Kwickserver Firewall Documentation
Version 1.1
Peter Buzanits
27. 9. 2007

Overview

Kwickserver Firewall is an installation CD with which you can set up a firewall for two distinct networks in a few steps and without expert knowledge. The firewall is optimized for operation in schools and educational organizations, because in this area the requirements for a firewall are very high. Of course you can use Kwickserver Firewall in all other scenarios where firewalls are necessary. The features of the firewall can be activated or deactivated individually, so the firewall can be customized for all possible uses. The main effort has been put on easy installation and usability. The installation runs automatically and the configuration is done through an easy web interface.

Features

Two distinct internal networks

You can build two internal networks, for example one for the administration and the teachers and the other for the students. All settings can be configured for both networks separately. You can also configure which network should have access to the other one.

Portfilter

You can filter ports for your internal networks. There are two possibilities: to filter all except specific ports, or to filter none except specific ports. For some services like web or FTP the port numbers are predefined, so you do not have to know them by heart.
Web Content Filter

Special content, like websites that are not suitable for the youth or sites that glorify violence, can be filtered for your networks. Users trying to surf to such sites are redirected to a configurable web page. Be aware that the content filter only works on connections to port 80 (most web servers work on this port).

Traffic Shaping

It is possible to limit the available bandwidth for the internal networks. Limits based on the IP address of the user or on the port in use are also possible, and available bandwidth can be guaranteed to users or ports. So you can, for example, limit the bandwidth for web downloads in one of your networks.

DHCP Server

Kwickserver Firewall can operate as DHCP server for both internal networks. The address ranges for both networks can be defined.

VPN

It is possible to define virtual private networks (VPN). So road warriors, persons without fixed IP addresses out on the Internet, can access the networks from outside. Or you can connect two networks protected by Kwickserver Firewall with a VPN tunnel.

Installation

The installation of Kwickserver Firewall is pretty easy: boot the computer with the installation CD in the drive. Be sure that the computer is configured to boot from the CD drive. Now the boot screen appears with a warning that the hard disk will be deleted completely.

Careful! If you press Enter now, the content of your hard disk will be deleted!

If you have a DHCP server in your network (this server gives you the network settings automatically), you should connect the computer to the network. If you don't, you will be asked for the network settings during the installation process and have to type them in manually. After the installation you see a welcome message on your screen, where you can read the address which you should type into your web browser to start the web configuration. All other configuration now happens in your web browser.
Configuration

Initial configuration

The first thing you should do after the installation is setting the network addresses (IP addresses) for all network cards in the computer. Click on the link Settings in the left menu. In the section IP addresses you find under Internet Interface the settings for the network card which is connected to the Internet (for example to the router or DSL modem). Here you can activate DHCP, if you get your network settings from that device, or you can configure the IP settings manually. On the right side you find the settings for the network cards which are connected to your internal networks. If you only have two network cards, use only the first of the two.

Careful! Be sure to set the address of the first internal network correctly. After saving the new IP addresses, for security reasons it is only possible to access the web administration via this interface! If you have not set the correct address in this step, you can change it afterwards from the console. See the troubleshooting section in this manual.

You will now probably lose the connection to the web interface of the Kwickserver, because you changed the network addresses. To reconnect to the web interface, type the address of the first internal network card you just configured into your browser. If this fails, the firewall is probably not connected to the internal network with the correct interface. Unfortunately it is not possible to find out automatically which network card has been selected as the first internal one at installation. Here you have to try until you find it out: connect your firewall with every network card, one after the other, to the internal network and try to connect to it via the web interface. Also be sure that your computer (where the web browser is running) is in the same network and has a network address out of the same range.

Settings

Change Password

Here you can alter your password for the administration interface.
To avoid mistyping you have to type in the password twice. If you forgot your password, you can change it from the console. See the troubleshooting section of this manual for further instructions.

IP addresses

Here you can change the IP addresses (network addresses) of your Kwickserver Firewall. You can configure the Internet Interface to use DHCP. Please ask your Internet Service Provider if you don't know whether you can use DHCP.
DNS server

Here you can configure the DNS servers to use. Your Internet Service Provider should have given you that information. These settings are also given to your client computers if you use the DHCP server feature of the Kwickserver Firewall.

Misc. settings

Enable SSH access for vendor: Here you can allow the programmers of Kwickserver Firewall SSH (secure shell) access to your firewall for diagnostic purposes. When the firewall is in production use, this feature should be disabled.

Enable SNMP access from this address: Here you can configure an IP address which is allowed to contact the internal SNMP server of the firewall. This is useful to monitor the traffic on the firewall. If you are not familiar with SNMP, you should leave this field empty.

Name for first/second network: Here you can give your internal networks names. These names are only used in the web administration and have no other effect.

System

Change Language: Here you can set the language for the web administration. This is the only effect of this setting.

Bootup and Shutdown: Here you can reboot or shut down your firewall. If you press one of these buttons, you must confirm your choice with another button.

Update: Here you can download updates and install them. Further information can be found in the chapter Update system in this manual.

Security

Here you can configure several parameters for the security of your firewall.

Deactivate password change on console: If this checkbox is checked, it is not possible to change the admin password on the console with setpasswd. If you choose this option and forget your password, the root password of the underlying Linux operating system has to be reset. This should only be done by experts, because much damage can be done to the system with the root login.

Deactivate IP address change on console: If you check this option, the IP address of your firewall cannot be changed from the console with setip any more.
If you cannot reach the web administration because of a wrong IP address, the root password of the underlying Linux operating system has to be reset and the IP address changed manually. This should only be done by experts, because much damage can be done to the system with the root login.

Deny SSH login: If you check this checkbox, the admin user cannot log into the firewall with SSH any more. Because this is only useful for diagnostic purposes, you can check this checkbox without any problems.

Deny admin login on console: With this checkbox you can prevent the admin user from logging into the firewall on the console. Because this is only useful for diagnostic purposes, you can check this checkbox without any problems.

Firewall

In this section you configure the special firewall features.

Content Filter

Kwickserver Firewall has a built-in content filter for websites, e. g. to prevent young people in educational facilities from accessing improper content for which you, as operator of the network, would be responsible. The filter can be configured for both networks. If the filter is active for a network, you see a selection of content categories, which can be filtered by checking them with the checkboxes. Under the categories you find a textbox where you can set the web address to which users should be forwarded if they try to access improper content.

The last filter category is Your List. This is a special list which you can define yourself. If you click on Your List, you get to a form where you can define your own filter addresses. You can define domains (e. g. badpage.com), URLs (e. g. http://www.verybad.com/badpics.html) or expressions (e. g. abadword).

Be aware that there are no perfect filters in the world. There will always be sites that are not covered by the filters. Also consider that only websites that run on port 80 of the web server are filtered. This is the case on almost every web server.

DHCP server

You have the possibility to let the firewall act as DHCP server for your internal networks. So you can provide the most important network settings to your client computers automatically. You can activate this feature for both networks separately. For both networks you find textboxes in the web interface for the first and the last address your client computers should get. Be sure to use addresses in the same network as the interface of your firewall is in! If you are not sure whether you need this feature, leave it deactivated.
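A check of the DHCP settings described above, written as an added example (it is not Kwickserver code): using Python's ipaddress module it verifies that a network's first and last DHCP address lie inside the subnet of the firewall's internal interface, are not the network, broadcast or firewall address, and that the two internal networks do not overlap. All interface addresses and ranges are constructed sample values.

```python
"""Sanity checks for the DHCP server settings of the two internal networks.
Added example, not part of Kwickserver Firewall; sample addresses are made up."""
import ipaddress
from typing import List


def check_dhcp_range(iface_ip: str, netmask: str, first: str, last: str) -> List[str]:
    """Return the problems found for one internal network (empty list = OK).

    iface_ip/netmask: address of the firewall's interface in that network.
    first/last: the two textboxes of the DHCP server form.
    """
    iface = ipaddress.ip_interface(f"{iface_ip}/{netmask}")
    net = iface.network
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    problems = []
    if lo > hi:
        problems.append("first address is higher than last address")
    for label, addr in (("first", lo), ("last", hi)):
        if addr not in net:
            # This is the mistake the manual warns about: clients would get
            # addresses the firewall interface cannot talk to.
            problems.append(f"{label} address {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} address {addr} is the network or broadcast address")
    if lo <= iface.ip <= hi:
        # The pool must not hand out the firewall's own address to a client.
        problems.append(f"range contains the firewall's own address {iface.ip}")
    return problems


def check_two_networks(net1: str, net2: str) -> List[str]:
    """The two internal networks must be disjoint, otherwise routing between
    them (and the two DHCP pools) is ambiguous. Accepts 'a.b.c.d/mask' strings."""
    a = ipaddress.ip_network(net1, strict=False)
    b = ipaddress.ip_network(net2, strict=False)
    return [f"{a} and {b} overlap"] if a.overlaps(b) else []


if __name__ == "__main__":
    # Constructed sample: first network OK, second network's pool lies outside
    # the subnet of its interface.
    print(check_dhcp_range("192.168.1.1", "255.255.255.0", "192.168.1.100", "192.168.1.200"))
    print(check_dhcp_range("192.168.2.1", "255.255.255.0", "192.168.3.100", "192.168.3.200"))
    print(check_two_networks("192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0"))
```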
Portfilter/Forward

Here you can block ports for your users. So you can forbid access to specific services (e. g. FTP or Telnet). There are four different types of settings:

No Filter: No ports are filtered.
Allow only these ports: Every port except those you define in the list below is blocked.
Block only these ports: Every port except those you define is allowed. Ports in the list are blocked.
Block all: Every port is blocked. No access to the Internet from that network is possible.
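The four modes above and the port forwarding form of this section, modelled as an added example (not Kwickserver code): it decides whether a client connection is allowed under each mode and renders a mode and the port forwards as iptables commands. That the firewall uses iptables, the interface names eth0/eth1 and a default DROP policy for the FORWARD chain are assumptions; the sample ports and addresses are constructed.

```python
"""Portfilter modes and port forwards as iptables commands (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str  # "tcp" or "udp", exactly the two choices of the web form

    def __post_init__(self):
        if self.proto not in ("tcp", "udp") or not 1 <= self.port <= 65535:
            raise ValueError(f"bad port entry {self.port}/{self.proto}")


@dataclass(frozen=True)
class Forward:
    ext_port: int      # port on the firewall's Internet interface
    proto: str
    target_ip: str     # computer inside a local network
    target_port: int

    def __post_init__(self):
        PortEntry(self.ext_port, self.proto)     # reuse the port/proto checks
        PortEntry(self.target_port, self.proto)
        ipaddress.ip_address(self.target_ip)     # raises ValueError on junk


def is_allowed(mode: str, entries: Iterable[PortEntry], port: int, proto: str) -> bool:
    """What a client in the network gets for a new outbound connection."""
    listed = PortEntry(port, proto) in set(entries)
    return {"no_filter": True, "allow_only": listed,
            "block_only": not listed, "block_all": False}[mode]


def portfilter_rules(mode: str, lan_if: str, entries: Iterable[PortEntry]) -> List[str]:
    """Render one network's mode as FORWARD rules for packets entering lan_if."""
    if mode not in ("no_filter", "allow_only", "block_only", "block_all"):
        raise ValueError(mode)
    base = f"iptables -A FORWARD -i {lan_if}"
    if mode == "no_filter":
        return [f"{base} -j ACCEPT"]
    if mode == "block_all":
        return [f"{base} -j DROP"]
    # Replies to already accepted connections always pass. In allow_only mode
    # the list still has to contain DNS (53/udp), or names stop resolving.
    rules = [f"{base} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    on_list, default = ("ACCEPT", "DROP") if mode == "allow_only" else ("DROP", "ACCEPT")
    for e in sorted(set(entries), key=lambda x: (x.proto, x.port)):
        rules.append(f"{base} -p {e.proto} --dport {e.port} -j {on_list}")
    rules.append(f"{base} -j {default}")  # everything not in the list
    return rules


def forward_rules(wan_if: str, forwards: Iterable[Forward]) -> List[str]:
    """DNAT a port of the Internet interface to an internal host and accept
    that new inbound connection, which the assumed DROP default would stop."""
    rules = []
    for f in forwards:
        rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p {f.proto} --dport "
                     f"{f.ext_port} -j DNAT --to-destination {f.target_ip}:{f.target_port}")
        rules.append(f"iptables -A FORWARD -i {wan_if} -p {f.proto} -d {f.target_ip} "
                     f"--dport {f.target_port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules
```

The second forward rule is the reason the manual calls port forwarding a security risk: every forward deliberately opens a hole from the Internet into the local network, so keep the list short and review it.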
To define the ports that you want to filter or block, you must type in the port number and the protocol (tcp or udp). For some services you can select the service name (like www) from a list instead of typing the port number.

With port forwarding you can specify which ports of the Internet interface should be forwarded to a computer on your local networks. This way you can, e. g., run a web server inside your network that is accessible from outside. Be aware that it is a potential security risk to forward ports from the Internet into your local networks! In the port forward form, type in the port on the firewall that should be forwarded and the protocol used (tcp or udp). Then specify to which computer (IP address) the port should be forwarded and to which port on this computer.

Routing

Here you can specify whether data traffic between your internal networks should be possible, i.e. whether computers from one network should be able to access the computers on the other network. Check the checkbox if you want to allow this access for one or both of the networks. Below that you can define static routes. You should be familiar with networking basics to do that.

Traffic Shaping

Here you can configure how your bandwidth should be used. You can limit the bandwidth used by a network or a single user, and you can guarantee users or networks certain bandwidths. You can also set the bandwidth for certain services or ports. Of course the limits you define should be smaller than the maximum bandwidth you have available. With this feature you can, for example, prevent downloads from websites from using up all your Internet bandwidth. There are two sections on this page: in the upper one you can define limits for both networks, both incoming and outgoing. Beneath that you can define IP addresses or subnets which should be limited. In the lower section you can define ports to be limited. This also works incoming and outgoing.
In the case of conflicting settings the port settings take priority over IP addresses and networks.

Virtual private networks

Here you can define VPNs. You have two options: you can connect Windows computers from outside your networks into a local network (road warriors), or you can connect two networks secured by Kwickserver Firewalls at distinct locations. All computers from one of these networks can then connect to those on the other one.

Road warriors
To grant computers on the Internet access to your networks, you must activate the road warrior feature for that network. You must download a p12 file from here and transfer it to the Windows computer of the road warrior. Read more in the VPN chapter of this manual.

You can activate the road warrior feature for both networks separately. After activating the feature you can download certificates for Windows computers on the administration interface. To do so, you must type in a comment and a password. You will need this password when importing the certificate into the Windows computer. You can choose whatever password you want. With the link beneath you can download a configuration file which you need on your Windows computer. Please read the instructions for installing road warrior computers later in this manual.

In the last section of the administration page you can set up VPN tunnels between two networks protected by Kwickserver firewalls. To do so, you must type the IP address of the remote firewall and the network address of the network behind this firewall into the web administration form. After that you see an entry in the list under the form. With the link on the right you can download the created certificate for importing it on the remote firewall. This is done with the very last form on the administration page.

Careful! Keep the certificate files secret! If someone has access to these files, he could get access to your network!

VPN

Road warrior installation

With Kwickserver Firewall you can integrate persons sitting outside of your networks into these networks over a VPN (virtual private network). For this there are a few steps to do. Here you can read how to integrate a Windows XP computer over VPN.

1. Go to the VPN page in the Kwickserver web administration and activate VPN for the local network you wish using the dropdown list and save with the button beside it.

2. Download the certificate for your Windows XP computer. To do this, type a password in the textbox "Password" (remember that password!) and click the button beside it. Now your browser should download a file named certificate.p12. Save that file somewhere.

3. Download the configuration file you need on your Windows XP computer with the link below.

4. Transfer both downloaded files to your client Windows computer. Do not use FTP or any other insecure protocol over the Internet for this transfer! The certificate.p12 has to be kept secret! Use scp or floppy disks etc.

5. Download the ipsec.exe utility from http://vpn.ebootis.de and unzip it to some directory on your Windows machine (e. g. c:\vpn).

6. Create an IPSEC + Certificates MMC:
   Start/Run/MMC
   File (or Console), Add/Remove Snap-in
   Click on 'Add'
   Click on 'Certificates', then 'Add'
   Select 'Computer Account', and 'Next'
   Select 'Local computer', and 'Finish'
   Click on 'IP Security Policy Management', and 'Add'
   Select 'Local Computer', and 'Finish'
   Click 'Close', then 'OK'

7. Add the certificate:
   Click the plus arrow by 'Certificates (Local Computer)'
   Right-click 'Personal', and click 'All Tasks', then 'Import'
   Click Next
   Type in the path to the .p12 file (or browse and select the file), and click 'Next'
   Type the export password, and click Next
   Select 'Automatically select the certificate store based on the type of certificate', and click Next
   Click Finish, and say yes to any prompts that pop up
   Exit the MMC, and save it as a file so you don't have to re-add the Snap-ins each time

8. Set up the IPSec utility: install ipseccmd.exe (Windows XP) as described in the documentation for the ipsec utility. Note that for Windows XP SP2 you will need a new version of ipseccmd.exe; it can be downloaded from http://support.microsoft.com/default.aspx?scid=kb;en-us;838079.

9. Start ipsec.exe. Now you should be able to contact a computer inside your network with the Windows machine on the Internet.

Delete road warriors

If you want to prevent a road warrior from accessing the network in the future, you must revoke his certificate. For that you have to click on Manage certificates in the web administration. You now see a list of all certificates ever created. On the right side of every certificate you see a link for the revocation of the certificate. Click on this link and agree to the confirmation, and the certificate is revoked.

Creating VPN tunnels

If you have two networks at distinct locations which are protected by Kwickserver Firewall, you can build a VPN tunnel between these two networks. For that go to the VPN page in the web administration. In the last section of the page you see the tunnel administration.
You can manage VPN tunnels for both networks. For setting up a new tunnel, type the following information into the form:

1. The external IP address of the remote firewall
2. The address of the network behind the remote firewall
3. The netmask of the network behind the remote firewall

After you have submitted the form, you can download the certificate with the link in the list and transfer it to the remote firewall. Be sure to transfer the certificate in a secure manner! In the web administration of the remote firewall you can now import the certificate in the very last form on the page. After that you repeat this procedure on the remote firewall. Then you should be able to reach all computers of one network from the other. Be sure that the addresses of the two networks do not overlap!

Deleting VPN tunnels

To delete a tunnel, just delete the certificate from the list of one of the firewalls. It is advised to delete the certificates from both firewalls.

Update system

Kwickserver Firewall has its own update system. So you can download updates from the programmers of Kwickserver to your server and then decide whether to install them or not. You find the update system in the menu under System, Update. With the button Load updates you receive the current list of available updates. These updates appear in the list. With the Download button you can load the update files onto your hard disk. Then you can decide which updates to install. Click on Install to install the update on the server. Some updates have the option to be uninstalled. In that case, after installation there is a button Uninstall.

Console Tools

Change Administrator password

If you forgot your administrator password, you can reset it from the console. For that you must sit directly at the computer's console (keyboard and screen). At the login prompt type setpasswd. You will then be asked for a new password. You have to type in the new password twice to prevent typing errors.
Change IP address

If you did not set the IP address for the first internal network card correctly, you cannot access the web administration any more. You can change the address from the console. Type setip at the login prompt. You will be asked for the administrator password. You then come to a mask where you can type in the new IP address and netmask. Now you should be able to connect to the web administration via that address.
Troubleshooting

Problem: The CD is in the drive, but the computer does not boot from it.
Solution: Be sure the CD drive is first in the boot order of your computer's setup.

Problem: I installed the firewall on a computer where I still need the data on the hard disks. Can I restore them?
Answer: Unfortunately not. But if you have two hard disks in your computer, the second one is still untouched and the data is available.

Problem: During installation I get the error message "automatic network configuration did not succeed".
Answer: You are not connected to a network with a DHCP server. Check whether the network cable is properly connected to your network card and to the switch/hub. Ask your network administrator whether you have access to a DHCP server. If not, you have to type in the network address by hand.

Problem: I changed the IP addresses and I lost the connection to the web administration.
Solution: Type in the new network address you just defined for the first internal network card.

Problem: I typed the address of my first internal network card into the browser, but I don't get to the web administration.
Solution: Probably your firewall is connected to your network with the wrong network card. The only possibility to figure out the correct card is to connect with every card (one after the other) to the network and try again.

Problem: I changed the network addresses of my firewall, but I did not type in the correct address for the first internal network card. Now the web administration is not reachable any more.
Solution: Go to the console of the computer (keyboard and screen connected to it) and type setip at the login prompt. Enter your administration password.