Slashdot Mirror
Configuring IPCop Firewalls
Ravi writes "IPCop is a GPLed firewall solution targeted at Small Office/Home Office network. It is favored by many for its ease of configuration and setup and its support for a variety of features that you would expect to have in a modern firewall. IPCop is famed for letting users setup a sophisticated firewall for ones network without ever having to write an iptables rule themselves." Read the rest of Ravi's review.
Configuring IPCOP Firewalls - Closing borders with Open Source
author
Barrie Dempster and James Eaton-Lee
pages
230
publisher
Packt Publishing
rating
8.5
reviewer
Ravi
ISBN
1-904811-36-1
summary
A practical book that takes a hands on approach in setting up and configuring IPCop firewall on ones network
Configuring IPCop Firewalls published by Packt Publishing is authored by two people Barrie Dempster and James Eaton-Lee and is divided into 11 chapters. The first chapter gives a brief introduction to firewalls and explains technical concepts such as OSI reference model, an introduction to TCP/IP and a brief outline of the parts that comprise a network. Even though I did not find anything new in this chapter, I realized that this is meant for people who are new to the world of computer networks and aims to bring them up to date with the various technologies associated with it. A network administrator intending to pick up skills in configuring and setting up IPCop, can circumvent this chapter and go to the second chapter which gives an introduction to IPCop and its different features. The authors have explained the concepts in an easily understood way with the aid of necessary screen-shots. One of the salient features of IPCop is its web based interface which allows one to configure all aspects of it from a remote location. In fact, IPCop is designed to be controlled from a remote location and serves all its configuration parameters via the Apache web server.
In the second chapter, one gets to know all the features of IPCOP including the different services it offer. One thing that struck me while going through this book was that the authors are fully immersed in explaining the configuration aspects of IPCop which is done entirely via the web interface. Other than the first, third, and 10th chapter, where the readers are made to digest some theory, the rest of the book is as a how-to. I found this to be ideally suited for people who are the least bothered about theory and just want to set up IPCop and get on with what they were doing.
In the third chapter, we are introduced to the unique feature used by IPCop to segregate the network depending upon its vulnerability. And in the succeeding chapter, the authors walk one through installing IPCop. Here each and every installation step is explained with the help of a screenshot which makes understanding the procedure much more intuitive.
The chapter titled "Basic IPCop Usage" gives a good introduction to the web interface provided by IPCop. Reading this chapter, I was able to get a good feel for the IPCop interface. More specifically, you learn how to configure IPCop to provide different services such as DHCP server, support for Dynamic DNS, editing the hosts file and so on. The IPCop interface is quite rich in functionality even providing options to reboot or shutdown the machine remotely. In this chapter, apart from the introduction to the web interface, the authors have also provided a few tips related to logging in to the remote machine running IPCop using SSH.
Put in simple terms, IPCop is a specialized Linux distribution which contain a collection of tools which revolve around providing robust firewall capabilities. The tools bundled with IPCop range from the ubiquitous iptables, services such as DNS, and DHCP, to tools which specialize in intrusion detection such as snort.
The sixth chapter titled "Intrusion Detection with IPCop" explains the concept of intrusion detection and how one can use snort IDS bundled with IPCop to effectively find out what is passing through our network and thus isolate any harmful packets.
The book moves on to explain how to use IPCop to set up a virtual private network (VPN). By way of an example, the authors explain how to setup a VPN between two remote networks with each end having a IPCop firewall in place. This chapter covers different VPN scenarios such as host to net, net to net connections as well as configuring IPCop to detect the Certifying Authority certificates.
The 8th chapter is a rather short one which explains how to effectively use proxying and caching solutions available in IPCop to manage the bandwidth.
One of the biggest advantages of IPCop is that it is possible to extend it to provide additional features by way of add-ons. Add-ons are generally developed by third parties and are usually developed with an aim to provide a feature that the developers of IPCop have missed. There are a whole lot of add-ons available for IPCop. The 9th chapter introduces the most popular add-ons available for IPCop such as SquidGuard — a content filtering add-on, LogSend — an add-on which send the IPCop logs to remote email accounts, AntiSpam, integrating ClamAV anti virus solution and more. The authors have also explained how to install and enable these add-ons using the IPCop web interface.
