eBox users guide

This guide is intended for those people who already has eBox platform installed, or those who are evaluating its installation and want to know briefly its working and its possibilities.

If your interest is focused on the internal working of this program or wants to learn how does the platform, which is written eBox with, please consult the "eBox Developers Guide".

eBox is a framework which has network services and a management application, for these services, through a web interface. Some of them are: firewall, file sharing, proxy-cache, content filter, mail server, NTP server, DHCP server, printer server, Jabber server and network objects management.

eBox has a modular design, so it's possible its installation without all the available modules described on this guide. Anyway, you can check the information about the modules you don't own and inquire if they are useful for you, necessary or have an important real value for your current eBox platform.

Default URL to access to eBox administration interface is https://hostname/eBox, where hostname is the IP address or the hostname where eBox is installed.

User interface is divided on three main parts:

An important detail of eBox is its way to do effective every change on the application. In other words, how and when changes will be saved.

There are some exceptions when it's not necessary to "Save Changes". Just enough doing an action on the form where we are will make the work. These are the cases:

Interface general configuration is accessed through System → General from the left menu.

From this section you can make three major changes over the eBox management interface:

You can get eBox backups management through System → Backup from the left menu.

From the backup page, you can make a copy of the last saved eBox state or restore previous saved backups. Two backup modes are available in eBox which are described below.

Our web interface to halt or reboot the computer where eBox is installed in, is reachable through System → Halt/Reboot.

You shouldn't forget that if your eBox system is your Internet gateway, you will lose connection to the global network meanwhile eBox is halt.

If you find a problem while eBox is running, you can fill a file with the bug report at System → Bug report and send it by e-mail to support@ebox-platform.com

You can access to date/time configuration in System → Date/Time and System → Timezone .

At System → Date/Time , you can adjust eBox date and time. There are two different options to adjust date and time correctly: by hand, setting as "Disabled" NTP Server synchronisation, and using an external NTP Server, setting as "Enabled" NTP synchronisation.

At System → Timezone you can configure the system timezone. You just need to select you geographic zone from the list at the left, and a city from the list at the right, both belonging your time zone, and accept your configuration.

Each eBox module status is managed from here instead of having to enable every module from one of its configuration page. This allows us to have in a single sight which modules are enabled analogously the module summary in Summary page. Each eBox module is disabled by default including base modules such as Network (Chapter 3) or Firewall (Chapter 6).

There are modules which depends on another to be enabled. In a typical installation, for example, the squid module has a chain of dependencies to be enabled as shown: squid -> firewall -> network. So to enable Squid module, firstly the dependant modules must be enabled first. A module may have multiple module dependencies to work.

The first time you enable a module, eBox will ask to perform several actions and file modifications that you must accept explicitly to enable the module. This is so to comply the Debian policy which indicate that every package must manage its own data and if it modifies configuration/data from other packages the user must accept explicitly those modifications. Every action to perform has a reason which is explained accordingly. Until you save changes, the modules that you may enable would not be committed.

Every time a user make a modification in an eBox-controlled file, eBox will realise that a change may be done when saving changes. And it will ask you again to override your changes. This monitoring is only done on those modules which are enabled. If every configuration setting is done through eBox UI, no more dialogues of this kind will be shown.

In order to disable a module, just click status column of the desired module. If the module is a dependency from other modules, this action will disable them as well.

You can enter into network interfaces configuration at Network → Interfaces at the left menu.

For each network interface we can choose a new name and its configuration. Available configurations are:

You can set IP addresses for the name servers that you want to use to resolve host names. You may set as many name servers as you want, the first one is primary one which whether it becomes down, the secondary one is used instead and so on.

You can use this tools to check if your network settings are correct.

Selecting Network → Diagnostics you could make a ping to a reachable host through your network interfaces, or you can resolve a domain name.

The output of this operations will be shown on this page, corresponding with the standard output of the GNU/Linux commands ping and dig.

Through this section you can set the gateways where your network traffic is directed. It is very useful in order to split or do balance your Internet traffic.

Choosing Network → Gateways you could add as many gateways as you want. The following attributes are required when adding a gateway:

The correct values for upload and download rate are critical to ensure the correct functionality from traffic shaping module.

Once you have added a gateway, it will appear at the Gateway list . Then, you can delete it or edit the values set previously through the icons which appear on the right side of the list.

