
7    FireScreen Administration

The FireScreen menus and forms lead you through the process of installing, configuring, and enabling the FireScreen firewall. An Internet Protocol (IP) packet arriving at a gateway is routed by the system's routing daemon to the kernel for forwarding through a particular network interface. FireScreen filters routed packets by inhibiting the kernel IP forwarding functionality based on screening rules stored in its configuration file.

Use the FireScreen Administration menu to perform the following tasks:

Under Security on the Manage Components menu, choose FireScreen to access the FireScreen Administration menu, shown in Figure 7-1.

Figure 7-1:  FireScreen Administration Menu

Note

The AltaVista Firewall and FireScreen software cannot coexist on the same system. If you plan to use the AltaVista Firewall software, do not install FireScreen. The Administration utility will not allow you to install FireScreen if it detects the presence of the AltaVista Firewall software.

See Tuning Compaq Tru64 UNIX for Internet Services for system tuning information that applies to gateways, routers, and systems performing packet filtering (in this case, FireScreen).

7.1    Installing FireScreen

To install FireScreen, follow these steps:

  1. From the FireScreen Administration menu, choose Install FireScreen.

    The FireScreen installation checks that your system meets the following prerequisites:

    If any of the previous prerequisites are not met, the FireScreen installation terminates.

    Although it is not an installation prerequisite, your system's network hardware must be installed before starting FireScreen.

    During FireScreen installation, your system is examined to determine whether a routing daemon (routed or gated) has been configured. If you have not configured a routing daemon before installing FireScreen, you receive a warning message to configure the network hardware and software (Figure 7-2). Run the netconfig utility (recommended) or netsetup utility (releases prior to Tru64 UNIX Version 5.0 only) on the command line to configure your network hardware and software.

    Note

    If the system's routing daemon is running before FireScreen is configured and running, your network is vulnerable to unauthorized access in the interim.

    If you do not have the FireScreen reference pages installed, the FireScreen installation generates a warning message but continues with the installation.

    Figure 7-2 shows the results of the prerequisite-checking phase of the FireScreen installation.

    Figure 7-2:  Checking FireScreen Installation Prerequisites

  2. Click on Install.

  3. At this point in the FireScreen installation, the following startup variables are added to the /etc/rc.config file:

    The FireScreen installation installs a startup script (/sbin/init.d/firescreen) to run the FireScreen daemon when the system boots, and it links /sbin/rc3.d/S11firescreen to /sbin/init.d/firescreen.

    Note

    The FireScreen daemon and the system's routing daemon are started, in that order, when the system boots. This guarantees that no IP packets are forwarded across the gateway before FireScreen starts.

    The /etc/inittab file is modified to set the default screening mode (on).

    Finally, the default FireScreen configuration file, /etc/firescreen.conf, is installed and the FireScreen reference pages are linked (assuming the OSFMANOS reference pages subset is installed).

    The default system configuration file and kernel are displayed.

  4. You can specify a different system configuration file, a different kernel, or both, before proceeding with the installation (Figure 7-3).

    Note

    Modifications that FireScreen makes to your system's kernel configuration file are not preserved when you update the Tru64 UNIX operating system. You must reinstall FireScreen after updating the operating system to replace these modifications and to ensure that the kernel is built with the option required by FireScreen.

    All FireScreen files that had been customized before updating the operating system are saved during the FireScreen installation with the .bck file extension (including the default FireScreen configuration file, /etc/firescreen.conf). To return FireScreen to its original configuration, you must move the saved customization files (with the .bck extension) back to their original file names (without the .bck extension).

    Figure 7-3:  Install FireScreen Form for Specifying the System Configuration File and Kernel

  5. Click on Continue Install.

    At this point in the FireScreen installation, the kernel you specified is examined to determine whether gateway screening is enabled. (FireScreen checks for GATED, GATED_OLD, or ROUTED in the /etc/rc.config file.) If gateway screening is not enabled, the FireScreen installation updates your system configuration file to enable gateway screening.

    The FireScreen installation then runs the doconfig program to make a backup copy of your original system configuration file and to rebuild the kernel using the updated system configuration file. The rebuilt kernel is then copied into place and you are asked to access the Shutdown or Reboot Operating System option (Section 28.1) on the Manage System menu to reboot the system.

  6. Shut down or reboot the operating system. See Section 28.1.

    Figure 7-4 shows how the FireScreen Install Kernel page appears after successfully completing the FireScreen installation when gateway screening was enabled in the kernel before installing FireScreen. After you complete the FireScreen installation, you must configure FireScreen (see Section 7.2).

    Figure 7-4:  Install FireScreen Page with Gateway Screening Enabled

    Figure 7-5 shows how the Install FireScreen page appears after the FireScreen installation with gateway screening was disabled in the kernel before installing FireScreen. Follow the link to the Shutdown or Reboot Operating System page to reboot the system before configuring FireScreen (Section 7.2).

    Note

    On the Reboot Operating System form, change the number of minutes to wait from 30 to 1.

    Figure 7-5:  Install FireScreen Installation Page with Gateway Screening Disabled

7.2    Configuring FireScreen

To configure FireScreen, on the FireScreen Administration menu, choose Configure FireScreen. Figure 7-6 shows the Configure FireScreen menu.

Figure 7-6:  Configure FireScreen Menu

Use the Configure FireScreen menu to perform the following tasks:

Note

You must restart FireScreen for configuration file changes to take effect (Section 7.3).

7.2.1    Setting Command-Line Options

To set the command-line options for FireScreen, follow these steps:

  1. From the Configure FireScreen menu, choose Set Options.

    The current command-line options are displayed, as shown in Figure 7-7. These command-line options are passed to FireScreen when it is started.

    Figure 7-7:  Default Command-Line Options for FireScreen

    The default command-line options specify that:

  2. When the syslog.conf file does not contain a daemon entry, the /var/adm/firescreen.log file is used to log screening events. (This corresponds to the -L option.)

    By default, screening records are logged with other daemons' log records (in the file specified by the daemon entry in the /etc/syslog.conf file) by syslog. To specify a separate file in which only screening records will be logged, make sure the Log File check box is selected and enter the full pathname of the log file you want to use in the field provided.

  3. Screening events will be logged using the /usr/sbin/syslogd daemon. (This corresponds to the -s option.)

    Note

    FireScreen uses the syslogd daemon to log screening errors, regardless of whether or not the Syslog Logging (-s) or Log File (-L) command-line options are enabled.

  4. To log all packets, ensure that the Log All Packets check box is selected. If the check box is not selected, packets are not logged. (This corresponds to the -l option.)

  5. Logging records will include the line number from the /etc/firescreen.conf configuration file corresponding to the rule that caused the event to be logged. This information is useful for debugging configuration file problems. (This corresponds to the -r option.)

    To omit screening rule line numbers from log file entries, ensure that the Log Rule Numbers check box is not selected.

  6. Click on Submit.

    The Set Options confirmation page shows you the command-line options for FireScreen, as shown in Figure 7-8.

    Figure 7-8:  Set Options Confirmation Page

    You must restart FireScreen for the default command-line option changes to take effect (Section 7.3). However, if you specify a configuration file or log file other than the default, the file you specify is modified and read by the FireScreen Administration pages immediately, without restarting FireScreen.

For more information on specifying command-line options for FireScreen, see screend(8).

Notes

The -c option performs the same function as Check Screening Rules (Section 7.2.4), so this option is not available on the Set Options form.

The -d option is also not available on the Set Options form. If you want to use the -d option to debug FireScreen, you must set this option on the command line.

7.2.2    Setting the Screening Mode

To set the screening mode for FireScreen, follow these steps:

  1. From the Configure FireScreen menu, choose Set Screening Mode.

    Figure 7-9 shows the Set Screening Mode form.

    Figure 7-9:  Set FireScreen Screening Mode Form

    The settings on this form vary, depending on whether screening mode is enabled or disabled.

  2. To change the screening mode or boot-time screening mode, click on the appropriate check box.

  3. Click on Submit.

As long as screening mode is enabled, your system is protected from unauthorized access.

7.2.3    Adding a Screening Rule

Screening rules determine which IP packets are allowed to pass through the gateway to your network and which packets are to be rejected. By default, all IP packets are rejected.

You can add screening rules to the FireScreen configuration file to allow certain packets to be passed to your network. Screening rules are not checked for correct syntax at the time you add them; you must use the Check Screening Rules option on the Configure FireScreen menu to verify that the syntax of screening rules is correct.

FireScreen searches screening rules in the order that the rules appear in the FireScreen configuration file, from first to last. Because action is taken on each packet as soon as a matching rule is found, place specific rules before general rules. If no matching rule is found, the action specified by the default rule is taken. The FireScreen Administration utility forces the default rule to be the last rule in the configuration file; you cannot add screening rules after the default rule.

If the FireScreen configuration file contains conflicting screening rules, the IP packet is accepted or rejected based on the first rule encountered in the file that applies to that packet.

You can also delete screening rules from the FireScreen configuration file.

You must restart FireScreen for screening rule changes to take effect (Section 7.3).

Before setting up your firewall using FireScreen Administration, you should read the following technical report on implementing TCP/IP security policies:

http://www.research.digital.com/nsl/publications/TN-2.html#TN-2

This report explains how FireScreen (which is based on the screend daemon) operates, what FireScreen can and cannot do to protect your network, and how to use screening rules to implement firewall security policies.

To add a screening rule, follow these steps:

  1. From the Configure FireScreen menu, choose Add New Screening Rule.

    The first time you add a screening rule, the only rule defined is the default rule.

  2. Select one of the lines displayed in the Screening Rules list box on the Add New Screening Rule form (Figure 7-10). Each entry in the list box consists of a line number in the FireScreen configuration file and the corresponding screening rule. (The first time you add a new screening rule, you must select the default rule.) If you do not first select a rule, you will receive an error message when you click on Submit, stating that no line number was selected.

    Figure 7-10:  Add New Screening Rule Form

    Note

    Screening rules can span multiple lines and must always end in a semicolon (;). If a screening rule spans multiple lines, each part of the rule and the line number it appears on is displayed in the list box. Be careful not to add a screening rule in the middle of a multiline rule.

  3. Enter the new screening rule, using the correct syntax, in the New Screening Rule field.

  4. Click on Add.

The Add New Screening Rule confirmation page confirms that the new screening rule has been added to the FireScreen configuration file and displays all screening rules, as shown in Figure 7-11. Note the order in which the screening rules are listed in the FireScreen configuration file.

Figure 7-11:  New Screening Rule Confirmation Page

To return to the Add New Screening Rule form, click on the back arrow icon at the bottom of the form.

To check the syntax of screening rules, see Section 7.2.4.
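The two points above that most often cause a rule set to behave differently from what the administrator intended are first-match ordering (a general rule placed before a specific one silences the specific one) and multi-line rules (inserting a new rule in the middle of one). The following Python model, added here as an example and not part of the FireScreen documentation or the screend source, shows both. Its rule grammar (accept/reject, protocol, source -> destination, optional port, and a default rule) is a constructed simplification for illustration only; this page does not show the real screend syntax, so the format, the sample configuration and the addresses are all assumptions.

```python
"""Constructed model of first-match screening and a lint for the structural
rules the text states: rules end in ';', may span lines, and the default
rule must be last. Not FireScreen/screend code; the grammar is simplified."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample configuration. Line numbers (1-based) are what the
# Add New Screening Rule list box would show; rule 2 spans lines 2 and 3.
SAMPLE_CONF = """\
accept tcp 192.0.2.0/24 -> 198.51.100.10 port 25;
reject tcp any -> 198.51.100.10
    port 25;
accept udp any -> 198.51.100.53 port 53;
default reject;
"""

# Same rules, but the general reject now precedes the specific accept.
REORDERED_CONF = """\
reject tcp any -> 198.51.100.10 port 25;
accept tcp 192.0.2.0/24 -> 198.51.100.10 port 25;
accept udp any -> 198.51.100.53 port 53;
default reject;
"""

RULE_RE = re.compile(
    r"^(accept|reject)\s+(tcp|udp|icmp|any)\s+(\S+)\s*->\s*(\S+)"
    r"(?:\s+port\s+(\d+))?$")
DEFAULT_RE = re.compile(r"^default\s+(accept|reject)$")


def split_rules(conf_text: str) -> Tuple[List[Dict], List[str]]:
    """Group configuration lines into rules terminated by ';'.
    Each rule records the line numbers it occupies, so a caller can see
    where a multi-line rule ends before inserting after it."""
    rules, errors, buf, span = [], [], [], []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        buf.append(stripped)
        span.append(lineno)
        if stripped.endswith(";"):
            rules.append({"text": " ".join(buf)[:-1].strip(), "lines": list(span)})
            buf, span = [], []
    if buf:  # text left over after the last ';' is an unterminated rule
        errors.append(f"rule starting at line {span[0]} is not terminated by ';'")
    return rules, errors


def lint_rules(rules: List[Dict]) -> List[str]:
    """Enforce what the Administration utility enforces: exactly one default
    rule and nothing after it; also flag rules the grammar cannot parse."""
    errors = []
    defaults = [i for i, r in enumerate(rules) if DEFAULT_RE.match(r["text"])]
    if not defaults:
        errors.append("no default rule")
    elif len(defaults) > 1:
        errors.append("more than one default rule")
    elif defaults[0] != len(rules) - 1:
        first_after = rules[defaults[0] + 1]
        errors.append(f"rule at line {first_after['lines'][0]} appears after the default rule")
    for r in rules:
        if not (RULE_RE.match(r["text"]) or DEFAULT_RE.match(r["text"])):
            errors.append(f"syntax error in rule at line {r['lines'][0]}: {r['text']!r}")
    return errors


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules: List[Dict], packet: Dict) -> Tuple[str, int]:
    """Scan rules top to bottom; the first match decides. Returns the action
    and the line number of the deciding rule (what the -r option logs)."""
    for r in rules:
        m = DEFAULT_RE.match(r["text"])
        if m:
            return m.group(1), r["lines"][0]
        m = RULE_RE.match(r["text"])
        if not m:
            continue  # unparsable rules are reported by lint_rules, not matched
        action, proto, src, dst, port = m.groups()
        if proto != "any" and proto != packet["proto"]:
            continue
        if not (_addr_matches(src, packet["src"]) and _addr_matches(dst, packet["dst"])):
            continue
        if port is not None and int(port) != packet.get("port"):
            continue
        return action, r["lines"][0]
    raise ValueError("no default rule reached; configuration is incomplete")


def decide(conf_text: str, packet: Dict) -> Tuple[str, int]:
    """Parse, lint, then evaluate one packet; refuses a malformed rule set."""
    rules, errors = split_rules(conf_text)
    errors += lint_rules(rules)
    if errors:
        raise ValueError("; ".join(errors))
    return first_match(rules, packet)


if __name__ == "__main__":
    mail = {"proto": "tcp", "src": "192.0.2.5", "dst": "198.51.100.10", "port": 25}
    print(decide(SAMPLE_CONF, mail))     # specific accept wins: ('accept', 1)
    print(decide(REORDERED_CONF, mail))  # general reject now shadows it: ('reject', 1)
```

Running it shows the same packet accepted by rule 1 of SAMPLE_CONF but rejected by rule 1 of REORDERED_CONF, which is the reason the text gives for placing specific rules before general ones. `split_rules` reports rule 2 as occupying lines 2 and 3, so an administrator choosing an insertion point in the list box can avoid landing inside it, and `lint_rules` rejects a rule placed after the default rule or a rule without its terminating semicolon.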

7.2.4    Checking Syntax of Screening Rules

To check the syntax of screening rules in the FireScreen configuration file, on the Configure FireScreen menu, choose Check Screening Rules.

The existing screening rules are displayed and checked for syntax errors. Figure 7-12 shows the Check Screening Rules confirmation page.

Figure 7-12:  Checking Screening Rules

If screening errors are reported, you must use the Delete Screening Rules option on the Configure FireScreen menu to remove the offending rule from the FireScreen configuration file, and then add the rule using correct syntax. For more information, see Section 7.2.5 and Section 7.2.3.

7.2.5    Deleting a Screening Rule

To delete a screening rule from the FireScreen configuration file, follow these steps:

  1. From the Configure FireScreen menu, choose Delete Screening Rules.

    Screening rules and their corresponding line numbers are displayed, as shown in Figure 7-13.

  2. Select the screening rule you want to delete from the Screening Rules list box, as shown in Figure 7-13.

    Figure 7-13:  Delete Screening Rules Form

  3. Click on Delete.

7.3    Starting and Stopping FireScreen

When you make changes to the FireScreen configuration file, you must restart FireScreen for the changes to take effect (Section 7.3.1).

When you stop FireScreen with screening mode enabled, all IP forwarding is rejected until FireScreen starts again (Section 7.3.2).

The contents of the Start/Stop FireScreen form reflect the current state of the FireScreen daemon; the form updates immediately whenever the daemon's state changes.

7.3.1    Starting FireScreen

To start (or restart) FireScreen, choose Start/Stop FireScreen from the FireScreen Administration menu. The Start/Stop FireScreen form is displayed.

The contents of the Start/Stop FireScreen form depend on the current state of the FireScreen daemon.

To protect your system from unauthorized access, the Administration utility starts a new FireScreen process, which reads the latest FireScreen configuration file, and then stops any FireScreen process that was previously running, as shown in the confirmation page (Figure 7-16).

Figure 7-16:  Start/Stop FireScreen Confirmation Page

7.3.2    Stopping FireScreen

To stop FireScreen, follow these steps:

  1. Choose Start/Stop FireScreen from the FireScreen Administration menu.

  2. On the Start/Stop FireScreen form, ensure that the Stop option button is set on (as shown in Figure 7-17).

    Figure 7-17:  Start/Stop FireScreen Form with Stop Option Enabled

  3. Click on Submit.

The confirmation page indicates that FireScreen is stopped (Figure 7-18).

Figure 7-18:  Stop FireScreen Confirmation Page

7.4    Viewing FireScreen Status

Using the View FireScreen Status menu, you can view the following:

To access this menu, choose View FireScreen Status from the FireScreen Administration menu.

7.4.1    Viewing FireScreen Screening Rules

To view FireScreen screening rules in the FireScreen configuration file, from the View FireScreen Status menu, choose View Screening Rules.

The screening rules and the line numbers they occupy in the FireScreen configuration file are displayed (Figure 7-19).

Figure 7-19:  View Screening Rules Page

If you need to modify a screening rule, you must first delete the rule and then add the modified rule. See Section 7.2.4 for information on the syntax for screening rules.

7.4.2    Viewing the FireScreen Log

To view the FireScreen log file, choose View Log from the View FireScreen Status menu.

The contents of the FireScreen log file are displayed (Figure 7-20). When the log file requires more than one page, buttons are displayed at the top of the page to allow you to navigate through the log file.

Figure 7-20:  View Log File Page

To specify the types of events to be recorded in the FireScreen log file, access the Configure FireScreen menu and choose Set Options. See Section 7.2.1 for more information.

7.4.3    Viewing FireScreen Statistics

FireScreen invokes the /usr/sbin/screenstat command to display statistics for IP packet handling.

To view FireScreen statistics, choose View Statistics from the View FireScreen Status menu.

The statistics are displayed (Figure 7-21).

Figure 7-21:  View Statistics Page