SafeFire Firewall v. 1.2.2 beta (1/1/2004)
Readme/What's new
SafeFire Firewall
Version 1.2
Copyright (C) 1999-2004 Link Guard Solutions Ltd.
README
Contents
1. Introduction
2. System requirements
3. Before you install
4. Installation
5. DHCP Configuration
6. Uninstallation
7. Frequently Asked Questions (FAQ)
8. Changes
1. Introduction
SafeFire Firewall is a Network Address Translation / Firewall
utility for OS/2. It is designed to utilize any kind of LAN-to-LAN
connection:
- xDSL
- Cable modems
- Ordinary LAN
SafeFire Firewall provides the following features:
- Flexible configuration
- Port Mapping
- Packet Filter
- MAC Packet Filter
- Traffic shaper
- Network Address Translation (masquerading)
for an unlimited number of users
- Full support for FTP and IRC connections, including
built-in IDENT server
- Number of supported simultaneous connections limited
only by the OS/2 TCP/IP stack
- Virtually unlimited number of filter rules
- Full remote control with configurable access control lists
- DHCP support
- External plugins support
2. System requirements
o Operating System
- OS/2 Warp Version 4
- OS/2 Warp Version 3
- OS/2 Warp with WIN-OS/2 Version 3
- OS/2 Warp Connect
- OS/2 Warp Connect with WIN-OS/2
- OS/2 Warp Server
- OS/2 Warp Server for e-business
o TCP/IP support
- TCP/IP v4.0x (coming with OS/2 Warp 4.0)
- TCP/IP v4.1
- TCP/IP v4.2.x (coming with OS/2 Warp Server for e-business)
o Disk free space
- About 1 MB
o Memory
- Minimum 8 MB
- Recommended 12 MB
o CPU
- Intel 486 CPU running at 66 MHz or better
3. Before you install
SafeFire Firewall requires a completely configured and working
LAN-type connection. In other words, the connection must already be
established before you begin the SafeFire Firewall installation.
4. Installation
Installation of SafeFire Firewall is simple and consists of the
following steps:
- Unpack the SafeFire Firewall package into the desired directory
with InfoZip's unzip utility. Note that the package's internal
directory structure must be preserved.
- Copy NDIS\SFPROT.SYS and NDIS\SFPROT.NIF into x:\IBMCOM\PROTOCOL
Copy NDIS\SFMAC.SYS and NDIS\SFMAC.NIF into x:\IBMCOM\MACS
where x: is the drive where MPTN is installed
- Run SETUP.EXE from the command line with the following parameters:
SETUP.EXE -i lanX x:
where
lanX - is the TCP/IP name of the LAN interface, such as lan0, lan1, etc.
The default value 'lan0' is used when omitted.
x: - is the drive letter where MPTN is installed.
The default is the OS/2 boot drive.
For example:
setup -i
- install SafeFire Firewall on lan0 and look for
PROTOCOL.INI in x:\IBMCOM, where x: is the
OS/2 boot drive.
setup -i lan2
- install SafeFire Firewall on lan2 and look for
PROTOCOL.INI in x:\IBMCOM, where x: is the
OS/2 boot drive.
setup -i d:
- install SafeFire Firewall on lan0 and look for
PROTOCOL.INI in D:\IBMCOM.
setup -i lan1 E:
- install SafeFire Firewall on lan1 and look for
PROTOCOL.INI in E:\IBMCOM.
- Copy SFIRE.SMP to SFIRE.CFG and edit it to suit your needs.
Refer to CONFIG.TXT for more details.
- Reboot the PC and run SFIRE.EXE.
NOTE: The device driver model used in SafeFire Firewall does not allow
IP packets to reach the physical network while SFIRE.EXE is not running.
5. DHCP Configuration
The new "auto_pipe" option greatly simplifies DHCP configuration.
To make DHCP work, just change the following line in the [dhcp]
section of the configuration file:
[dhcp]
...
auto_pipe=on
With this setting enabled, the firewall is put into transparent mode
at startup and is automatically switched into working mode once a
valid IP address has been assigned by DHCP.
6. Uninstallation
To remove SafeFire Firewall just run SETUP.EXE from the command line
as follows:
[C:\bin\sfire]SETUP -r
Setup will remove the corresponding entries from CONFIG.SYS and
PROTOCOL.INI and restore the TCP/IP bindings.
7. Frequently Asked Questions
1. Q: SFIRE is running but does not seem to filter packets, and NAT doesn't work.
A: This problem exists with some 4.1 and later stacks. Try changing the
following setting in SFIRE.CFG:
[device]
broken_arp=1
2. Q: The software installed correctly and external hosts are accessible
from the gateway PC, but not from the PCs on the internal network.
A: Verify that the following line is present in \MPTN\BIN\SETUP.CMD:
ipgate on
3. Q: Is there a sample set of rules?
A: Let's assume the internal network is 192.168.1.0, netmask 255.255.255.0.
Enable DNS:
; DNS for gateway
rule= 100 allow udp from any 53 to myip bidi
; DNS for internal network
rule= 200 allow udp from any 53 to 192.168.1.0/24 bidi
Note that it might be more efficient to set up a caching DNS server
on the gateway PC and disable access from the internal network to
external DNS services.
Other services (FTP, SMTP, POP3, HTTP and HTTPS):
; FTP, SMTP, POP3, HTTP, HTTPS for gateway
rule= 300 allow tcp from any 20,21,25,110,80,443 to myip bidi
; FTP, SMTP, POP3, HTTP, HTTPS for internal network
rule= 400 allow tcp from any 20,21,25,110,80,443 to 192.168.1.0/24 bidi
To enable IRC, add the following rule:
; IRC for the internal network
rule= 500 allow tcp from any 6666-6668 to 192.168.1.0/24 bidi
For some services it may be necessary to allow incoming
connections to the IDENT service running on the gateway:
; IDENT
rule=600 allow tcp from any to myip 113 bidi
Similar rules should be added if other services are running
on the gateway. For example, for a Web server:
; HTTPD
rule= 700 allow tcp from any to myip 80 bidi
In some cases it may be necessary to allow ICMP to and from the gateway.
Note that this may present a security risk!
; ICMP for gateway
rule= 1000 allow icmp from myip to any out
rule= 1100 allow icmp from any to myip in
; ICMP for internal network
rule= 2000 allow icmp from 192.168.1.0/24 to any out
rule= 2100 allow icmp from any to 192.168.1.0/24 in
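Before committing a rule set like the one above to SFIRE.CFG, it helps to parse it and ask which rule a given packet would hit. The following Python script is an added example and not SafeFire's own code: it parses the "rule=" syntax used above (keywords any/myip, optional port lists and ranges, in/out/bidi) and evaluates sample packets against it. The matching semantics are assumptions made for the example, not documented behaviour: rules are tried in ascending number order, the first match wins, an unmatched packet is denied, "bidi" matches the flow as written and its reply with source and destination swapped, and "in"/"out" are seen from the gateway. The gateway address standing in for "myip" and all packets are constructed. The evaluator is stateless, so its third check shows what the rule text alone permits: a rule that allows traffic by remote source port also admits an unsolicited inbound packet that happens to carry that source port; only a stateful mechanism (the change log mentions a "deny_incoming" feature, which is not modelled here) can tell a reply from a new inbound connection.

```python
"""Parser and stateless evaluator for the FAQ's rule syntax (added example,
not SafeFire's own code). Assumed semantics: ascending rule number order,
first match wins, unmatched packets are denied."""
import ipaddress
import re
from collections import namedtuple

# Constructed external address of the gateway; it is what "myip" resolves to.
MYIP = ipaddress.ip_address("203.0.113.10")

Rule = namedtuple("Rule", "number action proto src src_ports dst dst_ports direction")
# direction is "in" (arriving from the outside) or "out"; sport/dport are 0 for ICMP.
Packet = namedtuple("Packet", "proto src sport dst dport direction")

RULE_RE = re.compile(
    r"^rule=\s*(\d+)\s+(allow|deny)\s+(\w+)"
    r"\s+from\s+(\S+)(?:\s+([\d,-]+))?"
    r"\s+to\s+(\S+)(?:\s+([\d,-]+))?\s+(in|out|bidi)\s*$")

def parse_ports(spec):
    """'53' -> {53}; '20,21' -> {20, 21}; '6666-6668' -> {6666, 6667, 6668};
    None (no port list given) -> empty set, meaning any port."""
    ports = set()
    for part in (spec or "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)

def parse_host(spec):
    """'any' and 'myip' stay keywords; anything else is parsed as an IP network."""
    return spec if spec in ("any", "myip") else ipaddress.ip_network(spec, strict=False)

def parse_rules(text):
    """Parse rule= lines; ';' comment lines and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        num, action, proto, src, sp, dst, dp, direction = m.groups()
        rules.append(Rule(int(num), action, proto, parse_host(src), parse_ports(sp),
                          parse_host(dst), parse_ports(dp), direction))
    return sorted(rules, key=lambda r: r.number)

def host_matches(spec, addr):
    addr = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "myip":
        return addr == MYIP
    return addr in spec

def endpoints_match(rule, src, sport, dst, dport):
    return (host_matches(rule.src, src) and (not rule.src_ports or sport in rule.src_ports)
            and host_matches(rule.dst, dst) and (not rule.dst_ports or dport in rule.dst_ports))

def rule_matches(rule, pkt):
    if rule.proto != pkt.proto:
        return False
    if rule.direction == "bidi":
        # Assumption: "bidi" covers the flow as written and its reply (source and
        # destination swapped), whichever way the packet is travelling.
        return (endpoints_match(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                or endpoints_match(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport))
    return rule.direction == pkt.direction and endpoints_match(
        rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)

def evaluate(rules, pkt):
    """Return (action, rule number) of the first matching rule, else ('deny', None)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None

# The FAQ's sample rule set, used as the input for the checks below.
SAMPLE_RULES = parse_rules("""
rule= 100 allow udp from any 53 to myip bidi
rule= 200 allow udp from any 53 to 192.168.1.0/24 bidi
rule= 300 allow tcp from any 20,21,25,110,80,443 to myip bidi
rule= 400 allow tcp from any 20,21,25,110,80,443 to 192.168.1.0/24 bidi
rule= 500 allow tcp from any 6666-6668 to 192.168.1.0/24 bidi
rule=600 allow tcp from any to myip 113 bidi
rule= 700 allow tcp from any to myip 80 bidi
rule= 1000 allow icmp from myip to any out
rule= 1100 allow icmp from any to myip in
rule= 2000 allow icmp from 192.168.1.0/24 to any out
rule= 2100 allow icmp from any to 192.168.1.0/24 in
""")

if __name__ == "__main__":
    # Constructed packets: an internal host's DNS query, a new inbound connection
    # to an internal host, and the same connection sent from source port 80.
    for pkt in (Packet("udp", "192.168.1.5", 4321, "198.51.100.1", 53, "out"),
                Packet("tcp", "198.51.100.7", 4444, "192.168.1.5", 8080, "in"),
                Packet("tcp", "198.51.100.7", 80, "192.168.1.5", 8080, "in")):
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
```

Run it as-is to see the three verdicts; to check your own SFIRE.CFG rules, paste the rule lines into parse_rules and construct packets for the flows you expect to be allowed and the ones you expect to be blocked.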
8. Changes
1.2.1 -> 1.2.2
- fixed some "Internal Processing Error" crashes
- added traffic shaper
- added filter plugins
- added skipto rules to filters
- added assembly, assemblytimeout and dropbcast config options
- improved documentation (documented DHCP-related extensions, updated
filter docs, added sample set of rules)
1.1.0 -> 1.2.1
- Improved performance on high speed interfaces
- Added filter by MAC addresses
- Transactional filter configuration in remote control
- Changed device driver model
There are many minor changes and bug fixes.
b87
- Support for "bidi" rules
- Some minor bugfixes in rule compiler
- Support for filtering all traffic
- Support for "MYIP" in rules (complete support for DHCP)
- Support for "deny_incoming" feature (part of stateful inspection)
b86
- Workaround for broken ARP interface in some 4.1+ hotfixes
- Removed unused license checking code
1.0 -> 1.1.0
- Improved performance
- Full remote control
- Support of SYSLOG
- Support of DHCP
- Changed device driver model
There are many minor changes and bug fixes.