IPCop, a Linux firewall distribution that turns an x86 machine into a firewall appliance, is relatively easy to install, as I described in my last article. Luckily, the IPCop Web administration interface is just as easy to work with, and I'm going to walk you through many of the common configuration and monitoring tasks that you'll typically want to do after you get IPCop installed. Along the way, I'll also provide a few configuration tips that you may find helpful when you're first getting IPCop up and running.
Once IPCop is installed, you can access the Web interface via HTTP or HTTPS. You'll need to use a URL in the following format (replace ipcop or 192.168.1.1 with the hostname or IP address that you assigned to IPCop at installation):
When you first access the Web interface, you'll see a "home" screen that looks like Figure A.
To get started, click the Information link on the navigation bar on the left side of the screen. This will prompt IPCop to authenticate you. Enter the username admin and the password that you assigned during installation. Once you are authenticated, you will see the IPCop Status screen (Figure B).
This is the primary spot to gather current information about IPCop. First is the Services section, which shows you the services that are running or stopped. You have control over five of these services (IDS, DHCP, Web proxy, VPN, and SSH) and you can turn them off and on as needed, as I'll show you later in this article. The other five services should always be on. If any of them are off, there could be a problem and you should try restarting IPCop to see if they come back on.
Next is the Memory section, which shows you the RAM and swap file usage of IPCop. The Swap should be equal to the amount of physical RAM (Mem) and, as with any server, you should monitor the usage levels of both to make sure the machine doesn't need a boost in RAM.
The Disk Usage section shows the IPCop file system. IPCop requires very little disk space, as you can see. The only thing you'll need to watch here is the /var/log volume (typically /dev/harddisk3). This will grow over time as your log files multiply and the cache of your Web proxy grows (assuming you turn on the Web proxy).
If you scroll down, you'll see some more information on the Status screen. Next is Uptime And Users, which is self-explanatory and uses the typical Linux/UNIX output you would expect for uptime. Then you have the Interfaces section. If you have the typical firewall setup with two interfaces, you'll see eth0, eth1, and lo (loopback) in the Interfaces section. This is the same information you get when you run the Linux command ifconfig (similar to ipconfig in Windows), which shows IP address, subnet mask, and interface statistics.
The final two sections of the Status screen are Loaded Modules and Kernel Version. The Loaded Modules area shows the kernel modules that are currently loaded to support the firewall. This includes the driver for the NIC (3c59x for a 3Com card), a variety of NAT modules that allow certain types of traffic to pass through NAT, and a few other modules. If you are having problems with certain types of traffic such as VPN or FTP, check here to make sure the corresponding NAT modules are loaded. The Kernel Version section simply shows the version of the Linux kernel that is currently running and also shows the fully qualified domain name of the IPCop firewall.
In addition to these status updates, the Information screen also contains three graphical reports: traffic graphs, proxy graphs, and connections. You can access these reports by using the links in the upper-right corner of the Information screen. The traffic graphs (Figure C) show the amount of traffic for the current day on the GREEN interface and the RED interface. The proxy graphs show the usage and traffic of your Web proxy's cache. The connections link shows a graphical representation of all of the current connections that are being made through the firewall.
In addition to my earlier TechProGuild article on installing IPCop, you can also get more details on the features, background, and development of IPCop by taking a look at this TechRepublic article about this powerful little firewall.
Setting up the Web proxy
One of the first things that you may want to configure, because it is not turned on by default, is the proxy server. Essentially, IPCop contains a built-in version of the Squid Web Proxy Cache, a popular open source program for setting up a Web proxy server. As you probably know, a proxy server caches a local copy of often used Web pages and images and serves up the copies to users so that they don't have to be downloaded each time a user accesses them. This can reduce page-load time and save bandwidth.
To turn on IPCop's Web proxy, click the Services link on the navigation bar on the left side of the window. Web Proxy is the first section that comes up in the Services screen (Figure D).
To turn it on, simply click the Enabled box and the Transparent box. This activates a transparent proxy and simplifies client configuration. The firewall's clients simply select the firewall as their default gateway (or have it selected by DHCP) and automatically get the benefits of the proxy server.
The Remote Proxy option on the Web Proxy screen is for use if you already have an upstream proxy server at your company, or if you use a proxy server via your ISP.
The Cache Size setting is for determining the amount of disk space (in MB) that you want to dedicate to the cache. If you have less than 256 MB of RAM, you should set the cache size to match the amount of RAM you have on your system. However, if you have 256 MB or more, you can easily set the cache to 1,000 MB (1.0 GB). You can experiment with a larger cache, if needed. You'll still see some administrators recommend that you keep the cache the same size as the amount of physical RAM no matter how much RAM you have, but IPCop has better memory management than it used to, and so it's generally safe to increase this number.
The Min Object Size can be 0, while the Max Object Size is 4096 (4.0 MB) by default. Those settings are fine. Below that, you can use the Max Incoming Size setting if you want to limit the size of the files that users can download. For example, some administrators don't want users to be able to download large MP3 music files or large video files such as movie trailers, which can tie up bandwidth.
Setting up other services
On the Services screen, you can also configure several other important services. You can access each of them using the links on the navigation bar in the upper-right corner of the Services screen.
Following the Web proxy is the DHCP server (Figure E), another one of the services that many administrators will likely want to turn on.
If you've configured other DHCP servers before, then the options here will look familiar. To turn on the DHCP server, you simply need to enter a Start and End address (the range of IP addresses you want DHCP to hand out to clients), enter at least the Primary DNS for clients to use, and enter the Default lease time and Max lease time. Then you need to click the Enabled box. Optionally, you can also enter a secondary DNS, a WINS server, and a domain name suffix for clients. These DHCP options cover the basics, but they certainly pale in comparison to the extensive options you have with a full-fledged DHCP implementation. However, IPCop does offer fixed leases. You simply enter the MAC address and the IP address you want to assign that system in the Add A New Fixed Lease section and click the Add button.
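Before you click Enabled, it is worth checking that the Start/End range and the fixed leases you plan to enter are consistent with each other. The following is an added example, not IPCop's own code: a hypothetical `check_dhcp_config` helper that takes the GREEN network, the dynamic range and a list of (MAC, IP) fixed leases as you would type them into the form, and reports the mistakes that commonly cause address conflicts. Keeping fixed leases outside the dynamic range is general DHCP practice rather than something the article states.

```python
import ipaddress
import re

# Hypothetical helper, not part of IPCop: sanity-checks the values you would
# type into the DHCP screen before clicking Enabled.
MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$')


def check_dhcp_config(green_net, start, end, fixed_leases):
    """Return a list of problems (an empty list means the settings look sane).

    green_net    -- the GREEN interface network, e.g. '192.168.1.0/24'
    start, end   -- the Start and End addresses of the dynamic range
    fixed_leases -- list of (mac, ip) pairs from Add A New Fixed Lease
    """
    net = ipaddress.ip_network(green_net, strict=False)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if lo not in net or hi not in net:
        problems.append('dynamic range is not inside the GREEN network')
    if lo > hi:
        problems.append('Start address is higher than End address')
    seen_macs, seen_ips = set(), set()
    for mac, ip in fixed_leases:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f'{mac}: not a valid MAC address')
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f'{ip}: not a valid IP address')
            continue
        if mac in seen_macs:
            problems.append(f'{mac}: MAC address listed more than once')
        if addr in seen_ips:
            problems.append(f'{ip}: address assigned to more than one MAC')
        if addr not in net:
            problems.append(f'{ip}: not inside the GREEN network')
        elif lo <= addr <= hi:
            # A fixed lease inside the dynamic pool can collide with an
            # address handed out dynamically; keep the two apart.
            problems.append(f'{ip}: fixed lease overlaps the dynamic range')
        seen_macs.add(mac)
        seen_ips.add(addr)
    return problems
```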
The other sections in the Services area are:
- Port forwarding—Here you can set up ports on the RED interface of the firewall to be forwarded to servers behind the firewall.
- External aliases—This is only an option if your RED interface has a static IP address. This is typically used if you have a range of IP addresses from your ISP and you want the IPCop firewall to handle them all and then forward them to the appropriate servers behind your firewall.
- External service access—You'll need to use this only if you want to set up your IPCop firewall to be administered over the Internet (which, of course, is a serious security risk, but is necessary sometimes). If you do want to provide external access to IPCop, enter 81 and/or 445 as the Destination Port and click Add; I'd recommend opening only 445, since it uses HTTPS.
- DMZ pinholes—This is where you enter the information for any ports you need opened for servers you are hosting on your DMZ. This is applicable only if you have set up an ORANGE interface for a DMZ during your installation of IPCop.
- Dynamic DNS—For those who want to host servers behind IPCop but don't have a static IP address, the only option in many cases is to use a dynamic DNS service such as dyndns.org or zoneedit.com. IPCop supports those two services, as well as the other services shown in the drop-down menu in this section.
Another service supported by IPCop is a VPN server, which isn't listed in the Services screen but has its own screen that you can access by clicking the VPN link on the left navigation bar. There are two sections to the VPN screen—Control and Connections. In the Control section, you can turn on the VPN server by clicking the Enabled box and clicking Save. Here you can also change the IP address of the VPN server, if you want to use an address other than the IP address of the RED interface. The other option on the control page is to stop and restart the VPN service.
In the Connections section of the VPN screen (you can access this using the link on the upper navigation bar across the top of the VPN screen), you can set up clients and/or servers to be able to connect to the IPCop VPN server. The IPCop VPN is probably most useful for setting up a site-to-site VPN between two different IPCop firewalls. This can be helpful, for instance, for connecting a remote office network to the corporate network. You can also set up the IPCop VPN server so that Windows clients can connect across the Internet to the internal network that IPCop is protecting. However, that's a little trickier, and it's beyond the scope of this article (for more on IPCop VPN setup, check out this document).
To turn on a couple of other services, you'll need to go to the System screen (click the System link on the left navigation bar). Once you're in there, you can click on the SSH link on the navigation bar along the top of that screen. That takes you into the section for Secure Shell (SSH) access. To turn this on, simply click the box and click Save. I recommend that you don’t leave this on all the time, but turn it on only when you need it.
Next, click the link for Intrusion Detection System, then click on the box and click Save if you want to turn on the Snort IDS for your IPCop firewall. As long as you have at least 256 MB of RAM in your IPCop system, I definitely recommend turning on the IDS. You can check the alerts in the Logs screen, which we're going to take a look at next.
Monitoring the log files
Click on the Logs link on the left navigation bar. It opens on the Other section, where you can use the drop-down menu to select a variety of logs to view, such as Kernel, SSH, IPSec, and DHCP server. If you click on the Web Proxy link on the navigation bar at the top of the screen, you'll see the list of files that your IPCop proxy server has cached. One of the nice features here is that you can select the Source IP to look at the files cached only by a particular system. This can be helpful for forensic analysis or for monitoring the Internet usage of an employee (remember that you need to have a policy in place before monitoring Internet usage).
Next, click on the Firewall link and you'll see the list of packets that your IPCop firewall has blocked. Finally, you can click on Intrusion Detection System to see the list of security alerts that Snort has detected. Some of these messages are pretty cryptic, but if you do a Google search for the text of the message, you should easily find the meaning in a newsgroup or forum.
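The Firewall log page shows blocked packets one line at a time, which is fine for a quick look but hard to read when a single source has been knocking on dozens of ports. The following is an added example, not part of the article or of IPCop: a small Python parser that assumes the exported firewall log lines are in the standard iptables LOG format (a syslog prefix followed by `KEY=VALUE` fields), tallies blocked packets per source and per destination port, and flags any source that probed several distinct ports. The sample lines are constructed for illustration, using documentation IP ranges, not captured from a real firewall.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in iptables LOG format (syslog prefix + key=value
# fields); they are illustrative, not captured from a real IPCop firewall.
SAMPLE_LOG = """\
Jan 12 10:22:01 ipcop kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TTL=112 ID=2341 DF PROTO=TCP SPT=3012 DPT=21 SYN
Jan 12 10:22:01 ipcop kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TTL=112 ID=2342 DF PROTO=TCP SPT=3013 DPT=22 SYN
Jan 12 10:22:02 ipcop kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TTL=112 ID=2343 DF PROTO=TCP SPT=3014 DPT=23 SYN
Jan 12 10:22:02 ipcop kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TTL=112 ID=2344 DF PROTO=TCP SPT=3015 DPT=25 SYN
Jan 12 10:25:10 ipcop kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=48 TTL=64 ID=99 DF PROTO=TCP SPT=1055 DPT=445 SYN
Jan 12 10:25:11 ipcop kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=48 TTL=64 ID=100 DF PROTO=TCP SPT=1056 DPT=445 SYN
Jan 12 10:25:12 ipcop kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=48 TTL=64 ID=101 DF PROTO=TCP SPT=1057 DPT=135 SYN
Jan 12 10:26:00 ipcop kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=404 TTL=110 ID=7 PROTO=UDP SPT=4000 DPT=1434 LEN=384
Jan 12 10:26:30 ipcop sshd[412]: Accepted password for admin from 192.168.1.20
"""

FIELD_RE = re.compile(r'(\w+)=(\S*)')  # KEY=VALUE pairs; OUT= may be empty


def parse_line(line):
    """Return the fields of one blocked-packet line, or None for any other line."""
    if 'kernel:' not in line or 'SRC=' not in line:
        return None
    f = dict(FIELD_RE.findall(line))
    dpt = f.get('DPT', '')
    return {'in': f.get('IN'), 'src': f.get('SRC'), 'dst': f.get('DST'),
            'proto': f.get('PROTO'), 'dpt': int(dpt) if dpt.isdigit() else None}


def summarize(log_text, scan_threshold=4):
    """Count blocked packets per source and per (proto, port), and list the
    sources that hit at least scan_threshold distinct destination ports."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = Counter(e['src'] for e in events)
    by_port = Counter((e['proto'], e['dpt']) for e in events if e['dpt'] is not None)
    ports_per_src = defaultdict(set)
    for e in events:
        if e['dpt'] is not None:
            ports_per_src[e['src']].add(e['dpt'])
    scanners = sorted(s for s, p in ports_per_src.items() if len(p) >= scan_threshold)
    return {'total': len(events), 'by_src': by_src,
            'by_port': by_port, 'scanners': scanners}


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    print(report['total'], 'blocked packets; top sources:', report['by_src'].most_common(3))
    print('multi-port probes from:', ', '.join(report['scanners']))
```

On a real export, feed the file contents to `summarize` and compare the `scanners` list against the Snort alerts on the Intrusion Detection System page; the two views usually corroborate each other.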
I have been impressed with the speed with which IPCop is updated when there is a security flaw found in any of the Linux software that IPCop uses. Several times I have come across news alerts revealing Linux flaws and suspected that they probably affect my IPCop firewall. Every time I have checked, there was already an IPCop update that fixed the flaw.
Stay informed of updates
If you are running an IPCop firewall, you should definitely join the IPCop-Announce mailing list. This is a low-volume e-mail list that only sends announcements about patches and updates.
Fortunately, IPCop is fairly easy to update. You simply click on the System link on the left navigation bar, and the Updates section is the first screen you see (Figure F). It lists all of the available updates for your version of IPCop, explains what they do, and shows whether you've installed them or not.
You can click the Refresh Update List button to check for new updates. If you discover that there are updates you haven’t installed, simply click the Info link to the right of the update, which takes you to the IPCop downloads page where you can manually download the appropriate patch to a local system (such as your administrator's workstation or a file server). Then you scroll down to the Install New Update section at the bottom of the IPCop screen, click Browse, and select the update file that you got from the IPCop site. Then click the Upload button. This both uploads and installs the update.
The description of the update will tell you whether or not a reboot is required with the update. If a reboot is required, click the Shutdown link on the upper navigation bar of the System screen. Here you have two options: Reboot and Shutdown (Figure G). Click Reboot. I should also note that I have never had a problem with any of the IPCop updates. They have never caused anything to stop working.
We've covered just about everything you will need to know to fully configure and monitor an IPCop firewall. There are a few administrative tasks that we haven't covered, but those are mostly self-explanatory, and I have confidence that you can figure them out by simply following the links and menus in the IPCop Web interface. Otherwise, you can also check out the IPCop documentation for a thorough breakdown of the various configuration options.