Endian Firewall 2.3 Notes

Some notes and tips about Endian Firewall 2.3

Firewall & DNS Proxy

The default settings for the firewall and DNS proxy may cause unexpected behavior.  By default, only certain ports are allowed out to the internet from the LAN.  Verify the Outgoing and Inter-Zone Firewall settings.  Depending on the setup, the System Access rules may also need modification to allow SSH and web administration from interfaces other than GREEN.

The DNS proxy is a useful feature for redirecting DNS requests for certain domains to specific name servers (i.e. to an internal Windows DNS server that is integrated with Active Directory), but it also contains an Anti-Spyware feature.  By default, if the DNS proxy resolves a name that is on its blacklist, it rewrites the DNS response to point at a "spyware listening post" instead of the real address.  The domains of many dynamic DNS services (e.g. no-ip, dyndns) are blacklisted, which is very inconvenient if you are using a dynamic DNS service: either disable the Anti-Spyware feature or exempt the domains you depend on, and compare a suspect name against an outside resolver to confirm whether the proxy is rewriting it.

Dynamic DNS

The dynamic DNS client for the No-IP service does not work.  Download and install the latest client directly from No-IP or grab my pre-built binary.  Copy it to /usr/bin.  I rename the EFW version (noip-efw), then create a symlink called noip that points to noip-i686.  Run "noip -C" to configure it, then add "/usr/bin/noip" to /etc/init.d/rc.local, above the final "exit 0" line, so that it starts on boot (anything placed after "exit 0" never runs).
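The No-IP install steps above as a re-runnable shell script. This is an added example, not the post's or Endian's own code: the binary name noip-i686 and the paths are the ones the post uses, the function names are my own, and the rc.local edit is done with a helper that inserts the start command above "exit 0" rather than appending it to the end of the file.

```shell
#!/bin/sh
# Added example (not from the original post): install the upstream No-IP
# client on Endian 2.3 and arrange for it to start at boot.
# Assumptions: the downloaded binary is named noip-i686, the EFW-supplied one
# lives in /usr/bin/noip, and /etc/init.d/rc.local ends with "exit 0".

# Insert CMD into an rc.local-style script *above* its first "exit 0" line so
# it actually runs at boot; a line appended after "exit 0" is never executed.
# Idempotent: does nothing if CMD is already present as a whole line.
add_to_rc_local() {
    rc="$1"; cmd="$2"
    if grep -qxF "$cmd" "$rc"; then
        return 0
    fi
    if grep -q '^exit 0' "$rc"; then
        tmp="$rc.tmp.$$"
        # Emit CMD just before the first "exit 0", keep everything else as is.
        awk -v cmd="$cmd" '!done && /^exit 0/ { print cmd; done = 1 } { print }' "$rc" > "$tmp" \
            && cat "$tmp" > "$rc" && rm -f "$tmp"
    else
        printf '%s\n' "$cmd" >> "$rc"
    fi
}

# Print what the noip symlink in BINDIR currently points to (nothing if absent).
noip_target() {
    bindir="$1"
    [ -L "$bindir/noip" ] && readlink "$bindir/noip"
}

# Replace the Endian-supplied client with the upstream build: keep the EFW
# binary as noip-efw, install NEWBIN as noip-i686, point "noip" at it and
# register it in RC so it starts on boot.
install_noip() {
    bindir="$1"      # normally /usr/bin
    newbin="$2"      # path to the downloaded noip-i686 binary
    rc="$3"          # normally /etc/init.d/rc.local
    if [ -e "$bindir/noip" ] && [ ! -L "$bindir/noip" ]; then
        mv "$bindir/noip" "$bindir/noip-efw"
    fi
    cp "$newbin" "$bindir/noip-i686" && chmod 755 "$bindir/noip-i686"
    ln -sf noip-i686 "$bindir/noip"
    add_to_rc_local "$rc" "$bindir/noip"
}

# Real run, as root on the firewall, after "noip -C" has written its config:
#   EFW_APPLY=1 sh install-noip.sh
if [ -n "${EFW_APPLY:-}" ]; then
    install_noip /usr/bin ./noip-i686 /etc/init.d/rc.local
fi
```

The functions take their paths as parameters so the script can be exercised against a scratch directory before it is pointed at /usr/bin; the guard at the bottom keeps it from touching the live system unless EFW_APPLY is set.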

Custom DHCP Options

Endian 2.3 uses the Internet Systems Consortium DHCP Server V3.0.5.  When custom options are added through the web interface (Services -> DHCP Server -> Custom Configuration Lines), quotation marks are HTML-escaped when the page is saved and reloaded (e.g. "Hello" becomes &quot;Hello&quot;).  This prevents the DHCP server from starting, because the escaped characters are invalid in /etc/dhcpd.conf (see the dhcpd.conf man page).

To add a line such as:

option tftp-server-name "10.0.0.1";

you will need to edit /var/efw/dhcp/custom.tpl by hand.  Add any custom configuration, save the file, then mark it read-only (chmod a-w /var/efw/dhcp/custom.tpl) to prevent the web interface from overwriting it in the future.  Keep in mind that mode bits do not stop a process running as root; if the web interface writes the file as root, the immutable attribute (chattr) is the stronger guard, and it has to be cleared again before the next manual edit.
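A small script for maintaining custom.tpl outside the web form and catching the escaping problem described above. This is an added example, not code from the post or from Endian: the function names are mine, the paths are the ones the post gives, and the second option line (bootfile-name) is just a second realistic PXE option, not something the post configures.

```shell
#!/bin/sh
# Added example (not from the original post): write custom dhcpd options to
# /var/efw/dhcp/custom.tpl by hand, make the file read-only, and check that no
# HTML-escaped quotes (the web-form breakage) end up in the configuration.
# Assumed paths: /var/efw/dhcp/custom.tpl (template), /etc/dhcpd.conf (result).

# Exit 0 if FILE contains an HTML-escaped double quote, i.e. the damage the
# web interface does to "..." on save/reload.
has_escaped_quotes() {
    grep -q '&quot;\|&#34;' "$1"
}

# Replace the contents of TPL with the given lines (one dhcpd.conf line per
# argument) and make it read-only so the web interface cannot overwrite it.
write_custom_tpl() {
    tpl="$1"; shift
    chmod u+w "$tpl" 2>/dev/null || true   # we may be re-editing our own read-only file
    : > "$tpl"
    for line in "$@"; do
        printf '%s\n' "$line" >> "$tpl"
    done
    chmod a-w "$tpl"
    # Root ignores mode bits. If the web UI writes as root, use the immutable
    # attribute instead:  chattr +i "$tpl"   (and chattr -i before editing).
}

# Syntax-check a generated dhcpd.conf. With dhcpd installed, "-t" parses the
# file given by "-cf" without starting the server; without it (e.g. on a
# workstation) fall back to the escaped-quote check only.
check_dhcpd_conf() {
    conf="$1"
    if command -v dhcpd >/dev/null 2>&1; then
        dhcpd -t -cf "$conf"
    else
        has_escaped_quotes "$conf" && return 1
        return 0
    fi
}

# Real run, as root on the firewall:
#   EFW_APPLY=1 sh custom-dhcp.sh
if [ -n "${EFW_APPLY:-}" ]; then
    write_custom_tpl /var/efw/dhcp/custom.tpl \
        'option tftp-server-name "10.0.0.1";' \
        'option bootfile-name "pxelinux.0";'
    # After the web UI (or a dhcpd restart) has regenerated /etc/dhcpd.conf:
    check_dhcpd_conf /etc/dhcpd.conf
fi
```

Run check_dhcpd_conf against /etc/dhcpd.conf whenever the DHCP page has been saved; a non-zero exit means the generated file will not load and the template has been clobbered again.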

/var/log Partition Full

The installer creates a small (~300MB) partition that is mounted as /var/log.  Most log files are small, but /var/log/messages can get quite large and easily fill the partition, as can /var/log/snmpd/snmpd.   I have not looked to see whether there is any log rotation.  This post has further discussion of the problem and potential fixes.

Reduce messages from the SNMP daemon by changing its log level.  Edit /etc/init.d/snmpd and change the OPTIONS line:

OPTIONS="-Ls4 -Lf /dev/null -p /var/run/snmpd.pid -a"

Here, the level has been changed from 6 to 4.  Confirm against man snmpd on the box that this does what you expect: in net-snmp the lowercase -Ls option takes a syslog facility (the digits 0-7 select local0 through local7), and it is the uppercase -LS PRI FACILITY form that filters by priority.  SNMP can also be used to monitor disk space.  Add the following to /etc/snmp/snmpd.conf.tmpl:

disk /var/log

disk /var/efw

disk /

Disk usage is then exposed through the UCD-SNMP-MIB dskTable and can be polled by a monitoring system or raised as an SNMP trap.

OpenVPN

The OpenVPN server works quite well, but the gateway-to-gateway (GW-to-GW) setup can be a little tricky.  To connect two networks, one Endian box acts as the server and the other as the client.  If set up properly, there will be two-way communication between the networks; there is no need to configure each box as both client and server.

The key is to specify the "Networks Behind Client" when creating the account on the server and to set "Push These Networks" correctly under the Advanced tab of the server.  You may also want to check "Don't block traffic between clients" on the Server Advanced page, depending on your setup.  On the client, simply enter the host name and account details and then connect.

Traffic Monitoring on Interfaces other than br0

Endian Firewall uses ntop (Services -> Traffic Monitoring -> Administration Interface) to monitor traffic on br0.  To monitor traffic on other interfaces, edit /etc/init.d/ntop according to these instructions.  Make the file read-only after editing (chmod a-w /etc/init.d/ntop) to prevent the web interface from rewriting it.

Temperature Monitoring

Environmental temperature can be monitored using lm-sensors and SNMP.  First, configure the sensors:

  1. From a command line, run 'sensors-detect' and accept all the defaults.
  2. One of the last few lines of output will have some text between "--- cut here ---" markers.  Copy and paste this text into /etc/init.d/rc.local (above 'exit 0').
  3. Execute /etc/init.d/rc.local to load the modules now (they will be loaded automatically on the next reboot).
  4. Test by running 'sensors'.

Next, setup SNMP:

  1. Go to Services -> SNMP.  Enable the SNMP Server and enter the details.
  2. Restart SNMP to load the new MIBs (/etc/init.d/snmpd restart).
  3. Add a new System Access Rule for SNMP on any interface that needs to read temperatures via SNMP (Firewall -> System Access -> Add New Rule).  Limit the rule to the address of the monitoring host: the SNMPv2c community string travels in cleartext, so anything that can reach UDP 161 and sniff or guess it can read the whole tree.
  4. From a remote machine, test SNMP (snmpwalk -v2c -c <community string> <EFW Hostname> system).
  5. From a remote machine, test the LM_SENSORS-MIB (snmpwalk -v2c -c <community string> <EFW Hostname> 1.3.6.1.4.1.2021.13.16).
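A monitoring-side check that turns the two things exposed above (the "disk" lines in snmpd.conf.tmpl and the LM-SENSORS temperature table) into pass/fail results. This is an added example, not code from the post or from Endian: it parses the output of snmpwalk -On (numeric OIDs, so the monitoring host needs no MIB files); the walk embedded in the script is constructed, not captured from a real box; and the thresholds, function names, host name and community string are my own.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate disk usage and sensor
# temperatures from an Endian box's snmpwalk output.
# Assumed OIDs (UCD-SNMP-MIB / LM-SENSORS-MIB under .1.3.6.1.4.1.2021):
#   dskEntry          .1.3.6.1.4.1.2021.9.1       columns 2 = dskPath, 9 = dskPercent
#   lmTempSensorsEntry .1.3.6.1.4.1.2021.13.16.2.1 columns 2 = device, 3 = value in mC
DSK_TABLE='.1.3.6.1.4.1.2021.9.1'
TEMP_TABLE='.1.3.6.1.4.1.2021.13.16.2.1'

# Constructed "snmpwalk -On" output: the three disk lines from the post plus
# two sensors. /var/log is deliberately almost full and one sensor is hot.
SAMPLE_WALK='
.1.3.6.1.4.1.2021.9.1.2.1 = STRING: /var/log
.1.3.6.1.4.1.2021.9.1.2.2 = STRING: /var/efw
.1.3.6.1.4.1.2021.9.1.2.3 = STRING: /
.1.3.6.1.4.1.2021.9.1.9.1 = INTEGER: 97
.1.3.6.1.4.1.2021.9.1.9.2 = INTEGER: 41
.1.3.6.1.4.1.2021.9.1.9.3 = INTEGER: 63
.1.3.6.1.4.1.2021.13.16.2.1.2.1 = STRING: CPU Temp
.1.3.6.1.4.1.2021.13.16.2.1.2.2 = STRING: Board Temp
.1.3.6.1.4.1.2021.13.16.2.1.3.1 = Gauge32: 71000
.1.3.6.1.4.1.2021.13.16.2.1.3.2 = Gauge32: 38000
'

# stdin: snmpwalk -On output.  stdout: "PATH PERCENT" per disk row, in index order.
disk_usage() {
    awk -v t="$DSK_TABLE" '
        { n = split($1, o, "."); i = o[n]; v = $0; sub(/^.*: /, "", v) }
        index($1, t ".2.") == 1 { path[i] = v }
        index($1, t ".9.") == 1 { pct[i] = v }
        END { for (i in path) print i, path[i], pct[i] }' | sort -n | cut -d' ' -f2-
}

# Exit 1 and print "FULL: PATH NN%" for each partition at or above LIMIT percent.
check_disks() {
    limit="$1"
    disk_usage | awk -v lim="$limit" \
        '$2 >= lim { print "FULL:", $1, $2 "%"; bad = 1 } END { exit bad }'
}

# stdin: snmpwalk -On output.  stdout: "DEVICE CELSIUS" per sensor (mC / 1000).
temperatures() {
    awk -v t="$TEMP_TABLE" '
        { n = split($1, o, "."); i = o[n]; v = $0; sub(/^.*: /, "", v) }
        index($1, t ".2.") == 1 { dev[i] = v }
        index($1, t ".3.") == 1 { mc[i] = v }
        END { for (i in dev) printf "%d %s %.1f\n", i, dev[i], mc[i] / 1000 }' | sort -n | cut -d' ' -f2-
}

# Exit 1 and print "HOT: DEVICE C" for each sensor at or above LIMIT degrees C.
check_temps() {
    limit="$1"
    temperatures | awk -v lim="$limit" \
        '{ c = $NF; if (c + 0 >= lim) { print "HOT:", $0; bad = 1 } } END { exit bad }'
}

# Live use from the monitoring host (host name and community are assumptions):
#   snmpwalk -v2c -On -c public efw.example.net .1.3.6.1.4.1.2021 | check_disks 90
#   snmpwalk -v2c -On -c public efw.example.net .1.3.6.1.4.1.2021 | check_temps 70
# Offline demonstration on the constructed sample:
if [ -n "${EFW_DEMO:-}" ]; then
    printf '%s\n' "$SAMPLE_WALK" | check_disks 90
    printf '%s\n' "$SAMPLE_WALK" | check_temps 70
fi
```

The "disk" lines in snmpd.conf also accept a threshold (disk PATH MINSPACE or disk PATH MINPERCENT%, e.g. disk /var/log 15%); with one set, dskErrorFlag (column 100 of the same table) becomes 1 when free space drops below it, so a poller can alert on that flag instead of doing its own arithmetic as check_disks does.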
