





                             SafeFire Firewall

                                Version 1.0

                   Installation and Configuration guide.


               Copyright (C) 1999, Link Guard Solutions Ltd.



____________________________________________________________________________

Contents
____________________________________________________________________________


    0. Before you begin
    1. Introduction
    2. Installation
    3. Uninstallation
    4. Configuration
    5. SFIRE.CFG description


____________________________________________________________________________

0. Before you begin
____________________________________________________________________________


    WARNING: The SafeFire installation utility makes changes to PROTOCOL.INI.
             After these changes the Adapter and Protocol Services
             configuration utility is unable to use this file.

             If you need to make changes to your adapter and protocol
             configuration, run the SETUP.EXE that comes with SafeFire and
             choose the

                "Uninstall from system files"

             option and press OK. Then run Adapter and Protocol Services
             and make the desired changes. When the changes are done, run
             SETUP.EXE again and choose the

                "Update system files only"

             option to restore the settings required by SafeFire.


____________________________________________________________________________

1. Introduction
____________________________________________________________________________


    SafeFire Firewall is a Network Address Translation / Firewall utility
    for OS/2. It is designed to use the power and flexibility of the OS/2
    operating system: SafeFire is a pure 32-bit, highly multithreaded
    application.

    The Network Address Translation (NAT) feature allows a network to be
    connected to the Internet using only one real IP address, regardless
    of the number of PC's in the internal network, and allows PC's in the
    internal network to access almost all Internet services transparently,
    as if these PC's were connected to the Internet directly.

    Another advantage of using NAT is that all packets going to and from
    the internal network are checked for correctness and translated, so it
    is impossible to reach PC's in the internal net without special and
    controlled actions (see the description of the Port Mapper feature
    below); an internal net is therefore protected from external attacks
    even without any additional measures.

    The Packet Filter feature supported by SafeFire allows the system
    administrator to limit access of users in the internal net to Internet
    services, and external access from the Internet to the PC where
    SafeFire is running.

    The Port Mapping feature allows system administrators to move services
    accessible from the Internet behind the firewall while retaining
    controlled access to these services.

    Run-time configuration of the Packet Filter and monitoring of
    statistics are provided by various parts of SafeFire, using a simple
    command line utility.

    To achieve maximum performance and keep dependence on the LAN adapter
    minimal, SafeFire uses low level access to the adapter through the
    NDIS interface and a helper driver. This allows SafeFire to use any
    Ethernet LAN adapter that has a MAC NDIS driver for OS/2.


____________________________________________________________________________

2. Installation
____________________________________________________________________________


    SafeFire can be installed in two types of environment:

     o One LAN adapter is used for the connection to the ISP and to the
       local PC's

     o One LAN adapter is used for the connection to the ISP and another
       LAN adapter is used for the connection to the local PC's

    These cases are presented schematically below:

    [Diagram: One LAN adapter configuration (internal net PC's, HUB,
     PC with SafeFire, ISP)]

    [Diagram: Two LAN adapters configuration (internal net PC's, HUB,
     PC with SafeFire, ISP)]


    SafeFire relies on a correct configuration of the TCP/IP stack of the
    PC where it is installed.

    In the first case the IP address assigned by the ISP (i.e. the real IP
    address) should be assigned as the main IP address of the interface,
    and an IP address in the internal network should be assigned as an
    alias.

    The second case does not have such a limitation.

    In both cases IP forwarding should be turned on at the PC where
    SafeFire is installed.

    Client PC's should be configured as if they were connected directly to
    the Internet, with the PC where SafeFire is installed assigned as their
    default router. You should provide correct DNS settings for these PC's;
    it is highly recommended to set the DNS server address to the same one
    used by the gateway PC.


    The installation process is very simple:

    o extract the SafeFire package in a temporary directory

    o run INSTALL.EXE

    o choose the directory where SafeFire will be installed

    o choose the LAN interface connected to the external network
      from the list of available interfaces

    o press the OK button
      The installer will make appropriate changes in CONFIG.SYS and
      PROTOCOL.INI and will create backup copies of these files.

    After reboot SafeFire can be launched either by double clicking on the
    SafeFire icon in the SafeFire folder or from a command line:

        c:\SFire\bin>sfire.exe


____________________________________________________________________________

3. Uninstallation
____________________________________________________________________________


    The uninstallation process is simple too:

    o Run SETUP.EXE located in the \BIN sub directory of the SafeFire
      installation directory, from a command line or by double clicking the
      "Install/Uninstall" icon in the SafeFire folder.

    o Choose the "Uninstall and remove program files" action

    o Press the OK button

    The installer will make appropriate changes in CONFIG.SYS and
    PROTOCOL.INI and will create backup copies of these files. The
    installer will also remove the files that came in the SafeFire package,
    the program objects and the folder from the desktop. Your own
    configuration files will be preserved. Empty directories and SETUP.EXE
    must be deleted manually.

