
firewall profile in debian(-edu) (UML IPCop debian package How-To)
Hello,

the router/firewall is considered not to be part of skolelinux, the schools 
have to solve this part mostly for themselves.

Keeping the firewall separate from the servers is a good reason not to let 
tjener do the routing, avoiding the work to support firewall security is 
another.

Fortunately we don't need to leave school admins all alone[1] with their 
firewall setup any more, though. It is possible to integrate the IPCop[2] 
firewall distribution in skolelinux.

With four more questions (account info for gateway and ISP) you can install 
the whole skolelinux infrastructure (gateway,tjener,ltspserver) on a single 
machine for quick demonstrations, tests, or use in small setups.


The German computer magazine "C't" has published a CDD! that runs the IPCop 
firewall distribution in a chrooted UML process.

For those of you curious, I managed to have the ipcop "gateway" running on a 
debian-edu server under UML, you'll find the instructions at the end of this 
email.


In the how-to I explain how to manually setup an UML ipcop in skolelinux, for 
further automation and debianization of the installation some minor changes 
to the ipcop package and skolelinux could of course be beneficial.

This is where hopefully developers from debian-edu and ctmagazine could step 
forward and help each other.

One thing is that it seemed the ipcop package needs to be set up by the 
ctsrvcfg program. Just apt-getting ipcop did not work for me. Maybe this 
functionality can be moved to the control files of the ipcop package, and 
debconfized? Additionally some adjustments were needed to make the debian-edu 
interface configuration, modified by ctsrvcfg, work again. (I think I also 
made the comments a little bit clearer.) See attachment.

The other is that the UML IPcop kernel did not run on the skolelinux kernel. 
So I installed the kernel built by ctmagazine. Integrating ipcop would need 
to check for further differences besides the separate address space patch 
which is not in the debian(-edu) kernel.


That's basically all. Well it would also be nice if IPCop could merge the UML 
patches upstream.

Credits go to the ctserver and skolelinux team.

All the best,
-Christian

[1]
Schools might have a hard time choosing and installing from the many firewall 
solutions out there. Configuration and maintenance possibilities, costs and 
the effort needed vary widely, depending on the local admin, whether a hardware 
router or software router is used, etc. The schools' security might even get 
proprietary and closed up.

[2]
http://ipcop.org
----
Skolelinux IPCop HOW-TO

Steps to install the "gateway" (UML IPCop) on a combined Skolelinux main and 
terminalserver.

1. Install the mainserver and terminalserver profiles from the sarge CD on a 
machine with three ethernet devices.

2. You need more than 1GB free space on /var, therefore you'll need to increase 
the size of lv_var. Since the installed e2fsadm did not work with lvm2, I 
switched the mount for /skole/backup with /var after copying the files.

3. With "apt-cdrom add" add the CD out of the C't magazine's special 
"Netzwerke" to your /etc/apt/sources.list.
Alternatively for the security patched kernel add:
deb http://www.heise.de/ct/ftp/projekte/vdr4 experimental/
for the host tools:
deb http://www.heise.de/ct/ftp/projekte/srv binary/
and for the UML ipcop:
deb http://www.heise.de/ct/ftp/projekte/srv ipcop/
to your sources.list .

4. "apt-get update"

5. The UML ipcop did crash running on the skolelinux kernel after complaining 
about unknown partitiontables in the fs images.
So do "apt-get install kernel-image-2.6.12-ct-1" to install the also 
UML-security enhanced C't kernel. (If you are using a 2.4 kernel use 
kernel-image-2.4.31-ct-1)

6. Install the C't server install/config tool "apt-get install ctsrvcfg"

7. Start "ctsrvcfg", select to install ipcop, and configure the 
"details" (account information for ipcop and DSL provider).

8. Stop ipcop and the network: "/etc/init.d/ipcop stop", 
   "/etc/init.d/networking stop"

9. Adjust /etc/network/interfaces for the virtual UML setup as done in the 
attached file.

10. Adjust the ipcop configuration for skolelinux needs:
   "mount -o loop /var/lib/uml/ipcop/ipcop.img /mnt"
   and edit /mnt/var/ipcop/ethernet/settings to read as the attached settings 
   file.

11. Start the network again "/etc/init.d/networking start"

12. Start the UML ipcop "/etc/init.d/ipcop start"

13. Now you can login to ipcop with "ssh -p 222 10.0.2.1" or at 
https://10.0.2.1:445. You need to turn off proxying for 10.0.2.1, though! In 
konqueror the proxy setting is set immutable, so try mozilla. Use 
"about:config" to append ", 10.0.2.1" to the no proxy list.

----
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)


# This file was manually modified from the result created by
# debian-edu-profile during the Debian installation and subsequent
# installation of the ipcop package with ctsrvcfg
#
# It assumes three NICs to be present
#
#	eth0 internal skolelinux net (part of br0)
#	eth1 thinclient net
#	eth2 NIC where the DSL modem is connected (part of br1)
#
# and provides the bridge setup where additional
# NICs or virtual tap devices can be added.
#
#	br2 is there to add wlan devices to bridge_ports
#	br3 is there to add a dmz device or additional virtual tap
#	    devices from other UMLs to bridge_ports


# The loopback interface
auto lo
iface lo inet loopback


auto tap0 tap1 tap2 tap3 eth0 eth1 br0 br1 br2 br3
# eth0 (host ethernet NIC to internal LAN for br0)
iface eth0 inet manual
        up ifconfig eth0 0.0.0.0 promisc up

# eth1 (host ethernet NIC to thinclients)
iface eth1 inet static
    address 192.168.0.254
    netmask 255.255.255.0
    broadcast 192.168.0.255


# eth2 (host ethernet NIC to DSL (pppoe) for br1)
iface eth2 inet manual
        up ifconfig eth2 0.0.0.0 promisc up


# optional eth3 (host ethernet NIC to wlan for br2)
# connect to bridge br2
#iface eth3 inet manual
#        up ifconfig eth3 0.0.0.0 promisc up

# optional eth4 (host ethernet NIC to dmz for br3)
# connect to bridge br3
#iface eth4 inet manual
#        up ifconfig eth4 0.0.0.0 promisc up
# virtual internal lan device for firewall (ipcop green)
iface tap0 inet manual
        pre-up tunctl -u ipcop -t tap0
        up ifconfig tap0 up
        down ifconfig tap0 down

# virtual external dsl device for firewall (ipcop red)
iface tap1 inet manual
        pre-up tunctl -u ipcop -t tap1
        up ifconfig tap1 up
        down ifconfig tap1 down

# virtual wlan device for firewall (ipcop blue)
iface tap2 inet manual
        pre-up tunctl -u ipcop -t tap2
        up ifconfig tap2 up
        down ifconfig tap2 down

# virtual dmz device for firewall (ipcop orange)
iface tap3 inet manual
        pre-up tunctl -u ipcop -t tap3
        up ifconfig tap3 up
        down ifconfig tap3 down

# br0 is the interface to internal lan
iface br0 inet static
	address 10.0.2.2
	netmask 255.255.254.0
	network 10.0.2.0
	broadcast 10.0.3.255
	gateway 10.0.2.1
	# dns-* options are implemented by the resolvconf package, if installed
	dns-nameservers 10.0.2.2
	dns-search intern
        bridge_ports eth0 tap0
        bridge_fd 1
        bridge_stp off
        bridge_hello 1
        down ifconfig br0 down


# br1 between DSL nic and virtual firewall dsl nic
iface br1 inet manual
        bridge_ports eth2 tap1
        bridge_fd 1
        bridge_stp off
        bridge_hello 1
        down ifconfig br1 down

# bridge to virtual firewall wlan
iface br2 inet manual
        bridge_ports tap2
        bridge_fd 1
        bridge_stp off
        bridge_hello 1
        down ifconfig br2 down

# bridge to virtual firewall dmz
iface br3 inet manual
        bridge_ports tap3
        bridge_fd 1
        bridge_stp off
        bridge_hello 1
        down ifconfig br3 down

----
CONFIG_TYPE=7
GREEN_DEV=eth0
GREEN_DRIVER=null
GREEN_DRIVER_OPTIONS=' '
GREEN_ADDRESS=10.0.2.1
GREEN_NETMASK=255.255.254.0
GREEN_NETADDRESS=10.0.2.0
GREEN_BROADCAST=10.0.3.255
GREEN_DISPLAYDRIVER=intern
RED_DEV=eth1
RED_DRIVER=null
RED_DRIVER_OPTIONS=' '
RED_DISPLAYDRIVER=null
RED_DHCP_HOSTNAME=gateway
RED_ADDRESS=0.0.0.0
RED_NETMASK=0.0.0.0
RED_TYPE=PPPOE
RED_NETADDRESS=0.0.0.0
RED_BROADCAST=255.255.255.255
DNS1=
DNS2=
DEFAULT_GATEWAY=
BLUE_DEV=
BLUE_DRIVER=null
BLUE_DRIVER_OPTIONS=' '
BLUE_ADDRESS=192.168.254.1
BLUE_NETADDRESS=192.168.254.0
BLUE_NETMASK=255.255.255.0
BLUE_BROADCAST=192.168.254.255
BLUE_DISPLAYDRIVER=wlan
ORANGE_DEV=
ORANGE_DRIVER=null
ORANGE_DRIVER_OPTIONS=' '
ORANGE_ADDRESS=192.168.253.1
ORANGE_NETMASK=255.255.255.0
ORANGE_BROADCAST=192.168.253.255
ORANGE_DISPLAYDRIVER=dmz
ORANGE_NETADDRESS=192.168.253.0
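The two attached files have to agree with each other: the host's default gateway on br0 must be IPCop's GREEN address, and the tap carrying IPCop's RED side must never share a bridge with the internal NIC, or the main server's traffic simply bypasses the firewall. The following POSIX sh script is an added example (not part of this email, the C't packages or skolelinux) that parses trimmed, constructed copies of both files and performs these two checks, plus a deliberately broken interfaces sample where tap1 was added to br0. It assumes that IPCop's ethN inside the UML corresponds to host device tapN, as the comments in the interfaces file above suggest.

```shell
#!/bin/sh
# Consistency check between /etc/network/interfaces on the skolelinux host
# and /var/ipcop/ethernet/settings inside the UML IPCop image.
# Both inputs below are constructed samples, cut down to the stanzas needed.

IFACES=$(cat <<'EOF'
auto lo
iface lo inet loopback
iface eth0 inet manual
        up ifconfig eth0 0.0.0.0 promisc up
iface br0 inet static
	address 10.0.2.2
	netmask 255.255.254.0
	gateway 10.0.2.1
        bridge_ports eth0 tap0
iface br1 inet manual
        bridge_ports eth2 tap1
EOF
)

# Broken sample: the red tap was mistakenly bridged onto the internal LAN.
BAD_IFACES=$(cat <<'EOF'
iface br0 inet static
	gateway 10.0.2.1
	netmask 255.255.254.0
        bridge_ports eth0 tap0 tap1
iface br1 inet manual
        bridge_ports eth2
EOF
)

SETTINGS=$(cat <<'EOF'
GREEN_DEV=eth0
GREEN_ADDRESS=10.0.2.1
GREEN_NETMASK=255.255.254.0
RED_DEV=eth1
RED_TYPE=PPPOE
EOF
)

# setting KEY CONTENT: value of KEY from IPCop's KEY=value settings format.
setting() { printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1; }

# iface_opt CONTENT DEV OPT: value of option OPT inside the "iface DEV" stanza.
iface_opt() {
    printf '%s\n' "$1" | awk -v dev="$2" -v opt="$3" '
        $1 == "iface" { in_stanza = ($2 == dev); next }
        in_stanza && $1 == opt {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit
        }'
}

# bridge_of CONTENT DEV: the bridge whose bridge_ports list contains DEV.
bridge_of() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "iface" { cur = $2; next }
        $1 == "bridge_ports" {
            for (i = 2; i <= NF; i++) if ($i == dev) { print cur; exit }
        }'
}

# uml_to_tap ETHN: host tap device behind IPCop's ethN. Assumption taken from
# the interfaces comments (tap0 green, tap1 red, tap2 blue, tap3 orange).
uml_to_tap() { printf 'tap%s\n' "${1#eth}"; }

# Check 1: br0's gateway and netmask must equal IPCop's GREEN address/netmask,
# otherwise tjener routes around the firewall. Returns 0 when consistent.
check_green() {
    [ "$(iface_opt "$1" br0 gateway)" = "$(setting GREEN_ADDRESS "$2")" ] &&
    [ "$(iface_opt "$1" br0 netmask)" = "$(setting GREEN_NETMASK "$2")" ]
}

# Check 2: the red tap must live on a different bridge than the green tap and
# that bridge must not carry the internal NIC eth0. Returns 0 when isolated.
check_red_isolated() {
    green=$(bridge_of "$1" "$(uml_to_tap "$(setting GREEN_DEV "$2")")")
    red=$(bridge_of "$1" "$(uml_to_tap "$(setting RED_DEV "$2")")")
    [ -n "$green" ] && [ -n "$red" ] && [ "$green" != "$red" ] &&
    [ "$(bridge_of "$1" eth0)" != "$red" ]
}

if check_green "$IFACES" "$SETTINGS" && check_red_isolated "$IFACES" "$SETTINGS"; then
    echo "ok: host bridges and IPCop settings are consistent"
fi
check_red_isolated "$BAD_IFACES" "$SETTINGS" ||
    echo "bad sample: red tap shares bridge $red with the internal LAN"
```

To run it against the real files, replace the embedded samples with `IFACES=$(cat /etc/network/interfaces)` and `SETTINGS=$(cat /mnt/var/ipcop/ethernet/settings)` while the image is loop-mounted as in step 10.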
