
ThinkPad T61 Headless Firewall with Fedora 23

Linux on ThinkPads
ThePowerTool
Posts: 9
Joined: Sat Dec 08, 2007 10:22 am
Location: Charlotte, NC

ThinkPad T61 Headless Firewall with Fedora 23

#1 Post by ThePowerTool » Sun May 22, 2016 4:37 pm

I've been doing this for some time because I love the flexibility of a full-blown linux firewall protecting my network and I'm a fan of Fedora. I've used Fedora since it was first named "Fedora" to better distinguish RedHat up-stream from enterprise offerings.

I will provide URLs both for reference and to give credit to authors work that I found helpful.

This post will cover building a headless firewall using Fedora 23. These instructions will be fairly similar to Fedora 22 and 21 as I built systems with 22 and 21 using the steps, here.

Materials:
1 ThinkPad T61 Type 7663-CTO
- Note: For those that aren't TP-experts the "CTO" means "Configured To Order".
- 2G Memory, 200GB HD, ethernet: Intel Corp. 82566MM Gigabit (FYI)

1 Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)

1 Arris SURFBoard 6183

1 ISO image of Fedora 23 Server Net Install - https://getfedora.org/en/server/download
- This system requires 32b arch. I used Fedora-Server-netinst-i386-23.iso.
- Important Note: Always, always, always, always, always verify your DLs: https://getfedora.org/verify

1 NIC connects to my switch
1 NIC connects to my TWC modem

TWC modem set up (assumes TWC service operational, Arris SB6183):
1. Out of box: Connect to any computer with a recent browser via ethernet
2. Power up modem
3. Browse to 192.168.100.1
4. Provide your credentials
That's all you need to prep.
Important Note: Whenever the Arris SB6183 is connected to a different MAC you must reboot (or manually change the MAC) the Arris modem. The above 5 steps are only necessary, once.
In simple terms: When you move the Arris SB6183 ethernet cable to a new system (e.g. your new firewall) disconnect power for 10 seconds, reconnect, and it will work (allow 10 to 30 seconds).

Hardware planning for speed: This is more important than you might think. Somewhere between 1999-2001 I plugged 2 100mb cards into my ThinkPad firewall and never worried about them again. That is until I got 300mb/s service. I loved those cards because they have the edge-connect cables and make it easy to "tuck-away" my TP firewall in a small space. Obviously the cards must go. Sadly the edge-connect cables can't do the job as they create bandwidth problems. I need to know I can get 300mb/s (and more) from NIC to bus to CPU+memory to bus to NIC without loss. PC CardBus throughput is a max of 132MB/s. PCIe throughput starts at 250MB/s. PCIe covers my 300mb/s requirement + additional overhead to cover 600mb/s service when it's offered in my area. CardBus should also have the capacity but PCIe clearly has more room. That's what guided my choices in HW as listed, above. The 1G express card modem was very reasonably priced on Amazon.

Assumptions:
1. You have a working knowledge of Linux
2. You have at least a basic knowledge of networking
3. You know how to type duckduckgo.com into a URL address bar of your browser and what to do next.
4. You have installation experience--not mandatory--if you don't you may run through this a few times and will need patience.

Installation:

I burned my ISO to a CD. It's fast and the image is only 480MB.

Boot from the CD, edit the kernel parameters to add "TEXT". I don't want any of the graphical support installed.

You can choose to continue on the local console. I selected the other option to install headless via VNC. I plugged in my network connection and launched my favorite VNC client on my production desktop. My production desktop is also Fedora and for VNC I use Vinagre.

Important Note: The text screen instructing you to "connect your VNC client to port 1" is incorrect. What it really means is port 5901. It's "understood" defacto. Right?

I customized my options making sure to choose headless and selecting all of the command line, admin, and headless tools listed. I just went through everything carefully and it seemed like all of the selections were fairly obvious. I may revisit making this paragraph into a more detailed set of instructions if there are enough questions or requests for additional information on selection.

If you did everything correctly and rebooted you are now looking at a text console with a logon prompt.

Log in, su - for root and test your network connectivity. I do this more as a hardware check:
ifconfig

You may also ping by name to verify DNS is working and further verify network capabilities.

Check your system log for 2 important "gotchas":
e1000e 0000:00:19.0 enp0s25: Detected Hardware Unit Hang:
e1000e 0000:00:19.0 enp0s25: Reset adapter unexpectedly

Additionally try
]# dmesg | grep -i aspm

Look for:
ACPI FADT declares the system doesn't support PCIe ASPM, so disable it
acpi PNP0A08:00: _OSC: OS supports [ExtendedConfig ASPM ClockPM Segments MSI]
acpi PNP0A08:00: FADT indicates ASPM is unsupported, using BIOS configuration
r8169 0000:05:00.0: can't disable ASPM; OS doesn't have ASPM control
ath5k 0000:03:00.0: can't disable ASPM; OS doesn't have ASPM control

Active State Power Management (ASPM or APM):
There's a BIOS issue which impacts linux (not just Fedora). Blame the BIOS devs.
Add pcie_aspm=off to your kernel command line parameters (GRUB_CMDLINE_LINUX):
vi /etc/default/grub

Rebooting with this parameter added may resolve the issue[s] you are experiencing.
Ref: http://serverfault.com/questions/193114 ... do-i-start

This may not be enough. You may need to boot to BIOS settings and disable APM, there. That's what I had to do.

If you go through all of this and still experience the Detected Hardware Unit Hang: then you may need to change your ethernet settings via ethtool:

]# ethtool -K eth0 gso off gro off tso off

Ref: http://serverfault.com/questions/616485 ... -unit-hang
Ref: http://ehc.ac/p/e1000/bugs/378/ now--> https://sourceforge.net/p/e1000/bugs/378/

Between changing your BIOS, updating the kernel line parameter, and the above ethtool settings you should be able to resolve these issues.

I'm really hoping at this point one or more of the above solutions provided you with a successful resolution if you experienced any of the known issues I covered.

The Firewall:

Reference: http://fedoramagazine.org/build-network ... -networkd/
Major Hayden did a fantastic job of documenting this. I'm just updating it to cover issues I ran into during my walk-through.

My network interfaces:

enp0s25: private LAN on the e1000e (Intel hardware) via the motherboard connector
ens5: Public/hot side using the Realtek 1G express card (192.168.1.1/24)

mkdir /etc/systemd/network

I then created (in the above dir) the two systemd config files enp0s25.network and ens5.network, shown here:

]# cat /etc/systemd/network/enp0s25.network
[Match]
MACAddress=00:21:86:9A:F9:68
Name=enp0s25

[Network]
Address=192.168.1.1/24
IPForward=yes

cat /etc/systemd/network/ens5.network
[Match]
MACAddress=00:13:3B:99:FF:FF
Name=ens5

[Network]
DHCP=yes
IPForward=yes
Note: I left out the GATEWAY and DNS entries Major Hayden used because I'm letting DHCP assign everything. I verified this was handled properly during the initial test after installation.

Prepare the services: disable network and NetworkManager, then enable systemd-networkd and systemd-resolved:

Note: I strongly urge you to check status before and after each change (systemctl status .....):

]# systemctl disable network
]# systemctl disable NetworkManager
]# systemctl enable systemd-networkd

]# systemctl enable systemd-resolved
]# systemctl start systemd-resolved
]# mkdir /run/systemd/resolve #this is necessary on a F23 fresh install
]# mv /etc/resolv.conf /run/systemd/resolve #this is necessary on a F23 fresh install
]# ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
Reboot!

If you're on the exact same HW you should see the same results:

]# networkctl 
IDX LINK             TYPE               OPERATIONAL SETUP     
  1 lo               loopback           carrier     unmanaged 
  2 ens5             ether              routable    configured
  3 enp0s25          ether              routable    configured
  4 wls3             wlan               off         unmanaged

DHCP:

dnsmasq is already installed with F23 (probably based upon my server sw selections during install)

]# systemctl status dnsmasq # if it's not there: ]# dnf install dnsmasq
]# systemctl enable dnsmasq # again, remember to check status after commands like this

I like to always backup .conf files
]# cp /etc/dnsmasq.conf /etc/dnsmasq.conf.org #it's a good admin habit :-)
Open /etc/dnsmasq.conf and make the following modifications:
. Uncomment dhcp-authoritative
. Uncomment interface= and add your interface: interface=enp0s25
. Set dhcp-range and lease time
. Make any other changes you like. I always add the MAC for my freenas server like this:
dhcp-host=00:0d:60:17:97:a6,192.168.1.250 # freenas
Save!

]# systemctl start dnsmasq

So you followed my instructions and suggestion and after viewing systemctl status dnsmasq you discover it failed!

I walked you through this in hopes that you will always remember, or at least remember when it fails next time. It's SELinux.

]# setenforce Permissive
]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30
]# systemctl start dnsmasq

Now it should work fine! Verify using systemctl status dnsmasq.

Now, the firewall and firewall-cmd:

I'm going to provide a bit more detail, here, as things aren't quite right in the firewall as left by the default F23 install. Let's start by taking a look at the firewall's current list of zones and config in 2 steps:
]# firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work

Take a moment and look at the list of zones that is returned to familiarize yourself with the zone names. The two that you need to remember (for purposes of this post) are FedoraServer and external.

For the 2nd step:

]# firewall-cmd --list-all-zones

This returns detail for all the zones in the format:

zone name
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

Ideally that is how I like to see new firewalls come up (as shown above)--fully locked down with nothing open. But there is still more to consider. Let's take a look at our two interfaces:
]# firewall-cmd --get-zone-of-interface=ens5
]# firewall-cmd --get-zone-of-interface=enp0s25

More than likely enp0s25 is assigned to FedoraServer (if I recall correctly) and the other is unassigned.

My plan for zones:
FedoraServer = internal, enp0s25, 192.168.1.1/24
external = external, ens5, Public IP (DHCP assigned via TWC)

To view zone detail by zone:
]# firewall-cmd --zone=ZONE --list-all
ZONE
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

Here's our goal (and how my firewall is configured):

[root@tplinux ~]# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default, active)
  interfaces: enp0s25
  sources: 
  services: cockpit dhcp dhcpv6-client dns ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 
	
[root@tplinux ~]# firewall-cmd --zone=external --list-all
external (active)
  interfaces: ens5
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules:
Note FedoraServer (internal 192.168.1.1/24) has a number of ports/services configured while my external (external with external IP assigned via TWC DHCP) has nothing (except masquerade). While I'm not specifically showing it I would strongly urge you to strip all of your other zones of services to make your firewall more secure. At the very least be familiar with the current settings.

Because FedoraServer is default we don't need to specify "--zone=FedoraServer" in the following commands (but you are welcome to if you want):

]# firewall-cmd --add-masquerade
]# firewall-cmd --add-service=dns --add-service=dhcp
]# firewall-cmd --zone=FedoraServer --add-interface=enp0s25
]# firewall-cmd --zone=external --add-interface=ens5

]# firewall-cmd --runtime-to-permanent
--runtime-to-permanent saves all of our firewall-current-settings as "permanent" to be used at each boot and firewall-reload. Individual commands can also include "--permanent" but you can issue multiple commands without the "--permanent" option and then use the one command to save the entire current config to permanent.

Use the following two commands to verify against our goal (from above):
]# firewall-cmd --zone=FedoraServer --list-all
]# firewall-cmd --zone=external --list-all

Your firewall should now be fully operational. You should reboot and verify you didn't miss anything. The firewall should boot to a text logon prompt and be fully functional the moment the boot completes.

If you want or need to disable IPv6, edit /etc/sysctl.conf

Add these two lines after the last remark:
net.ipv6.conf.ens5.disable_ipv6 = 1
net.ipv6.conf.enp0s25.disable_ipv6 = 1
ThePowerTool
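An added check, not part of the original post: a small POSIX shell script that parses the text `firewall-cmd --zone=ZONE --list-all` prints (the format shown in the post) and warns when a zone departs from the goal above, i.e. the external zone exposing any service, port, forward or rich rule, the internal zone exposing a service outside the expected list, masquerade off, or the wrong interface assigned. The two zone listings are embedded as constructed sample input so it runs offline; on the live firewall the same function can be fed the real command output.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the output of
# `firewall-cmd --zone=ZONE --list-all` against the post's goal state.
# The two samples are the post's "goal" listings, embedded as constructed
# input so the checks run without firewalld present.

SAMPLE_EXTERNAL='external (active)
  interfaces: ens5
  sources:
  services:
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:'

SAMPLE_INTERNAL='FedoraServer (default, active)
  interfaces: enp0s25
  sources:
  services: cockpit dhcp dhcpv6-client dns ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:'

# zone_field OUTPUT FIELD: print the value of the "  field: value" line.
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        $0 ~ ("^[ \t]*" f ":") { sub("^[ \t]*" f ":[ \t]*", ""); print; exit }'
}

# audit_zone OUTPUT IFACE ALLOWED_SERVICES: print one WARN line per
# finding; return 0 when the zone matches expectations, 1 otherwise.
audit_zone() {
    out="$1"; want_if="$2"; allowed="$3"; rc=0
    # Only named services may be open: no ports, protocols, forwards, rich rules or sources.
    for f in ports protocols forward-ports "rich rules" sources; do
        v=$(zone_field "$out" "$f")
        [ -z "$v" ] || { echo "WARN: $f set: $v"; rc=1; }
    done
    # Every listed service must be in the allow list (empty list = nothing allowed).
    for s in $(zone_field "$out" services); do
        case " $allowed " in
            *" $s "*) ;;
            *) echo "WARN: unexpected service: $s"; rc=1 ;;
        esac
    done
    [ "$(zone_field "$out" masquerade)" = yes ] || { echo "WARN: masquerade off"; rc=1; }
    [ "$(zone_field "$out" interfaces)" = "$want_if" ] \
        || { echo "WARN: expected interface $want_if"; rc=1; }
    return $rc
}

# Live use: audit_zone "$(firewall-cmd --zone=external --list-all)" ens5 ""
audit_zone "$SAMPLE_EXTERNAL" ens5 "" && echo "external: OK"
audit_zone "$SAMPLE_INTERNAL" enp0s25 "cockpit dhcp dhcpv6-client dns ssh" && echo "FedoraServer: OK"
```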

karotlopj
Sophomore Member
Posts: 160
Joined: Wed May 18, 2016 7:14 am
Location: Yorkshire, England

Re: ThinkPad T61 Headless Firewall with Fedora 23

#2 Post by karotlopj » Sun Jun 12, 2016 8:55 am

If anyone is interested in using a ThinkPad as a firewall/router I'd suggest pfSense, a firewall based on FreeBSD

https://www.pfsense.org

You just need to download a small image onto a pendrive, boot from it and install. A world class Firewall up and running in five minutes and you can configure, maintain and analyse performance via a browser.

Only problem so far, is finding a 1GB pcmcia or USB NIC supported by FreeBSD, but my ThinkPad pfSense box has been running ok with a 100Mb NIC so far.

ThePowerTool
Posts: 9
Joined: Sat Dec 08, 2007 10:22 am
Location: Charlotte, NC

Re: ThinkPad T61 Headless Firewall with Fedora 23

#3 Post by ThePowerTool » Wed Jun 15, 2016 12:03 pm

karotlopj wrote:Only problem so far, is finding a 1GB pcmcia or USB NIC supported by FreeBSD, but my ThinkPad xxXxxxx box has been running ok with a 100Mb NIC so far.
You may want to actually read the above post as this is not the only problem and can leave people in a bad position. That bad position being 1) wasting time on an install only to find out it won't do the job and possibly 2) having to make additional hardware purchases.

Plugging in a NIC doesn't guarantee you'll get speeds that give you access to the full bandwidth supplied by your provider any more than plugging in a 1G NIC guarantees you "1G" of throughput. That's why I spent so much time on this issue in the post.

I won't address PCMCIA as I have already done that (above) in detail.

Important information to include for discussions like this:
According to the USB specifications:
USB 1.0 is 12Mbps (1.5Mbps if you don't have the "upgrade")
USB 2.0 is 480Mbps
USB 3.0 is 5Gbps

Key things you might want to tell people planning for a firewall or router so they don't lose significant speed:
1. These speeds (above) are theoretical and practical implementation (plugging in a device) will typically show you much, much slower speeds.
2. Connecting via a USB hub will reduce speeds even more.
3. Any 1G NIC would be significantly throttled using a USB 1.0 or 2.0 port
4. The rule-of-thumb is "USB-based adapters negatively impact throughput and slow down network performance" but there are rare exceptions.
5. Drivers. This is Pandora's Box. Driver capability and availability can give you great results or severely limit function. It can be surprisingly easy to end up with a fairly new box and a non-functional or fairly useless NIC (older or newer NIC).


Additionally you neglected to cover ThinkPads and USB support. The model ThinkPad T61 does not come with USB 3.0. Plug in a 1G NIC into my USB 2.0 port and I lose well over 50% of my hardware investment.

One might conclude that you didn't read my post because it appears your only goal was to promote something else. That's called hijacking. This is my 1st post here and you likely only read the subject line and then hijacked it while providing bad advice. The appropriate solution would be to create your own separate thread.

This is not just about being polite to the author. People searching for installation instructions for the solution you are promoting may now receive search results that include how to install Fedora. That's why I censored your quote.

Please don't hijack other peoples work.

If you would like to discuss anything here that's pertinent to my subject please reply.

If you would like to discuss anything here pertinent to the solution you are promoting please start your own thread and I'll be happy to reply and assist you, there.

Thank you.
ThePowerTool

ashoka
Posts: 5
Joined: Sun Dec 18, 2016 8:27 am
Location: Barcelona, Spain

Re: ThinkPad T61 Headless Firewall with Fedora 23

#4 Post by ashoka » Sun Dec 18, 2016 9:06 am

karotlopj wrote:If anyone is interested in using a ThinkPad as a firewall/router I'd suggest pfSense, a firewall based on FreeBSD

https://www.pfsense.org

You just need to download a small image onto a pendrive, boot from it and install. A world class Firewall up and running in five minutes and you can configure, maintain and analyse performance via a browser.

Only problem so far, is finding a 1GB pcmcia or USB NIC supported by FreeBSD, but my ThinkPad pfSense box has been running ok with a 100Mb NIC so far.
I agree. Pfsense is just incredible even with low-profile hardware. Setting up the firewall rules (using pf) is very easy when compared with iptables or other Linux alternatives.

UMPC2024
Sophomore Member
Posts: 159
Joined: Sun Nov 24, 2013 1:18 am
Location: Lawrence, KS

Re: ThinkPad T61 Headless Firewall with Fedora 23

#5 Post by UMPC2024 » Thu Dec 22, 2016 2:04 pm

ThePowerTool wrote:This is not just about being polite to the author. People searching for installation instructions for the solution you are promoting may now receive search results that include how to install Fedora. That's why I censored your quote.

Please don't hijack other peoples work.

If you would like to discuss anything here that's pertinent to my subject please reply.

If you would like to discuss anything here pertinent to the solution you are promoting please start your own thread and I'll be happy to reply and assist you, there.

Thank you.
Guys come on, please read the posts before posting. It's called etiquette.
