FireBrick

FireBrick - Firewalls, Bonding ADSL, Routers, Traffic Shaping...

FireBrick 105 Features

Details of how to obtain and activate optional features for your FireBrick are available here.

Out-of-the-box Protection

  • Simply connect FireBrick between your computer or network and your internet connection
  • Provides instant firewall protection using default filter rules, without any configuration, in a typical application
  • Uses Stealth mode to route traffic between WAN and LAN without needing an IP address
  • Select one of the 4 most common configurations using the simple Factory Reset procedure
  • Load a pre-defined configuration file for instant bespoke configuration

Easy-to-use web-based configuration pages

  • Use any web browser, no bespoke configuration software needed
  • Access from LAN or WAN, with password protection
  • Multiple Administrative Users, each with configurable access restrictions, including read-only
  • Configurable User Interface (e.g. choose subnet masks format, date format, etc.)
  • FireBrick Configuration can be saved to a PC, and reloaded to FireBrick
  • Software upgrades - download free from website, and load easily using web browser
  • LEDs on FireBrick for configurable at-a-glance diagnostics

Managed Switch

  • WAN port and 4 port LAN Switch as default
  • WAN and LAN can be swapped (e.g. to use switch for multiple WAN connections)
  • All ports RJ45, 10/100Mbps, Full/Half Duplex, Auto Crossover, fully configurable
  • Throughput 100Mb/s switching, approx. 14Mb/s routing (typical)
  • Built-in Cable Tester - diagnose cable shorts or breaks, disconnected or powered-down far end, distance to damage or far end, etc.
  • Optional 5 Port Feature - all 5 ports independent, create DMZs etc.
  • Optional VLAN Feature - VLAN tagging for when 5 ports are not enough

Session Tracking Firewall

  • Default filters for most typical requirements, but fully customisable
  • Ordered filter matching on new sessions
  • Session tracking with configurable time-outs
  • Filter on source and/or target ports and protocol (e.g. allow in TCP port 80 to web server)
  • Filter on source and/or target IP addresses
  • Use IP and Port Groups for source and/or target
  • Filter on source and/or target interface(s) (e.g. WAN, LAN, DMZ, Tunnel, etc.)
  • Filter on TCP SYN and TOS
  • Each rule can Allow, Drop, Bounce, or Reject
  • Notify using Alert LED and log (configurable)
  • With optional Reporting Feature, stats by syslog, email, and SNMP

Stealth

  • Allows FireBrick to be plugged between WAN & LAN and filter traffic without having its own IP address
  • Passes ARP requests between WAN and LAN
  • ARP request/reply is tracked to avoid ARP stealing
  • Makes FireBrick invisible to traceroute and portscans
  • Easily disabled - configure as router with own IP address(es)

Status Information

  • Log file records all critical events (configurable)
  • Full RMON stats available for the routing core and each of the 5 ports
  • Throughput stats available for each filter rule, with per-second, per-5-minute, per-day and total counts
  • Session list - shows all active sessions. Filter list by various parameters such as protocol
  • DHCP report - shows all DHCP allocations, including renewal time, machine name and MAC
  • ARP cache report - shows all active ARPs requested by FireBrick
  • MAC cache report - shows all visible MAC addresses on per port basis
  • Optional Reporting Feature for syslog, email and SNMP

IP Groups

  • Define groups of addresses (e.g. addresses of all your web servers)
  • Use IP group by name in multiple places (e.g. filters)
  • Allows a single control (e.g. filter) to apply to many IP addresses, so reducing number of filters required
  • Allows even single addresses to be given a logical name, for ease of use
  • IP of logged-in user - a special group ideal for allowing timed pinhole access from a dynamic IP address

Port Groups

  • Port groups - Define sets of protocol/ports (e.g. TCP 1024-65535->80/443 for web traffic)
  • Use Port Group by name in multiple places (e.g. filters)
  • Allows a single control (e.g. filter) to apply to many protocol/ports, so reducing number of controls required
  • Allows even single protocol/port to be given a logical name, for ease of use

