Ipcop Admin en 1.4
Chris Clancey
Harry Goldschmitt
John Kastner
Eric Oberlander
Peter Walker
Administrative Guide
by Chris Clancey, Harry Goldschmitt, John Kastner, Eric Oberlander, and Peter Walker
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section
entitled GNU Free Documentation License.
Revision History
Revision 0.1.0 (beta) 29 Dec 2001 Revised by: CW
Foreword by Charles Williams
Revision 1.2.0 10 Jan 2003 Revised by: RW
1.2.0 revisions
Revision 1.3.0 4 May 2003 Revised by: HG
1.3.0 revisions
Revision 1.4.0 30 August 2004 Revised by: CC, HG, JK, EO, PW
1.4.0 revisions
Revision 1.4.10 13 December 2005 Revised by: HG, EO
1.4.10 revisions
Table of Contents
Preface
    Rights and Disclaimers
    Foreword
1. Project Leader’s Introduction
    What Is IPCop?
    Partial List of Features
    Acknowledgements
2. Administration and Configuration
    Home Administrative Window
    System Web Pages
        Updates AW
        Passwords
        SSH Access
        GUI Settings
        Backup Web Page
        Shutdown Web Page
    Status Menu
        System Status
        Network Status
        System Graphs
        Traffic Graphs
        Proxy Graphs
        Connections
    Network Menu
        Dialup
        Upload
        Modem
        External Aliases Administrative Web Page
    Services Menu
        Web Proxy Administrative Web Page
        DHCP Administrative Web Page
        Dynamic DNS Administrative Web Page
        Edit Hosts Administrative Web Page
        Time Server Administrative Web Page
        Traffic Shaping Administrative Web Page
        Intrusion Detection System Administrative Web Page
    Firewall Menu
        What traffic is allowed between Interfaces?
        User Customization
        Port Forwarding Administrative Web Page
        External Access Administrative Web Page
        DMZ Pinholes Administrative Web Page
        Blue Access Administrative Web Page
        Firewall Options Administrative Web Page
    VPNs Menu
        Virtual Private Networks (VPNs)
        Methods of Authentication
        Global Settings
        Connection Status and Control
    Logs Menu
        Introduction
        Log Settings Administrative Web Page
        Log Summary Page
        Proxy Logs Page
        Firewall Logs Page
        Intrusion Detection System Log Page
        System Log Page
A. GNU Free Documentation License
    0. Preamble
    1. Applicability and Definitions
    2. Verbatim Copying
    3. Copying In Quantity
    4. Modifications
    5. Combining Documents
    6. Collections of Documents
    7. Aggregation With Independent Works
    8. Translation
    9. Termination
    10. Future Revisions of This License
Preface
Foreword
Hello. On behalf of our Project Leader, Jack Beglinger, the Documentation staff would
like to welcome you to the IPCop Users Administration Document. We would like
to take this opportunity to thank you for trying our firewall and we hope that it will
serve your needs. The team would also like to thank the IPCop Linux Community for
its continuing presence and the outstanding job it does helping new and experienced
users alike. We would also like to thank the team at SmoothWall for bringing the
IPCop Linux Community together.
Whether you are an existing user moving up the version chain or a new user getting
ready for your first install, we hope you will find all you need to get up and running
in this manual. If, for some reason, something is not covered here and you feel it
should be, then by all means contact us and let us know. We always like to hear from
our user base (actually some of us are just kinda lonely sitting on the computer all day
and a little note is nice every once in a while) and hope to be able to accommodate
their needs as much as possible. Now you can relax and enjoy the Internet without
having to worry.
So, here is a bit of information for those of you that have the time to read this and
are waiting for your IPCop Linux box to install. The initial release of IPCop was an
interim release to assist us in finding problems in the IPCop Linux Distribution. We
are now on our third full release. If you do happen to find problems, please check the
IPCop FAQ first as we attempt to update the FAQ as soon as we find a problem and
can provide solid information on either a work around or a direct fix.
If your problem is not referenced in the FAQ then you can either join us on IRC
(server: irc.openprojects.net channel: #ipcop), contact the IPCop mailing list or send
the IPCop Linux Group an email for direct support. Please be advised that you will
more than likely receive a faster response and solution by using the first 3 methods
listed above. Contacting the IPCop Linux Group directly could have a large delay,
depending upon our development schedule.
You may find further information as well as the newest FAQ, mailing list information
and IPCop Linux Group contact information on our web site: IPCop Web Site [2]
Notes
1. http://www.ipcop.org
2. http://www.ipcop.org
Chapter 1. Project Leader’s Introduction
Welcome and thank-you for looking at and/or using IPCop.
What Is IPCop?
Now, what is IPCop?
Jack Beglinger
Project Leader
• NIC Connected:
• DSL Modem
• Cable Modem
• Use of older equipment. 386 or better. Version 1.4 has been tested on 486sx25 with
12M of RAM and 273M of hard drive. This was the oldest and smallest we could
find at the time of test. It was loaded via the Net Install option and supported a full
Cable Modem download speed of 3Mb/s.
Acknowledgements
IPCop software is both a collaborative project and built upon great prior works.
These acknowledgements will cover many who helped both directly and indirectly, but
will nevertheless miss untold many who toiled to help develop this project but whom I
failed to get noted here. To those, I say many thanks and sorry for missing your
name.
For the rest, thank you... For a more up to date listing please see System → Credits in
IPCop.
Core Team
• Mark Wormgoor — Lead Developer
• Alan Hourihane — SMP & SCSI Developer
• Gilles Espinasse
• Harry Goldschmitt — Lead Documentation
• Eric Oberlander — Developer & Translation Coordinator
Developers
Mark Wormgoor, Alan Hourihane, Eric S. Johansson, Darren Critchley, Robert Kerr,
Gilles Espinasse, Steve Bootes, Graham Smith, Robert Wood, Eric Oberlander, Tim
Butterfield and David Kilpatrick.
Documentors
Harry Goldschmitt, Chris Clancey, John Kastner, Eric Oberlander, Peter Walker
Translators
Notes
1. http://www.gnu.org/licenses/gpl.html
Chapter 2. Administration and Configuration
Accessing the IPCop GUI is as simple as starting your browser and entering the IP
address (of the green IPCop interface) or hostname of your IPCop server along with
a port number of either 445 (https/secure) or 81 (http, redirected to 445): https://ipcop:445
or https://192.168.10.1:445 or http://ipcop:81 or http://192.168.10.1:81.
Changing the HTTPS Port: Some Users need to change the port used for secure con-
nections to avoid a clash with port 445, which recent versions of Windows use for Di-
rectory Services (SMB over TCP/IP). Some ISPs routinely block port 445 as a security
measure, to prevent the spread of viruses.
A commandline utility setreservedports was introduced in version 1.4.8 to allow Users
to change the secure port.
$ /usr/local/bin/setreservedports 5445
Although 5445 is suggested here as the alternative port, any port number between 445
and 65535 is allowed. If you forget which port you changed https to, use http and port 81
to be automatically redirected.
You should now be looking at the Home Page of your IPCop server’s Administration
GUI. You can immediately start exploring the different options and the information
available to you through this interface. Below, we have listed the Main Configura-
tion/Administration Options available through the GUI. When you have acquainted
yourself sufficiently with the system, please continue with the next section.
IPCop’s Administrative web pages or AWs are available via the tabs at the top of the
screen.
• System: System configuration and utility functions associated with IPCop itself.
• Status: Displays detailed information on the status of various portions of your
IPCop server.
• Network: Used for the configuration/administration of your dial-up/PPP settings.
• Services: Configuration/Administration of your IPCop server’s many Services
options.
• Firewall: Configuration/Administration of IPCop’s firewall options.
• VPNs: Configuration/Administration of your IPCop server’s Virtual Private
Network settings and options.
• Logs: View all your IPCop server’s logs (firewall, IDS, etc.)
The Home web page is one of several web pages that will look different depending
on the way IPCop is configured. If your Internet connection is via an Ethernet RED
interface, the Home web page will not show the current connection name, etc.
If all went well during the configuration of your PPP connection and PPP is the
connection type being used to connect to the Internet, then you will see 3 buttons on
the IPCop GUI main page.
Note: You will not see an active connection until you have finished configuring your IPCop
server.
At the top left corner of the page you will see the fully qualified domain name of
your IPCop machine.
• Connected ( #d #h #m #s)
• d=Days connected
• h=Hours connected
• m=Minutes connected
• s=Seconds connected
Below your connection status line you will see a line similar to the following:
7:07pm up 1 day, 7:21, 0 users, load average: 0.03, 0.01, 0.00
This line is basically the output of the Linux uptime command and displays the cur-
rent time, the days/hours/minutes that IPCop has been running without a reboot,
number of users logged in to the IPCop server, and the load average on the IPCop
server. Additionally, if there are updates available for IPCop that you have not yet
installed, you will be informed via this page.
IPCop has two web users, in addition to the root login user. The first is called “ad-
min”. Authenticating as this user gives access to all Administrative Webpages. The
other user, called “dial”, is able only to use the Connect or Disconnect buttons. By
default, the “dial” user is disabled; to enable it you must set a password for that user.
No password is required to view the Home or Credits webpages. All others require
the “admin” password.
Updates AW
Note: The Opera web browser does not handle uploads properly and thus should not be
used for applying a patch to your IPCop server.
Note: Only IPCop official patches will actually install on your IPCop server. Some patches
may automatically reboot your IPCop server, so please read all patch information thor-
oughly before applying said patch.
Passwords
The Passwords subsection of this AW is present to allow you to change the Admin
and/or Dial User passwords, as you deem necessary. Simply enter the desired pass-
word once in each field for the User you wish to update and click on Save.
Entering the Dial password activates the Dial user ID. This special user has the ability
to use the buttons on the IPCop Home web page but cannot get to any other IPCop
web pages. Use this facility if you have a dial up connection and want to allow users
to connect to the Internet, but not have admin authority on the firewall.
SSH Access
The SSH subsection of this AW allows you to decide if remote SSH access is available
on your IPCop server or not. By placing a checkmark in the box you will activate
remote SSH access. It is also possible to configure several SSH daemon parameters
from this web page. The SSH option is disabled by default and we would advise
enabling it only as needed and then disabling it afterwards.
Similar to the HTTP and HTTPS ports for the IPCop machine being switched to ports
81 and 445, the SSH port on the IPCop machine is switched to 222. If you are using a
GUI based application to access your IPCop machine, remember to specify port 222. If
you are using the ssh, scp or sftp commands, the syntax for specifying non-standard
ports is different for each command, even though they are related. Assuming your
IPCop machine is at IP address 192.168.254.1, the commands would be:
ssh -p 222 root@192.168.254.1
scp -P 222 localfile root@192.168.254.1:/root/
sftp -oPort=222 root@192.168.254.1
Note that ssh takes a lowercase -p, scp an uppercase -P, and sftp the -oPort option
(newer OpenSSH versions of sftp also accept -P). Use your desktop machine’s man
pages to get a more complete explanation of these commands.
SSH Options
The following SSH options are available from the web page:
Enabled:
Checking this box enables SSH. Unless you use external access, SSH will only
be available from the GREEN network. With SSH enabled it is possible for anyone
with the IPCop root password to log into your firewall at the command prompt.
they are accessed via dialog boxes. You may already have done one or more of
the first two steps.
1. Enable or have someone else enable external access for port 445, the HTTPS
port.
2. Use the IPCop web pages to enable SSH access, port forwarding and external
access for port 222.
3. Create an SSH tunnel between your remote machine and the internal server
running an SSH daemon by issuing the command:
$ ssh -p 222 -N -f -L 12345:10.0.0.20:23 root@ipcop
-p 222
IPCop listens for SSH on port 222, not the normal 22.
-N
in conjunction with -f, tells SSH to run in the background without termi-
nating. If you use this option, you will have to remember to use kill to
terminate the SSH process. As an alternative, you may want to add the
command sleep 100 to the end of the command line, and not use
the -N option. If you do this the SSH invoked by the ssh command will
terminate after 100 seconds, but the telnet session and its tunnel will not
terminate.
-f
option to run SSH in the background.
-L
tells SSH to build a port forwarding tunnel as specified by the next pa-
rameters.
12345
The local port that will be used to tunnel to the remote service. This
should be greater than 1024, otherwise you must be running as root to
bind to well known ports.
10.0.0.20
This is the GREEN address of the remote server.
23
This specifies the remote port number to be used, Telnet.
root@ipcop
Finally, this specifies you will be using your IPCop firewall as the port
forwarding agent. You need a user ID to log in as, and the only one avail-
able is root. You will be prompted for IPCop’s root password.
4. Connect to the internal server through the tunnel, for example with Telnet:
$ telnet localhost 12345
localhost is the machine you are running on. The loopback address 127.0.0.1
is defined as localhost. 12345 is the local tunnel port specified on the previous
command.
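The tunnel procedure above, as an added shell example that is not part of the IPCop guide. It wraps the guide's ssh invocation in a function that checks the local port before use, binds the listener explicitly to 127.0.0.1 so that other machines on your LAN cannot ride the tunnel, adds -o ExitOnForwardFailure=yes so ssh exits instead of lingering when the forward cannot be established, and uses the sleep 100 alternative to -N described above. The host name ipcop, port 222, the internal server 10.0.0.20:23 and local port 12345 are the guide's example values; the function names, the RUN_TUNNEL switch and the hardening options are assumptions of this example and do not change anything on IPCop itself.

```shell
#!/bin/sh
# Added example, not code from the IPCop guide: open a port-forwarding tunnel
# through an IPCop box (SSH on port 222) to an internal Telnet server.
# Example values from the guide: host "ipcop", target 10.0.0.20:23, local
# port 12345. ExitOnForwardFailure, the explicit 127.0.0.1 bind and the port
# checks are hardening choices assumed here, not IPCop settings.

IPCOP_HOST=${IPCOP_HOST:-ipcop}
IPCOP_SSH_PORT=${IPCOP_SSH_PORT:-222}

# Succeed only for a TCP port number 1..65535 made of digits.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for LOCALPORT -> TARGET_IP:TARGET_PORT via IPCop.
# Local ports below 1025 are refused (binding them needs root on the client).
# The listener is bound to loopback only, and the trailing "sleep 100" is the
# guide's alternative to -N: ssh exits after 100 seconds unless a forwarded
# connection is still open.
tunnel_cmd() {
    local_port=$1
    target_ip=$2
    target_port=$3
    if ! valid_port "$local_port" || [ "$local_port" -le 1024 ]; then
        echo "local port must be in 1025..65535" >&2
        return 1
    fi
    if ! valid_port "$target_port"; then
        echo "target port must be in 1..65535" >&2
        return 1
    fi
    printf 'ssh -p %s -f -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s root@%s sleep 100\n' \
        "$IPCOP_SSH_PORT" "$local_port" "$target_ip" "$target_port" "$IPCOP_HOST"
}

# Start the tunnel, then wait up to 10 seconds for the local listener so the
# caller does not connect before ssh has finished authenticating.
tunnel_up() {
    cmd=$(tunnel_cmd "$@") || return 1
    eval "$cmd" || return 1
    i=0
    while [ "$i" -lt 10 ]; do
        if netstat -an 2>/dev/null | grep -q "127\.0\.0\.1[.:]$1 .*LISTEN"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "listener on 127.0.0.1:$1 did not appear" >&2
    return 1
}

# Only talk to the network when explicitly asked; otherwise this file just
# defines the functions above so it can be sourced from other scripts.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    tunnel_up 12345 10.0.0.20 23 && telnet localhost 12345
fi
```

Run it as RUN_TUNNEL=1 sh tunnel.sh to open the tunnel and start the Telnet session; you will be prompted for IPCop's root password exactly as with the bare ssh command. Because the forward is bound to 127.0.0.1 only, another host on your LAN cannot reuse it, which is the main reason for spelling the bind address out rather than relying on the client's defaults.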
GUI Settings
This web page governs how the IPCop web pages function and appear.
After making any changes, remember to press the Save button.
To restore the default settings, press the Restore defaults button, then press the Save
button.
Display
Enable Javascript:
The 1.4.0 administrative web pages use JavaScript extensively to provide an
improved look and feel. However, some browsers do not work properly with
JavaScript. If this button is not checked, the various drop down menus will be
disabled and your choices on any page will appear across the top of the page.
Sound
Backup to Files
This panel of the Backup web page manages the creation, export, import and restore
of IPCop file backups. By clicking on the create button, IPCop will create a backup
key, if one has not been created previously, and create the two backup files. If this is
the first time you’ve created backup files, the text in the Import .tar.gz button will
change to Import .dat. This indicates that in the future only .dat files may be im-
ported. Next, export both files to the computer you are running your web browser
on by clicking on their Export links.
If you wish to restore from a backup file, select one of the backup sets shown in the
Backup Sets window. Or import a saved .dat file from another machine.
Backup to Floppy
This panel of the Backup Web Page will let you back up your IPCop configuration
to a floppy disk. The easiest way to restore your configuration is to reinstall IPCop
from CD-ROM or HTTP/FTP. Early in the installation process, you will be asked if
you have a floppy with an IPCop system configuration on it. If you wish to restore
your configuration from a backup floppy, place the floppy disk in the floppy drive
and select the Restore button. Your configuration will be restored and installation
will terminate.
After installation completes, you can use the Backup Web page to import an unsigned
.tar.gz file and restore from it, regaining missing logs, etc.
Warning
At this time, IPCop will not overwrite DOS formatted floppy disks. To
format a floppy disk for IPCop, you will need to format it for Linux. The
command to do this is:
# fdformat /dev/fd0
If you have another Linux machine, you can format a floppy on that
machine. Otherwise, use SSH or PuTTY to log in to IPCop as root, and
issue the command there. fdformat will not prompt for a floppy like DOS
format will, so insert the floppy disk into the floppy disk drive before
issuing fdformat.
Backup configuration
Place a floppy disk in the floppy disk drive and click the Backup button. Your con-
figuration will be written to the floppy and verified.
Information
All messages generated during a backup will appear in this section of the page.
Shutdown
Press one of the Reboot or Shutdown buttons to immediately reboot or halt the IPCop
server.
Status Menu
This group of web pages provides you with information and statistics from the IPCop
server. To get to these web pages, select Status from the tab bar at the top of the
screen. The following choices will appear in a dropdown:
• System Status
• Network Status
• System Graphs
• Traffic Graphs
• Proxy Graphs
• Connections
System Status
The Status pages present you with a VERY thorough list of information regarding the
current status of your IPCop server. The first subsection, System Status, displays the
following in top-down order:
Services
Services - Displays which services are currently running.
Memory
Memory - Displays the memory/swapfile usage on your IPCop server.
Disk Usage
Disk Usage - Displays the total/used amount of hard drive space on your IPCop
server.
Loaded Modules
Loaded Modules - This displays all modules currently loaded and in use by the kernel.
Kernel Version
Kernel Version - This displays information on the IPCop Kernel itself.
Network Status
Content to be written...
Interfaces
Interfaces - This section displays information on all your network devices. This in-
cludes PPP, IPSec, Loopback, etc.
Content to be checked...
Note: This section will only be visible if DHCP is enabled. Refer to the section on the
DHCP Server for details.
Content to be written...
System Graphs
Click on one of the four graphs (CPU Usage, Memory Usage, Swap Usage and Disk
Access) to get graphs of the usage per Day, Week, Month and Year.
Traffic Graphs
This page gives a graphic depiction of the traffic in and out of the IPCop box.
There are sections for each network interface, Green and Red, (and Blue and Orange
if configured) which show graphs of incoming and outgoing traffic through that in-
terface.
Click on one of the graphs to show more graphs of the traffic on that interface: per
Day, Week, Month and Year.
Note: When v1.4.0 was being developed, it was found that the rrdtool used to generate
the graphs was unable to handle special characters, which particularly affects languages
that rely on the UTF-8 character set. At the moment, the text on the graphs is forced to
use English, until a solution can be found.
Proxy Graphs
This page shows traffic through the proxy service of the IPCop box. The first section
gives the date and time the graph was created, the lines analyzed, the duration of the
analysis, the speed (lines per second), the start and end date and time of the graph,
and the domain (overall length of the graph in time).
This information is useful in seeing whether the proxy is the correct size for the load
being experienced.
Connections
IPCop uses the Linux Netfilter or IPTables firewall facility to maintain a stateful
firewall. Stateful firewalls keep track of connections to and from all GREEN, BLUE and
ORANGE network IP addresses, based on both the source and destination IP ad-
dresses and ports, as well as the state of the connection itself. After a connection is
established involving protected machines, only packets consistent with the current
state of the connection are allowed through the IPCop firewall.
The IPTables Connection Tracking window shows the IPTables connections. Connec-
tion end points are color-coded based on their network location. The color-coding
legend is displayed at the top of the page. Information on individual connections is
displayed next. Each connection from or to your networks is shown.
Click on an IP Address to do a reverse DNS lookup.
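An added shell example, not from the IPCop guide, that does offline what the Connections page does: it reads the kernel's connection-tracking table and labels each end point with its network. The table lines are constructed here in the 2.4-kernel /proc/net/ip_conntrack layout; the address plan (GREEN 192.168.10.0/24, BLUE 192.168.20.0/24, ORANGE 192.168.30.0/24, everything else RED) and the function names are assumptions of this example, not IPCop's own. It also marks entries still flagged [UNREPLIED], connections the firewall has seen in one direction only, and counts those whose original direction came from RED, which is a quick way to spot inbound probing in the same data the web page shows.

```shell
#!/bin/sh
# Added example, not code from the IPCop guide: summarize the kernel
# connection-tracking table by IPCop network, as the Connections page does.
# Assumed address plan (not from the guide): GREEN 192.168.10.0/24,
# BLUE 192.168.20.0/24, ORANGE 192.168.30.0/24; anything else is RED.
NETS="${NETS:-GREEN=192.168.10.0/24 BLUE=192.168.20.0/24 ORANGE=192.168.30.0/24}"

# Constructed sample in the 2.4-kernel /proc/net/ip_conntrack layout (the
# first src=/dst= pair is the original direction, the second the reply).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.10.5 dst=203.0.113.10 sport=4321 dport=80 src=203.0.113.10 dst=198.51.100.2 sport=80 dport=4321 [ASSURED] use=1
udp      17 29 src=192.168.10.7 dst=192.168.10.1 sport=1025 dport=53 src=192.168.10.1 dst=192.168.10.7 sport=53 dport=1025 use=1
tcp      6 119 SYN_SENT src=203.0.113.77 dst=198.51.100.2 sport=52000 dport=22 [UNREPLIED] src=198.51.100.2 dst=203.0.113.77 sport=22 dport=52000 use=1
tcp      6 431999 ESTABLISHED src=192.168.20.9 dst=192.168.30.4 sport=40000 dport=443 src=192.168.30.4 dst=192.168.20.9 sport=443 dport=40000 [ASSURED] use=1'

# Read conntrack lines on stdin; print one line per connection:
#   <proto> <state> <src-net> <src:port> -> <dst-net> <dst:port> [HALF-OPEN]
# Classification is a real prefix match, so any prefix length in NETS works.
summarize_conntrack() {
    awk -v nets="$NETS" '
    function ip2n(ip,  a) { split(ip, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    function net_of(ip,  i, n, shift) {
        n = ip2n(ip)
        for (i = 1; i <= nnets; i++) {
            shift = 2 ^ (32 - bits[i])
            if (int(n / shift) == int(base[i] / shift)) return name[i]
        }
        return "RED"
    }
    BEGIN {
        nnets = split(nets, spec, " ")
        for (i = 1; i <= nnets; i++) {
            split(spec[i], p, "=")        # NAME=a.b.c.d/len
            split(p[2], q, "/")
            name[i] = p[1]; base[i] = ip2n(q[1]); bits[i] = q[2] + 0
        }
    }
    {
        proto = $1; state = "-"; half = ""
        src = ""; dst = ""; sport = ""; dport = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "[UNREPLIED]") half = " HALF-OPEN"
            else if (state == "-" && $i ~ /^[A-Z_]+$/) state = $i
            else if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            else if (sport == "" && $i ~ /^sport=/) sport = substr($i, 7)
            else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (src == "") next
        printf "%s %s %s %s:%s -> %s %s:%s%s\n",
            proto, state, net_of(src), src, sport, net_of(dst), dst, dport, half
    }'
}

# Number of entries whose original direction came from RED and never got a
# reply: new connections the firewall saw but nobody answered (inbound probes
# or dropped attempts against the IPCop box itself).
count_red_halfopen() {
    summarize_conntrack | awk '$3 == "RED" && $NF == "HALF-OPEN" { n++ } END { print n + 0 }'
}

# On a live IPCop 1.4 box:  summarize_conntrack < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | summarize_conntrack
```

Set NETS to your own GREEN/BLUE/ORANGE prefixes before running it against a real table. The original-direction tuple is the one the firewall's rule decision was made on, so that is the pair the summary classifies; the reply tuple only tells you whether the other side ever answered, which is what the HALF-OPEN marker reports.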
Network Menu
Dialup
This subsection of the Dialup Administration Window (AW) is divided into 5 differ-
ent editable sections and is only applicable if you are accessing the Internet using an
analog modem, an ISDN device or a DSL connection.
Note that you cannot select or modify a profile while the IPCop server is online, or
waiting to go online in “Dial on Demand” mode. Before using this page, go to the
Home AW and if the status line reports Connected or Dial on Demand waiting then
click on the Disconnect button before returning to this Window. After setting up or
selecting Profiles, remember to return to the Home AW and click the Connect button,
if you want your IPCop server to go back online.
Profiles
This section of the Window provides the facilities to name and set up new Dialup
Profiles (up to a total of five), or to rename existing Profiles and change their param-
eters.
Select a Profile to be created or modified from the drop-down list. Fill in or change
the parameters for the profile (see below) and click on the Save button. To select the
Profile to be used for future connections, use the drop-down list to make your choice
and click the Select button at the bottom of the page. Use the Restore button while
editing a Profile to reinstate the previous Profile settings.
Telephony
This section allows you to do the following:
1. Select the appropriate Interface for your Internet connection device. This will
be either a Communications port (COM1 - COM4) used mostly for modems
and ISDN cards, or PPPoE which is used mostly for DSL connections.
2. Select the appropriate Computer to modem rate. This will decide how quickly
data is passed to and from your connection device. With older computer sys-
tems or modems, you may find it necessary to use one of the lower data rates
to establish reliable computer/ modem communications.
3. Enter the correct Number to dial for your Internet connection. If connecting
through the PPPoE interface then chances are you will probably be leaving
this blank.
4. Select whether or not to have the Modem speaker on. Having the speaker on allows you
to hear the connection taking place and can be a useful diagnostic aid when
troubleshooting. This option is only likely to be useful if you are connecting
via an analog modem.
5. Select your Dialing mode. Use Tone dialing unless your telephone connection
only recognizes Pulse dialing. Pulse dialing is a lot slower than Tone dialing.
6. Enter your desired Maximum retries. This will decide how often IPCop attempts
to connect to the Internet after a failed connection attempt.
7. Enter your Idle timeout. This will decide how IPCop handles your Internet
connection when nothing is actually being sent or received via the Internet
connection. The number you enter here indicates to IPCop how long it should
wait after any Internet activity before it disconnects the modem link. If you set
this parameter to 0 then IPCop, once connected, will not disconnect from the
Internet of its own accord.
8. The Persistent Connection checkbox is used to instruct IPCop to maintain the
modem connection at all times, even in the absence of Internet activity. In this
mode it will attempt to reconnect the Internet connection whenever the link
fails for any reason, such as a connection time-out at the ISP end of the modem
link. Use this mode with caution. If you have metered connection charges you
probably will not want to use this feature. However, if you have unlimited ser-
vice time (often called "Flatrate") with your ISP, you may want to use this in
order to keep the link connected as much as possible. Note that in Persistent
mode, IPCop will cease reconnecting after more than the number of consecu-
tive failed dial attempts set in Maximum Retries. In this event, you have to use
the Dial button on the Home AW.
9. Dial on Demand is available by clicking the checkbox. Note that after enabling
Dial on Demand, you still have to click the Connect button on the Home AW
before IPCop will start connecting automatically when it detects Internet ac-
tivity. The Dial on Demand option is not available for PPPoE connections.
10. The Dial on Demand for DNS option determines whether IPCop will connect
automatically when it detects DNS requests. This is usually what you want.
11. Connect on IPCop Restart will make IPCop connect after booting, if Dial on
Demand is not selected. You will probably want to set this option as active if
you are also using Dial on Demand. This is because the combination of settings
will automatically put the IPCop system into Dial on Demand waiting mode
each time the IPCop server is switched on or rebooted.
12. ISP Requires Carriage Return. Some ISPs require that the modem sends a carriage
return to signal that it has finished sending data. If your ISP requires this,
leave it checked; if not, you can uncheck this box. The default is checked.
Additional PPPoE settings - If either PPPoE or USB ADSL is enabled, additional con-
figuration options are available. Here you can enter two additional parameters, a ser-
vice name, and a concentrator name, which some ISPs require. If your ISP does not
require them, or does not give you any, then you may leave these two fields blank.
Your ISP will give you two settings, VPI and VCI, which you must enter if you are
using a USB ADSL connection.
Authentication
Username and Password are the username and password that your ISP should have
supplied to you when you opened your account with them. There are several ways
in which ISPs use this username and password to login to their systems. The most
common methods are PAP or CHAP. Select this if your ISP uses either of those two.
If your ISP uses a text-based login script, choose standard login script. For people
in the UK who use Demon Internet as their ISP, a special script has been created for
them to use. The "Other" login script option has been provided for people who have
ISPs with special needs. If you need to do this, you will need to login to the IPCop
box and create a file in /etc/ppp. This filename (without the /etc/ppp component)
should be entered into the Script name box. The file contains ’expect send’ pairs,
separated by a tab. USERNAME will be substituted for the username and PASSWORD
for the password. Examine the file demonloginscript in /etc/ppp, and use it as an
example of what should be in this file.
DNS
Select Automatic if your ISP supports automatic DNS server configuration, as is now
usually the case. The alternative is to leave Automatic unticked and put IP addresses
in the Primary DNS and Secondary DNS boxes. These IP addresses will generally be
provided where necessary by your ISP.
Upload
Use this page to download the files necessary for supporting various modems to your
desktop machine, and then upload it to your IPCop server.
machine, and then press the upload button to transfer it to IPCop. Once this has been
successfully uploaded, you can use Fritz!DSL.
Modem
Modem Configuration
Modem configuration is only applicable if you are connecting to the Internet
with a standard analog modem. The default settings that appear in this
Administration Window are appropriate for most analog modems. However, if you
are experiencing problems connecting, compare these settings with those
suggested in the manual for your particular modem. Any or all of these settings
may be left blank.
Init - The standard Initialization string used by most Hayes-compatible modems is
already provided for you in this field. If, however, your modem requires a different
setting then by all means change it.
Hangup - The standard Hang up string used by most Hayes-compatible modems is
already provided for you in this field. If, however, your modem requires a different
setting then by all means change it.
Speaker on - The standard Speaker on string used by most Hayes-compatible modems
is already provided for you in this field. If, however, your modem requires a different
setting then by all means change it.
Speaker off - The standard Speaker-off string used by most Hayes-compatible modems
is already provided for you in this field. If, however, your modem requires a different
setting then by all means change it.
Tone Dial - The standard Tone Dial string used by most Hayes-compatible modems is
already provided for you in this field. If your modem and telephone line can support
the Tone Dial feature and you are experiencing problems connecting then make sure
that this string is appropriate for use with your modem.
Pulse Dial - The standard Pulse Dial string used by most Hayes-compatible modems
is already provided for you in this field. You should not need to change it, but if your
telephone service does not support Tone Dialing then you may need to make sure
this is the correct string for your modem.
The only section in this area that may not be blank is the Connect Timeout. This
tells IPCop the amount of time to allow the modem to attempt to connect. After this
number of seconds has elapsed without proper response on the receiving end, IPCop
will give up and move on to the next connection attempt. The default should work
fine for you but if you notice that the connection is being dropped in the middle of
the negotiation sequence (turn on the modem speaker and listen to the attempted
connection) then you may need to increase this parameter slightly until it connects
successfully.
Note: This Administrative Web Page will only appear as a menu item if your RED interface
is STATIC.
In some cases, your ISP may assign you a range of IP addresses for your network.
If you were given multiple addresses only so that several non-server computers
could reach the Internet, you will no longer need the extra addresses: IPCop
connects directly to your modem or the Internet, and the machines behind it
share its connection.
On the other hand, if you are providing a server on one of your internal
computers, you may need to use multiple aliases on your RED interface. To use
this facility effectively, you may have to adjust IPCop’s routing tables by
hand.
Current aliases
This section lists the aliases that are in effect. To remove one, click the “Trash Can”
icon. To edit one, click the “Yellow Pencil” icon.
To enable or disable a rule - click on the “Enabled” icon (the checkbox on the left of
the Action column) for the particular entry you want to enable or disable. The icon
changes to an empty box when a rule is disabled. Click on the checkbox to enable it
again.
Services Menu
As well as performing its core function of Internet firewall, IPCop can provide a num-
ber of other services that are useful in a small network.
These are:
You can choose if you want to proxy requests from your Green (private) network
and/or your Blue (wireless) network. Just tick the relevant boxes.
If you choose to enable the proxy then you can also log web accesses by ticking the
Log Enabled box. Accesses made through the proxy can be seen by clicking the Proxy
Logs choice of the Logs menu.
If your ISP requires you to use their cache for web access then you should specify
the hostname and port in the Upstream proxy text box. If your ISP’s proxy requires a
user name and password then enter them in the Upstream username and Upstream
password boxes.
Cache Management
You can choose how much disk space should be used for caching web pages in the
Cache Management section. You can also set the size of the smallest object to be
cached, normally 0, and the largest, 4096KB. For privacy reasons, the proxy will not
cache pages received via https, or other pages where a username and password are
submitted via the URL.
Transfer limits
The web proxy can also be used to control how your users access the web. The only
control accessible via the web interface is the maximum size of data received from
and sent to the web. You can use this to prevent your users downloading large files
and slowing Internet access for everyone else. Set these to 0, the default, to
remove all restrictions.
To save any changes, press the Save button.
You can flush all pages out of the proxy cache at any time by clicking the Clear Cache
button.
Warning
Caching can take up a lot of space on your hard drive. If you use a large
cache, then the minimum size hard drive listed in the IPCop documen-
tation will not be large enough.
The larger the cache you choose the more memory is required by the
proxy server to manage the cache. If you are running IPCop on a ma-
chine with low memory do not choose a large cache.
You can choose if you want to provide this service to your Green (private) network
and/or your Blue (wireless) network. Just tick the relevant box.
For a full explanation of DHCP you may want to read Linux Magazine’s “Network
Nirvana - How to make Network Configuration as easy as DHCP”.
Enabled
Check this box to enable the DHCP server for this interface.
IP Address/Netmask
The IP Address of the network interface and its Netmask are displayed here for
reference.
Note: To enable DHCP to provide fixed leases without handing out dynamic leases,
leave both Start and End Address fields blank. However, if you provide a Start Ad-
dress, you also have to provide an End Address, and vice versa.
Primary DNS
Specifies what the DHCP server should tell its clients to use for their Primary
DNS server. Because IPCop runs a DNS proxy, you will probably want to leave
the default alone so the Primary DNS server is set to the IPCop box’s IP address.
If you have your own DNS server then specify it here.
Option name
You specify the name of the DHCP option here, for example: smtp-server or
tcp-keepalive-interval.
Option value
The value, appropriate to the option, goes here. It could be a string, an integer,
an IP Address, or an on/off flag, depending on the option.
Enabled
Click on this check box to tell the DHCP server to hand out this option. If the
entry is not enabled, it will be stored in IPCop’s files, but the DHCP server will
not issue the option.
Add
Click on this button to add the option.
List options
Click on this button to display a list of options with possible values.
Fixed Leases
If you have machines whose IP addresses you would like to manage centrally but
which must always get the same IP address, you can tell the DHCP server to
assign a fixed IP based on the MAC address of the network card in the machine.
This differs from configuring a static address on the machine itself: the
machine still contacts the DHCP server to ask for its IP address and takes
whatever has been configured for it.
MAC Address
The six octet/byte colon separated MAC address of the machine that will be
given the fixed lease.
Warning
The format of the MAC address is xx:xx:xx:xx:xx:xx,
not xx-xx-xx-xx-xx-xx as some machines show it, e.g.
00:e5:b0:00:02:d2.
IP Address
The static lease IP address that the DHCP server will always hand out for the
associated MAC address. Do not use an address in the server’s dynamic address
range.
Remark (optional)
If you want, you can include a string of text to identify the device using the fixed
lease. (This field was added in v1.4.4).
Enabled
Click on this check box to tell the DHCP server to hand out this static lease. If
the entry is not enabled, it will be stored in IPCop’s files, but the DHCP server
will not issue this lease.
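The two checks the fixed-lease fields need (colon-separated MAC, fixed address outside the dynamic range) are easy to get wrong by hand. The following shell script is an added example, not part of IPCop, that normalises a MAC address to the xx:xx:xx:xx:xx:xx form and rejects a fixed address that falls inside the dynamic range before you type it into the page. The MAC, the addresses and the dynamic range below are constructed sample values.

```shell
#!/bin/sh
# Added example: sanity-check a fixed-lease entry before entering it on the
# DHCP page. The addresses below are constructed sample data, not from IPCop.

# Lower-case the hex digits and turn '-' separators into ':'.
mac_normalize() {
    printf '%s\n' "$1" | tr 'ABCDEF-' 'abcdef:'
}

# 0 if the argument is six colon-separated hex octets, 1 otherwise.
mac_valid() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Dotted quad to integer so that ranges can be compared arithmetically.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_fixed_lease MAC IP RANGE_START RANGE_END
# Prints the normalised entry and returns 0 when acceptable, 1 otherwise.
check_fixed_lease() {
    mac=$(mac_normalize "$1"); ip=$2; start=$3; end=$4
    if ! mac_valid "$mac"; then
        echo "bad MAC '$1': expected xx:xx:xx:xx:xx:xx" >&2
        return 1
    fi
    n=$(ip2int "$ip"); lo=$(ip2int "$start"); hi=$(ip2int "$end")
    if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
        echo "fixed lease $ip lies inside the dynamic range $start-$end" >&2
        return 1
    fi
    echo "$mac $ip"
    return 0
}

# Constructed sample: dynamic range .100-.200, fixed lease for a printer at .50
check_fixed_lease 00-E5-B0-00-02-D2 192.168.1.50 192.168.1.100 192.168.1.200
```

The range check matters because a fixed lease inside the dynamic pool can collide with an address the server has already handed to another client.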
To edit an existing lease, click on its pencil icon. The fixed leases values will be dis-
played in the Edit an existing lease section of the page. The fixed lease being edited
will be highlighted in yellow. Click the Update button to save any changes.
To remove an existing lease, click on its trash can icon. The lease will be removed.
Error messages
An error message will appear at the top of the page if a mistake is found in the input
data, after you press the Save button.
Add a host
The following DYNDNS parameters can be set from the web interface:
Service
Choose a DYNDNS provider from the dropdown. You should have already reg-
istered with that provider.
Behind a proxy
This tick box should be ticked only if you are using the no-ip.com service and
your IPCop is behind a proxy. This tick box is ignored by other services.
Enable wildcards
Enable Wildcards will allow you to have all the subdomains of your dynamic
DNS hostname pointing to the same IP as your hostname (e.g. with this tick box
enabled, www.ipcop.dyndns.org will point to the same IP as ipcop.dyndns.org).
This tick box has no effect with the no-ip.com service, as they only allow this
to be activated or deactivated directly on their website.
Hostname
Enter the hostname you registered with your DYNDNS provider.
Domain
Enter the domain name you registered with your DYNDNS provider.
Username
Enter the username you registered with your DYNDNS provider.
Password
Enter the password for your username.
Enabled
If this is not ticked then IPCop will not update the information on the DYN-
DNS server. It will retain the information so you can re-enable DYNDNS updates
without reentering the data.
Current hosts
This section shows the DYNDNS entries you have currently configured.
To edit an entry click on its pencil icon. The entry’s data will be displayed in the form
above. Make your changes and click the Save button on the form.
You can also update the Behind a proxy, Use wildcards and Enabled tick boxes directly
from the current hosts list entry.
Add a host
The following parameters can be set from the web interface:
Host IP Address
Enter the IP address here.
Hostname
Enter the host name here.
Enabled
Check this box to enable the entry.
When you press Add, the details will be saved.
Current hosts
This section shows the local DNS entries you have currently configured.
You can re-sort the display by clicking on any of the three underlined column head-
ings. A further click will reverse the sort order.
To enable or disable an entry - click on the “Enabled” icon (the checkbox in the Action
column) for the particular item you want to enable or disable. The icon changes to an
empty box when a rule is disabled. Click on the checkbox to enable it again.
To edit an entry click on its Pencil icon. The entry’s data will be displayed in the form
above. Make your changes and click the Update button on the form.
To delete an entry click on its Trash Can icon.
To configure the time system, make sure that the Enabled box is ticked and enter the
full name of the timeserver you want to use in the Primary NTP Server box. You can
also enter an optional Secondary NTP Server if you want.
If you want to provide a time service to the rest of your network then tick the Provide
time to local network checkbox.
You can choose to update the time on IPCop on a periodic basis, for instance every
hour, or to update it when you wish from this web page (just click Set Time Now).
To save your configuration click the Save button.
Note: Although IPCop can act as a timeserver for your network, it uses the ntpdate pro-
gram to update its time on a periodic basis instead of allowing the more accurate ntpd
server to maintain the time continuously. This means that the IPCop clock is more likely
to drift out of synchronisation with the real time but does not require that IPCop is perma-
nently connected to the Internet.
If you do not want to use an Internet timeserver you can enter the time manually and
click the Instant Update button.
Warning
If you correct the time by a large amount, and offset the clock ahead
of itself, the fcron server that runs regular cron jobs can appear to stop
while it waits for the time to catch up. This can affect graph generation
and other regular tasks that run in the background.
If this happens, try running the command fcrontab -z in a terminal to
reset the fcron server.
Many ISPs sell speed as download rates, not as latency. To maximize download
speeds, they configure their equipment to hold large queues of your traffic. When
interactive traffic is mixed into these large queues, their latency shoots way up, as
ACK packets must wait in line before they reach you. IPCop takes matters into its
own hands and prioritizes your traffic the way you want it. This is done by setting
traffic into High, Medium and Low priority categories. Ping traffic always has the
highest priority — to let you show off how fast your connection is while doing mas-
sive downloads.
To use Traffic Shaping in IPCop:
1. Use well known fast sites to estimate your maximum upload and download
speeds. Fill in the speeds in the corresponding boxes of the Settings portion of
the web page.
2. Enable traffic shaping by checking the Enable box.
3. Identify what services are used behind your firewall.
4. Then sort these into your three priority levels. For example:
a. Interactive traffic such as SSH (port 22) and VOIP (voice over IP) go into
the high priority group.
b. Your normal surfing and communicating traffic like the web (port 80) and
streaming video/audio go into the medium priority group.
c. Put your bulk traffic such as P2P file sharing into the low priority group.
5. Create a list of services and priorities using the Add service portion of the web
page.
The services, above, are only examples of the potential Traffic Shaping configuration.
Depending on your usage, you will undoubtedly want to rearrange your choices of
high, medium and low priority traffic.
IPCop can monitor packets on the Green, Blue, Orange and Red interfaces. Just tick
the relevant boxes and click the Save button.
Firewall Menu
Grouped together in the Firewall Menu are some of the core functions of IPCop which
control how traffic flows through the firewall.
These are:
• Port Forwarding
• External Access (Controls remote administration of IPCop from the Internet)
• DMZ Pinholes
• Blue Access (Connecting a Wireless Access Point to IPCop)
• Firewall Options
User Customization
In v1.4 there is a new file for users to make their own changes to firewall rules. Have
a look inside the file /etc/rc.d/rc.firewall.local
It is called by /etc/rc.d/rc.firewall, and for manual use, the usage is:
$ /etc/rc.d/rc.firewall.local {start|stop|reload}
Note: The reload option was added in v1.4.2, and further modified in v1.4.6, but changes
were not included in Official Updates, to avoid overwriting Users’ existing modifications.
There are also specific chains for Users’ use, called CUSTOMINPUT, CUSTOMFORWARD etc.
as per version 1.3.
Introduced in version 1.3, there is also the file /etc/rc.d/rc.local which is run
when IPCop boots, and can contain your own specific commands to run at boot time,
for instance to setup an internal modem.
Neither of these files will be affected by Official Updates, and are included in the set
of files saved when you backup the system files.
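The following is an added example of what an /etc/rc.d/rc.firewall.local can look like; it is not the file shipped with IPCop. It keeps the {start|stop|reload} interface the page describes and puts its rules in the CUSTOMINPUT and CUSTOMFORWARD chains reserved for user rules. The GREEN network, the mail relay address and the choice of rules (throttling new SSH connections to IPCop's port 222, and allowing only one internal relay to send SMTP) are assumptions for illustration; where CUSTOMINPUT sits relative to the External Access rules in rc.firewall is not stated on this page and should be checked in your own rc.firewall before relying on ordering.

```shell
#!/bin/sh
# Added example of an /etc/rc.d/rc.firewall.local in the {start|stop|reload}
# shape IPCop calls. Rules go into the CUSTOMINPUT / CUSTOMFORWARD chains that
# rc.firewall reserves for local additions. Addresses below are assumptions.
IPTABLES=${IPTABLES:-/sbin/iptables}
GREEN_NET=${GREEN_NET:-192.168.1.0/24}     # assumed GREEN network
MAIL_RELAY=${MAIL_RELAY:-192.168.1.25}     # assumed internal mail relay

# Every rule goes through one function so that start (-A) and stop (-D)
# always see the same list and nothing is left behind on stop.
fw_rules() {
    op=$1
    # Throttle new connections to IPCop's own SSH service (port 222).
    $IPTABLES $op CUSTOMINPUT -p tcp --dport 222 --syn \
        -m limit --limit 3/min --limit-burst 3 -j ACCEPT
    $IPTABLES $op CUSTOMINPUT -p tcp --dport 222 --syn -j DROP
    # Only the internal mail relay may talk SMTP to the outside world;
    # everything else on GREEN is blocked from port 25.
    $IPTABLES $op CUSTOMFORWARD -s "$MAIL_RELAY" -p tcp --dport 25 -j ACCEPT
    $IPTABLES $op CUSTOMFORWARD -s "$GREEN_NET" -p tcp --dport 25 -j DROP
}

fw_start()  { fw_rules -A; }
# Errors on stop are ignored: a rule may already be gone after a reload.
fw_stop()   { fw_rules -D 2>/dev/null; return 0; }
fw_reload() { fw_stop; fw_start; }

case "$1" in
    start)  fw_start ;;
    stop)   fw_stop ;;
    reload) fw_reload ;;
    '')     ;;   # no argument: only define the functions
    *)      echo "Usage: $0 {start|stop|reload}" >&2; exit 1 ;;
esac
```

Setting IPTABLES=echo before running the script prints the rules it would install instead of applying them, which is a cheap way to review a change before a reload on a remote box.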
You can have more than one external address - after you have created the port for-
ward entry, it will appear in the table. If you wish to add another external address,
click the Red Pencil with the Plus sign next to the entry, the entry screen at the top
of the page will change (it will load values from the port forward) and allow you to
enter an external IP address or network.
When added you will now notice that there is a new entry under the port forward in
the table.
Other things to note:
From v1.3.0 onwards, External Access only controls access to the IPCop box. It has
no effect on the Green, Blue or Orange network access. That is now controlled in the
Port Forwarding section, see above.
If you wish to maintain your IPCop machine remotely, you should specify TCP port
445, https. If you have enabled ssh access, you can also enable TCP port 222, ssh.
The TCP/UDP drop down list allows you to choose which protocol this rule will
follow. Most regular servers use TCP. If the protocol is not specified in the server
documentation, then it is usually TCP. Source IP is the IP address of an external
machine you give permission to access your firewall. You may leave this blank,
which allows any IP address to connect. This is useful if you want to maintain
your machine from anywhere in the world, but it exposes the administration
service to the whole Internet, so it is dangerous. Wherever you can, list the
IP addresses of the machines or networks allowed to do remote maintenance in
this box. Destination Port is the external port that they are allowed to access,
i.e. 445. The Destination IP dropdown menu allows you to choose which Red IP this
rule will affect. IPCop has the capability of handling more than one Red IP. If
you only have one Red IP set up, then choose Default IP.
Once you have entered all the information, click the Enabled box and press Add. This
will move the rule to the next section, and list it as an active rule.
Current rules lists the rules that are in effect. To remove one, click the “Trash Can”
icon. To edit one, click the “Yellow Pencil” icon.
To enable or disable a rule - click on the “Enabled” icon (the checkbox in the Action
column) for the particular entry you want to enable or disable. The icon changes to
an empty box when a rule is disabled. Click on the checkbox to enable it again.
To enable or disable a rule - click on the “Enabled” icon (the checkbox in the Action
column) for the particular entry you want to enable or disable. The icon changes to
an empty box when a rule is disabled. Click on the checkbox to enable it again.
Note: This page will only be visible if you have installed and configured a Blue network
interface card.
1. Use the DMZ Pinholes page and shoot bullet holes through the Blue interface
for your services, or:
2. Setup a VPN for your road-warriors on Blue to provide access.
In the Add Device section you input the IP Address or the MAC Address of a wireless
Access Point, or any device on the Blue network that you want to connect to the
Internet through IPCop.
Once you have entered all the information, click the Enabled box and press Add. This
will move the entry to the next section, and list it as enabled.
The Devices on Blue section lists the current entries. To remove one, click the “Trash
Can” icon. To edit one, click the “Yellow Pencil” icon.
To enable or disable an entry, click on the “Enabled” icon (to the left of the Yellow
Pencil) for the particular entry you want to enable or disable. The icon changes to an
empty box when a device is disabled. Click the checkbox to enable it again.
If DHCP is enabled for the Blue network, the Current DHCP leases on Blue section will
be displayed.
This provides a quick way of adding wireless devices to the list. You just have to click
on the “Blue Pencil” icon for a device to be added to the list of enabled devices. You
can then edit the entry, if necessary, by clicking on the “Yellow Pencil” icon, as before.
VPNs Menu
Net-to-Net
Net-to-net VPNs link two or more private networks across the Internet, by creat-
ing an IPSec “tunnel”. In a net-to-net VPN, at least one of the networks involved
must be connected to the Internet with an IPCop firewall. The other network can be
connected to an IPCop firewall, or another IPSec enabled router or firewall. These
router/firewalls have public IP addresses assigned by an ISP and are most likely to
be using Network Address Translation, hence the term Net-to-Net.
If desired, a VPN can be created between wireless machines on your BLUE network
and an IPCop firewall. This ensures that traffic on your BLUE network cannot be
intercepted with wireless sniffers.
Host-to-Net
A Host-to-Net connection is where IPCop is at one end of the VPN tunnel and a
remote or mobile user is on the other end. The mobile user is most likely to be a
laptop user with a dynamic public IP address assigned by an ISP, hence the terms
Host-to-Net or Roadwarrior.
Methods of Authentication
It is necessary to have a pre-shared key/password/pass phrase or an X.509 certificate
before trying to configure a Roadwarrior or Net-to-Net VPN connection. These are
methods of authentication, which identify the user trying to access the VPN. They
will be required in the VPN configuration stage.
Pre-shared Key
The pre-shared key authentication method or PSK is a very simple method that al-
lows VPN connections to be set up quickly. For this method, you enter an authenti-
cation phrase. This can be any character string — similar to a password. This phrase
must be available for authentication on IPCop and to the VPN client.
The PSK method involves fewer steps than certificate authentication. It can be used to
test connectivity of a VPN and to become familiar with the procedure of establishing
a VPN connection. Experienced users may wish to progress straight to generating a
certificate authority before trying to configure a roadwarrior or a net-to-net VPN
connection.
The pre-shared key method should not be used with Roadwarrior connections, as all
roadwarriors must share the same pre-shared key: one lost or compromised laptop
means the key has to be changed on IPCop and on every other roadwarrior.
Note: The clocks on either end of the IPCop VPN tunnel should be up to date before
configuring a VPN.
X.509 Certificates
X.509 certificates are a very secure way of authenticating VPN peers. To implement
X.509 certificates you must either generate or set up the certificates on IPCop or
use another certification authority on your network.
X.509 Terminology: X.509 certificates on IPCop and many other implementations are
manipulated and controlled by OpenSSL. SSL, or the Secure Sockets Layer, has its own
terminology.
An X.509 certificate contains a public key and information about the entity it refers
to, signed by an issuer. The matching private key is stored separately and may be
protected by a pass phrase. Certificates are issued by Certification Authorities
(Certificate Authorities) or CAs. Web browsers ship with the CA certificates of the
major commercial CAs compiled in. To validate a host certificate, the verifier checks
the certificate’s signature against the certificate of the issuing CA; this is done
locally with the CA certificate it already holds, without contacting the CA. On
private networks or unique hosts, the CA may reside on a local host. In IPCop’s case,
this is the IPCop firewall, itself.
Certification requests are requests for X.509 certificates that are passed to CAs. The
CAs in turn generate an X.509 certificate by signing the request. These are returned to
the requesting entity as X.509 certificates. This certificate will be known to the CA, since
it signed it.
You will see that X.509 certificates and requests can be stored on your hard drive in
three different formats, usually identified by their extensions. PEM format is the
default for OpenSSL: the object is base64 encoded and wrapped between BEGIN and END
header lines, so it is printable and several objects (for example a certificate and
its CA certificate) can be concatenated in one file. DER format is the raw binary
encoding of the same structure and carries exactly the same information; it is the
format most browsers expect for a single certificate. PKCS#12 (PFX or P12) files are
binary containers that bundle a private key with its certificate and, optionally, the
CA certificates, protected by a password. Using the openssl command, PEM and PKCS#12
files can be transformed into their opposite number.
To use a certificate, the other side must trust the CA that issued it, so the CA
certificate has to be imported there too. The IPSec implementation on IPCop contains
its own built-in CA. CAs may run on roadwarriors’ machines, also.
If the roadwarrior’s IPSec implementation does not have CA capabilities, you can
generate a certificate request, import it into IPCop so that IPCop’s CA can sign it,
export the resulting certificate and import it into the originating road warrior’s
IPSec software.
Global Settings
Enter the VPN server details, either its fully qualified domain name or the public IP
address of the red interface. If you are using a dynamic DNS service, you should use
your dynamic DNS name here.
VPNs and Dynamic DNS: If your ISP changes your IP address, be aware that Net-to-Net
VPNs may have to be restarted from both ends of the tunnel. Roadwarriors will also have
to restart their connections in this case.
Enable the VPN on IPCop by selecting Local VPN Hostname/IP and click on the Save
button. The VPN on Blue option will only be visible if you have configured a BLUE
network interface card. To enable a VPN over your BLUE wireless connection click
on the VPN on BLUE Enabled: check box and then click on the Save button.
Figure 2-26. VPN Connection status and control window: Initial View
To create a VPN connection use the Add button. The VPN connection type page will
appear.
To create an IPCop’s Certificate Authority or CA, enter your CA’s name in the CA
Name box. The name should be different than the IPCop machine’s host name to
avoid confusion. For example, ipcopca for the CA and ipcop for the hostname.
Then click on the Generate Root/Host Certificates button.
The Generate Root/Host Certificates form will appear. Fill out the form and both an
X.509 root and a host certificate will be generated.
Organization Name
The organization name you want used in the certificate. For example, if your VPN is
tying together schools in a school district, you may want to use something like “Some
School District.”
IPCop’s Hostname
This should be the fully qualified domain name of your IPCop. If you are using a
dynamic DNS service, use it.
Your Department
This is the department or suborganization name. Continuing the school district ex-
ample, this could be XX Elementary School.
City
The city or mailing address for your machine.
State or Province
The state or province associated with the mailing address.
Country
This pull down selection menu contains every ISO recognized country name. Use it
to select the country associated with the certificate.
After completing the form, click on the Generate Root/Host Certificates button to
generate the certificates.
If desired, you can generate several root and host certificates on a single IPCop, and
then export them to PKCS12 format files, encrypted with a password. You can then
email them as attachments to your other sites; send the password by a different
channel than the attachment, since the file contains a private key. Using the Upload
PKCS12 file portion of this web page, you can upload and decrypt the certificates on
a local IPCop machine.
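The following shell script is an added example, not IPCop's own code, that walks through the certificate workflow described above (the CA signing a roadwarrior's request) and the PKCS#12 export and re-import just mentioned, using only the openssl command line tool. The organisation names, the host name, the file names and the password are constructed sample values; the CA key stays on the signing side and only the signed certificate travels back.

```shell
#!/bin/sh
# Added example: a local CA (as IPCop generates) signs a roadwarrior's request,
# the key and certificates are bundled as a password-protected PKCS#12 file,
# and the receiving side converts the bundle back to PEM and verifies the
# certificate against the CA. Subjects, names and the password are samples.
# Requires the openssl command line tool.

# mk_roadwarrior_bundle WORKDIR PASSWORD -> 0 if the whole round trip verifies
mk_roadwarrior_bundle() {
    dir=$1; pw=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1

        # 1. The CA: a self-signed root. Its private key never leaves this host.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout ca.key -out ca.pem \
            -subj "/O=Some School District/CN=ipcopca" >/dev/null 2>&1 || exit 1

        # 2. The roadwarrior creates its own key and a certificate request.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout rw.key -out rw.csr \
            -subj "/O=Some School District/OU=XX Elementary School/CN=laptop1" \
            >/dev/null 2>&1 || exit 1

        # 3. The CA signs the request; only the signed certificate goes back.
        openssl x509 -req -in rw.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 365 -out rw.pem >/dev/null 2>&1 || exit 1

        # 4. Bundle key, certificate and CA certificate as encrypted PKCS#12
        #    (the format the Upload PKCS12 file section accepts).
        openssl pkcs12 -export -in rw.pem -inkey rw.key -certfile ca.pem \
            -name laptop1 -out rw.p12 -passout "pass:$pw" >/dev/null 2>&1 || exit 1

        # 5. The other side turns the bundle back into PEM ...
        openssl pkcs12 -in rw.p12 -nodes -passin "pass:$pw" \
            -out rw-restored.pem >/dev/null 2>&1 || exit 1

        # ... and validates the certificate locally against the CA certificate.
        openssl verify -CAfile ca.pem rw.pem >/dev/null 2>&1
    )
}

# 0 when a wrong password is rejected, i.e. the bundle really is encrypted.
wrong_password_rejected() {
    ! openssl pkcs12 -in "$1/rw.p12" -nodes -passin pass:not-the-password \
        -out /dev/null >/dev/null 2>&1
}

# Stand-alone demonstration in a scratch directory.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    mk_roadwarrior_bundle "$work" "s3cret" && echo "round trip verified in $work"
fi
```

Step 5 is what the Upload PKCS12 file section does on IPCop, and step 3 is the path to take when the roadwarrior's IPSec software cannot act as a CA itself: ship the request, not the key.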
Connection Type
Select either Host-to-Net (Roadwarrior) for mobile users who need access to the
GREEN network or Net-to-Net to allow users on another network access to your
GREEN network and to allow users on your GREEN network access to the other
network.
Choose the connection type you wish to create and click on the Add button.
The next web page that appears contains two sections. The Connection section will
be different depending on the connection type you are adding. The Authentication
section will be the same.
Host-to-Net Connection
Name
Choose a simple name (lower case only with no spaces) to identify this connection.
Interface
Select the IPCop network interface the road warrior will connect on, either RED or
BLUE. Selecting RED allows the road warrior to connect from the Internet; selecting
BLUE allows a client on the local wireless network to reach the GREEN network.
Local Subnet
Local Subnet defaults to your GREEN network. If desired, you can specify a subnet of
your GREEN network here to limit which GREEN hosts the road warrior can reach.
Remark
Remark allows you to add an optional remark that will appear in the IPCop VPNs
connection window for this connection.
Enable
Click on the Enable check box to enable this connection.
Net-to-Net Connection
Name
Choose a simple name (lower case only with no spaces) to identify this connection.
IPCop side
Choose which side, right or left, will identify this IPCop in the IPSec configuration
files. Remember, the choice makes no difference (see the note on IPSec terminology
below).
Local Subnet
Local Subnet defaults to your GREEN network. If desired, you can specify a subnet of
your GREEN network here to limit which GREEN hosts the remote network can reach.
Remote Host/IP
Enter the static Internet IP address of the remote network's IPSec server, or its fully
qualified domain name. If the remote server uses a dynamic DNS service, you may have to
restart the VPN when its IP address changes; several scripts that do this automatically
are available on the IPCop news groups.
Remote subnet
Enter the remote network's network address and subnet mask in the same format as the
Local Subnet field. This network must not overlap the Local Subnet, since IPSec sets up
routing table entries to send IP packets to the correct remote network.
Remark
The Remark field allows you to add an optional comment that will appear in the
IPCop VPNs connection window for this connection.
Enable
Click on the Enable check box to enable this connection.
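The name and subnet rules above can be checked before a connection definition is saved.
The following is an added example, not part of the IPCop guide or of IPCop's own code.
It assumes a constructed GREEN network of 192.168.1.0/24, treats a name as valid when it
is lower-case letters optionally followed by digits (the guide only says lower case with
no spaces), and uses Python's ipaddress module to enforce that the Local Subnet lies
within GREEN and that a Net-to-Net Remote Subnet does not overlap it.

```python
"""Check IPCop-style IPSec connection parameters (added example, not IPCop code)."""
import ipaddress
import re

# Constructed GREEN network for the example; substitute your own.
GREEN = ipaddress.ip_network("192.168.1.0/24")

# The guide requires a name in lower case with no spaces. Allowing digits after
# the first letter is this example's assumption, not a rule from the guide.
NAME_RE = re.compile(r"^[a-z][a-z0-9]*$")


def parse_subnet(text):
    """Parse 'network/prefix' or 'network/netmask' as typed in the Local Subnet field.

    strict=True rejects a value whose host bits are set (e.g. 192.168.1.1/24),
    which is a host address, not a network address.
    """
    return ipaddress.ip_network(text, strict=True)


def validate_connection(name, local_subnet, remote_subnet=None, green=GREEN):
    """Return a list of problems; an empty list means the definition is acceptable.

    remote_subnet is None for a Host-to-Net (roadwarrior) connection.
    """
    problems = []
    if not NAME_RE.match(name):
        problems.append("name: use lower case letters only, no spaces")
    try:
        local = parse_subnet(local_subnet)
    except ValueError as exc:
        problems.append(f"local subnet: {exc}")
        return problems
    # A network is a subnet of itself, so GREEN itself passes this test.
    if not local.subnet_of(green):
        problems.append("local subnet: must be GREEN or a subnet of GREEN")
    if remote_subnet is not None:
        try:
            remote = parse_subnet(remote_subnet)
        except ValueError as exc:
            problems.append(f"remote subnet: {exc}")
            return problems
        if local.overlaps(remote):
            problems.append("remote subnet: overlaps the local subnet; IPSec "
                            "routing could not tell the two networks apart")
    return problems


if __name__ == "__main__":
    # Netmask notation is accepted as well as prefix length.
    print(validate_connection("office", "192.168.1.0/255.255.255.0", "10.0.0.0/24"))
    print(validate_connection("Office Lan", "192.168.1.1/24", "192.168.1.128/25"))
```

The overlap test is the one that matters most in practice: a remote subnet that merely differs
from the local one in its prefix length (192.168.1.0/24 against 192.168.1.128/25) is still
rejected, because a route for either network would swallow packets meant for the other.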
Host-to-Net Connection
Name
A simple name (lowercase only, with no spaces) to identify this connection.
Section to be written...
Net-to-Net Connection
Note on IPSec Terminology: IPSec uses the terms right and left for the two sides of a
connection or tunnel. The terms carry no inherent meaning. IPSec orients itself based on
network addresses and routes: once it determines which side, left or right, describes the
local end of a connection, all other right or left parameters follow. Many people use left
for the local side of a connection and right for the remote side, but this is not
necessary. It is best to think of the terms as "side A" and "side B" of an old LP record.
Name
A simple name (lowercase only, with no spaces) to identify this connection.
IPCop side
Section to be written...
Section to be written...
Authentication
The second section of the web page deals with authentication, in other words how this
IPCop verifies that the peer at the other end of the tunnel is really the peer it expects.
IPCop supports both pre-shared keys (PSKs) and X.509 certificates. There are four
mutually exclusive choices that can be used to authenticate a connection.
Upload a certificate
In this case the IPSec peer has its own CA. Both the peer's CA certificate and its host
certificate must be uploaded, so that IPCop can verify the host certificate against the
CA that issued it.
Generate a certificate
In this case the IPSec peer can present an X.509 certificate but lacks the capacity even
to generate a certificate request, so IPCop generates the peer's key and certificate for
it. Complete the required fields; optional fields are indicated by blue dots. If this
certificate is for a Net-to-Net connection, the User's Full Name or System Hostname field
may need to be the Internet fully qualified domain name of the peer. The optional
organization name is meant to isolate different portions of an organization from access
to IPCop's full GREEN network, by subnetting the Local Subnet in the connection
definition portion of this web page. The PKCS12 File Password fields protect the
generated host certificate and its private key while they are transmitted to the IPSec
peer: the file is encrypted with this password, so an intercepted copy cannot be used
without it. Send the password to the peer by a separate channel from the file itself.
Authentication
Section to be written...
Logs Menu
Introduction
The Logs AW consists of five or six sub-pages: Log Settings, Log Summary, Proxy Logs,
Firewall Logs, IDS Logs (if enabled) and System Logs. These share a common set of
interface features to select the log information to be displayed and to export that
information to your local machine. Dropdown Month: and Day: lists in the Settings: area
of the AW allow you to select log information for preceding days and months. Each time
you select a new combination of Month: and Day:, you must also click the Update button
before the log information is updated. When you first select a sub-page, the log
information displayed is that for the current date.
The << button lets you quickly jump back a day, and the >> button moves a day
forward.
The Logs information appears as a list in the main section of the window (usually
labeled Log:). If that list is too long to fit into a reasonably sized window, only the
latest Logs information is displayed. In that situation, the Older and Newer links at
the top and bottom of this section of the window become active and you may use
these to page through the list of Logs data.
Pressing the Export button downloads a text-format file (log.dat), containing the
information from the current Logs AW page, from the IPCop server to your computer.
Depending on how your computer is set up, pressing the Export button will initiate
a file download dialogue on your computer, show the contents of log.dat in your
web browser window, or open the file in a text editor. In the latter cases, you can save
log.dat as a text-format file if required.
Note: The Proxy Log menu item will only appear if you have enabled logging on the
Services > Proxy page.
Due to the large amount of information that has to be processed, the Proxy Logs page
can take an appreciable time to appear after its initial selection or an Update.
There are several controls on this page in addition to the Month:, Day:, and Update
controls described at the beginning of this Section:
• The Source IP: dropdown box allows you to look selectively at web proxy activity
related to individual IP addresses on the local network, or at the activity related to
ALL machines that have used the proxy.
• The Ignore filter: box allows you to type in a regular expression that defines which
file types should be omitted from the web proxy Logs. The default string hides image
files (.gif, .jpeg, .jpg and .png), stylesheet files (.css) and JavaScript files (.js).
• The Enable ignore filter: tick box controls whether the Ignore filter: is active or
not.
• The Restore defaults button allows you to return the above controls and filters to
their defaults.
For this page, the Logs information appearing in the Log: section of the window con-
sists of:
Note: The Website URL entries in these Logs are also hyperlinks to the referenced web
pages or files.
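To see how an Ignore filter: and a Source IP: selection act on proxy log data, the
following added example (not code from the IPCop guide or from IPCop itself) applies them
to a few constructed lines in the native access.log layout of squid, the web proxy IPCop
uses. The pattern DEFAULT_IGNORE is an assumed approximation of the default described
above, not the exact string IPCop ships. The second pattern shows the edge case a
practitioner should know about: a filter anchored to the end of the URL does not hide an
image fetched with a query string such as logo.png?v=2.

```python
"""Filter squid-style proxy log lines the way an ignore filter does (added example)."""
import re
from datetime import datetime, timezone

# Constructed lines in squid's native access.log layout:
# timestamp elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1135000000.123    45 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1135000000.456    12 192.168.1.10 TCP_HIT/200 811 GET http://www.example.com/logo.png - NONE/- image/png
1135000001.002    30 192.168.1.22 TCP_MISS/200 2048 GET http://cdn.example.net/site.css - DIRECT/198.51.100.7 text/css
1135000001.500    10 192.168.1.22 TCP_MISS/200 1500 GET http://www.example.com/logo.png?v=2 - DIRECT/93.184.216.34 image/png
1135000002.000    80 192.168.1.10 TCP_DENIED/403 0 GET http://files.example.org/setup.exe - NONE/- text/html
"""

# Assumed approximation of the default ignore filter described in the guide
# (gif/jpeg/png images, css and js); the exact IPCop default is not reproduced here.
DEFAULT_IGNORE = r"\.(gif|jpe?g|png|css|js)$"
# Variant that also hides such files when a query string follows the extension.
QUERY_AWARE_IGNORE = r"\.(gif|jpe?g|png|css|js)(\?|$)"


def parse_squid_line(line):
    """Split one native-format access.log line into the fields the Proxy Logs page shows."""
    parts = line.split()
    if len(parts) < 7:
        return None
    action, _, code = parts[3].partition("/")
    return {
        "time": datetime.fromtimestamp(float(parts[0]), tz=timezone.utc),
        "client": parts[2],
        "action": action,
        "status": int(code) if code.isdigit() else None,
        "method": parts[5],
        "url": parts[6],
    }


def filter_proxy_log(lines, ignore_pattern=DEFAULT_IGNORE, enabled=True, source_ip=None):
    """Return the parsed entries that survive the Source IP selection and ignore filter.

    enabled=False mirrors an unticked 'Enable ignore filter' box. Matching is
    case-insensitive here so that LOGO.PNG is hidden too (a choice of this example).
    """
    ignore = re.compile(ignore_pattern, re.IGNORECASE) if enabled else None
    kept = []
    for line in lines:
        entry = parse_squid_line(line)
        if entry is None:
            continue  # blank or malformed line
        if source_ip is not None and entry["client"] != source_ip:
            continue
        if ignore is not None and ignore.search(entry["url"]):
            continue
        kept.append(entry)
    return kept


if __name__ == "__main__":
    for entry in filter_proxy_log(SAMPLE_LOG.splitlines()):
        print(entry["time"].strftime("%H:%M:%S"), entry["client"], entry["status"], entry["url"])
```

With the default-style pattern, three of the five constructed requests remain, including
the image fetched as logo.png?v=2; with QUERY_AWARE_IGNORE only index.html and the denied
setup.exe request remain. When you edit the Ignore filter: box, check a day's log with
the filter disabled first, so you can see what the pattern is hiding.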
Note: Not all denied packets are hostile attempts by crackers to gain access to your
machine. Blocked packets commonly occur for a number of harmless reasons and many can be
safely ignored. Among these are attempted connections to the "ident/auth" port (113),
which are blocked by default in IPCop; mail and IRC servers often try an ident lookup
when a machine on your network connects to them.
The controls on this page are the basic Month, Day, << (Day before), >> (Day after),
Update and Export buttons that are described in detail at the beginning of this Sec-
tion.
The Log: section of this page contains an entry for each of the packets that were
"dropped" by the firewall. Included is the time of the event, the Source and Destina-
tion IP addresses and ports for the dropped packet, the protocol used for that packet,
and the IPCop Chain and Interface involved.
You can obtain information about the listed IP addresses by clicking on an IP address.
IPCop performs a reverse DNS and whois lookup and reports any available information
about the address's registration and ownership.
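The firewall log fields described above come from the netfilter LOG target, whose syslog
lines carry IN=, OUT=, SRC=, DST=, PROTO=, SPT= and DPT= pairs. The following added
example (not from the IPCop guide or the IPCop code) parses a few constructed lines of
that shape and applies the advice of the Note: drops aimed at TCP port 113 (ident/auth)
are counted as noise, while a source that hits several different destination ports is
flagged for review. The chain name is assumed to be the log prefix that precedes IN= on
each line, and the sample addresses are taken from the documentation ranges.

```python
"""Triage netfilter 'dropped packet' log lines (added example, not IPCop code)."""
import re
from collections import defaultdict

# Constructed sample in the netfilter LOG target's syslog format. The chain name
# IPCop shows is assumed to be the log prefix written before "IN=".
SAMPLE_LOG = """\
Dec 13 10:15:01 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=40123 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 13 10:15:07 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.50 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 13 10:15:08 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.50 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 13 10:15:09 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.50 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=51000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 13 10:15:10 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.50 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=51000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 13 10:15:12 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=55 ID=777 PROTO=UDP SPT=53 DPT=1025 LEN=58
Dec 13 10:15:20 ipcop kernel: NEW not SYN? IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.200 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=9 PROTO=TCP SPT=40000 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
"""

IDENT_PORT = 113

# syslog timestamp, host, "kernel:", the log prefix (chain), then the IN= field.
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<chain>.*?)\s*IN=(?P<rest>.*)$")


def parse_line(line):
    """Return the fields the Firewall Logs page shows, or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Every netfilter field is KEY=VALUE; flags such as DF or SYN have no '=' and are skipped.
    fields = dict(re.findall(r"(\w+)=(\S*)", "IN=" + m.group("rest")))
    return {
        "time": m.group("time"),
        "chain": m.group("chain"),
        "iface_in": fields.get("IN", ""),
        "iface_out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def classify(entry):
    """Apply the guide's note: blocked ident/auth (TCP 113) connections are normally harmless."""
    if entry["proto"] == "TCP" and entry["dpt"] == IDENT_PORT:
        return "ident-noise"
    return "review"


def triage(lines, scan_threshold=3):
    """Summarise a day's dropped packets: counts per chain, ident noise, and sources that
    touched at least scan_threshold distinct destination ports (a simple scan heuristic)."""
    report = {"parsed": 0, "unparsed": 0, "ident_probes": 0,
              "suspected_scans": {}, "by_chain": defaultdict(int)}
    ports_by_src = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        report["by_chain"][entry["chain"]] += 1
        if classify(entry) == "ident-noise":
            report["ident_probes"] += 1
            continue
        if entry["dpt"] is not None:
            ports_by_src[entry["src"]].add(entry["dpt"])
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            report["suspected_scans"][src] = sorted(ports)
    report["by_chain"] = dict(report["by_chain"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

On the constructed sample the single port 113 probe is set aside as noise, the source that
tried ports 22, 23, 445 and 3389 in quick succession is listed under suspected_scans, and
the "NEW not SYN?" entry is counted separately by chain, so it is not confused with a
rejected inbound connection. Exported log.dat files from the Firewall Logs page can be
fed to triage() line by line in the same way.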
• IPCop (default) - general IPCop events like PPP profile saving and connection ("PPP
has gone up on ppp0") and disconnection ("PPP has gone down on ppp0") of dialup modem
links.
• RED - traffic sent over the interface that is providing the PPP interface for IPCop.
This includes the data strings sent to, and received from modems and other net-
Appendix A. GNU Free Documentation License
Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59 Temple Place, Suite
330, Boston, MA 02111-1307 USA. Everyone is permitted to copy and distribute ver-
batim copies of this license document, but changing it is not allowed.
0. Preamble
The purpose of this License is to make a manual, textbook, or other functional and
useful document “free” in the sense of freedom: to assure everyone the effective free-
dom to copy and redistribute it, with or without modifying it, either commercially or
noncommercially. Secondarily, this License preserves for the author and publisher a
way to get credit for their work, while not being considered responsible for modifi-
cations made by others.
This License is a kind of “copyleft”, which means that derivative works of the doc-
ument must themselves be free in the same sense. It complements the GNU General
Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because
free software needs free documentation: a free program should come with manuals
providing the same freedoms that the software does. But this License is not limited
to software manuals; it can be used for any textual work, regardless of subject matter
or whether it is published as a printed book. We recommend this License principally
for works whose purpose is instruction or reference.
2. Verbatim Copying
You may copy and distribute the Document in any medium, either commercially or
noncommercially, provided that this License, the copyright notices, and the license
notice saying this License applies to the Document are reproduced in all copies, and
that you add no other conditions whatsoever to those of this License. You may not
use technical measures to obstruct or control the reading or further copying of the
copies you make or distribute. However, you may accept compensation in exchange
for copies. If you distribute a large enough number of copies you must also follow
the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may
publicly display copies.
3. Copying In Quantity
If you publish printed copies (or copies in media that commonly have printed cov-
ers) of the Document, numbering more than 100, and the Document’s license notice
requires Cover Texts, you must enclose the copies in covers that carry, clearly and
legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover
Texts on the back cover. Both covers must also clearly and legibly identify you as the
publisher of these copies. The front cover must present the full title with all words
of the title equally prominent and visible. You may add other material on the covers
in addition. Copying with changes limited to the covers, as long as they preserve the
title of the Document and satisfy these conditions, can be treated as verbatim copying
in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put
the first ones listed (as many as fit reasonably) on the actual cover, and continue the
rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than
100, you must either include a machine-readable Transparent copy along with each
Opaque copy, or state in or with each Opaque copy a computer-network location
from which the general network-using public has access to download using public-
standard network protocols a complete Transparent copy of the Document, free of
added material. If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure that this Trans-
parent copy will remain thus accessible at the stated location until at least one year
after the last time you distribute an Opaque copy (directly or through your agents or
retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well
before redistributing any large number of copies, to give them a chance to provide
you with an updated version of the Document.
4. Modifications
You may copy and distribute a Modified Version of the Document under the condi-
tions of sections 2 and 3 above, provided that you release the Modified Version un-
der precisely this License, with the Modified Version filling the role of the Document,
thus licensing distribution and modification of the Modified Version to whoever pos-
sesses a copy of it. In addition, you must do these things in the Modified Version:
A. Use in the Title Page (and on the covers, if any) a title distinct from that of
the Document, and from those of previous versions (which should, if there
were any, be listed in the History section of the Document). You may use the
same title as a previous version if the original publisher of that version gives
permission.
B. List on the Title Page, as authors, one or more persons or entities responsible
for authorship of the modifications in the Modified Version, together with at
least five of the principal authors of the Document (all of its principal authors,
if it has fewer than five), unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as
the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the
other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the
public permission to use the Modified Version under the terms of this License,
in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required
Cover Texts given in the Document’s license notice.
H. Include an unaltered copy of this License.
I. Preserve the section entitled “History”, Preserve its Title, and add to it an item
stating at least the title, year, new authors, and publisher of the Modified Ver-
sion as given on the Title Page. If there is no section Entitled “History” in the
Document, create one stating the title, year, authors, and publisher of the Doc-
ument as given on its Title Page, then add an item describing the Modified
Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access
to a Transparent copy of the Document, and likewise the network locations
given in the Document for previous versions it was based on. These may be
placed in the “History” section. You may omit a network location for a work
that was published at least four years before the Document itself, or if the orig-
inal publisher of the version it refers to gives permission.
K. In any section Entitled “Acknowledgements” or “Dedications”, Preserve the
Title of the section, and preserve in the section all the substance and tone of
each of the contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and
in their titles. Section numbers or the equivalent are not considered part of the
section titles.
M. Delete any section Entitled “Endorsements”. Such a section may not be in-
cluded in the Modified Version.
N. Do not retitle any existing section to be Entitled “Endorsements” or to conflict
in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.
If the Modified Version includes new front-matter sections or appendices that qualify
as Secondary Sections and contain no material copied from the Document, you may
at your option designate some or all of these sections as invariant. To do this, add
their titles to the list of Invariant Sections in the Modified Version’s license notice.
These titles must be distinct from any other section titles.
You may add a section Entitled “Endorsements”, provided it contains nothing but
endorsements of your Modified Version by various parties--for example, statements
of peer review or that the text has been approved by an organization as the authori-
tative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage
of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the
Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text
may be added by (or through arrangements made by) any one entity. If the Document
already includes a cover text for the same cover, previously added by you or by
arrangement made by the same entity you are acting on behalf of, you may not add
another; but you may replace the old one, on explicit permission from the previous
publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permis-
sion to use their names for publicity for or to assert or imply endorsement of any
Modified Version.
5. Combining Documents
You may combine the Document with other documents released under this License,
under the terms defined in section 4 above for modified versions, provided that you
include in the combination all of the Invariant Sections of all of the original docu-
ments, unmodified, and list them all as Invariant Sections of your combined work in
its license notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and multiple identi-
cal Invariant Sections may be replaced with a single copy. If there are multiple Invari-
ant Sections with the same name but different contents, make the title of each such
section unique by adding at the end of it, in parentheses, the name of the original
author or publisher of that section if known, or else a unique number. Make the same
adjustment to the section titles in the list of Invariant Sections in the license notice of
the combined work.
In the combination, you must combine any sections Entitled “History” in the var-
ious original documents, forming one section Entitled “History”; likewise combine
any sections Entitled “Acknowledgements”, and any sections Entitled “Dedications”.
You must delete all sections Entitled “Endorsements.”
6. Collections of Documents
You may make a collection consisting of the Document and other documents released
under this License, and replace the individual copies of this License in the various
documents with a single copy that is included in the collection, provided that you
follow the rules of this License for verbatim copying of each of the documents in all
other respects.
You may extract a single document from such a collection, and distribute it individu-
ally under this License, provided you insert a copy of this License into the extracted
document, and follow this License in all other respects regarding verbatim copying
of that document.
8. Translation
Translation is considered a kind of modification, so you may distribute translations of
the Document under the terms of section 4. Replacing Invariant Sections with transla-
tions requires special permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the original versions of
these Invariant Sections. You may include a translation of this License, and all the
license notices in the Document, and any Warrany Disclaimers, provided that you
also include the original English version of this License and the original versions of
those notices and disclaimers. In case of a disagreement between the translation and
the original version of this License or a notice or disclaimer, the original version will
prevail.
If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or
“History”, the requirement (section 4) to Preserve its Title (section 1) will typically
require changing the actual title.
9. Termination
You may not copy, modify, sublicense, or distribute the Document except as expressly
provided for under this License. Any other attempt to copy, modify, sublicense or
distribute the Document is void, and will automatically terminate your rights under
this License. However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such parties remain in
full compliance.