These are some notes that may help folks using firestarter (http://www.fs-security.com) on Fedora Core 3. The FC3 installation is an upgrade from FC2, with all updates to FC3 since applied. firestarter is firestarter-1.0.1-1, installed from the RPM on the firestarter web site.

Setup: I have a firewall which I usually run decapitated. It is, of course, dual homed (i.e. two NICs). eth0 is the external interface, eth1 the internal. Both have their IP addresses assigned by DHCP, so firestarter runs when an IP address is assigned. Because I run it decapitated, I must be able to use SSH to log in.

Problem 1: Boot sequencing. I had problems booting in that even with the firewall set up correctly, I had no NATting.

Conjecture: The first IF is initialized, including DHCP. This includes the firewall script. However, since eth1 is not yet initialized, the firewall is broken. Result: no NATting. Then eth1 is initialized. Apparently, DHCP does not run for eth1, or at least the file /etc/dhclient-exit-hooks is not used. If I manually run /etc/firestarter/firestarter.sh, everything works correctly.

Workaround one: rejigger PCI cards, and their attendant boot configuration files in /etc/sysconfig, so that eth1 is the external interface. I have not tried this. I'm lazy.

Workaround two: add a line, "/etc/firestarter/firestarter.sh start", to /etc/rc.d/rc.local. That's easy, and it works for all cases.

Problem 2: Out of the box, the firewall did not allow me to SSH into the firewall machine. I had to shut the firewall off at the (temporary) console, log in over SSH, and restart the firewall. Not an acceptable solution.

Solution: add a policy to allow connections from the appropriate internal host(s). That works. This is a change from previous behavior, and as far as I can tell is not documented!

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
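An added example, not from Charles Curley's post or from the firestarter project: a small POSIX sh wrapper for the rc.local workaround. Instead of running /etc/firestarter/firestarter.sh start unconditionally, it waits until both eth0 and eth1 actually hold an IPv4 address, so the firewall script is not re-run against a half-configured box, and it fails loudly if the interfaces never come up rather than silently leaving the machine without NAT. It assumes the iproute `ip` command is present and the eth0/eth1 naming from the post; the function names, the FW_WAIT_TRIES variable and the sample `ip -o -4 addr show` output are constructed for this example.

```shell
#!/bin/sh
# Wrapper for the rc.local workaround: start firestarter only once every
# named interface has an IPv4 address. Usage (from /etc/rc.d/rc.local):
#   /etc/firestarter/start-when-ready.sh start    (path is an assumption)

# Return 0 if every interface named in "$@" has an IPv4 address in the
# `ip -o -4 addr show` output passed as the first argument, 1 otherwise.
all_have_ipv4() {
    addr_output=$1
    shift
    for iface in "$@"; do
        # `ip -o` prints one line per address: "<idx>: <iface>    inet <addr>/<len> ..."
        printf '%s\n' "$addr_output" | grep -q "^[0-9]*: $iface  *inet " || return 1
    done
    return 0
}

# Poll the live interface list (up to FW_WAIT_TRIES seconds, default 30)
# until all interfaces in "$@" are configured. Returns 1 on timeout.
wait_for_ifaces() {
    tries=${FW_WAIT_TRIES:-30}
    while [ "$tries" -gt 0 ]; do
        if all_have_ipv4 "$(ip -o -4 addr show 2>/dev/null)" "$@"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Constructed sample output (not captured from a real host): only eth0 is up.
SAMPLE_ADDR_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.7/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Only touch the real firewall when invoked as "... start", so sourcing or
# running this file without arguments (as in a test) does nothing.
case "${1:-}" in
    start)
        if wait_for_ifaces eth0 eth1; then
            /etc/firestarter/firestarter.sh start
        else
            echo "firestarter: eth0 and eth1 are not both configured; not starting" >&2
            exit 1
        fi
        ;;
esac
```

Because the script refuses to start when the internal interface has no address, a boot that would previously have come up with a broken ruleset and no NAT now leaves a clear error on the console instead; the dhclient-exit-hooks run on eth0 still happens as before, this wrapper only adds the late, complete run.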