--------------------------------------------------------------------------
Dachstein Firewall Setup for BigPond Advanced Cable Connect using BPALOGIN
--------------------------------------------------------------------------

This readbpa.txt file written by: Ernest Haak
Last Revised: 28 Mar 2002

Disclaimer:

- The Dachstein Firewall was created from dachstein-v1.0.2-1680.exe
- BPALogin can be found at http://bpalogin.sourceforge.net/
- The bpalogin.lrp package on this image was supplied by a friend, and the
  only reference I can find to this package, at
  http://2dex.com/lrp/bpalogin.lrp, is a dead link.
- This procedure works for me on my test systems. Your results may vary.
- This ReadBPA.txt file needs to be read in conjunction with the original
  readme.txt file that comes with this package, from which all other
  disclaimers apply.
- Sections of this text are copied from the readme.txt file.

BPALogin v2.0
-------------

This is a client to connect to Australia's Big Pond Advance powered by Cable.
BPALogin is maintained by Shane Hyde (shane@trontech.net)
The latest version is at http://www.users.bigpond.net.au/bpalogin

Useful LEAF related links:
----------------------------------------
http://leaf.sourceforge.net/
http://lrp.steinkuehler.net/
http://lrp.c0wz.com:81/
http://www.linuxrouter.org/
http://wpkgate.kc.com.my.cpwright.com/lrp/
http://lrp.ramhb.co.nz/main.htm
http://lrp.plain.co.nz/
----------------------------------------

Background to this Configuration
================================

This is my first encounter with Linux, so please take this into account when
reading these instructions. As a BigPond Advanced cable user I have added the
bpalogin package to the LRP-LEAF firewall to streamline setup and connection
to BigPond in Australia.

Creating This Image
===================

1) Created a bootable 1.68Mb floppy with Dachstein Firewall 1.0.2 from the
   file dachstein-v1.0.2-1680.exe downloaded from the
   http://lrp.steinkuehler.net/ site.

2) Added the bpalogin.lrp and ifconfig.lrp packages (through W2K Explorer).

3) Added rtl8139.o (using the instructions for adding modules in the
   readme.txt file).
   - The NIC supplied by Telstra is an SMC1211TX card using the RealTek
     chipset.
   - Other modules may need to be added depending on the NICs in your
     machine.

4) Added packages to the base Dachstein Firewall 1.0.2 by editing
   syslinux.cfg with WordPad to append the following packages to the LRP=
   option:
   "bpalogin" - to run the bpalogin package to connect to BigPond cable.
   "ifconfig" - to run the command ifconfig to check IP addresses on the
                LRP-LEAF box.

5) Increased the RAM the system loads into from 6Mb to 8Mb by editing
   syslinux.cfg with WordPad to change the following option:
   from: ramdisk_size=6144
   to:   ramdisk_size=8192

6) Increased the RAM used for logging from 4Mb to 6Mb by booting the disk
   and, from lrcfg, choosing option 3.1.1 (ramlog):
   from: /dev/ram1 4096
   to:   /dev/ram1 6144

Customizing This Installation
=============================

This section is a guideline to configuring the disk created from this image
to get you up and running. It is by no means the final amount of
configuration required for any system.

Instructions marked "From LRP-LEAF" assume you have logged on as root with no
password (or the password you have set). lrcfg is the default configurator
supplied with the Dachstein Firewall original setup disk. It runs by default
when you log in as root, or can be run from the command line by typing lrcfg.

Instructions marked "From W2K" assume the disk is in a Windows 2000 machine
(or other Win32 machine) that can read the 1.68Mb formatted disk.

1 - Activating Network Cards
----------------------------

From LRP-LEAF run lrcfg.
Select Package / Modules (option 3.3.1)

For the SMC EZCard SM1211TX supplied by Telstra and the other RealTek chipset
card (Belkin F5D5000) I uncomment the following to activate them:

pci-scan
rtl8139

Save and backup using Backup / Modules (option b.5)

Note: PCI slot 3 had the SMC card, and this was configured as eth0 (to be
connected to the BigPond cable modem). PCI slot 4 had the Belkin card, and
this was configured as eth1 (to be connected to the local LAN switch/hub).

You need to make sure that eth0 is connected to your cable modem and eth1 is
connected to your LAN. See the readme.txt file for details on setting this up.

2 - Activating BPALogin
-----------------------

From LRP-LEAF run lrcfg.
Select Package / bpalogin (option 3.8.1)

Update the following:

username   xxxxxxx
password   xxxxxxx
authserver x.x.x.x  - find the IP address for this setting by running
                      "ping dce-server" when connected to BigPond.
debuglevel 1        - only writes a message to the syslog to say whether the
                      login succeeded or failed.

Save and backup using Backup / bpalogin (option b.10)

3 - Change the RAMDISK for the OS to Load Into
----------------------------------------------

If you have more than 16Mb of RAM you may wish to make changes to use more
memory (or less if you want). Make sure that the memory allocation for
sections 3 and 4 combined does not exceed your total memory available.

From W2K edit the syslinux.cfg file on the floppy using WordPad.

Update the following:

ramdisk_size=61440  - Make it 60Mb, or whatever memory you have to spare.

Save as Text Only and reboot the LRP-LEAF box with the disk.

4 - Change the RAMLOG Size
--------------------------

Make sure that the memory allocation for sections 3 and 4 combined does not
exceed your total memory available.

From LRP-LEAF run lrcfg.
Select Package / ramlog (option 3.1.1)

Update the following:

/dev/ram1 30720  - Make it 30Mb, or whatever memory you have to spare.

Save and backup using Backup / ramlog (option b.3)

Configuration Options To Be Set At Your Discretion.
===================================================

The following modifications are described to give you an idea of what
configuration may be needed for your system after getting everything working.
These are my observations and should be applied at your discretion, with your
system's configuration in mind.

Firewall Log - DENY Messages
----------------------------

When connecting to Telstra BigPond Cable I get the following errors in the
messages log for the firewall. You should run the connection to the internet
without making these changes first, to determine what DENY requests are
hitting your connection, so you can modify the settings accordingly.

This example of the log shows the type of messages I was receiving (and there
were lots of them):

Mar 28 20:04:56 firewall kernel: Packet log: input DENY eth0 PROTO=2 10.128.92.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=3388 F=0x0000 T=1 (#8)
Mar 28 20:05:33 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.128.92.1:67 255.255.255.255:68 L=372 S=0x00 I=40439 F=0x0000 T=255 (#8)
Mar 26 23:11:42 firewall kernel: Packet log: input DENY eth0 PROTO=1 10.128.92.1:3 203.xx.xx.xx:13 L=56 S=0x00 I=20198 F=0x0000 T=255 (#11)

This indicates that a request for information was to be sent back to address
10.128.92.1 using different protocols (2, 1, 17), with some requests to my IP
address 203.xx.xx.xx and others to 224.0.0.1 or 255.255.255.255. These
conditions are highly unusual, as 10.x.x.x addresses should not route, so the
address was probably spoofed. As messages of this type are frequent, they
fill up your logs. There is an option to turn these messages off (while
still denying the request) to stop your logs from filling up.

The following is how I DENIED these examples. The format of an entry is:

PROTOCOL_IP/SUBNET_PORT

PROTO=2     - indicates the protocol
10.128.92.1 - is the return IP address (to be returned on port 65535)
224.0.0.1   - is the subnet
65535       - after the subnet is the port the request came in on

Replacing any of these values with "0" matches ALL of that type, e.g.
2_0/0 will DENY all IP addresses on protocol 2 (PROTO=2). Similarly
0_10.128.92.1 will deny all requests for 10.128.92.1 on any protocol.

I also added the following to DENY all port 80 requests (attempts to hit my
web server running on the firewall box):

6_0/0_80  - DENY all requests for http on port 80 (this will need to be
            removed when I start serving web pages).

So, to apply all these changes:

From LRP-LEAF run lrcfg.
Select Network Settings / Network Configuration (option 1.1)

Find SILENT_DENY in the file. Uncomment it and add the following:

SILENT_DENY="6_0/0_80 0_10.128.92.1"

Save and backup using Backup / etc (option b.2)

This is an example of real hack attempts that were denied, coming from
202.66.200.227:

Mar 27 22:29:04 firewall kernel: Packet log: input DENY eth0 PROTO=6 202.66.200.227:4672 203.45.124.126:21 L=60 S=0x00 I=25559 F=0x4000 T=50 SYN (#43)
Mar 27 22:29:07 firewall kernel: Packet log: input DENY eth0 PROTO=6 202.66.200.227:4672 203.45.124.126:21 L=60 S=0x00 I=26843 F=0x4000 T=50 SYN (#43)
Mar 27 22:29:13 firewall kernel: Packet log: input DENY eth0 PROTO=6 202.66.200.227:4672 203.45.124.126:21 L=60 S=0x00 I=28654 F=0x4000 T=50 SYN (#43)

Web Surfing DNS Resolution Problems
-----------------------------------

If you are having trouble resolving DNS names when surfing, the following may
be happening. A request goes to your DNS server(s); if they cannot find the
address, they should attempt to get a resolution from other DNS servers they
are aware of. Instead of getting the answer and passing it back to you, they
may pass your IP address to the other DNS server so that it sends the answer
directly back to you. This will be traffic coming in to your firewall on
port 53 (DNS) from a server (IP address) that you have not made a request to.
This will be blocked by the firewall unless you set up the following.

WARNING: I have not attempted this, but believe it will allow ALL requests in
on port 53. You may wish to make it more specific by changing the first 0 to
the IP addresses in your logs.

From LRP-LEAF run lrcfg.
Select Network Settings / Network Configuration (option 1.1)

Find EXTERN_TCP_PORTS in the file. Uncomment it and add the following:

EXTERN_TCP_PORTS="0/0_53"  - this will allow all traffic to port 53

Save and backup using Backup / etc (option b.2)
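As an added example (not part of the original readbpa.txt or of the Dachstein package), the following Python script parses "Packet log: input DENY" lines of the form shown in the Firewall Log section and checks them against a SILENT_DENY value using the PROTOCOL_IP/SUBNET_PORT wildcard rules described there, so you can see which entries would stop being logged before editing the configuration. It assumes, as the examples in the text imply, that the address part is matched against the packet's source address and the trailing port against the destination port; the sample lines are copied from the log excerpts in this file.

```python
import re
from ipaddress import ip_address, ip_network

# Sample lines in the Dachstein (ipchains) "Packet log" format, copied from
# the log excerpts in this file.
SAMPLE_LOG = """\
Mar 28 20:04:56 firewall kernel: Packet log: input DENY eth0 PROTO=2 10.128.92.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=3388 F=0x0000 T=1 (#8)
Mar 28 20:05:33 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.128.92.1:67 255.255.255.255:68 L=372 S=0x00 I=40439 F=0x0000 T=255 (#8)
Mar 27 22:29:04 firewall kernel: Packet log: input DENY eth0 PROTO=6 202.66.200.227:4672 203.45.124.126:21 L=60 S=0x00 I=25559 F=0x4000 T=50 SYN (#43)
Mar 27 22:29:07 firewall kernel: Packet log: input DENY eth0 PROTO=6 202.66.200.227:4672 203.45.124.126:21 L=60 S=0x00 I=26843 F=0x4000 T=50 SYN (#43)
"""

# chain, verdict, interface, protocol number, src:sport, dst:dport
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_log(text):
    """Return one dict per 'Packet log:' line; all-digit fields become ints."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append({k: int(v) if v.isdigit() else v
                            for k, v in m.groupdict().items()})
    return entries

def token_covers(token, entry):
    """True if one SILENT_DENY token, PROTO_IP[/MASK][_PORT] with 0 = any, covers
    the entry.  Assumption: IP matches the packet source, PORT the destination port."""
    parts = token.split("_")
    proto = int(parts[0])
    net = parts[1]
    port = int(parts[2]) if len(parts) > 2 else 0
    if proto and proto != entry["proto"]:
        return False
    if net.split("/")[0] != "0":          # "0" or "0/0" means any address
        if "/" not in net:
            net += "/32"                  # a bare address is a single host
        if ip_address(entry["src"]) not in ip_network(net, strict=False):
            return False
    return port == 0 or port == entry["dport"]

def still_logged(entries, silent_deny):
    """Entries not covered by any token of a SILENT_DENY value, i.e. still logged."""
    tokens = silent_deny.split()
    return [e for e in entries if not any(token_covers(t, e) for t in tokens)]
```

Run `still_logged(parse_log(open("/var/log/messages").read()), "6_0/0_80 0_10.128.92.1")` against a copy of your own log to see which DENY entries the value from the text leaves visible; with the sample lines above, only the two port-21 attempts from 202.66.200.227 remain.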