In advanced configurations, defining a set of gateways and rules to applied them is not sufficient. Thus the user defined Example 3.1 routing table may help:

In those cases, we may use static routes. This table specifies those networks whose traffic is redirected to a fixed gateway, which must be reachable from eBox host. Each route must have an unique network to route. Moreover, an optional description is provided to allow administrator to add information to the route and ease so the maintenance.

Network objects are an easy way to give a name to a network item, or a group of them. They are used to simplify network configuration management, allowing you to choose different behaviors for each item or group of them with just a descriptive name.

Network objects can be used, for instance, to five a name to an IP or a group of IPs. If the object is a group of IPs, instead of defining some rules for each IP, every IP inside the object will acquire that configuration.

Network objects used by eBox can be created, modified and erased in an easy and intuitive way using the web interface.

You may add as many objects you want. A name must be provided to the object. After that, you may enter into members field where you may define:

Editing an object or a member of it is done by clicking the pencil icon in Action field. Likewise the object/member removal is done by clicking on the trash can icon.

As it happened in Chapter 4, the network services are an abstraction to ease the management of your network. Each network service describes a set of ports for Internet protocols where service accepts requests. Providing a name plus an optional description allows you to manage the network service policies more intuitively and less error-prone.

The network services are used by firewall module (Chapter 6) and traffic shaping module (Chapter 19). Anyway, as eBox philosophy every feature which use a network service must use this module to work with and ease the administration life.

In order to get the network service management you may go to Services.

As you may notice, there are several services which have been created by eBox for you. These services are used by eBox modules afterwards. For instance, dhcp service is described as an internal service called 'Dynamic Host Configuration Protocol'.This service is read-only as it is already managed by dhcp module automatically. Each service has a configuration where the service protocol, well-known source and destination ports are set. There are three special services which define the generic abstraction for every service (any) and every TCP/UDP service. They are entered to handle easily rules defined in other modules that depends on this network services.

You may input a new service with these following elements:

You might inspect several system-defined services prior to add your own ones. Anyway, a user-defined service may be created when additional network services be installed on top of an eBox installation, for example introducing FTP (File Transfer Protocol) service.

One of the most important features in eBox is its firewall module. You can access it through Firewall . There you can make packet filtering (Section 6.3) or port redirection (Section 6.2).

The firewall has different behaviour with external or internal network interfaces.

The internal interfaces are connected to local networks. They had not restrictions as the external interfaces have.

The external interfaces are connected to external networks and eBox only allows redirections from them.

Port redirects allow to get external traffic into a host behind a eBox system with firewall module installed. You can get the configuration of these options at Firewall → Redirects .

If you need to add a new redirect, first select your desired Interface which will listen incoming connections. This should be one of the interfaces previously selected as external. Moreover, it should be assigned the External port where you expect your incoming traffic, and the protocol that will be used.

You should enter the destination system IP address and its Port where packets would go on.

Once you have selected this data, you just need to select between the different Actions, the Add one, and click on it.

To remove a rule, you should select remove between the available Actions, and click on it.

Redirect configuration can be modified by changing its parameters and clicking on their modify Actions.

From Firewall → Packet filter you can configure packet filter rules. You may use the abstractions provided above such as network services and network objects. Using these concepts enhances the rules flexibility and clearness, reducing the amount.

At first sight, we have five different traffic flows to set your firewall rules to them.

Take into account to the last two set of rules that it is granted access to untrusted networks to your managed networks. This may compromise your network security. As eBox secure by default policy recommends, do not modify these rules unless you know what you are doing. The figure Figure 6.1 try to make up the concept:

Figure 6.1. Firewall rules set

The deny policy for eBox firewall is a ignorance one. Every denied packet is filtered and discarded without any notification.

Every set of rules define a fixed behaviour for the traffic flows that they apply. These rules will be matched from top to the bottom, thus order is important. Each rule consists of these following fields, some of them are only available to several rule set by construction:

eBox can automatically upgrade your system software. This option can be enable at Software → Configuration

When you make automatic the system software update, it will be easier to keep an up-to-date system, avoiding possible bugs or security problems as soon as a solution appear.

At Software → eBox components you can install, upgrade or remove different existing eBox packages. Some packages won't be uninstalled, so these are needed for eBox correct working.

You can manage the software at the system where eBox is installed with the same ease as components management.

Through HTTP Proxy → General you can access into the eBox's proxy HTTP general configuration.

