Once the FireLance CGI has been installed, browse to the server's CGI like this:
The server running as a firewall (and hence running FireLance as a service of its web server; hereafter the FireLance server) must be multihomed, i.e. have two network interfaces to connect to: an internal network interface, probably ethernet, and an external (WAN/internet, wide area network) connection. FireLance functions correctly only in this situation. A typical scenario is a FireLance server connected to a Cable/DSL line via one ethernet connection and to your LAN (local area network) via a second ethernet connection; the Cable/DSL connection is the WAN/internet connection. When you first load FireLance it will attempt to discover and display your ethernet connections, e.g. (please note these values are totally bogus, just examples)
There must be two interfaces for the firewall to function correctly. Below this information you can select which is to be the external (WAN/internet) interface and which is to be the internal (LAN) interface.
DO NOT get this wrong: swapping the two renders the whole firewall useless and potentially dangerous, since the rules that were meant to protect you from the internet would be applied to your LAN instead (don't worry, we will run a minor test on the firewall after setup to make sure it is functioning correctly). Now continue on to the general usage instructions below.
There is one configuration file, /etc/firelance.conf; it does not need to be edited in normal circumstances. However, if you wish to force the use of a different interface, say ppp0, which FireLance will not discover on its own at this time, you can use this file to force its usage. At present the only settings available in the file are the WAN and LAN interfaces, e.g.
# FIRELANCE version0.2
#
# http://johnwiggins.net/firelance/
# email@example.com/
#
WAN=eth0
LAN=eth1
There are no spaces on a line, and comments start with a '#' character. So to make ppp0 the WAN interface, just replace eth0 with ppp0 on the WAN= line. Refresh the browser and the ppp0 interface should turn up as a choice in the interface selection section.
In suid installed mode.
To set up a NAT firewall all that is needed is to browse to FireLance and issue four commands by clicking the appropriate buttons at the bottom of the FireLance page.
- To have the firewall server act as a gateway, check the "Allow LAN to access the WAN (act as a gateway)" checkbox before clicking the Create Script button. The contents of the created script are displayed in the results section of the page below the control buttons.
- Running the script deletes the current firewall rules and loads the FireLance rules in their place. The iptables rules now loaded are displayed in the results section of the page below the control buttons.
- The iptables Save button saves the currently loaded iptables rules in the system default location, so if iptables is stopped and restarted via the system control script its default rules will be FireLance's.
- The Activate on boot button ensures that iptables is started automatically on a reboot. This way you needn't worry whether the server is protected if it is rebooted for some reason, e.g. after a power outage.
In non suid mode.
Set the options for the script as you want them and click the Create Script button. Now highlight, copy and paste the script text displayed in the results section of the page into your favourite text editor and save the file. Make the file executable (chmod 755 scriptname). Now run this script as root to start the firewall. It is advisable at this point to also save the rules as the default rules for the FireLance server and to have iptables start on boot.
e.g. as root
myconsole:~ /etc/init.d/iptables save
myconsole:~ chkconfig iptables on (redhatesque distros)
myconsole:~ update-rc.d iptables defaults 40 (debianesque distros)
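The following is an added example and is not FireLance's own generated script or part of the original page. It is a POSIX shell script in the shape the text describes for both modes: it reads WAN= and LAN= from a firelance.conf-style file (the format shown above, '#' comments and no spaces), refuses to continue if the two interfaces are missing or identical (the "DO NOT get this wrong" case), deletes whatever rules are currently loaded, and then loads a minimal NAT gateway ruleset when the gateway option is on. The exact rules, the function names and the FIRELANCE_CONF and GATEWAY variables are my assumptions; the rules FireLance actually generates may differ.

```shell
#!/bin/sh
# Added example, not FireLance's generated script. Usage:
#   sh firelance-nat.sh print   -> show the iptables commands that would run
#   sh firelance-nat.sh apply   -> run them (must be root)
# FIRELANCE_CONF and GATEWAY are assumed names for this example.
CONF=${FIRELANCE_CONF:-/etc/firelance.conf}

# read_iface KEY FILE: print the value of the last KEY=value line,
# skipping '#' comment lines (the firelance.conf format from the text).
read_iface() {
    key=$1; file=$2
    grep -v '^#' "$file" | grep "^${key}=" | tail -n 1 | cut -d= -f2
}

# gen_rules WAN LAN [yes|no]: print the commands, one per line, without
# running them. Fails if an interface is missing or WAN and LAN are the same.
gen_rules() {
    wan=$1; lan=$2; gateway=${3:-yes}
    if [ -z "$wan" ] || [ -z "$lan" ]; then
        echo "gen_rules: WAN and LAN interfaces must both be set" >&2
        return 1
    fi
    if [ "$wan" = "$lan" ]; then
        echo "gen_rules: WAN and LAN must be different interfaces" >&2
        return 1
    fi
    # Delete the currently loaded rules, then default-deny inbound and
    # forwarded traffic. Nothing unsolicited is accepted on the WAN side,
    # which is what the external test later in the text should confirm.
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Gateway option: let the LAN out through the WAN and masquerade it
    # behind the WAN address; replies are allowed back in by state.
    if [ "$gateway" = yes ]; then
        cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
    fi
}

case "${1:-}" in
    print)
        gen_rules "$(read_iface WAN "$CONF")" "$(read_iface LAN "$CONF")" "${GATEWAY:-yes}"
        ;;
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply must be run as root" >&2; exit 1; }
        gen_rules "$(read_iface WAN "$CONF")" "$(read_iface LAN "$CONF")" "${GATEWAY:-yes}" | sh -e
        ;;
esac
```

Run it with "print" first and read the output against your interface assignment before running "apply"; afterwards save the rules and enable iptables on boot with the system commands above so the ruleset survives a restart.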
After this, check that the firewall is actually running.
- See if you can reach the WAN/internet from a machine other than the firewall server. This only works if a computer within your LAN knows that the firewall server is its gateway: if you use DHCP, configure the DHCP server to hand out the FireLance server's LAN address as the gateway; otherwise set the gateway on each statically addressed machine to the FireLance server's LAN address.
- Access the FireLance server from its external interface to see whether you can connect. If you can log on to a machine somewhere outside, try to get back in using a well-known service at the specific IP of the external interface. If this is not possible, use the excellent ShieldsUp service (at www.grc.com) to probe your server from outside. DO NOT test by connecting from inside your LAN to the internal interface; that will probably be allowed even with the firewall running properly. You must connect from outside for a real test.