Blonde Guy

InJoy Firewall

part one: Network address translation

It all started when I needed to connect the home network to DSL. I got the cheapest connection option, one dynamically assigned IP address. One machine in the home network is the server. It delivers Internet connectivity using InJoy Firewall.

My DSL modem has an ethernet port; I hooked it directly to the hub's uplink port. The server is connected to one of the regular ports of the hub. The server obtains its IP address dynamically. The InJoy Firewall software allows four other machines to be plugged into the hub.

Installation

Installing InJoy is not difficult, but the instructions are not very simple. Here is a step by step summary of what I did.

  1. Change the server machine to DHCP. It had been just a static IP in my home network. I started the TCP/IP configuration program, and I changed the interface from static to dynamic. After I saved the settings, I did a reboot.
  2. After the reboot, I checked if I was connected to the internet. I opened an OS/2 command prompt and typed ping www.ibm.com The DSL connection was working fine.
  3. With ping working fine, I then installed InJoy Firewall. I downloaded ijfire12.zip (1215422 bytes) from the InJoy website. I created a directory (c:\bin\firewall) for the software, and unzipped the archive into that directory.
  4. I had purchased a license for the Firewall. To install the license, I copied gateway.cf_ to gateway.cf, then I edited gateway.cf, adding the license that came in e-mail.
  5. For a setup like this, with only one network card in the server, there needs to be an extra interface, an alias. This is the setup.cmd file which defines the extra interface.
    route -fh
    arp -f
    ifconfig lo 127.0.0.1
    REM ifconfig lan0 nil
    REM ifconfig lan1 metric 1 mtu 1500
    REM ifconfig lan2 metric 1 mtu 1500
    REM ifconfig lan3 metric 1 mtu 1500
    REM ifconfig lan4 metric 1 mtu 1500
    REM ifconfig lan5 metric 1 mtu 1500
    REM ifconfig lan6 metric 1 mtu 1500
    REM ifconfig lan7 metric 1 mtu 1500
    dhcpstrt -i lan0
    ifconfig lan0 192.168.1.1 netmask 255.255.255.0 alias
    ipgate on
  6. To install InJoy, run the install.cmd file. This installs the device driver for the firewall. I like the Workplace Shell, so I created a folder of objects using folder.cmd. Because InJoy changes config.sys and protocol.ini, another reboot is required.
  7. After rebooting, I checked again to see that ping would work. It did, so I needed to check a client machine.
  8. The client machine needs to have the server machine as a router, and the same DNS hosts as the server. Once configured, I tried to connect to the outside. This also worked.

InJoy comes with plenty of documentation; it is stored as plain text files in the docs directory of the firewall software. The document which gave the most information for this article was gateway.txt.

I have made no attempt to make a decent firewall here. Before I go too far down that path, I will get a second network adapter, attach the DSL ethernet directly to the server, and pass only the right packets. Because I am on DSL, I don't think there is much danger with my present setup.

Upgrading to two network cards

After using the previously described setup for a few months, I did obtain another network card. I found that when I upgraded to TCP/IP 4.3, the InJoy Firewall no longer functioned. After a bit of technical support from InJoy, I learned that TCP/IP 4.3 did not have some of the features required to run InJoy Firewall with one network adapter.

To install a second network card, the Firewall must be uninstalled. This is simply a matter of running the InJoy install.cmd, and selecting uninstall. It isn't even necessary to reboot.

Run MPTS, and add the second network driver. I bound NETBIOS and TCP/IP to the network card I used for my LAN, and I bound only TCP/IP to the network card that I used for the DSL line. After exiting MPTS, I ran the install program for InJoy once more, and finally rebooted.

The network functioned as expected when the machine started again. This is my setup.cmd file for two network cards.

route -fh
arp -f
ifconfig lo 127.0.0.1
ifconfig lan0 192.168.1.18 netmask 255.255.255.0 metric 1 mtu 1500
REM ifconfig lan1
REM ifconfig lan2 metric 1 mtu 1500
REM ifconfig lan3 metric 1 mtu 1500
REM ifconfig lan4 metric 1 mtu 1500
REM ifconfig lan5 metric 1 mtu 1500
REM ifconfig lan6 metric 1 mtu 1500
REM ifconfig lan7 metric 1 mtu 1500
dhcpstrt -i lan1
ipgate on

Firewall Configuration

Once I had two cards and NAT, I proceeded to configure the firewall to prevent attacks.

Firewall configuration is done by composing rules. The rules are stored in the firerule.cnf file in the firewall subdirectory. The philosophy for firewall configuration is to make security tight, but then allow services that are needed.

The InJoy security level is stored in the firewall.cnf file in the firewall directory. I have set the security level to level 7. It was necessary to allow some non-default behavior to make level 7 usable.

The rules I've allowed in firerule.cnf are these:

Allow-Web
Comment = "Open port on protected Firewall PC",
Protocol = TCP,
Destination-Port = "http",
Destination = "My_IP",
Rule-Action = Allow,
Direction = Bidirectional

Allow-FTP
Comment = "Open port on protected Firewall PC",
Protocol = TCP,
Destination-Port = "ftp",
Destination = "My_IP",
Rule-Action = Allow,
Direction = Bidirectional

Allow-FTP-pasv
Comment = "Open ports on protected Firewall PC",
Protocol = TCP,
Destination-Port = "55000:56000",
Destination = "My_IP",
Rule-Action = Allow,
Direction = Bidirectional

Allow-FTP-data
Comment = "Open port on protected Firewall PC",
Protocol = TCP,
Destination-Port = "ftp-data",
Destination = "My_IP",
Rule-Action = Allow,
Direction = Bidirectional

Allow-Telnet
Comment = "Open port on protected Firewall PC",
Protocol = TCP,
Destination-Port = "23",
Destination = "My_IP",
Rule-Action = Allow,
Direction = Bidirectional

Allow-POP
Comment = "Open port on protected Firewall PC",
Protocol = TCP,
Destination-Port = "109 110",
Destination = "My_IP",
Rule-Action = Allow,
Direction = Bidirectional

Allow-SMTP
Comment = "Open port on protected Firewall PC",
Protocol = TCP,
Destination-Port = "25",
Destination = "My_IP",
Rule-Action = Allow,
Direction = Bidirectional

Allow-DHCP-Lease
Comment = "Allow DHCP through Firewall (UDP port 68)",
Protocol = UDP,
Destination-Port = "68",
Rule-Action = Allow,
Direction = Incoming

These rules allow me to run the servers I want with the access that I want. The POP and SMTP rules allow access to the Weasel e-mail server. Relaying is prevented by tight policies for Weasel, and is periodically tested using the relay testing provided by abuse.org.
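To see which ports a ruleset in this layout actually opens to the outside, here is an added Python example (not part of the original page, and not InJoy's own code) that parses a constructed firerule.cnf fragment in the format shown above and lists every port admitted by an Allow rule whose direction is Incoming or Bidirectional. The mapping of service names such as "http" to port numbers is an assumption taken from the standard services file.

```python
# Constructed sample in the firerule.cnf layout shown on the page (not the author's file).
SAMPLE_RULES = """\
Allow-Web
Comment = "Open port on protected Firewall PC",
Protocol = TCP,
Destination-Port = "http",
Rule-Action = Allow,
Direction = Bidirectional

Allow-FTP-pasv
Protocol = TCP,
Destination-Port = "55000:56000",
Rule-Action = Allow,
Direction = Bidirectional

Allow-DHCP-Lease
Protocol = UDP,
Destination-Port = "68",
Rule-Action = Allow,
Direction = Incoming
"""
# Service names used on the page -> ports (assumed from the standard services file).
SERVICES = {"http": 80, "ftp": 21, "ftp-data": 20}

def parse_rules(text):
    """Split firerule.cnf text into rules (dicts keyed by field name)."""
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, eq, val = line.partition("=")
        if eq and rules:                       # 'Key = "Value",' field line
            rules[-1][key.strip()] = val.strip().rstrip(",").strip('"')
        else:                                  # bare name line starts a new rule
            rules.append({"Name": line})
    return rules

def expand_ports(spec):
    """Expand 'http', '109 110' or '55000:56000' into a sorted port list."""
    ports = set()
    for tok in spec.split():
        lo, _, hi = tok.partition(":")
        lo = SERVICES.get(lo) or int(lo)
        ports.update(range(lo, int(hi or lo) + 1))
    return sorted(ports)

def exposed_ports(rules):
    """Map (protocol, port) -> rule name for Allow rules that admit inbound traffic."""
    return {(r["Protocol"], p): r["Name"] for r in rules
            if r["Rule-Action"] == "Allow" and r["Direction"] in ("Incoming", "Bidirectional")
            for p in expand_ports(r["Destination-Port"])}
```

Run over the rules on this page, Allow-FTP-pasv alone admits 1001 TCP ports (55000 through 56000), which is the kind of number worth knowing when reviewing what the firewall exposes.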

Testing the Firewall

The next step is to test the Firewall. I took my laptop to a cafe with wireless internet, and tried to connect to the server in the following ways.

Once the server can do all of the above tests, configuration is complete.

Last Modified: 26 Nov 2006
Graphics by Colorful Language
Copyright 2005 by Blonde Guy