At the configuration window these options are detailed:

At HTTP Proxy → Filter settings, you can select the filter settings to those elements of this network which set their policy to filter.

You may set the content filter threshold which establishes a restriction level to web contents with explicit sex and violence items to be filtered by the proxy.

To perform a more detailed filter policy. A tab menu is shown with the following elements:

Through HTTP Proxy → Objects' Policy it is possible to establish one connection policy for every network object, allowing a different configuration for each newly created objects. This configuration will be applied previously to the eBox global policy for the selected objects.

NTP server can only be enabled or disabled at Module status by clicking on "enable" at its row as it is explained in Section 2.6.

If it's "Enabled", clients with eBox as NTP Server will have its date and time configuration synchronised with eBox one, whose configuration can be configured following the instructions at Date/time configuration.

Through Users → Add user is possible to create eBox users and modify their configuration.

If you want to create a user, you just need to enter required information on the form, at the configuration window, and click Create. There are fields to enter user name, real name, user comments, its password (with confirmation) and its user group which will belong to, if any.

After that, configuration for each created user can be modified, selecting the user from the table available at Users → Edit User and click on Pencil icon.

User edit window is dynamic, which means that its content can change depending on the eBox modules installed. There are two parts that will ever exist: on the upper zone, general user information will be shown to give the chance to modify it, including its comment, name and password (with confirmation); on the bottom you can see a Delete button that you can click to remove the eBox user, and its dependencies with the installed modules. Between these parts, new information about each installed and enabled eBox modules can appear, including user-related options about: mail accounts, file sharing, printers sharing...Each section is explained in the module which belongs to.

Entering into Groups you can create new groups or edit current groups configuration.

To create a new group, you just need to enter a group name, a comment about the group (optional) and click "Create".

If you want to edit a group, you have to follow the same procedure as with users. Just select it from the selection list at the bottom part and click Edit.

Group edit window is dynamic as users edit window is. It includes the same two blocks: first one to edit comment group and choose which users belongs to the group, and the second one to Delete the selected group and all the dependencies with the installed modules. Between these two parts, group-related information of each eBox module installed, will be shown here.

You can add new printers on eBox at Printers → Add printer . Each new printer could be shared on your network, allowing or not users and groups accesses.

Adding a new printer requires to know some information like how it's connected with eBox, manufacturer, model and driver if you want to get a full-working system. eBox will ask the information and will offer existing possibilities to configure the new printer.

Going into Printers → Printers admin you can access into eBox printer administration.

We can review and modify the printer sharing current status in the system, and see the printer list configured on the system. We also can remove them from eBox or modify its status and its current parameters.

Any moment after the addition of a new printer, you can remove it clicking at its own corresponding action, or access to its specific configuration clicking at "Edit" on that printer.

If you decide to edit the printer configuration, a four-tabbed windows will appear, which give access to each configuration item on the printer management:

You can get into file sharing configuration entering into File sharing . To activate file sharing, check out Section 2.6 for details on how to do it.

There are two working modes to this module. It can behave as a simple File Server using SMB/CIFS protocols or as well as a centralized authenticate method using Primary Domain Controller (PDC) to login on Windows NT-based.

Both working modes needs the following fields configured:

This list of settings makes only sense in PDC mode:

If file sharing module is installed and enabled in eBox, you may want to share files among users within the same group or publish files within the local network. To achieve so, you should go into Users and edit the user which can publish files on the local network. There, you can enable this user to do so and , furthermore, you can set him administrative rights to add machines to the domain, if the working mode is PDC. Check User accounts to know more about the eBox user configuration.

If you want to share a directory among the users within a group, you should reach Groups and edit the group you want. There you can set a name to that directory.

To enter at the General settings on the eBox mail server, go to Mail → General . At the configuration page, upper zone, some tabs will be shown to configure different things on the mail server:

At Mail → Virtual domains you can manage virtual domains, which give a name domain to the mail accounts of the different eBox users.

To create a new domain, you just need to choose a name for the domain and a default size for the eBox users' mailboxes who belong to the domain. Later, you can modify the default mailbox size and force changes at existing mailboxes to any size, from the menu you can find clicking at Edit for the desired domain. If you want to remove one existing domain, just click at the Remove button for that domain.

If mail module is installed and enabled in eBox, and you wish to create one mail account to a user, it must be done going into Users and editing our desired user, where you can also set an alias for the user mail address. Check User accounts to know more about the eBox user configuration.

