BOT - Getting started

First time configuration

Before BOT can be activated we have to configure the PC which will be used for BOT administration.
In the IPCop WebGUI go to Firewall -> BlockOutTraffic, where you will see the following:

You have to enter the BOT settings:

Admin MAC:
This has to be the MAC address of your (workstation) PC where you administrate BOT from.

HTTPS Port:
This has to be the HTTPS port of your IPCop WebGUI.

BOT creates a 'default admin access rule' with the MAC as source address and IPCop and the HTTPS Port as destination to guarantee that you don't get locked out from IPCop Webgui. This is the reason why you have to enter 'Admin MAC' and 'HTTPS Port' here.

Connection state:
BOT will allow traffic which belongs to a related or established connection if you enable this option. When you use Port-Forwardings (for example to an internal webserver) you should enable this option.

BOT will create logging rules for traffic which has not matched one of your BOT rules if you enable this option.

Default Deny action:
Here you can select whether BOT should DROP or REJECT traffic which has not matched one of your BOT rules.

Advanced Mode:
When you enable this option you will have more options to customize BOT rules. But be warned: in advanced mode you can open up your firewall! You should only select this option if you have deeper firewall knowledge.

When you hit 'Save' the settings are stored and you can start defining BOT rules and other useful features. Additional (advanced) features can be configured when you go to Firewall -> Advanced BOT Config in the WebGUI:

First you should define some custom services, you can select those custom services later when you create service groups or your own BOT rules:

There are three custom services defined in the screenshot above:

  • IPCop ssh is necessary to administrate your IPCop via ssh.
  • IPCop https is necessary for using the IPCop WebGUI. The PC with 'Admin MAC' address as configured in BOT settings will be able to reach the WebGUI but you may want to allow WebGUI access to further PCs.
  • IPCop proxy is defined so it can be used in a BOT rule to allow access to your IPCop Webproxy for surfing.

Next you can define service groups, custom addresses, address grouping or add a new interface:

When you select 'Service Grouping' you will see this:

In the above screenshot the following groups are defined:

  • Default services contains (email related) services which you may want to allow internal PCs to access on the internet.
  • IPCop admin contains services for IPCop administration. This group can be used to conveniently allow access to IPCop administration to multiple PCs.
  • IPCop services contains services like DNS, Proxy, NTP and DHCP. This group can be used to allow your PCs to use these IPCop services.

After defining these custom services and service groups we are set to define our first BOT rules.

So what do we want to achieve? We want to allow internal PCs

  • to send and retrieve emails,
  • surf the internet via the IPCop webproxy,
  • to use the DNS, DHCP and NTP services on the IPCop,
  • and later (as icing on the cake) we want to allow two admin PCs to administrate IPCop via webgui and SSH.

We have already defined some service groups to achieve this. So we start with the first BOT rule: we allow LAN PCs to use the IPCop services.

Go back to the BlockOutTraffic section (WebGUI -> Firewall -> BlockOutTraffic) and 'Add a new rule'. You will see the following GUI. You can select various options for the firewall rule. The firewall options are grouped into the following categories: source, destination, additional settings and timeframe (if the rule should only be active at a specific time).

So to allow the (green) network PCs to use the IPCop services select as source:

  • Default interface: Green
  • Default networks: Green Network

and as destination:

  • IPCop access
  • use Service and Service Group "IPCop services" (the one you defined in advanced BOT config before)

The rule has to be enabled and optionally you can enter a comment.

There are two ways to proceed now, you can hit [Next] or [Save]. With [Save] the rule will be saved and added at the end of your list of BOT rules. With [Next] you will get an overview of the rule options and the possibility to select a position in the list of BOT rules where the rule will be inserted.

If you have hit [Next], you will see this:

You can go [Back] if you want to change an option or hit [Save] to save the rule at the specified position. At first the position is not that interesting but later, as soon as you have many rules, you may want to insert a rule at a specific position.

The rule is saved and you will see the overview of your current rules:

So the IPCop services are now available for internal (green network) PCs. Next create a rule to allow some internet services.

Hit [New Rule] and select the following options.

As source:

  • Default interface: Green
  • Default networks: Green Network

As destination:

  • Other Network/Outside
  • Default networks: Any (the PCs are allowed to access all internet addresses)
  • Enable Services
  • select Service Groups: Default services (the second group you have defined in advanced BOT config)

The rule needs to be enabled and optionally you can enter a comment. Now hit [Save] or [Next]+[Save] and you have your second BOT rule.

Internal PCs are allowed to access the internet with Mail (you can add more services to the "Default services" group later) and use DNS, DHCP, NTP and webproxy on the IPCop.

Your list of 'Current rules' should now look like this:

You are now set to enable BOT. All traffic which is not allowed by your current rules is blocked then.

You may want to allow some PCs to administrate the IPCop box via Webgui or SSH. See next chapter "Further advanced config".
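
As an added illustration (not part of the original BOT documentation and not BOT's own code), the Python model below checks sample connections against the rule set as it stands at this point: the default admin access rule plus the two rules created above, with everything else falling through to the default deny action. The MAC addresses, port numbers and service group contents are assumed sample values; replace them with the ones from your own BOT settings.

```python
# Added illustration: a simple model of the rule set built above.
# MACs, ports and group contents are constructed sample values, not BOT data.
from dataclasses import dataclass

ADMIN_MAC = "00:11:22:33:44:55"   # constructed 'Admin MAC'
HTTPS_PORT = 445                  # assumed 'HTTPS Port' setting

SERVICE_GROUPS = {                # assumed contents of the two service groups
    "IPCop services": {("udp", 53), ("tcp", 53), ("udp", 123),
                       ("udp", 67), ("tcp", 800)},
    "Default services": {("tcp", 25), ("tcp", 110), ("tcp", 143)},
}

@dataclass(frozen=True)
class Packet:
    iface: str           # interface the packet arrives on, e.g. "green"
    mac: str             # source MAC address
    dest: str            # "ipcop" or "outside"
    proto: str
    port: int
    state: str = "NEW"   # "NEW", "ESTABLISHED" or "RELATED"

@dataclass(frozen=True)
class Rule:
    name: str
    iface: str           # "" = any interface
    dest: str
    services: frozenset
    macs: frozenset = frozenset()   # empty = any source on that interface

    def matches(self, p):
        return ((not self.iface or p.iface == self.iface)
                and p.dest == self.dest
                and (p.proto, p.port) in self.services
                and (not self.macs or p.mac.lower() in self.macs))

RULES = [
    Rule("default admin access", "", "ipcop",
         frozenset({("tcp", HTTPS_PORT)}), frozenset({ADMIN_MAC})),
    Rule("green -> IPCop services", "green", "ipcop",
         frozenset(SERVICE_GROUPS["IPCop services"])),
    Rule("green -> Default services", "green", "outside",
         frozenset(SERVICE_GROUPS["Default services"])),
]

def decide(p, rules=RULES, connection_state=True, default_deny="DROP"):
    """Return (action, reason); rules are checked in list order."""
    if connection_state and p.state in ("ESTABLISHED", "RELATED"):
        return ("ACCEPT", "connection state")
    for r in rules:
        if r.matches(p):
            return ("ACCEPT", r.name)
    return (default_deny, "default deny")
```

With these sample values, only the PC with the Admin MAC reaches the WebGUI port; a second admin PC gets the default deny action until a rule for it exists.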

Further advanced config

The first BOT rules are defined and we can go a step further. We define a BOT rule which allows the administration from some internal network PCs.

First we define custom addresses for the Admin PCs in the advanced BOT section 'Address settings':

You see two admin PCs, defined by MAC address, in the screenshot above. Similar to custom services, you can use those custom addresses in your BOT rules or group them together in an address group.

In the next advanced BOT config section 'Address Grouping' we create a group 'Admins' with the two custom addresses defined before:

Now we are already able to create the admin rule. Go back to the BlockOutTraffic page and hit [New Rule].

Enter the necessary rule options, select as source:

  • Default interface: Green
  • Address Group: Admins

As destination:

  • IPCop access
  • Enable Services
  • select Service Group: IPCop admin (the third group you have defined in advanced BOT config at the beginning)

That's all, we are done. Your list of 'Current rules' should now look like this:

IPCop - The Bad Packets Stop Here

BlockOutTraffic - The Firewall WebGUI Addon for IPCop

  Created 2006 by dotzball | Design by wintermute