The tenth chapter titled "Testing, Auditing and Hardening IPCop" has more of a theoretical disposition where the authors list some of the common attributes towards security and patch management and also some of the security risks and a few common security and auditing tools and tests.
One thing I really like about this book is the practical approach taken by the authors in explaining how to accomplish a certain task. Each section is accompanied by the relevant screenshots of the web interface with a brief explanation of the options available. The book is well designed with a number of tips provided in each section highlighted in big square brackets which makes it quite eye catching. Even though I found the book a bit short on theory, it is an ideal resource which provides a hands on approach to people who are more interested in installing and setting up IPCop firewall solutions in ones network rather than pondering about the theoretical concepts of the same.
Ravi Kumar likes to share his thoughts on all things related to GNU/Linux, Open Source and Free Software through his blog on Linux.
You can purchase Configuring IPCOP Firewalls - Closing borders with Open Source from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Configuring IPCop Firewalls published by Packt Publishing is authored by two people Barrie Dempster and James Eaton-Lee and is divided into 11 chapters. The first chapter gives a brief introduction to firewalls and explains technical concepts such as OSI reference model, an introduction to TCP/IP and a brief outline of the parts that comprise a network. Even though I did not find anything new in this chapter, I realized that this is meant for people who are new to the world of computer networks and aims to bring them up to date with the various technologies associated with it. A network administrator intending to pick up skills in configuring and setting up IPCop, can circumvent this chapter and go to the second chapter which gives an introduction to IPCop and its different features. The authors have explained the concepts in an easily understood way with the aid of necessary screen-shots. One of the salient features of IPCop is its web based interface which allows one to configure all aspects of it from a remote location. In fact, IPCop is designed to be controlled from a remote location and serves all its configuration parameters via the Apache web server.
In the second chapter, one gets to know all the features of IPCOP including the different services it offer. One thing that struck me while going through this book was that the authors are fully immersed in explaining the configuration aspects of IPCop which is done entirely via the web interface. Other than the first, third, and 10th chapter, where the readers are made to digest some theory, the rest of the book is as a how-to. I found this to be ideally suited for people who are the least bothered about theory and just want to set up IPCop and get on with what they were doing.
In the third chapter, we are introduced to the unique feature used by IPCop to segregate the network depending upon its vulnerability. And in the succeeding chapter, the authors walk one through installing IPCop. Here each and every installation step is explained with the help of a screenshot which makes understanding the procedure much more intuitive.
The chapter titled "Basic IPCop Usage" gives a good introduction to the web interface provided by IPCop. Reading this chapter, I was able to get a good feel for the IPCop interface. More specifically, you learn how to configure IPCop to provide different services such as DHCP server, support for Dynamic DNS, editing the hosts file and so on. The IPCop interface is quite rich in functionality even providing options to reboot or shutdown the machine remotely. In this chapter, apart from the introduction to the web interface, the authors have also provided a few tips related to logging in to the remote machine running IPCop using SSH.
Put in simple terms, IPCop is a specialized Linux distribution which contain a collection of tools which revolve around providing robust firewall capabilities. The tools bundled with IPCop range from the ubiquitous iptables, services such as DNS, and DHCP, to tools which specialize in intrusion detection such as snort.
The sixth chapter titled "Intrusion Detection with IPCop" explains the concept of intrusion detection and how one can use snort IDS bundled with IPCop to effectively find out what is passing through our network and thus isolate any harmful packets.
The book moves on to explain how to use IPCop to set up a virtual private network (VPN). By way of an example, the authors explain how to setup a VPN between two remote networks with each end having a IPCop firewall in place. This chapter covers different VPN scenarios such as host to net, net to net connections as well as configuring IPCop to detect the Certifying Authority certificates.
The 8th chapter is a rather short one which explains how to effectively use proxying and caching solutions available in IPCop to manage the bandwidth.
One of the biggest advantages of IPCop is that it is possible to extend it to provide additional features by way of add-ons. Add-ons are generally developed by third parties and are usually developed with an aim to provide a feature that the developers of IPCop have missed. There are a whole lot of add-ons available for IPCop. The 9th chapter introduces the most popular add-ons available for IPCop such as SquidGuard — a content filtering add-on, LogSend — an add-on which send the IPCop logs to remote email accounts, AntiSpam, integrating ClamAV anti virus solution and more. The authors have also explained how to install and enable these add-ons using the IPCop web interface.