To set an alias to user groups, you have to get the group configuration page using Groups . If mail module is enabled, an alias can be set for all group members. Check User groups to know how to get to group configuration.

You can enter into DHCP Server configuration going into DHCP .

You just will be able to configure DHCP server if there is any network interface declared as Static. If there are different interfaces set as static, you could choose which one will be configured through the selection element. DHCP server works as well with virtual static interfaces. In order to serve IP addresses in a static interface is required to set at least a range or a fixed address mapping.

If you want to enable DHCP server, check out Section 2.6 for details to do so.

Working configuration about DHCP server can be adjusted with these options:

Take into account that every setting in ranges list and fixed address mappings must not overlap each other. Not only in the same interface but also in the remainder ones. These checks are done automatically by eBox.

When the DNS service is enabled it will automatically work as a DNS cache service, that is, several DNS requests will be resolved as an only external DNS request, reducing response time and network traffic with most visited hosts.

There is a more advanced feature that will allow you to create domains for your local network. This is very useful if you want your users to use host names for your local machines instead of recalling IPs.

The DNS service in eBox features a simple to use server which allows you to add domains. And within each domain, you can add hosts and aliases for each one of them. Note that it lacks features such as zone transfers, subdomains and so forth. Those add-ons will be added in the future.

Moreover, reverse mapping is done as well automatically by the module. Every host which has an IP address associated with, the inverse relation is done as well.

You can get to Jabber server configuration at Jabber and with each user options.

Jabber server configures a instant messenger network access, for a local network or with external connection. It also handles authentication per-user, allowing or not its access to each one.

If you want to enable Jabber server, check out Section 2.6 for details to do so.

You can configure Jabber server behavior by setting these options:

On each user configuration, we can find two new options for its Jabber access configuration:

A basic knowledge of public key infrastructure is needed to understand and use this module. You can find a good introduction at the Wikipedia article about PKI.

You can get to Certification Authority (CA) Management at Certificate Manager

The CA Management purpose is to allow the issue of certificates, which can be used by another eBox modules or external applications.

The certificates are issued using a CA's certificate which will be created with this module.

Firstly, in order to use certificate, issuing the CA's certificate is needed signing by itself. This certificate is used to issue 'normal' certificates, so the other module's features would not be available until it exists.

To achieve so, we enter in the module's page and we find a form to create the CA's certificate. The form requires the organization's name and the number of days till the certificate expires.

Once the CA's certificate is in place, we are able to issue new certificates with it.

In order to do so, we fill the form which appears on the top of the module's page. The mandatory data are the certificate's common name and the number of days until its expiration. This last value is limited by the duration of the CA's certificate.

When the certificate has been issued, it will appear in the certificate's list and it will be available to the remainder eBox modules to use it.

Through the certificate's list we can access to actions which can be done upon each certificate. The actions available are download files, revoke and renew.

You can get to Virtual Private Network (VPN) configuration at OpenVPN .

In order to set up VPN service, you first need to configure a Certification Authority. eBox also provides this service so you can build it up via Certification Authority .

OpenVPN module can configure eBox as OpenVPN server as well as client. As many servers/clients as you want may be configured.

Since VPN is a quite complicated service, we illustrate with two typical scenarios how to configure them with eBox.

18.2.1. Road warrior

You can set up eBox to support Road Warriors. That is, eBox working as a gateway and an OpenVPN server, which has a local area network (LAN) behind, letting clients connect to eBox from WAN (road warriors) in order to access the protected LAN via VPN service. The following figure could show a better picture:

Figure 18.1. Road warrior scenario

Our objective is to connect client 3 with the other two far away clients (1 and 2) and last two each other.

First, we need to create the Certification Authority and certificates for all elements present in the system, the OpenVPN server and the two away clients. Here, this eBox acts as well as Certification Authority.

Note

To obtain detail information about eBox Certification Authority module,check its own part in the manual.

Once we have the certificates, we should set up the OpenVPN server in eBox at Create new server. We should give it a name, a protocol/port pair, a certificate (which have recently created above) and a subnet to work with. The remainder elements can be set by default values. As we see, the OpenVPN server will be listening on all external interfaces, so we need to set at least one of eBox interfaces as external via Network → Interfaces . In our scenario only two interfaces are needed, an internal one for the LAN and an external one to work in Internet.

After creating the OpenVPN server, we should enable the service and save changes. Then, check out in Status that there is an OpenVPN server fully working.

