Copyright © 2002 Harry Goldschmitt
IPCop is distributed under the terms of the GNU General Public License.
This software is supplied AS IS. IPCop disclaims all warranties, expressed or implied, including, without limitation, the warranties of merchantability and of fitness for any purpose. IPCop assumes no liability for damages, direct or consequential, which may result from the use of this software.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
| Revision | Date | Author | Notes |
|---|---|---|---|
| 1.1 | 20 December 2002 | hg | Rel 0.1.2 changes, including restore during install. |
| 1.0 | 01 January 2002 | hg | Original version. |
Table of Contents
IPCop Linux is a complete Linux distribution whose sole purpose is to protect the network it is installed on. By combining existing, proven technology, outstanding new technology and secure programming practices, IPCop is the Linux distribution for those who want to keep their computers and networks safe and sound.
IPCop is open source and is distributed under the GNU General Public License. In addition to the many obvious advantages of open source, the availability of the source lets security experts worldwide audit the code and fix security holes.
It will run on older “rescued” PCs retrieved from the junk heap. For IPCop's hardware requirements, see the IPCop Hardware Compatibility List.
A secure, stable and highly configurable Linux based firewall
A web server and pages for easy administration of the firewall
A DHCP client that allows IPCop to, optionally, obtain its IP address from your ISP
A DHCP server that can help configure machines on your internal network
An intrusion detection system to detect external attacks on your network
The ability to partition your network into a GREEN, safe, network protected from the Internet, and a DMZ or ORANGE network containing publicly accessible servers, partially protected from the Internet
A VPN that allows you to connect your internal network to another network across the Internet, forming a single logical network
You will be installing an operating system on the IPCop PC. It is a Linux based operating system, but it is not meant to be a general-purpose system. The firewall design removes as many features from the system as possible: every extra program running on the firewall is another place an attacker can probe. Do not expect facilities like sendmail or FTP daemons to be present. They are not needed on a firewall and may contain holes that are known to malicious users.
Although these instructions will appear to be long and often detailed, take heart. Once you've figured out what you want to do and have obtained your current configuration parameters, installing IPCop will take as little as fifteen minutes.
You will have to boot from the installation media or a floppy. The installation media is distributed as an ISO file. If you have a CD burner, you will probably want to create a bootable CD from the ISO file. If you cannot burn a CD, you will have to place files from the ISO image on a web or FTP server. If the IPCop PC cannot boot from CD, you will have to create a bootable floppy.
CAUTION: When you install IPCop on a PC, the hard drive will be formatted and all data on it will be lost.
IPCop defines up to three network interfaces, RED, GREEN and ORANGE.
RED is the untrusted side: your connection to the Internet, reached either through an Ethernet NIC or through a modem (see the Network Configuration Types, below).
GREEN connects only to the computer(s) that IPCop is protecting. It is presumed to be local and trusted. Traffic to it is routed through an Ethernet NIC in the IPCop PC.
ORANGE is optional and lets you place publicly accessible servers on a separate network, the DMZ. Computers on this network cannot reach the GREEN network except through tightly controlled “DMZ pinholes”, so a compromised public server does not give an attacker a direct path to your internal machines. Traffic to this network is routed through an Ethernet NIC, which must be a different NIC from the GREEN one.
Two combinations are allowed in IPCop. GREEN + RED is the typical combination for homes and small offices. GREEN + ORANGE + RED is only needed when you want to run publicly accessible servers. Decide which combination you want for your site.
Since the RED interface can connect either by modem or by Ethernet, there are four Network Configuration Types:
How are you currently connecting to the Internet, today?
If you are connected through an external modem or router, you probably will be connected via an Ethernet network interface card or NIC. In any case, a similar card must be in your IPCop PC. If you are connected via an internal analog modem, ISDN modem, or ADSL USB modem, this must be moved to the IPCop PC.
This hardware will be used for your RED network interface.
Write down some key parameters from your current interface.
Check how you currently obtain your IP address: static, DHCP, PPPoE or PPTP.
If you obtain your IP address via DHCP, check whether your system provides a hostname to your ISP's DHCP server; see Checking Your DHCP Host Name, below.
Check what your name servers' addresses are. Your ISP's DHCP server may provide the addresses automatically, or you may need to enter them manually.
If your ISP supplies a domain name suffix, note it. It lets you refer to hosts such as mail or news without typing the full host name; see the discussion of the DHCP server setup, below.
If you don't know whether your ISP requires a host name, or you don't know what it is, check the paperwork that came with your ISP's installation kit or call their support center for help. Failing that, enter:
$ ifconfig -a
on a *nix platform and note the IP address of eth0. On Windows 95, 98, ME, etc. the command is
C:\> winipcfg
entered from the command prompt. On Windows NT and Windows 2000, the command is
C:\> ipconfig /all
In any case, write down your IP address and then issue an
$ nslookup nnn.nnn.nnn.nnn
command, where nnn.nnn.nnn.nnn is your IP address. If you get a response, write down the full host name you receive. The part before the first dot may be your DHCP hostname; the remainder is the domain name suffix you may later use when configuring IPCop's DHCP server.
Decide what your GREEN, or local, network address range will be. This is not the IP address provided by your ISP. Addresses on this interface never appear on the Internet: IPCop uses network address translation (masquerading, sometimes called Port Address Translation, PAT) to hide your GREEN machines from outside eyes. To make sure there are no IP address conflicts with hosts on the Internet, choose one of the address ranges defined in RFC 1918 as private (non-routable). There are over 65,000 of these network address ranges to choose from; for a list, see Appendix A. The easiest network to pick is 192.168.1.xxx, which lets IPCop handle over 250 computers. Routers and firewalls are typically placed at the top or bottom of the address range, so we suggest 192.168.1.1 for your GREEN network interface. IPCop will automatically set your network mask based on your IP address, but you can modify it if you need to. If your RED interface also carries a private address (the PPTP case, below, commonly uses 10.0.0.150 with a 255.255.255.0 mask), make sure the GREEN range does not overlap it, or IPCop will not be able to route between the two.
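The checks above can be applied mechanically before you sit down at the installer. The following is an added example, not IPCop's own code: it verifies that a candidate GREEN address lies inside one of the RFC 1918 ranges, that it is a usable host address, and that the resulting GREEN network does not overlap the RED network. The classful rule in default_prefix (first octet below 128 gives /8, below 192 gives /16, otherwise /24) is an assumption about how the installer guesses the mask from the address; override it with an explicit prefix if your setup differs.

```python
import ipaddress

# The three private ranges from RFC 1918 that the text tells you to choose from.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def default_prefix(address):
    """Classful prefix length for ADDRESS.

    Assumption: the installer derives its default mask from the address by the
    classic class A/B/C rule. Pass an explicit prefix to plan_green() if not.
    """
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def plan_green(address, prefix=None, red_network=None):
    """Validate a candidate GREEN interface address.

    Returns (network, problems): the GREEN network as an IPv4Network and a
    list of human-readable problems, empty when the plan is sound.
    red_network, if given, is the RED side's network in CIDR form.
    """
    addr = ipaddress.IPv4Address(address)
    if prefix is None:
        prefix = default_prefix(address)
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    problems = []
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 private range")
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    if red_network is not None:
        red = ipaddress.ip_network(red_network, strict=False)
        if net.overlaps(red):
            problems.append(f"GREEN {net} overlaps RED {red}; "
                            "IPCop cannot route between them")
    return net, problems


def usable_hosts(net):
    """Addresses left for GREEN machines: the network and broadcast addresses
    are unusable and IPCop itself takes one."""
    return net.num_addresses - 3


if __name__ == "__main__":
    # The text's suggested GREEN address, checked against the PPTP RED network.
    green, issues = plan_green("192.168.1.1", red_network="10.0.0.0/24")
    print(green, usable_hosts(green), "host addresses", issues or "OK")
    # A tempting but bad choice: GREEN inside the same /24 as the PPTP modem.
    print(plan_green("10.0.0.1", prefix=24, red_network="10.0.0.0/24")[1])
```

Run it with a GREEN address and the RED network you recorded earlier; an empty problem list means the two networks will coexist.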
Although IPCop will automatically probe your machine for NICs, it may be necessary to enter an individual NIC's configuration parameters during installation. In this case the type, IO address and IRQ number will be needed. The easiest way to configure the cards or determine this information is via a program on the floppy disk that comes with the NIC. Alternatively, check the manufacturer's web site.
If you have an internal ISDN modem, IPCop will automatically probe it, too. Again, if IPCop can't determine the modem information, you will need to know the type, IO address and IRQ number of your modem. The easiest way to configure the modem or determine this information is via a program on the floppy disk that came with the card. Alternatively, check the manufacturer's web site. In addition, you will have to know the country and protocol of the connection, as well as the local phone number for your modem.
If you have an ADSL USB modem, IPCop will probe for the type of USB controller. If this fails, you will need to know the controller type.
Obtain the IPCop PC. Check the IPCop Hardware Compatibility List to verify the PC you are planning to use will support IPCop.
Insert any additional network cards needed for your configuration in the IPCop PC. You will need an Ethernet NIC for the GREEN interface. If you decide on an ORANGE interface, you will need another NIC. If your RED interface is via Ethernet, you will need one Ethernet NIC for that network as well.
Insert the ISDN modem card, if needed.
During the installation process a video monitor will need to be attached to the IPCop PC. IPCop stays in character mode, so almost any monitor will do. The monitor can be removed after the install. In addition, a keyboard will be needed. If your BIOS keyboard test can be disabled, the keyboard can also be removed after the installation.
Set the BIOS parameters so that the target machine will operate, as much as possible, as a stand-alone server. For example:
Turn off the CPU power saver feature; the target computer must wake on all network activity on all NICs and/or modems. It's usually easier and safer to just turn off the power saver features. You can leave the video power saver turned on.
Set the power state to “Always restore power after power failure”. This will guarantee your IPCop PC will power up and reboot after power is restored.
Obtain an ISO image from www.ipcop.org. The size of this image is about 28 megabytes.
There are three possible ways to install IPCop. The following table summarizes the requirements for each.
Table 1.1. Installation methods
| Method | Boot Floppy | Driver Floppy | CD Drive | FTP/Web Server |
|---|---|---|---|---|
| Bootable CD | N | N | Y | N |
| Bootable Floppy with CD | Y | N | Y | N |
| Bootable Floppy with FTP/Web Server | Y | Y | N | Y |
If the IPCop PC has a CD drive and its BIOS can boot from CD, you can use the “Bootable CD” media for the install. The CD drive can be removed after the install.
If the IPCop PC cannot boot from CD, but has both a floppy drive and a CD drive, the “Bootable Floppy With CD” method can be used. Both the floppy drive and the CD drive can be removed after the install. However, if you plan on using IPCop's backup and restore facilities, you will need to keep the floppy drive in the IPCop PC.
Finally, if the IPCop PC has only a floppy drive, or you do not own a CD burner, the “Bootable Floppy with FTP/Web Server” method must be used. Again, the floppy drive can be removed after the install, unless you plan on using IPCop's backup and restore facilities, in which case you will need to keep the floppy drive in the IPCop PC.
If you have a CD burner, use your favorite CD writer package to transfer the ISO image to a CD-ROM. Be aware that the IPCop CD image is a full CD image. In many CD writer software packages, it can be difficult to find the “Burn CD From ISO or Disk Image” option. The option may not be placed under the obvious menu. If you wind up with only one file on the CD, you have not created the CD correctly.
If you don't have a CD writer, have no fear. You can still install IPCop, but you will have to go through some extra work. What has to be done depends upon the hardware and operating systems you have available on other computers.
If you have a Linux or Unix system, you can mount the CD image using the following commands:
# losetup /dev/loop0 /path/to/IPCop/iso
where /path/to/IPCop/iso is the path of the ISO file you downloaded (not your CD-ROM drive). This attaches a “loop back” block device to the IPCop ISO file, so that the file can be treated as if it were a disc.
# mount -r -t iso9660 /dev/loop0 /mnt/cdrom
This mounts the loop device read-only on the *nix file system; the CD-ROM image will appear at /mnt/cdrom. Current Linux kernels also let mount set up the loop device itself, via its loop option, in a single step. NOTE: On most systems you must have root authority, or use the sudo command, to mount file systems.
On Windows, there are several utilities such as ISOBuster and WinImage available on the Internet that can open the ISO image. Download one of them and follow its directions to open the IPCop ISO file.
On Macintosh OS X, Apple's Disk Copy utility will open the ISO image. There does not seem to be a free or public domain utility available to open IPCop's ISO images on Mac systems before OS X. However, many commercial CD-ROM burning programs do have this capability. If you have a CD burner, check the software that came with it.
If your IPCop PC has a CD-ROM, but your BIOS will not allow a CD-ROM boot, you will need to create a floppy boot disk. If your IPCop PC does not have a CD-ROM, you will need to create both the floppy boot disk and the driver floppy disk. Both images reside in the /images directory on the ISO image.
On Linux, Unix and Macintosh OS X systems, creating the floppies can be done from a terminal window with the dd command:
# dd if=/mnt/cdrom/images/boot-0.1.2.img of=/dev/fd0 bs=1k count=1440
Use the same command with if= pointing to the driver disk image to create the driver floppy, if needed.
Two utilities are provided in the /dosutils directory on the CD and its ISO image: rawrite.exe and rawwritewin.exe. rawrite.exe is a DOS command that creates floppies from the .img files in the /images directory. Similarly, rawwritewin.exe is a Windows executable that you can run under Windows to create the floppy disks from the disk images on the CD.
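A floppy written from a truncated download, or onto worn media, fails only later when the IPCop PC refuses to boot from it. The script below is an added example, not from the IPCop distribution: it wraps the dd command above in a size check before writing and a byte-for-byte read-back comparison afterwards. The image path and /dev/fd0 in the usage comment are the same assumptions the dd command above makes.

```sh
#!/bin/sh
# Added example: write a boot or driver floppy image and verify the result.
FLOPPY_BYTES=1474560   # 1440 KiB, exactly what "bs=1k count=1440" writes

# image_ok IMG: succeed only if IMG exists and is exactly one 1.44 MB floppy.
# A short file here means an incomplete download and an unbootable disk.
image_ok() {
    img=$1
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -eq "$FLOPPY_BYTES" ] || {
        echo "$img is $size bytes, expected $FLOPPY_BYTES" >&2; return 1; }
}

# write_floppy IMG DEV: write IMG to DEV, flush, then read DEV back and
# compare it with IMG. Bad media fails the comparison here instead of
# failing at boot time on the IPCop PC.
write_floppy() {
    img=$1
    dev=$2
    image_ok "$img" || return 1
    dd if="$img" of="$dev" bs=1k count=1440 2>/dev/null || return 1
    sync
    dd if="$dev" bs=1k count=1440 2>/dev/null | cmp -s - "$img"
}

# Typical use, with the ISO mounted at /mnt/cdrom as described above
# (assumed paths; run as root):
#   write_floppy /mnt/cdrom/images/boot-0.1.2.img /dev/fd0 && echo "boot floppy OK"
# then repeat with the driver disk image on a second floppy, if you need one.
```

A non-zero exit status from write_floppy means the disk does not contain what the image file does; throw the floppy away and try another rather than hoping it will boot.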
This step is only needed if you are installing from a bootable floppy and an FTP/web server. In the root directory, /, of the ISO image there is a file named ipcop.tgz. This file contains a compressed image of the IPCop hard drive. Copy this file to a machine that is running a web server or FTP server, and put it where the server can find it during the install. During the install, IPCop will log in to your FTP or web server as anonymous. Most servers do not allow anonymous users to access files outside the server's own hierarchy, and a directory that appears at the top level of the server, such as /pub, is really somewhere else on disk, such as /anonftp/pub, so copy the file into the served tree rather than next to it.
If you are creating your private network for the first time, change the IP address of the server machine to be on the private, GREEN, network, using a static address. You only need to do this for the duration of the install.
If your server machine is connected to the Internet, remove the connection and physically connect your IPCop PC and other machines together. See Appendix A, for a discussion of your choices. If you are using 192.168.1.1 for the IPCop PC, 192.168.1.2 is a good address for the server. Set the server up with a static IP address, temporarily. You will need to reboot any Windows PC if you change its IP address.
Verify that the IPCop installation file is available via the FTP command or entering its URL from a browser, even if you have to do it from the server machine. You can cancel the download or close your browser once you are sure the URL works.
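If you do not already run a web server on the staging machine, a small read-only one is enough for the few minutes the install takes. The following is an added example, not part of the IPCop documentation: it serves one directory over HTTP, bound to the static GREEN address the text suggests for the server, and then fetches ipcop.tgz the way the installer will and compares the bytes received with a digest taken from the staged file, so a truncated or wrong copy is caught before you boot the IPCop PC. STAGE_DIR and SERVER_ADDRESS are assumptions; change them to match your staging machine. The server and the IPCop PC should already be on the isolated GREEN network, with the Internet connection removed, as described above.

```python
"""Added example: stage ipcop.tgz on a temporary HTTP server and verify it."""
import hashlib
import http.server
import threading
import urllib.request
from functools import partial
from pathlib import Path

STAGE_DIR = Path("/srv/ipcop")      # assumption: where ipcop.tgz was copied
SERVER_ADDRESS = "192.168.1.2"     # assumption: the server's temporary GREEN address


def sha256_file(path):
    """Digest of the staged file, taken locally before it is served, so that
    verify_download() can tell an intact copy from a damaged or wrong one."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def start_server(directory, bind=SERVER_ADDRESS, port=80):
    """Serve DIRECTORY read-only over HTTP from a background thread.

    The stock handler answers GET and HEAD for files under DIRECTORY only, so
    nothing outside the staging directory is exposed. Returns the server;
    call server.shutdown() once the install has finished.
    """
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=str(directory))
    server = http.server.ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def verify_download(url, expected_sha256):
    """Fetch URL exactly as the installer will and compare what arrives with
    the digest of the staged file. True only for a complete, intact copy;
    a 404, a refused connection or a short read all yield False."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            if resp.status != 200:
                return False
            data = resp.read()
    except OSError:          # URLError and HTTPError are subclasses of OSError
        return False
    return hashlib.sha256(data).hexdigest() == expected_sha256


if __name__ == "__main__":
    expected = sha256_file(STAGE_DIR / "ipcop.tgz")
    server = start_server(STAGE_DIR)
    url = f"http://{SERVER_ADDRESS}/ipcop.tgz"
    print(f"install URL: {url}  verified: {verify_download(url, expected)}")
    try:
        threading.Event().wait()   # keep serving until Ctrl-C
    except KeyboardInterrupt:
        server.shutdown()
```

The URL the script prints is the one to type into the installer's download dialog. Binding to the GREEN address rather than to all interfaces, and serving only the staging directory, keeps the temporary server from offering anything else should the machine be reconnected to the Internet before it is stopped.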
You are now ready to install IPCop.
Even though the IPCop installation steps are very similar, each method of installing IPCop will be discussed separately. If you are not sure of which method to choose, see the discussion in the chapter, above.
Put the IPCop CD in the IPCop PC's CD-ROM drive. If necessary, put the IPCop bootable floppy in the floppy drive. Press the reset button to start the boot sequence. If the IPCop PC does not boot, check the BIOS boot parameters.
Soon the boot up screen, below, will appear. If it does not appear, check that your monitor is connected to the video port on the target machine, is powered on and that you have booted from the CD or floppy drive.

This screen contains a warning that all your existing data will be destroyed.
Press Enter to continue, or eject the IPCop media and reboot to abort the installation.

During boot up many kernel informational messages will scroll by.
These can be ignored unless a hardware problem is detected. If an error is detected, the boot may stop.
After a few seconds, the language selection screen will appear.

At this time only English, German, French and Turkish are available.
Note: On this and all other installation screens, the mouse is ignored. To move the cursor around the screen, use the Tab key and the keyboard arrow keys. To select an item, press the Space key. To accept the language choice, press the Enter key.

The next screen simply informs you of how to abort the installation: “Select Cancel and press the Enter key.”

The next dialog box lets you choose the installation media. Since you are installing from CD-ROM, select it, tab to the Ok button and press the Enter key.

Your final warning appears next.
After you select Ok and press Enter on this screen all of the data on your hard drive will be erased. To abort the installation, select Cancel and press the Enter key.
After this point in the IPCop install, you can still abort the installation by selecting Cancel, but all the data on your hard drive has been erased.
Next IPCop will begin setting up your GREEN (local) network interface. You can allow IPCop to probe your network card and automatically select driver parameters: select the Probe button and press Enter. Alternatively, select the Select button and press Enter to choose a NIC manually or to specify the parameter information you collected from the manufacturer's driver floppy or web page.

If you specify Select, above, the following screen will appear:

Select your GREEN Ethernet NIC from the list.
If you select MANUAL the following screen will appear. Enter the name of the driver module you require. Each driver may need extra parameters; unfortunately, these are driver dependent. The sample below is for an NE 2000 driver, which needs both its IO address, io=, and its IRQ, irq=, specified.

If you specify Probe, above, the following screen will appear:

Your NIC card's manufacturer may not appear. IPCop identifies NICs based on the chip manufacturer, not the card manufacturer. This can be ignored.

IPCop will now configure its internal network address, the GREEN interface.
This is an address on the network discussed in Decide On Your Local Network Address, above. Usually this will be either GREEN address 1, i.e. 192.168.1.1, or GREEN address 254, i.e. 192.168.1.254, although any address on your GREEN network will do. IPCop will automatically set your network mask based on your IP address, but you can modify it if you need to. (When installing from an FTP/web server, this is also the network over which the IPCop installation file is downloaded.)

Next IPCop will install all files it needs to run.

At this point, you have the option of restoring files from an IPCop backup floppy.
To do the restore, place the backup floppy in the floppy disk drive and select Restore and press the Enter key. Otherwise, select Skip and press the Enter key.
At the time of this writing there is no way to create backups of previous versions of IPCop or to restore them. This facility is intended to recover damaged IPCop installations: after setting up IPCop to your satisfaction, take a backup using the web interface. If there is a failure, reinstall IPCop using the procedure you used for the initial installation, insert the backup floppy during the install, and respond Restore to this prompt. The IPCop configuration will be restored.
If you restore from floppy, you will not have to respond to any more dialogs. After the old configuration is restored, the install process will skip to the “Installation Complete” dialog, below.
All of IPCop has now been installed on your hard drive. The following screen will appear. Remove the IPCop CD from your CD drive and, if present, the bootable floppy from the floppy drive. Select Ok to continue.

IPCop will continue with the setup command automatically.
From this point on the Installation process is identical no matter which media was used for the initial boot. Please continue with the Initial Configuration Section, below.
Put the IPCop bootable floppy in the floppy drive. Press the reset button to start the boot sequence. If the IPCop PC does not boot, check the BIOS boot parameters.
Soon the boot up screen below will appear. If it does not appear, check that your monitor is connected to the video port on the target machine, is powered on and that you have booted from the CD or floppy drive.

This screen contains a warning that all your existing data will be destroyed.
Press Enter to continue, or eject the floppy and reboot to abort the installation.

During boot up many kernel informational messages will scroll by.
These can be ignored unless a hardware problem is detected. If an error is detected, the boot may stop.

At this time only English, French, German and Turkish are available.
Note: On this and all other installation screens, the mouse is ignored. To move the cursor around the screen, use the tab key and the keyboard arrow keys. To select an item, press the Space key. To accept the language choice, press the Enter key.

The next screen simply informs you of how to abort the installation: “Select Cancel and press the Enter key.”

The next dialog box lets you choose the installation media. Since you are installing from HTTP, select it, tab to the Ok button and press the Enter key.

IPCop will ask you to replace the boot floppy with the driver floppy, created above.
Please do so. Then select Ok .

Your final warning appears next.
After you select Ok and press Enter on this screen all of the data on your hard drive will be erased. To abort the installation, select Cancel and press the Enter key.
After this point in the IPCop install, you can still abort the installation by selecting Cancel, but all the data on your hard drive has been erased.
Next IPCop will begin setting up your GREEN (local) network interface. You can allow IPCop to probe your network card and automatically select driver parameters: select the Probe button and press Enter. Alternatively, select the Select button and press Enter to choose a NIC manually or to specify the parameter information you collected from the manufacturer's driver floppy or web page.

If you specify Select, above, the following screen will appear:

Select your GREEN Ethernet NIC from the list.
If you select MANUAL the following screen will appear. Enter the name of the driver module you require. Each driver may need extra parameters; unfortunately, these are driver dependent. The sample below is for an NE 2000 driver, which needs both its IO address, io=, and its IRQ, irq=, specified.

If you specify Probe, above, the following screen will appear:

Your NIC card's manufacturer may not appear. IPCop identifies NICs based on the chip manufacturer, not the card manufacturer. This can be ignored.

IPCop will now configure its internal network address, the GREEN interface.
This is an address on the network discussed in Decide On Your Local Network Address, above. Usually this will be either GREEN address 1, i.e. 192.168.1.1, or GREEN address 254, i.e. 192.168.1.254, although any address on your GREEN network will do. IPCop will automatically set your network mask based on your IP address, but you can modify it if you need to. This network will be used to locate and download the IPCop installation file from your web or FTP server, so the server must be reachable on it.

The IPCop installation will now ask for a URL to use to download the ipcop.tgz file you placed on your web or FTP server earlier.
Enter ftp or http depending on the server, and use the IP address of your server. For example: ftp://192.168.1.2/pub/ipcop.tgz

IPCop will download the file it needs to finish installation.

Next IPCop will install all files it needs to run.

At this point, you have the option of restoring files from an IPCop backup floppy.
To do the restore, place the backup floppy in the floppy disk drive and select Restore and press the Enter key. Otherwise, select Skip and press the Enter key.
At the time of this writing there is no way to create backups of previous versions of IPCop or to restore them. This facility is intended to recover damaged IPCop installations: after setting up IPCop to your satisfaction, take a backup using the web interface. If there is a failure, reinstall IPCop using the procedure you used for the initial installation, insert the backup floppy during the install, and respond Restore to this prompt. The IPCop configuration will be restored.
If you restore from floppy, you will not have to respond to any more dialogs. After the old configuration is restored, the install process will skip to the “Installation Complete” dialog, below.

IPCop will continue with the setup command automatically.
From this point on the Installation process is identical no matter which media was used for the initial boot. Please continue with the Initial Configuration Section, below.
For all install media IPCop will automatically continue with its installation, by setting up its initial configuration.

The first screen allows you to configure your keyboard.

The next screen, above, asks for your time zone.
Many people leave the time zone as London or UTC. This allows you to leave your PC's hardware clock set to the local time. There is a disadvantage to this setting: if your local time zone changes between Winter and Summer time, or between Daylight Saving and Standard time, you will have to remember to change the IPCop PC's clock manually. If you set the time zone to your correct time zone, IPCop will change the time for you automatically.

You must then configure your IPCop machine's hostname.
The default of “ipcop” is fine. You may want to change this if you are planning on setting up a VPN and allowing administration across your VPN. In this case you may want to give each IPCop machine a unique hostname, such as ipcop1, ipcop2, millie, steve, bob, etc.

IPCop will continue with the setup command automatically.
The next screen starts a series of dialogs that will help you set up your ISDN card. If you do not have an ISDN card, select Disable ISDN, and setup will continue with USB ADSL modem setup.

If you do have an ISDN modem, select the protocol and country.

After setting protocol and country, you may need to set driver parameters for your card, especially if it's an ISA card. If so, select Set additional module parameters.

Next you must select the type of ISDN card you have.
IPCop will probe for the card type, if you select AUTODETECT. If necessary, you can manually select the card you have.

The final step in setting up your ISDN card is setting its local phone number.

You can select your USB connected ADSL modem on the screen below.
If you do not have one, select Disable USB ADSL and setup will continue with your network configuration, below.

The only step you need to take in setting up your USB connected ADSL controller is to select the type of controller. IPCop as usual will try to detect the correct controller, but if it can't, you will have to select it yourself.

As mentioned, above, there are three network interfaces supported by IPCop, RED, ORANGE and GREEN.
The RED interface is considered the hostile network and can connect via Ethernet, ISDN, analog or ADSL modem. This dialog lets you choose your network configuration type.
When you select Ok, you will be returned to the Network Configuration Menu, above. Tab to the Drivers and card assignments line, select it and press the Enter key.
If your RED interface uses an Ethernet connection, configuration is identical to the way you configured your GREEN interface, above.
If your RED interface does not use an Ethernet connection, skip to the discussion about configuring your ORANGE network interface.
After configuring your Ethernet card and driver information for the RED interface, return to the Network Configuration Menu by selecting the Done button.

Next, select the Address settings menu item to configure the way your interface gets its IP address information. This is dependent on your ISP and connection.
Static addressing is used when your ISP has supplied you with a permanent IP address. Enter it in the IP address box of the dialog. IPCop will automatically choose a Network mask. You may modify the network mask as needed.
DHCP is used when your ISP has indicated you are to use automatic addressing.
Some ISPs require you to provide a hostname to their DHCP server. This is probably not IPCop's hostname. If it's needed, you can probably use the first part of the fully qualified domain name you noted while gathering the network parameters, above.
If your connection is via PPPoE, your ISP will supply all necessary information during the initial connection, so you won't have to do anything after selecting it.
If your connection is via PPTP, you will have to supply your RED network IP address and Network mask, just like the static addressing case. This address is almost always 10.0.0.150 with a network mask of 255.255.255.0.
You may choose to configure an ORANGE interface. Its configuration is identical to the way you configured your GREEN interface, above.
You can even reconfigure your GREEN interface at this time, by selecting it from the interface menu.
When you are done, select the Ok button, to return to the Network Configuration Menu.

The next item in the Network Configuration Menu allows you to configure your ISP's DNS servers and your default gateway. You will only need to use this dialog if you are using a static IP address configuration for your RED interface.

If you are planning to run a DHCP server on IPCop you can configure it at this time. Otherwise, do not enable the server, and continue with setting passwords, below.
Dynamic Host Configuration Protocol allows computers to configure their network interfaces when they are booted.
You can delay setting up IPCop's DHCP server until after the installation completes. See the Administration Manual for a description of the web based method of enabling and configuring the DHCP server.
You must select Enabled to enable the DHCP server.
The Start and End addresses define the range of addresses that IPCop's DHCP server will hand out to computers that ask for one. Do not use your full network range for DHCP; at a minimum leave out IPCop's own address. As a practical matter, at some future point you may wish to run servers that are only accessible from within your GREEN network, whether FTP servers, web servers, sendmail or any other service that needs a permanent address. Such servers should be assigned IP addresses outside the dynamic DHCP range. A good range might be 192.168.1.200 to 192.168.1.250. This allows 51 concurrently connected DHCP clients on your GREEN network.
DHCP will pass out one or two DNS server addresses in addition to IP addresses. If you wish to run IPCop's DNS proxy, the first should be IPCop's IP address. You can enter a second DNS address as well. If you do not want to use IPCop's DNS proxy and are using Static IP addresses, use the DNS servers you specified while setting up your RED interface.
DHCP works by handing out leases on dynamic addresses that expire after a set time. Default lease time is the lease length, in minutes, that the server grants to a client that does not ask for a specific duration; Maximum lease time is the longest lease it will grant to a client that asks for more. A client normally tries to renew its lease partway through the lease period; if it cannot renew before the lease expires, it must stop using the address and request a new one, and the server is then free to hand that address to another client.
Finally, the Domain name suffix lets you give clients a suffix that their resolvers append to unqualified names. Many ISPs set up a domain name suffix and then tell users to enter “mail”, “news” or “www” to reach services. What really happens under the hood is that the client's resolver tries the short name with the suffix appended, i.e. “mail.xxx.yyy.zzz.com”, when “mail” on its own cannot be found. To make life easier, you may wish to enter this suffix on the Domain name suffix line.
Unfortunately, space does not permit enough room on this line for some domain name suffixes. Please check the Administration Manual for another way to specify the suffix, which allows for a virtually unlimited length domain name suffix.
When you are done with the DHCP server configuration select the Ok button.
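A small checker for the DHCP plan described above, added here as an example and not part of the IPCop installer or manual. It applies the rules just given: the dynamic range must lie inside the GREEN network, must leave out IPCop's own address (and the network and broadcast addresses), servers with permanent addresses must sit outside the range, and the maximum lease time must not be shorter than the default. All addresses are constructed sample values.

```python
"""Sanity-check a planned IPCop GREEN DHCP range (added example)."""
import ipaddress
from typing import Iterable, List


def lease_count(start: str, end: str) -> int:
    """Number of addresses in the inclusive Start..End range."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def check_dhcp_plan(green_ip: str, green_mask: str, start: str, end: str,
                    static_hosts: Iterable[str] = (),
                    default_lease: int = 60, max_lease: int = 120) -> List[str]:
    """Return a list of problems found; an empty list means the plan is sound.

    Lease times are in minutes, as on the installer's DHCP screen.
    """
    problems: List[str] = []
    # The installer takes a dotted mask; IPv4Interface accepts "addr/mask".
    iface = ipaddress.IPv4Interface(f"{green_ip}/{green_mask}")
    net = iface.network
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)

    if first > last:
        problems.append(f"start {first} comes after end {last}")
        return problems
    if first not in net or last not in net:
        problems.append(f"range {first}-{last} is not inside GREEN network {net}")
        return problems
    # Never hand out IPCop's own address, the network or the broadcast address.
    if first <= iface.ip <= last:
        problems.append(f"range includes IPCop's own address {iface.ip}")
    if first == net.network_address:
        problems.append(f"range starts at the network address {first}")
    if last == net.broadcast_address:
        problems.append(f"range ends at the broadcast address {last}")
    # Servers that need a permanent address must be on GREEN but outside the range.
    for host in static_hosts:
        addr = ipaddress.IPv4Address(host)
        if addr not in net:
            problems.append(f"server {addr} is not on GREEN network {net}")
        elif first <= addr <= last:
            problems.append(f"server {addr} lies inside the dynamic range")
    if max_lease < default_lease:
        problems.append(f"maximum lease {max_lease} min is shorter than default {default_lease} min")
    return problems


if __name__ == "__main__":
    # Constructed plan: the suggested range on a 192.168.1.0/24 GREEN network.
    plan = ("192.168.1.1", "255.255.255.0", "192.168.1.200", "192.168.1.250")
    print(lease_count(plan[2], plan[3]), "leases")  # 51
    print(check_dhcp_plan(*plan, static_hosts=["192.168.1.10"]) or "plan OK")
    # A plan that hands out the whole network, including IPCop itself.
    for p in check_dhcp_plan("192.168.1.1", "255.255.255.0",
                             "192.168.1.1", "192.168.1.254",
                             static_hosts=["192.168.1.10"]):
        print("problem:", p)
```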

The next steps will set up your root, setup and web administrator passwords.
If you are familiar with Linux you may wish to do maintenance on IPCop. There are only two Linux user ids that are allowed to log on to the firewall: root and setup. Enter the root password twice. Be careful, the root userid has the “keys to the kingdom” of your firewall. If someone gets its password they can cause all sorts of mischief. By default root is only allowed to log in via the console, though.

Next you will be prompted for your setup user id password.
This user id will immediately start running the setup command. When the setup command completes the user will be logged out. Again, be careful of this password. The setup user and command are very powerful.

Finally, you will be prompted for your web admin password.
The IPCop web pages will prompt you for this user ID and password when you use the IPCop web pages to administer IPCop. Unlike root and setup user passwords, web browsers do not handle special characters in passwords very well. Limit your admin password to upper and lower case alphanumeric characters.

Congratulations!
You've completed your IPCop installation. Press Ok to reboot. After reboot is complete, you will undoubtedly need to perform some administrative tasks to complete your setup. For a complete description of how to administer IPCop, please check the Administration Manual.
Make sure you can access IPCop via a web browser. IPCop moves selected ports away from their standard numbers so that you can forward the well-known ports to real servers on your ORANGE network. The following examples assume you have set your GREEN network interface to 192.168.1.1. If not substitute the correct IP address. Verify that you can ping IPCop from a GREEN network machine. On Windows enter:
C:\> ping 192.168.1.1
On *nix and Macintosh OS X enter:
$ ping -n 192.168.1.1
IPCop's DNS proxy has not yet been enabled from its administration pages, so the ping command, above, deliberately stops ping from attempting to look up the fully qualified host name of the IPCop PC.
If ping works attempt to access your IPCop by opening a web browser to URL:
You should try the HTTPS, secure http port, next by attempting to access URL:
When you are satisfied with your IPCop installation, you can remove extra hardware on the IPCop PC: your video monitor and CD drive. You will probably want to leave your floppy disk drive in for backup purposes. If your BIOS permits, you can turn off keyboard detection and remove the keyboard, too.
If you remove the CD drive and/or floppy disk drive, remember to change your BIOS settings so the IPCop PC boots from its hard drive, first.
More complete tutorials of home networking can be found on the web. A good place to start looking is the Linux Documentation Project Network Administrators Guide.
IPCop requires Ethernet connections for your GREEN and optionally your ORANGE network interfaces. This appendix will cover simple wiring and IP addressing well enough to get you through your IPCop installation.
Unless you wind up with very old Ethernet cards, your Network Interface Cards or NICs will probably support one or two speeds on the network, 10 megabit, 10BaseT, or 100 megabit, 100BaseT. You can recognize these cards by the square connector on the back, called an RJ45 connector. If your cards have a different connector, check your manufacturer's web site.
Unless you have a very fast leased line connection to the Internet, 10BaseT cards will do for your NICs. Cable modems only transfer at 3 Megabits/sec. ADSL modems cannot go faster than 8 Megabits/sec.
You will be connecting the computers on your GREEN network to the IPCop computer on IPCop's internal GREEN NIC. If you have an ORANGE network, the ORANGE network computers will be connected to IPCop on its internal ORANGE NIC.
If there is only one computer on your network, all you will need is a single category 5 crossover cable. You can recognize a crossover cable by holding the transparent RJ45 connectors at each end next to each other. If the wires in the connector attach to different pins at either end of the cable, you have a crossover cable. Otherwise you have a straight through cable.
Connect IPCop and your computer to each other with the crossover cable. You have just set up your simple network.
If you have more than the IPCop and a single computer on the same network, you will need to add another piece of hardware called a hub or a switch. Ethernet delivers each packet to every computer on the network through a single port, so all the computers on that network have to be able to see each other's packets and send packets to one another.
If you have a hub or a switch, you will have to plug each computer on a network into the hub or switch via a straight through category 5 cable. Make sure each cable is a straight through cable by holding the transparent RJ45 connectors at each end of the cable next to each other. If the wires at each end attach to the same pins, you have a straight through cable.
An IP address consists of four numbers, ranging from 0 to 255, connected with dots, i.e. 192.168.1.1. This format is called a dotted IP address. Each computer on your networks needs a different IP address. IPCop needs two or three different IP addresses.
An IP network consists of two or more computers with IP addresses in the same range. The network mask determines the ranges. Even though they are not mandatory any more, there are several default network masks based on the first number in the dotted IP address.
Class A networks' first numbers range from 1 to 126 (127 is special). These networks, with their default network mask of 255.0.0.0, allow over 16 million computers to be on the same network. Computers on the 4.x.y.z network are all on the same network, while computers on the 5.x.y.z network are on a different class A network. The IP address x.0.0.0 designates the entire network and the IP address x.255.255.255 designates a broadcast to every computer on the network.
Class B networks' first numbers range from 128 to 191. These networks, with their default network mask of 255.255.0.0, allow over 65 thousand computers to be on the same network. Computers on the 190.4.y.z network are all on the same network, while computers on the 190.5.y.z network are on a different class B network. The IP address x.y.0.0 designates the entire network and the IP address x.y.255.255 designates a broadcast to every computer on the network.
Class C networks' first numbers range from 192 to 203. These networks, with their default network mask of 255.255.255.0, allow over 250 computers to be on the same network. Computers on the 193.4.5.z network are all on the same network, while computers on the 193.4.6.z network are on a different class C network. The IP address x.y.z.0 designates the entire network and the IP address x.y.z.255 designates a broadcast to every computer on the network.
Why should you care about this?
The powers that be have designated several IP address ranges as private in RFC1918. If packets addressed to or from one of these ranges leak out onto the Internet they will be discarded.
One of IPCop's features is Port Address Translation or PAT. Using this technique any conversations over the Internet will appear to originate from IPCop's RED network address. To help shield your GREEN and ORANGE networks from malicious users, you should use private address ranges for your network(s). Remember, your GREEN and ORANGE networks must have different network addresses.
The private address ranges are:
10.0.0.0 - A class A network. You can conceivably have over 16 million computers on this network.
172.16.0.0 through 172.31.0.0 - 16 class B networks. You can conceivably have over 64 thousand computers on each network.
192.168.0.0 through 192.168.255.0 - 256 class C networks. You can conceivably have over 250 computers on each network.
You can, if you wish, subdivide each network using a custom network mask. For example, if you wish to keep both your GREEN and ORANGE networks in the same private range, and you don't expect to ever need 32 thousand computers, you can use 172.16.0.0 with a network mask of 255.255.128.0 as your GREEN network and 172.16.128.0 with the same network mask as your ORANGE network. You will still have the ability to have over 32 thousand computers on each network.
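The addressing rules of this appendix worked through with Python's standard ipaddress module, added here as an example and not part of the IPCop manual: network and broadcast addresses and host counts for an address and mask, the RFC1918 private-range test, the "same network?" question, the rule that GREEN and ORANGE must not overlap, and the 172.16.0.0 / 255.255.128.0 subdivision. Sample addresses are constructed.

```python
"""IP addressing helpers for planning IPCop networks (added example)."""
import ipaddress
from typing import Dict, List

# The three RFC1918 private ranges listed above, in prefix notation.
PRIVATE_RANGES = [
    ipaddress.IPv4Network("10.0.0.0/8"),       # one class A network
    ipaddress.IPv4Network("172.16.0.0/12"),    # 16 class B networks
    ipaddress.IPv4Network("192.168.0.0/16"),   # 256 class C networks
]


def describe(address: str, mask: str) -> Dict[str, object]:
    """Network, broadcast, usable host count and privacy for address/mask."""
    net = ipaddress.IPv4Interface(f"{address}/{mask}").network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        # The network and broadcast addresses cannot be given to hosts.
        "usable_hosts": max(net.num_addresses - 2, 0),
        "private": any(net.subnet_of(r) for r in PRIVATE_RANGES),
    }


def same_network(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both computers share the network selected by mask."""
    net_a = ipaddress.IPv4Interface(f"{addr_a}/{mask}").network
    net_b = ipaddress.IPv4Interface(f"{addr_b}/{mask}").network
    return net_a == net_b


def networks_are_separate(green_ip: str, green_mask: str,
                          orange_ip: str, orange_mask: str) -> bool:
    """GREEN and ORANGE must have different, non-overlapping network addresses."""
    green = ipaddress.IPv4Interface(f"{green_ip}/{green_mask}").network
    orange = ipaddress.IPv4Interface(f"{orange_ip}/{orange_mask}").network
    return not green.overlaps(orange)


def split_range(network: str, mask: str, new_mask: str) -> List[str]:
    """Divide a network into equal subnets using a longer custom mask."""
    base = ipaddress.IPv4Network(f"{network}/{mask}")
    new_prefix = ipaddress.IPv4Network(f"0.0.0.0/{new_mask}").prefixlen
    return [str(s) for s in base.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(describe("192.168.1.1", "255.255.255.0"))
    print(same_network("4.1.2.3", "4.200.9.9", "255.0.0.0"))      # True
    print(same_network("193.4.5.1", "193.4.6.1", "255.255.255.0"))  # False
    # The GREEN/ORANGE split from the text: two /17 halves of 172.16.0.0/16.
    print(split_range("172.16.0.0", "255.255.0.0", "255.255.128.0"))
    print(networks_are_separate("172.16.0.1", "255.255.128.0",
                                "172.16.128.1", "255.255.128.0"))  # True
```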
During the install there are two hidden console screens that can be used for debugging. The screen you normally see during installation can be reached by pressing the ALT-F1 key combination.

If you press ALT-F2 you will see detail messages from the Linux commands run during the install.

If you press ALT-F3 you will be at a Linux command prompt.
During the first part of the install, until the full IPCop file system is built, the commands available at this prompt are extremely limited. Type
# help
for a list of shell built-in commands, and
# ls /bin
for a list of individual commands.
Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
The purpose of this License is to make a manual, textbook, or other written document “free” in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.
This License is a kind of “copyleft”, which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.
This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The “Document”, below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as “you”.
A “Modified Version” of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.
A “Secondary Section” is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.
The “Invariant Sections” are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.
The “Cover Texts” are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.
A “Transparent” copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not “Transparent” is called “Opaque”.
Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.
The “Title Page” means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, “Title Page” means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly display copies.
If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:
Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).
State on the Title page the name of the publisher of the Modified Version, as the publisher.
Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
Preserve the section entitled “History”, and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled “History” in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the “History” section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
In any section entitled “Acknowledgements” or “Dedications”, preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
Delete any section entitled “Endorsements”. Such a section may not be included in the Modified Version.
Do not retitle any existing section as “Endorsements” or to conflict in title with any Invariant Section.
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.
You may add a section entitled “Endorsements”, provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.
The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections entitled “History” in the various original documents, forming one section entitled “History”; likewise combine any sections entitled “Acknowledgements”, and any sections entitled “Dedications”. You must delete all sections entitled “Endorsements.”
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an “aggregate”, and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.