The tenth chapter titled "Testing, Auditing and Hardening IPCop" has more of a theoretical disposition where the authors list some of the common attributes towards security and patch management and also some of the security risks and a few common security and auditing tools and tests.
One thing I really like about this book is the practical approach taken by the authors in explaining how to accomplish a certain task. Each section is accompanied by the relevant screenshots of the web interface with a brief explanation of the options available. The book is well designed with a number of tips provided in each section highlighted in big square brackets which makes it quite eye catching. Even though I found the book a bit short on theory, it is an ideal resource which provides a hands on approach to people who are more interested in installing and setting up IPCop firewall solutions in ones network rather than pondering about the theoretical concepts of the same.
Ravi Kumar likes to share his thoughts on all things related to GNU/Linux, Open Source and Free Software through his blog on Linux.
You can purchase Configuring IPCOP Firewalls - Closing borders with Open Source from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
You are being MICROattacked, from various angles, in a SOFT manner.
OpenBSD + PF > Linux + IPCop > Cisco PIX > Sonicwall
For some reason the review links to B & N, but it seems that Amazon has it a few bucks cheaper. With a book this pricey, any savings are welcome.
IPCop is famed for letting users setup a sophisticated firewall for ones network
It is "one's" not "ones". And, it would have been better to say "for their network".
Is *any* editting done?
Have you read my journal today?
...you probably don't need this book. IPCop is super easy to to set up & configure if you're even the slightest bit geeky. I really like it, but then I'm the slightest bit geeky.
Does anyone knowledgeable want to contrast IPCop to SmoothWall?
Advantages/Disadvantages? Pros/Cons?
Personally, I've always used m0n0wall since it can be run from a CD/floppy/flash drive, and the only experience I've ever had with IPCop was a bad one. I was working on a small project with a tight deadline, and it just completely failed at a crucial moment and I didn't give it a second look. Admittedly, it was configured by an idiot, so I am wondering:
What does IPCop offer that other options (m0n0wall, Smoothwall) don't?
What is the most barebones setup you can manage with it? By that I mean the smallest system requirements to get decent performance?
How to use a GUI
I thought this was a bad thing.
For example, there was this http://www.kb.cert.org/vuls/id/175500 compromise from last year. I don't know the status, but it just seems to me this isn't such a good idea.
I can think of a few other reasons why taking the Microsoft approach to a firewall distro isn't good. Most of which boil down to Linux's current status as "more secure" is easily discredited.
An analogy would be all of the features/applications are a long rope with which the distro hangs itself.
I'm thinking the firewall needs to be very hardended with logging information to monitoring tools on another box. Am I wrong?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Small real estate company with several sattelite offices around the bay area. Owner was cheap. Sometimes a cheap boss can force you to be creative, which can be fun.
Most of the IPcop firewalls in the sattelite offices are running on PII or less machines, with the main office on a P4 1.4ghz. Freeswan VPN's are setup between all the office.
Not much more to say than that. Other than a few upgrades (easily done through the web interface) my ipcop boxes have had uptimes around 2 years. Very awesome, reliable firewall.
But for that one cent you can have the satisfaction of screwing slashdot out of their kickback.
Seems to me the value-add provided by slashdot, by giving us a review of the book, to me is worth a "kickback". But of course, in any endeavor where the costs are only paid by those willing to do so, there will always be those who not just only take from it, but who do so while pretending they're somehow superior for doing so. (shrug) Whatever.
Why not? Using a user-friendly GUI to configure a Linux firewall is a great way to *LEARN* to use more advanced features down the road.
/etc/apt/sources.list file by hand, or have Synaptic do it for you. Synaptic will correctly parse any changes that you make, and if it modifies the file, it will do so in an easy-to-read way. I recently installed Ubuntu for a friend of mine and explained to him that a good way to learn to use the command line configuration files is to play around with the GUI utilities and study the changes they make to those files.
/etc/hosts file like Linux somewhere under the \winnt\system32 directory... I made the mistake of editing it by hand, and then trying to undo the changes with the GUI. The changes made by the GUI were somehow silently ignored, which led to a mistifying series of DNS problems.
