
Quick Setup Guide

By: Philippe Baumgart and Victor Julien


Last updated on 2007-09-19

0-Introduction
This guide is written to help you quickly set up Vuurmuur so it can protect your PC or network. It shows all the important steps to get going. This guide will set up a simple gateway firewall. It assumes a firewall with two interfaces: eth0, which is connected to the LAN, and eth1, which is connected to the internet. If things are unclear to you, don't hesitate to contact us. We'll be glad to help out!

Some useful links:
Installation: http://www.vuurmuur.org/trac/wiki/Installation
FAQ: http://www.vuurmuur.org/trac/wiki/Faq
Manual: http://www.vuurmuur.org/trac/wiki/Manual
Support: http://www.vuurmuur.org/trac/wiki/Support

1-Initial startup
Installation is outside the scope of this document, but we touch on the subject here to show that after an initial installation Vuurmuur is not yet active. We assume Debian/Ubuntu was used for the installation here. The source based installation is also very simple, as it is fully automated using an installation script. As you can see below, Vuurmuur got installed, but it wasn't started yet. This is to prevent an empty ruleset from getting loaded, completely closing the firewall and possibly locking you out. If you are using the source based installation, the message is slightly different. Note that it is not advised to do a Vuurmuur installation through ssh on a remote location. It can be done, but you need to be extremely careful not to lock yourself out.

All firewall management using Vuurmuur can be done using the GUI tool: vuurmuur_conf. It's time to start it by typing 'vuurmuur_conf' on the commandline and pressing enter. You need to do this as root or use su or sudo for it.

This is vuurmuur_conf's main screen. Don't get intimidated by the failure messages. It's nothing we won't be able to fix in a few minutes. Press F5 to see what Vuurmuur is complaining about.

As you can see, it complains about mainly two things: 1. we have to create a configuration and 2. vuurmuur and vuurmuur_log are not running. We just saw vuurmuur wasn't started yet, so that is not a surprise. We'll go on fixing 1 first. When we have done that, we can start vuurmuur safely!

2-Interface Creation
Interfaces correspond to the network devices in the firewall system. Vuurmuur needs to know about them when creating the rules, so it can apply rules to the right interfaces. Interfaces are attached to networks, but we'll get to that later. From the main menu proceed to Interfaces.

The interfaces list is empty because we have to manually define the interfaces for Vuurmuur.

Press Insert to create a new Interface.

Give your interface a name so you know which one it is. Let's name the interface 'inet-nic' so we never forget it's the internet facing interface. Being able to give all objects such as interfaces, zones, networks, etc. clear names was actually one of the primary design goals of Vuurmuur. The reason is to prevent any accidental mixups of different trust levels, such as safe and unsafe or intern and extern. Let's configure the interface.

This internet connection gets assigned an IP address dynamically when connecting, so the 'IP address' field is left empty and the 'Dynamic IP Address' toggle box is checked. Let's do the same for the LAN interface. Let's call it 'lan-nic' to make it as clear as possible. Here we do know the IP address.

The end result of the interfaces is shown below.

If you have more interfaces, just repeat the above steps. There is no limit to the number of interfaces. I've heard of setups using over 30 interfaces that worked great! Let's define the surroundings of the firewall next.

3-Zone Creation
Now that we have defined our two interfaces we can define zones which are global containers for networks, groups and hosts. When thinking about zones think about general areas on different sides of the firewall, like 'inside' and 'outside', 'safe' and 'unsafe', 'lan', 'dmz' and 'inet'. Use names that have meaning to you and your network. To proceed, go to Zones.

Press Insert to create a new zone and enter the name. Let's call the external internet zone 'inet'. It's convenient to keep names short because of the limited space on the screen. Especially in the logviewer, connection monitor and rules window, short names work better.

As you can see, there is not much configuration to do for the zone itself.

Don't forget to set the zone to 'active' after you have created it. Create a zone 'lan' as well for the LAN side. Like with the interfaces, there are no real limits for the zones. Define as many as you need. Note however that a zone can contain more than one network, so it may be wise to group related networks together in a zone. For example, if your firewall has access to multiple VPNs, you could create a zone 'vpn' and add the networks to it. Next are networks.

4-Networks
Networks define the actual networks connected to the interfaces of the firewall. Networks are created inside a zone and will be used to create rules on a per network basis. To proceed, go to Zones, select the 'inet' zone and press enter. Press Insert to create a new network and enter the name. Let's call this one 'world', as it's the network that contains the outside world. In Vuurmuur you will refer to this network as 'world.inet'. This naming scheme comes back everywhere and is designed so you never lose track of what zone a network or host belongs to.

Enter 0.0.0.0 in the Network field and 0.0.0.0 in the Netmask field. You'll notice the warning about no interfaces attached. That's next. But first have a look at the 'Anti-Spoofing' check boxes. Anti-spoofing rules protect you from people pretending to be on your local network while coming from the internet. There are a number of IP netblocks that can be blocked. Beware that in this context Class A means 10.0.0.0/8, B means 172.16.0.0/16 and C means 192.168.0.0/24! Don't activate anti-spoofing for your own type of network. For example, if you have a network 192.168.0.0/24 you can't activate the anti-spoofing class C. Beware that many setups use such a network for communicating with a cable or DSL modem. The 'DHCP Server' box is needed when the firewall needs to act as a DHCP server on this network. The 'DHCP Client' box is needed if the firewall needs to get an IP address on this network.
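The caveat above (don't enable an anti-spoofing class that covers one of your own networks) is easy to get wrong once the firewall has several local networks. The following is an added example, not code from the guide or from the Vuurmuur project: it checks which anti-spoofing options are safe to enable for a given list of local networks, and shows which packet sources the enabled options would catch on the internet-facing interface. The mapping of the three check boxes to netblocks is an assumption: it uses the RFC 1918 private ranges, while the guide's own text quotes narrower masks for B and C.

```python
import ipaddress

# Netblocks the three anti-spoofing check boxes are assumed to cover (assumption:
# RFC 1918 ranges; the guide quotes narrower masks for B and C, so adjust this
# table to what your Vuurmuur version actually blocks).
ANTI_SPOOF_BLOCKS = {
    "class A": ipaddress.ip_network("10.0.0.0/8"),
    "class B": ipaddress.ip_network("172.16.0.0/12"),
    "class C": ipaddress.ip_network("192.168.0.0/16"),
}


def anti_spoof_options(local_networks):
    """Return {option: safe_to_enable} for the networks the firewall itself uses.

    An option is unsafe when its netblock overlaps one of our own networks:
    enabling it would make the firewall drop our own legitimate traffic.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    return {
        name: not any(net.overlaps(block) for net in nets)
        for name, block in ANTI_SPOOF_BLOCKS.items()
    }


def is_spoofed_source(src_ip, enabled_options):
    """True if a packet with this source address, arriving on the internet-facing
    interface, would be caught by the enabled anti-spoofing options."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ANTI_SPOOF_BLOCKS[name] for name in enabled_options)


if __name__ == "__main__":
    # Constructed sample: the guide's LAN plus a typical modem management network.
    ours = ["192.168.0.0/24", "192.168.100.0/24"]
    options = anti_spoof_options(ours)
    print(options)  # class A and B can be enabled, class C cannot
    enabled = [name for name, ok in options.items() if ok]
    print(is_spoofed_source("10.1.2.3", enabled))      # caught as a spoof
    print(is_spoofed_source("198.51.100.7", enabled))  # ordinary internet source
```

Run it with the list of every network the firewall has an address on, including the modem network mentioned above; only the options it reports as safe should be ticked.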

First let's add the right interface to this network. Assign an interface to this network by pressing F6.

Select the inet-nic because that's our internet facing interface. You can add more than one interface to a network. Again, no limits.


As you can see, the warning is now gone. Don't forget to enable the 'DHCP Client' box if your interface is set to dynamic. In short the same for our lan network. We call this one 'local.lan':

Of course, the interface 'lan-nic' was added to this network. Well done, you are now ready to create rules!


5-Rules
Rules are where you tell the firewall what to do in what situation. By default all policies (IN, OUT, FORWARD) are set to DROP, which means everything is dropped. Quite secure, don't you think? Sadly, a completely closed firewall is not very useful. So in the rules you define what is allowed. To proceed, go to Rules. An empty rules window looks like this.

Press Insert to add a new rule. We will start by adding a rule that allows lan clients to access the DNS server of our ISP on the internet.

By pressing Space on most fields, a menu will pop up to make a selection. In this case we select 'Accept' as action, 'local.lan' as source, 'world.inet' as destination and 'dns' as service. Keep an eye on the 'Status' box on the bottom of the screen, it contains some useful clues.

The log toggle controls whether or not the connections are logged. The prefix is a short text that is added to the log for your convenience. That's the first rule done. But because creating many similar rules is boring, there is a handy shortcut in the rules list. Press 'c' on a rule to create an exact copy of it. Here we add support for http, https and ftp. We will also add an SNAT rule, but more on that below. See the help function inside the program for more tips on useful keys. The help can be opened by pressing F12.

If you, like in our example, are using private IP addresses on your LAN, you need to use NAT. Vuurmuur supports multiple forms of NAT rules, but here we need Source NAT (SNAT). Notice that the service is set to 'any'. This means that all traffic that is accepted by the Accept rules above is SNAT'ed. This saves you from creating two rules for every service. In the Linux world many people talk about masquerade when talking about Source NAT.


Usually it's a good idea to allow some services from and to the firewall itself. To allow the LAN clients to connect to the firewall's ssh service for management, add a rule like:

Accept service ssh from local.lan to firewall

Note the destination 'firewall' here. This means the firewall machine itself is the destination. There is no need (or a way, for that matter) to tell Vuurmuur on what interface it listens. Vuurmuur will figure that out by itself. Other rules that may be useful are rules allowing the firewall to access the internet so it can download updates:

Accept service dns from firewall to world.inet
Accept service http from firewall to world.inet
Accept service https from firewall to world.inet
Accept service ftp from firewall to world.inet

Note that there is no need for SNAT here. The firewall will use its public IP address for traffic generated locally. If you've made it this far, you're almost getting your reward! Exit vuurmuur_conf. Debian/Ubuntu users should now edit /etc/default/vuurmuur to enable vuurmuur startup. Others can just start vuurmuur.
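To make the semantics of this section concrete (default DROP policies, the first matching Accept rule deciding, the SNAT rule with service 'any' covering every accepted LAN connection, and 'firewall' traffic needing no SNAT), here is an added example that is not part of the guide or of Vuurmuur itself. It parses rule lines written the way they appear above, rejects rules that name an object not defined as network.zone, and evaluates a new connection against the ruleset. The rule evaluation order and the object names are a simplified model of what the guide describes, not Vuurmuur's own implementation.

```python
import re
from dataclasses import dataclass

# Rule lines in the form the guide uses, e.g. 'Accept service ssh from local.lan to firewall'.
RULE_RE = re.compile(
    r"^(?P<action>accept|drop|reject|snat)\s+service\s+(?P<service>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)$",
    re.IGNORECASE,
)

# Objects this model knows about (constructed from the guide's setup).
# Networks are always written as network.zone; 'firewall' is the firewall host itself.
NETWORKS = {"local.lan", "world.inet"}
SPECIAL = {"firewall", "any"}


@dataclass(frozen=True)
class Rule:
    action: str
    service: str
    src: str
    dst: str


def parse_rule(line):
    """Parse one rule line and check that every object it names is defined."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    rule = Rule(*(m.group(g).lower() for g in ("action", "service", "src", "dst")))
    for obj in (rule.src, rule.dst):
        if obj not in NETWORKS and obj not in SPECIAL:
            raise ValueError(f"unknown object {obj!r}; networks are named network.zone")
    return rule


def _matches(rule, service, src, dst):
    return (
        rule.service in ("any", service)
        and rule.src in ("any", src)
        and rule.dst in ("any", dst)
    )


def evaluate(rules, service, src, dst):
    """Return (verdict, snat) for a new connection.

    The first Accept/Drop/Reject rule that matches decides; if none matches, the
    default policy DROP applies. SNAT is applied only if the connection was
    accepted and some SNAT rule matches it (simplified model, assumption).
    """
    verdict = "drop"
    for rule in rules:
        if rule.action != "snat" and _matches(rule, service, src, dst):
            verdict = rule.action
            break
    snat = verdict == "accept" and any(
        r.action == "snat" and _matches(r, service, src, dst) for r in rules
    )
    return verdict, snat


# The ruleset built in this guide, written as rule lines (constructed).
GUIDE_RULES = [parse_rule(line) for line in [
    "Accept service dns from local.lan to world.inet",
    "Accept service http from local.lan to world.inet",
    "Accept service https from local.lan to world.inet",
    "Accept service ftp from local.lan to world.inet",
    "Snat service any from local.lan to world.inet",
    "Accept service ssh from local.lan to firewall",
    "Accept service dns from firewall to world.inet",
    "Accept service http from firewall to world.inet",
]]

if __name__ == "__main__":
    for conn in [("dns", "local.lan", "world.inet"), ("smtp", "local.lan", "world.inet"),
                 ("ssh", "local.lan", "firewall"), ("http", "firewall", "world.inet")]:
        print(conn, "->", evaluate(GUIDE_RULES, *conn))
```

The smtp connection from the LAN is dropped by the default policy because no rule accepts it, and it is not SNAT'ed either: the 'any' SNAT rule only ever applies to connections that an Accept rule let through. Traffic from 'firewall' is accepted without SNAT, matching the note above.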

Now start vuurmuur_conf again.


Like promised, all warnings are gone! So you think you're done now? Think again! The fun part is only just starting. Next we'll have a look at monitoring the way your firewall is working.


6-Monitoring
The realtime logviewer is used to monitor new connections and dropped packets. It's a useful tool for determining what's going on. It even allows you to respond to the logs you see in a number of ways, but that is beyond the scope of this document. One hint: press 'm' to get into the log management.

Play around with this screen a bit, it will probably be where you spend most of your time in Vuurmuur. As you can see, the log prefix is quite useful to see which rule is used to allow or block a connection. That's why you are advised to choose them with care, so that you can clearly identify what rule is missing or causing trouble. In the main menu the Connections option gives you the ability to monitor in real time all the connections that are passing through the firewall.
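The point about log prefixes is that, once you can group dropped packets by prefix and service, a missing rule shows up as a cluster of identical drops from the LAN side. The following is an added example, not code from the guide or from Vuurmuur: it parses kernel log lines in the netfilter LOG format and counts drops per prefix, protocol and destination port, optionally restricted to one inbound interface. The sample lines, the 'vrmr:' prefix text and the assumption that the rule prefix precedes the IN=/OUT= fields are all constructed for this example; Vuurmuur's own logviewer presents its own format.

```python
import re
from collections import Counter

# netfilter LOG format: '<prefix>IN=... OUT=... SRC=... DST=... PROTO=... DPT=...'.
# Assumption: the rule prefix set in vuurmuur_conf ends up in front of IN=.
LOG_RE = re.compile(
    r"kernel:\s*(?P<prefix>.*?)\s*IN=(?P<in>\S*)\s+OUT=(?P<out>\S*).*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Sep 19 10:00:01 fw kernel: vrmr: ACCEPT lan-dns IN=eth0 OUT=eth1 SRC=192.168.0.10 DST=198.51.100.53 LEN=60 PROTO=UDP SPT=40001 DPT=53
Sep 19 10:00:02 fw kernel: vrmr: DROP IN=eth0 OUT=eth1 SRC=192.168.0.10 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=40002 DPT=25
Sep 19 10:00:03 fw kernel: vrmr: DROP IN=eth0 OUT=eth1 SRC=192.168.0.11 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=40003 DPT=25
Sep 19 10:00:04 fw kernel: vrmr: ACCEPT lan-http IN=eth0 OUT=eth1 SRC=192.168.0.10 DST=198.51.100.80 LEN=60 PROTO=TCP SPT=40004 DPT=80
Sep 19 10:00:05 fw kernel: vrmr: DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=5555 DPT=22
Sep 19 10:00:06 fw kernel: vrmr: DROP IN=eth0 OUT=eth1 SRC=192.168.0.12 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=40005 DPT=25
"""


def parse_log(text):
    """Yield one dict per line that matches the LOG format; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def drops_by_service(text, from_iface=None):
    """Count dropped packets per (prefix, proto, dport), optionally for one inbound
    interface. Repeated drops of the same service arriving from the LAN interface
    usually mean a rule is missing; drops arriving on the internet interface are the
    background noise the default DROP policy is there for."""
    counts = Counter()
    for entry in parse_log(text):
        if "DROP" not in entry["prefix"]:
            continue
        if from_iface and entry["in"] != from_iface:
            continue
        counts[(entry["prefix"], entry["proto"], entry["dpt"])] += 1
    return counts


if __name__ == "__main__":
    # LAN-side drops only: three clients tried TCP/25, so an smtp rule is missing.
    for key, n in drops_by_service(SAMPLE_LOG, from_iface="eth0").most_common():
        print(n, key)
```

Restricting the count to the LAN interface (eth0 in this guide) separates "a rule is missing" from "the internet is knocking", which is the distinction the prefix is meant to make obvious at a glance.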


The connection monitor has some very interesting features. It can display the connections in a number of ways. It can be used to block connections. To do that see a description at http://www.vuurmuur.org/trac/wiki/VuurmuurConfConnview


7-Conclusion
This completes this quick setup guide. Hopefully you will be able to get going with this. Using the realtime monitoring tools you can solve most problems you may encounter. Of course, check the site http://www.vuurmuur.org/ for additional documentation, a FAQ, bug fixes and information on how to get support. This guide provides guidelines for a simple setup, but Vuurmuur can be used for much more advanced setups as well. Think about portforwarding (easy!), traffic marking (for shaping and advanced routing), transparent proxies (easy!), integration with Snort_inline, traffic volume monitoring, virtual interfaces and much more! For advanced setups be sure to read the manual that can be found online at http://www.vuurmuur.org/trac/wiki/Manual. Have fun with your new firewall!

