We will build a complete IPFire (2.9) virtual machine directly from the install .iso.
Create a new Virtual Machine, using the VMWare New Virtual Machine
Wizard. For the .iso image, use the .iso image provided on the labshare
(ipfire-2.9.i586-full-core48.iso). Yes, the entire .iso is 67 MB.
Set the operating system as Linux; for the version select “Other Linux 2.6 kernel”. Set the host name of your virtual machine; also set the location for the VM files. The hard drive size can be kept fixed at 8 GB. If you do not specify “Split the virtual disk into multiple files” you will find that you may be unable to copy the VM onto drives formatted with FAT32, like many portable hard drives.
You do need to customize the hardware prior to finishing the wizard; 256 MB should be sufficient memory for the system. You do not need a floppy drive; select it and remove it. You will need more than one network adapter; in this example we will set up three.
- The first network adapter should be set to “Bridged”
- The second network adapter should use the virtual network VMNet2
- The third network adapter should use the virtual network VMNet3
At this point, you can complete the wizard and begin installing the system.
Once the system boots, simply hit enter to begin the install process. Select your language preference- but remember if you don’t select English, then I am not going to be helping you much, am I? The system is distributed under the GPL; you need to accept the license before proceeding.
The system will be installed on the root directory of the virtual disk, device /dev/sda. You do need to partition that drive. All of the file systems suggested (Ext2, Ext3, Ext4, ReiserFS) are reasonable; we will use Ext4.
Installation is quick, but does require a reboot. After the first reboot, you will be presented with a sequence of configuration screens. For the keyboard, I recommend US. Timezone- go ahead and choose something appropriate- e.g. America/New York. Set the name of the host- this is ONLY the name of the host, not the name of the (DNS) domain. In this example, I will keep the default (ipfire). Next select the (DNS) domain name. Following other examples, I will use “class”; then the fully qualified domain name will be ipfire.class
Select a password for the root user on the system. The installer does not echo back a “*” or the like as the password is entered. Next, select a password for the admin account which is used to log on to the web interface to administer the system. It is not a good idea to use the same password for both accounts.
For the Network configuration type, we want to select “GREEN + RED + ORANGE”. Traditionally in this context, RED is the external interface, ORANGE is the DMZ, GREEN is the internal interface, and BLUE is used for wireless.
Setting up the drivers and networking is a bit more challenging. Open the file IPFire.vmx (or TheNameYouChose.vmx) from the host directory for the virtual machine in a text editor. In lines 55-57 (or so) you should see three lines of the general flavor
ethernet0.generatedAddress = "00:0c:29:62:e0:a7"
ethernet1.generatedAddress = "00:0c:29:62:e0:b1"
ethernet2.generatedAddress = "00:0c:29:62:e0:bb"
This tells us the MAC address of each virtual network card. For the GREEN interface, select the network card that you mapped to VMNet2 above. For the RED interface, select the network card that is set to bridged. For the ORANGE interface, select the remaining network card; it should be set to VMNet3.
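As an added example (not part of the handout), the script below parses the ethernetN.* lines of a .vmx file and maps each generated MAC to the zone the handout assigns (bridged = RED, VMnet2 = GREEN, VMnet3 = ORANGE), so you can match what the IPFire driver screen shows against the file. It assumes VMware records a bridged adapter as connectionType = "bridged" and a custom network in the vnet key; the sample .vmx text is constructed.

```python
import re

# Zones the handout assigns: bridged adapter -> RED, VMnet2 -> GREEN, VMnet3 -> ORANGE.
ROLE_BY_NETWORK = {"bridged": "RED", "VMnet2": "GREEN", "VMnet3": "ORANGE"}

# Constructed sample of the relevant .vmx lines. The MACs are the handout's; the
# connectionType/vnet keys are assumed to be what VMware writes for bridged/custom networks.
SAMPLE_VMX = """\
ethernet0.connectionType = "bridged"
ethernet0.generatedAddress = "00:0c:29:62:e0:a7"
ethernet1.connectionType = "custom"
ethernet1.vnet = "VMnet2"
ethernet1.generatedAddress = "00:0c:29:62:e0:b1"
ethernet2.connectionType = "custom"
ethernet2.vnet = "VMnet3"
ethernet2.generatedAddress = "00:0c:29:62:e0:bb"
"""

KEY_RE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"([^"]*)"\s*$')

def parse_vmx(text):
    """Return {adapter_index: {key: value}} for every ethernetN.* line."""
    adapters = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            adapters.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return adapters

def adapter_roles(text):
    """Map each adapter's MAC (as IPFire's driver screen shows it) to (index, network, zone)."""
    roles = {}
    for idx, keys in sorted(parse_vmx(text).items()):
        net = "bridged" if keys.get("connectionType") == "bridged" else keys.get("vnet", "")
        mac = keys.get("generatedAddress", "?").lower()
        roles[mac] = (idx, net, ROLE_BY_NETWORK.get(net, "UNASSIGNED"))
    return roles

def check_zones(roles):
    """Zones the handout needs (RED, GREEN, ORANGE) that are not mapped to exactly one MAC."""
    seen = {}
    for mac, (_idx, _net, role) in roles.items():
        seen.setdefault(role, []).append(mac)
    return [z for z in ("RED", "GREEN", "ORANGE") if len(seen.get(z, [])) != 1]

if __name__ == "__main__":
    roles = adapter_roles(SAMPLE_VMX)
    for mac, (idx, net, role) in roles.items():
        print(f"ethernet{idx}  {mac}  {net:8} -> {role}")
    print("all zones mapped" if not check_zones(roles) else f"problem zones: {check_zones(roles)}")
```

Run it against your own file with `adapter_roles(open("IPFire.vmx").read())`; a non-empty result from `check_zones` means two adapters landed on the same virtual network or one zone has no adapter.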
You will now have three networks- the external network, the internal network, and the DMZ. These need to have separate IP address ranges. You can select these however you please. Note that the private and DMZ addresses on one host do not need to be different from the private and DMZ addresses on another host. In this example, I am going to use
- Public- 192.168.1.0/24
- Private- 172.16.1.0/24
- DMZ- 172.16.2.0/24
(My home network is built on 192.168.1.0/24; in class I would use the appropriate public space 10.0.x.0/24 and leave the others as listed.)
In this example, the IP addresses of the IPFire machine will be:
- Public- 192.168.1.2
- Private- 172.16.1.2
- DMZ- 172.16.2.2
Set these IP addresses. Notice that for the RED interface (only) the IP address can be set via DHCP; for GREEN and ORANGE the IP address must be static.
Set the DNS and gateway information. This information is for the public network. In my home network, I keep my home DNS server on 192.168.1.200. If your table is running a DNS server on e.g. 10.0.x.y, then that is the IP address you use for DNS.
Similarly, the gateway is the gateway for the public network. On my home network (for this example) it is located at 192.168.1.1. In the classroom laboratory, this is located at 10.0.x.254.
You can set up IPFire to serve as a DHCP server for your internal (GREEN) network. Though convenient, this is not required. For now, we leave this turned off; we can enable it later.
Complete the installation
Now we need to verify that our network works as intended. If you correctly identified the RED interface, you should be able to
- Ping the class gateway from the IPFire command line
- Ping your DNS server from the IPFire command line
- Perform an nslookup from the IPFire command line
To check the ORANGE interface, start a new box (BT4R2 is a nice choice). Set the network adapter to VMNet3. Assign the BT4R2 machine the static IP address 172.16.2.3 with netmask 255.255.255.0
root@bt:~# ifconfig eth0 172.16.2.3 netmask 255.255.255.0
Set the default route of the BT4R2 machine to be the DMZ (ORANGE) address of the IPFire machine; in this example that is 172.16.2.2
root@bt:~# route add default gw 172.16.2.2
From IPFire, ping the BT4R2 box at 172.16.2.3. From BT4R2, ping the IPFire box at 172.16.2.2
To check the GREEN interface, start a new box- say another BT4R2. Set the network adapter to VMNet2. Set the BT4R2 machine to the static IP address 172.16.1.3 with netmask 255.255.255.0; also set the default route of the BT4R2 machine to 172.16.1.2. From IPFire, ping the BT4R2 box at 172.16.1.3. From BT4R2, ping the IPFire box at 172.16.1.2.
Configuring the IPFire machine.
To access the configuration screen, start a machine on the GREEN network (VMNet2). From a browser, visit the page https://172.16.1.2:444. You may need to replace the IP address with the GREEN IP address of your IPFire machine. Be sure to use https, not http. To log in, use the account “admin” and the password you specified during the installation process.
From the system tab on the configuration web page you can see the basic network configuration, including the IP addresses of the IPFire interfaces. From the side menu on this page, you can enable SSH access to the IPFire machine. By default, this is on port 222 rather than port 22. Access is via either the internal (GREEN) network or the external (RED) network. In the latter case, the firewall must be configured to allow that access; see External Access below. For details, see http://wiki.ipfire.org/en/configuration/system/ssh
From the Services entry on the side menu, you can go to a page and view all of the services available in IPFire; these include a DHCP server (for the GREEN network), a DNS Proxy, a snort intrusion detection system, an NTP server, VPN servers, the SSH server, and a Web Proxy (Squid). Other add-on services can be installed. See http://wiki.ipfire.org/en/configuration/status/services for more details.
From the Connections entry on the side menu, you can go to a page that shows all of the connections to and through your IPFire system. See http://wiki.ipfire.org/en/configuration/status/connections for more details.
From the DHCP Server entry on the side menu, you can go to a page that will let you configure IPFire to serve as a DHCP server on the GREEN interface. You can set the DHCP server up to only serve some addresses; this way you can reserve some addresses to be given to machines with static IP addresses (e.g. log servers). You can also use this page to set up fixed leases by MAC address.
Test this system by enabling the interface and starting another machine on the GREEN interface (VMNet2). For details, see http://wiki.ipfire.org/en/configuration/network/dhcp
From the Webproxy entry on the side menu, you can go to a page that will allow you to configure IPFire to serve as a proxy for web traffic. One advantage of proxies is that they allow for faster responses on large networks because they can cache commonly visited web pages. Another advantage is that, by passing all web site connections through a single point, you can enable content filtering, access restrictions, and the logging of all outbound web requests. Proxies can be set up through a proxy port (on IPFire, the default is 800) which then needs to be appropriately set in the browser. You can also set the proxy to run transparently; in this case no changes need to be made to the client browsers.
Set up IPFire to serve as a transparent web proxy. From a machine on the GREEN network, visit the web page of a host on the RED (external) network. Be sure to enable logging on the proxy. Verify that the proxy functioned correctly by viewing the proxy logs. (You can access those from the Logs tab by selecting Proxy Logs and then Proxy Reports from the side menu.) For more details, see http://wiki.ipfire.org/en/configuration/network/proxy.
From the Content Filter entry on the side menu, you can go to a page that will allow you to configure IPFire to block various types of web traffic- by categories, by domain, by URL, by file extension and by other traffic characteristics. The Web proxy service must be running to use the content filter. See http://wiki.ipfire.org/en/configuration/network/url-filter for more details.
From the Edit Hosts entry on the side menu, you can go to a page that will allow you to specify names for hosts on your internal network. Your internal hosts are not likely to have their own names in an external DNS server, and you may not wish to run an internal (or split) DNS server. This page allows you to set host names for the various machines with static addresses on your internal & DMZ networks. See http://wiki.ipfire.org/en/configuration/network/hosts for more detail.
From the Alias entry on the side menu, you can go to a page that will allow you to specify additional aliases- IP Addresses- for your external (RED) interface. Aliases allow you to set up more complex topologies; for example suppose that you want to place two web servers in your DMZ. If IPFire has just one external IP address, then there is no way that the two servers can be visible to the external network, as incoming traffic to IPFire on port 80 can be forwarded to only one of the servers. By using an alias, your IPFire machine can have two (or more) public IP addresses, and port 80 traffic to the first IP address can be forwarded to the first web server and port 80 traffic to the second IP address can be forwarded to the second web server.
In what follows, we will set up two additional aliases for the IPFire machine together with appropriate external DNS entries. In particular, we have
- ipfire.class = 192.168.1.2
- ipf2.class = 192.168.1.3
- ipf3.class = 192.168.1.4
where all of these names and addresses are on the external (RED) network.
For details on the use of the page, see http://wiki.ipfire.org/en/configuration/network/aliases
The IPSec entry in the side menu takes you to a web page to allow you to use IPSec to set up two types of VPN tunnels- either host-to-network tunnels (RoadWarrior tunnels) or a net-to-net VPN. Given the time constraints of class, I am not going to cover
this topic. See http://wiki.ipfire.org/en/configuration/services/ipsec for details.
The OpenVPN entry in the side menu takes you to a web page to allow you to set up VPN connections using TLS (SSL) rather than IPSec as above. Only host-to-net tunnels are currently supported. Nope- we don’t have time for this either. It would be cool though- even if the documentation online is occasionally in German. See http://wiki.ipfire.org/en/configuration/services/openvpn for details. Seriously- did you look at the language in the pictures?
The Time server entry in the side menu takes you to a page that you guessed it- will let you use IPFire as a time server. If you want to provide time to your local network, this must be enabled here. See http://wiki.ipfire.org/en/configuration/services/ntp for documentation, partially in German.
The intrusion detection entry in the side menu takes you to a page that lets you configure the snort intrusion detection system. Note that the installed version of IPFire does not come bundled with a set of snort rules; it also does not come with a tuned configuration file. It is designed to work online and obtain the rule sets directly from Sourcefire. Since the lab is not connected to the Internet, this approach is problematic. It is possible to manually set up the snort rules. When I did so, the web interface for the IDS no longer functioned and I had to start snort manually; on the other hand, it did correctly read the snort logs.
One approach to getting the snort rules to the IPFire machine is to copy the snort rules to a convenient VM with SSH- say a BT4R2 box- on the green network. Use SSH on BT4R2 to copy the file to the IPFire machine:
root@bt:~# scp -P 222 snortrules-snapshot-2904.tar.gz firstname.lastname@example.org:snortrules.tgz
Unpack snortrules.tgz in the directory /etc/snort on the IPFire machine. Edit the /etc/snort/snort.conf rules as you see fit. If you use the snort.conf file that comes with the IPFire box, note that it references the files /etc/snort/classification.config and /etc/snort/reference.config. The rule set, when unzipped in the snort directory, puts these files in /etc/snort/etc/classification.config and /etc/snort/etc/reference.config. Either move the files or modify the lines.
The snort.conf file that comes with IPFire does not load any rules. You can copy over just the rules that you want from the snort.conf file in the rules package.
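An added example, not from the handout, that makes the two snort.conf edits just described in code: it repoints the classification.config and reference.config includes at the etc/ subdirectory where the unpacked rule set put them, and copies only the chosen "include $RULE_PATH/..." lines from the package's snort.conf into IPFire's. Both config fragments are constructed; apply the functions to the real files' contents.

```python
import re

# Constructed fragment of IPFire's /etc/snort/snort.conf as the handout describes it:
# it references the two config files directly under /etc/snort and loads no rules.
IPFIRE_SNORT_CONF = """\
var RULE_PATH /etc/snort/rules
include /etc/snort/classification.config
include /etc/snort/reference.config
"""

# Constructed fragment of the snort.conf shipped inside the rules package.
PACKAGE_SNORT_CONF = """\
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
"""

# Files the unpacked tarball places one level deeper (etc/) than IPFire's snort.conf expects.
RELOCATED = ("classification.config", "reference.config")

def fix_relocated_paths(conf, snort_dir="/etc/snort"):
    """Rewrite include lines for the relocated files so they point at <snort_dir>/etc/<file>."""
    out = []
    for line in conf.splitlines():
        m = re.match(r"^(\s*include\s+)(\S+)\s*$", line)
        if m:
            name = m.group(2).rsplit("/", 1)[-1]
            if name in RELOCATED:
                line = f"{m.group(1)}{snort_dir}/etc/{name}"
        out.append(line)
    return "\n".join(out) + "\n"

def selected_rule_includes(package_conf, wanted):
    """Keep only the 'include $RULE_PATH/<file>.rules' lines whose file is in wanted."""
    picked = []
    for line in package_conf.splitlines():
        m = re.match(r"^\s*include\s+\$RULE_PATH/(\S+\.rules)\s*$", line)
        if m and m.group(1) in wanted:
            picked.append(line.strip())
    return picked

def build_conf(ipfire_conf, package_conf, wanted):
    """IPFire's snort.conf with corrected paths, plus the chosen rule includes appended."""
    includes = selected_rule_includes(package_conf, wanted)
    return fix_relocated_paths(ipfire_conf) + "\n".join(includes) + ("\n" if includes else "")

if __name__ == "__main__":
    print(build_conf(IPFIRE_SNORT_CONF, PACKAGE_SNORT_CONF, {"exploit.rules", "scan.rules"}), end="")
```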
All traffic from the external network (RED) to a host on the internal network (GREEN) or the DMZ (ORANGE) must be explicitly allowed via a port forwarding rule. Traffic not permitted is blocked by default. See http://wiki.ipfire.org/en/configuration/firewall/portforwarding
Any traffic destined for the IPFire machine itself from the external network (RED) must be explicitly allowed via an external access rule. Any traffic not explicitly permitted is prohibited. See also http://wiki.ipfire.org/en/configuration/firewall/externalaccess.
Any traffic from the DMZ (ORANGE) to the internal network (GREEN) must be explicitly allowed through a DMZ Pinhole. See also http://wiki.ipfire.org/en/configuration/firewall/dmzpinholes.
Outbound traffic can be controlled via the settings for the external firewall configuration. See also http://wiki.ipfire.org/en/configuration/firewall/outgoingfirewall.
The Logs tab
The elements of the logs tab are self-explanatory.