The Lone Coder Reflections for the Unsung Linux Saviours
by Ken O. Burtch
The Perfect SuSE Firewall Setup
Is Linux easy to install? As the old magician's saying goes,
it's easy when you know how. Installing Microsoft Windows requires some
knowledge of partitioning, file systems and networking. The same is true of
Linux. But Linux is also open source: it can be customized and optimized
in ways that are not possible with a commercial operating system.
My firewall computer was running ClarkConnect from
Point Clark Networks.
Developed in Toronto, ClarkConnect is a Red Hat Linux based firewall system
(Wikipedia) with a convenient web interface and was free for personal use.
Screenshot: ClarkConnect Firewall in a Web Browser
Unfortunately, when I went to download the latest version, there were
disconnection problems. Even using the wget command, which reconnects
and continues downloading, the disk image I got was corrupted. I emailed
Point Clark but I didn't receive any reply. I would like to recommend
ClarkConnect but I really can't.
It was time to create a new firewall.
The term "firewall" gets misused a lot today. Windows XP, for example, has
firewall software called a personal firewall (Wikipedia) but it isn't a true
firewall nor does it give full protection. A firewall is a dedicated computer
sitting between the Internet and your computer (or home network).
The firewall holds back the "fires" of the untrustworthy
Internet from your important computers. That's why a traditional firewall
is a standalone system with minimal software and no development tools. Even
if a malevolent program gets into the firewall, there's nowhere for it to
go.
For most homes, a traditional firewall computer is not
practical. It's simply too expensive to have a second computer that
intentionally does nothing. There is either the option to go with some kind of
firewall software that gives partial protection, a router with a firewall
(again, not a true firewall) or a firewall computer
that does additional tasks. Those additional tasks increase the risk of
break-ins and exploits, but they also put the computer to use. It's common
to have a home firewall share a printer, for example, with all the computers
in the home.
I've been trying my luck with Novell's
OpenSuSE Linux lately. Since my
firewall is an older machine, and OpenSuSE can run sluggishly with a full
install, my first concern was whether or not my computer could handle it.
Second, a pre-built firewall like ClarkConnect installs in a matter of
minutes. How long would it take to setup OpenSuSE as a firewall?
An Internet search on installing and configuring OpenSuSE 10.2 will likely
take you to "The Perfect Setup". This web
article (along with its many mirrors) takes a user step-by-step with
screenshots through a basic OpenSuSE installation. As for a "perfect setup",
probably not. It's too simple for people who've done it before, and too
complicated for someone with no experience.
It wasn't long into the installation process before I
knew that OpenSuSE may be capable of being a firewall, but it would require
some TLC to get it running. Several days of TLC. It would take some
Internet searches and a little programming on my part to fill in the missing
pieces. None of it was difficult but it was time consuming.
Here are my notes. (Of course, these are provided for
informational purposes and come with no guarantees.)
Two Network Cards or Three? First, you'll need a computer. The firewall
doesn't have to be very fast: a slow Pentium III collecting dust in a closet
works well in most cases. You'll need two network cards: one to connect to
the modem and one to connect to your home computer or home network hub. If
you buy new network cards, not all brands work with Linux. Check the
specifications on the box.
If you are running a server computer on the Internet, you may want to
create a Demilitarized Zone (DMZ, Wikipedia).
This is simply a third network card where traffic from the Internet is
directed to keep it from bogging down your home network.
For example, 192.168.1.* may be your home network on one card and
192.168.2.* may be your network of computers providing Internet services.
The other aspect of a DMZ is that the computers are configured so they cannot
open connections to the home network, in case of security breaches (but
connections can be made in the other direction).
In an office setting, a DMZ often makes sense because there's a lot of activity
on the office network. At home, there's not much activity on a network.
In my case, I run a separate web server computer but I don't use a DMZ.
Back up and/or record your old settings. Once you repartition your hard
drives, you lose everything. On a firewall it's even worse: you may lose
Internet access. Download any documents you might need (like this article).
Back up configuration directories such as /etc. Save anything in /home that
you might want to keep (such as the .ssh directory with your Secure Shell
keys). In my case, I also had to note the kernel modules required for my
ancient network cards because they were too old to be automatically detected
during the installation.
Select a text-only desktop. This is especially important if
(like many people) you're using an old computer as a firewall. Using a
text-only desktop instead of KDE or Gnome will reduce the memory usage and
the number of running programs,
increasing performance. This will mean that you'll have
to use the text version of SuSE's YaST
(Yet Another Setup Tool, Wikipedia)
installation/configuration tool to
setup the system. Text YaST has all the functionality of the graphical YaST
but is not as pretty to look at. You can run YaST in a shell session by typing
"yast".
Partition off unsafe directories. By default,
SuSE creates one large main hard drive partition. You don't want that.
If your firewall gets attacked, your log files
and temporary directory could fill your hard drive. In the worst case,
your system can crash and you won't be able to log in. To minimize this
risk, create separate partitions for /tmp and /var (or /var/log). You might
also want to make a separate partition for /usr (see harden the system below).
Perform a minimal installation. Don't
install everything. The more unnecessary software you have, the poorer the
performance and the greater the security risks. Install only the programs
you think you'll need. You will miss some but they can be installed later.
For home DSL or cable modem connections, SuSE will walk you through the
setup. If asked, make sure you
use IP masquerading (also known as "NAT") if you have more than one computer
on your home network.
I ran
into problems with my monitor: it was an old monitor that didn't support
SuSE's text video mode (that is, with the SuSE logo on the screen). Hey, SuSE!
It looks cool but it doesn't work for everyone. I ended up having to switch
monitors for the install.
Test the installation. If you've installed everything
correctly, you should have access from the firewall onto the Internet. Try
pinging Google or loading Google in the lynx text-only browser from the firewall.
Online Updates. Run YaST and install all the
latest security patches.
Customizing the Kernel. Depending on what
kind of computer you have, you may want to rebuild the kernel to match your
hardware. This can reduce memory usage, improve load time and get the best
use out of your microprocessor. However, it can be intimidating if you've
never attempted it. For a business, this step can be important. In the
case of my Pentium III, I decided that it wasn't worth the trouble.
Even if you don't rebuild the kernel, some kernel settings are customizable
at run-time using the sysctl command (or through the /proc file
system). (There are other settings that
are adjustable in the source code and require rebuilding the kernel.) If
you plan to run a database on your firewall, or if you're running a heavily
loaded web server, it's especially important to tweak the kernel settings to
get the best performance. Here are some common settings:
fs.file-nr - the allocated, current and maximum number of file
handles. May need to be adjusted for web servers or databases.
net.ipv4.tcp_wmem - the minimum, default and maximum congestion
buffer size for network sockets. For your connection, the default size
should optimally be the bandwidth (bytes/sec) * round-trip time (seconds).
net.ipv4.tcp_keepalive_time - how long to keep a socket open if
there is no activity. The default is 7200 seconds (2 hours), which may waste
a lot of resources on a home firewall with a web server. You may want to
drop this to 1 hour or less.
net.ipv4.icmp_echo_ignore_all - set this to 1 if you want to
ignore the ICMP echo requests (that is, the ping and traceroute commands
won't work on the firewall). Good for stealth but bad if you need to debug
your Internet connection or firewall.
kernel.sem - kernel semaphores. May need adjusting for some
databases.
kernel.shmmax - maximum size of a shared memory segment. May need
adjusting for some databases.
kernel.shmmni - maximum number of shared memory segments. May need
adjusting for some databases.
kernel.shmall - maximum memory for all shared memory, counted in pages. Should
be at least the ceiling of kernel.shmmax / `getconf PAGE_SIZE`. May need
adjusting for some databases.
There are dozens of other settings. These are all dependent on the kernel and
the names or functions may change between different versions of the Linux
kernel. Don't change them unless you're sure of the consequences, as some
settings may affect others. To make these changes occur on startup, put them
in /etc/sysctl.conf. Since I'm not running a web server (except for Mailman)
or a database, I left these settings at their defaults.
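As an added example (not code from the article), the shell functions below carry the two formulas above through: the kernel.shmall ceiling and the bandwidth times round-trip time rule for the tcp_wmem default. They emit a sysctl.conf fragment and check an existing sysctl.conf for the shmall rule. The shmmax, bandwidth and RTT numbers are constructed for a hypothetical home DSL line, and the tcp_wmem minimum and maximum are placeholders.

```shell
#!/bin/sh
# Added example (not the article's own code): derive two of the sysctl values
# discussed above from the article's formulas, emit a sysctl.conf fragment,
# and check an existing file for the shmall/shmmax rule.  All numbers are
# constructed for a hypothetical home DSL firewall, not measured.

# kernel.shmall is counted in pages, so it must be at least
# ceiling(kernel.shmmax / PAGE_SIZE).  Integer ceiling division.
shmall_for() {            # $1 = shmmax in bytes, $2 = page size in bytes
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Default socket send buffer (middle value of net.ipv4.tcp_wmem) should be
# bandwidth (bytes/s) * round-trip time (s).  Taking bit/s and milliseconds
# keeps the arithmetic integer: bits/8 * ms/1000 = bits*ms/8000.
wmem_default_for() {      # $1 = link bandwidth in bit/s, $2 = RTT in ms
    echo $(( $1 * $2 / 8000 ))
}

# Emit a sysctl.conf fragment with the values discussed in the article.
# $1 = shmmax (bytes), $2 = page size, $3 = bandwidth (bit/s), $4 = RTT (ms).
# The min and max tcp_wmem values are placeholders; only the default is derived.
gen_sysctl_conf() {
    shmall=$(shmall_for "$1" "$2")
    wmem=$(wmem_default_for "$3" "$4")
    cat <<EOF
# --- generated by gen_sysctl_conf (example) ---
# socket send buffer: min default max; default = bandwidth * RTT
net.ipv4.tcp_wmem = 4096 $wmem 4194304
# drop idle keepalive from 2 hours to 1 hour
net.ipv4.tcp_keepalive_time = 3600
# keep answering pings (1 = stealth, but ping/traceroute stop working)
net.ipv4.icmp_echo_ignore_all = 0
# shared memory: shmall is in pages, so shmall >= ceil(shmmax / PAGE_SIZE)
kernel.shmmax = $1
kernel.shmall = $shmall
EOF
}

# Read kernel.shmmax / kernel.shmall back out of a sysctl.conf-style file
# ($1) and check the rule for page size $2.  Prints a verdict; returns 1 if
# shmall is too small, 2 if either value is missing.  Comment lines never
# match because the key pattern is anchored at the start of the line.
check_shm_conf() {
    shmmax=$(awk -F= '$1 ~ /^[[:space:]]*kernel\.shmmax[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); v = $2 } END { print v }' "$1")
    shmall=$(awk -F= '$1 ~ /^[[:space:]]*kernel\.shmall[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); v = $2 } END { print v }' "$1")
    if [ -z "$shmmax" ] || [ -z "$shmall" ]; then
        echo "kernel.shmmax and kernel.shmall are not both set"
        return 2
    fi
    need=$(shmall_for "$shmmax" "$2")
    if [ "$shmall" -lt "$need" ]; then
        echo "kernel.shmall too small: have $shmall, need at least $need pages"
        return 1
    fi
    echo "ok: shmall=$shmall >= ceil(shmmax/PAGE_SIZE)=$need"
}

# Constructed sample of a hand-edited sysctl.conf with the classic mistake:
# shmall set far too small because it was not thought of in pages.
sample_bad_conf() {
    cat <<'EOF'
# home firewall tuning (constructed sample)
kernel.shmmax = 268435456
kernel.shmall = 1000
EOF
}

# Typical use on the firewall (as root), then apply with: sysctl -p
#   gen_sysctl_conf 268435456 "$(getconf PAGE_SIZE)" 5000000 50 >> /etc/sysctl.conf
#   check_shm_conf /etc/sysctl.conf "$(getconf PAGE_SIZE)"
```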
Configuring DHCP Server. (Not to be confused with a DHCP client.)
This is the program that allows any
computer to attach itself to your home network without a custom setup. Since
I have custom setups (static IPs) for some of my machines, I organized my
IP numbers so that DHCP won't assign conflicting numbers. In my case,
IP numbers 100-199 are for DHCP, 200-254 are for static IPs. Make sure the
DHCP server is assigned to the local network card. Test the DHCP setup by
signing on with a computer (or, on Windows, with ipconfig /release and
/renew). Make sure the assigned IP number is in the correct range.
You should now be able to access the Internet from your home network. Try
pinging Google or loading Google in a web browser. Software like file sharing
still won't work until you forward the correct ports on the firewall (see below).
Configuring Email (Including Spam and Virus Detection).
My firewall receives mail sent to my domain, pegasoft.ca. I had to
install and configure a mail server. Now
things get a little more complicated and will require some careful tuning on
your part. During the setup, YaST has a checkbox for
AMaViS--if you turn it on, SuSE will install AMaViS but you will need to
configure it before any email can be sent or delivered. The steps below are
taken from several different web sites and documents.
Postfix Domain Problem. Postfix is the email delivery program
used by OpenSuSE. In order to deliver mail, Postfix needs to know what
email domains are accepted by the firewall.
Postfix doesn't pick up the domain correctly (by default, it uses the
domain of the computer...that is, myfirewall.mydomain.ca). In
YaST, choose masquerade local setting mydomain.ca so mail for
the general domain can be delivered to the firewall as well.
YaST doesn't completely configure the masquerading. Change
mydestination, the names of domains serviced by postfix, to the correct
domains. In my case, from
in /etc/postfix/main.cf to avoid "too many hops" message for
mail sent to hitomi.pegasoft.ca. Restart postfix with
/etc/init.d/postfix restart (or reload settings with postfix
reload).
AMaViS Hostname Problem.
The mail won't be delivered yet. The anti-virus front-end program,
AMaViS ("A Mail Virus Scanner"),
fails because uname doesn't return a fully-qualified domain name. Mail
won't be delivered if this isn't fixed because postfix cannot connect to
port 10025, the anti-virus notify/forward port. Edit /etc/amavisd.conf
and set $myhostname to the full domain name of the computer. In my case: $myhostname = 'hitomi.pegasoft.ca'.
AMaViS Startup. Type chkconfig amavisd on so it starts
at boot time (and
/etc/init.d/amavisd start for testing right now).
Download the Anti-Virus Database.
AMaViS uses the
ClamAV anti-virus software by default (though it supports
many other virus scanners as well). The virus database must be downloaded
or clamscan will prevent email delivery. freshclam installs/updates
the virus database off the Internet. Run freshclam.
ClamAV Anti-Virus Failed Message.
You may see the message "WARN: all primary virus scanners failed" in the
mail error log (/var/log/mail.err). AMaViS organizes virus scanners into "primary" and
"backup" scanners. In OpenSuSE 10.2, AMaViS runs ClamAV as a backup
virus checker so that each email will cause this warning to appear in the
mail logs. To avoid this message (and possibly get better
performance), clamd must be enabled in the
/etc/amavisd.conf file by
uncommenting it in the @av_scanners list. Follow the notes to
verify it is set up correctly--it is in OpenSuSE 10.2 but may not be in
older versions of OpenSuSE. (The scanner actually ran clamscan
without the clamd daemon in @av_scanners_backup list so
email was being checked in spite of the failure message).
ClamAV Startup and Test
Use chkconfig clamd on and manually start ClamAV with
/etc/init.d/clamd start (or with /usr/sbin/clamd &
in /etc/init.d/boot.local, the new rc.local file standard, like
I did before I saw /etc/init.d/clamd).
Send a test message to yourself containing the following debug virus message:
ClamAV should detect it and it should not be delivered.
(Note: If you try to email this web page to someone, it will not arrive for the same reason!)
ClamAV Anti-Virus Database Regular Updates.
Use chkconfig freshclam on to activate regular updates. Or if you're
like me and found out about it later, do it manually by adding
nice /usr/bin/freshclam --quiet to a nightly cron job to keep the
virus database up-to-date.
AMaViS Configuration. Now adjust the AMaViS configuration file,
/etc/amavisd.conf.
These settings are not configured by YaST.
Set $mydomain to your email domain instead of "example"
(in my case, "pegasoft.ca").
Set local_domain_maps to any domains that AMaViS should handle. For
myfirewall.mydomain.ca, I think that's included under .$mydomain.
The AMaViS "taking longer than 40 seconds" message in the mail logs: long emails with
big attachments are aborted after 40 seconds. There is an
undocumented way of dealing with this. For
a home firewall on a slow computer, increase the timeout limit with
$sa_timeout. Try adding the following line:
$sa_timeout = 300; # 5 minutes for virus checking
If you have a better computer than I'm using, you can process more messages
at a time by increasing the value of $max_servers.
While you're at it, change the email addresses to something sensible
for a home network such as using postmaster for alerts:
The $final_*_destiny variables (such as $final_spam_destiny) indicate what to
do with the problem emails: D_DISCARD (destroy them), D_BOUNCE (send them
back), D_PASS (let them through). Remember if you destroy them all, the sender
will not know about it--efficient but dangerous if it was a message
mistakenly labeled as spam from one's boss, for example.
Customize the spam warning attached to suspect emails with a short message
such as "[SPAM?] ":
$sa_spam_subject_tag = '[SPAM?] ';
/usr/sbin/amavisd reload to reload settings on-the-fly.
Spam Detection Setup.
OpenSuSE 10.2 comes with SpamAssassin and/or Bogofilter.
SpamAssassin is the default. AMaViS is supposed to run
SpamAssassin automatically if it exists.
Add to /etc/mail/spamassassin/local.cf the
external static IP number of your firewall. In my case:
Other sample configuration values and a starter Bayes database are available at www.fsl.com. Check your rules with spamassassin --lint. Here are some example settings for the conf file:
dns_available yes # improves performance
lock_method flock # improves performance on non-NFS systems
use_auto_whitelist 0 # improves detection
whitelist_from myboss@job.com # must get through even if looks like spam
whitelist_from mycoworker@job.com # must get through even if looks like spam
bayes_auto_expire 0 # improves performance but must sa-learn --sync manually
Only keep essential addresses in the whitelist: social network sites make it easy
for spammers to find the email addresses of your friends and family.
/etc/init.d/amavis stop to stop AMaViS
/etc/init.d/spamd start to start SpamAssassin
/usr/sbin/amavisd debug-sa to show debug messages for SpamAssassin (sa)
If it runs with no errors, stop it with Control-C and start AMaViS again with /etc/init.d/amavis start.
Email a test message to yourself (through the
firewall) containing this debug spam message:
For SpamAssassin to be effective, it needs to learn to detect the
latest spam. Keep it up-to-date or feed it spam messages using
su - amavis -c "sa-learn --spam copy-of-email-file"
(run as the amavis user so the Bayes database it owns is the one updated)
and --ham to feed it good messages.
Add sa-update / /etc/init.d/spamd restart to
nightly jobs to update the spam assassin rules. Rules are stored in
/var/lib/spamassassin/version/. Third-party rules available at
http://wiki.apache.org/spamassassin/CustomRulesets
and most can be installed with sa-update --channel.
Run Spamassassin on startup: chkconfig spamd on
Final Email Check. There should be no more errors in the mail
logs. All mail should be delivered properly. If you want to forward email
to another address, create .forward files in the home directories
of users (or use Postfix aliases).
Firewall Setup.
I'm on a high-speed DSL connection. On OpenSUSE, the network interface for
a DSL connection is named "dsl0"
(not "ppp0" as they were in the past). A second DSL connection would be
named "dsl1". In YaST's firewall setup, set "dsl0" to external zone,
eth1 (or whatever is your home network card) to internal zone. To setup the forwarded ports,
enter them in the masquerade section. In my case, the mail delivery port
must be open since my firewall is handling my mail. My web server is on
a different computer so port 80 must be forwarded. Likewise with file
sharing connections.
In my case, this doesn't forward ports in the internal zone which can cause
problems when trying to access the PegaSoft web site while inside the home network.
As a workaround, you can hard-code such hosts in /etc/hosts on the computers
inside the firewall. Ideally, new custom firewall rules should be
added using iptables. Custom firewall rules can also restrict
traffic to certain IPs such as only allowing secure shell access from
your office as opposed to opening the port to the whole Internet.
If you have a DMZ, assign the DMZ network card as DMZ in the firewall to
block connections from the DMZ to the home network.
If you have a server
that is not on a DMZ, you can setup a firewall on the server to block
access to the home network, but if security is breached someone may be able
to disable the firewall anyway. Or you can try blocking the computer on
each computer on your home network. Not ideal, but it adds extra protection.
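The two custom iptables jobs mentioned above, the port-80 forward (with the "hairpin" rules that avoid the /etc/hosts workaround for the internal zone) and SSH restricted to one trusted address, as an added example that is not the article's or SuSEfirewall2's own configuration. The interface names, the home network, the web server address and the office address are placeholders; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the article's or SuSEfirewall2's own rules: plain
# iptables commands for two things the text describes, wrapped in functions
# so they can be dry-run (IPT=echo) and reviewed before being applied.
#   forward_web  - forward public port 80 to an internal web server, plus the
#                  "hairpin" rules that let home-network hosts reach the same
#                  public name without the /etc/hosts workaround.
#   restrict_ssh - accept SSH from the Internet only from one trusted address.
# Interface names, networks and addresses below are hypothetical placeholders.
# Rules are appended (-A) for readability; on a box whose existing ruleset
# ends in a final drop rule, insert them ahead of it (-I) or use the
# firewall's custom-rules hook if it has one.

IPT=${IPT:-iptables}                      # IPT=echo prints the rules instead
EXT_IF=${EXT_IF:-dsl0}                    # external zone: the DSL interface
INT_IF=${INT_IF:-eth1}                    # internal zone: home network card
INT_NET=${INT_NET:-192.168.1.0/24}        # home network
WEB_SERVER=${WEB_SERVER:-192.168.1.200}   # static IP for the web server
OFFICE_IP=${OFFICE_IP:-203.0.113.10}      # trusted SSH source (placeholder)

forward_web() {
    # Replies to forwarded connections must be allowed back through.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet -> firewall:80 becomes Internet -> web server:80.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_SERVER" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Hairpin: a home PC that resolves the public name gets the firewall's
    # own (dynamic) DSL address.  --dst-type LOCAL matches any address the
    # firewall holds, so no public IP needs to be hard-coded.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$INT_NET" -p tcp --dport 80 \
        -m addrtype --dst-type LOCAL -j DNAT --to-destination "$WEB_SERVER:80"
    # The server would otherwise answer the PC directly on the LAN, which
    # never saw the rewrite; masquerade so the reply comes back via the firewall.
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -s "$INT_NET" -d "$WEB_SERVER" \
        -p tcp --dport 80 -j MASQUERADE
    $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -d "$WEB_SERVER" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

restrict_ssh() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # From the Internet: only the office address may open SSH.  Everything
    # else on the DSL side is logged (so the nightly report can pick it up
    # from the kernel log) and dropped.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -s "$OFFICE_IP" \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW \
        -j LOG --log-prefix "ssh-blocked: "
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j DROP
    # The home network keeps SSH access to the firewall.
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT
}

apply_firewall_rules() {
    forward_web
    restrict_ssh
}

# Review first:   IPT=echo apply_firewall_rules
# Then as root:   apply_firewall_rules
```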
Locate command. I like locate and use it all the time but
it isn't installed by default on OpenSuSE 10.2. Install the find subsys
package which includes locate and updatedb.
Add nice /usr/bin/updatedb to the nightly cron job.
Secure SHell (SSH) Hardening. Secure Shell, the modern-day TELNET, provides
key authentication and encrypted shell windows between different machines.
(In short, if it's set up properly, you never have to type a password.)
It is only as secure as
you configure it to be. Once you set up your secure shell keys and test
your SSH access to the firewall, you will want to turn off clear passwords
and just use the key authentication. Turn off challenge for PAM as well as
PasswordAuthentication for no password prompt in the sshd configuration file.
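An added check, not from the article, for the two sshd_config directives just mentioned: PasswordAuthentication, and the PAM challenge, which in sshd_config is ChallengeResponseAuthentication. It reads the file the way sshd does (first occurrence wins, comment lines are ignored, keywords are case-insensitive) and reports what still has to change; the sample config is constructed, and the script assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config for the two
# settings the text says to turn off once key authentication works.
# PasswordAuthentication controls the plain password prompt; the "challenge
# for PAM" is ChallengeResponseAuthentication (keyboard-interactive via PAM).
# Both default to yes inside sshd when absent.  Assumes a config with no
# Match blocks.  The sample config at the bottom is constructed.

# Effective value of one directive: like sshd, take the FIRST occurrence,
# skip comment lines, match the keyword case-insensitively.  Prints nothing
# when the directive is absent.
sshd_value() {      # $1 = config file, $2 = directive name
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per problem, or "ok"; return 1 if anything must change.
audit_sshd() {      # $1 = config file
    findings=0
    for directive in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(sshd_value "$1" "$directive")
        case "$(echo "$v" | tr 'A-Z' 'a-z')" in
            no) ;;
            "") echo "$directive is unset (sshd default is yes): add '$directive no'"
                findings=$((findings + 1)) ;;
            *)  echo "$directive is '$v': change it to no"
                findings=$((findings + 1)) ;;
        esac
    done
    if [ "$findings" -eq 0 ]; then
        echo ok
        return 0
    fi
    return 1
}

# Constructed sample: shipped-style defaults with only half the change made,
# plus a commented-out line that a naive grep would mistake for the setting.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
}

# On the firewall: audit_sshd /etc/ssh/sshd_config
# and after editing: /etc/init.d/sshd restart (keep one session open until
# a fresh key login has been verified).
```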
Network Time Protocol (NTP). NTP keeps the clock on your firewall
up-to-date. This can be configured through the ntpd configuration file
and/or YaST's Network Services / NTP Configuration. Through ntpd, all the
computers on your home network can get the time from your firewall.
However, if you're only concerned about the firewall clock, add the
following line to a nightly cron job:
/usr/sbin/ntpdate time.nrc.ca # Update clock (Canada: National Research Council atomic clock)
Or use a different NTP server such as pool.ntp.org.
Mailing list configuration. Mailman is a popular program and is available for OpenSuSE 10.2. It cannot
be configured through YaST. It has a web-based interface but this cannot
be used until the software is set up. Since my mail server is on the
firewall but my web server is a separate computer, I had to run a second
web server on the firewall for Mailman and assigned it a different network
port.
Initialize the lists using the Mailman utility commands:
/usr/lib/mailman/bin/newlist (name of list: the email address, not the list
title; email of person running: the full email address with domain)
/usr/lib/mailman/bin/list_lists to verify the list.
/usr/lib/mailman/bin/add_member -r list imports a list of members from a text
file.
(The lists are stored in /var/lib/mailman/.)
To cut back on overhead, if you're not using the Usenet news to mailing
list gateway, comment out that line in the cron table.
Setup web interface
If you don't already have the Apache web server installed, install it.
chkconfig apache2 on
a2enflag MAILMAN to turn on mailman apache2 conf.d configuration file
Since I have another web server, change the web server port to 8080 so as
not to interfere with port-forwarded 80.
Fix the default domain. By default, it's my-computer.my-domain.ca, not
my-domain.ca. Set DEFAULT_EMAIL_HOST to my-domain.ca and DEFAULT_URL_HOST to
www.my-domain.ca:8080, then fix the URLs of the existing lists:
/usr/lib/mailman/bin/withlist -l -r fix_url list-name
/usr/lib/mailman/bin/withlist -l -r fix_url mailman
Do list administrative setup through the web interface.
Administer the lists through http://your-firewall:8080/mailman/admin/list-name
to setup prefix, list title, digest rate and description.
Make mailman run on startup.
chkconfig mailman on
Configure Windows sharing with Samba.
Samba shares directories and printers with
computers on your home network using Microsoft's SMB protocol. This makes
them visible to both Windows and Linux.
Configure basic printer and Windows sharing through YaST.
Add the following modifications to the [global] section of
/etc/samba/smb.conf to restrict Samba to your internal network
and set your basic Windows info:
netbios name = FIREWALL-NAME
workgroup = DOMAIN-NAME # e.g. PEGASOFT
server string = Firewall Server
bind interfaces only = yes
interfaces = eth0 # or whatever your home network card is
Don't duplicate any lines in that section.
CUPS Printer Configuration. To connect your printer to the firewall
and share it with the computers on your home network, you'll need to configure the
Common UNIX Printing System (CUPS):
Add Allow From *.my-domain.ca to the security options in /etc/cups/cupsd.conf.
This lets you use CUPS' web interface (port 631) from any computer in that domain.
Check the setup through the web interface. The printer doesn't need to be shared from CUPS so leave that option off. It will be shared from SMB.
Create the printer queue on the client computer. For SMB, with proper
workgroup and host, the name of the cups printer should appear when you
click the "Look Up" button. Use the name of the printer, not "print$".
Test print from the client computer.
Reconnect Script. To have your computer automatically reconnect
after being kicked off the Internet, use a script like the one I wrote:
reconnect.sh. Follow the instructions
on this page (boot.local doesn't work on SuSE for this script).
Nightly Cron Script. A nightly list of tasks to run, setup
through crontab. May look something like this:
#!/bin/bash
#
# nightly.sh - nightly cron job
#
# This script was built for OpenSuSE 10.2 and DSL for Ken's firewall. It
# has not been tested on other systems.
#
# This script should be run every night by cron.
# ---------------------------------------------------------------------------

# Report file. mktemp avoids a predictable /tmp name that another local
# user could create ahead of root.
TMP=`mktemp /tmp/nightly.XXXXXX` || exit 1

# Sanity Tests
if [ "$LOGNAME" != "root" ] ; then
   echo "$0: Must be root to run"
   rm -f "$TMP"
   exit 192
fi

# Get list of processes
PS=`ps -efw`

# Check for DSL Reconnect Script
DSL=`echo "$PS" | grep reconnect.sh`
if [ -z "$DSL" ] ; then
   echo "DSL reconnect script (reconnect.sh) is not running." >> "$TMP"
fi

# Server Tests
SERVER="192.168.internal-ip"
if ! ping -c 1 "$SERVER" >/dev/null 2>&1 ; then
   echo "Web server $SERVER is down." >> "$TMP"
fi
SERVER="www.google.ca"
if ! ping -c 1 "$SERVER" >/dev/null 2>&1 ; then
   echo "The Internet is down - unable to ping ($SERVER)." >> "$TMP"
fi

# Update clock
/usr/sbin/ntpdate time.nrc.ca > /dev/null 2>> "$TMP"

# Update anti-virus database
nice /usr/bin/freshclam --quiet >> "$TMP" 2>&1

# Update locate database
nice /usr/bin/updatedb >> "$TMP" 2>&1

# Cleanup: mail the report to root only if something was written to it
if [ -f "$TMP" ] ; then
   REPORT=`cat "$TMP"`
   if [ -n "$REPORT" ] ; then
      echo "$REPORT" | mail -s "Hitomi Nightly Firewall Report" root
   fi
   rm -f "$TMP"
fi
sync
sync
External Testing. A firewall is no good if it doesn't block
things. Have a friend with some computer experience run some tests to make
sure the firewall is blocking network ports properly. Don't try to do the
testing yourself: it's important to get a second person to check for things
you may have overlooked.
Final Check. Check all logs for any warnings or errors to make sure everything is OK.
Once your firewall is properly set up (and double checked for a few
days), it should run quietly with little intervention. So make sure you
fix all bugs or configuration issues before you forget about it.
Harden the System. After testing the firewall for a few weeks, it's time to
do final security improvements. Remove any unnecessary software you no
longer need. Consider mounting /usr as a read-only file system to avoid
software tampering. You may want to install intrusion detection software
like Tripwire (Wikipedia).
Remove or rename any development tools
such as gcc or make. Since this can impact installing new software or
doing security updates, consider carefully if it's worth the extra time,
especially for a home firewall.
I've used the new firewall for a few weeks. My concern that
the firewall might be sluggish under OpenSuSE is true, but not for the
reason that I thought. A text-only desktop of OpenSuSE runs well on older
computers. However, I installed a mail server with anti-virus/anti-spam
software that performs over 80,000 checks for every piece of mail. So
connections are fast but email can take a minute or two to be sent. Not a
huge issue but a noticeable one.
My second concern was the difficulty of configuration.
OpenSuSE is quite capable of running as a firewall, but the configuration
tools are not up to the challenge.
Although OpenSuSE installs as a desktop machine in a matter of minutes,
installing software outside of that application results in bugs and
configuration problems. It's not difficult but it requires web searches
and patience. Hopefully, this article will reduce this problem.
I would like to have used ClarkConnect, but clearly if you
cannot download the software then the software, no matter how good it is,
is useless.
The "Perfect Setup" web site brags about perfect setups.
Is this a perfect firewall setup? Probably not. I'll settle for a perfect start.