Appendix B. More in-depth examples

Table of Contents
Example 1a. Ingate Firewall with two interfaces, no NAT
Example 1b. Ingate Firewall with two interfaces, using NAT
Example 2. Ingate Firewall with four interfaces and DMZ
Example 3. VPN between two Ingate Firewalls
Example 4. VPN connection with road warrior
Example 5. SIP Configuration

Example 1a. Ingate Firewall with two interfaces, no NAT

A sample company (Example Company) is used in this example. The company has a small local network with a server and some workstations at one location. This network connects to the Internet through a gateway. To protect the local network, an Ingate Firewall is installed between this gateway and the local network.

The internal server has the IP address 195.12.12.2 and the workstations have 195.12.12.3, 195.12.12.4, and 195.12.12.5. The IP address given to the firewall on the inside is 195.12.12.1. For the outside, the firewall will request an IP address from a DHCP server.

The first thing to do is to install the firewall. Connect a computer to the unit with a serial cable and turn the firewall on. Access the administration interface (see also chapter 3, Installing Ingate Firewall). Log on as the user admin. The installation program will start automatically.

Now exit the administration program. The Ingate Firewall boots with the configuration just entered. While it boots, disconnect the serial cable, go to the client computer 195.12.12.3, start a web browser and log on to the firewall at its inside address, 195.12.12.1.

If you want to change language in the web interface, go to the Change Language page.

Now go to Network and check the Eth0 configuration. Most of it was set by the installation program. The configuration will be as follows:

Continue with the configuration for Eth1. Activate the DHCP client and create a directly connected network.

Go to the Networks and Computers page and name the internal server. The network on the inside is called Company network and includes all computers on the local network. The outside world is called Internet and is connected to the External interface. Define the server as a separate network of its own, since most of the traffic from the outside should be allowed to reach only the server; rules for incoming traffic can then be restricted to that single address.

On the Basic Configuration page under Basic Configuration the firewall is given a name. Select the option to reject all traffic to which no rule applies. The firewall should reply to ping only on the interface that received the ping packet, i.e., it should not "tunnel" the ping request to another interface or alias. Note that you must enter "*" as the Default gateway for the firewall to use the default gateway assigned by the DHCP server.

Go to the Access Control page and select the firewall IP address to use for access to the web interface. Specify that configuration traffic may only reach the firewall via the Eth0 interface and that only the computer with the IP address 195.12.12.3 on the inner network may configure the firewall. Select authentication via local password only, as no RADIUS server is used.

For Log Classes, Logging Configuration and Protocols, use the standard settings of Ingate Firewall.

Under Rules and Relays, check Time classes to make sure everything is in order. Here, two new time classes are defined, office hours and off-duty hours; the off-duty class is used below to restrict when FTP is allowed.

After networks, computers, and services are defined, it is time to set up rules for the traffic that is allowed. Specify the following:

Incoming traffic

  • Allow WWW traffic from the outside to the server, so that the web server running on it is reachable from the Internet (rule 10).

  • Allow SMTP traffic to the server so that incoming e-mail can be delivered (rule 11).

  • Allow DNS traffic to the server so that it can answer name queries from the outside (rules 8-9).

  • To prevent NFS mounts from the Internet, block incoming NFS traffic (rule 1). Rules are matched in order, so insert this rule before the DNS reply rule (rule 4), which allows traffic from the Internet to the server on the inside; placed after rule 4, the block would never be reached for packets that rule 4 already accepts.

    There are no more services that must be blocked.

Outgoing traffic

  • Allow DNS from the server (rules 3-4) so that it can resolve names on the Internet. DNS queries from the company network go through the internal server.

  • Allow SMTP from the server so that e-mail can go out (rule 6).

  • Allow the Company network to make outbound terminal connections with SSH (rule 2).

  • Allow WWW traffic out to the Internet (rule 5).

  • Allow retrieval of files from the Internet via FTP, but only during off-duty hours (rule 7).
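
The rule set above, modelled as an ordered first-match policy with a default of reject, as an added illustration: plain Python written for this appendix, not Ingate software and not the firewall's own rule format. It shows why rule 1 has to precede rule 4. The manual does not say why, and the model assumes the DNS reply rule is a stateless match on UDP packets with source port 53 bound for the server, which an NFS request sent from source port 53 would otherwise satisfy. Further assumptions, marked in the code: the company network is 195.12.12.0/24, services use their IANA default ports (NFS modelled as UDP 2049 only), the DNS rule pairs 3-4 and 8-9 are split into a query rule and a reply rule, rule 5 applies to the Company network, and office hours are Monday to Friday 08:00-17:59. The sample packets, addresses and times are constructed.

```python
"""Example 1a rule set modelled as an ordered, first-match policy.
Added illustration, not Ingate code; assumptions are marked in comments."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable

# Networks and computers, named as on the Networks and Computers page.
# Assumption: the manual lists hosts .1 to .5 only; the inside is taken as /24.
COMPANY_NET = ip_network("195.12.12.0/24")
SERVER = ip_address("195.12.12.2")

def in_group(ip: str, name: str) -> bool:
    """True if address ip belongs to the named network or computer."""
    addr = ip_address(ip)
    if name == "Server":
        return addr == SERVER
    if name == "Company network":
        return addr in COMPANY_NET
    if name == "Internet":            # everything that is not on the inside
        return addr not in COMPANY_NET
    raise ValueError(f"unknown network {name!r}")

# Services as (protocol, source port range, destination port range).
# Assumption: IANA default ports; NFS modelled as UDP 2049 only; the DNS rule
# pairs 3-4 and 8-9 are split into a query rule and a stateless reply rule.
ANY = (0, 65535)
SERVICES = {
    "WWW":       ("tcp", ANY, (80, 80)),
    "SMTP":      ("tcp", ANY, (25, 25)),
    "SSH":       ("tcp", ANY, (22, 22)),
    "FTP":       ("tcp", ANY, (21, 21)),
    "DNS query": ("udp", ANY, (53, 53)),
    "DNS reply": ("udp", (53, 53), ANY),   # any UDP packet *from* port 53
    "NFS":       ("udp", ANY, (2049, 2049)),
}

def service_matches(name: str, proto: str, sport: int, dport: int) -> bool:
    p, (s_lo, s_hi), (d_lo, d_hi) = SERVICES[name]
    return proto == p and s_lo <= sport <= s_hi and d_lo <= dport <= d_hi

# Time classes (Rules and Relays > Time classes).
# Assumption: office hours are Monday-Friday 08:00-17:59; off-duty is the rest.
def office_hours(t: datetime) -> bool:
    return t.weekday() < 5 and 8 <= t.hour < 18

def off_duty(t: datetime) -> bool:
    return not office_hours(t)

def always(t: datetime) -> bool:
    return True

@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    dst: str
    service: str
    action: str                                  # "allow" or "reject"
    when: Callable[[datetime], bool] = always    # time class

# The eleven rules of Example 1a in the order the manual gives them.
# Assumption: rule 5 (WWW out) is from the Company network.
RULES = [
    Rule(1, "Internet", "Server", "NFS", "reject"),
    Rule(2, "Company network", "Internet", "SSH", "allow"),
    Rule(3, "Server", "Internet", "DNS query", "allow"),
    Rule(4, "Internet", "Server", "DNS reply", "allow"),
    Rule(5, "Company network", "Internet", "WWW", "allow"),
    Rule(6, "Server", "Internet", "SMTP", "allow"),
    Rule(7, "Company network", "Internet", "FTP", "allow", off_duty),
    Rule(8, "Internet", "Server", "DNS query", "allow"),
    Rule(9, "Server", "Internet", "DNS reply", "allow"),
    Rule(10, "Internet", "Server", "WWW", "allow"),
    Rule(11, "Internet", "Server", "SMTP", "allow"),
]

def evaluate(rules, src, dst, proto, sport, dport, at):
    """First matching rule decides: returns (action, rule number).
    Traffic that matches no rule is rejected, as selected on Basic Configuration."""
    for r in rules:
        if (in_group(src, r.src) and in_group(dst, r.dst)
                and service_matches(r.service, proto, sport, dport) and r.when(at)):
            return r.action, r.number
    return "reject", None

def without_rule(rules, number):
    """The same rule set with one rule removed, to show what it was shadowing."""
    return [r for r in rules if r.number != number]

# Constructed sample times and an outside address (203.0.113.0/24 is documentation space).
OFFICE = datetime(2024, 3, 5, 10, 0)    # Tuesday 10:00
EVENING = datetime(2024, 3, 5, 21, 0)   # Tuesday 21:00
OUTSIDE = "203.0.113.7"

if __name__ == "__main__":
    # NFS request sent from source port 53: rule 1 rejects it ...
    print(evaluate(RULES, OUTSIDE, "195.12.12.2", "udp", 53, 2049, OFFICE))
    # ... but with rule 1 absent (or placed after rule 4), the DNS reply rule lets it through.
    print(evaluate(without_rule(RULES, 1), OUTSIDE, "195.12.12.2", "udp", 53, 2049, OFFICE))
    # FTP from a workstation: rejected during office hours, allowed off duty.
    print(evaluate(RULES, "195.12.12.3", OUTSIDE, "tcp", 50000, 21, OFFICE))
    print(evaluate(RULES, "195.12.12.3", OUTSIDE, "tcp", 50000, 21, EVENING))
```

evaluate() returns the number of the rule that decided, so a surprising "allow" can be traced to the rule that shadowed a later block; that is the check worth repeating whenever a reject rule is added to an existing ordered rule set.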

Once configuration is complete, go to Administration and select Apply configuration. The new configuration then runs for a test period; confirm that you can still reach the web interface, and select Save configuration while the test run is still in progress. Store the configuration to a file as a backup by clicking Save to local file. The firewall is now up and running.