OpenSource For You

IPCOP Block Outgoing Traffic

The first article in the series, which appeared in the December 2011 issue of LFY, discussed IPCOP 1.4.21, its basic installation and configuration. Though an excellent firewall distro, basic IPCOP has limited functionality. To enhance it, various add-ons


IPCOP has an inherent lacuna in a very important area: it does not filter outgoing traffic based on TCP/UDP ports, but allows all outbound traffic (from the Green to the Red zone) on all ports. 'URL Filter' addresses the filtering of websites only. An interesting add-on for this functionality is 'Block Outgoing Traffic', also called Blockouttraffic or simply BOT. With it, IPCOP can filter outbound traffic based on Green IP/MAC addresses, Internet (destination) IP addresses and services (ports), offering granular control over outgoing traffic so that it conforms with corporate Internet access policies. To achieve this, BOT creates Linux iptables rules from the settings made in the Web-based GUI. BOT lets IPCOP divide the Green network into groups based on their IP (or MAC) addresses. These groups are then configured to access only the desired services, such as HTTP, FTP, telnet, SSH, DNS, etc., either singly or as service groups. Control can be tightened further by allowing the services, or service groups, only to the required Internet addresses.

The parameters of a typical request from the internal network to the Internet include:

  Source: the IP address and the MAC address
  Destination: the IP address and MAC address (that of the default gateway)
  Source: port number (TCP or UDP)
  Destination: services

BOT allows the administrator to configure various groups by different parameters, as elaborated in Table 1.
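To make concrete what "BOT creates Linux iptables rules" means for the parameters listed above, here is an added example (not code from IPCOP or the BOT add-on) that prints the kind of rule set BOT would generate for one Green group: a workstation identified by IP and MAC, allowed HTTP/HTTPS and DNS anywhere but SSH only to one Internet address, with everything else from Green to Red logged and dropped. The interface names, the chain name BOT_OUT, the addresses and the MAC are assumed or constructed.

```shell
#!/bin/sh
# Added example, not IPCOP/BOT code. Rules are printed, not applied, so a
# reviewer can read them before a root shell runs them on the firewall.

GREEN_IF="eth0"   # assumed Green (internal) interface
RED_IF="eth1"     # assumed Red (Internet) interface
CHAIN="BOT_OUT"   # hypothetical chain name; BOT's real chain names may differ

# Emit one ACCEPT rule per port for a Green host. The source MAC and the
# destination Internet address are optional ("any" leaves them unrestricted).
# usage: bot_allow <green_ip> <mac|any> <dst_ip|any> <tcp|udp> <port>...
bot_allow() {
  ip="$1"; mac="$2"; dst="$3"; proto="$4"; shift 4
  for port in "$@"; do
    rule="iptables -A $CHAIN -i $GREEN_IF -o $RED_IF -s $ip"
    if [ "$mac" != any ]; then
      rule="$rule -m mac --mac-source $mac"   # pin the rule to the host's MAC
    fi
    if [ "$dst" != any ]; then
      rule="$rule -d $dst"                    # restrict to one Internet address
    fi
    echo "$rule -p $proto --dport $port -j ACCEPT"
  done
}

# A complete Green->Red policy: hook the chain into FORWARD, list the group's
# allowed services, then log and drop whatever did not match (default deny).
bot_policy() {
  echo "iptables -N $CHAIN"
  echo "iptables -A FORWARD -i $GREEN_IF -o $RED_IF -j $CHAIN"
  # Constructed group: workstation 192.168.1.10 (MAC 00:11:22:33:44:55) may
  # browse and resolve names anywhere, but SSH only to assumed host 203.0.113.5.
  bot_allow 192.168.1.10 00:11:22:33:44:55 any tcp 80 443
  bot_allow 192.168.1.10 00:11:22:33:44:55 any udp 53
  bot_allow 192.168.1.10 00:11:22:33:44:55 203.0.113.5 tcp 22
  echo "iptables -A $CHAIN -j LOG --log-prefix 'BOT-DROP: '"
  echo "iptables -A $CHAIN -j DROP"
}

bot_policy
```

Return traffic for these connections comes back Red to Green and is handled by IPCOP's own stateful rules, so only the outbound direction needs to be listed here.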
