SBC:TierConf

From TIER

1 Manual

1.1 Getting Started

Network: The default configuration is:

  • eth0: 10.0.1.10/24
  • eth1: 10.0.99.1/24
  • wlan0: 10.0.10.10/24 in Master mode

Tierconf: The login is 'admin' and the password is also 'admin'. Logging in will take you to the main page, which displays the system's hostname, OS type and uptime information.

First Operations: Before configuring the router, the TierConf configuration must first be synchronized with the system files. To do this, go to the "Read/Save Configurations" page (under Advanced Tools) and execute the "read" operation for System Config.

1.2 Main Page

When you first access the TierConf webGUI you will see the System Information screen. Along the left-hand side of all screens is a menu that lets you navigate to the other screens. The items under the Interfaces menu heading may differ on your system, depending on the type and number of network interfaces you have.

1.3 System

1.3.1 System Setup

The System Setup screen allows you to control some general parameters.

  • Hostname : The unqualified hostname of your firewall. (e.g. myfirewall)
  • Domain : The domain name to qualify your firewall hostname. (e.g. mydomain.com)
  • DNS Servers : The IP address of one or more DNS servers for use by the firewall. (e.g. 10.0.0.123)
  • Web Username : The username to use when connecting to the m0n0wall webGUI. (default: admin)
  • Web Password : The password to use when connecting to the m0n0wall webGUI. The current password is not displayed; this field is used only to change the password. You should change this when you first install m0n0wall.
  • Time zone : The time zone of your firewall. This affects the value of times printed to the system logs.
  • Time update interval : How often your firewall should contact the NTP server to update its time.
  • NTP time server : The name of the NTP (Network Time Protocol) server for your firewall to use.

1.3.2 Upgrade Firmware

Firmware upgrades are not yet supported under the current version of the TierConf WebGUI.

1.3.3 Reboot

The system can be rebooted from the web interface, and a confirmation page will allow the opportunity to abort the reboot. Rebooting the system takes a few minutes; the WebGUI will not be available during this process.

1.4 Network Configuration

1.4.1 Interfaces

The main Interfaces page lists the system's physical interfaces. For each interface, the following columns are shown:

  • Available: The interface is physically present on the system; this also requires that the appropriate driver modules are loaded.
  • Configured: The interface has a configuration in the OS network interfaces file.
  • Wireless: Whether or not the interface is wireless.
  • Currently up: The interface is currently UP.
  • Control: Start, stop, or restart the interface. This can be done at any time, but be careful not to disable the interface to which you're connected.

Clicking on a particular interface name (e.g. eth0) will bring up the detailed configuration page for that interface.

1.4.1.1 General configuration

Auto

The interface is started automatically at boot or network service start time. If the wireless interface is a PCMCIA card, this should probably be set to 'No', because the PCMCIA service starts the interface on its own.

Wireless

This field displays whether or not the interface is wireless. It cannot be changed.

Type

Connection type that should be used:

  • Static: A static IP address will be assigned to the interface.
  • DHCP: A dynamic address is assigned to the firewall WAN by a DHCP server on the WAN side.

1.4.1.2 Static IP configuration

Only available when a static connection type is selected. When DHCP is chosen, this information will be configured automatically.

IP address: The static IP for the interface should be set here.

Subnet: The Subnet mask that should be used for the interface.

Gateway: The default gateway for the firewall.

1.4.1.3 Wireless options

Protocol: Choose which wireless protocol to use (802.11a, b or g), or select Auto to determine it automatically. Note: automatic configuration will also select the channel and bitrate automatically.

Wireless Mode: Select whether the interface should operate as a client (Managed mode), as an access point (Master mode) or in ad-hoc mode.

SSID: Choose a wireless network name. This field is required.

Channel: Select the channel the interface should operate on. If this field is left blank, the channel will be determined automatically.

Bitrate: Select the bitrate at which the interface should operate. If this field is left blank, the bitrate will be determined automatically.

Distance:

Antenna:

MAC ACKs:

Transmit Power:

1.5 Routing Configuration

We use the zebra routing daemon to perform both static and dynamic routing.

1.5.1 Static Routes

The Static Routes sub-section allows static routes to be set up so that networks that use a gateway different from the default can be reached. By pressing the + icon, TierConf allows new static routes to be added.

The parameters to set up a new route are the following:

Destination Network: Select the network that needs to be reached, written in Classless Inter-Domain Routing (CIDR) notation. (See RFC 1517, RFC 1518, RFC 1519 and RFC 1520 for more details.)

Gateway: The IP address of the gateway that the firewall must use in order to reach the destination network.

Description: Enter an optional description for the new route.
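As an added example (not TierConf's own code), the following Python check applies the Static Routes rules above before a route is written: the destination must be a valid CIDR prefix with no host bits, and the gateway must be a host address on one of the router's connected subnets. The connected subnets are a constructed sample taken from the default addresses in "Getting Started"; the function name is hypothetical.

```python
import ipaddress

# Constructed sample (assumption): the default interface addresses from the
# "Getting Started" section, used to decide whether a gateway is on-link.
CONNECTED = {
    "eth0": ipaddress.ip_interface("10.0.1.10/24"),
    "eth1": ipaddress.ip_interface("10.0.99.1/24"),
    "wlan0": ipaddress.ip_interface("10.0.10.10/24"),
}


def validate_static_route(destination, gateway, connected=CONNECTED):
    """Check one Static Routes entry before it is handed to the routing daemon.
    Returns (ok, message). Accepted only when the destination is a CIDR prefix
    with no host bits, is not itself a directly connected subnet, and the
    gateway is a foreign host address on one of the connected subnets."""
    try:
        net = ipaddress.ip_network(destination, strict=True)
    except ValueError as exc:
        return False, f"bad destination {destination!r}: {exc}"
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return False, f"bad gateway {gateway!r}: {exc}"
    if gw.version != net.version:
        return False, "gateway and destination use different address families"

    for name, iface in connected.items():
        if iface.network.version == net.version and net.subnet_of(iface.network):
            return False, f"{net} is directly connected on {name}; no route needed"

    for name, iface in connected.items():
        if gw not in iface.network:
            continue  # gateway is not reachable on this link
        if gw == iface.ip:
            return False, f"gateway {gw} is this router's own address on {name}"
        if gw in (iface.network.network_address, iface.network.broadcast_address):
            return False, f"gateway {gw} is not a host address on {name}"
        return True, f"{net} via {gw} on {name}"
    return False, f"gateway {gw} is not on any connected subnet"


if __name__ == "__main__":
    for dest, gw in (("10.0.2.0/24", "10.0.1.1"),     # accepted
                     ("10.0.2.5/24", "10.0.1.1"),     # host bits set
                     ("10.0.2.0/24", "192.168.1.1")):  # gateway not on-link
        print(dest, gw, "->", validate_static_route(dest, gw))
```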


1.5.2 Dynamic routing

1.5.2.1 General Configuration

All of the following checkboxes should be enabled:

  • Enabled
  • Redistribute static routes
  • Redistribute connected routes


1.5.2.2 Enable Interfaces

Select the interfaces on which routing has to be enabled.


1.5.2.3 Distribution Lists

Each list is an access control list. For each list:

Interfaces: For each interface, you can select:

  • Advertise: whether to send out routing updates on this interface
  • Receive: whether to receive routing updates on this interface

Access lists: Create the list of IP addresses/subnets that the distribution list should be applied to.

1.6 Services

1.6.1 DHCP

The DHCP server can be enabled for each interface.

The router's IP address will be pushed to all DHCP clients (using the DHCP ROUTER option).

NOTE: If you want the router to push additional DHCP options (such as a list of name servers), you will have to configure these by hand in /etc/dhcpd.conf (where they will be clobbered whenever DHCP parameters are set in the GUI).

Enable the DHCP server

Click on the appropriate tab for the interface and check this box.

Subnet/Mask

The subnet for which the DHCP server responds.

Range

In the first box, enter the starting address of your DHCP range. In the second box, enter the ending address of the range. Note that you don't want to make this the same as the whole subnet, as that includes the subnet address and broadcast address, which are unusable, as well as the address of your m0n0wall interface, which also cannot be in the range.

Default and Maximum Lease Time

The default lease time is the length of the DHCP lease on any clients that do not request a specific expiration time on their DHCP lease. The default is 7200 seconds, or two hours. For the vast majority of network environments, this is too low. I would generally recommend setting this to a week, which is 604,800 seconds.

The maximum lease time must be more than the default lease time. Most networks will not use this value at all. In most instances, I set this to one second longer than the default lease time.
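As an added example (not TierConf's own code), this Python check enforces the Range and lease-time rules from the two sections above and renders the resulting scope. It assumes the page's 7200 s default lease when no value is given, and that the /etc/dhcpd.conf named in the NOTE uses ISC dhcpd syntax; both function names are hypothetical.

```python
import ipaddress


def validate_dhcp_scope(subnet, router_ip, range_start, range_end,
                        default_lease=7200, max_lease=None):
    """Validate one interface's DHCP tab (Subnet/Mask, Range, lease times).
    Returns a list of problems; empty means the scope is acceptable. If no
    maximum lease is given, one second more than the default is assumed."""
    problems = []
    net = ipaddress.ip_network(subnet, strict=True)
    router = ipaddress.ip_address(router_ip)
    start, end = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    if max_lease is None:
        max_lease = default_lease + 1
    if router not in net:
        problems.append(f"router address {router} is outside {net}")
    if start > end:
        problems.append(f"range start {start} is after range end {end}")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside {net}")
    # The subnet and broadcast addresses are unusable, and the router's own
    # interface address must never be leased to a client.
    for addr, why in ((net.network_address, "subnet address"),
                      (net.broadcast_address, "broadcast address"),
                      (router, "router interface address")):
        if start <= addr <= end:
            problems.append(f"range includes the {why} {addr}")
    if max_lease <= default_lease:
        problems.append(f"maximum lease {max_lease}s must exceed default {default_lease}s")
    return problems


def dhcpd_subnet_stanza(subnet, router_ip, range_start, range_end,
                        default_lease=604800, max_lease=604801):
    """Render the dhcpd.conf stanza for a valid scope (assumes ISC dhcpd syntax
    for the /etc/dhcpd.conf the page mentions); raises ValueError otherwise."""
    problems = validate_dhcp_scope(subnet, router_ip, range_start, range_end,
                                   default_lease, max_lease)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(subnet, strict=True)
    return (f"subnet {net.network_address} netmask {net.netmask} {{\n"
            f"  range {range_start} {range_end};\n"
            f"  option routers {router_ip};\n"  # the DHCP ROUTER option
            f"  default-lease-time {default_lease};\n"
            f"  max-lease-time {max_lease};\n"
            "}\n")
```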

Static DHCP Mappings

NOT DONE

Static DHCP mappings can be used to assign the same IP address every time to a particular host. This can be helpful if you define access rules on the firewall or on other hosts on your LAN based on IP address, but still want to use DHCP. Alternatively, you can keep the IP address box blank to assign an IP out of the available range, when you are using the "Deny unknown clients" option.

1.7 Firewall/NAT

Currently only NAT is supported.

Enable NAT

1.7.1 Interface List

Masquerade: Can be enabled for each interface.

WAN: Only one of the interfaces can be selected as the WAN outgoing interface that will forward traffic for the others.


2 Advanced

2.1 Tierconf Config

Write Protect: Not supported

2.1.1 Changing config file

The default XML configuration file is config.xml. The user can create a new config file or change the current configuration.

Select config: Select the config name to change the current configuration XML file. The new configuration will be read; to apply the changes (writing to system files and restarting services), go to the "Restart Services" page.

Create new config: The new configuration will be copied from the current active configuration. To use it, select it above.

2.2 Read/Save Configuration

This page converts between the configuration in the current XML file and the OS configuration files, and can also restart individual services. Usually, clicking "Save" on the configuration pages writes to the OS files as well. Currently, the supported operations are:

  • Network configuration: read, write, restart
  • Routing: write, restart
  • DHCP: write, restart
  • Firewall: write, restart

2.3 System Shell Prompt

This currently provides a root shell. Commands cannot take interactive input. Also, don't run commands that run for more than 10 seconds. Use "Reset" to kill the current command and start a new one.

2.4 APT configuration

This supports changing/adding Debian APT repositories.

2.4.1 Update Package Lists

2.4.2 Upgrade Packages

Not supported

3 Design

4 Other Issues

4.1 Installed

4.2 Authentication


4.3 Web Based shells

  • Anyterm: Using JavaScript, XmlHTTP and an Apache module
    • complete text-based terminal
    • no need for any Java etc. on the server side
  • PHP Interactive: Shell to execute PHP commands.
  • PHP Shell: PHP-based bash shell.
    • one command at a time; the command has to return within 30 seconds
    • cannot take input
    • has user authentication
  • CGI Shell: CGI-based shell
    • uses a PHP/CGI script just to start a server remotely
    • then uses a client to run commands etc. on the remote host

4.4 TCP Over HTTP

  • HTTunnel: creates a tunnel from the local machine to the remote one
    • requires a server-side Apache2 module
    • the client creates a listening socket; connect to this
  • Others: Corkscrew, etc.


4.5 References

Downloads