open source firewall project.
filbert: a filtering ethernet bridge based on freebsd7.2

installation guide.
===================

generic preparation
-------------------

- note the IP addresses of ...
  - the local IP gateway (aka the default router)
  - an accessible name server
  - a local SMTP smart host
  - local NTP servers [optional]
  all this information will be needed during the install process.

- make a copy of the filbert firewall install CD-ROM:
  a copy of the ISO image is available from ...
      ftp://eis.utoronto.ca/pub/filbert/FreeBSD_filbert_install.iso

  -- OR --

  save a copy of the filbert install boot-image to USB flash memory:
  a copy of the boot-image is available from ...
      ftp://eis.utoronto.ca/pub/filbert/FreeBSD_filbert_inst_ftp.boot
  This image is configured to install FreeBSD via ftp from ftp.nrc.ca.

  To write this boot-image to a USB flash device ...
  on Unix-style systems, use "dd". For example, in FreeBSD, with the
  downloaded image saved as inst_ftp.boot and the flash device attached
  as da0 ...
      # dd bs=256k if=inst_ftp.boot of=/dev/da0
  Double-check the "of=" device name before pressing Enter: dd
  overwrites whatever disk it names, so a wrong device name destroys
  the workstation's own disk instead of the flash device.
  for MS-Windows systems, please refer to ...
      ftp://eis.utoronto.ca/pub/filbert/Win/diskimage-USAGE

##### ##### ##### ##### ##### ##### ##### ##### ##### ##### #####
WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!

The configuration files provided in these "install" images will cause
FreeBSD to use the ENTIRE hard disk without regard for disk partitions
(slices). This will WIPE OUT anything already on the hard disk.

This will also prevent the system from being able to host multiple
OS's (i.e. no dual-booting) until the hard disk is repartitioned/
reconfigured at a later time.
##### ##### ##### ##### ##### ##### ##### ##### ##### ##### #####

system preparation
------------------

- configure the system's BIOS so that it will try to boot from CD-ROM
  before it tries to boot from floppy disk or from hard disk.

- choose which network interface (NIC) will be external (i.e. connected
  to the "outside world"). this NIC will be used to download the
  additional software packages needed to build and run the firewall.
- connect the external NIC to the network.

- choose a hostname and an IP address for the new system. this
  information will be used in configuring the external NIC.
  NOTE: the chosen IP address and hostname should be registered in a
  DNS so that any e-mail generated by the firewall software will not be
  rejected by mail servers with stringent anti-spam policies.

- if this is to be a hot spare for an existing filbert firewall, take a
  snapshot of the existing system via the admin menu: under ...
      M  > Maintenance menu
  choose one of ...
      r  save to remote
      f  save to floppy
      d  save to DOS floppy

- If this is to be a re-install of an existing firewall (an update) AND
  the existing firewall has FreeBSD 5.x, or later, as its base OS then
  take a snapshot of the existing system (see immediately above),
  proceed with an "update" install (see below) and provide this latest
  snapshot when prompted.

- If this is to be a re-install of an existing firewall BUT the existing
  firewall uses an older base OS (e.g. FreeBSD 4.10), then a snapshot
  from the older firewall will not be compatible with the new software.
  However permission sets are still compatible. So on the existing older
  firewall:
  - use the admin menu to ...
        w  store permission set
    ... and have the current permissions and groups written to a remote
    file or a DOS file.
  - proceed with a "standalone" install. When the install is complete
    and the fresh system is up and running, reload the saved permissions
    back into the firewall. For a detailed description on how to do
    that, see below for the section labelled
        loading a firewall permission set.

===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

FreeBSD installation
--------------------

- boot from the filbert install CD-ROM or boot from the filbert install
  boot-image stored on USB media.

+ Filbert firewall install
  Initial greeting and prompt.
  - reply with "y" to continue with the install.
  - reply with "n" to abort the firewall install and end up at the
    generic FreeBSD sysinstall main menu.

+ Identify network interface hardware
  Displays the current status of each NIC device.
  - at least one NIC should be connected at this point. a connected NIC
    will usually (but not necessarily) have 'status: active'
  - to check other hardware, move the network connection to another
    NIC, reply to the "check ...again" prompt with "y" (press 'Y' and
    then press 'Enter') and observe any changes to the NIC information.
  - repeat the check as often as needed.
  - when all NIC hardware has been identified:
    - decide which NIC will be "external."
    - connect the "external" NIC to the network.
    - reply with "n" to the "check ...again" prompt.

+ Network interface information required
  Use up/down-arrow to select the external interface.
  - press 'Enter'

+ Network Configuration
  This is where you make use of the information collected in the system
  preparation steps.
  - fill in all the fields except "Extra options to ifconfig:"
  - press 'Tab' to move from field to field.
  - when complete, move to "OK" and press 'Enter'.

+ Identify and configure disk
  Enter the system disk type or choose a specific disk device.
  If the system has more than one hard disk then it would be best to
  enter a specific device name in order to select and configure the
  desired disk. If the system has only one hard disk then simply
  entering the disk type will be enough.
  - reply with either a listed disk type (e.g. ide, scsi, sata) or reply
    with a specific device name (FreeBSD's device name format takes the
    form "xxN" where "xx" is at least 2 chars).
    Typical disk device names:
        IDE:  ad0, ad1, ad2, ad3
        SATA: ad4, ad5, ad6, ... etc.
        SCSI: da0, da1, da2, ... etc.
    note: a USB flash device (including the one holding the install
    boot-image) also appears as a da device, so when installing from
    USB media give the specific device name of the intended hard disk
    rather than the type "scsi".

+ Last chance warning
  Offers the last opportunity to stop the install process before the
  entire disk is overwritten with FreeBSD filesystems and software.
  - reply "n" to abort the install process now.
  - reply "y" to continue.
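The "dd bs=256k" step in the generic preparation section and the "xxN" device-name form at the disk prompt above share one hazard: a wrong device name wipes the wrong disk. The script below is an added example (not part of the filbert project) of guarding the USB write on a FreeBSD workstation. It assumes, beyond what the guide states, that the flash device attaches as a da(4) unit, that any disk appearing in mount(8) output is the workstation's own storage and must be refused, and that the image was downloaded as FreeBSD_filbert_inst_ftp.boot; the function names are the example's own. The mount listing is read from stdin so the checks can be exercised without touching a real device.

```shell
#!/bin/sh
# write_boot_image.sh: a guarded form of the "dd bs=256k" step from the
# generic preparation section. Added example, not filbert project code.
#
# Assumptions not stated on the page:
#   - the USB flash device attaches to the FreeBSD workstation as a
#     da(4) unit (da0, da1, ...), so any other disk name is refused;
#   - a disk that appears in mount(8) output is the workstation's own
#     storage and must never be the target.

# Accept the FreeBSD disk-name form quoted at the installer's disk
# prompt: at least two letters followed by a unit number (ad0, da1).
valid_disk_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]{2,}[0-9]+$'
}

# Strip an optional /dev/ prefix so callers may pass either form.
disk_basename() {
    printf '%s\n' "${1#/dev/}"
}

# Read mount(8) output on stdin; succeed if anything on disk $1 is
# mounted: the whole disk (da0), a slice (da0s1) or a partition (da0p2).
# The trailing " on " keeps da1 from matching da10. Taking the listing
# on stdin instead of running mount keeps the check testable offline.
device_in_use() {
    grep -Eq "^/dev/$1([sp][0-9].*)? on "
}

# Validate "$1" as a write target against the mount listing on stdin.
# Prints the bare device name on success; prints the reason for refusal
# on stderr and returns 1 otherwise.
check_target() {
    dev=$(disk_basename "$1")
    if ! valid_disk_name "$dev"; then
        echo "refusing: '$1' is not a disk device name (expected e.g. da0)" >&2
        return 1
    fi
    case $dev in
        da*) ;;
        *)   echo "refusing: '$dev' is not a da(4) unit; USB flash attaches as da" >&2
             return 1 ;;
    esac
    if device_in_use "$dev"; then
        echo "refusing: a filesystem on $dev is mounted; is this really the flash device?" >&2
        return 1
    fi
    printf '%s\n' "$dev"
}

# Write the image exactly as the guide does (dd with bs=256k), but only
# after the target passes check_target against the live mount listing.
write_boot_image() {
    image=$1
    [ -r "$image" ] || { echo "cannot read image '$image'" >&2; return 1; }
    dev=$(mount | check_target "$2") || return 1
    echo "writing $image to /dev/$dev; this destroys the device's contents" >&2
    dd if="$image" of="/dev/$dev" bs=256k && sync
}

if [ "$#" -eq 2 ]; then
    write_boot_image "$1" "$2"
else
    echo "usage: $0 FreeBSD_filbert_inst_ftp.boot daN  (run as root)" >&2
fi
```

Run it as root with the image path and the flash device, e.g. "sh write_boot_image.sh FreeBSD_filbert_inst_ftp.boot da0". The refusal of any device with a mounted filesystem is deliberate: a freshly inserted flash stick that FreeBSD has not mounted passes, while the workstation's system disk never does.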
[ file system initialization and software installation.
  expect this part to take anywhere between 5 to 20 minutes depending on
  the system speed, the disk speed and the network speed. ]

+ Select local or UTC (GMT) clock
  - press 'Enter'

+ Time Zone selector
  - press '2'
  - press 'Enter'

+ Countries in America -- North and South
  (use down-arrow to highlight "Canada")
  - press 'Enter'

+ Canada Time Zones
  - press '8'   [ Ontario ]
  - press 'Enter'

+ Confirmation
  - press 'Enter'

[ set the new root password. ]
[ set the new 'jack' password. ]
[ choose the installation type: standalone, first, spare, update. ]
[ select/assign the NICs. ]
[ enter IP address of the SMTP smart-host to be used. ]
[ set system clock and set/select time-servers. ]
[ system reboot. ]

===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

firewall configuration
----------------------

- log in as 'jack' to get to the admin menu.
- at the 'Choice ?' prompt reply with ...
      y  to get an explanation of firewall permissions.
         Or visit "http://eis.utoronto.ca/ftp/pub/filbert/USAGE"
      Y  to get a brief description of the menu interface itself.

admin menu usage guidelines
---------------------------

If at any time a prompt is unclear then reply with "?" to get a more
detailed explanation of what is expected. Just hitting Enter will often
have the same result as a "?" reply. But in some cases hitting Enter
causes the full list of possibilities to be displayed.

Most of the menu actions can be aborted at any time by entering an "x"
at any prompt or by hitting Control-D.

loading a firewall permission set
---------------------------------

+ in the admin menu:
  - download a permission file saved from another filbert firewall:

        Choice? r
        fetch from local, remote, msdos or web? remote
        host userid path: 128.100.xxx.yy gaston oldfwp
        gaston@128.100.xxx.yy's password:
        oldfwp                      100% 3490     3.4KB/s   00:00
        download file name?
        (@=url) orig.fwp
        press return to continue:

  - load a permission file into the running firewall permissions by
    fetching from "local" in order to launch the lynx browser:

        Choice? r
        fetch from local, remote, msdos or web? local

    [the lynx browser is launched in "firewall file storage"]

+ in the lynx browser:
  - use the up/down arrow keys to highlight ...
        File storage directory
  - press Enter. the lynx browser lists files in the download area.
  - use the up/down arrow keys to highlight the file containing the
    recently fetched permission batch file:
        -rw-r-----  1 root  wheel  3490 Aug 22 23:56 orig.fwp
  - press Enter. the permission set is displayed:

        #####
        # generated on: ...
        # generated at: 2005...
        #####
        # IP groups.
        [ ... etc ... ]
        #####
        # port groups.
        [ ... etc ... ]
        #####
        # firewall permissions.
        [ ... etc ... ]
        #####
        junk.stuff.utoronto.ca 2005........
        #####

  - press P. this lists the lynx "Printing Options."

+ in lynx "Printing Options":
  - [optional, but recommended before loading a set onto a firewall in
    service] to verify this permission set, use the up/down arrow keys
    to highlight ...
        Test firewall permission syntax
    and press Enter. the contents of the permission set are checked and
    displayed, section by section:

        Printing file.  Please wait...
        ----- ----- ----- ----- ----- ----- ----- --
        view new IP group list? (y/n)
        [ ... etc ... ]
        ----- ----- ----- ----- ----- ----- ----- --
        view new ports group list? (y/n)
        [ ... etc ... ]
        ----- ----- ----- ----- ----- ----- ----- --
        view new permissions? (y/n) n
        [ ... etc ... ]
        ----- ----- ----- ----- ----- ----- ----- --
        view parsed results? (y/n)
        [ ... etc ... ]

  - to configure the firewall with this permission set, use the up/down
    arrow keys to highlight ...
        Load into firewall permissions
    and press Enter. the contents of the permission set are added to any
    existing firewall permissions (reply 'y' to the backup prompt so the
    previous settings can be restored if the load is not what you
    intended):

        Printing file.  Please wait...
        backup the current settings? (y/n) y
        preparing to load ...
        Port groups:
        ------------
        [ ... etc ... ]
        IP groups:
        ----------
        [ ... etc ... ]
        Permissions:
        ------------
        [ ... etc ...
        ]
        *** are you sure? (y/n)

    reply with 'y' to actually load the permissions.
    reply with 'n' to abort loading the permissions.

+ to exit the lynx browser, press Q and then press Y.

===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

3Com NIC kernel messages
------------------------

Just FYI: on BSD-based systems using 3Com NICs (i.e. xl(4) devices), the
kernel can occasionally present messages which look like ...

    xl0: transmission error: 90
    xl0: tx underrun, increasing tx start threshold to 120 bytes

These messages usually appear soon after a reboot. This seems to be a
normal part of the 3Com device driver's operation. These messages can be
safely ignored.

===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

Contact filbert (AT) eis.utoronto.ca for further help/information.
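Only the two xl(4) messages quoted in the 3Com section are documented as ignorable; anything else the driver logs after a reboot of a fresh install or hot spare still deserves a look. The script below is an added example (not part of the filbert project) of that triage run over kernel log lines. The sample lines are constructed, not captured from a real firewall, and the script assumes that the byte count in the "tx underrun" message varies between occurrences, so its pattern accepts any number where the guide shows 120.

```shell
#!/bin/sh
# xl_triage.sh: separate the two benign xl(4) messages named in the guide
# from anything else the driver logs, so a post-reboot check of a freshly
# installed (or hot spare) firewall only shows lines that need a human.
# Added example, not filbert project code.
#
# Assumption: the byte count in the "tx underrun" message varies between
# occurrences, so the pattern accepts any number where the guide shows 120.

# The two message shapes the guide says may be ignored, anchored on an
# xl unit so a look-alike message from another driver is not dropped.
BENIGN_TX_ERROR='^xl[0-9]+: transmission error: 90$'
BENIGN_UNDERRUN='^xl[0-9]+: tx underrun, increasing tx start threshold to [0-9]+ bytes$'

# Constructed sample of kernel log lines (not captured from a real
# firewall): three benign xl messages, one line from another driver,
# and one xl line outside the two documented shapes.
SAMPLE_DMESG='xl0: transmission error: 90
xl0: tx underrun, increasing tx start threshold to 120 bytes
xl0: tx underrun, increasing tx start threshold to 180 bytes
em0: link state changed to UP
xl0: watchdog timeout'

# Count the benign xl lines on stdin (for a summary line).
count_benign_xl() {
    n=$(grep -Ec -e "$BENIGN_TX_ERROR" -e "$BENIGN_UNDERRUN" || true)
    printf '%s\n' "${n:-0}"
}

# Print every xl line on stdin that is NOT one of the benign shapes.
# Returns 0 when nothing unexpected was seen, 1 otherwise, so the
# function can gate a post-boot check. Lines from other drivers are
# ignored here; the guide only speaks for xl(4).
unexpected_xl() {
    rest=$(grep -E '^xl[0-9]+:' \
           | grep -Ev -e "$BENIGN_TX_ERROR" -e "$BENIGN_UNDERRUN" || true)
    [ -n "$rest" ] || return 0
    printf '%s\n' "$rest"
    return 1
}

# With "-" as the only argument read a real log from stdin (for example
# "dmesg | sh xl_triage.sh -"); otherwise demonstrate on the sample.
if [ "${1-}" = "-" ]; then
    log=$(cat)
else
    log=$SAMPLE_DMESG
fi
echo "benign xl messages ignored: $(printf '%s\n' "$log" | count_benign_xl)" >&2
printf '%s\n' "$log" | unexpected_xl && echo "no unexpected xl messages" >&2 \
    || echo "review the xl lines above" >&2
```

On the sample the script ignores three lines and reports only "xl0: watchdog timeout". The patterns are anchored at both ends on purpose: a message that merely resembles one of the two benign shapes (a different error code, for instance) falls through to the report rather than being silently discarded.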