Installing IPcop

IPcop is a Linux-based firewall that installs from a CD. You download it from here as an ISO image and burn it to a CD (as an ISO image, not as a data file). It seems to be a pretty good firewall, though there are a few things that could be improved. These are some of my notes, kept in one spot so I can find them easily.

For web-based remote administration, IPcop uses port 445. Many ISPs block this port, since it is also the Windows SMB port and has been used in many attacks, so changing it to another port is required. Here is how:

First, you need to enable SSH access on your IPcop firewall. To do this, log in via the web interface; the default URL is http://GREEN_IP_ADDRESS:81. Hover your mouse over System, then click SSH Access. Check the box that says SSH Access, then click the Save button.

Log in to the IPcop firewall using SSH on port 222, and change these 5 files:

/etc/httpd/conf/httpd.conf
/home/httpd/cgi-bin/portfw.cgi
/var/ipcop/header.pl
/var/ipcop/proxy/acl
/var/ipcop/proxy/squid.conf
Change 445 to 441 in these files, or to whatever port you like. Pay attention to change all occurrences (1-2 per file), and grep the five files for the old port afterwards to confirm none are left. Restart httpd (and squid if you use it); if you don't know how to restart them, restart IPcop.

Then log in to IPcop again, hover the mouse over Firewall, click External Access, and add whatever port you used above (e.g. 441). If you also want to SSH into IPcop from the internet, enable port 222 as well; only open it if you actually need it, and restrict the source address on that page if your IPcop release lets you.

To access IPcop remotely (via the internet) enter https://IPADDRESS:441 in your browser, where IPADDRESS is your public IP address or your domain name. Note the https: the port you just opened serves the SSL version of the web interface.
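The port change above is a find-and-replace across five files, and the two ways it goes wrong are missing an occurrence and clobbering a longer number that happens to contain 445. The script below is an added example (not part of IPcop, and not the author's) that does the edit with a backup of each file, counts occurrences before and after, and refuses to report success if a file is missing or no longer contains the old port. It assumes GNU sed and grep (for -i and \b); the ROOT argument lets you rehearse on a copy of the tree before running it against / on the firewall. Restarting httpd and squid is still a separate step, as in the notes.

```shell
#!/bin/sh
# Added example, not part of the IPcop distribution: change the web-admin port
# in the five files listed above, keeping a .bak copy of each and refusing to
# succeed silently when a file is missing or contains no occurrence.
# Assumes GNU sed and grep (for -i and \b). ROOT lets you test on a copied tree
# before touching / on the firewall.

ipcop_admin_port_files() {
  printf '%s\n' \
    etc/httpd/conf/httpd.conf \
    home/httpd/cgi-bin/portfw.cgi \
    var/ipcop/header.pl \
    var/ipcop/proxy/acl \
    var/ipcop/proxy/squid.conf
}

# Count lines mentioning PORT as a whole number across the five files under ROOT.
# Use it before the edit (expect 1-2 per file) and after it (expect 0 for the old port).
ipcop_count_port() {
  root=$1; port=$2; total=0
  for f in $(ipcop_admin_port_files); do
    [ -f "$root/$f" ] || continue
    c=$(grep -cE "\b$port\b" "$root/$f" || true)
    total=$((total + c))
  done
  echo "$total"
}

# Usage: ipcop_change_admin_port ROOT OLD NEW
# Returns 0 only if every file existed and contained OLD at least once.
ipcop_change_admin_port() {
  root=$1; old=$2; new=$3; rc=0
  case "$new" in ''|*[!0-9]*) echo "new port must be numeric" >&2; return 1 ;; esac
  for f in $(ipcop_admin_port_files); do
    path="$root/$f"
    if [ ! -f "$path" ]; then
      echo "missing: $path" >&2; rc=1; continue
    fi
    n=$(grep -cE "\b$old\b" "$path" || true)
    if [ "$n" -eq 0 ]; then
      echo "no occurrence of $old in $path (already changed?)" >&2; rc=1; continue
    fi
    cp -p "$path" "$path.bak"
    # \b keeps 445 from matching inside longer numbers such as 4455
    sed -i -E "s/\b$old\b/$new/g" "$path"
    echo "$path: $old -> $new on $n line(s)"
  done
  return $rc
}

# Run directly on the firewall:  sh change-port.sh / 445 441
if [ "$#" -eq 3 ]; then
  ipcop_change_admin_port "$1" "$2" "$3" && echo "remaining $2: $(ipcop_count_port "$1" "$2")"
fi
```

Running it a second time fails on purpose: every file then reports "no occurrence", which is the signal that the job is already done rather than something to retry.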


IPcop has various addons. Although it's a great firewall, it seems to me that these addons should be incorporated into the basic IPcop package. One such addon is Banish, which allows you to block web sites by IP, CIDR, domain name, and MAC address. Installation instructions are straightforward and can be found here.


Another addon is Zernia, a GUI addon that uses OpenVPN. As of this writing, the Zernia install is a bit tricky. Although the Download/Install link is easy to follow, I found (as of this writing) that what was downloaded from their web site was a .tar file instead of the .gz file their instructions describe. I found that I had to rename the file to .gz, then shorten/rename the file itself. Then I had to give it permissions of 755. Then I ran the following command: tar -xzvf ./banish-xx.xx.xx.tar.gz. After that, all went well.

Once Banish is installed, just follow the instructions on their web site, under HOWTOs on the left, here.


In my case, I was using the VPN to connect XP road warriors to a Windows 2000 server. This was a bit of a challenge, as I couldn't get the road warrior to join the domain. In searching the internet, here is what I found:

In order to ping the home network from a road warrior, add the following line to the file /etc/rc.d/rc.firewall.up, near the beginning of the file, after the following lines:

ipchains -P input REJECT
ipchains -P forward REJECT
ipchains -P output ACCEPT


Insert the following (first check that your IPcop release actually uses iptables: the policy lines above are ipchains syntax from the kernel 2.2 generation, while the rule below is iptables syntax, and the two are not interchangeable):

iptables -t nat -A CUSTOMPOSTROUTING -s 10.26.1.0/24 -o eth0 -j MASQUERADE

# where 10.26.1.0/24 is the range of IP addresses handed to the road warriors
# when they VPN in, and eth0 is the GREEN network card. Masquerading on the way
# out to GREEN makes the VPN clients' traffic appear to come from IPcop's GREEN
# address, so the hosts on GREEN need no route back to the VPN subnet.


# Windows NetBIOS traffic (UDP source and destination ports 137-139), rejected before it reaches the logging rules
ipchains -A input -p udp --source-port 137:139 -j REJECT
ipchains -A input -p udp --destination-port 137:139 -j REJECT
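A rule added by hand to a firewall script is easy to lose or duplicate on the next reload. The script below is an added example, not IPcop's own file and not the author's: it puts the same MASQUERADE rule into the shape of an /etc/rc.d/rc.firewall.local that IPcop 1.4's rc.firewall calls with start, stop or reload, so the rule is added once (not once per reload), removed cleanly on stop, and never installed with a mistyped subnet. The file name, the start/stop/reload convention and the CUSTOMPOSTROUTING chain are assumed to match your IPcop release; confirm them in /etc/rc.d/rc.firewall before relying on this, and change VPN_NET and GREEN_DEV for your setup.

```shell
#!/bin/sh
# Added example, not IPcop's own file: an /etc/rc.d/rc.firewall.local that
# masquerades road-warrior VPN traffic onto GREEN, as the rule above does, but
# in the script IPcop 1.4's rc.firewall calls with start|stop|reload so the rule
# survives a firewall reload and is removed cleanly. The file name, the
# start/stop/reload convention and the CUSTOMPOSTROUTING chain are assumed to
# match your IPcop release; check /etc/rc.d/rc.firewall before relying on them.

VPN_NET=${VPN_NET:-10.26.1.0/24}   # addresses handed to road warriors
GREEN_DEV=${GREEN_DEV:-eth0}       # GREEN network card

# Reject anything that is not a.b.c.d/n, so a typo cannot produce a rule that
# masquerades nothing (or everything).
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Rule body shared by start and stop so the two cannot drift apart.
masq_rule_spec() {
  echo "-s $1 -o $2 -j MASQUERADE"
}

# True if CUSTOMPOSTROUTING already masquerades NET (makes start idempotent).
# With -n the source address is column 4 of iptables -L output.
rule_present() {
  iptables -t nat -L CUSTOMPOSTROUTING -n 2>/dev/null \
    | awk -v net="$1" '$1 == "MASQUERADE" && $4 == net { found = 1 } END { exit !found }'
}

case "$1" in
  start)
    valid_cidr "$VPN_NET" || { echo "rc.firewall.local: bad VPN_NET '$VPN_NET'" >&2; exit 1; }
    rule_present "$VPN_NET" || iptables -t nat -A CUSTOMPOSTROUTING $(masq_rule_spec "$VPN_NET" "$GREEN_DEV")
    ;;
  stop)
    # Delete every copy, in case the rule was also added by hand.
    while rule_present "$VPN_NET"; do
      iptables -t nat -D CUSTOMPOSTROUTING $(masq_rule_spec "$VPN_NET" "$GREEN_DEV") || break
    done
    ;;
  reload)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|reload}"
    ;;
esac
```

After a reload, iptables -t nat -L CUSTOMPOSTROUTING -n -v should show exactly one MASQUERADE line for the VPN subnet with the GREEN interface in the out column; two lines means something else is still adding the rule by hand.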


On the Windows XP computer:

Your road-warrior PC needs to use the same workgroup name as the domain of the server you are going to VPN into. To do this, right-click My Computer, then click Properties. Click the Computer Name tab. Click the Change button, select Workgroup, and type in the name of the domain your server is in. Click OK, and reboot the PC when it tells you to.