I am an experienced Linux user and do pretty much everything from the command line. But I find there is a lot to like about the new GUI utilities like gnome-system-tools, especially compared to their MS Windows counterparts.
One of the great things about most Linux GUI configuration utilities is that they use the *same* configuration files that you could edit by hand, and generally try to modify them in a human-readable way. For example, under Debian or Ubuntu, you can edit your
Contrast this with Windows where a lot of things can ONLY be configured with the GUI utilities, which often write their changes to impenetrable, undocumented binary registry keys... very hard to track down. If you try to configure things from the command line in Windows, you'll run into inconsistencies. For example, Windows XP actually has an
So I see the gnome-system-tools style of GUI configuration tools to be a Very Good Thing. These utilities make configuration easier for many people, without preventing them from accessing the underlying configuration in a comprehensive manner, and without leaving the system in an inconsistent state.
My bicyles
I've used IPCop a few times doing some complex tasks (VPN's, VOIP, VTC) and have been generally satisfied with how things worked but look forward to the next major rev of the product based on the 2.6 kernel. The current IPsec implementation is OpenSWAN based and I prefer the native ipsec included with the 2.6. This by no means diminishes the effort of the IPCop team, it's a good product.
Slashdot gets money from advertisements regardless of whether some people reach into their pockets and buy books through a B & N link.
So you want Linux to only be used by "geeks" and have *less* market penetration?
-b.
I've used IPCop, both a couple years ago and for a while earlier this year. I was impressed by it both times, but was unhappy about the noise/heat/electricity of a box running 24/7. Granted, it had great features, but I really didn't use them, so I just replaced it with a WRT54G running DD-WRT (I stopped using sveasoft after I felt they weren't honoring the spirit, if not the letter, of GPL).
IPCop will permenantly dominate if someone manages to port it to the WRT54G. If I could have the amazing power of IPCop in a $50 silent box, that used little electricity, then I think IPCop would be on the edge of being a killer appliance.
(If you were hoping I was going to say one was better than the other, it's like asking which is better - a sandwich or a glass of water - it depends if you're hungry or thirsty)
So you want Linux to only be used by "geeks" and have *less* market penetration?
Nah, he just doesn't want his "1337ness" to go away as people realize that these things really aren't as difficult as they seem
Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
I love the way nmapfe will give you the command that it is going to run. Choose a different checkbox then the command line changes. I wish more apps did this. I prefer command line but sometimes I don't feel like reading 100 man pages so I use the GUIs. Having the GUI tell me the command it is about to run would be awesome.
I should add that I don't do any real admin anymore. Most of slashdot would have assumed that the second I mentioned using a GUI.
I support the troops. I pay f'ing taxes.
I'm using IPCop and Copfilter on a LinITX PC for a client and so far he's very happy with the results. LinITX is a mini-ITX PC slightly larger than a Linksys "blue box" router with built-in video/USB/AT (so you don't have to configure it via serial console!), three Ethernet ports, a flash disk slot, room for a 2.5" HDD internally, and 2 on-board IDE controllers - you can even temporarily hook up a generic internal CD-ROM drive for install purposes.
-b.
IPcop has been a fantastic solution for my both at home and in some business solutions. Easy to manage, stable, and strong mailing lists for support.
But the only knock I have is roadwarrior VPN's & windows. Now I'm sure that part of the problem lies with trying to integrate the two. Net-to-net VPN's are ungodly easy and rock solid. I've tried jumping through the hoops to get a roadwarrior going with no luck, and the most common piece of advice I've seen is to use a third-party add on such as zerina. Damnit there's a VPN built into the distro, why not just use that?
Besides, I'm already running third-party AV and anti-spam solutions (copfilter has been outstanding) , I'm not interested in adding another layer of possible failure onto the machine.
There are some people that if they don't know, you can't tell 'em.
I do firewall/VPN/security work for a living; I've tried/used Ipcop and nearly all of the products mentioned below and dozens more (m0n0wall, cisco PIX, cisco ASA, checkpoint, juniper, smoothwall, proxy bases firewalls, sonicwall, guarddog, watchdog, hommade linux/freebsd/openbsd/etc etc).
