Apprehend Intruders and Direct Traffic with IPCop - Page 2

 By Carla Schroder
Page 2 of 2   |  Back to Page 1
Print Article

Continued From Page 1

Opening Access To Public Servers
If you're running a public Web, mail, FTP, or other server, it won't do much good if it's locked away behind a firewall. One option is to put your public servers outside your firewall. The usual way to protect these is to strictly control what is installed on the machine, run daemons in chroot jails, and configure iptables firewalls. But putting your public servers behind an IPCop firewall has a number of advantages: traffic is allowed only to specified ports, plus they get the benefit of IPCop's intrusion detection, proxying, traffic shaping, and other useful features. And by using port forwarding, you may give your servers non-routable private IPs. This gives you the flexibility to move, add, and remove servers with a minimum of hassle.

Go to the Firewall -> Port Forwarding page. All you need to know is the IP of the server and the listening port. /etc/services lists all the standard assigned ports. An HTTP server, by default, listens on TCP 80. SMTP servers use TCP 25, POP3 uses TCP 110, and so forth. Most servers also let you configure a non-standard port, which some folks think is a useful security measure, but if you do the clients connecting to your server must manually specify the port, like http://domain.net:8080. And it really doesn't add much security.

Note that if you are running public servers it is best to give your IPCop gateway a static, routable IP. Sometimes you'll have to pay a few extra dollars to your ISP to get this. But if your IPCop box does not have a static routable IP, you'll have to pull some fancy DNS footwork to enable access to your servers. Using a service like dyndns.org lets you use a consumer-level DHCP account to run public servers. IPCop even provides a configuration page for dyndns.org and other similar services at Services -> Dynamic DNS. Don't do this for high-volume important servers get a proper business account.

Traffic Shaping
IPCop makes simple traffic shaping easy, at the Services -> Traffic Shaping page. You may configure only a global upload/download limit, rather than customized limits for each protocol. But it's still useful because it assigns priorities for latency, which often matters more than download or upload speeds. Enter your actual maximum upload and download speeds, then click "Save." Give interactive traffic like SSH or VNC a high priority this ensures the lowest latency, which means less keystroke and mouse lag. Streaming audio, video, and VoIP (define) should also get high priority, unless these are things you want to discourage. Ordinary Web surfing and email do fine with medium priority.

Backing Up And Restoring IPCop
You need a floppy diskette to do a complete restoration from scratch, so make sure your IPCop box has a floppy drive. Stick the diskette in your IPCop box and format it:

# fdformat /dev/fd0

Then scurry to your remote administration workstation and go to System -> Backup. Under "Backup Configuration- Floppy Disk" click "Backup to Floppy."

Next you'll create backups of your IPCop data. Under "Backup Configuration" click "Create." This creates two files, and both will have an "Export" button. Click "Export" to save these files to the location of your choice.

Restoring data is as easy as selecting the backup of your choice in the "Backup Sets" windows, and clicking "Restore." Or use the file browser dialogue to select a different backup file.

I know I promised howto do VPN and wireless access, but these need an entire article all by themselves, so stay tuned. Be sure to visit IPCop's documentation page for more help.

This article was originally published on Apr 12, 2005
Get the Latest Scoop with Networking Update Newsletter