Update: If you’re interested in virtualizing a newer version of IPCop, click here.
Before starting this project I had to create virtual switches using ESXi's virtual networking. These were the steps I took to create them. To learn more about virtual switches on VMware ESX server, click here.
For redundancy and performance I will assign two NICs to vSwitch0. This is the switch the VMware Infrastructure Client connects through to manage ESXi, and I will also use it as the virtual LAN for all of my virtual machines, so I am naming it Virtual Machine Network. Anything attached to this switch sits on the trusted side of the firewall, so the Internet-facing uplink must never be placed on it. To make these changes go to Configuration | Networking | Properties | Network Adapters | Add | choose vmnic1 from the list of unclaimed adapters | click Next, Next | Finish. I also changed the name to Virtual Machine Network by clicking Edit and changing the Network Label value.
In VMware ESXi terms the host's physical NICs are numbered vmnic0, vmnic1 and so on; inside a Linux guest the virtual NICs appear as eth0, eth1 and so on. The two numberings are independent of each other, which is why the adapter-to-switch mapping later in this post has to be checked by MAC address.
How VMware ESXi identifies the physical NICs installed in my Super Micro server:
The only way I found to determine this was to plug and unplug an RJ45 cable into each NIC port at the back of the server while watching the VMware Infrastructure Client console (the vmnic whose link comes up is the port just plugged in; the Configuration | Network Adapters view shows the link speed or Down for each vmnic, and on a host console esxcfg-nics -l lists the same thing with the MAC address). I’m sure there is a better way to do this, but I just can’t think of it at the moment. If you have a better solution I’d be happy to hear it!
With that out of the way, the next thing to do was create the virtual switch layout. In the ESXi server console go to the Configuration tab | Networking | click Add Networking | this starts the Network Wizard | choose Virtual Machine | click Next | if any vmnics are checked at this point I uncheck them for now and add them later | click Next | create a name for this network label | click Next | click Finish.
I’m now going to assign a vmnic to my newly created vSwitch1. Click the properties of vSwitch1 | Network Adapters | Add | since I already know my physical NIC layout I choose vmnic5.
Click Next, Next | Finish. vSwitch1 now uses vmnic5, attached to a physical NIC in the server.
I have already created a datastore, which VMware ESX uses to store virtual machines. If you haven’t done so yet, this is how I created mine. In the VMware Infrastructure Client go to Configuration | Storage | Add Storage | I am using local storage, which on my server is a RAID 5 volume | choose the option Disk/LUN | it now shows the available space that can be used for storage | I chose vmhba1:2:0, which is the RAID 5 | click Next, Next | create a name for the datastore | click Next | I choose Block size: 1 MB, which caps the largest single virtual disk file at 256 GB | click Next | Finish.
This is what my datastore looks like. ESX formatted it with VMFS3, a file system designed for virtualization.
Note: After downloading the IPCop ISO I checked the MD5 sum of the download against the one posted on IPCop’s web page before using it.
I will download the latest version of IPCop. Once that is done I will create a folder called ISO in my ESX server’s datastore to hold ISO files. Go to Configuration | Storage | double-click the SAF-HQ-PRIMARY-DATASTORE | click the folder icon with the plus sign | name the folder ISO | click the upload icon, choose file | browse to where IPCop was downloaded | click Yes. It is good practice to upload the ISOs of every operating system you will use for virtual machines into this folder.
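Here is an added example (not code from the original post) of the integrity check described in the note above, written as a shell function that can be reused for every ISO uploaded to the datastore. It assumes GNU coreutils md5sum and sha256sum are available on the machine that downloaded the file; the file contents and digests in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded ISO (or any
# file) against the digest published by the vendor before uploading it to the
# datastore. Assumes md5sum/sha256sum from GNU coreutils are on the PATH;
# the file and digests used in the demo are constructed.

# verify_digest FILE EXPECTED
#   EXPECTED is the hex digest copied from the vendor page: 32 hex chars
#   selects MD5 (what IPCop published), 64 selects SHA-256.
#   Returns 0 on match, 1 on mismatch, 2 if the file is missing or the
#   digest is malformed (so a typo is never reported as a corrupt download).
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_digest: no such file: $file" >&2; return 2; }
    case $expected in
        *[!0-9a-f]*) echo "verify_digest: digest is not hex" >&2; return 2 ;;
    esac
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "verify_digest: unsupported digest length ${#expected}" >&2; return 2 ;;
    esac
    actual=$("$tool" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($tool)"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Demo on a constructed file. The "published" digest is computed here only
# because there is no real vendor page to copy it from; in practice it is
# pasted from the download page.
demo() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for the IPCop install ISO\n' > "$dir/ipcop.iso"
    published=$(md5sum "$dir/ipcop.iso" | cut -d' ' -f1)
    verify_digest "$dir/ipcop.iso" "$published"                              # OK
    verify_digest "$dir/ipcop.iso" d41d8cd98f00b204e9800998ecf8427e || :   # FAIL: wrong digest
    verify_digest "$dir/ipcop.iso" not-a-digest || :                        # rejected as malformed
    rm -rf "$dir"
}
demo
```

The digest type is chosen by its length, so the same function accepts the MD5 sums IPCop published at the time and the SHA-256 sums most projects publish today. A digest fetched from the same unauthenticated page as the ISO only proves the download was not corrupted in transit; where a vendor offers a signed checksum file, verify the signature as well before trusting the image.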
Something to keep in mind: IPCop names each interface by function and colour. GREEN is the local LAN | RED is the Internet | ORANGE is the DMZ | BLUE is for wireless.
With the datastore in place, now comes the fun part: creating the virtual machine for IPCop. In the VMware Infrastructure Client go to Getting Started | Create a new virtual machine.
Create the name for the virtual machine.
Choose the datastore to hold this new virtual machine. Since I have two datastores I will of course choose the one I named Primary, then click Next.
This will be a Linux machine, and I prefer the option Other Linux (32-bit). Click Next.
This IPCop install will also serve as firewall, web proxy, web content filter and virus scanner for my LAN, so I will give it two virtual processors | click Next.
I will also give it a gig of RAM, click Next.
I would like this IPCop firewall to have a DMZ, so I am going to use three NICs. Each virtual NIC is connected to one of the virtual switches I created earlier.
Click Next | for the disk size I choose 4 GB | click Next.
Check Edit the virtual machine before submitting | Continue | I remove the floppy by highlighting it and clicking Remove | Finish.
I will now attach the IPCop ISO file so my newly created IPCop virtual machine can boot from it. Click the IPCop virtual machine | under the Getting Started tab | Edit virtual machine settings | highlight CD/DVD Drive 1 | choose the option Datastore ISO file | browse to the location of the ISO file in the datastore | click OK | check Connect at power on under Device Status | click OK.
I will now power on the virtual machine by clicking the green play icon. As it powers up I open the virtual machine console by clicking the computer icon with the green arrow.
The IPCop install screen comes up. I place my mouse cursor within the IPCop install screen and double-click. From here on all keyboard and mouse input goes to this screen; to release control press Ctrl and Alt. Hit Enter to start the install process and follow the install prompts.
Choose the default language. Click OK.
Start the install program. Click OK.
Choose the installation source: CDROM/USB-KEY.
Click OK to prepare the harddisk.
I am not restoring data from a backup to populate this new IPCop install, so I choose Skip, using the Tab key to move between options and the space bar to select one, then click OK.
The IPCop installer now probes all installed NICs | click OK.
IPCop detects the first NIC card for the GREEN interface.
Enter the IP address for the GREEN interface. Click OK.
IPCop has been successfully installed. I make a note of port 445, which IPCop uses for its web GUI (over HTTPS). Click OK.
Choose the keyboard type | timezone | host name | domain name. I am not using ISDN, so I disable it.
Configure the network type | click OK. I have three NICs for this firewall, so I choose GREEN + ORANGE + RED. Click OK.
I have already assigned the GREEN interface an IP address. Time to do it for the ORANGE and RED interfaces. Arrow down to Drivers and Card assignments | click OK.
It now informs me that the ORANGE and RED interfaces are unset. I click OK.
Assign the unclaimed ethernet cards, clicking OK for each one.
All cards should now be allocated.
I now enter addresses for the ORANGE and RED interfaces using Address settings.
Select the RED interface to enter the public IP address; I am using a static IP provided by my ISP. Then select the ORANGE interface and give it the IP address my DMZ will use. Click Done.
Enter DNS and gateway settings, using any public DNS servers. The gateway is the IP address given to me by my ISP (failure to enter the correct gateway address will prevent computers on the LAN from accessing the Internet). Click OK.
I have run into this problem: if I hit Cancel at this part of the installation, the installation just quits without giving you a chance to create the passwords for the IPCop accounts. Just press the space bar to either set or unset DHCP, then click OK, never Cancel! This also applies when creating the passwords, or you’ll end up having to reinstall.
I don’t need this firewall to be my DHCP server, so I disable it by leaving it unset. Click OK, then Done.
With the IP address, gateway and DNS settings done, I can now leave this menu by clicking Done.
The install now asks me to create passwords for the root, admin and backup users.
The setup has completed.
I am now going to log in to the IPCop console as root. I have decided not to install VMware Tools on IPCop since I will be administering it via the web GUI or SSH; besides, installing VMware Tools needs a compiler, which does not come with IPCop.
Let us see if I am able to ping a computer in my LAN. At the prompt I type ping 18.104.22.168 and get four replies back. That’s great! I now know the GREEN interface is correctly connected to vSwitch0, where my virtual machines live.
Will this firewall communicate with the Internet? We shall see. I ping www.redhat.com and get Destination Host Unreachable, which means the virtual NIC assigned to the RED interface is not on the correct vSwitch.
I know the RED interface is eth2 from the output of ifconfig eth2: it shows the IP address I assigned during setup.
I jot down the MAC address of this card, the value after HWaddr:. I can use this when I go into the VMware Infrastructure Client to assign the correct vSwitch to the RED interface.
I am going to shut down the IPCop VM for now by typing init 0 at the command prompt, then closing the virtual machine console. Click on Edit virtual machine settings; this opens the hardware properties. I know Network Adapter 1 is correctly using vSwitch0, assigned to Virtual Machine Network, as confirmed by the first ping test. I was able to verify this further by looking at the MAC address shown for Network Adapter 1.
Typing ifconfig eth0 to find the MAC address of eth0: it matches what ESX shows.
Clicking on Network Adapter 3, the adapter whose MAC address matches the one I noted for eth2, clearly shows it is attached to the wrong network label. The correction is easy enough: switch its Network Label to WAN T1 (the vSwitch1 I created earlier, which connects to the physical NIC in the server). I do the same for Network Adapter 2, this time giving it the network label DMZ.
All of the network adapters are now assigned to the correct network label (vSwitch):
Network Adapter 1 ETH0 -> Virtual Machine Network (vSwitch0)
Network Adapter 2 ETH1 -> DMZ (vSwitch3)
Network Adapter 3 ETH2 -> WAN T1 (vSwitch1)
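The MAC matching done by hand above can be automated. The following is an added example and not part of the original post: it reads ifconfig output saved from the IPCop console and the VM's .vmx file from the datastore (where each adapter's MAC and network label appear as ethernetN.generatedAddress and ethernetN.networkName), prints which label each guest interface is really attached to, and fails if any interface is not on the label its colour requires. The sample ifconfig text, MAC addresses and .vmx contents are constructed; the label names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: match each guest interface
# (eth0, eth1, ...) to the ESXi network label it is really attached to, by
# comparing the MAC address ifconfig reports inside IPCop with the
# ethernetN.generatedAddress / ethernetN.networkName entries in the VM's .vmx
# file, then flag any interface that is not on the vSwitch its colour needs.
# Assumptions: ifconfig output was saved from the IPCop console and the .vmx
# was copied from the datastore; the sample files, MAC addresses and label
# names below are constructed (the labels follow the post).

# guest_macs IFCONFIG_FILE -> "eth0|00:0c:29:aa:bb:01" per Ethernet interface
guest_macs() {
    awk '/^[a-z0-9]+ +Link encap:Ethernet/ {
            for (i = 1; i <= NF; i++) if ($i == "HWaddr") print $1 "|" tolower($(i + 1))
         }' "$1"
}

# vmx_nics VMX_FILE -> "00:0c:29:aa:bb:01|ethernet0|Virtual Machine Network"
# (both generated and manually set MAC addresses are recognised)
vmx_nics() {
    awk -F' *= *' '
        function unq(s) { gsub(/"/, "", s); return s }
        /^ethernet[0-9]+\.networkName *=/ { id = $1; sub(/\..*/, "", id); name[id] = unq($2) }
        /^ethernet[0-9]+\.(generatedAddress|address) *=/ {
            id = $1; sub(/\..*/, "", id); mac[id] = tolower(unq($2)) }
        END { for (id in mac) print mac[id] "|" id "|" name[id] }
    ' "$1"
}

# map_nics IFCONFIG_FILE VMX_FILE -> "eth2|mac|ethernet2|WAN T1", one line per
# guest interface in guest order; UNMATCHED if the MAC is not in the .vmx
map_nics() {
    guest_macs "$1" | while IFS='|' read -r iface mac; do
        hit=$(vmx_nics "$2" | awk -F'|' -v m="$mac" '$1 == m { print $2 "|" $3; exit }')
        printf '%s|%s|%s\n' "$iface" "$mac" "${hit:-UNMATCHED|UNMATCHED}"
    done
}

# check_roles IFCONFIG_FILE VMX_FILE ROLES_FILE
#   ROLES_FILE lists the intended label per interface ("eth2 WAN T1").
#   Prints every interface on the wrong label and returns 1 if there is one.
check_roles() {
    bad=$(map_nics "$1" "$2" | while IFS='|' read -r iface mac id label; do
        want=$(awk -v i="$iface" '$1 == i { $1 = ""; sub(/^ /, ""); print; exit }' "$3")
        [ "$label" = "$want" ] ||
            printf '%s (%s, %s) is on "%s", expected "%s"\n' "$iface" "$mac" "$id" "$label" "$want"
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Constructed inputs: the VM was created with all three adapters on the LAN
# switch, which is the situation the post describes before the fix.
write_samples() {
    cat > "$1/ifconfig.txt" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:02
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
eth2      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:03
          inet addr:203.0.113.10  Bcast:203.0.113.15  Mask:255.255.255.240
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
    cat > "$1/ipcop-before.vmx" <<'EOF'
ethernet0.present = "TRUE"
ethernet0.networkName = "Virtual Machine Network"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:aa:bb:01"
ethernet1.present = "TRUE"
ethernet1.networkName = "Virtual Machine Network"
ethernet1.addressType = "generated"
ethernet1.generatedAddress = "00:0c:29:aa:bb:02"
ethernet2.present = "TRUE"
ethernet2.networkName = "Virtual Machine Network"
ethernet2.addressType = "generated"
ethernet2.generatedAddress = "00:0c:29:aa:bb:03"
EOF
    # the corrected .vmx: DMZ on its own label, RED on the WAN T1 label
    sed -e 's/^ethernet1\.networkName.*/ethernet1.networkName = "DMZ"/' \
        -e 's/^ethernet2\.networkName.*/ethernet2.networkName = "WAN T1"/' \
        "$1/ipcop-before.vmx" > "$1/ipcop-after.vmx"
    printf 'eth0 Virtual Machine Network\neth1 DMZ\neth2 WAN T1\n' > "$1/roles.txt"
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== before relabelling the adapters =="
    check_roles "$dir/ifconfig.txt" "$dir/ipcop-before.vmx" "$dir/roles.txt" || echo "(fix the labels above)"
    echo "== after =="
    check_roles "$dir/ifconfig.txt" "$dir/ipcop-after.vmx" "$dir/roles.txt" && echo "all interfaces on their intended labels"
    rm -rf "$dir"
}
demo
```

An adapter on the wrong switch either cuts the firewall off from the Internet, as happened above, or, worse, puts the GREEN side on the Internet-facing uplink, so re-running a check like this after any change to the VM's virtual hardware is cheap insurance. Lowercasing both sides matters: ifconfig prints the MAC in upper case while ESXi writes it in lower case.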
After turning IPCop back on to test the changes, this time the ping to www.redhat.com succeeds! My virtual IPCop firewall is now connected to the Internet.
At the moment my DMZ’s physical NIC is unplugged, since I don’t have any computers on that subnet.
I will connect to IPCop’s web GUI using a browser by typing https://22.214.171.124:445. Accept the warning about the security certificate (IPCop ships a self-signed certificate, so the warning is expected on first connection). Log in as admin. After logging in I check for updates: go to System | Updates | Download new updates.
Click apply now.
I ran NMAP against the firewall’s public IP from a computer outside my network to test it, and this is what came up. NMAP confirms the firewall is filtering traffic sent to the public IP (RED). IPCop is a stateful firewall, so replies to connections started from inside are let back in while unsolicited inbound traffic on RED is dropped.
I will disable ping responses on the RED interface using IPCop’s web GUI under Firewall | Firewall Options | Save.
IPCop was primarily designed to be a firewall, but there are many addons that extend its functionality. One I like to use is the URL filter addon. This allows the firewall to act not only as a proxy server but as a web content filter as well, to help enforce my company’s Internet use policy. The addon can be obtained here; choose the one made for IPCop. After downloading the addon to my desktop I need to copy the file to IPCop. For that I need to enable SSH access on IPCop: in IPCop’s web GUI go to System | SSH Access | check the box | Save.
From my Windows computer I now upload the file to IPCop using WinSCP (on port 222, which IPCop uses for SSH). I put it into IPCop’s /tmp directory.
To complete the install I log in to IPCop using SSH, or PuTTY on Windows. IPCop uses port 222 for SSH access. Log in as root, then move into the /tmp directory and untar the downloaded file.
Move into the unpacked ipcop-urlfilter directory, then run the install.
The install process begins.
After the installation the rest of the work is done through IPCop’s web GUI, so I can now disable SSH access to IPCop by unchecking the box.
In IPCop’s web GUI under Services there is now a new link for the URL filter (you might need to refresh the page). For IPCop’s web proxy to use this content filter I need to enable it first: go to Services | Proxy | check URL filter | Log Enabled.
I want the web content filter always enforced, even if a computer-savvy user changes the proxy settings in the browser. As long as every computer on the LAN uses this firewall as its gateway, transparent mode forces web traffic through the content filter. To enable it, both Enabled on Green and Transparent on Green have to be checked. Leaving Transparent on Green unchecked still gives content filtering, but only for browsers that have the proxy set explicitly. I also use the default proxy port of 8080. Click Save to apply the changes. One caveat: transparent interception only catches plain HTTP on port 80; HTTPS and traffic on other ports go past the filter unless the firewall rules block them.
URL filter settings to enable: the default block categories are somewhat limited, so I wanted to add more. Go to Services | URL Filter | scroll down to URL filter maintenance. I download the latest blocked-site lists from these free sites and enable automatic updates, set to monthly. Clicking Update now downloads the latest lists; be patient, it does take some time.
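As an added example (not from the original post or from the addon authors), here is a small staging script for the upload, untar and install steps above. Installing an addon means running its install script as root on the firewall, so the script lists the archive and refuses members with absolute paths or .. components, unpacks into a freshly created private directory rather than a fixed name under /tmp, and locates the install script while rejecting a symlink of that name. The archive contents are constructed; the ipcop-urlfilter/install layout follows the post, and GNU tar and mktemp are assumed.

```shell
#!/bin/sh
# Added example, not from the original post or the addon's own installer:
# stage an addon tarball on the firewall before running its install script.
# It lists the archive, refuses any member that would be written outside the
# extraction directory (absolute paths or ".." components), unpacks into a
# fresh private directory instead of a fixed name under /tmp, and locates the
# install script without following symlinks. The archive names and contents
# below are constructed; the "ipcop-urlfilter/install" layout follows the
# post. Assumes GNU tar and mktemp.

# inspect_archive TGZ: print the member list; return 1 if any member is unsafe
inspect_archive() {
    tar -tzf "$1" | awk '
        /^\// || /^\.\.(\/|$)/ || /\/\.\.(\/|$)/ { bad = 1; print "UNSAFE  " $0; next }
        { print "        " $0 }
        END { exit bad + 0 }'
}

# stage_addon TGZ PARENT_DIR: extract into a new directory under PARENT_DIR
# and print its path. Returns 1 for an unsafe archive, 2 for other failures.
stage_addon() {
    tgz=$1; parent=${2:-/tmp}
    [ -f "$tgz" ] || { echo "stage_addon: no such archive: $tgz" >&2; return 2; }
    inspect_archive "$tgz" >&2 || { echo "stage_addon: refusing $tgz" >&2; return 1; }
    dest=$(mktemp -d "$parent/addon.XXXXXX") || return 2
    tar -xzf "$tgz" -C "$dest" || { rm -rf "$dest"; return 2; }
    printf '%s\n' "$dest"
}

# find_install DIR: print the addon's install script (top level or one
# directory down). A symlink named "install" is rejected.
find_install() {
    for f in "$1"/install "$1"/*/install; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    echo "find_install: no install script under $1" >&2
    return 1
}

# make_samples DIR: a well-formed addon archive and one that carries an
# absolute path (built with tar -P, which keeps the leading slash).
make_samples() {
    mkdir -p "$1/src/ipcop-urlfilter"
    printf '#!/bin/sh\necho "installing URL filter (constructed stand-in)"\n' > "$1/src/ipcop-urlfilter/install"
    chmod 755 "$1/src/ipcop-urlfilter/install"
    tar -czf "$1/good.tgz" -C "$1/src" ipcop-urlfilter
    tar -czPf "$1/bad.tgz" "$1/src/ipcop-urlfilter/install"
}

demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    echo "== good.tgz =="
    if staged=$(stage_addon "$dir/good.tgz" "$dir"); then
        script=$(find_install "$staged") && echo "would run as root: $script"
    fi
    echo "== bad.tgz =="
    stage_addon "$dir/bad.tgz" "$dir" || echo "not extracted"
    rm -rf "$dir"
}
demo
```

Run it over the port-222 SSH session before changing into the addon directory and running ./install; the listing it prints is worth reading once, since it is the only view you get of what the installer is about to put on the firewall. It does not check the targets of symlinks inside the archive, so always extract into a new directory rather than reusing one.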
Refreshing the page now shows an expanded lists of categories to choose from.
When a user “accidentally” surfs to sites against company policy I want them to see a warning page. These are the settings I have enabled. Logging is enabled so user web visits are logged. Don’t forget to click the Save and restart button to apply the changes.
Anyone surfing to sites which are blocked will get this message on their monitor screen.
The URL filter logs also show each client’s IP and the URLs being accessed.
After doing all that work I want to make sure the settings are saved in case I have to reinstall. Go to System | Backup | click Create a new backup set. I can then download the backup from Backup Sets by clicking the floppy icon. Keep that copy somewhere off the firewall; a backup that lives only on the VM is lost with it.
Another nice thing about running IPCop as a virtual machine is that I can take snapshots as a form of backup before applying updates or installing addons! From the VMware Infrastructure Client | click on the IPCop VM | Snapshot icon | give it a brief description. While the snapshot is taken the firewall stops passing traffic, which is hardly a problem when it takes less than a minute. A snapshot is a rollback point rather than a backup: once the update has been confirmed working, delete it, since a long-lived snapshot keeps growing its delta file and slows the VM down.
From the snapshot manager I can revert back to an earlier state if I wanted to.
In the event the ESX server shuts down unexpectedly, for example after a long power outage, I want my virtual machines to start back up automatically. This is done under Configuration | Virtual Machine Startup/Shutdown | Properties | move up any virtual machines you want to start automatically | click OK.
To further extend my IPCop’s capabilities I will also install an addon called Copfilter, which comes with an impressive list of security programs. Before installing Copfilter I will create a snapshot. SSH access has to be enabled to allow uploading Copfilter.
I decided to use the version which the author considers the most stable copfilter-0.84beta3a.tgz.
After copying it to the /tmp folder in IPCop using WinSCP I am now ready to do the installation. Login using SSH, then move into the /tmp directory.
tar -xzvf copfilter-0.84beta3a.tgz
These errors came up during reboot. Hitting Enter on the terminal brought up the login prompt. The problem was that the e-mail address to send reports to was still not set.
This problem was corrected by going into the Email link from the Copfilter menu.
I’m going to reboot IPCop again to see if there are still any errors during startup from the command line.
This time no errors came up.
I will now activate the security programs I want to use from the Copfilter menu in the web GUI. I enable HTTP Scanning to protect my users’ web wanderings.
It would also be a good idea to update the ClamAV virus signature database. I also set the automatic update schedule in the AntiVirus menu of Copfilter. Don’t forget to save and restart to apply the settings.
In case any of the services should fail I want the system to restart it automatically. This is done through monit, which also comes with Copfilter. Go to Monitoring in the Copfilter menu and change it to on.
To protect users who download files using FTP I also enable FTP Scanning through Copfilter, on both the GREEN and ORANGE networks.
These are the security programs I have enabled in Copfilter. I am not doing any of the e-mail scanning, since that is already done by my SMTP proxy box, ASSP, and SpamAssassin is already running on my mail server.
Checking the memory usage of IPCop under Status | System shows about a 30% increase after running the security programs through Copfilter. Another nice thing about using IPCop as a virtual machine is that adding more memory is as easy as editing the virtual machine’s settings; no more having to open the physical box! From the VMware Infrastructure Client | Edit virtual machine settings, after shutting down the IPCop virtual machine.
I will boost it to 1.5 Gigs.
These resources will be good to start with considering I only have 27 users on the LAN.
Note: The Snort IDS is not enabled; its code is currently broken in IPCop. After adding the Copfilter addon I had to increase memory to 2 GB.
These are just some of the tasks I can use the IPCop firewall for; there are far too many to cover. A good place to find more information on how to use IPCop can be found here.