====== Settings ======

===== Configuration =====
  - Run //Network configuration// in Menu **System**. Make sure you assign the correct red interface which is passed to the vm from the physical Server.
  - //Edit hosts// in Menu **Network**. Add all hosts with static IPs here.
  - //DHCP server// in Menu **Services**. Make sure all interfaces are off, and refer to [[efw252:dnsmasq|DHCP Server - dnsmasq]]
  - Setup //Dynamic DNS// in Menu **Services**.
  - Click //Time server// and edit time zone.
  - Enable //Intrusion prevention// in Menu **Services**.
  - Setup //Port forwarding / NAT// in Menu **Firewall**. Add all ports you need to forward traffic to the respective machine, including HTTP(80) and HTTPS(443) to the web server. Make sure receiving machines such as NAS are configured correctly to access the internet.
  - Disable the Outgoing firewall in //Outgoing traffic//.

===== SSH Server =====
You need to enable the SSH Server to be able to login remotely without password.
  - run ssh-keygen on your host
  - copy the id_rsa.pub file to a USB stick, then attach the stick to the box, or use SCP file transfer
  - copy the host's id_rsa.pub file to /root/.ssh/authorized_keys
  - in the box' web interface, set __Allow public key based authentication__ only in //SSH access// in Menu **System**

===== Phishtank =====
You might want to disable phishtank to avoid false positives, for example on www.google.com
  - Modify the script which downloads the malware definitions from phishtank, add the following before the script code:<code>vim /usr/local/bin/getblackholedns
import sys
sys.exit(0)</code>The script normally gets invoked once a day through an entry in /etc/anacron.daily. Removing that entry does not help, as it is reestablished after a reboot.
  - Delete the malware definitions file, or modify the file to avoid the false positives:<code>rm /var/signatures/dnsmasq/phishtank.csv</code>
  - Remove the content of the conf file for dnsmasq. This file will be overwritten at next reboot, but because of the missing phishtank.csv it will be empty, however, it's necessary for a successful start of dnsmasq:<code>vim /var/signatures/dnsmasq/blackholedns.conf
:d9999d
:wq</code>

===== Firewall =====
==== SSH port forwarding ====
  * add hosts to be accessed from within the LAN to //Custom hosts// in menu //Network//
  * port forwards from RED to GREEN work for hosts behind a fixed ip address on RED when accessed from LAN
  * port forwards from RED to GREEN do not work for hosts behind a ddns ip address on RED when accessed from LAN. Make sure incoming and forward port range is the same to allow access from within the LAN.
==== iptables ====
Check whether the firewall is set and hit on a specific port with:<code>iptables -t nat -L -v -n</code>

===== Links =====
  * [[http://www.endian.com/fileadmin/documentation/efw-admin-guide/en/efw-admin-guide.html|Administrative Guide]]
  * [[http://www.yougetsignal.com/tools/open-ports/|Port Forwarding Tester]]