Afterward, you should add advertised networks, which are those which authorised OpenVPN clients will be able to access. In order to achieve so, you need to have these advertised networks reachable. You can set them on editing the chosen OpenVPN server. In our scenario, you should add local network to make visible client 3 to other two clients.

Now it is high time to configure clients. An OpenVPN client may be configure using our bundles which are available in Servers table and click on Down arrow icon. Two Operating Systems bundles have been created, choose the one you use. If you are using a BSD-like environment such as MacOS™, choose Linux system. Choose those client certificate to give to the client and set the external IP address to the VPN clients must connect. eBox will try to guess it using an Internet Web service. If the selected system is Windows™, the OpenVPN installer for Win32 is included as well. It gives you an archive to be distributed to the client.

The bundle includes the configuration file and the required files to start the VPN connection. For instance, in Linux, just decompress the archive and run into the newly created directory the following command: openvpn --config filename. Now you have access to client 3 from two remote clients. Connecting each other remote clients is necessary to to set Allow client-to-client connections check-box within OpenVPN server configuration. In order to check the configuration is correct, you can see the routing table where advertised networks are added to tapX virtual interface.

18.2.2. Connect two offices with eBox and OpenVPN

This second scenario tries to picture a common use case for eBox. Two offices in different networks require to be connected through a private network. To do so, we are going to use eBox in both local networks as gateways and one as an OpenVPN client and another as a server. The following figure tries to make clearer the situation:

Figure 18.2. eBox OpenVPN server vs. eBox OpenVPN client

Our aim is to connect client 1 in LAN 1 with client 2 in LAN 2 as if they were under the same local network. Therefore we need to set up the OpenVPN server as we do in Section 18.2.1. However, just a pair of changes is needed setting on option Allow eBox-to-eBox tunnels to exchange routes among eBox machines and eBox-to-eBox-tunnel password to perform a little more secure environment among the two offices.

In order to configure eBox as OpenVPN client, we can do it at Create new client button within OpenVPN menu. We should set client's name and active. You may set the client configuration manually giving the required information or automatically using the bundle giving by the server as we have done in Section 18.2.1. The former requires the server service address, required certificates and server's tunnel password as well, and the latter this information is extracted automatically from the bundle. When you save changes, in status summary, you can see the new OpenVPN daemon in LAN 2 running as a client with the connection target to the other eBox within LAN 1.

The traffic shaping module allows you to add rules and establish policies which will help you to do a more efficient use of the Internet connections.

You will be able to set boundaries for protocols and services on your network. That is, you could, for example, set a maximum download or upload rate for certain services such as ssh, http and so forth.

In order to use the traffic shaping module, eBox must be placed as your gateway in your network. That means your installation will have to fulfil the following requirements:

The eBox control center is intended to manage simultaneously several eBoxes at the same time using a very secure channel to communicate the center with the sparse eBoxes. The Figure 20.1 indicates how a single element, the Control Center, can send instructions, basically actions which every eBox module may perform and expose in its public API, which each eBox performs independently answering back with a response to the control center when the action has been accomplished.

Figure 20.1. Control center scenario

In order to provide a secure connection, a Virtual Private Network (VPN) is used as link layer and Secure HyperText Transfer Protocol (HTTPS) as transport layer. This dual lock assures the communication between the control center and its eBoxes is protected and the performance is not really decreased as the required bandwidth to set a system configuration can be considered minimal.

Over HTTPS, SOAP protocol is used to exchange XML-based messages between the control center and the eBox's group. The message pattern is a remote procedure call (RPC) one which the control center asks the eBoxes to do something and the eBox responds immediately. An answer may be given back. Furthermore, a state is also provided since a remote eBox "object" is handled to exchanges the messages that allows the control center manager set a configuration and then save changes in a single SOAP session.

The communication among the elements may be full duplex. The control center send actions to be performed by the eBox's group and, on the other hand, every eBox can send information about itself or any of its services using the eBox event framework. This information is gathered into the log system which could be better exploited in the future to supervise several eBoxes at one time.

In this section, we are going to describe to set up a control center, join/quit eBox to the group and configure eBox to make the communication between both elements work. In order to have this scheme ready, two different machines are required, one holding an eBox and the other one with a simple Debian Sarge.

The process uses a subscription pattern. The control center is the only one which knows who can connect to the network and the eBox must have a private element, known here as bundle, to subscribe.