Initial Configuration


1

Ensure you have the Network Information Sheet filled out.

2

Boot the firewall PC with the EigerStein Disk, and log in as root (just type root at the myrouter login: prompt and press [Enter]). You should now be at the LRP configuration menu.

3

Press [3], [Enter] for Package settings, then [2], [Enter] for Modules, and [1], [Enter] for Modules to load at boot. This will automatically start ae, and load the /etc/modules file.

4

Using the arrow keys, scroll down until you see a module (driver) for your network card(s). For the NE2000 compatible cards, there are actually two modules that must be loaded, 8390.o and ne.o. For 3Com 3C509B adapters, there is a single module, 3c509.o which must be loaded.

Note: for laptop installations, you should not need to uncomment any modules. This is handled by the pcmcia services modules. In this case, you may skip to step 7.

5

Remove the # sign in front of each driver that you will load. For the NE2000 compatibles, make sure that the 8390 entry appears first in the file and the ne entry further down.

For 3Com 3C509B adapters, just uncomment the 3c509 line, and go on to step 7.

6

Using the entries from blocks 21, 22, 25, and 26 on the Network Information Sheet, change the line beginning with ne to follow this format:

    ne io=<ExtIO>,<IntIO> irq=<ExtIRQ>,<IntIRQ>

For example, using the configuration in Preparing the PC above, this line would read:

    ne io=0x280,0x300 irq=3,5

Note: This step does not apply to 3Com adapters. Do not pass the I/O and IRQ settings to the driver explicitly.

7

Scroll down to the ###IP Masq modules section.

8

Verify that the following modules are active (all others should have a # sign in front of them).

    ip_masq_ftp *
    ip_masq_h323 *
    ip_masq_icq *
    ip_masq_quake *
    ip_masq_raudio *
    ip_masq_vdolive *
    ip_masq_cuseeme *
    ip_masq_user
    ip_masq_autofw
    ip_masq_portfw
    ip_masq_mfw

* Uncomment if you want to allow the respective traffic through the firewall.

9

Save the file by typing [Alt]-[w], then pressing [Enter].

10

Exit ae by typing [Alt]-[q].

11

Type [q], [Enter], [q], [Enter] to get back to the main configuration screen.

12

Type [1], [Enter] to go into the Network configuration menu, then [1], [Enter] to edit the /etc/network.conf file.

13

This file is divided into ten sections. Each section title is bordered by # symbols on the left, top, and bottom to make it stand out. Note that this is a good time to review the network.conf reference provided on lrp.steinkuehler.net. It explains what all of the settings in this file do. These sections are:

    Brief Instructions for this file
    General Settings
    Interfaces
    IP Filter setup
    Interface activation functions
    Hostname
    Hosts file
    Domain Search order and name servers
    QoS/Fair queueing functions
    End

14

Scroll down to the General Settings section.

15

Change the MAX_LOOP setting from 10 to the number of DNS servers you will access.

Example: If your ISP gave you a primary and secondary DNS address only, this number should read 2.

16

Change CONFIG_DNS from NO to YES.

17

Scroll down to the Interfaces section.

18

Locate the line that reads IF_AUTO="eth1".

19

Change it to read:

    IF_AUTO="eth0 eth1"

20

Locate the line that reads DEF_IP_KRNL_LOGMARTIANS=YES.

21

This setting (along with the one in step 31) determines whether or not 'martian' packets (packets that do not have a legitimate source) are logged by the firewall. By logging, I mean that they are written directly to the screen. This is somewhat problematic during the process of configuration and testing, as the menus become difficult to read with logged packet information popping up. As such, I elect to turn logging off. If you want to log and inspect martian packets, turn this setting back on after the firewall is up and stable. Change it to read:

    DEF_IP_KRNL_LOGMARTIANS=NO

22

Scroll down to the line that reads eth0_IPADDR=0.0.0.0.

23

Change it to read:

    eth0_IPADDR=<ip_from_block_1>

Note: This value comes from the Network Information Sheet, block 1.

24

Scroll down to the line that reads:

    eth0_MASKLEN=0

25

Change this line to read:

    eth0_MASKLEN=<masklen_from_block_8>

Note: This value comes from the Network Information Sheet, block 8.

26

Scroll down to the line that reads:

    eth0_BROADCAST=0.0.0.0

27

Change this line to read:

    eth0_BROADCAST=<broadcast_from_block_3>

Note: This value comes from the Network Information Sheet, block 3.

28

Scroll down to the line that reads:

    eth0_DEFAULT_GW=0.0.0.0

29

Change this line to read:

    eth0_DEFAULT_GW=<gateway_from_block_6>

Note: This value comes from the Network Information Sheet, block 6.

30

Scroll down to the line that reads:

    eth0_IP_KRNL_LOGMARTIANS=YES

31

Change this line to read:

    eth0_IP_KRNL_LOGMARTIANS=NO

See step 21 for an explanation of why this is set to NO.

32

Scroll down to the line that reads:

    eth1_IPADDR=192.168.1.254

33

Make the following changes to that line, and all subsequent eth1... lines in that group:

    eth1_IPADDR=<ip_from_block_9> (this comes from block 9 on the Network Information Sheet.)
    eth1_MASKLEN=<masklen_from_block_15> (this comes from block 15 on the Network Information Sheet.)
    eth1_BROADCAST=<broadcast_from_block_10> (this comes from block 10 on the Network Information Sheet.)
    eth1_IP_SPOOF=YES
    eth1_IP_KRNL_LOGMARTIANS=NO
    eth1_IP_SHARED_MEDIA=NO
    eth1_BRIDGE=NO
    eth1_PROXY_ARP=NO
    eth1_FAIRQ=NO

34

Scroll down to the line that reads:

    EXTERN_DHCP=YES

in the IP Filter setup section.

35

Change this line to read:

    EXTERN_DHCP=NO

36

Scroll down to the line that reads:

    EXTERN_IP=0.0.0.0

37

Change this line to read:

    EXTERN_IP=<ip_from_block_1>

Note: This value comes from the Network Information Sheet, block 1.

38

Scroll down to the line that reads:

    EXTERN_UDP_PORTS="0/0_domain 0/0_ntp 0/0_bootpc"

39

Change this line to read:

    EXTERN_UDP_PORTS="0/0_domain"

40

Scroll down to the line that reads:

    EXTERN_TCP_PORTS="0/0_ssh 0/0_smtp"

41

Change this line to read:

    EXTERN_TCP_PORTS="0/0_ssh"

42

Scroll down to the line that reads:

    INTERN_NET=192.168.1.0/24

43

Change this and the next line to read:

    INTERN_NET=<ip_from_block_14>/<masklen_from_block_15> (this comes from blocks 14 & 15 on the Network Information Sheet.)
    INTERN_IP=<ip_from_block_9> (this comes from block 9 on the Network Information Sheet.)

44

Scroll down to the line in the Hostname section that reads:

    HOSTNAME=myrouter

45

Change this line to read:

    HOSTNAME=<name_from_block_16> (this comes from block 16 on the Network Information Sheet.)

46

Locate the line in the Hosts file section that reads:

    HOSTS0="$eth0_IPADDR   $HOSTNAME.private.network      $HOSTNAME mr rtr"

47

Change this line to read:

    HOSTS0="$eth0_IPADDR   $HOSTNAME.<domain_from_block_19>      $HOSTNAME mr rtr"

48

Scroll down to the line in the Domain Search Order and Name Servers section that reads:

    DOMAINS="private.network"

49

Change this line to read:

    DOMAINS="<domain_from_block_19>"

50

Scroll down to the lines that read:

    DNS0=192.168.1.254
    #DNS1=0.0.0.0

51

Change these lines (and add one more) to read:

    DNS0=<ip_from_block_17> # Primary name server from ISP (see block 17 on the Network Information Sheet.)
    DNS1=<ip_from_block_18> # Secondary name server from ISP (see block 18 on the Network Information Sheet.)

52

Press [Alt]-[w] then [Enter] to save the changes.

53

Press [Alt]-[q] to exit back to the menu.

54

Press [q] then [Enter] to return to the main menu.

55

Press [q] then [Enter] to exit to the shell.

56

Type:

    passwd [Enter]

to change the system password.

57

At the

    Enter new password:

prompt, type in a password between 5 and 8 characters (numbers are also acceptable), then press [Enter]. Note that you will not see the characters you type appear on the screen, nor will you see the cursor move.

58

At the

    Re-enter new password:

prompt, type in the same password, then press [Enter]. Again, you will not see the characters you type appear on the screen, nor will you see the cursor move.

If you typed in the same password both times, you will see a message appear indicating that the password was changed. If you see the following message:

    Passwords do not match.
    The password for root is unchanged.

This means that the passwords you typed in were not the same. If this is the case, return to step 54 and try again.

59

Back up the firewall disk now (see Appendix A).
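Once network.conf is saved, the settings edited in steps 13 through 51 can be checked mechanically before the firewall goes live. The audit script below is an added example, not part of the original guide or of LRP; it reads the file with sed instead of sourcing it, the addresses in its sample fragment are constructed, and it assumes the KEY=value layout shown in the steps above.

```shell
#!/bin/sh
# Added example (not from the guide): audit a network.conf for the settings this
# page asks for. Values are read with sed, not sourced, so a tampered file cannot
# execute commands. Sample addresses below are constructed.

# get KEY FILE: value of the last uncommented KEY= line, quotes stripped
get() { sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '"'; }

# audit_network_conf FILE: findings on stderr, number of findings on stdout
audit_network_conf() {
    f=$1 n=0
    fail() { echo "FAIL: $1" >&2; n=$((n + 1)); }
    # static external address: DHCP off and EXTERN_IP equal to the eth0 address
    [ "$(get EXTERN_DHCP "$f")" = NO ] || fail "EXTERN_DHCP should be NO"
    [ "$(get EXTERN_IP "$f")" = "$(get eth0_IPADDR "$f")" ] || fail "EXTERN_IP != eth0_IPADDR"
    # only ssh (TCP) and domain (UDP) stay reachable from the outside
    for p in $(get EXTERN_TCP_PORTS "$f"); do
        [ "$p" = 0/0_ssh ] || fail "extra external TCP port: $p"
    done
    for p in $(get EXTERN_UDP_PORTS "$f"); do
        [ "$p" = 0/0_domain ] || fail "extra external UDP port: $p"
    done
    # internal side: anti-spoofing on, INTERN_* consistent with the eth1_* values
    [ "$(get eth1_IP_SPOOF "$f")" = YES ] || fail "eth1_IP_SPOOF should be YES"
    [ "$(get INTERN_IP "$f")" = "$(get eth1_IPADDR "$f")" ] || fail "INTERN_IP != eth1_IPADDR"
    net=$(get INTERN_NET "$f")
    [ "${net#*/}" = "$(get eth1_MASKLEN "$f")" ] || fail "INTERN_NET mask != eth1_MASKLEN"
    # reminder only: the guide turns martian logging off while configuring
    [ "$(get eth0_IP_KRNL_LOGMARTIANS "$f")" = YES ] || echo "note: martian logging is off" >&2
    echo "$n"
}

# write_sample_conf FILE: constructed fragment with the settings this page produces
write_sample_conf() {
    cat > "$1" <<'EOF'
eth0_IPADDR=203.0.113.10
eth0_IP_KRNL_LOGMARTIANS=NO
eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_IP_SPOOF=YES
EXTERN_DHCP=NO
EXTERN_IP=203.0.113.10
EXTERN_UDP_PORTS="0/0_domain"
EXTERN_TCP_PORTS="0/0_ssh"
INTERN_NET=192.168.1.0/24
INTERN_IP=192.168.1.254
EOF
}

conf=$(mktemp); write_sample_conf "$conf"
echo "findings: $(audit_network_conf "$conf")"; rm -f "$conf"
```

Run it against the real /etc/network.conf on the floppy; a count of 0 means every checked setting matches the guide, and each FAIL line names the setting to revisit.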

