Tutorial: Using Zones

In this tutorial we will build on what we have learnt in the first tutorial and introduce the concept of Zones. Zones allow you to precisely control which protocols are permitted between different groups of computers.

Introducing Zones

In Guarddog a zone is just a bunch of IP addresses. You may recall that IP addresses are like telephone numbers for machines on the internet. A zone more or less specifies a group of computers. Once a zone has been created we can use the Protocol tab to specify which protocols computers in the zone may use.

For example, if we know that the people at evil.com are evil and should not be trusted, we can restrict their access to our computer by first creating a zone called "Bad Guys", entering evil.com into that zone and then going to the Protocol tab and making sure that no protocols are selected between the "Bad Guys" zone and the "Local" zone. (The Local zone represents the local machine.) This way we can limit, or even completely block, evil.com's access.

Placing the Bad Guys in a zone and firewalling them out.

Editing Zones

Zones are specified and edited on the Zone tab. To the left of the Zone tab is the list of zones that have been defined. Guarddog has two built-in zones that you can't change: Local and Internet. Local is a zone simply containing the local machine, the machine that Guarddog is running on. Internet corresponds to any IP address that's not in another zone. Put simply, if an IP address is not in another zone it is assumed to be in the Internet zone.

The properties for the currently selected zone are displayed to the right of the zone list. Each zone has a name. The zone's name is used on the Protocol tab and should be kept short. A more descriptive comment can also be given to a zone.

The IP addresses that make up the zone are listed in the Zone Addresses list.

To the right of the window is the Connection list. Here it is possible to specify which other zones the current zone should be able to communicate with.

The Zone tab.

Warning

An IP address should only be in one zone at a time.

Creating a Demilitarised Zone

Let's put zones to work.

A good use of zones is to harden our firewall by setting up a "Demilitarised Zone" (DMZ). In network security a DMZ is a bunch of computers that are located in between the internet and an organisation's internal computer network. Computers in the DMZ are exposed to the internet and are usually performing tasks like serving web pages to the internet or handling email. Since these machines are exposed to the internet and to constant attack from outside, they are given limited access to the internal network. If an attacker gains control of a machine in the DMZ they don't automatically gain extra access to the internal network.

Even if you are not managing an internal network or a group of web servers or mail servers, you probably do make use of a group of computers that could be considered to be in a DMZ. For this tutorial we will set up a DMZ containing the mail server you use to send and receive email.

First go to the Zone tab and click on the New Zone button to create a new zone. The new zone will appear in the list of zones and will, oddly enough, be called new zone. Go up to the Name text box and change new zone to "DMZ". The name should be fairly short, but you can put a more descriptive comment in the comment text box.

Over to the right is the Connection list. It is just a group of checkboxes that let you specify which other zones the current zone is connected to. Put a tick in the Local checkbox to indicate that the DMZ zone is connected to the Local zone/machine. The DMZ/Local combination will only be available on the Protocol tab when this checkbox is ticked.

Now move over to the Protocol tab and make sure that Protocols Served from Zone: is set to DMZ. In the protocol list below there should be a column called Local. Open up the Mail group of protocols and tick POP2, POP3, and SMTP. The first two are used to fetch mail from a mailbox on a mail server. SMTP is used for sending mail. By turning these on for Local we are saying that we want the local machine to be allowed to use these mail protocols with the machines in the DMZ.

If the machines in your DMZ are also web servers you may also want to turn on HTTP, FTP and some other common protocols.

Once you have finished configuring Guarddog, Apply your changes and test your email program to see if you can still send and receive email.
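As an added example (not Guarddog's own code), the following Python models the zone rules this tutorial relies on: the built-in Local and Internet zones, the one-zone-per-address warning, the Connection list, and the "served from" direction of the Protocol tab, applied to the DMZ configured above. The addresses used are constructed samples.

```python
from ipaddress import ip_address, ip_network

class Zone:
    # A zone is just a named list of IP addresses (or networks).
    def __init__(self, name, addresses=()):
        self.name = name
        self.networks = [ip_network(a, strict=False) for a in addresses]
        self.connected = set()  # the zone's Connection list: names of other zones

    def contains(self, ip):
        return any(ip in net for net in self.networks)

class Firewall:
    def __init__(self, local_addresses):
        # Local and Internet are the built-in zones. Internet has no address
        # list: any address that is in no other zone falls into it.
        self.zones = {"Local": Zone("Local", local_addresses), "Internet": Zone("Internet")}
        self.served = {}  # (server zone, client zone) -> set of protocol names

    def add_zone(self, zone):
        self.zones[zone.name] = zone

    def connect(self, a, b):  # tick the Connection checkbox in both zones
        self.zones[a].connected.add(b)
        self.zones[b].connected.add(a)

    def serve(self, server_zone, client_zone, *protocols):
        # Protocol tab: the zone pair only appears there if it is connected.
        if client_zone not in self.zones[server_zone].connected:
            raise ValueError(f"{server_zone} and {client_zone} are not connected")
        self.served.setdefault((server_zone, client_zone), set()).update(protocols)

    def zone_of(self, address):
        ip = ip_address(address)
        hits = [z.name for z in self.zones.values() if z.contains(ip)]
        if len(hits) > 1:  # the tutorial's warning: an address belongs to one zone only
            raise ValueError(f"{address} is in several zones: {hits}")
        return hits[0] if hits else "Internet"

    def allowed(self, client_ip, server_ip, protocol):
        # May a client in one zone use `protocol` against a server in another?
        key = (self.zone_of(server_ip), self.zone_of(client_ip))
        return protocol in self.served.get(key, set())

def tutorial_firewall():
    # Constructed sample addresses: 192.0.2.10 is the local machine, 198.51.100.25 the mail server.
    fw = Firewall(["192.0.2.10"])
    fw.add_zone(Zone("DMZ", ["198.51.100.25"]))
    fw.connect("DMZ", "Local")
    fw.serve("DMZ", "Local", "POP2", "POP3", "SMTP")  # served from DMZ to Local
    return fw
```

Note the direction: protocols served from DMZ to Local let the local machine fetch and send mail through the DMZ, but do not let a DMZ machine open those same services on the local machine.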
