FireBrick FB6402 User Manual

Contents
1.1. The FB6000 (p. 1)
1.1.1. Where do I start? (p. 1)
1.1.2. What can it do? (p. 1)
1.1.2.1. FB6402 Gigabit stateful firewall (p. 2)
1.1.3. Ethernet port capabilities (p. 2)
1.1.4. Product variants in the FB6000 series (p. 2)
1.2.
4.1.4.2. Logged in IP address (p. 23)
4.1.4.3. Restrict by profile (p. 23)
4.1.5. Password change (p. 23)
4.1.6. One Time Password (OTP) (p. 23)
4.2. General System settings (p. 24)
4.2.1. System name (hostname) (p. 24)
4.2.2.
11.1.6. NAT Traversal (p. 75)
11.1.7. Configuring a Road Warrior server (p. 76)
11.1.8. Connecting to non-FireBrick devices (p. 77)
11.1.8.1. Using StrongSwan on Linux (p. 77)
11.1.8.2. Setting up a Road Warrior VPN on an Android client (p. 78)
11.1.8.3.
A. CIDR and CIDR Notation (p. 104)
B. MAC Addresses usage (p. 106)
B.1. Multiple MAC addresses? (p. 106)
B.2. How the FireBrick allocates MAC addresses (p. 107)
B.2.1. Interface (p. 107)
B.2.2. Subnet (p. 107)
B.2.3. PPPoE (p. 107)
B.2.4.
D.1. Monitoring information (p. 111)
D.2. BGP information (p. 111)
E. Command line reference (p. 113)
E.1. General commands (p. 113)
E.1.1. Trace off (p. 113)
E.1.2. Trace on (p. 113)
E.1.3. Uptime (p. 113)
E.1.4. General status (p. 113)
E.1.5.
F.2.3. Other colours and spacing (p. 122)
F.3. Overnight archiving (p. 122)
F.3.1. Full URL format (p. 123)
F.3.2. Load handling (p. 123)
F.4. Graph scores (p. 124)
F.5. Creating graphs, and graph names (p. 124)
G.
H.2.43. ike-proposal: IKE security proposal (p. 155)
H.2.44. ipsec-proposal: IPsec AH/ESP proposal (p. 156)
H.2.45. ipsec-manual: peer configuration (p. 156)
H.2.46. profile: Control profile (p. 157)
H.2.47. profile-date: Test passes if within any of the time ranges specified (p. 158)
H.2.48.
H.3.38. dynamic-graph: Type of dynamic graph (p. 175)
H.3.39. firewall-action: Firewall action (p. 175)
H.4. Basic types (p. 175)
Index (p. 178)

List of Figures
2.1. Initial web page in factory reset state (p. 7)
2.2. Initial "Users" page (p. 7)
2.3. Setting up a new user (p. 8)
2.4. Configuration being stored (p. 8)
3.1. Main menu (p. 11)
3.2. Icons for layout controls (p. 12)
3.3.

List of Tables
2.1. IP addresses for computer (p. 6)
2.2. IP addresses to access the FireBrick (p. 6)
2.3. IP addresses to access the FireBrick (p. 6)
3.1. Special character sequences (p. 17)
4.1. User login levels (p. 22)
4.2.
H.81. dhcp-relay: Attributes (p. 165)
H.82. dhcp-relay: Elements (p. 165)
H.83. autoloadtype: Type of s/w auto load (p. 166)
H.84. config-access: Type of access user has to config (p. 166)
H.85. user-level: User login level (p. 166)
H.86.
IPv6-capable networking software, written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain exceptional levels of quality and reliability.
The remainder of this chapter provides an overview of the FB6000's capabilities, and covers your product support options. The latest version of the QuickStart guide for the FB6000 can be obtained from the FireBrick website at: http://www.firebrick.co.uk/pdfs/quickstart-6000.pdf

1.1.2. What can it do?

The FB6000 series of products is a family of high speed ISP/telco grade routers and firewalls providing a range of specific functions.
• Gigabit performance

The FB6000 series are provided in a number of variants. This manual is for the FB6402. This variant includes:

• Border Gateway Protocol, to allow routes to be announced and accepted from peering BGP routers.
• IPsec/IKEv2 implementation for providing secure tunnelling and roaming VPN capability.
1.2.4. Document style

At FireBrick, we appreciate that different people learn in different ways - some like to dive in, hands-on, working with examples and tweaking them until they work the way they want, referring to documentation as required.
FireBrick are building a library of Application Note documents that you can refer to - each Application Note describes how to use and configure a FireBrick in specific scenarios, such as using the device in a multi-tenant Serviced Office environment, or using the FireBrick to bond multiple WAN connections together.
1.3.5. Training Courses

FireBrick provide training courses for the FB2x00 series products, and also training courses on general IP networking that are useful if you are new to networking with IP. To obtain information about upcoming courses, please contact e-mail...
• Method 3 - use an existing DHCP server to configure the FireBrick. If your LAN already has a DHCP server, you can connect port 4 of your FireBrick to your LAN, and it will get an address. Port 4 is configured, by default, not to give out any addresses and as such it should not interfere with your existing network.
2.2.1. Add a new user

You now need to add a new user with a password in order to gain full access to the FireBrick's user interface. Click on the "Users" icon, then click on the "Add" link to add a user. The "Users" page is shown below, with the "Add"...
Figure 2.3. Setting up a new user

You may also want to increase the login-session idle time-out from the default of 5 minutes, especially if you are unfamiliar with the user-interface. To do that, tick the checkbox next to timeout, and enter an appropriate value as minutes, colon, and seconds, e.g.
Chapter 3. Configuration

3.1. The Object Hierarchy

The FB6000 has, at its core, a configuration based on a hierarchy of objects, with each object having one or more attributes. An object has a type, which determines its role in the operation of the FB6000. The values of the attributes determine how that object affects operation.
XML. If the User Interface does not generate valid XML - i.e. when saving changes to the configuration the FireBrick reports XML errors, then this may be a bug - please check this via the appropriate support channel(s).
The User Interface has the following general layout :-

• a 'banner' area at the top of the page, containing the FireBrick logo, model number and system name
• a main-menu, with sub-menus that access various parts of the user interface; the main-menu can be shown vertically or horizontally - sub-menu appearance depends on this display style: if the main-menu is vertical, sub-menus are shown by 'expanding' the menu vertically;...
FB6000 will automatically be recalled next time you use the same computer/browser to connect to that FB6000. It is also possible to configure an external CSS to use with the FireBrick web control pages, which allows a great deal of control over the overall layout and appearance. This can be useful for dealers or IT support companies to set up FireBricks in a style and branding of their choice.
Erase. Simply going back "Up" or moving to another part of the config will leave this newly created empty object and that could have undesirable effects on the operation of your FireBrick if saved.

3.4.2.2. Object settings

The details of an object are displayed as a matrix of boxes (giving the appearance of a wall of bricks), one for each attribute associated with that object type.
Figure 3.5. Editing an "Interface" object

By default, more advanced or less frequently used attributes are hidden - if this applies to the object being edited, you will see the text shown in Figure 3.6. The hidden attributes can be displayed by clicking on the link "Show all".
FB6000. All changes are initially held in-memory (in the web browser itself), and are committed back to the FireBrick only when you press the Save button.
You should be careful that you don't inadvertently add incompletely setup objects this way, as they may affect operation of the FireBrick, possibly with a detrimental effect. If you have added an object, perhaps for the purposes of looking at what attributes can be set on it, remember to delete the object before you navigate away -- the "Erase"...
'read-only', and so is 'safe' in as much as you can't accidentally change the configuration.

3.5.4. Example XML configuration

An example of a simple, but complete XML configuration is shown below, with annotations pointing out the main elements:

<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://firebrick.ltd.uk/xml/fb2700/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/"
        timestamp="2011-10-14T12:24:07Z"
        patch="8882">
  <system name="gateway"...
3.6. Downloading/Uploading the configuration

The XML file may be retrieved from the FireBrick, or uploaded to the FireBrick, using HTTP transfers done via tools such as curl. Using these methods, configuration of the FB6000 can be integrated with existing administrative systems.
IP address or DNS name>/config/config --user "username:password" --form config="@filename"

Note
You can also include --form override=true to force the config to be loaded even if it has minor (recoverable) errors, e.g. if it is config for an older version of FireBrick.
Chapter 4. System Administration

4.1. User Management

You will have created your first user as part of the initial setup of your FB6000, as detailed in either the QuickStart Guide or in Chapter 2 in this manual. To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under the "Config"...
Table 4.1. User login levels

Level    Description
NOBODY   No access to any menu items, but can access control switches for which the user has access.
GUEST    Guest user, access to some menu items
USER     Normal unprivileged user
ADMIN    System administrator
DEBUG    System debugging user
...
This can be useful for firewall rules where you may have to log in to the FireBrick, even as a NOBODY level user, just to get your IP address in an access list to allow further access to a network from that IP.
If OTP is configured you can leave the password blank (which is not normally allowed) and hence use the authenticator code as the entire password, though this is not recommended for security reasons as it also means the TOTP seed is recoverable from the config.

Note
Technical details to allow you to create configs with password and OTP seed hashes are described in Appendix G.
As a matter of policy, FireBrick software upgrades are always free to download for all FireBrick customers. To complement the responsive UK-based development process, the FB6000 is capable of downloading and installing new software directly from FireBrick's servers, providing the unit has Internet access.
a replacement attribute should be used instead. Releases where such a change has been made, and existing configurations will need modifying, are termed Breakpoint software releases. Breakpoint releases are special as they are able to automatically update an existing configuration - used with the previous software release - so that it is compatible with the new release, and functionality is retained wherever possible.
This method is entirely manual, in the sense that the brick itself does not download new software from the FireBrick servers, and responsibility for loading breakpoint releases as required lies with the user. In order to do this, you will first need to download the required software image file (which has the file extension .img) from the FB6000 software downloads website [http://www.firebrick.co.uk/software.php?
4.4. Boot Process

The FB6000 contains internal Flash memory storage that holds two types of software :-

• main application software (generally referred to as the app)
• a bootloader - runs immediately on power-up, initialises system, and then loads the app

It is possible for only one of these types of software, or neither of them, to be present in the Flash, but when shipped from the factory the unit will contain a bootloader and the latest factory-release application software.
5.1. Overview

Many events in the operation of the FireBrick create a log entry. Each is a one-line string of text saying what happened. This could be normal events such as someone logging in to the web interface, or unusual events such as a wrong password used, or DHCP not being able to find any free addresses to allocate.
5.1.1.2. Logging to the Console

The console is the command line environment described in Chapter 16. You can cause log entries to be displayed as soon as possible on the console (assuming an active console session) by setting console="true" on the log target.
XML is shown below, from which you can see that in many cases, you only need to specify the to attribute (the comment attribute is an optional, general comment field) :-

<log name="fb-support" comment="Log target for sending logs to FireBrick support team">
  <email to="crashlog@firebrick.ltd.uk" comment="Crash logs emailed to FireBrick Support team"/>
  ...
5.5. Performance

The FireBrick can log a lot of information, and adding logs can cause things to slow down a little. The controls in the config allow you to say what you log in some detail. However, logging to flash will always slow things down a lot and should only be used where absolutely necessary.
All log targets can be viewed via the web User Interface, regardless of whether they specify any external logging (or logging to Flash memory).

5.6.2. Viewing logs in the CLI environment

The command line allows logs to be viewed, and you can select which log target, or all targets. The logging continues on screen until you press a key such as RETURN.
Chapter 6. Interfaces and Subnets

This chapter covers the setup of Ethernet interfaces and the definition of subnets that are present on those interfaces. For information about other types of 'interfaces', refer to the following chapters :-

• Tunnels, including FB105 tunnels - Chapter 11

6.1.
To create or edit interfaces, select the Interface category in the top-level icons - under the section headed "Ethernet interface (port-group/vlan) and subnets", you will see the list of existing interface top-level objects (if any), and an "Add" link. The primary attributes that define an interface are the name of the physical port group it uses, an optional VLAN ID, and an optional name.
Editing an existing subnet works similarly - click the Edit link next to the subnet you want to modify. The FB6000 can perform conventional Network Address Translation (NAT) for network connections / flows originating from all machines on a subnet (for example, one using RFC1918 private IP address space) by setting the nat attribute on the subnet object.
Not all devices cope with this so it is recommended that an explicit range is used, e.g. 192.168.1.100-199. You do not, however, have to be careful of either the FireBrick's own addresses or subnet broadcast addresses as they are automatically excluded. When using the default (0.0.0.0/0) range network addresses are also omitted, as are any other addresses not within a subnet...
If you are setting up a static allocation, but your client has already obtained an address (from your FB6000) from a pool, you will need to clear the existing allocation and then force the client to issue a new DHCP request (e.g.
The top level dhcp-relay configuration allows you to configure the FireBrick to be the remote server for a DHCP/BOOTP Relay Agent. The relay attribute allows specific pools to be set up for specific relays. The table and allow attributes allow you to limit the use of the DHCP Remote server to requests from specific sources - note that renewal requests come from the allocated IP, or NAT IP if behind NAT, and not necessarily from the relay IP.
• The yellow port LED is configured to show Transmit activity.

When you first create an ethernet object you will see that none of the attribute checkboxes are ticked, and the defaults described above apply. Ensure that you set the port attribute value correctly to modify the port you intended to.
Chapter 7. Session Handling

This chapter describes sessions, session-tracking, and how the rules for session creation can be used to implement Firewalling, subject specific traffic flows to traffic-shaping, and perform address mapping techniques including conventional Network Address Translation (NAT). Session-tracking is also involved in the route override functionality of the FB6000 - this is covered in Section 8.6.
The contents of the session-table can be viewed in the web user interface by clicking "Sessions" in the "Status" menu. You will normally see two entries per session, one with a green background and one with a yellow background.
7.3.2. Processing flow

The following processing flow applies to rules and rule-sets :-

• Rule-sets are processed sequentially.
• Each rule-set can optionally specify entry-criteria - if present, these criteria must be matched against for the rules within the rule-set to be considered.
•...
Note that drop and reject both drop packets, with the difference only being whether notification of this is sent back to the traffic source. For a short period after startup the actions of drop and reject are treated as ignore. This is so that, after a reboot (which forgets all sessions), sessions that carry outbound traffic and are not NATed stand a chance of re-establishing themselves by means of that outbound traffic.
Figure 7.2. Processing flow chart for rule-sets and session-rules (flow chart not reproduced; node labels recoverable from the figure: "Packet arrives, no matching session exists", "Examine next rule-set object", "Start processing rules", "All rule-sets processed?", "Processing continues with next rule-set", "Session Allowed")
It is helpful to understand that a session rule contributes to the final set of information recorded in the session-table entry - a rule does not necessarily completely define what the session-table will contain, unless it is the only rule that matches the traffic under consideration.
checked for target IP of, say, 0.0.0.0/24, that would pass if the target IP is within the same /24 as the source IP. This only works on IPv4, and only on subnets, not ranges, and only on source-ip and target-ip checks.
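As an added illustration (not code from the FireBrick manual or its software), the following Python models the relative-prefix rule just described, where a check of 0.0.0.0/24 passes when the candidate address shares a /24 with the other end of the session; it also enforces the manual's limits (IPv4 only, prefix syntax only, ranges never relative). The function name, its signature and the range parsing are assumptions for illustration.

```python
"""Model of the FireBrick relative source-ip / target-ip check.

Added example, not the vendor's code. A prefix whose network address is
0.0.0.0 with a non-zero length is 'relative': it passes when the candidate
IP and the other end of the session fall in the same subnet of that size.
"""
import ipaddress


def ip_check_matches(check: str, candidate: str, other_end: str) -> bool:
    """Return True if `candidate` satisfies the check value `check`.

    For a target-ip check, `candidate` is the target IP and `other_end` is
    the source IP (and vice versa for a source-ip check). Absolute prefixes,
    single addresses and dotted ranges are matched directly; only a
    0.0.0.0/N prefix (N > 0) is interpreted relative to `other_end`.
    """
    cand = ipaddress.ip_address(candidate)
    other = ipaddress.ip_address(other_end)

    # Range syntax, e.g. "192.168.1.100-199" (short form: last octet only)
    # or "10.0.0.1-10.0.0.50". Ranges are never relative, per the manual.
    if "-" in check:
        low_s, high_s = check.split("-", 1)
        low = ipaddress.ip_address(low_s)
        if "." in high_s or ":" in high_s:
            high = ipaddress.ip_address(high_s)
        else:
            high = ipaddress.ip_address(f"{low_s.rsplit('.', 1)[0]}.{high_s}")
        return low.version == cand.version and low <= cand <= high

    net = ipaddress.ip_network(check, strict=False)

    # Relative check: IPv4 network 0.0.0.0 with a non-zero prefix length.
    # 0.0.0.0/0 is left alone: it simply means "any IPv4 address".
    if (net.version == 4
            and net.network_address == ipaddress.IPv4Address("0.0.0.0")
            and net.prefixlen > 0):
        if cand.version != 4 or other.version != 4:
            return False  # relative matching is IPv4-only
        same_subnet = ipaddress.ip_network(f"{other}/{net.prefixlen}",
                                           strict=False)
        return cand in same_subnet

    # Ordinary absolute check (version mismatch yields False).
    return cand in net


if __name__ == "__main__":
    # Constructed sample session: LAN host 192.168.1.10 talking to a peer.
    print(ip_check_matches("0.0.0.0/24", "192.168.1.200", "192.168.1.10"))
    print(ip_check_matches("0.0.0.0/24", "192.168.2.200", "192.168.1.10"))
```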
  protocol="6" comment="WAN access to company web server"/>
</rule-set>

Rule-set is named "firewall_to_LAN". The rule-set only applies to sessions targeting the "LAN" interface, from any other interface. The action to perform when no rule within the rule-set applies is to "drop".
7.3.3.3. Graphing and traffic shaping

The set-graph and set-reverse-graph attributes cause the session traffic to be graphed, and therefore possibly be subject to traffic shaping; they perform the same function as the graph attribute that can be specified on many different objects, as described in Chapter 10.
It is important to understand that there are two stages to the use of these protocols. Firstly, a device on the local network will send a message to the FireBrick as the gateway device requesting a mapping or firewall hole.
(assuming they do the current Internet Protocol, which is version 6). Remember, NAT is not a means of protection - the FireBrick has a firewall for that, NAT is a workaround for IP address sharing, something that is simply not necessary with IPv6 and should not be encouraged.
7.4.4. What NAT does

What the NAT setting does is cause the FireBrick to change the source IP and port used for the session. It picks an IP based on the interface to which the traffic will finally be sent, and uses the most appropriate IP address that it can to try and ensure correct return traffic to that IP address.
NAT to a new level. As ever we recommend using PPPoE to avoid an extra layer of NAT in a broadband router. In some cases the FireBrick may be expected to provide a carrier level of NAT in terms of number of sessions handled.
FireBrick, and this is often not the case. This can be useful in very simple configurations where the FireBrick only has the one private subnet, but in most cases it is better to set NAT on a PPPoE or dongle interface and not use the NAT setting on the subnet configuration.
Chapter 8. Routing

8.1. Routing logic

The routing logic in the FB6000 operates primarily using a conventional routing system of most specific prefix, which is commonly found in many IP stacks in general purpose computers and routers. Conventional routing determines where to send a packet based only on the packet's destination IP address, and is applied on a 'per packet' basis - i.e.
You can show the route(s) that apply for a specific destination IP address or address range using the CLI command show route. You can also see a list of all routes in a routing table using the CLI command show routes. There is also a routing display on the Diagnostics control web pages.

8.2.
the final target, e.g. it may be to an Ethernet interface, in which case an ARP is done for 192.168.0.100 to find the MAC to send the traffic. There is logic to ensure that the next-hop is valid - the gateway specified must be routable somewhere and if that is via an Ethernet interface then the endpoint must be answering ARP or ND packets.
Bonding works with routing and shapers together. (See Chapter 10 for details of shapers.) The basic principle is that you have two or more routes that are identical (same target IP prefix) and have the same localpref, so that there is nothing to decide between them. As described above this normally means one of the routes is picked.
Chapter 9. Profiles

Profiles allow you to enable/disable various aspects of the FB6000's configuration (and thus functionality) based on things such as time-of-day or presence/absence of Ping responses from a specified device.

9.1. Overview

A profile is a two-state control entity - it is either Active or Inactive ("On" or "Off", like a switch). Once a profile is defined, it can be referenced in various configuration objects where the profile state will control the behaviour of that object.
• recover: the duration that the overall test must have been passing for before the profile state changes to Active

The timeout and recover parameters do not apply to manually set profiles (see Section 9.2.4) and those based on time-of-day (see Section 9.2.2.2).

9.2.2.
attribute to true, the overall result is inverted (Pass changed to Fail and vice-versa) first before applying the mapping.

9.2.4. Manual override

You can manually override all tests, and force the profile state using the set attribute - a value of true forces the state to Active, and false forces it to Inactive.
Chapter 10. Traffic Shaping

The FB6000 includes traffic shaping functionality that allows you to control the speed of specific traffic flows through the FB6000. The FB6000 also provides graphing functionality, allowing specific traffic flows to be plotted on a graph image (PNG format) that the FB6000 generates. Within the FB6000, traffic shaping and graphing are closely associated, and this is reflected in how you configure traffic shaping - in order to be able to perform traffic shaping, you must first graph the traffic flow.
10.1.2. Shapers

Once you have graphed a (possibly bi-directional) traffic flow, you can then also define speed restrictions on those flows. These can be simple "Tx" and "Rx" speed limits or more complex settings allowing maximum average speeds over time. You define the speed controls associated with the graphed traffic flow(s) by creating a shaper top-level object.
• The ingress interface can have a defined shaper
• When the packet passes through session tracking, the two sides of the session tracking (forward and reverse) can each have shapers that apply.
• It is possible to create a bonded gateway route where multiple routes exist for the same target (typically a default gateway) and each route has a speed set, which is itself a shaper.
One of the uses of IPsec is to create a private tunnel between two places. This could be two FireBricks, or between a FireBrick and some other device such as a router, VPN box, Linux box, etc. The tunnel allows traffic to IP addresses at the far end to be routed over the Internet in secret, encrypted at the sending end and decrypted at the receiving end.
The FireBrick supports version 2 of the IKE protocol (IKEv2). IKE uses Public Key Cryptographic mechanisms to select the keys to be used, using the Diffie-Hellman key exchange mechanism. IKE also performs authentication between the two link endpoints using for example X.509 certificates, pre-shared secrets or other methods...
IPs not in the allow or trusted lists are not accepted. There is also a Force-NAT option which will force the FireBrick to assume that remote devices on the list are behind NAT boxes. IKE has built-in NAT detection so this option is rarely needed. See the separate section...
FireBrick perform network address translation on sessions initiated by the client. Note that there is a restriction on the total number of IPs (both IPv4 and IPv6 combined) of approximately 65536 addresses - i.e. a single IPv4 range of /16, or a single IPv6 range of /112.
FQDN or EMAIL forms of ID are used there is no requirement for the domain or email address to actually be associated with the peer or even to exist at all. If the prefix (IP:, FQDN: etc) is omitted in the identity, the FireBrick chooses the most appropriate type, based on the syntax of the identity used.
The local-ip is optional - if omitted the IP used by the peer to reach the FireBrick is used for a connection initiated remotely, and the FireBrick chooses a suitable source IP when it initiates a connection. You can also optionally specify an internal-ipv4 and/or an internal-ipv6 address.
The local-spi uniquely identifies this IPsec connection, so must be distinct for all IPsec connections on this FireBrick. The current FireBrick implementation requires the local SPI for manual connections to be in the range 256 to 65535. The local-spi must match the outgoing SPI of the far end of the link, and vice-versa.
IPsec/IKE authentication data payloads. When a certificate is installed on the FireBrick, a short local name must be chosen to accompany it. This name appears in the certificate store contents list but need bear no relation to the actual certificate identity. The local names are displayed on the UI certificate configuration page, and are also used to form the filename (with .pem...
(and for security should not be installed). During the IKE authentication procedure the FireBrick sends a copy of the certificate identifying itself to the peer, and also sends the trust chain of certificate(s) used to sign the end-entity certificate. The peer does not need to have the end-entity certificate installed, but must have a CA certificate (usually the self-signed "root"...
Generating suitable certificates can be a painful experience for the uninitiated, so we have provided some useful tools which can be downloaded from the FireBrick website. These are bash scripts which use the OpenSSL tools, and can be run on Linux or MacOS systems, or on Windows using Cygwin. They should be downloaded and saved locally (eg by cut-and-paste from the displayed web page text, or using the browser save source function).
• PRF: A pseudo-random function used to generate further keying info from the Diffie-Hellman key (control channel only)
• ESN: A flag indicating whether extended sequence numbers are supported for the data channel

Manually-keyed connections do not have a control channel, and use only integrity and encryption algorithms. Both integrity checking and encryption allow a choice of algorithms.
FireBrick so it can be sent over the VPN. One of three methods is typically used:

• Use a range in private address space - eg 10.42.42.1-100. As these are not internet-routable, if the clients require internet access through the VPN, incoming sessions from the client should be NATed by the FireBrick.
</ipsec-ike>

11.1.8. Connecting to non-FireBrick devices

The FireBrick IPsec implementation should be compatible with any IPsec IKEv2 implementation. Note that IKE version 1 is not supported. Older equipment may not support IKEv2 yet, in which case manual keying may be possible. Several vendors have released IKEv2 support only recently; it is worth checking with your vendor for firmware upgrades.
To set up a client VPN connection on an Android device, perform the following steps:

• The FireBrick connection should be configured as a Road Warrior connection, and client usernames and passwords should be configured, as described earlier, using certificate authentication for the FireBrick and EAP for the peers.
IKE identity. Names used to identify the VPN on the client settings pages can also be supplied. The client IKE identity may be freely chosen - the FireBrick Road Warrior server will accept any client ID, and it will be displayed in the FireBrick IPsec status information and logging. Note that the server address should be entered as an IP address rather than a domain name for reliable operation;...
11.2. FB105 tunnels

The FB105 tunnelling protocol is a FireBrick proprietary protocol that was first implemented in the FireBrick FB105 device, and is popular with FB105 users for setting up VPNs etc. It is 'lightweight' in as much as it is relatively simple, with low overhead and easy setup, but it does not currently offer encryption.
IP address in tunnel definitions on such 'shared' end-points. The latter case is typical where an ISP deploys a FireBrick device to provide a 'head-end' device for tunnel bonding.
If you wish to use a different UDP port number than the default of 1, specify the port number using the port attribute.

11.2.3. Viewing tunnel status

The status of all configured FB105 tunnels can be seen in the web User Interface by selecting "FB105" from the "Status"...
Consider two FireBricks A and B which are able to communicate with each other using IP (eg over the internet). An otherwise unused port on each FireBrick can be configured as an ETUN port. Every ethernet packet arriving at FireBrick A's ETUN port is encapsulated and transmitted to FireBrick B (over IP). FireBrick B decapsulates the packet and transmits it on its configured ETUN port.
Configuring an ETUN connection is very simple. Select "Add: New: Ether tunnel (RFC3378)" on the tunnel configuration page, and enter the IP of the remote FireBrick and the local port to be used for ETUN. The local IP can be optionally set, and the usual log, profile and table options are also available. The local ETUN port is specified by selecting a port group.
Chapter 12. System Services

A system service provides general functionality, and runs as a separate concurrent process alongside normal traffic handling. Table 12.1 lists the services that the FB6000 can provide :-

Table 12.1. List of system services

Service       Function
SNMP server   provides clients with access to management information using the Simple Network Management Protocol
...
table: If specified, then the service only accepts requests/connections on the specified routing table. If not specified then the service works on any routing table. Where the service is also a client then this specifies the routing table to use (default 0). allow: If specified then this is a list of ranges of IP addresses and IP group names from which connections are allowed.
LAN. This is done by telling the FireBrick the domain for your local network. Any name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made will return the IP address assigned by DHCP. This is applied in reverse for reverse DNS mapping an IP address...
Time Protocol (NTP) server. There are public NTP servers available for use on the Internet, and a factory reset configuration does not specify an NTP server which means a default of ntp.firebrick.ltd.uk. You can set your preferred NTP server instead.
Chapter 13. Network Diagnostic Tools Various network diagnostic tools are provided by the FB6000, accessible through either the web user interface or the CLI :-
• Packet dump : low level diagnostics for detailed examination of network traffic passing through the FB6000
• ...
This address is not on a local Ethernet subnet and so not allowed access. 13.3. Packet Dumping The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This might typically be used where the behaviour of the FB6000 is not as expected, and can help identify whether other devices are correctly implementing network protocols - if they are, then you should be able to determine whether the FB6000 is responding appropriately.
• using an HTTP client on another machine (typically a command-line client utility such as curl) The output is streamed so that, when used with curl and tcpdump, you can monitor traffic in real time. Limited filtering is provided by the FB6000, so you will normally apply any additional filtering you need via tcpdump.
IP matching is only performed against ARP, IPv4 or IPv6 headers and not in encapsulated packets or ICMP payloads. If capturing too much, some packets may be lost. 13.3.4. Packet types The capture can collect different types of packets depending on where the capture is performed. All of these are presented as Ethernet frames, with faked Ethernet headers where the packet type is not Ethernet.
Linebreaks are shown in the example for clarity only - they must not be entered on the command-line. In this example we have used username name and password pass to log-in to a FireBrick on address 1.2.3.4 - obviously you would change the IP address (or host name) and credentials to something suitable for your FB6000.
VRRP 14.2. Configuring VRRP VRRP operates within a layer 2 broadcast domain, so VRRP configuration on the FB6000 comes under the scope of an interface definition. As such, to set-up your FB6000 to participate in a Virtual Router group, you need to create a vrrp object, as a child object of the interface that is in the layer 2 domain where the VRRP operates.
Note that the FB6000 has non-standard support for some specific packets sent to the VRRP virtual addresses. This includes answering pings (configurable) and handling DNS traffic. Other VRRP devices may not operate in the same way and so may not work in the same way if they take over from the FireBrick.
Chapter 15. BGP 15.1. What is BGP? BGP (Border Gateway Protocol) is the protocol used between ISPs to advise peers of routes that are available. Each ISP tells its peers the routes it can see, being the routes it knows itself and those that it has been advised by other peers.
• RFC2385 TCP MD5 protection
• RFC2796 Route reflector peers
• RFC3392 Capabilities negotiation
• RFC3065 Confederation peers
• RFC5082 TTL Security
• Multiple independent routing tables allowing independent BGP operations
• Multiple AS operation
15.2.3. Simple example setup A typical installation may have transit connections from which a complete internet routing table is received, peers which provide their own routes only, internal peers making an IBGP mesh, customers to which transit is provided and customer routes may be accepted.
confederate For EBGP that is part of a confederation. Confederation rules apply Peers only with different Must be EBGP, and sets default of no-fib and not add-own-as. Routes from this peer are marked as IXP routes which affects filtering on route announcements. Only announced on EBGP not IBGP.
15.2.7. Announcing black hole routes The FireBrick allows black hole routes to be defined using the blackhole object. Routing for such addresses is simply dropped with no ICMP error. Such routes can be marked for BGP announcement just like any other routes.
Any route installed as a network is announced with this community. Note, this is not set automatically on a nowhere route, allowing a route to be announced to get to this FireBrick to be propagated via IBGP. The effect of this is that your network can include one (or more) sources of top level network routes which, within your network, are installed as dead ends at each point.
15.2.15. TTL security The FireBrick supports RFC5082 standard TTL security. Simply setting ttl-security="1" on the peer settings causes all of the BGP control packets to have a TTL of 255 and expects all received packets to be TTL 255 as well.
Chapter 16. Command Line Interface The FB6000 provides a traditional command-line interface (CLI) environment that can be used to check status information, and control some aspects of the unit's operation. The CLI is accessed via the 'telnet' protocol - the FB6000 implements a telnet server, which you can connect to using any common telnet client program.
Appendix A. CIDR and CIDR Notation Classless Inter-Domain Routing (CIDR) is a strategy for IP address assignment originally specified in 1993 that had the aims of "conserving the address space and limiting the growth rate of global routing state". The current specification for CIDR is in RFC4632 [http://tools.ietf.org/html/rfc4632].
routing table entry - 10.1.2.0/24 and 10.1.3.0/24 - routing table entries for these subnets would appear in a downstream router. Note that in either a network/subnet or routing destination specification, the address will be the starting address of the IP address range being expressed, such that there will be M least significant bits of the address set to zero, where M = 32 - prefix_length. Combined interface IP address and subnet definitions...
In principle the FireBrick could have a single MAC address for all operations. However, practical experience has led to the use of multiple MAC addresses on the FireBrick. A unique block of addresses is assigned to each FireBrick, with the size of the block dependent on the model.
ISP links as above where ports are locked to only accept one MAC. The way the FireBrick manages MAC addresses is designed to be a bit sticky so that a config change will not usually cause a MAC address assigned to a subnet or interface to change.
MAC Addresses usage B.2.5. Running out of MACs The allocations are recorded in persistent data, so if an object is removed from the config and later put back it should get the same MAC address. If however there are not enough MAC addresses when loading a config, then previous assignments are re-used.
• the first address in the range has zero for the remaining digits (00)
• the last address in the range has F for the remaining digits (FF)
Therefore this range spans 00:03:97:14:7C:00 to 00:03:97:14:7C:FF inclusive (256 addresses). B.4.
Appendix C. VLANs : A primer An Ethernet (Layer 2) broadcast domain consists of a group of Ethernet devices that are interconnected, typically via switches, such that an Ethernet broadcast packet (which specifies a reserved broadcast address as the destination Ethernet address of the packet) sent by one of the devices is always received by all the other devices in the group.
Appendix D. FireBrick specific SNMP objects This appendix details the SNMP objects that are specific to the FireBrick. D.1. Monitoring information General monitoring information. Table D.1. iso.3.6.1.4.1.24693.1 ...OID Type Meaning Integer (mV) Voltage: "A" power supply. Should be around 12V. May show a few volts when no...
IP.4 Integer Received IPv4 prefixes
IP.5 Integer Seconds since last state change
IP.6 Integer Received IPv6 prefixes
...
Shows how long since the FB6000 restarted. E.1.4. General status show status Shows general status information, including uptime, who owns the FireBrick, etc. This is the same as the Status on the web control pages. E.1.5. Memory usage show memory Shows memory usage summary.
Command line reference E.1.8. Logout logout quit exit You can also use Ctrl-D to exit, or close the connection (if using telnet). E.1.9. See XML configuration show run show configuration Dumps the full XML configuration to the screen. E.1.10. Load XML configuration import configuration You then send the XML configuration, ending with a blank line.
Shows current DNS resolver list and status. E.2. Networking commands E.2.1. Subnets show subnets show subnet <integer> You can list all current subnets, or details of a specific subnet. This shows the same information as the web status pages for subnets.
E.2.6. See DHCP allocations show dhcp [<IP4Addr>] [table=<routetable>] Shows DHCP allocations, with option to show details for specific allocation. E.2.7. Clear DHCP allocations clear dhcp [ip=<IP4Range>] [table=<routetable>] Allows you to remove one or more DHCP allocations. E.2.8. Lock DHCP allocations lock dhcp ip=<IP4Addr>...
This can be useful to test fallback scenarios by simulating a fatal error. Note that panic crash logs are emailed to the FireBrick support by default, so please use a meaningful string. e.g. panic "testing fallback" confirm=yes E.5.2.
This allows a reverse telnet connection to be made. A TCP connection is made to the IP address (and port) where a user can login. This can be useful where a firewall policy prevents incoming access to allow someone to have access from outside, e.g. the FireBrick support team. E.5.5. Show command sessions show command sessions The FB6000 can have multiple telnet connections at the same time.
The logging system can log to flash for a permanent record. This is done automatically for some system events and when booting. You can specify the number of bytes of recent log to show.
Appendix F. Constant Quality Monitoring - technical details The FireBrick provides constant quality monitoring. The main purpose of this is to provide a graphical representation of the performance of an interface or traffic shaper
• 100 second interval statistics available graphically as svg or png and in text as csv covering at least the last 25 hours (one day)
• ...
F.1.3. Authenticated access Authenticated access requires a prefix of a hex sha1 string, e.g. http://host:port/cqm/longhexsha1/circuit.png or http://host:port/cqm/longhexsha1/YYYY-MM-DD/circuit.png. The SHA1 is the 40 character hex of the SHA1 hash made from the graph name, the date, and the http-secret. The date is in the form YYYY-MM-DD, and is today's date for undated access (based on local time).
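An added example (not FireBrick's own code) of building and checking the authenticated URL form above, with the undated and dated variants and a constant-time check on the receiving side. The page only says the SHA1 is made from the graph name, the date and the http-secret; the concatenation order used here, the absence of separators, and the hypothetical function names are assumptions.

```python
"""Added example, not FireBrick code: authenticated CQM URLs of the form
/cqm/<40-hex-sha1>/<graph>.png (undated, today's local date) and
/cqm/<40-hex-sha1>/YYYY-MM-DD/<graph>.png (dated).
Assumed (not stated on the page): token = sha1(graph + date + secret)."""
import hashlib
import hmac
from datetime import date
from typing import Optional


def cqm_token(graph: str, day: date, http_secret: str) -> str:
    # Assumed construction: graph name, then YYYY-MM-DD, then the http-secret,
    # concatenated without separators; 40 hex characters of SHA-1.
    data = (graph + day.isoformat() + http_secret).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def cqm_url(base: str, graph: str, http_secret: str,
            day: Optional[date] = None) -> str:
    """Dated URL when day is given; undated URL uses today's local date."""
    token = cqm_token(graph, day or date.today(), http_secret)
    if day is None:
        return f"{base}/cqm/{token}/{graph}.png"
    return f"{base}/cqm/{token}/{day.isoformat()}/{graph}.png"


def cqm_check(path: str, http_secret: str, today: date) -> bool:
    """Server-side check of a request path (hypothetical helper).

    'today' is passed in so the local-time date used for undated access is
    explicit and testable. Returns False for malformed paths or bad tokens."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "cqm":
        _, token, filename = parts
        day = today
    elif len(parts) == 4 and parts[0] == "cqm":
        _, token, ymd, filename = parts
        try:
            day = date.fromisoformat(ymd)  # must be YYYY-MM-DD
        except ValueError:
            return False
    else:
        return False
    graph = filename.rsplit(".", 1)[0]  # strip .png / .svg / .csv
    expected = cqm_token(graph, day, http_secret)
    # Constant-time comparison so token checking does not leak by timing.
    return hmac.compare_digest(token, expected)
```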
Table F.3. Text Text Clean output, clears all additional text fields Clean and clear, as z but also sets inside background and off-line colours to transparent so graphs are easy to merge with those other LNSs Line 1 top left text, default if not set in config is system name Line 2 top left text Line 3 top left text...
day in the first 3 hours 46 minutes of the new day (2 hours 46 or 4 hours 46 when clocks change in previous day). As such it is recommended that overnight archiving is done of the previous day just after midnight. The recommended command to run just after midnight is wget -m http://host:port/cqm/`date +%F -dyesterday`/z/ as this will create a directory for the server, cqm, date, and z, and then the files.
F.4. Graph scores Graphs are scored based on settings in the config. Each 100 second sample has a score which is included in the csv and xml lists for any graph. The score is also totalled for a graph as a whole and included in the csv and xml list of all graphs.
It is still important to keep the configuration hashes safe, as someone could use the hashes to try millions of passwords off-line before trying to log in to a FireBrick. For this reason it is also important to use good passwords that cannot be guessed, and are not simply made from normal dictionary words.
OTP sequence to be generated, not simply checked (as is the case with a password hash). The issue with encrypting the OTP seed is that the FireBrick has to be able to decrypt it so as to check the OTP sequence used.
Hashed passwords
• N bytes: The OTP seed XOR with the hash made from the password with salt appended. If seed is longer than hash then only initial hash length bytes are XOR'd.
• S bytes: Seed bytes, should be random.
• ...
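An added example (not FireBrick's own code) of the seed masking just described, covering the edge case where the seed is longer than the hash: only the first hash-length bytes are XORed and the remainder is stored unchanged. The hash being SHA-1 (20 bytes), the salt being appended to the UTF-8 password bytes, and the function names are assumptions, not from the page.

```python
"""Added example, not FireBrick code: masking an OTP seed with
hash(password + salt) as in the Hashed passwords appendix.
Assumptions: SHA-1 is the hash (20 bytes); salt is appended to the
UTF-8 password bytes; helper names are hypothetical."""
import hashlib
import os

HASH_LEN = hashlib.sha1().digest_size  # 20 bytes under the SHA-1 assumption


def mask_key(password: str, salt: bytes) -> bytes:
    """Hash made from the password with the salt appended (assumed layout)."""
    return hashlib.sha1(password.encode("utf-8") + salt).digest()


def mask_seed(seed: bytes, password: str, salt: bytes) -> bytes:
    """Seed XOR hash; a seed longer than the hash is XORed only over the
    first HASH_LEN bytes, the remaining seed bytes being kept as they are."""
    key = mask_key(password, salt)
    n = min(len(seed), len(key))
    masked = bytes(s ^ k for s, k in zip(seed[:n], key[:n]))
    return masked + seed[n:]  # tail beyond the hash length is unmasked


def unmask_seed(masked: bytes, password: str, salt: bytes) -> bytes:
    """XOR is its own inverse: masking again with the same key recovers the
    seed. This is why the device needs the password, not just its hash,
    to regenerate the OTP sequence, and why a weak password still matters."""
    return mask_seed(masked, password, salt)


def clear_tail_len(seed_len: int) -> int:
    """Number of trailing seed bytes left unmasked for a given seed length."""
    return max(0, seed_len - HASH_LEN)


def new_masked_seed(password: str, seed_len: int = 20, salt_len: int = 8):
    """Generate a random seed and salt; return (masked_seed, salt, seed).
    The salt 'should be random', as the appendix says."""
    seed = os.urandom(seed_len)
    salt = os.urandom(salt_len)
    return mask_seed(seed, password, salt), salt, seed
```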
Configuration Objects
sampling (sampling): Optional. Sampling parameters
services (services): Optional. General system services
shaper (shaper): Optional, unlimited. Named traffic shapers
system (system): Optional. System settings
user (user): Optional, unlimited. Admin users
H.2. Objects H.2.1. system: System settings The system settings are the top level attributes of the system which apply globally. Table H.3.
source string Source of data, used in automated config management sw-update autoloadtype false Load new software automatically sw-update-profile NMTOKEN Profile name for when to load new s/w table (unsignedByte 0-99) Routing table number for system functions routetable (s/w updates, etc) Table H.4.
Table H.10. log-syslog: Attributes (Attribute (Type, Default): Description)
comment (string): Comment
facility (syslog-facility, LOCAL0): Facility setting
port (unsignedShort): Server port
profile (NMTOKEN): Profile name
server (IPNameAddr, Not optional): Syslog server
severity (syslog-severity, NOTICE): Severity setting
source (string): Source of data, used in automated config management
source-ip (IPAddr)...
H.2.8. services: System services System services are various generic services that the system provides, and allows access controls and settings for these to be specified. The service is only active if the corresponding element is included in services, otherwise it is disabled.
NMTOKEN Not logging Log debug log-error NMTOKEN Log as event Log errors ntpserver List of IPNameAddr ntp.firebrick.ltd.uk List of time servers (IP or hostname) from which time may be set by ntp poll duration 1:00:00 NTP poll rate profile NMTOKEN...
port unsignedShort Service port profile NMTOKEN Profile name source string Source of data, used in automated config management table (unsignedByte 0-99) Routing table number routetable H.2.12. http-service: HTTP service settings Web management pages Table H.16. http-service: Attributes Attribute Type Default Description...
domain string Our domain fallback boolean true For incoming requests, if no server in required table, relay to any DNS available local-only boolean true Restrict access to locally connected Ethernet subnets only NMTOKEN Not logging Log events log-debug NMTOKEN Not logging Log debug...
Table H.20. dns-block: Attributes Attribute Type Default Description comment string Comment name List of string Not optional Host names (can use * as a part of a domain) profile NMTOKEN Profile name restrict-interface List of NMTOKEN - Only apply on certain interface(s) restrict-to List List of IP ranges to which this is served...
agent-ip IPAddr use source-ip IP address used to identify this agent collector-ip IPAddr Not optional IP address of collector collector-port unsignedShort 6343 sFlow, UDP port which collector listens on 4739 for IPFIX comment string Comment (unsignedShort 1500 576-2000) mtu name string Name...
Optional, unlimited DHCP server settings subnet subnet Optional, unlimited IP subnet on the interface vrrp vrrp Optional, unlimited VRRP settings H.2.20. subnet: Subnet settings Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.
Test link state using ARP/ND for this IP unsignedByte TTL for originating traffic via subnet H.2.21. vrrp: VRRP settings VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority. Table H.27. vrrp: Attributes Attribute...
answer-ping boolean true Whether to answer PING to VRRP IPs when master comment string Comment delay unsignedInt Delay after routing established before priority returns to normal interval unsignedShort Transit interval (centiseconds) List of IPAddr Not optional One or more IP addresses to announce NMTOKEN Not logging Log events...
NMTOKEN Not logging Log events (allocations) List Partial or full MAC addresses (hexBinary) macprefix name string Name List of IP4Addr From system settings NTP server profile NMTOKEN Profile name source string Source of data, used in automated config management syslog List of IP4Addr...
name string Name value string Not optional Value vendor boolean Add as vendor specific option (under option 43) H.2.25. dhcp-attr-number: DHCP server attributes (numeric) Additional DHCP server attributes (numeric) Table H.32. dhcp-attr-number: Attributes Attribute Type Default Description comment string Comment force...
graph (token) graphname - Graph name List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network (highest wins) name string Name profile NMTOKEN Profile name source string Source of data, used in automated config management speed unsignedInt...
name string Name no-fib boolean Route not in forwarding, only for EBGP profile NMTOKEN Profile name source string Source of data, used in automated config management table (unsignedByte 0-99) Routing table number routetable List of Community - List of community tags H.2.30.
H.2.32. bgprule: Individual mapping/filtering rule An individual rule for BGP mapping/filtering Table H.40. bgprule: Attributes Attribute Type Default Description comment string Comment community Community Community that must be present to match detag List of Community - List of community tags to remove drop boolean Do not import/export this prefix...
peer bgppeer Optional, up to 50 List of peers/neighbours H.2.34. bgppeer: BGP peer definitions The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers. Table H.43.
max-prefix (unsignedInt 10000 Limit prefixes (IPv4+IPv6) 1-10000) bgp- prefix-limit Secret MD5 signing secret name string Name next-hop-self boolean false Force us as next hop outbound no-fib boolean Don't include received routes in packet forwarding unsignedByte Pad (prefix stuff) our AS on export by this many profile NMTOKEN...
comment string Comment detag List of Community - List of community tags to remove drop boolean Do not import/export this prefix localpref unsignedInt Set localpref (highest wins) unsignedInt Set MED prefix List of IPFilter Drop all that are not in this prefix list source string Source of data, used in automated config...
label-latency string Latency Label for latency label-max string Label for maximum latency label-min string Label for minimum latency label-off string Label for off line seconds label-period string Period Label for period label-poll string Polls Label for polls label-rej string %Reject Label for rejected seconds...
text1 string Text line 1 text2 string Text line 2 text3 string Text line 3 text4 string Text line 4 timeformat string %Y-%m-%d Time format %M:%S unsignedByte Pixels space at top of graph Colour #080 Colour for Tx traffic level H.2.37.
satellite boolean Mark links that are high speed and latency for split latency bonding (experimental) secret Secret Unsigned Shared secret for tunnel unsignedByte Set ID for reorder ID tagging (create a set of tunnels together) sign-all boolean false All packets must be signed, not just keepalives source...
Comment graph (token) graphname - Graph name internal-ipv4 IP4Addr local-ip Internal IPv4 for traffic originated on the FireBrick and sent down tunnel internal-ipv6 IP6Addr local-ip Internal IPv6 for traffic originated on the FireBrick and sent down tunnel local-ip IPAddr Local IP...
profile NMTOKEN Profile name routes List of IPPrefix Routes when link up source string Source of data, used in automated config management speed unsignedInt no shaping Egress rate limit used (b/s) table (unsignedByte 0-99) Routing table number for IKE traffic and routetable tunnel wrappers tcp-mss-fix...
Table H.55. ipsec-route: Attributes Attribute Type Default Description bgpmode Not announced BGP announce mode for routes comment string Comment List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network (highest wins) name string Name profile...
table (unsignedByte 0-99) Routing table number for IKE traffic and routetable tunnel wrappers tcp-mss-fix boolean true Adjust MSS option in TCP SYN to fix session MSS type ipsec-type Encapsulation type auth-algorithm ipsec-auth-algorithm null Manual setting for authentication algorithm auth-key hexBinary Manual key for authentication...
name NMTOKEN Not optional Profile name NMTOKEN Active if specified profile is inactive as well as all other tests passing, including 'and' List of NMTOKEN - Active if any of these other profiles are active regardless of other tests (including 'not' or 'and') ports Set of port...
Table H.64. profile-time: Attributes Attribute Type Default Description comment string Comment days Set of day Which days of week apply, default all source string Source of data, used in automated config management start time Start (HH:MM:SS) stop time End (HH:MM:SS) H.2.49.
tx-max unsignedInt Tx rate limit max tx-min unsignedInt Tx rate limit min tx-min-burst duration Tx minimum allowed burst time tx-step unsignedInt Tx rate reduction per hour Table H.67. shaper: Elements Element Type Instances Description override shaper-override Optional, unlimited Profile specific variations on main settings H.2.51.
users List of NMTOKEN - Include IP of (time limited) logged in web users H.2.53. route-override: Routing override rules Routing override rules Table H.70. route-override: Attributes Attribute Type Default Description comment string Comment name string Name source string Source of data, used in automated config management table...
source-interface List of NMTOKEN - Source interface(s) source-ip List Source IP address range(s) IPNameRange source-port List of PortRange Source port(s) startup-delay duration 1:00 Startup interval to use ignore instead of reject/drop table (unsignedByte 0-99) Applicable routing table routetable target-interface List of NMTOKEN - Target interface(s)
set-initial-timeout duration Initial time-out set-nat boolean Changed source IP and port to local for set-ongoing-timeout duration Ongoing time-out set-reverse-graph string Graph name for shaping/logging (far side of session) set-source-ip IPAddr New source IP set-source-port unsignedShort New source port set-table (unsignedByte 0-99) Set new routing table...
set-source-port unsignedShort New source port set-table (unsignedByte 0-99) Set new routing table routetable set-target-ip IPAddr New target IP set-target-port unsignedShort New target port weight positiveInteger Weighting of load share H.2.59. etun: Ether tunnel Ether tunnel Table H.80. etun: Attributes Attribute Type Default...
H.3. Data types H.3.1. autoloadtype: Type of s/w auto load Table H.83. autoloadtype: Type of s/w auto load (Value: Description)
false: Do not auto load
factory: Load factory releases
beta: Load beta test releases
alpha: Load test releases
H.3.2.
Unused Unused Unused LOCAL0 Local 0 LOCAL1 Local 1 LOCAL2 Local 2 LOCAL3 Local 3 LOCAL4 Local 4 LOCAL5 Local 5 LOCAL6 Local 6 LOCAL7 Local 7 H.3.8. month: Month name (3 letter) Table H.90. month: Month name (3 letter) Value Description January...
H.3.10. port: Physical port Table H.92. port: Physical port Value Description Port 0 (left) Port 1 (right) H.3.11. Crossover: Crossover configuration Physical port crossover configuration. Table H.93. Crossover: Crossover configuration Value Description auto Crossover is determined automatically Force no crossover H.3.12.
H.3.15. LinkClock: Physical port Gigabit clock master/slave setting Table H.97. LinkClock: Physical port Gigabit clock master/slave setting (Value: Description)
prefer-master: Master status negotiated; preference for master
prefer-slave: Master status negotiated; preference for slave
force-master: Master status forced
force-slave: Slave status forced
H.3.16.
H.3.23. dhcpv6control: Control for RA and DHCPv6 bits Table H.105. dhcpv6control: Control for RA and DHCPv6 bits (Value: Description)
false: Don't set bit or answer on DHCPv6
true: Set bit but do not answer on DHCPv6
dhcpv6: Set bit and do answer on DHCPv6
H.3.24.
Table H.109. peertype: BGP peer type (Value: Description)
normal: Normal BGP operation
transit: EBGP Mark received as no-export
peer: EBGP Mark received as no-export, only accept peer AS
customer: EBGP Allow export as if confederate, only accept peer AS
internal: IBGP allowing own AS
reflector...
H.3.36. ipsec-encapsulation: Manually keyed IPsec encapsulation mode Table H.118. ipsec-encapsulation: Manually keyed IPsec encapsulation mode (Value: Description)
tunnel: IPsec tunnel
transport: IPsec transport
H.3.37. switch: Profile manual setting Manual setting control for profile Table H.119. switch: Profile manual setting Value Description false...
integer: integer (-2147483648-2147483647)
positiveInteger: positive integer (1-4294967295)
unsignedInt: unsigned integer (0-4294967295)
unsignedShort: unsigned short integer (0-65535)
byte: byte integer (-128-127)
unsignedByte: unsigned byte integer (0-255)
boolean: Boolean
dateTime: YYYY-MM-DDTHH:MM:SS date/time
time: HH:MM:SS time
NMTOKEN: String with no spaces
void: Internal use
IPAddr...
subnetlist: List of subnets (IPSubnet)
ra-max: Route announcement max interval (seconds) (4-1800) (unsignedShort)
ra-min: Route announcement min interval (seconds) (3-1350) (unsignedShort)
ip6list: List of IPv6 addresses (IP6Addr)
vlan: VLAN ID (0=untagged) (0-4095) (unsignedShort)
ip4rangelist: List of IP4ranges (IP4Range)
macprefixlist: List of strings (macprefix)
macprefix...