Setting up Mandrake 10.1 as a Firewall 1

Installation
Preparing for Installation
For this installation I will be using an FTP install from one of Mandrake's Worldwide mirrors, as the downloadable 3-CD or DVD Images do not have the required packages. Note that even though this product is freely available under the GPL license, please either buy the full Mandrake distribution or join the Mandrake Club to ensure further development. Also, if you want commercial support for this firewall, Mandrake's MNF product is still available at their website.

In order to perform an FTP installation you must first create two diskettes that will be used for the install. Go to http://www.mandrakelinux.com/en/ftp.php3 and select a mirror to download the floppy images from. The diskette images will be located in the

./official/10.1/i586/install/images

directory; the files you want are network.img and network_drivers.img.

To get these images onto a floppy under Linux, simply type

dd if=network.img of=/dev/fd0 bs=1024 conv=sync

at a command prompt. Under Windows, you must also download a floppy image writer utility, which can be found in the

./official/10.1/i586/dosutility

directory; the file you want is rawritewin.exe. Once downloaded, simply launch the application and locate the image file you want to write to a floppy.


Starting the Installation
Upon booting the computer with the network.img diskette, the installation routine should start and (hopefully) at least one of your network cards will be detected. Enter all the relevant information, such as IP Address, DNS and Gateway addresses that will allow you to download the software from an FTP server through your Internet connection.

The next step will be to select the installation type and either select an "Official" mirror, or enter the FTP server settings you want to use. If everything is correct, the graphical installation program will be downloaded from the Internet and setup will continue. Depending on your connection speed, and the speed of the FTP server, this could take a while. If you are planning to "mass produce" these firewalls, it is best to set up a local mirror to speed up installation.

Once the graphical part of the installation starts, just step through the beginning settings of the installation, choosing what suits your machine. You will however want to choose "Higher" as the "Security Setting". Also once you get to package Selection, you must uncheck every "Package Group Selection" item and make sure you select "Individual Package Selection" before proceeding.

After you continue from the package selection screen, the installation program will ask you which minimum installation selection you want. It is usually a good idea not to run X on a firewall, so just select "with basic documentation" or "Truly minimal install" and continue on. When it asks for the packages you want to install, switch the package list to "flat" instead of group sorted; you do this by clicking on the arrows that look like a refresh button.

Now we will select the packages that will allow Mandrake 10.1 to act as a Firewall Device. First you must find and select "httpd2-naat", this will select this package as well as automatically select various other packages needed. Next you will want to select the "mnf-en" meta package that will select most of the other needed packages. Note: You must select httpd2-naat before you select mnf-en, otherwise it will try to use settings for apache ver 1.x instead of apache ver 2.x, thus the software will not work. The only other mandatory package you must select is naat-frontend-www-doc, although you may want to select other packages, such as "slocate" or "kernel-secure" (recommended) depending on your preferences. Just remember that this is a firewall, and the fewer packages you install the better.

As you continue the install, when it asks for users, ensure that you create the "admin" user, as well as one other user that you will use to log in to the firewall. The admin user is the user that you will use to log in to the web configuration page. Also, when you configure services that start on boot, make sure you select any that your computer may need to boot, as well as the httpd2-naat service and possibly ssh if you want to log in remotely.

After the first boot
After the install is done and you reboot the computer, you will notice that many services might have failed; even the httpd2-naat service will fail. To get the httpd2-naat service to work, you need to update the SSL certificates. You can do this by issuing the following command (as root, in the /root directory):

/usr/lib/ssl/apache2-mod_ssl/gentestcrt.sh

This script will ask you a few questions before it generates the required SSL certificates, so you can either enter the information, or just hit enter through all the questions and the certificates will be created. Now, copy the certificates to the correct place:

cp server.* /etc/ssl/apache2

Before httpd2-naat will actually run, you must edit one of the apache configuration files, "/etc/httpd/conf.d/51_ssl.httpd2-naat-vhost.naat". Within that file, wherever it says:

"/etc/ssl/apache/server.crt" and "/etc/ssl/apache/server.key"

change it to

"/etc/ssl/apache2/server.crt" and "/etc/ssl/apache2/server.key"

Once you are done editing that file, go ahead and try to restart the httpd2-naat services with:

/etc/init.d/httpd2-naat restart

Now the service should start and you should be able to remotely log into the web based configuration pages.
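
The path edit described above can be scripted. The following is an added example, not part of the original article: it rewrites the two certificate paths in a config file passed as an argument, keeps a one-time backup, and includes a check (an addition, not a step from the article) that the copied private key is readable by its owner only. The function names and the ".orig" backup suffix are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Try it on a copy of the
# vhost file first; the file to edit is passed in as an argument.

OLD_DIR=/etc/ssl/apache      # apache 1.x location the shipped vhost points at
NEW_DIR=/etc/ssl/apache2     # where the article copies server.crt/server.key

# Rewrite the two certificate paths in the given config file.
# A one-time backup is kept as FILE.orig. Running it twice is harmless: the
# pattern requires "/server." right after "apache", so "apache2/" never matches.
fix_ssl_paths() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 2
    tmp=$(mktemp) || return 2
    sed -e "s#$OLD_DIR/server\\.crt#$NEW_DIR/server.crt#g" \
        -e "s#$OLD_DIR/server\\.key#$NEW_DIR/server.key#g" "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"      # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print how many lines still reference the old directory (0 when done).
stale_refs() {
    grep -c "$OLD_DIR/server\\." "$1" || true
}

# Succeed only if FILE has no group/other permission bits set, i.e. the
# private key is accessible to its owner alone.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Typical use, as root, before restarting httpd2-naat:
#   fix_ssl_paths /etc/httpd/conf.d/51_ssl.httpd2-naat-vhost.naat
#   stale_refs    /etc/httpd/conf.d/51_ssl.httpd2-naat-vhost.naat
#   key_is_private /etc/ssl/apache2/server.key || chmod 600 /etc/ssl/apache2/server.key
```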

Source: http://www.flexbeta.net/main/printarticle.php?id=87

Written by Riyadi, Monday, April 14, 2008 11:29:00 AM