SafeFire Firewall

SafeFire Firewall Version 1.2 Copyright (C) 1999-2004 Link Guard Solutions Ltd. README Contents 1. Introduction 2. System requirements 3. Before you install 4. Installation 5. DHCP Configuration 6. Uninstallation 7. Frequently Asked Questions (FAQ) 8. Changes 1. Introduction SafeFire Firewall is a Network Address Translation / Firewall utility for OS/2. It is designed to utilize any kind of LAN-to-LAN connection: - xDSL - Cable modems - Ordinary LAN SafeFire Firewall provides following features: - Flexible configuration - Port Mapping - Packet Filter - MAC Packet Filter - Traffic shaper - Network Address Translation (masquerading) for unlimited number of users - Full support for FTP and IRC connections, including built-in IDENT server - Number of supported simultaneous connections limited only by OS/2 TCP/IP stack - Virtually unlimited number filer rules - Full remote control with configurable access control lists - DHCP support - External plugins support 2. System requirements o Operating System - OS/2 Warp Version 4 - OS/2 Warp Version 3 - OS/2 Warp with WIN-OS/2 Version 3 - OS/2 Warp Connect - OS/2 Warp Connect with WIN-OS/2 - OS/2 Warp Server - OS/2 Warp Server for e-business o TCP/IP support - TCP/IP v4.0x (coming with OS/2 Warp 4.0) - TCP/IP v4.1 - TCP/IP v4.2.x (coming with OS/2 Warp Server for e-business) o Disk free space - About 1 MB o Memory - Minimum 8 MB - Recommended 12 Mb o CPU - Intel 486 CPU running at 66 MHz or better 3. Before you install SafeFire Firewall requires completely configured and working LAN-type connection. In other words connection should be established before you begin SafeFire Firewall installation. 4. Installation Installation of SafeFire Firewall is simple and consist of following steps: - Unpack SafeFire Firewall package to desired directory with InfoZip's unzip utility. Note that package internal directory structure should be preserved. - Copy NDIS\SFPROT.SYS and NDIS\SFPROT.NIF into x:\IBMCOM\PROTOCOL Copy NDIS\SFMAC.SYS and NDIS\SFMAC.NIF into x:\IBMCOM\MACS where x: is the drive where MPTN is installed - Run SETUP.EXE from the command line with the following parameters: SETUP.EXE -i lanX x: where lanX - is TCP/IP name of the LAN interface such as lan0, lan1, etc. Default value 'lan0' is used when omitted. x: - is the drive letter where MPTN is installed. Default value is set to OS/2 boot drive. For example: setup -i - install SafeFire Firewall on lan0 and look for PROTOCOL.INI in the x:\IBMCOM, where x: is the OS/2 boot drive. setup -i lan2 - install SafeFire Firewall on lan2 and look for PROTOCOL.INI in the x:\IBMCOM, where x: is the OS/2 boot drive. setup -i d: - install SafeFire Firewall on lan0 and look for PROTOCOL.INI in the D:\IBMCOM. setup -i lan1 E: - install SafeFire Firewall on lan1 and look for PROTOCOL.INI in the E:\IBMCOM. - Copy SFIRE.SMP into SFIRE.CFG and change it to suit your needs. Refer to CONFIG.TXT for more details. - Reboot PC and run SFIRE.EXE. NOTE: Device driver model used in SafeFire Firewall not allows IP packets to reach physical network when SFIRE.EXE is not running. 5. DHCP Configuration New "auto_pipe" option greatly simplified DHCP configuration. In order to make DHCP configuration work just change following line in the [dhcp] section in configuration file: [dhcp] ... auto_pipe=on With this setting enabled firewall will be turned into transparent mode at startup and then will be automatically switched into working mode when valid IP address will be assigned by DHCP. 6. Uninstallation To remove SafeFire Firewall just run SETUP.EXE from the command line as follows: [C:\bin\sfire]SETUP -r Setup will remove appropriate entries in CONFIG.SYS and PROTOCOL.INI and will restore bindings for TCP/IP. 7. Frequently Asked Questions 1. Q: SFIRE is running but seems not filter packets and NAT doesn't work. A: This problem exists with some stacks 4.1 and up. Try to change following setting in SFIRE.CFG [device] broken_arp=1 2. Q: Software installed correctly and external hosts are accessible from gateway PC but not accessible from PC's in internal net. A: Verify presence of the following line in \MPTN\BIN\SETUP.CMD ipgate on 3. Q: Is there a sample set of rules? A: Lets assume internal network is 192.168.1.0, netmask 255.255.255.0. Enable DNS: ; DNS for gateway rule= 100 allow udp from any 53 to myip bidi ; DNS for internal network rule= 200 allow udp from any 53 to 192.168.1.0/24 bidi Note that it might be more efficient to setup cache DNS server on the gateway PC and disable access from internal network to external DNS services. Other services (FTP, SMTP, POP3, HTTP and HTTPS): ; FTP, SMTP, POP3, HTTP, HTTPS for gateway rule= 300 allow tcp from any 20,21,25,110,80,443 to myip bidi ; FTP, SMTP, POP3, HTTP, HTTPS for internal network rule= 400 allow tcp from any 20,21,25,110,80,443 to 192.168.1.0/24 bidi To enable IRC add following rule: ; IRC for the internal network rule= 500 allow tcp from any 6666-6668 to 192.168.1.0/24 bidi For some services it might be necessary to enable incoming connection to IDENT service running at gateway: ; IDENT rule=600 allow tcp from any to myip 113 bidi Similar rules should be added if other services are running at gateway. For example, for the Web server: ; HTTPD rule= 700 allow tcp from any to myip 80 bidi In some cases it might be necessary to enable ICMP to/from gateway. Note that it might present a security risk! ; ICMP for gateway rule= 1000 allow icmp from myip to any out rule= 1100 allow icmp from any to myip in ; ICMP for internal network rule= 2000 allow icmp from 192.168.1.0/24 to any out rule= 2100 allow icmp from any to 192.168.1.0/24 in 8. Changes 1.2.1 -> 1.2.2 - fixed some "Internal Processing Error" crashes - added traffic shaper - added filter plugins - added skipto rules to filters - added assembly, assemblytimeout and dropbcast config options - improved documentation (documented DHCP-related extensions, updated filter docs, added sample set of rules) 1.1.0 -> 1.2.1 - Improved performance on high speed interfaces - Added filter by MAC addresses - Transactional filter configuration in remote control - Changed device driver model There are many minor changes and bug fixes . b87 - Support for "bidi" rules - Some minor bugfixes in rule compiler - Support for filtering all traffic - Support for "MYIP" in rules (complete support for DHCP) - Support for "deny_incoming" feature (part of stateful inspection) b86 - Workaround for broken ARP interface in some 4.1+ hotfixes - Removed unused license checking code 1.0 -> 1.1.0 - Improved performance - Full remote control - Support of SYSLOG - Support of DNCP - Changed device driver model There are many minor changes and bug fixes .