<?xml version="1.0" ?>
<!DOCTYPE book PUBLIC  "-//KDE//DTD DocBook XML V4.1-Based Variant V1.0//EN" "dtd/kdex.dtd" [
  <!ENTITY kappname "Guarddog">
  <!ENTITY % addindex "IGNORE">
  <!ENTITY % English "INCLUDE">

  <!-- Do not define any other entities; instead, use the entities
       from kde-genent.entities and $LANG/user.entities. -->
]>
<!-- kdoctemplate v0.8 October 1 1999 
     Minor update to "Credits and Licenses" section on August 24, 2000
     Removed "Revision history" section on 22 January 2001   -->

<!-- ................................................................ -->
<!-- The language must NOT be changed here. -->

<book lang="&language;">

<!-- This header contains all of the meta-information for the document such
as Authors, publish date, the abstract, and Keywords -->

<bookinfo>
<title>The &kappname; Handbook</title>

<authorgroup>
<author>
<firstname>Simon</firstname>
<surname>Edwards</surname>
<affiliation>
<address><email>simon@simonzone.com</email></address>
</affiliation>
</author>
</authorgroup>

<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Simon Edwards</holder>
</copyright>
<!-- Translators: put here the copyright notice of the translation -->
<!-- Put here the FDL notice.  Read the explanation in fdl-notice.docbook 
     and in the FDL itself on how to use it. -->
<legalnotice>&FDLNotice;</legalnotice>

<date>26/8/2003</date>
<releaseinfo>2.2.0</releaseinfo>

<abstract>
<para>
&kappname; is a user-friendly firewall utility for KDE running on Linux. The
best way to get started is to read the short tutorials, starting with
the first one.
</para>
</abstract>

<keywordset>
<keyword>KDE</keyword>
<keyword>&kappname;</keyword>
<keyword>firewall</keyword>
<keyword>linux</keyword>
<keyword>ipchains</keyword>
<keyword>iptables</keyword>
</keywordset>

</bookinfo>

<chapter id="introduction">
<title>Introduction</title>

<para>
&kappname; is a user friendly firewall generation and management utility for KDE
running on Linux. It allows you to simply specify which network protocols should
be allowed between which groups of computers without requiring you to have
knowledge of port numbers or packets. &kappname; is built on top of Linux's
<command>ipchains</command> and <command>iptables</command> packet
filtering commands.
</para>

<sect1 id="introduction-what">
<title>What is a firewall and why do I need one?</title>

<para>
A firewall is a software and/or hardware tool for defending a computer or
network of computers from attacks via the network performed by malicious or
curious computer users. It protects by restricting what hostile
computers are permitted to do to the protected computers.
It does this by filtering and blocking the network communication between the
protected computers and the Internet at large.
</para>

<para>
With the arrival of fast, permanent, 24 hour/7 day, internet connections for
home users, your computer is now exposed to constant attacks from anywhere in
the world. You may ask yourself "why would anyone want to break into my
computer? I don't have anything important". Actually you do, even a home
computer stores usernames and passwords for connecting to the internet,
personal email, possibly financial information and perhaps even credit card
information. Even without these things, your computer can be used as a
stepping stone by malicious users (often called 'crackers') to attack other
computers. The worst part of this is that these further attacks will look
like they are coming from you!
</para>

<para>
For more introductory material about firewalls try the
<ulink url="http://www.howstuffworks.com/firewall.htm">firewall</ulink> article
over at <ulink url="http://www.howstuffworks.com/">How Stuff Works</ulink>.
</para>
</sect1>

<sect1 id="introduction-silverbullet">
<title>A Warning: No Silver Bullet Here</title>

<para>I will now try to explain the nature of computer security and how a
firewall fits into the picture. The majority of security holes are quite
simply caused by bad software. Security holes are not created by 'hackers'
or 'crackers'. They merely find and exploit already existing flaws in
software. Security holes are usually just bugs or flaws in software itself
that can be taken advantage of for malicious purposes.</para>

<para>What a firewall does is try to put up a barrier with the bad guys on
one side and your possibly vulnerable software and services on the other.
It tries to stop attackers from gaining any kind of access to servers
and software running on machines behind the firewall. With no access,
attackers shouldn't be able to leverage flaws in the software you are
running. Unfortunately this approach of protection by disconnection only goes
so far because the whole point of having a network is to allow computers
on the network to communicate with each other.  Simply put, for the network
to be useful you need to put 'holes' in the firewall to allow communication
or access between the protected computers and the outside world.  A firewall
offers no protection from accesses that occur via 'holes' in the firewall.
For example, if you are operating a web server that can be accessed from the
outside, then the firewall will do nothing to protect you from attacks
aimed at your webserver.</para>

<para>A firewall should be just a part of your approach to security, and not
the whole thing. Here is a quick list of effective tips to greatly increase
the system's security. This advice also applies to other computer systems:</para>

<itemizedlist>

<listitem><para>Number one. Make sure you get and install security fixes for
the software you are using on your computer systems.  The best way to stop
attackers from exploiting flaws in the software you use, is to remove the
flaws.  Go to the website for the Linux distribution you are using and go to
the security section or updates section regularly to see if security
updates, patches, or bug fixes are available. Most modern Linux distributions
these days also include tools for automatically checking for software updates.
Learn about and use these tools.
</para></listitem>

<listitem><para>Don't install software that you don't need or use. This is
especially true for network oriented software like servers and network
client software. Most Linux distributions install an incredible amount of
software by default. Most of it you won't need. Make sure you uninstall
any unneeded software after installing a new Linux system. Another strategy
is to choose a 'minimal' install at install time if your distribution
offers that choice, and then after the installation install any additional
software that you may need.
</para></listitem>

<listitem><para>The maker of the Linux distribution that you are using will
have a security announcement mailing list. Find it on their web site and join
it to hear about security fixes as soon as they become available.</para></listitem>

<listitem><para>If a piece of software you are using has a bad security
record and is still having security problems found in it, seriously consider
changing to a better, safer alternative.</para></listitem>
</itemizedlist>

<para>If you follow these tips, even without a firewall, your systems will be about
one hundred times more secure.</para>

</sect1>

<sect1 id="introduction-why">
<title>Why use &kappname;</title>
<itemizedlist>
<listitem><para>Easy to use goal oriented user interface. You say what the
firewall should do without having to explain all the details of how it should
do it.</para></listitem>

<listitem><para>
Application protocol based. Unlike other tools, &kappname; does not require
you to understand the ins and outs of IP packets and ports. &kappname; takes
care of this for you. This also reduces the chances of configuration
mistakes being made which are a prime source of security holes in computer
systems.
</para></listitem>

<listitem><para>
Doesn't just generate an initial firewall and forget it. &kappname; is used
to maintain and modify the firewall in place.
</para></listitem>

<listitem><para>
Can be used in workstation and router configurations.
</para></listitem>

<listitem><para>
Allows you to divide your network into groups of machines and control
what network protocols are allowed between them.
</para></listitem>

<listitem><para>
Works on the older Linux kernel 2.2 series <command>ipchains</command>
firewall subsystem, and also on the newer Linux kernel 2.4 netfilter/
<command>iptables</command> firewall subsystem.
</para></listitem>

<listitem><para>
Takes advantage of advanced Linux kernel 2.4 features such as connection
tracking and rate limited logging.
</para></listitem>

<listitem><para>
Licensed under the terms of the GPL. Is Free and will remain Free.
</para></listitem>

</itemizedlist>
</sect1>
</chapter>

<chapter id="using-guarddog">
<title>Using &kappname;</title>
<para>
</para>

<sect1 id="tutorial-basic">
<title>Tutorial: Basic Configuration</title>
<para>
In this tutorial I will explain some basic networking concepts and how to
quickly setup &kappname; to protect a single workstation.
</para>
<sect2>
<title>Starting &kappname;</title>
<para>
First start up &kappname;. For recent Mandrake and Redhat systems there
should be a &kappname; menu entry on the K menu under Configuration/Networking.
You will then immediately be asked for the password for the 'root' user. 
This is required because &kappname; needs administrator access in order to
modify the computer's networking sub-system.
</para>
<para>
Once &kappname; has opened its window you will see that the user interface
is divided across four tabs. For this tutorial we will ignore the
<guilabel>Zone</guilabel>, <guilabel>Logging</guilabel> and
<guilabel>Advanced</guilabel> tabs and concentrate on the
<guilabel>Protocol</guilabel> tab.
</para>
</sect2>

<sect2>
<title>Basic Networking Concepts</title>
<para>
(Skip this section if you understand network protocols and the
"Client Server Model".)
</para>

<para>
Now I must explain what a protocol is. Computer networks are all about
computers talking to other computers. And just like when talking to another
person in the real world, it helps if you both agree to speak the same
language, be it English, Dutch or Sign Language. The same thing applies
to computers on networks. They need to agree on what language they are going
to speak when talking to another computer. These 'languages' are known as network
protocols. An important difference between human languages and network
protocols is that protocols are usually only intended for one particular task,
like moving files (for example, FTP, the File Transfer Protocol), fetching web
pages (for example, HTTP, the HyperText Transfer Protocol) or chatting
with other computer users (for example, IRC, Internet Relay Chat).
</para>

<para>
Attacks against computer systems across a network are performed by using
and abusing protocols and the software that implements them. All too often
the software implementing a protocol contains flaws that can be
exploited by malicious people to gain access to a system, or to disrupt it.
</para>

<para>
One more important concept to understand about network protocols is the
"Client Server Model". All network protocols involve at least two different
parties communicating. Although each party is using the same protocol,
quite often they will have different roles to play in that protocol. The most
common model is where one party acts as a "client" while the other acts as a
"server" who responds to requests from the "client". A very close analogy
in the real world would be buying fries down at the local fast food
restaurant. You and the person behind the counter would both be using English
as the communication protocol, but in this situation you both have different
roles. You would have the role of "client" while the person serving you would
be acting as the "server", basically doing what the "client" requests. HTTP,
the protocol used on the World Wide Web, uses the "Client Server Model".
Your web browser acts as the client while the big web server at Slashdot or
CNN acts as the server, delivering pages back to your browser when it asks for
them.
</para>
</sect2>

<sect2>
<title>Permitting DNS</title>
<para>
(Skip the next paragraph if you know what DNS is.)
</para>
<para>
The <guilabel>Protocol</guilabel> tab is where you specify which protocols
may be used between your computer and the internet. The "Domain Name System"
protocol, commonly known as DNS, is a very important protocol. All machines
on the internet have what is known as an IP address, which is just a number.
You may have seen some before. They are often written as a "dotted quad" like
"195.231.34.5" for example. An IP address is sort of like a telephone number,
except that it's for identifying computers on the internet and not
telephones. One problem with using IP addresses to identify machines is that
it's not very human friendly. This is why "Domain Names" were invented. A
"Domain Name" is just a human friendly name for a machine. Some examples of
domain names are www.simonzone.com, www.cnn.com and dot.kde.org. But to use
the internet your computer needs IP addresses, and not "domain names".
This is where DNS comes in. It bridges the gap between "Domain Names" and IP
addresses. It is a system for turning human friendly names like www.simonzone.com
into computer friendly IP addresses. Machines on the internet known as DNS
Servers do nothing except answer queries from other machines wanting to know
what IP address matches which domain name. Much like how a telephone directory
matches people's names and address to telephone numbers. By using a DNS server
your computer knows what you are talking about when you ask for
www.slashdot.org. Without DNS your web browser won't know where to find
www.cnn.com, and an ICQ chat client won't be able to find the chat network at
icq.com either. Without DNS most other protocols don't work.
</para>

<para>
Let's go through the steps involved in permitting our computer to use the DNS
protocol to communicate with DNS servers on the internet.
</para>

<itemizedlist>
<listitem><para>
Go to the <guilabel>Protocol</guilabel> tab.
</para></listitem>
<listitem><para>
First make sure that <guilabel>Internet</guilabel> is selected in the 
<guilabel>Defined Network Zones:</guilabel> list. (It's at the top left
corner in the window.) The list should have two entries,
<guilabel>Internet</guilabel> and <guilabel>Local</guilabel>.
</para></listitem>
<listitem><para>
Open the <guilabel>Network</guilabel> part of the list view control in the
center of the window.
It should expand to show more options and check boxes with entries like
<guilabel>ICMP Redirect</guilabel> and <guilabel>DNS - Domain Name Server
</guilabel> for example.
</para></listitem>
<listitem><para>
To the right of the protocol list is a black box in the
<guilabel>Local</guilabel> column. The box is a check box. Click on it until it shows
a check mark (tick). The box has three states, unchecked, checked and crossed.
Just repetitively click on it to cycle through the states.
</para></listitem>
</itemizedlist>

<para>
Done. That is all you need to do to grant your machine permission to access
DNS servers on the Internet. Your screen should look like the picture below.
</para>
<para>
<screenshot>
<screeninfo>Reading the protocol tab</screeninfo>
	<mediaobject>
	  <imageobject>
	    <imagedata fileref="guarddog2_protocol.png" format="PNG"/>
	  </imageobject>
	  <textobject>
	    <phrase>Reading the protocol tab</phrase>
	  </textobject>
	</mediaobject>
</screenshot>
</para>
<para>
This illustration also summarises how to read all of the information presented
on the <guilabel>Protocol</guilabel> tab. There is a lot of information
packed into this one tab, but it is vital that you understand what it means
so that you can avoid misconfiguration.
</para>
</sect2>

<sect2>
<title>Protocol Organisation</title>

<para>
Once we have DNS permitted we can move on to permitting other common protocols
that we might want to use.
</para>

<para>
&kappname; supports many different network protocols. They are organised into
categories to make it easier to find what you want. The different categories are:
</para>

<itemizedlist>
<listitem><para>
<guilabel>Chat</guilabel> - Protocols used by chat programs like IRC and ICQ.
</para></listitem>
<listitem><para>
<guilabel>Data Serve</guilabel> - Protocols used by databases and other data sources like time
servers for example.
</para></listitem>
<listitem><para>
<guilabel>File Transfer</guilabel> - Protocols used to transfer files. HTTP
for the Web and FTP are very good examples.
</para></listitem>
<listitem><para>
<guilabel>Game</guilabel> - Protocols used by games for online multiplayer gaming.
</para></listitem>
<listitem><para>
<guilabel>Interactive Session</guilabel> - Protocols used for working on or
performing actions on a remote system. SSH Secure Shell, telnet and also RPC
protocols are here.
</para></listitem>
<listitem><para>
<guilabel>Mail</guilabel> - Protocols associated with delivering and moving
email. SMTP and POP3 are under here.
</para></listitem>
<listitem><para>
<guilabel>Media</guilabel> - Protocols used for delivering multimedia
across the internet.
</para></listitem>
<listitem><para>
<guilabel>Miscellaneous</guilabel> - Other protocols that really didn't fit
under the other categories.
</para></listitem>
<listitem><para>
<guilabel>Network</guilabel> - Protocols related to the operation of the
network itself.
</para></listitem>
<listitem><para>
<guilabel>User Defined</guilabel> - Protocols defined by the user on the
<guilabel>Advanced</guilabel> tab appear here.
</para></listitem>
</itemizedlist>

<para>
Naturally there is some overlap, and some protocols could easily be
placed under a different category than the one they are currently in.
</para>

<tip><para>
Click on the name of a protocol to quickly get information about it. A
description of the protocol will appear in the area in the lower left corner
 of the window.
</para></tip>

</sect2>

<sect2>
<title>Permitting Common Protocols</title>

<para>
Here is a quick list of the most common protocols that you will probably
want to permit.
</para>

<itemizedlist>
<listitem><para>
HTTP - Used on the World Wide Web to move web pages around. If you want to
browse the web you will need this. It's in the <guilabel>File Transfer</guilabel>
category.
</para></listitem>
<listitem><para>
FTP - File Transfer Protocol. Used for uploading and downloading files. Also
commonly used on the web too. If you have seen something like "ftp://" in the
location bar on your web browser, then you have used FTP. FTP is in the
<guilabel>File Transfer</guilabel> category.
</para></listitem>
<listitem><para>
SMTP - Simple Mail Transport Protocol. Used for sending email around the
internet. It's in the <guilabel>Mail</guilabel> category.
</para></listitem>
<listitem><para>
POP3 - Post Office Protocol version 3. Commonly used for picking up and
downloading email from a mailbox located at an ISP. It's in the
<guilabel>Mail</guilabel> category.
</para></listitem>
</itemizedlist>

<warning><para>
Resist any temptation to permit all protocols. The more protocols you permit
the weaker your firewall will be. The idea is to only permit the protocols
you really need, and no more. Don't permit something just in case you might
need it in the future. If you need to permit another protocol in the future
then you can just come back to &kappname; and turn it on.
</para></warning>
</sect2>

<sect2>
<title>Applying your new Firewall</title>
<para>
Changes made in &kappname; don't take effect immediately. To activate your
changes you need to press the <guibutton>Apply</guibutton> button or the
<guibutton>OK</guibutton> button. The <guibutton>OK</guibutton> button will
also quit &kappname; once the firewall is in place. &kappname; will then
set up the networking subsystem on your machine with your new firewall
rules. Once you click on the <guibutton>OK</guibutton> or
<guibutton>Apply</guibutton> button a warning message
appears to warn you that changing the system's firewall may disrupt existing
network connections. Generally it is not a good idea to be doing anything
important on your network, like an FTP download for example, when you
<guibutton>Apply</guibutton> the firewall. After you click on the warning's
<guibutton>OK</guibutton> button another popup window will appear, showing
the firewall setup progress. If any errors occurred while setting up the
firewall, they will be shown in the popup. Click on the
<guibutton>OK</guibutton> button to exit the popup window.
</para>

<para>
Done! Your new firewall should now be in place and working. From now on
whenever your system starts it will automatically be set up to use your
firewall. &kappname; does not have to be constantly running to protect
your computer. As your firewalling needs evolve you can just run &kappname;
again and modify the configuration.
</para>

<tip><para>
To see if your firewall is doing its job you can put it to a bit of a test.
Go over to <ulink url="http://grc.com/">Gibson Research Corporation</ulink> and
head towards the "Shields Up!" area and ask it to "Test My Shields!" or "Probe
My Ports!". It will then scan your machine and give you a report on what it
found. Hopefully it should give you a very positive report.
</para>
</tip>
</sect2>
</sect1>

<sect1 id="tutorial-zones">
<title>Tutorial: Using Zones</title>
<para>
In this tutorial we will build on what we have learnt in the first tutorial
and introduce the concept of <guilabel>Zones</guilabel>.
<guilabel>Zones</guilabel> allow you to precisely control which protocols
are permitted between different groups of computers.
</para>

<sect2>
<title>Introducing Zones</title>
<para>
In &kappname; a zone is just a bunch of IP addresses.
You may recall that IP addresses are like telephone numbers for machines
on the internet.  A zone more or less specifies a group of computers.
Once a zone has been created we can use the <guilabel>Protocol</guilabel>
tab to specify which protocols computers in the zone may use.
</para>

<para>
For example, if we know that the people at evil.com are evil and can not be
trusted, then we can restrict their access to our computer by using zones.
First we create a zone called "Bad Guys" and place evil.com in it. Next we
go to the <guilabel>Protocol</guilabel> tab and make sure that no
protocols are selected between the "Bad Guys" zone and the "Local" zone. (The
<guilabel>Local</guilabel> zone represents the local machine.) This
way we can limit, or even completely block, evil.com's access to our computer.
</para>

<para>
<screenshot>
<screeninfo>Placing the Bad Guys in a zone and firewalling them out</screeninfo>
	<mediaobject>
	  <imageobject>
	    <imagedata fileref="guarddog2_zonedia.png" format="PNG"/>
	  </imageobject>
	  <textobject>
	    <phrase>Placing the Bad Guys in a zone and firewalling them out.</phrase>
	  </textobject>
	</mediaobject>
</screenshot>
</para>

</sect2>

<sect2>
<title>Editing Zones</title>
<para>
Zones are specified and edited on the <guilabel>Zone</guilabel> tab.
To the left of the <guilabel>Zone</guilabel> tab is the list of
defined zones.
&kappname; has two builtin zones that you can't change. They are
<guilabel>Local</guilabel> and <guilabel>Internet</guilabel>.
<guilabel>Local</guilabel> is a zone simply containing the local machine;
the machine that &kappname; is running on. <guilabel>Internet</guilabel>
corresponds to any IP address that's not in another zone. Put simply, if an
IP address is not in another zone it is assumed to be in the
<guilabel>Internet</guilabel> zone.
</para>
<para>
The information about the currently selected zone is displayed to the right
of the zone list. Each zone has a name which is used on the
<guilabel>Protocol</guilabel> tab and therefore should be kept fairly short.
A more descriptive comment can also be given to a zone.
</para>
<para>
The list of IP addresses in a zone is shown in the
<guilabel>Zone Addresses</guilabel> list.
</para>

<para>
Zones that the currently selected zone may communicate with are listed in the
<guilabel>Connection</guilabel> list located on the right side of the window.
</para>

<para>
<screenshot>
<screeninfo>The Zone tab.</screeninfo>
	<mediaobject>
	  <imageobject>
	    <imagedata fileref="guarddog2_zones.png" format="PNG"/>
	  </imageobject>
	  <textobject>
	    <phrase>The Zone tab.</phrase>
	  </textobject>
	</mediaobject>
</screenshot>
</para>

<warning><para>
An IP address should only be in one zone at a time.
</para></warning>
</sect2>

<sect2>
<title>Creating a Demilitarised Zone</title>
<para>
Let's put zones to work.
</para>
<para>
A good use of zones is to harden our firewall by setting up a "Demilitarised
Zone" (DMZ). In network security a DMZ is a group of computers
located between the internet and an organisation's internal computer
network. Computers in the DMZ are exposed to the internet and usually
perform tasks like serving web pages to the public or handling email.
Since these machines are exposed to the internet and constant attack from
outside, their access to the internal network is restricted. The idea is that
if an attacker gains control of a machine in the DMZ, they won't
automatically gain higher access to the organisation's internal computer
network.
</para>

<para>
Even if you are not managing an internal network or a group of web or email
servers, you probably do make use of a group of computers that could
be considered to be in a DMZ. For this tutorial we will set up a DMZ
containing the mail server you use for sending and receiving email.
</para>

<para>
Go to the <guilabel>Zone</guilabel> tab and click on the <guibutton>New Zone</guibutton>
button to create a new zone. The new zone will appear in the zone list
and will be called <guilabel>new zone</guilabel>. Go up to the
<guilabel>Name</guilabel> text box and change <guilabel>new zone</guilabel> to
say "DMZ". The name should be fairly short, but you may put a longer, more
descriptive comment in the <guilabel>Comment</guilabel> text box.
</para>

<para>
On the right side of the window is the <guilabel>Connection</guilabel> list.
It is just a group of check boxes that let you specify which other zones the
currently selected zone is connected to. Put a tick in <guilabel>Local</guilabel>
check box to indicate that the <guilabel>DMZ</guilabel> zone is connected to the
<guilabel>Local</guilabel> zone.  The combination of <guilabel>DMZ</guilabel> and
<guilabel>Local</guilabel> zone will only be available on the
<guilabel>Protocol</guilabel> tab when this check box is ticked. &kappname;
will block all communication between zones that are not connected to each
other.
</para>

<para>
Now move over to the <guilabel>Protocol</guilabel> tab and make sure that
<guilabel>Protocols Served from Zone:</guilabel> is set to
<guilabel>DMZ</guilabel>. In the protocol list below there is a
column called <guilabel>Local</guilabel>. Open up the
<guilabel>Mail</guilabel> group of protocols and tick
<guilabel>POP2</guilabel>, <guilabel>POP3</guilabel>, and
<guilabel>SMTP</guilabel>. POP3 is used to fetch mail from a
mail box on a mail server, while SMTP is used for sending outgoing mail. By
turning these on for <guilabel>Local</guilabel> we are saying that we want
the local machine to be allowed to use these mail protocols with the machines
in the <guilabel>DMZ</guilabel> zone.
</para>

<para>
If the machines in your DMZ are also web servers you may also want to turn on
HTTP, FTP and some other common protocols.
</para>

<para>
Once you have finished configuring &kappname;, apply your changes with the
<guibutton>Apply</guibutton> button and test your email program to see if you
can still send and receive email.
</para>

</sect2>

</sect1>

<sect1 id="tutorial-router">
<title>Tutorial: Router Configuration</title>
<para>
So far we have only used &kappname; to protect a single workstation (i.e. the
computer &kappname; is running on), but as many people know a computer
running Linux can also act as a fantastic router for connecting multiple
networks. In this tutorial we will go through how &kappname; can be used on
a gateway machine to protect a LAN from the internet.
</para>

<important><para>&kappname; only supports router configurations on machines
running Linux kernel series 2.4 with <command>iptables</command>.
</para></important>

<sect2>
<title>Anatomy of a typical LAN connected to the Internet</title>

<para>
<screenshot>
<screeninfo>A typical router or gateway configuration with &kappname; running on the router machine.</screeninfo>
	<mediaobject>
	  <imageobject>
	    <imagedata fileref="guarddog2_routerdia.png" format="PNG"/>
	  </imageobject>
	  <textobject>
	    <phrase>A typical router configuration with &kappname; running on the router machine.</phrase>
	  </textobject>
	</mediaobject>
</screenshot>
</para>

<para>
The diagram above shows the network configuration of a typical LAN connected
to the Internet via a Linux based system acting as a router.
The LAN that we wish to protect is on the left side of the diagram. The
internet is shown on the right side. All communication between the LAN
and internet passes through the gateway machine which is marked by the dog.
&kappname; runs on the gateway machine. The most important aspect of this
setup from a security point of view is that all of the network traffic
between the LAN and the internet passes through one machine: the gateway.
This provides us with an obvious "choke point" that we can place the
firewall on to filter the network traffic.
</para>

<para>
The diagram also shows the zones that we will setup in &kappname;.
</para>
</sect2>

<sect2>
<title>"Repeat after me: &kappname; is a firewall"</title>
<para>
There seems to be a bit of confusion surrounding the function of a firewall
versus the task of packet routing. Firewalls act as network traffic
<emphasis>filters</emphasis>. Filtering and blocking unwanted and dangerous
network traffic. They are security devices. Features such as routing and
IP masquerade are not primarily security devices. They are advanced networking
features.
</para>

<note>
<para>
This misconception arose because in the past on Linux, before kernel series 2.4,
the networking sub-system was such that it wasn't possible to separate
advanced routing functionality from normal firewall functionality. This led
to firewall programs that also included direct support for advanced routing
features such as IP masquerade and port forwarding for example.
</para>
</note>

<para>
&kappname; is a firewall and is not used for configuring networking
features such as IP masquerade and routing. These networking features must
be configured using a different program.
</para>

<tip>
<para>
<ulink url="http://www.simonzone.com/software/guidedog/">Guidedog</ulink>
is a user friendly utility for configuring advanced networking features
and is designed to work along side &kappname;.
</para>
</tip>
</sect2>

<sect2>
<title>Configure Routing and Network Settings</title>

<para>
Before we continue, you should go and configure the routing setup for your machine
and confirm that it is routing/masquerading network traffic as expected.
To make the task of debugging your gateway configuration easier, you can
disable &kappname; by checking the <guilabel>Disable firewall</guilabel>
checkbox on the <guilabel>Advanced</guilabel> tab and then applying the
changes. This will allow you to test your routing setup separately without
&kappname; blocking any test traffic.
</para>

<warning>
<para>
I strongly recommend that you do not test your network setup while connected
to a hostile network like the Internet. Attach a machine to the network
card that you plan to connect to the internet and give it an IP address so
that it can act as a pretend Internet.
</para>
</warning>

</sect2>

<sect2>
<title>Teaching &kappname; to Allow Traffic to/from your LAN</title>
<para>
If you configured and tested your routing and network settings with
&kappname; disabled, enable firewalling in &kappname; again and apply.
If all is going well then you will find that your LAN is once
again totally cut off from the internet. &kappname; has a fail-safe, "what is
not explicitly permitted, is denied" design. What this means in this
situation is that since &kappname; hasn't been told to allow traffic from your
LAN out to the internet, or vice versa, it will assume that the traffic should
be blocked. This is intended to make it easy to get a secure configuration
(even if it is too secure) and difficult to have an insecure configuration.
</para>

<para>
The way we specify to &kappname; that computers on the LAN are allowed to
access computers on the Internet is by using zones. We simply create a zone
to hold the addresses of all of the computers on our LAN and then specify that
this zone is connected to the Internet, and probably to the
<guilabel>Local</guilabel> zone also, and then go to the
<guilabel>Protocols</guilabel> tab and tick whatever
protocols should be allowed between the LAN and the Internet.
</para>

</sect2>

<sect2>
<title>Step by Step</title>
<para>
Go to the <guilabel>Zone</guilabel> tab and create a new zone and call
it "LAN". In the <guilabel>Zone Addresses</guilabel> list enter the IP
addresses of the computers on your LAN.
The address list understands several notations for addresses and can also
accept whole network blocks. If you are running an IP masqueraded network
using the 192.168.1.0/255.255.255.0 private address space, you can enter
the whole block into a single address line using 192.168.1.0/255.255.255.0
format or the shorter 192.168.1.0/24 format.
</para>

<para>
Next, go to the <guilabel>Connection</guilabel> list and tick
<guilabel>Internet</guilabel> and <guilabel>Local</guilabel> to specify that
your LAN zone should be connected to the <guilabel>Internet</guilabel> and
<guilabel>Local</guilabel> zones.
</para>

<para>
Now, go to the <guilabel>Protocol</guilabel> tab and make sure that
<guilabel>Protocols Served from Zone:</guilabel> is set to
<guilabel>Internet</guilabel>.  In the list of protocols below you should see
a column of check boxes for the <guilabel>Local</guilabel> zone and another column
for the <guilabel>LAN</guilabel> zone.
Just like when we were turning on protocols for the local zone in the first
tutorial, we can do the same for the LAN zone. Tick the list of protocols that
machines in the LAN zone should be able to use with the Internet.
</para>

<para>
When you are ready, apply the changes and see if your machines on your LAN
can access the internet. That's all there is to it.
</para>
</sect2>
</sect1>

<sect1 id="specific-protocols">
<title>Important Notes</title>
<para>
Here are some important notes concerning the use of some protocols. 
</para>

<sect2>
<title>Windows Networking (NETBIOS)</title>
<para>
If your computer is connected to a LAN that you want to use NETBIOS on, there
is a little extra you need to do to get things working smoothly. Basically,
create a zone for your LAN, which you probably have done anyway, and make
sure that the broadcast address of the LAN is also in the list of zone
addresses.
</para>

<para>
If you don't know what the broadcast address for your LAN is, the simplest way
is to go to a shell and run the command <userinput>/sbin/ifconfig</userinput>.
You will see something similar to this:
<screen>
eth0      Link encap:Ethernet  HWaddr 00:50:FC:2A:AB:7A
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:10 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:992 errors:0 dropped:0 overruns:0 frame:0
          TX packets:992 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:76568 (74.7 Kb)  TX bytes:76568 (74.7 Kb)
</screen>
This is a list of the network interfaces that your computer has. Your list
will probably be different of course. The names of the network interfaces are
listed on the left side. You need to go to the one that corresponds to your LAN.
It will typically be called <computeroutput>ethX</computeroutput>. It's also
possible that you will have multiple <computeroutput>ethX</computeroutput>
entries, especially if you also have cable internet access or ADSL. Once you
have found the entry look for <computeroutput>Bcast:</computeroutput>.
This is the broadcast address for the network connected to that network
interface. Put this broadcast address in your LAN zone's list of IP addresses.
</para>

</sect2>

<sect2>
<title>Nmap and Nessus Scanning</title>
<para>
It is not possible to do effective scanning with nmap or nessus through, or
from, a machine running &kappname;.  The reason is that firewalls are
designed to block the kind of unusual and "hostile looking" network traffic
that these kinds of programs produce. A firewall can't distinguish between
friendly scan traffic produced by you, and unwanted scan traffic produced by
intruders, so it blocks both types.
</para>
</sect2>

<sect2>
<title>Telstra BigPond Cable</title>
<para>
People in Australia using Telstra's BigPond cable for internet access
need to make sure that Telstra's <computeroutput>dce-server</computeroutput>
machine is permitted to serve <guilabel>BigPond Cable Login</guilabel> to
your local machine. This is needed for logging on to BigPond and also to
allow the 'heartbeat' that BigPond uses to check that your machine is still
online.
</para>

<para>
One thing you could do is create a special zone for the important BigPond
servers that also serve mail etc., and then make sure that
<computeroutput>dce-server</computeroutput> is entered in there, and then
permit the <guilabel>BigPond Cable Login</guilabel> protocol and whatever mail
and web protocols you want, to be served from there.
</para>
</sect2>

<sect2>
<title>X Window System</title>
<para>
In the X Window System the notion of client and server is a bit backwards. The
server is considered to be the machine running the X server program,
displaying the screen and accepting user input, while the client is
considered to be the remote program whose user interface is being displayed
on the X server.
</para>

<para>
What this means is that you need to make sure that X is permitted to be served
from the zone containing the machine showing the X display (the X server), to
the zone containing the machines that actually run your programs (the
clients).
</para>

</sect2>

<sect2>
<title>DHCP (Dynamic Host Configuration Protocol)</title>
<para>
Go to <xref linkend='dhcp' /> for information about using DHCP with &kappname;.
</para>
</sect2>

<sect2>
<title>Squid, Web proxies and ICP</title>
<para>
If you are using a web cache/proxy like Squid and also want to peer and
interact with other web caches, you may have to enable ICP (Internet
Cache Protocol), under the Network section of the <guilabel>Protocol</guilabel>
tab. Just enabling the Squid protocol will not enable ICP.
</para>
</sect2>

</sect1>

</chapter>
<!--
***************************************************************************
* Program Reference *******************************************************
***************************************************************************
-->
<chapter id="commands">
<title>Program Reference</title>

<sect1 id="guarddog-zonetab">
<title>The Zone Tab</title>
<para>
&kappname; is built around the concept of zones containing IP
addresses, and then managing which network protocols are permitted
between the different zones. This tab is where zones and their contents
are managed.
</para>

<para>
The list of currently defined zones is on the left side of the tab under
<guilabel>Defined Network Zones:</guilabel>. The properties of the currently
selected zone are shown in the <guilabel>Zone Properties</guilabel> area.
The <guibutton>New Zone</guibutton> and <guibutton>Delete Zone</guibutton>
buttons in the bottom left corner of the tab create new zones or delete the
currently selected zone.
</para>

<para>
There are two zones which are built-in and can not be modified or
deleted. They are called the <guilabel>Internet</guilabel> and
<guilabel>Local</guilabel> zones. The <guilabel>Local</guilabel> zone
automatically contains the IP addresses of the network interfaces for the
machine that the firewall runs on. Note that the list of addresses in this
zone is not actually shown in the window. The <guilabel>Internet</guilabel> zone
automatically contains the IP addresses of anything that is not in another
zone. It acts as the default zone holding addresses that are not in
any other zone.
</para>

<para>
Each zone has a name that can be edited in the <guilabel>Name:</guilabel>
text edit box. It is recommended that this be kept relatively brief. A longer
comment can be entered for each zone in the <guilabel>Comment:</guilabel>
text edit box.
</para>

<sect2>
<title>Addresses</title>
<para>
Each zone consists of a number of IP addresses. The <guilabel>Zone Addresses</guilabel>
list holds the list of IP addresses for the currently selected zone. 
Addresses can be added to the list by using the <guibutton>New Address</guibutton>
button. The currently selected address can be deleted using the <guibutton>Delete Address</guibutton>
button. The text field next to <guilabel>Address:</guilabel> allows you
to edit the currently selected address.
</para>

<para>
Addresses and ranges of addresses can be specified in several ways:
</para>

<itemizedlist>
<listitem>
  <para>Numeric IP address (dotted quad). Whole networks can be specified by
  using a mask. Masks can be network masks (e.g. 255.255.255.0) or a plain number
  (e.g. 24). Some examples are: 123.34.56.78, 192.168.1.1/24 and
  192.168.1.1/255.255.255.0 (the last two mean all the addresses
  from 192.168.1.1 to 192.168.1.255)</para>
</listitem>
<listitem>
  <para>Domain name. Only Fully Qualified Domain Names (FQDN) are allowed,
  something like .simonzone.com will not work. A complete name is required,
  like www.simonzone.com, for example.</para>
</listitem>
</itemizedlist>
</sect2>

<sect2>
<title>Connection</title>
<para>The <guilabel>Connection</guilabel> list allows you to specify which
other zones the currently selected zone is connected to.  When a zone is
connected to another zone, that particular combination will appear on the
<guilabel>Protocol</guilabel> tab. If a combination is not selected here
then it won't appear on the <guilabel>Protocol</guilabel> tab, and no
communication will be permitted between the two zones.
</para>
</sect2>


</sect1>

<sect1 id="guarddog-protocoltab">
<title>The Protocol Tab</title>
<para>
The <guilabel>Protocol</guilabel> tab is used to specify which protocols are
permitted between which combinations of zones.
</para>

<para>
To the left of the tab is the <guilabel>Defined Network Zones:</guilabel>
list holding every zone currently defined. The <guilabel>Zone Properties</guilabel>
area shows which protocols or services the currently selected zone is
permitted to serve and to whom. We will refer to the currently selected zone
as the serving zone.
</para>

<para>
The expandable list of protocols is organised into ten categories:
</para>

<itemizedlist>
<listitem><para>
Chat - Protocols used by chat programs like IRC and ICQ.
</para></listitem>
<listitem><para>
Data Serve - Protocols used by databases and other data sources like time
servers.
</para></listitem>
<listitem><para>
File Transfer - Protocols used to transfer files, like HTTP for the Web and FTP.
</para></listitem>
<listitem><para>
Game - Protocols used by games for online multiplayer gaming.
</para></listitem>
<listitem><para>
Interactive Session - Protocols used for working on or performing actions on
remote systems. SSH Secure Shell, telnet and RPC protocols are here.
</para></listitem>
<listitem><para>
Mail - Protocols associated with delivering and moving email. SMTP and POP3
are here.
</para></listitem>
<listitem><para>
Media - Protocols used for delivering multimedia across the internet in real
time.
</para></listitem>
<listitem><para>
Miscellaneous - Other protocols that really didn't fit under the other
categories.
</para></listitem>
<listitem><para>
Network - Protocols related to the direct operation of the network itself.
</para></listitem>
<listitem><para>
User Defined - Protocols defined by the user on the "Advanced" tab show up
here.
</para></listitem>
</itemizedlist>

<para>
To the right of each protocol entry in the list is one or more columns
of check boxes. Each zone that the serving zone is connected to has a
column of check boxes. The name of the zone is at the top of the column.
The zones/columns which appear here are determined by the <guilabel>Connection</guilabel>
list on the <guilabel>Zone</guilabel> tab for the currently selected zone.
</para>

<para>
The check boxes have the following meanings:
</para>

<itemizedlist>
<listitem><para>Clear - The protocol is not permitted. Clients in this zone
may not start a connection to the serving zone using this protocol. For
example, if "Web Servers" is the currently selected serving zone, and the
HTTP (Web) protocol box is clear for the "Bad Guys" zone, then machines in
the "Bad Guys" zone will not be allowed to access a web server running on a
machine in the "Web Servers" zone. Any attempt will be completely ignored.
Any incoming packets will be dropped.
</para></listitem>

<listitem><para>Checked/Ticked - The protocol is permitted. Clients in this
zone may start a connection to the serving zone using this protocol. For
example, if "Web Servers" is the currently selected serving zone, and the
HTTP (Web) protocol box is ticked for the "Bad Guys" zone, then machines in
the "Bad Guys" zone will be allowed to access a web server running on a
machine in the "Web Servers" zone.</para></listitem>

<listitem><para>Crossed - The protocol is not permitted and packets will be
rejected instead of just dropped. When a packet is rejected an ICMP packet
is sent back to the source to inform it that the packet was rejected by the
firewall. For example, if "Web Servers" is the currently selected serving
zone, and the HTTP (Web) protocol box is crossed for the "Bad Guys" zone, then
machines in the "Bad Guys" zone will not be allowed to access a web server
running on a machine in the "Web Servers" zone. But unlike when the check box
is clear, any connection attempts will be rejected instead of 
ignored.</para></listitem>
</itemizedlist>

<para>This information is summarised at the bottom of the tab in a concise
key or legend showing each of the different check box states and meanings.
</para>

<tip>
<para>
Rejecting a protocol is considered a more "friendly" way of blocking its use,
because the sender is immediately informed about what has happened. When a
packet is quietly blocked by the firewall, the sender will not know and will
have to wait and "time out" before realising that communication has failed.
</para>

<para>
Generally there is little reason to reject protocols instead of just having
them dropped.  If someone is trying to use a protocol that you didn't allow,
then for safety's sake we should assume that they are hostile and therefore
should not be helped. In this situation, dropping packets is better because
it uses less network capacity and has the effect of making most port scanning
software that an intruder may be using, run very slowly.
</para>

<para>
The only situation that you are likely to run into where rejecting a protocol
is desirable, is with the "ident" protocol (located under the Network category).
</para>

</tip>
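<para>
The following Python model is an added illustration and is not Guarddog's
own code. It expresses the rules this chapter describes (the address notations
accepted on the Zone tab, the Internet zone as catch-all, the Connection list,
and the clear/ticked/crossed check box states) as a small policy evaluator,
using the "LAN" gateway from the Step by Step tutorial and the broadcast
address mentioned under Windows Networking as its sample configuration; the IP
addresses, protocol names and the name-resolution stub are constructed for the
example.
</para>

```python
"""Model of the zone and protocol rules this chapter describes (added
illustration, not Guarddog's own code). Zone addresses may be a dotted quad,
a block with a netmask or prefix length, or a fully qualified domain name;
"Local" holds the firewall's own interface addresses; "Internet" is the
catch-all for everything else; zones only exchange traffic when connected;
each (serving zone, client zone, protocol) box is clear (drop), ticked
(accept) or crossed (reject). Addresses and the resolver stub are constructed."""
import ipaddress
import socket

CLEAR, TICKED, CROSSED = "clear", "ticked", "crossed"
VERDICT = {CLEAR: "DROP", TICKED: "ACCEPT", CROSSED: "REJECT"}


def parse_zone_address(text, resolver=socket.gethostbyname):
    """One 'Zone Addresses' line as an ip_network: 123.34.56.78,
    192.168.1.1/24, 192.168.1.1/255.255.255.0 or www.simonzone.com.
    A bare suffix such as .simonzone.com is rejected, as the Addresses
    section says. strict=False lets 192.168.1.1/24 mean the whole block."""
    text = text.strip()
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        pass
    if text.startswith(".") or "." not in text:
        raise ValueError("only fully qualified domain names are allowed: %r" % text)
    return ipaddress.ip_network(resolver(text))   # a name gives one host (/32)


def broadcast_address(text):
    """The value ifconfig shows after Bcast: for a block; the Windows
    Networking section asks for it to be listed in the LAN zone."""
    return str(parse_zone_address(text).broadcast_address)


class Firewall:
    """Zones, their Connection lists and the Protocol tab check boxes."""

    def __init__(self, local_addresses):
        # Local comes first so the firewall's own addresses win over a LAN
        # block that contains them; Internet lists nothing and is the default.
        self.zones = {"Local": [ipaddress.ip_network(a) for a in local_addresses],
                      "Internet": []}
        self.connections = set()   # frozenset({zone_a, zone_b})
        self.policy = {}           # (serving, client, protocol): box state

    def add_zone(self, name, addresses, resolver=socket.gethostbyname):
        self.zones[name] = [parse_zone_address(a, resolver) for a in addresses]

    def connect(self, zone_a, zone_b):
        self.connections.add(frozenset((zone_a, zone_b)))

    def set_protocol(self, serving_zone, client_zone, protocol, state):
        self.policy[(serving_zone, client_zone, protocol)] = state

    def zone_of(self, address):
        ip = ipaddress.ip_address(address)
        for name, networks in self.zones.items():
            if any(ip in net for net in networks):
                return name
        return "Internet"

    def verdict(self, client_ip, server_ip, protocol):
        """Fate of a connection attempt from client_ip to server_ip."""
        client_zone = self.zone_of(client_ip)
        serving_zone = self.zone_of(server_ip)
        # Unconnected zones never appear on the Protocol tab: nothing permitted
        if frozenset((client_zone, serving_zone)) not in self.connections:
            return "DROP"
        # What is not explicitly permitted is denied: a missing box is clear
        return VERDICT[self.policy.get((serving_zone, client_zone, protocol), CLEAR)]


def tutorial_firewall():
    """The LAN gateway from the Step by Step section, in this model."""
    # The gateway's own LAN-side and Internet-side addresses (constructed)
    fw = Firewall(local_addresses=["192.168.1.1", "203.0.113.10"])
    fw.add_zone("LAN", ["192.168.1.0/255.255.255.0",
                        broadcast_address("192.168.1.0/24")])
    fw.connect("LAN", "Internet")
    fw.connect("LAN", "Local")
    # Protocols Served from Zone: Internet, ticked in the LAN column
    fw.set_protocol("Internet", "LAN", "HTTP", TICKED)
    fw.set_protocol("Internet", "LAN", "SMTP", TICKED)
    # Served from Local to the LAN: ident crossed, so it is rejected, not dropped
    fw.set_protocol("Local", "LAN", "ident", CROSSED)
    return fw


if __name__ == "__main__":
    fw = tutorial_firewall()
    for client, server, proto in [("192.168.1.20", "198.51.100.5", "HTTP"),
                                  ("198.51.100.5", "192.168.1.20", "HTTP"),
                                  ("192.168.1.20", "192.168.1.1", "ident")]:
        print(client, server, proto, fw.verdict(client, server, proto))
```

Note that the same HTTP box permits LAN clients to reach the Internet but not the reverse: the tick sits in the LAN column of the zone serving the protocol, so direction matters.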

<sect2>
<title>Protocol Information</title>
<para>
Information about a protocol is displayed on the bottom left side of the tab.
You can get information about any of the protocols in the list by clicking on
its title.
</para>

<para>
The following information about each protocol is available:
</para>

<itemizedlist>
<listitem><para>Name - The name of the protocol. Its full name and also any
acronym it may be known by.</para></listitem>

<listitem><para>Description - A short description of what the protocol is
used for.</para></listitem>

<listitem><para>Security Risk - An estimate of the security risk that use of
the protocol carries. The risk is rated as low, medium, high or unknown.
</para></listitem>

<listitem><para>Network Usage - This is a description of how the protocol
uses the network. It describes which connections, IP protocols and port
ranges, etc., the protocol uses to operate. This field is only shown if the
<guilabel>Show Advanced Protocol Help</guilabel> checkbox on the
<guilabel>Advanced</guilabel> tab is checked.
</para></listitem>

</itemizedlist>

</sect2>

</sect1>

<sect1 id="guarddog-loggingtab">
<title>The Logging Tab</title>
<para>The <guilabel>Logging</guilabel> tab holds many options for controlling
what events are logged and how they are logged.</para>

<para>The <guilabel>Log blocked packets</guilabel> checkbox controls whether
packets that are blocked by &kappname; are logged in the system log. A packet
that is not part of a permitted protocol is blocked by default. When this
checkbox is ticked, blocked packets are logged.</para>

<para>The <guilabel>Log rejected packets</guilabel> checkbox controls whether
packets that are rejected by &kappname; are logged in the system log. 
Protocols are marked to be rejected on the <guilabel>Protocol</guilabel>
tab by putting a cross in their checkbox.  When this checkbox is
ticked, any rejected packets are logged.</para>

<para>The <guilabel>Log aborted TCP connections (half open scans)</guilabel>
check box controls whether TCP connections that are forcefully terminated using
a RST packet are logged.  A port scanning technique known as "half-open"
scanning uses RST packets to quickly abort a half-open TCP connection in
order to avoid detection.  This can be done using <command>nmap</command>'s
<option>-sS</option> option.  By
turning this option on you can detect and log when this happens. Unfortunately
many web servers like to quickly terminate connections by using a RST packet.
This can produce quite a lot of unwanted noise in your system logs. Therefore
you may want to turn this option off. Also, this option only has effect when
the firewall is used on a Linux kernel 2.4 machine in combination with 
<command>iptables</command>.</para>

<tip>
<para>Packet log messages are received by <command>syslog</command>. Consult
the <command>syslog</command> manual page for more information.</para>
</tip>

<sect2>
<title>Rate Limiting</title>
<para>This group of options allows you to specify how &kappname; should limit
the rate at which messages are placed in the system log. Rate limited logging
is intended to stop someone from performing a Denial of Service attack against
your machine by flooding it with packets and trying to fill your system log
files and disk space.</para>

<para>The <guilabel>Rate limit logging</guilabel> checkbox controls whether
packet logging should be rate limited or not. It is recommended that this be
left on.</para>

<para>The <guilabel>Rate</guilabel> widget allows you to specify the maximum
average rate that packet log entries may be added to the system log. The rate
may be specified in terms of the number of entries per second, minute, hour or
day.</para>

<para>The rate set in the <guilabel>Rate</guilabel> widget is an
<emphasis>average</emphasis> maximum. Packets to be logged often
come in bursts of many packets in very quick succession. The
<guilabel>Burst</guilabel> widget allows you to specify how many packets
in a burst may be logged. Once the burst limit has been reached, the
average logging rate is enforced.</para>

<tip><para>For more information on exactly how this works, consult the
<command>iptables</command> documentation and the Linux kernel source
<filename>/net/ipv4/netfilter/ipt_limit.c</filename> file.
</para></tip>

<para>The <guilabel>Warn when limiting</guilabel> check box controls whether
&kappname; should put warning messages in the system log when it has been
forced to apply rate limiting to the packet log messages. When rate limiting
is applied to packet log messages, only a limited number of messages appear
in the log, while the rest are omitted.  When you come to view the system log,
it is useful to know if packet log messages have been omitted due to rate limiting.
</para>

<para>The <guilabel>Warning rate</guilabel> widget allows you to specify how
often warning messages should be placed in the system log when rate limiting
is being used.
</para>

<tip><para>The warning messages in the system log have the word
<literal>LIMITED</literal> at the start of the line.</para></tip>
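<para>
The following Python simulation is an added illustration, not Guarddog or
Linux kernel code. It models the netfilter <command>limit</command> match
that the Rate, Burst, Warn when limiting and Warning rate options drive as a
token bucket: the bucket starts full at the burst size, refills at the average
rate, and a blocked packet is logged only when a token is available. Treating
the LIMITED warning as a second, slower bucket with a burst of one that only
sees packets the first bucket refused is an assumption about how the warning
rule is wired, and the arrival times are constructed.
</para>

```python
"""Simulation of the packet log rate limiting on the Logging tab (added
illustration, not Guarddog or kernel code). A TokenBucket stands in for the
netfilter 'limit' match described in ipt_limit.c; the LIMITED warning bucket
with a burst of one is an assumption, and SAMPLE_ARRIVALS is constructed."""

SECONDS_PER = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


class TokenBucket:
    """Average rate with a burst allowance, in the style of ipt_limit."""

    def __init__(self, rate, per, burst):
        self.refill = rate / SECONDS_PER[per]   # tokens added per second
        self.capacity = float(burst)
        self.tokens = float(burst)              # a fresh rule starts with a full burst
        self.last = None

    def take(self, now):
        """Consume one token at time 'now' (seconds); False when none is left."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_packet_log(arrivals, rate_limit=True, rate=5, per="minute", burst=5,
                        warn=True, warning_rate=1, warning_per="minute"):
    """Log lines produced for blocked packets arriving at the given times.

    Returns a list of (kind, time): 'LOG' for a logged packet, 'LIMITED' for
    a rate-limiting warning; packets omitted by the limiter produce nothing.
    """
    logger = TokenBucket(rate, per, burst)
    warner = TokenBucket(warning_rate, warning_per, 1)
    lines = []
    for t in arrivals:
        if not rate_limit or logger.take(t):
            lines.append(("LOG", t))
        elif warn and warner.take(t):
            lines.append(("LIMITED", t))
    return lines


# Constructed sample: eight blocked packets one second apart, then five more
# after the bucket has had two minutes to refill at 5 per minute.
SAMPLE_ARRIVALS = [0, 1, 2, 3, 4, 5, 6, 7, 120, 121, 122, 123, 124]


def summarise(lines):
    """Count of each line kind, e.g. {'LOG': 10, 'LIMITED': 1}."""
    counts = {}
    for kind, _ in lines:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    log_lines = simulate_packet_log(SAMPLE_ARRIVALS)
    for kind, t in log_lines:
        print("t=%3d  %s" % (t, kind))
    print(summarise(log_lines))
```

With the defaults, the first five packets of the burst are logged, the sixth produces a single LIMITED warning, the seventh and eighth are silently omitted, and the five packets arriving two minutes later are all logged because the bucket has refilled.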

</sect2>

<sect2>
<title>Logging Options</title>

<para>The <guilabel>Log IP Options</guilabel> checkbox controls whether the
options field in the IP header of a packet should be included in a packet log
message.</para>

<para>The <guilabel>Log TCP Options</guilabel> checkbox controls whether the
options field in the TCP header of a packet should be included in a packet
log message.</para>

<para>The <guilabel>Log TCP sequence numbers</guilabel> checkbox controls
whether the TCP sequence number for a packet should be included in a packet
log message.</para>

<para>The <guilabel>Logging Priority</guilabel> selector specifies the logging
priority used when sending log messages to the system log. See the
documentation for <filename>syslog.conf</filename> for more information.
</para>

</sect2>
</sect1>

<sect1 id="guarddog-advancedtab">
<title>The Advanced Tab</title>
<para>The <guilabel>Advanced</guilabel> tab holds many miscellaneous advanced
options. Here you can also set up your own simple protocols for opening a
small hole through your firewall to support an <emphasis>ad hoc</emphasis>
protocol. For example, accessing a remote administration web interface that
is served from a non-standard port number.</para>

<para>When the <guilabel>Show advanced protocol help</guilabel> check box is
ticked, extra information is given in the help text for protocols on the
<guilabel>Protocol</guilabel> tab.  The extra information includes what
kinds of network connections the protocol uses.</para>

<para>The <guilabel>Allow TCP timestamps</guilabel> check box lets you turn
TCP timestamps on or off. Leaving TCP timestamps turned on makes it possible
for outsiders to calculate how long your machine has been running since it
was last booted. <command>nmap</command> <option>-O</option> can do this.
Generally, unless you are on a high speed network connection, chances
are you have no good reason to have TCP timestamps turned on.</para>

<para>The <guilabel>Restore to factory defaults</guilabel> button clears the
firewall configuration and resets it back to how it was the first time
&kappname; was run.</para>

<sect2>
<title>Local Dynamic Port Range</title>
<para>The two input fields next to <guilabel>Local Dynamic Port Range</guilabel>
allow you to specify the range of port numbers used by the operating system
for the source port of new out-going connections. When a connection is made to
a port on an external machine, the source port of the connection is usually
not specified by the application. It is left up to the operating system to choose
a suitable free source port number. The local dynamic port range is just a range
of port numbers that the operating system will use when looking for an
available source port.</para>

<para>Generally, there is little reason to change this. It might only become
important on machines that need to have an unusually high number of
connections active at the same time.</para>
</sect2>

<sect2 id='dhcp'>
<title>DHCP (Dynamic Host Configuration Protocol)</title>

<para>If you are using DHCP to configure a network interface, then you will
need to specify the name of the interface(s) in the <guilabel>Enable DHCP on
interfaces:</guilabel> widget.</para>
 
<para>If you are running a DHCP server on a network interface, then you will
need to specify the name of the interface(s) in the <guilabel>Enable DHCP server
on interfaces:</guilabel> widget.</para>
 
<para>When entering multiple interface names, separate them using a comma ",".</para>

</sect2>

<sect2>
<title>Import/Export</title>
<para><guilabel>Import</guilabel> and <guilabel>Export</guilabel> allow you
to save the current configuration to a file, and read it back into &kappname;
again. When you click on either of these buttons, a file dialog appears and
you can choose the file to import from, or export to.</para>

<para>The <guilabel>Description</guilabel> text box allows you to enter a short
note about the current firewall configuration.</para>

<tip><para><guilabel>Export</guilabel> doesn't just export the current
firewall configuration, it actually outputs an entire firewall script.
The firewall script can then be moved onto another machine and manually
installed and run.</para></tip>

</sect2>

<sect2>
<title>User Defined Protocols</title>

<para>In addition to all the protocols that &kappname; supports, it is also
possible to specify your own custom protocols.</para>

<para>In the middle of the <guilabel>User Defined Protocols</guilabel>
group is the current list of user defined protocols. Use the <guilabel>New
Protocol</guilabel> button to create a new blank protocol. The <guilabel>Delete
Protocol</guilabel> button naturally deletes the currently selected user
defined protocol.</para>

<para>After creating a new protocol you can give it a name using the
<guilabel>Name</guilabel> text field. The <guilabel>Type</guilabel> widget lets
you specify what IP protocol your user defined protocol uses. You have the
choice between TCP and UDP.  In the <guilabel>Port</guilabel> widget you
specify the TCP or UDP port on the server or remote machine that the
protocol must connect to.  For UDP protocols use the
<guilabel>bidirectional</guilabel> check box to specify if the protocol is
bidirectional and requires packets to travel in both directions. Once a
user defined protocol has been specified here, it becomes available on the
<guilabel>Protocol</guilabel> tab under the <guilabel>User Defined</guilabel>
category. There it can be turned on or off just like any other
built-in protocol.</para>

<tip><para>This feature is intended for simple protocols where a server is
just serving from a single TCP or UDP port. If you feel that you need to
specify a more complex protocol, consider contacting the author so that
direct support for it can be added in a future &kappname; release.</para></tip>

</sect2>
</sect1>

</chapter>


<chapter id="faq">
<title>Questions and Answers</title>

&reporting.bugs;
&updating.documentation;

<qandaset id="faqlist">
<qandaentry>
<question>
<para>Does &kappname; need to be running for it to protect my computer?</para>
</question>
<answer>
<para>&kappname; provides a user friendly way of configuring your computer's
built-in firewalling capabilities. The rules it generates are applied by the
kernel's own packet filter, so &kappname; itself doesn't need to be running
continuously to protect your computer.</para>
</answer>
</qandaentry>

<qandaentry>
<question>
<para>How can I see which ports a given protocol uses, or which ports it
opens up?</para>
</question>
<answer>
<para>Go to the <guilabel>Advanced</guilabel> tab and tick the
<guilabel>Show advanced protocol help</guilabel> checkbox. Now when you
go back to the <guilabel>Protocol</guilabel> tab and click on the name of a
protocol in the middle of the window, the help area on the left side of the
tab will show information about the protocol, including which TCP/UDP ports
it uses.</para>
</answer>
</qandaentry>

<qandaentry>
<question>
<para>Why are my FTP/Mail/IRC connections slow?</para>
</question>
<answer>
<para>
Many mail and IRC servers, when connected to, use the "ident" protocol to try
to find out the owner of the incoming connection, and don't respond to the
incoming connection until they have tried "ident". This shows up, for
example, as a delay when connecting to a mail server: the connection to the
mail server is established, but there is a noticeable pause before any mail
is retrieved. This is because the server tries to make an "ident" connection
back to your machine, and if your firewall silently drops that attempt the
server has to wait for it to time out before realising that it won't work.
The solution is to make sure that "ident" is being rejected, rather than
dropped, for connections coming from the zone containing the mail server:
a rejected connection is refused immediately, so the server gives up on
"ident" at once and continues with your session.
</para>
</answer>
</qandaentry>
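<para>The following probe, added here as an example and not part of &kappname; itself, reproduces what the remote mail or IRC server experiences when it connects back to port 113: an immediate refusal (the effect of a REJECT rule) versus a silent timeout (the effect of DROP). The self-check uses a constructed local listener and a closed local port; the host name and the five-second timeout are assumptions.</para>

```python
"""Classify how a host answers ident (TCP 113) connection attempts.
The FAQ delay comes from a firewall that silently DROPs the ident probe;
a REJECT rule (e.g. iptables ... --dport 113 -j REJECT --reject-with tcp-reset)
makes the probe fail immediately instead."""
import socket
import time

IDENT_PORT = 113  # the auth/ident service a mail or IRC server connects back to


def probe_ident(host, port=IDENT_PORT, timeout=5.0):
    """Return (verdict, seconds_elapsed).

    verdict is 'open' (an ident daemon answered), 'rejected' (RST or ICMP
    port-unreachable came back at once), 'dropped' (nothing came back before
    the timeout, the case that stalls mail/IRC logins) or 'unreachable'."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "rejected"       # what a REJECT rule produces: no delay
    except socket.timeout:
        verdict = "dropped"        # what a DROP rule produces: full timeout
    except OSError:
        verdict = "unreachable"    # e.g. no route to host
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def self_check():
    """Constructed offline demo: a listener on 127.0.0.1 yields 'open'; the
    same port after the listener is closed yields 'rejected' immediately."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_verdict, _ = probe_ident("127.0.0.1", port, timeout=2.0)
    listener.close()                  # nothing listens now: connect gets RST
    closed_verdict, elapsed = probe_ident("127.0.0.1", port, timeout=2.0)
    return open_verdict, closed_verdict, elapsed


if __name__ == "__main__":
    print(self_check())   # e.g. ('open', 'rejected', 0.0003)
```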

</qandaset>
</chapter>

<chapter id="credits">

<title>Credits and License</title>

<para>
&kappname;
</para>
<para>
Program copyright 2000-2003 Simon Edwards <email>simon@simonzone.com</email>
</para>

<para>
Documentation copyright 2000-2003 Simon Edwards <email>simon@simonzone.com</email>
</para>

&underFDL;               <!-- FDL: do not remove -->

<!-- Determine which license your application is licensed under, 
     and delete all the remaining licenses below:

     (NOTE:  All documentation are licensed under the FDL, 
     regardless of what license the application uses) -->

&underGPL;        	 <!-- GPL License -->

<para>
Thanks go to the following people:
</para>

<itemizedlist>
<listitem><para>J F Gratton (Help with a little bit of network code.)</para></listitem>
<listitem><para>Joerg Buchland (Help with sorting out what /dev interface ISDN uses.)</para></listitem>
<listitem><para>Ludovic Lange (Bug fixes, DHCP help.)</para></listitem>
<listitem><para>Jason L. Buberel (Feedback, protocol info.)</para></listitem>
<listitem><para>Carsten Pfeiffer (Feedback, help with KDE3)</para></listitem>
<listitem><para>Gunner Poulsen (Danish translation)</para></listitem>
<listitem><para>Adam Kreuschner (SuSE RPMs)</para></listitem>
<listitem><para>Matthew Schick (Redhat RPMs)</para></listitem>
<listitem><para>Daniele Medri (Italian translation)</para></listitem>
<listitem><para>Stephan Johach (German translation)</para></listitem>
<listitem><para>Anyone else who has provided help or bug reports or support.</para></listitem>
</itemizedlist>

</chapter>

<appendix id="installation">
<title>Installation</title>

<sect1 id="getting-guarddog">
<title>How to obtain Guarddog</title>

<para>
&kappname; can be found at
<ulink url="http://www.simonzone.com/software/guarddog/">http://www.simonzone.com/software/guarddog/</ulink>.</para>
</sect1>
</appendix>

&documentation.index;
</book>
<!--
Local Variables:
mode: sgml
sgml-minimize-attributes: nil
sgml-general-insert-case: lower
End:
-->