STDI Consulting Inc

ARCHIVE: openSUSE 11.0 installation

Install openSUSE to run as a firewall

The most current version for openSUSE 11.3 can be found here.

This is the first article and covers the openSUSE 11.0 installation. Starting point is a PC with nothing worth keeping on the disk and the install DVD.

After several test installations, I found the option that works for me. It will be a text-only server version (no GNOME or KDE or xWindows) and a few additional steps to make the firewall more robust. Hardening the firewall is an ongoing process, but this is a good start here. Feedback is always welcome, please use the Contact Us link on the left.

Ok, here we go. Load the DVD and power up.
  • The first screen shows the Boot from Hard Disk or Installation. Highlight Installation then press F5 to change the Kernel Options. I had to select the No ACPI option, previous attempts didn't go well with ACPI option enabled. I don't see why ACPI support is needed for the firewall. The system is always running and will be replaced when it breaks. ACPI is short for "Advanced Configuration and Power Interface" and more information is available at
  • Next option is the License Agreement. Read and check the box should you agree. Click Next.
  • Next is Installation Mode. Select New Installation and uncheck both boxes, the Use Automatic Configuration and Include Add-On... Click Next.
  • Set the Clock and Time Zone and click Next.
  • Next is Desktop Selection. Click Other and choose Minimal Server Selection (Text Mode). Click Next.
  • In the Disk Setup option, I always wipe the disk and let the install process format with the default settings. There is likely a /dev/sda1 as swap and the remaining disk space as /dev/sda2. My disks are around the 6GB size, so I don't create multiple partitions. Click Next.
  • Next is Create New User. Enter a new user name and password. Leave the Use this password for system administrator checked and uncheck Automatic Login. If you don't need a user profile, just click Next and the password dialog for the root user comes up. Click Next.
  • Next is Installation Settings. One more configuration change is needed. Click on the Software heading, scroll down to the Server Functions and check the Internet Gateway option. This option installs the firewall software. Click OK.
    There are some other packages checked as well, such as Base System, Novell AppArmor, YaST and Software Management. The Print Server is also checked and I was unable to remove it from the install options. Now it's time to start the copying, click Install.
  • Next is the Confirm Installation pop-up. Click Install again and it's time for a coffee.

    While the installation process inches along and I already had my coffee, I remembered a problem I had with this PC the day before. When I was launching the install process, it aborted shortly after the first welcome screen with a fatal error message. The problem was caused by some hardware issues and a 'Hole in Memory'. Mine was likely caused by a faulty network adapter. After using a new set of adapters, the error disappeared. I'm using the built-in ethernet port plus two PCI 10/100 ethernet adapters, both the same model and version.

    Aah, the system reboots and from now on it's all in text mode.
  • First is Hostname and Domain Name. Enter the names and uncheck the Change Hostname via DHCP. I don't use DHCP, and if I do, it will be on a $20 Netgear Router - served me well in the past. Click Next.
  • Now the Network Configuration. This is more elaborate and time consuming.
  • Disable IPv6 support and hit enter. Accept the message. I don't use IPv6 yet, so no need to have it active and eating up resources.
  • Very first option is to disable DHCP on the adapter that will connect to the Internet. Select the Statically assigned IP Address and enter the IP Address, Subnet Mask and Hostname. I also set the Firewall Zone to External under the General tab.
  • Highlight the next Network Device and select Edit. Change the Firewall Zone under General and set the IP Address.
  • Check the DHCP Client Options under the Global Options tab. Make sure the Change Default Rout via DHCP is not checked.
  • Configure the Name Servers under the Hostname/DNS tab.
  • Last step in Network Device configuration is the Routing information. Enter the Default Gateway. Do not enable IP Forwarding.

    CAUTION: There is a bug in the openSUSE 11.0 install. When you add multiple IP addresses under Alias Name, the install process only adds entries but never updates or deletes any of them. The change shows correctly on the screen, but after restarting, all the old entered IP addresses are still there. I had to go in and delete them manually in the /etc/sysconfig/network/ifcfg-ethx file.

