TrustixHowTo

How to set up Trustix Enterprise Firewall

In the following document I want to provide a short HowTo based on my experiences with setting up the VPN tunnel to Trondheim. It uses the most basic firewall configuration with just two zones. That is not the most secure layout (a third zone, a DMZ, would be better), but for our goals it is sufficient.

This document is meant for power users and up, with some basic Linux and networking knowledge.

Before you begin

Keep in mind that this is a guide to setting up the firewall server.

  • For client setup: SettingUpVPNClients
  • For testing the connection to the Pats lab: ConnectionTestPats
  • Usage of the PATS lab, including Master.SMSPatsSetUp

Resource needs:

  • one PC with
    • at least 128 MB RAM
    • two NICs or more
    • some GB of free disk space
  • Network connections: one Ethernet link directly to the internet, one to the LAN. You need fixed IPs on both sides, and the connection parameters must be gathered before the setup begins: IP address and subnet mask for each interface, and the default gateway for the external link.
  • Information about the other side of the desired VPN tunnel: gateway address, subnet, authentication method and password/key.
  • The Trustix Enterprise Firewall setup CD; the image can be downloaded from http://www.trustix.com. The license is node-locked to the MAC address of one of the NICs. Although the documentation does not say a word about it, this must be the MAC of the first card, eth0.
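Before booting the CD it pays to sanity-check the gathered parameters: a default gateway outside the external subnet, or a tunneled subnet that overlaps the LAN, is typically only discovered after the install. The following Python script is an added example (not from this HowTo and not from Trustix) that performs those checks offline. Everything in SAMPLE, the /29 external link, the LAN and tunnel subnets and the eth0 MAC, is a constructed value, and the check names are my own.

```python
"""Pre-flight check of the network parameters gathered before a Trustix
Enterprise Firewall install.  Added example, not part of the original HowTo
or of Trustix; all addresses below are constructed sample values."""
import ipaddress
import re

# Constructed sample parameters (assumption: RFC 5737 documentation ranges
# on the outside, RFC 1918 for the LAN and for the remote tunneled subnet).
SAMPLE = {
    "ext_ip": "203.0.113.10/29",      # eth0: external address + mask
    "ext_gw": "203.0.113.9",          # default gateway on the outer subnet
    "lan_ip": "192.168.10.1/24",      # eth1: LAN side address + mask
    "vpn_gw": "198.51.100.5",         # remote VPN gateway (the other side)
    "vpn_subnet": "10.20.0.0/16",     # subnet reachable through the tunnel
    "eth0_mac": "00:0c:29:3a:1b:2c",  # MAC the license is node-locked to
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def check_params(p):
    """Return a list of problems found; an empty list means the parameters
    are consistent enough to start the install."""
    problems = []
    try:
        ext = ipaddress.ip_interface(p["ext_ip"])
        lan = ipaddress.ip_interface(p["lan_ip"])
        ext_gw = ipaddress.ip_address(p["ext_gw"])
        vpn_gw = ipaddress.ip_address(p["vpn_gw"])
        vpn_net = ipaddress.ip_network(p["vpn_subnet"], strict=True)
    except ValueError as e:
        return [f"unparseable parameter: {e}"]

    # The default gateway must sit in the outer subnet, and must not be the
    # firewall's own address or the network/broadcast address.
    if ext_gw not in ext.network:
        problems.append(f"external gateway {ext_gw} is not inside {ext.network}")
    elif ext_gw in (ext.ip, ext.network.network_address, ext.network.broadcast_address):
        problems.append(f"external gateway {ext_gw} is not a usable host address")

    # Interface addresses must be usable hosts, not network/broadcast.
    for name, iface in (("external", ext), ("LAN", lan)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{name} address {iface.ip} is the network or broadcast address")

    # Overlapping subnets make routing ambiguous: the two local zones must be
    # disjoint, and the remote tunneled subnet must not overlap either of them.
    if ext.network.overlaps(lan.network):
        problems.append(f"external {ext.network} overlaps LAN {lan.network}")
    for name, net in (("external", ext.network), ("LAN", lan.network)):
        if vpn_net.overlaps(net):
            problems.append(f"tunneled subnet {vpn_net} overlaps {name} {net}")

    # The remote gateway is reached over the internet link via the default
    # route, so it must not lie inside any local subnet.
    if vpn_gw in ext.network or vpn_gw in lan.network:
        problems.append(f"remote VPN gateway {vpn_gw} lies inside a local subnet")

    # The license is node-locked to eth0's MAC; catch typos before the install.
    if not MAC_RE.match(p["eth0_mac"]):
        problems.append(f"eth0 MAC {p['eth0_mac']!r} is not a valid xx:xx:xx:xx:xx:xx address")
    return problems


if __name__ == "__main__":
    for line in check_params(SAMPLE) or ["parameters look consistent"]:
        print(line)
```

Run it with your own values substituted into SAMPLE; every reported line is something the installer will not catch for you. The MAC check only validates the format, so still read the address from the card that is physically eth0 before ordering the license.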

Setting up

The setup part is rather easy: boot from the CD and follow the instructions. Choose the basic firewall install; the process is more or less automated.
After the file copying finishes, you must set up the network connections. Here you need the networking parameters gathered in the previous step.
Depending on the card configuration, choose the appropriate interface for the LAN, and set up the default gateway (the outer interface and the IP of the gateway on the outer subnet).
You also need to configure the zones. For now there are just two of them, the LAN and the Internet; fill in the parameters from the information gathered before the setup.
Add the IP address of the host from which you want to remotely administer the firewall; only that host will be able to reach the management interface.
Afterwards, unblock traffic in the menu.

Using the remote management interface

From the designated computers it is possible to connect to the firewall with a Java application. It is included on the setup CD (the user's guide is there too); install and run it. Enter the IP address of the firewall and the username/password. The default is admin and trustix, which of course should be changed immediately, as with all default passwords!
After logging in, the screen is divided into two parts. On the left side there is a tree with the zones (and later the connections and enabled services). On the right side there is a map of the current zones.
After making changes, don't forget to apply them. Consult the user's guide about the management interface.

Setting up the VPN tunnel

It's easy :-). Right-click on the Internet side, choose Create VPN gateway, add a new connection, fill out the connection parameters and click OK. Then right-click on the LAN side, choose VPN tunnel and stretch the arrow to the VPN gateway icon on the other side, then click. A green dotted line appears connecting the border of the LAN and the VPN gateway in the Internet zone. Right-click on the arrow and choose Activate to bring the tunnel up.

Using the tunneled connection and general internet access

After setting up the tunnel, connect a client to the firewall by setting the PC's default gateway to the LAN IP address of the firewall (the PC must have an IP in the subnet covered by the tunnel). Done.

Afterwards you will notice that you can't open any web pages. That is because currently only the tunnel is up. To browse the web, add a rule in the management interface starting in the LAN zone and ending in the Internet zone (right-click on the LAN, Allow, left-click in the Internet zone). If you need to provide access to a PC in the LAN zone from the internet (and not just from the other side of the VPN tunnel), add a rule for the specific service type rather than a blanket allow. It is not recommended to expose unencrypted protocols. If possible, allow only SSH.
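To make the zone rules concrete, the following Python model is an added example, not Trustix's rule engine and not code from the original page. It assumes a default-deny engine, ignores stateful reply handling, and uses constructed subnets (192.168.10.0/24 for the LAN, 10.20.0.0/16 behind the tunnel) to show why browsing fails while only the tunnel is active, what the LAN-to-Internet allow rule changes, and what an SSH-only inbound rule permits.

```python
"""Toy model of the two-zone policy described above.  Added example, not
Trustix's rule engine: zone membership is decided by constructed sample
subnets, and the engine is assumed to be default-deny with no implicit
return-traffic handling."""
import ipaddress
from collections import namedtuple

# Constructed sample addressing (assumption; matches nothing on the page).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # our LAN zone
TUNNEL_NET = ipaddress.ip_network("10.20.0.0/16")    # subnet behind the VPN

Rule = namedtuple("Rule", "src_zone dst_zone proto port")  # port None = any


def zone_of(ip):
    """Map an address to the zone it belongs to in this model."""
    ip = ipaddress.ip_address(ip)
    if ip in LAN_NET:
        return "LAN"
    if ip in TUNNEL_NET:
        return "VPN"            # the far end of the tunnel
    return "Internet"


def allowed(rules, src_ip, dst_ip, proto, port):
    """Default deny: a flow passes only if an explicit rule matches its
    source zone, destination zone, protocol and port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src_zone == src and r.dst_zone == dst
               and r.proto in ("any", proto)
               and r.port in (None, port)
               for r in rules)


# Step 1: the VPN tunnel alone, both directions between LAN and the far side.
TUNNEL_ONLY = [Rule("LAN", "VPN", "any", None), Rule("VPN", "LAN", "any", None)]
# Step 2: the "LAN -> Internet, Allow" rule that makes web browsing work.
WITH_WEB = TUNNEL_ONLY + [Rule("LAN", "Internet", "any", None)]
# Step 3: expose one LAN service to the internet: SSH only, not telnet or HTTP.
WITH_SSH_IN = WITH_WEB + [Rule("Internet", "LAN", "tcp", 22)]


def policy_matrix(rules):
    """Evaluate a few representative flows (constructed addresses) against a
    rule set and report which ones the model lets through."""
    client, far_host = "192.168.10.20", "10.20.1.7"
    web_server, inet_host = "198.51.100.80", "203.0.113.77"
    return {
        "lan->tunnel": allowed(rules, client, far_host, "tcp", 445),
        "lan->web": allowed(rules, client, web_server, "tcp", 80),
        "inet->ssh": allowed(rules, inet_host, client, "tcp", 22),
        "inet->telnet": allowed(rules, inet_host, client, "tcp", 23),
    }


if __name__ == "__main__":
    for name, rules in (("tunnel only", TUNNEL_ONLY),
                        ("with LAN->Internet", WITH_WEB),
                        ("with SSH inbound", WITH_SSH_IN)):
        print(name, policy_matrix(rules))
```

With TUNNEL_ONLY the model reaches the far side of the tunnel but not the web, exactly the symptom described above; adding the LAN-to-Internet rule fixes browsing without opening anything inbound, and the final rule admits tcp/22 only, so a telnet or HTTP probe from the internet is still dropped. A real engine is stateful and lets replies to an allowed flow back in; this model deliberately leaves that out so the three rule sets stay readable.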

Finished

It should work now. If not, contact me:

More information:

Documentation of Trustix

Page last modified on January 31, 2006, at 03:01 PM EST