    After reboot the SafeFire NDIS helper driver will be removed from
    memory and the uninstallation process will be complete.


____________________________________________________________________________

4. Configuration
____________________________________________________________________________


    Configuration of SafeFire is done by editing the SFIRE.CFG
    configuration file.

    SafeFire comes with a sample configuration file called SFIRE.SMP.
    Copy it to SFIRE.CFG and change it to reflect your needs.

    NOTE: For editing SFIRE.CFG use an editor which retains the ASCII
          format of this file, for example the OS/2 System Editor (E.EXE).

    If no SFIRE.CFG is provided then SafeFire will use the default
    settings. See chapter '5. SFIRE.CFG description', where the default
    settings are described.


____________________________________________________________________________

5. SFIRE.CFG description
____________________________________________________________________________


    SFIRE.CFG is the main configuration file of SafeFire.

    SFIRE.CFG is split into sections; each section contains variables.

    The following sections are used by SafeFire:

        [nat]       - Network Address Translation section
        [ident]     - IDENT server section
        [remote]    - Remote control section
        [portmap]   - Port Mapping section
        [filter]    - Packet Filter section
        [key]       - License key section


    Each section defines variables. If the value of a variable is not
    set in SFIRE.CFG the default value is used.

    A description of the variables in each section follows:

        o Section [nat]

             enable

                possible values:  yes no

                description    :  This variable enables or disables Network
                                  Address Translation

                sample         :  enable = yes

             defragment

                possible values:  yes no

                description    :  This variable enables or disables
                                  processing of packet fragments. If this
                                  option is enabled then fragments will be
                                  saved and then correctly translated once
                                  the header fragment becomes available.

                sample         :  defragment = yes

             forward_ignored

                possible values:  yes no

                description    :  If this option is enabled then packets
                                  ignored by NAT will be forwarded to the
                                  internal net without translation.
                                  Otherwise such packets are dropped. This
                                  option does not affect packet filter
                                  checks, i.e. if the packet filter is
                                  enabled then these packets will still be
                                  checked by the packet filter.

                sample         :  forward_ignored = yes

             private_net

                possible values:  yes no

                description    :  If this option is enabled then NAT will
                                  limit the set of packets coming from the
                                  internal net to the private address
                                  ranges described in RFC1918:

                                  Class A: from 10.0.0.0    to 10.255.255.255
                                  Class B: from 172.16.0.0  to 172.31.255.255
                                  Class C: from 192.168.0.0 to 192.168.255.255

                sample         :  private_net = no

        o Section [ident]

             enable

                possible values:  yes no

                description    :  This option enables or disables the
                                  built-in IDENT protocol server. Keeping
                                  this server enabled is important for full
                                  IRC client support because most IRC
                                  servers require it.

                sample         :  enable = yes

             user

                description    :  This option sets the variable part of
                                  the IDENT server response.

                sample         :  user = os2user

        o Section [portmap]

             rule

                description    :  Each occurrence of this variable defines
                                  a rule for the port mapping feature. Each
                                  rule consists of two pairs of values
                                  delimited by a comma. Each pair consists
                                  of an address and a port number delimited
                                  by a colon. The first address:port pair
                                  determines the point where incoming
                                  connections go, and the second pair
                                  determines the point to which these
                                  connections will be redirected. You can
                                  use 0 instead of the first address; in
                                  this case the IP address of the LAN
                                  interface used by SafeFire is assumed.

                sample         :  rule = 0:80,10.0.1.1:8080

                                  Connections going to port 80 (WWW) of
                                  the LAN interface used by SafeFire
                                  will be redirected to port 8080 of
                                  the host 10.0.1.1 in the internal net.

        o Section [filter]

             enable

                possible values:  yes no

                description    :  This variable enables or disables a
                                  packet filter feature.

                sample         :  enable = yes

             default_policy

                possible values:  accept reject

                description    :  This variable sets the default policy of
                                  the packet filter. If this variable is
                                  set to 'accept' then packets which do not
                                  match any rule in the packet filter rules
                                  database will be accepted. Otherwise they
                                  will be rejected. For more details refer
                                  to FILTER.TXT.

                sample         :  default_policy = reject

             rule

                possible values:  a packet filter rule (see FILTER.TXT)

                description    :  Each occurrence of this variable defines
                                  one rule for the packet filter. The rule
                                  syntax is described in the appropriate
                                  chapter of FILTER.TXT.

                sample         :  rule = allow icmp from any to 192.168.1.0/24

        o Section [key]

             name
             key

            These two variables hold the license key.



    The default settings are listed below:

        o Section [nat]

            enable          = yes
            defragment      = yes
            private_net     = yes
            forward_ignored = no

        o Section [ident]

            enable          = yes
            user            = os2user

        o Section [filter]

            enable          = no
            default_policy  = reject

____________________________________________________________________________
____________________________________________________________________________

