This is the third article covering the firewall included with openSUSE 11. The starting point is a reasonably current PC and the installation DVD. I'm using an IBM ThinkCentre P4 3GHz with 1GB memory and a 40GB disk. The PC has one built-in network port and I added two Compaq 10/100 network cards.
We will disable IPv6 completely in this configuration. If you plan to use IPv6 or don't know what that means, it is probably safe to continue and read about it at Wikipedia while the installation process loads the files.
I did a test installation with openSUSE 11.4 and the installation steps are the same. If you have the 11.4 version, you can follow this same script.
I have been running the openSUSE firewall in production since October 2008 and these are the options that work for me. My requirements are simple: no VPN, no proxy, just simple routing from multiple external IP addresses to multiple internal IP addresses. I have several HTTP servers, some with SSL, 2 SMTP servers, Blackberry Enterprise Server, 2 Lotus Domino servers, Traveler for smartphones and Sametime plus some other systems. I tried to avoid a DHCP server for the longest time, but it's getting too complicated. All the portable devices need DHCP to make them truly portable. So here we go, this time with DHCP and DNS.
The firewall will be a text-only server installation (no GNOME, KDE or X Window System), with a few additional steps to make it more robust. Hardening the firewall is an ongoing process, but this should be a good start. Feedback is always welcome, please use the Contact Us link on the left.
One word of advice before we begin. Have the network cable ready and connected. The installation will act differently when no network connection is detected, or when the network connection is not correctly configured.
I downloaded the ISO image using BitTorrent and burnt the DVD. Before I run the install, I run Check Installation Media on the system where it's being installed. I had some incompatibility issues between DVD drives; switching the DVD drive solved the problem.
Ok, here we go. Load the DVD and power up. You may want to connect a mouse for the installation. The configuration is a text-only setup and the mouse will not be supported anymore after the installation.
The first screen shows Boot from Hard Disk or Installation. If you experience problems later in the installation, they may be caused by the Power Interface (ACPI). Older hardware does not support this feature. For now click Next.
If you need to disable the Power Interface, highlight Installation, then press F5 to change the Kernel Options and select the No ACPI option. Previous attempts with version 11.0 didn't go well with the ACPI option enabled. I don't see why ACPI support is needed for the firewall: the system is always running and will be replaced when it breaks. ACPI is short for "Advanced Configuration and Power Interface" and more information is available at http://www.acpi.info
Next option is the License Agreement. Select the Language and Keyboard Layout, read the License Agreement, then click Next.
Next is Installation Mode. Select New Installation and uncheck both boxes, the Use Automatic Configuration and Include Add-On... Click Next.
Set the Clock and Time Zone and click Next.
Next is Desktop Selection. Click Other and choose Minimal Server Selection (Text Mode). Click Next.
Next is Suggested Partitioning. I always wipe the disk and let the install process format with the default settings. There is likely a /dev/sda1 as swap and the remaining disk space as /dev/sda2. I have no need for user data or large disks. The firewall will fit on a 10GB disk in case you still have a good quality one on a shelf somewhere.
To use the whole disk for the installation, click on Create Partition Setup..., then select option 1 which is the first hard disk and click Next.
Click Use entire hard disk and uncheck Propose Separate Home Partition. My 10GB disk has a swap on /dev/sda1, and its size depends on the memory. The remaining space is used as Linux native on /dev/sda2. We won't have space problems; just accept the defaults and click Next.
The screen returns to Suggested Partitioning and shows the new layout and the actions. Click Next unless you need to change the options.
Next is Create New User. Enter a new user name and a password. Leave the Use this password for system administrator checked and uncheck Automatic Login. We don't really need a user profile, the firewall configuration is done with the root login. If you don't supply a username here, the next screen will prompt for the root user password. Click Next.
Next is Installation Settings. One more configuration change is needed. Click on the Software heading, scroll down to Server Functions and check the Internet Gateway and the DHCP and DNS Server options. If you don't need DHCP at all, just don't select it in the install; it is completely optional. These two options install the firewall and the DHCP/DNS software. Click OK.
Review the installation list again. Only the most basic options should be in there. There are some other packages checked as well, such as Base System, Novell AppArmor, YaST and Software Management. The Print Server is also checked and I was unable to remove it from the install options. Now it's time to start the copying, click Install.
Next is the Confirm Installation pop-up. Click Install again and it's time for a coffee.
While the installation process inches along, I remembered a problem from my first installation back in 2008. When I launched the install process, it aborted shortly after the first welcome screen with a fatal error message. The problem was caused by some hardware issues and a 'Hole in Memory'. Mine was likely caused by a faulty network adapter; after using a new set of adapters, the error disappeared. I'm using the built-in ethernet port plus two PCI 10/100 ethernet adapters, both the same model and version. The two adapters happen to be some old Compaq network adapters. The benefit of older generation hardware is the mature drivers. Same goes for the PC: I'm using end-of-lease hardware. The price is right and the only issues I have are with the ACPI drivers, so I just turn them off when booting - problem solved.
When the system comes up again, you MUST configure at least one adapter. I connected the built in port directly to the Internet, which will be the External Zone. I'm not using DHCP, so all my IP addresses have to be set. The Internet connection is needed to fetch the patches and fixes during the next phase of the install.
When the system comes back after copying all the files, we are now in Text Mode.
The first screen is Hostname and Domain Name. Enter the firewall's hostname and the domain name. Uncheck Change Hostname via DHCP and leave Assign Hostname to Loopback IP as it is. Tab to Next and hit Enter.
The next page is General Network Settings. Leave the Network Mode as-is. Tab to the IPv6 protocol and select Disable IPv6; the system does a quick reset.
Now tab to the Change option and select Network Interfaces.
The Network Settings page is now up.
In the Overview, you should see the three network adapters. In my case, I have two Netelligent 10/100 TX PCI UTP entries and one 82541I Gigabit Ethernet Controller. Tab to the adapter section, highlight the interface that connects to the Internet, then Edit the entry (Alt-I).
Select General (Alt-G) first. Make sure the Firewall Zone is set to the correct zone, in my case the External Zone. Remember, this is the one that has the network cable connected. Now we change the Address (Alt-A). Tab to Statically assign IP Address and check the field (space bar). Enter the IP Address, Subnet Mask and Hostname. Then go back to General (Alt-G) and confirm the Firewall Zone is set to External Zone. I don't have any changes in the Hardware submenu. I will have multiple external addresses, but I will worry about them later. In most configurations there is only one external address. Click Next (Alt-N).
Repeat this for the other two adapters as well. The first of my Netelligent adapters (Device Name eth0) is my Demilitarized Zone, configured as 10.10.1.1, and the second (Device Name eth1) is the Internal Zone, configured as 192.168.1.1. Make sure you use the correct addresses for your environment.
Still in Network Settings, select Hostname/DNS from the menu (Alt-S). Tab down to the DNS settings and enter the addresses for DNS servers 1, 2 and 3. These are the IP addresses you got from your ISP.
Then select Routing from the menu (Alt-U). Enter the Default Gateway IP address and select OK (Alt-O).
NOTE: You can configure (or reconfigure) the adapters at any time, just launch YaST2 to make the changes.
Back in the General Network Settings menu, check the configuration on the screen. The Firewall may be disabled, but we'll configure the firewall first and make sure it starts when the system comes up. If you agree with the settings, select Next (Alt-N).
CAUTION: There is a bug in the openSUSE 11.0 install. When you add multiple IP addresses under Alias Name, the install process only adds entries but never updates or deletes any of them. The change shows correctly on the screen, but after restarting, all the old entered IP addresses are still there. I had to go in and delete them manually in the /etc/sysconfig/network/ifcfg-ethx file.
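As an added example (mine, not from the original article), here is what the ifcfg file YaST writes looks like, plus a small shell helper that lists the alias addresses actually present in the file, so leftover entries from the bug above are easy to spot before you delete them by hand. The device name eth2, the 203.0.113.x addresses and the file contents are constructed samples; on a real firewall you would read /etc/sysconfig/network/ifcfg-<device> instead of the sample function.

```shell
#!/bin/sh
# Added example, not from the article: audit the alias (additional IP) entries in
# an openSUSE ifcfg file. Device name eth2 and the 203.0.113.x addresses are
# constructed; on a real system read /etc/sysconfig/network/ifcfg-<device>.

# Constructed sample of /etc/sysconfig/network/ifcfg-eth2 in the layout YaST
# writes: a static base address plus numbered aliases (IPADDR_n/NETMASK_n/LABEL_n).
# Alias 3 plays the role of an entry that was deleted in YaST but stayed on disk.
sample_ifcfg() {
    cat <<'EOF'
BOOTPROTO='static'
STARTMODE='auto'
IPADDR='203.0.113.10'
NETMASK='255.255.255.0'
IPADDR_1='203.0.113.11'
NETMASK_1='255.255.255.0'
LABEL_1='1'
IPADDR_2='203.0.113.12'
NETMASK_2='255.255.255.0'
LABEL_2='2'
IPADDR_3='203.0.113.13'
NETMASK_3='255.255.255.0'
LABEL_3='3'
EOF
}

# Read an ifcfg file on stdin and print one line per alias: "<n> <IPADDR_n> <NETMASK_n>".
# Quotes are stripped first because YaST writes single-quoted values.
list_aliases() {
    sed "s/['\"]//g" | awk -F'=' '
        $1 ~ /^IPADDR_[0-9]+$/  { split($1, k, "_"); ip[k[2]] = $2 }
        $1 ~ /^NETMASK_[0-9]+$/ { split($1, k, "_"); mask[k[2]] = $2 }
        END { for (n in ip) printf "%s %s %s\n", n, ip[n], (n in mask) ? mask[n] : "-" }
    ' | sort -n
}

# Number of alias entries in the ifcfg file on stdin.
alias_count() {
    list_aliases | awk 'END { print NR }'
}

# Usage: stale_aliases ADDR... < ifcfg-file
# Print the alias entries whose address is not one of the ADDR arguments, i.e.
# addresses that are configured on disk but that you no longer intend to use.
stale_aliases() {
    list_aliases | awk -v want=" $* " 'index(want, " " $2 " ") == 0 { print }'
}

# Stand-alone demo: we still want .11 and .12, so alias 3 (.13) is reported as stale.
sample_ifcfg | stale_aliases 203.0.113.11 203.0.113.12
```

On the firewall itself, replace the sample with the real file (for example `stale_aliases 203.0.113.11 203.0.113.12 < /etc/sysconfig/network/ifcfg-eth2`), remove the reported IPADDR_n/NETMASK_n/LABEL_n lines, and restart networking with `rcnetwork restart` on openSUSE 11.x so the kernel no longer carries the old addresses.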
With the network configured, you may get the Test Internet Connection page. Feel free to run the test, but I recommend skipping it for now. If you do run the test, this step will also get the latest openSUSE software updates; I have the Software Update further down. If there is a problem with the Internet connection, you will get errors. Even though Skip Test was selected, the install process still pulls in some description or documentation. Once the download is finished, the system prompts again for the Online Update; select Skip again and then Next.
The next screen shows the Release Notes. Read the information and click Next.
Next screen is Hardware Configuration. I don't want to configure a printer, so click Next.
Next screen is Installation Completed. Click Finish.
Remove the DVD.
The installation process is now done and it's time to log in to the system.
At the login prompt enter root and then the password.
The first thing I test is a shutdown. Enter shutdown now -h and the system will terminate. If ACPI is active, the power will be turned off; if it's not, the last line will show xxx System halted, and this is the time to push the power button to turn off the PC. After a few seconds, start the PC again and the system should boot correctly. If the boot loader is malfunctioning, you will find out now.
NOTE: the shutdown command has several options, the now will bring it down immediately, the -h will halt the system and the -r will restart the system.
Again, at the login prompt enter root and then the password.
Type YaST2 from the command line.
Next step is to stop System Services that are not needed. Go to YaST2 > System > System Services (Runlevel), I change the following services from Yes to No. Some may be set to No already.
cifs > don't want any remote files
cups > don't want the printer
postfix > don't want the MTA
smartd > don't want the disk monitoring
powersaved or powerd > don't need any of the power or hardware utilities
sshd > no plans to login from remote. It's all local and nothing else.
Select OK (Alt-O).
Configure or disable some services in YaST2 > Network Services
> Network Services (xinetd), make sure it's disabled.
> Remote Administration (VNC): make sure Do Not Allow Remote Administration is checked and Open Port in Firewall is unchecked.
At this point we have a reasonably well-working system, but still too many programs and packages that are not needed. Go to YaST2 > Software > Software Management and get rid of some of the 'dangerous' programs.
Set the Filter to Search and enter the following strings in the Search Pattern:
Search Pattern: finger, then uninstall finger (the one with the 'i' in the first column; that's the only one installed anyway). Toggle from 'i' to '-' with the space bar so the package will be removed.
Search Pattern: wget, then uninstall wget.
Search Pattern: telnet, then uninstall telnet.
Then click Accept (Alt-A) to remove the programs/packages. Some dependencies may need to be resolved, just accept the default.
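Added example, not part of the original article: a shell check that compares what is actually enabled and installed against the lists from the two sections above (services from the Runlevel editor, packages from Software Management), so you can re-run it after every update to see whether anything crept back. The chkconfig and rpm listings inside it are constructed samples standing in for `chkconfig --list` and `rpm -qa --qf '%{NAME}\n'` on the real system; runlevel 3 is checked because that is where the text-mode install boots.

```shell
#!/bin/sh
# Added example, not from the article: report which of the unwanted services are
# still enabled in a runlevel and which of the unwanted packages are still
# installed. Both listings below are constructed samples standing in for
# `chkconfig --list` and `rpm -qa --qf '%{NAME}\n'` on the real firewall.

# Constructed sample of `chkconfig --list` output (sysvinit runlevel table).
sample_chkconfig() {
    cat <<'EOF'
cifs                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
cups                      0:off  1:off  2:on   3:on   4:off  5:on   6:off
network                   0:off  1:off  2:on   3:on   4:off  5:on   6:off
postfix                   0:off  1:off  2:off  3:off  4:off  5:off  6:off
smartd                    0:off  1:off  2:on   3:on   4:off  5:on   6:off
sshd                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
SuSEfirewall2_init        0:off  1:off  2:on   3:on   4:off  5:on   6:off
SuSEfirewall2_setup       0:off  1:off  2:on   3:on   4:off  5:on   6:off
xinetd                    0:off  1:off  2:off  3:off  4:off  5:off  6:off
EOF
}

# Constructed sample of `rpm -qa --qf '%{NAME}\n'` output (package names only).
sample_rpm() {
    cat <<'EOF'
bash
coreutils
finger
SuSEfirewall2
wget
yast2
EOF
}

# Usage: enabled_in_runlevel RL < chkconfig-output
# Print every service whose RL column reads "on".
enabled_in_runlevel() {
    awk -v rl="$1" '
        NF >= 8 {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == rl && kv[2] == "on") { print $1; break }
            }
        }'
}

# Usage: unwanted_enabled RL SERVICE... < chkconfig-output
# Print the listed services that are still on in runlevel RL.
unwanted_enabled() {
    rl="$1"; shift
    enabled_in_runlevel "$rl" | awk -v want=" $* " 'index(want, " " $1 " ") { print $1 }'
}

# Usage: unwanted_installed PACKAGE... < package-list
# Print the listed packages that are still installed.
unwanted_installed() {
    awk -v want=" $* " 'index(want, " " $1 " ") { print $1 }'
}

# Stand-alone demo against the samples: the text-mode firewall boots into
# runlevel 3, so that is the column that matters.
echo "services still enabled in runlevel 3:"
sample_chkconfig | unwanted_enabled 3 cifs cups postfix smartd powersaved powerd sshd
echo "packages still installed:"
sample_rpm | unwanted_installed finger wget telnet
```

On the real box, pipe `chkconfig --list` and `rpm -qa --qf '%{NAME}\n'` into the two functions instead of the sample ones; anything reported can be fixed with `chkconfig <service> off` or back in YaST2 > Software > Software Management.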
Last step is a software update.
Launch YaST2 and go to Software > Online Update
We accept the default and start the update by selecting Accept (Alt-A). It'll take some time to download and apply the patches. Now is a good time for another coffee.
Select Filters > Needed Patches
Select all of them to be installed (toggle with space bar and put the + in the first column)
One of the patches is for Wireshark. tshark is the command line version and does a nice job monitoring the port(s). More about tshark at a later time.
There are patches for YaST and the system tells me that a restart is needed after they are installed. I accept the selection and let the system do the update.
Now it's time to configure the DHCP server if you installed the option above. See DHCP Server Setup for details.
Another tool I use is nmap. I run this on a laptop with Windows XP. nmap checks all ports on a system and reports the open ones. A firewall should have no open ports, unless I specifically list them in my firewall configuration. I checked the system and the result is very satisfying, no open ports. Keep in mind that I didn't yet configure the firewall software.
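Added example (mine, not the article's): the same check from the firewall's own side. Instead of scanning from a laptop, list the sockets the box is listening on and flag anything bound to a non-loopback address that is not on an explicit allow list; a service that only listens on 127.0.0.1 (postfix, cups in the sample) is not reachable from the network even before the firewall rules are in place. The netstat output below is a constructed sample standing in for `netstat -tuln`, and the allow list in the demo (DNS on tcp/udp 53, DHCP on udp 67) is an assumption matching the DHCP and DNS Server install option.

```shell
#!/bin/sh
# Added example, not from the article: check the firewall's open ports from the
# inside. The netstat text is a constructed sample standing in for `netstat -tuln`;
# the allow list used in the demo (DNS on 53, DHCP on udp 67) is an assumption.

# Constructed sample of `netstat -tuln`: sshd still listening on all addresses,
# DNS on the internal address, DHCP on udp 67, and postfix/cups on loopback only.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
EOF
}

# Read netstat -tuln output on stdin and print "<proto> <addr> <port>" for every
# socket bound to something other than loopback. Those are the ports another
# machine can reach (until SuSEfirewall2 filters them).
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next       # loopback only
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next           # not a server socket
            printf "%s %s %s\n", $1, addr, port
        }'
}

# Usage: unexpected_listeners PROTO/PORT... < netstat-output
# Print exposed sockets that are not on the allow list, e.g. tcp/53 udp/67.
unexpected_listeners() {
    exposed_listeners | awk -v allow=" $* " 'index(allow, " " $1 "/" $3 " ") == 0 { print }'
}

# Stand-alone demo: DNS and DHCP are expected on a firewall that serves them;
# anything else (here sshd on tcp/22) needs a decision.
sample_netstat | unexpected_listeners tcp/53 udp/53 udp/67
```

Run it as `netstat -tuln | unexpected_listeners tcp/53 udp/53 udp/67` on the firewall; an empty result is the host-side counterpart of the clean nmap scan above, and a non-empty one tells you which service to stop before the firewall rules ever see the traffic.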
Ok, this is it for the system installation. The next step is firewall configuration and adding some monitoring tools. After all I want to know when the firewall is being probed and scanned. It's interesting how often my network is being scanned and how many telnet connections are done.
But I'll keep this for another time.
I hope you find this document helpful and appreciate your feedback here.
First published on November 06, 2010