I personally vastly prefer PfSense over any of them for nearly all applications. http://pfsense.com/
My name is coaxeus, and I approve this message. In fact, I think it is awesome.
Slashdot gets money from advertisements regardless of whether some people reach into their pockets and buy books through a B & N link.
No, slashdot gets money from advertisements only if those advertisements perform for the people running the ads. How many times have you clicked those ads and then followed up by doing some business with one of the advertisers? Affiliate links to places like B&N or other vendors are just part of the wider revenue-generating efforts, and all of the techniques have good days and bad. Unless you're really complaining about the basic pursuit of raising enough money to run the site, pay the people who make it go, and keep it alive between slow periods, what are you complaining about?
Don't disappoint your bird dog. Go to the range.
I'm going to have to get this book.
I'm one of those people midway between clueless AOL users and people who actually know what they're doing: I run all linux but don't actually know how to configure ipchains or the like. So I have an old (fanless 486) headless IPCop box downstairs, acting as a firewall and NAT. I got it set up and it's been running for six years, doing what I wanted, without me having to deal with it at all. Nobody (to the best of my knowledge) has ever gotten through it, and I do check the logs it generates on a weekly basis. It's been an enormous help: I don't have to set up DHCP, NAT, or a firewall, or figure out how to get a server and a couple desktops all connected without exposing myself to risks I don't understand. I'm nothing like a computer professional, I'm a lousy programmer, I don't understand most of the IT stuff I read on slashdot. IPCop isn't pretty, but it chugs along and does what I need. And, since I don't know what I'm doing, I can't figure out how to configure it to let traffic for SecondLife through, so I can't start playing SecondLife. Win-win situation!
Nostalgia's not what it used to be.
I agree completely. nmapfe is great about that. When I know the command line options I want to use, I run nmap. When I don't, I fire up nmapfe and use it to LEARN the appropriate command line options.
GUIs done right, as front-ends for command-line programs or configuration files, can be very powerful and useful tools.
My bicyles
I've used a lot of products like this. However I find pfSense a lot better.
Join the Linux Generation. #LinuxGeneration on EFnet Linux Counter #249871
So, nobody points out 'editting'? Since when is that spelled tt? Get off the proper English bandwagon. You're not my English teacher and you certainly need your own spelling teacher.
IPCop is a great linux-router distro for old crappy machines as well.. i have it running at home on a pentium 133 with 32 megs of ram.. its been up 96 days without any problems at all.. the BSD based firewalls are great as well, but there's really not that much of a performance difference in my opinion.. they all do the same exact thing in the long run.. i guess its just a matter of your personal preference.. but for those of you who have an old piece just sitting in your closet, it'd make a great IPCop box.. incredibly easy to setup as well..
*plays the Apogee theme song music*
I think it would have been helpful to note somewhere in the review what IPCop actually is. It's a Linux firewall distribution.
Reading the review, I thought that it was some new packet filtering system, like an actual replacement/alternative to iptables that I'd just never heard about.
The review's introduction called it a "solution" which is a generic term for 'anything that does anything, somehow.' Not very descriptive.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Mod parent up! It can be frustrating being able to on a GUI, it works, and you don't know what you have done.
Spoken like a true computer scientist. I know, I used to be one. You see, the problem is you're spending too much time getting excited about the solution and not enough time looking at the problem.
It certainly doesn't hurt to have an understanding of the underlying mechanics of Linux based firewalls, but it shouldn't have to be a prerequisite of solving your problem. I've been a Linux user for 10+ years and I use IPCop at home. I'm familiar enough with iptables to solve any problems I might encounter, but I'm not interested in any more than that. I actually want to use my computers as tools, rather than spending all my time figuring out how to do something which should be easy.
Would you recommend every motorist should be able to strip their engine down and rebuild it? It just isn't feasible, or sensible.
So you have a problem with people paying the bills, and possibly earning a profit. nice troll.
Save yourself some money by buying the book here: Configuring IPCop Firewalls.
Is there an advantage for the SOHO person to use IPCop vs. a small hardware firewall for their SOHO? It seems like IPCop would be an application that you embed in a small, cheap hardware firewall to sell to SOHO people.
My router handles firewalling but I read some time ago that Firestarter is also a good GUI based firewall, is easy to use but with features for advanced use. How does it campare with IPCop?
