Configuring IPCop Firewalls: Closing Borders with Open Source

Features of IPCop

Throughout this book we will be discussing version 1.4.10 of IPCop, which is the latest release at time of writing. As IPCop is continually being developed new features will be added and some of these features may change.

Web Interface

A lot of firewalls come with a cluttered, complex user front end that requires a significant amount of training and experience to become familiar with. The ISA Server interface, for instance, is famously unintuitive, and interfaces are often not designed to make common tasks simple and easy to accomplish.

Frequently, proprietary firewalls such as ISA server and BorderWare will rename common functions such as port forwarding and refer to them as something entirely different, not making life any easier even for an administrator with experience of firewalls, but no knowledge of the particular user interface in question. As an easy example of this, BorderWare refers to port forwarding as an internal proxy, ISA as publishing, and DrayTek's line of (reliable and full-featured, but somewhat tricky-to-configure) routers refer to it as a virtual server. These definitions in some instances have a reason (application-layer firewalls will proxy traffic, as we discovered earlier), but don't really make life easier, even if they have a justification!

We will take a close look at how to set up IPCop and therefore will spend a lot of time inside the interface. It is therefore extremely fortunate that the interface is quite easy to use and very intuitive. The IPCop developers have decided to use an interface based on a website built into the system with the consequence that for most people, the interface is a familiar environment as it is quite unlikely that anyone setting up a firewall has never used a website.

[Figure: the IPCop web interface]

Merely using a website as the Graphical User Interface (GUI) is not enough. The interface still has to be set out so that it is easy to figure out and access all of the common functions. Most of the functions we will look at will consist of filling simple forms, which is an effective and easy-to-manage interface. IPCop isn't unique in using such an interface. Many devices such as SOHO cable routers made by Linksys, DrayTek, and D-Link have a similar setup, and many high-end products from Cisco appliances to HP Procurve switches do too, but few of these contain all of the features and the ease of use provided by IPCop.

Network Interfaces

IPCop provides up to four network interfaces, each of which is usually connected to a separate network. This is an adequate number for most IPCop deployments, as it is rare to have many networks converging at one point in a small to medium sized network, but IPCop can accommodate connections to more networks than this through use of a Virtual Private Network (VPN). The four networks available are given identifying colors for ease of administration.

The Green Network Interface

The Green network segment of an IPCop deployment represents the internal network, and is implicitly trusted. An IPCop firewall will automatically allow all connections from the Green segment to all other segments.

The Green segment is always an Ethernet Network Interface Card (NIC), and there is no support for any other device utilized in this capacity. A local network may be as simple as a small hub plugged into the Green interface, or may encompass several dozen switches, a layer two bridge to another site, or even a router.

Note

Addressing on the Green Interface

The Green network should use a private address range (private address ranges can be found in RFC1918). Although it is possible to set this up with a publicly addressable address range, the default IPCop configuration is one in which NAT is used to expose only one IP address, and as such, using a public address range on the Green network segment would be pointless, as IPCop would treat it as if it were a private address range! Using IPCop as a routing firewall (rather than a firewall performing NAT, which is the default configuration) requires more advanced configuration and cannot be accomplished through the GUI.

Typically, a network approaching this complexity would choose to segment its network with one or more firewalls or routers built on IPCop, another free software package, or a commercial package, but with adequate knowledge of networking and several hardware platforms, one could build a complex, secure network topology using IPCop.

The Red Network Interface

Similar to the Green network interface, the Red network interface is always present. The Red network interface represents either the Internet or an untrusted network segment (in a larger topology).

The principal goal of the IPCop firewall is to protect the Green, Blue, and Orange segments and the networked hosts on them from traffic, users, and hosts on the Red segment. The Red network segment is typically well-firewalled and will not open a large number of ports into the internal network segments (if any at all). The default is none.

Note

Addressing on the Red Interface

The Red segment will almost always use a public address range, assigned by your Internet Service Provider. It is possible (but less common) for Internet Service Providers to use private address ranges for large portions of their internal networks and to perform NAT at the border in between their network and the Internet-exposed backbone.

GPRS and 3G networks commonly do this, as do some cable ISPs. If in doubt, ask your ISP or check an existing machine or router connected to your ISP. The website www.dnsstuff.com can be used to WHOIS an IP address to check the registration, and if you're unsure as to whether an IP address is private or public, this can be an excellent way to check the ownership.

The Red network segment is the only network segment on which IPCop has support for hardware other than an Ethernet Network Interface Card. The Red segment may be an Ethernet network interface allocated statically or using DHCP, it may be a USB ADSL modem, an ISDN card, or even a dial-up, analog modem connected to the Public Switched Telephone Network.

Other hardware interfaces that IPCop will support on this interface include:

USB and PCI ADSL Modems

DSL is a technology that allows a broadband, high-speed internet or network signal to be sent over an existing copper phone line. This form of internet provision is extremely popular, particularly in countries with traditionally lower uptake of services like cable, as it requires no expensive digging up and rewiring of streets and premises with new wiring for cable or network infrastructure. One of the downsides of DSL is the comparatively short range of DSL signals, necessitating proximity to a telephone exchange, although this limit increases as technology advances.

IPCop will allow users with DSL services (both SDSL and ADSL) to attach certain brands of modem directly to the IPCop firewall. There are three principal ways to attach an IPCop firewall to a DSL line.

The first of these is to attach the IPCop host to an ADSL modem via Ethernet. Generally the most stable way, this has the disadvantage of being more difficult to set up. Modems that are full-fledged routers, such as the many routers based around Conexant chipsets, are generally designed to act as the NAT router in a network themselves. These devices have either one Ethernet port (which plugs into a switch or hub) or several Ethernet ports (and a small built-in switch), and hand out private addresses (frequently in the 10.0.0.0/8 range) to clients on the network themselves, acting as a firewall. Connecting an IPCop host to the rear of one of these routers without altering the default configuration is a bad idea, as you are performing Network Address Translation twice.

While NAT frequently breaks protocols when performed once, performing it twice is almost a guaranteed way to give you networking headaches. In addition to the routing issues caused by essentially having two networks between you and the Internet, it is very hard to achieve port forwarding through these routers for protocols such as BitTorrent, SIP, online gaming, or incoming services like SMTP mail, as each port forward must be configured twice. These routers must therefore be configured not to act as NAT gateways, but instead to fall back to behaving like normal routers. Without more than one IP address this is impossible, leaving home users or businesses without a fixed pool of IP addresses from their ISP in a conundrum if they wish to use IPCop!

Some ADSL routers that are Ethernet-based, therefore, have a feature referred to as PPP Half Bridge. This feature allows the device plugged in via Ethernet (i.e. your IPCop firewall) to get the public IP address from your ISP, and stops the router from acting as a firewall or NAT gateway. When acting in this mode, an ADSL router takes the IP address allocated by the ISP during authentication and gives it to the first device that requests an address via DHCP. This function should be documented in your ADSL router's manual.

The second way to configure ADSL is using a USB ADSL modem attached directly to the PC or firewall. While perhaps simplest (as it requires minimal knowledge of networking, and no complex cabling or hardware installation), these modems are the cheapest, least reliable, and have the poorest performance of all three methods.

The third way to configure ADSL is using internal ADSL or SDSL cards, occupying one PCI slot inside a firewall, PC, or server. This is perhaps the least common method of configuring ADSL.

IPCop supports all three, to an extent. Wherever possible, the authors strongly recommend the use of an Ethernet ADSL modem, either configured as a router using a static set of addresses or (if this isn't possible) using DHCP, either natively or using a workaround like PPP Half Bridge. Here is a list of supported devices in IPCop:

  • The Alcatel SpeedTouch series of USB ADSL modems
  • ECI USB ADSL devices (including BT Voyager Modems, the Zoom 5510 ADSL modem, and several dozen other similar devices)
  • BeWan USB/PCI ADSL modems (the ST series of USB modem, and the ST series of PCI modem)
  • Conexant USB modems (including the Zoom 5510, DrayTek Vigor 318, and several others)
  • Conexant PCI modems
  • Amedyn ADSL modems (for which the HCL lists only the Zyxel 630-11, Asus AAM6000UG USB)
  • The 3com 3CP4218 USB ADSL modem

ISDN Modems

Integrated Services Digital Network (ISDN) is a form of (slow) broadband internet access provision predating ADSL or Cable connections. ISDN is essentially a form of digital circuit telephone line. ISDN was frequently used before the widespread adoption of broadband via cable, DSL, and satellite, and still sees usage in some branch offices, for remote working, and in areas with no DSL, cable, or satellite availability.

IPCop has support for a large number of ISDN modems (the 1.4.10 HCL lists 34). The full list is available on the IPCop Wiki site (http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCopHCLv01).

Analog (POTS) Modems

IPCop should support any hardware analog (dial-up) modem. Hardware devices are generally attached via a serial port or as an ISA card.

Newer modems using the PCI interface are frequently software based. This means that a certain proportion of the modem's work is performed on the CPU of the computer it is attached to, by software, rather than by the modem itself.

Without device drivers that perform this work, such modems will not work, and as there are typically no drivers for these devices written for the Linux operating system, they are generally viewed as broken in Linux. USB modems should also work in IPCop.

The IPCop HCL lists one PCI modem that works with IPCop, the PCI Smartlink 5634PCV.

Cable and Satellite Internet

Generally speaking, internet services via cable from providers in Europe and the USA provide Ethernet modems that will just work in IPCop, as they provide a public, routable IP address via DHCP. Some cable providers, however, provide USB modems that are unlikely to work in IPCop. The same is true of satellite internet: its USB modems are unlikely to work in IPCop.

The Orange Network Interface

The optional Orange network interface is designed as a DMZ network (see http://www.firewall.cx/dmz.php for more information on DMZ firewalls). In military terminology, a DMZ (Demilitarized Zone) is an area where military activity is not permitted, such as a frontier in between two distinct (and hostile) countries. In firewall terminology, then, the term DMZ takes on a similar meaning, as a network segment in between the internal network of an organization and an external network such as the Internet. In this segment, servers are protected from the Internet by firewalls, but segregated (as they have internet exposure) from internal clients that are in a more protected zone behind the front line.

It is into this untrusted but segregated network that an organization will generally put any service designed to face the outside world, such as a web server (which serves outside clients for website requests), or more commonly a mail server (to which outside servers connect in order to deliver mail via SMTP).

Note

Addressing on the Orange Interface

The Orange network interface generally uses a private address range as NAT is performed by IPCop. As with the Green zone, a routing rather than NATing firewall requires advanced configuration.

For this reason, the DMZ is considered to be an untrusted network segment, second only to the Red network interface. Hosts on the Orange network segment cannot connect to the Green or Blue network segments—all traffic from the Orange network segment to these internal segments must be explicitly allowed via DMZ pinholes. Traffic from the Red network segment to the Orange segment is allowed via port forwarding.

Clients on the Orange network should not, however, use the IPCop firewall as a DNS or DHCP server. There are valid security reasons for this—additional exposure to services on the IPCop host for this segment, apart from being harder to configure, increases the exposure of the IPCop host to attack from the Orange zone, decreasing the ability to provide secure services for clients in the Green zone.

The Blue Network Interface

The optional Blue network interface is a comparatively recent addition to IPCop, arriving with the 1.4 release series. This network is designed specifically for a separate wireless segment. Hosts on the Blue segment cannot get to the Green network other than through specific pinholes in a similar manner to the Orange network.

Note

Addressing on the Blue Network Segment

The Blue network will almost always use a private address range.

IPCop also allows for the capability to connect to the Green zone via a Virtual Private Network, allowing clients to fully access resources on this network segment.

The Blue segment does not necessarily have to be a wireless segment—as the Blue segment is simply another network segment, and the wireless connection of hosts is transparent to IPCop, there is absolutely nothing stopping you from using the Blue segment as another subnet on your network if you are outgrowing the number of hosts available to you in your Green zone.

Using the Blue zone in this manner would also be a good way to separate hosts with distinct usage of the network, such as a subnet of workstations used by a particular group of staff, in public areas, or on a factory floor. The Blue zone might even be used as the default zone for a network in which the administrator did not want the hosts on the network to automatically have access to every resource on the network, as the Green zone does.

In such a topology, the IT staff might be allocated the Green zone in order to access network resources, while workstations might be kept in the Blue zone, with specific access to areas of the network they required.

Simple Administration and Monitoring

As a device that aims to be easy to use, it would not be of much use to the user if he or she had to reinstall each time a new version came out. It would also be extremely beneficial if the user didn't have to log in to the Linux console on the machine at any time. The IPCop developers obviously agree with this and therefore have built in a simple upgrade system. This can be managed entirely from the web interface. If, however, the user did want to log in to the Linux console and make changes, this could be done quite simply by using a keyboard/monitor attached to the machine or by using SSH from a computer on the local network (Green interface). SSH, for added security, is disabled by default and would have to be enabled before it could be used.

Note

Local Console

It is quite common to run servers such as IPCop firewalls on PCs with keyboard and monitor detached, as they are rarely used. Although convenient, this can cause problems as some motherboards (and software packages) do not like keyboards and mice (particularly with PS/2 connectors) being hotplugged. Although monitors are hot-swappable (so you can disconnect and reconnect the monitor to an IPCop system at will), we recommend that you leave your IPCop system attached either to a keyboard or a KVM switch.

Another side effect of leaving the keyboard detached is that the BIOS in many computers will halt on startup and await a keypress if it does not see a keyboard attached. For computers that do not have keyboards attached, this behavior can (and really should) usually be disabled in the BIOS configuration.

You can also back up and restore your configuration from this same interface, which ensures that all common administration tasks for the firewall can be managed very easily and more importantly without any knowledge about Linux or the bash shell.

With the status provided on the web interface we can see exactly how the system is doing. For example we can see which services are currently running on the firewall, memory and disk usage, as well as traffic graphs, if we have an interest in this.

[Figure: the status page of the web interface]

Again these features show the power of the web-based interface and why this particular interface was chosen. We can also quickly see important system information without logging in to the system with an interactive shell.

Logs can also be viewed using the web-based log viewer, which means you can keep an eye on the system quite easily with absolutely no need to log directly into the system. IPCop also has the ability to export these logs to a remote Syslog server for simplified management and log aggregation, especially if you have a few devices to monitor.

Modem Settings

As many home users are using ISDN or ADSL modems for dial-up (including USB ADSL modems), it's important that IPCop supports them. A variety of common modems are supported, IPCop has the functionality to load additional drivers for modems it does not support by default, and the configuration options for these are fairly flexible. It's not very common for firewalls to support modems and drivers for them in this manner; this is one of the unique features of IPCop and a reason why it fits so well in the SOHO network.

[Figure: the modem settings page]

Services

IPCop provides a variety of essential services for a small network. It's not strictly firewall best practice to provide such services on the same box that is supposed to be a network protection mechanism, but economy comes into play on smaller networks and it's very useful to have all the basic network services provided by a single machine.

Web Proxy

IPCop can be used as a proxy as well as a firewall. You can easily manage the cache and configure the proxy on the Green interface. The benefit of the defined interfaces becomes quite apparent here as it means a simple checkbox click is all that is required to set up proxying on IPCop.

[Figure: the web proxy configuration page]

DHCP

As a network grows, allocating network configuration to clients manually becomes extremely difficult, and it's fairly important to be able to automate this, as well as to manage the use of the network addresses you use. The Dynamic Host Configuration Protocol (DHCP) configuration in IPCop makes it easy for you to provide DHCP services to the clients on the Green interface, even if you're unsure of how to do this otherwise. Doing this via DHCP simplifies client-side configuration, meaning that most machines will connect to the network and have internet access automatically without any configuration required on the host.


Dynamic DNS

Generally speaking, internet connections for SOHO users will have a Fully Qualified Domain Name (FQDN) something like 31-34-43-10.someISP.net. The FQDN of a computer on the Internet can be used to make connections to it—so a connection made to Google, for instance, goes to www.google.com. For a home user, your FQDN is not a domain name like google.com, but instead a domain name used by your ISP to identify which ISP you're coming from and which client you are on its network, and generally to make things a bit more understandable for humans.

While this makes sense for an ISP managing its clients, it makes connecting remotely to a network that has internet connectivity provided like this difficult. Even if you could memorize and hand out your ISP's allocated domain name, it would still not be a solution if you want people to be able to access services you host, as the IP address, and therefore the FQDN of your firewall or router would change from time to time.

Therefore, many networks use Dynamic DNS. Using a dynamic DNS system, a small piece of software running on a firewall or client attached to the Internet will update a server on the Internet (a dynamic DNS server) with your IP address, and redirect a fixed hostname (such as yourname.dynamicdnsprovider.com) to whatever your IP address is at present. If you connect to an IPSec VPN, or another service such as HTTP, VNC, or a terminal service, or if clients connect to you remotely using these protocols, the connections can be made to this dynamic DNS hostname, and will seamlessly go to the IP updated with the dynamic DNS server.


Since these services require constantly updating a server with your current IP address in order to keep the DNS working, use of dynamic DNS requires a computer or other device running software constantly talking to a Dynamic DNS Provider.

Dynamic DNS is a feature not commonly found in larger firewall products and certainly isn't common in most low-end home routers.
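The update loop described above, written out as an added example (this is not IPCop's own updater). It assumes a dyndns2-style provider reply format ('good', 'nochg', 'badauth', ...), which the chapter does not specify, and uses a constructed in-memory provider so it runs without a network:

```python
"""Dynamic DNS client logic (added example, not IPCop's own updater).

The chapter describes a small program on the firewall that keeps a fixed
hostname pointed at whatever public address the ISP has handed out. This
models that loop: detect an address change, push it to the provider, and
stop when the provider reports a configuration error. The reply words
('good', 'nochg', 'badauth', ...) follow the dyndns2-style protocol that
many providers accept; that protocol choice is an assumption here.
"""
from typing import Callable, Optional

# Provider replies that mean "this hostname will not be updated, fix config".
FATAL_REPLIES = {"badauth", "nohost", "notfqdn", "abuse"}


class DdnsUpdater:
    def __init__(self, hostname: str,
                 get_public_ip: Callable[[], str],
                 send_update: Callable[[str, str], str]):
        self.hostname = hostname
        self.get_public_ip = get_public_ip      # e.g. reads the RED address
        self.send_update = send_update          # talks to the provider
        self.last_ip: Optional[str] = None      # last address we confirmed
        self.stopped = False                    # set after a fatal reply

    def poll(self) -> str:
        """One cycle: 'synced', 'unchanged', 'retry' or 'stopped'."""
        if self.stopped:
            return "stopped"
        ip = self.get_public_ip()
        if ip == self.last_ip:
            return "unchanged"     # nothing to do, do not bother the provider
        reply = self.send_update(self.hostname, ip).strip()
        code = reply.split()[0] if reply else ""
        if code in ("good", "nochg"):
            self.last_ip = ip      # provider now maps hostname -> ip
            return "synced"
        if code in FATAL_REPLIES:
            self.stopped = True    # retrying with the same settings is useless
            return "stopped"
        return "retry"             # transient failure ('911' style); try later


def make_fake_provider(registry: dict) -> Callable[[str, str], str]:
    """Constructed stand-in for a provider's update endpoint (no network)."""
    def send(hostname: str, ip: str) -> str:
        if hostname not in registry:
            return "nohost"
        if registry[hostname] == ip:
            return f"nochg {ip}"
        registry[hostname] = ip
        return f"good {ip}"
    return send
```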


Time Server

Hosts on the network commonly need to be configured to keep the same time, whether this is because of authentication mechanisms such as Kerberos or merely for convenience. IPCop provides the Network Time Protocol (NTP) service, which can be used to keep all clients on the network synchronized.

Using NTP, the IPCop server connects to an NTP timeserver on the Internet, from which it ascertains the correct time. It then keeps this internally using the computer's clock, and acts as an NTP server for clients within the network. By regularly updating from an upstream NTP server, the IPCop box can ensure that the time is kept to a reasonable degree of accuracy.

By updating from a local source, rather than having every local client update from an external time source, you keep clients accurate to each other (so even if the time isn't strictly accurate, you know all of your local clients keep approximately the same time, important for things like log auditing and Kerberos). Most importantly, it also reduces the load on NTP servers, which are providing you with a free service!

Information on how to configure client operating systems to talk to an NTP server can be found here:

Advanced Network Services

Traffic shaping and intrusion detection are quite advanced network services that we wouldn't expect to see in most SOHO devices. IPCop not only provides these, but also makes them very easy to manage, and as we look at configuring IPCop, we will see exactly how easily these quite complicated systems can be maintained.

[Figure: the advanced network services pages]

Port Forwarding

This is a feature that is quite common in a firewall from SOHO to large enterprises. The benefits of IPCop here are twofold. Firstly, we don't have any limitations on the number of forwardings we can add and secondly it is very easy to set up. With some SOHO devices not only do we have limitations on the number of ports we can forward, but we also often find very complicated configurations surrounding it. Enterprise systems are complicated by nature and in this particular feature the complication is exacerbated.

[Figure: the port forwarding configuration page]

As we can see, the IPCop firewall appears to the client to be both a mail server and a web server, but connections to ports 25 and 80 in this example configuration are in fact forwarded to the servers configured in the port forwarding menu. These servers in an IPCop configuration would probably be in the Orange zone.

[Figure: port forwarding of ports 25 and 80 to servers behind IPCop]
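The zone trust model described in this chapter (Green trusted everywhere, Orange and Blue reaching internal zones only through DMZ pinholes, Red getting in only through port forwards such as the ports 25 and 80 above), plus the RFC 1918 addressing check from the Green note, as an added, runnable model. It is example code, not IPCop's own rule set; the addresses are constructed, and whether Orange or Blue hosts may reach Red by default is an assumption the chapter does not state:

```python
"""Model of IPCop's four-zone trust policy (added example, not IPCop code).

From the chapter: GREEN may reach every other zone; ORANGE and BLUE reach
GREEN (or BLUE) only through explicit DMZ pinholes; RED reaches nothing
unless a port forward maps a firewall port to an internal host. Whether
ORANGE/BLUE may reach RED by default is not stated; assumed allowed here.
"""
from dataclasses import dataclass, field
import ipaddress
# RFC 1918 private ranges, which GREEN/ORANGE/BLUE are expected to use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

# Zone pairs allowed by default; any pair not listed is denied.
DEFAULT_ALLOW = {
    ("GREEN", "RED"), ("GREEN", "ORANGE"), ("GREEN", "BLUE"),
    ("ORANGE", "RED"),  # assumption: DMZ servers may initiate outbound
    ("BLUE", "RED"),    # assumption: wireless clients may reach the Internet
}

@dataclass(frozen=True)
class Pinhole:
    """DMZ pinhole: one ORANGE/BLUE host may reach one internal host:port."""
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    proto: str
    port: int

@dataclass(frozen=True)
class PortForward:
    """Port on the RED side of the firewall mapped to an internal host:port."""
    proto: str
    ext_port: int
    dst_zone: str
    dst_host: str
    dst_port: int

@dataclass
class Policy:
    pinholes: list = field(default_factory=list)
    forwards: list = field(default_factory=list)

    def decide(self, src_zone, src_host, dst_zone, dst_host, proto, port):
        """Return (allowed, final destination) for a new connection."""
        if (src_zone, dst_zone) in DEFAULT_ALLOW:
            return True, (dst_zone, dst_host, port)
        if src_zone == "RED":
            # Inbound traffic targets the firewall's public IP; only a
            # forwarded port gets in, rewritten to the configured server.
            for f in self.forwards:
                if f.proto == proto and f.ext_port == port:
                    return True, (f.dst_zone, f.dst_host, f.dst_port)
            return False, None
        # ORANGE/BLUE towards an internal zone: needs an exact pinhole match.
        wanted = Pinhole(src_zone, src_host, dst_zone, dst_host, proto, port)
        if wanted in self.pinholes:
            return True, (dst_zone, dst_host, port)
        return False, None

def example_policy() -> Policy:
    """Constructed sample: mail and web servers in the DMZ, one pinhole."""
    pol = Policy()
    pol.forwards += [PortForward("tcp", 25, "ORANGE", "10.0.1.25", 25),
                     PortForward("tcp", 80, "ORANGE", "10.0.1.80", 80)]
    # Only the DMZ mail server may query the internal directory over LDAP.
    pol.pinholes.append(Pinhole("ORANGE", "10.0.1.25", "GREEN",
                                "192.168.1.10", "tcp", 389))
    return pol
```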