On Fri, Jan 20, 2006 at 01:01:03PM +0000, Gavin Seddon wrote:

> I am really sorry for this, I am following fwbuilder instructions from
> tp://www.fwbuilder.org/archives/cat_howtos.html#000095
> it recommends ssh to root@fwbuilder, which lost me. Correctly someone
> pointed out about allowing root access with ssh, I had forgotten I
> stopped this in the absence of a firewall, all I need to do is install
> the fwall I have built. However, this needs a user and pass. I
> generated the password but I can't activate the inst procedure. The
> sshing was just a recommended test. Do I need to allow ssh root login
> to install my firewall?
> Thanks.

From what I remember about using FWBuilder:

First, the "name" you give your server when you create it in fwbuilder
is the machine name fwbuilder is going to try to ssh to. In my case, I
originally named my firewall "Disco-stu" in fwbuilder, and when I tried
to install the script, it failed as it could not resolve Disco-stu. I
had to rename the entry in fwbuilder to "disco-stu" for the automatic
install to work.

Secondly, it is recommended to use ssh keys instead of tunneled clear
text. This is how I set up my server (in fact, all my servers don't
accept tunneled clear text passwords). The basic idea is on your
workstation, create a key (I use dsa) with ssh-keygen. This will
generate two files, id_dsa and id_dsa.pub. Then copy the .pub file to
the remote server you want access to, and put the contents of the file
in ~/.ssh/authorized_keys of the user you want to ssh in as. In this
case, I put my .pub file in /root/.ssh/authorized_keys. Now, you can ssh
from your normal user account on your workstation to the firewall server
as root (assuming you lift the "don't allow root logins" from sshd.conf).

Lastly, fwbuilder just builds a shell script for you when you compile,
and then just copies the shell script to the firewall server and runs it
when you install. If you are having problems with the automated install,
you can always just manually copy the file over. If you look in the
directory where you saved the firewall configuration, you will find two
files, <firewall-server-name>.fwb and <firewall-server-name>.fw.
The .fwb file is the config file used by fwbuilder (and is just xml),
and the .fw file is the script it generated when you compiled. All you
need to do is copy the .fw file somewhere on the firewall box, and run
it as root. I usually stored it in /etc/firewall and then I wrote a
custom init script to start the firewall script. Once you have manually
copied the file over and run it as root, you can then write a simple
script to do just that:

#!/bin/sh
# copy the compiled .fw script to the firewall box and run it there as root
scp ~/etc/disco-stu.fw root@disco-stu:/etc/firewall
ssh root@disco-stu /etc/firewall/disco-stu.fw

That is basically all the auto install is going to do, but I believe it
uses ssh-agent (at least it used to), which is why you may be having
problems.

Brett
-- 
gentoo-amd64@g.o mailing list
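A more careful version of the manual install Brett describes, added here as an example that is not part of the original message or of fwbuilder: it refuses to run if the .fw script is missing or looks like the .fwb xml instead, and runs scp/ssh in BatchMode so a missing key or agent fails at once instead of hanging on a password prompt. The firewall name disco-stu, the ~/etc source directory and the /etc/firewall target come from the message; the DRY_RUN knob and the fw_install function name are assumptions.

```shell
#!/bin/sh
# Manual install of an fwbuilder-compiled .fw script, doing what the
# automated install does (scp, then run as root over ssh). Added example,
# not Brett's script or fwbuilder's own. DRY_RUN=1 (assumed knob) prints
# the commands instead of running them. Assumes /etc/firewall already
# exists on the firewall box and key-based root login is allowed there.
fw_install() {
    name="$1"      # fwbuilder object name; must resolve as the ssh host name
    srcdir="$2"    # directory holding <name>.fw
    script="$srcdir/$name.fw"
    if [ ! -f "$script" ]; then
        echo "fw_install: $script not found; compile the firewall in fwbuilder first" >&2
        return 1
    fi
    # The .fwb next to it is xml, not a script; refuse anything without an
    # interpreter line so the wrong file is never handed to root's shell.
    case "$(head -n 1 "$script")" in
        '#!'*) ;;
        *) echo "fw_install: $script has no #! line; is it the .fwb xml?" >&2
           return 1 ;;
    esac
    dest="/etc/firewall/$name.fw"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "scp -o BatchMode=yes $script root@$name:$dest"
        echo "ssh -o BatchMode=yes root@$name sh $dest"
        return 0
    fi
    # BatchMode makes scp/ssh fail immediately when no key or agent is
    # available, instead of waiting on a password prompt.
    scp -o BatchMode=yes "$script" "root@$name:$dest" &&
        ssh -o BatchMode=yes "root@$name" sh "$dest"
}

# Run directly as: ./fw-install.sh disco-stu ~/etc
if [ $# -ge 2 ]; then
    fw_install "$@"
fi
```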