I will provide URLs both for reference and to give credit to the authors whose work I found helpful.
This post covers building a headless firewall using Fedora 23. These instructions should be fairly similar for Fedora 22 and 21, as I built systems with 22 and 21 using the same steps.
Materials:
1 ThinkPad T61 Type 7663-CTO
- Note: For those who aren't ThinkPad experts, "CTO" means "Configured To Order".
- 2G Memory, 200GB HD, ethernet: Intel Corp. 82566MM Gigabit (FYI)
1 Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
1 Arris SURFBoard 6183
1 ISO image of Fedora 23 Server Net Install - https://getfedora.org/en/server/download
- This system requires the 32-bit build. I used Fedora-Server-netinst-i386-23.iso.
- Important Note: Always, always, always, always, always verify your downloads: https://getfedora.org/verify
1 NIC connects to my switch
1 NIC connects to my TWC modem
TWC modem set up (assumes TWC service operational, Arris SB6183):
1. Out of box: Connect to any computer with a recent browser via ethernet
2. Power up modem
3. Browse to 192.168.100.1
4. Provide your credentials
That's all you need to prep.
Important Note: Whenever the Arris SB6183 is connected to a device with a different MAC address you must reboot the modem (or manually change the MAC). The above 5 steps are only necessary once.
In simple terms: when you move the Arris SB6183's ethernet cable to a new system (e.g. your new firewall), disconnect its power for 10 seconds, reconnect, and it will work (allow 10 to 30 seconds).
Hardware planning for speed: This is more important than you might think. Somewhere between 1999 and 2001 I plugged two 100mb cards into my ThinkPad firewall and never worried about them again. That is, until I got 300mb/s service. I loved those cards because they have the edge-connect cables and make it easy to tuck away my TP firewall in a small space. Obviously the cards must go. Sadly the edge-connect cables can't do the job as they create bandwidth problems. I need to know I can get 300mb/s (and more) from NIC to bus to CPU+memory to bus to NIC without loss. PC CardBus throughput is a max of 132MB/s. PCIe throughput starts at 250MB/s. PCIe covers my 300mb/s requirement plus additional overhead to cover 600mb/s service when it's offered in my area. CardBus should also have the capacity, but PCIe clearly has more room. That's what guided my choices in HW as listed above. The 1G express card modem was very reasonably priced on Amazon.
Assumptions:
1. You have a working knowledge of Linux
2. You have at least a basic knowledge of networking
3. You know how to type duckduckgo.com into your browser's address bar and what to do next.
4. You have installation experience (not mandatory; if you don't, you may need to run through this a few times and will need patience).
Installation:
I burned my ISO to a CD. It's fast and the image is only 480MB.
Boot from the CD, edit the kernel parameters to add "TEXT". I don't want any of the graphical support installed.
You can choose to continue on the local console. I selected the other option to install headless via VNC. I plugged in my network connection and launched my favorite VNC client on my production desktop. My production desktop is also Fedora and for VNC I use Vinagre.
Important Note: The text screen instructing you to "connect your VNC client to port 1" is incorrect. What it really means is port 5901. It's "understood" de facto. Right?
I customized my options making sure to choose headless and selecting all of the command line, admin, and headless tools listed. I just went through everything carefully and it seemed like all of the selections were fairly obvious. I may revisit making this paragraph into a more detailed set of instructions if there are enough questions or requests for additional information on selection.
If you did everything correctly and rebooted, you are now looking at a text console with a logon prompt.
Log in, su - to root, and test your network connectivity. I do this more as a hardware check:
ifconfig
You may also ping by name to verify DNS is working and further verify network capabilities.
Check your system log for 2 important "gotchas":
e1000e 0000:00:19.0 enp0s25: Detected Hardware Unit Hang:
e1000e 0000:00:19.0 enp0s25: Reset adapter unexpectedly
Additionally try
]# dmesg | grep -i aspm
Look for:
ACPI FADT declares the system doesn't support PCIe ASPM, so disable it
acpi PNP0A08:00: _OSC: OS supports [ExtendedConfig ASPM ClockPM Segments MSI]
acpi PNP0A08:00: FADT indicates ASPM is unsupported, using BIOS configuration
r8169 0000:05:00.0: can't disable ASPM; OS doesn't have ASPM control
ath5k 0000:03:00.0: can't disable ASPM; OS doesn't have ASPM control
Active State Power Management (ASPM or APM):
There's a BIOS issue which impacts Linux (not just Fedora). Blame the BIOS devs.
Add pcie_aspm=off to your kernel command line parameters (GRUB_CMDLINE_LINUX):
vi /etc/default/grub
Rebooting with this parameter added may resolve the issue[s] you are experiencing.
Ref: http://serverfault.com/questions/193114 ... do-i-start
This may not be enough. You may need to boot into the BIOS settings and disable APM there. That's what I had to do.
If you go through all of this and still experience the "Detected Hardware Unit Hang", then you may need to change your ethernet settings via ethtool:
]# ethtool -K eth0 gso off gro off tso off
Ref: http://serverfault.com/questions/616485 ... -unit-hang
Ref: http://ehc.ac/p/e1000/bugs/378/ (now https://sourceforge.net/p/e1000/bugs/378/)
Between changing your BIOS, updating the kernel line parameter, and the above ethtool settings you should be able to resolve these issues.
I'm really hoping at this point one or more of the above solutions provided you with a successful resolution if you experienced any of the known issues I covered.
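As an added example (not from the original post), here is a small shell check that applies the decision logic above to your own kernel log and command line. The sample log inside it is constructed from the messages quoted above; the interface name enp0s25 and the grub2-mkconfig step are assumptions for this hardware and a BIOS-booted Fedora system.

```shell
#!/bin/sh
# Added example, not from the original post: a check that maps the kernel-log
# symptoms quoted above to the remedies this post lists. Reads kernel log text on
# stdin and the kernel command line as $1; prints one line per remedy that still
# applies and returns 1 when something was printed, 0 when the log looks clean.
nic_gotchas() {
    cmdline=" $1 "
    log=$(cat)
    found=0
    # Gotcha 1: e1000e hang/reset. The post's last resort is turning the offloads off.
    if printf '%s\n' "$log" | grep -qE 'Detected Hardware Unit Hang|Reset adapter unexpectedly'; then
        echo "e1000e hang/reset seen: after the BIOS and GRUB changes, try: ethtool -K enp0s25 gso off gro off tso off"
        found=1
    fi
    # Gotcha 2: ASPM left under BIOS control. First pcie_aspm=off, then the BIOS APM setting.
    if printf '%s\n' "$log" | grep -qE "FADT indicates ASPM is unsupported|can't disable ASPM"; then
        case "$cmdline" in
            *" pcie_aspm=off "*) echo "ASPM messages persist with pcie_aspm=off set: disable APM in the BIOS" ;;
            *) echo "ASPM messages seen: add pcie_aspm=off to GRUB_CMDLINE_LINUX in /etc/default/grub, then regenerate grub.cfg (grub2-mkconfig)" ;;
        esac
        found=1
    fi
    return $found
}

# Constructed sample built from the lines quoted in this post (not a real capture).
SAMPLE_DMESG="e1000e 0000:00:19.0 enp0s25: Detected Hardware Unit Hang:
ACPI FADT declares the system doesn't support PCIe ASPM, so disable it
acpi PNP0A08:00: FADT indicates ASPM is unsupported, using BIOS configuration
r8169 0000:05:00.0: can't disable ASPM; OS doesn't have ASPM control"

# Stand-alone demo; live use:  dmesg | nic_gotchas "$(cat /proc/cmdline)"
printf '%s\n' "$SAMPLE_DMESG" | nic_gotchas "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro" || echo "-> remedies remain"
```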
The Firewall:
Reference: http://fedoramagazine.org/build-network ... -networkd/
Major Hayden did a fantastic job of documenting this. I'm just updating it to cover issues I ran into during my walk-through.
My network interfaces:
enp0s25: private LAN on the e1000e (Intel hardware) via the motherboard connector
ens5: Public/hot side using the Realtek 1G express card (192.168.1.1/24)
mkdir /etc/systemd/network
I then created (in the above dir) the two systemd config files enp0s25.network and ens5.network, shown here:
]# cat /etc/systemd/network/enp0s25.network
[Match]
MACAddress=00:21:86:9A:F9:68
Name=enp0s25
[Network]
Address=192.168.1.1/24
IPForward=yes
]# cat /etc/systemd/network/ens5.network
[Match]
MACAddress=00:13:3B:99:FF:FF
Name=ens5
[Network]
DHCP=yes
IPForward=yes
Prepare the services: disable network and NetworkManager, then enable systemd-networkd and systemd-resolved:
Note: I strongly urge you to check status before and after each change (systemctl status .....):
]# systemctl disable network
]# systemctl disable NetworkManager
]# systemctl enable systemd-networkd
]# systemctl enable systemd-resolved
]# systemctl start systemd-resolved
]# mkdir /run/systemd/resolve #this is necessary on a F23 fresh install
]# mv /etc/resolv.conf /run/systemd/resolve #this is necessary on a F23 fresh install
]# ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
If you're on the exact same HW you should see the same results:
]# networkctl
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback carrier unmanaged
2 ens5 ether routable configured
3 enp0s25 ether routable configured
4 wls3 wlan off unmanaged
dnsmasq is already installed with F23 (probably based upon my server software selections during install):
]# systemctl status dnsmasq # if it's not there; ]# dnf install dnsmasq
]# systemctl enable dnsmasq # again, remember to check status after commands like this
I like to always backup .conf files
]# cp /etc/dnsmasq.conf /etc/dnsmasq.conf.org #it's a good admin habit
Open /etc/dnsmasq.conf and make the following modifications:
. Uncomment dhcp-authoritative
. Uncomment interface= and add your interface: interface=enp0s25
. Set dhcp-range and lease time
. Make any other changes you like. I always add the MAC for my freenas server like this:
dhcp-host=00:0d:60:17:97:a6,192.168.1.250 # freenas
Save!
]# systemctl start dnsmasq
So you followed my instructions and suggestions, and after viewing systemctl status dnsmasq you discover it failed!
I walked you through this in the hope that you will always remember, or at least remember when it fails next time. It's SELinux.
]# setenforce Permissive
]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
Now it should work fine! Verify using systemctl status dnsmasq.
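To see exactly what SELinux blocked (so the specific cause can be fixed and enforcing mode restored later), here is an added example (shell, not from the original post) that boils audit records down to one line per denial for a named process. The audit lines inside it are constructed samples in the shape of real AVC records, not a capture from this system, and the live invocation assumes the audit package (ausearch) is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Lists what SELinux denied for one
# process so the cause can be fixed instead of leaving the system permissive.
# Reads audit records on stdin, e.g. from
#   ausearch -m avc -c dnsmasq        or        cat /var/log/audit/audit.log
# and prints one line per distinct denial: PERMS SOURCE_TYPE TARGET_TYPE CLASS NAME
avc_denials() {
    grep -E 'avc: +denied' | grep "comm=\"$1\"" | awk '
    {
        perm = "?"; src = "?"; tgt = "?"; cls = "?"; name = "-"
        # the permission set is printed between braces: { read open }
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4); gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "name") { name = kv[2]; gsub(/"/, "", name) }
        }
        # keep only the type (third colon-separated part) of each security context
        split(src, s, ":"); split(tgt, t, ":")
        print perm, s[3], t[3], cls, name
    }' | sort -u
}

# Constructed sample records in the shape of real AVC lines (not a real capture);
# the denial on your own system may involve other types or files.
SAMPLE_AUDIT='type=AVC msg=audit(1449000000.101:201): avc:  denied  { read } for  pid=1201 comm="dnsmasq" name="resolv.conf" dev="tmpfs" ino=17 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1449000000.102:202): avc:  denied  { read } for  pid=1201 comm="dnsmasq" name="resolv.conf" dev="tmpfs" ino=17 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1449000000.103:203): avc:  denied  { name_bind } for  pid=1337 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Stand-alone demo; live use:  ausearch -m avc -c dnsmasq | avc_denials dnsmasq
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials dnsmasq
```

Each output line names the source type, target type and object class that a boolean or a small local policy module would have to cover; once that is in place, setenforce Enforcing and retest dnsmasq.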
Now, the firewall and firewall-cmd:
I'm going to provide a bit more detail, here, as things aren't quite right in the firewall as left by the default F23 install. Let's start by taking a look at the firewall's current list of zones and config in 2 steps:
]# firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
Take a moment and look at the list of zones that is returned to familiarize yourself with the zone names. The two that you need to remember (for purposes of this post) are FedoraServer and external.
For the 2nd step:
]# firewall-cmd --list-all-zones
This returns detail for all the zones in the format:
zone name
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Ideally that is how I like to see new firewalls come up (as shown above)--fully locked down with nothing open. But there is still more to consider. Let's take a look at our two interfaces:
]# firewall-cmd --get-zone-of-interface=ens5
]# firewall-cmd --get-zone-of-interface=enp0s25
More than likely enp0s25 is assigned to FedoraServer (if I recall correctly) and the other is unassigned.
My plan for zones:
FedoraServer = internal, enp0s25, 192.168.1.1/24
external = external, ens5, Public IP (DHCP assigned via TWC)
To view zone detail by zone:
]# firewall-cmd --zone=ZONE --list-all
ZONE
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Here's our goal (and how my firewall is configured):
[root@tplinux ~]# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default, active)
interfaces: enp0s25
sources:
services: cockpit dhcp dhcpv6-client dns ssh
ports:
protocols:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
[root@tplinux ~]# firewall-cmd --zone=external --list-all
external (active)
interfaces: ens5
sources:
services:
ports:
protocols:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
Because FedoraServer is default we don't need to specify "--zone=FedoraServer" in the following commands (but you are welcome to if you want):
]# firewall-cmd --add-masquerade
]# firewall-cmd --add-service=dns --add-service=dhcp
]# firewall-cmd --zone=FedoraServer --add-interface=enp0s25
]# firewall-cmd --zone=external --add-interface=ens5
]# firewall-cmd --runtime-to-permanent
Use the following two commands to verify against our goal (from above):
]# firewall-cmd --zone=FedoraServer --list-all
]# firewall-cmd --zone=external --list-all
Your firewall should now be fully operational. You should reboot and verify you didn't miss anything. The firewall should boot to a text logon prompt and be fully functional the moment the boot completes.
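As an added example (not from the original post), the following shell functions check the two list-all outputs against the goal above: masquerading on both zones, only enp0s25 in FedoraServer with dhcp, dns and ssh allowed, and ens5 in external with nothing open. The goal output embedded in it is the post's own; the live invocations in the comments assume firewalld's firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original post: checks "firewall-cmd --zone=ZONE --list-all"
# output against the goal above. Leading indentation in real output is ignored.
zone_field() {   # zone_field FIELD TEXT: value of one field ("interfaces", "masquerade", ...)
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { sub(/^[ \t]*[^:]*:[ \t]*/, ""); print; exit }'
}
# check_zone ZONE IFACE "SERVICES" TEXT: 0 if TEXT matches the goal for ZONE, else 1 (reasons on stderr).
# SERVICES lists what must be allowed; an empty list means no service may be open at all.
check_zone() {
    zone="$1"; iface="$2"; want="$3"; text="$4"; rc=0
    printf '%s\n' "$text" | head -n 1 | grep -q "^$zone (.*active)" || { echo "$zone: not an active $zone listing" >&2; rc=1; }
    [ "$(zone_field interfaces "$text")" = "$iface" ] || { echo "$zone: expected only interface $iface" >&2; rc=1; }
    [ "$(zone_field masquerade "$text")" = "yes" ] || { echo "$zone: masquerade is not enabled" >&2; rc=1; }
    have=$(zone_field services "$text")
    if [ -z "$want" ] && [ -n "$have" ]; then echo "$zone: services open: $have" >&2; rc=1; fi
    for s in $want; do
        printf '%s\n' "$have" | tr ' ' '\n' | grep -qx "$s" || { echo "$zone: service $s is not allowed" >&2; rc=1; }
    done
    for f in ports forward-ports; do
        [ -z "$(zone_field "$f" "$text")" ] || { echo "$zone: unexpected $f entries" >&2; rc=1; }
    done
    return $rc
}
# The goal output from this post, embedded so the check runs without firewalld present.
GOAL_FEDORASERVER='FedoraServer (default, active)
interfaces: enp0s25
sources:
services: cockpit dhcp dhcpv6-client dns ssh
ports:
protocols:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:'
GOAL_EXTERNAL='external (active)
interfaces: ens5
sources:
services:
ports:
protocols:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:'
# Live use: check_zone FedoraServer enp0s25 "dhcp dns ssh" "$(firewall-cmd --zone=FedoraServer --list-all)"
check_zone FedoraServer enp0s25 "dhcp dns ssh" "$GOAL_FEDORASERVER" && echo "FedoraServer: ok"
check_zone external ens5 "" "$GOAL_EXTERNAL" && echo "external: ok"
```

Run it once after --runtime-to-permanent and again after the reboot, so a rule that only existed in the runtime configuration shows up as a failed check rather than as an open port.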
If you want or need to disable IPv6:
/etc/sysctl.conf
Add these two lines after the last comment:
net.ipv6.conf.ens5.disable_ipv6 = 1
net.ipv6.conf.enp0s25.disable_ipv6 = 1