Tutorial: Using Zones

In this tutorial we will build on what we have learnt in the first tutorial and introduce the concept of Zones. Zones allow you to precisely control which protocols are permitted between different groups of computers.

Introducing Zones

In Guarddog a zone is just a bunch of IP addresses. You may recall that IP addresses are like telephone numbers for machines on the internet. A zone more or less specifies a group of computers. Once a zone has been created we can use the Protocol tab to specify which protocols computers in the zone may use.

For example, if we know that the people at evil.com are evil and cannot be trusted, then we can restrict their access to our computer by using zones. First we create a zone called "Bad Guys" and place evil.com in it. Next we go to the Protocol tab and make sure that no protocols are selected between the "Bad Guys" zone and the "Local" zone. (The Local zone represents the local machine.) This way we can limit, or even completely block, evil.com's access to our computer.


Placing the Bad Guys in a zone and firewalling them out.

Editing Zones

Zones are specified and edited on the Zone tab. To the left of the Zone tab is the list of defined zones. Guarddog has two built-in zones that you can't change: Local and Internet. Local is a zone containing only the local machine, the machine that Guarddog is running on. Internet corresponds to any IP address that's not in another zone. Put simply, if an IP address is not in another zone it is assumed to be in the Internet zone.

The information about the currently selected zone is displayed to the right of the zone list. Each zone has a name, which is used on the Protocol tab and therefore should be kept fairly short. A more descriptive comment can also be given to a zone.

The list of IP addresses in a zone is shown in the Zone Addresses list.

Zones that the currently selected zone may communicate with are listed in the Connection list on the right side of the window.


The Zone tab.

Warning

An IP address should only be in one zone at a time.

Creating a Demilitarised Zone

Let's put zones to work.

A good use of zones is to harden our firewall by setting up a "Demilitarised Zone" (DMZ). In network security a DMZ is a group of computers located between the internet and an organisation's internal computer network. Computers in the DMZ are exposed to the internet and usually perform tasks such as serving web pages to the public or handling email. Since these machines are exposed to the internet and to constant attack from outside, their access to the internal network is restricted. The idea is that if an attacker gains control of a machine in the DMZ, they won't automatically gain higher access to the organisation's internal computer network.

Even if you are not managing an internal network or a group of web or email servers, you probably do make use of a group of computers that could be considered to be in a DMZ. For this tutorial we will set up a DMZ containing the mail server you use for sending and receiving email.

Go to the Zone tab and click on the New Zone button to create a new zone. The new zone will appear in the zone list and will be called "new zone". Go up to the Name text box and change "new zone" to "DMZ". The name should be fairly short, but you may put a longer, more descriptive comment in the Comment text box.

On the right side of the window is the Connection list. It is just a group of check boxes that let you specify which other zones the currently selected zone is connected to. Put a tick in the Local check box to indicate that the DMZ zone is connected to the Local zone. The combination of DMZ and Local will only be available on the Protocol tab when this check box is ticked. Guarddog blocks all communication between zones that are not connected to each other.

Now move over to the Protocol tab and make sure that Protocols Served from Zone: is set to DMZ. In the protocol list below there is a column called Local. Open up the Mail group of protocols and tick POP2, POP3, and SMTP. POP3 is used to fetch mail from a mailbox on a mail server, while SMTP is used for sending outgoing mail. By turning these on for Local we are saying that we want the local machine to be allowed to use these mail protocols with the machines in the DMZ zone.

If the machines in your DMZ are also web servers, you may also want to turn on HTTP, FTP and some other common protocols.

Once you have finished configuring Guarddog, apply your changes with the Apply button and test your email program to see if you can still send and receive email.
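As an added example, not part of this tutorial and not Guarddog's own code, here is a small Python model of the policy the steps above build: zones as address lists, the Connection list deciding which zone pairs may talk at all, and the Protocol tab granting only the ticked protocols from the serving zone to the client zone, with anything outside a defined zone falling into Internet. The addresses are constructed sample values and the port numbers are the standard ones for POP2, POP3 and SMTP; neither comes from the page.

```python
import ipaddress

# Zones as defined in the tutorial. Addresses are constructed sample values
# (RFC 5737 documentation ranges), not taken from the Guarddog tutorial.
ZONES = {
    "Local": ["192.0.2.10/32"],   # the machine Guarddog runs on
    "DMZ":   ["192.0.2.25/32"],   # the mail server
}
# Connection list on the Zone tab: DMZ has the Local check box ticked.
CONNECTED = {frozenset({"Local", "DMZ"})}
# Protocol tab, "Protocols Served from Zone: DMZ", column Local: POP2, POP3, SMTP.
# Key: (serving zone, client zone) -> TCP ports the client may open.
SERVED = {("DMZ", "Local"): {109, 110, 25}}


def overlapping(zones):
    """Return (zone, net, zone, net) tuples for address ranges that fall in
    more than one zone, which the Zone tab warns against."""
    entries = [(z, ipaddress.ip_network(n)) for z, nets in zones.items() for n in nets]
    return [(za, str(a), zb, str(b))
            for i, (za, a) in enumerate(entries)
            for zb, b in entries[i + 1:]
            if za != zb and a.overlaps(b)]


def zone_of(ip, zones=ZONES):
    """Zone of an address; anything not in a defined zone is in the built-in
    Internet zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in zones.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "Internet"


def permitted(client_ip, server_ip, dport):
    """Decide whether a client may open a TCP connection to a server on dport.
    Zones that are not connected are blocked entirely; connected zones pass
    only the protocols ticked under the serving zone's column."""
    client, server = zone_of(client_ip), zone_of(server_ip)
    if client == server:
        return True   # assumption: traffic inside a single zone is not filtered here
    if frozenset({client, server}) not in CONNECTED:
        return False
    return dport in SERVED.get((server, client), set())


if __name__ == "__main__":
    for c, s, p in [("192.0.2.10", "192.0.2.25", 110),    # Local fetches POP3 from DMZ
                    ("192.0.2.25", "192.0.2.10", 25),     # DMZ opens SMTP towards Local
                    ("198.51.100.7", "192.0.2.10", 25)]:  # Internet towards Local
        print(c, "->", s, p, "permitted" if permitted(c, s, p) else "blocked")
```

The second and third cases come out blocked: the DMZ serves mail to Local, not the other way round, and Internet is not connected to Local at all.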