This is an old revision of the document!
Table of Contents
Firewall
The firewall was constructed with the PCXFirewall Toolkit available here: http://pcxfirewall.sourceforge.net/ After determining list of services to be offered, a list of open ports was created. The following list enumerates that list.
Open Ports
- 22 – SSH
- 25 – SMTP
- 80 – http
- 110 – pop3
- 143 – imap2
- 443 – https
992 – telnets- 993 – imaps
- 995 – pop3s
- 10000 – webmin (https)
Access
Admin instructions on how to access PCXFirewall
https://63.252.5.3/pcxfirewall/
username – admin
Firewall Config – budlight1
Budlight1 Definition
Config
Config Options
- Network Command – ifconfig
- Mangle Rules – Enabled
Validity Check:
- TCP Flags – on
- ECN Enabled – off
- Unclean – off
- Kernel Type – modular
Zones:
- internal Zone Enabled – off
- ipsec Zone Enabled – off
- dmz Zone Enabled – off
- dialin Zone Enabled – off
- Bridge Support Enabled – off
- Snort-Inline Support Enabled – off
Special Protocol Modules:
- ftp Enabled – on
- ftp Params – none
- irc Enabled – off
- irc Params – none
Rate Limit:
- Tainted Packets Log Rate – 20 / minute
- Reserved Packets Log Rate – 20 / minute
- Default Policy Packets Log Rate – 30 / minute
- Reject Packets Log Rate – 30 / minute
- Normal Packets Log Rate – 30 / minute
- ICMP Packets Allow Rate – 30 / minute
Logging:
- Log Prefix – FW
- Log Level – debug
Dynamic Interfaces:
- Dynamic Interfaces Mode – ignoreIP
Networks
- Index – 0
- Host – budlight
- Type – normal
- Active – true
- Comment – external network/lan
Reserved External Networks
| Index | Host | LimitTo | Active | Comment |
|---|---|---|---|---|
| 10.0.0.0/8 | false | Class A | ||
| 192.168.0.0/16 | false | Class C | ||
| 127.0.0.0/8 | true | Local machine | ||
| 172.16.0.0/12 | false | Class B | ||
| 224.0.0.0/4 | false | Class D Multicast | ||
| 240.0.0.0/5 | true | Class E Reserved | ||
| 0.0.0.0/8 | false | Illegal except for DHCP | ||
| 169.254.0.0/16 | true | Link Local Networks | ||
| 192.0.2.0/24 | false | TEST-NET |
Zones
- Alias – external
- Interface – eth0
- IP Address – 63.252.5.3
- IPSec – false
- IPSec LimitFrom –
- Network – budlight
- Proxy Arp – false
- Active – true
- Comment – This is configured for a LAN server, not a WAN.
Services
Existing services were left as preconfigured.
Added : POP3s
- Protocol – tcp
- d-port – 995
- s-port – any
- icmp type –
Paths
ServiceGroups
| in | out | ip | source | dest | action | service | active |
|---|---|---|---|---|---|---|---|
| firewallToExternal | |||||||
| * | ALL | ALL | ACCEPT | DNS, SSH, IDENT, SMTP, ICMP, TRACEROUTE, SQUID, HTTP, FTP, BOOTP, NTP, RSYNC | true | ||
| externalToFirewall | |||||||
| * | ALL | ALL | ACCEPT | SSH, SMTP, POP3, IMAP, ICMP-limited, HTTP, HTTPS, BOOTP, IMAPS, POP3S | true | ||
| * | ALL | ALL | Reject | IDENT | true | ||
| external | ALL | ALL | Drop No Log | SMB | true | ||
| external | ALL | ALL | ACCEPT | Webmin | true | ||
| externalBroadcast | |||||||
| * | ALL | ALL | ACCEPT | BOOTP | true |
Installation
get this from PCXFirewall instructions and put here
System Changes
Please post changes here in the format of: [H4] date|your name [/H4] [CR]description of chages made
March 5 2005 | Carl Fitch
Added Path to allow Webmin access. This was added as a seperate path to allow an easier way to turn the path on or off as needed.
Feburary 19 2005 | James Pattie, Carl Fitch
The initial installation
March 5 2005 | Carl Fitch
Changed Zone "external" to current static IP address
TODO
Get installation instructions and have James verify
need to get how to access and use front end.
Credits
Initially installed, configured, and documented by James Pattie and Carl Fitch, 2005-02-19.
