install.txt (archive copy dated 1999-03-04)
SafeFire Firewall
Version 1.0
Installation and Configuration guide.
Copyright (C) 1999, Link Guard Solutions Ltd.
____________________________________________________________________________
Contents
____________________________________________________________________________
0. Before you begin
1. Introduction
2. Installation
3. Uninstallation
4. Configuration
5. SFIRE.CFG description
____________________________________________________________________________
0. Before you begin
____________________________________________________________________________
WARNING: The SafeFire installation utility makes changes to PROTOCOL.INI.
After these changes the Adapter and Protocol Services configuration
utility is unable to use this file.
If you need to change your adapter and protocol configuration, run the
SETUP.EXE that comes with SafeFire, choose the
"Uninstall from system files"
option and press OK. Then run Adapter and Protocol Services and make
the desired changes. When the changes are done, run SETUP.EXE again
and choose the
"Update system files only"
option to restore the settings required by SafeFire.
____________________________________________________________________________
1. Introduction
____________________________________________________________________________
SafeFire Firewall is a Network Address Translation / Firewall utility
for OS/2. It is designed to use the power and flexibility of the OS/2
operating system: SafeFire is a pure 32-bit, highly multithreaded
application.
The Network Address Translation (NAT) feature allows a network to be
connected to the Internet using only one real IP address, regardless of
the number of PCs in the internal network, and allows PCs in the
internal network to access almost all Internet services transparently,
as if they were connected to the Internet directly.
Another advantage of NAT is that all packets going to and from the
internal network are checked for correctness and translated, so it is
impossible to reach PCs in the internal network without special,
controlled actions (see the description of the Port Mapper feature
below); the internal network is therefore protected from external
attacks even without any additional measures.
The Packet Filter feature of SafeFire allows the system administrator
to limit access from the internal network to Internet services and
external access from the Internet to the PC where SafeFire is running.
The Port Mapping feature allows system administrators to move services
accessible from the Internet behind the firewall while retaining
controlled access to these services.
Run-time configuration of the Packet Filter and monitoring of
statistics are provided by various parts of SafeFire and can be done
with a simple command line utility.
To achieve maximum performance and minimal dependence on the LAN
adapter, SafeFire accesses the adapter at a low level through the NDIS
interface and a helper driver. This allows SafeFire to use any Ethernet
LAN adapter that has a MAC NDIS driver for OS/2.
____________________________________________________________________________
2. Installation
____________________________________________________________________________
SafeFire can be installed in two types of environment:
■ One LAN adapter used both for the connection to the ISP and for the
local PCs
■ One LAN adapter used for the connection to the ISP and another LAN
adapter used for the connection to the local PCs
These cases are shown schematically below:
                                    PC with SafeFire
 Internal net                            ┌────┐
 ┌──┐  ┌──┐  ┌──┐  ┌──┐                  ├────┤       HUB
 ├──┤  ├──┤  ├──┤  ├──┤                  │    │      ┌────┐
 │  │  │  │  │  │  │  │                  │    │    ┌─┤    ├─┐
 └┬─┘  └┬─┘  └┬─┘  └┬─┘                  └─┬──┘    │ │    │ │
  └─────┴─────┴─...─┴──────────────────────┴───────┘ └────┘ └──> ISP
One LAN adapter configuration
                                        PC with SafeFire
 Internal net                                ┌────┐
 ┌──┐  ┌──┐  ┌──┐  ┌──┐     HUB              ├────┤
 ├──┤  ├──┤  ├──┤  ├──┤    ┌────┐            │    │
 │  │  │  │  │  │  │  │  ┌─┤    ├─┐          │    │
 └┬─┘  └┬─┘  └┬─┘  └┬─┘  │ │    │ │          └┬──┬┘
  └─────┴─────┴─...─┴────┘ └────┘ └───────────┘  └──────> ISP
Two LAN adapters configuration
SafeFire relies on a correct configuration of the TCP/IP stack of the PC
where it is installed.
In the first case the IP address assigned by the ISP (i.e. the real IP
address) should be the main IP address of the interface, and the IP
address in the internal network should be assigned as an alias.
The second case does not have this limitation.
In both cases IP forwarding must be turned on at the PC where SafeFire
is installed.
Client PCs should be configured as if they were connected directly to
the Internet, with the PC where SafeFire is installed as their default
router. You should also provide correct DNS settings for these PCs; it
is highly recommended to set the DNS server address to the same one
used by the gateway PC.
The installation process is very simple:
o extract the SafeFire package into a temporary directory
o run INSTALL.EXE
o choose the directory where SafeFire will be installed
o choose the LAN interface connected to the external network from the
list of available interfaces
o press the OK button
The installer will make the appropriate changes in CONFIG.SYS and
PROTOCOL.INI and will create backup copies of these files.
After a reboot SafeFire can be launched either by double clicking the
SafeFire icon in the SafeFire folder or from the command line:
c:\SFire\bin>sfire.exe
____________________________________________________________________________
3. Uninstallation
____________________________________________________________________________
The uninstallation process is simple too:
o Run SETUP.EXE located in the \BIN subdirectory of the SafeFire
installation directory, from the command line or by double clicking the
"Install/Uninstall" icon in the SafeFire folder.
o Choose the "Uninstall and remove program files" action
o Press the OK button
The installer will make the appropriate changes in CONFIG.SYS and
PROTOCOL.INI and will create backup copies of these files. It will also
remove the files that come in the SafeFire package, the program objects
and the folder from the desktop. Your own configuration files will be
preserved. Empty directories and SETUP.EXE must be deleted manually.
After a reboot the SafeFire NDIS helper driver will be removed from
memory and the uninstallation is complete.
____________________________________________________________________________
4. Configuration
____________________________________________________________________________
SafeFire is configured by editing the SFIRE.CFG configuration file.
SafeFire comes with a sample configuration file called SFIRE.SMP.
Copy it to SFIRE.CFG and change it to reflect your needs.
NOTE: To edit SFIRE.CFG use an editor that retains the ASCII format of
the file, for example the OS/2 System Editor (E.EXE).
If no SFIRE.CFG is provided, SafeFire uses default settings.
See chapter '5. SFIRE.CFG description', where the default settings are
described.
____________________________________________________________________________
5. SFIRE.CFG description
____________________________________________________________________________
SFIRE.CFG is the main configuration file of SafeFire.
SFIRE.CFG is split into sections; each section contains variables.
The following sections are used by SafeFire:
[nat] - Network Address Translation section
[ident] - IDENT server section
[remote] - Remote control section
[portmap] - Port Mapping section
[filter] - Packet Filter section
[key] - License key section
Each section can define variables. If a variable is not set in
SFIRE.CFG, its default value is used.
The variables of each section are described below:
o Section [nat]
■ enable
possible values: yes no
description : Enables or disables Network Address Translation.
sample : enable = yes
■ defragment
possible values: yes no
description : Enables or disables processing of packet fragments.
              If this option is enabled, fragments are saved and
              then correctly translated once the header fragment
              is available.
sample : defragment = yes
■ forward_ignored
possible values: yes no
description : If this option is enabled, packets ignored by NAT are
              forwarded to the internal network without
              translation; otherwise such packets are dropped.
              This option does not affect packet filter checks,
              i.e. if the packet filter is enabled these packets
              are still checked by it.
sample : forward_ignored = yes
■ private_net
possible values: yes no
description : If this option is enabled, NAT limits the set of
              packets accepted from the internal network to the
              private address ranges described in RFC 1918:
              Class A: from 10.0.0.0 to 10.255.255.255
              Class B: from 172.16.0.0 to 172.31.255.255
              Class C: from 192.168.0.0 to 192.168.255.255
sample : private_net = no
o Section [ident]
■ enable
possible values: yes no
description : Enables or disables the built-in IDENT protocol
              server. Keeping this server enabled is important for
              full IRC client support because most IRC servers
              require it.
sample : enable = yes
■ user
description : Sets the variable part of the IDENT server's response.
sample : user = os2user
o Section [portmap]
■ rule
description : Each occurrence of this variable defines one rule for
              the port mapping feature. A rule consists of two
              pairs of values delimited by a comma, and each pair
              consists of an address and a port number delimited
              by a colon. The first address:port pair determines
              where incoming connections arrive, and the second
              pair determines where these connections are
              redirected. You can use 0 instead of the first
              address; in this case the IP address of the LAN
              interface used by SafeFire is assumed.
sample : rule = 0:80,10.0.1.1:8080
              Connections going to port 80 (WWW) of the LAN
              interface used by SafeFire are redirected to port
              8080 of the host 10.0.1.1 in the internal network.
o Section [filter]
■ enable
possible values: yes no
description : Enables or disables the packet filter feature.
sample : enable = yes
■ default_policy
possible values: accept reject
description : Sets the default policy of the packet filter. If this
              variable is set to 'accept', packets which do not
              match any rule in the packet filter rule database
              are accepted; otherwise they are rejected. For more
              details refer to FILTER.TXT.
sample : default_policy = reject
■ rule
possible values: yes no
description : Each occurrence of this variable defines one rule for
              the packet filter. The rule syntax is described in
              the appropriate chapter of FILTER.TXT.
sample : rule = allow icmp from any to 192.168.1.0/24
o Section [key]
■ name
■ key
These two variables hold the license key.
Default settings are listed below:
o Section [nat]
enable = yes
defragment = yes
private_net = yes
forward_ignored = no
o Section [ident]
enable = yes
user = os2user
o Section [filter]
enable = no
default_policy = reject
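As an added example (not code from SafeFire or Link Guard Solutions), the following Python reads a file in the SFIRE.CFG layout described in this chapter: it keeps every occurrence of a repeated rule variable, fills unset variables from the defaults listed above, decodes a [portmap] rule of the form address:port,address:port, and applies the RFC 1918 check that private_net = yes implies. The sample configuration inside it is constructed, and the parsing details the guide does not state (whitespace handling, case-insensitive names) are assumptions.

```python
# Added example, not SafeFire's own code: a parser for the SFIRE.CFG layout above.
import ipaddress, re
DEFAULTS = {  # as listed under "Default settings" in this guide
    "nat": {"enable": "yes", "defragment": "yes", "private_net": "yes", "forward_ignored": "no"},
    "ident": {"enable": "yes", "user": "os2user"},
    "filter": {"enable": "no", "default_policy": "reject"},
}
# RFC 1918 ranges that private_net = yes restricts internal-net sources to
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample configuration (not the shipped SFIRE.SMP)
SAMPLE_CFG = """[nat]
private_net = no
[portmap]
rule = 0:80,10.0.1.1:8080
rule = 0:25,10.0.1.2:25
[filter]
enable = yes
rule = allow icmp from any to 192.168.1.0/24
"""
def parse_cfg(text):
    """Return {section: {variable: [values]}}; unset variables take their defaults."""
    cfg = {s: {k: [v] for k, v in d.items()} for s, d in DEFAULTS.items()}
    section = None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()
            cfg.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "rule":  # repeated variable: keep every occurrence in order
            cfg[section].setdefault("rule", []).append(value)
        else:              # scalar variable: the file's value overrides the default
            cfg[section][key] = [value]
    return cfg

def parse_portmap_rule(rule, interface_ip):
    """'0:80,10.0.1.1:8080' -> ((listen_ip, 80), (target_ip, 8080)); 0 = SafeFire's interface."""
    (lip, lport), (tip, tport) = (p.split(":") for p in rule.strip().split(","))
    lip = interface_ip if lip == "0" else lip
    return (ipaddress.ip_address(lip), int(lport)), (ipaddress.ip_address(tip), int(tport))

def allowed_by_private_net(cfg, src_ip):
    """With private_net = yes only RFC 1918 sources in the internal net are translated."""
    if cfg["nat"]["private_net"][0].lower() != "yes":
        return True
    return any(ipaddress.ip_address(src_ip) in net for net in RFC1918)
```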
____________________________________________________________________________
____________________________________________________________________________