In this tutorial we will build on what we have learnt in the first tutorial and introduce the concept of Zones. Zones allow you to precisely control which protocols are permitted between different groups of computers.
In Guarddog a Zone is just a bunch of IP addresses. You may recall that IP addresses are like telephone numbers for machines on the internet. A Zone more or less specifies a group of computers. Once a Zone has been created we can use the "Protocol" tab to specify which protocols computers in the Zone may use.
For example, if we know that the people at evil.com are evil and should not be trusted, we can restrict their access to our computer by first creating a Zone called "Bad Guys", entering evil.com into that Zone and then going to the "Protocol" tab and making sure that no protocols are selected between the "Bad Guys" zone and the "Local" zone. (The "Local" zone represents the local machine.) This way we can limit, or even completely block, evil.com's access.
Zones are specified and edited on the "Zone" tab. To the left of the "Zone" tab is the list of Zones that have been defined. Guarddog has two built-in zones that you can't change. They are "Local" and "Internet". "Local" is a zone simply containing the local machine, the machine that Guarddog is running on. "Internet" corresponds to any IP address that's not in another zone. Put simply, if an IP address is not in another zone it is assumed to be in the "Internet" zone.
The properties for the currently selected zone are displayed to the right of the Zone list. Each Zone has a name. The Zone's name is used on the "Protocol" tab and should be kept short. A more descriptive comment can also be given to a Zone.
The list of IP addresses that make up the Zone are in the "Zone Address" list.
To the right of the window is the "Connections" list. Here it is possible to specify which other Zones the current Zone should be able to communicate with.
Let's put Zones to work.
A good use of Zones is to harden our firewall by setting up a "Demilitarised Zone" (DMZ). In network security a DMZ is a bunch of computers that are located in between the internet and an organisation's internal computer network. Computers in the DMZ are exposed to the internet and are usually performing tasks like serving web pages to the internet or handling email. Since these machines are exposed to the internet and under constant attack from outside, they are given limited access to the internal network. If an attacker gains control of a machine in the DMZ they don't automatically gain extra access to the internal network.
Even if you are not managing an internal network or a group of web servers or mail servers, you probably do make use of a group of computers that could be considered to be in a DMZ. For this tutorial we will set up a DMZ containing the mail server you use for sending and receiving email from.
First go to the Zone tab and click on the "New Zone" button to create a new zone. The new zone will appear in the list of zones and will, oddly enough, be called "new zone". Go up to the "Name" text box and change "new zone" to say "DMZ". The name should be fairly short, but you can put a more descriptive comment in the comment text box.
Over to the right is the "Connection" list. It is just a group of checkboxes that let you specify which other zones the current zone is connected to. Put a tick in the "Local" checkbox to indicate that the "DMZ" zone is connected to the Local zone/machine. The combination of DMZ and Local zone will only be available on the Protocol tab when this checkbox is ticked.
Now move over to the "Protocol" tab and make sure that "Protocols Served from Zone:" is set to "DMZ". In the protocol list below there should be a column called "Local". Open up the "Mail" group of protocols and tick POP2, POP3, and SMTP. The first two are used to fetch mail from a mail box on a mail server. SMTP is used for sending mail. By turning these on for "Local" we are saying that we want the Local machine to be allowed to use these mail protocols with the machines in the DMZ.
If the machines in your DMZ are also web servers you may also want to turn on HTTP, FTP and some other common protocols.
Once you have finished configuring Guarddog, "Apply" your changes and test your email program to see if you can still send and receive email.
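To make the zone rules above concrete, here is a small Python model of the policy this tutorial builds. It is an added illustration, not Guarddog's own code or the iptables rules it generates. It models the three ideas the tutorial relies on: a zone is a set of addresses, any address in no defined zone falls into the built-in "Internet" zone, and a protocol is permitted between a pair of zones only when the pair is connected on the Zone tab and the protocol is ticked for it on the Protocol tab. The addresses (the local machine, the mail server entered in the DMZ's Zone Address list, and an unrelated internet host) are constructed sample values from documentation ranges, and the port numbers are the standard ones for each protocol.

```python
"""Model of Guarddog-style zone policy (added example, not Guarddog's code).

Assumptions: a zone is a list of IP networks; the Local zone holds this
machine's own addresses; an address in no defined zone is in "Internet";
a protocol between a server zone and a client zone is permitted only when
the two zones are connected and the protocol is ticked for that pair.
All addresses below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass, field

# Protocol name -> (transport, port); the entries of the "Mail" group plus HTTP.
PROTOCOLS = {
    "POP2": ("tcp", 109),
    "POP3": ("tcp", 110),
    "SMTP": ("tcp", 25),
    "HTTP": ("tcp", 80),
}


@dataclass
class Zone:
    name: str
    addresses: list = field(default_factory=list)  # ipaddress networks
    connected: set = field(default_factory=set)    # names of connected zones


@dataclass
class Policy:
    zones: dict = field(default_factory=dict)
    # (server_zone, client_zone) -> set of protocol names ticked for that pair
    served: dict = field(default_factory=dict)

    def add_zone(self, name, addresses=()):
        self.zones[name] = Zone(name, [ipaddress.ip_network(a) for a in addresses])

    def connect(self, a, b):
        # Ticking "Local" on the DMZ zone makes the DMZ/Local pair available;
        # the connection is a property of the pair, so record it both ways.
        self.zones[a].connected.add(b)
        self.zones[b].connected.add(a)

    def serve(self, server_zone, client_zone, *protocols):
        # The Protocol tab only offers a pair once the zones are connected.
        if client_zone not in self.zones[server_zone].connected:
            raise ValueError(f"{server_zone} and {client_zone} are not connected")
        self.served.setdefault((server_zone, client_zone), set()).update(protocols)

    def zone_of(self, ip):
        """Return the zone an address belongs to; "Internet" is the catch-all."""
        addr = ipaddress.ip_address(ip)
        for zone in self.zones.values():
            if zone.name != "Internet" and any(addr in net for net in zone.addresses):
                return zone.name
        return "Internet"

    def permits(self, client_ip, server_ip, transport, port):
        """True if a client in one zone may reach a server in another on this port."""
        pair = (self.zone_of(server_ip), self.zone_of(client_ip))
        allowed = self.served.get(pair, set())
        return any(PROTOCOLS[name] == (transport, port) for name in allowed)


def tutorial_policy():
    """The DMZ set-up from this tutorial: mail protocols served from DMZ to Local."""
    p = Policy()
    p.add_zone("Local", ["127.0.0.1/32", "192.0.2.50/32"])  # this machine (constructed)
    p.add_zone("Internet")                                   # built-in, no addresses
    p.add_zone("DMZ", ["198.51.100.25/32"])                  # the mail server (constructed)
    p.connect("DMZ", "Local")
    p.serve("DMZ", "Local", "POP2", "POP3", "SMTP")
    return p


if __name__ == "__main__":
    p = tutorial_policy()
    print(p.permits("192.0.2.50", "198.51.100.25", "tcp", 110))  # Local fetching mail: True
    print(p.permits("203.0.113.7", "198.51.100.25", "tcp", 25))  # Internet host to DMZ: False
```

Two things the model makes visible that the dialogs do not: the "Internet" column covers every address you did not explicitly place in a zone, so a mail server left out of the DMZ's address list silently falls back to the Internet rules, and the direction matters: ticking POP3 under "Protocols Served from Zone: DMZ" lets the Local machine connect to the DMZ, not the other way round.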