
System Setup

Pressing F1 followed by F2 will bring up the System Setup Screen (Figure 4.3).


Figure 4.3: The System Setup Screen

This is the most important screen to set up correctly. This is where you tell the firewall what network interfaces you are using, what their IP addresses are, and the address of the router to use to access the Internet.

The following primary functions are available from this screen:

F1
Return to the Setup screen, losing changes
F2
View or change the set of installed devices
F3
View or change the SLIP/PPP setup (only relevant if you selected ppp, pppd or sl0 as the external interface)
F7
View help
F8
Return to the Setup Screen

The fields in the System Setup Screen are:

Name
The logical `host names' to use for the inside and outside interfaces. The default names are `inside' and `outside'; you should not need to change these unless you have more than one CEQURUX Firewall in your domain (in which case the names should be different for each firewall).

Interface
The interfaces to use to attach to the internal and external networks, and the optional DMZ. These are toggle fields that cycle through the names of the available network device drivers. If you have a serial connection, you should choose `sl0' (for SLIP) or either `ppp' or `pppd' (for PPP).

You may not specify the same value for the internal and external interfaces. The two entries for PPP correspond to two different implementations of PPP; you will probably find that `ppp' works best for dial-up and `pppd' best for dedicated leased lines.

If you need help in determining which interface is correct, use the `Boot Messages' screen to see which network devices were successfully probed. (`Boot Messages' is accessible under `Misc' from the Main Screen.) The correspondence between interface names and network card types is also summarised below.

Address
The numeric IP addresses of the network interfaces. Note that if you use SLIP or PPP your service provider must provide you with a static IP address rather than using dynamic address negotiation.

If the external IP address does not match the address you specified in the Registration Screen, the firewall will behave as if it is unregistered: many components will be disabled, although basic network connectivity should still work. If you are installing and pre-configuring a firewall using a temporary IP address that differs from the permanent IP address it will use once deployed, you can enter the permanent external IP address in the Registration screen and the temporary external IP address in the System Setup screen.

Netmask
The dotted decimal netmasks of the network interfaces.

Router/Gateway
The numeric IP address of your external router (or of your ISP's gateway if you are using SLIP or PPP).

Inetd Rate Limit
Services such as mail, remote administration and TCP proxies are all handled by a daemon known as inetd. This daemon limits how many connections to a particular service are allowed per minute, which helps to prevent denial-of-service attacks. The usual value is 256, which is adequate for most systems. However, for systems that handle very heavy loads of mail or web traffic, you may want to increase the rate limit.

External NTP Servers
If you use NTP to synchronise time on your routers and hosts, you can specify the IP addresses of up to three external servers here. The firewall will then get time sync from these servers, and internal hosts/routers can in turn query the NTP service on the firewall, or receive NTP broadcasts from the firewall.

Broadcast NTP
If enabled, this will cause the NTP server on the firewall to use broadcasts to pass time information to internal NTP servers.

Need Password to Repair
In the event of a serious system crash from which the firewall does not automatically recover (typically due to a critical system file being lost or damaged), it is possible to boot straight into a root shell by entering `-s' at the `Boot:' prompt. This option lets you specify whether this shell will require a password or not.

Specifying `NO' is a potential security risk unless your firewall host is physically secure, but does have the advantage that it will allow you to repair the firewall even if the password files are damaged or lost. On the other hand, carrying out a repair to a system that has suffered such damage requires a high level of skill, and if you have this level of skill you will be able to circumvent the password requirement in any case by booting from diskette.

Our advice is to physically secure your firewall if possible, and then set this to `NO'.

Kernel TCP Connection Timeout
The usual timeout for TCP connections is 75 seconds. As a defence against denial-of-service attacks, the firewall uses a default timeout of 25 seconds instead. You may find this causes problems when connecting to sites over slow links, or when using demand-dial PPP, in which case you can adjust the value here (in the range 15-120 seconds).
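As an added example (not part of this manual and not CEQURUX code), the following Python script checks a set of System Setup values against the constraints stated above before they are typed into the screen. The dictionary layout, the field names and the device names card0/card1 are assumptions; the check that the router lies on the external subnet is a general networking rule and is skipped for sl0, ppp and pppd, where the ISP gateway is a point-to-point peer.

```python
import ipaddress
# Limits stated on the System Setup page; the field names used below are assumptions.
SERIAL_IFACES = {"sl0", "ppp", "pppd"}
TCP_TIMEOUT_RANGE = (15, 120)
MAX_NTP_SERVERS = 3

def check_system_setup(cfg):
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    inside, outside = cfg["inside"], cfg["outside"]
    # The screen refuses the same device for both sides.
    if inside["interface"] == outside["interface"]:
        problems.append("inside and outside interfaces must differ")
    # Address/netmask must parse and must not be the network or broadcast address.
    nets = {}
    for side in ("inside", "outside"):
        try:
            iface = ipaddress.ip_interface(f"{cfg[side]['address']}/{cfg[side]['netmask']}")
        except ValueError as err:
            problems.append(f"{side}: bad address or netmask ({err})")
            continue
        nets[side] = iface
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{side}: address is the network or broadcast address")
    # On Ethernet the router must sit on the external subnet; a SLIP/PPP peer need not.
    if "outside" in nets and outside["interface"] not in SERIAL_IFACES:
        try:
            if ipaddress.ip_address(cfg["router"]) not in nets["outside"].network:
                problems.append("router is not on the external subnet")
        except ValueError:
            problems.append("router: bad address")
    # A mismatch with the Registration Screen leaves the firewall running unregistered.
    if cfg.get("registered_address") and cfg["registered_address"] != outside["address"]:
        problems.append("external address differs from registered address (unregistered mode)")
    if not TCP_TIMEOUT_RANGE[0] <= cfg["tcp_timeout"] <= TCP_TIMEOUT_RANGE[1]:
        problems.append("tcp_timeout outside 15-120 seconds")
    if len(cfg["ntp_servers"]) > MAX_NTP_SERVERS:
        problems.append("more than three external NTP servers")
    return problems

# Constructed sample: pre-configuring with a temporary external address (card0/card1 are placeholder device names).
SAMPLE = {
    "inside": {"interface": "card0", "address": "192.0.2.1", "netmask": "255.255.255.0"},
    "outside": {"interface": "card1", "address": "198.51.100.10", "netmask": "255.255.255.0"},
    "router": "198.51.100.1",
    "registered_address": "203.0.113.5",
    "ntp_servers": ["203.0.113.7"],
    "tcp_timeout": 25,
}
```

Running `check_system_setup(SAMPLE)` reports only the registered/temporary address mismatch, which is the expected state for a firewall pre-configured on a temporary address.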

The interface names associated with different Ethernet cards are summarised in Figure 4.4.


Figure 4.4: Network Cards and Interface Names
Netw... | ... | ...
Alternative PPP over RS232C | pppd | N/A

If you are using SLIP or PPP, you will need to do some further configuration; see Section 4.13 for details.


Copyright © 2004, CEQURUX Technologies