Zampa - OS/2 firewalling made easy

Contents:
- Introduction
- Who is this for?
- Software requirements
- Installation
- Setting up a firewall
- Words of precaution
- Known bugs/limitations
- Closing up

------------

Introduction

For some strange reason, IBM decided not to document this extremely powerful and useful part of the 5.x/6.x versions of MPTS, that is, TCP/IP 4.1 and above. Not many people knew, but when you think of it, it's kinda logical that it's there: the AIX firewall. In its AIX TCP/IP implementation, IBM has its most powerful firewall, and it's considered to be among the best ones around. Since the OS/2 TCP/IP stack is mostly based on this stack, and because IBM implemented Virtual Private Networking support, the firewall also happened to be ported to OS/2. But IBM seemingly doesn't want people to use it...

For quite some time, this was totally unknown. Then, I'd say about a year ago or so, someone discovered it. They also found it to be very similar to the AIX firewall, and pointed us to the redbook for the AIX firewall, which gave some leads on how to set up this thing. But, unfortunately, it was still hard to figure out. Then there was a Russian guy who made a web page with a brief description of how to set it up. However, this page didn't give many details about the firewall itself and how to set it up for particular purposes. Still, this is the information I have based my knowledge about it on. Thanks to Vit Timchishin. The URL of this page is: http://www.os2.spb.ru/guru/tcpip/ipsece.html

Anyway, I have been waiting for quite a while for someone else to make a program like this, but I got sick of waiting, so I decided to make one myself. Considering the amount of time I spent on this thing, I'm really wondering why IBM didn't do it themselves. But well.. Here it is. :)

------------

Who is this for?
This program is for anyone running OS/2 Warp 3, Warp 4, Warp Server, or Warp Server for e-business, who wants to protect themselves or their business from hackers and other mean heads out there. For Warp 3, Warp 4 and Warp Server, you need to have TCP/IP 4.1 installed in order for this to work.

It's also ideal for people who are using their computer as a gateway to the internet, if they wish to keep unwanted traffic out.

I believe that this firewall also supports NAT (network address translation), which allows you to share one single internet connection with several machines on a LAN, without the need of a public IP pool designated to those computers. This makes it possible to use a dial-up connection for this, making any internet dialer "support" NAT. No more need for special dialers that support NAT (or IP masquerading, which is the old "term" for this). When I find time to look into this, I'll probably include functionality for setting this up too. If anyone knows anything about it, please contact me!

------------

Software requirements

To use this cute piece of software you'll need the following:

- MPTS v5.x or above (comes with TCP/IP 4.1 and above)
- The following lines in your config.sys:

    DEVICE=C:\MPTN\PROTOCOL\IPSEC.SYS
    DEVICE=C:\MPTN\PROTOCOL\FWIP.SYS
    DEVICE=C:\MPTN\PROTOCOL\CDMF.SYS
    DEVICE=C:\MPTN\PROTOCOL\MD5.SYS

  These lines are automagically added if you select VPN support during TCP/IP installation.
- VROBJ.DLL - can be downloaded from hobbes:
    ftp://hobbes.nmsu.edu/pub/os2/dev/rexx/vrobj21d.zip
  or
    http://hobbes.nmsu.edu/pub/os2/dev/rexx/vrobj21d.zip
  Make sure this file is located in a directory in your LIBPATH.

------------

Installation

Have a look at the software requirements mentioned above. Once you've made sure that these requirements are met, simply run Zampa.exe, and you should be up and running.

------------

Setting up a firewall

The rules you define in the firewall are always read from the top down.
That means that whenever a packet comes in or goes out, it's compared to each and every one of the current firewall rules, starting from the top. If a rule is found that matches the packet in question, that rule's action (deny or permit) is applied to the packet, and the firewall is again ready for the next packet. If no rule is found, it reaches the end of the firewall configuration file and applies the default rule, which is "deny all". That means that if you set up the firewall with no rules, no packets will be allowed to or from your computer on any interface.

You will be defining two sets of rules: one for the interface(s) defined as secure, and one for the interface(s) defined as non-secure. The secure interface is typically the one leading to the local network, while the non-secure one is the one leading to the internet (or another untrusted network). The idea is that you define one set of rules that applies to traffic flowing in and out through both adapters, and how traffic going between them is treated. Of course you can also define a rule that applies to all interfaces.

In addition, you are able to define rules depending on whether the traffic in question has the firewall machine as destination, whether it's going through the firewall machine (gateway operation), or both.

Available options include:

Packet action (permit or deny)
  Defines what to do with packets matching this rule.
Source address definition (IP address and netmask)
  Defines what is to be the source address of matching packets. Can be either a specific IP, or a whole net/subnet.
Destination address definition (IP address and netmask)
  Same as above.
Protocol matching
  Defines which protocols the rule applies to (all, tcp, udp, icmp, tcp/ack, IBM IPSP).
Source port/ICMP type
  Source port of the packet, or the ICMP type for ICMP packets.
Destination port/ICMP code
  Destination port of the packet, or the ICMP code for ICMP packets.
Adapter
  Which adapter the packet is going through (secure, non-secure, or any).
Routing
  Whether the packets are going through the firewall machine, or only to/from the firewall machine itself (local, route, both).
Direction
  Which way the packets are flowing (inbound, outbound, both).
Logging
  Whether or not this rule should be logged. Default for permit rules is no, for deny rules it's yes. (l=yes, y, no, n)
Fragmentation
  Determines if the filter should act on the whole packet only (default), only on the packet headers and every fragment of the packet, or if it should match both fragments, headers AND the packet as a whole. (f=yes, no, only)
Tunnel ID
  Identifies the tunnel the traffic is flowing through. (t=x, where x is any tunnel ID)

All of these options except the tunnel ID can be specified when creating a rule in Zampa. For normal, simple use, the fragmentation parameter may also be left at its default value. Logging can be specified if you wish, but currently I don't have routines built in to read/analyze the logs, although I'm looking into adding functionality for this in a future release.

You will also define at least one of your interfaces as secure; if not, they will all default to non-secure. This has (as far as I know) no effect on how the firewall acts, but you will then have to specify non-secure or both in the interface field.

When you create a rule, it will show up at the end of the rule list. You will then have to change its position in the list before saving the configuration and updating the running firewall configuration.

--- Summary

When creating a rule, keep in mind the following logic: The rules are read top-down, until a rule that matches the packet in question is found.
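The matching logic described above (rules read top-down, the first match decides, and an implicit "deny all" when nothing matches), modelled in Python as an added example. This is not Zampa's or IBM's code; it takes the rule fields listed above as its model and assumes that "tcp/ack" matches only TCP packets carrying the ACK flag (that is, segments of an already established connection). The gateway rule set, the addresses and the packets are constructed for illustration. The shadowed() check goes a little beyond the text: it flags a rule that, because of where it sits in the list, can never be reached, which is exactly the mistake the ordering note above warns about.

```python
"""First-match packet filter evaluator modelling the rule semantics described
above. Constructed example; not Zampa's code. Requires Python 3.7+."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # source IP/netmask (single host or net/subnet)
    dst: str = "0.0.0.0/0"         # destination IP/netmask
    protocol: str = "all"          # all, tcp, udp, icmp, tcp/ack
    sport: Optional[int] = None    # source port or ICMP type; None = any
    dport: Optional[int] = None    # destination port or ICMP code; None = any
    adapter: str = "any"           # secure, non-secure, any
    routing: str = "both"          # local, route, both
    direction: str = "both"        # inbound, outbound, both
    log: Optional[bool] = None     # None = default: deny rules log, permit rules do not

    def logs(self) -> bool:
        return self.log if self.log is not None else self.action == "deny"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                  # tcp, udp or icmp
    sport: int                     # port or ICMP type
    dport: int                     # port or ICMP code
    adapter: str                   # secure or non-secure
    routing: str                   # local (to/from this machine) or route (through it)
    direction: str                 # inbound or outbound
    ack: bool = False              # TCP ACK flag (only meaningful for tcp)


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _proto_ok(rule_proto: str, pkt: Packet) -> bool:
    if rule_proto == "all":
        return True
    if rule_proto == "tcp/ack":    # assumption: TCP with ACK set, never a bare SYN
        return pkt.protocol == "tcp" and pkt.ack
    return rule_proto == pkt.protocol


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    return (ipaddress.ip_address(pkt.src) in _net(rule.src)
            and ipaddress.ip_address(pkt.dst) in _net(rule.dst)
            and _proto_ok(rule.protocol, pkt)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and rule.adapter in ("any", pkt.adapter)
            and rule.routing in ("both", pkt.routing)
            and rule.direction in ("both", pkt.direction))


def evaluate(rules, pkt: Packet):
    """Walk the list top-down; return (action, index of deciding rule, logged).
    Index None means the implicit default rule ("deny all") decided."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i, rule.logs()
    return "deny", None, True


def _covers(a: Rule, b: Rule) -> bool:
    """True when rule a matches every packet that rule b could match."""
    proto_ok = (a.protocol in ("all", b.protocol)
                or (a.protocol == "tcp" and b.protocol == "tcp/ack"))
    return (_net(a.src).supernet_of(_net(b.src)) and _net(a.dst).supernet_of(_net(b.dst))
            and proto_ok
            and a.sport in (None, b.sport) and a.dport in (None, b.dport)
            and a.adapter in ("any", b.adapter)
            and a.routing in ("both", b.routing)
            and a.direction in ("both", b.direction))


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed rule set for a gateway whose secure adapter faces 192.168.1.0/24.
GATEWAY_RULES = [
    Rule("permit", src="192.168.1.0/24", protocol="tcp", dport=80,       # 0: LAN web requests
         adapter="secure", routing="route", direction="inbound"),        #    entering the gateway
    Rule("permit", src="192.168.1.0/24", protocol="tcp", dport=80,       # 1: ... and leaving it
         adapter="non-secure", routing="route", direction="outbound"),   #    towards the internet
    Rule("permit", dst="192.168.1.0/24", protocol="tcp/ack", sport=80,   # 2: replies only; tcp/ack
         adapter="non-secure", routing="route", direction="inbound"),    #    keeps new connections out
    Rule("deny", adapter="non-secure", direction="inbound"),             # 3: catch-all, logged
    Rule("permit", protocol="tcp", dport=23, adapter="non-secure",       # 4: below the catch-all,
         routing="local", direction="inbound"),                          #    so it never fires
]

if __name__ == "__main__":
    lan_request = Packet("192.168.1.10", "198.51.100.7", "tcp", 1234, 80, "secure", "route", "inbound")
    stray_syn = Packet("203.0.113.5", "192.168.1.10", "tcp", 80, 445, "non-secure", "route", "inbound")
    for p in (lan_request, stray_syn):
        print(p.src, "->", p.dst, evaluate(GATEWAY_RULES, p))
    print("unreachable rules:", shadowed(GATEWAY_RULES))
```

Running the block prints the decision for a LAN web request (permitted by rule 0, not logged) and for an unsolicited segment arriving from the internet (denied by rule 3 and logged, because rule 2 only accepts TCP with ACK set), then reports that rule 4 is unreachable; moving it above rule 3 is the fix the text describes when it says a new rule lands at the end of the list and has to be repositioned before saving.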
At this point the rule action is performed on the packet. If no rule is found, it uses the default rule, which denies everything.

------------

Words of precaution

This software is still beta. And since the firewall is not at all documented by IBM, I have to assume that they do not provide support for it either. This means that the quality of the product can't be determined either. I believe that it is good, on par with the AIX firewall, but of course I can not document this or guarantee it.

As with all software of this kind, it's always a good idea to back up vital parts of your system before using this software. As they say, real men don't take backups. But they cry a lot.

------------

Known bugs/limitations

There are still a few quirks to come around in this program, but since it's still a beta, I expect to get these fixed by the time it goes out of beta. I expect this space to be filled as I get more feedback from users.. ;)

------------

Closing up

Send bugs/suggestions/comments to: ltning@mo.himolde.no
The latest version of the program can always be found at: http://www.mo.himolde.no/~ltning/os2

Quick summary: This is beta. Do not trust it. Backup. Cross your fingers...

BTW: THIS IS NOT FREE SOFTWARE! IT IS FOR EVALUATION PURPOSES ONLY! !!!BETA!!! IF YOU WILL BE USING THIS SOFTWARE COMMERCIALLY, A SITE LICENCE MUST BE OBTAINED. CONTACT ME ON THE E-MAIL ADDRESS ABOVE!

Oh and.. The usual disclaimer.. I TAKE NO RESPONSIBILITY WHATSOEVER FOR WHAT THIS PROGRAM MIGHT DO TO YOU, YOUR BUSINESS, YOUR COMPUTER, YOUR WIFE, YOUR HUSBAND, YOUR KIDS, YOUR LIFE. WHATEVER IT MIGHT DO OR NOT DO, I AM NOT TO BLAME.

Eirik Overby
Norway