BOT - Tips and Tricks
There are scenarios where it is necessary to copy the BOT config from one IPCop to another IPCop:
The BOT installation / uninstallation routine automatically saves and restores the config on (un)installation. See Installation (especially the section 'Uninstall BOT').
It is very simple to copy the BOT config from IPCop 'A' to IPCop 'B'. There are two ways to copy the files:
The config is on IPCop 'B' but not yet loaded into BOT. There is one simple way to load the config into BOT (also see Installation, section 'Uninstall BOT' for a description of the save / restore mechanism):
The config from IPCop 'A' has now been copied to IPCop 'B'.
You have to verify the BOT config via the WebGUI and change the Admin MAC and the HTTPS port in the BOT settings (if necessary).
A standard IPCop installation logs every packet which is blocked by the (default) firewall rules. The idea behind this is to see what is blocked and to get hints when something (maybe Port-Forwarding or External-Access) is not working as desired. You can see the blocked access attempts, which makes troubleshooting easier.
But now the problem: many unwanted packets are blocked (that's why we have a firewall in the first place) and logged. This logging makes the firewall log grow very fast. On a default IPCop you will easily have more than 10000 log entries per day! This means two problems:
As the unwanted packets are mostly directed at only a few services, it is easy to reduce the log entries to a minimum. Only a few firewall rules are needed which block that traffic but don't log it. With those firewall rules applied, the number of log entries can be reduced from over 10000 to under 100 per day!
So now to the practical part: which BOT rules are needed to reduce the firewall log?
The following example shows how to avoid logging NetBIOS and TCP 445, where all the script kiddies try their luck. First of all we create two new service groups:
These two service groups are used in two BOT deny rules: one rule with source interface 'Any' and service group 'Deny everywhere', and one rule with source interface 'Red' and service group 'Deny Group'. These rules should be in 'Other Network/Outside' and also in 'IPCop access'. Normally it should be enough to have the rules in 'IPCop access', but I have nevertheless seen log entries for those services when 'Other Network/Outside' was missing. So when the services are blocked in 'Other Network/Outside' you will (should) not see those services in the firewall logs any more. When the rules are at the beginning of the rule sequence, the packets are blocked as early as possible.
The new "reduce firewall log" rules are marked with a red rectangle in the next screenshot:
When you look into your firewall logs and see many hits on one service, you can add this service to one of the two deny service groups and the firewall logs will not contain those hits anymore.
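The "look into your firewall logs and see many hits on one service" step can be done with a small script instead of by eye. The following is an added example, not code from the BOT addon or the IPCop project: it parses blocked-packet entries in netfilter kernel-log style, counts hits per protocol and destination port (or ICMP type), and lists the services above a threshold that no deny group covers yet. The sample log lines, the host name, the addresses and the assumed members of the two deny service groups ('Deny everywhere' and 'Deny Group', here NetBIOS and TCP 445) are all constructed for the example; real entries carry more fields (MAC=, TTL=, ...).

```python
import re
from collections import Counter

# Constructed sample lines in netfilter kernel-log style, the format in which
# IPCop's blocked-packet entries end up in the firewall log. Host name,
# addresses and counts are made up; real lines carry more fields.
SAMPLE_LOG = """\
Mar 21 10:01:02 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=3312 DPT=445 SYN
Mar 21 10:01:03 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=4021 DPT=445 SYN
Mar 21 10:01:04 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.17 DST=198.51.100.2 LEN=78 PROTO=UDP SPT=137 DPT=137
Mar 21 10:01:05 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=3313 DPT=139 SYN
Mar 21 10:01:06 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.44 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=1055 DPT=445 SYN
Mar 21 10:01:07 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.61 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=5220 DPT=1433 SYN
Mar 21 10:01:08 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.62 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=5221 DPT=1433 SYN
Mar 21 10:01:09 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.63 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=5222 DPT=1433 SYN
Mar 21 10:01:10 ipcop kernel: INPUT IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Assumed members of the two deny service groups from the page: NetBIOS
# (UDP 137/138, TCP 139) and TCP 445. The page does not list their contents.
DENY_GROUPS = {
    "Deny everywhere": {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)},
    "Deny Group": {("TCP", 445)},
}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the (proto, service) a blocked packet was aimed at, or None.

    Service is the destination port for TCP/UDP and the ICMP type for ICMP.
    Lines that are not netfilter LOG entries (no 'kernel:' / 'PROTO=') are skipped.
    """
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    proto = fields["PROTO"]
    if proto in ("TCP", "UDP"):
        return proto, int(fields["DPT"])
    if proto == "ICMP":
        return proto, int(fields["TYPE"])
    return proto, None


def count_services(log_text):
    """Count blocked packets per (proto, service), most frequent first via most_common()."""
    counts = Counter()
    for line in log_text.splitlines():
        svc = parse_line(line)
        if svc is not None:
            counts[svc] += 1
    return counts


def suggest_deny_additions(log_text, deny_groups, threshold):
    """Services with at least `threshold` hits that no deny group covers yet.

    These are the candidates for the "add this service to one of the two deny
    service groups" step. Services already in a group are left out: hits on
    them point at the placement of the deny rules, not at the group contents.
    """
    covered = set().union(*deny_groups.values())
    counts = count_services(log_text)
    return [(svc, n) for svc, n in counts.most_common()
            if n >= threshold and svc not in covered]


if __name__ == "__main__":
    for (proto, svc), n in count_services(SAMPLE_LOG).most_common():
        print(f"{proto}/{svc}: {n} blocked")
    print("candidates for a deny group:",
          suggest_deny_additions(SAMPLE_LOG, DENY_GROUPS, threshold=2))
```

Run it against the real firewall log by reading the file instead of SAMPLE_LOG; the threshold is whatever you consider "many hits". On the constructed sample, TCP 445 has the most hits but is already in a deny group, so the only candidate reported is TCP 1433.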
If you want to use file sharing like Torrent or want to play online games you need a special BOT rule. You need a special rule because every Torrent server can use a different port (range) and many online games use a bunch of different TCP and UDP ports. So when using BOT you would have to create a rule for every port, or a service group with all those ports. This works but is time-consuming and complex.
A simpler (and less restrictive) way is to allow all high ports (1024 - 65535). The Well Known Ports (0 - 1023) remain under the control of BOT, but you don't need a big service group or a lot of BOT rules. While you play online games or use Torrent you enable this special rule; afterwards you disable it again and BOT controls the whole port range (0 - 65535) as before.
Custom service (for high ports):
BOT Filesharing/Gaming rule (marked with a red rectangle):
Allowing Ping in BOT rules is easy but a bit tricky: you have to define a custom service with ICMP (and, more restrictively, with ICMP types if wanted).
As an example we define two custom services with the ICMP types 'echo-reply (pong)' and 'echo-request (ping)', and one service group containing these two custom services.
When you want to allow a PC to use Ping, you have to create a BOT allow rule and select the service group 'Ping Group'. For Ping to IPCop you have to select 'IPCop access'; for Ping to the Internet or Ping from Green to DMZ/Blue you have to select 'Other Network/Outside'. That's all, the PC should be able to use Ping now.
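The three tips above (deny-without-log rules at the top of the sequence, the high-port Filesharing/Gaming rule that is switched on and off, and the ICMP 'Ping Group') all come down to how a first-match rule list behaves. The following is an added model of such a list, constructed for this page and not BOT's own matching code: services are (protocol, port) pairs where the port may be a range and, for ICMP, stands for the ICMP type; the rule names and group members (NetBIOS and TCP 445 in 'Deny everywhere', an assumed 'Web' group so ordinary web traffic still works) are assumptions. Anything no rule matches falls through to the default, which on IPCop is blocked and logged.

```python
# Constructed model of a first-match BOT rule sequence (not BOT's real code).
# A service is (proto, port); port is an int or a (low, high) range, and for
# ICMP the "port" is the ICMP type.
ANY = "Any"

SERVICE_GROUPS = {
    # Assumed members: NetBIOS (UDP 137/138, TCP 139) and TCP 445.
    "Deny everywhere": {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)},
    # Custom service covering all high ports, TCP and UDP.
    "High ports": {("TCP", (1024, 65535)), ("UDP", (1024, 65535))},
    # Two ICMP custom services: echo-request (type 8) and echo-reply (type 0).
    "Ping Group": {("ICMP", 8), ("ICMP", 0)},
    # Assumed ordinary allow rule so the well-known web ports remain usable.
    "Web": {("TCP", 80), ("TCP", 443)},
}


def rule(name, action, src_iface, group, *, log=False, enabled=True):
    """One BOT rule: action 'allow' or 'deny', a source interface and a service group."""
    return {"name": name, "action": action, "src_iface": src_iface,
            "services": SERVICE_GROUPS[group], "log": log, "enabled": enabled}


def build_rules(gaming_enabled):
    """Rule sequence in the order the page recommends: deny-without-log first."""
    return [
        rule("reduce firewall log", "deny", ANY, "Deny everywhere"),
        rule("Filesharing/Gaming", "allow", "Green", "High ports",
             enabled=gaming_enabled),
        rule("Ping from Green", "allow", "Green", "Ping Group"),
        rule("Web from Green", "allow", "Green", "Web"),
    ]


def service_matches(service, proto, value):
    """True if a (proto, port-or-range) service covers this protocol and port/type."""
    sproto, sport = service
    if sproto != proto:
        return False
    if isinstance(sport, tuple):
        low, high = sport
        return low <= value <= high
    return sport == value


def evaluate(rules, packet):
    """Decide a packet (iface, proto, port_or_icmp_type) with first-match semantics.

    Returns (action, logged). Packets no rule matches hit the default, which
    is blocked *and* logged: exactly the noise the deny rules at the top absorb.
    """
    iface, proto, value = packet
    for r in rules:
        if not r["enabled"] or r["src_iface"] not in (ANY, iface):
            continue
        if any(service_matches(s, proto, value) for s in r["services"]):
            return r["action"], r["log"]
    return "deny", True


if __name__ == "__main__":
    for enabled in (True, False):
        rules = build_rules(gaming_enabled=enabled)
        print(f"Filesharing/Gaming rule enabled={enabled}")
        for pkt in [("Red", "TCP", 445), ("Green", "TCP", 6881),
                    ("Green", "TCP", 23), ("Green", "ICMP", 8), ("Green", "ICMP", 3)]:
            print("  ", pkt, "->", evaluate(rules, pkt))
```

With the gaming rule enabled, a Torrent port such as TCP 6881 from Green is allowed while TCP 23 (a well-known port) still falls through to the logged default; with the rule disabled, the high port is blocked and logged again. TCP 445 from Red is blocked silently by the first rule whatever else is configured, and only ICMP types 8 and 0 pass the 'Ping Group' rule.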
Tips 'n' Tricks last changed 21. March 2006
Created 2006 by dotzball | Design by wintermute