nbensa l33t
Joined: 10 Jul 2002 Posts: 799 Location: Buenos Aires, Argentina
Posted: Mon May 19, 2003 3:39 am Post subject: I've done!!!
After almost a year running Gentoo Linux here, I finally switched my firewall to Linux (I was running Win95+Winroute there).
I've found (thanks to Rex Young, from the gentoo-user mailing list) the drivers for my modem: a PCTel Micromodem integrated into a PCChips M598 motherboard.
BTW, I've found that my connection is faster than before (up to 25% faster).
I'm a Windows-free person!!!!!!!!!!!!!
Best regards,
Norberto
PS: I'm sorry for my English, my mother language is Spanish...
LimeFrog Apprentice
Joined: 31 Mar 2003 Posts: 187 Location: Skövde, Sweden
Posted: Mon May 19, 2003 8:46 am
Good for you.
_________________
I don't believe in God, but I'm afraid of him!
bsolar Bodhisattva
Joined: 12 Jan 2003 Posts: 2764
Posted: Mon May 19, 2003 8:52 am
I'm always happy when I hear that another user has come out of the tunnel...
_________________
I may not agree with what you say, but I'll defend to the death your right to say it.
taskara Advocate
Joined: 10 Apr 2002 Posts: 3763 Location: Australia
Posted: Mon May 19, 2003 9:23 am
Why don't you post your firewall config on the forum for others to see!
Post any issues you had, it may help others.
_________________
Kororaa install method - have Gentoo up and running quickly and easily, fully automated with an installer!
Lovechild Advocate
Joined: 17 May 2002 Posts: 2858 Location: Århus, Denmark
Posted: Mon May 19, 2003 10:09 am
Please do a documentation piece on this, other people might find it useful.
And CONGRATULATIONS on the wintendofreeness of your lifestyle.
d3c3it l33t
Joined: 01 Mar 2003 Posts: 765 Location: Manchester, UK
Posted: Mon May 19, 2003 4:11 pm
Lovechild wrote:
> Please do a documentation piece on this, other people might find it useful.
> And CONGRATULATIONS on the wintendofreeness of your lifestyle.
Yes please do, I wish to do this but I've no idea how to do such a thing and wouldn't know where to begin. Did you use dhcp?
_________________
Some people go to counselling,
others use linux
nbensa l33t
Joined: 10 Jul 2002 Posts: 799 Location: Buenos Aires, Argentina
Posted: Mon May 19, 2003 4:52 pm
Ok, I'll post it later; I'm at work now.
But you'll be surprised, there's no magic there. Compile the modem's driver, emerge shorewall, and you're almost there... I'll write the details later. Stay tuned!!!
Norberto
d3c3it l33t
Joined: 01 Mar 2003 Posts: 765 Location: Manchester, UK
Posted: Mon May 19, 2003 5:02 pm
nbensa wrote:
> Ok, I'll post it later; I'm at work now.
> But you'll be surprised, there's no magic there. Compile the modem's driver, emerge shorewall, and you're almost there... I'll write the details later. Stay tuned!!!
> Norberto
Does it act as a firewall as well as a router? Because I've got a spare P133 with 16MB RAM and was going to run it as a router and DHCP server (i.e. plug in a network cable and bang, I've got a net connection, no setup).
_________________
Some people go to counselling,
others use linux
nbensa l33t
Joined: 10 Jul 2002 Posts: 799 Location: Buenos Aires, Argentina
Posted: Tue May 20, 2003 8:14 pm
Hello everyone,
I didn't forget to write, I'm doing it but it will take some time. So, one of two things can happen:
a) wait until I've got everything in Spanish and then translated to English.
b) if someone wants to step in, do it, as (a) can take one or two weeks.
Now, replying to d3c3it: yes, it's a firewall and router, but I run my dhcp server on another box that also runs nfs, postfix, spamassassin, imap, etc.
BTW, does anyone know how to tell minicom/wvdial to send unencrypted passwords to my ISP?? Thanks.
Best regards,
Norberto
d3c3it l33t
Joined: 01 Mar 2003 Posts: 765 Location: Manchester, UK
Posted: Tue May 20, 2003 9:57 pm
nbensa wrote:
> Hello everyone,
> I didn't forget to write, I'm doing it but it will take some time. So, one of two things can happen:
> a) wait until I've got everything in Spanish and then translated to English.
> b) if someone wants to step in, do it, as (a) can take one or two weeks.
> Now, replying to d3c3it: yes, it's a firewall and router, but I run my dhcp server on another box that also runs nfs, postfix, spamassassin, imap, etc.
> BTW, does anyone know how to tell minicom/wvdial to send unencrypted passwords to my ISP?? Thanks.
> Best regards,
> Norberto
Cheers, I asked about the dhcp because I'd like to have the box running that :)
_________________
Some people go to counselling,
others use linux
SPo0n Tux's lil' helper
Joined: 03 May 2003 Posts: 85 Location: England
Posted: Wed May 21, 2003 9:34 am Post subject: Re: I've done!!!
nbensa wrote:
> PS: I'm sorry for my English, my mother language is Spanish...
Looks perfectly fine to me, in fact better than mine is sometimes - and I'm English
nbensa l33t
Joined: 10 Jul 2002 Posts: 799 Location: Buenos Aires, Argentina
Posted: Tue Jun 10, 2003 12:46 am
So here it is...
How to run a firewall/router using Gentoo and a winmodem
Disclaimer
I AM NOT RESPONSIBLE AND I CANNOT BE HELD LIABLE FOR ANY DAMAGE INFLICTED ON YOUR COMPUTER AND/OR NETWORK DIRECTLY OR INDIRECTLY BY FOLLOWING THE STEPS DESCRIBED HERE. YOU UNCONDITIONALLY ACCEPT THAT YOU ARE DOING THIS AT YOUR OWN RISK.
Requirements
The first thing is to have a box to play with. An old Pentium 100 can be (I guess) a good firewall/router, but since my modem is a software modem (a.k.a. Winmodem), I need to use a Pentium MMX class machine.
My motherboard is a PCChips M598MLR and includes a NIC (Davicom DM9102), a modem (PCTel Minimodem DAA), sound and video. It has 64MB of RAM but I guess 32MB will do pretty well.
For the software part go for a minimum Gentoo install (bootstrap, system) and add: ppp, wvdial, shorewall, your modem drivers(*) and optionally ssh and webmin (can be used to control shorewall with a GUI).
(*) You'll have to look around for your modem drivers by yourself. A nice place to start is http://linmodems.org/
Procedure
Modem drivers
I'll talk about the procedure for my specific modem since that's what I have, and I've struggled with it for a while.
I found my drivers here: http://linmodems.technion.ac.il/pctel-linux/
If you have the same motherboard and modem as I have, go ahead and download pctel-0.9.6.tar.gz. It will not compile under Gentoo out-of-the-box because there's a bug in the configure script. I've made a patch for it (fast hack, i.e., it may not work, YMMV). Look at the end of this post for the patch.
Now, let's compile this beast. Save the patch as ~/pctel-0.9.6-configure-patch.diff, and then:
Code:
$ tar zxvf pctel-0.9.6.tar.gz
$ cd pctel-0.9.6
$ patch -Np1 < ~/pctel-0.9.6-configure-patch.diff
$ ./configure --prefix=/usr --with-hal=cm8738
$ make
$ sudo make install    (or su -c "make install")
At this stage, you'll have your modem drivers compiled and installed under /lib/modules/`uname -r`/misc/{pctel.o,ptserial.o}, but if you modprobe them you'll get an error.
Code:
$ sudo /sbin/insmod -f pctel
$ sudo /sbin/insmod -f ptserial
You need to use --force 'cos the modules are linked against a closed source library compiled with gcc 2.x and there's nothing else you can do about it (except complain to PCTel).
Once you have the modules loaded, modify /etc/conf.d/local.start
Code:
$ sudo nano /etc/conf.d/local.start
and insert:
Code:
insmod -f pctel &>/dev/null
insmod -f ptserial &>/dev/null
Shorewall
Let's continue with shorewall.
Code:
$ sudo nano /etc/shorewall/shorewall.conf
Change CLAMPMSS=No to CLAMPMSS=Yes (read the docs to know why).
Code:
$ sudo nano /etc/shorewall/interfaces
Your 'loc' zone will be -hopefully- eth0 and your 'net' zone will be ppp0. You can delete (or comment out) the 'dmz' zone, unless you have a complex network setup, but in that case I doubt you need to read this howto anyways.
And NAT your network!
Code:
$ sudo nano /etc/shorewall/masq
Simply put:
and you're done with shorewall. Start it and add it to the default run-level:
Code:
$ sudo /etc/init.d/shorewall start
$ sudo /sbin/rc-update add shorewall default
Wvdial
wvdial needs a little more attention:
Code:
$ sudo wvdialconf /etc/wvdial.conf
$ sudo nano /etc/wvdial.conf
The file is self-explanatory. Put in your ISP's phone number, username, and password.
Try to dial:
Code:
$ sudo wvdial
(yep, as root. We'll fix some permissions later.)
If it worked, you are almost done. Press ^C to hang up.
Let's fix some permissions
Add yourself and the users you want to give dial-out control to the (you guessed it) dialout group. I like to edit /etc/group manually, but if you have a better tool or procedure, use it.
My modem has a node at /dev/ttyS15, so I just did:
Code:
$ sudo chgrp dialout /dev/ttyS15
$ sudo chmod g+rw /dev/ttyS15
If your /dev/modem doesn't exist, or points to the wrong ttySxx:
Code:
$ sudo rm /dev/modem
$ sudo ln -s ttyS15 /dev/modem
wvdial will place a lock file in /var/lock. Unfortunately, /var/lock is owned by root.uucp with mode 0770 by default, so no one else can write to that directory. You have two options:
a) add yourself and the users to the uucp group
b) sudo chmod o+rwt /var/lock
I'm not sure which one is better and/or more secure. I did the second, in case you're wondering. Now try to wvdial as a normal user. And if you have problems, post them here and I (or someone else) will take a look.
Setting up workstations
The last step is to set up the gateway for your workstations. Simply put your firewall's IP in /etc/conf.d/net and restart your network service. If you use DHCP, then configure your dhcp server to broadcast the IP address of the firewall.
Now, go on-line, and try to browse the web from your workstations.
Because my firewall has neither monitor nor keyboard, I use ssh:
Conclusion
I was scared at first, but it was simpler than I thought. My 'new' firewall running Gentoo Linux instead of Windows+Winroute not only seems faster (up to 25% faster downloads), even my connection is more stable now. I'm really satisfied with this job.
That's all. Again, if you have problems, please, post them here.
Best regards,
Norberto
Patch for pctel-0.9.6:
Code:
diff -urN pctel-0.9.6.old/configure pctel-0.9.6/configure
--- pctel-0.9.6.old/configure 2002-11-08 06:45:32.000000000 -0300
+++ pctel-0.9.6/configure 2003-05-18 20:31:57.000000000 -0300
@@ -3328,20 +3328,21 @@
+ KERNEL_VERSION=`echo $KERNEL_VERSION | awk '{ print $1 }'`
min_kernel_version=2.4.0
echo "$as_me:$LINENO: checking for Linux kernel version >= $min_kernel_version" >&5
echo $ECHO_N "checking for Linux kernel version >= $min_kernel_version... $ECHO_C" >&6
- real_kernel_version="`eval echo $KERNEL_VERSION | sed -e 's/-[a-zA-Z0-9][^-]*$//g' | awk -F'.' '{ print $1"."$2"."$3 }'`"
+ real_kernel_version="`uname -r`"
- k_version="`echo $real_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\1/'`"
- k_patch="`echo $real_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\2/'`"
- k_sub="`echo $real_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\3/'`"
-
- v_min="`echo $min_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\1/'`"
- p_min="`echo $min_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\2/'`"
- s_min="`echo $min_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\3/'`"
+ k_version="`echo $real_kernel_version | sed 's,\([0-9]*\).\([0-9]*\).\([0-9]*\).*,\1,'`"
+ k_patch="`echo $real_kernel_version | sed 's,\([0-9]*\).\([0-9]*\).\([0-9]*\).*,\2,'`"
+ k_sub="`echo $real_kernel_version | sed 's,\([0-9]*\).\([0-9]*\).\([0-9]*\).*,\3,'`"
+
+ v_min="`echo $min_kernel_version | sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\1/'`"
+ p_min="`echo $min_kernel_version | sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\2/'`"
+ s_min="`echo $min_kernel_version | sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\3/'`"
if test $k_version -gt $v_min \
-o $k_version -eq $v_min -a $k_patch -gt $p_min \
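Review bot: the added `KERNEL_VERSION=\`echo $KERNEL_VERSION | awk '{ print $1 }'\`` line at the top of this hunk is dead code: the only consumer of `$KERNEL_VERSION` in the hunk is the removed `real_kernel_version=` line, and its replacement reads `uname -r` instead, so either drop the awk line or keep deriving `real_kernel_version` from `$KERNEL_VERSION`. Switching to `uname -r` also ties the version check to the kernel that happens to be booted rather than the kernel tree the module is being built for, which silently passes or fails the check when building for a kernel other than the running one. Minor: the new `k_version`/`k_patch`/`k_sub` patterns keep an unescaped `.` between the groups (matches any character) while the `v_min`/`p_min`/`s_min` lines in the same hunk escape it as `\.`; the two halves should use the same pattern.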
@@ -3437,11 +3438,11 @@
echo "$as_me:$LINENO: checking for Linux kernel version >= $min_kernel_version" >&5
echo $ECHO_N "checking for Linux kernel version >= $min_kernel_version... $ECHO_C" >&6
- real_kernel_version="`eval echo $KERNEL_VERSION | sed -e 's/-[a-zA-Z0-9][^-]*$//g' | awk -F'.' '{ print $1"."$2"."$3 }'`"
+ real_kernel_version="`uname -r`"
- k_version="`echo $real_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\1/'`"
- k_patch="`echo $real_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\2/'`"
- k_sub="`echo $real_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\3/'`"
+ k_version="`echo $real_kernel_version | sed 's,\([0-9]*\).\([0-9]*\).\([0-9]*\).*,\1,'`"
+ k_patch="`echo $real_kernel_version | sed 's,\([0-9]*\).\([0-9]*\).\([0-9]*\).*,\2,'`"
+ k_sub="`echo $real_kernel_version | sed 's,\([0-9]*\).\([0-9]*\).\([0-9]*\).*,\3,'`"
v_min="`echo $min_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\1/'`"
p_min="`echo $min_kernel_version | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\2/'`"
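Review bot: this hunk repeats the `uname -r` and `k_version`/`k_patch`/`k_sub` replacement from the first hunk but leaves the `v_min` and `p_min` lines here with the unescaped `.` that the first hunk changed to `\.`, so the two copies of the version check now diverge; apply the same change here, or better, move the version parsing into one shell function so both call sites cannot drift apart again. The same `uname -r` caveat from the first hunk applies to this copy as well.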
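As an added example (not from Norberto's post or the Shorewall project), a small shell linter for the zone/masq layout the howto describes: 'loc' on eth0, 'net' on ppp0, the LAN masqueraded out through the modem link. The interfaces/masq column layouts and the `ppp0 eth0` masq line are assumed from Shorewall 1.x's shipped sample files, and the sample configs written by `make_sample` are constructed for the self-test.

```shell
#!/bin/sh
# Added example, not from the original post: lint the Shorewall 1.x
# 'interfaces' and 'masq' files for the layout the howto describes.
# Assumed formats (from Shorewall's sample files):
#   interfaces = "ZONE INTERFACE BROADCAST OPTIONS"
#   masq       = "INTERFACE SUBNET ADDRESS"   (outside iface, inside iface/subnet)
# '#' comments and blank lines are ignored in both.

# Print the interface bound to zone $2 in interfaces file $1 (empty if unbound).
zone_iface() {
    awk -v zone="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == zone { print $2; exit }
    ' "$1"
}

# Succeed if masq file $1 NATs traffic from $3 (inside) out through $2 (outside).
masq_covers() {
    awk -v outside="$2" -v inside="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == outside && $2 == inside { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Check a shorewall config directory: one line per finding, returns 0 only when clean.
check_shorewall() {
    dir=$1; rc=0
    net=$(zone_iface "$dir/interfaces" net)
    loc=$(zone_iface "$dir/interfaces" loc)
    [ -n "$net" ] || { echo "no interface bound to zone 'net'"; rc=1; }
    [ -n "$loc" ] || { echo "no interface bound to zone 'loc'"; rc=1; }
    # One NIC must not be both the trusted LAN and the untrusted uplink.
    if [ -n "$net" ] && [ "$net" = "$loc" ]; then
        echo "zones 'net' and 'loc' share $net"; rc=1
    elif [ -n "$net" ] && [ -n "$loc" ]; then
        masq_covers "$dir/masq" "$net" "$loc" || { echo "masq lacks '$net $loc'"; rc=1; }
        # A reversed entry would NAT the modem link onto the LAN instead.
        if masq_covers "$dir/masq" "$loc" "$net"; then echo "masq entry is reversed"; rc=1; fi
    fi
    return $rc
}

# Write constructed sample files (not a real config) into dir $1 with masq line $2.
make_sample() {
    mkdir -p "$1"
    printf '#ZONE INTERFACE BROADCAST OPTIONS\nnet ppp0 -\nloc eth0 detect\n' > "$1/interfaces"
    printf '#INTERFACE SUBNET ADDRESS\n%s\n' "$2" > "$1/masq"
}

# Stand-alone use on the real box:  check_shorewall /etc/shorewall
```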
tfoggoa n00b
Joined: 27 Jan 2003 Posts: 27 Location: Ottawa, Ontario, Canada
Posted: Thu Jun 12, 2003 5:58 pm
For me Coyote Linux is a better choice as it fits on a floppy, which you can then write-protect.
www.coyotelinux.com
It's very easy to set up and has very low HW requirements. Does NAT using DHCP.
-Todd
nbensa l33t
Joined: 10 Jul 2002 Posts: 799 Location: Buenos Aires, Argentina
Posted: Thu Jun 12, 2003 11:01 pm
Perhaps... But it feels sooooo good doing it yourself
beejay Retired Dev
Joined: 03 Oct 2002 Posts: 924 Location: Flensungen (that's next to Merlau)
Posted: Mon Jun 16, 2003 11:20 am
nbensa wrote:
> Perhaps... But it feels sooooo good doing it yourself
Hmm - this sentence may be understood in two totally different ways, of which I don't want to explain the second one
_________________
Where black smoke rises, a fault will soon show itself.
www.paludis-sucks.org | www.gentoo.de | www.gentoo-ev.org | www.gentoo.org
nbensa l33t
Joined: 10 Jul 2002 Posts: 799 Location: Buenos Aires, Argentina
Posted: Mon Jun 16, 2003 4:58 pm
beejay wrote:
> I don't want to explain the second one
The second one is boring
broschi Apprentice
Joined: 20 Aug 2002 Posts: 189 Location: Atlantide
Posted: Tue Jun 17, 2003 5:18 am
As a matter of fact the gentoo livecd initrd requires at least 64MB of RAM. Otherwise you'll end up with an out-of-memory kernel panic (that drastic).
_________________
"Is this type of thing going to happen every time we switch to improbability drive?" "Very probably, I'm afraid."
TecHunter Tux's lil' helper
Joined: 15 Feb 2003 Posts: 124
Posted: Tue Jun 17, 2003 10:21 am
I'm sad I have to use M$ for years, because my tutor's projects are all mis.
I'm eagerly looking forward to the day I can sweep M$ out of my hdd
_________________
Gentoo is GREAT!!!
ism n00b
Joined: 10 Jun 2003 Posts: 4
Posted: Tue Jun 17, 2003 12:17 pm
d3c3it wrote:
> cheers, I asked about the dhcp because I'd like to have the box running that :)
Running a dhcpd on your firewall is trivial. HOWEVER, it is important that you check and double-check what interface the daemon listens and accepts requests on. A lot of people might be angry if you suddenly start accepting dhcp requests and distributing LAN addresses on your ISP.
Luckily dhcpd can be set up to listen on a specified interface.
Other packages I have run from my firewall are:
* samba - Again, beware who you talk to
* bind, also doubling as wins server. Of course, talking only with my LAN.
Of course, running anything except a firewall on a firewall is at your own risk
_________________
-ism