Subnets

  • Define multiple subnets on multiple interfaces, each with:-
    • DHCP server with persistent allocation, configurable IP range, gateway, DNS servers, etc.
    • DHCP client, configurable, works with any standards-compliant server
    • Network Address Translation (NAT)
    • VLAN ID (with optional VLAN Feature)
  • FireBrick uses different MAC address for each subnet
  • Multiple DHCP client subnets with different MACs (useful for some cable modem installations)
  • DHCP Restrict - allocate specific addresses or subnets to specific machines, based on name or MAC of machines
  • DHCP Mirror -
    • allows a DHCP allocated address (e.g. from cable modem) to be passed on to another machine, via DHCP server
    • holds allocation while the other machine is switched off (useful if allocated address is dynamic)
  • Supports /31 subnets (RFC 3021; not widely supported, so use with care)

Routing

  • Normal and Stealth routing
  • Ordered routing rules (first criteria match is followed)
  • Routes can be placed before or after routing to subnets
  • Routing match criteria:-
    • Route on source interface(s)
    • Route on target IP, port and/or protocol
    • Route on source IP, port and/or protocol
  • Routing actions:-
    • Route to general interface or specific subnet/tunnel
    • Tag route as NAT or no NAT
    • Specify gateway address for ethernet routes
    • Proxy ARP (not a routing action as such)
  • Weighted routing (%) with optional Bonding Feature (e.g. for load sharing between multiple links)

Mapping

  • Map IP address and/or port of sessions
  • E.g. map incoming traffic to internal server on private IP address
  • Mapping match criteria:-
    • Any traffic, including stealth (make it routed)
    • Source IP, target IP, port/protocol
    • Source interface(s), target interface(s)
  • Mapping action - change some or all attributes:-
    • New target interface (and specific subnet/tunnel)
    • New source IP (with option for self using 255.255.255.255)
    • New target IP
    • New target port
    • Block IP mapping (mapping a whole range of addresses) when a direct range of IPs is used (not when an IP group is used)
  • Weighted mapping (%) with optional Bonding Feature (e.g. for load sharing between web servers)

Profiles

  • Profiles are used to modify the FireBrick's behaviour according to circumstance
  • Enable/disable rules (routing, subnets, filters, mapping, users, tunnels, shaping, etc.)
  • Standard FireBrick includes fixed time-based profiles:-
    • "24/7" is default (always active) profile
    • "9-5 M-F" is 9am-5pm Monday-Friday (typical working hours)
    • "2am Sunday" is 2am-3am Sunday (ideal for things that must be done occasionally)
    • "NOT" profiles available, "NOT 24/7" being never (i.e. disabled)
  • Optional Profiles Feature for configurable time, manual and ping-scan profiles

Optional Features

  • All above-mentioned features are included as standard; the following are optional
  • This means a simple pricing structure - buy the base model and optional features as required
  • There are no ongoing charges, per user licenses, or software upgrade fees
  • Features can easily be added as you need them, over the internet in a few seconds

Extras Feature (optional)

  • More of everything (e.g. 100 filter rules instead of 30)
  • Creates price difference between simple and complex applications
  • See Manual for full list of extras

Shaping Feature (optional)

  • Allows different types of traffic to be allocated different bandwidth and priority
  • Ensure high priority traffic (e.g. Voice-Over-IP) always has sufficient bandwidth and minimum latency
  • Ensure low priority traffic (e.g. email) does not affect time-critical services
  • Speed lanes define min/max bandwidth, and queue-jumping priority
  • Shaping rules identify traffic (like filter rules) and choose relevant speed lane
  • Master speed lanes ensure aggregate traffic does not fill link, for minimum latency
  • Fast Priority causes all traffic in specified lane to jump queue in master lane
  • Fast ACK allows TCP ACKs (no payload) to jump queue, for faster browsing
  • Fast QOS allows priority service type (TOS) to jump queue
  • Bandwidth trade-off between speed lanes if required
  • Usage is metered for each speed lane, useful for monitoring (available by SNMP with Reporting Feature)
  • Useful for selling bandwidth to tenants in shared or managed offices

Profiles Feature (optional)