    Verify all the settings and click Next.
  • Next is Test Internet Connection.
  • Make sure that you have a network cable plugged in the External Zone. As soon as you click Next, the install process goes out to to get some files. You will be plagued by error messages if you don't have an Internet connection. Should you get in the error message loop, just select Abort and it will eventually stop and continue.
  • Next is Authentication Method. I leave the default.
  • Next may be New Local User. Depending on previous user configuration, this step may or may not show. I don't want a user setup, so I just continue.
  • Read the Release Notes and click Next.
  • You may get more connection errors here. Select Abort a few times and it will continue.
  • Skip over the Printer setup, this is one of the functions that will be removed later.
  • Now the big moment, click Finish. The system is now ready and time to login. Remove the DVD, login and because I had some boot issues during my testing, I do a shut down and start to make sure the system comes up correctly. Hurray, it came up.
  • Before I make any configuration changes, I check the system startup and system logs. Launch YaST2 from the command line, go to Miscellaneous and review the two logs.

    During the configuration, I'm setting the network properties and some of them are not correctly saved. Not sure where the problem is. If you get the error on the network, just continue and fix the configuration later after the reboot. One of the next steps is the Software Update anyway.

    To get the latest patches, we need a working connection to the Internet and the system has to know what to do. Under Software and Online Update Configuration, accept the defaults and click Next. You should not get an error. If you do, there is still a problem with the network adapter or cable and has to be resolved before we continue.

    I have an error in System Log as follows:
    ... martian source: 207.176.xx.xx from 216.176.xx.xx on dev eth2
    This is caused by a missing gateway address. Back into YaST2 and set the gateway address and all is fine (after a reboot).

    Also getting some Fatal errors on ACPI calls, since I don't plan to use them, I will remove them later from the startup.

    Next step is to stop System Services that are not needed. Start a and go to System > System Services (Runlevel), I change the following services from Yes to No.
  • acpid > don't want hardware utilities
  • cups > don't want the printer
  • postfix > don't want the MTA
  • powersaved > don't need any of the power or hardware utilities
  • sshd > no plans to login from remote. It's all local and nothing else.

    Configure some services in YaST2 > Network Services
  • Remote Administration (VNC): In do not allow remote administration and therefore I unchecked the Open Port in Firewall....
  • Network Services (xinetd), disable the services

    At this point, we have a reasonable well working system, but still too many programs and packages that are not needed. In YaST2, go to Software > Software Management and get rid of some of the 'dangerous' programs.
    Go to View > File List then Filter > Search and search for the following strings:
  • finger uninstall finger (the one with the 'i' in the first column, that's the only one installed anyway).
    toggle from the 'i' to '-' so the program will be removed.
  • ftp: uninstall wget
  • telnet: uninstall telnet
    Then click Accept to remove the programs/packages.

    Last step is a software update.
  • Launch YaST2 and go to Software > Online Update
  • Select Filters > Needed Patches
  • Select all of them to be installed (toggle with space bar and put the + in the first column)
  • One of the patches is for Wireshark. tshark is the command line version and does a nice job monitoring the port(s). More about tshark at a later time.
    There are patches for YaST and the system tells me that a restart is needed after they are installed. I accept the selection and let the system do the update.

    Another tool I use is nmap. I run this on a laptop with Windows XP. nmap checks all ports on a system and reports the open ones. A firewall should have no open ports, unless I specifically list them in my firewall configuration. I checked the system and the result is very satisfying, no open ports. Keep in mind that I didn't yet configure the firewall software.

    Ok, this is it for the system installation. The next step is firewall configuration and adding some monitoring tools. After all I want to know when the firewall is being probed and scanned. It's interesting how often my network is being scanned and how many telnet connections are done.

    But I'll keep this for another time.
    Back to Jeep Home

    First published on September 14, 2008

  • Timestamp: 08/04/2021 10:31:06 PM EDT [on srv7cps]
    1996 - 2021 STDI Consulting Inc.
    All Rights Reserved