1.1. Decide On Your Configuration

1.1.1. Network Interfaces

IPCop defines up to three network interfaces, RED, GREEN and ORANGE. GREEN Network Interface

This interface only connects to the computer(s) that IPCop is protecting. It is presumed to be local. Traffic to it is routed though an Ethernet NIC on the IPCop computer firewall. ORANGE Network Interface

This optional network allows you to place publicly accessible servers on a separate network. Computers on this network cannot get to the GREEN network, except through tightly controlled “DMZ pinholes”. Traffic to this network is routed through an Ethernet NIC. The ORANGE NIC must be different from the GREEN NIC. RED Network Interface

This network is the Internet or other untrusted network. IPCop's primary purpose is to protect the GREEN and ORANGE networks and their computers from traffic originating on the RED network. Your current connection method and hardware are used to connect to this network.

1.1.2. Network Configurations

There are two combinations allowed in IPCop. GREEN, RED is the typical network combination specified for home and small offices. GREEN, ORANGE, RED, is only specified when you wish to run publicly accessible servers. You should decide which combination you want for your site.

1.1.3. Network Configuration Types

Since the RED interface can connect either by modem or by Ethernet, there are four Network Configuration Types:

  • GREEN (RED is modem/ISDN)

  • GREEN + ORANGE (RED is modem/ISDN)

  • GREEN + RED (RED is Ethernet)

  • GREEN + ORANGE + RED (RED is Ethernet)

1.1.4. Connecting to the Internet or External Network

How are you currently connecting to the Internet, today?

If you are connected through an external modem or router, you probably will be connected via an Ethernet network interface card or NIC. In any case, a similar card must be in your IPCop PC. If you are connected via an internal analog modem, ISDN modem, or ADSL USB modem, this must be moved to the IPCop PC.

This hardware will be used for your RED network interface.

Write down some key parameters from your current interface.

  • Check how you are currently obtaining your IP address: static, DHCP, PPPOE or PPTP.

  • If you obtain your IP address via DHCP, check to see if your system has a hostname it is providing to your ISP's DHCP server, see Checking Your DHCP Host Name, below.

  • Check what your name servers' addresses are. Your ISP's DHCP server may provide the addresses automatically or you may need to enter them manually.

  • Note any default sub domain addresses specified.

These allow you to specify hosts like mail or news without entering the full host name, see the discussion in DHCP setup, below. Checking Your DHCP Host Name

If you don't know if you ISP requires a host name, or you don't know what it is, check the paperwork that came with your ISPs installation kit or call their support center for help. If that fails, enter:

$ ifconfig -a

on a *nix platform, and look at your eth0 IP address. On Windows 95, 98, ME,etc. the command is


entered from the command prompt. On Windows NT and Windows 2000, the command is

C:\ipconfig /all.

In any case, write down your IP address and then issue an

$ nslookup nnn.nnn.nnn.nnn

command, where nnn.nnn.nnn.nnn is your IP address. If you get a response, write down the full host name you receive. The first part may be your DHCP hostname, the last part may be used to configure IPCop's DHCP server.

1.1.5. Decide On Your Local Network Address

Decide what your GREEN or local network address range will be. This is not the IP address provided by your ISP. Addresses on this interface will never appear on the Internet. IPCop uses a technique called Port Address Translation, PAT, to hide your GREEN machines from outside eyes. To make sure there are no IP address conflicts, it is suggested that you choose one of the address ranges defined in RFC1918 as private (non-routable) addresses. There are over 65,000 of these network address ranges you can choose from. For a list of available network address ranges, please see Appendix A . The easiest network to pick is the 192.168.1.xxx network. This will allow IPCop to handle over 250 computers. Typically routers and firewalls are placed at the top or bottom of the address range, so we suggest that you pick for your GREEN network interface. IPCop will automatically set your network mask based on your IP address, but you can modify it, if you need to.