  • In addition to simple fixed time profiles in a standard FireBrick
  • Time profiles - configurable hour by hour, day by day (7 days a week)
  • Manual profiles - allows user to enable/disable configurations via web interface
  • Ping profiles:-
    • Ping other machines to monitor network health
    • Ping using specific interface, gateway, and TTL (if multiple paths exist)
    • Notify users of a problem (see Reporting Feature)
    • Implement Automatic Fallback if a link fails
  • Combine profiles using AND and/or OR for complex monitoring requirements
  • Use with Bonding Feature to provide fallback resilience on multiple lines

Tunnels Feature (optional)

  • Tunnels are a way to create a virtual route from one FireBrick to another over an IP link
  • Allows Virtual Private Networks (VPNs) to be created between FireBricks
  • Once created, a tunnel appears as a virtual interface in the FireBrick, for routing and filtering of content
  • Useful for routing fixed public IP addresses to remote sites, even sites on dynamic IP addresses
  • The protocol is proprietary but documented, and there is at least one Linux implementation freely available
  • The protocol allows authentication of tunnels by IP and MD5/secret (but tunnel traffic is not encrypted)
  • The protocol uses UDP port 1 and survives NAT, so it is easy to route through unusual networks

Reporting Feature (optional)

  • Provides Status Information events by a variety of means:-
    • Email
    • Syslog
    • SNMP - usage of each port (basic and RMON), each speed lane, and each filter rule
  • Provides stats (to log, syslog, or email) every 5 minutes, showing usage of each filter, speed lane, and interface
  • If Ping profiles used (see Profiles Feature), notify failure by log, syslog, or email

Bonding Feature (optional)

  • Provides Bonding of multiple links (e.g. multiple ADSL lines)
  • Automatic Fallback - use Profiles Feature to monitor links and fallback if one fails
  • Uplink Bonding:-
    • Sends packets to all uplinks on a round robin basis
    • Provides true aggregate uplink capacity even on a single data transfer session
    • Handles up to 4 routers (e.g. 4 ADSL lines)
  • Downlink Load Sharing:-
    • Distributes traffic on a session-by-session basis over multiple links
    • Uses NAT on outgoing sessions to ensure replies come via a specific link
    • Provides aggregate downlink capacity on multiple outgoing sessions
    • Downlink capacity on any individual session will be limited to the link it uses
    • Weighted routing allows for different capacity links
  • Tunnel Bonding (with Tunnels Feature):-
    • True aggregate bonding of both uplink and downlink - create a true fat pipe
    • Ideal for running busy servers on ADSL lines
    • Seamless Fallback if one or more links fails (does not need Profiles Feature)
    • Specific traffic types (TOS) handled specially to avoid issues with packet reordering affecting protocols like VoIP
    • Requires a second FireBrick at the far end of the multiple links (typically hosted by an ISP)
    • Total throughput limited to around 6Mbps
  • Weighted routing (%) for load sharing between multiple routes (e.g. downlink load sharing)
  • Weighted mapping (%) for load sharing between multiple machines (e.g. web servers)

5 Port Feature (optional)

  • All 5 ethernet ports can be independent
  • Any combination of independent or switched ports
  • Individual firewall filtering on each logical interface
  • Create multiple Demilitarised Zones (DMZs) for servers etc.
  • Useful for complex routing scenarios
  • Full 100Mbps switching between ports on same logical interface

VLAN Feature (optional)

  • VLAN (virtual local area network) allows multiple LANs to share the same infrastructure (switches and interlinks) whilst remaining independent (i.e. providing multiple independent LANs in a virtual way)
  • VLAN subnets allow the FireBrick to operate with an external VLAN tagging network switch
  • Use FireBrick to route and filter traffic between groups of ports on the VLAN switch
  • Use VLAN switch to effectively expand number of ports available to FireBrick
  • Ideal for a serviced office - can provide up to 30 VLAN subnets (with Extras Feature)
  • FireBrick DHCP Server can allocate addresses according to VLAN tag of requesting machine

Notes

  • More information can be found in the on-line Manual.
  • The FireBrick protects your network from attacks at the IP level, but is only as good as you configure it to be.
  • It is not a substitute for regular virus checking, as viruses can arrive by a number of methods (web, email, zipped files, Word documents, floppy disks, etc.)
  • Whilst the FireBrick is a well-established product with many years of use in the field, it is constantly being enhanced with new features and improvements. As such these specifications are subject to change without notice.