allowed, so if a computer on the LAN tries to reach the Internet on a non-standard port (streaming video, for example), the connection will be refused (and you will hear about it from the user). Two quick fixes are:

A ) set the default policy to allow all connections originating from the LAN Interface
B ) specifically allow certain IP addresses full outgoing permissions

If you choose to deny Internet access on all but certain popular ports, be prepared to add a lot of rules in the first week or two. I usually deny most ports and then add whatever is needed. If that becomes a long list for only one or two users, create a rule that allows anything coming from their IP addresses. Note that option A gives up egress filtering entirely: with a permissive LAN-to-WAN policy, nothing leaving the LAN is logged or blocked, so the restrictive policy with explicit rules is the safer choice when you can afford the maintenance.

IP Masquerading
In order for the firewall to "share" its Internet connection, you must set up IP masquerading, a proxy server, or both. It is very easy to set up IP masquerading with two network cards using the web interface. If you plan to use the Squid proxy server, you do not need IP masquerading for simple web browsing, but any traffic that does not go through the proxy still needs it.

For masquerading with two network cards, click Masq NAT, enter the network interface you want to masquerade (the LAN interface), then the network card connected to the Internet. You could enter the relevant IP addresses (the LAN subnet) instead of network interfaces, but for simple masquerading this is not necessary. From this screen you can also set up advanced NAT rules, such as for a DMZ, if needed.

Creating Firewall Rules
Firewall rules override the default policies (set earlier) for specific cases. Rules also let you "forward" packets arriving on a port to a different computer on the LAN, which is useful if you run a server on your network that people should be able to reach from the Internet. Likewise, if someone wants to play online games from behind the firewall, you will need to forward that game's port to their computer's IP address.

To create a rule that allows access through a port, click "add simple rule". This brings up a dialog with a drop-down box of popular ports and applications. It lets you create a simple "Allow" or "Deny" rule based on the port number, the protocol being used, where the traffic originates and where it is going (for example, coming from the LAN (local network) and going to the WAN (Internet)).

Note: Even though the "add simple rule" dialog has a forward check box, DO NOT use it to set up a port forwarding rule. This interface was written for Shorewall version 1.3.7, while Mandrake 10.1 ships Shorewall version 2.0.8, which changed the way forwarding rules are written. If you do check that box, Shorewall will refuse to start.

To create a port forwarding rule, use the "Add Custom Rule" dialog. Enter the relevant information, including the IP address of the computer the traffic should go to, and make sure you select "DNAT" as the action. After you apply the firewall rules, port forwarding should work as expected. Remember that a DNAT rule exposes that internal machine to the Internet on that port, so forward only the ports you need and keep the target machine patched.

After you have set up all the rules you want, it is time to start the firewall service and check that the machines on the LAN can reach the Internet through the firewall computer. On every computer that should access the Internet through the firewall, adjust its network settings to use the firewall's IP address as the default gateway.

Note: Before you actually start the firewall service, you must delete the rule for port 20022; that rule is not formatted properly and Shorewall will not start with it in place. If you still have trouble getting Shorewall to start, go to the firewall computer and restart the Shorewall service manually with the command:

/etc/init.d/shorewall restart

and watch the output. If Shorewall fails to start, it will tell you which rule is causing the problem ("shorewall check" reports the same errors without changing the running firewall). To fix it, run "shorewall clear", log in to the web configuration pages, delete any offending rules (recreating them correctly if needed) and restart Shorewall.
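The zone, policy, masquerading and rule steps above, together with the "which rule is wrong" check in the note, as one added example. This is not code from the article or from the Shorewall or Mandrake projects: it writes the Shorewall 2.x files that the web interface maintains (zones, interfaces, policy, masq, rules) for a two-card firewall into a scratch directory, never /etc/shorewall, and then lints the rules file before you would run "/etc/init.d/shorewall restart". The layout is assumed, not taken from the article: eth0 is the Internet card (the "WAN" zone, called net in the files), eth1 is the LAN card ("LAN" zone, called loc), the LAN is 192.168.1.0/24, 192.168.1.10 is an internal web server receiving forwarded port 80 traffic, and 192.168.1.20 is the one host given full outgoing permissions. The broken rules file at the end is constructed for the demonstration and is not the article's port 20022 rule.

```sh
#!/bin/sh
# Added example, not from the article or from Shorewall/Mandrake.
# Assumed layout: eth0 = Internet ("WAN" zone, net), eth1 = LAN ("LAN"
# zone, loc), LAN 192.168.1.0/24, 192.168.1.10 internal web server,
# 192.168.1.20 a host with full outgoing access.  Files are written under
# the directory passed in, never /etc/shorewall.

write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"
    # zones: ZONE  DISPLAY  COMMENTS   (the firewall box itself is "fw")
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet (WAN card)
loc     Local     Private network (LAN card)
EOF
    # interfaces: ZONE  INTERFACE  BROADCAST  OPTIONS
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter,tcpflags
loc     eth1        detect      tcpflags
EOF
    # policy: SOURCE  DEST  POLICY  LOG LEVEL.  Option A in the article would
    # be "loc net ACCEPT"; the restrictive policy is kept, so unexpected
    # egress is rejected and logged rather than silently allowed.
    cat > "$dir/policy" <<'EOF'
#SOURCE  DEST   POLICY   LOG LEVEL
loc      fw     ACCEPT
fw       net    ACCEPT
loc      net    REJECT   info
net      all    DROP     info
all      all    REJECT   info
EOF
    # masq: INTERFACE  SUBNET.  Masquerade eth1's network out of eth0
    # ("eth0  192.168.1.0/24" is the address form the article mentions).
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SUBNET
eth0        eth1
EOF
    # rules: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
    cat > "$dir/rules" <<'EOF'
#ACTION  SOURCE            DEST               PROTO  DEST PORT(S)
# "simple rules": web and DNS out from the whole LAN
ACCEPT   loc               net                tcp    80,443
ACCEPT   loc               net                udp    53
# option B in the article: one host gets full outgoing permissions
ACCEPT   loc:192.168.1.20  net
# port forward via "Add Custom Rule" with action DNAT (not the 1.3-era
# forward checkbox); this exposes 192.168.1.10:80 to the Internet
DNAT     net               loc:192.168.1.10   tcp    80
EOF
}

# Lint a rules file for the errors a failed "shorewall restart" reports:
# each non-comment line needs a known ACTION plus SOURCE and DEST, and a
# DNAT rule needs a zone:address DEST to forward to.  Prints each offending
# line with its line number; returns 1 if there were any.
lint_shorewall_rules() {
    file=$1 bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|\#*) continue ;; esac
        set -- $line                     # split the columns on whitespace
        case $1 in
            ACCEPT|DROP|REJECT|DNAT|REDIRECT|CONTINUE|LOG|QUEUE) ;;
            *) echo "$file:$n: unknown ACTION '$1'"; bad=$((bad + 1)); continue ;;
        esac
        if [ -z "$2" ] || [ -z "$3" ]; then
            echo "$file:$n: SOURCE and DEST are required"; bad=$((bad + 1)); continue
        fi
        if [ "$1" = DNAT ]; then
            case $3 in *:*) ;; *) echo "$file:$n: DNAT needs zone:address DEST"; bad=$((bad + 1)) ;; esac
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Constructed, deliberately broken rules file (an illustration, not the
# article's port 20022 rule): a misspelled action, a rule with no DEST,
# and a DNAT with no address to forward to.
write_broken_rules() {
    cat > "$1" <<'EOF'
ACCEPT   loc   net   tcp   80
ALLOW    loc   net   tcp   8080
ACCEPT   loc
DNAT     net   loc   tcp   80
EOF
}

# Demonstration: write the configuration to a scratch directory, lint the
# good rules file and the broken one, then clean up.
demo=$(mktemp -d)
write_shorewall_config "$demo"
lint_shorewall_rules "$demo/rules" && echo "rules: OK"
write_broken_rules "$demo/rules.broken"
lint_shorewall_rules "$demo/rules.broken" || echo "rules.broken: fix these before restarting Shorewall"
rm -rf "$demo"
```

To use the files for real you would copy them into /etc/shorewall (after checking shorewall.conf) and run the restart command from the note; the lint is only a first pass that catches column and action mistakes, while Shorewall's own start-up output remains the authority on what it will accept.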

The other options available through the Firewall Rules section include:

Blacklists - lets you specify hosts, by IP address or network, whose packets the firewall will simply drop. This is useful if your logs keep showing "questionable" activity from certain IPs.

TOS - lets you set the Type of Service (TOS) field in packet headers (advanced use).

Tunnels - lets you set up IPsec tunnels for secure communication between hosts (advanced use).


Source: http://www.flexbeta.net/main/printarticle.php?id=87

Written by Riyadi, Monday, April 14, 2008 11:44:00 AM