Anyone?
IMO the IPCOP style firewall systems are only good for quite basic setups, mostly in the 'two nics, one external one internal' realm.
But if your firewalls need to have multiple nic's and such, running carp and pfsync, doing all sorts of funky stuff on each, then the web based things suck. The best ive seen is pfsense, but it still suffers from the whole concept of internal/external nic's instead of just letting me sort that shit out.
I use FreeBSD for all my firewalls now, with the exception of one pair of firewalls which I use openbsd with, only because obsd has the 'carpdev' option and FreeBSD does not, meaning I cant carp external IP addresses properly ( FreeBSD looks for the NIC with an IP on the same subnet as the desired carp IP ).
If you are looking after a semi complex network then IMO dont use IPCOP/Pfsense style setups, as nice as they may for some things.
Forget marketing, he just wants to receive *more* penetration.
I work for a county hospital, so we don't get much money for equipment. So, a couple of years ago, when we out-grew our old firewall, I was forced to come up with a firewall solution for little or no money. So I took a spare pc and set it up with IPCop. We still use IPCop today, except now it is on a P4 2.4GHz pc with 1GB of ram. It services 600 devices that connect to the internet. I did have to make a few customizations for it, especially with the content filtering, since we have groups of ppl that need to hit only a few sites and nothing else. It has done a great job and the load rarely gets above 35%.
How to plug in things that need electricity
In response to your first paragraph, for the past 4 years I've been running IPCop on a $0 Pentium 1 266mhz that my friend was going to throw away and I've had zero problems.
In response to your last question, they make images for the Soekris boards which are supposed to be used on CF cards.
Linksys runs Linux, do you mean to say that everybody should return them?
I feel the same way. Geek out, then move up and balance.
I use IPCop at quite a few locations. My favorite addon is an openvpn module called Zerina. It can be found at zerina.de.
Note that Windows has two hosts files: hosts and lmhosts. That, I guess, was just to keep it simple... ;)
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Can IPcop be used as a socks5 proxy or which is the best socks5 proxy available as opensource and which is easy to administer etc ?
Chris ,
Php Programmers.
Basically anyways. This book makes an attempt to fill the first few chapters with basic network theory and read more like an intro to networking course book than anything I can compare it to. The pieces on ipcop are good for getting the theory but little is described as to the technology running IPCOP, or to define it's strengths and weaknesses compared to other platforms.
The IPCOP is a good platform for many applications, and out of the box makes for a great SOHO device. Without customizing the 'cops they're not being realized to their full potential, sections of the book outline this, but I would have preferred there have been more info regarding implementation.
All in all it is what it is, a pictorial to the use of an easy to configure device.
I would like to say, a security platform who's default SSH user is root doesn't exactly exemplify secure practices.
Contrast this with Windows where a lot of things can ONLY be configured with the GUI utilities, which often write their changes to impenetrable, undocumented binary registry keys... very hard to track down. If you try to configure things from the command line in Windows, you'll run into inconsistencies. For example, Windows XP actually has an /etc/hosts file like Linux somewhere under the \winnt\system32 directory... I made the mistake of editing it by hand, and then trying to undo the changes with the GUI. The changes made by the GUI were somehow silently ignored, which led to a mistifying series of DNS problems.
It's cute that people still think Windows can't be configured from the command line. It's one of the things Windows 2003 got right.
What about running it on newer hardware with SATA disks ?
How about software raid, can it handle it ?
How many users per MHz ?
The free version of Astaro is much better than IPCop. It's got many, many, more features plus, if you're a home user you can get really cheap upgrades to add IDS, Web filtering, and email antispam/antivirus scanning. I use their commercial appliance where I work and it's great. Common Criteria and ICSA certification - plus it's Linux based.
Enough FUD and half-assed anecdotes already. You can use "reg" from the command-line to do any kind of querying/editing/export/import/comparing in the registry. The "reg" command is well documented. So is the API to interface it any way you want.
There is no official "GUI" to edit %windir%\system32\drivers\etc\hosts. You have to do it "by hand" with f.ex. Notepad or with some third-party utility.
Try adding a line to it and type "ipconfig /displaydns". You don't have to /flushdns, the DNS client monitors the hosts-file for changes and will cache any new entries automatically.