Use the DrawBridgeOS Terminal

Applicable only to DrawBridgeOS systems. See the Platform information on your local DrawBridge System Overview page. (Note: the System Overview link will only work on the LAN of a DrawBridge-protected network.)

About the DrawBridgeOS Terminal

Location in the DrawBridgeOS web portal: System / Configuration / DrawBridge Terminal.

This terminal gives system administrators the ability to perform the common network configuration tasks listed below.

Note: This configuration terminal is considered an "interim solution" until a more graphical configuration interface is designed for these networking components.

About Mode & Endpoint

Mode options

- Command Builder Mode: an easier "hold-your-hand" experience: to run a command, you must first select the Section and Node you wish to act on.
- Advanced Command Mode: a free-text entry field designed for power users who are familiar with the required command syntax.

Endpoint options

"Endpoints" define the context for a command. Here are the four endpoint options, with additional information or example scenarios:

- configure - Used to set or delete particular configuration details
- generate - Generally used for PKI and VPN functions
- reset - Generally used for cache-clearing operations
- show - Used to display current configuration and service information

See the next section, Network Configuration Tasks, below, for additional information.

Network Configuration Tasks

Show current configuration: show config

This is generally your first step to see what the actual current configuration of the DrawBridge is:

- Command Builder Mode: not available
- Advanced Command Mode:
  - Endpoint: show
  - Command: config
  - Click the Run button
  - Review the output (in the area below the command entry) as needed.

Ethernet interface addressing (IPv4)

You may wish to review the output of show config (above) first. You'll need to know the interface name (eg eth3) that you wish to configure.

Set a new static IP address

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: interfaces
- Node: ethernet
- Command: address
- For example: eth3 address 10.22.6.1/24
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: set interfaces ethernet address
- For example: set interfaces ethernet eth3 address 10.22.6.1/24
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Configuring a WAN/internet interface? You'll need to configure a Static Route for "all networks" 0.0.0.0/0 -- see Configure Static Routing, below.

Configuring a LAN interface? Several things may need to be updated:
- Firewall rules for transparent filtering
- Firewall zone-interface association
- DHCP server subnet settings
- DNS server allow-from and listen addresses

Delete an existing static IP address

Command Builder Mode:
- Endpoint: configure
- Operation: delete
- Section: interfaces
- Node: ethernet
- Command: address
- For example: eth3 address 10.22.6.1/24
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: delete interfaces ethernet address
- For example: delete interfaces ethernet eth3 address 10.22.6.1/24
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk.
(Changes will not survive a reboot if they aren't saved!)

Removing a static IP address on a WAN interface? You may need to remove your "all networks" 0.0.0.0/0 Static Route. See Configure Static Routing, below.

Set an Ethernet interface to use DHCP-assigned addressing (DHCP client)

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: interfaces
- Node: ethernet
- Command: address dhcp
- For example: eth3 address dhcp
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: set interfaces ethernet address dhcp
- For example: set interfaces ethernet eth3 address dhcp
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Delete an Ethernet interface DHCP-assigned addressing configuration (DHCP Client)

Command Builder Mode:
- Endpoint: configure
- Operation: delete
- Section: interfaces
- Node: ethernet
- Command: address dhcp
- For example: eth3 address dhcp
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: delete interfaces ethernet address dhcp
- For example: delete interfaces ethernet eth3 address dhcp
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

vLAN interfaces and addressing

You may wish to review the output of show config (above) first. You'll need to know the physical interface name (eg eth6) on which you wish to put your vLAN interface.

Create a new vLAN interface and/or set an address (static or DHCP-client)

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: interfaces
- Node: ethernet
- Command: vif address
- For example: eth6 vif 223 address 192.168.99.1/24
- Or, for a DHCP client example: eth6 vif 223 address dhcp
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: set interfaces ethernet vif address
- For example: set interfaces ethernet eth6 vif 223 address 192.168.99.1/24
- Or, to configure the interface to be a DHCP client: set interfaces ethernet eth6 vif 223 address dhcp
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Configuring a WAN/internet interface? You'll need to configure a Static Route for "all networks" 0.0.0.0/0 -- see Configure Static Routing, below.

Configuring a LAN interface? Several things may need to be configured/updated:
- Firewall rules for transparent filtering
- Firewall zone-interface association
- DHCP server subnet settings
- DNS server allow-from and listen addresses

Delete a vLAN interface address or DHCP-client configuration

Command Builder Mode:
- Endpoint: configure
- Operation: delete
- Section: interfaces
- Node: ethernet
- Command: vif address
- For example: eth6 vif 223 address 192.168.99.1/24
- Or, removing a DHCP-client configuration: eth6 vif 223 address dhcp
- Click the Commit and Test button. You should receive a Success!
message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: delete interfaces ethernet vif address
- For example: delete interfaces ethernet eth6 vif 223 address 192.168.99.1/24
- Or, for a DHCP-client example: delete interfaces ethernet eth6 vif 223 address dhcp
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Configuring a LAN interface? Several things may need to be configured/updated:
- Firewall rules for transparent filtering
- Firewall zone-interface association
- DHCP server subnet settings
- DNS server allow-from and listen addresses

Delete an existing vLAN interface

Command Builder Mode:
- Endpoint: configure
- Operation: delete
- Section: interfaces
- Node: ethernet
- Command: vif
- For example: eth6 vif 223
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: delete interfaces ethernet vif
- For example: delete interfaces ethernet eth6 vif 223
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Removing a vLAN interface altogether? Be sure to remove any zone-relationships. For example: delete firewall zone eastwoodtc interface eth6.223

Static Routing

Static Routes tell DrawBridgeOS where to go to find networks.
This is most commonly used/needed when you've configured a static IP address on your WAN interface (vs using DHCP, which handles the routes automatically).

Note: when configuring a route to an upstream internet gateway (such as your modem), you'll use 0.0.0.0/0 to indicate "all networks". This is what the examples below are showing, with the "modem" address being 192.168.3.1.

For other scenarios, for example making a new remote subnet (eg. 10.44.44.0/24) accessible over a VPN link (perhaps via router 192.168.22.2) -- you'd specify that (10.44.44.0/24), rather than the "all networks" 0.. mentioned above, and the ...22.2 router as your next-hop.

You may wish to review the output of show config (above) first.

Set a new static route

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: protocols
- Node: static
- Command: next-hop
- For example: 0.0.0.0/0 next-hop 192.168.3.1
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: set protocols static route next-hop
- For example: set protocols static route 0.0.0.0/0 next-hop 192.168.3.1
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Delete an existing static route

Command Builder Mode:
- Endpoint: configure
- Operation: delete
- Section: protocols
- Node: static
- Command: next-hop
- For example: 0.0.0.0/0 next-hop 192.168.3.1
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: delete protocols static route next-hop
- For example: delete protocols static route 0.0.0.0/0 next-hop 192.168.3.1
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Network Address Translation

Network Address Translation (NAT) is best known for its role in enabling your entire LAN to use one (or more) public IPv4 address(es) assigned to you by your internet service provider. On the technical side, though, there are two types of NAT:

- Source NAT -- modifies packet SOURCE headers (address and/or port)
- Destination NAT -- modifies packet DESTINATION headers (address and/or port)

By default, the DrawBridge performs a Source-NAT Masquerade to the WAN interface address for egress IPv4 traffic. If you have multiple public IP addresses from your ISP, however, it's likely that you'll want to add one or more rules to ensure the services you're hosting are using the proper address for egress traffic.

Looking for the instructions on how to forward a port to a server on your network? You'll need a Destination NAT rule.

Create a new NAT rule

Unfortunately, the creation of new NAT rules is not supported with this Terminal interface. However, existing rules can be modified. Contact support@compassfoundation.io with the configuration needed for your situation.

Modify an existing rule

Get your current configuration with the show config command in Advanced Command Mode.

Locate the existing rule that you wish to change. For example:

    rule 220 {
        description eastwoodtc-webserver
        destination {
            port 443
        }
        inbound-interface eth0
        protocol tcp
        translation {
            address 192.168.2.5
        }
    }

Determine which components you need to change for your requirements.
For this example, we'll change the Destination ports from just 443 to 80,443.

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: nat
- Node: destination
- Command: rule destination port
- For example: rule 220 destination port 80,443
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Run show config again. You should now see the updated value in the rule:

    rule 220 {
        description eastwoodtc-webserver
        destination {
            port 80,443
        }
        inbound-interface eth0
        protocol tcp
        translation {
            address 192.168.2.5
        }
    }

You're all set!

Note that the Advanced Command Mode can also be used to achieve the same outcome.

Advanced Command Mode:
- Endpoint: configure
- Command: set nat destination rule destination port
- For example: set nat destination rule 220 destination port 80,443
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk.

Delete a NAT rule

You do have the option of completely removing a NAT rule by referencing just the rule number:

Command Builder Mode:
- Endpoint: configure
- Operation: delete
- Section: nat
- Node: destination or source
- Command: rule
- For example: rule 220
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: delete nat rule
- For example: delete nat destination rule 220
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk.
(Changes will not survive a reboot if they aren't saved!)

Firewall

The DrawBridgeOS firewall is a zone-based firewall system. This simply means that a Zone "layer" abstracts away actual interfaces from the rules. In other words, rather than writing firewall rules that reference a specific interface, rules are written for zone-relationship pairs.

The primary benefit of a Zone-based approach is that multiple interfaces can belong to a zone, enabling much simpler firewall configuration on complex networks. For example, all DrawBridges will have at least the following zones configured:

- internet
  - Member interface: eth0
- eastwoodtc
  - Member interface: eth4 -- the main LAN interface. Generally the business name is used; "Eastwood Trading Company" is our fictitious example company in this documentation.
- local
  - Member interface: local -- the actual DrawBridge system itself

Now, with this example in mind, suppose Eastwood Trading Co gets an additional internet connection for redundancy, and they connect this to eth1. With a zone-based firewall, it's as simple as adding eth1 to the internet zone, and the firewall configuration is pretty much done -- the same rules that secure eth0 from unsolicited inbound traffic, for example, automatically apply now to eth1 as well, by virtue of adding eth1 to the internet firewall zone.

Firewall rules perform several functions on the DrawBridge:

- Secure the DrawBridge (and the local network behind it) from unsolicited traffic
- Selectively allow traffic for legitimate remote device filtering and remote access
- Transparently redirect LAN-origin web requests for content filtering

Looking for port-forwarding assistance? Note that you'll need to perform the actual port-forward operation with NAT (Network Address Translation), and then allow the traffic with a firewall rule.

The DrawBridge firewall also supports "groups", which enable the reuse of port and address lists across multiple rules.

Before embarking on rule changes below, you may wish to review the output of show config (above) to get the current context of the system: firewall zone-relationships, existing rule numbers and actions, and so forth.

Set a new firewall rule

Creating a new firewall rule is a multi-step process.

1. Specify a rule number and default-action within an existing firewall namespace:

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: firewall
- Node: name
- Command: rule action
- For example: internet-eastwoodtc rule 107 action accept
- Click the Commit and Test button. You should receive a Success! message in the output area below.

Advanced Command Mode:
- Endpoint: configure
- Command: set firewall name rule action
- For example: set firewall name internet-eastwoodtc rule 107 action accept
- Click the Commit and Test button. You should receive a Success! message in the output area below.

2. Specify source or destination address details; you will need to use this command again if you wish to set both source and destination addresses:

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: firewall
- Node: name
- Command: rule address
- For example: internet-eastwoodtc rule 107 destination address 192.168.10.3
- Click the Commit and Test button. You should receive a Success! message in the output area below.

Advanced Command Mode:
- Endpoint: configure
- Command: set firewall name rule address
- For example: set firewall name internet-eastwoodtc rule 107 destination address 192.168.10.3
- Click the Commit and Test button. You should receive a Success! message in the output area below.

3. Specify source or destination port details; you will need to use this command again if you wish to set both source and destination ports:

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: firewall
- Node: name
- Command: rule port
- For example: internet-eastwoodtc rule 107 destination port 443
- Click the Commit and Test button. You should receive a Success! message in the output area below.

Advanced Command Mode:
- Endpoint: configure
- Command: set firewall name rule port
- For example: set firewall name internet-eastwoodtc rule 107 destination port 443
- Click the Commit and Test button. You should receive a Success! message in the output area below.

4. Give the rule a name:

Command Builder Mode:
- Endpoint: configure
- Operation: set
- Section: firewall
- Node: name
- Command: rule description rule description rule
- For example: internet-eastwoodtc rule 223
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)

Advanced Command Mode:
- Endpoint: configure
- Command: delete firewall name rule
- For example: delete firewall name internet-eastwoodtc rule 223
- Click the Commit and Test button. You should receive a Success! message in the output area below.
- When finished making changes, click the Save Config File button to write the changes to disk. (Changes will not survive a reboot if they aren't saved!)
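
The port-forwarding notes above say a forward needs both a Destination NAT rule and a firewall rule that allows the traffic. As an added example (not part of the DrawBridgeOS documentation or code), this Python script parses saved show config text and lists forwarded ports that no firewall accept rule covers. The firewall block layout, the values in rule 107, and the idea that firewall rules match the translated address are assumptions.

```python
# SAMPLE is constructed. NAT rule 220 follows the page's example; the firewall
# block layout and rule 107's address/port are assumptions for illustration.
SAMPLE = """\
firewall {
    name internet-eastwoodtc {
        rule 107 {
            action accept
            destination {
                address 192.168.2.5
                port 443
            }
        }
    }
}
nat {
    destination {
        rule 220 {
            destination {
                port 80,443
            }
            translation {
                address 192.168.2.5
            }
        }
    }
}"""

def parse_config(text):
    """Parse brace-delimited config text (one item per line) into nested dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for word in line[:-1].split():  # "rule 220 {" -> node["rule"]["220"]
                node = node.setdefault(word, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:  # a truncated paste must not be audited as if complete
        raise ValueError("unbalanced braces")
    return stack[0]

def expand_ports(spec):  # '80,443' or '8000-8002' -> set of port numbers
    ranges = (part.partition("-") for part in spec.split(","))
    return {p for lo, _, hi in ranges for p in range(int(lo), int(hi or lo) + 1)}

def unallowed_forwards(config):
    """Return (nat_rule, address, port) not covered by an accept rule naming both."""
    allowed, findings = set(), []
    for ruleset in config.get("firewall", {}).get("name", {}).values():
        for rule in ruleset.get("rule", {}).values():
            dest = rule.get("destination", {})
            if rule.get("action") == "accept" and {"address", "port"} <= dest.keys():
                allowed |= {(dest["address"], p) for p in expand_ports(dest["port"])}
    dnat = config.get("nat", {}).get("destination", {}).get("rule", {})
    for num, rule in dnat.items():
        target = rule.get("translation", {}).get("address")
        spec = rule.get("destination", {}).get("port")
        if target and spec:
            findings += [(num, target, p) for p in sorted(expand_ports(spec))
                         if (target, p) not in allowed]
    return findings
```

Call unallowed_forwards(parse_config(text)) on text copied from the show config output. Accept rules that omit an address or port are not counted, so the result errs toward reporting a forward for manual review.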