The most current version for openSUSE 11.3 can be found here.
The installation didn't change from openSUSE 11.0, all options look the same and for our purpose here, they are the same.
This is the second article covering the firewall which is included with openSUSE. Starting point is a PC with nothing worth keeping on the disk and the install DVD. The PC has one network port built in and I added two network cards.
After several test installations with openSUSE 11.0 and running the firewall since October 2008 in production, these are the options that work for me. It will be a text-only server version (no GNOME, KDE or X Window System) plus a few additional steps to make the firewall more robust. Hardening the firewall is an ongoing process, but this should be a good start. Feedback is always welcome, please use the Contact Us link on the left.
One word of advice before we begin. Have the network cable ready and connected. The installation will act differently when no network connection is detected, or when the network connection is not correctly configured.
Ok, here we go. Load the DVD and power up. You may want to connect a mouse for the installation. The configuration is a text-only setup and the mouse will not be supported anymore after the installation.
The first screen offers Boot from Hard Disk or Installation. Highlight Installation, then press F5 to change the Kernel Options. I had to select the No ACPI option; previous attempts didn't go well with the ACPI option enabled. I don't see why ACPI support is needed for the firewall. The system is always running and will be replaced when it breaks. ACPI is short for "Advanced Configuration and Power Interface" and more information is available at http://www.acpi.info
Next option is the License Agreement. Select the Language and Keyboard Layout, read the License Agreement, then click Next.
Next is Installation Mode. Select New Installation and uncheck both boxes, the Use Automatic Configuration and Include Add-On... Click Next.
Set the Clock and Time Zone and click Next.
Next is Desktop Selection. Click Other and choose Minimal Server Selection (Text Mode). Click Next.
In the Disk Setup option, I always wipe the disk and let the install process format it with the default settings. There is likely a /dev/sda1 as swap and the remaining disk space as /dev/sda2. My disks are around 6GB, so I don't create multiple partitions.
To use the whole disk for the installation, click on Create Partition Setup..., then select option 1 which is the first hard disk and click Next.
Click Use entire hard disk. Depending on the size, you may get more than 2 partitions. We don't have a space problem, just accept the defaults and click Next.
The suggested partitioning shows the layout, click Next.
Next is Create New User. Enter a new user name and password. Leave the Use this password for system administrator checked and uncheck Automatic Login. If you don't need a user profile, just click Next and the password dialog for the root user comes up. Click Next.
Next is Installation Settings. One more configuration change is needed. Click on the Software heading, scroll down to the Server Functions and check the Internet Gateway option. This option installs the firewall software. Click OK.
Review the installation list again. Only the most basic options should be in there. There are some other packages checked as well, such as Base System, Novell AppArmor, YaST and Software Management. The Print Server is also checked and I was unable to remove it from the install options. Now it's time to start the copying, click Install.
Next is the Confirm Installation pop-up. Click Install again and it's time for a coffee.
While the installation process inches along, I remembered a problem from my first installation back in 2008. When I launched the install process, it aborted shortly after the first welcome screen with a fatal error message. The problem was caused by some hardware issues and a 'Hole in Memory'. Mine was likely caused by a faulty network adapter. After using a new set of adapters, the error disappeared. I'm using the built-in ethernet port plus two PCI 10/100 ethernet adapters, both the same model and version. The two adapters happen to be some old Compaq network adapters. The benefit of older generation hardware is the mature drivers. Same goes for the PC, I'm using end-of-lease hardware. The price is right and the only issues I have are with the ACPI drivers. So I just turn them off when booting - problem solved.
When the system comes up again, you MUST configure at least one adapter. I'm not using DHCP, so I have to set the IP addresses. This is needed to fetch the patches and fixes during the next phase of the install. In the Network Configuration menu, leave the Use Following Configuration checked, but change the Network Interfaces by tabbing to the Change option (Alt-C), then select Network Interfaces (Alt-N).
First is Hostname and Domain Name: Enter the firewall's Hostname and the Domain Name. Uncheck the Change Hostname via DHCP, leave the Write Hostname to /etc/hosts checked and click Next. I don't use DHCP in my network.
In the General Network Settings, we need to make some modifications. The idea is to have all adapters correctly configured here. Tab to the Change option and let's start with General Network Settings. Hit enter for Network Setup Method. Disable the IPv6 support - uncheck the field. Accept the message that pops up. Leave User Controlled ... unchecked and Traditional Method.. checked. Then select Ok (Alt-O).
The Firewall options will be configured much later when the system is up and running, so no changes yet.
Back in the menu again, select Network Interfaces and hit enter.
In the Network Settings, you should see the three network adapters. In my case, I have two Netelligent 10/100 TX PCI UTP entries and one 82541I Gigabit Ethernet Controller.
Highlight the Interface that connects to the Internet, then Edit the entry (Alt-i).
Select General (Alt-G) first. Make sure the Firewall Zone is set to the correct Zone. Now we change the Address (Alt-A). Tab to the Statically assign IP Address and check the field. Enter the IP Address, Subnet Mask and Hostname. I don't have any changes in the Hardware submenu, click Next (Alt-N).
Repeat this for the other two adapters as well. I enter just the basic values, for the external adapter, that is just one IP address. I'll worry about the multiple external IP addresses later.
Still in the Network Settings, select Hostname/DNS in the menu to set Hostname and Domain Name (enter Alt-S). Tab down to the DNS settings. Enter the DNS servers 1, 2 and 3. These are the IP addresses you got from your ISP.
Then select the Routing from the menu (Alt-U). Enter the Default Gateway IP address and select OK (Alt-O).
NOTE: You can configure (or reconfigure) the adapters at any time, just launch YaST2 to make the changes.
Back in the main configuration menu, check the configuration on the screen, if you agree with the settings, select Next (Alt-N).
CAUTION: There is a bug in the openSUSE 11.0 install. When you add multiple IP addresses under Alias Name, the install process only adds entries but never updates or deletes any of them. The change shows correctly on the screen, but after restarting, all the old entered IP addresses are still there. I had to go in and delete them manually in the /etc/sysconfig/network/ifcfg-ethx file.
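Because the installer leaves stale alias entries behind, it helps to audit what the ifcfg file really contains before restarting the network. This is an added example, not part of the original article: a small shell function that lists every primary and alias address in a SUSE-style ifcfg file. The file content below is constructed to reproduce the bug (a 'stale' alias that was deleted in YaST but survived on disk); the file path is a temp file rather than a real /etc/sysconfig/network/ifcfg-ethx.

```shell
# List the primary IPADDR and every numbered alias (IPADDR_<n>/NETMASK_<n>/LABEL_<n>)
# found in an ifcfg file. Argument: path to the file. Output: "name ip netmask" lines.
ifcfg_aliases() {
    awk '
        # value after "=", with surrounding single quotes stripped
        function val(s) { sub(/^[^=]*=/, "", s); gsub(/^\047|\047$/, "", s); return s }
        # alias index: "" for the primary entry, "0", "1", ... for aliases
        function idx(s) { sub(/=.*/, "", s); sub(/^[A-Z]+_?/, "", s); return s }
        /^IPADDR(_[0-9]+)?=/  { i = idx($0); ip[i] = val($0) }
        /^NETMASK(_[0-9]+)?=/ { i = idx($0); nm[i] = val($0) }
        /^LABEL_[0-9]+=/      { i = idx($0); lb[i] = val($0) }
        END {
            for (i in ip) {
                name = (i == "") ? "primary" : ((i in lb) ? lb[i] : "alias_" i)
                mask = (i in nm) ? nm[i] : "-"
                printf "%s %s %s\n", name, ip[i], mask
            }
        }' "$1" | sort
}

# Constructed sample in the style of ifcfg-eth0: one primary address and two
# aliases; the second alias ("stale") is the kind of leftover the bug produces.
write_sample_ifcfg() {
    cat > "$1" <<'EOF'
BOOTPROTO='static'
STARTMODE='auto'
IPADDR='192.0.2.2'
NETMASK='255.255.255.0'
IPADDR_0='192.0.2.3'
NETMASK_0='255.255.255.0'
LABEL_0='web'
IPADDR_1='192.0.2.9'
NETMASK_1='255.255.255.0'
LABEL_1='stale'
EOF
}

# Usage: write the sample and show every address that would be configured on restart
f=$(mktemp)
write_sample_ifcfg "$f"
ifcfg_aliases "$f"
rm -f "$f"
```

Run it against the real ifcfg-ethx on the firewall and compare the list with what YaST shows; anything extra is an entry to delete by hand.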
The next screen shows the Release Notes. Read the information and click Next.
Hardware Configuration: I don't want to configure a printer, so click Next.
Installation Completed. Click Finish.
The installation process is now done and it's time to log in to the system. Log in as root and launch YaST2 to go back into the configuration. We have to run the software upgrade first.
Now it's time to get the software updates. Make sure the cable is plugged into the right adapter.
Verify all the settings and click Next.
Next is Test Internet Connection.
Make sure that you have a network cable plugged in the External Zone. As soon as you click Next, the install process goes out to download.opensuse.org to get some files. You will be plagued by error messages if you don't have an Internet connection. Should you get in the error message loop, just select Abort and it will eventually stop and continue.
Follow the prompt of the upgrade. Depending on release, this step will act differently. Just follow the prompts and Accept the packages. When I did the upgrade, the process was done in two steps. A small set of upgrades first, then the big update. And finally finish with a reboot. Let the system Boot from Hard Disk.
The final steps are different depending on the previously selected options.
I have no printer configured or connected, so I'm getting an error complaining about a missing printer. Select Next (Alt-N).
If you get the Authentication Method, leave the default.
Next may be New Local User. Depending on previous user configuration, this step may or may not show. I don't want a user setup, so I just continue.
Read the Release Notes and click Next.
You may get more connection errors here. Select Abort a few times and it will continue.
Skip over the Printer setup, this is one of the functions that will be removed later.
Now the big moment, click Finish. The system is now ready and it's time to log in. Remove the DVD and log in. Because I had some boot issues during my testing, I do a shutdown and restart to make sure the system comes up correctly. Hurray, it came up.
Before I make any configuration changes, I check the system startup and system logs. Launch YaST2 from the command line, go to Miscellaneous and review the two logs.
During the installation, I only configured the external network. Two reasons: I have a backup of the configuration and don't really want to type all the settings again, and if I encounter a problem during the install, I just start again from the beginning. That takes less time than trying to figure out what went wrong.
We already installed the latest patches, so no need to do a Software Update again. Just in case you need them, you can do them from YaST2, then go to Software.
Next step is to stop System Services that are not needed. Start YaST2 and go to System > System Services (Runlevel), and change the following services from Yes to No.
acpid > don't want hardware utilities
cups > don't want the printer
postfix > don't want the MTA
powersaved > don't need any of the power or hardware utilities
sshd > no plans to login from remote. It's all local and nothing else.
Configure some services in YaST2 > Network Services
Remote Administration (VNC): I do not allow remote administration, so I also unchecked the Open Port in Firewall.... option.
Network Services (xinetd): disable the services.
At this point, we have a reasonably well-working system, but still too many programs and packages that are not needed. In YaST2, go to Software > Software Management and get rid of some of the 'dangerous' programs.
Go to View > File List then Filter > Search and search for the following strings:
finger: uninstall finger (the one with the 'i' in the first column; that's the only one installed anyway).
Toggle from the 'i' to '-' so the package will be removed.
ftp: uninstall wget
telnet: uninstall telnet
Then click Accept to remove the programs/packages.
Last step is a software update.
Launch YaST2 and go to Software > Online Update
Select Filters > Needed Patches
Select all of them to be installed (toggle with space bar and put the + in the first column)
One of the patches is for Wireshark. tshark is the command line version and does a nice job monitoring the port(s). More about tshark at a later time.
There are patches for YaST and the system tells me that a restart is needed after they are installed. I accept the selection and let the system do the update.
Another tool I use is nmap. I run this on a laptop with Windows XP. nmap checks all ports on a system and reports the open ones. A firewall should have no open ports, unless I specifically list them in my firewall configuration. I checked the system and the result is very satisfying: no open ports. Keep in mind that I haven't configured the firewall software yet.
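The same "nothing listens unless I said so" check can be run on the firewall itself from the output of netstat -tuln, with a short allow-list of what is expected. This is an added example, not from the original article; the netstat output embedded below is a constructed sample showing the cups (631) and postfix (25) listeners that the earlier steps disable, plus sshd on 22.

```shell
# Print every listening socket (as proto/port) that is NOT in the allow-list.
# $1 = space-separated allow-list such as "tcp/22 udp/53"; netstat -tuln output on stdin.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # TCP rows carry a LISTEN state; UDP rows have no state column at all
        $1 ~ /^(tcp|udp)6?$/ && ($NF == "LISTEN" || $1 ~ /^udp/) {
            proto = substr($1, 1, 3)
            port = $4; sub(/.*:/, "", port)   # handles 0.0.0.0:22 as well as :::22
            key = proto "/" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample of "netstat -tuln" from a freshly installed box
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:631             0.0.0.0:*
EOF
}

# Usage: only ssh is expected, so the cups and postfix sockets are reported
sample_netstat | unexpected_listeners "tcp/22"
```

On the real firewall, replace sample_netstat with netstat -tuln; an empty result after the services above are turned off confirms the scan result from the laptop.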
Ok, this is it for the system installation. The next step is firewall configuration and adding some monitoring tools. After all I want to know when the firewall is being probed and scanned. It's interesting how often my network is being scanned and how many telnet connections are done.
But I'll keep this for another time.
First published on August 04, 2009
Last revised on August 30, 2009