Chapter 8. Installation - step 5: configure your network

Table of Contents

interfaces file (/etc/network/interfaces)
network options file (/etc/network/options)
hosts IP addresses (/etc/hosts)
hostname (/etc/hostname)
resolv.conf (/etc/resolv.conf)
Super server daemon configuration (/etc/inetd.conf)
hosts.allow (/etc/hosts.allow)
hosts.deny (/etc/hosts.deny)
networks (/etc/networks)

You are now going to declare your network configuration through the Network configuration menu.


If you want to permanently change any of the following parameters, do not forget to back up etc.lrp!

From the LEAF configuration menu, type 1 to access the Network configuration menu:

                        Network configuration menu

        1) interfaces file                   (/etc/network/interfaces)
        2) network options file              (/etc/network/options)
        3) hosts IP addresses                (/etc/hosts)
        4) hostname                          (/etc/hostname)
        5) resolv.conf                       (/etc/resolv.conf)
        6) super server daemon configuration (/etc/inetd.conf)
        7) hosts.allow                       (/etc/hosts.allow)
        8) hosts.deny                        (/etc/hosts.deny)
        9) networks                          (/etc/networks)

  q) quit

interfaces file (/etc/network/interfaces)

By default, the LEAF "Bering" firewall uses eth0 as the external interface with a dynamic IP provided by pump.lrp and eth1 as the internal interface at address

Edit 1) interfaces to modify those settings.

Typical LEAF configurations are provided in the interfaces file; simply uncomment what you need and comment out (#) what you do not need!

Check the interfaces man pages or the Debian network interfaces examples for more complicated setups.

The network configuration is activated in the /etc/init.d/networking script through the ifupdown functions.

Once your interfaces are configured, remember to save and back up the etc.lrp package!


Be sure that any interface change is reflected in your firewall configuration (step 6 below). Adjust the Shorewall params file accordingly!

network options file (/etc/network/options)

Default variables in this file are the following:


These defaults are generally acceptable. The ip_forward variable is set back to yes by Shorewall, so if you do not use Shorewall and want to enable IP forwarding, you will have to set this variable to yes yourself.

hosts IP addresses (/etc/hosts)

The /etc/hosts file is where you put the names and IP addresses of local hosts. If you place a host in this file, you do not need to query the domain name server to get its IP address. The disadvantage is that if the IP address for that host changes, you must keep this file up to date yourself. In a well-managed system, the only hostnames that usually appear in this file are an entry for the loopback interface and the local host's name. By default:	localhost	firewall


Do not forget to declare the internal address(es) of an ssh client in this file if you want to connect quickly to your firewall machine!

hostname (/etc/hostname)

By default, the name of your machine is:


resolv.conf (/etc/resolv.conf)

The /etc/resolv.conf file is the main configuration file for DNS resolution. Its format is quite simple. It is a text file that has one keyword per line. There are three keywords typically used by the file. These keywords are:

  • domain: This keyword specifies the local domain name

  • search: This keyword specifies a list of alternate domain names to search for a hostname

  • nameserver: This keyword, which may be used many times, specifies an IP address of a domain name server to query when resolving names

By default this file is set to:


You should not need to change it. The file, by default, shows the address of the local DNS server ( provided by dnscache. Pump won't override the address unless you implicitly allow it. Check the pump documentation below if you want to change that.

Super server daemon configuration (/etc/inetd.conf)

The /etc/inetd.conf file is the configuration file for the inetd server daemon. Its function is to tell inetd what to do when it receives a connection request for a particular service. For each service that you wish to accept connections, you must tell inetd what network server daemon to run (and how to run it).

Its format is also fairly simple. It is a text file with each line describing a service that you wish to provide. Any text in a line following a `#' is ignored and considered a comment. Each line contains seven fields separated by any number of whitespace (tab or space) characters.

By default the three following services are open through inetd:

ssh     stream  tcp     nowait  root    	/usr/sbin/tcpd  /usr/sbin/sshd -i
www     stream  tcp     nowait  sh-httpd        /usr/sbin/tcpd
stat    stream  tcp     nowait  root    	/usr/sbin/tcpd  /usr/sbin/
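
A checker for the seven-field format described above, added here as an example (it is not part of the LEAF distribution) and meant to be run against a copy of the file on a workstation. The handling of `internal` reflects inetd's built-in services, which take no arguments; the sample lines, the `example` service and `/usr/sbin/exampled` are constructed.

```python
# Added example: parse inetd.conf and report on each service entry.
from typing import NamedTuple

class Entry(NamedTuple):
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    server: str
    args: str  # seventh field: program name followed by its arguments

def parse_inetd(text):
    """Return (entries, malformed_line_numbers) for the text of an inetd.conf."""
    entries, malformed = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # text after '#' is a comment
        if not line:
            continue
        parts = line.split(None, 6)  # fields are separated by runs of tabs/spaces
        if len(parts) == 6 and parts[5] == "internal":
            parts.append("")  # services built into inetd take no arguments
        if len(parts) != 7:
            malformed.append(number)
            continue
        entries.append(Entry(*parts))
    return entries, malformed

def audit(entries, wrapper="/usr/sbin/tcpd"):
    """List (service, note) pairs worth a second look."""
    notes = []
    for e in entries:
        if e.server != wrapper:
            notes.append((e.service, "not started through tcpd"))
        if e.user == "root":
            notes.append((e.service, "runs as root"))
    return notes

# Constructed sample; "example" and /usr/sbin/exampled are hypothetical.
SAMPLE = """\
ssh      stream  tcp  nowait  root      /usr/sbin/tcpd      /usr/sbin/sshd -i
example  stream  tcp  nowait  root      /usr/sbin/exampled  exampled
www      stream  tcp  nowait  sh-httpd  /usr/sbin/tcpd
"""

if __name__ == "__main__":
    parsed, bad = parse_inetd(SAMPLE)
    print("malformed lines:", bad)
    for service, note in audit(parsed):
        print(f"{service}: {note}")
```

A line reported as malformed has lost a field, most often the program that tcpd is supposed to start.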

hosts.allow (/etc/hosts.allow)

The /etc/hosts.allow file is a configuration file for the /usr/sbin/tcpd program. The hosts.allow file contains rules describing which hosts are allowed access to a service on your machine.

The default for LEAF is:

# /etc/hosts.allow: list of hosts that are allowed to access the system.  See
#                   hosts_access(5) and /usr/doc/net/portmapper.txt
# Example:    ALL: LOCAL @some_netgroup
#             ALL: EXCEPT
# Allow anything from the local net

Any host from the internal network in the IP range will be allowed to access ssh, www and stat through inetd.

If you want that only from your internal network can access the firewall through ssh and weblet, you will have:


hosts.deny (/etc/hosts.deny)

The /etc/hosts.deny file is a configuration file for the /usr/sbin/tcpd program. The hosts.deny file contains entries for the rules defining which hosts will NOT be allowed access to a service on your machine.

The default in LEAF is:

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See hosts_access(5) and /usr/doc/net/portmapper.txt
# Example:    ALL:, .some.domain
#             ALL EXCEPT in.fingerd:, .other.domain
# The PARANOID wildcard matches any host whose name does not match its
# address.
# Prevent all access not explicitly allowed in hosts.allow
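
How the two files combine, as an added example that is not LEAF's or tcpd's own code: tcpd consults hosts.allow first, then hosts.deny, and grants access when neither matches, which is why a deny-everything rule in hosts.deny matters. The rules and addresses below are constructed (documentation ranges from RFC 5737), and only a subset of the hosts_access(5) pattern language is handled.

```python
# Added example: order in which tcpd consults hosts.allow and hosts.deny.
# Only a subset of hosts_access(5) client patterns is handled: ALL, an exact
# address, and an address prefix ending in "."; hostnames, netgroups, LOCAL,
# PARANOID and EXCEPT are out of scope.

def parse_rules(text):
    """Return a list of (daemon_list, client_list) from an access file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def matches(patterns, value, allow_prefix=False):
    for pattern in patterns:
        if pattern == "ALL" or pattern == value:
            return True
        if allow_prefix and pattern.endswith(".") and value.startswith(pattern):
            return True
    return False

def decide(daemon, client_ip, allow_text, deny_text):
    """Return (verdict, reason) for one connection attempt."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if matches(daemons, daemon) and matches(clients, client_ip, True):
                return verdict, "matched hosts." + verdict
    return "allow", "no rule matched"  # neither file matched: access is granted

# Constructed rules using documentation address ranges (RFC 5737).
ALLOW = "sshd: 192.0.2.\n"
DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7"):
        print(ip, decide("sshd", ip, ALLOW, DENY))
    print("empty hosts.deny:", decide("sshd", "203.0.113.7", ALLOW, ""))
```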

networks (/etc/networks)

The /etc/networks file has a similar function to that of the /etc/hosts file. This file provides a simple database of network names against network addresses. Its format differs in that there may be only two fields per line, and that the fields are coded as:

The default in LEAF is: