FireBrick 105 Manual

Sophisticated router / firewall

Introduction
The FireBrick 105 is a sophisticated router/firewall product that is designed to be the key device between the
internet and your network. It provides state tracking firewalling and routing as well as useful features such as
network address translation and automatic IP address allocation. The FireBrick has a number of optional
extras making it invaluable at home or in an office. Whilst it is only a small box, it has the power to handle the
fastest 8Mb/s ADSL internet links running flat out and handle hundreds of computers in a large office network.

Using this manual

This manual covers the basic operations clearly and simply, and acts as a reference. There are sections for
each of the FireBrick configuration icons, and sections describing the underlying functionality of the FireBrick.
Each section has at the end a Technical Reference which goes in to much more detail about that section with
a number of key technical points and notes listed. There is also a section describing each of the optional extra
features that are available. Generally, the manual will describe the operation with most features installed, and
so your FireBrick may be missing some of the options listed if you do not have all features.

Basic terms

There are some key terms used throughout the manual which it is useful to understand. Please read these first.

LAN: Local Area Network. This is a group of devices connected together, normally using ethernet, which can communicate directly with each other. It can include cables, hubs, switches, and even wireless access points.

LAN, WAN, DMZ: LAN, WAN (Wide Area Network) and DMZ (Demilitarized Zone) are used to describe the sides of a firewall. They are all LANs, but the WAN is used to describe the outside (connected to the rest of the world), the LAN is the inside connected to your network, and any DMZs are used for servers which are typically protected from the WAN but from which your LAN is protected in case such machines are compromised. Normally the single port on the left is the WAN and the 4 ports on the right are the LAN.

IP: Internet Protocol. An IP address is four parts with dots, e.g. 192.168.0.1. The FireBrick supports only conventional IP (version 4).

Mask: (Netmask, Subnet mask) is used to define the size of a local area network. Usually shown in the same format as an IP address, e.g. 255.255.255.192, but also shown as a bit count on the end of an IP address, e.g. 192.168.0.1/24. See Networks for more details.

Port: End point identity used by the TCP and UDP protocols, a number from 1 to 65535.

TCP: Transport Control Protocol − used for most session based communications such as web pages, email, etc.

UDP: User Datagram Protocol − used for realtime and transaction based communications such as DNS and voice over IP.

DNS: Domain Name Service − the way in which machine names are converted to IP addresses, and various related functions.
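To make the Mask term concrete, here is an added Python example (not part of the FireBrick manual or FireBrick software) that converts between the dotted netmask form and the /N bit-count form, rejects masks whose one-bits are not contiguous, and works out the network address, broadcast address and usable host count for an address such as 192.168.0.1/24. The function names are this example's own, and the sample addresses are constructed.

```python
"""Added example (not FireBrick code): IPv4 netmask and prefix-length arithmetic.

The same subnet size can be written as a dotted mask (255.255.255.192) or as a
bit count (/26); from either form the network address, broadcast address and
usable host count follow. Function names below are this example's own.
"""
from ipaddress import IPv4Network

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Parse a dotted quad such as 192.168.0.1 into a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {dotted!r}")
        value = (value << 8) | n
    return value


def _to_dotted(value: int) -> str:
    """Render a 32-bit integer as a dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/26 -> '255.255.255.192': the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return _to_dotted((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.192' -> 26, rejecting masks whose one-bits are not contiguous."""
    bits = _to_int(mask)
    host_bits = ~bits & ALL_ONES          # the zero part of the mask, as ones
    if host_bits & (host_bits + 1):       # contiguous low ones <=> 2**k - 1
        raise ValueError(f"non-contiguous netmask: {mask}")
    return 32 - host_bits.bit_length()


def describe(cidr: str) -> dict:
    """Network, broadcast and usable host count for an address in a.b.c.d/N form."""
    addr, _, prefix_str = cidr.partition("/")
    prefix = int(prefix_str)
    mask = _to_int(prefix_to_mask(prefix))
    network = _to_int(addr) & mask
    broadcast = network | (~mask & ALL_ONES)
    size = 1 << (32 - prefix)
    return {
        "network": _to_dotted(network),
        "broadcast": _to_dotted(broadcast),
        "netmask": _to_dotted(mask),
        "prefix": prefix,
        "size": size,
        # Conventional count: the network and broadcast addresses are not hosts,
        # so a block of 16 addresses (/28) leaves 14 usable.
        "usable_hosts": max(size - 2, 0),
    }


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand-rolled arithmetic against Python's ipaddress module."""
    net = IPv4Network(cidr, strict=False)
    d = describe(cidr)
    return (str(net.network_address), str(net.broadcast_address),
            str(net.netmask), net.prefixlen) == (d["network"], d["broadcast"],
                                                 d["netmask"], d["prefix"])


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real network.
    for example in ("192.168.0.1/24", "10.0.0.77/26", "172.16.5.200/28"):
        print(example, describe(example), matches_stdlib(example))
```

The contiguity check in mask_to_prefix is the part worth noticing: a mask such as 255.255.0.255 parses as a valid dotted quad but has no prefix-length equivalent, and equipment that accepts it silently will route unpredictably, so it is rejected rather than rounded.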

Getting started

A quick start guide is included with your FireBrick (PDF).
It is very simple to connect your FireBrick to an existing network and make use of its facilities with no
additional configuration. Once connected, it is simple to access the configuration pages and make any
FireBrick 105 Manuals
Introduction
1

Summary of Contents for FireBrick 105

  • Page 1: Using This Manual

    A quick start guide is included with your FireBrick (PDF). It is very simple to connect your FireBrick to an existing network and make use of its facilities with no additional configuration. Once connected, it is simple to access the configuration pages and make any...
  • Page 2: Factory Reset

    There are 5 ethernet ports on the front of the FireBrick. The one on the left is normally the WAN side, and the 4 on the right are normally a high speed network switch connected to the LAN side. All ports support 10base−T and 100base−T as well as full and half duplex automatically and also have auto crossover to...
  • Page 3: Basic Configuration

    Users of the FireBrick web configuration pages must log in before they can do anything. Once an IP address is set up you may find you have to log in again − this is because the FireBrick will have just set its clock from the internet.
  • Page 4: Save Config

    Save config: This allows the current configuration of the FireBrick to be saved on your local PC. Selecting save config will normally cause your browser to pop up with a save box allowing you to select where to save the config. The default filename is the serial number of your FireBrick, allowing you to save many configs in one directory without risk of overwriting a different one.
  • Page 5 Speed: Normally the FireBrick detects 10base−T or 100base−T automatically, but the port can be fixed to only one speed. Duplex: Normally the FireBrick detects Full or Half duplex mode, but the port can be fixed to only one mode. Disable: Causes the port to be disabled, allowing no traffic in or out.
  • Page 6 / restart, the clock is not set and so it continually tries until the clock is set, ignoring the profile selected. Syslog: The FireBrick has an internal log, and can also log to a syslog server. This allows the IP and syslog type to be set. Server IP...
  • Page 7 Optional Gateway IP interface sets the IP using the DHCP defined gateway for that subnet. The FireBrick acts as a DNS relay, and uses DNS itself. This address defines the DNS server it uses. Log/Filter Options: This allows defaults and options to be defined relating to logging and filtering. See filters for a description of Blink, Flash, Log, Syslog, and Email.
  • Page 8: Technical Reference

    When cycling LEDs mode is used, the left hand port uses LED mode 5. As soon as internet access from the FireBrick is possible (i.e. IP, gateway, etc.) the clock may set, and this will usually cause the logged on user to be logged off as the time jumps forward.
  • Page 9: User Settings

    Users: The FireBrick uses a username/password system to manage security. There can be a number of different users of the system, and each can have their own access permissions. One user is special, the nobody user, which defines the permissions before you are actually logged in as anyone else.
  • Page 10 The FireBrick tries to keep the same address for each device, and will only re−use an address if it is available and is the oldest (i.e. not used for the longest). You can manually clear an allocation by clicking on the interface.
  • Page 11 When using stealth the MAC report can be a bit confusing. e.g. Traffic from the LAN to WAN shows as LANn on the LAN side, and as FireBrick on the WAN side because the FireBrick will have received it from LANn on the LAN and sent with the MAC unchanged out on the WAN.
  • Page 12 Profiles: FireBrick profiles are a very powerful feature. Most settings on the FireBrick have a profile, which is by default 24/7 (always active). There are standard profiles for 24/7, 9−5M−F and 2amSun. Additional profiles can be based on time, or on pinging an address, or manually switched on the main dragon page along with quick filters.
  • Page 13 5 seconds, then the profile is down. Pings continue every second, and if there is one response then the profile is up. Avoid making profile interdependency loops − it will not crash or hang the FireBrick but will have...
  • Page 14 Shaping rules The FireBrick can be used to change the rate of traffic using speed lanes. The shaping rules define in to which speed lane each type of traffic is assigned. They operate much like filters. The first in−profile rule which matches the traffic in question is applied.
  • Page 15 Speed lanes The FireBrick can manage the rate at which traffic flows using speed lanes. Traffic is placed in a speed lane using the shaping rules. All traffic in any speed lane is controlled by that lane − the speed is for the total traffic in the lane.
  • Page 16 By limiting this you can avoid the external routers buffers filling. This means that traffic marked fast is able to jump the queue on the FireBrick and then not hit another queue in the external router.
  • Page 17 Latency added is added for the specific speed lane and the master speed lane for the from and to interface, making a total of 20s latency possible. Speed lanes...
  • Page 18 The FireBrick can operate like any conventional network device with an IP address and netmask. However, the FireBrick can have multiple addresses and be on multiple networks at the same time even on the same physical network. The subnets allow the network address to be defined as well as DHCP and other settings.
  • Page 19 between as the subnet name. If stealth is set then the FireBrick will answer traffic for its IP, but other traffic on this subnet can be passed through the FireBrick (subnet to filtering) in stealth mode. If not set, then traffic for any of the IPs on this subnet is considered to be on that subnet and not passed through as stealth.
  • Page 20 DHCP address which is that received on the WAN. An address mapping entry can then be used to map traffic for the FireBrick on its WAN to the LAN hence passing through the external traffic (still subject to filtering).
  • Page 21 Routes: The FireBrick has to decide where to send traffic. This is done using routing rules. The rules are considered in order and the first appropriate matching route is applied. The routing list includes the subnets and the default gateway.
  • Page 22 If a route is set for target Any, then the NAT flag may be set at that point, but the routing continues until an explicit target interface is found. The proxy ARP setting causes the FireBrick to answer ARPs on the source interfaces for the IP range/group specified as the target. Routing is done before filtering as filters operate on the apparent target interface (which is decided by...
  • Page 23: Logged In Users

    There is a special group which is not listed in the IP groups section but which can be selected in filters, etc. This is the IP group of logged in users, and is any IP address from which any user is logged in to the FireBrick. This can be useful to allow access from the location from which you have just logged in to the FireBrick.
  • Page 24 Erases the whole port group and all entries within it. FireBrick Tunnel Traffic: A default port group in the factory reset config is FireBrick tunnel traffic, which uses UDP port 1. Technical Reference: The security on a group does not affect whether a user can use the group.
  • Page 25 Filters: Filters are the way that the FireBrick provides firewall protection. The FireBrick tracks every session, and applies filters when that session starts. Once checked against the filters, the session is then allowed even if the filters later change. Filters are considered in order until one matches, and then the filter rule is applied to the session.
  • Page 26 If no filter matches, the default filter is used as specified in the setup menu. Before the default filter there is an implicit filter allowing LAN to FireBrick port 80 and allowing FireBrick to any traffic. Explicit filtering rules can however block this default behaviour if required.
  • Page 27 Filtering is done before address mapping and so any IPs and ports apply before the addresses are changed. Filtering is done before NAT is applied. Filtering is also done before traffic shaping. Filters...
  • Page 28: Address Mapping

    Address mapping: Address mapping allows a change to be made to the ports and IP addresses of traffic going via the FireBrick. This is the same principle as NAT, but allows more specific changes to be made. All new sessions are put through the address mapping table, and the first applicable entry is used.
  • Page 29 Setting the new interface to Any will allow the routing rules to decide the new target interface. Setting the new source IP to 255.255.255.255 causes the FireBrick to use NAT, using an IP appropriate for the subnet on which it eventually sends the packet.
  • Page 30 Tunnels: Tunnels provide a means of accessing remote networks and creating a virtual private network (VPN) to other FireBricks. Once a tunnel is created it becomes available in the routing rules as a destination, allowing traffic to be routed down a tunnel.
  • Page 31: Tunnel Status

    The tunnel traffic is wrapped up in another packet to send over the internet to the other FireBrick. This traffic needs to be allowed. The FireBrick is allowed to send traffic (unless a filter explicitly blocks it), but it will not automatically allow such traffic.
  • Page 32 Packet reordering in a FireBrick can happen as a result of the bonding features. These are typically used to send packets down multiple internet links. The difference in packet sizes alone can therefore result in packets arriving in a different order.
  • Page 33 FireBrick in the correct order. When this is used effectively, the QOS option becomes redundant and so is deprecated. Note that this will not work if the far end is a FireBrick which does not have the Reorder option available (i.e. older software).
  • Page 34: Quick Setup

    Quick setup When you connect to the FireBrick admin pages, or click on the dragon, you will access the quick setup page. If you are not logged in then this may show no information as you may have no access to any filters or profiles.
  • Page 35 The 105 has more capacity − allowing more sessions and DHCP addresses, etc. The 4 port switch on the 105 is a high speed network switch capable of 100Mb/s full duplex on all ports. On the SoHo/Plus this was a 10Mb/s hub. All ports are auto 10/100 with autocrossover...
  • Page 36 Plus: The Plus is roughly equivalent to the 105 with Extras, Profiles, Shaping, Tunnels, Reporting and Bonding, with the following key differences:− There are more profiles, routes, tunnels, address mapping rules, and speed lanes. SNMP now provides details of all 5 ports distinctly...
  • Page 37: Ethernet Networking

    Ethernet Networking: This is a guide to basic networking, covering cables, hubs, switches, routers, IP, DNS, netmasks, firewalls and gateways. It is meant as a basic guide and does not cover every aspect in great detail − just enough to get you started when setting up a network for the first time −...
  • Page 38: Hubs And Switches

    Usually the switch/hub will automatically work out if the connection is 10Mb/s or 100Mb/s and usually has a light to tell you. The FireBrick 105 works out if a port is 10Mb/s or 100Mb/s automatically, although you can set it manually if necessary.
  • Page 39: Full-Duplex

    Most modern switches have auto crossover, so that you can connect directly to a PC or another switch or hub with either a straight or crossover cable. The FireBrick 105 has auto crossover, but it can be set manually if necessary.
  • Page 40: Mac Addressing

    Packets: The internet and ethernet work on packets. These are small chunks of data (up to 1.5K) that contain information about where they are to go, where they are from, and some data. All communication on a network or the internet is broken down in to small packets like this.
  • Page 41 If you are setting up a private network, and need some IP addresses, you should always use these ranges. If you just make up addresses (e.g. 100.100.100.x) then they could be allocated to a real place on the internet −...
  • Page 42 This means if you have a block of, say, 16 addresses, you can only use 14 of them anyway. Note that the FireBrick 105 treats the first (network)address like a normal address, but most other equipment does not.
  • Page 43 The FireBrick 105 can act as a DNS relay. This means you can use it as a DNS server, and it will send your requests on to the DNS server it has been configured to use.
  • Page 44: What Is A Session

    FireBrick tracks this from the initial SYN packets through to the final FIN packets. In the case of UDP, the FireBrick tracks corresponding replies back to the same port and IP from the same port and IP as the initial packet, and uses timeouts to end the session.
  • Page 45: Filtering Rules

    DHCP gateways. If routing is to an ethernet interface with no gateway or subnet then the FireBrick will ARP for the off−subnet address. It may use its stealth address as the source for the ARP and the base MAC address. This is not ideal, and a gateway or subnet should be specified.
  • Page 46 As such it is normal to have this subnet on the LAN and the WAN. The LAN first allowing use of the addresses for PCs, and the WAN so that the FireBrick has an address it can use when talking to the WAN.
  • Page 47 Probability based routing The typical usage is with two internet feeds, each with a small block of IPs so that the FireBrick has a real IP. The LAN then uses private IPs. The FireBrick NATs traffic to the internet.
  • Page 48: Tunnel Bonding

    Tunnel bonding The FireBrick can be used to establish tunnels to other FireBricks (tunnel feature). With the bonding feature as well, the tunnels can be linked in to a set allowing multiple tunnels to be used as one. Normally this would be configured so that each tunnel is sent via a different physical link.
  • Page 49: Special Settings

    8 different settings. Each of the settings in the FireBrick has a level defined. It is in the setup for each filter, mapping, route, etc. Each user has 8 check boxes, one for each level, defining the view settings. When logged in as a user, you can only view settings on the levels which you have ticked.
  • Page 50 You can even time control when this is visible. FireBrick 105 User security model...
  • Page 51: Using Curl

    FireBrick 105 Scripted access: The only configuration access to the FireBrick is via the web interface. However, there are a number of examples of cases where some automated access is required, e.g. configuring many FireBricks at once; uploading new software to many FireBricks; or automated saving of configs from many FireBricks.
  • Page 52 Target port first address; Source port last address; Target port last address; Port/protocol group number, or 0 for not applied; Interface, source (interface number, dot sub interface), see interfaces; Interface, target; Action, 1=Allow, 0=Drop, 2=Reject, 3=Bounce. FireBrick 105 Scripted access...
  • Page 53: Uploading Software

    To upload a config you need to make a POST containing the config file to upload with the file argument UPLOAD. e.g. curl -s -f -o /dev/null -F UPLOAD=@config.dat http://my.firebrick.co.uk/1/upload It is recommended you log in again after the upload.
  • Page 54 The supplier may assign the feature to the specific FireBrick and feature you have requested. This is usually the case when ordering a new FireBrick with specific features. If the supplier has access to the FireBrick, he may install the feature as well which means you do not have to do anything.
  • Page 55: Standard Features

    As such it is possible to have a FireBrick which does not have these standard features. Filtering: This is the core firewalling function of a FireBrick. It controls the filter icon, and the filtering table. Without this feature the FireBrick allows all traffic.
  • Page 56 FireBrick to be time based. Ping profiles are on if there are responses to a ping being sent by the FireBrick, and off if there is no response. The pings can be via specific routes and gateways, allowing the profile to be used to monitor an internet link or a server.
  • Page 57 5Port: The FireBrick normally operates with a WAN port and a LAN port (on the 4 port switch). In this mode the WAN and LAN can be reversed, putting the 4 port switch on the WAN. There are however only two interfaces for firewalling, WAN and LAN.
  • Page 58 ID, but allow one to be created. However, when making scripts to access the FireBrick you may find it helpful to use a session ID which you create. The IDs are any non zero unsigned 32 bit number.