- What do I need to run CEQURUX Firewall/VPN?
You'll need a 386 or better PC, with at least 16 Mb of RAM and at least
500 MB of hard disk space, two network cards (or one network card, a
serial port, and a modem for SLIP/PPP, or one network card, and a sync
comms card) and a VGA card and monitor.
More specific details about what hardware is supported can be found below.
- I want to install CEQURUX Firewall/VPN onto a disk that has more than 1024 cylinders. How do I do it?
When I boot CEQURUX Firewall/VPN it says `Missing Operating System'.
When I boot CEQURUX Firewall/VPN it says `Cyl > 1024' (or similar).
The missing operating system message is usually a case of CEQURUX Firewall/VPN
and DOS or some other OS conflicting over their ideas of disk geometry.
If your controller or BIOS supports cylinder translation (often marked
as `>1GB drive support' or `LBA mode'), try toggling its setting and
reinstalling CEQURUX Firewall/VPN.
- I have an IDE drive with lots of bad blocks on it and CEQURUX Firewall/VPN doesn't seem to install properly. Why?
CEQURUX Firewall/VPN does not scan for bad blocks on the hard drive before
installing. IDE drives are supposed to come with built-in bad-block
remapping; if you have documentation for your drive, you may want to see
if this feature has been disabled on your drive.
- My network card keeps reporting errors like, `ed0: timeout'. Why is this?
This is usually caused by an interrupt conflict (e.g., two boards
using the same IRQ), or by having the wrong interrupt specified in
the hardware setup.
- What kind of hard drives does CEQURUX Firewall/VPN run on?
CEQURUX Firewall/VPN works with both IDE and SCSI hard drives.
CEQURUX Firewall/VPN can also be used with MFM, RLL and ESDI drives,
but this is not recommended.
- What SCSI controllers are supported?
CEQURUX Firewall/VPN supports the following SCSI controllers:
- Adaptec
  - AH-154x Series
  - AH-174x Series
  - AH-152x Series
  - AH-2742/2842 Series
  - AH-2820/2822/2825 Series
  - AH-294x and aic7870 MB controllers
  - Sound Blaster SCSI (AH-152x compat)
- Buslogic
  - BT-445 Series
  - BT-545 Series
  - BT-742 Series
  - BT-747 Series
  - BT-946 Series
  - BT-956 Series
- Future Domain
  - TMC-950 Series
- PCI Generic
  - NCR 53C810 based controllers
  - NCR 53C82x based controllers
- ProAudioSpectrum
  - Zilog 5380 based controllers
  - Trantor 130 based controllers
- Seagate
  - ST-01/02 Series
- Tekram
  - DC-390, DC-390T
- UltraStor
  - UH-14f Series
  - UH-24f Series
  - UH-34f Series
- Western Digital
  - WD7000
- What CD-ROM drives are supported by CEQURUX Firewall/VPN?
- Any SCSI drive connected to a supported controller.
- Mitsumi LU002 (8bit), LU005 (16bit) and FX001D (16bit 2x Speed).
- Sony CDU 31/33A
- Sound Blaster Non-SCSI CD-ROM
- Matsushita/Panasonic CD-ROM
- ATAPI compatible IDE CD-ROMs
All non-SCSI interfaces are known to be extremely slow compared to SCSI
drives.
- What types of tape drives are supported under CEQURUX Firewall/VPN?
CEQURUX Firewall/VPN supports SCSI, QIC-02 and QIC-40/80 (Floppy based) tape
drives, including 8-mm (aka Exabyte) and DAT drives.
- What network cards does CEQURUX Firewall/VPN support?
There is support for the following cards:
- `cs' driver
  - Crystal Semiconductor 8920
- `ed' driver
  - Novell NE1000 and NE2000
  - WD/SMC 80xx and Elite Ultra (8216)
  - 3Com 3c503
  - HP PC Lan+
  - and clones of the above
- `eg' driver
  - 3Com 3c505
- `ie' driver
  - AT&T EN100/StarLAN 10
  - 3Com 3c507
  - NI5210
- `le' driver
  - DEC Etherworks 2 or 3
- `lnc' driver
  - Lance/PCnet cards (Isolan, Novell NE2100, NE32-VL)
- `ep' driver
  - 3Com 3c509
- `ix' driver
  - Intel EtherExpress Pro/10 and Pro/100B
- `ex' driver
  - Intel EtherExpress Pro/10
- `fxp' driver
  - Intel EtherExpress Pro PCI
- `de' driver
  - DEC 21x40 PCI cards (including 21140 100bT cards)
- `tx' driver
  - SMC 9432TX
- `vx' driver
  - 3Com 3c59x
  - 3Com 3c9xx
- `fe' driver
  - Allied-Telesis AT1700 and RE2000
  - Fujitsu FMV-180
There is also support for the Arnet (Digi) Sync/570i ISA, RISCom N2,
WANic 400/405, and Cronyx/Sigma sync cards using synchronous PPP.
If you want a specific recommendation, try getting Genius GE2500III cards -
these are cheap, fast and reliable (NE2000 compatible).
- Programs occasionally die with `Signal 11' errors. What's going on?
This can be caused by bad hardware (memory, motherboard, etc.). Try
running a memory-testing program on your PC. Note that, even though
every memory testing program you try will report your memory as being
fine, it's possible for slightly marginal memory to pass all memory
tests, yet fail under operating conditions (such as during busmastering
DMA from a disk controller).
- How do I tell if CEQURUX Firewall/VPN found my serial ports or modem cards?
As the CEQURUX Firewall/VPN kernel boots, it will probe for the serial ports in
your system for which the kernel was configured. Once it has started up,
log in and run the command:
Here's some example output from the above command:
sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
This shows two serial ports. The first is on irq 4, is using port
address 0x3f8, and has a 16550A-type UART chip. The second uses the
same kind of chip but is on irq 3 and is at port address 0x2f8.
Internal modem cards are treated just like serial ports - except that
they always have a modem `attached' to the port.
- While installing from CDROM, the kernel boots, the messages mention the ATAPI IDE CDROM drive, but when selecting the Media, no CDROM drive gets detected.
There are two possibilities. The first is that this IDE drive is one of
extremely few drives that actually doesn't work with CEQURUX Firewall/VPN.
Far more likely is that the drive is the only IDE device on that IDE
interface, and that it is jumpered as a slave. To fix, just rejumper the
drive to be a master. One also shouldn't put a CDROM on the second IDE
interface if there are no devices on the first IDE interface (rather just
use the first).
- I've just replaced my router, and now none of the gateways on the firewall work.
The gateway program on the firewall performs a 'ping' once at startup to obtain the MAC address of the default router and then caches the result forever. Therefore, if the default router's MAC address changes, you have to run 'zap cdsgw' on the firewall console (as root user) to cure the problem.
- I have 100BaseTX full-duplex Fast Ethernet network interfaces, but they seem to be working at only 10BaseT. How do I fix this?
Log in to the firewall as root user and edit the file: /usr/local/custom/rc.local
Insert the following lines:
ifconfig fxp0 media 100basetx mediaopt full-duplex
ifconfig fxp1 media 100basetx mediaopt full-duplex
NOTE:
- Remember to substitute fxp0 and fxp1 with the relevant devices specific to your firewall.
- These can be determined by using fwadmin and checking in the system setup section.
- (Other keys->Setup->Other keys->System)
- Is it possible to have a backup machine with the same configuration as our operational firewall?
Yes, this is possible.
- Install the CEQURUX Firewall/VPN onto this machine, but do not register or configure it in any way. Store the backup machine in a safe place. If at all possible, make sure that this machine has identical hardware to your main firewall. This will ensure that you do not need to adjust the hardware configuration in any way.
- Obtain a blank, formatted floppy disk and insert it into the main firewall's floppy drive. Invoke fwadmin and navigate to the Misc->Import/Export->Export config menu. This will transfer all necessary configuration files to the floppy disk. It is probably a good idea to perform this action every time the firewall's configuration changes. Store this floppy in a safe place.
- In the unlikely event that your main firewall is unusable, boot up the backup firewall from a CEQURUX Firewall/VPN CD of the same version. From the sysinstall menu, select the Install configuration from floppy option. Insert your configuration floppy and proceed to load the configuration. When this is done, exit the menu. The firewall will automatically reboot with the correct configuration. This would be a good time to connect this firewall to the network.
- If all goes well, the backup firewall should start functioning normally as per the original.
Possible problems:
- If the two firewalls' hardware configurations are identical but the internal and external networks are unreachable, try swapping the two Ethernet cables around (internal/external). If this does not work, inspect the hardware settings in fwadmin (other keys->setup->other keys->system). Make sure that the interfaces have the appropriate drivers assigned to them (see the administrator's guide for more details).
- If the hardware configuration differs between the two firewalls, you will more than likely need to reconfigure the network interfaces. To do this, invoke fwadmin and navigate to other keys->setup->other keys->system. Here you must assign the appropriate drivers to the interfaces (see the administrator's guide for more details).
- I want to add another hard drive to my firewall for more squid cache space and/or for more space to store mail. How do I do it?
This answer applies to version 4.1.x of CEQURUX firewall.
The answer for version 4.3 of the firewall will be added at a later stage.
Install the hard drive. If the BIOS doesn't detect the drive, then you shouldn't boot the firewall.
In the BIOS, set the LBA for IDE drives. When the firewall boots, it will assign the new drive a name.
This could be something like 'wd3' or 'sd2'. Once booted and logged in, you can deduce the drive name(s) by running 'dmesg | less'
from the command line. If you are using IDE then look for wd0, wd1, wd2 or something similar. If you are using SCSI then look for sd0, sd1, sd2 or something similar. The following is just an excerpt from the dmesg output.
Example
firewall# dmesg | less
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (wd0): <FUJITSU MPE3064AT>
wd0: 6187MB (12672450 sectors), 13410 cyls, 15 heads, 63 S/T, 512 B/S
wdc1 at 0x170-0x177 irq 15 on isa
wdc1: unit 0 (wd2): <ST320413A>
wd2: 19092MB (39102336 sectors), 38792 cyls, 16 heads, 63 S/T, 512 B/S
bt0 not found at 0x330.
We can thus see that there are two drives, a Fujitsu 6G and a Seagate 20G. Then run the mount command from the command line to see which of the 'wd' devices are mounted.
Example
firewall# mount
/dev/wd0s1a on / (local)
/dev/wd0s1f on /usr (local)
/dev/wd0s1e on /var (local)
procfs on /proc (local)
From the mount command we can see that wd0 (Fujitsu) is mounted. We can therefore deduce that wd2 (Seagate) is unmounted
and is the newly added drive. For the rest of the answer, we shall use 'wd2'.
The text in square brackets is the command that you need to type into the root shell on the firewall.
Proceed with:
[dd if=/dev/zero of=/dev/wd2 bs=512 count=1000] This completely erases the partition table and any disklabel that may have existed on the drive prior to the installation.
Note that if you get a single character wrong, you could destroy all your data, so tread gently!
[fdisk -i wd2] Here you should hit enter for every question, until it asks: "Should we write the new partition table". To this you should answer 'y' and hit enter.
[fdisk wd2] From this command, you should take notes. Record the following data that fdisk returns: 'cylinders', 'heads', 'sectors/track', and 'blks/cyl'.
Also make a note of the 'size' value, specified in the third last line.
[disklabel -r -w wd2 minimum] This creates a default disklabel (with entirely wrong data), which we will modify to our needs.
[disklabel -e wd2] You will find yourself inside a vi session. Change the following values in the file:
- 'sectors/track' should take the 'sectors/track' value above.
- 'tracks/cylinder' should take the 'heads' value.
- 'sectors/cylinder' should take the 'blks/cyl' value.
- confirm that the 'sectors/unit' value is the same as the 'size' value above.
- change the '3 partitions' to '8 partitions'.
- delete the partition called 'a:' (erase entire line).
- for the 'c:' partition:
  - change the 'size' to 'sectors/unit' (aka 'size' above).
  - change 'fsize' to '0' and 'bsize' to '0'.
- create an 'e:' partition by copying and pasting the 'c:' line:
  - change 'fstype' to '4.2BSD' (caps important).
  - you'll see that the 'c:' partition doesn't have a bps/cpg value; insert a '0' (zero) at this point.
[newfs wd2e] Nothing to get wrong here, except be sure to append an 'e' to the drive in question.
[mkdir /extra1] If you have more than one drive that you are trying to add, then call them /extra[n] where [n] represents a decimal digit.
IMPORTANT: Be sure to use the designation extra to ensure the preservation of any links that you may have created before such operations as upgrading.
[mount /dev/wd2e /extra1] This should succeed. Type 'df' after that, to confirm that it is mounted, and is the correct size.
Now, to make sure that it mounts after every reboot, append the following line to the file /usr/local/custom/rc.local (if the file doesn't exist, then create it afresh):
mount /dev/wd2e /extra1
During this procedure, ignore error messages on the system console. Do, however, consider them important after you've finished, and have mounted the drive - there should be none.
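
The deduction made earlier in this answer (the new drive is the one dmesg reports but mount does not list) can be scripted as a check before the destructive dd step. This is an added example, not CEQURUX's own tooling: the function names are hypothetical, the sample text is the dmesg and mount excerpts from this answer, and the "sd0(" line format for SCSI disks is an assumption.

```shell
#!/bin/sh
# Added example, not vendor code: pre-flight check before dd/fdisk/disklabel.
# Function names are hypothetical.

# Sample input: the dmesg and mount excerpts shown in this answer.
SAMPLE_DMESG='wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (wd0): <FUJITSU MPE3064AT>
wd0: 6187MB (12672450 sectors), 13410 cyls, 15 heads, 63 S/T, 512 B/S
wdc1 at 0x170-0x177 irq 15 on isa
wdc1: unit 0 (wd2): <ST320413A>
wd2: 19092MB (39102336 sectors), 38792 cyls, 16 heads, 63 S/T, 512 B/S
bt0 not found at 0x330.'
SAMPLE_MOUNT='/dev/wd0s1a on / (local)
/dev/wd0s1f on /usr (local)
/dev/wd0s1e on /var (local)
procfs on /proc (local)'

# Disks the kernel probed: lines starting "wd2: ..." (IDE). Controller lines
# (wdc0, wdc1) do not match. "sd0(" for SCSI is an assumed format.
probed_disks() {
    printf '%s\n' "$1" | sed -n 's/^\([ws]d[0-9][0-9]*\)[(:].*/\1/p' | sort -u
}

# Disks with a mounted filesystem: "/dev/wd0s1a on / (local)" yields wd0.
mounted_disks() {
    printf '%s\n' "$1" | sed -n 's|^/dev/\([ws]d[0-9][0-9]*\).* on .*|\1|p' | sort -u
}

# Probed disks with nothing mounted: candidates for the newly added drive.
# Caveat: swap partitions are not listed by mount, so also match the model
# string in dmesg against the drive you physically installed.
unmounted_disks() {
    probed=$(probed_disks "$1")
    mounted=$(mounted_disks "$2")
    for d in $probed; do
        printf '%s\n' "$mounted" | grep -qx "$d" || printf '%s\n' "$d"
    done
}

# Succeeds only if disk $3 was probed and has no mounted filesystem.
safe_to_wipe() {
    unmounted_disks "$1" "$2" | grep -qx "$3"
}

# Stand-alone run on the sample input: prints the candidate drive name.
unmounted_disks "$SAMPLE_DMESG" "$SAMPLE_MOUNT"
```

On the firewall itself, call it as safe_to_wipe "$(dmesg)" "$(mount)" wd2 and run the dd step only if it succeeds.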
