Prior to installing Dachstein, the PC must be readied. This includes verifying system requirements, removing unnecessary components, and configuring network adapters. Once the PC is ready, you can then begin working on the Dachstein software.
486 DX or higher. (A 486 SX will work, but requires additional work which is not covered here.)
12 MB RAM minimum (16 MB recommended)
3.5" floppy disk drive (two if you want lots of features) capable of reading 1.44 MB disks
ATAPI CD-ROM drive (if you have the Dachstein CD distribution). A SCSI CD will work, but requires more work, and is not covered here.
Keyboard and monitor (during the install)
If there is a hard disk drive in the PC, it can be removed. You will not need it. Also, any special adapter cards such as IO adapters (unless they control the floppy disk drive), extra printer port cards, sound cards etc. can be removed. If an item isn't required, I would recommend removing it. There's no reason to keep it there complicating the system, and generating more heat when it offers no advantage.
See Appendix E - Laptop-Specific Issues, in addition to this section, for hints on preparing a laptop as a firewall.
You will need two network adapters, the PC, a DOS boot disk, the network card drivers, the Network Information Sheet (Appendix C), a pencil, and two stickers, 1/4" by 1". Mark one sticker Internal, the other External.

Before we actually talk about configuring the cards, let's consider which cards to use. There are many NICs which are compatible with Linux (check out the Hardware-HOWTO in the Resources section at the end of this document). My experience has been that cards which are compatible with the NE2000 adapter seem to work the best. Of course, if a manufacturer has their own Linux driver software and support, that's a great option, too. I have never had much trouble configuring NE2000 adapters, and I have had success with 3Com 3C509B adapters. Finally, I have had limited success with Intel EtherExpress PRO/10 adapters; however, I could never get two to initialize in the same box at the same time. If you have one of these, you might consider looking for a second adapter of a different type.
Boot the PC in DOS, then load your NIC configuration software from the driver disk. Configure the first card using the following guidelines (consult the documentation for your adapter for more details):
Duplex - If you have this option, set the card to whatever your hub, switch, or other connection can support.
Plug and Play - Shut it off.
Port or IO address: 300 (may also be listed as 0x300, or 0x0300) - Write this number down in block 25 of the Network Information Sheet.
IRQ or Interrupt: 5 - Write this number down in block 26 of the Network Information Sheet.
Place the "Internal" sticker on the back of this card so you can see it from behind the PC. Write down the MAC address of this card on the Network Information Sheet in block 24.
Some NIC configuration applications are not able to configure two cards residing in the PC at the same time. One application known not to work is that shipped with older Kingston ISA adapters (even though it says you can using 'QSTART /MULTIPLE'). If this is the case, you may have to remove the NIC you just configured. Using the same driver software, configure the second adapter with the following specifications:
Duplex - If you have this option, set the card to whatever your hub, switch, or other connection can support.
Plug and Play - Shut it off.
Port or IO address: 280 (may also be listed as 0x280, or 0x0280) - Write this number down in block 21 of the Network Information Sheet.
IRQ or Interrupt: 3 - Write this number down in block 22 of the Network Information Sheet.
Place the "External" sticker on the back of this card so you can see it from behind the PC. Write down the MAC address of this card on the Network Information Sheet in block 20.
Configuring 3Com adapters is a bit more difficult than NE2000-compatibles. The reason is that it's not always clear which adapter will be activated first. The first adapter activated will be eth0 (the external NIC), however. When using ISA cards, I have read that the card with the lower MAC address is activated first (though I have not verified this). When using PCI adapters, the order of activation is based upon which slot each card resides in. I suggest not labeling the adapters, or putting the case back on until you have gone through configuring your firewall settings, and can successfully ping to both sides. Additionally, you need not write down the adapters' I/O or IRQ settings on the Network Information Sheet (unless you want to for the sake of completeness of documentation) as these are not explicitly passed to the NIC driver.
Boot the PC in DOS, then load your NIC configuration software from the driver disk. Configure the first card using the following guidelines (consult the documentation for your adapter for more details):
Duplex - If you have this option, set the card to whatever your hub, switch, or other connection can support.
Plug and Play - Shut it off.
Port or IO address: 300 (may also be listed as 0x300)
IRQ or Interrupt: 5
The 3C5X9CFG.EXE configuration utility allows you to configure more than one card at a time, so installing one card at a time is not necessary when using 3Com NICs. Simply move over to the Select menu and select the next adapter in the list to configure. Once you do this, make the following changes to the second adapter:
Duplex - If you have this option, set the card to whatever your hub, switch, or other connection can support.
Plug and Play - Shut it off.
Port or IO address: 280 (may also be listed as 0x280)
IRQ or Interrupt: 3
The SOFTSET2.EXE utility used to configure EtherExpress cards can configure multiple adapters in the same machine at the same time, but again, I have not been able to get the eepro module to initialize two adapters at the same time, so it is assumed that only one EtherExpress adapter is present in the machine.
Configure the Duplex to match that of your hub.
Configure the adapter using either IO=0x280/IRQ=3 or IO=0x300/IRQ=5.
Disable any special features such as Plug and Play.
Now, configure your other adapter using the settings left free after configuring the EtherExpress card, and mark each NIC with the appropriate sticker.
If you are configuring PCI NICs, write down the slot numbers for each NIC in blocks 23 and 27 of the Network Information Sheet. This may be helpful in figuring out which NIC is which when they are initialized, as some drivers will initialize NICs in lower PCI slots before initializing those in higher PCI slots. As such, if you configured only one NIC at a time, place both NICs back in the PC, inserting the External NIC in a lower slot number than the Internal NIC.
Some NIC configuration programs require that the PC be rebooted after changing the Plug and Play setting in order to continue the configuration. If this is the case, reboot the PC after changing the Plug and Play settings. Once you are finished configuring the NICs, shut the PC down and set it off to the side. We will come back to it once we have a Dachstein disk. If you are using 3Com NICs, don't forget to do a ping test, and then label the adapters once you are finished with the Configuring Dachstein section.
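The guide relies on a ping test, and on which card the kernel happens to activate first, to learn which NIC became eth0 (External) and which became eth1 (Internal). The following is an added shell check, not part of the Dachstein documentation, that makes that comparison mechanically once the firewall is booted later in this guide: it reads the HWaddr fields from ifconfig output and compares them with the External MAC (block 20) and Internal MAC (block 24) written on the Network Information Sheet. It assumes the classic net-tools ifconfig layout; the sample ifconfig output and MAC addresses embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not from the Dachstein documentation: check that the kernel
# assigned the External card to eth0 and the Internal card to eth1 by comparing
# the HWaddr values printed by ifconfig with the MAC addresses recorded in
# blocks 20 (External) and 24 (Internal) of the Network Information Sheet.
# Assumes the classic net-tools ifconfig layout:
#   eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55

# Print the MAC of interface $1 from ifconfig text on stdin (lower case);
# print nothing if that interface does not appear.
iface_mac() {
    awk -v ifc="$1" '
        $1 == ifc {
            for (i = 1; i <= NF; i++)
                if ($i == "HWaddr") print tolower($(i + 1))
        }'
}

# check_nic_order <ifconfig-output> <external-mac> <internal-mac>
# Exit status: 0 = eth0 is External and eth1 is Internal (what the guide expects);
#              1 = the two are swapped (for the ne driver, reverse the order of
#                  the io=/irq= values; for PCI cards, swap the slots);
#              2 = an interface or a matching MAC was not found.
check_nic_order() {
    out=$1
    ext_mac=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    int_mac=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    mac0=$(printf '%s\n' "$out" | iface_mac eth0)
    mac1=$(printf '%s\n' "$out" | iface_mac eth1)
    [ -n "$mac0" ] && [ -n "$mac1" ] || return 2
    if [ "$mac0" = "$ext_mac" ] && [ "$mac1" = "$int_mac" ]; then
        return 0
    fi
    if [ "$mac0" = "$int_mac" ] && [ "$mac1" = "$ext_mac" ]; then
        return 1
    fi
    return 2
}

# Constructed sample of what ifconfig -a might print on the booted firewall;
# the MAC addresses are made up and stand in for the values on the sheet.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:A0:24:11:22:33
          inet addr:1.1.1.2  Bcast:1.1.1.3  Mask:255.255.255.252
eth1      Link encap:Ethernet  HWaddr 00:40:05:AA:BB:CC
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0'

# On the firewall itself, run it against the live output, for example:
#   check_nic_order "$(ifconfig -a)" 00:A0:24:11:22:33 00:40:05:AA:BB:CC; echo $?
```

An exit status of 1 is the case the guide warns about with 3Com and PCI cards: both interfaces came up, but the External card was activated second. Fix the ordering and re-run the check before labeling the cards.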
This section describes how to prepare a Dachstein disk for either the Dachstein CD or 'floppy-only' distributions. Note that this section does not cover configuring the networking and services. This section just gets the disk loaded with the proper software and ready to boot. You will require one 3.5" high density disk. You will also need a PC with a connection to the Internet (or at least with a copy of the Dachstein image or Dachstein CD), and Microsoft Windows 95, 98, or 2000 installed on it (Windows NT is untested).
Place the floppy in the disk drive, and locate and run the disk image file you wish to create. This disk image is self-extracting, and will automatically write itself to the disk in drive A:.
Note: some systems have trouble writing the 1680K format disks. The following errors have been observed:
The disk may get written, but the installer hangs up when trying to verify that the disk was written correctly. If this happens, try the disk anyway - in the past, these disks have worked without error.
The computer will lock up trying to begin writing the disk. If this happens, your particular Windows version or configuration is not capable of writing the disk images. Find another Windows PC.
The installer verifies the disk, and finds errors. If this happens, try it again with a new disk. The one you are using is not trustworthy.
If you will be running Dachstein from a laptop, please see Appendix E - Laptop-Specific Issues.
The 1.68 MB Dachstein disk is now ready to be configured. If all went well, you should be able to boot off the disk and be ready to fill out the details of the Network Information Sheet.
I have created the CD from both Adaptec's EZ-CD Creator, and from Nero Burning ROM. Both worked flawlessly. Essentially, the process is to select the menu option to create a CD from an image, open the image file (dachstein-cd-v?.?.?.iso), then write the image. If you don't like the Windows-way, and you run XFree86, check out CDR Toaster. It does a nice job of burning CDs from .ISO images.
The Dachstein CD is bootable. I would recommend creating a boot floppy for it (particularly if your firewall's BIOS does not allow booting from CD) to store configuration files. What type of system you create the floppy disk on depends upon which application you plan on using to write the image. I used RAWRITE.EXE, which requires a true MS-DOS system*. Using the newer WinImage will require a Windows 9x/2000 system.
Ensure you have RAWRITE.EXE and the bootdisk.bin file (obtained from the CD) available on the PC.
Boot the PC into MS-DOS
Switch to the directory containing RAWRITE and the disk image file.
Run the following command:
rawrite bootdisk.bin a: [Enter]
Once the disk has been written, remove it, and label it appropriately.
* Running RAWRITE.EXE on a Windows 9x/2000 box in DOS mode will appear to complete writing correctly, but will leave you with a disk that will at best boot inconsistently.
Launch WinImage
Click the File menu, then Open
In the Files of type dropdown, select All Files.
Locate the bootdisk.bin file, and double-click it. (Once you open it, you should see a list of all of the files in the disk image that will be written to the floppy disk in the WinImage window.)
Click the Disk menu, then select Write disk (or just click the Write disk button in the toolbar).
If the disk already has files on it, you will be given a message indicating that they will be lost. If you are sure you want to place the disk image on this disk, click the Yes button to overwrite it. Otherwise, click the No button, replace the disk, and go back to the Write disk step.
Once WinImage is done writing the image, it will indicate so (with a ding), and the progress window will disappear. You may close WinImage, and remove the floppy.
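The guide writes the boot floppy from DOS or Windows. For anyone doing it from a Linux or other Unix system (which the guide does not cover), the following is an added example, not part of the Dachstein documentation: it writes the image with dd, then reads the sectors back and compares them with the image, which is the same verification pass the Windows installer performs and that fails on some systems as noted above. The device name /dev/fd0 and the 512-byte sector size are assumptions, and the small sample image it builds for a stand-alone run is constructed.

```shell
#!/bin/sh
# Added example (not part of the Dachstein guide): write a raw floppy image
# such as bootdisk.bin to a device with dd, then read it back and compare it
# byte-for-byte. On the PC used to build the floppy the target would be
# /dev/fd0 (run as root); for a dry run the target can be any regular file.
# Assumes images made of whole 512-byte sectors (1.44 MB = 2880 sectors).

# write_floppy_image <image> <target>
# Returns 0 if the target reads back identical to the image, 1 otherwise.
write_floppy_image() {
    image=$1
    target=$2
    size=$(wc -c < "$image" | tr -d ' ')
    # Floppy images are whole sectors; refuse anything else rather than guess.
    [ $((size % 512)) -eq 0 ] || { echo "image is not sector-aligned" >&2; return 1; }
    sectors=$((size / 512))
    dd if="$image" of="$target" bs=512 count="$sectors" conv=notrunc 2>/dev/null || return 1
    sync
    # Read back exactly as many sectors as were written and compare them
    # with the image; a mismatch means the disk is not trustworthy.
    dd if="$target" bs=512 count="$sectors" 2>/dev/null | cmp -s - "$image"
}

# Constructed sample "image" for a stand-alone run: 4 sectors of the byte 'D'.
make_sample_image() {
    dd if=/dev/zero bs=512 count=4 2>/dev/null | tr '\0' 'D' > "$1"
}

# Real use on a Linux box with the CD mounted (paths are assumptions):
#   write_floppy_image /mnt/cdrom/bootdisk.bin /dev/fd0 && echo "verified"
```

If the comparison fails on a freshly written disk, treat it exactly as the guide does for a failed verification: discard that floppy and try a new one.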
This section will help to guide the less-experienced user through the process of filling out the Network Information Sheet (Appendix C). Once filled out, that sheet will be referenced in many of the subsequent tasks to complete a procedure. In addition, the Network Information Sheet should be a handy reference document when troubleshooting problems with your network or firewall.
In block 1, enter the External IP Address for your firewall. This is the address that was provided to you by your ISP, or, if you were given an IP address range, the address in that range that you want the firewall to have. Note that this may not be the first or last address of the range (for a typical 255.255.255.0 network, the addresses ending in 0 and 255 are the network and broadcast addresses and cannot be assigned to a host). If you receive your network settings via DHCP (that is, your IP address is not static but changes from time to time), enter the placeholder 1.1.1.2. If you are a home user subscribing to Internet services from an ISP, they must either provide you with this address or inform you that you will be obtaining an address via DHCP.
In block 2, enter a secondary IP address for the external interface if you require one. If you are a home user subscribing to an ISP for basic Internet services, you likely will not have a secondary IP address. Business customers who lease a range of addresses may wish to assign a second IP address to the external interface. One example of where a secondary address on the external interface is useful is making more than one web server on the private network available to the public.
In block 3, enter your broadcast address. If you receive your IP configuration from a DHCP server, enter a '+' here. If you are a home user who has subscribed to Internet services, your ISP must give you this number, or inform you that you will be getting your network settings via DHCP. If you need to figure this number out, you will need the IP address, the subnet mask, and a subnet calculator. See the Resources section for links to subnet calculators.
In block 4, enter your subnet mask. Typically, this number is either 255.255.255.0 or 255.255.0.0. There are cases, however, where these numbers may not work. If you are leasing an IP address range with fewer than 254 addresses, your ISP may have subnetted the address range. A subnet calculator will help in figuring this number out if you do not have it; your ISP should be able to give you the subnet mask, however. If you receive your network settings via DHCP, enter 255.255.255.252.
In block 5, enter your starting and ending IP addresses in your range. This is only for those who have leased a range of IP addresses. Most home users subscribing to Internet services will not need to enter anything here. Your ISP should be able to provide you with these addresses.
In block 6, enter the external gateway. This is the router where packets go after they leave the firewall destined for the Internet. This may also be called a "gateway", or "default gateway". Your ISP should give you this number when your service is established. If you get your IP configuration from a DHCP server, enter 1.1.1.1 here.
In block 7, enter your external network address. If you receive your network settings from a DHCP server, you can leave this block empty. If you use a static IP address and do not know your network address, you can work it out from your IP address and subnet mask with a subnet calculator. When the subnet mask is made up only of 255s and 0s, there is a simple shortcut: keep each number of your IP address where the mask has a 255, and write 0 where the mask has a 0. Example 1: IP=203.0.113.77, SNM=255.255.255.0. The network address would be 203.0.113.0. Example 2: IP=203.0.113.200, SNM=255.255.255.128 (a range of 128 addresses). The last part of the mask is neither 255 nor 0, so the shortcut does not apply; a calculator gives 203.0.113.128, the first address of the half of the range that contains .200. Note that a valid subnet mask is always a run of 1 bits followed by a run of 0 bits, so a value such as 255.255.255.127 can never be a subnet mask.
In block 8, enter the external mask number. If you receive your network settings from a DHCP server, enter 30. This is a number between 1 and 32 giving the number of leading 1 bits in your subnet mask (the prefix length, as in 203.0.113.0/24). Some subnet calculators will give this number. Here are the common values: Example 1: SNM=255.0.0.0. The mask number is 8. Example 2: SNM=255.255.0.0. The mask number is 16. Example 3: SNM=255.255.255.0. The mask number is 24. Example 4: SNM=255.255.255.128. The mask number is 25. Example 5: SNM=255.255.255.252. The mask number is 30.
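Blocks 3, 7 and 8 are all derived from the IP address in block 1 and the subnet mask in block 4. The following added example, which is not part of the original guide, is a small subnet calculator in POSIX sh: it prints the network address, broadcast address and mask number for any address and mask, and rejects a mask whose 1 bits are not contiguous (255.255.255.127, for instance). The addresses in its comments are RFC 5737 documentation addresses chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the Dachstein guide): a subnet calculator for
# blocks 3 (broadcast), 7 (network address) and 8 (mask number), computed
# from block 1 (IP address) and block 4 (subnet mask).

# Convert dotted-quad $1 to an integer; fail if it is not four numbers in
# 0-255. Leading zeros are rejected so "010" cannot be misread as octal.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*|0?*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Convert integer $1 back to dotted-quad notation.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the mask number (prefix length) of mask $1, or fail if the mask is
# not a run of 1 bits followed by a run of 0 bits (e.g. 255.255.255.127).
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    n=0
    while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$((n + 1))
    done
    # Every bit below the leading run of 1s must be 0.
    [ $(( m & ((1 << (32 - n)) - 1) )) -eq 0 ] || return 1
    echo "$n"
}

# subnet_info <ip> <mask>  ->  "<network> <broadcast> <mask number>"
# e.g. subnet_info 203.0.113.200 255.255.255.128 -> 203.0.113.128 203.0.113.255 25
subnet_info() {
    ip=$(ip_to_int "$1") || return 1
    p=$(mask_to_prefix "$2") || return 1
    m=$(ip_to_int "$2")
    net=$(( ip & m ))
    bcast=$(( net | (m ^ 4294967295) ))   # set every host bit to 1
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast") $p"
}
```

Running it on the guide's own DHCP placeholders, subnet_info 1.1.1.2 255.255.255.252, gives 1.1.1.0 1.1.1.3 30, which is consistent with the mask number 30 in block 8 and the gateway 1.1.1.1 in block 6.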
In block 9, enter the IP address of the internal interface on your firewall. For most situations, you can stick with the default 192.168.1.254. If you need to select a different IP address, remember that it cannot end in 0 or 255. Remaining procedures in this document assume an internal IP address of 192.168.1.254.
In block 10, enter your internal broadcast address. If you are using the default, this will be 192.168.1.255. You can also just enter a '+' sign, thus allowing Dachstein to figure out the details.
In block 11, enter your internal subnet mask. If you are sticking with the default, this will be 255.255.255.0.
In block 12, enter your internal address range. If you are sticking with the default settings, this will be Start: 192.168.1.1 and End: 192.168.1.254.
In block 13, enter your internal gateway. This applies only to those who are installing the firewall into a wide-area network with more than one IP network being routed through the firewall. This internal gateway is typically a router. I have also seen it referred to as a foreign router. Few home users will need to enter anything here.
In block 14, enter your internal network address. See block 7 for more information on network addresses. If you are using the default settings, this will be 192.168.1.0.
In block 15, enter your internal mask number. If you are sticking with the default, this number will be 24.
In block 16, enter a hostname for your firewall. This can be any name used to identify this system as a device on the network, though something short is advisable. In some situations, you may be assigned a hostname by your ISP. If this is the case, enter that hostname. For example, one ISP uses hostnames in the following format: XNNNNNN-X, where X is a letter, and N is a digit.
In block 17, enter your primary DNS server address. If you receive your IP configuration from a DHCP server, enter 0.0.0.0 here. This should be provided by your ISP, or you should get this from a DHCP server (if you are connecting with DHCP).
In block 18, enter your secondary DNS server address if you have one. If you receive your IP configuration from a DHCP server, enter 0.0.0.0 here. This should be provided by your ISP, or you should get this from a DHCP server (if you are connecting with DHCP).
In block 19, enter your domain. This may come from your ISP if you subscribe to Internet services from a local ISP. If you are responsible for maintaining DNS information for your organization, this will be the domain you registered. Note that this does not include the hostname of your firewall or any servers.
Blocks 20 through 27 should have been filled out when configuring the NICs.
This procedure will guide you through the initial configuration of the firewall. Once complete, you will have a firewall capable of receiving its network settings from a DHCP server, issuing network settings to internal clients, and caching DNS for internal clients. If you have static addressing on either side (or both sides) of the firewall, complete this procedure anyway. There are additional procedures later for converting to static addressing.
Ensure you have the Network Information Sheet filled out.
Boot the firewall PC with the Dachstein Disk, and log in as root (just type root at the firewall login: prompt and press [Enter]). You should now be at the LRP configuration menu.
Press [3] for Package settings, then [Enter], then the number next to modules, then [Enter], then the number next to the entry for kernel modules to load at boot, then [Enter]. This automatically starts the e3 editor with the /etc/modules file loaded.
Using the arrow keys, scroll down until you see a module (driver) for your network card(s). For the NE2000 compatible cards, there are actually two modules that must be loaded, 8390.o and ne.o. For 3Com 3C509B adapters, there is a single module, 3c509.o, which must be loaded. For Intel EtherExpress PRO/10 cards, the module to use is eepro.o.
Note: for laptop installations, you should not need to uncomment any NIC modules; this is handled by the pcmcia services. In this case, skip ahead to the IP Masq modules section.
Remove the # sign in front of each driver that you will load. For the NE2000 compatibles, make sure that the 8390 entry appears first in the file, then, down further, the ne entry.
For 3Com 3C509B adapters, just uncomment the 3c509 line and skip ahead to the IP Masq modules section.
For Intel EtherExpress PRO/10 adapters, uncomment the eepro line, and go on to the next step.
Using the entries from blocks 21, 22, 25 and 26 on the Network Information Sheet, change the line beginning with ne to the following format (External values first, then Internal; the first io/irq pair the driver probes becomes eth0):
ne io=<ExtIO>,<IntIO> irq=<ExtIRQ>,<IntIRQ>
For example, using the configuration in Preparing the PC, this line would read:
ne io=0x280,0x300 irq=3,5
This step does not apply to 3Com adapters. Do not pass the I/O and IRQ settings to the 3c509 module explicitly.
For Intel EtherExpress PRO/10 adapters, pass the io address and the irq in the same manner as for the ne module. Since efforts to run two EtherExpress PRO/10 cards in the same PC have not produced favorable results, the following example illustrates configuration of only one of these adapters:
eepro io=0x280 irq=3
Scroll down to the ###IP Masq modules section.
Verify that, at the very least, the following modules are active (that is, not commented out):
ip_masq_user
ip_masq_autofw
ip_masq_portfw
ip_masq_mfw
Uncomment the following only if you want to allow the respective traffic through the firewall; each one is a protocol helper that inspects and rewrites that traffic, so leave the ones you do not need commented out:
ip_masq_ftp (for access to external ftp servers)
ip_masq_h323 (for MS NetMeeting)
ip_masq_icq
ip_masq_quake
ip_masq_raudio (RealAudio)
ip_masq_vdolive
ip_masq_cuseeme
Save the file by typing [Ctrl]-[s].
Exit e3 by typing [Ctrl]-[q].
Type [q], [Enter], [q], [Enter] to get back to the main configuration screen.
Type [1], [Enter] to go into the Network configuration menu, then [1], [Enter] to edit the /etc/network.conf file.
This file is divided into the following sections. Each section title is bordered by # symbols on the left, top, and bottom to make it stand out. This is a good time to review the network.conf reference provided on lrp.steinkuehler.net; it explains what all of the settings in this file do. The sections are:
Brief Instructions for this file
General Settings
Interfaces
NAT 'virtual' interface
IP Filter setup
Internal interface
Port forwarding
DMZ setup
Interface activation/deactivation functions
Hostname
Hosts file
Domain Search order and name servers
QoS/Fair queueing functions
End
Scroll down to the General Settings section.
Change the MAX_LOOP setting from 10 to the number of DNS servers you will access.
Example: If your ISP gave you a primary and secondary dns address only, this number should read 2.
Scroll down to the line in the Hostname section that reads:
HOSTNAME=firewall
Change this line to read:
HOSTNAME=<name_from_block_16> (this comes from block 16 on the Network Information Sheet.)
Locate the line in the Hosts file section that reads:
HOSTS0="$eth1_IPADDR $HOSTNAME.private.network $HOSTNAME fw"
Change this line to read:
HOSTS0="$eth1_IPADDR $HOSTNAME.<domain_from_block_19> $HOSTNAME fw"
Press [Ctrl]-[s] to save the changes.
Press [Ctrl]-[q] to exit back to the menu.
Press [q] then [Enter] to return to the main menu.
Press [q] then [Enter] to exit to the shell.
Type:
passwd [Enter]
to change the root password. Do this before the firewall's external interface is connected to anything, because the Dachstein disk boots with no root password set.
At the Enter new password: prompt, type in a password of between 5 and 8 characters (numbers are also acceptable), then press [Enter]. The 8-character ceiling is the truncation limit of the traditional DES-based crypt(3) used on systems of this era: anything past the eighth character is ignored, so use the full eight and do not count on extra length for strength.
Note: you will not see the characters you type appear on the screen, nor will you see the cursor move.
At the Re-enter new password: prompt, type in the same password, then press [Enter]. Again, you will not see the characters you type appear on the screen, nor will you see the cursor move.
If you typed in the same password both times, you will see a message appear indicating that the password was changed. If you see the following message:
Passwords do not match. The password for root is unchanged.
This means that the passwords you typed were not the same. If so, run passwd again and repeat both prompts.
Back up the firewall disk now (see Appendix A).