2.4. Services AW

2.4.1. Web Proxy Administrative Web Page

This subsection allows you to configure the Web Proxy settings for IPCop. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

To enable this feature, tick the Enable box. The Remote proxy box lets IPCop use your ISP's own web proxy as an upstream proxy; enter the machine name in the format hostname:port. Upstream username and password are the credentials that upstream proxy requires, if it requires any. If you wish to make this a transparent proxy, tick the Transparent box. With a transparent proxy the internal machines do not have to have their browsers configured for a proxy, even though there is one: IPCop silently redirects their outgoing web (port 80) requests through the proxy, which answers from its cache wherever it already holds a copy of the page. If you are not using transparent proxying, configure each browser to use port 800 on the IPCop box as its web proxy. Cache size is the total amount of hard drive space you are willing to devote to the cache. The larger this size, the more pages can be cached.

Note

For privacy reasons, the proxy will not cache pages received via https, or other pages where a username and password are submitted via the URL. Note also that transparent mode only intercepts plain HTTP on port 80; https and any other traffic bypasses the proxy entirely.

Note

Caching can take up a lot of space on your hard drive. If you use a large cache, then the minimum size hard drive listed in the IPCop specs will not be large enough.

Minimum and Maximum object size set the size range of objects that will be cached, in KB. The default is not to cache objects larger than 4096 KB (4 MB). Maximum incoming and outgoing size refer to the largest file allowed in or out through the proxy. Maximum incoming size can be used, for example, to stop people from downloading large files that would slow down your network. The default is not to place any restriction on download size. Bear in mind that these limits only apply to traffic that actually passes through the proxy; in non-transparent mode a machine whose browser is not configured for the proxy is not subject to them. To save any changes, press the Save button.

2.4.2. DHCP Administrative Web Page

This subsection allows you to configure your DHCP settings for IPCop. This is 100% optional so you may safely ignore this section if you do not wish to make use of this feature.

2.4.2.1. Quick Introduction to DHCP

DHCP, or Dynamic Host Configuration Protocol, is a way for network administrators to have their users' PCs configured automatically. It also shields users from having to change network parameters by hand when those parameters change.

Without DHCP, when you add a computer to your network you have to configure several parameters by hand: IP address, netmask, default router and Domain Name Server address(es). If you are running a Windows network you may also want to add your WINS server's IP address. Finally, you may wish to define a “Domain Name Suffix”.

If you are currently connecting to the Internet, without using a firewall, your ISP's DHCP server may be providing these services for you.

Another feature of DHCP is that it allows properly configured “foreign” computers to be plugged into your local network and start using the Internet immediately. Let's say that your daughter comes home from college on vacation with her laptop. Most colleges require their users to use DHCP. With IPCop's DHCP server configured, just plugging her laptop into your network will configure the computer correctly. Without DHCP, someone would have to reconfigure the laptop for use on your network, and then remember to switch it back to DHCP when she leaves.

DHCP works by handing out “leases” on IP addresses. That way, if a friend from out of town plugs his computer into your network, a dynamic address will be assigned. When he goes back home, the address will be recovered and can be used by another computer.

What if you have some machines that are used as internal servers on your network? They need a fixed IP address, so you can always find them. The DHCP AW will allow you to specify machines that will always get the same IP address.

If you are still confused, you may want to read Linux Magazine's “Network Nirvana - How to make Network Configuration as easy as DHCP”.

2.4.2.2. DHCP Server Parameters

Start Address .  Sets the starting address of the DHCP IP address range from which you wish the DHCP server to supply dynamic IP addresses. This address range should not contain the IPs of other machines on your LAN with static IP assignments. Suppose you had a network in the 192.168.0.0 range. Assuming all your statically assigned IP addresses were lower than 192.168.0.100, you could use the upper portion of the address range for the dynamic addresses. In this case your Start Address would be 192.168.0.100.

End Address .  Sets the ending address of your DHCP IP address range from which you wish the DHCP server to supply dynamic addresses. As mentioned above, this address range should not contain the IPs of other machines on your LAN with static IP assignments. Using the example above the End Address would be 192.168.0.254.

Primary DNS .  Specifies what the DHCP server should tell its clients to use for their Primary DNS server. Because IPCop runs a DNS proxy, you will probably want to leave the default alone, which sets the Primary DNS server to the IPCop box's own IP address. This shields your machines if your ISP changes its DNS server address.

Secondary DNS .  If you run a local DNS server and want your desktops to use it, set the Secondary DNS to its address.

Default lease time .  This can be left at its default value unless you need to specify your own. The default lease time is the interval for which IP address leases are valid. Before the lease on an address expires, your computers will request a renewal of their lease, specifying their current IP address. If DHCP parameters have been changed, the changes are propagated when a lease renewal request is made. Generally, leases are renewed by the server.

Maximum lease time .  This can be left at its default value unless you need to specify your own value. The maximum lease time is the time interval during which the DHCP server will always honor client renewal requests for their current IP addresses. After the maximum lease time, client IP addresses may be changed by the server. If the dynamic IP address range has changed, the server will hand out an IP address in the new dynamic range.

Domain name suffix .  This parameter is optional. There should not be a leading period in this box. It sets the domain name that the DHCP server will pass to the clients. If a host name cannot be resolved, the client will try again after appending the specified name to the original host name. Many ISPs' DHCP servers set the default domain name to their own network and tell customers to reach the web by entering “www” as the home page in their browser. “www” is not a fully qualified domain name, but the software on your computer appends the domain name suffix supplied by the ISP's DHCP server to it, creating a FQDN for the web server. If you do not want your users to have to unlearn addresses like www, set the Domain name suffix to the same value your ISP's DHCP server specifies.

Wins server address .  This parameter is optional. If you are running a Windows network and have a Windows Internet Name Service (WINS) server, you can put its IP address in this box. The DHCP server will pass this address to all hosts when they get their network parameters.

Enabled .  Enable the DHCP server by ticking the Enabled checkbox. When you press Save, the change is acted upon.

2.4.2.3. Add a new fixed lease

This section allows you to add machines that will always be given the same IP address.

MAC Address .  The six octet/byte colon-separated MAC address of the machine that will be given the fixed lease.

Warning

The format of the MAC address is xx:xx:xx:xx:xx:xx, not xx-xx-xx-xx-xx-xx as some machines show it, e.g. 00:e5:b0:00:02:d2.

IP Address .  The static lease IP address that the DHCP server will always hand out for the associated MAC address. Do not use an address in the server's dynamic address range. Bear in mind that a fixed lease is a convenience, not an access control: a MAC address can be set in software, so any machine presenting that MAC address will receive the lease.

Enabled .  Click on this check box to inform the DHCP server to hand out this static lease. If the entry is not enabled, it will be stored in IPCop's files, but the DHCP server will not issue this lease.
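The rules spelled out across the DHCP Server Parameters and fixed lease fields above (dynamic range inside the Green subnet, no static host or fixed lease inside that range, colon-separated MACs, no leading period on the suffix) can be checked before pressing Save. The following is an added example, not IPCop's own code; the Green address, netmask and the sample leases in the demo at the bottom are constructed to match the 192.168.0.x example in the text.

```python
"""Consistency checks for the DHCP settings described above.

Added example, not IPCop's own code. It applies the rules the text states:
the dynamic range must lie inside the Green subnet and must not contain
IPCop itself or any statically configured host, a fixed lease must not fall
inside the dynamic range, the MAC must be six colon-separated hex bytes, and
the domain name suffix must not start with a period. Sample addresses in the
demo are constructed.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_dhcp(green_ip, netmask, start, end, fixed_leases=(),
               static_hosts=(), suffix=""):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    net = ipaddress.ip_network(f"{green_ip}/{netmask}", strict=False)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    green = ipaddress.ip_address(green_ip)

    if lo > hi:
        problems.append(f"start address {start} is above end address {end}")
    if lo not in net or hi not in net:
        problems.append(f"dynamic range {start}-{end} is not inside {net}")
    if lo <= green <= hi:
        problems.append(f"IPCop's own address {green_ip} is inside the dynamic range")
    for host in static_hosts:
        if lo <= ipaddress.ip_address(host) <= hi:
            problems.append(f"static host {host} is inside the dynamic range")

    seen_macs, seen_ips = set(), set()
    for mac, ip in fixed_leases:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f"MAC {mac!r} must be six colon-separated hex bytes")
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"fixed lease {ip} is not inside {net}")
        elif lo <= addr <= hi:
            problems.append(f"fixed lease {ip} is inside the dynamic range")
        if mac in seen_macs:
            problems.append(f"MAC {mac} has more than one fixed lease")
        if ip in seen_ips:
            problems.append(f"address {ip} is given to more than one MAC")
        seen_macs.add(mac)
        seen_ips.add(ip)

    if suffix.startswith("."):
        problems.append("domain name suffix must not start with a period")
    return problems


if __name__ == "__main__":
    # Constructed sample: dashes in the MAC, a lease inside the dynamic
    # range and a suffix with a leading period, each of which is reported.
    for p in check_dhcp("192.168.0.1", "255.255.255.0",
                        "192.168.0.100", "192.168.0.254",
                        fixed_leases=[("00-e5-b0-00-02-d2", "192.168.0.150")],
                        suffix=".example.lan"):
        print("problem:", p)
```

The check treats the IPCop box's own Green address like any other static host, since handing its address out as a dynamic lease is the one overlap the page's advice does not spell out.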

2.4.2.4. Current Fixed Leases

This section displays current fixed leases and allows editing or deletion of them.

Editing a profile .  To edit an existing profile, click on its Mark check box, then press the Edit button; the fixed lease's values will be displayed in the Add a new fixed lease section of the page, and the lease will have been removed from the fixed lease display. Unless the Save button in the Add a new fixed lease section is pressed, the lease will be lost. Make any necessary changes and press Save.

Removing a Fixed Lease .  To remove an existing profile, click on its Mark check box. Press the Remove button. The lease will be removed.

2.4.2.5. Error messages

The error message area will show any error messages generated by the DHCP server when you press the Save button.

2.4.3. Port Forwarding Administrative Web Page

This subsection allows you to configure the Port Forwarding settings for IPCop. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

Firewalls prevent externally initiated requests from reaching the protected systems. Sometimes, however, this is too strict. If you are running a web server, for example, any request to that server from a user outside the protected network is by definition an external request, which means that only other users on the same internal network can use the web server. That is not the normal situation for web servers: most people want outsiders to be able to reach the server. This is where Port Forwarding and External Access come in. See the External Access Administrative Web Page for more information on External Access.

Port Forwarding is a service which allows limited access to the internal LANs from outside. When you set up your server, you can choose the receiving or “listening” ports on the internal network machines. This is done differently depending on which software is being used. Please refer to the documentation that came with your servers to set up the ports on those servers.

Once those receiving ports are ready, you are ready to enter information into the AW on IPCop. The TCP/UDP drop down list allows you to choose which protocol this rule will follow. Most regular servers use TCP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP. Source port is the port to which the outsiders will connect. In most cases, this will be the standard port for the service which is being offered (80 for web servers, 21 for FTP servers, 25 for mail servers, etc.). Destination IP is the internal IP address of the server (for example, you may have your web server on 192.168.2.3). Destination Port is the port that you chose when you set up your server, as described above. The SourceIP drop down menu allows you to choose which Red IP this rule will affect. IPCop has the capability of handling more than one Red IP. If you only have one Red IP set up, then choose Default IP.

Once you have entered all the information, click the Enabled box and press Add. This will move the rule to the next section, and list it as an active rule.

Current rules lists the rules that are in effect. To remove one, highlight it by checking the Mark box and click the Remove button. To edit one, highlight it by checking the Mark box and click the Edit button.

2.4.4. External Aliases Administrative Web Page

In some cases, your ISP may assign you a range of IP addresses for your network.

If you have multiple IP addresses only so that you can connect multiple non-server computers to the Internet, you will no longer need the extra addresses: IPCop itself connects directly to your modem or the Internet and shares that connection with the machines behind it.

On the other hand, if you are providing a server on one of your internal computers, you may need to use multiple aliases on your RED interface. To use this facility effectively, you may have to adjust IPCop's routing tables by hand.

2.4.5. External Access Administrative Web Page

This subsection allows you to configure the External Access settings for IPCop. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

External Access goes hand in hand with Port Forwarding. Port Forwarding allows any requests to a specific external port to be forwarded to an internal machine. External Access allows restriction as to who may make those requests.

Once Port Forwarding has been set up, you can begin to set up External Access. The TCP/UDP drop down list allows you to choose which protocol this rule will follow. Most regular servers use TCP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP. Use the protocol specified on the Port Forwarding page. Source IP is the IP address of an external machine you give permission to access your internal servers. Many people will leave this blank, which allows any IP address to connect. This is useful if you want your web server to be reachable by anyone in the world. However, some servers are intended only for use by specific people (perhaps a private web server for employees only). In a case like that, list the IP addresses of those who are allowed access in this box, and remember that a source IP filter only identifies where a request comes from; it is no substitute for authentication on the server itself. Destination Port is the external port that they are allowed to access. In most cases, this will be the standard port for the service that you are running. The SourceIP drop down menu allows you to choose which Red IP this rule will affect. IPCop has the capability of handling more than one Red IP. If you only have one Red IP set up, then choose Default IP.

Once you have entered all the information, click the Enabled box and press Add. This will move the rule to the next section, and list it as an active rule.

Current rules lists the rules that are in effect. To remove one, highlight it by checking the Mark box and click the Remove button. To edit one, highlight it by checking the Mark box and click the Edit button.

2.4.6. DMZ Pinholes Administrative Web Page

This subsection allows you to configure the DMZ Pinholes settings for IPCop. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

A DMZ or Demilitarized Zone is a semi-trusted interchange point between the external Red zone and the internal Green zone. The Green zone has all your internal machines. The Red zone is the Internet at large. The DMZ lets you offer servers to the Red zone without giving those in the Red zone undue access to the internal LAN.

For example, suppose that your business has a web server. Certainly you want your customers (those in the Red zone) to be able to access it. But suppose you also want your web server to be able to send customer orders to employees in the Green zone? In a traditional firewall setup this would not work, because the request for access to the Green zone would originate from outside the Green zone. You certainly do not want to give all your customers direct access to the machines on the Green side, so how can this work? By using the DMZ and DMZ pinholes.

DMZ pinholes give machines in the Orange (DMZ) zone limited access to certain ports on Green machines. Because the servers in the Orange zone must have relaxed rules with respect to the Red zone, they are more exposed to attack. Allowing only narrowly defined access from Orange to Green limits what an attacker can reach from a compromised server.

The TCP/UDP drop down list allows you to choose which protocol this rule will follow. Most regular servers use TCP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP. Use the protocol that the service on the Green machine expects. Source IP (labeled in orange) is the IP address of the machine in the Orange zone which you wish to give permission to access your internal servers. The Destination IP is the machine in the Green zone which will receive the request. Destination Port is the port on the Green machine that will be listening for the request.

Once you have entered all the information, click the Enabled box and press Add. This will move the rule to the next section, and list it as an active rule.

Current rules lists the rules that are in effect. To remove one, highlight it by checking the Mark box and click the Remove button. To edit one, highlight it by checking the Mark box and click the Edit button.
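The three pages just described (Port Forwarding, External Access and DMZ Pinholes) each correspond to a familiar kind of netfilter rule, and seeing them side by side makes the relationship between them concrete: a port forward is a DNAT in the nat table, External Access is the matching ACCEPT in the FORWARD chain with or without a source restriction, and a pinhole is one narrow Orange-to-Green ACCEPT on top of a default deny. The following is an added example, not IPCop's own firewall script; the interface names (eth0 for Green, eth1 for Red, eth2 for Orange) and all addresses are assumptions for the example, and IPCop's real rule set uses its own chain names.

```python
"""What Port Forwarding, External Access and DMZ pinholes look like as
generic iptables rules.

Added example, not IPCop's own firewall script. Interface names and the
addresses used below are assumptions for the example; IPCop's real rule
set uses its own chain names.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress
import shlex

GREEN, RED, ORANGE = "eth0", "eth1", "eth2"   # assumed interface names


def _proto(proto: str) -> str:
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, not {proto!r}")
    return proto


def _port(port: int) -> str:
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port {port} out of range")
    return str(int(port))


@dataclass(frozen=True)
class Forward:
    """One row of the Port Forwarding page."""
    proto: str
    src_port: int                  # port outsiders connect to on Red
    dest_ip: str                   # internal server
    dest_port: int                 # port the server actually listens on
    red_ip: Optional[str] = None   # None means "Default IP"


def port_forward(fwd: Forward) -> List[str]:
    """Rewrite the destination of packets arriving on Red (DNAT)."""
    rule = ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", RED, "-p", _proto(fwd.proto)]
    if fwd.red_ip:   # a specific Red alias rather than the default address
        rule += ["-d", str(ipaddress.ip_address(fwd.red_ip))]
    rule += ["--dport", _port(fwd.src_port), "-j", "DNAT", "--to-destination",
             f"{ipaddress.ip_address(fwd.dest_ip)}:{_port(fwd.dest_port)}"]
    return rule


def external_access(fwd: Forward, source_ip: Optional[str] = None) -> List[str]:
    """Let the forwarded packets through FORWARD. The filter runs after the
    DNAT, so it matches the internal address and port. A blank Source IP
    means no -s match at all, i.e. anyone on the Internet."""
    rule = ["iptables", "-A", "FORWARD", "-i", RED, "-p", _proto(fwd.proto)]
    if source_ip:
        rule += ["-s", str(ipaddress.ip_network(source_ip, strict=False))]
    rule += ["-d", str(ipaddress.ip_address(fwd.dest_ip)),
             "--dport", _port(fwd.dest_port), "-j", "ACCEPT"]
    return rule


def dmz_pinhole(proto: str, orange_ip: str, green_ip: str, green_port: int) -> List[str]:
    """One Orange host may reach one port on one Green host; every other
    Orange-to-Green packet falls through to the default DROP."""
    return ["iptables", "-A", "FORWARD", "-i", ORANGE, "-o", GREEN, "-p", _proto(proto),
            "-s", str(ipaddress.ip_address(orange_ip)),
            "-d", str(ipaddress.ip_address(green_ip)),
            "--dport", _port(green_port), "-j", "ACCEPT"]


def render(rule: List[str]) -> str:
    """Shell-safe single line, for review before anything is applied."""
    return " ".join(shlex.quote(x) for x in rule)


if __name__ == "__main__":
    web = Forward("tcp", 80, "192.168.2.3", 8080)        # constructed sample
    for r in (port_forward(web),
              external_access(web),                      # open to the world
              external_access(web, "203.0.113.0/24"),    # one network only
              dmz_pinhole("tcp", "10.0.0.5", "192.168.0.10", 3306)):
        print(render(r))
```

Two things stand out when the rules are written this way: the External Access rule without a source is simply the same ACCEPT with the -s match left out, which is why "blank means anyone" on that page, and the pinhole carries both an -i and a -o so that it cannot be satisfied by Orange traffic headed anywhere but the one Green host.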

2.4.7. DYNDNS Administrative Web Page

This subsection allows you to configure the DYNDNS settings for IPCop. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

For the lucky few, their ISP issues them a static IP address. This is very handy for setting up servers and for entering one's domain name into the Domain Name System (DNS), but for those whose ISP issues a dynamic IP address on each connection (this is done mainly with modem connections), having one's domain name listed in DNS will not work properly. For these people, Dynamic DNS (DYNDNS) services were created.

DYNDNS services work by issuing a domain name to the user and having the user update the current IP address each time it changes. This allows them to have a subdomain name pointing to their computer so that they can run services like a web server, VNC, etc. Because the IP changes each time the user reconnects, keeping the DYNDNS service updated used to be a tedious chore, but that has been simplified by IPCop. By entering the information on the DYNDNS AW, the DYNDNS record will be updated whenever your IP changes. There is also an option to force an update manually. Let's get started.

Add a Host: The first step is to register with one of the many DYNDNS services available on the Internet. Several have been listed in the Service drop down menu. Go to one of those sites and get a username, password and, most importantly, a dynamic domain name. Choose the service from the Service drop down menu. The Behind a proxy check box has to be checked if you are using the no-ip.com service and your IPCop is behind a proxy. This check box has no effect with other services. Enable Wildcards will make all the subdomains of your dynamic DNS hostname point to the same IP as your hostname (e.g. with this check box enabled, www.ipcop.dyndns.org will point to the same IP as ipcop.dyndns.org). This check box has no effect with the no-ip.com service, as they only allow this to be activated or deactivated directly on their website.

Hostname and Domain refer to the hostname and domain you registered with the dynamic DNS service provider. Using the example above, ipcop is the Hostname and dyndns.org is the Domain. Username and Password are the login information you chose when you subscribed to the provider. Once you have entered all the information, click Add to save it. It will now appear in the Current hosts section. If you wish to edit the information, check the Mark box next to the entry you wish to change and then press Edit. Once you have made your changes, you will need to resave by pressing the Save button. There may be times when you want to retain the information for one of your dynamic DNS hostnames but not have it active. To do this, uncheck the Enabled box and again press Save.

You can force IPCop to refresh the information manually by pressing Force Update. However, it is best to only update when the IP address has actually changed, as dynamic DNS service providers do not like to handle updates that make no changes and may treat repeated ones as abuse. Once the hostnames have been enabled and updated the first time, your IP will automatically be updated each time it changes, allowing you to always be able to find your IPCop and your LAN.
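What the update described above actually consists of, and why IPCop only sends it when the address has changed, is easiest to see in a small client. The following is an added example, not IPCop's own update script. It follows the dyndns2 conventions that providers listed on this page publish (the /nic/update path, the hostname, myip and wildcard parameters, HTTP Basic authentication, and one-word replies such as good, nochg, badauth, nohost and abuse); the service host is a parameter, the User-Agent string is made up, and all addresses and credentials are constructed. Sending is injected as a function so the logic runs offline.

```python
"""A minimal dynamic DNS update client, dyndns2 style.

Added example, not IPCop's own update script. Two points from the text are
made explicit: the update only goes out when the Red IP has actually changed
(needless updates are what providers treat as abuse), and the credentials
travel as HTTP Basic auth over https only. Endpoint conventions are dyndns2
as published by providers; addresses, credentials and the User-Agent value
are constructed for the example.
"""
import base64
import urllib.parse
import urllib.request


def basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def build_request(service_host, hostname, username, password, ip, wildcard=False):
    """Build the https GET that tells the provider our current address."""
    params = {"hostname": hostname, "myip": ip, "wildcard": "ON" if wildcard else "OFF"}
    url = f"https://{service_host}/nic/update?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(username, password),
        # Providers require an identifiable User-Agent; this value is made up.
        "User-Agent": "ipcop-doc-example/1.0 admin@example.invalid",
    })


def classify(reply):
    """Map the provider's one-line reply to (ok, code). 'good' and 'nochg'
    are success; 'badauth', 'nohost', 'abuse', '911' and friends are not."""
    code = reply.strip().split(" ", 1)[0]
    return code in ("good", "nochg"), code


def _https_send(req, timeout=20):
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def sync(hostname, username, password, current_ip, last_ip, send=_https_send,
         service_host="members.dyndns.org", wildcard=False, force=False):
    """Return (status, ip_to_remember). Skips the network entirely when the
    address is unchanged unless force is set (the Force Update button)."""
    if current_ip == last_ip and not force:
        return "skipped", last_ip
    req = build_request(service_host, hostname, username, password, current_ip, wildcard)
    ok, code = classify(send(req))
    # Only remember the new address once the provider confirmed it, so a
    # failed update is retried on the next run instead of being forgotten.
    return code, (current_ip if ok else last_ip)


if __name__ == "__main__":
    # Offline demo with a fake transport; constructed addresses.
    def fake_send(req):
        print("would send", req.full_url)
        return "good 203.0.113.7"

    print(sync("ipcop.dyndns.org", "alice", "s3cret", "203.0.113.7", "203.0.113.7", fake_send))
    print(sync("ipcop.dyndns.org", "alice", "s3cret", "203.0.113.7", "198.51.100.2", fake_send))
```

The "remember the address only on success" rule matters more than it looks: if a transient failure were recorded as done, the next run would see no change and never retry, leaving the hostname pointing at a stale address until the IP changed again.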