| 1 |
On Fri, Jan 20, 2006 at 01:01:03PM +0000, Gavin Seddon wrote: |
| 2 |
> I am really sorry for this, I am following fwbuilder instructions from |
| 3 |
> tp://www.fwbuilder.org/archives/cat_howtos.html#000095 |
| 4 |
> it recommends ssh to root@fwbuilder, which lost me. Correctly someone |
| 5 |
> pointed out about allowing root access with ssh, I had forgotten I |
| 6 |
> stopped this in the absence of a firewall, all I need to do is install |
| 7 |
> the fwall I have built. However, this needs a user and pass. I |
| 8 |
> generated the password but I can't activate the inst procedure. The |
| 9 |
> sshing was just a recommended test. Do I need to allow ssh root login |
| 10 |
> to install my firewall? |
| 11 |
> Thanks. |
| 12 |
|
| 13 |
>From what I remeber about using FWBuilder; |
| 14 |
|
| 15 |
First, the "name" you give your server when you create it in fwbuilder |
| 16 |
is the machine name fwbuilder is going to try to ssh to. In my case, I |
| 17 |
orginally named my firewall "Disco-stu" in fwbuilder, and when I tried |
| 18 |
to install the script, it failed as it could not resolve Disco-stu. I |
| 19 |
had to rename my the entry in fwbuilder to "disco-stu" for the automatic |
| 20 |
install to work. |
| 21 |
|
| 22 |
Secondly, it is recommened to use ssh keys instead of tunneled clear |
| 23 |
text. This is how I setup my server (in fact, all my servers don't |
| 24 |
accept tunneled clear text passwords). The basic idea is on your |
| 25 |
workstation, create a key (I use dsa) with ssh-keygen. This will |
| 26 |
generate two files, id_dsa and id_dsa.pub. Then copy the .pub file to |
| 27 |
the remote server you want access to, and put the contents of the file |
| 28 |
in ~/.ssh/authorized_keys of the user you want to ssh in as. In this |
| 29 |
case, I put my .pub file in /root/.ssh/authorized.keys. Now, you can ssh |
| 30 |
from your normal user account on your workstation to the firewall server |
| 31 |
as root (assuming you lift the don't allow root logins from sshd.conf) |
| 32 |
|
| 33 |
Lastly, fwbuilder just builds a shell script for you when you compile, |
| 34 |
and then just copys the shell script to the firewall server and runs it |
| 35 |
when you install. If you are having problems with the automated install, |
| 36 |
you can always just manually copy the file over. If you look in the |
| 37 |
directory where you saved the firewall configuration, you will find two |
| 38 |
files, <firewall-server-name>.fwb and <firewall-server-name>.fw. |
| 39 |
The .fwb file is the config file used by fwbuilder (and is just xml), |
| 40 |
and the .fw file is the script it generated when you compiled. All you |
| 41 |
need to do is copy the .fw file somewhere on the firewall box, and run |
| 42 |
it as root. I usually stored it in /etc/firewall and then I wrote a |
| 43 |
custom init script to start the firewall scipt. Once you have manually |
| 44 |
copied the file over and ran it as run, you can then write a simple |
| 45 |
script to so just that: |
| 46 |
|
| 47 |
#!/bin/sh |
| 48 |
scp ~/etc/disco-stu.fw root@disco-stu:/etc/firewall |
| 49 |
ssh root@dusco-stu /etc/firewall/disco-stu.fw |
| 50 |
|
| 51 |
That is basically all the auto install is going to do, but I believe it |
| 52 |
uses ssh-agent (at least it used to), which is why you may be having |
| 53 |
problems. |
| 54 |
|
| 55 |
Brett |
| 56 |
-- |
| 57 |
gentoo-amd64@g.o mailing list |
Archives