Endian Firewall General Support

How to copy files to your Endian Firewall

First of all, enable SSH access on your Endian Firewall:

  1. Go to System > SSH Access
  2. Tick on Enabled
  3. Save


In order to copy a file to the firewall you need a Secure Copy (scp) client. Linux and Mac OS X installations normally ship the tool with the distribution. For Windows there are several clients you can download and install for free.
Note: SFTP is not available on Endian Firewall; you need Secure Copy (SCP)!

If you use Linux or MacOSX:

I presume you already have scp installed on your machine.
Type the following command in an open shell:

scp file_you_want_to_copy root@green.ip.of.your.firewall:/path/filename/where/to/store

Example:

scp openvpn.conf root@192.168.0.15:/etc/openvpn/openvpn.conf


If you use Windows:

While there are plenty of free tools, we describe only one of the most used free Secure Copy tools: WinSCP.
If you have not installed it already, download it from the WinSCP homepage and install it on your machine. The WinSCP documentation covers:

  • how to install WinSCP,
  • how to connect to a remote host,
  • how to upload a file with WinSCP.

In order to copy a file to Endian Firewall:

  1. Connect to Endian Firewall:
    1. Type your GREEN IP address or the hostname of your Endian Firewall in the field Host name
    2. Leave port 22 in the field Port number
    3. Type root as username in the field User name
    4. Type the Endian Firewall root password in the field Password
    5. Select SCP as Protocol
    6. Click the Login button
    7. You will be asked whether you want to accept the remote host's key. Select Yes.
  2. In the remote panel, select the directory you want to copy the file to.
  3. Select the local files you want to upload.
  4. Drag your selection and drop it on the remote panel.
  5. You will be asked whether you want to copy the selection to the remote server. Click Copy.
 

Why do I have packet loss with some devices if I ping Endian Firewall?

Endian Firewall has a DoS attack protection which limits ICMP to 1 packet per second once more than 5 packets arrive in quick succession.

 

How to replace a failed hard disk from a raid

In order to replace a failed hard disk in a RAID, do the following (dd copies the first ten sectors, i.e. the MBR and partition table, from the good disk to the new one):

dd if=/dev/sdX of=/dev/sdY count=10
sfdisk --re-read /dev/sdY
sync
MAKEDEV sdY
mkswap /dev/sdY2
mdadm -a /dev/md1 /dev/sdY1
mdadm -a /dev/md3 /dev/sdY3
mdadm -a /dev/md4 /dev/sdY4

where X is the device letter of the hard disk which is OK, for example a, so the device would be /dev/sda,
and Y is the device letter of the hard disk which you newly mounted in, for example b, so the device would be /dev/sdb.

Rebuild starts automatically. You can follow the progress with:
cat /proc/mdstat

 

I lost my root password. What now?

There are several options to reset your root password in case you lost it.
The following describes two possibilities with different requirements:

  1. You need a serial nullmodem cable and a workstation with serial interface and a terminal program
  2. You need video and keyboard attached to the firewall.

Each Endian Firewall Appliance will have a serial interface (Console interface) but no Video and Keyboard connectors. If you have your own hardware you probably will have only Video and Keyboard but no Serial Interface.


Solution 1

Connect the serial nullmodem cable to the console port of your Endian Firewall and the other end to your workstation's serial port (COM1).
Use a terminal program (Minicom for Unices, PuTTY for Windows) in order to connect to the firewall. The necessary parameters are:

  • 38400 baud
  • 8 bit
  • No parity bit
  • 1 stop bit

After a successful connection you should see a menu with 5 entries. One of them is "Change Root password".
Select that item and change your password.


Solution 2

  1. Connect the video and keyboard and reboot your Endian Firewall.
  2. During boot you will see a graphical menu on a grey background with title GNU GRUB. Press a cursor button in order to stop the countdown. Otherwise it will boot automatically.

  3. Select the first menu item and press 'a'.

  4. You should see:

    grub append> root=/dev/hda3 panic=10 ro

    Add 'single', separated by a space, so that the line finally reads:

    grub append> root=/dev/hda3 panic=10 ro single
  5. Press ENTER to start the boot process.
  6. After the boot process the command line prompt at the bottom of the screen looks like this:

    sh-3.00# _
  7. Type:
    mount -o rw,remount /
  8. Type passwd and confirm with ENTER.
  9. Follow the instructions.
  10. If you also need to change the admin password, run:

    htpasswd -m /var/efw/auth/users admin

    and follow the instructions.
  11. Type sync.
  12. Type reboot.
 

My /var partition is full, what now?

In most cases this happens if the SMTP Proxy is active and configured as spam filter. In some circumstances, for example after certain types of mail bombs or floods, the antispam daemon may fill up its temporary directories with extracted mail contents or with quarantine files.

In order to check whether this happened, run the following in a shell on your firewall (sizes are reported in kilobytes so that sort -rn orders them correctly):

du -ck --max-depth=4 /var | sort -rn | head -10

This shows you the directories with most content ordered by content size.

If you find amavis directories with a very high amount of content, you can remove old already processed files with the following commands:

rm -rf /var/amavis/virusmails/*
rm -rf /var/amavis/amavis-*
rm -rf /var/tmp/clamav-*


After this you can restart the smtp proxy by calling the following commands:

restartsmtpscan

and force the SMTP proxy to process its mail queue:

postqueue -f

 

How to resend a quarantined mail from the local quarantine?

There is no GUI possibility to achieve this. The easiest possibility to handle the quarantine is to configure a local email address as quarantine destination. So you can archive it within an IMAP folder on your Mail server and handle it as normal Mail with a normal Mail client.

However, if you read this you probably chose to have the quarantine locally on the Firewall, which is also the default.

In order to get your mail, log in to the firewall using SSH and do the following:

  1. Search for the desired quarantined message. The messages are archived within /var/amavis/virusmails/. Spam messages begin with spam-, while virus messages begin with virus-, followed by the quarantine ID, for example Q1oQs5iAYKr.
    You can use

    ls -l /var/amavis/virusmails/

    in order to list the quarantine, and for example

    zcat /var/amavis/virusmails/spam-0Q1oQs5iAYKr.gz | less

    in order to read a specific message.
  2. Unzip the desired message:

    gunzip /var/amavis/virusmails/spam-0Q1oQs5iAYKr.gz

    The file will now be named spam-0Q1oQs5iAYKr.
  3. Transfer the file to your workstation using scp or WinSCP.
  4. Open the file with your mail client.
  5. Now you can handle it like a saved mail and forward it to the recipient or extract parts of it.
 

How to add custom cron jobs

Endian Firewall provides a couple of hook directories where you can put your scripts which should run as custom cron job. The cron process will start each script which resides within the respective hook directory.

Cron Job Scripts

Your custom cron job scripts will not be altered by Endian Firewall scripts or the upgrade process.

The scripts:

  • must be executable (chmod 700)
  • should exit with error code 0
  • must not contain a dot in the filename
  • must finish within a reasonable time; otherwise put the process in the background, or it will delay all other jobs.

Cron Hooks

The directories beginning with cron will be run at precisely configured times. The following presets are provided as hooks:

  • /etc/cron.cyclic/
    Will run every 5 minutes (e.g. 2:05, 3:10, 3:15)
  • /etc/cron.minutely/
    Will run every minute (e.g. 2:01, 2:02, 3:30)
  • /etc/cron.hourly/
    Will run every hour, one minute after the full hour (e.g. 2:01, 3:01, 4:01).
  • /etc/cron.daily/
    Will run every day at 1:25am.
  • /etc/cron.weekly/
    Will run every week on Sunday at 2:47am.
  • /etc/cron.monthly/
    Will run every month at 3:52am on the first day of the month.

Directories beginning with anacron provide defined periods that are measured from the time the fcron process was started. Use them when you do not need a job to run at a precisely specified time, but at well defined intervals whose exact start time does not matter. The following hooks are provided:

  • /etc/anacron.cyclic/ (every 5 minutes)
  • /etc/anacron.hourly/ (every hour)
  • /etc/anacron.daily/ (every day)
  • /etc/anacron.weekly/ (every week)
  • /etc/anacron.monthly/ (every month)
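A small checker for the script rules listed above, added here as an example and not part of Endian Firewall: it audits every file in a hook directory for a dot in the name, a missing executable bit and a mode other than 700, and builds a temporary directory of constructed sample hooks so it can be tried without touching /etc. Pass a real hook directory such as /etc/cron.daily/ to audit_hook_dir() to check the scripts you installed.

```python
"""Audit scripts in an Endian cron hook directory against the rules above."""
import os
import stat
import tempfile

EXPECTED_MODE = 0o700  # the article asks for chmod 700


def audit_hook_dir(hook_dir: str) -> dict:
    """Map each regular file in hook_dir to its list of problems (empty list = fine)."""
    report = {}
    for name in sorted(os.listdir(hook_dir)):
        path = os.path.join(hook_dir, name)
        if not os.path.isfile(path):
            continue
        issues = []
        # Rule: no dot in the filename, otherwise the hook is skipped.
        if "." in name:
            issues.append("filename contains a dot, cron will not run it")
        # Rule: executable (chmod 700).
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if not mode & stat.S_IXUSR:
            issues.append("not executable by owner")
        elif mode != EXPECTED_MODE:
            issues.append("mode is %o, expected 700" % mode)
        # A script without an interpreter line cannot be started by cron.
        with open(path, "rb") as f:
            if f.read(2) != b"#!":
                issues.append("missing #! interpreter line")
        report[name] = issues
    return report


def make_sample_hook_dir() -> str:
    """Create a temporary directory with constructed sample hooks (not real Endian scripts)."""
    d = tempfile.mkdtemp(prefix="cron-hook-sample-")
    samples = {
        "backupconfig": (0o700, "#!/bin/sh\nexit 0\n"),       # complies with all rules
        "report.sh": (0o700, "#!/bin/sh\nexit 0\n"),          # dot in the name
        "cleanupquarantine": (0o755, "#!/bin/sh\nexit 0\n"),  # too permissive
        "notes": (0o644, "remember to rotate logs\n"),         # not a script at all
    }
    for name, (mode, body) in samples.items():
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)
    return d
```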

 

How to exclude specific sites from Antivirus scanning

  1. Go to Proxy > HTTP > Antivirus and add the sites (one per line) within the box "Do not scan the following URL's".

Those lines can hold URLs with wildcards according to the following rules:

  • A line must contain Domain/Path
  • Domains can have a wildcard at the beginning.
  • Pages can have a wildcard at the beginning and at the end.
  • URLs without wildcards are matched exactly.

For example:

  • www.server-side.de    (only this URL is whitelisted)
  • www.server-side.de/*  (the domain is completely whitelisted)
  • *server-side.de/index.html    (each index.html of each host in the domain server-side.de is whitelisted)
  • */*.gif               (all .gif files are whitelisted)
  • www.server-side.de/novirus*    (each URL beginning with the pattern is whitelisted)
  • www.server-side.de/*novirus*  (each URI which contains the string novirus is whitelisted)

To whitelist Windows updates:

  • *.microsoft.com/*
  • *.windowsupdate.com/*
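The wildcard rules above, implemented as an added example (not Endian's own matching code) so an exclusion list can be checked against real URLs before it is pasted into the GUI. It assumes only the host and path are compared and the query string is ignored; the article does not say how the query string is treated.

```python
"""Matcher for the "Do not scan the following URL's" list of the HTTP antivirus."""
import re
from urllib.parse import urlsplit


def _wildcard_regex(part: str):
    """Turn a list fragment into an anchored regex in which only '*' is special."""
    return re.compile("^" + ".*".join(re.escape(p) for p in part.split("*")) + "$",
                      re.IGNORECASE)


def parse_exclusion(line: str):
    """Split one list line into (domain_regex, path_regex).

    A line without a path ("www.server-side.de") matches only the site root,
    which is what the article means by "only this URL is whitelisted".
    """
    line = line.strip()
    domain, has_path, path = line.partition("/")
    if not domain:
        raise ValueError("line must contain a domain: %r" % line)
    return _wildcard_regex(domain), _wildcard_regex(path if has_path else "")


def is_excluded(url: str, exclusions) -> bool:
    """True if url matches any exclusion line, i.e. the proxy would not virus-scan it."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path.lstrip("/")  # query string ignored (assumption, see lead-in)
    rules = [parse_exclusion(line) for line in exclusions if line.strip()]
    return any(d.match(host) and p.match(path) for d, p in rules)
```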
 

How to exclude specific sites from content filter?

 

  1. Go to Proxy > HTTP > Content Filter and add the sites (one per line) within the box "Allow the following sites".

Valid values are:

  • Domain names, like endian.com
  • Host names, like www.efw.it or sub.domain.efw.it
  • Entire TLDs, like .de
  • Domain names including their sub domains: .microsoft.com will match updates.microsoft.com as well as microsoft.com
    Note: In order to allow an entire TLD you need to put a leading dot in front of the TLD name!

Example:
endian.com
www.efw.it
.de

Note: You can only allow entire sites; specific URLs are not possible.

 

I configured my 2 firewalls for High Availability now I can't connect to my slave firewall anymore. What can I do?

You probably can't connect to your slave's webserver anymore but you should be able to login via SSH (if you have SSH enabled).
To connect to your slave firewall via web you can do the following:

(Assuming your management net is 1.1.1.0/27)

Add a virtual network interface to your machine and assign an IP address belonging to the management net to it. You can now directly connect to your slave firewall on its physical address 1.1.1.2.

On Linux you can do this by typing 'ifconfig eth0:0 1.1.1.6/29' in your shell.

Note: Endian Firewall will split your management net into 3 small nets, one for the green, one for the blue and one for the orange interface. This means your green management net in this case would be 1.1.1.0/29 including the following IP range 1.1.1.0-1.1.1.7. Usable IP addresses would be from 1.1.1.1 - 1.1.1.6, where your master firewall will use 1.1.1.1 and your first slave will use 1.1.1.2.
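The split described in the note, worked through as an added example (not Endian's own code). It assumes the management net is cut into /29 networks taken in order GREEN, BLUE, ORANGE from the start of the net, of which the article only states the GREEN one, and it reproduces the ifconfig alias command with the last free address of the zone.

```python
"""Derive the per-zone management subnets from an Endian HA management net."""
import ipaddress

ZONES = ("GREEN", "BLUE", "ORANGE")  # assumed order of the three /29 networks


def split_management_net(cidr: str, zone_prefix: int = 29) -> dict:
    """Return, per zone, the subnet, its address range, the master and first
    slave address and the remaining usable addresses.

    master is the first usable host and slave the second (the article's
    1.1.1.1 and 1.1.1.2); a workstation can borrow one of the free addresses
    to reach the slave directly.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    subnets = list(net.subnets(new_prefix=zone_prefix))
    if len(subnets) < len(ZONES):
        raise ValueError("%s is too small for three /%d zones" % (cidr, zone_prefix))
    result = {}
    for zone, sub in zip(ZONES, subnets):
        hosts = list(sub.hosts())
        result[zone] = {
            "net": str(sub),
            "range": "%s-%s" % (sub.network_address, sub.broadcast_address),
            "master": str(hosts[0]),
            "slave": str(hosts[1]),
            "free": [str(h) for h in hosts[2:]],
        }
    return result


def workstation_alias_command(zone_info: dict, interface: str = "eth0") -> str:
    """Build the ifconfig alias command from the article for the zone's last free address."""
    addr = zone_info["free"][-1]
    prefix = zone_info["net"].split("/")[1]
    return "ifconfig %s:0 %s/%s" % (interface, addr, prefix)
```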

 

How can I make my Browsers automatically use the Endian Firewall HTTP Proxy in non-transparent mode?

You can let the browsers fetch the proxy configuration automatically. The only precondition is that you roll out the browsers with "Auto-detect proxy settings" enabled, which is the default for both Firefox and Internet Explorer.

If you use the DHCP server or DNS proxy (or both) of Endian Firewall, there is no more to do. Otherwise you have two possibilities to make your clients find the proxy configuration on Endian Firewall:

  1. Add a hostname to your local DNS called "wpad" and make it point to the Endian Firewall. You then should be able to reach Endian Firewall by accessing http://wpad/, otherwise it will not work.
  2. Add a custom option to your DHCP server in order to make it push the wpad url with the other DHCP information.
    Example for ISC DHCP server:

    Global option:

    option wpad code 252 = text;

    Option for each subnet configuration:

    option wpad "http://YOUR_EFW_IP_ADDRESS/proxy.pac";

    Replace YOUR_EFW_IP_ADDRESS with the IP address of your Endian Firewall in the respective zone.

Note: If you like to force your users to use the proxy, you need to block HTTP ports within the outgoing Proxy. Otherwise a user may disable the Proxy within his/her browser and simply go directly without being blocked.

 

How can I forward spam mail to a specific email address?

With the SMTP Proxy this is possible by changing the value of SMTP > Spam > Spam Quarantine to the email address you prefer. The quarantine will then no longer be kept on the hard disk of the firewall; instead each mail will be forwarded to that email address.

Additionally you can send also a notification to the administrator by setting an Email Address in the field "Email used for notification on Spam Alert (Spam Admin)".

With POP3 Proxy this is unfortunately not possible at all.

 

HTTP Proxy gives "Error fetching group names" when downloading groups from the Windows Active Directory

This issue can have several causes:
The clocks of the Active Directory server and the Endian Firewall are not synchronized.
You should let the Active Directory server use the NTP server of the Endian Firewall in order to synchronize its clock. Endian Firewall's clock is synchronized with public time servers.

In order to check whether this really is the problem, you can temporarily synchronize the firewall's clock with the clock of the Active Directory server by running the following command (replace IP_OF_YOUR_AD_SERVER with the server's address):

net time set -S IP_OF_YOUR_AD_SERVER

 

Why does port forwarding not work?

This can have the following reasons:

  1. Endian Firewall is behind a NAT device

    Endian Firewall is behind another device which does NAT, like a router or another firewall, which does not allow connections going through that device directly to the firewall.

    You can solve this by configuring a port forwarding on that device too, pointing to the Endian Firewall's RED IP.

  2. The server has a wrong default gateway

    The server to which the port forwarding should go has a wrong or no default gateway configured. Connections will be directed to the target IP address, but because of the wrong default gateway the reply packets will not be routed back through Endian Firewall.
 

Can I train the Antispam Engine?

Yes you can train the Endian Antispam Engine.

You have to be using the SMTP Proxy for inbound and outbound scanning of email and your local domains need to be configured in
Proxy > SMTP > Local Domains.

To train the Endian Antispam Engine, attach the spam message in an email and send the email to spam@spam.spam.
You can also train the Endian Antispam Engine to recognize non-spam or ham emails. Take the legitimate email message, and attach it in a new email. Send the ham email to ham@ham.ham.

 

Why does the Windows update not work with HTTP Proxy on?

You probably have enabled proxy authentication.
Go to Proxy > HTTP > Access policy and add the following domains to the destination domains and give them no authentication:

  • .windowsupdate.com
  • .microsoft.com
  • .windows.com
 

Why do some internet based games and applications fail to connect behind Endian Firewall?

Endian Firewall is a true firewall in the sense that it does both ingress and egress filtering. By default Endian Firewall allows only basic outbound internet communication, such as:

  • HTTP
  • HTTPS
  • FTP
  • DNS
  • POP3
  • SMTP
  • IMAP4

To allow other internet based communication out of the Endian Firewall (apart from using the application proxies) you will need to define outgoing firewall rules for other internet based applications. For example to configure an outgoing firewall rule to allow MSN messenger communication for the GREEN Zone:

  • Go to Firewall > Outgoing firewall
  • Click the Add New Rule button
  • Remark: Allow MSN Messenger
  • Protocol: TCP
  • Policy:  ALLOW
  • Source Net: GREEN
  • Log packets which satisfy this rule: CHECKED (This makes the firewall log connections that match)
  • Service:  MSN Messenger
  • Click the SAVE button

By default Endian Firewall has pre-defined services for the most popular applications. If the application is not in the service list, you can enable the rule by selecting User Defined for the Service and defining the destination port.

 

How to configure domains without http authentication?

Go to Proxy > HTTP > Access policy and add the domains to the destination domains of a rule with no authentication:

  • only domain names (www.google.com, ...) are allowed (no URLs such as www.google.com/accounts, and no protocol prefix such as http://)
  • only exact domain names work (*oogle.com does not match google.com)
  • a . (dot) at the beginning whitelists all subdomains (.google.com matches www.google.com, mail.google.com, ...)

Examples:

urs.microsoft.com (only this subdomain is allowed)
.sun.com (all subdomains of sun.com are allowed)
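The domain-list rules shared by the content filter's "Allow the following sites" box and the access policy's destination domains, implemented as an added example (not Endian's own code): entries are bare domain or host names, an entry without a leading dot matches exactly, a leading dot covers the domain itself and all its subdomains (so .de covers the whole TLD), and a '*' is just a literal character that never matches.

```python
"""Validate and match the domain lists used by the HTTP proxy's content filter and access policy."""
from urllib.parse import urlsplit


def normalise_entry(entry: str) -> str:
    """Return the entry in canonical form, or raise ValueError for one the GUI rejects."""
    e = entry.strip().lower()
    if not e:
        raise ValueError("empty entry")
    if "://" in e:
        raise ValueError("no protocol prefix allowed: %r" % entry)
    if "/" in e:
        raise ValueError("only domain names, not URLs: %r" % entry)
    return e


def invalid_entries(entries) -> list:
    """List the entries that would not be accepted, to check a list before pasting it."""
    bad = []
    for entry in entries:
        try:
            normalise_entry(entry)
        except ValueError:
            bad.append(entry)
    return bad


def host_matches(host: str, entry: str) -> bool:
    """Apply one entry: a leading dot covers the domain and every subdomain, otherwise exact."""
    e = normalise_entry(entry)
    host = host.lower().rstrip(".")
    if e.startswith("."):
        return host == e[1:] or host.endswith(e)
    return host == e  # '*' has no special meaning, so '*oogle.com' never matches


def is_allowed(url_or_host: str, entries) -> bool:
    """True if the request's host matches any entry of the list."""
    target = url_or_host if "://" in url_or_host else "http://" + url_or_host
    host = urlsplit(target).hostname or ""
    return any(host_matches(host, e) for e in entries)
```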

 

How to connect to the firewall through serial console

Requirements:

  1. You need a serial nullmodem cable
  2. a workstation with serial interface
  3. a terminal program


Connect the serial nullmodem cable to the console port of your Endian Firewall and the other end to your workstations serial port (COM1).
Use a terminal program (Minicom for Unices, PuTTY for Windows) in order to connect to the Firewall. The necessary parameters are:

  • 38400 baud
  • 8 bit
  • No parity bit
  • 1 stop bit

After a successful connection, if the firewall is up and running, you should see a menu.

 

The described feature is not on my Endian Firewall. Why?

Two causes should be taken into consideration:

Please also consider reading the Endian Firewall Administrator Guide.

 

Endian Firewall boots from my daily backup USB stick / from my UMTS modem USB stick

UMTS USB modems are mostly bundled with a USB storage device which contains the Microsoft Windows drivers.
USB storage sticks mostly have a boot manager installed in their master boot record (MBR), which takes over when Endian Firewall boots. The boot manager then needs manual interaction or does not find the real boot image at all and remains stuck.

You need to remove the boot manager from the MBR in order to let Endian Firewall boot correctly.

With Linux (or the Endian Firewall itself) you can achieve this using the following command:

dd if=/dev/zero of=/dev/sdX count=512

where the X in sdX needs to be the letter which identifies the drive. For example, use /dev/sda if the USB storage is the first, /dev/sdb if it is the second SCSI type device in your system. Note that this overwrites the first 512 sectors, including the stick's partition table, so double-check that sdX really is the USB stick and not one of the firewall's disks.

 

I have problems when I connect multiple zones on the same switch. How to solve this?

First of all, it is not a good idea to connect multiple zones to the same switch (or physical network). Zones are meant to physically separate your networks in order to have extra security.

But one may have good reasons to do so.
If you connect multiple zones to the same switch, it is not defined with the current kernel configuration which interface will receive packets for an IP address of a zone, since the IP addresses are owned by the firewall itself and not by the interface.

In order to change this behaviour, log in to the firewall and write 1 to the arp_ignore setting of each interface:

for F in /proc/sys/net/ipv4/conf/*; do echo 1 > "$F/arp_ignore"; done

If you want this executed at boot time, edit the file /var/efw/inithooks/start.local
and insert the following:

#!/bin/sh
for F in /proc/sys/net/ipv4/conf/*; do echo 1 > "$F/arp_ignore"; done

 

When I download a large file over the HTTP proxy the transfer stops and the file is not downloaded completely.

ClamAV is configured by default to block archives which exceed the configured maximum archive size, in order to prevent archive bombs.

You can change this behaviour under "Services > Clamav antivirus":

  • Change the value of "Max. archive size"
  • or switch from "Block as virus" to "Do not scan but pass" in order to let oversized archives pass without scanning.
 

Proxy analysis report and Log summary gives me no reports but an error message?

This happens because the Log Summary and the Proxy Analysis Report are generated on a daily basis. Therefore you will only ever see reports for past days, not for the current day.

The reports are always generated at night at 00:01 am with the data of the previous day.
 

Why can't I block connections from clients with the outgoing firewall which pass a proxy?

If a proxy is used for a certain service (HTTP, POP, SMTP, DNS, ...), rules in the outgoing firewall have no effect, because of the very nature of how proxies work.

Connections from a client are intercepted by the proxy on Endian Firewall (transparent mode) or go directly to the firewall, but never go through the firewall. The proxy then starts a new connection to the real destination, gets the data and sends it to the client. Those connections always start from the firewall and not from the client, which hides the client's internal IP address. Such connections never pass the outgoing firewall, since they are in fact local connections.

You can use the network based access control of the respective proxy (if implemented) to block connections of certain clients.

 

Is there a way to stop sending mail to the user when POP3 Proxy has marked the email as Spam?

No. By the very nature of how the POP3 protocol works, this is the only way to block spam without having your POP3 client complain. If an email scores above the spam threshold, a notification email is sent with the original email attached. This is the safest way to handle POP3 spam.

 

Pressing F5 does not refresh a stale webpage

The HTTP proxy's cache may have been set to operate in offline mode. This turns off the validation of cached objects and gives access to more cached information. It may cause stale objects to be sent to the client even when the client sends F5 refresh command. In this mode the only way to get a fresh copy of a cached website is to clear the proxy cache.
To disable this go to Proxy > HTTP > Cache Management and uncheck the option Enable offline mode.

 

Why is port 113 open by default?

Connection attempts to a service on the firewall will be slow if packets to this port are dropped (which is the default policy of Endian Firewall). Port 113 is the ident port; services use it to check which remote user initiated the connection. Endian does not run an ident daemon, so these ident lookups must first time out before the connection to the service can be established. Leaving the port open lets the lookup fail immediately instead of waiting for the timeout.

 

Why do I get an "ACCESS DENIED" page when trying to browse a local web server using HTTP Proxy?

Endian Firewall denies clients using the HTTP proxy access to local web servers, i.e. web servers whose IP is defined in the Allowed Subnets of Proxy > HTTP > Network based access control. This is done for security reasons: if Endian Firewall did not enforce this, other zones could access ANY machine of ANY zone through the HTTP proxy. For example, if you have local clients that want to browse a local web server as www.somedomain.com while using the HTTP proxy, follow these steps:

  • Go to Network > Edit Hosts
  • Click on Add a host button   
  • Host IP Address: 192.168.0.253 (This is the private IP address of the web server)
  • Host Name: www
  • Domain Name: somedomain.com
  • Click the Add button

This tells Endian Firewall to resolve all requests for www.somedomain.com to the internal (private) IP of the local web server. Browsers using the HTTP proxy in transparent mode will then connect directly to the IP of the local web server and not use the HTTP proxy. If you are using the HTTP proxy in standard mode or with authentication, you will additionally have to add the private IP address of the local web server to your browser's proxy exceptions, so that it does not use the configured proxy when connecting to that particular IP.

 

I'm trying to block downloads from download sites using the proxy, but the downloads keep getting through the firewall.

You need to create a rule in Proxy -> HTTP -> Access Policy.

The access policy type must be set to Deny access.

Then in the mimetype box you must put the following MIME types:

  • application/octet-stream - this blocks all traffic with binary (exe) content.
  • application/download - this blocks binary files masked in the URL, as served by sites like download.com

If there are other MIME types you wish to block, simply check the live web proxy logs. This can be made simpler by setting a filter based on your IP address. Then download the file to your computer and watch the logs carefully. The MIME type that you need to apply is at the end of the log entry.

In the example below, the MIME type one would need to block in order to keep XML out of the network is the last field of the entry:

Web proxy
2011-06-02 17:49:25
320 192.168.90.248 TCP_MISS/200 35009 GET http://www.tagesschau.de/xml/rss2 - FIRST_UP_PARENT/content1 application/xml

The MIME type to enter in order to block XML is application/xml.
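Reading the MIME type out of the live web proxy log, as an added example (not Endian's code): it parses the squid-style line format shown above (duration, client IP, result code, bytes, method, URL, user, hierarchy, MIME type), filters on one client IP the way the article suggests, and counts the content types served to that client. The GUI shows the timestamp in its own column; the sample lines below put it in front of the entry, and all lines except the one from the article are constructed.

```python
"""Extract MIME types from Endian's web proxy log for use in a Deny access policy."""
import re
from collections import Counter

# The article's line plus two constructed lines.
SAMPLE_LOG = """\
2011-06-02 17:49:25 320 192.168.90.248 TCP_MISS/200 35009 GET http://www.tagesschau.de/xml/rss2 - FIRST_UP_PARENT/content1 application/xml
2011-06-02 17:50:02 1184 192.168.90.248 TCP_MISS/200 2048576 GET http://download.example.net/tool.exe - DIRECT/203.0.113.10 application/octet-stream
2011-06-02 17:50:09 12 192.168.90.17 TCP_HIT/200 4311 GET http://www.example.org/ - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<duration>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hierarchy>\S+)\s+(?P<mimetype>\S+)$"
)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def mimetypes_for_client(log_text: str, client_ip: str) -> Counter:
    """Count the MIME types served to one client; the keys are what goes into the mimetype box."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["client"] == client_ip:
            counts[rec["mimetype"].lower()] += 1
    return counts
```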
 

Proxy authentication fails when using Internet Explorer

This problem has to do with permissions on /var/cache/samba/winbindd_privileged.

But before making changes, first check the log file /var/log/squid/cache.log (for example with nano).

If the following error is found in this log file:

winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.

run the following two commands:

  • chown -R root:squid /var/cache/samba/winbindd_privileged
  • /etc/init.d/winbind restart

 

If that fails to correct the problem, try clearing the cache in the proxy as well as the cache on the local machine.

 

Welcome to the Security With Passion Knowledgebase

On this page hopefully you will find the answers or solutions to any questions or queries you may have.  If not send us an email at endian@veritechcorp.com.au and we will be sure to add it to our knowledgebase.

If you want to post your own questions, jump to our Forums Section

 

How do Proxy Access Policies work?

Access Policies in the Endian Firewall are evaluated from top to bottom.  Evaluation stops when a rule is matched, and no further access policies are tested.

For this reason, you should create the most specific rules towards the top of the list.

You can click the edit button (the little pencil) to see the configuration of an Access Policy.

 

The POP3 scanner breaks Pop3S connections

The POP3 scanner breaks Pop3S connections.

 

The POP3 scanner doesn't handle encrypted sessions.

 

More information can be found at http://kb.endian.it/entry/25/

Does Endian Hotspot support SMTP Relay?

Yes, you can intercept and relay SMTP to your preferred mail server for hotspot users.

When a user connects to a hotspot, the HTTP traffic is passed through the hotspot, and the HTTP proxy intercepts it only if it is enabled as transparent proxy (Proxy -> HTTP -> BLUE).

The same applies to SMTP: you can activate the transparent SMTP proxy on BLUE. If you want it to forward all mail to a trusted SMTP server, you can configure a smarthost in the SMTP proxy's advanced section.
 

What is the technical basis of Hotspot?

The Endian Hotspot module is a hybrid combination of 4 different projects:
- CoovaChilli for access control (open source)
- FreeRADIUS for provisioning and accounting (open source)
- a PostgreSQL database used for logging, managing users and tickets, and calculating balances (open source)
- endian-hotspot, which keeps it all together and provides the user interface (developed by Endian)
 

Updating community version?

With regard to the community version, how is this updated? Does it require reinstallation every time a new version or update is released, or just manual application of it?

 

The best place to find information about updating this version is through the Community Edition forums, you can try http://efwsupport.com/

To upgrade versions, it is possible to extract RPMs from the distributed ISO images and install/upgrade them. That will not cause you to lose configuration settings, except if Endian changes the bootstrap settings, which is possible in future releases.

 

Explain Endian Load Balancing

Explain Endian Load Balancing

 

Endian UTM Appliance does not support load balancing per se, BUT:

- it is possible to create routing policies.
- it is possible to create backup uplinks.
- it is possible to use traffic shaping; unfortunately this is of no use for VoIP since the protocol does not use one standard port but many of them (port 5060 being the only standard port).

In this case the configuration would look like this:
Uplink A is used for normal traffic.
Uplink B is used for VoIP traffic and as backup for uplink A.

On Endian UTM uplink A will be the main uplink. Then uplink B will be created and setup as the backup uplink for uplink A.

Add a routing policy which specifies that all traffic coming from the phone central should use uplink B.

This way internet and VoIP will run on different uplinks and if one of the uplinks goes down all traffic will be redirected through the remaining uplink.

Traffic shaping for VoIP is not (or: only if all VoIP traffic is going to a well defined range of destination ports) possible. However, other services can be shaped.

 

 

How do Endian decide New features?

How does Endian decide on new features?

The workflow to ask for a new feature is really easy... just:
- go to bugs.endian.it
- sign up for a new account
- log in with your new user
- click on "Report Issue"
- *important* select feature as "severity"
- describe your request and submit the report

How Endian decides which new features to develop:
To be a relevant feature for Endian, a request has to meet at least one of these points:
- a lot of requests for this feature
- a feature relevant for Endian's strategy
- a paid request (the requestor pays for the development)

How Endian develops the new features:
Endian mainly develops the feature for the community and, after the tests, puts it into the enterprise release. The requestor will be informed by the Endian bug tracker about the release of the feature... no time estimate or assurance about the development will be provided by Endian (except in the case of a paid feature).
 

Can I use DIG or NSLOOKUP on an endian?

As of version 2.2, there is no support for the dig or nslookup commands.

However, this is on the development plan for the version 2.3 release.

 

What port does Endian Network Use?

What Port does Endian network use?

 

It uses TCP port 8991, amongst others.

 

How are Trial Endian Licenses restricted?

With the "Trial" software which is available from Veritech and Endian:

a) how many users are permitted?
b) is the hotspot functionality included in it?

The Trial software is a full featured license valid for unlimited users. The hotspot module is available and activated.
 

How is the Hotspot licensed?

How are users counted in the licensing for Endian software?
Considering that hotspot users will change almost daily, it cannot be based on devices.
Is it concurrent users?
Or is it not monitored at all?

The hotspot license basically works just the same as the software license itself.
The customer roughly calculates the maximum number of concurrent users he should have in the network (that's why this module is only available with License 25 onwards).
Exceeding the limit gets detected by Endian Network, but as long as it's a matter of 5-10 users it won't be too much of a problem...
 

Increasing License Count

I have a client who wishes to increase an existing 10 User Software Licence to a 25 User Software Licence.  The existing Licence expiry date is 19 November 2011.

My question is – if I upgrade this Licence to a 25 User in the Endian Network will it extend for a full year or only until the expiry date of the existing 10 User Licence?

 

 

Usually the upgrade should be done when renewing the maintenance, so in order to have what you're asking me, your customer should add 1 year (at least).

If your customer only wants to upgrade the existing license from 10 to 25, without adding 1 year, Endian's action is needed.

 

In order to calculate the pro-rata payment, you can refer to the following formula:

x = total days of the current license
y = days to expiration
z = price of the new license

to be paid = (z / x) * y
 

Why can't I port forward port 8080 to an internal server?

Why can't I port forward port 8080 to an internal server?

 

Because there are already system access rules in place for port 8080. There are also default rules for ports 80, 22, 500 and others. These are the redirection rules required for the Endian to operate.

You can find a list of these rules under Firewall > System Access > Show Rules of System Services.

You should avoid using these ports for forwarding. If possible, use other ports, e.g. forward external port 82 to port 80 internally. Otherwise you could disable the System Services rules, but that will undoubtedly interfere with the operation of the firewall.

 

Does Endian have internet management?

Does Endian have internet management?

http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=403.0



What I want to know is if Endian support any kind of network/internet management in terms of the amount of data users are allowed. i.e.: I have a network with 10 PC's. I have 100 GB of internet per month and want each PC have 10 GB. I would like to be able to track how much each PC is using and also lock their internet when they go over.

 

Solution

No, there is no Traffic Level setting where you can define that each machine has 10 GB per month free.

And if one machine downloads too much, the Endian cannot deny it automatically.

You can watch the ntop site on the Endian, where you can see how much traffic is being used. Alternatively, you can connect an external SNMP system to monitor it.

 

 



 

Block Gmail Chat?

Block Gmail Chat?


I need to block gmail chat (from webmail) but it seems to be impossible.

I'm blocking in the proxy: chatenabled.mail.google.com, mail.google.com/mail/channel/*.....etc.

but I can still access the chat.

 


Solution

Under Proxy > Content Filter > Allow List, make sure you don't have mail.google.com in there (like we did).

And under the block list, block the following:

chatenabled.mail.google.com
mail.google.com/mail/im/
mail.google.com/mail/channel/
talk.google.com
www.google.com/talk

 

http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=440.0

 

How Block all Instant Messaging

How do I block all instant messaging to my network?

 

You would need to track down all ports for the IM clients and block them. That could be a lot of work and you could miss some. A better approach for a firewall admin (IMO) is to block all outgoing traffic and only allow the traffic you know you want to go out.

To do this you create a rule to block all outgoing traffic and position it last.

Make sure of this, or else your other rules to allow outgoing traffic will all be denied. You can turn logging on for the rule, but there will be a lot of blocked traffic.

This won't block web-based traffic that can use your proxy. For that you need to enable the content filter and make sure the "chat" filters (described above) are on.

Alternatively you can try using Intrusion Detection and block all chat-related HTTP traffic. You must change from alert to block (a red shield).

http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=651.0
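The point about rule order deserves a concrete demonstration. The following is an added example, not Endian code: a small first-match rule evaluator with a constructed allow list for a 192.168.0.0/24 network and a logging deny-all rule. Running the same connection attempts through the allow rules with the deny-all last, with it first, and with it missing shows why the position matters. Network addresses and ports are constructed sample values.

```python
"""Constructed model of first-match outgoing firewall rules (added example, not Endian code).

Rules are evaluated top to bottom and the first match decides, which is why a
catch-all deny must be the LAST rule: put it first and it shadows every allow
rule below it; leave it out and unlisted traffic falls through to whatever the
system default is.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    src: str                 # source network in CIDR notation
    log: bool = False        # whether a match should be logged


def evaluate(rules: List[Rule], proto: str, dst_port: int, src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("unmatched", None) if no rule matched."""
    src = ip_address(src_ip)
    for index, rule in enumerate(rules):
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if src not in ip_network(rule.src):
            continue
        return rule.action, index
    return "unmatched", None


# Constructed sample policy: GREEN is 192.168.0.0/24 and only the mail server
# 192.168.0.10 may speak SMTP directly.
ALLOW_RULES = [
    Rule("allow", "tcp", 80, "192.168.0.0/24"),
    Rule("allow", "tcp", 443, "192.168.0.0/24"),
    Rule("allow", "udp", 53, "192.168.0.0/24"),
    Rule("allow", "tcp", 25, "192.168.0.10/32"),
]
DENY_ALL = Rule("deny", "any", None, "0.0.0.0/0", log=True)


def correct_order() -> List[Rule]:
    """Allow rules first, catch-all deny last: the ordering the answer recommends."""
    return ALLOW_RULES + [DENY_ALL]


def wrong_order() -> List[Rule]:
    """Catch-all deny first: every allow rule below it becomes dead."""
    return [DENY_ALL] + ALLOW_RULES


def audit(rules: List[Rule], samples: List[Tuple[str, int, str]]) -> List[Tuple[str, int, str, str, bool]]:
    """Run constructed connection attempts through a rule set; report the action and whether it is logged."""
    report = []
    for proto, port, src_ip in samples:
        action, index = evaluate(rules, proto, port, src_ip)
        logged = index is not None and rules[index].log
        report.append((proto, port, src_ip, action, logged))
    return report


# Constructed connection attempts from the GREEN network.
SAMPLE_CONNECTIONS = [
    ("tcp", 443, "192.168.0.5"),   # ordinary HTTPS from a workstation
    ("tcp", 5222, "192.168.0.5"),  # a chat-style port that is not on the allow list
    ("tcp", 25, "192.168.0.5"),    # SMTP from a workstation, not the mail server
    ("tcp", 25, "192.168.0.10"),   # SMTP from the mail server
]

if __name__ == "__main__":
    for label, rules in (("deny-all last", correct_order()), ("deny-all first", wrong_order())):
        print(label)
        for row in audit(rules, SAMPLE_CONNECTIONS):
            print("  ", row)
```

With the deny-all last, only the chat port and the workstation's SMTP attempt are denied (and logged); with it first, even the HTTPS request is denied by rule 0 and the allow rules never match.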

 

Cannot connect to iTunes behind Endian

Cannot connect to iTunes behind Endian

I have opened outgoing traffic (any to any) and still cannot connect to iTunes?

 

Solution

If I remember correctly, iTunes uses web traffic on port 80; make sure it's set up to use your proxy server and you should be fine.

 

http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=657.0

 

Endian and Google Earth

Endian and Google Earth

If you are having problems enabling users to use google earth, read on!

According to Google I should add to the whitelist the following servers:

kh.google.com

maps.google.com

auth.keyhole.com

which I have done, but it still isn't working!

 

Solution

Proxies may also block the use of Google Earth. Make sure your proxy permits access on port 80 to kh.google.com, geo.keyhole.com and auth.keyhole.com.

url: http://earth.google.com/support/bin/answer.py?hl=en&answer=25096


http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=815.0

 

Outbound SMTP with multiple WAN links

Outbound SMTP with multiple WAN links

I have a DSL and T1 line connected to my 2.2 ENDIAN firewall. Fail-over works great.

The DSL is the primary link (7mbps/800kbps) but I want all outbound email to go over our ADSL link since it has reverse DNS setup and has twice the upload speed. My Exchange server sends email out to the Internet directly (do not use the SMTP outbound proxy or a smarthost). I wish to continue this if possible.

 

How can I do this with ENDIAN?

 

Solution

Use policy routing for TCP port 25.

 

http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=836.0


Alternative solution

You can simply realise it with one machine by setting a route which says that all data from your exchange will use the T1.

 

How is support purchased for the endian software?

Effectively you can acquire the software at no cost, but in order to get anti-virus/anti-spam/security updates, you need to take out a maintenance package.

It's an annual fee.

Each package has a different level of features, which you can read about on the Endian website.

 

Where can I purchase Endian products from?

Where can I purchase endian products from?

If you are an end-user, a business/corporation, please contact Veritech Corporation so we can put you in touch with your closest reseller.

If you are an existing IT reseller, please visit our "Become a Reseller" page at the site www.veritechcorp.com.au.

 

Setup and Installation

How to follow the boot process through serial console

Follow these steps:

 

  1. During boot you will see a menu with title GNU GRUB. Press a cursor button in order to stop the countdown. Otherwise it will boot automatically.
  2. Select the first menu entry and press 'a'
  3. You should see something like the following:

    grub append> root=/dev/md3 panic=10 ro
  4. Append 'single console=ttyS0,38400' to the end of the line, in order to finally have a line like this:

    grub append> root=/dev/md3 panic=10 single console=ttyS0,38400
  5. Press ENTER, which starts the boot process
 

How to discover the MTU size to be set for having your uplink work correctly with your ISP.

In some circumstances, or with some ISPs, the standard MTU size of 1500 is too high. If that happens you will notice strange network behaviour, like downloads which always stop after a while or connections which do not work at all.

You can discover the MTU size by sending special ICMP packets (don't-fragment flag set) of the packet size you think is your needed MTU size. If the packet passes, the MTU size is OK; if not, it is too high and you lower the packet size and retry until you find the size which is acceptable for your ISP.

In order to send the ICMP packets, do the following:

  1. Log in to your EFW and choose a server which you actually can ping (10.10.10.10 in this example).
  2. Ping that host with the following command (-M do sets the don't-fragment flag, -s sets the payload size in bytes):

    ping -M do -s 1460 10.10.10.10

    If the actual MTU size is OK for ICMP packets of size 1460, you will get ping replies like this:

    PING 10.10.10.10 (10.10.10.10) 1460(1488) bytes of data.
    1468 bytes from 10.10.10.10: icmp_seq=1 ttl=49 time=75.2 ms

    If the actual MTU size is too small for packets of size 1461, you will get the following error message:

    PING 10.10.10.10 (62.116.64.82) 1461(1489) bytes of data.
    ping: sendmsg: Message too long
  3. Retry with different packet sizes (the value after the -s option) until you find the largest size which still works.
  4. The value which ping shows you in brackets is your MTU size (the payload plus 8 bytes of ICMP header and 20 bytes of IP header). In this example, 1460(1488), 1488 is the MTU size you need to configure.
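The manual retry loop above can be automated. The following is an added example, not from the Endian page or project: it wraps the page's ping command in a probe function and binary-searches for the largest payload that still gets a reply, then converts that payload into the bracketed on-wire size ping reports. A constructed simulated link stands in for a real path so the search can be demonstrated offline; the 10.10.10.10 host and the 1488 MTU are the page's own example values.

```python
"""Path-MTU discovery by probing with non-fragmentable ICMP echo requests.

Added example, not from the Endian page or project. It automates the manual
search described above: the page's 'ping -M do -s N host' check is wrapped in
a probe function and the largest accepted payload is found by binary search.
"""
import subprocess
from typing import Callable, Optional

ICMP_ECHO_HEADER = 8   # bytes of ICMP echo header in front of the payload
IPV4_HEADER = 20       # bytes of IPv4 header without options


def on_wire_size(payload: int) -> int:
    """The packet size ping prints in brackets: payload plus ICMP and IPv4 headers."""
    return payload + ICMP_ECHO_HEADER + IPV4_HEADER


def find_max_payload(probe: Callable[[int], bool], low: int = 100, high: int = 1472) -> Optional[int]:
    """Largest payload for which probe() succeeds, searched between low and high.

    Assumes the probe is monotone (if size N fails, every larger size fails too),
    which holds for a fixed path. Returns None when even the smallest size fails.
    """
    best = None
    while low <= high:
        mid = (low + high) // 2
        if probe(mid):
            best = mid
            low = mid + 1
        else:
            high = mid - 1
    return best


def discover_mtu(probe: Callable[[int], bool]) -> Optional[int]:
    """MTU to configure: the on-wire size of the largest payload that still gets a reply."""
    payload = find_max_payload(probe)
    return None if payload is None else on_wire_size(payload)


def ping_probe(host: str, payload: int, timeout_s: int = 3) -> bool:
    """Real probe: runs the page's ping command once with the don't-fragment flag set.

    ping exits non-zero both on 'Message too long' (local interface MTU) and when
    no reply arrives within the timeout (a smaller MTU further along the path),
    so both outcomes count as 'too big'.
    """
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_probe so the search can be demonstrated offline."""
    def probe(payload: int) -> bool:
        return on_wire_size(payload) <= path_mtu
    return probe


if __name__ == "__main__":
    # Constructed link whose MTU is 1488, the value from the page's example.
    link = simulated_link(1488)
    print("largest payload:", find_max_payload(link))  # 1460
    print("MTU to configure:", discover_mtu(link))      # 1488
    # Against a real host from the EFW console you would instead use:
    # discover_mtu(lambda n: ping_probe("10.10.10.10", n))
```

The default upper bound of 1472 bytes corresponds to the standard 1500-byte MTU, so a link that accepts 1472 needs no change; anything lower reports the MTU value to enter in the uplink configuration.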
 

My LAN does not work anymore if I connect Endian Firewall

Never connect Endian Firewall multiple times on the same switch if you did not configure it yet using the network wizard.
After installation Endian Firewall connects each network interface within a bridge in order to easily access the web interface without need to search for the correct green interface.

The device acts like a switch if it is not configured yet, which causes a loop within your LAN if you connect it multiple times to another switch.

 

Why won't the firewall boot after installation?

After a successful installation, and a reboot the firewall hangs at stage 2 of the boot loader:

GRUB Loading Stage 2 ......

Endian Firewall needs an enabled serial port for the serial console. Without it, GRUB hangs on Stage 2. To fix this issue, enable a serial port in your system's BIOS and reboot.

 

Does Endian Firewall support Harddisk mirroring (RAID-1)?

Yes, the installer automatically detects whether the system has two available hard disks and gives the user the choice to enable or disable RAID-1 support.

Endian Firewall Appliance models "Mercury Pro" and "Macro" (2nd generation, available from Q2/2007) have built-in RAID-1 support.

 

Why does my browser not use my AD login name / credentials when I browse the web using Vista with HTTP Proxy and Windows (AD) Authentication enabled?

The HTTP Proxy (squid) uses negotiated NTLMv2, which Vista does not allow by default (only straight NTLMv2). The following changes to your Vista configuration are required:

  • Start -> gpedit.msc (run as administrator)
  • Go to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
  • Find "Network Security: LAN Manager Authentication Level"
  • Set it to "Send LM & NTLM - use NTLMv2 session security if negotiated"

After applying these changes your browser should automatically use your AD Login Name / Credentials for HTTP Proxy authentication.

 

No eth0 on Xen virtual Machine

No eth0 on Xen virtual Machine


This problem can occur in a Xen virtual machine environment: Xen assigns interface numbers that are not eth0 and eth1.

This can be seen in the file /etc/businfotab:

# Generated by ethconfig
eth10 XEN-eth0
eth11 XEN-eth1

To correct this problem, change the file to:

# Generated by ethconfig
eth0 XEN-eth0
eth1 XEN-eth1
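The edit above is easy to do by hand for two interfaces; the following added example (not Endian code) does the same renumbering for any number of entries and refuses malformed or duplicate lines. It assumes the file layout shown above, a comment header followed by one "kernel-name bus-id" pair per line, and the sample text is constructed from the page's example. The file rewrite is a dry run unless told otherwise, so the mapping can be checked before /etc/businfotab is touched.

```python
"""Renumber kernel interface names in an ethconfig-style businfotab file.

Added example, not Endian code. Assumes the format shown on the page: a comment
header followed by 'kernel-name bus-id' pairs, one per line. Kernel names are
renumbered in file order starting at eth0; the bus-id column is left untouched.
"""
from typing import Dict, Tuple

# Constructed from the page's example of a broken file.
SAMPLE = """# Generated by ethconfig
eth10 XEN-eth0
eth11 XEN-eth1
"""


def renumber(text: str, prefix: str = "eth") -> Tuple[str, Dict[str, str]]:
    """Return the rewritten file text and the old->new interface name mapping."""
    lines = []
    mapping: Dict[str, str] = {}
    next_index = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            lines.append(raw)  # keep comments and blank lines as they are
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or not fields[0].startswith(prefix):
            raise ValueError(f"unexpected businfotab line: {raw!r}")
        old_name, bus_id = fields
        if old_name in mapping:
            raise ValueError(f"duplicate interface name: {old_name}")
        new_name = f"{prefix}{next_index}"
        next_index += 1
        mapping[old_name] = new_name
        lines.append(f"{new_name} {bus_id}")
    return "\n".join(lines) + "\n", mapping


def rewrite_file(path: str, dry_run: bool = True) -> Dict[str, str]:
    """Renumber the file at path; only writes back when dry_run is False."""
    with open(path) as fh:
        new_text, mapping = renumber(fh.read())
    if not dry_run:
        with open(path, "w") as fh:
            fh.write(new_text)
    return mapping


if __name__ == "__main__":
    text, changes = renumber(SAMPLE)
    print(text)
    print(changes)  # {'eth10': 'eth0', 'eth11': 'eth1'}
```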
 

How to activate Load Balancing on an Endian

What's a good way to activate load balancing on Endian?

Endian does not offer load balancing as a comprehensive feature. However, it is possible to do load-sharing across multiple WAN connections.

This can be done using the Routing > Policy Routing configuration where, depending on the source (client) IP address, or the type of traffic or service, you can choose the outbound route for that traffic.

This way you can route time-critical or bandwidth-intensive traffic via your preferred uplink.
 

LDAP authentication doesn't support spaces in names

A problem happened in authenticating to an LDAP server with a group name that had a space in it, e.g. "IT Users". When the Endian sent the LDAP query, the second word was cut off (space is a delimiter). Changing it to "ITUsers" fixed the problem.

I thought further about the spacing issue with the Endian, and I do think it is an Endian bug. LDAP should indeed support spaces in names, e.g. cn=Name Surname,
and it's the parsing in Endian which fails when spaces occur.

 

Well, spaces need to be escaped with a backslash:
IT Users -> IT\ Users

otherwise squid will not start.

 

SSL certificate complains of a different name

SSL certificate complains of a different name

After changing the name of an EFW, the SSL certificate complains of a different name.  How can I recreate the SSL certificate?

 

Each time the name of the firewall gets changed, a new certificate gets generated. If the customer faces an issue when connecting, it is likely due to the browser having saved the old certificate. This certificate must be deleted from the browser; there is no need to create a new certificate.

 

When I try to add a firewall rule the screen goes blank.

If you are using IE8 (Internet Explorer 8) you need to enable 'Compatibility Mode' in this browser.

Otherwise, use a browser such as Mozilla Firefox, or an older version of Internet Explorer.

 

Change the look of the Access Denied Page

Change the look of the Access Denied Page

 

When a page is denied, you get a plain webpage which basically says you don't have access.....

 

Does anyone know how to change this page?

 

Solution

The file you want to edit is named template.html and it's located at /usr/share/dansguardian/languages/ukenglish

 

http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=553.0

 

Can I upgrade from Community Edition to Enterprise and maintain my configurations?

It is not recommended to upgrade the software from the Community Edition to the Enterprise Edition. The integrity of the data cannot be guaranteed.

It is notionally possible to do this; however, since the version of the Community Edition is inevitably different from the version of the Enterprise Edition, some or all of the configuration settings may be different. Porting the configurations across is risky. In any case, it's a good idea to start with a clean configuration when deploying a new security device.

 

How to reach Endian Firewall via SSH if a fresh installation does not boot and I would like to ...

How to reach Endian Firewall via SSH if a fresh installation does not boot and I would like to reach the machine after the installer has finished installing all packages?

  1. Switch to the console (Alt-F3)
  2. Chroot into the installation using:

    chroot /harddisk
  3. Mount proc:

    mount -t proc none /proc
  4. Mount devpts:

    mount -t devpts none /dev/pts
  5. Start SSH:

    /etc/init.d/sshd start
  6. Assign an IP address manually:

    ifconfig ethX ip.ip.ip.ip netmask mask.mask.mask.mask up

    Replace ethX with the interface you need to use, for example eth0, and ip.ip.ip.ip and mask.mask.mask.mask with the IP address and netmask you would like to use.
  7. If you need to have access from the internet, set the default gateway with:

    route add default gw gw.gw.gw.gw

    Replace gw.gw.gw.gw with the default gateway to be used.
 

VPN Support

How to Authenticate OpenVPN against Active Directory

This article describes how to configure the OpenVPN Server so that it authenticates from a Windows Active Directory Server as well as the local user database.  Note that this process is separate to the Active Directory authentication system included with the Endian Proxy service.

 

Endian have released an article http://kb.endian.com/entry/64/ which describes LDAP authentication, however, that article is not precisely related to Active Directory.  The following instructions pertain specifically to using an Active Directory (AD) back-end.

 

It isn't possible to configure AD authentication through the administration graphical interface. Instead, a file needs to be edited on the command line.

First, enable the OpenVPN server on the Endian and ensure it works with local accounts.

Edit the file: /var/efw/openvpn/settings

(it is advisable to make a backup copy of this file first!)

Add the following lines to this file:

 

LDAP_BIND_DN=cn=administrator,cn=Users,dc=domainname,dc=local

This is an authorised user that can query the AD.  Administrator works well here.  The 'dc' parameters pertain to the Windows AD domain name.

 

LDAP_BIND_PASSWORD=administratorpassword

This is the password for the user specified in LDAP_BIND_DN above.

 

LDAP_URI=ldap://192.168.1.1

This is the IP address of the Active Directory server.

 

LDAP_USER_BASEDN=cn=Users,dc=domainname,dc=local

This is the tree in AD where the users reside.  Including cn=Users allows the search to be quicker and locate only the relevant users.

* Note: it's possible that your AD tree is different, and possibly users are not in the cn=Users subtree.  In that case, you will need to adjust this string.  A good tool to help determine your tree structure is the Softerra LDAP Browser tool.

 

LDAP_USER_SEARCHFILTER=(&(objectCategory=person)(objectClass=user)(SAMAccountName=%(u)s))

This is the search filter to locate users, and passes the username and password in the AD query.
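Two values on this page end up inside configuration that a parser splits: the login name substituted for %(u)s in LDAP_USER_SEARCHFILTER above, and the group name with a space from the earlier "LDAP authentication doesn't support spaces in names" entry. The following added example (not Endian code, and not a description of how Endian's own service substitutes %(u)s, which the page does not state) shows the escaping a caller should apply in each case: RFC 4515 escaping for filter values, so that characters such as * and parentheses in a login name are matched literally rather than changing the filter, and backslash-escaping of spaces so "IT Users" stays one token on a config line. The shell-style tokenizer is used only as a model of the splitting the earlier entry describes; the group-name and login-name inputs are constructed.

```python
"""Escaping user-supplied values before they reach an LDAP filter or a config line.

Added example, not from the Endian page or project.
(1) LDAP_USER_SEARCHFILTER substitutes the login name at %(u)s. A caller must
    escape the RFC 4515 metacharacters first so a login name is matched
    literally and cannot alter the structure of the filter.
(2) A group name with a space ("IT Users") is split in two when a config line
    is tokenized, so the space is backslash-escaped. LDAP itself accepts spaces
    inside DN values; the escape is for the config-line tokenizer, not the
    directory.
"""
import shlex
from typing import List

# Search filter exactly as given on the page.
SEARCH_FILTER = "(&(objectCategory=person)(objectClass=user)(SAMAccountName=%(u)s))"

# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, template: str = SEARCH_FILTER) -> str:
    """Fill %(u)s in the page's filter template with an escaped login name."""
    return template % {"u": escape_filter_value(username)}


def escape_config_space(name: str) -> str:
    """Backslash-escape spaces so a name stays one token on a config line (IT Users -> IT\\ Users)."""
    return name.replace(" ", "\\ ")


def config_tokens(line: str) -> List[str]:
    """Model of whitespace tokenization with backslash escapes, as the LDAP entry describes."""
    return shlex.split(line)


if __name__ == "__main__":
    print(build_user_filter("jsmith"))
    print(build_user_filter("j*"))  # the wildcard is kept literal as \2a
    print(config_tokens("--group IT Users"))                              # ['--group', 'IT', 'Users']
    print(config_tokens("--group " + escape_config_space("IT Users")))    # ['--group', 'IT Users']
```

A related practitioner point for the settings file: LDAP_BIND_PASSWORD is stored in clear text, so a dedicated read-only directory account with a minimal password scope is a better bind identity than a domain administrator, and the file should be readable only by root.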

 

Save the 'settings' file.

Restart the openVPN service (from the GUI) and connect using the OpenVPN client.

More details on the file options are available at http://kb.endian.com/entry/64/

 

Connecting to OpenVPN from behind a firewall through Port 80

This little how-to will show you how to connect to your VPN through a firewall on port 80 (mostly not blocked, otherwise no web access would be possible).

Requirements:

  • Endian Firewall
  • Basic Configuration Knowledge

Steps before you leave home:

  1. Login to your Endian Firewall Web Interface
  2. Go to the "Firewall"-Tab and click on "Port Forwarding" in the menu, at your left
  3. Add a new Rule with following properties:
    • Port on Red: 80
    • Destination IP: (ex. 192.168.0.15)
    • Destination Port:
    • Click on Add, and voila
  4. Go to the "VPN"-Tab and click on "Openvpn Server" in the menu at your left
  5. Change protocol to "TCP" (UDP might work, please report if it does)
  6. Click on the edit option of your openvpn user
  7. In the section "Client Routing" activate the "use firewall as default gateway" checkbox
  8. Save and done!

Steps when you're out and urgently need some very private files from your local network at home:

  1. Change the Settings of your openvpn client
  1. Using Endian VPN-Client:
    • Click on "Properties"
    • Select the "Profile" you want to use
    • Click on the "Advanced" tab
    • Port: 80
    • Protocol: TCP (UDP might work as well, though haven't tried)
  2. Manual configuration of the vpn.conf file
    1. Look for the line beginning with 'remote' and change it like this:
      < remote myhost.com 119
      > remote myhost.com 80
    2. Look for the line beginning with 'proto' and change it like this (again, udp might work as well):
      < proto udp
      > proto tcp
Click connect and hope for the best.

For Mac Users

We're kind of used to the fact that Mac OS X always has to do things differently and in a "smarter" way, so of course this applies to DNS resolution as well. In OS X each "Location" may have different DNS entries, which are managed by a daemon called lookupd. This daemon simply ignores any manual changes to /etc/resolv.conf, so we can't set the firewall as DNS server that way.

To bypass this problem, execute the following steps:
  1. Open "System Preferences.app"
  2. Select the "Network" option
  3. Choose the "Location" and "Device" you're connected to the Internet with
  4. Enter the IP of your firewall as the DNS server entry in "DNS Server"
  5. Click on "Apply" and you're done!
  6. Enjoy the World Wide Web with no port locks whatsoever!
 

Intranet behind Endian an OpenVPN

Intranet behind Endian an OpenVPN

 

I noticed interesting behavior of EFW server after 2.2 upgrade.

On this server I have an OpenVPN with 16 users. Before the update they could access an intranet web page through the VPN service (http://intranet with a definition in /etc/hosts). But since the upgrade to 2.2 the intranet access is forbidden.

I have tried to route all navigation through the VPN but still no intranet access. I included all users with transparent proxy but to no avail.

 


I've changed the /etc/hosts configuration on the Endian Firewall, but it seems it doesn't change anything.

I decided to check all options on the proxy. I had to bypass all IP directions defined as VPN IPs, and it works.


 

Hardware Support

My hardware has failed, and I need to move my subscription to another box

If you have a paid Endian Subscription, and your hardware has failed - there is a simple process to transfer your subscription to the new hardware.


In the case of changed hardware, the customer purchases a new license for the new hardware, but receives a discount off that price (equivalent to the remaining active time on the old subscription).


This needs to be arranged with the reseller prior to the order being raised (so that everyone is aware of what is happening).

 

UMTS and GPRS Support

The endian supports GPRS/NextG cellular phone adapters.  I want to have a USB attached cellular adapter.  Are there any limitations with this?  Are there specific supported models?   Does it use PPPOE to connect?

 

UMTS/GPRS modems are supported if they are USB serial modems (which most modems should be). The connection is therefore similar to a normal analog modem connection - PPP.

 

Is there a list of processors that the UTM software is compiled for? Particularly will it run on the Intel Atom processor?

 

Endian now supports i386 processors only... Atom is not supported

 

Maximum number of interfaces

Maximum number of interfaces

 

I am currently using ipcop and am using the mod that allows me to have a max of 8 interfaces. Does Endian firewall also have this sort of capability or am I limited to the red, green, orange and blue interfaces? I'm planning to replace my ipcop box with endian to take advantage of WAN load balancing features.

 

Solution

Normally you have 4 zones, each one representing one NIC:

RED, GREEN, BLUE, ORANGE

However, you can have more interfaces - but all interfaces must be assigned to one of those zones.

 

http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=357.0

 

Support of Realtek NetworkCard RTL8100C

Support of Realtek NetworkCard RTL8100C


 

Has anybody information about the Support of the Realtek NetworkCard/Chip RTL8100C?  Or is the hardware support of Endian good and up to date?

 

Solution

Normally all the Realtek cards are supported.

 

http://efwsupport.com/index.php?PHPSESSID=481b36274017331d7f7a045c61dd3085&topic=68.0

 
